elastic
diff --git a/‎x-pack/filebeat/module/virustotal/fields.go‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/filebeat/module/virustotal/fields.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/filebeat/module/virustotal/livehunt/config/livehunt.yml‎
Lines changed: 11 additions & 2 deletions b/‎x-pack/filebeat/module/virustotal/livehunt/config/livehunt.yml‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎x-pack/filebeat/module/virustotal/livehunt/config/virustotal-elf.js‎
Lines changed: 20 additions & 10 deletions b/‎x-pack/filebeat/module/virustotal/livehunt/config/virustotal-elf.js‎
Lines changed: 20 additions & 10 deletions
diff --git a/‎x-pack/filebeat/module/virustotal/livehunt/config/virustotal-pe.js‎
Lines changed: 61 additions & 3 deletions b/‎x-pack/filebeat/module/virustotal/livehunt/config/virustotal-pe.js‎
Lines changed: 61 additions & 3 deletions
@@ -1,15 +1,20 @@
 #spellchecker: disable
 {{ if eq .input "httpjson" }}
 type: httpjson
-config_version: 2
-interval: 1m
+config_version: "2"
+interval: {{ .interval }}
 request:
   url: https://www.virustotal.com/api/v3/intelligence/hunting_notification_files?limit={{ .limit }}
   method: GET
   transforms:
     - set:
         target: header.x-apikey
         value: {{ .api_key }}
+    - set:
+        target: url.params.filter
+        value: 'date:[[.cursor.timefilter]]+'
+        default: ''
+
 response:
   split:
     target: body.data
@@ -18,6 +23,10 @@ response:
     - set:
         target: url.params.cursor
         value: '[[.last_response.body.meta.cursor]]'
+
+cursor:
+  timefilter:
+    value: '[[ .last_event.context_attributes.notification_date ]]'
 {{ end }}
 
 {{ if eq .input "file" }}
 
@@ -7,6 +7,11 @@ var elf_symbol_type_lookup = {
     "OBJECT": "object"
 };
 
+function isLetter(c) {
+    return c.toLowerCase() != c.toUpperCase();
+}
+
+
 var vtELF = (function () {
     var processor = require("processor");
     var console = require("console");
@@ -94,11 +99,10 @@ var vtELF = (function () {
                 var new_sect = {
                     "name": old_sect.name,
                     // VT returns this field with a misspelling
-                    "physical_offset": old_sect.phisical_offset,
+                    "physical_offset": "0x" + old_sect.phisical_offset.toString(16).toUpperCase(),
                     "physical_size": old_sect.size,
-                    "virtual_address": old_sect.virtual_address,
-                    "type": old_sect.section_type,
-                    "flags": Array()
+                    "virtual_address": "0x" + old_sect.virtual_address.toString(16).toUpperCase(),
+                    "type": old_sect.section_type
                 }
 
                 // Section flags: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#Section_header
@@ -126,18 +130,24 @@ var vtELF = (function () {
                     "T": "TLS"
                 }
 
+                console.debug("section flags[" + old_sect.flags.length + "]: \n" + old_sect.flags);
+
+                var new_flags = [];
                 for (var j = 0; j < old_sect.flags.length; j++) {
-                    var flag = old_sect.flags[i];
-                    new_sect.flags.push(flag);
-                    continue;
 
-                    if (flag_lookup[flag] != null) {
-                        new_sect.flags.push(flag_lookup[flag]);
+                    var flag = old_sect.flags[j];
+                    console.debug("flag[" + j + "]: " + flag[j]);
+                    if (flag_lookup.hasOwnProperty(flag)) {
+                        new_flags.push(flag_lookup[flag]);
                     } else {
-                        new_sect.flags.push(flag);
+                        new_flags.push(flag);
                     }
+                }
 
+                if (new_flags.length > 0) {
+                    new_sect["flags"] = new_flags;
                 }
+
                 // Replace existing section
                 sections[i] = new_sect;
             }
 
@@ -44,10 +44,9 @@ var vtPE = (function () {
         console.debug("vtPE.normalizeExports");
 
         var exports = evt.Get("file.pe.exports");
-        var normal_exports = Array();
-
         if (exports != null) {
-            console.debug("exports[" + exports.length + "]: \n" + JSON.stringify(exports, undefined, 2));
+            console.debug("exports[" + exports.length + "]: \n" +
+                JSON.stringify(exports, undefined, 2));
 
             /* The goal is to normalize export list to the following
              * structure:
@@ -72,6 +71,65 @@ var vtPE = (function () {
         }
     };
 
+    var normalizeSections = function (evt) {
+        console.debug("vtPE.normalizeSections");
+
+        var sections = evt.Get("file.pe.sections");
+
+        // original sections entry: [{
+        //     "chi2": 144106.34,
+        //     "virtual_address": 8192,
+        //     "entropy": 5.29,
+        //     "name": ".text",
+        //     "flags": "rx",
+        //     "raw_size": 5632,
+        //     "virtual_size": 5316,
+        //     "md5": "9002a963c87901397a986c3333d09627"
+        //   },...]
+        if (sections != null) {
+            console.debug("sections[" + sections.length + "]: \n" +
+                JSON.stringify(sections, undefined, 2));
+
+            // {
+            //     name: "Name of code section",
+            //     physical_offset: "[keyword] Offset of the section from the beginning of the segment, in hex",
+            //     physical_size: "[long] Size of the code section in the file in bytes",
+            //     virtual_address: "[keyword] relative virtual memory address when loaded",
+            //     virtual_size: "[long] Size of the section in bytes when loaded into memory",
+            //     flags: "[keyword] List of flag values as strings for this section",
+            //     type: "[keyword] Section type as string, if applicable",
+            //     segment_name: "[keyword] Name of segment for this section, if applicable",
+            //     entropy: "[float] shannon entropy calculated from section content in bits per byte of information",
+            //     chi2: "[float]"
+            // }
+            var normal_sections = Array();
+            for (var i = 0; i < sections.length; i++) {
+                var norm_sect = {
+                    "name": sections[i].name,
+                    "physical_size": sections[i].raw_size,
+                    "virtual_address": "0x" + sections[i].virtual_address.toString(16).toUpperCase(),
+                    "virtual_size": sections[i].virtual_size,
+                    "flags": sections[i].flags,
+                    "entropy": sections[i].entropy,
+                    "chi2": sections[i].chi2
+                };
+
+                // Allow for different hashes in the future
+                var hashes = {};
+                if (sections[i].hasOwnProperty("md5")) {
+                    hashes["md5"] = sections[i].md5;
+                }
+
+                if (hashes != {}) {
+                    norm_sect["hash"] = hashes;
+                }
+
+                normal_sections.push(norm_sect);
+            }
+        }
+
+    };
+
     var processMessage = new processor.Chain()
         .Add(function (evt) {
             normalizeImports(evt);