[Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature

Brian O'Berry (JIRA) jira at bro-tracker.atlassian.net
Tue Sep 2 04:57:07 PDT 2014

Brian O'Berry created BIT-1238:

             Summary: High false-positive for application/x-tar signature
                 Key: BIT-1238
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1238
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.3
            Reporter: Brian O'Berry

The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.

signature file-tar {
    file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
    file-mime "application/x-tar", 150
}
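
Added example (not part of the original report and not Bro code): the quoted pattern translated to a Python regex and run against a constructed tar header and a constructed fixed-width text file, next to a tar header checksum check that separates the two. Assumptions: [[:print:]] is written as \x20-\x7e, the pattern is anchored at the start of the file, and the function names and sample data are made up for illustration.

```python
import re
import tarfile

# Python translation of the file-magic pattern quoted above (assumption:
# [[:print:]] == \x20-\x7e, and the match is anchored at offset 0).
LOOSE_TAR = re.compile(rb"[\x20-\x7e\x00]{100}(?:[0-9\x00\x20]{8}){3}")


def loose_magic_matches(data: bytes) -> bool:
    """True if the data satisfies the loose name/mode/uid/gid pattern."""
    return LOOSE_TAR.match(data) is not None


def tar_checksum_ok(data: bytes) -> bool:
    """Validate the checksum field of the first 512-byte tar header block."""
    if len(data) < 512:
        return False
    hdr = data[:512]
    try:
        # chksum field: 8 bytes at offset 148, octal, NUL/space padded.
        stored = int(hdr[148:156].strip(b" \x00"), 8)
    except ValueError:
        return False
    # The checksum is the byte sum of the header with the chksum field
    # itself counted as eight spaces.
    computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    return stored == computed


def make_samples():
    """Constructed inputs: one real ustar header, one plain-text report."""
    tar_hdr = tarfile.TarInfo("hello.txt").tobuf(format=tarfile.USTAR_FORMAT)
    # 100 printable bytes, then 24 bytes of digits and spaces: enough to
    # satisfy the pattern without being a tar archive.
    text = (b"Quarterly totals by region".ljust(100)
            + b"    1024    2048    4096\n"
            + b"more report text follows here\n" * 20)
    return tar_hdr, text


if __name__ == "__main__":
    for label, sample in zip(("tar header", "text file"), make_samples()):
        print(label, loose_magic_matches(sample), tar_checksum_ok(sample))
```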
