Tofsee TLS Fingerprint Detection

L2 Linker

Tofsee TLS Fingerprint Detection

Hi all,

Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.

I assume they are false positives? Anyone else seeing the same?

It's skewing our monitoring stats significantly so I may need to create an exception.

Thanks.

L0 Member

Re: Tofsee TLS Fingerprint Detection

Confirmed we had the same threat database yesterday (now updated). We have seen this, starting yesterday 01:00 GMT, for TLS from one particular Windows 7 host, which we have shut down as a precaution. However, all indications around this host's traffic point towards this being a false positive, with perhaps TLS from Windows 7 being a trigger. Since the trigger host is currently disabled, I'm unable to confirm if this is resolved in updated threat databases, so I would appreciate it if anyone hears that this was indeed a false positive and is resolved.

L2 Linker

Re: Tofsee TLS Fingerprint Detection

We're still seeing thousands of alerts per hour from thousands of source IPs. I can't believe that these are all real alerts.

There's also something odd when filtering on the threat name in the ACC - it displays no data despite the thousands of alerts displayed in the threat log and threat monitor.

I'll raise a TAC case and post the result here.

L1 Bithead

Re: Tofsee TLS Fingerprint Detection

We have also seen this signature on most of our deployed firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints, but the Palo rep stated the firewall does not hash anything, so it does not. Would love some insight into these signatures as there are 4 new Tofsee threat IDs with no details on how they are different, leaving us in the dark.

ID     Name                              Action  Version
85452  Tofsee TLS Fingerprint Detection  alert   8.1.0
85453  Tofsee TLS Fingerprint Detection  alert   8.1.0
85454  Tofsee TLS Fingerprint Detection  alert   8.1.0
85455  Tofsee TLS Fingerprint Detection  alert   8.1.0
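The post above notes that the signatures inspect a hash of the ClientHello and asks whether JA3 is involved. JA3 is the public TLS client fingerprint: five ClientHello fields (version, cipher suites, extension types, supported groups, EC point formats) joined into a string and MD5-hashed, with GREASE values dropped so a client's fingerprint stays stable across connections. The script below is an added example written for this thread; it is not from the thread, and it does not describe how Palo Alto's Tofsee signatures work (the post says that is undisclosed). It builds a constructed ClientHello, parses it back out and computes the JA3 string and hash. The helper names (build_client_hello, sample_client_hello, ja3_from_client_hello) and the hostname backup.example.net are assumptions made up for the example.

```python
import hashlib
import struct

# GREASE values (RFC 8701); JA3 excludes them so a randomly chosen GREASE
# value does not change a client's fingerprint from connection to connection.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

SERVER_NAME, SUPPORTED_GROUPS, EC_POINT_FORMATS = 0x0000, 0x000a, 0x000b


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (constructed test input).

    extensions is a list of (type, body) tuples, emitted in the given order.
    """
    body = struct.pack("!H", version)
    body += b"\x11" * 32                      # fixed 'random' keeps output deterministic
    body += b"\x00"                           # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Parse a ClientHello record; return (ja3_string, ja3_md5, server_name)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                   # skip type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                             # version, random
    p += 1 + hs[p]                                          # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[p + i:p + i + 2])[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                          # compression methods
    ext_types, curves, formats, sni = [], [], [], None
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            t, length = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + length]
            p += 4 + length
            ext_types.append(t)
            if t == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif t == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
            elif t == SERVER_NAME and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")

    def drop_grease(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = ",".join([str(version), drop_grease(ciphers), drop_grease(ext_types),
                    drop_grease(curves), "-".join(str(f) for f in formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest(), sni


def sample_client_hello(with_grease=True):
    """Constructed ClientHello resembling a common browser stack; GREASE optional."""
    host = b"backup.example.net"                            # constructed hostname
    groups = [0x001d, 0x0017, 0x0018]                       # x25519, secp256r1, secp384r1
    ciphers = [0x1301, 0x1302, 0xc02b, 0xc02f]
    if with_grease:
        ciphers = [0x0a0a] + ciphers
        groups = [0x0a0a] + groups
    extensions = [
        (SERVER_NAME, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host),
        (SUPPORTED_GROUPS, struct.pack("!H", 2 * len(groups))
         + b"".join(struct.pack("!H", g) for g in groups)),
        (EC_POINT_FORMATS, b"\x01\x00"),
        (0x000d, b"\x00\x04\x04\x03\x08\x04"),              # signature_algorithms
        (0x0017, b""),                                      # extended_master_secret
        (0xff01, b"\x00"),                                  # renegotiation_info
    ]
    if with_grease:
        extensions.insert(0, (0x0a0a, b""))
    return build_client_hello(0x0303, ciphers, extensions)


if __name__ == "__main__":
    for flag in (True, False):
        s, h, name = ja3_from_client_hello(sample_client_hello(flag))
        print(f"grease={flag} sni={name} ja3={s} md5={h}")
```

Both variants yield the same JA3 string (771,4865-4866-49195-49199,0-10-11-13-23-65281,29-23-24,0) because the GREASE entries are dropped. Running the flagged flows' ClientHellos through such a parser and grouping by hash and SNI is a quick way to test the false-positive theory in this thread: one fingerprint shared by traffic to many unrelated, well-known destinations points at a common client stack (a browser or OS TLS library) rather than at a specific malware family.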

L2 Linker

Re: Tofsee TLS Fingerprint Detection

Exactly that LRichman!

Doesn't seem much point in me opening a case too then.

I'll leave a few days to see if the threat DB gets updated. If not I think I'll create an exception for these threats.

L1 Bithead

Re: Tofsee TLS Fingerprint Detection

I also opened a support case yesterday. Sadly the suggestion thus far is to create an exception. I'm holding out for now because, as you've all stated, this seems like an adjustment they need to make on their end. We are averaging right around 55-60K of these alerts popping off every hour; it's making our SIEM think the world is ending. Considering I'm seeing traffic to domains like msn.com, google.com, amazon.com, twitter.com, webex.com, yahoo.com, bing.com, I would say the fix should likely be a much tighter signature than what they released on 10/30. The description for ID 85454, which is what is kicking them off, is "This signature detects encrypted command and control traffic from Tofsee malware." I highly doubt all those domains are partaking in a C2 scenario. I too will post what support comes up with; they did say I wasn't alone and others have also complained.

L1 Bithead

Re: Tofsee TLS Fingerprint Detection

Just heard from support, who received word from engineering that they will be disabling several of the problem signatures in the next content release around Tuesday of next week. They suggested doing an exception if they are causing issues in the meantime.

L0 Member

Re: Tofsee TLS Fingerprint Detection

Same here.


Will keep an eye on this thread to confirm signature update resolved the mountain of Tofsee informational alerts.


Thanks Stephen.

L2 Linker

Re: Tofsee TLS Fingerprint Detection

As of Threat Version 8206-5743 (10/31/19) we are still seeing the issue. This seems to be the latest version; is there another version available?

L1 Bithead

Re: Tofsee TLS Fingerprint Detection

There does not appear to be a new version released at this time; this is the most recent version according to my firewall.
