There are no conventional rulesets as such. The 400 code I mentioned is produced by the IIS server itself.
The IIS server itself rejects anything with an IP. You need to add the IP as a host if you want to accept an IP Host access (or, of course, set it to accept all Hosts on the IP).
In place of htaccess I use "home made" trap software. It picks up most things that most sites experience plus a few that are unique to some of my own sites. It's currently undergoing a major re-write, the fourth in eight years, to streamline it.
The 400 code plus a few lines of header was returned to me when I accessed it through Sam Spade. Through a web browser the page shows "Bad Request (Invalid Hostname)".
Unwanted activity is down a bit during weekends. Hopefully (if the attacker is still out there) my addition to the trapping software will show something in a few days time.