Re: Syslog buffer overflow

From: Toby Kohlenberg (toby@private)
Date: Tue Oct 16 2001 - 10:11:17 PDT


    No. You would be correct in identifying it as traffic attempting to go to
    port 514 being denied at your router. IIRC, the 100-series ACLs on Ciscos
    (this looks like the log format from a Cisco, am I correct?) are purely
    port and protocol based. 
    Assuming anything about the intent of the traffic without a bunch more
    data would be unwise.
    
    Toby
    
    On Tue, 16 Oct 2001, Heidi wrote:
    
    > By noting UDP port 514 in this log, would I be correct in identifying it as
    > a Syslog buffer overflow attack?
    > 
    > Oct 16 08:08:32 rt0 10588: rd20h: %SEC-6- IPACCESSLOGP: LIST 102 denied udp
    > 195.16.163.6(1094)->external.server(514), 2 packets
    > Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp
    > 195.16.174.10(2976) -> external server(514), 1 packet
    > Oct 16 08:34:33 rt0 10629: rd11h: #SEC-6-IPACCESSLOGP: list 102 denied udp
    > 195.16.174.10 (2976) -> external.server (514), 1 packet
    > 
    > Thank you,
    > Heidi Henry
    > mcps@private
    > 
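
An added example, not part of the original thread: a tolerant parser for ACL log entries in the IPACCESSLOGP layout quoted above, showing that each entry carries only list number, action, protocol, addresses, ports and a packet count, and nothing about packet contents. The sample lines and their addresses are constructed, and the names `parse` and `summarize` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout quoted in the thread. The addresses
# are documentation ranges, not values from the post. Spacing around the
# ports and the arrow varies on purpose, as it does in the quoted log.
SAMPLE = """\
Oct 16 08:08:32 rt0 10588: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.6(1094) -> 198.51.100.1(514), 2 packets
Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: LIST 102 denied udp 192.0.2.10(2976)->198.51.100.1(514), 1 packet
Oct 16 08:34:33 rt0 10629: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.10 (2976) -> 198.51.100.1 (514), 1 packet
Oct 16 08:40:01 rt0 10630: 4d11h: %SYS-5-CONFIG_I: Configured from console
"""

ENTRY = re.compile(
    r"IPACCESSLOGP:\s*list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+?)\s*\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>\S+?)\s*\((?P<dport>\d+)\),\s*(?P<packets>\d+)\s+packets?",
    re.IGNORECASE,
)

def parse(text):
    """Return one dict per ACL log entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        entry = m.groupdict()
        for key in ("sport", "dport", "packets"):
            entry[key] = int(entry[key])
        entry["action"] = entry["action"].lower()
        entries.append(entry)
    return entries

def summarize(entries):
    """Total packets per (source, protocol, destination port)."""
    totals = defaultdict(int)
    for e in entries:
        totals[(e["src"], e["proto"], e["dport"])] += e["packets"]
    return dict(totals)

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(summarize(parse(SAMPLE)).items()):
        # Header fields only: the log has no payload to classify.
        print(f"{src} -> {proto}/{dport}: {n} packet(s) denied")
```
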
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:59 PDT