There’s More to Zeek Than Great Network Data | Corelight

Written by Vince Stoffer | Sep 6, 2018 4:00:00 AM

Corelight recently released our 1.15 software update, which includes some fantastic new features, among them our first group of curated Bro Packages, which we’re calling the “Core Collection.” In this blog post, I’ll tell you a bit more about how Corelight is making it easier to detect threats on your network and providing even better data to respond to them.

Bro is much more than just a source of network data: it’s also a Turing-complete, domain-specific programming language. Expert users know that Bro scripts (now often shared as packages) are the way to tune your sensors to generate alerts, customize the data output, and take action. At Corelight we support running custom Bro Packages on our platform, and some of the technical details of how and why we did that are described in this blog post.

Even though customers can run their own Bro scripts and packages on our platform, we find that many people still want easier access to content created by Corelight and the broader Bro community. So in our 1.15 software release we chose 10 of the most popular and interesting Bro Packages (most contributed by members of the Bro community) and pre-loaded them directly onto the Corelight Sensor platform. We believe that making the results of Bro’s powerful scripting language available by default and easy to use means you’ll not only have the best data for forensics, incident response, and threat hunting, but also detections and enrichments that make your workflow easier.

Like any Bro package running on a Corelight sensor, these 10 run in a sandboxed environment to protect the underlying operating system. We’ve also ensured they don’t significantly impact the performance of the sensor, and we’ve made them as easy to enable as flipping a switch.

We divided these packages into 3 separate functional groups: detection, data enrichment, and operations. Our intent is to demonstrate how powerful Bro’s scripting capabilities can be across a variety of use cases. I’ll briefly describe which packages we included in each group and how to use them:

Detection:

bitcoin – Detects Bitcoin, Litecoin, and similar cryptocurrency mining traffic over TCP or HTTP and generates an alert. Useful for tracking down users who are exploiting internal system or network resources for profit.

ja3 – A popular package written by the security team at Salesforce, this hashes properties of the SSL/TLS client negotiation to help identify and catalog the client software being used over SSL/TLS. Once you’ve associated a ja3 hash with a piece of software (whether it’s a particular version of a web browser or a piece of malware), it’s easy to match and alert on those hashes using Bro’s intelligence framework. And because those client negotiation properties don’t change, you can use ja3 hashes to pinpoint client software regardless of the IP it’s coming from or the external server it’s reaching out to.
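To make the mechanics concrete, here is an added Python example (not Corelight’s code and not the Salesforce package itself) that builds the JA3 string from the five ClientHello properties the fingerprint covers, strips GREASE placeholder values so the fingerprint stays stable from session to session, MD5-hashes the result, and looks the hash up in an intel set. The cipher, extension and curve lists, the second “greased” hello and the intel label are constructed sample values; in a real deployment the hash would be fed to Bro’s intelligence framework instead of a Python dict.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# GREASE values (RFC 8701) are random-looking placeholders a client may insert
# into its cipher, extension and curve lists.  JA3 ignores them, otherwise the
# same browser would produce a different hash on every connection.
def is_grease(value: int) -> bool:
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values: Iterable[int]) -> str:
    """Dash-join the decimal values, dropping GREASE entries."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: List[int], extensions: List[int],
               curves: List[int], point_formats: List[int]) -> str:
    """SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats (JA3 layout)."""
    return ",".join([
        str(version),
        _join(ciphers),
        _join(extensions),
        _join(curves),
        "-".join(str(p) for p in point_formats),  # single-byte values, no GREASE
    ])


def ja3_hash(fingerprint: str) -> str:
    # JA3 is defined as the MD5 of the string above; MD5 is a fingerprint
    # here, not a security primitive.
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def fingerprint(hello: Dict[str, object]) -> Tuple[str, str]:
    """Return (ja3 string, ja3 hash) for a parsed ClientHello."""
    fp = ja3_string(**hello)  # type: ignore[arg-type]
    return fp, ja3_hash(fp)


def lookup_ja3(ja3: str, intel: Dict[str, str]) -> Optional[str]:
    """Match a hash against known-client labels; None when unknown."""
    return intel.get(ja3)


# Constructed ClientHello field lists (TLS 1.0 = 769) for a hypothetical client.
CLEAN_HELLO = {
    "version": 769,
    "ciphers": [47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4],
    "extensions": [0, 10, 11],
    "curves": [23, 24, 25],
    "point_formats": [0],
}

# The same client, but with GREASE values (0x0a0a, 0x1a1a, 0x2a2a) sprinkled in,
# as a real client might do on its next connection.
GREASED_HELLO = {
    "version": 769,
    "ciphers": [0x0A0A, 47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4],
    "extensions": [0, 0x1A1A, 10, 11],
    "curves": [23, 24, 0x2A2A, 25],
    "point_formats": [0],
}

# Constructed intel set: hash -> label, as you would load it after tying a
# hash to a known piece of software.
INTEL: Dict[str, str] = {fingerprint(CLEAN_HELLO)[1]: "constructed-example-client"}


if __name__ == "__main__":
    for name, hello in (("clean", CLEAN_HELLO), ("greased", GREASED_HELLO)):
        fp, h = fingerprint(hello)
        print(f"{name:8} {h}  {fp}  match={lookup_ja3(h, INTEL)}")
```

Note that nothing about the source IP or the server name enters the string, which is exactly why the page can say the hash pins down the client software wherever it connects from or to.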

http stalling – Detects a web client sending data very slowly to a web server (a resource exhaustion attack) and generates an alert.

long connections – Because Bro usually logs a connection only when it has completed, this package detects long connections that are still running and logs them periodically. Since malware can use persistent connections, this log is great for identifying ongoing C&C channels and, more generally, for keeping an eye on other long-running connections to establish whether they are valid or malicious.

scan detection – A great example of Bro’s ability to provide behavioral insight, this detects machines that are port scanning (both vertically and horizontally) and generates an alert. It’s very useful for finding recon and feeding into an orchestration platform for blacklisting.
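The vertical/horizontal distinction is easy to see in code. The following is an added Python example, not the scan-detection package itself, that applies the same idea to conn.log-style records: a vertical scan is one source touching many distinct ports on one host, a horizontal scan is one source touching one port across many hosts, and only failed connection attempts (Zeek conn_state S0, REJ, RSTOS0) are counted so that a busy but legitimate client does not trip the detector. The thresholds, host addresses and connection records are constructed sample values.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# conn_state values Zeek assigns to attempts that never became a real session:
# S0 = SYN seen, no reply; REJ = rejected with RST; RSTOS0 = SYN then RST from
# the originator.  Scanners produce these in bulk; normal clients rarely do.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}

# Constructed thresholds; a production policy would tune these per network.
VERTICAL_THRESHOLD = 15    # distinct ports on a single target
HORIZONTAL_THRESHOLD = 20  # distinct targets on a single port


def detect_scans(conns: Iterable[Dict[str, object]],
                 vertical_threshold: int = VERTICAL_THRESHOLD,
                 horizontal_threshold: int = HORIZONTAL_THRESHOLD) -> List[Dict[str, object]]:
    """Return one alert per (scanner, target) vertical scan or (scanner, port) horizontal scan."""
    ports_per_target: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    hosts_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)

    for c in conns:
        if c["conn_state"] not in FAILED_STATES:
            continue  # completed sessions are not scan evidence
        src, dst, port = str(c["orig_h"]), str(c["resp_h"]), int(c["resp_p"])
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    alerts: List[Dict[str, object]] = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= vertical_threshold:
            alerts.append({"type": "vertical", "scanner": src,
                           "target": dst, "count": len(ports)})
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= horizontal_threshold:
            alerts.append({"type": "horizontal", "scanner": src,
                           "port": port, "count": len(hosts)})
    return alerts


def build_sample() -> List[Dict[str, object]]:
    """Constructed conn.log-style records covering both scan shapes and benign traffic."""
    conns: List[Dict[str, object]] = []
    # Vertical: 10.0.0.5 probes ports 1-25 on 10.0.0.9 and gets no reply.
    for p in range(1, 26):
        conns.append({"orig_h": "10.0.0.5", "resp_h": "10.0.0.9",
                      "resp_p": p, "conn_state": "S0"})
    # Horizontal: 10.0.0.7 tries port 445 on thirty hosts and is rejected.
    for i in range(1, 31):
        conns.append({"orig_h": "10.0.0.7", "resp_h": f"10.0.1.{i}",
                      "resp_p": 445, "conn_state": "REJ"})
    # Benign: a workstation completing forty HTTPS sessions to forty hosts.
    # Same fan-out as a horizontal scan, but the sessions succeeded (SF).
    for i in range(1, 41):
        conns.append({"orig_h": "10.0.0.8", "resp_h": f"203.0.113.{i}",
                      "resp_p": 443, "conn_state": "SF"})
    return conns


if __name__ == "__main__":
    for alert in detect_scans(build_sample()):
        print(alert)
```

In Bro the same bookkeeping is driven by connection events and expiring tables rather than a one-shot pass over records, but the decision rule (distinct ports per host, distinct hosts per port, failed attempts only) is the part worth understanding before tuning thresholds for your network.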

Data Enrichment:

Hostname enrichment – One of the most common first steps when investigating network traffic is to map an IP address to its corresponding hostname. This Corelight-only feature tracks hostnames observed over DNS by the sensor and adds them as a new column in the conn.log. This speeds up the incident response workflow by providing those hostnames where available, and does so without tipping your hand to potential adversaries with an active DNS lookup.
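As an added illustration of the passive approach (this is example Python, not the Corelight feature’s implementation), the block below harvests IP-to-name mappings from the answers already recorded in a dns.log and uses them to add hostname columns to conn.log rows, without ever issuing a query itself. The dns.log and conn.log excerpts are constructed, reduced to the columns needed, and follow Zeek’s tab-separated layout with a `#fields` header and `-` for unset values; the column names `orig_hostname` and `resp_hostname` are this example’s own choice.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Constructed dns.log excerpt.  Zeek writes vector fields like "answers" as a
# comma-separated list; a CNAME chain puts names alongside addresses.
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tqtype_name\tanswers
1536220800.1\t10.0.0.5\tupdates.example.com\tA\tcdn.example.net,198.51.100.20
1536220801.2\t10.0.0.5\tmail.example.org\tA\t203.0.113.25
1536220802.3\t10.0.0.6\tupdates.example.com\tAAAA\t2001:db8::20
1536220803.4\t10.0.0.6\tnowhere.example.org\tA\t-
"""

# Constructed conn.log excerpt: one destination was resolved over IPv4, one over
# IPv6, and one (192.0.2.77) was never seen in any DNS answer.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1536220810.0\tCabc1\t10.0.0.5\t51000\t198.51.100.20\t443\ttcp
1536220811.0\tCabc2\t10.0.0.5\t51001\t192.0.2.77\t443\ttcp
1536220812.0\tCabc3\t10.0.0.6\t51002\t2001:db8::20\t443\ttcp
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Turn a Zeek TSV log into dicts keyed by the names in its #fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def build_hostname_map(dns_rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """IP address -> set of query names whose answers contained that address."""
    mapping: Dict[str, Set[str]] = defaultdict(set)
    for row in dns_rows:
        if row["answers"] == "-":
            continue  # unset: no answer was logged
        for answer in row["answers"].split(","):
            try:
                ipaddress.ip_address(answer)  # accepts IPv4 and IPv6 text
            except ValueError:
                continue  # CNAME target or other non-address answer
            mapping[answer].add(row["query"])
    return mapping


def enrich_conn(conn_rows: List[Dict[str, str]],
                hostname_map: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Copy each conn row, adding hostname columns for both endpoints ("-" if unknown)."""
    enriched_rows = []
    for row in conn_rows:
        enriched = dict(row)
        for side in ("orig", "resp"):
            names = hostname_map.get(row[f"id.{side}_h"])
            enriched[f"{side}_hostname"] = ",".join(sorted(names)) if names else "-"
        enriched_rows.append(enriched)
    return enriched_rows


if __name__ == "__main__":
    names = build_hostname_map(parse_zeek_tsv(DNS_LOG))
    for row in enrich_conn(parse_zeek_tsv(CONN_LOG), names):
        print(row["uid"], row["id.resp_h"], row["resp_hostname"])
```

Because the map is populated only from answers the sensor has already seen, an address that no client resolved stays `-`, which is itself a useful signal during an investigation: a connection with no preceding DNS lookup is worth a second look.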

SMTP URL extraction – For SMTP, this extracts any URLs seen in the message body. Useful for searching for phishing links and doing URL intelligence matching on live email.

http post bodies – Writes an additional field into the http.log containing the POST body data (size limited). Watch for credentials, C&C, and more in HTTP traffic.

Operations:

shunting – Corelight’s flagship platform, the AP 3000, can now shunt large or long-running connections using its integrated NIC, which allows performance to be maintained in extreme conditions while still preserving connection state information. On our other platforms, this script shows which connections would have been shunted, helping to profile traffic that meets certain conditions. A number of options are configurable in the new Web GUI to tune the thresholds for shunting.

SSL expiring certs – Highlights any internal x509 certificates which have expired or will expire within 30 days. A great way to double-check the integrity of your secure applications.

As you can see, there is a lot to explore! We’ve made it easy to enable any of these packages, and this is only the first step – we plan to offer lots more content for the Core Collection, and even other collections, in the future.