I've got a similar problem - multiple VMs that are being attacked all the time in different ways from multiple IPs - reaaaaaally annoying.
So far I've used a mix of fail2ban + elasticsearch + scripts + other stuff but it's getting too complicated.
I want something that not only informs me that something weird is going on but especially that it reacts to weird stuff by closing the firewall.
From what I've read Snort & Co. are all able to detect stuff but don't really react to it.
What about OSSEC?
Quote: "blahblahblah...and active response"
Does anybody have any experience with it?
Difficult to maintain?
Any frontend (config and/or stats)?