Seeing something *weird* in router logs ...

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    132

    Seeing something *weird* in router logs ...

    Hello - this is from a Cisco router running IOS 12.1(6) - am I seeing a buffer overflow attack, or just some weirdness? This shows under debug logging ... and this comes seemingly from the router itself, which I find weird. It almost looks like it's trying to get/send something, like syslog stuff.

    Please give me a pointer on this; it's weird enough to have caught my eye in looking over logs today.

    Syslog Message:

    0<002><001><000><004><007>version<006><006>+<006><001><004><001><009>@<004>rY<001><002><001><006><002><001><001>C<004><003>00<018><006><013>+<006><001><004><001><009><002><009><003><001><001><002><001><002><001><005>0<028><006><023>+<006><001><002><001><006><013><001><001><006>rY<001><023><006>rY<009><029><002><001><004>0<031><006><025>+<006><001><004><001><009><002><006><001><001><005><006>rY<001><023><006>rY<009><029><002><002>)0<030><006><025>+<006><001><004><001><009><002><006><001><001><001><006>rY<001><023><006>rY<009><029><002><001>g0<031><006><025>+<006><001><004><001><009><002><006><001><001><002><006>rY<001><023><006>rY<009><029><002><002>E0<016><006><012>+<006><001><004><001><009><002><009><002><001><018><002><004><000>

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    132
    Actually ... something quick here - it *looks* like a reboot, almost ... the <>'s are control characters ... but these come about during the day - when THE ROUTER SHOULD BE SOLIDLY UP!

    <sigh>

    ~N~

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    157

    dunno

    I haven't seen that.
    Post your question at the Cisco IDS Discussion Forum.

    Let us know what you find out and Good Luck!
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Noah built the ark BEFORE it rained.


    http://ld.net/?rn
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    132
    Hmmm ... well, it's over at Cisco now. I'll keep you posted!

    ~N~

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    132
    Yeah - I *think* it's a message that's generated when I log into the router and hit either the logs or NVRAM. <sigh> Weird, though.

    ~N~

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Thanks for keeping us informed. I am interested in what Cisco says.
    Trappedagainbyperfectlogic.

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    321
    Have Cisco answered yet? I'm just curious 'cause I have a TAC open with them and no ans...
    assembly.... digital dna ?

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    132
    Bah - still no reply. The actual question is located here:
    http://forums.cisco.com/eforum/servl...%40%40.ee7ae43

    Stupid. However, I *did* find that it's 100% tied to either hitting NVRAM or local logs on the router (buffer). It's also a DEBUG level error message from the router ... so as far as I'm concerned, the forums kind of let me down here, but I am satisfied that it's just an oddity of logging EVERYTHING (which I do) and not a threat.

    In fact, I guess I'm staking my job on it. :/
    ~N~

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    132
    This should let that link come through ... I think.

    ~N~

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    132
    F'-em. I have no responses. SO ... I'm working now that correlation==causality.
    Not great, but it's what I'm left with.

    Someone else could verify this by logging debug messages to syslog, then going and hitting NVRAM and buffered logs (sh log) on a router - we'd still have correlational work only, but at least it'd be from more than 2 sites (my work & home router - both running on the same router model, same IOS version, different build).

    ~N~
