[Zeek] Decryption of HTTP traffic
Eric Ooi
ericooi at gmail.com
Wed Aug 28 18:49:24 PDT 2019
As someone who just started sending decrypted traffic to Zeek, I recommend also installing MITRE’s bro-http2 (https://github.com/MITRECND/bro-http2) plugin, since you’ll find a lot of today's encrypted traffic is HTTP/2.
> On Aug 28, 2019, at 4:32 PM, Johanna Amann <johanna at icir.org> wrote:
>
> Hi Jonah,
>
>> When feeding PCAPs to Zeek, is there any functionality to decrypt
>> HTTPS traffic?
>
> No, sorry, we don’t have that functionality.
>
>> I see that the SSL log contains “a record of SSL sessions, including
>> certificates being used” - can these certificates be used to
>> decrypt PCAPs before Zeek processes them to ensure HTTP logs are
>> correctly populated?
>
> No, the certificates only contain the public keys, not the private keys.
>
> For the moment you will have to use other software to decrypt the
> traffic in pcaps (if you have the pcaps and the keys of the sessions).
> Wireshark has a bit of functionality to do this, for example.
>
> Johanna
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek