forrester wave report 2023

Close your ransomware case with Open NDR



Corelight now powers CrowdStrike solutions and services



Alerts, meet evidence.



5 Ways Corelight Data Helps Investigators Win



10 Considerations for Implementing an XDR Strategy



Don't trust. Verify with evidence



The Power of Open-Source Tools for Network Detection and Response



The Evolving Role of NDR



Detecting 5 Current APTs without heavy lifting



Network Detection and Response



Corelight Moves Toward Open NDR Platform with Powerful Suricata IDS/IPS Integration and Enhancements to Encrypted Traffic Collection

Security teams can access better network data to help detect and respond to threats more quickly using one extensible and customizable platform

San Francisco, Calif. — June 16, 2020 — Corelight, provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity, today announced its first major steps toward offering an open network detection and response (NDR) platform that will bring a proven open-source design pattern into one unified product for customers.

Corelight has integrated two powerful open-source projects, Zeek and Suricata, into a seamless solution that enables rapid pivoting from Suricata alerts into the rich network metadata extracted by Zeek. Suricata is an open-source network threat detection engine already supported by a wide variety of ruleset providers. The integration will first be available as an additional license on Corelight’s highest capacity sensor, the AP 3000.

“The power of deep integration between Zeek and Suricata is significant. Incident responders often deal with hundreds of Suricata alerts, but making sense of them quickly is challenging,” said Brian Dye, chief product officer at Corelight. “Zeek brings rich network evidence together with Suricata’s extensive rules and signature language, making it possible for security teams to rapidly test their hunting hypotheses and turn discoveries into automated threat detections.”

Corelight’s new integrated Suricata log includes the Unique ID (UID) familiar to Zeek users, which means an analyst can pivot directly from a Suricata alert directly into any of the Zeek logs to leverage powerful evidence about email, web traffic, SSL, DHCP, DNS and dozens of other data types inherent to Zeek.

“To achieve our vision of extensible data and community engagement, we rely on open-source software, with enterprise-grade features added for easy deployment, security, integration, performance and extensibility,” said Dye. “Our integration of Zeek with Suricata is the natural progression toward a truly open NDR platform for customers.

We are excited to support and participate in the vibrant Suricata community going forward, in addition to our historical community of Zeek developers and users,” added Dye.

“The Open Information Security Foundation is excited to welcome Corelight into the Consortium. Corelight and Zeek are a long time and respected members of the Suricata community, and we are thrilled to be part of this exciting new solution in the network defender’s arsenal,” said Dr. Kelley Misata, president and executive director of OISF.

Seamless integration of Suricata into the Corelight AP 3000 Sensor makes it possible for sophisticated security teams to rely on a single data source for unlocking advanced analysis capabilities in an easy to deploy form factor. Beyond the functional integration to accelerate incident response, Corelight has engineered Zeek and Suricata to use a shared CPU architecture to ensure that sensor performance scales with traffic growth.

Also included in today’s launch are enhancements to the Corelight Encrypted Traffic Collection (ETC). The Corelight ETC is designed to expand defenders’ incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk.

New insights developed by Corelight’s research team include:

  • SSH Agent Forwarding Detection: See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement where adversaries have compromised SSH credentials.
  • SSH MFA Detection: See when SSH connections use multifactor authentication (MFA), which can help analysts rule out other explanations for anomalies in SSH connections. This detection can also help teams monitor external SSH servers for MFA compliance.
  • Non-interactive SSH Detection: Reveal when SSH connections do not request an interactive terminal and instead use SSH as a port forwarding tunnel, which may indicate malicious SSH tunneling.
  • SSH Reverse Tunnel Detection: Reveal when a client connects to an SSH server and provides the server with an interactive terminal, which may indicate malicious SSH tunnelling.
  • DNS over HTTPs (DoH) Detection: Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers to provide insight into DNS traffic that would otherwise be hidden.

“Most network traffic – commonly 60-70 percent – is encrypted and decryption is often prohibited for policy or privacy reasons, yet defenders still need insight into malicious activity across their network,” said Dye. “The new capabilities in Corelight’s Encrypted Traffic Collection reveal a suite of behaviors that illuminate attackers’ footsteps across the network.”

Suricata integration in the Corelight AP 3000 Sensor as well as enhancements to the Encrypted Traffic Collection are available in the Corelight Version 19 update, available to customers today.


Corelight software version 19 is now available to customers. More information on each of today’s enhancements can be found in the product section of Corelight’s website.

The Corelight product team has issued blog posts with more details on our Suricata integration and enhancements to the Encrypted Traffic Collection.

About Corelight
Corelight delivers the most powerful network visibility solutions for information security professionals, helping them understand network traffic and defend their organizations more effectively. Corelight solutions are built on the Zeek framework (formerly known as “Bro”), the powerful and widely-used open source network analysis framework that generates actionable, real-time data for thousands of security teams worldwide. Zeek data has become the ‘gold standard’ for incident response, threat hunting, and forensics in large enterprises and government agencies worldwide. Corelight makes a family of network sensors — both physical and virtual, at every scale — that take the pain out of deploying Zeek by adding integrations and capabilities large organizations need. The Zeek project was initially developed at Lawrence Berkeley National Laboratory (LBNL), and has been supported by the US Department of Energy (DOE), the National Science Foundation (NSF), and the International Computer Science Institute (ICSI). Corelight is based in San Francisco, Calif. For more information, visit or follow @corelight_inc.

About OISF
The Open Information Security Foundation (OISF), founded in 2009, is a 501(c)3 non-profit organization created to build community and support open source security technologies like Suricata. OISF’s world-class team of cyber and information security experts, consortium members, and a vibrant and active open-source community, together, drive Suricata’s success. For more information, please visit

Recent Posts