10-31-2019 02:08 AM
Hi all,
Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.
I assume they are false positives? Anyone else seeing the same?
It's skewing our monitoring stats significantly so I may need to create an exception.
Thanks.
11-01-2019 02:13 AM - edited 11-01-2019 04:21 AM
Confirmed we had the same threat database yesterday (now updated). We have seen this, starting yesterday 01:00 GMT for TLS from one particular Windows 7 host, which we have shut down as a precaution. However all indications around this host's traffic point towards this being a false positive, with perhaps TLS from Windows 7 being a trigger. Since the trigger host is currently disabled, I'm unable to confirm if this is resolved in updated threat databases so would appreciate if anyone hears that this was indeed false positive and is resolved.
11-01-2019 06:12 AM
We're still seeing thousands of alerts per hour from thousands of source IPs. I can't believe that these are all real alerts.
There's also something odd when filtering on the threat name in the ACC - it displays no data despite the thousands of alerts displayed in the threat log and threat monitor.
I'll raise a TAC case and post the result here.
11-01-2019 06:53 AM
We have also seen this signature on most of our deployed firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints but the Palo rep stated the firewall does not hash anything so it does not.. Would love some insight into these signatures as there are 4 new Tofsee threat ID's with no details on how they are different, leaving us in the dark.
85452 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
85453 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
85454 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
85455 | Tofsee TLS Fingerprint Detection | alert | 8.1.0 |
11-01-2019 07:08 AM
Exactly that LRichman!
Doesn't seem much point in me opening a case too then.
I'll leave a few days to see if the threat DB gets updated. If not I think I'll create an exception for these threats.
11-01-2019 08:26 AM
I've also open a support case yesterday. Sadly the suggestion thus far is to create an exception. I'm holding out for now because as you've all stated this seems like an adjustment they need to make on their end. We are avg right around 55-60K of these alerts popping off every hour, it's making our SIEM think the world is ending. Considering I'm seeing traffic to domains like msn.com, google.com, amazon.com, twitter.com, webex.com, yahoo.com, bing.com. I would say the fix should likely be on a much tighter signature than what they release on 10/30. The description for ID 85454 which is what is kicking them off is "This signature detects encrypted command and control traffic from Tofsee malware." I highly doubt all those domains are partaking in a C2 scenario. I too will post what support comes up with, they did say I wasn't alone and others also have complained.
11-01-2019 10:32 AM
Just heard from support who received word from engineering that they will be disabling several of the problem signatures in the next content release around Tuesday of next week. They suggested doing an exception of they are causing issues in the meantime.
11-04-2019 02:52 PM
Same here.
Will keep an eye on this thread to confirm signature update resolved the mountain of Tofsee informational alerts.
Thanks Stephen.
11-05-2019 11:11 AM
11-05-2019 11:44 AM
There does not appear to be a new version released at this time, this is the most recent version according to my firewall.
11-06-2019 12:38 AM
8207-5750 was released early this morning.
Our dynamic update schedule will install it tonight and I'll post an update here tomorrow.
It's available to try now though if you like.
11-06-2019 12:43 AM
The associated info with 8207 shows 4 'tofsee' signatures being disabled, so hopefully that should fix it!
11-06-2019 05:16 AM
They did say "around" Tuesday, though they did sneak it on last night.
Our FWs downloaded and installed the latest content update (Version 8207) lat night and it resolved the issue for us.
11-06-2019 06:00 AM
I can confirm that the new content release 8207 has corrected this issue after disabling the signatures. Threat logs are looking a lot cleaner without 5k alerts an hour being flagged for those signatures.
11-06-2019 07:02 AM - edited 11-06-2019 07:30 AM
RE:Stephen 8207_5750
We installed 8207_5750 last night at 19:00 MST and we still saw a lot after that. Funny thing is we have this spyware rule set to grab the first packet and there isnt even a http get in it. This has to be an over-tweaked spyware rule that PAN needs to fix.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
