This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Tofsee TLS Fingerprint Detection
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Cloud Delivered Security Services
- Threat & Vulnerability
- Tofsee TLS Fingerprint Detection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Tofsee TLS Fingerprint Detection
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-31-2019 02:08 AM
Hi all,
Since the moment we updated our threat database to 8204-5736 we see THOUSANDS of 'Tofsee TLS Fingerprint Detection' threat matches.
I assume they are false positives? Anyone else seeing the same?
It's skewing our monitoring stats significantly so I may need to create an exception.
Thanks.
24 REPLIES 24
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-03-2019 01:56 PM
Are you still experiencing hits for "Non-RFC Compliant SSL Traffic on Port 443?" Threat ID 56112. I have seen a large uptick in this activity since Palo Alto updated the threat on 11-19-2019. Thanks.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-03-2019 02:11 PM
We are still experiencing hits on that threat signature across multiple firewalls at this time. Due to the informational severity and recent holidays, I have not had a chance to investigate it much at all. I will probably end up opening a support case for clarification on this matter.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-04-2019 12:45 AM
Yep, we're seeing continual 'Non-RFC Compliant SSL Traffic on Port 44' alerts too, but nothing like the volumes seen on the Tofsee threat.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-26-2020 12:42 PM
I am seeing lots of alerts for
Name: Non-RFC Compliant SSL Traffic on Port 443
Unique Threat ID: 56112
to 31.13.70.50 which belongs to Facebook. However, the device (android mobile phone) that is causing the alerts does not have facebook app installed.
PCNSC, PCNSE, Cyber Force Defender
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-26-2020 02:54 PM
Hello
Few Non-RFC Complaint signatures that was introduced in late last year and non-RFC Compliant SSL Traffic on Port 443(56112) is one of them. Please note that the main aim behind the signature TID 56112 is to detect suspicious and non-RFC compliant SSL traffic on port 443 or applications sending non-SSL traffic using port 443 or indicate possible malicious activity.
You can capture the facebook traffic from the android device on your Firewall and check the traffic SSL protocol.
Best
Himani
Himani Singh
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks