It would be good if there was a way to have an email sent out when a rule has been matched. For example, a subnet can be specified in the firewall/classifier, and if it goes over x connections, drop/limit etc. But also have a check box to enable an email to be sent out, and specify what email address, once matched.
So if said subnet goes over x connections, an email is sent out to warn someone that, hypothetically, someone is using a p2p application or a spam zombie, etc.
Or if a certain class is matched that is reaching a certain threshold, someone could be alerted that, let's say, a client is consuming close to their allotted bandwidth. This would be good for knowing if a client that is given x bandwidth and they complain of things being “slow”. If multiple emails of the same thing are sent out, perhaps they should increase their bandwidth to overcome the congestion.
This would let the administrator know when a rule has been matched within seconds, rather than having to review the kernel log constantly.