>For a teeny site I don't think I would have to worry about
>getting reverse DDoSed, or do I?

You do now that the whole list knows you run Guardian. :) Just kidding.

Actually, if you do use Guardian, set it up so it will only block shady things done through TCP. That way, you can be fairly sure that the attacker IP is not spoofed. TCP connect() scans are a good one to block on, and most format string vulnerabilities (just make sure it's not one that has a good chance of being a false positive).

I don't use anything like Guardian; I just make sure that all of my stuff is patched for the vulnerabilities that Snort looks for. As far as I'm concerned, I just get to collect more data for evidence by not blocking anything. :) And trust me, evidence comes in very handy, especially to Mr. FBI.
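An added example, not part of the original post or of Guardian itself: a filter that reads Snort "fast" alert lines and returns only the sources that meet the advice above (TCP alerts from rules chosen for blocking), with a never-block list so a forged alert cannot cut off a host you depend on. The SIDs, networks and alert lines are constructed assumptions.

```python
import ipaddress
import re

# Snort "fast" alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+.*?\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)

# Assumption: local-rule SIDs the operator has chosen to block on (constructed values).
BLOCKABLE_SIDS = {"1000001", "1000002"}
# Assumption: hosts that must never be blocked (gateway, own network).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.1/32", "198.51.100.0/24")]

def block_candidates(lines):
    """Return source IPs to hand to the blocker, in first-seen order."""
    picked = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue                      # not a fast-format alert line
        if m["proto"] != "TCP":
            continue                      # UDP/ICMP sources are trivially spoofed
        if m["sid"] not in BLOCKABLE_SIDS:
            continue                      # rule not approved for blocking
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue                      # malformed address in the log
        if any(src in net for net in NEVER_BLOCK):
            continue                      # blocking this would hurt us, not them
        if str(src) not in picked:
            picked.append(str(src))
    return picked

# Constructed sample alerts (documentation address ranges).
SAMPLE_ALERTS = [
    "03/14-10:01:02.123456 [**] [1:1000001:1] LOCAL TCP connect scan [**] [Priority: 2] {TCP} 203.0.113.7:40112 -> 198.51.100.10:22",
    "03/14-10:01:03.000001 [**] [1:1000002:1] LOCAL probe [**] [Priority: 2] {UDP} 203.0.113.9:53 -> 198.51.100.10:161",
    "03/14-10:01:04.000002 [**] [1:1000001:1] LOCAL TCP connect scan [**] [Priority: 2] {TCP} 192.0.2.1:1025 -> 198.51.100.10:80",
    "03/14-10:01:05.000003 [**] [1:1000099:1] LOCAL noisy rule [**] [Priority: 3] {TCP} 203.0.113.50:5555 -> 198.51.100.10:80",
    "03/14-10:01:06.000004 [**] [1:1000002:1] LOCAL format string attempt [**] [Priority: 1] {TCP} 203.0.113.8:4000 -> 198.51.100.10:21",
    "03/14-10:01:07.000005 [**] [1:1000001:1] LOCAL TCP connect scan [**] [Priority: 2] {TCP} 203.0.113.7:40113 -> 198.51.100.10:23",
]

if __name__ == "__main__":
    print(block_candidates(SAMPLE_ALERTS))
```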