Hi Mark, Sure. Human eyes must evaluate the nature of the attack, and human eyes must evaluate the source location. For example, if the "attack" if some a DNS timeout issue with your DNS server, do you want to block that? Another example, if the "attack" is from another admin testing his "skills" from home, do you want to block that? Another example, the IDS is misconfigured, do you want to block what it says? Another example, a legit host is infected and cleaned. Now that host is blocked. Do you want to block that and then deal with connectivity issues when you forgot about your blocking filters or try to fish out the blocked host address from the thousands you your list? Harden your hosts, use Application and Web filters, never publish a Web site using an IP address, all the basic stuff. That's a lot more effective than blocking addresses willy nilly. YMMV, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 2:13 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Tom, Could you elaborate on this "intelligent address blocking"? Thanks. Mark _____ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 1:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Ni Brian, Nor should you. Blocking addresses that scan you is like shooting at cars that drive past your home and look at your windows and front door. :-) Be aware of the attempt, but you'll end up making a critical error sooner or later if you block addresses without putting some intelligence behind the block. HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder>