[Zeek] handshake ssl

Johanna Amann johanna at icir.org
Thu Jan 17 07:35:21 PST 2019


Hi Rober,

> 1. Question
> I would like to obtain the bytes related to the field certificates, but I
> don't see any event to get it.
>
> Attached is a Wireshark image with the field underlined.

You cannot get at the data for the field certificates directly; however 
you can get all of the individual certificates. The easiest way to get 
to them is through the event x509_certificate - 
https://www.zeek.org/sphinx/scripts/base/bif/plugins/Bro_X509.events.bif.bro.html#id-x509_certificate. 
That event gets the parsed out certificate data + an opaque of type 
x509. You can use the x509_get_certificate_string function to get the 
ASN.1 representation of the individual certificates out of that.


>
> 2. Question
> Is there a way to extract exclusively the payload generated in each 
> packet
> of the SSL handshake?
> For example:
>
>       struct {
>           ProtocolVersion client_version;
>           Random random;
>           SessionID session_id;
>           CipherSuite cipher_suites<2..2^16-2>;
>           CompressionMethod compression_methods<1..2^8-1>;
>           select (extensions_present) {
>               case false:
>                   struct {};
>               case true:
>                   Extension extensions<0..2^16-1>;
>           };
>       } ClientHello;
>
> all bytes of this Client Hello struct.

No, there is no way to get the payload for each packet in the handshake. 
That being said, there is a different event for I think every single 
message in the handshake that gets the parsed out information; in this 
case it would be ssl_client_hello and the different extension events.

Is there a reason why you want the raw data and not access to the parsed 
information?

Johanna
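The script below is an added example for both answers above; it is not code from the thread or from the Zeek project. It pulls the DER bytes of every certificate out of the x509_certificate event with x509_get_certificate_string, and it logs the parsed ClientHello fields plus the raw bytes of each extension body through ssl_client_hello and ssl_extension, which is the closest Zeek gets to the handshake payload. The module name CertDump, the output directory and the file naming are assumptions; the event signatures are those of Zeek 3.x and later (older Bro releases pass fewer parameters to ssl_client_hello and use bro_init instead of zeek_init).

```zeek
# Added example, not from the thread. Event signatures follow Zeek 3.x+.
module CertDump;

export {
    # Hypothetical output directory for the extracted certificates.
    const out_dir = "/tmp/certs" &redef;
}

event zeek_init()
    {
    mkdir(out_dir);
    }

# Fired once per certificate in the chain; cert_ref is the opaque handle
# the thread refers to, cert is the parsed-out record.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    # Raw ASN.1 DER encoding of this one certificate (pass T as the
    # second argument to get PEM instead).
    local der = x509_get_certificate_string(cert_ref);
    local fp = sha256_hash(der);

    print fmt("cert sha256=%s subject=%s issuer=%s der_len=%d",
              fp, cert$subject, cert$issuer, |der|);

    # Persist the bytes, one file per certificate, named by fingerprint.
    local fh = open(fmt("%s/%s.der", out_dir, fp));
    write_file(fh, der);
    close(fh);
    }

# Parsed ClientHello fields; Zeek does not expose the handshake bytes themselves.
event ssl_client_hello(c: connection, version: count, record_version: count,
                       possible_ts: time, client_random: string, session_id: string,
                       ciphers: index_vec, comp_methods: index_vec)
    {
    local vers = version in SSL::version_strings ? SSL::version_strings[version] : "unknown";

    print fmt("ClientHello %s:%s -> %s:%s version=%s random=%s session_id_len=%d",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              vers, bytestring_to_hexstr(client_random), |session_id|);

    for ( i in ciphers )
        {
        local cs = ciphers[i];
        print fmt("  cipher 0x%04x %s", cs,
                  cs in SSL::cipher_desc ? SSL::cipher_desc[cs] : "unknown");
        }
    }

# Each extension is delivered separately; val holds the raw extension body.
event ssl_extension(c: connection, is_client: bool, code: count, val: string)
    {
    if ( ! is_client )
        return;

    print fmt("  extension %d (%s) %d bytes: %s", code,
              code in SSL::extensions ? SSL::extensions[code] : "unknown",
              |val|, bytestring_to_hexstr(val));
    }
```

Run it against a capture with something like `zeek -r handshake.pcap certdump.zeek` (file names assumed). The certificate files written under out_dir are the same DER that the Certificate message carries, so they can be compared byte for byte with what Wireshark shows for each entry of the certificates field.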


