Feed Me! September 2024 Corelight Feed Update | Corelight

Written by Vince Stoffer | Sep 25, 2024 1:44:57 PM

Corelight has strengthened the Suricata integration within its Open NDR Platform, empowering customers with a custom ruleset, the Corelight Feed, designed to swiftly detect and help respond to emerging threats. With a new monthly update cycle, Corelight ensures that organizations stay ahead of the latest vulnerabilities and enhance their network security posture effortlessly.

Just over four years ago, Corelight launched our Suricata integration, bringing together two of the most powerful and widely used open-source network security tools, Zeek and Suricata, into our Open NDR Platform. Our Suricata integration goes well beyond simply running the two engines side by side. By fusing the alerts from Suricata with the contextual data from Zeek, we create a combined log that helps analysts triage and respond to alerts more quickly. This tight coupling also helps integrate with our Smart PCAP product and other features of our platform.

Of course, Suricata is an intrusion detection system, which requires loading rules to trigger alerts, so... what rules do our customers typically use, and how do they get them?

Most of our customers license Proofpoint’s Emerging Threats (ET) Pro rules feed from Corelight, as it’s one of the most widely used rulesets for Suricata, spanning more than 80,000 rules targeting attack tools, malware, phishing, and much more. ET Pro is a fantastic resource, and we’ve also dedicated resources to examining and tuning the rules specifically for our customers to get the most value from them right out of the gate. We provide a “Day 1” tuned ruleset, continuously adapted based on our own customer feedback and testing, which is an excellent starting point to balance signal and noise. We also make it extremely easy to enable and tune your complete Suricata ruleset within our Fleet Manager product.

Making ET Pro available (and providing a recommended ruleset for our customers) is only one component of Corelight’s approach to Suricata rules, though. We also offer the Corelight Feed.

What is the Corelight Feed?

Our company has developed its own proprietary ruleset, the Corelight Feed, available to all our Suricata customers. Designed by the Corelight Labs team, the Corelight Feed focuses on rapid response to emerging threats, including zero-day exploits, lateral movement and more. With nearly 350 custom rules (and we’re always adding more) that cover nine categories and 50 unique TTPs of MITRE ATT&CK, the Corelight Feed is a powerful tool that enables customers to respond swiftly and decisively to network threats.

Rules update highlights

For the Corelight Feed, we’re now going to be using a monthly release cycle (with exceptions for out-of-band rapid response content that greatly benefits from near-immediate distribution). You can now expect regular emails detailing the new rules and any significant changes to the Corelight Feed process.

As we’ve just made some big changes this month, below you’ll see the text of the update email that will be going out shortly to all of our Corelight Suricata customers.

It’s worth noting a few important things from this latest release:

  • We’re migrating the name of our lateral rules from CORELIGHT 3CORESec LATERAL -> CORELIGHT LATERAL. This reflects that we’ve taken ownership of these rules entirely within Corelight (where we previously licensed them from 3CoreSec).
    • Existing 3CORESec rules in sid range 2620186 - 2620554 have been moved to Corelight sid range 3000147 - 3000281
    • IMPORTANT NOTE: Please update any saved searches using the sid range 2620186 - 2620554, as they will be retired in 3 months
  • Lateral: Dozens of new rules for attack frameworks and LOL techniques utilizing SMB, MSSQL, and DCE/RPC
  • Exploits: New rapid response coverage for vulnerabilities in ServiceNow, Citrix, Cisco, MOVEit and more. These help cover some recent newsmaking vulnerabilities as well as some old “favorites” being reused in campaigns like Volt Typhoon
  • Malware: New or enhanced coverage for Mythic, Covenant and a bunch of (dirty) RATs
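The sid migration above means two things have to be checked on the customer side: that the loaded corelight.rules file actually contains the new CORELIGHT LATERAL sids (3000147 - 3000281), and that no saved search still keys on the retiring 3CoreSec range (2620186 - 2620554). The following Python script is an added example, not Corelight tooling, that parses a Suricata rules file and audits both. The rule lines and the saved-search string it runs on are constructed samples, not rules from the Corelight Feed.

```python
import re

# Sid ranges quoted in the September 2024 update (inclusive).
RETIRED_3CORESEC_RANGE = (2620186, 2620554)   # old CORELIGHT 3CORESec LATERAL sids, retired in 3 months
CORELIGHT_LATERAL_RANGE = (3000147, 3000281)  # new CORELIGHT LATERAL sids

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')


def in_range(sid, rng):
    lo, hi = rng
    return lo <= sid <= hi


def parse_rules(text):
    """Parse Suricata rule lines into {sid, msg, enabled} records.

    A rule commented out with a leading '#' is kept and flagged disabled,
    so the audit can tell "not loaded" apart from "not present".
    Lines without a sid option (plain comments) are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        sid_m = _SID_RE.search(body)
        if not sid_m:
            continue
        msg_m = _MSG_RE.search(body)
        rules.append({
            "sid": int(sid_m.group(1)),
            "msg": msg_m.group(1) if msg_m else "",
            "enabled": enabled,
        })
    return rules


def audit_rules(text):
    """Summarise which migrated sids are active and whether retired ones linger."""
    rules = parse_rules(text)
    return {
        "total": len(rules),
        "lateral_enabled": sorted(r["sid"] for r in rules
                                  if r["enabled"] and in_range(r["sid"], CORELIGHT_LATERAL_RANGE)),
        "lateral_disabled": sorted(r["sid"] for r in rules
                                   if not r["enabled"] and in_range(r["sid"], CORELIGHT_LATERAL_RANGE)),
        "retired_present": sorted(r["sid"] for r in rules
                                  if in_range(r["sid"], RETIRED_3CORESEC_RANGE)),
    }


def retired_sids_in_search(query):
    """Return the sids in a saved-search string that fall in the retired range.

    Both sid ranges are seven digits wide, so any standalone seven-digit
    number is treated as a candidate sid regardless of the field syntax used.
    """
    candidates = {int(m) for m in re.findall(r"\b(\d{7})\b", query)}
    return sorted(s for s in candidates if in_range(s, RETIRED_3CORESEC_RANGE))


# Constructed sample rules file; the msg strings and sids are placeholders.
SAMPLE_RULES = """
# constructed sample, not the Corelight Feed
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CORELIGHT LATERAL sample SMB rule"; flow:to_server,established; sid:3000150; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 1433 (msg:"CORELIGHT LATERAL sample MSSQL rule"; flow:to_server,established; sid:3000200; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET 135 (msg:"CORELIGHT LATERAL sample disabled rule"; flow:to_server,established; sid:3000250; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CORELIGHT 3CORESec LATERAL sample legacy rule"; flow:to_server,established; sid:2620200; rev:3;)
alert tcp $HOME_NET any -> $HOME_NET 80 (msg:"OTHER sample rule outside both ranges"; flow:to_server,established; sid:3000001; rev:1;)
"""

# Constructed saved search mixing one retired sid and one migrated sid.
SAMPLE_SEARCH = "suricata.alert.signature_id:2620200 OR suricata.alert.signature_id:3000150"

if __name__ == "__main__":
    report = audit_rules(SAMPLE_RULES)
    print("rules parsed:", report["total"])
    print("CORELIGHT LATERAL sids enabled:", report["lateral_enabled"])
    print("CORELIGHT LATERAL sids present but disabled:", report["lateral_disabled"])
    print("retired 3CoreSec sids still in file:", report["retired_present"])
    print("saved search references retired sids:", retired_sids_in_search(SAMPLE_SEARCH))
```

Point the script at the actual corelight.rules file exported from Fleet Manager and at your saved-search definitions in place of the constructed samples; a non-empty `retired_present` or `retired_sids_in_search` result is the list of items to fix before the old range is retired.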

How do I enable Corelight Feed and make sure I’m using these rules?

You can enable the Corelight Feed in the Suricata rules management section within Fleet Manager. Under the “Enable Suricata Automation” section, you’ll see “Corelight Feed” at the top. Just make sure that’s enabled and the Corelight Feed will stay updated along with the rest of your configured rulesets.

To confirm that the rules are being used, you can check the Suricata Rules editor and use the File Name search for “corelight.rules”.

Where do I find more information about Corelight’s Suricata rules and how to configure them?

Please visit this link in our Corelight Support portal, where you will find a section dedicated to explaining the rules management process, FAQs, and further details.

Rule update July 2024 notes

What’s new in this release?

Changed rules

Migration from CORELIGHT 3CORESec LATERAL -> CORELIGHT LATERAL. Existing 3CORESec rules in sid range 2620186 - 2620554 have been copied to Corelight sid range 3000147 - 3000281. Please update any saved searches using the sid range 2620186 - 2620554, as they will be retired in 3 months.

New rules

92 new rules offering coverage exclusive to this ruleset.

New LATERAL coverage

New EXPLOIT coverage

New MALWARE coverage