Feature #7796

open

Support for TLS decryption in pcap mode using sslkeylog file

Added by Branislav Kramar 2 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Hi Suricata community!

I'd like to suggest adding support for decrypting TLS traffic in pcap mode using the sslkeylog file format.

Motivation
  • During incident response, malware analysis, and retrospective threat hunting, analysts often work with:
    • PCAP captures of TLS-encrypted traffic
    • SSL key log files (SSLKEYLOGFILE) generated by browsers like Chrome or Firefox
  • These key log files allow offline decryption of TLS sessions (including TLS 1.2 and 1.3) and are already supported by tools like:
    • Wireshark
    • tshark
    • mitmproxy
  • Currently, Suricata can extract TLS metadata (e.g., SNI, JA3 fingerprints) but cannot inspect decrypted content, which limits detection of malicious payloads, HTTP traffic, or exploits delivered over HTTPS.

Proposed Functionality
  • Allow users to supply an sslkeylog file when running Suricata in pcap mode.
  • Use the key log file to decrypt TLS sessions during analysis, enabling:
    • Deep packet inspection of decrypted content (HTTP requests, malware, C2, etc.)
    • Rule matching based on payload content, not just TLS metadata
    • Better detection of threats that use TLS encryption to hide their traffic

Potential Use Cases
  • Malware sandbox analysis where traffic and sslkeylog are collected in parallel
  • IR teams collecting traffic from compromised endpoints with exported SSL keys
  • Retrospective analysis of APT infrastructure where victim-side key logging is available

Happy to discuss this further or provide usage examples. Thanks for your work on Suricata!
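Added example (not part of the issue above, and not Suricata code): the core of what a key-log based decryption feature has to do first is parse the NSS-style SSLKEYLOGFILE and match each line to a TLS session by the 32-byte ClientHello random. The parser below handles the TLS 1.2 `CLIENT_RANDOM` line and the TLS 1.3 per-secret labels, validates field lengths, extracts the random from a raw ClientHello record, and reports whether enough secrets are present to decrypt application data. The key log lines and the ClientHello bytes are constructed for illustration and contain no real key material.

```python
"""Parse an SSLKEYLOGFILE and match entries to TLS ClientHello randoms.

Added example, not Suricata code. All key material below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Labels from the NSS key log format. CLIENT_RANDOM carries a TLS 1.2 master
# secret (48 bytes); the TLS 1.3 labels carry per-direction traffic secrets.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
TLS13_APPDATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


@dataclass
class SessionKeys:
    client_random: bytes
    secrets: Dict[str, bytes] = field(default_factory=dict)

    @property
    def version(self) -> Optional[str]:
        if TLS12_LABEL in self.secrets:
            return "TLS1.2"
        if any(label in TLS13_LABELS for label in self.secrets):
            return "TLS1.3"
        return None

    def complete(self) -> bool:
        """True when the logged secrets suffice to decrypt application data."""
        if TLS12_LABEL in self.secrets:
            return True
        return TLS13_APPDATA <= self.secrets.keys()


def parse_keylog(text: str) -> Dict[bytes, SessionKeys]:
    """Index key log lines by client random; one session may have many labels."""
    sessions: Dict[bytes, SessionKeys] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad hex field") from exc
        if len(rand) != 32:
            raise ValueError(f"line {lineno}: client_random must be 32 bytes")
        if label == TLS12_LABEL and len(secret) != 48:
            raise ValueError(f"line {lineno}: master secret must be 48 bytes")
        sessions.setdefault(rand, SessionKeys(rand)).secrets[label] = secret
    return sessions


def client_random_from_record(record: bytes) -> bytes:
    """Return the 32-byte random from a TLS record carrying a ClientHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte
    handshake header (type 0x01, 3-byte length), 2-byte legacy version,
    then the random at offset 11.
    """
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    return record[11:43]


def lookup(sessions: Dict[bytes, SessionKeys], record: bytes) -> Optional[SessionKeys]:
    return sessions.get(client_random_from_record(record))


def make_client_hello(random32: bytes) -> bytes:
    """Build a minimal, constructed ClientHello record with the given random."""
    body = (b"\x03\x03" + random32 + b"\x00"        # legacy_version, random, no session id
            + b"\x00\x02\x13\x01"                    # one cipher suite
            + b"\x01\x00" + b"\x00\x00")             # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample key log: one TLS 1.2 session and one TLS 1.3 session.
RAND_12, RAND_13 = bytes(range(32)), bytes(range(32, 64))
MS12 = bytes([0x11]) * 48
S_CHS, S_SHS, S_CAP, S_SAP = (bytes([b]) * 32 for b in (0x22, 0x23, 0x24, 0x25))
SAMPLE_KEYLOG = f"""# constructed sample, not real key material
CLIENT_RANDOM {RAND_12.hex()} {MS12.hex()}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_13.hex()} {S_CHS.hex()}
SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_13.hex()} {S_SHS.hex()}
CLIENT_TRAFFIC_SECRET_0 {RAND_13.hex()} {S_CAP.hex()}
SERVER_TRAFFIC_SECRET_0 {RAND_13.hex()} {S_SAP.hex()}
"""

if __name__ == "__main__":
    db = parse_keylog(SAMPLE_KEYLOG)
    for rnd in (RAND_12, RAND_13, bytes(32)):
        keys = lookup(db, make_client_hello(rnd))
        print(rnd.hex()[:16], keys.version if keys else "no keys", keys.complete() if keys else "")
```

A real implementation would then feed the matched master secret or traffic secrets into the record-layer key schedule for the negotiated cipher suite; matching on client random is the piece that the key log format fixes, and it is what lets an offline tool pair a capture with a log collected on the endpoint.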

