Reading encrypted pcap with Bro

Hi all,

Hoping to find some more uplifting answers here than I found with my Google searches. I have an encrypted pcap and the key but there doesn’t seem to be a way to save off the plaintext pcap with tshark.

Where Bro comes in - I need to carve some files out that are chunked as octet streams and would really rather not have to write a tshark script for this.

However Bro needs the decrypted pcap to carve for me :frowning:

Any assistance or points in the right direction would be awesome, thanks!

Check out sslviewd, it can decrypt traffic (on the fly). You may be able to use that to either generate clear text captures or replay the encrypted dump through it into a Bro instance listening to the output.

On another note, Wireshark has some capacity to carve files out, within it. While I know you'd like to use Bro, if it's a one shot deal, that may be an easier method.

Awesome, I’ll give that a shot! RE: the replay, is there something that can read that out and replay it? I was thinking of just trying this with tshark but hadn’t done research yet.

I tried the Export Objects within Wireshark but these files weren’t grabbed through a normal GET, it was pushed out in a chunked format.

I’m hoping Bro can reassemble and carve for me :slight_smile:
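Since the files in question were pushed with chunked transfer encoding rather than a Content-Length body, the following is an added illustration (not code from the thread, from Bro, or from any tool mentioned here) of what a carver has to do to reassemble such a file once the HTTP stream is in the clear: parse the response headers, decode the RFC 7230 chunk framing (including chunk extensions and trailers), and fail loudly when the capture is truncated mid-chunk. The HTTP response bytes are constructed for the example.

```python
import hashlib
import re

# chunk-size line: hex size, optional ";ext" chunk extension, CRLF
# (no "^" anchor: pattern.match(s, pos) already anchors at pos)
CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status_line, headers, body


def decode_chunked(body: bytes):
    """Decode a chunked body; return (payload, trailer dict). Raises ValueError if truncated."""
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad or missing chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break                       # last-chunk; trailers follow
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"truncated chunk: wanted {size} bytes, got {len(chunk)}")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    trailers = {}
    while True:                         # trailer lines until an empty line
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("unterminated trailer section")
        line = body[pos:end]
        pos = end + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return bytes(out), trailers


def carve_file(raw: bytes):
    """Return (content-type, payload bytes, sha256 hex) for one HTTP response."""
    _, headers, body = parse_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        payload, trailers = decode_chunked(body)
        headers.update(trailers)
    elif "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError("truncated body")
        payload = body[:n]
    else:
        payload = body                  # delimited by connection close
    return headers.get("content-type", ""), payload, hashlib.sha256(payload).hexdigest()


# Constructed sample: a 12-byte octet-stream (ELF-like header) sent in two chunks,
# the second carrying a chunk extension, followed by one trailer header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\n"
    b"\x7fELF\r\n"
    b"8;ext=ignored\r\n"
    b"\x02\x01\x01\x00\x00\x00\x00\x00\r\n"
    b"0\r\n"
    b"X-Checksum: constructed\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    ctype, payload, digest = carve_file(SAMPLE_RESPONSE)
    print(ctype, len(payload), digest)
```

The truncation checks matter for carving from captures: a stream cut off mid-transfer should be reported as incomplete rather than silently written out as a shorter "file" with a misleading hash.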

Ack - sorry - viewssld - I got the name backwards and google finds all sorts of other things when you try sslviewd.

Mark

Ha. No worries, I’ll take a look tonight!

Just a heads up on viewssld: it only supports old cipher suites. I was looking into using it with Bro to perform SSL decryption and then ran into this paper (published a few months ago) where the author tried to do something similar with Snort - https://www.sans.org/reading-room/whitepapers/detection/snort-ssl-tls-inspection-37735

Here is what the paper’s author wrote about viewssld:

"Viewssld was only able to decrypt one cipher suite ‘TLS_RSA_WITH_RC4_128_MD5’. After checking libdssl-master (Viewssld dependency library), only the cipher suites below were listed in the source code and are currently supported by Viewssld.

TLS

  • AES_128_CBC,SHA1
  • AES_256_CBC,SHA1

SSL2

  • RC4,MD5
  • RC4,MD5
  • RC2,MD5
  • RC2,MD5
  • IDEA,MD5
  • DES,MD5
  • SN_DES_EDE3_CBC,MD5

SSL3

  • NULL,MD5
  • NULL,SHA1
  • RC4,MD5
  • RC4,MD5
  • RC4,SHA1
  • RC2,MD5
  • IDEA,SHA1
  • DES,SHA1
  • DES,SHA1
  • DES3,SHA1

Unfortunately, this tool supports old cipher suites that are insecure and rarely used by servers today. However, the capability here is limited to the tool and what it supports. It is possible to enhance the open source tool’s cipher suite support, but that would take development effort."
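Before spending time on a decryptor, it is worth checking which cipher suite the capture actually negotiated, because a server private key only helps when the key exchange is plain RSA and the suite is one the tool implements. The following is an added example, not code from the thread, the paper, viewssld or libdssl: it parses a TLS ServerHello record and reports the negotiated suite. The cipher suite numbers are the real IANA values; the ServerHello bytes are constructed by the builder in the block. The set `VIEWSSLD_TLS_SUITES` is an assumption: it reads the paper's "AES_128_CBC,SHA1" and "AES_256_CBC,SHA1" TLS entries as TLS_RSA_WITH_AES_128_CBC_SHA (0x002F) and TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), plus the TLS_RSA_WITH_RC4_128_MD5 (0x0004) suite the author reported decrypting.

```python
import struct

# Real IANA cipher suite values for the suites relevant to this discussion.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# ASSUMPTION: mapping of the paper's supported-suite list onto IANA values.
VIEWSSLD_TLS_SUITES = {0x0004, 0x002F, 0x0035}

HANDSHAKE, SERVER_HELLO = 22, 2


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Construct one TLS record carrying a ServerHello (zeroed random, empty session id)."""
    body = (struct.pack("!H", version) + b"\x00" * 32   # version + random
            + b"\x00"                                     # session_id length 0
            + struct.pack("!H", suite) + b"\x00")         # suite + null compression
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


def parse_server_hello(record: bytes) -> dict:
    """Parse a ServerHello record; raise ValueError on anything malformed or truncated."""
    if len(record) < 5:
        raise ValueError("short TLS record header")
    ctype, _rver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if len(hs) < rlen or len(hs) < 4:
        raise ValueError("truncated handshake message")
    htype, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    if htype != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + hlen]
    if len(body) < hlen or hlen < 38:
        raise ValueError("truncated ServerHello body")
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                       # after 2-byte version + 32-byte random
    off = 35 + sid_len
    if off + 2 > len(body):
        raise ValueError("session id overruns body")
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return {
        "version": version,
        "session_id_len": sid_len,
        "cipher_suite": suite,
        "name": CIPHER_SUITES.get(suite, "unknown(0x%04x)" % suite),
    }


def needs_session_keys(suite: int) -> bool:
    """True for (EC)DHE suites: forward secrecy means the server key alone cannot decrypt."""
    name = CIPHER_SUITES.get(suite, "")
    return "_ECDHE_" in name or "_DHE_" in name


def viewssld_supported(suite: int) -> bool:
    """Check against the (assumed) set of TLS suites the paper says viewssld handles."""
    return suite in VIEWSSLD_TLS_SUITES


if __name__ == "__main__":
    for s in (0x0004, 0x0035, 0xC02F):
        info = parse_server_hello(build_server_hello(s))
        print(info["name"], "viewssld:", viewssld_supported(s),
              "needs per-session keys:", needs_session_keys(s))
```

In practice the ServerHello comes out of the pcap (tshark's `tls.handshake.ciphersuite` field gives the same value); the point of the check is that a capture negotiated with an ECDHE suite cannot be decrypted from the server key by any tool, so the answer there is per-session key logging at the endpoint rather than a better decryptor.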