10-31-2019 02:08 AM
Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.
I assume they are false positives? Anyone else seeing the same?
It's skewing our monitoring stats significantly so I may need to create an exception.
11-06-2019 08:38 AM
For us, 8207_5750 was RELEASED at 20:53:04 EST and since we are set to update around midnight we still saw the Tofsee threat signatures occur until after the signature database was updated. This may have been what you saw? I agree though the signatures were too noisy to be released in the state they are in. But now that the Tofsee signature is gone, this content update released a nice new informational signature for "Non-RFC Compliant SSL Traffic on Port 443" that has begun acting up. Thus the circle of signature life continues..
11-06-2019 08:56 AM
Is that ( subtype eq spyware ) for the "Non-RFC Compliant SSL Traffic on Port 443"? What's the signature ID for that?
I'm not seeing any hits for Non-RFC Compliant SSL Traffic on Port 443, but I would need to know what PAN is looking for for both signatures before I could determine why.
11-06-2019 09:06 AM
11-07-2019 01:31 AM
Just to confirm that our threat monitor has stopped logging the 30k+ alerts per hour for the Tofsee detection since the db update to 8207.
And I'm not seeing any problems with threat id 56112 as reported by LRichman (yet!)
11-07-2019 08:31 AM
The Tofsee storm has stopped for us as well. The weird thing was the update applied and it appeared to take 2 hours for the threats to stop flagging, and that's on 7050 hardware. I'm just glad it's over.