File extraction of TLS traffic

I would like to extract files from TLS encrypted traffic, but I failed. Here is my Zeek script:

@load protocols/ssl/decryption
@load base/protocols/http

# Hold packet processing until the TLS keylog file has been read.
event zeek_init()
	{
	suspend_processing();
	}

# Resume once the input stream that reads the keylog file has finished.
event Input::end_of_data(name: string, source: string)
	{
	if ( name == "tls-keylog-file" )
		continue_processing();
	}

# Map sniffed MIME types to file extensions; unknown types get an empty one.
global ext_map: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["text/plain"] = "txt",
	["image/jpeg"] = "jpg",
	["image/png"] = "png",
	["text/html"] = "html",
	["application/pdf"] = "pdf",
	["audio/mpeg"] = "mp3",
} &default = "";

# Attach the extraction analyzer to every file whose MIME type was sniffed.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type )
		return;

	local ext = ext_map[meta$mime_type];
	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname]);
	}

It seems that I need to first decrypt the traffic then extract files, while the file_sniff event is not able to read the decrypted traffic.

> I would like to extract files from TLS encrypted traffic, but I failed.

Are you attempting this with a pcap or from live traffic?

> while the file_sniff event is not able to read the decrypted traffic.

Instead of implementing the file_sniff event you could try @load frameworks/files/extract-all-files and see if this gives you other results. Outside of file extraction, is a files.log with the expected entries created?

And just to add a bit to this - after TLS decryption, traffic is run through the Zeek analyzers like normal. This means that if there is HTTP traffic inside the TLS connection, you should indeed be able to extract files.

But - please note that today many TLS connections use HTTP/2. Zeek does not, by default, ship with an analyzer for HTTP/2 - and thus you won’t be able to extract any data from that without additional packages.
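The checks suggested in the replies (is there a files.log entry from inside the TLS connection, and did the connection negotiate HTTP/2) can be run over existing logs. The following is an added example, not code from the thread or from the Zeek project; the names `read_zeek_tsv` and `triage` and the sample log lines are constructed for illustration. It assumes TSV logs, the `next_protocol` column of ssl.log, and a `uid` column in files.log (`conn_uids` in older versions).

```python
def read_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the names on its #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def triage(ssl_log, files_log):
    """Classify each TLS connection uid by whether HTTP files were seen inside it."""
    http_uids = set()
    for row in read_zeek_tsv(files_log):
        # Only files handed over by the HTTP analyzer count; rows with source
        # SSL are certificates, not payload from the decrypted stream.
        if row.get("source") == "HTTP":
            uids = row.get("uid") or row.get("conn_uids", "")
            http_uids.update(uids.split(","))
    verdicts = {}
    for row in read_zeek_tsv(ssl_log):
        if row["uid"] in http_uids:
            verdicts[row["uid"]] = "http-files-seen"
        elif row.get("next_protocol") == "h2":
            # Negotiated HTTP/2: no analyzer for it ships with Zeek by default.
            verdicts[row["uid"]] = "http2-no-default-analyzer"
        else:
            verdicts[row["uid"]] = "no-http-files"
    return verdicts

def _log(*rows):
    """Join tuples into tab-separated lines (helper for the sample data)."""
    return "\n".join("\t".join(r) for r in rows)

# Constructed sample logs, trimmed to the columns used here.
SSL_LOG = _log(
    ("#fields", "ts", "uid", "version", "next_protocol"),
    ("1700000000.0", "Caaa1", "TLSv12", "http/1.1"),
    ("1700000001.0", "Cbbb2", "TLSv12", "h2"),
    ("1700000002.0", "Cccc3", "TLSv12", "-"),
)
FILES_LOG = _log(
    ("#fields", "ts", "fuid", "uid", "source", "mime_type"),
    ("1700000000.1", "Fx1", "Caaa1", "SSL", "application/x-x509-user-cert"),
    ("1700000000.2", "Fx2", "Caaa1", "HTTP", "application/pdf"),
    ("1700000001.1", "Fx3", "Cbbb2", "SSL", "application/x-x509-user-cert"),
)

if __name__ == "__main__":
    for uid, verdict in triage(SSL_LOG, FILES_LOG).items():
        print(uid, verdict)
```

A connection reported as `no-http-files` with no `h2` negotiation points back at decryption itself (keylog not loaded, or the session not decrypted) rather than at the extraction script.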