Encrypted traffic insights, no break and inspect required.

The Corelight Encrypted Traffic Collection offers actionable security insights without decryption. You can fingerprint SSL connections, track soon-to-expire certificates, discover file transfers over SSH, and more.

Encrypted Traffic Collection

SSL fingerprinting (JA3)
Create a hash of every SSL/TLS client and server negotiation for use in threat hunting or intel feed matching.
SSH fingerprinting (HASSH)
Create a hash of every SSH client and server negotiation for use in threat hunting or intel feed matching.
SSL certificate monitoring
Track expired and soon-to-expire certs, newly issued certs, self-signed certs, invalid certs, chain-validation errors, old versions, weak ciphers, weak key lengths, and bad versions (e.g. TLS 1.0).
SSH client bruteforce detection
Reveal when a client makes excessive authentication attempts.
SSH authentication bypass detection
Reveal when a client and server switch to a non-SSH protocol.
SSH client keystroke detection
Reveal an interactive session where a client sends user-driven keystrokes to the server.
SSH client file activity detection
Reveal a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa.
SSH scan detection
Infer scanning activity based on how often a single service is scanned.
Custom encryption detection
Detect connections that are already encrypted without an observed handshake, which can indicate custom or pre-negotiated encryption.
Expected encryption detection
Identify unencrypted connections running on ports where encryption is expected.
SSH agent forwarding detection
See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement where adversaries have compromised SSH credentials.
SSH MFA detection
See when SSH connections use multifactor authentication (MFA), which helps analysts rule out other explanations for observed timing discrepancies in SSH connections. This detection can also help teams monitor external SSH servers for MFA compliance.
Non-interactive SSH detection
Reveal when SSH connections do not request an interactive terminal and instead use SSH as a port forwarding tunnel, which may indicate malicious SSH tunneling.
SSH reverse tunnel detection
Reveal when a client connects to an SSH server and provides the server with an interactive terminal, establishing a reverse SSH tunnel that may indicate malicious SSH tunneling.
DNS over HTTPS (DoH) detection
Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers, giving insight into DNS traffic that would otherwise be hidden.

Core Collection

Detection packages

Lateral movement detection (MITRE BZAR)
Detect lateral movement techniques in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy, and optionally extract detection-related files to enable investigations of suspicious traffic.
Cryptomining detection
Generate a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.
HTTP stalling detection
Detect when a web client executes a resource exhaustion attack on a web server.
Long connections detection
Generate a notice when long-running connections occur, providing early visibility into a possible attack in progress.
Port scanning detection
Identify port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols.

Data enrichment packages

Community ID
Hash the 5-tuple and append it to Zeek's conn.log so analysts can quickly pivot on a connection between Corelight and tools such as Suricata, Elastic, Moloch and more.
URL extraction in SMTP
Automatically extract URLs found in email bodies and append them to Zeek's smtp.log.
POST data capture in HTTP
Extract POST data sent by a client to a server and append it to Zeek's http.log.
DNS hostname annotation
Derive hostnames from DNS traffic and automatically append them to Zeek's conn.log.
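The Community ID enrichment described above hashes the connection 5-tuple so that every tool logging the same flow produces the same identifier. As an added illustration (this is not Corelight's sensor code or the spec's reference implementation), the block below computes a version 1 Community ID (seeded SHA-1 over the canonically ordered 5-tuple, base64-encoded with a `1:` prefix) for TCP/UDP/SCTP and shows the cross-tool pivot on constructed Zeek-style and Suricata-style records; the record field names, addresses and ports are assumptions, and the spec's ICMP type/code mapping is omitted.

```python
# Community ID v1 flow hash, reimplemented for illustration (not Corelight's
# or the community-id-spec project's own code). TCP/UDP/SCTP only; the ICMP
# type/code-to-port mapping defined in the spec is left out for brevity.
import base64
import hashlib
import ipaddress
import struct

PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}  # port-carrying protocols only


def community_id(proto, saddr, sport, daddr, dport, seed=0):
    """Return the '1:<base64>' Community ID for a flow.

    Both directions of a connection hash to the same value because the
    endpoint pair is put into a canonical order before hashing."""
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    proto_num = PROTO_NUM[proto.lower()]
    # Canonical ordering: the lower address (then lower port) goes first, so
    # client->server and server->client records yield one identifier.
    if (sa, sport) > (da, dport):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed)             # 2-byte seed, network byte order
    data += sa + da                            # packed addresses (4 or 16 bytes each)
    data += struct.pack("BB", proto_num, 0)    # protocol number + one zero pad byte
    data += struct.pack("!HH", sport, dport)   # ports, network byte order
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed sample records: a Zeek-style conn entry logged client->server and
# a Suricata-style alert logged from the server->client direction.
ZEEK_CONN = {"id.orig_h": "10.1.2.3", "id.orig_p": 52114,
             "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}
SURICATA_ALERT = {"src_ip": "93.184.216.34", "src_port": 443,
                  "dest_ip": "10.1.2.3", "dest_port": 52114, "proto": "TCP"}


def same_flow(zeek_rec, suricata_rec, seed=0):
    """Pivot check: do the two records describe the same connection?"""
    a = community_id(zeek_rec["proto"], zeek_rec["id.orig_h"], zeek_rec["id.orig_p"],
                     zeek_rec["id.resp_h"], zeek_rec["id.resp_p"], seed)
    b = community_id(suricata_rec["proto"], suricata_rec["src_ip"], suricata_rec["src_port"],
                     suricata_rec["dest_ip"], suricata_rec["dest_port"], seed)
    return a == b


if __name__ == "__main__":
    print(community_id("tcp", "10.1.2.3", 52114, "93.184.216.34", 443))
    print("same flow:", same_flow(ZEEK_CONN, SURICATA_ALERT))
```

All tools must share the same seed (the spec's default is 0) or their identifiers will not line up.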

Operational packages

Data reduction
A set of configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%.
Traffic shunting
Conserve sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.
Windows version identification
Identify Windows OS hosts using HTTP connection headers and append them to the software.log.

Customize sensors to your environment

Support for the Zeek Intelligence and Input Frameworks:

  • Match known indicators of compromise to your network traffic; flag IPs, URLs, emails, hashes and more
  • Easy integration with intel feeds like Anomali and ThreatConnect
  • Append internal server names, owners and contact info to the conn.log to accelerate remediation
  • Add external or internal domain whitelists and blacklists
  • Update referenced data quickly, no restarts required

Manage your fleet simply and swiftly

Deploy Zeek in 15 minutes with a modern web app:

  • Manage and configure multi-sensor deployments with Corelight Fleet Manager
  • Define role-based access controls for management
  • At-a-glance status of your Corelight Sensor inputs and exporters
  • Dashboard with status and key metrics like interfaces, log rates, and ports
  • Monitor key sensor health metrics like memory and CPU usage and system temperature
  • LDAP integration
  • Demonstrate compliance using audit logs

Transferring massive datasets? Handle "elephant flows" with shunting.

The Sensor removes elephant flows from its processing jobs, extracting only the key information, which allows you to save on data processing costs and scale your Sensor beyond 25 Gbps.

Flow shunting (AP 3000 only)

  • Implementation via custom Zeek scripts / packages
  • Runs in the Corelight NIC for high performance
  • Implementation assistance available from Corelight

Deploy Zeek in minutes, not months

Configure traffic inputs
Ingest traffic from taps, span ports, or packet brokers.
Define export targets
Export Zeek logs to Splunk, Elastic, Amazon S3, Syslog, SFTP and more.
Log forking & filtering
Send full logs to storage while sending log-filtered streams to your SIEM to optimize performance and data-processing costs.
Deploy Zeek packages
Enable Core Collection packages or run your own Zeek packages.
Enable file extraction
Set file extraction parameters and export destinations.

Run and manage Zeek simply and smoothly

Sensors connect to the Corelight Cloud Service so that their health and performance are monitored continuously.
Set up performance reporting options for your Corelight Sensor.
Update and maintain your Corelight Sensors from the GUI. Manage a single sensor or a fleet of sensors, with role-based access controls and custom sensor grouping and configuration templates.
Automatic software updates
Phone-home capability ensures your Sensor is always up to date. Comprehensive API.
Optimized file extraction
Control which files are automatically extracted from network traffic and saved for later forensic analysis.
Custom scripts / packages
Corelight Sensors support custom packages. Add capabilities from existing packages in GitHub or write your own to meet the needs of your organization.