[https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19502#comment-19502]
Brian O'Berry commented on BIT-1238:
------------------------------------
We installed the file signatures from master (base/frameworks/files/magic) on a
2.3.1 system, which eliminated the false positives we were experiencing. This
brought in unrelated signature changes, so we're in the process of verifying
signatures for other file types that are important to us. I'll let you know if
we find any discrepancies, but so far things look solid. Thank you!
> High false-positive for application/x-tar signature
> ---------------------------------------------------
>
> Key: BIT-1238
> URL: https://bro-tracker.atlassian.net/browse/BIT-1238
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Brian O'Berry
> Assignee: Seth Hall
> Labels: file, mime, signature
> Fix For: git/master, 2.4
>
> Attachments: test.tar.gz
>
>
> The following signature in base/frameworks/files/magic/general.sig frequently
> triggers on text files in our environment, and includes a strength value
> higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
>     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
>     file-mime "application/x-tar", 150
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
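To show why the quoted file-tar signature fires on ordinary text, here is an added Python example that is not part of the ticket or of Bro itself. It transliterates the signature's regex to Python (assuming Bro's [[:print:]] means ASCII 0x20-0x7e and that file-magic matches at the start of the file), runs it over a constructed fixed-width text export and over a real ustar archive built with the standard library, and contrasts it with a stricter, hypothetical check that requires the POSIX "ustar" magic at offset 257 plus a valid header checksum. The stricter check is an illustration of what distinguishes the two inputs, not the signature Bro master actually adopted.

```python
import io
import re
import tarfile

# Bro 2.3 general.sig file-tar signature, transliterated to a Python bytes regex:
# 100 bytes of printable-or-NUL, then three 8-byte fields of digits, NUL or space.
# Assumption: [[:print:]] == ASCII 0x20-0x7e and the match is anchored at offset 0.
TAR_SIG = re.compile(rb"(?:[\x20-\x7e\x00]){100}(?:(?:[0-9\x00\x20]){8}){3}")


def bro_tar_signature_matches(data: bytes) -> bool:
    """True if the 2.3-era file-tar signature would fire on this file's first bytes."""
    return TAR_SIG.match(data) is not None


def looks_like_ustar(data: bytes) -> bool:
    """Hypothetical stricter check (not Bro's): POSIX ustar magic at offset 257
    and a header checksum that validates. Pre-POSIX (v7) tar has no magic and
    would be missed by this check; that trade-off is deliberate here."""
    if len(data) < 512:
        return False
    header = data[:512]
    if header[257:262] != b"ustar":
        return False
    # The checksum field is octal digits, NUL/space padded. It is computed over the
    # 512-byte header with the 8 checksum bytes themselves counted as spaces (0x20).
    field = header[148:156].strip(b"\x00 ")
    if not field:
        return False
    try:
        stored = int(field.decode("ascii"), 8)
    except ValueError:
        return False
    actual = sum(header[:148]) + 8 * 0x20 + sum(header[156:])
    return actual == stored


def build_tar_sample() -> bytes:
    """Constructed sample: a real one-member tar archive from the standard library."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("hello.txt")
        payload = b"hello\n"
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: a plain-text fixed-width export whose first line is a 100-byte
# banner (no newline inside it) followed by columns of digits and spaces. This is
# exactly the shape the signature accepts, so it is reported as application/x-tar.
TEXT_SAMPLE = (
    b"# constructed sample: fixed-width export, 100-byte banner padded with spaces".ljust(100)
    + b"20150123 10111200 00000042 00000017\n" * 20
)


def classify(data: bytes) -> dict:
    """Compare the permissive signature with the stricter header check."""
    return {
        "bro_2_3_signature": bro_tar_signature_matches(data),
        "ustar_header_check": looks_like_ustar(data),
    }


if __name__ == "__main__":
    print("tar archive :", classify(build_tar_sample()))
    print("text export :", classify(TEXT_SAMPLE))
```

Running it shows the 2.3 signature firing on both inputs while the magic-plus-checksum check accepts only the archive. That is the general lesson behind the ticket: a signature built from character classes over the first 124 bytes describes "looks roughly like a header" rather than "is a tar header", and the strength value of 150 then lets this loose match outrank the more specific libmagic.sig entries.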