brimdata / brimcap

Convert pcap files into richly-typed ZNG summary logs (Zeek, Suricata, and more)
BSD 3-Clause "New" or "Revised" License
72 stars 8 forks

Support for pcapng files with embedded tls keys #264

Open alberto-bc opened 3 years ago

alberto-bc commented 3 years ago

Since Wireshark 3.0 it is possible to embed TLS secrets in a pcapng file. Following the Wireshark documentation I created a pcapng file with the TLS keys embedded in it.

Using such a file I'm able to inspect HTTP traffic in Wireshark, but when I load the same file in Brim, no such data (plain/unencrypted HTTP data) is available. Since Decryption Secrets Blocks are part of the pcapng specification, are there any plans to support these files in Brim?
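The Decryption Secrets Block (DSB) the reporter refers to is an ordinary pcapng block, so any tool that walks the file can detect whether a capture carries session keys. The scanner below is an added example written for this thread, not code from brimcap or from the issue author. It uses the block type, byte-order magic and secrets-type values defined in the pcapng specification, builds a constructed in-memory capture (one Section Header Block followed by one DSB holding a dummy SSLKEYLOGFILE line) and then lists every DSB it finds. The practical use is the one a defender cares about: a capture with a DSB is self-decrypting for anyone who receives it, so checking for embedded secrets before a pcapng leaves an analyst's machine is worth doing even while Brim itself ignores the block.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Constants from the pcapng specification (block types and DSB secrets types).
const (
	blockTypeSHB   uint32 = 0x0A0D0D0A // Section Header Block; same bytes in either byte order
	blockTypeDSB   uint32 = 0x0000000A // Decryption Secrets Block
	byteOrderMagic uint32 = 0x1A2B3C4D // SHB magic; reads as 0x4D3C2B1A when byte-swapped

	secretsTLSKeyLog uint32 = 0x544C534B // "TLSK": SSLKEYLOGFILE-format text
	secretsWireGuard uint32 = 0x57474B4C // "WGKL": WireGuard key log
)

// Secret is the payload of one Decryption Secrets Block.
type Secret struct {
	Type uint32
	Data []byte
}

// TypeName renders the secrets type for a report.
func (s Secret) TypeName() string {
	switch s.Type {
	case secretsTLSKeyLog:
		return "TLS key log"
	case secretsWireGuard:
		return "WireGuard key log"
	default:
		return fmt.Sprintf("unknown (0x%08X)", s.Type)
	}
}

// FindSecrets walks every block in a pcapng buffer and returns the DSBs it
// contains. Block framing is validated so a truncated or corrupt file is
// reported instead of being silently skipped.
func FindSecrets(buf []byte) ([]Secret, error) {
	var order binary.ByteOrder
	var found []Secret
	off := 0
	for off+12 <= len(buf) {
		// The SHB type is palindromic, so it is recognisable before the
		// section's byte order is known; the magic after the block length
		// then fixes the order for everything that follows in the section.
		if binary.BigEndian.Uint32(buf[off:]) == blockTypeSHB {
			switch binary.BigEndian.Uint32(buf[off+8:]) {
			case byteOrderMagic:
				order = binary.BigEndian
			case 0x4D3C2B1A:
				order = binary.LittleEndian
			default:
				return nil, fmt.Errorf("bad byte-order magic at offset %d", off+8)
			}
		}
		if order == nil {
			return nil, errors.New("data does not start with a Section Header Block")
		}
		btype := order.Uint32(buf[off:])
		blen := int(order.Uint32(buf[off+4:]))
		if blen < 12 || blen%4 != 0 || off+blen > len(buf) {
			return nil, fmt.Errorf("malformed block length %d at offset %d", blen, off)
		}
		if int(order.Uint32(buf[off+blen-4:])) != blen {
			return nil, fmt.Errorf("trailing block length mismatch at offset %d", off)
		}
		if btype == blockTypeDSB {
			body := buf[off+8 : off+blen-4]
			if len(body) < 8 {
				return nil, fmt.Errorf("DSB body too short at offset %d", off)
			}
			stype := order.Uint32(body)
			slen := int(order.Uint32(body[4:]))
			if slen < 0 || slen > len(body)-8 {
				return nil, fmt.Errorf("DSB secrets length %d exceeds body at offset %d", slen, off)
			}
			// Copy so the result does not alias the caller's buffer.
			found = append(found, Secret{Type: stype, Data: append([]byte(nil), body[8:8+slen]...)})
		}
		off += blen
	}
	if off != len(buf) {
		return nil, fmt.Errorf("%d trailing bytes after last block", len(buf)-off)
	}
	return found, nil
}

// block frames a body as a pcapng block: 32-bit padding, and the block total
// length written both before and after the body as the spec requires.
func block(order binary.ByteOrder, btype uint32, body []byte) []byte {
	for len(body)%4 != 0 {
		body = append(body, 0)
	}
	total := uint32(12 + len(body))
	var b bytes.Buffer
	binary.Write(&b, order, btype)
	binary.Write(&b, order, total)
	b.Write(body)
	binary.Write(&b, order, total)
	return b.Bytes()
}

// SampleKeyLog is a constructed SSLKEYLOGFILE line with dummy hex values; it
// is not a real session secret.
var SampleKeyLog = "CLIENT_RANDOM " + strings.Repeat("11", 32) + " " + strings.Repeat("22", 48) + "\n"

// SampleCapture builds a minimal in-memory pcapng: one SHB, then (when
// withSecrets is true) one DSB carrying SampleKeyLog. No packets are needed
// to demonstrate the block walk.
func SampleCapture(order binary.ByteOrder, withSecrets bool) []byte {
	var shb bytes.Buffer
	binary.Write(&shb, order, byteOrderMagic)
	binary.Write(&shb, order, uint16(1))                  // major version
	binary.Write(&shb, order, uint16(0))                  // minor version
	binary.Write(&shb, order, uint64(0xFFFFFFFFFFFFFFFF)) // section length: unspecified
	out := block(order, blockTypeSHB, shb.Bytes())
	if withSecrets {
		var dsb bytes.Buffer
		binary.Write(&dsb, order, secretsTLSKeyLog)
		binary.Write(&dsb, order, uint32(len(SampleKeyLog)))
		dsb.WriteString(SampleKeyLog)
		out = append(out, block(order, blockTypeDSB, dsb.Bytes())...)
	}
	return out
}

func main() {
	for _, order := range []binary.ByteOrder{binary.LittleEndian, binary.BigEndian} {
		secrets, err := FindSecrets(SampleCapture(order, true))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, s := range secrets {
			fmt.Printf("%s DSB, %d bytes: %q\n", s.TypeName(), len(s.Data), s.Data)
		}
	}
}
```

To run it against a real file, read the file into a byte slice and pass it to FindSecrets; a non-empty result means the capture will decrypt in Wireshark without any external key log, and should be treated with the same care as the key log itself.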

philrz commented 3 years ago

@alberto-bc: Thanks for your interest in Brim!

There are currently no plans to support decryption in Brim. At the moment, the heavy lifting of creating summary logs out of packet captures is handled by an embedded Zeek. So based on the Brim architecture, that's normally where we'd look for such decryption to happen. A recent thread on the Zeek public Slack confirms that their core developers don't have this on their to-do list:

[image: screenshot of the Zeek Slack thread]

Just brainstorming, but having looked at the Internet Draft you linked to, maybe it would be technically feasible for Brim to run the packet capture through a preprocessing phase before passing it to Zeek, such that these secrets could be leveraged for decryption when present. The zq tools that are also embedded with Brim include a pcap tool that's used for indexing captures and other operations, and perhaps it could be extended to handle this.

The core Brim dev team is busy with other priorities at the moment, so even if something were technically feasible, it's unlikely to be something addressed in the near term. We'll hold this issue open to continue gathering interest and in case there's interest in the community (Zeek's or our own) in starting to dig into this area.

philrz commented 1 year ago

In the time since this issue was first opened, pcap processing is now handled by a separate external tool Brimcap that's bundled with Brim. It seems like if we wanted to cover this, brimcap itself might need to be able to perform the decryption on the fly whenever reading a pcap stream for any reason.