It is a detecting attack tool for HTTP server such as Apache and Nginx. Analyzing access logs, output formated text as results.
To use shell pipelines easily, all I/O targets are STDIN, STDOUT and STDERR.
Ruby 1.9.x
$ ./detect-http-attack.rb < /var/log/nginx/access.log
Targets eight or more consecutive senquential access:
$ ./detect-http-attack.rb -s 8 < /var/log/apache/access_log
Regarded as senquential access within 3 seconds:
$ ./detect-http-attack.rb -i 3 < /var/log/apache/access_log
Notifying attacks whenever detecting them to STDERR, all results are output to a file.
$ tail -f /var/log/nginx/access.log | ./detect-http-attack.rb -n > attack.log
Uses Labeled Tab-separated Values (LTSV) format (http://ltsv.org/)
$ ./detect-http-attack.rb -ltsv < /var/log/apache/access_ltsv_log
Edit the default configuration file (detect_http_attack.conf) or specify another file.
$ ./detect-http-attack.rb -f another.conf < access_log
$ ./detect-http-attack.rb --help
Usage: detect_http_attack [options]
-ltsv Log type is LTSV
-n notify when detecting attack
-s COUNT Specify minimum sequential count
-i SECONDS Specify maximum interval seconds
-f CONFFILE Specify configuration file