Snort mailing list archives

Just one rule


From: "Marcin Krawiec" <cravietz () fdcservers net>
Date: Tue, 2 Dec 2003 00:54:35 -0600

Hi,
I have a 100 mbps line which is behind a firewall that also runs snort+snortsam. Currently snort catches lots of abusive 
types of traffic i.e. network scans, some sort of remote exploit attempts etc. But sometimes that network is 
experiencing one of these DDoS attacks aimed at one IP inside my network and usually it's being hit so hard that it 
takes the whole network down. Snort sometimes detects such attacks as "Bad traffic", other times as something else. So I 
was wondering if there is any universal script/rule for snort that detects when only one IP is under constant attack 
and then alerts Snortsam which later triggers the firewall to block this particular IP inside my network that is being 
attacked. I'd appreciate any help.
Marcin
