Josh Trutwin wrote:
> I'm actually having some trouble trying to test this on some rules. I changed it to:
>
> and when I call http://trutwins.homeip.net/default.ida I get redirected to ms.com, but not when I call http://trutwins.homeip.net/cmd.exe

This looked like fun so I modified your matching somewhat (avoided full regexp's)... I have lots of examples in my logs to choose from...:

# redirect M$ IIS probes
RedirectMatch permanent ^/default.ida http://www.microsoft.com/
RedirectMatch permanent ^/_vti_bin http://www.microsoft.com/
RedirectMatch permanent ^/_mem_bin http://www.microsoft.com/
RedirectMatch permanent ^/scripts http://www.microsoft.com/
RedirectMatch permanent ^/msadc http://www.microsoft.com/
RedirectMatch permanent ^/MSADC http://www.microsoft.com/
RedirectMatch permanent ^/\x90 http://www.microsoft.com/
# send them to bill
# RedirectMatch permanent \.exe http://www.microsoft.com/
# send their message to bill
RedirectMatch permanent (.*\.exe.*) http://www.microsoft.com$1

So all this really accomplishes is it gives them a 301 instead of a 302... You still get cruft in your logs.

What I found amusing is that nearly ALL of the long URL probes (x90...) ALSO had probes on ports 1025 2745 3127 6129. Sure enough, google shows many people suspect this as a variant of MyDoom or Agobot/Gaobot.

--Tom
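The overlap described in the message above, between sources of the long `\x90` URL probes and sources probing ports 1025, 2745, 3127 and 6129, can be checked by joining the web server's access log against firewall logs. The following is an added example, not part of the original post; it assumes Apache's escaped `\x90` logging and iptables-style `SRC=`/`DPT=` firewall lines, and all log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# TCP ports the post reports being probed alongside the long \x90 URLs.
BACKDOOR_PORTS = {1025, 2745, 3127, 6129}

# Apache escapes non-printable request bytes, so the log holds the text "\x90".
WEB_PROBE = re.compile(r'^(\S+) .*?"\S+ /\\x90')
# Assumed firewall format: iptables LOG lines carrying SRC=, PROTO= and DPT=.
FW_HIT = re.compile(r'\bSRC=(\S+) .*\bPROTO=TCP\b.*\bDPT=(\d+)\b')

# Constructed sample logs using documentation address ranges.
ACCESS_LOG = r'''
192.0.2.10 - - [12/Apr/2004:03:14:01 -0500] "SEARCH /\x90\x90\x90\x90 HTTP/1.1" 414 340
198.51.100.7 - - [12/Apr/2004:03:20:44 -0500] "GET /default.ida?XXXX HTTP/1.0" 301 240
198.51.100.23 - - [12/Apr/2004:04:02:19 -0500] "SEARCH /\x90\x90\x90\x90 HTTP/1.1" 414 340
192.0.2.77 - - [12/Apr/2004:04:30:52 -0500] "SEARCH /\x90\x90\x90\x90 HTTP/1.1" 414 340
'''
FIREWALL_LOG = '''
Apr 12 03:14:07 gw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.1 PROTO=TCP SPT=4021 DPT=2745
Apr 12 03:14:08 gw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.1 PROTO=TCP SPT=4022 DPT=3127
Apr 12 03:21:10 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=1399 DPT=1025
Apr 12 04:02:25 gw kernel: IN=eth0 SRC=198.51.100.23 DST=203.0.113.1 PROTO=TCP SPT=2210 DPT=6129
Apr 12 04:31:00 gw kernel: IN=eth0 SRC=192.0.2.77 DST=203.0.113.1 PROTO=TCP SPT=3301 DPT=22
'''

def web_probe_sources(access_log):
    """Client addresses whose request path starts with the escaped \\x90 byte."""
    return {m.group(1) for line in access_log.splitlines()
            if (m := WEB_PROBE.match(line))}

def port_probes(firewall_log):
    """Map each source address to the set of listed ports it tried over TCP."""
    hits = defaultdict(set)
    for line in firewall_log.splitlines():
        m = FW_HIT.search(line)
        if m and int(m.group(2)) in BACKDOOR_PORTS:
            hits[m.group(1)].add(int(m.group(2)))
    return hits

def correlate(access_log, firewall_log):
    """For every \\x90 web prober, list which of the four ports it also hit."""
    ports = port_probes(firewall_log)
    return {ip: sorted(ports.get(ip, ()))
            for ip in sorted(web_probe_sources(access_log))}

if __name__ == "__main__":
    for ip, ports in correlate(ACCESS_LOG, FIREWALL_LOG).items():
        print(ip, ports or "web probe only")
```

A source that shows up with an empty port list sent the `\x90` request but none of the four port probes, which is the exception to the "nearly ALL" in the message.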