If you have the key log files from a client's browser, you can import them into IBM QRadar Incident Forensics to decrypt traffic from that client.
Key log files are generated by Google Chrome, Firefox, and Opera browsers that have the SSLKEYLOGFILE environment variable set. Only the RSA and DH key formats are supported for the SSLKEYLOGFILE session key.
Procedure
- Use SSH to log in to the QRadar Console, and then into the QRadar Incident Forensics host as the root user.
- Review the location of the key logs in the /opt/qradar/conf/forensics_config.xml file.
<keybag keydir="/opt/ibm/forensics/decapper/keys" keylogs="/opt/ibm/forensics/decapper/keylogs"/>
You will use the keylogs location in the next steps.
- Copy the key log files into the keylogs default directory. For example, /opt/ibm/forensics/decapper/keylogs/default.
- Restart the decapper service by typing the following command:
systemctl restart decapper
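The copy and restart steps above, written as an added shell example that is not part of the IBM documentation. It assumes the standard NSS key log line formats (RSA and CLIENT_RANDOM, the latter being what browsers write for DH sessions) and the default keylogs directory from forensics_config.xml, and it checks the file format before anything is copied, so a malformed export is caught before the decapper is restarted.

```shell
#!/bin/sh
# Added example (not IBM code): validate an SSLKEYLOGFILE export, copy it into
# the decapper keylogs directory and restart the decapper.
# Assumed NSS key log entry formats:
#   RSA <16 hex> <96 hex>             (RSA key exchange)
#   CLIENT_RANDOM <64 hex> <96 hex>   (DH/ECDH sessions)
KEYLOG_DIR=/opt/ibm/forensics/decapper/keylogs/default   # keylogs path from forensics_config.xml

# validate_keylog FILE
# Returns 0 when every non-blank, non-comment line is a recognised entry,
# 1 otherwise (the offending line number is reported on stderr).
validate_keylog() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments are permitted
        esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96}|CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96})$'; then
            printf 'line %d is not a valid SSLKEYLOGFILE entry\n' "$n" >&2
            return 1
        fi
    done < "$1"
    return 0
}

# import_keylog FILE
# Validates FILE, copies it into the keylogs directory with owner-only
# permissions (session keys are sensitive material), then restarts the decapper
# so the new keys are used for subsequent recoveries and flows.
import_keylog() {
    validate_keylog "$1" || return 1
    mkdir -p "$KEYLOG_DIR"
    cp "$1" "$KEYLOG_DIR/"
    chmod 600 "$KEYLOG_DIR/$(basename "$1")"
    systemctl restart decapper
}
```

Run as root on the Incident Forensics host, for example import_keylog /tmp/client-sslkeys.log.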
Results
From this point on, all analysis of new recoveries or flows uses the new keys to decrypt traffic.