auditbeat/module/file_integrity: add file parsing processor #28802

Merged
merged 27 commits into from
Nov 2, 2022
Changes from 24 commits
27 commits
5f7f1a4
auditbeat/module/file_integrity: add file parsing processor
efd6 Nov 3, 2021
91b13b8
make build artifacts static
efd6 Nov 4, 2021
987e2b9
elide unnecessary work
efd6 Nov 5, 2021
e54b03f
fix typo
efd6 Nov 8, 2021
f85692a
add user facing documentation
efd6 Nov 16, 2021
5bbfce2
allow specifying target fields by regular expression
efd6 Nov 16, 2021
883f530
move parser analysis into max file constrained block
efd6 Nov 16, 2021
9c11ef7
repair blunt merge conflict approach
efd6 Jan 9, 2022
35a9de6
add support for entropy variance calculation
efd6 Jan 10, 2022
5fa1b42
say goodbye to glenda
efd6 Jan 10, 2022
803078c
run go mod tidy
efd6 Apr 11, 2022
a36bf42
fix errors import
efd6 Apr 11, 2022
97b3119
fix lint and silence linters
efd6 Apr 11, 2022
716c631
fix semantic conflicts
efd6 Apr 25, 2022
62a833f
linter churn
efd6 Apr 27, 2022
c1d3d3b
replace common.Mapstr => mapstr.M
efd6 Apr 28, 2022
2d44dcc
fix change in config import
efd6 May 16, 2022
f307b68
make tests pass
efd6 Aug 25, 2022
d5b36e5
use elastic fork of toutoumomoma
efd6 Aug 25, 2022
93a1514
remove unneeded nolint directive
efd6 Aug 25, 2022
905c874
recover panics during executable parse analysis
efd6 Aug 25, 2022
f62cd61
remove redundant lint comment and don't panic
efd6 Aug 29, 2022
975b7ee
add physical size field for sections
efd6 Sep 20, 2022
05a8e2a
revert changes to flatbuffers definitions
efd6 Oct 9, 2022
fbebfc5
update toutoumomoma
efd6 Oct 26, 2022
b65687c
Merge branch 'master' into fileinterity/parsers
efd6 Oct 26, 2022
8322b72
use field definitions from ecs main
efd6 Nov 2, 2022
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -121,6 +121,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]

*Auditbeat*

- Add file parser processor to file_integrity module. {pull}28802[28802]

*Filebeat*

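Review bot: the entry says what was added but not that it is opt-in; since the processor only runs for the fields listed under the new `file_parsers` setting (see the reference config added in this PR), a short clause such as "enabled via the `file_parsers` setting" would help users find it from the changelog.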
241 changes: 233 additions & 8 deletions NOTICE.txt
54 changes: 54 additions & 0 deletions auditbeat/auditbeat.reference.yml
Expand Up @@ -116,6 +116,60 @@ auditbeat.modules:
# Set to true to publish fields with null values in events.
#keep_null: false

# Parse detailed information for the listed fields. Field paths in the list below
# that are a prefix of other field paths imply the longer field path. A set of
# fields may be specified using an RE2 regular expression quoted in //. For example
# /^file\.pe\./ will match all file.pe.* fields. Note that the expression is not
# implicitly anchored, so the empty expression will match all fields.
# file_parsers:
# - file.elf.sections
# - file.elf.sections.name
# - file.elf.sections.physical_size
# - file.elf.sections.virtual_size
# - file.elf.sections.entropy
# - file.elf.sections.var_entropy
# - file.elf.import_hash
# - file.elf.imports
# - file.elf.imports_names_entropy
# - file.elf.imports_names_var_entropy
# - file.elf.go_import_hash
# - file.elf.go_imports
# - file.elf.go_imports_names_entropy
# - file.elf.go_imports_names_var_entropy
# - file.elf.go_stripped
# - file.macho.sections
# - file.macho.sections.name
# - file.macho.sections.physical_size
# - file.macho.sections.virtual_size
# - file.macho.sections.entropy
# - file.macho.sections.var_entropy
# - file.macho.import_hash
# - file.macho.symhash
# - file.macho.imports
# - file.macho.imports_names_entropy
# - file.macho.imports_names_var_entropy
# - file.macho.go_import_hash
# - file.macho.go_imports
# - file.macho.go_imports_names_entropy
# - file.macho.go_imports_names_var_entropy
# - file.macho.go_stripped
# - file.pe.sections
# - file.pe.sections.name
# - file.pe.sections.physical_size
# - file.pe.sections.virtual_size
# - file.pe.sections.entropy
# - file.pe.sections.var_entropy
# - file.pe.import_hash
# - file.pe.imphash
# - file.pe.imports
# - file.pe.imports_names_entropy
# - file.pe.imports_names_var_entropy
# - file.pe.go_import_hash
# - file.pe.go_imports
# - file.pe.go_imports_names_entropy
# - file.pe.go_imports_names_var_entropy
# - file.pe.go_stripped



# ================================== General ===================================
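Review bot: the comment states that the expression is not anchored, so an empty expression matches every field; that means a stray `- //` silently enables every parser for every monitored file, which is the most expensive configuration possible, so consider rejecting the empty expression at config validation, or at least warning on it. The commit list on this PR ("move parser analysis into max file constrained block") indicates parsing is bounded by the existing maximum file size; the comment here should say that files over that limit are not parsed, since that is the control a user reaches for when parsing cost matters. Two smaller points: `file.pe.import_hash` and `file.pe.imphash` are both listed, so one line on how they differ would save users from enabling both by accident; and because a prefix path implies the longer paths, `- file.elf.sections` alone already covers the five `file.elf.sections.*` entries, so if the full list is meant as a catalogue of available fields rather than a recommended configuration, say so.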