Steve Egbert updated BIT-1238:
------------------------------
Status: Merge Request (was: Open)
High false-positive for application/x-tar signature
---------------------------------------------------
Key: BIT-1238
URL: https://bro-tracker.atlassian.net/browse/BIT-1238
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.3
Reporter: Brian O'Berry
Assignee: Seth Hall
Labels: file, mime, signature
Attachments: test.tar.gz
The following signature in base/frameworks/files/magic/general.sig frequently triggers on
text files in our environment, and includes a strength value higher than GNU and POSIX tar
signatures in libmagic.sig.
{code}
signature file-tar {
    file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
    file-mime "application/x-tar", 150
}
{code}
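The behaviour reported above can be reproduced offline with the following added example, which is not part of the ticket or of Bro's code. It translates the quoted pattern into Python regex syntax, assumes the pattern is anchored at the start of the file, and compares it with a tar header checksum check on two constructed samples; the checksum check is an illustration, not the project's fix.

```python
import io
import re
import tarfile

# Python translation of the file-magic pattern quoted above:
# [[:print:]] -> \x20-\x7e, [[:digit:]] -> 0-9. Anchoring at offset 0 is an assumption.
LOOSE = re.compile(rb"[\x20-\x7e\x00]{100}(?:[0-9\x00\x20]{8}){3}")

def loose_match(data: bytes) -> bool:
    """True when the first 124 bytes satisfy the quoted pattern."""
    return LOOSE.match(data) is not None

def tar_checksum_ok(data: bytes) -> bool:
    """Validate the header checksum stored at offset 148 of a 512-byte tar header."""
    if len(data) < 512:
        return False
    hdr = data[:512]
    try:
        stored = int(hdr[148:156].strip(b"\x00 "), 8)
    except ValueError:
        return False
    # The checksum field itself is counted as eight ASCII spaces.
    return stored == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])

def sample_text() -> bytes:
    """Constructed fixed-width text export: a long first line with numeric columns."""
    row = b"station KXYZ hourly export".ljust(100) + b"00001234 00005678 00000042\n"
    return row * 6

def sample_tar() -> bytes:
    """Constructed one-member tar archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name="notes.txt")
        payload = b"hello\n"
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    for label, data in (("text", sample_text()), ("tar", sample_tar())):
        print(label, "loose:", loose_match(data), "checksum:", tar_checksum_ok(data))
```

Both samples satisfy the loose pattern, because any text whose first line runs 100 printable characters followed by 24 digits or spaces looks like the name, mode, uid and gid fields of a tar header; only the real archive passes the checksum check.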