Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

How SOCs can level up their PCAP game with Smart PCAP

By Roger Cheeks – May 3, 2023

This blog post is the first in a 2 part series on Corelight Smart PCAP. Tune in next week for part two where we’ll take a deep dive look at Corelight’s PCAP functionality and workflows that accelerate security investigations. Read more »

Detecting Windows NFS Portmap vulnerabilities

By Corelight Labs Team – April 21, 2022

This month, Microsoft announced two vulnerabilities in portmap, which is part of ONC RPC, on Windows systems. This blog will discuss Zeek detection packages for CVE-2022-24491 and CVE-2022-24497 developed by Corelight Labs. Read more »

Smart PCAP and threat detection in the cloud

By John Gamble – August 3, 2021

I am thrilled to publicly launch Corelight software version 22, which introduces a transformative new security product, Smart PCAP, and also enables threat detection in the cloud by extending Corelight’s Open NDR support for Suricata across... Read more »

Corelight Sensors detect the ChaChi RAT

By Corelight Labs Team – June 24, 2021

Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting in that it tunnels information over DNS as its preferred command and control (C2) mechanism. We downloaded two PCAPs from the malware... Read more »

Corelight Sensors detect the ChaChi RAT

By Corelight Labs Team – June 23, 2021

Recently Blackberry analyzed a new GoLang Remote Access Trojan (RAT) named “ChaChi.” This sample was interesting in that it tunnels information over DNS as its preferred command and control (C2) mechanism. We downloaded two PCAPs from the malware... Read more »

Community detection: CVE-2020-16898

By Ben Reardon – October 14, 2020

This month’s Microsoft Patch Tuesday included a severe Remote Code Execution vulnerability in the way that Windows TCP/IP handles IPv6 “Router Advertisement” ICMP messages. Due to the severity and wide scope, we in Corelight Labs immediately set... Read more »

Community ID support for Wireshark

By Christian Kreibich – October 6, 2020

The past few weeks have seen several developments around Community ID, our open standard for rendering network traffic flow tuples into a concise textual representation. I’d like to summarize them in this blog post. Read more »

Meet the Corelight CTF tournament winners

By John Gamble – September 14, 2020

This summer, Corelight hosted a virtual CTF tournament where hundreds of players raced to solve security challenges using Zeek data in Splunk and Elastic. After the preliminary rounds, we invited the top performers back for a champions round and... Read more »

Together is faster: Zeek for vulnerabilities

By Gregory Bell – August 17, 2020

“There is an open approach that is currently rippling across the infosec industry that could give defenders the acceleration they need.” – John Lambert (Distinguished Engineer, Microsoft) Read more »

Chocolate and peanut butter, Zeek and Suricata

By Brian Dye – June 15, 2020

Some things just go well together. A privilege of working with very sophisticated defenders in the open source community is seeing the design patterns they use to secure their organizations – both technology and workflows. One of the most common has... Read more »