Toby, yes, this is from Cisco router ACL (syslog). The data just repeats itself for a couple of hours. Perhaps a DoS aimed at the syslog port due to the timestamps and multiple attempts with one packet? i.e., an attacker attempting to deny bandwidth by taking out a router. It appears the attacker is trying to identify the syslog server to attempt DoS or to gain root access.

Thank you for your input.

Heidi

No, you would be correct in identifying it as traffic attempting to go to port 514 being denied at your router. IIRC, the 100-series ACLs on Ciscos (this looks like the log format from a Cisco, am I correct?) are purely port and protocol based. Assuming anything about the intent of the traffic without a bunch more data would be unwise.

Toby

On Tue, 16 Oct 2001, Heidi wrote:

> By noting UDP port 514 in this log, would I be correct in identifying it as
> a Syslog buffer overflow attack?
>
> Oct 16 08:08:32 rt0 10588: 4d20h: %SEC-6-IPACCESSLOGP: list 102 denied udp
> 195.16.163.6(1094) -> external.server(514), 2 packets
> Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp
> 195.16.174.10(2976) -> external.server(514), 1 packet
> Oct 16 08:34:33 rt0 10629: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp
> 195.16.174.10 (2976) -> external.server (514), 1 packet
>
> Thank you,
> Heidi Henry
> mcps@private
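Added example, not code from Heidi or Toby: a small parser for Cisco IOS %SEC-6-IPACCESSLOGP lines of the kind quoted above, followed by a per-source summary of denied traffic to a given port. It makes Toby's point concrete: every field the regex can pull out of such a line is a list number, an action, a protocol, two addresses, two ports and a packet count for the logging interval, so "repeated denied UDP to 514 from two sources" is the strongest statement the log supports. The sample lines are constructed (modelled on the quoted ones, with one unrelated permitted line added), and the function names are hypothetical.

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGP syslog lines and summarise denied
traffic to one destination port. Example code for the thread above; the log
lines below are constructed, not a real capture."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread. The
# destination name was already sanitised to "external.server" in the post.
SAMPLE_LOG = """\
Oct 16 08:08:32 rt0 10588: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.163.6(1094) -> external.server(514), 2 packets
Oct 16 08:16:23 rt0 10597: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.174.10(2976) -> external.server(514), 1 packet
Oct 16 08:34:33 rt0 10629: 4d11h: %SEC-6-IPACCESSLOGP: list 102 denied udp 195.16.174.10 (2976) -> external.server (514), 1 packet
Oct 16 08:35:01 rt0 10630: 4d11h: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.1.1.5(40012) -> external.server(22), 1 packet
"""

# Tolerates the optional space before "(" and around "->" seen in the post.
ACL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+.*?"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>[a-z]+)\s+(?P<src>[\w.\-]+)\s*\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\w.\-]+)\s*\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?\b"
)


def parse_acl_line(line):
    """Return the fields an IPACCESSLOGP line carries, or None if the line is
    not an ACL log entry. There is no payload, no TCP flag, nothing about
    intent: the ACL log only says which list matched, what it did, the
    protocol, addresses, ports and how many packets in the logging interval."""
    m = ACL_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def summarise_denied(log_text, dport):
    """Aggregate denied entries to one destination port by (source, protocol):
    hit count, packet total and the first/last timestamp seen."""
    stats = defaultdict(lambda: {"hits": 0, "packets": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        e = parse_acl_line(line)
        if e is None or e["action"] != "denied" or e["dport"] != dport:
            continue
        s = stats[(e["src"], e["proto"])]
        s["hits"] += 1
        s["packets"] += e["count"]
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
    return dict(stats)


if __name__ == "__main__":
    for (src, proto), s in summarise_denied(SAMPLE_LOG, 514).items():
        print(f"{src:16} {proto:4} hits={s['hits']} packets={s['packets']} "
              f"{s['first']} .. {s['last']}")
```

Run it and the only output is the two sources, their packet totals and the time window; if you want to know whether the traffic was a scan for a syslog relay, a misdirected host or anything else, you need a capture of the payload or the sending host, which the ACL log does not give you.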
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:28:12 PDT