No. You would be correct in identifying it as traffic attempting to go to port 514 being denied at your router. IIRC, the 100-series ACLs on Ciscos (this looks like the log format from a Cisco, am I correct?) are purely port and protocol based. Assuming anything about the intent of the traffic without a bunch more data would be unwise.

Toby

On Tue, 16 Oct 2001, Heidi wrote:

> By noting UDP port 514 in this log, would I be correct in identifying it as
> a Syslog buffer overflow attack?
>
> Oct 16 08:08:32 rt0 10588: rd20h: %SEC-6- IPACCESSLOGP: LIST 102 denied udp
> 195.16.163.6(1094)->external.server(514), 2 packets
> Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp
> 195.16.174.10(2976) -> external server(514), 1 packet
> Oct 16 08:34:33 rt0 10629: rd11h: #SEC-6-IPACCESSLOGP: list 102 denied udp
> 195.16.174.10 (2976) -> external.server (514), 1 packet
>
> Thank you,
> Heidi Henry
> mcps@private
>
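
Added example, not part of the original thread: a small Python parser for %SEC-6-IPACCESSLOGP lines that tallies packets per source for each (action, protocol, destination port). It reports only what the ACL log records (list, protocol, addresses, ports, packet count), which is all these lines can tell you. The sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Body of a %SEC-6-IPACCESSLOGP message. Tolerant of the case and spacing
# variations that appear when these lines are re-wrapped in mail.
ACL_RE = re.compile(
    r"IPACCESSLOGP:\s*list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+?)\s*\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>.+?)\s*\((?P<dport>\d+)\),\s*(?P<pkts>\d+)\s+packets?",
    re.IGNORECASE,
)

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE = """\
Oct 16 08:08:32 rt0 101: 4d10h: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.6(1094) -> 198.51.100.20(514), 2 packets
Oct 16 08:16:23 rt0 102: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.10(2976) -> 198.51.100.20(514), 1 packet
Oct 16 08:34:33 rt0 103: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.10 (2976) -> 198.51.100.20 (514), 1 packet
Oct 16 08:40:01 rt0 104: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 192.0.2.77(40112) -> 198.51.100.20(23), 1 packet
Oct 16 08:41:00 rt0 105: 4d11h: %SYS-5-CONFIG_I: Configured from console
"""


def parse_line(line):
    """Return the ACL log fields as a dict, or None for any other message."""
    m = ACL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["action"] = rec["action"].lower()
    rec["proto"] = rec["proto"].lower()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Map (action, proto, dst port) -> {source address: total packets}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec["action"], rec["proto"], rec["dport"])
            summary[key][rec["src"]] += rec["pkts"]
    return {key: dict(sources) for key, sources in summary.items()}


if __name__ == "__main__":
    for key, sources in sorted(summarize(SAMPLE).items()):
        print(key, sources)
```
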
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:59 PDT