[Bro] Reading encrypted pcap with Bro

Osama Elnaggar oelnaggar04 at gmail.com
Sat Aug 12 18:07:02 PDT 2017


Just a heads up on viewssld: it only supports old cipher suites.  I was
looking into using it with Bro to perform SSL decryption and then ran into
this paper (published a few months ago) where the author tried to do
something similar with Snort -
 https://www.sans.org/reading-room/whitepapers/detection/snort-ssl-tls-inspection-37735

Here is what the paper's author wrote about viewssld:

"Viewssld was only able to decrypt one cipher suite
'TLS_RSA_WITH_RC4_128_MD5'. After checking libdssl-master (Viewssld
dependency library), only the cipher suites below were listed in the source
code and are currently supported by Viewssld.

TLS
- AES_128_CBC,SHA1
- AES_256_CBC,SHA1

SSL2
- RC4,MD5
- RC4,MD5
- RC2,MD5
- RC2,MD5
- IDEA,MD5
- DES,MD5
- SN_DES_EDE3_CBC,MD5

SSL3
- NULL,MD5
- NULL,SHA1
- RC4,MD5
- RC4,MD5
- RC4,SHA1
- RC2,MD5
- IDEA,SHA1
- DES,SHA1
- DES,SHA1
- DES3,SHA1

Unfortunately, this tool supports old cipher suites that are insecure and
rarely used by servers today. However, the capability here is limited to
the tool and what it supports. It is possible to enhance the open source
tool’s cipher suite support, but that would take development effort."

-- 
Osama Elnaggar
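As an added example (not code from this thread, from viewssld, or from Bro), the script below parses a TLS ServerHello record out of raw bytes and checks the negotiated cipher suite against the short list the quoted paper says viewssld/libdssl supports, so you can tell before spending time on a capture whether a passive decryptor of this kind has any chance with it. It also flags suites that use ephemeral (EC)DHE key exchange, which a server private key alone can never decrypt. The ServerHello bytes are constructed inline, the IANA suite ids and the name table are my own assumed subset, and the helper names are hypothetical.

```python
import struct

# Cipher suites the quoted paper lists as supported by viewssld/libdssl for TLS
# (AES_128_CBC,SHA1 and AES_256_CBC,SHA1), plus the one suite the author reports
# it actually decrypted. IANA ids are assumed from the standard registry.
VIEWSSLD_TLS_SUITES = {0x002F, 0x0035, 0x0004}

# Assumed illustrative subset of IANA cipher suite ids to names.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and cipher suite."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[0:2])[0]      # server_version
    session_id_len = hs[34]                          # after the 32-byte random
    off = 35 + session_id_len
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {"version": version, "cipher_suite": cipher_suite}


def classify(cipher_suite: int) -> str:
    """Say what a passive decryptor holding only the server's RSA key can do with this suite."""
    name = SUITE_NAMES.get(cipher_suite, "0x%04X" % cipher_suite)
    if cipher_suite in VIEWSSLD_TLS_SUITES:
        return "viewssld-supported"
    if name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        # Ephemeral key exchange: the pre-master secret never travels encrypted
        # under the server key, so only per-session keys (e.g. a key log) help.
        return "ephemeral-kx"
    if name.startswith("TLS_RSA_WITH_"):
        return "rsa-kx-not-in-viewssld-list"
    return "unknown"


def build_server_hello(version: int, cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (sample input, not captured traffic)."""
    random = bytes(32)  # constructed all-zero random, fine for parsing tests
    hs_body = (struct.pack("!H", version) + random
               + bytes([len(session_id)]) + session_id
               + struct.pack("!H", cipher_suite) + b"\x00")  # null compression
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(handshake)) + handshake


def triage(records: list) -> list:
    """Return (suite name, verdict) for each ServerHello record."""
    out = []
    for rec in records:
        suite = parse_server_hello(rec)["cipher_suite"]
        out.append((SUITE_NAMES.get(suite, "0x%04X" % suite), classify(suite)))
    return out


if __name__ == "__main__":
    samples = [
        build_server_hello(0x0303, 0x002F, b"\x01" * 8),
        build_server_hello(0x0303, 0xC02F),
        build_server_hello(0x0303, 0x009C),
    ]
    for name, verdict in triage(samples):
        print(f"{name:45s} {verdict}")
```

Against a real capture you would feed it the ServerHello records that tshark or Bro's ssl.log identifies; any session that comes back as ephemeral-kx needs client-side session keys rather than the server's private key, regardless of which tool does the decryption.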

On August 13, 2017 at 8:54:44 AM, Mark Buchanan (mabuchan at gmail.com) wrote:

Ack - sorry - viewssld - I got the name backwards and google finds all
sorts of other things when you try sslviewd.

Mark

On Sat, Aug 12, 2017 at 5:20 PM, Josh Guild <josh.guild at morphick.com> wrote:

> Awesome, I'll give that a shot! RE: the replay, is there something that
> can read that out and replay? I was thinking of just trying this with
> tshark but hadn't done research yet.
>
> I tried the Export Objects within Wireshark but these files weren't
> grabbed through a normal GET, it was pushed out in a chunked format.
>
> I'm hoping Bro can reassemble and carve for me :)
>
> On Sat, Aug 12, 2017, 18:17 Mark Buchanan <mabuchan at gmail.com> wrote:
>
>> Check out sslviewd, it can decrypt traffic (on the fly). You may
>> be able to use that to either generate clear text captures or replay the
>> encrypted dump through it into a Bro instance listening to the output.
>>
>> On another note, Wireshark has some capacity to carve files out, within
>> it, while I know I'd like to use Bro, if it's a one shot deal, that may be
>> an easier method.
>>
>> --
>> Mark Buchanan
>>
>> > On Aug 12, 2017, at 13:58, Josh Guild <josh.guild at morphick.com> wrote:
>> >
>> > Hi all,
>> >
>> > Hoping to find some more uplifting answers here than I found with my
>> Google searches. I have an encrypted pcap and the key but there doesn't
>> seem to be a way to save off the plaintext pcap with tshark.
>> >
>> > Where Bro comes in - I need to carve some files out that are chunked as
>> octet streams and would really rather not have to write a tshark script for
>> this.
>> >
>> > However Bro needs the decrypted pcap to carve for me :(
>> >
>> > Any assistance or points in the right direction would be awesome,
>> thanks!
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>


--
Mark Buchanan
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro