oss,
I've got to strip out some specifics, but I have a script that does something similar to what you're looking for. I just get an hourly report on it instead of acting on it, but it's still collecting the same data you're looking for. It's not going to help you much unless you're comfortable scripting, because you'll need to specifically parse out your firewall's syslog message and get the source IP address (and/or destination IP) in order to track different counters.
I'm currently just logging it by source, destination and port combination and tracking the top 20 offenders every hour. So you may want to change exactly what's being parsed out of your message as well. I'm not looking for port scanning and things of that nature here because I'm looking for them elsewhere; here I'm just looking for potential problems, access list errors, potential infections, etc.
So my report table looks like this:
+-----------------------------------------------------+
| Top 20 Denied Connection Attempts                   |
+------------------------------------------+----------+
| 1.1.1.1 - 2.2.2.2 - udp53                |       47 |
| 111.111.111.111 - 22.22.22.22 - icmp     |       18 |
+------------------------------------------+----------+
EDIT:
Ah, here are the relevant bits of the script. The first part I can only provide partially because it goes in the script you'll have to use to parse your firewall messages (SourceIP, DestIP and Service are whatever your parsing code extracted from the message):
With Dictionaries
    DenyKey = SourceIP & " - " & DestIP & " - " & Service          ' e.g. "1.1.1.1 - 2.2.2.2 - udp53"
    If .Exists("DenyMessage") Then                                 ' dictionary already created?
        If .ItemExists("DenyMessage", DenyKey) Then                ' seen this src/dst/service before?
            cnt = .GetItem("DenyMessage", DenyKey)                 ' stored counter comes back as a string
            .StoreItem "DenyMessage", DenyKey, CStr(CLng(cnt) + 1) ' increment and store it back
        Else
            .StoreItem "DenyMessage", DenyKey, "1"                 ' first hit for this key
        End If
    Else
        .StoreItem "DenyMessage", DenyKey, "1"                     ' first hit ever; StoreItem creates the dictionary
    End If
End With
What you would want to do, in addition to increasing cnt on line 6, is check it against your threshold, and if it's greater, you can set up a procedure call to e-mail you right there.
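The same counter idea outside of Kiwi's scripting, as an added example that is not part of the original post: it parses deny lines into a "source - destination - service" key, keeps an hourly-style Counter, prints the top-N table, and, like the threshold check suggested above, fires an alert callback the first time a key's count exceeds the threshold (once per key per window, so a noisy host does not generate one e-mail per packet). The log format and the regex are constructed and vendor-neutral; you would rewrite DENY_RE for your own firewall's syslog text, exactly as the post says.

```python
import re
from collections import Counter

# Constructed sample lines in an invented, vendor-neutral deny format
# (not real firewall output). DENY_RE below must be rewritten for the
# actual message text your firewall sends to syslog.
SAMPLE_LOG = """\
<164>Jan 10 12:00:01 fw01 DENY udp 1.1.1.1 -> 2.2.2.2 dport=53
<164>Jan 10 12:00:02 fw01 DENY icmp 111.111.111.111 -> 22.22.22.22
<166>Jan 10 12:00:03 fw01 ACCEPT tcp 10.0.0.5 -> 2.2.2.2 dport=443
<164>Jan 10 12:00:04 fw01 DENY udp 1.1.1.1 -> 2.2.2.2 dport=53
<164>Jan 10 12:00:05 fw01 DENY tcp 10.0.0.7 -> 2.2.2.3 dport=445
<164>Jan 10 12:00:06 fw01 DENY udp 1.1.1.1 -> 2.2.2.2 dport=53
<164>Jan 10 12:00:07 fw01 DENY icmp 111.111.111.111 -> 22.22.22.22
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DENY_RE = re.compile(
    r"\bDENY (?P<proto>[a-z]+) (?P<src>" + IPV4 + r") -> "
    r"(?P<dst>" + IPV4 + r")(?: dport=(?P<dport>\d+))?"
)


def deny_key(line):
    """Return 'src - dst - service' for a deny line, None for anything else."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    service = m.group("proto") + (m.group("dport") or "")  # udp53, icmp
    return f"{m.group('src')} - {m.group('dst')} - {service}"


def count_denies(lines):
    """Batch version: one Counter over a whole window of log lines."""
    counts = Counter()
    for line in lines:
        key = deny_key(line)
        if key is not None:
            counts[key] += 1
    return counts


def top_offenders(counts, n=20):
    """Highest counts first; ties broken by key so the report is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def format_report(rows, title="Top 20 Denied Connection Attempts"):
    """Render rows as the ASCII table shown in the post."""
    width = max([len(title)] + [len(k) for k, _ in rows])
    rule = "+" + "-" * (width + 2) + "+" + "-" * 8 + "+"
    out = [rule, f"| {title:<{width + 9}} |", rule]
    out += [f"| {k:<{width}} | {c:>6} |" for k, c in rows]
    out.append(rule)
    return "\n".join(out)


class DenyTracker:
    """Streaming version: count on every message and call alert(key, count)
    the first time a key's count exceeds the threshold in this window."""

    def __init__(self, threshold, alert):
        self.threshold = threshold
        self.alert = alert          # e.g. a function that sends the e-mail
        self.counts = Counter()
        self.alerted = set()

    def record(self, line):
        key = deny_key(line)
        if key is None:
            return None
        self.counts[key] += 1
        if self.counts[key] > self.threshold and key not in self.alerted:
            self.alerted.add(key)   # alert once per key, not on every later hit
            self.alert(key, self.counts[key])
        return key

    def reset(self):
        """Call at the top of each hour so counts and alerts start fresh."""
        self.counts.clear()
        self.alerted.clear()


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(format_report(top_offenders(count_denies(lines))))
    tracker = DenyTracker(2, lambda k, c: print(f"ALERT {k} exceeded threshold ({c})"))
    for line in lines:
        tracker.record(line)
```

The key is built from whatever the parser extracted, so changing what you track (drop the destination, add the rule name) is a one-line change in deny_key; everything downstream keys on the string, just as the Kiwi dictionary does.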