I've had a request from our new corp. HQ to implement firewall
monitoring for SOX compliance. Do you have any recommendations for:
increases of activity that exceed certain thresholds,
repeated attacks from certain IP addresses,
excessive attacks on designated critical ports open on the firewall,
attempts to internally access unapproved ports?

I see a suggestion in a 2004 post to install another SNORT box, but I
was wondering if things have changed since then.