# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
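---
# ECS field-set definition for ELF (Executable and Linkable Format) metadata.
# `reusable.expected` nests this set under `file.elf` and `process.elf`, and
# every field is `level: extended`. Key order inside each field entry is
# normalized to: name, short, description, type, format, level, example,
# normalize. Hash-valued examples are quoted so a value that happened to be
# all digits could never be read as a number.
- name: elf
  title: ELF Header
  group: 2
  description: >
    These fields contain Linux Executable Linkable Format (ELF) metadata.
  beta: >
    These fields are in beta and are subject to change.
  type: group
  reusable:
    top_level: false
    expected:
      - at: file
        as: elf
        beta: This field reuse is beta and subject to change.
      - at: process
        as: elf
        beta: This field reuse is beta and subject to change.
  fields:
    - name: creation_date
      short: Build or compile date.
      # Attacker-controlled metadata: the description itself notes the value
      # can be faked, so it should not be treated as ground truth on its own.
      description: >
        Extracted when possible from the file's metadata. Indicates when it was
        built or compiled. It can also be faked by malware creators.
      type: date
      level: extended
    - name: architecture
      description: >
        Machine architecture of the ELF file.
      type: keyword
      level: extended
      example: x86-64
    - name: byte_order
      description: >
        Byte sequence of ELF file.
      type: keyword
      level: extended
      example: Little Endian
    - name: cpu_type
      description: >
        CPU type of the ELF file.
      type: keyword
      level: extended
      example: Intel
    # Import/symbol hashes: per the descriptions these survive recompilation
    # and similar code-level transformations, unlike whole-file content hashes.
    - name: go_import_hash
      short: A hash of the Go language imports in an ELF file.
      description: >
        A hash of the Go language imports in an ELF file excluding standard library imports.
        An import hash can be used to fingerprint binaries even after recompilation or other
        code-level transformations have occurred, which would change more traditional hash values.
        The algorithm used to calculate the Go symbol hash and a reference implementation
        are available [here](https://github.com/elastic/toutoumomoma).
      type: keyword
      level: extended
      example: "10bddcb4cee42080f76c88d9ff964491"
    - name: go_imports_names_entropy
      description: >
        Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended
    - name: go_imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended
    - name: go_imports
      description: >
        List of imported Go language element names and types.
      type: flattened
      level: extended
    - name: go_stripped
      short: Whether the file is a stripped or obfuscated Go executable.
      description: >
        Set to true if the file is a Go executable that has had its symbols stripped
        or obfuscated and false if an unobfuscated Go executable.
      type: boolean
      level: extended
    - name: header.class
      description: >
        Header class of the ELF file.
      type: keyword
      level: extended
    - name: header.data
      description: >
        Data table of the ELF header.
      type: keyword
      level: extended
    - name: header.os_abi
      description: >
        Application Binary Interface (ABI) of the Linux OS.
      type: keyword
      level: extended
    - name: header.type
      description: >
        Header type of the ELF file.
      type: keyword
      level: extended
    - name: header.version
      description: >
        Version of the ELF header.
      type: keyword
      level: extended
    - name: header.abi_version
      description: >
        Version of the ELF Application Binary Interface (ABI).
      type: keyword
      level: extended
    - name: header.entrypoint
      description: >
        Header entrypoint of the ELF file.
      # Stored as a long; `format: string` presumably controls how it is
      # rendered — confirm against the ECS generator.
      type: long
      format: string
      level: extended
    - name: header.object_version
      description: >
        "0x1" for original ELF files.
      type: keyword
      level: extended
    - name: import_hash
      short: A hash of the imports in an ELF file.
      description: >
        A hash of the imports in an ELF file. An import hash can be used to
        fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.
        This is an ELF implementation of the Windows PE imphash.
      type: keyword
      level: extended
      example: "d41d8cd98f00b204e9800998ecf8427e"
    - name: imports_names_entropy
      description: >
        Shannon entropy calculation from the list of imported element names and types.
      type: long
      format: number
      level: extended
    - name: imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of imported element names and types.
      type: long
      format: number
      level: extended
    # `sections` is a nested array; its sub-fields follow and are addressed as
    # `elf.sections.*`.
    - name: sections
      short: Section information of the ELF file.
      description: >
        An array containing an object for each section of the ELF file.
        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.
      type: nested
      level: extended
      normalize:
        - array
    - name: sections.flags
      description: >
        ELF Section List flags.
      type: keyword
      level: extended
    - name: sections.name
      description: >
        ELF Section List name.
      type: keyword
      level: extended
    - name: sections.physical_offset
      description: >
        ELF Section List offset.
      type: keyword
      level: extended
    - name: sections.type
      description: >
        ELF Section List type.
      type: keyword
      level: extended
    - name: sections.physical_size
      description: >
        ELF Section List physical size.
      type: long
      format: bytes
      level: extended
    - name: sections.var_entropy
      description: >
        Variance for Shannon entropy calculation from the section.
      type: long
      format: number
      level: extended
    - name: sections.virtual_address
      description: >
        ELF Section List virtual address.
      type: long
      format: string
      level: extended
    - name: sections.virtual_size
      description: >
        ELF Section List virtual size.
      type: long
      format: string
      level: extended
    - name: sections.entropy
      description: >
        Shannon entropy calculation from the section.
      type: long
      format: number
      level: extended
    - name: sections.chi2
      description: >
        Chi-square probability distribution of the section.
      type: long
      format: number
      level: extended
    - name: exports
      description: >
        List of exported element names and types.
      type: flattened
      level: extended
      normalize:
        - array
    - name: imports
      description: >
        List of imported element names and types.
      type: flattened
      level: extended
      normalize:
        - array
    - name: shared_libraries
      description: >
        List of shared libraries used by this ELF object.
      type: keyword
      level: extended
      normalize:
        - array
    - name: telfhash
      short: telfhash hash for ELF file.
      description: >
        telfhash symbol hash for ELF file.
      type: keyword
      level: extended
    # `segments` is a nested array; its sub-fields follow and are addressed as
    # `elf.segments.*`.
    - name: segments
      short: ELF object segment list.
      description: >
        An array containing an object for each segment of the ELF file.
        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.
      type: nested
      level: extended
      normalize:
        - array
    - name: segments.type
      description: ELF object segment type.
      type: keyword
      level: extended
    - name: segments.sections
      description: ELF object segment sections.
      type: keyword
      level: extended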