
Create file.elf #1062

Closed
peasead opened this issue Oct 29, 2020 · 2 comments · Fixed by #1077
Labels
ready Issues we'd like to address in the future. RFC:candidate

Comments

@peasead
Contributor

peasead commented Oct 29, 2020

Summary

The Executable Linkable Format (ELF) sub-field does not yet exist for the file top-level fieldset. This can be created to include more file attributes to aid in malware and file analysis.

Because this is creating a sub-field vs. a top-level fieldset, I wanted to make an Issue first to determine if this required an RFC.

Motivation:

In creating a VirusTotal Filebeat module, we identified opportunities to extend the file.* top-level fieldset with the creation of the ELF sub-field.

Detailed Design:

```yaml
- name: file.elf
  default_field: false
  description: >
    ELF events from VirusTotal Intelligence Live Hunt results.
  overwrite: true
  type: group
  release: beta
  fields:
    - name: creation_date
      default_field: false
      description: >
        extracted when possible from the file's metadata. Indicates when it was
        built or compiled. It can also be faked by malware creators.
      type: date
    - name: header
      default_field: false
      description: >
        Header information of the ELF file.
      release: beta
      type: group
      fields:
        - name: class
          description: >
            Header class of the ELF file.
          type: keyword
        - name: data
          description: >
            Data table of the ELF header.
          type: keyword
        - name: machine
          description: >
            Machine architecture of the ELF header.
          type: keyword
        - name: os_abi
          description: >
            NEED TO ADD
          type: keyword
        - name: type
          description: >
            Header type of the ELF file.
          type: keyword
        - name: version
          description: >
            Version of the ELF header.
          type: keyword
        - name: abi_version
          type: keyword
          description: >
            Version of the ELF Application Binary Interface (ABI).
        - name: entrypoint
          format: string
          type: long
          description: >
            Header entrypoint of the ELF file.
        - name: object_version
          type: keyword
          description: >
            "0x1" for original ELF files.

    - name: number_program_headers
      description: >
        Number of ELF Program Headers.
      type: long
    - name: number_section_headers
      description: >
        Number of ELF Section Headers.
      type: long
    - name: sections
      default_field: false
      description: >
        Section information of the ELF file.
      release: beta
      type: group
      fields:
        - name: flags
          description: >
            ELF Section List flags.
          type: keyword
        - name: name
          description: >
            ELF Section List name.
          type: keyword
        - name: physical_offset
          description: >
            ELF Section List offset.
          type: keyword
        - name: section_type
          description: >
            ELF Section List type.
          type: keyword
        - name: size
          description: >
            ELF Section List size.
          format: bytes
          type: long
        - name: virtual_address
          description: >
            ELF Section List virtual address.
          format: string
          type: long
    - name: exports
      description: >
        List of exported element names and types
      release: beta
      type: group
      fields:
        - name: name
          description: >
            Name of exported symbol
          type: keyword
          default_field: false
        - name: type
          description: >
            Type of exported symbol
          type: keyword
          default_field: false
    - name: imports
      description: >
        List of imported element names and types
      release: beta
      type: group
      fields:
        - name: name
          description: >
            Name of imported symbol
          type: keyword
          default_field: false
        - name: type
          description: >
            Type of imported symbol
          type: keyword
          default_field: false
    - name: shared_libraries
      description: >
        List of shared libraries used by this ELF object
      type: keyword
    - name: telfhash
      description: >
        telfhash hash for ELF files.
      type: keyword
    - name: flattened
      default_field: false
      description: >
        Flattened ELF events from VirusTotal Intelligence Live Hunt results.
      release: beta
      type: group
      fields:
        - name: segment_list
          description: >
            ELF object segment list.
          type: flattened
```
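As an added illustration (not part of this issue or of the ECS project's code), the following Python reads the ELF file header from a constructed byte string and emits the proposed `file.elf.header.*` and `file.elf.number_*_headers` fields as flat dotted keys, the form the table in the next comment uses. The human-readable labels for class, data, OS ABI, type and machine are this example's choice; the sample header bytes are constructed here.

```python
import struct

# ELF e_ident / header constants from the ELF specification (subset). The label
# strings are chosen for this example; the schema does not prescribe them.
ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}
DATA_ENCODINGS = {1: "2's complement, little endian", 2: "2's complement, big endian"}
OS_ABIS = {0: "UNIX - System V", 3: "Linux", 9: "FreeBSD"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_header_to_ecs(blob: bytes) -> dict:
    """Map an ELF file header onto the proposed file.elf.* names (flat dotted keys)."""
    if len(blob) < 16 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = blob[4:9]
    if ei_class not in CLASSES or ei_data not in DATA_ENCODINGS:
        raise ValueError("unsupported EI_CLASS/EI_DATA value")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; entry/offsets are 64-bit for ELF64.
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(blob) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, e_version, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, blob, 16)
    return {
        "file.elf.header.class": CLASSES[ei_class],
        "file.elf.header.data": DATA_ENCODINGS[ei_data],
        "file.elf.header.version": str(ei_version),
        "file.elf.header.os_abi": OS_ABIS.get(ei_osabi, str(ei_osabi)),
        "file.elf.header.abi_version": str(ei_abiversion),
        "file.elf.header.type": TYPES.get(e_type, str(e_type)),
        "file.elf.header.machine": MACHINES.get(e_machine, str(e_machine)),
        "file.elf.header.entrypoint": e_entry,
        "file.elf.header.object_version": f"0x{e_version:x}",  # "0x1" for original ELF files
        "file.elf.number_program_headers": e_phnum,
        "file.elf.number_section_headers": e_shnum,
    }


# Constructed sample: a 64-bit little-endian x86-64 shared object (DYN) header with
# entry point 0x1040, 11 program headers and 29 section headers.
SAMPLE_ELF64_HEADER = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7) + struct.pack(
    "<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0x3A08, 0, 64, 56, 11, 64, 29, 28)

if __name__ == "__main__":
    for key, value in elf_header_to_ecs(SAMPLE_ELF64_HEADER).items():
        print(f"{key}: {value}")
```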
@andrewstucki
Contributor

Same as the file.pe field sets, this is involved enough that I'm fairly certain it warrants an RFC. Same formatting for readability:

| Name | Type | Description |
|---|---|---|
| file.elf.creation_date | date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. |
| file.elf.exports.name | keyword | Name of exported symbol |
| file.elf.exports.type | keyword | Type of exported symbol |
| file.elf.flattened.segment_list | flattened | ELF object segment list. |
| file.elf.header.class | keyword | Header class of the ELF file. |
| file.elf.header.data | keyword | Data table of the ELF header. |
| file.elf.header.machine | keyword | Machine architecture of the ELF header. |
| file.elf.header.os_abi | keyword | NEED TO ADD |
| file.elf.header.type | keyword | Header type of the ELF file. |
| file.elf.header.version | keyword | Version of the ELF header. |
| file.elf.header.abi_version | keyword | Version of the ELF Application Binary Interface (ABI). |
| file.elf.header.entrypoint | long | Header entrypoint of the ELF file. |
| file.elf.header.object_version | keyword | "0x1" for original ELF files. |
| file.elf.imports.name | keyword | Name of imported symbol |
| file.elf.imports.type | keyword | Type of imported symbol |
| file.elf.number_program_headers | long | Number of ELF Program Headers. |
| file.elf.number_section_headers | long | Number of ELF Section Headers. |
| file.elf.sections.flags | keyword | ELF Section List flags. |
| file.elf.sections.name | keyword | ELF Section List name. |
| file.elf.sections.physical_offset | keyword | ELF Section List offset. |
| file.elf.sections.section_type | keyword | ELF Section List type. |
| file.elf.sections.size | long | ELF Section List size. |
| file.elf.sections.virtual_address | long | ELF Section List virtual address. |
| file.elf.shared_libraries | keyword | List of shared libraries used by this ELF object |
| file.elf.telfhash | keyword | telfhash hash for ELF files. |

@peasead peasead added RFC:candidate and removed enhancement New feature or request labels Nov 4, 2020
@peasead
Contributor Author

peasead commented Nov 4, 2020

CC @devonakerr @dcode

@ebeahan ebeahan added the ready Issues we'd like to address in the future. label Nov 17, 2020