As someone who just started sending decrypted traffic to Zeek, I recommend also installing MITRE’s bro-http2 plugin (<https://github.com/MITRECND/bro-http2>), since you’ll find a lot of today's encrypted traffic is HTTP/2.
On Aug 28, 2019, at 4:32 PM, Johanna Amann wrote:

>> When feeding PCAPs to Zeek, is there any
>> functionality to decrypt
>
> No, sorry, we don’t have that functionality.
>
>> I see that the SSL log contains “a record of SSL
>> certificates being used” - can these certificates be used to
>> decrypt PCAPs before Zeek processes them to ensure HTTP logs are
>
> No, the certificates only contain the public keys, not the private keys.
> For the moment you will have to use other software to decrypt the
> traffic in pcaps (if you have the pcaps and the keys of the sessions).
> Wireshark has a bit of functionality to do this, for example.
Zeek mailing list
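The workaround Johanna describes (decrypt the pcap with Wireshark and the session keys, since Zeek has no TLS decryption and ssl.log only records public keys), as an added example that is not part of the thread, of Zeek, or of Wireshark: a small POSIX shell wrapper around tshark. It assumes tshark from Wireshark 3.x, where the preference is spelled tls.keylog_file (2.x releases spell it ssl.keylog_file), and session keys in the NSS key-log format that browsers and most TLS libraries write when SSLKEYLOGFILE is set. The helper names check_keylog, count_keys, decrypt_http and embed_keys and the file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Zeek/Wireshark: decrypt the TLS
# sessions in a pcap with tshark, using session keys in NSS key-log format
# (what browsers and most TLS libraries write when SSLKEYLOGFILE is set).
# Zeek cannot do this itself; the certificates in ssl.log hold public keys only.
# Assumes Wireshark/tshark 3.x, where the preference is tls.keylog_file
# (2.x spells it ssl.keylog_file). Helper names and paths are this example's.

# A key-log line is either
#   <LABEL> <client_random: 64 hex> <secret: 64 or 96 hex>
#     (LABEL is CLIENT_RANDOM for TLS 1.2, or a TLS 1.3 *_TRAFFIC_SECRET*
#      label; 64 hex for SHA-256 suites, 96 for SHA-384)
# or, for RSA key exchange,
#   RSA <first 8 bytes of encrypted premaster: 16 hex> <premaster: 96 hex>
# Validate before decrypting: tshark skips lines it cannot parse without any
# error, so a corrupt key log just looks like "nothing decrypts".
check_keylog() {
    keylog="$1"
    [ -r "$keylog" ] || { echo "cannot read $keylog" >&2; return 1; }
    bad=$(grep -v -E '^(#.*)?$' "$keylog" \
        | grep -v -E '^[A-Z][A-Z_0-9]* [0-9a-fA-F]{64} ([0-9a-fA-F]{64}|[0-9a-fA-F]{96})$' \
        | grep -v -E '^RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96}$' \
        | wc -l | tr -d ' ')
    if [ "$bad" -ne 0 ]; then
        echo "$keylog: $bad malformed line(s)" >&2
        return 1
    fi
    return 0
}

# Number of sessions the key log can unlock: one client_random per session
# (TLS 1.3 writes several secrets per session, hence the de-duplication).
count_keys() {
    grep -E '^[A-Z][A-Z_0-9]* [0-9a-fA-F]{64} ' "$1" \
        | cut -d' ' -f2 | sort -u | wc -l | tr -d ' '
}

# List the HTTP/1.x requests and HTTP/2 HEADERS frames tshark recovers from
# the pcap $1 after decrypting with the key log $2. Note what this does not
# do: tshark decrypts for its own dissectors only and never writes a
# plaintext pcap, so this output cannot simply be fed on to Zeek.
decrypt_http() {
    pcap="$1"; keylog="$2"
    check_keylog "$keylog" || return 1
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 2; }
    tshark -r "$pcap" -o "tls.keylog_file:$keylog" \
        -Y 'http.request || http2.type == 1' \
        -T fields -e frame.number -e ip.dst -e tcp.dstport \
        -e http.request.method -e http.request.uri \
        -e http2.header.name -e http2.header.value
}

# Optional: embed the keys in a pcapng Decryption Secrets Block, so the
# capture decrypts on its own in Wireshark without setting the preference.
embed_keys() {
    pcap="$1"; keylog="$2"; out="$3"
    check_keylog "$keylog" || return 1
    editcap --inject-secrets "tls,$keylog" "$pcap" "$out"
}

# Usage: sh decrypt_http.sh capture.pcap keys.log
if [ "$#" -ge 2 ]; then
    decrypt_http "$1" "$2"
fi
```

Run it as "sh decrypt_http.sh capture.pcap keys.log" next to the capture and the key log the client wrote; for a pre-3.0 tshark, change the preference name to ssl.keylog_file. The validation step is there because a key log with the wrong client randoms (for example from a different browser session than the one captured) produces no error at all, only undecrypted sessions.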