Open sockets in system process -- Immunet?

[sickpuppy]

I have some oddities in my bro/suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder if these connections belong to Immunet?

The JA3 hash suggests it's either a Chromium or Win32 API making the requests?

I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s.

Thanks

Edited December 27, 2018 by sickpuppy

[ritchie58]

Immunet does not rely on any Windows system processes since it has it's own dedicated processes which are sfc.exe & iptray.exe.

I would conjecture that those connections are related to your Suricata threat detection/network monitoring engine and not Immunet

You could contact Suricata support directly to see if those connections are associated with the software but I bet they are.
https://suricata-ids.org/support/

[sickpuppy]

That's a decent guess, but Suricata is running on a FreeBSD box and Bro is running on a Linux sensor.

Immunet is only running on the Win10 box. Can you confirm/deny if paloaltonetworks.com and urlscan.io are used by Immunet? 

[ritchie58]

Immunet doesn't use any out-sourced URL connections. Instead Immunet Protect uses it's own dedicated servers for the ETHOS & SPERO cloud look-ups and for the ClamAV module's definition signature updates.

So the answer to your question is no, these URL's are not related to Immunet.

[Guest Wookiee]

Yeah, Rich is correct- Immunet doesn't out-source or do anything like that.

[ritchie58]

Thanks for the conformation Wookiee!

There was a time when Immunet used (of all things) Amazon.com's servers to push new build updates through the UI to users but that was years ago before SourceFire acquired Immunet.

[ritchie58]

For historical purposes & for any user's curiosity here's the reason for the decision to use Amazon's servers back in the good ol' days.

At that time Immunet was basically still a fledgling private company and the decision was made to use Amazon's servers to reduce the company server load when pushing new version updates to users since resources where still quite limited. Amazon's servers had some of the best security/intrusion protocols in place at that time so that was a consideration too.

There was already a growing need to increase server capacity so it was thought that this approach would best serve the rapidly expanding Immunet cloud community in the interim until a better solution could be attained.

[sickpuppy]

Thanks for the confirmation, I was really hoping Immunet was opening these --  have to do further digging now.

[ritchie58]

Like I mentioned before, you could contact Suricata support with the link I provided to find out if those connections belong to that software package sickpuppy.