High false-positive for application/x-tar signature


The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than that of the GNU and POSIX tar signatures in libmagic.sig.

Seth Hall
January 9, 2015, 9:48 PM

I'm going to go ahead and close this since things are at least significantly better now.

Brian O'Berry
January 20, 2015, 12:04 PM

We installed the file signatures from master (base/frameworks/files/magic) on a 2.3.1 system, which eliminated the false positives we were experiencing. This brought in unrelated signature changes, so we're in the process of verifying signatures for other file types that are important to us. I'll let you know if we find any discrepancies, but so far things look solid. Thank you!

Seth Hall
January 20, 2015, 2:06 PM

We’ve been meaning to write a test suite for our file signature matching because right now it’s hard to trust that we’re doing things correctly as we continue moving forward, but I never got around to it when I was making this set of changes unfortunately.

Brian O'Berry
January 20, 2015, 5:57 PM

We'd love to contribute a test suite, if you're interested. Would you care to discuss your ideas and/or Bro requirements? We already have a process that we're using to compare file type identification between the Bro 2.2 magic db and the signatures from master (but running on 2.3.1).
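The comparison process described in the post above, as an added example that is not code from the Bro project or from any of the thread participants: a small Python harness that runs two tar identifiers over a constructed corpus and reports where they disagree. The "loose" identifier only checks for the POSIX `ustar` magic at offset 257, which is the kind of shape-only heuristic that fires on text files; the "strict" one additionally recomputes the 512-byte header checksum. Function names, the sample corpus and the loose heuristic itself are assumptions made for illustration, not Bro's actual signature.

```python
"""Tar-vs-text identification fixture (added example, not Bro project code).

Two checks are compared over a corpus, the way a regression harness would
diff two signature sets:
  * loose_is_tar: looks only for the POSIX "ustar" magic at offset 257, so
    any text that happens to contain "ustar" there is misidentified.
  * strict_is_tar: also recomputes the 512-byte header checksum, which a
    text file essentially never satisfies.
"""
import io
import tarfile

HEADER_LEN = 512
MAGIC_OFFSET = 257      # "ustar" magic field in a POSIX/ustar header
CHKSUM_OFFSET = 148     # 8-byte octal checksum field
CHKSUM_LEN = 8


def loose_is_tar(data: bytes) -> bool:
    """Magic-only check (assumed heuristic): matches any file with 'ustar' at 257."""
    return data[MAGIC_OFFSET:MAGIC_OFFSET + 5] == b"ustar"


def header_checksum_ok(header: bytes) -> bool:
    """Verify the tar header checksum: the sum of all 512 header bytes with
    the checksum field itself counted as eight ASCII spaces, stored in octal."""
    if len(header) < HEADER_LEN:
        return False
    field = header[CHKSUM_OFFSET:CHKSUM_OFFSET + CHKSUM_LEN]
    try:
        stored = int(field.strip(b"\x00 ") or b"0", 8)
    except ValueError:
        return False  # non-octal bytes in the checksum field: not a tar header
    computed = (sum(header[:CHKSUM_OFFSET]) + CHKSUM_LEN * ord(" ")
                + sum(header[CHKSUM_OFFSET + CHKSUM_LEN:HEADER_LEN]))
    return stored == computed


def strict_is_tar(data: bytes) -> bool:
    """Magic plus a valid header checksum."""
    return loose_is_tar(data) and header_checksum_ok(data[:HEADER_LEN])


def identify(data: bytes, strict: bool) -> str:
    check = strict_is_tar if strict else loose_is_tar
    return "application/x-tar" if check(data) else "text/plain"


def compare_identifiers(corpus: dict) -> list:
    """Return (name, loose_result, strict_result) for every file the two
    identifiers disagree on."""
    diffs = []
    for name, data in corpus.items():
        loose, strict = identify(data, False), identify(data, True)
        if loose != strict:
            diffs.append((name, loose, strict))
    return diffs


def make_tar(name: str, payload: bytes) -> bytes:
    """Build a real single-member ustar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def make_text_with_magic_at_257() -> bytes:
    """Constructed text file whose line mentioning 'ustar' starts at offset 257."""
    prefix = (b"# notes on the POSIX tar header layout\n" * 10)[:MAGIC_OFFSET]
    body = b"ustar is the magic string at offset 257 of the header.\n"
    return prefix + body + b"The checksum field covers the whole 512-byte block.\n" * 10


# Constructed sample corpus: one real archive, one text false-positive candidate,
# one short text file.
SAMPLE_CORPUS = {
    "real.tar": make_tar("hello.txt", b"hello\n"),
    "notes.txt": make_text_with_magic_at_257(),
    "short.txt": b"just a short text file\n",
}


if __name__ == "__main__":
    for name, data in SAMPLE_CORPUS.items():
        print(name, "loose:", identify(data, False), "strict:", identify(data, True))
    print("disagreements:", compare_identifiers(SAMPLE_CORPUS))
```

Flipping a single byte in the real archive's name field is enough to make the strict check reject it while the loose check still accepts it, which is the property a signature test suite would want to pin down: the checksum, not the magic string, is what separates a tar header from text that merely looks like one.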

Daniel Thayer
February 6, 2015, 8:37 PM

Do you have a set of test files that you could make public as part of the Bro test suite?
If so, I could help with creating some test scripts and getting everything into our git repo.

