Summary of suggested comments on defeating Nimda probes follows. Lincoln Dale's comments were cc'd to the list, but I've included fragments here anyway just to keep them together with the other bits. Thanks!

Three people suggested using NBAR on Cisco routers, along these lines:

  http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

One person suggested the following config fragment for F5's Big/IP switches:

  rule block_nimda {
    if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
      discard
    } else {
      use ( server_pool )
    }
  }

with the proviso that adjustments might be required if those URL patterns are too general for your purposes. Users of Big/IP versions prior to 4.0 (which don't support "discard") can route the connections to a dummy pool instead.

One person was using a Nortel/Alteon switch to redirect all traffic to a CacheFlow client accelerator, then using pattern matching on the CacheFlow box to prevent the traffic reaching the origin servers.

Lincoln suggested the following for the Cisco Content Engine and Content Services Switch:

Cisco Content Engine:

  rule enable
  rule block url-regex http://.*/cmd\.exe
  rule block url-regex http://.*/root\.exe

Cisco CSS11K (Content Services Switch):

  service dummy
    ip address 10.1.1.1
    keepalive type none
    active
  !
  header-field-group cmd.exe
    header-field cmd.exe request-line contain "cmd.exe"
  header-field-group root.exe
    header-field root.exe request-line contain "root.exe"
  !
  content block_cmd.exe
    protocol tcp
    port 80
    url "/*"
    header-field-rule cmd.exe
    add service dummy
    active
  content block_root.exe
    protocol tcp
    port 80
    url "/*"
    header-field-rule root.exe
    add service dummy
    active

Lincoln also pointed out that the CSS and CE configs above will prevent the client's TCP SYN from reaching the server (the devices accept the TCP session themselves and receive the HTTP headers before deciding whether to pass the request on to the servers). NBAR, by contrast, will only match the HTTP headers on TCP sessions that have already been successfully established with the server ("delayed binding").
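To make the difference between the suggested match rules concrete, here is an added example (not from the original post or any of the vendors) that models the F5 rule and the CSS/CE content rules as plain functions and runs both over a handful of constructed request lines. The sample URIs, the policy names and the function names are assumptions for illustration.

```python
import re
from typing import Callable, Dict, List

# Constructed sample request lines (not captured traffic): the first three
# carry the probe strings the post's filters key on, the last two are benign.
SAMPLE_REQUESTS: List[str] = [
    "GET /scripts/root.exe HTTP/1.0",
    "GET /c/cmd.exe HTTP/1.0",
    "GET /msadc/root.exe HTTP/1.0",
    "GET /scripts/app.asp HTTP/1.0",  # a legitimate page under /scripts
    "GET /index.html HTTP/1.0",
]

def request_uri(request_line: str) -> str:
    """Return the request-URI field of a 'METHOD URI VERSION' request line."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]

def f5_rule_blocks(request_line: str) -> bool:
    """Model of the Big/IP rule: discard if http_uri starts_with "/scripts"
    or contains "root.exe"; everything else goes to the server pool."""
    uri = request_uri(request_line)
    return uri.startswith("/scripts") or "root.exe" in uri

# The CSS header-field rules test the request-line for these two substrings;
# the Content Engine url-regex rules look for the same two file names.
CSS_PATTERNS = [re.compile(r"cmd\.exe"), re.compile(r"root\.exe")]

def css_rule_blocks(request_line: str) -> bool:
    """Model of the CSS content rules: route to the dummy service on any match."""
    return any(p.search(request_line) for p in CSS_PATTERNS)

POLICIES: Dict[str, Callable[[str], bool]] = {"f5": f5_rule_blocks, "css": css_rule_blocks}

def compare_policies(requests: List[str]) -> Dict[str, Dict[str, bool]]:
    """Map each request-URI to the block decision (True = blocked) of every policy."""
    return {request_uri(r): {name: fn(r) for name, fn in POLICIES.items()} for r in requests}

def disagreements(requests: List[str]) -> List[str]:
    """URIs where the policies differ: the "/scripts" prefix rule over-matches a
    legitimate /scripts page, and as written it passes a cmd.exe probe outside /scripts."""
    table = compare_policies(requests)
    return [uri for uri, votes in table.items() if len(set(votes.values())) > 1]

if __name__ == "__main__":
    for uri, votes in compare_policies(SAMPLE_REQUESTS).items():
        print(f"{uri:20} " + "  ".join(f"{k}={'block' if v else 'pass'}" for k, v in votes.items()))
```

Running it shows why the post says the URL patterns may need adjusting: the two benign-looking disagreements are exactly the cases a site would tune one way or the other.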