ELF Header Fields

These fields contain Linux Executable Linkable Format (ELF) metadata.

These fields are in beta and are subject to change.

ELF Header Field Details

Each entry below lists the field name, its description (with type, example and notes where given), and its ECS level.

elf.architecture

Machine architecture of the ELF file.

type: keyword

example: x86-64

extended

elf.byte_order

Byte order (endianness) of the ELF file.

type: keyword

example: Little Endian

extended

elf.cpu_type

CPU type of the ELF file.

type: keyword

example: Intel

extended

elf.creation_date

Extracted from the file's metadata when possible; indicates when the file was built or compiled. Note that this value can be forged by malware authors.

type: date

extended

elf.exports

List of exported element names and types.

type: flattened

Note: this field should contain an array of values.

extended

elf.header.abi_version

Version of the ELF Application Binary Interface (ABI).

type: keyword

extended

elf.header.class

Header class of the ELF file.

type: keyword

extended

elf.header.data

Data table of the ELF header.

type: keyword

extended

elf.header.entrypoint

Header entrypoint of the ELF file.

type: long

extended

elf.header.object_version

"0x1" for original ELF files.

type: keyword

extended

elf.header.os_abi

Application Binary Interface (ABI) of the Linux OS.

type: keyword

extended

elf.header.type

Header type of the ELF file.

type: keyword

extended

elf.header.version

Version of the ELF header.

type: keyword

extended

elf.imports

List of imported element names and types.

type: flattened

Note: this field should contain an array of values.

extended

elf.sections

An array containing an object for each section of the ELF file.

The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.

type: nested

Note: this field should contain an array of values.

extended

elf.sections.chi2

Chi-square probability distribution of the section.

type: long

extended

elf.sections.entropy

Shannon entropy of the section's bytes.

type: long

extended

elf.sections.flags

Flags of the ELF section.

type: keyword

extended

elf.sections.name

Name of the ELF section.

type: keyword

extended

elf.sections.physical_offset

File offset of the ELF section.

type: keyword

extended

elf.sections.physical_size

Physical (on-disk) size of the ELF section.

type: long

extended

elf.sections.type

Type of the ELF section.

type: keyword

extended

elf.sections.virtual_address

Virtual address of the ELF section.

type: long

extended

elf.sections.virtual_size

Virtual (in-memory) size of the ELF section.

type: long

extended

elf.segments

An array containing an object for each segment of the ELF file.

The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.

type: nested

Note: this field should contain an array of values.

extended

elf.segments.sections

ELF object segment sections.

type: keyword

extended

elf.segments.type

ELF object segment type.

type: keyword

extended

elf.shared_libraries

List of shared libraries used by this ELF object.

type: keyword

Note: this field should contain an array of values.

extended

elf.telfhash

telfhash symbol hash for ELF file.

type: keyword

extended

Field Reuse

The elf fields are expected to be nested at:

  • file.elf
  • process.elf

Note also that the elf fields are not expected to be used directly at the root of the events.
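The following script is an added example, not ECS or Elastic code, showing how a producer could populate the elf.* fields listed above and nest them under file.elf as the Field Reuse section requires. It parses the ELF identification bytes, the header and the section table with the standard library, derives elf.sections.entropy and elf.sections.chi2 from each section's bytes, and runs against a small ELF64 image constructed inline. The constant tables are deliberately partial, and the way the entropy and chi-square values are computed, the hex formatting of keyword fields, and the mapping of EI_VERSION to elf.header.version and e_version to elf.header.object_version are this example's assumptions, not a statement of how any ECS producer does it.

```python
# Added example (not ECS or Elastic code): map an ELF image onto the elf.* fields above.
# The constant tables are partial; the entropy/chi2 maths and keyword formatting are assumptions.
import json
import math
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "Little Endian", 2: "Big Endian"}
EI_OSABI = {0: "System V", 3: "Linux", 9: "FreeBSD"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
SH_TYPE = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 8: "NOBITS"}
SH_FLAGS = ((0x1, "W"), (0x2, "A"), (0x4, "X"))  # SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR
LAYOUTS = {1: ("16sHHIIIIIHHHHHH", "IIIIIIIIII"), 2: ("16sHHIQQQIHHHHHH", "IIQQQQIIQQ")}  # (Ehdr, Shdr) per EI_CLASS


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform 256-symbol distribution."""
    if not data:
        return 0.0
    expected, counts = len(data) / 256, Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def parse_elf(image: bytes) -> dict:
    """Return a dict whose keys mirror the elf.* field names on this page."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = image[4:9]
    if ei_class not in LAYOUTS or ei_data not in EI_DATA:
        raise ValueError(f"unsupported EI_CLASS/EI_DATA {ei_class}/{ei_data}")
    endian = "<" if ei_data == 1 else ">"
    ehdr_fmt, shdr_fmt = (endian + f for f in LAYOUTS[ei_class])
    (_, e_type, e_machine, e_version, e_entry, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(ehdr_fmt, image, 0)

    # Read the whole section table first so names can be resolved through .shstrtab.
    raw = [struct.unpack_from(shdr_fmt, image, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    str_off, str_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    strtab = image[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, sh_flags, sh_addr, sh_off, sh_size, *_ in raw[1:]:  # index 0 is SHN_UNDEF
        body = b"" if sh_type == 8 else image[sh_off:sh_off + sh_size]      # NOBITS has no file bytes
        sections.append({
            "name": strtab[sh_name:strtab.index(b"\0", sh_name)].decode(),
            "type": SH_TYPE.get(sh_type, str(sh_type)),
            "flags": "".join(s for bit, s in SH_FLAGS if sh_flags & bit),
            "physical_offset": hex(sh_off), "physical_size": sh_size,
            "virtual_address": sh_addr, "virtual_size": sh_size,
            "entropy": shannon_entropy(body), "chi2": chi_square(body),
        })
    return {
        "architecture": E_MACHINE.get(e_machine, str(e_machine)),
        "byte_order": EI_DATA[ei_data],
        "header": {
            "class": EI_CLASS[ei_class], "data": EI_DATA[ei_data],
            "os_abi": EI_OSABI.get(ei_osabi, str(ei_osabi)), "abi_version": str(ei_abiversion),
            "version": str(ei_version),        # EI_VERSION byte of e_ident
            "object_version": hex(e_version),  # e_version field, "0x1" for original ELF files
            "type": E_TYPE.get(e_type, str(e_type)), "entrypoint": e_entry,
        },
        "sections": sections,
    }


def ecs_file_event(image: bytes, path: str) -> dict:
    """Nest the elf fields under file.elf, never at the event root, as Field Reuse requires."""
    return {"event": {"category": ["file"]}, "file": {"path": path, "elf": parse_elf(image)}}


def build_sample_image() -> bytes:
    """Constructed minimal ELF64 LSB executable: header, .shstrtab, .text, then the section table."""
    shstrtab = b"\0.text\0.shstrtab\0"   # 17 bytes at file offset 64
    text = bytes(range(8)) * 2            # 16 placeholder bytes at offset 81 (not real machine code)
    body = shstrtab + text
    body += b"\0" * (-len(body) % 8)      # pad so the section table starts 8-byte aligned
    shoff = 64 + len(body)                # 104
    ident = ELF_MAGIC + bytes([2, 1, 1, 3, 0]) + b"\0" * 7   # ELF64, LSB, version 1, Linux ABI
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x401000, 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", *row) for row in (
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                     # SHN_UNDEF
        (1, 1, 0x6, 0x401000, 64 + len(shstrtab), len(text), 0, 0, 16, 0),  # .text: PROGBITS, flags AX
        (7, 3, 0x0, 0, 64, len(shstrtab), 0, 0, 1, 0),                      # .shstrtab: STRTAB
    ))
    return ehdr + body + shdrs


if __name__ == "__main__":
    print(json.dumps(ecs_file_event(build_sample_image(), "/tmp/sample.elf"), indent=2))
```

Running the script prints the event as JSON; the elf object sits under file, and nothing from it appears at the root, which is the layout the Field Reuse section asks for. The .text placeholder holds eight distinct byte values twice each, so its entropy is exactly 3 bits per byte; real code sections typically land around 5 to 6.5, and values near 8 are the usual signal of packed or encrypted content worth a closer look.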