Security Basics mailing list archives

When does a scan attempt become a focused attack?


From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
Date: Tue, 21 Oct 2003 16:21:44 -0500

I recently set up snort to look for intrusions and am still learning to
sort out all of my alerts.  However, I have one that has caught my eye
this afternoon and wonder what to do...

The scan/attack started about 1/2 hour ago and is still continuing as I
type this out.  The snort box is Windows and the attacker is happily
trying all the basic attempts over and over.  The pattern looks very
deliberate.

Here are the exploits - 

http://www.snort.org/snort-db/sid.html?sid=1040
http://www.snort.org/snort-db/sid.html?sid=1002
http://www.snort.org/snort-db/sid.html?sid=1256
http://www.snort.org/snort-db/sid.html?sid=983
http://www.snort.org/snort-db/sid.html?sid=1286

We are at 150+ in 35 minutes.  Does it really do any good to report him?


Here is the whois data -
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net

What is the correct thing to do?

Jim Hunt
Certified Network & Systems Engineer
Northwestern School Corporation
Technology Services Manager
http://technology.nwsc.k12.in.us





