Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Protocol Analysis/Decoder Framework
Python JavaScript Makefile Other

Implement SSLam module.

This module will dump the contents of SSL encrypted sessions to disk. In
the case of a block cipher it will use one 'C' or 'S' to denote a block
from the client or server respectively. In the case of a stream cipher
it will dump one 'C' or 'S' per byte, or per <size> bytes which is

The idea behind this is to be able to better profile contents of SSL
sessions. As an example I have included two PCAP files
(reverseshell-aes.pcap and reverseshell-rc4.pcap) which are cmd.exe
shell over SSL. When run through SSLam they will generate a file
containing a series of 'C' and 'S' characters, which can be used to
infer the length of the data sent in each direction, and also the order.
This allows you to spot specific "patterns" indicative of a specific

A reverse shell on my Windows system, run from system32 will start with:

Microsoft Windows [Version 6.1.7601]^M
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.^M

This will result in a certain pattern of 'C' and 'S' in the output. From
here you can start to branch your "pattern" out to other things, by
experimenting with what the traffic would like like if the first command
run was "ipconfig /all".

To support a lot of this work I had to refactor various parts of
chop_ssl so that it can work without the key for decryption, as that is
precisely the point of this analysis. As such it will now collect
various bits of metadata about the handshake and any encrypted data and
pass them along in sslim messages.

One major thing missing right now is the full population of
sslim_ciphers file. Right now it only contains the handful of cipher
suites I care about, but can be extended to include all of them from:

This means that attempting to run chop_ssl on cipher suites which are
not in the list will cause errors, where before they would just be
ignored. If you have a cipher suite you want added to the list please
follow the convention in ext_libs/ and send me a PR or
contact me some other way and I'll add it for you.
latest commit 474177d0bf
@wxsBSD wxsBSD authored

ChopShop 4.0

Protocol Analysis/Decoder Framework


ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.

Note that ChopShop is still in perpetual beta and is dependent on libnids/pynids for the majority of its underlying functionality.

Documentation has been moved to the docs folder. Please reference that folder for information such as:

  • Chopshop Usage
  • Module Authoring
  • Embedding Chopshop

Note: There is a known issue when running ChopShop on Ubuntu where the version of pynids obtained via apt causes an ImportError. Per, this issue affects some variants of at least 11.10 and 12.04. A workaround is to compile pynids from source which can be obtained from

Something went wrong with that request. Please try again.