This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

What's on your wire: Detect Linux ELF files

Anonymous
Not applicable
‎2018-07-23 10:51 AM

Servers are attacked every day and sometimes, those attacks are successful.  There is a lot of attention to Windows executables that come down on the wire, but I also wanted to know when my systems were downloading ELF files, typically used by Linux systems.  With some recent exploits that target Linux web servers and the delivery of crypto-mining software, I wrote a parser that attempts to identify Linux ELF files and places that meta in the 'filetype' meta key.

 

pastedImage_1.png

 

pastedImage_2.png

 

This isn't limited to crypto-mining ELF files and has detected many others in testing.  The parser is attached below.

 

I hope you find this parser useful, and as always, happy hunting.

 

Chris

fingerprint_elf.lua.zip
fingerprint_elf.lua.zip
2 Comments
AnkushBaveja
Contributor
Contributor
‎2018-07-23 10:53 AM
‎2018-07-23 10:53 AM

Thanks Chris!

0 Likes
Anonymous
Not applicable
‎2018-08-21 08:01 AM
‎2018-08-21 08:01 AM

I am pleased to announce that a new version of this parser will be making its way into Live shortly.

© 2022 RSA Security LLC or its affiliates. All rights reserved.