# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
# ECS field-set definition for ELF (Executable and Linkable Format) metadata.
# `reusable.expected` below places these fields under `file.elf.*` and
# `process.elf.*`; `top_level: false` presumably means there is no root-level
# `elf.*` field set. Everything here is marked beta and may change between
# releases, so consumers should not treat the field names as stable.
- name: elf
  title: ELF Header
  group: 2
  description: >
    These fields contain Linux Executable Linkable Format (ELF) metadata.
  beta: >
    These fields are in beta and are subject to change.
  type: group
  reusable:
    top_level: false
    expected:
      - at: file
        as: elf
        beta: This field reuse is beta and subject to change.
      - at: process
        as: elf
        beta: This field reuse is beta and subject to change.
  fields:
    # Build timestamp read from the binary's own metadata, so it is
    # attacker-controlled: the description itself notes it can be forged.
    # Useful for correlation, not as sole evidence of when a file was built.
    - name: creation_date
      short: Build or compile date.
      description: >
        Extracted when possible from the file's metadata. Indicates when it was
        built or compiled. It can also be faked by malware creators.
      type: date
      level: extended
    # architecture / byte_order / cpu_type are free-form keywords. The examples
    # show the expected spelling ("x86-64", "Little Endian", "Intel") but nothing
    # in this file enforces it, so producers should agree on values before
    # anyone queries on them.
    - name: architecture
      description: >
        Machine architecture of the ELF file.
      type: keyword
      level: extended
      example: x86-64
    - name: byte_order
      description: >
        Byte sequence of ELF file.
      type: keyword
      level: extended
      example: Little Endian
    - name: cpu_type
      description: >
        CPU type of the ELF file.
      type: keyword
      level: extended
      example: Intel
    # ELF file-header fields. All are keywords except header.entrypoint.
    - name: header.class
      description: >
        Header class of the ELF file.
      type: keyword
      level: extended
    - name: header.data
      description: >
        Data table of the ELF header.
      type: keyword
      level: extended
    # NOTE(review): the ELF OS/ABI identifier is not specific to Linux; the
    # description may be narrower than the values producers will emit —
    # confirm against upstream wording.
    - name: header.os_abi
      description: >
        Application Binary Interface (ABI) of the Linux OS.
      type: keyword
      level: extended
    - name: header.type
      description: >
        Header type of the ELF file.
      type: keyword
      level: extended
    - name: header.version
      description: >
        Version of the ELF header.
      type: keyword
      level: extended
    - name: header.abi_version
      type: keyword
      level: extended
      description: >
        Version of the ELF Application Binary Interface (ABI).
    # Numeric entry point stored as `long`; `format: string` is presumably a
    # display hint rather than the storage type — confirm against the ECS
    # generator.
    - name: header.entrypoint
      format: string
      level: extended
      type: long
      description: >
        Header entrypoint of the ELF file.
    # Keyword, not a number: the quoted "0x1" in the description is the
    # expected literal spelling of the value.
    - name: header.object_version
      type: keyword
      level: extended
      description: >
        "0x1" for original ELF files.
    # `nested` plus `normalize: array`: one object per section, whose keys are
    # the `sections.*` sub-fields below. "array" is quoted here but plain for
    # exports/imports/shared_libraries/segments further down; both forms parse
    # to the same string, the quoting is merely inconsistent.
    - name: sections
      short: Section information of the ELF file.
      description: >
        An array containing an object for each section of the ELF file.
        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.sections.*`.
      type: nested
      level: extended
      normalize:
        - "array"
    - name: sections.flags
      description: >
        ELF Section List flags.
      type: keyword
      level: extended
    - name: sections.name
      description: >
        ELF Section List name.
      type: keyword
      level: extended
    # NOTE(review): physical_offset is a keyword while virtual_address and
    # virtual_size below are `long`; numeric comparisons will not behave as
    # expected on this field as mapped — confirm whether a string (e.g. hex)
    # form is intended here.
    - name: sections.physical_offset
      description: >
        ELF Section List offset.
      type: keyword
      level: extended
    - name: sections.type
      description: >
        ELF Section List type.
      type: keyword
      level: extended
    - name: sections.physical_size
      description: >
        ELF Section List physical size.
      format: bytes
      type: long
      level: extended
    - name: sections.virtual_address
      description: >
        ELF Section List virtual address.
      format: string
      type: long
      level: extended
    - name: sections.virtual_size
      description: >
        ELF Section List virtual size.
      format: string
      type: long
      level: extended
    # NOTE(review): Shannon entropy of a byte distribution is a fractional
    # value (0–8 bits per byte), and the fraction is the useful part when
    # screening sections for packing or encryption; a `long` mapping truncates
    # it. Confirm whether producers pre-scale or round the value, or whether a
    # floating-point type is intended. The same concern applies to
    # sections.chi2 below, which is also a real-valued statistic.
    - name: sections.entropy
      description: >
        Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended
    - name: sections.chi2
      description: >
        Chi-square probability distribution of the section.
      format: number
      type: long
      level: extended
    # exports / imports are `flattened` arrays of name/type entries (per the
    # descriptions); the exact sub-keys are not defined in this file.
    - name: exports
      description: >
        List of exported element names and types.
      level: extended
      type: flattened
      normalize:
        - array
    - name: imports
      description: >
        List of imported element names and types.
      type: flattened
      level: extended
      normalize:
        - array
    # Keyword array of library names as reported by the binary itself.
    - name: shared_libraries
      description: >
        List of shared libraries used by this ELF object.
      type: keyword
      level: extended
      normalize:
        - array
    # Symbol-based hash of the ELF (per the description); a keyword, so the
    # hash string is stored as produced.
    - name: telfhash
      short: telfhash hash for ELF file.
      description: >
        telfhash symbol hash for ELF file.
      type: keyword
      level: extended
    # Same shape as `sections`: a nested array with one object per segment,
    # whose keys are the `segments.*` sub-fields below.
    - name: segments
      short: ELF object segment list.
      description: >
        An array containing an object for each segment of the ELF file.
        The keys that should be present in these objects are defined by sub-fields
        underneath `elf.segments.*`.
      type: nested
      level: extended
      normalize:
        - array
    - name: segments.type
      description: ELF object segment type.
      type: keyword
      level: extended
    - name: segments.sections
      description: ELF object segment sections.
      type: keyword
      level: extended