topic Tofsee TLS Fingerprint Detection in Advanced Threat Prevention Discussions

Tofsee TLS Fingerprint Detection

Stephen_Elliott — Thu, 31 Oct 2019 09:08:17 GMT

Hi all,

Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.

I assume they are false positives? Anyone else seeing the same?

It's skewing our monitoring stats significantly so I may need to create an exception.

Thanks.

Re: Tofsee TLS Fingerprint Detection

fatoldhippy — Fri, 01 Nov 2019 11:21:42 GMT

Confirmed we had the same threat database yesterday (now updated). We have seen this, starting yesterday 01:00 GMT for TLS from one particular Windows 7 host, which we have shut down as a precaution. However all indications around this host's traffic point towards this being a false positive, with perhaps TLS from Windows 7 being a trigger. Since the trigger host is currently disabled, I'm unable to confirm if this is resolved in updated threat databases so would appreciate if anyone hears that this was indeed false positive and is resolved.

Re: Tofsee TLS Fingerprint Detection

Stephen_Elliott — Fri, 01 Nov 2019 13:12:46 GMT

We're still seeing thousands of alerts per hour from thousands of source IPs. I can't believe that these are all real alerts.

There's also something odd when filtering on the threat name in the ACC - it displays no data despite the thousands of alerts displayed in the threat log and threat monitor.

I'll raise a TAC case and post the result here.

Re: Tofsee TLS Fingerprint Detection

LRichman — Fri, 01 Nov 2019 13:53:05 GMT

We have also seen this signature on most of our deployed firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints but the Palo rep stated the firewall does not hash anything so it does not.. Would love some insight into these signatures as there are 4 new Tofsee threat ID's with no details on how they are different, leaving us in the dark.

85452	Tofsee TLS Fingerprint Detection	alert	8.1.0
85453	Tofsee TLS Fingerprint Detection	alert	8.1.0
85454	Tofsee TLS Fingerprint Detection	alert	8.1.0
85455	Tofsee TLS Fingerprint Detection	alert	8.1.0

Re: Tofsee TLS Fingerprint Detection

Stephen_Elliott — Fri, 01 Nov 2019 14:08:42 GMT

Exactly that LRichman!

Doesn't seem much point in me opening a case too then.

I'll leave a few days to see if the threat DB gets updated. If not I think I'll create an exception for these threats.

Re: Tofsee TLS Fingerprint Detection

AdamGajewski — Fri, 01 Nov 2019 15:26:52 GMT

I've also open a support case yesterday. Sadly the suggestion thus far is to create an exception. I'm holding out for now because as you've all stated this seems like an adjustment they need to make on their end. We are avg right around 55-60K of these alerts popping off every hour, it's making our SIEM think the world is ending. Considering I'm seeing traffic to domains like msn.com, google.com, amazon.com, twitter.com, webex.com, yahoo.com, bing.com. I would say the fix should likely be on a much tighter signature than what they release on 10/30. The description for ID 85454 which is what is kicking them off is "This signature detects encrypted command and control traffic from Tofsee malware." I highly doubt all those domains are partaking in a C2 scenario. I too will post what support comes up with, they did say I wasn't alone and others also have complained.

Re: Tofsee TLS Fingerprint Detection

AdamGajewski — Fri, 01 Nov 2019 17:32:03 GMT

Just heard from support who received word from engineering that they will be disabling several of the problem signatures in the next content release around Tuesday of next week. They suggested doing an exception of they are causing issues in the meantime.

Re: Tofsee TLS Fingerprint Detection

KMcKenna — Mon, 04 Nov 2019 22:52:47 GMT

Same here.

Will keep an eye on this thread to confirm signature update resolved the mountain of Tofsee informational alerts.

Thanks Stephen.

Re: Tofsee TLS Fingerprint Detection

rgreens — Tue, 05 Nov 2019 19:11:46 GMT

As of Threat Version 8206-5743 (10/31/19) we are still seeing the issue. This seems to be the latest version, is there another version available?

Re: Tofsee TLS Fingerprint Detection

LRichman — Tue, 05 Nov 2019 19:44:11 GMT

There does not appear to be a new version released at this time, this is the most recent version according to my firewall.

Re: Tofsee TLS Fingerprint Detection

Stephen_Elliott — Wed, 06 Nov 2019 08:38:18 GMT

8207-5750 was released early this morning.

Our dynamic update schedule will install it tonight and I'll post an update here tomorrow.

It's available to try now though if you like.

Re: Tofsee TLS Fingerprint Detection

Stephen_Elliott — Wed, 06 Nov 2019 08:43:42 GMT

The associated info with 8207 shows 4 'tofsee' signatures being disabled, so hopefully that should fix it!

Re: Tofsee TLS Fingerprint Detection

AdamGajewski — Wed, 06 Nov 2019 13:16:49 GMT

They did say "around" Tuesday, though they did sneak it on last night.

Our FWs downloaded and installed the latest content update (Version 8207) lat night and it resolved the issue for us.

Re: Tofsee TLS Fingerprint Detection

LRichman — Wed, 06 Nov 2019 14:00:56 GMT

I can confirm that the new content release 8207 has corrected this issue after disabling the signatures. Threat logs are looking a lot cleaner without 5k alerts an hour being flagged for those signatures.

Re: Tofsee TLS Fingerprint Detection

itsnotthenetwork — Wed, 06 Nov 2019 15:30:12 GMT

RE:Stephen 8207_5750

We installed 8207_5750 last night at 19:00 MST and we still saw a lot after that. Funny thing is we have this spyware rule set to grab the first packet and there isnt even a http get in it. This has to be an over-tweaked spyware rule that PAN needs to fix.

Re: Tofsee TLS Fingerprint Detection

LRichman — Wed, 06 Nov 2019 16:38:30 GMT

@itsnotthenetwork

For us, 8207_5750 was RELEASED at 20:53:04 EST and since we are set to update around midnight we still saw the Tofsee threat signatures occur until after the signature database was updated. This may have been what you saw? I agree though the signatures were too noisy to be released in the state they are in. But now that the Tofsee signature is gone, this content update released a nice new informational signature for "Non-RFC Compliant SSL Traffic on Port 443" that has begun acting up. Thus the circle of signature life continues..

Re: Tofsee TLS Fingerprint Detection

itsnotthenetwork — Wed, 06 Nov 2019 16:56:49 GMT

@LRichman

Is that ( subtype eq spyware ) for the "Non-RFC Compliant SSL Traffic on Port 443"? Whats the signature ID for that?

I'm not seeing any hits for Non-RFC Compliant SSL Traffic on Port 443, but I would need to know what PAN is looking for for both signatures before I could determine why.

Re: Tofsee TLS Fingerprint Detection

LRichman — Wed, 06 Nov 2019 17:06:56 GMT

@itsnotthenetwork

Threat Name: Non-RFC Compliant SSL Traffic on Port 443

category-of-threatid eq protocol-anomaly
Threat ID: 56112

I am also not saying right off the bat that this signature is having issues, as it's only a handful of firewalls that I've seen so far and for a specific destination subnet. Could be an old website or server that is negotiating weak ciphers and the vulnerability signature is reporting a true positive. Further investigation is required before I can truly say if this is a weak signature or not

Re: Tofsee TLS Fingerprint Detection

Stephen_Elliott — Thu, 07 Nov 2019 09:31:05 GMT

Hi all,

Just to confirm that our threat monitor has stopped logging the 30k+ alerts per hour for the Tofsee detection since the db update to 8207.

And I'm not seeing any problems with threat id 56112 as reported by LRichman (yet!)

Re: Tofsee TLS Fingerprint Detection

itsnotthenetwork — Thu, 07 Nov 2019 16:31:10 GMT

The Tofsee storm has stopped for us as well. The weird thing was the updated applied and it appeared to take 2 hours for the threats to stop flagging, and thats on 7050 hardware. I'm just glad its over.