[Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature

Brian O'Berry (JIRA) jira at bro-tracker.atlassian.net
Sat Oct 11 05:36:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18302#comment-18302 ] 

Brian O'Berry commented on BIT-1238:

Played around with regex101.com, which shows the following string matches the regex.  Ignore line wrapping, it does not contain a newline.
This sequence is exactly 100 printable characters, followed by 3 groups of 8-character digits/spaces 23 5 78 23456781 3 5 78
I guess we see a lot of text files with strings like that in our environment.  I'll try to research tar file structure to understand where the regex came from.  In the meantime, we'll try excluding the {{file-tar}} signature by adding it to the {{Signatures::ignored_ids}} pattern.

> High false-positive for application/x-tar signature
> ---------------------------------------------------
>                 Key: BIT-1238
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1238
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Brian O'Berry
>              Labels: file, mime, signature
> The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
>     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
>     file-mime "application/x-tar", 150
> }
> {code}

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list