I have been reviewing a friends site data to get a break down on the traffic and who and when and where. One thing became apparent is that certain URL's just don't exist and especially ones that contain the word login that are neither a login URL or a URL that would allow a login.

eg.
Code:
/cms/?do=login
does not exist but
Code:
/?do=login
does but it is no longer a valid login URL method as that is to log in to the old CMS thats no longer in use but kept for posterity
Code:
/cms/admin/login.php
or just plain old
Code:
/cms/admin/
is a valid login URL for the new CMS.

My friends IP address seems to be static, even when he reboots his modem, the IP address is the same, so I can tell if the login attempt is valid. As I have no requirement to log in, I can fix my IP in a table so I can login when I do need to.

How would I "NOT" REGEXP?
Code:
SELECT * FROM `databasename`.`tablename` 
WHERE 
  `request_uri` REGEXP 'login' 
AND 
  `request_uri` REGEXP !='/cms/admin' 
OR 
  `request_uri` REGEXP !='/cms/admin/login.php'
is not right as I get an error on the syntax and TBH... I think it wouldn't work based on the logic so I need to assert some hierarchy in the selection.

The idea is to get a picture of how many hack attempts the site is getting and if the user is persistent or something like a zombie master trying to flood the server.

As this (in my mind) requires multiple queries, it needs a temp table or multiple queries joined in some way that produce the results I am looking for. I will be using this data to store in a table or update a table. The data is for me to determine and track people visiting, if they are a bot, possible bot etc.

Anyone got any ideas because SQL is not my thing.