Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
408
Views
0
Helpful
2
Replies

I need help deciphering this log that I receive by email.

Moosenet01
Level 1
Level 1

‎10-20-2021 10:50 AM

I am receiving logs that look like this snipit multiple times a day...

 

MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=5407 DF PROTO=TCP SPT=25731 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:53:43 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=5611 DF PROTO=TCP SPT=35225 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:53:49 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=5802 DF PROTO=TCP SPT=43853 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:54:02 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6222 DF PROTO=TCP SPT=21560 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:54:14 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6628 DF PROTO=TCP SPT=51288 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:54:22 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6893 DF PROTO=TCP SPT=28146 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:54:29 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7129 DF PROTO=TCP SPT=55913 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:54:48 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=7703 DF PROTO=TCP SPT=36177 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:54:57 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=7993 DF PROTO=TCP SPT=24589 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:55:09 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=8372 DF PROTO=TCP SPT=50088 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0 <2>Dec 31 20:55:19 WRP500 SPI IN=br0 OUT=

 

This looks to me like IP: 5.188.206.230 is trying to connect using port 3391. Since this IP is based in Bulgaria and we have no contacts or employees there, I suspect that someone is trying to connect remotely without permission. Would this be a correct assessment?

 

Thanks in advance.

0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎10-20-2021 12:59 PM

3391 is RDS port- is this router is an edge to the internet, if so you get to see these logs normally, as long as it blocked your router doing its job?

 

as per time its Dec 31  ? are you looking right log or back logs  ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Moosenet01
Level 1
Level 1
In response to balaji.bandi

‎10-21-2021 08:00 AM - edited ‎10-21-2021 10:04 AM

I have never since we purchased this router, been able to have it display the correct time. 

 

No, this port is not blocked but the ip is from outside the country and not supposed to be connecting.

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents