
List:       bro
Subject:    Re: [Zeek] Access the encrypted TLS payload
From:       "Jay Wren (jawren)" <jawren () cisco ! com>
Date:       2019-03-19 19:52:51
Message-ID: BL0PR11MB307455A4FFB5E53C008F3DBBC5400 () BL0PR11MB3074 ! namprd11 ! prod ! outlook ! com

After some time, I returned to this and learned how binpac actually works.

proc_ciphertext_record is called when the record is parsed and before it is added to the container which holds it.

To get access to it, pass `this` to the function.

e.g.

    function proc_ciphertext_record(rec : SSLRecord, ct : CiphertextRecord)

and

    refine typeattr CiphertextRecord += &let {
        proc : bool = $context.connection.proc_ciphertext_record(rec, this);
    }

Thanks,
--
Jay

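Putting the two fragments above together, here is an added example (not from this thread and not Zeek's own source) of the connection refinement that receives the CiphertextRecord and reads its body, tallying encrypted bytes per direction. It assumes the connection type is named SSL_Conn and that the &restofdata field of CiphertextRecord is named cont; check ssl-protocol.pac for the real names before using it.

```binpac
# Added example. Assumed names: SSL_Conn (connection type) and
# CiphertextRecord.cont (the &restofdata bytestring).
refine connection SSL_Conn += {
	%member{
		uint64 client_cipher_bytes_;
		uint64 server_cipher_bytes_;
	%}

	%init{
		client_cipher_bytes_ = 0;
		server_cipher_bytes_ = 0;
	%}

	function proc_ciphertext_record(rec : SSLRecord, ct : CiphertextRecord) : bool
		%{
		// ${ct.cont} is the binpac bytestring covering the encrypted record body.
		// It is only valid inside this call: the &let runs while the record is
		// being parsed, and &transient data is released afterwards, so copy it
		// out here if it is needed later.
		const bytestring& body = ${ct.cont};
		std::string ciphertext(reinterpret_cast<const char*>(body.begin()),
		                       body.length());

		// Without the session keys only length, direction and content type are
		// observable; per-direction byte counts are still useful for profiling
		// encrypted sessions.
		if ( ${rec.is_orig} )
			client_cipher_bytes_ += body.length();
		else
			server_cipher_bytes_ += body.length();

		return true;
		%}
};

# Pass `this` so the function sees the CiphertextRecord, not just the SSLRecord.
refine typeattr CiphertextRecord += &let {
	proc : bool = $context.connection.proc_ciphertext_record(rec, this);
};
```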
________________________________
From: zeek-bounces@zeek.org <zeek-bounces@zeek.org> on behalf of Jay Wren (jawren) <jawren@cisco.com>
Sent: Thursday, February 28, 2019 11:15 AM
To: zeek@zeek.org
Subject: [Zeek] Access the encrypted TLS payload

Hello,

Apologies for my ignorant question, my C++ is worse than rusty and I'm completely new to binpac.

I'm trying to access the CiphertextRecord restofdata here:
https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L59

I'm expecting SSLRecord to have the data in the rec vector, based on how SSLRecord is defined. I must be misunderstanding something:
https://github.com/jrwren/zeek/blob/6f7b2973bd23690b6cac65b4d8c0f8fa64e72758/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L61

The RecordText vector is always empty. How can I get at the encrypted data?

Thanks,
--
Jay

_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek