Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

How do you know?

By Charles Strauss – May 17, 2021

Can you be sure attackers aren’t hiding in your encrypted traffic? Can your investigators go back 18 months ago to find what they need? Do your DNS queries all have responses, and are they what you expected? Do your alerts mean something, or nothing? Read more »

CrowdStrike + Corelight partner to reach new heights

By Lana Knop – April 21, 2021

Through our newly announced partnership with CrowdStrike, Corelight customers will be able to incorporate CrowdStrike’s best-in-class threat intelligence into Corelight Sensors to generate actionable alerts and network evidence. In addition, by... Read more »

Community ID support for Wireshark

By Christian Kreibich – October 6, 2020

The past few weeks have seen several developments around Community ID, our open standard for rendering network traffic flow tuples into a concise textual representation. I’d like to summarize them in this blog post. Read more »

Mixed VLAN tags and BPF syntax

By Richard Bejtlich – August 26, 2020

This post contains a warning and a solution for anyone using BPF syntax when filtering traffic for network security monitoring. Read more »

Zeek & Sigma: Fully compatible for cross-SIEM detections

By Alex Kirk – June 24, 2020

Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma, the only generic signature language that enables cross-SIEM detections from a single toolset.... Read more »

Chocolate and peanut butter, Zeek and Suricata

By Brian Dye – June 15, 2020

Some things just go well together. A privilege of working with very sophisticated defenders in the open source community is seeing the design patterns they use to secure their organizations – both technology and workflows. One of the most common has... Read more »

Detecting GnuTLS CVE-2020-13777 using Zeek

By Johanna Amann – June 10, 2020

CVE-2020-13777 is a high severity issue in GnuTLS. In a nutshell, GnuTLS versions between 3.6.4 (released 2018-09-24) and 3.6.14 (2020-06-03) have a serious bug in their session resumption code, which lets attackers either completely decrypt... Read more »

Detecting the new CallStranger UPnP vulnerability with Zeek

By Ryan Victory – June 9, 2020

On June 8, Yunus Çadırcı, a cybersecurity senior manager at EY Turkey released a whitepaper and proof of concept code repository for a newly discovered vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is widely used in intranets to... Read more »

The high ground

By Charles Strauss – February 23, 2020

Introducing Corelight’s new story + the value of NTA Read more »

Corelight ECS mapping: Unified Zeek data for more efficient analytics

By Ed Smith – January 27, 2020

In addition to other great news we’ve recently shared, I’m pleased to announce that Corelight sensors now support the Elastic Common Schema (ECS) via our Corelight ECS Mapping. Read more »