Open sockets in system process -- Immunet?


sickpuppy
I have some oddities in my bro/suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder if these connections belong to Immunet?

The JA3 hash suggests it's either a Chromium or Win32 API making the requests?

I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s.

Thanks

Edited by sickpuppy
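One way to attribute such connections to a process from the host itself, and to the hosted Windows service when the owner turns out to be svchost.exe or the System process (PID 4), as an added PowerShell example that is not from the thread; the two hostnames are the ones named in the post and are resolved at run time, so the script assumes a live Windows 10 host with the NetTCPIP module available:

```powershell
# Added example: map live TCP connections to their owning process and, for
# svchost.exe / System owners, to the Windows service(s) hosted in that PID.
# $RemoteHosts is taken from the post; any other values are constructed.
$RemoteHosts = @('paloaltonetworks.com', 'urlscan.io')

# Resolve the names once so we can match on the connection's RemoteAddress.
$RemoteIps = foreach ($h in $RemoteHosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress |
        Where-Object { $_ }
}

# Index services by hosting PID so a shared svchost instance can be named.
$ServicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-NetTCPConnection -State Established, TimeWait, CloseWait -ErrorAction SilentlyContinue |
    Where-Object { $RemoteIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $owner = $_.OwningProcess          # do not reuse $pid, it is automatic
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $svc   = $ServicesByPid["$owner"]
        [pscustomobject]@{
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            State    = $_.State
            PID      = $owner
            Process  = if ($proc) { $proc.ProcessName } else { 'n/a' }
            Path     = if ($proc -and $proc.Path) { $proc.Path } else { 'n/a' }
            Services = if ($svc) { $svc.Name -join ',' } else { '' }
        }
    } | Format-Table -AutoSize
```

Because the connections in the post are short-lived and repeat every few seconds, a single poll can miss them; Sysmon Event ID 3 (NetworkConnect) logs the image and PID for every outbound connection and is the more reliable way to pin the JA3 fingerprint to a binary.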

Immunet does not rely on any Windows system processes since it has its own dedicated processes, which are sfc.exe & iptray.exe.

I would conjecture that those connections are related to your Suricata threat detection/network monitoring engine and not Immunet.

You could contact Suricata support directly to see if those connections are associated with the software but I bet they are.
https://suricata-ids.org/support/


Immunet doesn't use any out-sourced URL connections. Instead Immunet Protect uses its own dedicated servers for the ETHOS & SPERO cloud look-ups and for the ClamAV module's definition signature updates.

So the answer to your question is no, these URLs are not related to Immunet.


For historical purposes & for any user's curiosity here's the reason for the decision to use Amazon's servers back in the good ol' days.

At that time Immunet was basically still a fledgling private company and the decision was made to use Amazon's servers to reduce the company server load when pushing new version updates to users since resources were still quite limited. Amazon's servers had some of the best security/intrusion protocols in place at that time so that was a consideration too.

There was already a growing need to increase server capacity so it was thought that this approach would best serve the rapidly expanding Immunet cloud community in the interim until a better solution could be attained.
