Hi,
When feeding PCAPs to Zeek, is there any functionality to decrypt HTTPS traffic?
I see that the SSL log contains “a record of SSL sessions, including certificates being used” - can these certificates be used to decrypt PCAPs before Zeek processes them to ensure HTTP logs are correctly populated?
Thanks,
Jonah
Hi Jonah,
> When feeding PCAPs to Zeek, is there any functionality to decrypt HTTPS traffic?
No, sorry, we don’t have that functionality.
> I see that the SSL log contains “a record of SSL sessions, including certificates being used” - can these certificates be used to decrypt PCAPs before Zeek processes them to ensure HTTP logs are correctly populated?
No, the certificates only contain the public keys, not the private keys.
For the moment you will have to use other software to decrypt the traffic in pcaps (if you have the pcaps and the keys of the sessions). Wireshark has a bit of functionality to do this, for example.
Johanna
As someone who just started sending decrypted traffic to Zeek, I recommend also installing MITRE’s bro-http2 (https://github.com/MITRECND/bro-http2) plugin, since you’ll find a lot of today’s encrypted traffic is HTTP/2.