Originally Posted by baldur2630
I have no idea what they are looking for
Joomla exploits mostly and quite old. The ones I searched for are 2009-ish and as such have been in the Snort Emerging Threats
rule set for some time. The fact queries get a 403 or 404 is good but is a good sign but it's always better to ensure
you're not running a stale installation or plugins of anything accessible through the web stack (in short: know what you run
). If you're serious about blocking this, remember web servers see a lot of noise, then I agree anything that blocks (near-) real time would be more efficient than something that runs checks every n cycles, see http://blog.spiderlabs.com/2011/11/m...dentified.html
for some leads.