Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

DNS over TLS and DNS over HTTPS

By Jamie Brim – June 17, 2020

In this post, we’ll explore DNS over TLS (DoT) and DNS over HTTPS (DoH). Read more »

Detecting GnuTLS CVE-2020-13777 using Zeek

By Johanna Amann – June 10, 2020

CVE-2020-13777 is a high severity issue in GnuTLS. In a nutshell, GnuTLS versions between 3.6.4 (released 2018-09-24) and 3.6.14 (2020-06-03) have a serious bug in their session resumption code, which lets attackers either completely decrypt... Read more »

Investigating the effects of TLS 1.3 on Corelight logs, part 3

By Richard Bejtlich – June 6, 2019

Introduction Welcome to part 3 of my three-part series on TLS. In the previous two articles I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. I then performed the same transaction using TLS 1.2, and... Read more »

Investigating the effects of TLS 1.3 on Corelight logs, part 2

By Richard Bejtlich – June 2, 2019

Introduction Welcome to part 2 of my three-part series on TLS. In the previous article I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. In this article I will perform the same transaction using TLS... Read more »

Investigating the effects of TLS 1.3 on Corelight logs, part 1

By Richard Bejtlich – May 28, 2019

Introduction I’ve written previously about Corelight data and encryption. I wanted to know how TLS 1.3 would appear in Corelight data, and compare the same network conversation over clear-text HTTP, TLS 1.2, and TLS 1.3. In this first of three... Read more »