My first comment was not to block all the Tor exit nodes: the attacker will simply switch to an alternative route and we will lose visibility. In my opinion, it is better to flag the connection as a policy violation than to block it outright, because a plain block tells us nothing about the attacker's intentions and skills; all we get is a rejected connection.
So it is better to raise a warning that flags possible illegal activity and then correlate and track the attacker's movements across our infrastructure.
The comments above cover passive monitoring and information gathering, but we could put on our grey hat and do something a little bit evil to our attackers :)
What about sending some countermeasures back to the attacker, taking advantage of our position, given that the attacker is not aware he/she has been discovered?
Following this talk in Spanish presented by Roberto Martinez, I thought we could use ModSecurity to inject content into the pages when we detect someone connecting through Tor. This gives us the following possibilities:
- Inject a link that redirects them to our honeypot or, better, send them to a labyrinth to fool their tools and waste their time.
- Inject objects to de-anonymize the attacker.
- Drop back an exploit (not so ethical :D)?
Note: Searching on Google I found this directory that lists all the Tor exit nodes. Now we have all the tools to troll the script kiddies that want to attack our website.
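As an added example (not from the original post or the talk), here is how the "flag, don't block" detection step from the first comment could be expressed as ModSecurity v2 rules. It assumes the exit-node directory has been saved as a plain-text file at `/etc/modsecurity/tor_exits.txt` (one IP or CIDR per line, refreshed periodically); the rule ids, tag and environment variable name are my own choices.

```apache
# Added example: flag (do not block) requests arriving from known Tor exit nodes.
# Assumes /etc/modsecurity/tor_exits.txt holds one IP or CIDR per line.

# Initialise a per-client collection so we can count hits over time.
SecAction "id:1000099,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Match the client address against the exit-node list. 'pass' lets the request
# through; 'log' writes an audit entry so the SOC can correlate later activity.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/tor_exits.txt" \
    "id:1000100,phase:1,pass,log,\
    msg:'Request from Tor exit node',\
    tag:'policy/tor',\
    setvar:'tx.tor_client=1',\
    setvar:'ip.tor_seen=+1',\
    expirevar:'ip.tor_seen=86400'"

# Hand the flag to the application (environment variable name is an assumption)
# so it can tag the session and track the visitor's movements across the site.
SecRule TX:tor_client "@eq 1" \
    "id:1000101,phase:1,pass,nolog,\
    setenv:'TOR_CLIENT=1'"
```

Because the first rule uses `pass` rather than `deny`, the attacker sees a normal response while every request is recorded with the `policy/tor` tag and the per-IP counter, which is exactly the visibility that an outright block would throw away.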