Feature #7796
Support for TLS decryption in pcap mode using sslkeylog file
Status: open
Description
Hi Suricata community!
I'd like to suggest adding support for decrypting TLS traffic in pcap mode using the sslkeylog file format.
Motivation

During incident response, malware analysis, and retrospective threat hunting, analysts often work with:
- PCAP captures of TLS-encrypted traffic
- SSL key log files (SSLKEYLOGFILE) generated by browsers like Chrome or Firefox

These key log files allow offline decryption of TLS sessions (including TLS 1.2 and 1.3) and are already supported by tools like:
- Wireshark
- tshark
- mitmproxy

Currently, Suricata can extract TLS metadata (e.g., SNI, JA3 fingerprints) but cannot inspect decrypted content, which limits detection of malicious payloads, HTTP traffic, or exploits delivered over HTTPS.

- Allow users to supply an sslkeylog file when running Suricata in pcap mode.
- Use the key log file to decrypt TLS sessions during analysis, enabling:
  - Deep packet inspection of decrypted content (HTTP requests, malware, C2, etc.)
  - Rule matching based on payload content, not just TLS metadata
  - Better detection of threats that use TLS encryption to hide their traffic

- Malware sandbox analysis where traffic and sslkeylog are collected in parallel
- IR teams collecting traffic from compromised endpoints with exported SSL keys
- Retrospective analysis of APT infrastructure where victim-side key logging is available
Happy to discuss this further or provide usage examples. Thanks for your work on Suricata!
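As an added example (not part of the feature request above and not Suricata code), the following Python parses the SSLKEYLOGFILE format that the request refers to (the NSS key log format: one `LABEL <client_random> <secret>` triple per line, `CLIENT_RANDOM` for TLS 1.2 master secrets and the `*_TRAFFIC_SECRET*` labels for TLS 1.3), lints it, and then matches the client random of each captured ClientHello against it to report which sessions the log can actually decrypt. That is the check an IR team wants before feeding a pcap and a key log to any decrypting tool: a TLS 1.3 session with only handshake secrets logged, or a truncated line, shows up as "still encrypted" with no explanation otherwise. The key log lines and ClientHello records are constructed for the demo; the function names are mine.

```python
"""Check which TLS sessions in a capture an SSLKEYLOGFILE can decrypt.
Added example, not Suricata code. Key log lines and ClientHello records
below are constructed for the demo; no real session secrets are involved."""
import re
from collections import defaultdict

# NSS key log labels and the secret sizes they imply: a TLS 1.2 master secret
# is always 48 bytes; a TLS 1.3 secret is one hash output (32 bytes for
# SHA-256 suites, 48 bytes for SHA-384 suites).
KEYLOG_LABELS = {
    "CLIENT_RANDOM": {48},
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_hex}}, [(lineno, reason)]).
    Malformed lines are reported, not silently dropped: a truncated or
    corrupted key log is the usual reason a session stays encrypted."""
    sessions, problems = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected '<LABEL> <client_random> <secret>'"))
            continue
        label, crand, secret = parts
        if label not in KEYLOG_LABELS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        if not (HEX_RE.match(crand) and len(crand) == 64):
            problems.append((lineno, "client random must be 32 bytes of hex"))
            continue
        if not (HEX_RE.match(secret) and len(secret) % 2 == 0
                and len(secret) // 2 in KEYLOG_LABELS[label]):
            problems.append((lineno, f"{label} secret has unexpected length ({len(secret)} hex chars)"))
            continue
        sessions[crand.lower()][label] = secret.lower()
    return dict(sessions), problems


def decryptable(secrets):
    """TLS 1.2 needs only the master secret; TLS 1.3 application data needs
    both traffic secrets (handshake secrets alone expose only the handshake)."""
    if "CLIENT_RANDOM" in secrets:
        return True
    return {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(secrets)


def client_random_from_hello(record):
    """Hex client random of a raw TLS ClientHello record, or None.
    TLSPlaintext header (type 0x16) is 5 bytes, Handshake header (type 0x01)
    is 4 bytes, then legacy_version (2 bytes) and random (32 bytes)."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43].hex()


def coverage(keylog_text, records):
    """Map each captured record to what the key log lets us decrypt."""
    sessions, problems = parse_keylog(keylog_text)
    report = []
    for rec in records:
        crand = client_random_from_hello(rec)
        if crand is None:
            report.append((None, "not a ClientHello"))
            continue
        secrets = sessions.get(crand)
        if secrets is None:
            status = "no keys"
        elif decryptable(secrets):
            status = "decryptable"
        else:
            status = "incomplete: " + ",".join(sorted(secrets))
        report.append((crand, status))
    return report, problems


def make_client_hello(client_random):
    """Minimal ClientHello record, constructed as test input only."""
    body = (b"\x03\x03" + client_random   # legacy_version, random
            + b"\x00"                     # empty session_id
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # null compression only
            + b"\x00\x00")                # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


R12, R13, R13_PARTIAL, R_UNLOGGED = (bytes([b]) * 32 for b in (0x11, 0x22, 0x33, 0x44))
SAMPLE_KEYLOG = f"""# constructed sample key log, not real secrets
CLIENT_RANDOM {R12.hex()} {'aa' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13.hex()} {'bb' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {R13.hex()} {'bb' * 32}
CLIENT_TRAFFIC_SECRET_0 {R13.hex()} {'cc' * 32}
SERVER_TRAFFIC_SECRET_0 {R13.hex()} {'dd' * 32}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13_PARTIAL.hex()} {'ee' * 32}
CLIENT_RANDOM {R12.hex()} deadbeef
"""
DEMO_RECORDS = [make_client_hello(r) for r in (R12, R13, R13_PARTIAL, R_UNLOGGED)]
DEMO_RECORDS.append(b"\x17\x03\x03\x00\x05hello")   # application data, not a ClientHello
```

Running `coverage(SAMPLE_KEYLOG, DEMO_RECORDS)` reports the first two sessions as decryptable, the third as incomplete (handshake secret only), the fourth as having no keys, and flags key log line 8 for its 4-byte "master secret". Until Suricata has native support, the same key log can be checked against the capture with Wireshark's tooling, for example `tshark -o tls.keylog_file:keys.log -r capture.pcap -Y http` or, to embed the secrets in the capture itself, `editcap --inject-secrets tls,keys.log capture.pcap decryptable.pcapng`.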