November 18, 2020 by Gary Fisk
I love origin stories – the tales of grand plans, unforeseen circumstances, and necessity that creates something new. These strange times have resulted in something new from Corelight, and I’d like to share how it came to be.
2020 has upended virtually every aspect of our lives, and has presented many challenges and opportunities for growth and innovation. Hidden in the disruption of our lives this year is a network visibility problem. Offices, schools, theaters, and stores closed down due to COVID-19, requiring home networks to receive “battlefield promotions,” becoming mission-critical resources for work, school, and health. Home networks have become more important, but not better instrumented, better administered, or better secured. As newly minted remote workers, we started noodling on how to bring the power of Corelight’s visibility to shine a light into our home networks.
Long before the pandemic, Seth Hall (Corelight Co-founder, Chief Evangelist, and “Head of Potential Dead Ends”) had been working on a lightweight binary to run Corelight’s network security monitoring on any 64-bit Linux distribution without the complexity of open source deployments. Open source is nimble and flexible, and traditional Corelight Sensors are easy and scalable, so Seth wanted to provide the best of both worlds. Enter Corelight’s new Software Sensor – a lightweight binary designed to run in any environment and bring the visibility of Corelight to network locations previously difficult or impossible to monitor.
The Corelight Software Sensor is an enterprise product, designed to be deployed within corporate or government networks alongside our other Corelight Sensors (available in appliance, VM or cloud form factors). Since the Software Sensor is so versatile, we realized that installing it on Raspberry Pis would be an easy and cost effective way to instrument home networks so that users could get more familiar with the technology during this weird time, and a new project was born.
Corelight is excited to announce the Corelight@Home program, bringing Corelight’s enterprise-class Network Detection and Response to home networks. While it is not a commercially available or officially supported product, it has all the same capabilities you’ll find in our Corelight Sensors. It combines all the goodness of open source Zeek and Suricata plus most of the value-added features of Corelight Sensors, FREE for home use. Put it all together on cheap, dependable hardware, and you can shine a light on suddenly vital home networks.
By participating in the Corelight@Home program, you can become familiar with the power of Corelight Sensors, and while you’re at it, get a new appreciation (or trepidation) for what kind of devices are communicating over your home network, and using the power of Zeek and Suricata, figure out what they’re up to.
The Corelight@Home sensor includes software upgrades and patching, streaming log exports, high-speed file extraction, and Corelight custom content, including encrypted traffic insights and custom Zeek scripts. Do you want to know who your refrigerator or car is talking to in the middle of the night? What kind of encryption do your devices use? How many devices ARE there on my network? Who’s reaching out to whom, and what services are in use? Corelight@Home provides the data to answer these questions.
How it works
The software sensor ‘sniffs’ a monitoring interface and exports JSON formatted Zeek logs (and optionally, Suricata logs and/or extracted files) locally or to the repository of your choosing. We support streaming exports to Splunk HEC, Kafka, JSON over TCP, syslog, and Redis, as well as batch export via SFTP or local log storage, but we do not provide a data repository. The logs are standard Zeek format for ingest into most data lakes, and we partner with Humio, Splunk, Elastic, and others to facilitate integrations. Community Support is offered via a Corelight@Home Slack channel.
How to get started
As a part of this program, we’ve built a configuration script and documentation for easy deployment on Raspberry Pi. Once you have your Raspberry Pi and a way to mirror packets, you can register for the Corelight@Home program here, download the software, and run the raspi-corelight script:
Check out our recent SANS webinar for more info and examples of what others have found using the program. To be honest, we’re not sure what we’re going to find on home networks, but I hope you’ll join Corelight@Home, and that you’ll share your experiences. Sign up, install your sensor, browse your data and start down the rabbit hole of finding your first “What the heck is that??”
Tagged With: Zeek, Network Security Monitoring, Industry, SANS, Linux, open source, NDR, Announcements, Splunk, Suricata, JSON, Kafka, Raspberry Pi, TCP, Seth Hall, Elastic, Humio, Corelight@Home, home networks, Redis, syslog, covid-19