Limiting concurrent connections from a particular host to a particular host on a particular port?

I am trying to find a way to stop port scans or DoS type activities from within the network to external resources so I can reduce the number of abuse complaints. While I know there are numerous tools with iptables or with Snort/Suricata that can allow you to track the # of connections by source OR destination, I haven't figured out a way to do BOTH. For example, it would probably be normal activity if a particular host was making 50 outbound port 80 connections to various hosts on the Internet, but it might not be so if those 50 connections were going to one particular host in a short period of time. Has anyone encountered this issue before and have any suggestions on how to proceed? Thanks!