RE: Syslog buffer overflow

From: Heidi (mcps@private)
Date: Sat Oct 20 2001 - 05:35:44 PDT


    Toby, thank you very much for your input.  I am just learning this as you
    can probably tell, so I really do appreciate your taking the time to respond
    to my questions.  Thank you and have a great weekend, Heidi Henry
    
    -----Original Message-----
    From: owner-crime@/var/spool/majordomo/lists/crime
    [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Toby
    Kohlenberg
    Sent: Friday, October 19, 2001 7:40 PM
    To: Heidi
    Cc: CRIME
    Subject: RE: Syslog buffer overflow
    
    On Wed, 17 Oct 2001, Heidi wrote:
    
    > Toby, yes, this is from Cisco router ACL (syslog).  The data just repeats
    > itself for a couple of hours. Perhaps a DoS aimed at the syslog port due to
    > the timestamps and multiple attempts with one packet? I.E., an attacker
    > attempting to deny bandwidth by taking out a router.  It appears the
    > attacker is trying to identify the syslog server to attempt DoS or to gain
    > root access.  Thank you for your input.
    > Heidi
    
    I don't think you have enough information to assume it is a. intentional
    or b. malicious. Without the actual packets, or at least the headers from
    them, you have no data regarding the purpose or stimulus for the
    traffic. This could be the result of someone spoofing you and attacking
    your traffic's source. If it got blocked at your firewall, acknowledge it,
    
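The exchange above turns on two things: the router ACL syslog entries repeating for a couple of hours, and the point that log lines alone cannot tell you whether that traffic was intentional or malicious. The script below is an added example, not something posted in this thread or shipped by Cisco. It parses constructed Cisco IOS ACL log lines (the `%SEC-6-IPACCESSLOGP` message with an ordinary syslog timestamp and hostname prefix is assumed), aggregates hits per flow, and reports which flows were sustained. That is as far as the log data can take you; the packets or their headers are still needed before attributing intent.

```python
import re
from datetime import datetime

# Matches Cisco IOS ACL log messages (the IPACCESSLOGP message a router emits
# when a logged ACL entry fires). The timestamp/hostname part is the usual
# syslog prefix; the year is not carried, so the parsed datetime is only
# useful for durations within a single day.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ .*?%SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Constructed sample lines (not from the thread): one flow that keeps hitting
# the syslog port for a couple of hours, one single-packet hit on tcp/22, and
# one unrelated router message that the parser must ignore.
SAMPLE_LOGS = """\
Oct 17 01:02:03 rtr1 123: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1024) -> 192.0.2.10(514), 1 packet
Oct 17 01:07:15 rtr1 124: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1024) -> 192.0.2.10(514), 37 packets
Oct 17 01:15:00 rtr1 125: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40000) -> 192.0.2.10(22), 1 packet
Oct 17 01:20:00 rtr1 126: %SYS-5-CONFIG_I: Configured from console by vty0
Oct 17 02:12:40 rtr1 127: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1024) -> 192.0.2.10(514), 41 packets
Oct 17 03:30:05 rtr1 128: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1024) -> 192.0.2.10(514), 52 packets
"""


def parse_line(line):
    """Return the parsed fields of one ACL log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Aggregate ACL hits per (src, dst, dport, proto) flow.

    Each entry records first/last sighting, the number of log events and the
    packet total the router reported, which is all that the "it just repeats
    for a couple of hours" observation in the thread is based on.
    """
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dport"], rec["proto"])
        f = flows.setdefault(key, {"first": rec["ts"], "last": rec["ts"],
                                   "events": 0, "packets": 0})
        f["first"] = min(f["first"], rec["ts"])
        f["last"] = max(f["last"], rec["ts"])
        f["events"] += 1
        f["packets"] += rec["count"]
    return flows


def duration_minutes(flow):
    """Minutes between the first and last sighting of a flow."""
    return (flow["last"] - flow["first"]).total_seconds() / 60.0


def sustained_flows(flows, min_minutes=60, min_packets=100):
    """Flows that kept hitting the ACL for at least min_minutes and min_packets.

    This only establishes that the traffic was persistent. Whether it was
    intentional or malicious cannot be read from ACL log lines; for that the
    packets, or at least their headers, are needed.
    """
    hits = []
    for key, f in flows.items():
        if duration_minutes(f) >= min_minutes and f["packets"] >= min_packets:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS.splitlines())
    for key, f in summary.items():
        print(key, f["events"], "events,", f["packets"], "packets,",
              f"{duration_minutes(f):.1f} min")
    print("sustained:", sustained_flows(summary))
```

Run as-is it reports two flows and flags only the udp/514 one as sustained; the thresholds are arbitrary starting points and would be tuned to the router's normal logging volume. Feeding real router syslog into `summarize()` gives the same persistence picture, nothing more.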

    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:28:23 PDT