Access the encrypted TLS payload

Zeek
1

Hello,

Apologies for my ignorant question, my C++ is worse than rusty and I’m completely new to binpac.

I’m trying to access the CiphertextRecord restofdata here:

https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L59 I’m expecting SSLRecord to have the data in the rec vector, based on how SSLRecord is defined. I must be misunderstanding something:
https://github.com/jrwren/zeek/blob/6f7b2973bd23690b6cac65b4d8c0f8fa64e72758/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L61

The RecordText vector is always empty. How can I get at the encrypted data?

Thanks,

2

After some time, I returned to this and learned how binpac actually works.

proc_ciphertext_record is called when the record is parsed and before it is added to the container which holds it.

To get access to it, pass this to the function.

e.g.

function proc_ciphertext_record(rec : SSLRecord, ct : CiphertextRecord)and
refine typeattr CiphertextRecord += &let {

proc : bool = $context.connection.proc_ciphertext_record(rec, this);

}

Thanks,