-
Notifications
You must be signed in to change notification settings - Fork 437
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tlsdump can decrypt SSL/TLS traffic? #1437
Comments
@federicofantini: hello! 👋 This issue is being automatically closed because it does not follow the issue template. This is open source project! |
Yes indeed the tlsdump feature should mean that the encrypted traffic in the pcap gets decrypted and thus seen by suricata - you should therefore see the results of this in the network tab when you run your test exe - is this the case? |
Yes, that would be my use case! Also, trying to decrypt the traffic manually from wireshark (need to convert the |
No I didn't mean "is this your use case?" - I meant "is it the case that your exe produces the expected output in the network tab?"! |
Nope, the pcap still encrypted and I'm unable to decrypt with wireshark. The tabs in the network tab are:
And my test exe is just a py2exe conversion of this script: import requests
import time
urls = [
"https://www.google.com",
"https://www.apple.com",
"https://www.aruba.it",
"https://www.repubblica.it",
"https://tls-v1-2.badssl.com:1012/",
"https://tls-v1-1.badssl.com:1011/",
"https://tls-v1-0.badssl.com:1010/"
]
for u in urls:
r = requests.get(u)
print(r.status_code)
time.sleep(5) I was looking at the public instance and I saw that this feature is already present and that it works on win7: https://capesandbox.com/analysis/374610/ (sorry for the misunderstanding). |
Hi, I went a little bit deeper and I want to update you about this issue. Thanks to this script https://github.com/lbirchler/tls-decryption I was able to see the decrypted version of the Futhermore in the
I think this analysis https://capesandbox.com/analysis/374610/ may have something like mine for the TCP 443 requests. |
Hi @federicofantini, Can you show me the configuration of INETSIM for CAPE?, i can't find any instructions :( |
@daothinh you need to install inetsim on a dedicated VM inside the libvirt network: https://www.techanarchy.net/installing-and-configuring-inetsim/ |
@kevoreilly i'm not sure how this feature works - are there any specific CAPE configuration requirements for this to work? In my scenario, i have some HTTPs traffic (that i can see in the CAPE networking tab under HTTP(s) - but does not appear under Suricata HTTP tab or Suricata alerts - regardless of the suricata rules that i wrote) |
The HTTP(s) field is straight from the pcap whereas the suricata fields depend on suricata processing the pcap. So it sounds like the capture to pcap and decryption is fine, suricata side is not working. |
Hi @kevoreilly - appreciate you taking the time to respond. I've also added some "test" rules for suricata for that pcap - and i see them in the report.
e.g. Is there anything i'm missing? |
we don't decrypt pcap. we decrypt them for us to show in cape in network data processing, if you need that to be working with suricata, you can write extension for cape to decrypt pcap and save updated pcap, as far as i know you just need to supply certificate, maybe even you can do that with suricata if they support that |
Hi @doomedraven - thanks for the update. |
i know that people has code for that, but they don't share code, i don't need this feature so i don't do it by myself. but if you want to contribute you are more than welcome to implement it |
I will be making a PR for this soon - watch this space. |
Hello did you ever get this to work with your setup? I see now that official CAPE doesn't contain any http or https traffic anymore - I hope this is still possible. Is it as simple as taking the tlsdump.log and using that to decrypt the pcap - then just feed that pcap to the mechanism responsible for populating the Network Analysis tab on the UI? |
It works just fine on my private setup, I would think of public cape sandbox as demo version, if you have skills you can do black magic with code ;)
… El 15 sept 2023, a las 21:47, CarsonHrusovsky ***@***.***> escribió:
Nope, the pcap still encrypted and I'm unable to decrypt with wireshark. The tabs in the network tab are:
Hosts (7)
DNS (8)
TCP (18)
UDP (33)
HTTP (0)
SMTP (0)
IRC (0)
ICMP (1)
Suricata Alerts (0)
Suricata TLS (0)
Suricata HTTP (0)
Suricata Files (0)
And my test exe is just a py2exe conversion of this script:
import requests
import time
urls = [
"https://www.google.com",
"https://www.apple.com",
"https://www.aruba.it",
"https://www.repubblica.it",
"https://tls-v1-2.badssl.com:1012/",
"https://tls-v1-1.badssl.com:1011/",
"https://tls-v1-0.badssl.com:1010/"
]
for u in urls:
r = requests.get(u)
print(r.status_code)
time.sleep(5)
I was looking at the public instance and I saw that this feature is already present and that it works on win7: https://capesandbox.com/analysis/374610/ (sorry for the misunderstanding). However I have a question: why some traffic is not decrypted on that analysis? I see some TCP communications on port 443.
Hello did you ever get this to work with your setup? I see now that official CAPE doesn't contain any http or https traffic anymore - I hope this is still possible. Is it as simple as taking the tlsdump.log and using that to decrypt the pcap - then just feed that pcap to the mechanism responsible for populating the Network Analysis tab on the UI?
—
Reply to this email directly, view it on GitHub <#1437 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH3Y5XOMGUIANQFF2XB3X2SWFVANCNFSM6AAAAAAV36IAZ4>.
You are receiving this because you were mentioned.
|
This is still very much a feature, nothing has been removed from 'official' cape! |
Kev is due that VPN is down |
Hi, today I was looking at this really interesting feature in the file:
analyzer/windows/modules/auxiliary/tlsdump.py
.At the end of the analysis I can download the pcap and log files containing respectively the whole network traffic and the dumped keys. CAPEv2 is able to decrypt the traffic? In this way the suricata signatures will be more effective!
I also tried to import these two files to wireshark in order to decrypt the traffic. This feature of wireshark is supported only for TLS <=1.2 versions but also in this legacy communication version I can’t see clear traffic. Maybe not all keys are collected?
I did a test by analyzing my exe file that contacts (HTTP GET) to this URL: https://tls-v1-2.badssl.com:1012/
P.S. I know I'm not using templates but I don't know if these issues I'm opening are "bug" or "feature request" or something else... I hope it's not a problem.
Thanks in advance!
The text was updated successfully, but these errors were encountered: