[Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature

Brian O'Berry (JIRA) jira at bro-tracker.atlassian.net
Wed Oct 15 06:55:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18404#comment-18404 ] 

Brian O'Berry commented on BIT-1238:

Attached test.tar.gz, with test results of an HTTP GET for which the extracted text file is classified as a tar file.
* test.pcap contains the HTTP GET session (you'll need to disable checksums to use it)
* test.txt is the original file
* extract_files/ contains the extracted file
* etc/ holds config files used for the test, for which bro was started as a daemon via 'broctl start'
* logs/ includes files.*.log.gz showing the incorrect mime type
* spool/ includes the local.bro policy file used for the test

> High false-positive for application/x-tar signature
> ---------------------------------------------------
>                 Key: BIT-1238
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1238
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Brian O'Berry
>            Assignee: Seth Hall
>              Labels: file, mime, signature
>         Attachments: test.tar.gz
> The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
>     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
>     file-mime "application/x-tar", 150
> }
> {code}

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list