Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Mixed VLAN tags and BPF syntax

By Richard Bejtlich – August 26, 2020

This post contains a warning and a solution for anyone using BPF syntax when filtering traffic for network security monitoring. Read more »

Network Security Monitoring data: Types I, II, and III

By Richard Bejtlich – July 7, 2020

Some critics claim that ever growing encryption renders network security monitoring useless. This opinion is based on a dated understanding of the types and values of data collected and analyzed by computer incident response teams (CIRTs) that... Read more »

DNS over TLS and DNS over HTTPS

By Jamie Brim – June 17, 2020

In this post, we’ll explore DNS over TLS (DoT) and DNS over HTTPS (DoH). Read more »

Chocolate and peanut butter, Zeek and Suricata

By Brian Dye – June 15, 2020

Some things just go well together. A privilege of working with very sophisticated defenders in the open source community is seeing the design patterns they use to secure their organizations – both technology and workflows. One of the most common has... Read more »

The light shines even brighter: Updates to Corelight’s Encrypted Traffic Collection

By Vince Stoffer – June 15, 2020

With Corelight’s latest software release, v19, we are excited to announce the expansion of our Encrypted Traffic Collection (ETC). The ETC was introduced in late 2019, but as a reminder it’s a collection of security insights around SSL/TLS and SSH... Read more »

Detecting GnuTLS CVE-2020-13777 using Zeek

By Johanna Amann – June 10, 2020

CVE-2020-13777 is a high severity issue in GnuTLS. In a nutshell, GnuTLS versions between 3.6.4 (released 2018-09-24) and 3.6.14 (2020-06-03) have a serious bug in their session resumption code, which lets attackers either completely decrypt... Read more »

The election is six months away. Now is the time to instrument election infrastructure.

By Richard Bejtlich – May 6, 2020

Editor’s Note: Richard recently shared his thoughts on our blog which are now included in an article contributed to StateTech on why the overarching role of the network and election infrastructure is worthy of a deep assessment right now. If state... Read more »

Enabling SOHO Network Security Monitoring

By Richard Bejtlich – April 7, 2020

One of the most popular and regularly occurring questions I see in network security monitoring forums involves how to instrument a small office – home office (SOHO) environment. There are ways to accomplish this goal. For example, I instrument my... Read more »

Watch over DNS traffic with Corelight and Splunk

By Roger Cheeks – March 31, 2020

Corelight sensors put your organization in the best position to watch over DNS traffic with a rich, powerful Network Traffic Analysis (NTA) data set. This article highlights the benefits of Corelight DNS logs, and demonstrates how Splunk Enterprise... Read more »

Using Corelight and Zeek to support remote workers

By Richard Bejtlich – March 24, 2020

Due to the tragic Covid-19 pandemic, as we are all experiencing first hand, most governments and health officials are either mandating or encouraging those who can work from home to do so, as part of widespread “social distancing” measures. Remote... Read more »