[Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature
Daniel Thayer (JIRA)
jira at bro-tracker.atlassian.net
Fri Feb 6 12:38:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19525#comment-19525 ]
Daniel Thayer commented on BIT-1238:
------------------------------------
Do you have a set of test files that you could make public as part of the Bro test suite?
If so, I could help with creating some test scripts and getting everything into our git repo.
> High false-positive for application/x-tar signature
> ---------------------------------------------------
>
> Key: BIT-1238
> URL: https://bro-tracker.atlassian.net/browse/BIT-1238
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Brian O'Berry
> Assignee: Seth Hall
> Labels: file, mime, signature
> Fix For: git/master, 2.4
>
> Attachments: test.tar.gz
>
>
> The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
> file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
> file-mime "application/x-tar", 150
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)
More information about the bro-dev
mailing list