SSL::payload
Description
The SSL::payload commands allow you to return and manipulate the data
collected via the SSL::collect command.
This data is in plaintext format.
Syntax
SSL::payload length
SSL::payload [[<offset>] <length>]
SSL::payload replace <offset> <length> <data>
SSL::payload [[<offset>] <length>]
- Returns the actual plaintext data (optionally at the specified offset and/or for the specified length).
SSL::payload replace <offset> <length> <data>
- Replaces the specified amount of plaintext data at the specified offset with the provided data.
Examples
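when CLIENTSSL_HANDSHAKE {
    # Start collecting decrypted client data once the handshake has completed.
    log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload"
    SSL::collect
}
when CLIENTSSL_DATA {
    # Number of plaintext bytes collected so far.
    log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length]"
    # Note: the next two lines write decrypted application data to the log.
    log local0. "[IP::client_addr]:[TCP::client_port]: Decrypted payload (\[SSL::payload\]): [SSL::payload]"
    # First line only: from offset 0 up to the first CRLF.
    log local0. "[IP::client_addr]:[TCP::client_port]: Parsed first line: [SSL::payload 0 [string first \r\n [SSL::payload]]]"
    log local0. "[IP::client_addr]:[TCP::client_port]: Releasing payload"
    # Hand the collected data back for normal processing.
    SSL::release
}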
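The example above logs the whole decrypted payload, which can include credentials or session cookies. The following is an added example, not part of the original documentation: it logs only a bounded, sanitized first line and handles the case where no CRLF has been collected. The 128-byte limit and the variable names are assumptions.

```tcl
when CLIENTSSL_HANDSHAKE {
    SSL::collect
}

when CLIENTSSL_DATA {
    # Assumed limit on decrypted bytes that may be copied toward the log.
    set max_log 128

    set total [SSL::payload length]
    if { $total > 0 } {
        # Never request more bytes than were actually collected.
        if { $total < $max_log } { set n $total } else { set n $max_log }
        set head [SSL::payload 0 $n]

        # string first returns -1 when no CRLF is present in the slice
        # (non-HTTP data, or a first line longer than the limit).
        set eol [string first "\r\n" $head]
        if { $eol >= 0 } {
            set line [string range $head 0 [expr {$eol - 1}]]
        } else {
            set line $head
        }

        # Replace anything outside printable ASCII so payload bytes
        # cannot inject control characters or extra lines into the log.
        regsub -all {[^ -~]} $line "." line

        log local0. "[IP::client_addr]:[TCP::client_port]: $total bytes collected, first line: $line"
    }
    SSL::release
}
```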