September 10th, 2002, 07:08 PM
#1
Response
Hey good people. After some searching (including Ennis' Newbie FAQ - great read), I decided to post this for myself and all others new to Security. I would like to have some recommendations on response to the information gathering stage of hacking. Basically, I would like to have some suggestions on what to do when your external IDS picks up scans on a block of about 30 or so IP addresses for things like the SubSeven backdoor trojan. I know that there is not much that you can do if the packets were dropped and nothing came of it immediately, but are there any recommendations for stopping any further activity, even if the initial occurrence was not actually intrusive? One thing I have picked up on is looking the attacker's IP up on ARIN and getting in touch with the point of contact for that block of IPs. I also usually do a Neo Trace on them to get an idea where they may be. Of course, they could be using someone else's machine as a zombie, but you get the idea. I was thinking about putting together a simple database/spreadsheet tracking probes and scans from different IPs just to get an idea of who is really trying to get in. Are there any other suggestions for this? What tactics do you guys use? I would definitely like to be proactive in protecting the network. I see no point in waiting around for something to be hacked. I want to remain productive. I appreciate any suggestions, guys and gals.
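One way to start the probe-tracking record the post describes, as an added example that is not part of the original thread: it parses constructed Snort-style "fast" alert lines (sample values, not real traffic) and labels each source IP as a horizontal sweep of the block, a vertical scan of one host, or a lone probe, which is the per-source view worth keeping in the spreadsheet or looking up on ARIN.

```python
import re
from collections import defaultdict

# Constructed Snort "fast"-style alert lines, not real traffic. Addresses come
# from documentation ranges; 27374 is the default SubSeven backdoor port.
SAMPLE_ALERTS = """\
09/10-19:01:02.100000 [**] [1:103:7] BACKDOOR subseven 22 [**] [Priority: 2] {TCP} 198.51.100.7:4123 -> 203.0.113.1:27374
09/10-19:01:02.300000 [**] [1:103:7] BACKDOOR subseven 22 [**] [Priority: 2] {TCP} 198.51.100.7:4124 -> 203.0.113.2:27374
09/10-19:01:02.500000 [**] [1:103:7] BACKDOOR subseven 22 [**] [Priority: 2] {TCP} 198.51.100.7:4125 -> 203.0.113.3:27374
09/10-19:01:02.700000 [**] [1:103:7] BACKDOOR subseven 22 [**] [Priority: 2] {TCP} 198.51.100.7:4126 -> 203.0.113.4:27374
09/10-19:01:02.900000 [**] [1:103:7] BACKDOOR subseven 22 [**] [Priority: 2] {TCP} 198.51.100.7:4127 -> 203.0.113.5:27374
09/10-19:04:10.000000 [**] [1:1000001:1] SCAN generic portscan [**] [Priority: 3] {TCP} 192.0.2.44:51000 -> 203.0.113.9:21
09/10-19:04:10.100000 [**] [1:1000001:1] SCAN generic portscan [**] [Priority: 3] {TCP} 192.0.2.44:51001 -> 203.0.113.9:23
09/10-19:04:10.200000 [**] [1:1000001:1] SCAN generic portscan [**] [Priority: 3] {TCP} 192.0.2.44:51002 -> 203.0.113.9:80
09/10-19:30:00.000000 [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.99 -> 203.0.113.12
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::\d+)?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$")

def parse_alerts(text):
    """Yield one dict per well-formed alert line; anything else is skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_sources(alerts, horizontal_min=5, vertical_min=3):
    """Group alerts by source IP and give each source a coarse scan-pattern label."""
    by_src = defaultdict(lambda: {"hits": 0, "hosts": set(), "ports": set(), "sigs": set()})
    for a in alerts:
        s = by_src[a["src"]]
        s["hits"] += 1
        s["hosts"].add(a["dst"])
        s["sigs"].add(a["msg"])
        if a["dport"]:                        # ICMP alerts carry no port
            s["ports"].add(int(a["dport"]))
    for s in by_src.values():
        if len(s["hosts"]) >= horizontal_min:
            s["pattern"] = "horizontal scan"  # one service swept across the block
        elif len(s["hosts"]) == 1 and len(s["ports"]) >= vertical_min:
            s["pattern"] = "vertical scan"    # several ports on one host
        else:
            s["pattern"] = "single probe"
    return dict(by_src)

if __name__ == "__main__":
    for src, s in summarize_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, s["pattern"], s["hits"], sorted(s["hosts"]), sorted(s["ports"]))
```

Feeding real alert logs through the same two functions gives one row per source IP, which is the starting point for the per-IP tracking the post proposes; the thresholds are assumptions to tune for your own block size.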