[PLUG] intrusion detection software

chris (fool) mccraw gently at gmail.com
Thu Mar 19 23:12:09 UTC 2009


hey folks,

one of the last steps remaining for us to become PCI compliant at my
place of employ is to "employ an intrusion detection or prevention
system to monitor all traffic in the data environment".  we have a lot
of software that serves similar function (file-modification monitor,
carefully watched syslog including firewall logs, arpwatch, standard
system reporting on events like service startups and
half-opened-and-never-used-again network connections from
postfix/proftpd), but no specific "intrusion detection system".  upon
looking into it further (ok, i read the wikipedia article and a few
SANS articles), i find there is a plethora of signature-based systems
which seem to not be what i want--we have very limited services
running (ssh/sql connections only) and i'm more interested in a
statistical anomaly type of report.  "well, you got a thousand SQL
connections in a second from this host that usually trickles 'em in at
1/hour" or "hmm, ssh leaving *from* one of the firewalled machines"
type of reports.  i don't expect to see a lot of the stuff that people
use, say, snort for, since there's no incoming traffic at all from the
internet, just ssh connections from the dmz hosts and SQL connections
from the same.  so i don't need to sniff the entire network's traffic
(nor do i want to)--i want something host based that i can run on each
host behind the firewall to report on things happening to that host.

but i haven't found anything that's free, relatively simple, and
statistical-anomaly-type.  i don't actually want intrusion
*prevention* software that would modify firewall setup or otherwise
deny traffic, i just want to get paged when i see a portscan happening
*behind* the firewall.  ideally, such a system watches the network for
awhile and "learns" what's common--"oh, on monday, dude's gonna ssh in
for 10 minutes each machine.  carry on.  but he never seems to ssh in
at 3am.  and WHOA a netbios packet on this network?  red alert!"

does anyone use any software that does that?  would love to buy you
lunch and pick your brains about it!  and hey, if you're so inclined
and your google-fu is better than mine, let me know what i'm missing!
the best candidate i found that-a-way was "SPADE" which is a
deprecated snort plugin.
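The baseline-and-alert behaviour described above, as an added example that is not code from the original post or from any tool it mentions: it learns per-source/service/direction/hour event rates from constructed connection log lines, then pages on combinations never seen in the baseline (ssh at 3am, ssh leaving a firewalled host, a netbios packet) and on rate spikes (a burst of SQL connections). The log format, host names and thresholds are assumptions.

```python
# Added example (not from the original post): host-based statistical anomaly alerting.
# Log format, host names and thresholds are constructed assumptions.
from collections import Counter
from datetime import datetime

def parse(line):
    """Parse 'ISO-TIMESTAMP k=v k=v ...' into a dict with 'day' and 'hour' added."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["day"], rec["hour"] = ts[:10], datetime.fromisoformat(ts).hour
    return rec

def key_of(rec):
    """Who, which service, which direction, at what hour of the day."""
    return (rec["src"], rec["svc"], rec["dir"], rec["hour"])

def build_baseline(lines):
    """Learn what's common: mean events per day for each key."""
    per_key, days = Counter(), set()
    for rec in map(parse, lines):
        days.add(rec["day"])
        per_key[key_of(rec)] += 1
    return {k: v / max(len(days), 1) for k, v in per_key.items()}

def detect_anomalies(baseline, lines, factor=10.0, floor=5):
    """Alert on keys never seen in the baseline, or counts above factor x mean (and above floor)."""
    seen = Counter(key_of(rec) for rec in map(parse, lines))
    alerts = []
    for key, count in sorted(seen.items()):
        mean = baseline.get(key)
        if mean is None:
            alerts.append(("unseen", key, count))
        elif count > max(floor, factor * mean):
            alerts.append(("spike", key, count))
    return alerts

# Constructed history: a week of hourly SQL from dmz1 plus one 09:05 ssh login per day.
BASELINE = [f"2009-03-{d:02d}T{h:02d}:10:00 src=dmz1 svc=sql dir=in"
            for d in range(9, 16) for h in range(24)]
BASELINE += [f"2009-03-{d:02d}T09:05:00 src=dmz1 svc=ssh dir=in" for d in range(9, 16)]
# Constructed "today": normal traffic plus the situations the post wants to be paged on.
TODAY = [f"2009-03-16T{h:02d}:10:00 src=dmz1 svc=sql dir=in" for h in range(24)]
TODAY += ["2009-03-16T09:05:00 src=dmz1 svc=ssh dir=in",    # usual login, no alert
          "2009-03-16T03:00:00 src=dmz1 svc=ssh dir=in",    # ssh at 3am
          "2009-03-16T14:00:00 src=db1 svc=ssh dir=out",    # ssh leaving a firewalled host
          "2009-03-16T02:00:00 src=ws7 svc=netbios dir=in"]  # netbios packet on this net
TODAY += [f"2009-03-16T12:{m:02d}:00 src=dmz1 svc=sql dir=in" for m in range(1, 60)]  # burst
if __name__ == "__main__":
    for kind, key, count in detect_anomalies(build_baseline(BASELINE), TODAY):
        print(kind, key, count)
```

In practice the baseline would be rebuilt from a rolling window of syslog/firewall records on each host, and the alert list handed to whatever pages you.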
