Use ICMP instead of HTTP for testing the connection
I tested locally and it works as expected. As suggested by @Ana06 it is not known why this implementation poses an advantage over HTTPS
@sara-rn you also tested the change. Did you also get the noise in fakenet?
@d35ha thank you for the changes! I appreciate the documentation addition and the detailed commit description.
I have done some more testing and this change is very noisy in fakenet:
It seems the "ProcessBlackList: internet_detector.exe" fakenet exclusion is not working properly for ICMP. The HTTP communication was excluded from the output, while ICMP is still there. @d35ha can you reproduce this? Am I doing something wrong?
@Ana06 I noticed the same noise, not sure why fakenet is unable to identify the source process (maybe related to https://github.com/mandiant/flare-vm/pull/630).
It seems that fakenet fails to (or doesn't) identify the source process for the ICMP requests.
@d35ha I think it is not related to https://github.com/mandiant/flare-vm/pull/630 as fakenet does ignore the process when using HTTP. I think the issue is how fakenet is implemented. When @emtuls first implemented the internet detector using HTTP requests we realised the process was not being ignored: https://github.com/mandiant/flare-fakenet-ng/issues/190. Supporting ignoring HTTP requests coming from a black listed process required structural changes in fakenet implemented in https://github.com/mandiant/flare-fakenet-ng/pull/192. It seems that we now have the same issue with ICMP and this would require modifying fakenet again, not sure if it is even possible. :thinking:
PR to add ICMP ID-based filtering in fakenet that allows us to ignore the ICMP traffic from the internet detector: https://github.com/mandiant/flare-fakenet-ng/pull/204
We would still need to adapt this PR after https://github.com/mandiant/flare-fakenet-ng/pull/204 has been merged to add the ID, @d35ha do you plan to do this now to illustrate how this is exactly implemented (concretely how the ID is generated), which will help understanding what we want to address with https://github.com/mandiant/flare-fakenet-ng/pull/204 (and may help with the PR review)? Or are you planning to wait for feedback on https://github.com/mandiant/flare-fakenet-ng/pull/204 before making changes here?
@Ana06
Now the fakenet filter is enabled from the tool side, the only thing we are waiting for is https://github.com/mandiant/flare-fakenet-ng/pull/204 to be approved.
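The thread above is about why a process blacklist that works for HTTP does not carry over to ICMP: TCP and UDP flows carry ports that can be mapped back to a local process, while an ICMP echo request has none, so the identifier field in the echo header is the one value a sender can use to tag its own probes. The following Python sketch is an added illustration of what an identifier-based filter has to do; it is not code from this PR, from the internet detector, or from fakenet, and the blacklisted identifier 0xBEEF and the sample addresses are constructed for the example.

```python
import struct

# Constructed for this example: the identifier a probing tool would stamp
# on its own echo requests so a simulator can drop them. Hypothetical value.
BLACKLISTED_ICMP_IDS = {0xBEEF}

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """Build a raw IPv4 + ICMP echo request carrying the given identifier.

    Constructed sample packet: minimal 20-byte IPv4 header (IP header checksum
    left at zero, as a simulator that only inspects fields does not need it)
    followed by an 8-byte ICMP echo header and a short payload.
    """
    header_no_cksum = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    cksum = icmp_checksum(header_no_cksum + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, cksum, ident, seq) + payload
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # DSCP/ECN
        20 + len(icmp),       # total length
        0x1234,               # identification (constructed)
        0,                    # flags / fragment offset
        64,                   # TTL
        IPPROTO_ICMP,         # protocol
        0,                    # header checksum (not computed here)
        bytes([10, 0, 0, 2]), # constructed source
        bytes([10, 0, 0, 1]), # constructed destination
    )
    return ip_header + icmp


def parse_icmp_echo(packet: bytes):
    """Return (icmp_type, identifier, sequence) for an IPv4 ICMP echo packet.

    Returns None for anything that is not a well-formed ICMP echo request
    or reply, so the caller never filters on garbage.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return icmp_type, ident, seq


def should_ignore(packet: bytes) -> bool:
    """True when the packet is an ICMP echo tagged with a blacklisted identifier."""
    parsed = parse_icmp_echo(packet)
    return parsed is not None and parsed[1] in BLACKLISTED_ICMP_IDS


if __name__ == "__main__":
    tagged = build_icmp_echo(0xBEEF, 1)
    other = build_icmp_echo(0x0042, 1)
    print("tagged probe ignored:", should_ignore(tagged))   # True
    print("unrelated echo ignored:", should_ignore(other))  # False
```

The identifier is a 16-bit field, so a filter like this only works for a cooperating sender that sets it to an agreed value; it does not replace process attribution, it just gives a simulator a handle on traffic that has no socket to attribute.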
@d35ha fakenet has been released and updated in VM-Packages. Please rebase and ensure the code works with the new fakenet version and the linter is happy. :wink:
@Ana06 rebased and successfully tested.
I tested locally and I realized that this issue https://github.com/mandiant/VM-Packages/pull/1261#issuecomment-2633106481 still persists, shouldn't Fakenet be able to identify the source process for the ICMP requests?
@sara-rn please make sure fakenet 3.5 is installed and 3.3 is totally removed (from C:\Tools\fakenet\fakenet3.3) as fakenet.vm will pick the old version if it exists:
https://github.com/mandiant/VM-Packages/blob/d7e532fe2193e2d2a51f58bf5c6bf8eb6b12044a/packages/fakenet-ng.vm/tools/chocolateyinstall.ps1#L31-L32
@d35ha
@sara-rn please make sure fakenet 3.5 is installed and 3.3 is totally removed (from C:\Tools\fakenet\fakenet3.3) as fakenet.vm will pick the old version if it exists
Can we modify fakenet.vm to take the latest instead of the oldest version? That would avoid this type of issue.
Modified it.
@sara-rn can you please test it again? :smile:
tested locally, LGTM, thanks @d35ha great job
