We have also seen this signature on most of our deployed firewalls. Most traffic triggering this signature looks legitimate, as it is only to specific websites such as an online backup provider. I opened a case with Palo support, only to be told that these signatures "are looking for hash in the client hello packet of the SSL/TLS negotiation" but they could not be more descriptive as this is "proprietary information". It astounds me that they release 16 TLS fingerprint signatures with no documentation or references on how the firewall is cherry-picking traffic that matches this signature. I tried to inquire if they leverage JA3 fingerprints, but the Palo rep stated the firewall does not hash anything, so it does not. Would love some insight into these signatures, as there are 4 new Tofsee threat IDs with no details on how they are different, leaving us in the dark.

85452  Tofsee TLS Fingerprint Detection  alert  8.1.0
85453  Tofsee TLS Fingerprint Detection  alert  8.1.0
85454  Tofsee TLS Fingerprint Detection  alert  8.1.0
85455  Tofsee TLS Fingerprint Detection  alert  8.1.0
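The post asks whether these signatures are JA3 fingerprints. JA3 is the open, documented way of fingerprinting a TLS ClientHello: it concatenates the ClientHello version, cipher suites, extension types, supported groups and EC point formats (GREASE values removed) into a string and MD5-hashes it. The example below, added here and not taken from the post or from any Palo Alto documentation, builds a constructed ClientHello record, parses it the way a JA3 implementation would, and returns the JA3 string and hash, so a defender can compute the same value from their own packet captures and compare it against the alerting flows. The function names, the sample cipher and extension lists, and the server name are all assumptions made for the example; nothing here states what the vendor signatures actually match on.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from the JA3 string, otherwise the
# same client would produce a different fingerprint on every connection.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _ext(etype, data=b""):
    """Encode one TLS extension: type (2 bytes), length (2 bytes), data."""
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(version, ciphers, extensions):
    """Constructed TLS record carrying a ClientHello (test input, hypothetical).

    extensions is a list of (type, data) tuples in wire order.
    """
    body = struct.pack("!H", version)
    body += b"\x00" * 32                              # random: zeros for reproducibility
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                               # one compression method: null
    exts = b"".join(_ext(t, d) for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Parse a TLS record holding a ClientHello; return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                      # skip client random
    pos += 1 + body[pos]                              # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression methods

    ext_types, groups, formats = [], [], []
    if pos < len(body):                               # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:                           # supported_groups
                glen = struct.unpack("!H", edata[:2])[0]
                groups = [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, glen, 2)]
            elif etype == 11:                         # ec_point_formats (1 byte each)
                formats = list(edata[1:1 + edata[0]])

    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), fmt(ciphers), fmt(ext_types), fmt(groups), fmt(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def sample_client_hello():
    """Constructed ClientHello resembling a modern browser, with GREASE sprinkled in."""
    groups = [0x3a3a, 29, 23, 24]                     # GREASE, x25519, secp256r1, secp384r1
    groups_data = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    sni = b"backup.example.com"                       # placeholder host name
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = [(0x2a2a, b""), (0, sni_data), (23, b""), (65281, b"\x00"), (10, groups_data),
            (11, b"\x01\x00"), (35, b""), (16, b""), (5, b""), (13, b""), (0x1a1a, b"")]
    ciphers = [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f]
    return build_client_hello(0x0303, ciphers, exts)


if __name__ == "__main__":
    ja3_str, ja3_hash = ja3_from_client_hello(sample_client_hello())
    print(ja3_str)
    print(ja3_hash)
```

Because the hash is over the exact field order the client sends, two clients with the same cipher list in a different order get different JA3 values; when triaging alerts like the ones above, compare the JA3 of the flows hitting the backup provider against the JA3 your known-good client software produces, rather than relying on the destination alone.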