Christopher Ahearn

What's on your wire: Detect Linux ELF files

Blog post created by Christopher Ahearn (Employee) on Jul 23, 2018

Servers are attacked every day, and sometimes those attacks are successful. A lot of attention goes to Windows executables that come down the wire, but I also wanted to know when my systems were downloading ELF files, the executable format typically used by Linux systems. With recent exploits targeting Linux web servers and delivering crypto-mining software, I wrote a parser that attempts to identify Linux ELF files and places that metadata in the 'filetype' meta key.

This isn't limited to crypto-mining ELF files and has detected many others in testing.  The parser is attached below.
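The check such a parser performs, as an added Python illustration (this is not the attached NetWitness Lua parser): confirm the four-byte ELF magic, then decode the class, byte order, type and machine fields of the ELF header so the 'filetype' meta says what kind of ELF arrived. The sample payloads and the `tag_session` helper are constructed here for the example.

```python
import struct

# Constructed samples: a 64-byte ELF64 little-endian x86-64 executable header
# (only the fields the parser reads are populated) and a non-ELF body.
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HH", 2, 0x3E) + b"\x00" * 44)
SAMPLE_HTML = b"<html><body>not an executable</body></html>"

ELF_MAGIC = b"\x7fELF"
CLASS = {1: "elf32", 2: "elf64"}          # EI_CLASS at offset 4
ENDIAN = {1: "<", 2: ">"}                 # EI_DATA at offset 5: 1 = LSB, 2 = MSB
TYPE = {1: "relocatable", 2: "executable", 3: "shared/pie", 4: "core"}
MACHINE = {0x03: "x86", 0x08: "mips", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}


def elf_filetype(payload: bytes):
    """Return a 'filetype' meta string for an ELF payload, or None if not ELF.

    A wire parser only needs the first 20 bytes of the body: the magic,
    the e_ident bytes, and the e_type / e_machine halfwords at offsets 16
    and 18, which are read in the byte order EI_DATA declares.
    """
    if len(payload) < 20 or payload[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = payload[4], payload[5]
    if ei_class not in CLASS or ei_data not in ENDIAN:
        return None  # magic present but header is malformed; do not tag it
    e_type, e_machine = struct.unpack(ENDIAN[ei_data] + "HH", payload[16:20])
    return " ".join([
        CLASS[ei_class],
        MACHINE.get(e_machine, f"machine_{e_machine:#x}"),
        TYPE.get(e_type, f"type_{e_type}"),
    ])


def tag_session(body: bytes) -> dict:
    """Constructed stand-in for registering meta on a session: only ELF
    bodies receive a 'filetype' value, everything else gets no meta."""
    meta = {}
    filetype = elf_filetype(body)
    if filetype:
        meta["filetype"] = filetype
    return meta


if __name__ == "__main__":
    for name, body in (("elf", SAMPLE_ELF), ("html", SAMPLE_HTML)):
        print(name, tag_session(body))
```

Because the class and byte-order bytes are validated before e_type and e_machine are decoded, a stray `\x7fELF` inside other content is not tagged unless the rest of the header is consistent.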
I hope you find this parser useful, and as always, happy hunting.