What's the difference between blocking a host and a connection?

dlac455
Level 1

In the MC for IDS signature config screen, I see you can now block by host or connection. The help screens do not elaborate on the difference. Muchas gracias to anyone who can explain the difference. Thanks.

3 Replies

garyprice
Level 1

From what I have observed in our router logs and the actual ACL created on the router, it would appear that:

Shun host is a single IP, whereas shun connection would be a single host and the port.

Example ACL for the shun host option, created by the blocking process for the host:

access-list 110 deny tcp any host xxx.7.10.131

Example ACL for the shun connection option, created by the blocking process for the connection:

access-list 110 deny tcp any host xxx.7.10.131 eq 955

gprice

Gary hit it right on the head.

Block host shuns the attacker on all ports, whereas block connection blocks only on the attacked port and protocol.

peter

Some additional information:

A Shun Host (or Block Host) will deny the source IP address, in effect denying ALL IP packets from that address:

deny ip host 10.1.1.1 any

A Shun Connection (or Block Connection) will deny just the IP packets from the source IP address to the specific destination IP address and destination port (service):

deny tcp host 10.1.1.1 host 172.21.1.1 eq telnet

NOTE: It doesn't deny just that one connection, but instead denies all connections of that type to that destination address. You will notice that the source port is not in the deny statement, so all connections for that service from the source to the destination IP will be denied, rather than just the connection in which the attack was executed.

If a user executes a web attack against a web server, then all web connections from that user's IP to that specific server IP will be blocked. But the user can still send an email, or use telnet or FTP to that server, and can continue to make web connections to other IPs.

Something to be aware of, however, is that multiple Shun Connections for the same source IP to either different destination IPs or different destination ports will cause the Shun Connections to be upgraded to a Shun Host.

This is to prevent filling up the shun table with multiple Shun Connections from the same ip.

Also, multiple Shun Connections for the same IP usually mean that the IP is attacking multiple boxes or multiple services, which helps rule out the possibility of a false positive, and so the sensor blocks the entire IP by upgrading it to a Shun Host.
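As an added illustration of the behaviour described in this thread (not Cisco code and not the sensor's real implementation), the following Python models a shun table: a Shun Connection is keyed by source IP, destination IP, protocol and destination port (the source port is deliberately ignored, as noted above), a Shun Host covers every packet from the source, and repeated Shun Connections from one source are upgraded to a Shun Host. The upgrade threshold of 2 and the ACL number 110 are assumptions; the thread only says "multiple".

```python
from dataclasses import dataclass, field

# Assumption: the thread says "multiple" Shun Connections trigger the upgrade
# but gives no number, so two is used here.
HOST_UPGRADE_THRESHOLD = 2


@dataclass
class ShunTable:
    hosts: set = field(default_factory=set)        # source IPs shunned on all ports
    connections: set = field(default_factory=set)  # (src, dst, proto, dst_port)

    def shun_host(self, src):
        """Shun Host: deny all IP packets from src, superseding its connection shuns."""
        self.hosts.add(src)
        self.connections = {c for c in self.connections if c[0] != src}

    def shun_connection(self, src, dst, proto, port):
        """Shun Connection: deny src -> dst on one service; source port is not part of the key."""
        if src in self.hosts:
            return  # already covered by a Shun Host
        self.connections.add((src, dst, proto, port))
        # Same source shunned to several destinations/services: upgrade to Shun Host.
        if sum(1 for c in self.connections if c[0] == src) >= HOST_UPGRADE_THRESHOLD:
            self.shun_host(src)

    def is_denied(self, src, dst, proto, port):
        """Would a packet with these fields be dropped by the generated ACL?"""
        return src in self.hosts or (src, dst, proto, port) in self.connections

    def acl(self, number=110):
        """Render the table as Cisco ACL lines in the form quoted in the thread."""
        lines = [f"access-list {number} deny ip host {h} any" for h in sorted(self.hosts)]
        lines += [f"access-list {number} deny {p} host {s} host {d} eq {port}"
                  for s, d, p, port in sorted(self.connections)]
        return lines


def demo():
    """Constructed scenario: a web attack on one server, then a second on another server."""
    table = ShunTable()
    table.shun_connection("10.1.1.1", "172.21.1.1", "tcp", 80)
    # Only web traffic to that one server is denied; telnet to it is still allowed.
    first = table.acl()
    table.shun_connection("10.1.1.1", "172.21.1.2", "tcp", 80)
    # Second Shun Connection from the same source: upgraded to a Shun Host.
    return first, table.acl()


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```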
