sickpuppy Posted December 27, 2018 (edited): I have some oddities in my bro/suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder if these connections belong to Immunet? The JA3 hash suggests it's either a Chromium or Win32 API making the requests? I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s. Thanks. Edited December 27, 2018 by sickpuppy
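The post above describes the core problem: a JA3 hash on the network side cannot by itself say which process on the Windows host made the connection, because several programs share the same TLS stack. One defender-side way to close that gap is to join the sensor's Zeek (Bro) ssl.log records with host-side network-connect events (Sysmon Event ID 3 style) on the connection 4-tuple plus a small time tolerance, then tag each JA3 hash with the process images seen using it. The script below is an added example and is not code from the thread or from Immunet, Zeek or Suricata; all log lines, IP addresses, timestamps and JA3 values in it are constructed placeholders, and the field names follow Zeek's JSON ssl.log (with the ja3 package's `ja3` field) and Sysmon's EventData schema.

```python
"""Tag JA3 fingerprints with the host process that made each TLS connection.

Joins Zeek ssl.log records (network sensor) with Sysmon Event ID 3
NetworkConnect events (Windows host) on (src ip, src port, dst ip, dst port)
within a time tolerance. All sample data below is constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Zeek ssl.log lines in JSON log format. JA3 values are placeholders,
# not real fingerprints of any product. Timestamps are 2018-12-27 08:40 UTC.
ZEEK_SSL_LOG = """\
{"ts":1545900000.10,"uid":"C1","id.orig_h":"192.168.1.50","id.orig_p":51001,"id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"urlscan.io","ja3":"ja3-placeholder-A"}
{"ts":1545900012.40,"uid":"C2","id.orig_h":"192.168.1.50","id.orig_p":51002,"id.resp_h":"203.0.113.20","id.resp_p":443,"server_name":"paloaltonetworks.com","ja3":"ja3-placeholder-A"}
{"ts":1545900030.00,"uid":"C3","id.orig_h":"192.168.1.50","id.orig_p":51003,"id.resp_h":"203.0.113.30","id.resp_p":443,"server_name":"example.org","ja3":"ja3-placeholder-B"}
{"ts":1545900045.00,"uid":"C4","id.orig_h":"192.168.1.50","id.orig_p":51004,"id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"urlscan.io","ja3":"ja3-placeholder-A"}
"""

# Constructed Sysmon Event ID 3 EventData from the same Windows host (values made up).
# No event is present for connection C4, to show the unattributed path.
SYSMON_EVENTS = [
    {"UtcTime": "2018-12-27 08:40:00.350", "ProcessId": 4, "Image": "System",
     "SourceIp": "192.168.1.50", "SourcePort": 51001, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"UtcTime": "2018-12-27 08:40:12.500", "ProcessId": 4, "Image": "System",
     "SourceIp": "192.168.1.50", "SourcePort": 51002, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"UtcTime": "2018-12-27 08:40:30.100", "ProcessId": 2210,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "SourceIp": "192.168.1.50", "SourcePort": 51003, "DestinationIp": "203.0.113.30", "DestinationPort": 443},
]


def parse_zeek_ssl(text):
    """Parse JSON-format ssl.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sysmon_ts(event):
    """Convert Sysmon's UtcTime string to a UNIX timestamp (float, UTC)."""
    dt = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def attribute_connections(ssl_records, sysmon_events, tolerance_s=5.0):
    """Return [(ssl_record, image_or_None)] by matching the 4-tuple within tolerance."""
    index = defaultdict(list)
    for ev in sysmon_events:
        key = (ev["SourceIp"], int(ev["SourcePort"]), ev["DestinationIp"], int(ev["DestinationPort"]))
        index[key].append((sysmon_ts(ev), ev["Image"]))
    results = []
    for rec in ssl_records:
        key = (rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"])
        image = None
        for ts, img in index.get(key, []):
            if abs(ts - rec["ts"]) <= tolerance_s:
                image = img
                break
        results.append((rec, image))
    return results


def ja3_to_images(attributed):
    """Map each JA3 hash to the set of process images seen using it.

    A hash that maps to several images comes from a shared TLS stack and cannot
    identify an application on its own; that is the ambiguity this join resolves.
    """
    mapping = defaultdict(set)
    for rec, image in attributed:
        mapping[rec["ja3"]].add(image or "<unattributed>")
    return dict(mapping)


def connection_rate(ssl_records, window_s=60):
    """Count TLS connections per server_name per time window (beaconing check)."""
    counts = defaultdict(int)
    for rec in ssl_records:
        bucket = int(rec["ts"] // window_s) * window_s
        counts[(rec["server_name"], bucket)] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_zeek_ssl(ZEEK_SSL_LOG)
    attributed = attribute_connections(records, SYSMON_EVENTS)
    for rec, image in attributed:
        print(f"{rec['uid']} {rec['server_name']:22} ja3={rec['ja3']:18} image={image}")
    print(ja3_to_images(attributed))
    print(connection_rate(records))
```

Two things this shows that the network data alone does not: the same placeholder hash A is used by the "System" image (PID 4) and by an unattributed connection, so the hash cannot be tied to one application, while hash B resolves to a single user-mode image. When the joined image is "System", the TLS client is running in kernel mode or the host log is missing the user-mode originator, which is exactly the case where process-list tools come up empty and a host-side network-connect log is needed.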
ritchie58 Posted December 28, 2018: Immunet does not rely on any Windows system processes since it has its own dedicated processes, which are sfc.exe & iptray.exe. I would conjecture that those connections are related to your Suricata threat detection/network monitoring engine and not Immunet. You could contact Suricata support directly to see if those connections are associated with the software, but I bet they are. https://suricata-ids.org/support/
sickpuppy (Author) Posted December 28, 2018: That's a decent guess, but Suricata is running on a FreeBSD box and Bro is running on a Linux sensor. Immunet is only running on the Win10 box. Can you confirm/deny if paloaltonetworks.com and urlscan.io are used by Immunet?
ritchie58 Posted December 29, 2018: Immunet doesn't use any out-sourced URL connections. Instead Immunet Protect uses its own dedicated servers for the ETHOS & SPERO cloud look-ups and for the ClamAV module's definition signature updates. So the answer to your question is no, these URLs are not related to Immunet.
Guest Wookiee Posted December 29, 2018: Yeah, Rich is correct. Immunet doesn't out-source or do anything like that.
ritchie58 Posted December 29, 2018: Thanks for the confirmation Wookiee! There was a time when Immunet used (of all things) Amazon.com's servers to push new build updates through the UI to users, but that was years ago, before SourceFire acquired Immunet.
ritchie58 Posted December 29, 2018: For historical purposes & for any user's curiosity, here's the reason for the decision to use Amazon's servers back in the good ol' days. At that time Immunet was basically still a fledgling private company, and the decision was made to use Amazon's servers to reduce the company server load when pushing new version updates to users, since resources were still quite limited. Amazon's servers had some of the best security/intrusion protocols in place at that time, so that was a consideration too. There was already a growing need to increase server capacity, so it was thought that this approach would best serve the rapidly expanding Immunet cloud community in the interim until a better solution could be attained.
sickpuppy (Author) Posted December 29, 2018: Thanks for the confirmation, I was really hoping Immunet was opening these -- have to do further digging now.
ritchie58 Posted December 30, 2018: Like I mentioned before, you could contact Suricata support with the link I provided to find out if those connections belong to that software package, sickpuppy.