About LRichman

@MarkShanks    We are still experiencing hits on that threat signature across multiple firewalls at this time. Due to the informational severity and recent holidays, I have not had a chance to investigate it much at all. I will probably end up opening a support case for clarification on this matter. ... View more

@itsnotthenetwork    Threat Name: Non-RFC Compliant SSL Traffic on Port 443 category-of-threatid eq protocol-anomaly Threat ID: 56112   I am also not saying right off the bat that this signature is having issues, as it's only a handful of firewalls that I've seen so far and for a specific destination subnet. Could be an old website or server that is negotiating weak ciphers and the vulnerability signature is reporting a true positive. Further investigation is required before I can truly say if this is a weak signature or not ... View more

@itsnotthenetwork    For us, 8207_5750 was RELEASED at 20:53:04 EST and since we are set to update around midnight we still saw the Tofsee threat signatures occur until after the signature database was updated. This may have been what you saw? I agree though the signatures were too noisy to be released in the state they are in. But now that the Tofsee signature is gone, this content update released a nice new informational signature for "Non-RFC Compliant SSL Traffic on Port 443" that has begun acting up. Thus the circle of signature life continues.. ... View more

I can confirm that the new content release 8207 has corrected this issue after disabling the signatures. Threat logs are looking a lot cleaner without 5k alerts an hour being flagged for those signatures. ... View more

There does not appear to be a new version released at this time, this is the most recent version according to my firewall.  ... View more

We have also seen this signature on most of our deployed  firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints but the Palo rep stated the firewall does not hash anything so it does not.. Would love some insight into these signatures as there are 4 new Tofsee threat ID's with no details on how they are different, leaving us in the dark.   85452 Tofsee TLS Fingerprint Detection alert 8.1.0 85453 Tofsee TLS Fingerprint Detection alert 8.1.0 85454 Tofsee TLS Fingerprint Detection alert 8.1.0 85455 Tofsee TLS Fingerprint Detection alert 8.1.0 ... View more