Expanded Suricata Detections With Dtection.io | Corelight

Written by Alex Kirk | Nov 4, 2021 3:00:00 PM

One of the most common questions that Corelight customers and prospects who are using our Suricata integration ask is “what signatures should I run?” While our answer has always started with the industry-standard Emerging Threats Pro feed, we recognize that other feeds - like the ones from CrowdStrike or private industry groups - often make excellent additions to the ET Pro set. Today we’re pleased to announce we are providing our customers with a new core recommendation: Dtection.io.

The new signatures come in two groups. The first group is designed to look for lateral movement within your network, both via generic techniques and more specific detection of well-known tools in the space; all the signatures in this group are aligned with MITRE ATT&CK in the alert metadata.

The second group is focused on connections to sinkhole IP addresses - and while it’s available in Suricata format, we’ve also worked with the Dtection.io crew to have it distributed in Zeek Intel format, which will perform substantially better than the Suricata signatures.
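As an added example (not code from Corelight, 3CORESec or the Dtection.io project), the following Python shows how a sinkhole list distributed in Zeek Intel Framework format is consumed: it parses a constructed intel file and a constructed `conn.log` excerpt and reports which connections touched a listed sinkhole address. The column names (`indicator`, `indicator_type`, `meta.source`, `meta.desc`, `meta.do_notice`) and the `Intel::ADDR` / `Intel::SUBNET` types are the standard Intel Framework ones; the feed name, descriptions and IP addresses are constructed placeholders drawn from the RFC 5737 documentation ranges.

```python
"""Match Zeek conn.log connections against a Zeek Intel Framework file.

Added example; assumes only that the intel file and conn.log use Zeek's
tab-separated layout with a '#fields' header line.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sinkhole feed in Zeek Intel Framework format (placeholder values).
INTEL_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n"
    "198.51.100.10\tIntel::ADDR\tsinkhole-feed-example\tconstructed sinkhole A\tT\n"
    "203.0.113.7\tIntel::ADDR\tsinkhole-feed-example\tconstructed sinkhole B\tT\n"
    "203.0.113.0/24\tIntel::SUBNET\tsinkhole-feed-example\tconstructed sinkhole range\tT\n"
    "sinkhole.example\tIntel::DOMAIN\tsinkhole-feed-example\tconstructed sinkhole domain\tF\n"
)

# Constructed conn.log excerpt, reduced to the columns this example needs.
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1636041600.000000\tCabc1\t10.0.0.5\t51000\t198.51.100.10\t443\ttcp\n"
    "1636041601.000000\tCabc2\t10.0.0.6\t51001\t93.184.216.34\t443\ttcp\n"
    "1636041602.000000\tCabc3\t10.0.0.7\t51002\t203.0.113.7\t80\ttcp\n"
    "1636041603.000000\tCabc4\t10.0.0.8\t51003\t10.0.0.1\t53\tudp\n"
    "1636041604.000000\tCabc5\t10.0.0.9\t51004\t203.0.113.99\t443\ttcp\n"
    "#close\t2021-11-04-15-00-00\n"
)


@dataclass(frozen=True)
class Indicator:
    indicator: str
    source: str
    desc: str
    do_notice: bool


def parse_zeek_tsv(text: str) -> list[dict[str, str]]:
    """Parse a minimal Zeek TSV (intel file or log).

    '#fields' names the columns, every other '#' line (separator, close, ...)
    is ignored, and remaining lines are tab-separated data rows.
    """
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appears before a #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def load_intel(text: str):
    """Index address-type indicators: exact addresses in a dict, subnets in a list."""
    addrs: dict[ipaddress._BaseAddress, Indicator] = {}
    nets: list[tuple[ipaddress._BaseNetwork, Indicator]] = []
    for row in parse_zeek_tsv(text):
        ind = Indicator(
            row["indicator"],
            row["meta.source"],
            row.get("meta.desc", ""),
            row.get("meta.do_notice", "F") == "T",
        )
        kind = row["indicator_type"]
        if kind == "Intel::ADDR":
            addrs[ipaddress.ip_address(ind.indicator)] = ind
        elif kind == "Intel::SUBNET":
            nets.append((ipaddress.ip_network(ind.indicator, strict=False), ind))
        # DOMAIN, URL and other types are not matched against conn.log addresses here.
    return addrs, nets


def lookup(addr_str: str, addrs, nets) -> Indicator | None:
    """Exact-address hit first (O(1)), then the subnet list."""
    addr = ipaddress.ip_address(addr_str)
    hit = addrs.get(addr)
    if hit is not None:
        return hit
    for net, ind in nets:
        if addr in net:
            return ind
    return None


def match_conn_log(conn_text: str, intel_text: str) -> list[dict]:
    """Return one record per connection endpoint that appears in the intel set."""
    addrs, nets = load_intel(intel_text)
    matches = []
    for row in parse_zeek_tsv(conn_text):
        for side in ("id.orig_h", "id.resp_h"):
            ind = lookup(row[side], addrs, nets)
            if ind is not None:
                matches.append({
                    "uid": row["uid"], "host": row[side], "where": side,
                    "source": ind.source, "desc": ind.desc, "notice": ind.do_notice,
                })
    return matches


if __name__ == "__main__":
    for m in match_conn_log(CONN_LOG, INTEL_FILE):
        print(m)
```

Each connection costs one hash lookup per endpoint (plus a short subnet scan), done once against the connection record rather than against every packet, which is the practical reason an address list performs better as Zeek intel than as an equivalent set of Suricata signatures.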

These new rules are available for Corelight customers at no charge through our strong working relationship with 3CORESec, creators of the Dtection.io project. We share their philosophy of focusing on detections that have high signal-to-noise ratios, and are excited to bring their quality content to our platform.

Corelight customers looking to take advantage of these new, free detections should reach out to their local Corelight sales team to enable access. If there are other feeds that you feel we should be incorporating, please let us know.

By Alex Kirk, Corelight Global Principal for Suricata