Firewall software enhancement suggestion

I manage an Internet-facing PIX firewall for an external customer which logs all denied traffic for later analysis. Thus, I see that a high percentage of the denied traffic is repetitive scans either for destination ports with known vulnerabilities, or just general port scans. My suggestion is to add a shun operation to the access-list command similar to the existing permit and deny operations, e.g.:

/* shun any IP that attempts to connect to tcp/139 */
access-list outside_access_in shun tcp any any eq netbios-ssn

/* shun any IP that attempts to connect to an IP not assigned to a server */
access-list outside_access_in shun tcp any object-group unassigned_IPs any
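Until such an access-list action exists, the same policy can be applied from the logs the post describes: parse the ACL-deny messages, pick out sources that hit the trigger port or an address with no server behind it, and emit PIX `shun` commands for review. The script below is an added example, not the poster's code or anything from Cisco; it assumes syslog lines in the shape of the PIX 106023 "Deny ... by access-group" message, and the sample log, the `198.51.100.192/26` "unassigned" block and the `TRIGGER_PORTS` set are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of PIX 106023 ACL-deny messages (not real traffic).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4456 dst inside:198.51.100.10/139 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4457 dst inside:198.51.100.11/139 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4458 dst inside:198.51.100.12/139 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:198.51.100.10/445 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.20/3001 dst inside:198.51.100.200/80 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.20/3002 dst inside:198.51.100.201/80 by access-group "outside_access_in"
%PIX-4-106023: Deny udp src outside:203.0.113.30/1000 dst inside:198.51.100.10/53 by access-group "outside_access_in"
"""

# Policy mirroring the two proposed rules: a hit on tcp/139, or a hit on an address
# in a block with no server assigned (the block here is a constructed example value).
TRIGGER_PORTS = {139}
UNASSIGNED = [ip_network("198.51.100.192/26")]

# Fields of the 106023 message: protocol, src iface:ip/port, dst iface:ip/port, ACL name.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per ACL-deny line; lines that do not match are ignored."""
    records = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def shun_candidates(records, trigger_ports, unassigned_nets, min_hits=1):
    """Map each source IP that matched a proposed shun rule to a count per reason.

    min_hits=1 reproduces the proposal (shun on the first attempt); a higher value
    tolerates a stray packet before a source is listed.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["proto"] != "tcp":          # both proposed rules are tcp-only
            continue
        if r["dport"] in trigger_ports:
            hits[r["src"]]["tcp/%d" % r["dport"]] += 1
        if any(ip_address(r["dst"]) in net for net in unassigned_nets):
            hits[r["src"]]["unassigned-dst"] += 1
    return {src: dict(reasons) for src, reasons in hits.items()
            if sum(reasons.values()) >= min_hits}


def shun_commands(candidates):
    """Render one PIX 'shun <src_ip>' line per candidate, in address order for review."""
    return ["shun %s" % src for src in sorted(candidates, key=ip_address)]


if __name__ == "__main__":
    cands = shun_candidates(parse_denies(SAMPLE_LOG), TRIGGER_PORTS, UNASSIGNED)
    for src, reasons in cands.items():
        print(src, reasons)
    print("\n".join(shun_commands(cands)))
```

Review the output before pasting it into the firewall: a shun entry blocks every packet from that source, so a spoofed scan of tcp/139 from a partner's address would otherwise cut that partner off, which is the same caveat an automatic shun action in the ACL would carry.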

ultimotion
