Tofsee TLS Fingerprint Detection


Hi all,

Since the moment we updated our threat database to 8204-5736, we have been seeing THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.

I assume they are false positives? Anyone else seeing the same?

It's skewing our monitoring stats significantly so I may need to create an exception.

Thanks.


@itsnotthenetwork 


For us, 8207_5750 was RELEASED at 20:53:04 EST, and since we are set to update around midnight, we still saw the Tofsee threat signatures occur until after the signature database was updated. This may have been what you saw? I agree, though, that the signatures were too noisy to be released in the state they are in. But now that the Tofsee signature is gone, this content update released a nice new informational signature for "Non-RFC Compliant SSL Traffic on Port 443" that has begun acting up. Thus the circle of signature life continues...

@LRichman 

Is that ( subtype eq spyware ) for the "Non-RFC Compliant SSL Traffic on Port 443"? What's the signature ID for that?

I'm not seeing any hits for Non-RFC Compliant SSL Traffic on Port 443, but I would need to know what PAN is looking for for both signatures before I could determine why.

@itsnotthenetwork 


Threat Name: Non-RFC Compliant SSL Traffic on Port 443
category-of-threatid eq protocol-anomaly
Threat ID: 56112
I am also not saying right off the bat that this signature is having issues, as it's only a handful of firewalls that I've seen so far, and for a specific destination subnet. It could be an old website or server that is negotiating weak ciphers and the vulnerability signature is reporting a true positive. Further investigation is required before I can truly say whether this is a weak signature or not.

Hi all,

Just to confirm that our threat monitor has stopped logging the 30k+ alerts per hour for the Tofsee detection since the db update to 8207.

And I'm not seeing any problems with threat id 56112 as reported by LRichman (yet!)

The Tofsee storm has stopped for us as well. The weird thing was that the update applied and it appeared to take 2 hours for the threats to stop flagging, and that's on 7050 hardware. I'm just glad it's over.

@LRichman 


Are you still experiencing hits for "Non-RFC Compliant SSL Traffic on Port 443?"  Threat ID 56112.  I have seen a large uptick in this activity since Palo Alto updated the threat on 11-19-2019.  Thanks.

@MarkShanks 


We are still experiencing hits on that threat signature across multiple firewalls at this time. Due to the informational severity and recent holidays, I have not had a chance to investigate it much at all. I will probably end up opening a support case for clarification on this matter.

Yep, we're seeing continual 'Non-RFC Compliant SSL Traffic on Port 443' alerts too, but nothing like the volumes seen on the Tofsee threat.

I am seeing lots of alerts for 

Name: Non-RFC Compliant SSL Traffic on Port 443

Unique Threat ID: 56112


to 31.13.70.50, which belongs to Facebook. However, the device (an Android mobile phone) that is causing the alerts does not have the Facebook app installed.

PCNSC, PCNSE, Cyber Force Defender

Hello 


A few Non-RFC Compliant signatures were introduced late last year, and Non-RFC Compliant SSL Traffic on Port 443 (56112) is one of them. Please note that the main aim behind signature TID 56112 is to detect suspicious and non-RFC compliant SSL traffic on port 443, or applications sending non-SSL traffic over port 443, which may indicate possible malicious activity.

You can capture the Facebook traffic from the Android device on your firewall and check the SSL protocol in the traffic.


Best

Himani

Himani Singh
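The two signatures discussed in this thread both hinge on what the first bytes of a port-443 flow look like: whether the payload is a well-formed TLS handshake record at all, and, if it is, what fingerprint the ClientHello produces. The script below is an added example, not code from this thread or from Palo Alto Networks, and it makes two assumptions: that a "non-RFC compliant" check can be approximated by validating the TLS record and handshake framing of the first client bytes, and that the fingerprint method is JA3 (version, cipher suites, extensions, supported groups, EC point formats, joined and MD5-hashed, with GREASE values dropped). Palo Alto's actual signature logic is not documented here, so treat this as a way to triage a capture yourself: run `is_tls_record()` on the first client-to-server bytes of a flow that tripped 56112, and compare the JA3 of a flow that tripped the Tofsee signature against a known-good client. The sample ClientHello is constructed inline, not captured traffic.

```python
import hashlib
import struct

# JA3 strips GREASE values (RFC 8701) so that clients randomizing them
# still produce a stable fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def is_tls_record(data: bytes) -> bool:
    """Framing check on the first client bytes of a port-443 flow.

    A TLS ClientHello record starts with content type 0x16 (handshake),
    a 0x03.xx legacy version, a record length no larger than 2^14 (RFC 8446
    section 5.1) and handshake type 0x01. HTTP, raw shell traffic or a C2
    protocol tunnelled over 443 fails this check immediately.
    """
    if len(data) < 6:
        return False
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[:5])
    return ctype == 0x16 and vmaj == 0x03 and vmin <= 0x04 and rlen <= 16384 and data[5] == 0x01


def parse_client_hello(data: bytes) -> dict:
    """Extract the ClientHello fields that JA3 uses."""
    if not is_tls_record(data):
        raise ValueError("not a TLS ClientHello record")
    p = 9  # 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    p += 32  # client random
    p += 1 + data[p]  # session id
    cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + data[p]  # compression methods
    exts, curves, points = [], [], []
    if p < len(data):
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            body = data[p:p + elen]; p += elen
            exts.append(etype)
            if etype == 0x000A:  # supported_groups
                n = struct.unpack("!H", body[:2])[0]
                curves = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000B:  # ec_point_formats
                points = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "curves": curves, "points": points}


def ja3(hello: dict) -> tuple[str, str]:
    """Return the JA3 string and its MD5 digest for a parsed ClientHello."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(hello["version"]), join(hello["ciphers"]), join(hello["extensions"]),
                  join(hello["curves"]), join(hello["points"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Constructed sample input (not captured traffic): a minimal ClientHello record."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: TLS 1.2 legacy version, a GREASE cipher and extension,
# SNI, supported_groups, ec_point_formats and signature_algorithms.
SAMPLE_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
    (0x0A0A, b""),
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),
    (0x000A, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17"),
    (0x000B, b"\x01\x00"),
    (0x000D, b"\x00\x04\x04\x03\x08\x04"),
])
# Constructed non-TLS payload on port 443: plain HTTP, which the framing check rejects.
SAMPLE_NON_TLS = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print("TLS framing ok:", is_tls_record(SAMPLE_HELLO), is_tls_record(SAMPLE_NON_TLS))
    print("JA3:", *ja3(parse_client_hello(SAMPLE_HELLO)))
```

A flow whose first client bytes fail `is_tls_record()` is what a "non-SSL traffic on port 443" signature is reasonably meant to catch; one that passes but carries an unusual JA3 is the kind of thing a TLS-fingerprint signature keys on, and the thread shows why that second category is noisy: many legitimate clients, including mobile apps and CDNs, share or rotate fingerprints, so a JA3 match alone is weak evidence without the destination and the client's expected fingerprint to compare against.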