The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
I'm going to go ahead and close this since things are at least significantly better now.
We installed the file signatures from master (base/frameworks/files/magic) on a 2.3.1 system, which eliminated the false positives we were experiencing. This brought in unrelated signature changes, so we're in the process of verifying signatures for other file types that are important to us. I'll let you know if we find any discrepancies, but so far things look solid. Thank you!
We’ve been meaning to write a test suite for our file signature matching because right now it’s hard to trust that we’re doing things correctly as we continue moving forward, but I never got around to it when I was making this set of changes unfortunately.
We'd love to contribute a test suite, if you're interested. Would you care to discuss your ideas and/or Bro requirements? We already have a process that we're using to compare file type identification between the Bro 2.2 magic db and the signatures from master (but running on 2.3.1).
Do you have a set of test files that you could make public as part of the Bro test suite?
If so, I could help with creating some test scripts and getting everything into our git repo.
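A small illustration of the regression test idea discussed in this thread, added here as an example and not code from Bro or from any participant: a strength-ranked matcher run over a constructed corpus (a plain text file and a minimal POSIX tar header). The over-broad signature named `overbroad` is hypothetical, standing in for a signature whose strength exceeds the tar signatures; the check shows it misclassifying both samples, and passing once it is removed.

```python
import re

# Constructed samples (not real files from the reporter's environment).
TEXT_SAMPLE = b"This is a plain text file.\n"
_hdr = bytearray(512)               # POSIX tar header: name at 0, "ustar\0" at 257
_hdr[0:9] = b"hello.txt"
_hdr[257:263] = b"ustar\x00"
TAR_SAMPLE = bytes(_hdr)

# Signature table: (name, mime, regex applied to the leading bytes, strength).
SIGNATURES = [
    ("posix-tar", "application/x-tar", re.compile(rb".{257}ustar\x00", re.DOTALL), 100),
    ("gnu-tar", "application/x-tar", re.compile(rb".{257}ustar  \x00", re.DOTALL), 100),
    # Hypothetical over-broad signature: matches any printable leading bytes
    # and claims a strength higher than the tar signatures above.
    ("overbroad", "application/octet-stream", re.compile(rb"[\x20-\x7e]+"), 110),
]

# Fixed table for comparison: the over-broad signature is dropped.
FIXED_SIGNATURES = [s for s in SIGNATURES if s[0] != "overbroad"]

# Constructed corpus: sample name -> (bytes, expected mime).
EXPECTED = {
    "hello.txt": (TEXT_SAMPLE, "text/plain"),
    "hello.tar": (TAR_SAMPLE, "application/x-tar"),
}


def identify(data, signatures=SIGNATURES):
    """Return the mime of the strongest matching signature, else text/plain."""
    best = None
    for name, mime, pattern, strength in signatures:
        if pattern.match(data) and (best is None or strength > best[2]):
            best = (name, mime, strength)
    return best[1] if best else "text/plain"


def run_regression(signatures=SIGNATURES):
    """Return (sample, expected, got) for every sample the table misclassifies."""
    mismatches = []
    for sample, (data, expected) in EXPECTED.items():
        got = identify(data, signatures)
        if got != expected:
            mismatches.append((sample, expected, got))
    return mismatches


if __name__ == "__main__":
    print("broken table:", run_regression(SIGNATURES))
    print("fixed table: ", run_regression(FIXED_SIGNATURES))
```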