[Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature

Brian O'Berry (JIRA) jira at bro-tracker.atlassian.net
Tue Jan 20 04:05:00 PST 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19502#comment-19502 ] 

Brian O'Berry commented on BIT-1238:
------------------------------------

We installed the file signatures from master (base/frameworks/files/magic) on a 2.3.1 system, which eliminated the false positives we were experiencing.  This brought in unrelated signature changes, so we're in the process of verifying signatures for other file types that are important to us.  I'll let you know if we find any discrepancies, but so far things look solid.  Thank you!

> High false-positive for application/x-tar signature
> ---------------------------------------------------
>
>                 Key: BIT-1238
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1238
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Brian O'Berry
>            Assignee: Seth Hall
>              Labels: file, mime, signature
>             Fix For: git/master, 2.4
>
>         Attachments: test.tar.gz
>
>
> The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
>     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
>     file-mime "application/x-tar", 150
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)
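Added illustration (not code from the Bro project, from the issue, or from the thread above): the script below translates the quoted file-tar pattern into a Python bytes regex and runs it over two constructed samples, a real USTAR header produced by the standard library and a plain fixed-width text report. Both samples satisfy the pattern, which is the false positive the issue describes: any line of 100 or more printable characters followed by 24 digits or spaces looks like a tar name field plus the mode/uid/gid fields. The tighter check at the end (ustar magic at offset 257 plus header checksum validation) is this example's own suggestion for telling the two apart and is not the change that landed in master; the sample file names, host names and counter values are made up.

```python
import re
import tarfile

# The page's Bro signature, translated to a Python bytes regex. POSIX classes
# map as [[:print:]] -> 0x20-0x7E and [[:digit:]] -> 0-9; the pattern stays
# unanchored, exactly as it appears in general.sig.
BRO_TAR_PATTERN = re.compile(rb"[ -~\x00]{100}(?:[0-9\x00 ]{8}){3}")


def bro_tar_signature_offset(data):
    """Offset at which the quoted file-tar signature first fires, or -1."""
    m = BRO_TAR_PATTERN.search(data)
    return m.start() if m else -1


def tar_header_checksum_ok(data):
    """Validate the checksum of a 512-byte tar header at offset 0.

    The checksum is the unsigned byte sum of the header with the 8-byte
    checksum field (offset 148) treated as ASCII spaces, stored as octal
    ASCII. Text data essentially never satisfies this by accident.
    """
    if len(data) < 512:
        return False
    hdr = data[:512]
    try:
        stored = int(hdr[148:156].strip(b"\x00 "), 8)
    except ValueError:  # empty field or non-octal characters
        return False
    computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    return stored == computed


def has_ustar_magic(data):
    """POSIX 'ustar\\0' or GNU 'ustar  \\0' magic at offset 257."""
    return data[257:263] == b"ustar\x00" or data[257:265] == b"ustar  \x00"


def looks_like_tar(data):
    """Tighter check (this example's suggestion, not Bro's fix):
    magic string plus a valid header checksum."""
    return has_ustar_magic(data) and tar_header_checksum_ok(data)


def build_tar_sample():
    """Constructed sample: one USTAR header block from the standard library."""
    info = tarfile.TarInfo(name="report.txt")  # hypothetical member name
    info.mode = 0o644
    info.size = 42
    info.mtime = 1421755500
    return info.tobuf(format=tarfile.USTAR_FORMAT)


def build_text_sample():
    """Constructed sample: a fixed-width counter report with no tar content.

    Every data row is 151 printable characters and ends in 80 digits/spaces,
    which is all the signature asks for (100 printable, then 24 digit/space).
    """
    rows = [b"# per-interface byte counters, constructed for this example"]
    for i in range(1, 6):
        label = (b"edge-router-01.example.internal GigabitEthernet0/0/%d "
                 b"inbound bytes 60s " % i)
        cols = b"".join(b"%10d" % (v << i)
                        for v in (1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072))
        rows.append(label + cols)
    return b"\n".join(rows) + b"\n"


TAR_SAMPLE = build_tar_sample()
TEXT_SAMPLE = build_text_sample()

if __name__ == "__main__":
    for name, sample in (("tar header", TAR_SAMPLE), ("text report", TEXT_SAMPLE)):
        print(f"{name:12s} signature offset={bro_tar_signature_offset(sample):4d} "
              f"looks_like_tar={looks_like_tar(sample)}")
```

The magic check rejects pre-POSIX (v7) archives, which carry no "ustar" string at offset 257; for those, the checksum test alone still separates a genuine header from a text line, and an implementation that also accepts v7 archives should fall back to it.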

