Thanks Nebulus200,
I've used Port Sentry for years and love it. Question: will portsentry detect a TCP DoS attack on port 80? It's great for port scans and IIS exploit scripts.

Back to my question....

LogCheck works on the same theory as my script does.

grep -i -f $exploit_list    # scans log files for exploits
grep -v $false_positive     # removes false positives
Then mails the results to the admin.

LogCheck doesn't focus on PHP exploits, which is what I am concerned about. I need something that is more for Apache log scanning than syslog. I was thinking about separating the exploit tests into different colors. Like IIS exploits could be green. That way, when I get my results, everything would be color coordinated. I would know who is attacking my server, but I would also know what severity it is.
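
The approach described in the post above (match an Apache access log against exploit patterns, drop false positives, tag each hit by category and colour), as an added example that is not the poster's script. The patterns, the red colour for PHP, the addresses and the log lines are constructed for illustration; only green for IIS comes from the post.

```shell
#!/bin/sh
# Added example: patterns, colours, addresses and log lines are constructed.

# Requests matching this are dropped after matching (the grep -v step).
# Assumption: an in-house scanner on a documentation-range address.
FALSE_POSITIVES='^192\.0\.2\.10 '

# scan_category NAME ANSI_COLOUR REGEX LOGFILE
# Prints each matching request prefixed with its category, in that colour.
scan_category() {
    grep -E -i -e "$3" "$4" | grep -E -v -e "$FALSE_POSITIVES" |
    while IFS= read -r line; do
        printf '\033[%sm[%s] %s\033[0m\n' "$2" "$1" "$line"
    done
}

# One call per category: green (32) for IIS probes, red (31) for PHP probes.
scan_log() {
    scan_category IIS 32 'cmd\.exe|root\.exe|default\.ida' "$1"
    scan_category PHP 31 '\.php\?[^ "]*=(https?|ftp)://|\.php\?[^ "]*\.\./' "$1"
}

# Constructed sample of Apache combined-format log lines.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [10/Oct/2004:13:55:36 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
198.51.100.9 - - [10/Oct/2004:13:56:01 -0700] "GET /index.php?page=http://example.invalid/x.txt HTTP/1.1" 200 512 "-" "-"
203.0.113.4 - - [10/Oct/2004:13:57:12 -0700] "GET /index.php?page=news HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Oct/2004:13:58:44 -0700] "GET /view.php?file=../../etc/passwd HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [10/Oct/2004:13:59:02 -0700] "GET /SCRIPTS/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 290 "-" "-"
EOF
}

log=$(mktemp)
write_sample_log "$log"
scan_log "$log"      # pipe this output into mail(1) to send the report to the admin
rm -f "$log"
```

The colour escapes render in a terminal; in a mailed report the `[IIS]` / `[PHP]` prefix still carries the category.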