High false-positive for application/x-tar signature

Description

The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.

Environment

None

Activity

Show:
Seth Hall
January 9, 2015, 9:48 PM

I'm going to go ahead and close this since things are at least significantly better now.

Brian O'Berry
January 20, 2015, 12:04 PM

We installed the file signatures from master (base/frameworks/files/magic) on a 2.3.1 system, which eliminated the false positives we were experiencing. This brought in unrelated signature changes, so we're in the process of verifying signatures for other file types that are important to us. l'll let you know if we find any discrepancies, but so far things look solid. Thank you!

Seth Hall
January 20, 2015, 2:06 PM

We’ve been meaning to write a test suite for our file signature matching because right now it’s hard to trust that we’re doing things correctly as we continue moving forward, but I never got around to it when I was making this set of changes unfortunately.

Brian O'Berry
January 20, 2015, 5:57 PM

We'd love to contribute a test suite, if you're interested. Would you care to discuss your ideas and/or Bro requirements? We already have a process that we're using to compare file type identification between the Bro 2.2 magic db and the signatures from master (but running on 2.3.1).

Daniel Thayer
February 6, 2015, 8:37 PM

Do you have a set of test files that you could make public as part of the Bro test suite?
If so, I could help with creating some test scripts and getting everything into our git repo.

Assignee

Seth Hall

Reporter

Brian O'Berry

Labels

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal
Configure