
Creating log data from a suitable IDS to be used in Splunk for detecting DoS

Communicator

I would like to use Splunk to detect Denial of Service log anomalies. I used Wireshark as a source to get log data. I'm new to denial of service attacks and I would like to clarify.

First Question: Is Denial of Service considered an Intrusion?

If yes,
Second Question: So if Denial of Service is a form of intrusion, that means I have to use TCPDUMP to get log data, since it is an intrusion detection system, and not Wireshark, because Wireshark is not exactly an intrusion detection system? Is that right?

If yes,
Third Question: The log data that I would like to create would come from the packet data gotten from the intrusion detection system. Am I right to say that this log data in Splunk should contain fields based on the Common Information Model, such as signature, dvc, category, severity, src, dest, user, vendor, product, ids_type, under the Intrusion Detection category? Is that right?
So all this information I can get from the data that comes from the intrusion detection system, right?

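The mapping the third question asks about, as an added example that is not part of any post here: it takes IDS alert lines (constructed samples in a Snort-style "fast" alert layout, not real output from any product), maps them onto CIM Intrusion Detection fields such as signature, category, severity, src, dest, dvc, vendor, product and ids_type, renders them as key=value events that Splunk extracts at search time, and flags sources that generate repeated Denial of Service alerts. The device name, vendor/product values and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts in a Snort-style "fast" layout (not captured from a real sensor).
SAMPLE_ALERTS = """\
04/17-10:00:01.000000  [**] [1:100001:1] CONSTRUCTED SYN flood threshold exceeded [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:80
04/17-10:00:02.000000  [**] [1:100001:1] CONSTRUCTED SYN flood threshold exceeded [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:4445 -> 192.0.2.10:80
04/17-10:00:02.500000  [**] [1:100001:1] CONSTRUCTED SYN flood threshold exceeded [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:4446 -> 192.0.2.10:80
04/17-10:00:03.000000  [**] [1:200002:3] CONSTRUCTED web scan signature [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 198.51.100.7:51000 -> 192.0.2.10:443
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dest>[\d.]+):(?P<dport>\d+)$"
)

# Snort priority 1 is the most urgent; translate it into CIM's severity vocabulary.
PRIORITY_TO_SEVERITY = {"1": "critical", "2": "high", "3": "medium"}

def to_cim(line, dvc="ids01"):
    """Map one alert line onto CIM Intrusion Detection fields; None if it does not parse.
    dvc, vendor and product are assumed values for the (hypothetical) sensor."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "signature": m["msg"], "signature_id": m["sid"], "category": m["cls"],
        "severity": PRIORITY_TO_SEVERITY.get(m["pri"], "low"),
        "src": m["src"], "dest": m["dest"], "dest_port": int(m["dport"]),
        "transport": m["proto"].lower(), "dvc": dvc,
        "vendor": "example", "product": "example_ids", "ids_type": "network",
    }

def to_kv_event(fields):
    """Render as key="value" pairs, which Splunk extracts automatically at search time."""
    return " ".join(f'{k}="{v}"' for k, v in fields.items())

def dos_sources(events, min_alerts=3):
    """Sources with at least min_alerts alerts in a Denial of Service category (threshold assumed)."""
    counts = Counter(e["src"] for e in events if "Denial of Service" in e["category"])
    return {src: n for src, n in counts.items() if n >= min_alerts}

def parse_all(text):
    """Parse every line, silently skipping lines that are not alerts."""
    return [f for f in (to_cim(ln) for ln in text.splitlines()) if f]

if __name__ == "__main__":
    events = parse_all(SAMPLE_ALERTS)
    for e in events:
        print(to_kv_event(e))          # one Splunk-ready event per alert
    print("DoS-like sources:", dos_sources(events))
```

In production the key=value lines would be written to a file monitored by a Splunk forwarder, and the per-source count would be done in SPL over the indexed events rather than in Python.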

Champion

And I quote;
"If you want to look at DoS attacks you might be better getting a dedicated solution for DoS and feed logs from that into Splunk. Packet capture on Splunk consumes A LOT of a license. Sadly, at the moment Splunk's licensing model isn't geared up for things quite like this. You can also quite easily block the indexQueue." Drainy, 17th April. To which you asked what feature of TCPDUMP makes it suitable as an IDS? My answer above was a reply to a question asking about getting packet data into Splunk.

You need to go away and do some reading and research; you really cannot keep coming back and repeatedly asking questions about things that people have answered or tried to help you with. Also, please stop asking a question and, if you get no answer, posting the same question again but with more detail. Simply edit your previous question; this will also bump it back to the top of the forum.

Finally, as a step up, here are some resources to go and read; if you have read and learnt about these topics then please come and ask for more specific help. Asking if a DPI tool can detect DoS, or if a DoS is an intrusion, or in fact if a DPI is an IDS, shows a lack of understanding of the subject.
This is not an area you should take lightly or jump into; if you are looking at these tools and services then you clearly have a need for them, and so you should treat them as seriously as you require them, with some solid research and understanding.

After some reading, hopefully you will be able to answer your own questions, and then maybe come back with some other ones relating to how you can then use Splunk to enhance or improve visibility on these issues 🙂

http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.windowsecurity.com/whitepapers/faqnetworkintrusiondetectionsystems_.html#1.10
http://en.wikipedia.org/wiki/Intrusion_detection_system

Legend
  1. No, not really.
  2. No, tcpdump is not an intrusion detection system, nor is Wireshark.
  3. Does not apply as your first two assumptions are false.