How about project Darknet and sinkholes and monitoring dark IP space?
Worms and botnets usually scan blindly right and left, so there is a
good chance you will get a glimpse of infected hosts if that's what you
want. I catch infected hosts by looking at Apache access logs and I see
a lot of scans,
and Randy, for that I change the ssh port to a higher one :)
>> My suggestion, in the case that you'll use snort, is to do some extensive
>> testing on a non-production network. Take the time to learn and
>> understand its functionality and intended purpose.
> Also figure out what you're going to do with the output. Do you have
> the resources to investigate apparent misbehavior? Remember that any
> IDS will have a certain false positive rate. Even for true positives,
> do you have the customer care resources to notify your users and (if
> appropriate) hold their hands while they disinfect their machines.
It's enough of a pita to clean up the syslogs from all the 25k/day password attacks per host, when one does not even have password ssh enabled.
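Added example, not from anyone in this thread: a small Python filter in the spirit of the "catch infected hosts by looking at Apache access logs" approach above. It parses combined-format lines and flags clients whose traffic looks like blind probing (several requests, mostly 404s); the sample log lines, IPs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format (matches the constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one normal client plus two hosts probing for paths that don't exist here.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "-"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /.env HTTP/1.0" 404 196 "-" "-"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /setup.php HTTP/1.0" 404 196 "-" "-"
"""

def parse(lines):
    """Yield one dict per well-formed combined-format line; skip anything that doesn't match."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspected_scanners(lines, min_requests=3, min_404_ratio=0.66):
    """Return {ip: (requests, 404s)} for clients that sent at least min_requests
    and got a 404 on at least min_404_ratio of them, i.e. they are guessing paths."""
    total = defaultdict(int)
    missing = defaultdict(int)
    for r in parse(lines):
        total[r["ip"]] += 1
        if r["status"] == "404":
            missing[r["ip"]] += 1
    return {
        ip: (n, missing[ip])
        for ip, n in total.items()
        if n >= min_requests and missing[ip] / n >= min_404_ratio
    }

if __name__ == "__main__":
    for ip, (n, n404) in suspected_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n404}/{n} requests were 404 -> probable scanner, worth notifying its owner")
```

Point it at a real access_log by replacing SAMPLE_LOG.splitlines() with an open file, and tune the thresholds to your own 404 baseline before acting on the output.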