[https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18302#comment-18302]
Brian O'Berry commented on BIT-1238:
------------------------------------
Played around with regex101.com, which shows the following string matches the
regex. Ignore the line wrapping; it does not contain a newline.
{code}
This sequence is exactly 100 printable characters, followed by 3 groups of
8-character digits/spaces 23 5 78 23456781 3 5 78
{code}
I guess we see a lot of text files with strings like that in our environment.
I'll try to research tar file structure to understand where the regex came
from. In the meantime, we'll try excluding the {{file-tar}} signature by
adding it to the {{Signatures::ignored_ids}} pattern.
> High false-positive for application/x-tar signature
> ---------------------------------------------------
>
> Key: BIT-1238
> URL: https://bro-tracker.atlassian.net/browse/BIT-1238
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Brian O'Berry
> Labels: file, mime, signature
>
> The following signature in base/frameworks/files/magic/general.sig frequently
> triggers on text files in our environment, and includes a strength value
> higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
> file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
> file-mime "application/x-tar", 150
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.4-OD-05-009#64003)
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
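The 124-byte prefix that the file-tar signature checks is the start of a POSIX ustar header: a 100-byte name field followed by three 8-byte octal fields (mode, uid, gid). That is why the reporter's constructed sentence satisfies it. The script below is an added example, not code from the ticket or from the Bro project: it transcribes the general.sig regex into Python's re syntax (Python has no [[:print:]], so the class is spelled out as the byte range 0x20-0x7e), reproduces the regex101 match on the posted string, builds a genuine ustar header with the standard library, and then applies two checks the signature never looks at, the "ustar" magic at offset 257 and the header checksum at offset 148. Anchoring the regex at the start of the buffer is an assumption here, made because file-magic signatures are applied to the beginning of a file.

```python
"""Reproduce the BIT-1238 file-tar false positive and compare it with checks
based on ustar header fields the 124-byte regex does not examine.

Added example; not code from the Bro project or from the ticket.
"""
import re
import tarfile

# general.sig: file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
# Transcribed to Python: [[:print:]] becomes the byte range 0x20-0x7e.
FILE_TAR_RE = re.compile(rb"[\x20-\x7e\x00]{100}(?:[0-9\x00\x20]{8}){3}")

# The string from the ticket comment (constructed by the reporter): exactly
# 100 printable bytes followed by 24 bytes drawn from digits and spaces.
REPORTER_TEXT = (
    b"This sequence is exactly 100 printable characters, followed by 3 groups of "
    b"8-character digits/spaces 23 5 78 23456781 3 5 78"
)


def bro_file_tar_matches(data: bytes) -> bool:
    """True if the general.sig regex fires on this buffer.

    Anchored at offset 0 (assumption: file-magic signatures are matched
    against the start of the file).
    """
    return FILE_TAR_RE.match(data) is not None


def ustar_header(name: str, size: int = 0) -> bytes:
    """Build a real 512-byte POSIX ustar header with the tarfile module."""
    info = tarfile.TarInfo(name)
    info.size = size
    return info.tobuf(format=tarfile.USTAR_FORMAT)


def is_tar_header(data: bytes) -> bool:
    """Stricter test using two ustar fields the regex ignores.

    - offset 257: the 6-byte magic "ustar\\0" (only "ustar" is compared so
      the check also accepts GNU "ustar  " headers)
    - offset 148: the 8-byte checksum field, an octal sum of all 512 header
      bytes computed with the checksum field itself taken as eight spaces
    """
    if len(data) < 512:
        return False
    hdr = data[:512]
    if hdr[257:262] != b"ustar":
        return False
    stored = hdr[148:156].strip(b"\x00 ")
    try:
        expected = int(stored, 8)
    except ValueError:
        return False
    computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    return computed == expected


def classify(data: bytes) -> dict:
    """Run both checks on one buffer so the results can be compared."""
    return {
        "regex_matches": bro_file_tar_matches(data),
        "header_valid": is_tar_header(data),
    }


if __name__ == "__main__":
    print("reporter text :", classify(REPORTER_TEXT))
    print("ustar header  :", classify(ustar_header("notes.txt", 1234)))
```

On the posted sentence the regex fires and the header check fails; on the header produced by tarfile both pass. Neither the magic nor the checksum is something a text file satisfies by accident, which is the difference a signature author would reach for before raising the strength above libmagic's GNU and POSIX tar entries.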