Suricata

Hi Suricata community!

I'd like to suggest adding support for decrypting TLS traffic in pcap mode using the sslkeylog file format.

Motivation

• During incident response, malware analysis, and retrospective threat hunting, analysts often work with:
  • PCAP captures of TLS-encrypted traffic
  • SSL key log files (SSLKEYLOGFILE) generated by browsers like Chrome or Firefox
• These key log files allow offline decryption of TLS sessions (including TLS 1.2 and 1.3) and are already supported by tools like:
  • Wireshark
  • tshark
  • mitmproxy
• Currently, Suricata can extract TLS metadata (e.g., SNI, JA3 fingerprints) but cannot inspect decrypted content, which limits detection of malicious payloads, HTTP traffic, or exploits delivered over HTTPS.

Proposed Functionality

• Allow users to supply an sslkeylog file when running Suricata in pcap mode.
• Use the key log file to decrypt TLS sessions during analysis, enabling:
  • Deep packet inspection of decrypted content (HTTP requests, malware, C2, etc.)
  • Rule matching based on payload content, not just TLS metadata
  • Better detection of threats that use TLS encryption to hide their traffic

Potential Use Cases

• Malware sandbox analysis where traffic and sslkeylog are collected in parallel
• IR teams collecting traffic from compromised endpoints with exported SSL keys
• Retrospective analysis of APT infrastructure where victim-side key logging is available

Happy to discuss this further or provide usage examples. Thanks for your work on Suricata!