Help, TLS Decryption function is not work

scyllaever · December 18, 2024, 8:30am

I followed the following document to operate (by reading the pcap file),
https://docs.zeek.org/en/current/frameworks/tls-decryption.html
but the result was that I was unable to restore the HTTP information in tls. The actual generated conn and http logs were exactly the same as the logs decrypted without keylog.

Then I used the keylog and pcap files provided in the zeek test case, but still couldn’t successfully parse tls. Please help me

Zeek version: 6.2.1

Keylog file: Same as the keylog in \zeek\testing\btest\scripts\policy\protocols\ssl\decryption-keylog.zeek

Pcap file: \zeek\testing\btest\Traces\tls\tls-1.2-stream-keylog.pcap

Operation steps:
export ZEEK_TLS_KEYLOG_FILE=/home/tls/testkeylog.txt
/usr/local/zeek/bin/zeek -C -r tls-1.2-stream-keylog.pcap tls_decryption-1-suspend-processing.zeek

There were no errors after running

scyllaever · December 20, 2024, 5:10pm

I know the reason now. Zeek 6.2.1 has a bug in the tls decryption function which prevents it from decrypting tls. After switching to the latest 7. x version, the function is normal

Topic		Replies	Views
Some wrong in "ssl.og" Zeek	2	231	August 15, 2023
File extraction of TLS traffic Zeek	2	246	November 21, 2022
Decryption of HTTP traffic Zeek	4	214	May 6, 2022
How to ensure that the SSL keylog arrives in Zeek memory before its related TLS packets in the TLS decryption live traffic function Zeek	0	34	December 25, 2024
Missing http events with zeek Zeek	5	52	December 16, 2024

Help, TLS Decryption function is not work

Related topics