by Alexander Thomas (aka Dr. Lex)
This is a simple Perl script that analyses a set of existing Apache2-style web server logs and reports cases where a remote host appears to be performing a denial-of-service (DoS) attack. I mainly created it to find appropriate parameters for configuring mod_evasive.
While doing so, I found out that mod_evasive does not work the way many seem to assume. The script can either mimic the real way in which mod_evasive works (where the interval timer is reset upon every request, so the count keeps growing for as long as consecutive requests arrive less than one interval apart), or the way in which one would expect it to work from its confusing documentation (where requests are counted within a sliding time window, so a host is only flagged when more than the threshold number of requests fall inside one interval).
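To make the difference between the two counting models concrete, here is an added example that is not part of log-dos-finder and not the project's Perl code: a small Python implementation of both models run over constructed Apache combined-format log lines. The parameter names `interval` and `threshold`, the helper names, and the sample hosts and URLs are all assumptions made for the example; the reset-on-every-request logic follows the description above rather than mod_evasive's source.

```python
"""Reset-on-request counting versus a true sliding window, run over
constructed Apache combined-format log lines.  Added example; it is not
the log-dos-finder script and does not reproduce mod_evasive's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [timestamp] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (host, epoch seconds) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), APACHE_TS)
    return m.group("host"), ts.timestamp()


def reset_on_request(events, interval, threshold):
    """Counting as described above for mod_evasive: the timer restarts at
    every request, so a host's count is only reset when two consecutive
    requests are at least `interval` seconds apart.  A host is flagged when
    a request arrives within the interval while its count is already at
    `threshold`.  Returns {host: epoch of first flagged request}."""
    state = {}    # host -> (time of last request, count since last reset)
    flagged = {}
    for host, t in events:
        last, count = state.get(host, (None, 0))
        if last is not None and t - last < interval:
            if count >= threshold and host not in flagged:
                flagged[host] = t
        else:
            count = 0
        state[host] = (t, count + 1)
    return flagged


def sliding_window(events, interval, threshold):
    """What the documentation suggests: flag a host when more than
    `threshold` requests fall inside any `interval`-second window."""
    windows = defaultdict(deque)   # host -> timestamps in the current window
    flagged = {}
    for host, t in events:
        w = windows[host]
        while w and t - w[0] >= interval:
            w.popleft()
        w.append(t)
        if len(w) > threshold and host not in flagged:
            flagged[host] = t
    return flagged


def analyse(lines, interval=2, threshold=5):
    """Parse the lines, order them by time and run both models."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])   # stable: ties keep log order
    return {"reset": reset_on_request(events, interval, threshold),
            "window": sliding_window(events, interval, threshold)}


def make_sample_log():
    """Constructed sample log (not real traffic).  10.0.0.1 requests one
    page once per second for 12 s: never more than two requests in any
    2-second window, but never a gap of 2 s either.  10.0.0.2 fires eight
    requests within a single second."""
    fmt = '{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 512'
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=i)).strftime(APACHE_TS)
        lines.append(fmt.format(ip="10.0.0.1", ts=ts, url="/index.html"))
    ts = (base + timedelta(seconds=5)).strftime(APACHE_TS)
    for i in range(8):
        lines.append(fmt.format(ip="10.0.0.2", ts=ts, url="/search?q=%d" % i))
    return lines


if __name__ == "__main__":
    for model, hosts in analyse(make_sample_log()).items():
        print(model, {h: datetime.fromtimestamp(t, timezone.utc).isoformat()
                      for h, t in hosts.items()})
```

With interval 2 s and threshold 5, the burst from 10.0.0.2 is flagged by both models, but the steady one-request-per-second host is flagged only by the reset-on-request model, at its sixth request: the sliding window never holds more than two of its requests. That is exactly the case where tuning mod_evasive's parameters against the wrong mental model leads to surprises.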
The script is hosted on GitHub. You can download a zip or tarball of the latest release, or just get the script straight from the repository.
You can run the script in any way you want, but the most convenient is probably to place it somewhere in your shell's PATH, such as /usr/local/bin/, and make sure it has executable permissions.
Usage is pretty straightforward. Run the script with the -h argument to see how to invoke it and what options are available.
log-dos-finder is released under the Apache 2.0 License. See the GitHub repository for more details.