Open sockets in system process -- Immunet?

I have some oddities in my bro/suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder if these connections belong to Immunet?

The JA3 hash suggests it's either a Chromium or Win32 API making the requests?

I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s.


Edited by sickpuppy
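One way to work through the question above, as an added example that is not part of the thread: group Zeek/Bro ssl.log records by JA3 fingerprint and server name, estimate how often each pair connects, and label fingerprints from a local baseline so unexplained ones stand out. The log lines, JA3 values and the baseline mapping are constructed placeholders, not real fingerprints.

```python
"""Correlate ssl.log records by (JA3, server_name) and rate them.
Reads Zeek/Bro ssl.log in JSON format; labels JA3 values from a local baseline."""
import json
from collections import defaultdict

# Constructed sample ssl.log lines; the ja3 values are placeholders, not real.
SAMPLE_SSL_LOG = """
{"ts": 1700000000.0, "id.orig_h": "10.0.0.5", "server_name": "urlscan.io", "ja3": "aaaa0000aaaa0000aaaa0000aaaa0000"}
{"ts": 1700000015.0, "id.orig_h": "10.0.0.5", "server_name": "urlscan.io", "ja3": "aaaa0000aaaa0000aaaa0000aaaa0000"}
{"ts": 1700000030.0, "id.orig_h": "10.0.0.5", "server_name": "paloaltonetworks.com", "ja3": "aaaa0000aaaa0000aaaa0000aaaa0000"}
{"ts": 1700000045.0, "id.orig_h": "10.0.0.5", "server_name": "urlscan.io", "ja3": "aaaa0000aaaa0000aaaa0000aaaa0000"}
{"ts": 1700000060.0, "id.orig_h": "10.0.0.5", "server_name": "example.org", "ja3": "bbbb1111bbbb1111bbbb1111bbbb1111"}
{"ts": 1700000600.0, "id.orig_h": "10.0.0.5", "server_name": "example.org", "ja3": "bbbb1111bbbb1111bbbb1111bbbb1111"}
"""

# Hypothetical JA3 -> application mapping built from your own baseline capture
# of a known client on the same host; not a published fingerprint list.
KNOWN_JA3 = {"bbbb1111bbbb1111bbbb1111bbbb1111": "Chrome (baseline capture)"}


def summarize(log_text, known=KNOWN_JA3):
    """Return {(ja3, server_name): (label, count, connections_per_minute)}."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if "ja3" not in rec:  # incomplete handshake or non-TLS record
            continue
        groups[(rec["ja3"], rec.get("server_name", "-"))].append(rec["ts"])
    summary = {}
    for key, stamps in groups.items():
        span = max(stamps) - min(stamps)
        # A single observation gives no rate; report it as 0.0 per minute.
        per_minute = len(stamps) / (span / 60.0) if span > 0 else 0.0
        summary[key] = (known.get(key[0], "unknown"), len(stamps), round(per_minute, 2))
    return summary


def beaconing(summary, min_per_minute=2.0):
    """Groups with an unknown JA3 at or above the rate threshold: worth a closer look."""
    return sorted(k for k, (label, _n, rate) in summary.items()
                  if label == "unknown" and rate >= min_per_minute)
```

Run it over your own ssl.log (converted with `jq -c` or written with Zeek's JSON log writer) and extend `KNOWN_JA3` from a capture of each client you can identify on the host.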

Immunet does not rely on any Windows system processes since it has its own dedicated processes, which are sfc.exe & iptray.exe.

I would conjecture that those connections are related to your Suricata threat detection/network monitoring engine and not Immunet.

You could contact Suricata support directly to see if those connections are associated with the software but I bet they are.


For historical purposes & for any user's curiosity here's the reason for the decision to use Amazon's servers back in the good ol' days.

At that time Immunet was basically still a fledgling private company and the decision was made to use Amazon's servers to reduce the company server load when pushing new version updates to users, since resources were still quite limited. Amazon's servers had some of the best security/intrusion protocols in place at that time, so that was a consideration too.

There was already a growing need to increase server capacity so it was thought that this approach would best serve the rapidly expanding Immunet cloud community in the interim until a better solution could be attained.
