• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Logo
  • About
  • Bulletins
  • Corelight.com
  • Contact us

Bright Ideas Blog

Bright Ideas Blog

Bright Ideas Blog

Home ›› Announcements ›› Small, fast and easy. Pick any three.

Small, fast and easy. Pick any three.

November 18, 2020 by Seth Hall

By Seth Hall, Co-Founder & Chief Evangelist, Corelight

Zeek has been the darling of security defenders looking to get deep visibility into network traffic. Over the last two decades, Zeek has become a household name – widely used by enterprise organizations, educational institutions and government agencies around the world. In the last few years, community contributions and other indicators of a healthy open source project have surged, culminating in participation in virtual ZeekWeek 2020 topping out  at over 1,200 registrations.

At Corelight, we are dedicated to making it easy for organizations to get Zeek up and running with enterprise class sensors. Our customers have frequently asked: “is there a way to get Corelight’s visibility in hundreds or thousands of locations without a hardware sensor?” Although Corelight offers hardware appliances, VM sensors and cloud sensors, many customers need something different. Often, these customers are deploying at scale in large distributed environments, or upgrading the visibility stack on an existing infrastructure, or looking to monitor a remote office without installing yet another appliance. Most importantly, these customers are looking for an ‘easy button’ to deploy a network sensor on any platform without constant tweaking.

While making things easy is incredibly difficult, we believe we have finally cracked the code. Today we are excited to announce the Software Sensor.

Platform agnostic: The Software Sensor is a standalone binary package statically linked to include all required dependencies. The binary can run natively on any X86_64 or Aarch64 Linux OS, packaged into a container, or in a VM. It uses AF_Packet to capture packets from the NIC – just configure which interface to monitor and how many cores to use, no additional tweaking needed.

Small, but powerful: The Software Sensor clocks in at a lightweight 65MB while packing a serious punch with Zeek, Suricata, and a suite of open source and Corelight packages. It is designed to run on any platform while consuming minimal overhead. It can seamlessly scale from a small Raspberry Pi to a 128-core CPU – to consume the available resources.

Fast & Easy: Get the Software Sensor configured and running within a matter of minutes. Configuration is done via a flat file with keys and values – designed to be human readable, or expressed by automation tools. The sensor supports real time log streaming (to Splunk HEC, Kafka, JSON over TCP & syslog) and high performance file extraction. Logs and files may be batched to disk or exported via sftp.

Suricata Integration: Currently available as an experimental feature, you can now deploy two powerful open source projects, Zeek + Suricata in a single sensor with the Suricata logs integrated with Zeek (with the real connection uid!) and exported along with all the other Zeek logs. We hear it’s as delicious as chocolate and peanut butter.


Corelight Content
: The Software Sensor also comes with a built-in suite of Corelight Collections and community packages. The Encrypted Traffic Collection includes security insights into SSL/TLS certificates and SSH traffic composed primarily of proprietary detections developed by the Corelight research team. Additionally, it also includes a curated list of the ‘best hits’ community packages. These packages can be enabled and disabled via config, as well as additional community or custom scripts may be loaded directly from the disk via /etc/corelight/local.zeek.

If you have access to tapped traffic in your environment and would like to take the Software Sensor for a spin, please reach out to us for a no strings attached evaluation – https://www3.corelight.com/evaluation-form.

Filed Under: Announcements, Product, Zeek Tagged With: Aarch64, Corelight, encrypted traffic collection, encryption, JSON, Kafka, Linux, Raspberry Pi, software, Splunk, SSL, Suricata, TCP, TLS, VM, Zeek, ZeekWeek

Contact

  • Contact Us
  • Find a Reseller
  • Headquarters+1(510) 281-0760
  • Sales+1(888) 547-9497

Primary Sidebar

Search

Recent Posts

  • Extending NDR visibility in AWS IaaS
  • Maximize your Splunk ES investment with Corelight
  • Exchange exploitation and architecting for visibility
  • Translating query into action
  • Getting the most out of your NIDS

Categories

Archives

Tags

Bro conn.log Corelight Corelight Sensor cybersecurity DNS Elastic encrypted traffic encryption files.log GitHub HTTP HTTPS IDS incident response ja3 ja3s JSON logs MITRE ATT&CK NDR network security Network Security Monitoring network traffic analysis network visibility NSM NTA open source open source community PCAP Richard Bejtlich SANS SIEM Sigma SOC Splunk SSH SSL ssl.log Suricata TCP TLS TLS 1.3 Vern Paxson Zeek

Footer

Use Cases

  • Our Use Cases
  • MITRE ATT&CK
  • Government
  • Enterprise
  • Higher Education
  • Why Corelight

Products

  • Zeek
  • Suricata
  • Collections
  • Appliance Sensors
  • Cloud Sensors
  • Software Sensor
  • Virtual Sensors
  • Fleet Manager
  • Compare to open Source Zeek

Company

  • About Corelight
  • Awards
  • Careers
  • Events
  • News Coverage
  • Media Kit

Resources

  • Support Overview
  • Open A Support Ticket
  • Product Training
  • Case Studies
  • Video
  • Github
  • Scripts + Packages
  • Zeek Community

Follow us

  • facebook
  • twitter
  • linkedin
  • github
  • reddit
  • youtube

Copyright © 2021 · Corelight, Inc. · All rights reserved. · Privacy Policy · Terms of Use