[Zeek] Decryption of HTTP traffic
Johanna Amann
johanna at icir.org
Wed Aug 28 14:32:08 PDT 2019
Hi Jonah,
> When feeding PCAPs to Zeek, is there any functionality to decrypt
> HTTPS traffic?
No, sorry, we don’t have that functionality.
> I see that the SSL log contains “a record of SSL sessions, including
> certificates being used” - can these certificates be used to
> decrypt PCAPs before Zeek processes them to ensure HTTP logs are
> correctly populated?
No, the certificates only contain the public keys, not the private keys.
For the moment you will have to use other software to decrypt the
traffic in pcaps (if you have the pcaps and the keys of the sessions).
Wireshark has a bit of functionality to do this, for example.
Johanna
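
Added example, not part of the original message and not Zeek code: "the keys of the sessions" usually reach Wireshark as an NSS-format key log file, and this sketch checks which TLS sessions in a capture such a file covers. It assumes the ClientHello random of each session has already been extracted from the pcap; all sample values are constructed.

```python
import re

# NSS key log line: "<LABEL> <client_random: 64 hex> <secret: hex>"
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
TLS12_LABEL = "CLIENT_RANDOM"  # TLS 1.2 master secret
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

def parse_keylog(text):
    """Map client_random (lowercase hex) -> set of secret labels logged for it."""
    sessions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unknown line: skip rather than guess
        label, client_random, _secret = m.groups()
        sessions.setdefault(client_random.lower(), set()).add(label)
    return sessions

def coverage(sessions, client_randoms):
    """Report, per ClientHello random, which key material the log holds."""
    result = {}
    for cr in client_randoms:
        labels = sessions.get(cr.lower(), set())
        if TLS12_LABEL in labels:
            result[cr] = "tls1.2-master-secret"
        elif TLS13_APP_LABELS <= labels:
            result[cr] = "tls1.3-traffic-secrets"
        else:
            result[cr] = "no-keys"  # the certificate alone does not help here
    return result

# Constructed sample data (not real secrets).
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log for illustration",
    f"CLIENT_RANDOM {CR_A} {'11' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {'22' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {'33' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_C} {'44' * 32}",
])

if __name__ == "__main__":
    found = coverage(parse_keylog(SAMPLE_KEYLOG), [CR_A, CR_B, CR_C])
    for cr, status in found.items():
        print(cr[:8], status)
```

Sessions reported as `no-keys` stay opaque to any tool, whatever certificates appear in the SSL log.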