Tofsee TLS Fingerprint Detection

L2 Linker

8207-5750 was released early this morning.

Our dynamic update schedule will install it tonight and I'll post an update here tomorrow.

It's available to try now though if you like.

L2 Linker

The associated info with 8207 shows 4 'tofsee' signatures being disabled, so hopefully that should fix it!

L1 Bithead

They did say "around" Tuesday, though they did sneak it on last night.

Our FWs downloaded and installed the latest content update (Version 8207) last night and it resolved the issue for us.

L1 Bithead

I can confirm that the new content release 8207 has corrected this issue after disabling the signatures. Threat logs are looking a lot cleaner without 5k alerts an hour being flagged for those signatures.

L1 Bithead

RE:Stephen 8207_5750

We installed 8207_5750 last night at 19:00 MST and we still saw a lot after that. Funny thing is we have this spyware rule set to grab the first packet and there isn't even an HTTP GET in it. This has to be an over-tweaked spyware rule that PAN needs to fix.

L1 Bithead

@itsnotthenetwork 

For us, 8207_5750 was RELEASED at 20:53:04 EST and since we are set to update around midnight we still saw the Tofsee threat signatures occur until after the signature database was updated. This may have been what you saw? I agree though the signatures were too noisy to be released in the state they are in. But now that the Tofsee signature is gone, this content update released a nice new informational signature for "Non-RFC Compliant SSL Traffic on Port 443" that has begun acting up. Thus the circle of signature life continues.

L1 Bithead

@LRichman 

Is that ( subtype eq spyware ) for the "Non-RFC Compliant SSL Traffic on Port 443"? What's the signature ID for that?

I'm not seeing any hits for Non-RFC Compliant SSL Traffic on Port 443, but I would need to know what PAN is looking for, for both signatures, before I could determine why.

L1 Bithead

@itsnotthenetwork 

Threat Name: Non-RFC Compliant SSL Traffic on Port 443
category-of-threatid eq protocol-anomaly
Threat ID: 56112

I am also not saying right off the bat that this signature is having issues, as it's only a handful of firewalls that I've seen so far and for a specific destination subnet. Could be an old website or server that is negotiating weak ciphers and the vulnerability signature is reporting a true positive. Further investigation is required before I can truly say if this is a weak signature or not.

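
The triage LRichman describes (is a signature firing at storm rates, and are its hits spread broadly or concentrated on one destination subnet?) can be scripted over a threat-log export. The following is an added example, not code from the thread or from Palo Alto Networks; it assumes a simplified CSV export with `receive_time`, `threatid`, `threat_name`, `category`, `src` and `dst` columns, and the sample lines are constructed.

```python
"""Flag noisy IPS signatures: peak alerts per hour per threat ID, plus how
concentrated a signature's hits are on one destination /24."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (assumed simplified column layout, not the real
# PAN-OS threat-log schema). Threat ID 99999 is a placeholder signature.
SAMPLE_LOG = """\
receive_time,threatid,threat_name,category,src,dst
2019/11/19 00:05:10,56112,Non-RFC Compliant SSL Traffic on Port 443,protocol-anomaly,10.1.1.5,203.0.113.10
2019/11/19 00:06:11,56112,Non-RFC Compliant SSL Traffic on Port 443,protocol-anomaly,10.1.1.6,203.0.113.12
2019/11/19 00:07:12,56112,Non-RFC Compliant SSL Traffic on Port 443,protocol-anomaly,10.1.2.9,203.0.113.7
2019/11/19 01:10:00,56112,Non-RFC Compliant SSL Traffic on Port 443,protocol-anomaly,10.1.1.5,203.0.113.10
2019/11/19 01:12:00,99999,Placeholder Signature,spyware,10.1.1.7,198.51.100.4
"""


def parse_log(text):
    """Parse the CSV export; receive_time becomes a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["receive_time"] = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        rows.append(row)
    return rows


def peak_hourly_rate(rows):
    """Map threat ID -> (threat name, highest alert count in any single hour)."""
    buckets, names = defaultdict(Counter), {}
    for r in rows:
        hour = r["receive_time"].replace(minute=0, second=0, microsecond=0)
        buckets[r["threatid"]][hour] += 1
        names[r["threatid"]] = r["threat_name"]
    return {tid: (names[tid], max(c.values())) for tid, c in buckets.items()}


def top_dst_share(rows, threatid, prefixlen=24):
    """Fraction of a signature's hits landing in its busiest destination /prefixlen.
    Near 1.0 suggests one server or site (possible true positive), not a broad false positive."""
    nets = Counter()
    for r in rows:
        if r["threatid"] == threatid:
            nets[ipaddress.ip_network(f'{r["dst"]}/{prefixlen}', strict=False)] += 1
    total = sum(nets.values())
    return max(nets.values()) / total if total else 0.0


def triage(text, rate_threshold):
    """Signatures whose peak hourly rate exceeds rate_threshold, with dst concentration."""
    rows = parse_log(text)
    return [{"threatid": tid, "name": name, "peak_per_hour": peak,
             "top_dst_share": top_dst_share(rows, tid)}
            for tid, (name, peak) in peak_hourly_rate(rows).items() if peak > rate_threshold]
```

With a real export, set `rate_threshold` to your baseline (the thread cites 5k and 30k+ per hour as storm levels) and read `top_dst_share` before deciding whether a signature is noisy or the hits are a genuine single-site finding.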
L2 Linker

Hi all,

Just to confirm that our threat monitor has stopped logging the 30k+ alerts per hour for the Tofsee detection since the db update to 8207.

And I'm not seeing any problems with threat id 56112 as reported by LRichman (yet!)

L1 Bithead

The Tofsee storm has stopped for us as well. The weird thing was the update applied and it appeared to take 2 hours for the threats to stop flagging, and that's on 7050 hardware. I'm just glad it's over.
