And I quote:
"If you want to look at DoS attacks you might be better getting a dedicated solution for DoS and feed logs from that into Splunk. Packet capture on Splunk consumes a lot of a license. Sadly, at the moment Splunk's licensing model isn't geared up for things quite like this. You can also quite easily block the indexQueue." Drainy, 17th April. To which you asked what feature of tcpdump makes it suitable as an IDS? My answer above was a reply to a question asking about getting packet data into Splunk.
You need to go away and do some reading and research; you really cannot keep coming back and repeatedly asking questions about things that people have answered or tried to help you with. Also, please stop asking a question and, if you get no answer, posting the same question again with more detail. Simply edit your previous question; this will also bump it back to the top of the forum.
Finally, as a step up, here are some resources to go and read. If you have read and learnt about these topics, then please come and ask for more specific help. Asking if a DPI tool can detect DoS, or if a DoS is an intrusion, or in fact if a DPI is an IDS, shows a lack of understanding of the subject.
This is not an area you should take lightly or jump into. If you are looking at these tools and services then you clearly have a need for them, and so you should treat them as seriously as you require them, with some solid research and understanding.
After some reading hopefully you will be able to answer your own questions and then maybe come back with some other ones relating to how you can then use Splunk to enhance or improve visibility on these issues 🙂
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.windowsecurity.com/whitepapers/faq_network_intrusion_detection_systems_.html#1.10
http://en.wikipedia.org/wiki/Intrusion_detection_system