Network data for humans.

You don't need more alerts, most of them crying wolf and wasting your time. And you don’t need packet upon packet dumped on you indiscriminately. What you need is a unifying foundation that gives you the right amount of data at the right time, organized into highly actionable logs. We needed it too. That’s why we founded Corelight.


Highlighted features from recent Corelight software releases.

The Core Collection: curated Bro packages for out-of-the-box insight.

All Corelight Sensors now come preloaded with the Core Collection, a set of Bro packages curated and certified by Corelight for performance and stability that provide threat detection, data enrichment, and operational insight.

Detection packages

  • Cryptomining detection: Generates a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.
  • SSL fingerprinting: Creates a hash of every SSL/TLS client negotiation, which can be used for hunting or matched against threat intelligence feeds.
  • HTTP stalling detection: Detects when a web client executes a resource exhaustion attack on a web server.
  • Long connections detection: Generates a notice when long-running connections occur, providing early visibility into a possible attack in progress.
  • Port scanning detection: Identifies port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols.

Data enrichment packages

  • URL extraction in SMTP: Automatically extracts URLs found in email bodies and appends them to Bro's smtp.log.
  • POST data capture in HTTP: Extracts POST data sent by a client to a server, and appends it to Bro's http.log.
  • DNS hostname annotation: Derives hostnames from DNS traffic and automatically appends them to Bro's conn.log.

Operational packages

  • SSL certificate monitoring: Provides visibility into local X.509 certificates seen over SSL/TLS that have expired or will expire soon.
  • Traffic shunting: Enables the conservation of sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.

Support for the Bro Intelligence Framework.

Expand the power of Corelight Sensors:

  • Match known indicators of compromise to your network traffic
  • Easy integration with intel feeds like Anomali and ThreatConnect
  • Flag IPs, URLs, emails, hashes and more

Bro, with a snappy UI.

15-minute Bro deployment with a modern web app, so you don't need knowledge of command-line configuration.

  • At-a-glance status of your Corelight Sensor inputs and exporters
  • Dashboard with status and key metrics like interfaces, log rates and ports
  • Monitor key sensor health metrics like memory and CPU usage and system temperature
  • LDAP integration

Handle large "elephant flows" like massive datasets transferred over science DMZs with flow shunting.

The Sensor removes elephant flows from its processing jobs, extracting only the key information, which allows you to save on data processing costs and scale your Sensor beyond 25 Gbps.

Flow shunting (AP 3000 only)

  • Implementation via custom Bro scripts
  • Runs in the Corelight NIC for high performance
  • Implementation assistance available from Corelight

Deploying a Bro network monitoring sensor has never been faster or easier.

Click to configure

  • Data input options: Where is the data coming from?
  • Export targets: Where do you want the Bro logs to go? (like Kafka, Amazon S3, Splunk, JSON, Syslog and which logs to include / exclude)
  • Log forking & filtering: Send full logs to storage and send a separate, filtered stream to the SIEM to save on processing costs.
  • Bro packages: Which Corelight or custom Bro packages do you want to run?
  • File extraction export: Set parameters and file destinations.

Corelight Sensors make running and managing Bro simple and smooth.

Set up performance reporting options for your Corelight Sensor.
Update and maintain your Corelight Sensors from the GUI.

  • Automatic software updates: Phone home capability to ensure your Sensor is always up to date. Comprehensive API.
  • Optimized file extraction: Control which files are automatically extracted from network traffic and saved for later forensic analysis.
  • Custom scripts: Corelight Sensors support custom scripts. Add capabilities from existing scripts in GitHub or write your own to meet the needs of your organization.