Decryption of HTTP traffic

Hi,

When feeding PCAPs to Zeek, is there any functionality to decrypt HTTPS traffic?

I see that the SSL log contains “a record of SSL sessions, including certificates being used” - can these certificates be used to decrypt PCAPs before Zeek processes them to ensure HTTP logs are correctly populated?

Thanks,

Jonah

No.

Hi Jonah,

> When feeding PCAPs to Zeek, is there any functionality to decrypt HTTPS traffic?

No, sorry, we don’t have that functionality.

> I see that the SSL log contains “a record of SSL sessions, including certificates being used” - can these certificates be used to decrypt PCAPs before Zeek processes them to ensure HTTP logs are correctly populated?

No, the certificates only contain the public keys, not the private keys.

For the moment you will have to use other software to decrypt the traffic in pcaps (if you have the pcaps and the keys of the sessions). Wireshark has a bit of functionality to do this, for example.

Johanna
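Johanna's point is that decryption needs the per-session secrets, not the certificates. The example below is added here and is not code from the thread, from Zeek, or from Wireshark: it parses the NSS key log format (the SSLKEYLOGFILE that browsers and OpenSSL-based clients can write, and that Wireshark reads for TLS decryption), extracts the client_random from ClientHello records, and reports which sessions in a set of records actually have secrets available before anyone spends time on decryption. The key log lines, the ClientHello bytes and the random values are constructed sample data, and `build_client_hello` is a helper written for this example only.

```python
"""Match TLS ClientHello randoms against an NSS-format key log.

Added example (not from the Zeek thread). Key log lines look like
"<LABEL> <client_random hex> <secret hex>"; the client_random is what ties a
secret to a session, so it is the field we pull from each ClientHello.
"""
import struct

# Labels used by NSS/OpenSSL/browser key logs. CLIENT_RANDOM covers TLS 1.2 and
# earlier; the others are the TLS 1.3 per-stage traffic secrets.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}


def parse_keylog(text):
    """Return {client_random: {label: secret}}; comments and malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        try:
            client_random, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue
        if len(client_random) != 32:  # client_random is always 32 bytes
            continue
        out.setdefault(client_random, {})[parts[0]] = secret
    return out


def client_random_from_record(data):
    """Return the 32-byte client_random from a handshake record carrying a
    ClientHello, or None if the bytes are not such a record."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); ClientHello is msg_type 1
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello body: client_version(2) random(32) ...
    return hello[2:34] if len(hello) >= 34 else None


def build_client_hello(client_random, cipher_suite=0x1301):
    """Helper for this example: build a minimal well-formed ClientHello record."""
    hello = (
        b"\x03\x03" + client_random      # legacy client_version, random
        + b"\x00"                         # empty session_id
        + struct.pack("!HH", 2, cipher_suite)  # one cipher suite
        + b"\x01\x00"                     # one compression method: null
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def decryptable_sessions(records, keylog):
    """For each ClientHello record: (client_random hex, has_secrets, labels)."""
    report = []
    for rec in records:
        rnd = client_random_from_record(rec)
        if rnd is None:
            continue
        labels = sorted(keylog.get(rnd, {}))
        report.append((rnd.hex(), bool(labels), labels))
    return report


# Constructed sample data: randoms and secrets are placeholders, not real material.
RANDOM_A, RANDOM_B, RANDOM_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = (
    "# constructed sample key log\n"
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'aa' * 48}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'bb' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'cc' * 32}\n"
    "this line is garbage and is skipped\n"
)

if __name__ == "__main__":
    keylog = parse_keylog(SAMPLE_KEYLOG)
    records = [build_client_hello(r) for r in (RANDOM_A, RANDOM_B, RANDOM_C)]
    for rnd_hex, ok, labels in decryptable_sessions(records, keylog):
        print(f"{rnd_hex[:16]}... secrets_available={ok} labels={labels}")
```

In practice the records would come from the pcap (the first handshake record of each TLS flow); the session for RANDOM_C has no entry in the key log, which is exactly the case where Wireshark will show the flow but cannot decrypt it.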

As someone who just started sending decrypted traffic to Zeek, I recommend also installing MITRE’s bro-http2 (https://github.com/MITRECND/bro-http2) plugin, since you’ll find a lot of today’s encrypted traffic is HTTP/2.