[Zeek] Access the encrypted TLS payload

Jay Wren (jawren) jawren at cisco.com
Tue Mar 19 12:52:51 PDT 2019


After some time, I returned to this and learned how binpac actually works.

proc_ciphertext_record is called when the record is parsed and before it is added to the container which holds it.

To get access to it, pass `this` to the function.

e.g.
	function proc_ciphertext_record(rec : SSLRecord, ct : CiphertextRecord) : bool
and
	refine typeattr CiphertextRecord += &let {
		proc : bool = $context.connection.proc_ciphertext_record(rec, this);
	};

Thanks,
--
Jay
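As an added illustration (not code from this thread or from Zeek's own ssl-dtls-analyzer.pac), here is a refine block that implements the two-argument proc_ciphertext_record described above and uses the `this` reference to read the record body; the &restofdata field name `cont`, the connection type name `SSL_Conn`, and the byte counters are assumptions.

```binpac
# Added example, not from the thread or from Zeek's tree. Assumes the
# CiphertextRecord's &restofdata field is named `cont` and that the analyzer's
# connection type is `SSL_Conn`; adjust both to match the .pac being refined.

refine connection SSL_Conn += {
	%member{
		// Hypothetical per-direction counters for encrypted payload bytes.
		uint64 orig_ciphertext_bytes_;
		uint64 resp_ciphertext_bytes_;
	%}

	%init{
		orig_ciphertext_bytes_ = 0;
		resp_ciphertext_bytes_ = 0;
	%}

	# The second parameter is the CiphertextRecord itself, passed as `this`
	# from the &let below, so the function runs before the record is stored.
	function proc_ciphertext_record(rec : SSLRecord, ct : CiphertextRecord) : bool
		%{
		// ${ct.cont} is the bytestring holding the encrypted record body. It is
		// only valid while this record is being parsed, so copy what is needed now.
		const bytestring& body = ${ct.cont};
		if ( ${rec.is_orig} )
			orig_ciphertext_bytes_ += body.length();
		else
			resp_ciphertext_bytes_ += body.length();

		// Example use: TLS 1.2 bounds a ciphertext fragment at 2^14 + 2048 bytes,
		// so anything larger is reported as a weird for script-level handling.
		if ( body.length() > 16384 + 2048 )
			bro_analyzer()->Weird("ssl_ciphertext_record_too_long");

		return true;
		%}
};

refine typeattr CiphertextRecord += &let {
	proc : bool = $context.connection.proc_ciphertext_record(rec, this);
};
```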

________________________________
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Jay Wren (jawren) <jawren at cisco.com>
Sent: Thursday, February 28, 2019 11:15 AM
To: zeek at zeek.org
Subject: [Zeek] Access the encrypted TLS payload

Hello,

Apologies for my ignorant question, my C++ is worse than rusty and I'm completely new to binpac.

I'm trying to access the CiphertextRecord restofdata here:
https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L59 I'm expecting SSLRecord to have the data in the rec vector, based on how SSLRecord is defined. I must be misunderstanding something:
https://github.com/jrwren/zeek/blob/6f7b2973bd23690b6cac65b4d8c0f8fa64e72758/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L61

The RecordText vector is always empty. How can I get at the encrypted data?

Thanks,
--
Jay