I've had a request from our new corp. HQ to implement firewall
monitoring for SOX compliance. Do you have any recommendations for
monitoring:
Increases of activity that exceed certain thresholds,
repeated attacks from certain IP addresses,
excessive attacks on designated critical ports open on the firewall,
attempts to internally access unapproved ports.

I see a suggestion in a 2004 post to install another SNORT box, but I
was wondering if things have changed since then.

Thanks,
/Russ