sickpuppy

Open sockets in system process -- Immunet?


I have some oddities in my Bro/Suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder whether these connections belong to Immunet.

The JA3 hash suggests it's either a Chromium or Win32 API making the requests?

I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s.

Thanks

Edited by sickpuppy
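For the JA3 tagging work described in the post above, here is an added example (not code from the original post or from Immunet): it parses a constructed TLS ClientHello and derives the JA3 string and MD5 the way Bro/Zeek and Suricata log it, including the GREASE filtering that keeps a Chromium client's fingerprint stable. The sample ClientHello bytes are constructed for this example, not captured. Note that JA3 identifies the TLS stack, not the program, so every process using the same Schannel or Chromium stack shares a fingerprint and the owning PID still has to come from the host.

```python
import hashlib
# GREASE values (RFC 8701) change per connection, so JA3 drops them; otherwise a Chromium client would get a new fingerprint every handshake.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def _u16(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[i:i + 2], "big")

def ja3_string(record: bytes) -> str:
    """JA3 string (version,ciphers,extensions,curves,formats) of a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = _u16(body, 0)            # legacy client_version: TLS 1.3 clients still send 771 here
    pos = 2 + 32                       # skip the 32-byte client random
    pos += 1 + body[pos]               # skip session_id
    n = _u16(body, pos)
    ciphers = [_u16(body, i) for i in range(pos + 2, pos + 2 + n, 2)]
    pos += 2 + n
    pos += 1 + body[pos]               # skip compression methods
    end = pos + 2 + _u16(body, pos)
    pos += 2
    exts, groups, formats = [], [], []
    while pos < end:                   # walk the extension list in wire order
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        exts.append(etype)
        if etype == 0x000A:            # supported_groups: 2-byte list length, 2-byte ids
            groups = [_u16(data, i) for i in range(2, len(data), 2)]
        elif etype == 0x000B:          # ec_point_formats: 1-byte list length, 1-byte ids
            formats = list(data[1:])
        pos += 4 + elen
    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(exts), field(groups), field(formats)])

def ja3_hash(record: bytes) -> str:
    """The JA3 value Bro/Zeek and Suricata log: MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()

# Constructed sample ClientHello (not a capture) with a GREASE suite, extension and group.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "160301005c" "01000058"                    # record header (92 bytes), ClientHello header (88-byte body)
    "0303" + "00" * 32 + "00"                  # client_version 771, zeroed random, empty session_id
    "000a" "0a0a" "1301" "1302" "c02b" "c02f"  # 5 suites: GREASE, TLS_AES_128_GCM_SHA256, ...
    "0100" "0025"                              # null compression; 37 bytes of extensions follow
    "1a1a0000"                                 # GREASE extension, empty
    "000a0008" "0006" "2a2a" "001d" "0017"     # supported_groups: GREASE, x25519, secp256r1
    "000b0002" "01" "00" "000d0004" "0002" "0403"  # ec_point_formats: uncompressed; signature_algorithms
    "002b0003" "02" "0304"                     # supported_versions: TLS 1.3
)
```

Running `ja3_string(SAMPLE_CLIENT_HELLO)` yields `771,4865-4866-49195-49199,10-11-13-43,29-23,0`; the three GREASE values (0x0a0a, 0x1a1a, 0x2a2a) are gone, which is what lets one hash match across many handshakes from the same client.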


Immunet does not rely on any Windows system processes since it has its own dedicated processes, which are sfc.exe & iptray.exe.

I would conjecture that those connections are related to your Suricata threat detection/network monitoring engine and not Immunet.

You could contact Suricata support directly to see if those connections are associated with the software but I bet they are.
https://suricata-ids.org/support/


That's a decent guess, but Suricata is running on a FreeBSD box and Bro is running on a Linux sensor.

Immunet is only running on the Win10 box. Can you confirm/deny if paloaltonetworks.com and urlscan.io are used by Immunet? 


Immunet doesn't use any out-sourced URL connections. Instead, Immunet Protect uses its own dedicated servers for the ETHOS & SPERO cloud look-ups and for the ClamAV module's definition signature updates.

So the answer to your question is no, these URLs are not related to Immunet.


Thanks for the confirmation Wookiee!

There was a time when Immunet used (of all things) Amazon.com's servers to push new build updates through the UI to users but that was years ago before SourceFire acquired Immunet.


For historical purposes & for any user's curiosity here's the reason for the decision to use Amazon's servers back in the good ol' days.

At that time Immunet was basically still a fledgling private company, and the decision was made to use Amazon's servers to reduce the company server load when pushing new version updates to users, since resources were still quite limited. Amazon's servers had some of the best security/intrusion protocols in place at that time, so that was a consideration too.

There was already a growing need to increase server capacity so it was thought that this approach would best serve the rapidly expanding Immunet cloud community in the interim until a better solution could be attained.


Like I mentioned before, you could contact Suricata support with the link I provided to find out if those connections belong to that software package, sickpuppy.
