10-31-2019 02:08 AM
Hi all,
Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.
I assume they are false positives? Anyone else seeing the same?
It's skewing our monitoring stats significantly so I may need to create an exception.
Thanks.
11-01-2019 02:13 AM - edited 11-01-2019 04:21 AM
Confirmed we had the same threat database yesterday (now updated). We have seen this, starting yesterday 01:00 GMT for TLS from one particular Windows 7 host, which we have shut down as a precaution. However all indications around this host's traffic point towards this being a false positive, with perhaps TLS from Windows 7 being a trigger. Since the trigger host is currently disabled, I'm unable to confirm if this is resolved in updated threat databases so would appreciate if anyone hears that this was indeed false positive and is resolved.
11-01-2019 06:12 AM
We're still seeing thousands of alerts per hour from thousands of source IPs. I can't believe that these are all real alerts.
There's also something odd when filtering on the threat name in the ACC - it displays no data despite the thousands of alerts displayed in the threat log and threat monitor.
I'll raise a TAC case and post the result here.
11-01-2019 06:53 AM
We have also seen this signature on most of our deployed firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints but the Palo rep stated the firewall does not hash anything so it does not.. Would love some insight into these signatures as there are 4 new Tofsee threat ID's with no details on how they are different, leaving us in the dark.
85452 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
85453 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
85454 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
85455 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
11-01-2019 07:08 AM
Exactly that LRichman!
Doesn't seem much point in me opening a case too then.
I'll leave a few days to see if the threat DB gets updated. If not I think I'll create an exception for these threats.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!