How about creating an access list on your Inside interface, for traffic flowing from your internal network out to the Internet. Permit your internal mail servers to talk on smtp (port 25) outbound, and deny all other hosts. Then just look for the hosts that get DENYs on port 25.
You could/should also be looking at an IPS solution, either Cisco's or open source (eg. Snort.) I'd also suggest looking at BotHunter, which is a customized version of Snort thats tuned to -just- look for Bots.
Yes, an external syslog server is almost a requirement for log analysis, since the PIX/ASA will overwrite its internal log fairly quickly, and parsing logs via the CLI can be a pain. I'd highly suggest Cisco MARS here, but you could use any syslog collector (kiwi syslog, syslog-ng, etc)
Alternatively, you could use the logging functionality in ASDM, and just filter on DENY, or in the cli you can do "show logging | inc Deny"
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...