Jump to content


  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About sickpuppy

  • Rank
  1. Thanks for the confirmation, I was really hoping Immunet was opening these -- have to do further digging now.
  2. That's a decent guess, but Suricata is running on a FreeBSD box and Bro is running on a Linux sensor. Immunet is only running on the Win10 box. Can you confirm/deny if paloaltonetworks.com and urlscan.io are used by Immunet?
  3. I have some oddities in my bro/suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder if these connections belong to Immunet? The JA3 hash suggests it's either a Chromium or Win32 API making the requests? I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s. Thanks
  • Create New...