Tofsee TLS Fingerprint Detection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Tofsee TLS Fingerprint Detection

L2 Linker

Hi all,

Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.

I assume they are false positives? Anyone else seeing the same?

It's skewing our monitoring stats significantly so I may need to create an exception.

Thanks.

24 REPLIES 24

L0 Member

Confirmed we had the same threat database yesterday (now updated). We have seen this, starting yesterday 01:00 GMT for TLS from one particular Windows 7 host, which we have shut down as a precaution. However all indications around this host's traffic point towards this being a false positive, with perhaps TLS from Windows 7 being a trigger. Since the trigger host is currently disabled, I'm unable to confirm if this is resolved in updated threat databases so would appreciate if anyone hears that this was indeed false positive and is resolved.

We're still seeing thousands of alerts per hour from thousands of source IPs. I can't believe that these are all real alerts.

There's also something odd when filtering on the threat name in the ACC - it displays no data despite the thousands of alerts displayed in the threat log and threat monitor.

I'll raise a TAC case and post the result here.

L1 Bithead

We have also seen this signature on most of our deployed firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints but the Palo rep stated the firewall does not hash anything so it does not.. Would love some insight into these signatures as there are 4 new Tofsee threat ID's with no details on how they are different, leaving us in the dark.

 

85452

Tofsee TLS Fingerprint Detection

alert

8.1.0

85453

Tofsee TLS Fingerprint Detection

alert

8.1.0

85454

Tofsee TLS Fingerprint Detection

alert

8.1.0

85455

Tofsee TLS Fingerprint Detection

alert

8.1.0

Exactly that LRichman!

Doesn't seem much point in me opening a case too then.

I'll leave a few days to see if the threat DB gets updated. If not I think I'll create an exception for these threats.

L1 Bithead

I've also open a support case yesterday. Sadly the suggestion thus far is to create an exception. I'm holding out for now because as you've all stated this seems like an adjustment they need to make on their end. We are avg right around 55-60K of these alerts popping off every hour, it's making our SIEM think the world is ending. Considering I'm seeing traffic to domains like msn.com, google.com, amazon.com, twitter.com, webex.com, yahoo.com, bing.com. I would say the fix should likely be on a much tighter signature than what they release on 10/30. The description for ID 85454 which is what is kicking them off is "This signature detects encrypted command and control traffic from Tofsee malware." I highly doubt all those domains are partaking in a C2 scenario. I too will post what support comes up with, they did say I wasn't alone and others also have complained.

Just heard from support who received word from engineering that they will be disabling several of the problem signatures in the next content release around Tuesday of next week. They suggested doing an exception of they are causing issues in the meantime.

Same here.

 

Will keep an eye on this thread to confirm signature update resolved the mountain of Tofsee informational alerts.

 

Thanks Stephen.

As of Threat Version 8206-5743 (10/31/19) we are still seeing the issue. This seems to be the latest version, is there another version available?

There does not appear to be a new version released at this time, this is the most recent version according to my firewall. 

8207-5750 was released early this morning.

Our dynamic update schedule will install it tonight and I'll post an update here tomorrow.

It's available to try now though if you like.

The associated info with 8207 shows 4 'tofsee' signatures being disabled, so hopefully that should fix it!

L1 Bithead

They did say "around" Tuesday, though they did sneak it on last night.

 

Our FWs downloaded and installed the latest content update (Version 8207) lat night and it resolved the issue for us.

I can confirm that the new content release 8207 has corrected this issue after disabling the signatures. Threat logs are looking a lot cleaner without 5k alerts an hour being flagged for those signatures.

RE:Stephen 8207_5750

We installed 8207_5750 last night at 19:00 MST and we still saw a lot after that.  Funny thing is we have this spyware rule set to grab the first packet and there isnt even a http get in it.  This has to be an over-tweaked spyware rule that PAN needs to fix.tofsee_first_packet.jpg

  • 25604 Views
  • 24 replies
  • 7 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!