{"id":17664463,"url":"https://github.com/tilfin/detect-http-attack","last_synced_at":"2025-05-07T23:38:49.552Z","repository":{"id":6846076,"uuid":"8094687","full_name":"tilfin/detect-http-attack","owner":"tilfin","description":"Detecting attack tool for HTTP server such as Apache and Nginx.","archived":false,"fork":false,"pushed_at":"2013-12-22T12:35:57.000Z","size":220,"stargazers_count":11,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-02-26T05:41:32.881Z","etag":null,"topics":["attack-detection","http-logs","nginx-log","ruby"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tilfin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-02-08T14:20:08.000Z","updated_at":"2025-02-20T10:01:19.000Z","dependencies_parsed_at":"2022-08-06T20:00:47.939Z","dependency_job_id":null,"html_url":"https://github.com/tilfin/detect-http-attack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tilfin%2Fdetect-http-attack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tilfin%2Fdetect-http-attack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tilfin%2Fdetect-http-attack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tilfin%2Fdetect-http-attack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tilfin","download_url":"https://codeload.github.com/tilfin/detect-http-attack/tar.gz/refs/head
s/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243042925,"owners_count":20226722,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-detection","http-logs","nginx-log","ruby"],"created_at":"2024-10-23T20:05:30.206Z","updated_at":"2025-03-11T13:32:04.696Z","avatar_url":"https://github.com/tilfin.png","language":"Ruby","readme":"Detect HTTP attack\n==================\n[![Build Status](https://travis-ci.org/tilfin/detect-http-attack.png?branch=master)](https://travis-ci.org/tilfin/detect-http-attack) [![Coverage Status](https://coveralls.io/repos/tilfin/detect-http-attack/badge.png?branch=master)](https://coveralls.io/r/tilfin/detect-http-attack?branch=master)\n\nIt is an attack detection tool for HTTP servers such as Apache and Nginx.\nIt analyzes access logs and outputs formatted text as results.\n\nTo use shell pipelines easily, all I/O targets are STDIN, STDOUT and STDERR.\n\nPrerequisites\n-------------\nRuby 1.9.x\n\nInstallation\n------------\n\n    $ git clone https://github.com/tilfin/detect-http-attack.git\n    $ cd detect-http-attack\n\nQuick Start\n-----------\n\n### Analyze access log:\n\n    $ ./detect-http-attack.rb \u003c /var/log/nginx/access.log\n\nTarget eight or more consecutive sequential accesses:\n\n    $ ./detect-http-attack.rb -s 8 \u003c /var/log/apache/access_log\n\nRegard accesses within 3 seconds as sequential:\n\n    $ ./detect-http-attack.rb -i 3 \u003c /var/log/apache/access_log\n\n### Notify attack while tailing access log:\n\nAttacks are reported to STDERR as they are detected, while all results are 
output to a file.\n\n    $ tail -f /var/log/nginx/access.log | ./detect-http-attack.rb -n \u003e attack.log\n\n### Supports LTSV Format:\n\nHandles logs in Labeled Tab-separated Values (LTSV) format (http://ltsv.org/)\n\n    $ ./detect-http-attack.rb -ltsv \u003c /var/log/apache/access_ltsv_log\n\n### Settings and customizing the output template:\n\nEdit the default configuration file (detect_http_attack.conf) or specify another file.\n\n    $ ./detect-http-attack.rb -f another.conf \u003c access_log\n\nRefer to detect_http_attack.conf for details of the template settings.\n\n### Usage:\n\n    $ ./detect-http-attack.rb --help\n    Usage: detect_http_attack [options]\n        -ltsv                            Log type is LTSV\n        -n                               notify when detecting attack\n        -s COUNT                         Specify minimum sequential count\n        -i SECONDS                       Specify maximum interval seconds\n        -f CONFFILE                      Specify configuration file\n\n\nExample\n-------\n\nDetected attack result.\n\n    $ ./detect_http_attack.rb \u003c /var/log/nginx/access.log\n    10.128.192.255   15   Mozilla/3.0 (windows)\n    2012-12-20T08:25:28+09:00       200     /admin/phpmyadmin/scripts/setup.php     -\n    2012-12-20T08:25:28+09:00       200     /wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php  -\n    2012-12-20T08:25:28+09:00       200     /mysql/scripts/setup.php        -\n    2012-12-20T08:25:28+09:00       200     /phpmyadmin2/scripts/setup.php  -\n    2012-12-20T08:25:28+09:00       200     /pma/scripts/setup.php  -\n    2012-12-20T08:25:28+09:00       200     /phpmyadmin/scripts/setup.php   -\n    2012-12-20T08:25:28+09:00       200     /myadmin/scripts/setup.php      -\n    2012-12-20T08:25:28+09:00       200     /phpMyAdmin/scripts/setup.php   -\n    2012-12-20T08:25:28+09:00       200     /admin/scripts/setup.php        -\n    2012-12-20T08:25:28+09:00       200     
/wordpress/wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php        -\n    2012-12-20T08:25:28+09:00       200     /blog/wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php     -\n    2012-12-20T08:25:28+09:00       200     /sql/scripts/setup.php  -\n    2012-12-20T08:25:28+09:00       200     /blog/phpMyAdmin/scripts/setup.php      -\n    2012-12-20T08:25:28+09:00       200     /wp/wp-content/plugins/wp-phpmyadmin/phpmyadmin/scripts/setup.php       -\n    2012-12-20T08:25:28+09:00       200     /scripts/setup.php      -\n\n\nSettings\n--------\n\n### Excludes\n\nTargets excluded from monitoring\n\n#### Host\n    exc_hosts=127.0.0.1,localhost\n\nIt is a comma-separated list of hosts.\n\n#### User-Agent\n    exc_ua_match=bot|google\n\nIt is a case-insensitive regular expression.\n\n#### Path\n    exc_path_match=\\.(html|js|css|jpg|gif|png|ico)$\n\nIt is a regular expression.\n\n### Output Format\n\n#### DateTime\n    date_format=%Y-%m-%dT%H:%M:%S\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftilfin%2Fdetect-http-attack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftilfin%2Fdetect-http-attack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftilfin%2Fdetect-http-attack/lists"}