# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# 	http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: macho
  title: Mach-O Header
  group: 2
  description: >
    These fields contain Mac OS Mach Object file format (Mach-O) metadata.
  beta: >
    These fields are in beta and are subject to change.
  type: group
  reusable:
    top_level: false
    expected:
      - at: file
        as: macho
        beta: This field reuse is beta and subject to change.
      - at: process
        as: macho
        beta: This field reuse is beta and subject to change.
  fields:
    - name: go_import_hash
      short: A hash of the Go language imports in a Mach-O file.
      description: >
        A hash of the Go language imports in a Mach-O file excluding standard library imports.
        An import hash can be used to fingerprint binaries even after recompilation or other
        code-level transformations have occurred, which would change more traditional hash values.

        The algorithm used to calculate the Go symbol hash and a reference implementation
        are available [here](https://github.com/elastic/toutoumomoma).
      example: 10bddcb4cee42080f76c88d9ff964491
      type: keyword
      level: extended

    - name: go_imports_names_entropy
      description: >
        Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended

    - name: go_imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of Go imports.
      type: long
      format: number
      level: extended

    - name: go_imports
      description: >
        List of imported Go language element names and types.
      type: flattened
      level: extended

    - name: go_stripped
      short: Whether the file is a stripped or obfuscated Go executable.
      description: >
        Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
      type: boolean
      level: extended

    - name: import_hash
      short: A hash of the imports in a Mach-O file.
      description: >
        A hash of the imports in a Mach-O file. An import hash can be used to
        fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        This is a synonym for symhash.
      example: d41d8cd98f00b204e9800998ecf8427e
      type: keyword
      level: extended

    - name: imports
      description: >
        List of imported element names and types.
      type: flattened
      level: extended
      normalize:
        - array

    - name: imports_names_entropy
      description: >
        Shannon entropy calculation from the list of imported element names and types.
      format: number
      type: long
      level: extended

    - name: imports_names_var_entropy
      description: >
        Variance for Shannon entropy calculation from the list of imported element names and types.
      format: number
      type: long
      level: extended

    - name: sections
      short: Section information of the Mach-O file.
      description: >
        An array containing an object for each section of the Mach-O file.

        The keys that should be present in these objects are defined by sub-fields
        underneath `macho.sections.*`.
      type: nested
      level: extended
      normalize:
        - "array"

    - name: sections.entropy
      description: >
        Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended

    - name: sections.name
      description: >
        Mach-O Section List name.
      type: keyword
      level: extended

    - name: sections.physical_size
      description: >
        Mach-O Section List physical size.
      format: bytes
      type: long
      level: extended

    - name: sections.var_entropy
      description: >
        Variance for Shannon entropy calculation from the section.
      format: number
      type: long
      level: extended

    - name: sections.virtual_size
      description: >
        Mach-O Section List virtual size. This is always the same as `physical_size`.
      format: string
      type: long
      level: extended

    - name: symhash
      short: A hash of the imports in a Mach-O file.
      description: >
        A hash of the imports in a Mach-O file. An import hash can be used to
        fingerprint binaries even after recompilation or other code-level
        transformations have occurred, which would change more traditional hash values.

        This is a Mach-O implementation of the Windows PE imphash
      example: d3ccf195b62a9279c3c19af1080497ec
      type: keyword
      level: extended