Hi,

I want to block a certain WWW bot called verticalpigeon; it is known
to scan for Joomla! installations. You can also trigger it through the
website manually. But the nice thing is, it says who it is:

 66.103.61.161 - - [05/Jun/2011:09:44:59 +0200]
"GET /index2.php?option=com_docman HTTP/1.0" 404 1928
"http://verticalpigeon.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows
NT 5.1; http://verticalpigeon.com/)"

So I thought I could block that bot after the first time it accesses
a website by just adding a rule matching the string
"http://verticalpigeon.com/"

The rule I created is: (local_rules.xml)

<rule id="100034" level="8">
    <match>http://verticalpigeon.com</match>
    <options>alert_by_email</options>
    <description>joomla scanner</description>
    <group>attacks,</group>
</rule>

But it just doesn't work.
Apache access_log and error_log are decoded fine.
As far as I understood, I don't need to escape : and / in the rule
above. What did I miss? 

Thanks.
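
A way to confirm, outside OSSEC, that the marker string is present in the Referer and User-Agent fields of the access-log line and to list the client addresses that sent it. This is an added example, not part of the original post and not OSSEC code; the function names and every sample line except the first are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

MARKER = "http://verticalpigeon.com"  # literal string used in the rule's <match>

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None

def find_scanner_hits(lines, marker=MARKER):
    """Yield (host, field, request) for lines whose Referer or User-Agent carries the marker."""
    needle = marker.lower()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not an access-log line (for example error_log output)
        for field in ("referer", "agent"):
            if needle in rec[field].lower():
                yield rec["host"], field, rec["request"]
                break  # report each line once, naming the first field that matched

def hosts_to_block(lines, marker=MARKER):
    """Unique client addresses that identified themselves with the marker."""
    return sorted({host for host, _, _ in find_scanner_hits(lines, marker)})

SAMPLE = [
    # Log line from the post, unwrapped onto one line
    '66.103.61.161 - - [05/Jun/2011:09:44:59 +0200] "GET /index2.php?option=com_docman HTTP/1.0" 404 1928 "http://verticalpigeon.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; http://verticalpigeon.com/)"',
    # Constructed: ordinary browser request, no marker
    '192.0.2.10 - - [05/Jun/2011:09:45:03 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Constructed: marker only in the User-Agent, empty Referer
    '198.51.100.7 - - [05/Jun/2011:09:46:10 +0200] "GET /index2.php?option=com_docman HTTP/1.0" 404 1928 "-" "Mozilla/4.0 (compatible; http://verticalpigeon.com/)"',
    # Constructed: error_log style line, which must be skipped rather than misparsed
    '[Sun Jun 05 09:44:59 2011] [error] [client 66.103.61.161] File does not exist: /var/www/index2.php',
]

if __name__ == "__main__":
    for host, field, request in find_scanner_hits(SAMPLE):
        print(f"{host}\t{field}\t{request}")
    print("block:", hosts_to_block(SAMPLE))
```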
