[Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature
Brian O'Berry (JIRA)
jira at bro-tracker.atlassian.net
Tue Sep 2 04:57:07 PDT 2014
Brian O'Berry created BIT-1238:
----------------------------------
Summary: High false-positive for application/x-tar signature
Key: BIT-1238
URL: https://bro-tracker.atlassian.net/browse/BIT-1238
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.3
Reporter: Brian O'Berry
The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
{code}
signature file-tar {
  file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
  file-mime "application/x-tar", 150
}
{code}
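An added example, not part of the original report or of Bro's code: the file-tar pattern translated to Python's `re` and run against a constructed tar header and a constructed numeric text file, showing why plain text satisfies it. It assumes the pattern is applied from the first byte of the file; `tar_checksum_ok` is a hypothetical helper illustrating a stricter structural check, and the sample data is constructed.

```python
import io
import re
import tarfile

# Python translation of the file-tar pattern from general.sig:
# [[:print:]] -> \x20-\x7e, [[:digit:]] -> 0-9.
# It covers only the tar name field (100 bytes) plus mode/uid/gid (3 x 8 bytes).
FILE_TAR = re.compile(rb"[\x20-\x7e\x00]{100}(?:[0-9\x00\x20]{8}){3}")


def sig_matches(data: bytes) -> bool:
    # Assumption: the pattern is applied from the first byte of the file.
    return FILE_TAR.match(data) is not None


def tar_checksum_ok(data: bytes) -> bool:
    """Hypothetical stricter check: validate the header checksum at offset 148."""
    if len(data) < 512:
        return False
    header = data[:512]
    field = header[148:156].strip(b"\x00 ")
    try:
        stored = int(field, 8)  # checksum is stored as ASCII octal
    except ValueError:
        return False
    # The checksum is computed with its own 8-byte field read as spaces.
    computed = sum(header[:148]) + 8 * 0x20 + sum(header[156:])
    return stored == computed


def constructed_tar() -> bytes:
    """Build a small ustar archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        body = b"hello\n"
        info = tarfile.TarInfo(name="notes.txt")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed text sample: whitespace-separated numbers on a long first line.
# Digits and spaces are printable, so the first 124 bytes satisfy the pattern.
NUMERIC_TEXT = (b"1024 2048 4096 8192 " * 30) + b"\n" + b"x" * 512

if __name__ == "__main__":
    for label, data in (("tar", constructed_tar()), ("text", NUMERIC_TEXT)):
        print(label, "signature:", sig_matches(data), "checksum:", tar_checksum_ok(data))
```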