feat: elastic beats bin classifier (#4969)

Signed-off-by: Rez Moss <hi@rezmoss.com>
Rez Moss 2026-06-22 11:49:44 -04:00 committed by GitHub
parent 9c321691d4
commit 52a4c3b594
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 292 additions and 1 deletions


@ -786,6 +786,56 @@ catalogers:
cpes:
- cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*
type: BinaryPkg
- method: glob
criteria:
- '**/filebeat'
packages:
- class: filebeat-binary
name: filebeat
purl: pkg:generic/filebeat
cpes:
- cpe:2.3:a:elastic:filebeat:*:*:*:*:*:*:*:*
type: BinaryPkg
- method: glob
criteria:
- '**/metricbeat'
packages:
- class: metricbeat-binary
name: metricbeat
purl: pkg:generic/metricbeat
cpes:
- cpe:2.3:a:elastic:metricbeat:*:*:*:*:*:*:*:*
type: BinaryPkg
- method: glob
criteria:
- '**/heartbeat'
packages:
- class: heartbeat-binary
name: heartbeat
purl: pkg:generic/heartbeat
cpes:
- cpe:2.3:a:elastic:heartbeat:*:*:*:*:*:*:*:*
type: BinaryPkg
- method: glob
criteria:
- '**/packetbeat'
packages:
- class: packetbeat-binary
name: packetbeat
purl: pkg:generic/packetbeat
cpes:
- cpe:2.3:a:elastic:packetbeat:*:*:*:*:*:*:*:*
type: BinaryPkg
- method: glob
criteria:
- '**/auditbeat'
packages:
- class: auditbeat-binary
name: auditbeat
purl: pkg:generic/auditbeat
cpes:
- cpe:2.3:a:elastic:auditbeat:*:*:*:*:*:*:*:*
type: BinaryPkg
- method: glob
criteria:
- '**/elastic-agent'


@ -2557,6 +2557,83 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
Metadata: metadata("ingress-nginx-binary"),
},
},
{
logicalFixture: "filebeat/9.4.2/linux-amd64",
expected: pkg.Package{
Name: "filebeat",
Version: "9.4.2",
Type: "binary",
PURL: "pkg:generic/filebeat@9.4.2",
Locations: locations("filebeat"),
Metadata: metadata("filebeat-binary"),
},
},
{
logicalFixture: "filebeat/8.18.4/linux-amd64",
expected: pkg.Package{
Name: "filebeat",
Version: "8.18.4",
Type: "binary",
PURL: "pkg:generic/filebeat@8.18.4",
Locations: locations("filebeat"),
Metadata: metadata("filebeat-binary"),
},
},
{
logicalFixture: "filebeat/8.11.2/linux-amd64",
expected: pkg.Package{
Name: "filebeat",
Version: "8.11.2",
Type: "binary",
PURL: "pkg:generic/filebeat@8.11.2",
Locations: locations("filebeat"),
Metadata: metadata("filebeat-binary"),
},
},
{
logicalFixture: "metricbeat/9.4.2/linux-amd64",
expected: pkg.Package{
Name: "metricbeat",
Version: "9.4.2",
Type: "binary",
PURL: "pkg:generic/metricbeat@9.4.2",
Locations: locations("metricbeat"),
Metadata: metadata("metricbeat-binary"),
},
},
{
logicalFixture: "heartbeat/9.4.2/linux-amd64",
expected: pkg.Package{
Name: "heartbeat",
Version: "9.4.2",
Type: "binary",
PURL: "pkg:generic/heartbeat@9.4.2",
Locations: locations("heartbeat"),
Metadata: metadata("heartbeat-binary"),
},
},
{
logicalFixture: "packetbeat/9.4.2/linux-amd64",
expected: pkg.Package{
Name: "packetbeat",
Version: "9.4.2",
Type: "binary",
PURL: "pkg:generic/packetbeat@9.4.2",
Locations: locations("packetbeat"),
Metadata: metadata("packetbeat-binary"),
},
},
{
logicalFixture: "auditbeat/9.4.2/linux-amd64",
expected: pkg.Package{
Name: "auditbeat",
Version: "9.4.2",
Type: "binary",
PURL: "pkg:generic/auditbeat@9.4.2",
Locations: locations("auditbeat"),
Metadata: metadata("auditbeat-binary"),
},
},
{
logicalFixture: "elastic-agent/9.4.2/linux-amd64",
expected: pkg.Package{
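Review bot: The new table rows give metricbeat, heartbeat, packetbeat and auditbeat a single 9.4.2 case each, while only filebeat gets the 8.18.4 and 8.11.2 fixtures, so the second and third patterns of the shared elasticBeatsMatcher (the `plugin…` and `5m\.rate…` forms) are proven against one beat only. If the 8.x string layout differs between beats, a wrong or missing version for those packages would go unnoticed here and would surface downstream as a wrong PURL/CPE. Either add at least one 8.x fixture per beat (the from-images list in the test-fixtures config at the end of this commit has the same gap), or add a row comment such as `// 8.x layouts are only verified for filebeat; other beats share the matcher` so the coverage limit is explicit. Test_Cataloger_PositiveCases begins outside this hunk.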


@ -28,6 +28,18 @@ func DefaultClassifiers() []binutils.Classifier {
// ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]
`(?m)ruby (?P<version>[0-9]+\.[0-9]+\.[0-9]+((p|preview|rc|dev)[0-9]*)?) `)
// all Elastic Beats (filebeat, metricbeat, heartbeat, packetbeat, auditbeat)
var elasticBeatsMatcher = binutils.MatchAny(
// 9.x: forcestdinsetupTest 9.4.2%s %w (filebeat/metricbeat/auditbeat)
// forcestdinsetupTest 9.4.2input (heartbeat/packetbeat)
m.FileContentsVersionMatcher(`Test (?P<version>[0-9]+\.[0-9]+\.[0-9]+)[a-z%]`),
// 9.x: exportconfigcreateplugin9.4.2-globalclient
// 8.18.x: exportconfigcreateplugin8.18.4globalclient
m.FileContentsVersionMatcher(`plugin(?:output)?(?P<version>[0-9]+\.[0-9]+\.[0-9]+)[-a-z]`),
// 8.11.x: 5m.rate8.11.2-9765625
m.FileContentsVersionMatcher(`5m\.rate(?P<version>[0-9]+\.[0-9]+\.[0-9]+)-`),
)
classifiers := []binutils.Classifier{
{
Class: "python-binary",
@ -1110,6 +1122,46 @@ func DefaultClassifiers() []binutils.Classifier {
PURL: mustPURL("pkg:generic/nginx-ingress-controller@version"),
CPEs: singleCPE("cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "filebeat-binary",
FileGlob: "**/filebeat",
EvidenceMatcher: elasticBeatsMatcher,
Package: "filebeat",
PURL: mustPURL("pkg:generic/filebeat@version"),
CPEs: singleCPE("cpe:2.3:a:elastic:filebeat:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "metricbeat-binary",
FileGlob: "**/metricbeat",
EvidenceMatcher: elasticBeatsMatcher,
Package: "metricbeat",
PURL: mustPURL("pkg:generic/metricbeat@version"),
CPEs: singleCPE("cpe:2.3:a:elastic:metricbeat:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "heartbeat-binary",
FileGlob: "**/heartbeat",
EvidenceMatcher: elasticBeatsMatcher,
Package: "heartbeat",
PURL: mustPURL("pkg:generic/heartbeat@version"),
CPEs: singleCPE("cpe:2.3:a:elastic:heartbeat:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "packetbeat-binary",
FileGlob: "**/packetbeat",
EvidenceMatcher: elasticBeatsMatcher,
Package: "packetbeat",
PURL: mustPURL("pkg:generic/packetbeat@version"),
CPEs: singleCPE("cpe:2.3:a:elastic:packetbeat:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "auditbeat-binary",
FileGlob: "**/auditbeat",
EvidenceMatcher: elasticBeatsMatcher,
Package: "auditbeat",
PURL: mustPURL("pkg:generic/auditbeat@version"),
CPEs: singleCPE("cpe:2.3:a:elastic:auditbeat:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "elastic-agent-binary",
FileGlob: "**/elastic-agent",
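Review bot: The first elasticBeatsMatcher pattern in the earlier hunk of this file, `Test (?P<version>…)[a-z%]`, is anchored only on the word `Test`, so any `Test <semver><letter>` substring from a vendored dependency anywhere in a 100 MB binary satisfies it, and the captured value then feeds the `@version` PURL and the CPE used for vulnerability matching without any signal that it came from the wrong string. Every snippet fixture in this commit shows the same surrounding text, `forcestdinsetupTest 9.4.2`, and likewise `exportconfigcreateplugin8.18.4`, so prefixing the patterns with `setupTest ` and `createplugin` would keep the fixtures passing while excluding unrelated matches; the `(?:output)?` alternative is not exercised by any fixture here, so confirm it against a real binary before tightening that one. MatchAny presumably returns the first pattern that hits, which makes the order of these three patterns part of the contract and worth a one-line comment on the `var` block. DefaultClassifiers begins and ends outside these hunks.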


@ -0,0 +1,8 @@
name: auditbeat
offset: 106492476
length: 100
snippetSha256: 7cfca991c6d073690c48c9489a6929009b866e78d266ecb6f6f2b6f04d9f592f
fileSha256: 81ac1f3ab45bb7b3211cf26f94660ae73fdd257bb4890bdf8e71ecddb5afce10
### byte snippet to follow ###
rulesforcestdinsetupTest 9.4.2%s %windexeventint16int32int64uint8arraysliceInts:Ptrs:sse41sse42ssse3


@ -0,0 +1,8 @@
name: filebeat
offset: 99362887
length: 100
snippetSha256: e81df9ab08f801188a6912a2c3651233049a50474063deba3181be22d50e4c14
fileSha256: e29c151f3eae6d2aa6c57ce6810a1ca657fd29cd335d85c83d3b76fddaf0d7ed
### byte snippet to follow ###
.5.4.82.5.4.92006-015m.rate8.11.2-9765625: type ::ffff::method:scheme:status<<nil>><UNSET><array><cl


@ -0,0 +1,8 @@
name: filebeat
offset: 140231767
length: 100
snippetSha256: a35df402d58dd12b8b993d52f991fabbe8f842d5f1ed22706ead99b2682d0bbc
fileSha256: 4d9fbee3eb1c1610f3692e2e5519e6e84e09a5606a49e169897b849061106a28
### byte snippet to follow ###
leexportconfigcreateplugin8.18.4globalclient%v{%v}aws-s3rdtscppopcntuint16uint32uint64structcmd/gone


@ -0,0 +1,8 @@
name: filebeat
offset: 156731953
length: 100
snippetSha256: e41d8a6af2f8614feab3bc1875622c4e1a817198d2db64230af14c82f5655550
fileSha256: 52919ee04ec37e4ee86dbe5f6bd216f0d95e9dab037c230a582a921c4a677dcc
### byte snippet to follow ###
*.ymlforcestdinsetupTest 9.4.2%s %w8.0.0sse41sse42ssse3int16int32int64uint8arraysliceInts:Ptrs:value


@ -0,0 +1,8 @@
name: heartbeat
offset: 97948236
length: 100
snippetSha256: 88c46b68ddc495a24baee84a04b70ad23285725a5d214a216d28904db7bb24ec
fileSha256: ecf50b047a5461a736164566a3d19b6fbe9f1f9f4cbfb086f0c168c93e94b108
### byte snippet to follow ###
8.0.0forcestdinsetupTest 9.4.2inputerroraddedblockmutexdebugFetchFOUNDINPUTERRORDEBUGTRACEStoreindex


@ -0,0 +1,8 @@
name: metricbeat
offset: 174021883
length: 100
snippetSha256: 44802bbc7e534b43aeed3c4f166744836a11560bee4b9bd0282de1827d7c191e
fileSha256: 1761a0ec65aa7324bd3fdd69904e943ea4861d20b2f1e3c09f7389f9ba5ed859
### byte snippet to follow ###
COBRAforcestdinsetupTest 9.4.2%s %w*.ymlsse41sse42ssse3int16int32int64uint8arraysliceInts:Ptrs:order


@ -0,0 +1,8 @@
name: packetbeat
offset: 101048442
length: 100
snippetSha256: ebdfd10ab740f479a0aa2260349109b114607873f49ff27f11edcc1b71ae5476
fileSha256: 06d820e76dcbc4fe34a33bee19e1f68021ba34de1098875691bc44247814f992
### byte snippet to follow ###
COBRAforcestdinsetupTest 9.4.2input%s %w8.0.0agentindexeventerroraddedblockmutexdebugFetchFOUNDINPUT


@ -1650,6 +1650,62 @@ from-images:
- /usr/local/julia/lib/libjulia.so.1.3
- name: filebeat
version: 9.4.2
images:
- ref: docker.elastic.co/beats/filebeat:9.4.2@sha256:f2b3bb6a6a02ebfc5f2f91cf8d560522acc4965bdb941f3f1608964cb8544829
platform: linux/amd64
paths:
- /usr/share/filebeat/filebeat
- name: filebeat
version: 8.18.4
images:
- ref: docker.elastic.co/beats/filebeat:8.18.4@sha256:307efa7d01df0f823c585a9dc3b1f8e70372eab94f7f307a4d974d32ab6f4959
platform: linux/amd64
paths:
- /usr/share/filebeat/filebeat
- name: filebeat
version: 8.11.2
images:
- ref: docker.elastic.co/beats/filebeat:8.11.2@sha256:4c22cdb4b260de6f2b3f2f1cc6a4f6635280c21ab3b3753f9599855b2f360c5d
platform: linux/amd64
paths:
- /usr/share/filebeat/filebeat
- name: metricbeat
version: 9.4.2
images:
- ref: docker.elastic.co/beats/metricbeat:9.4.2@sha256:a14bbcef77a505b3236c5aba972ed4066902c81e52be01257a086d02677386c2
platform: linux/amd64
paths:
- /usr/share/metricbeat/metricbeat
- name: heartbeat
version: 9.4.2
images:
- ref: docker.elastic.co/beats/heartbeat:9.4.2@sha256:a1e0446251f8f5f19860453510e9da65ccd3c2e1e6701830fce91b157063908f
platform: linux/amd64
paths:
- /usr/share/heartbeat/heartbeat
- name: packetbeat
version: 9.4.2
images:
- ref: docker.elastic.co/beats/packetbeat:9.4.2@sha256:306950c4e4e38c2b84e8a091ad0d82b744fe10a21f36a3d694eb3767be599f81
platform: linux/amd64
paths:
- /usr/share/packetbeat/packetbeat
- name: auditbeat
version: 9.4.2
images:
- ref: docker.elastic.co/beats/auditbeat:9.4.2@sha256:1d8006227b171e62413ee40367ab77a89d73d95692ad0345f34d4a7f49bd7281
platform: linux/amd64
paths:
- /usr/share/auditbeat/auditbeat
- name: elastic-agent
version: 9.4.2
images:
@ -1680,4 +1736,4 @@ from-images:
- ref: docker.elastic.co/elastic-agent/elastic-agent:8.11.2@sha256:1177eb349365132409df73e4a7fa97c32242db2b2c8704b9843d726837638001
platform: linux/amd64
paths:
- /usr/share/elastic-agent/data/elastic-agent-1c21b0/elastic-agent
- /usr/share/elastic-agent/data/elastic-agent-1c21b0/elastic-agent