Hi Mike,
Perhaps the most important point here is that the script kiddies and/or bots usually make sure the target string, 'login' in your example, is *not* contained within a single packet. You can verify this with wireshark. In any case just be aware that your solution will likely not have the desired effect.
This is a decent read: http://spamcleaner.org/en/misc/w00tw00t.html Specifically the Conclusion section near the bottom.
I'm definitely going to try '-m string' providing the service provider can fix the problem.
I am not, as the article suggested, going to filter on a "28-byte string". If I was going to trap the http error 400 event 'w00tw00t.at.ISC.SANS', I would filter on port 80 for 'w00t' or '.at' or 'ISC' or 'SAN' because no web page name contains those strings. Having control over web page names brings some benefits :-)
In the current 4,000 to 6,000 daily hits, the lunatic uses
login.php contact.php forgotten_password.php
so I will filter port 80 traffic for that web site, now on its own IP, for
log con pas
because no web page name contains any of those 3-byte strings. The second defence is its own IP Table with 110 IP addresses. The lunatic has not added any new ones in the last 24 hours.
The longest packet recently rejected was 496 bytes (from another hacker) and the current lunatic's packets are 60 bytes. Optimistically I have a reasonable prospect of trapping the above 3-byte strings.
Thank you.
Paul.
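An added illustration (not from either message in the thread) of the two points raised above: `-m string` inspects each packet on its own, so a pattern split across two segments is never seen, and it reads the whole packet, not just the page name. The sample requests, the 7-byte segment size and the hostname are constructed.

```python
# Mimics iptables "-m string": each packet is inspected on its own, with no
# TCP stream reassembly.  All names and sample traffic here are constructed.
from typing import Iterable, List

PATTERNS = (b"log", b"con", b"pas")   # the 3-byte substrings from the thread


def iptables_rule(pattern: bytes, port: int = 80, chain: str = "INPUT") -> str:
    """Build the iptables command that drops packets to `port` carrying `pattern`."""
    return (f"iptables -A {chain} -p tcp --dport {port} "
            f"-m string --algo bm --string '{pattern.decode()}' -j DROP")


def packet_matches(payload: bytes, patterns: Iterable[bytes] = PATTERNS) -> bool:
    """Per-packet test: True only if some pattern lies wholly inside this payload."""
    return any(p in payload for p in patterns)


def split_into_packets(data: bytes, mss: int) -> List[bytes]:
    """Simulated TCP segmentation: chop a request into pieces of at most `mss` bytes."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def per_packet_hits(packets: List[bytes], patterns=PATTERNS) -> List[int]:
    """Indexes of the packets a per-packet string filter would drop."""
    return [i for i, pkt in enumerate(packets) if packet_matches(pkt, patterns)]


def stream_matches(packets: List[bytes], patterns=PATTERNS) -> bool:
    """What an inspector that reassembles the stream would see instead."""
    return packet_matches(b"".join(packets), patterns)


# Constructed sample traffic.
SCAN = b"GET /login.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# A legitimate request whose query string happens to contain "pas": the
# filter reads the whole packet, not just the page name, so it is dropped too.
LEGIT = b"GET /index.php?q=pasta HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(per_packet_hits([SCAN]))            # [0]: whole request in one packet
    pieces = split_into_packets(SCAN, 7)      # "GET /lo" | "gin.php" | ...
    print(per_packet_hits(pieces), stream_matches(pieces))   # [] True
    print(per_packet_hits([LEGIT]))           # [0]: collateral drop
    for p in PATTERNS:
        print(iptables_rule(p))
```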