Detecting OpenBSD CVE-2019-19521 SSH Exploit Attempts

By Anthony Kasza, Ben Reardon, Corelight Security Researchers

On December 4, Qualys released a security advisory for an authentication bypass vulnerability in OpenBSD, CVE-2019-19521. The vulnerability affects multiple services in OpenBSD including smtpd, sshd, ldapd, and radiusd. This immediately caught our attention as our recent v18 release included a package, part of our Encrypted Traffic […]

Light in the Darkness: New Corelight Encrypted Traffic Collection

By Vince Stoffer, Senior Director, Product Management, Corelight

This week's launch of version 18 of our software features the Encrypted Traffic Collection, our first collection of a series of detections and data enrichments created by the Corelight research team. This collection focuses on SSH, SSL/TLS certificates, and insights into encrypted network sessions.

SSH Inferences

The […]

Introducing the Corelight SSH Inference Package

By Anthony Kasza, Security Researcher, Corelight Labs

Corelight has recently released a new package, focusing on SSH inferences, as part of our Encrypted Traffic Collection. The package installs on sensors with a few clicks and provides network traffic analysis (NTA) inferences on live SSH traffic. Which SSH connections transferred files? Which SSH connections transferred keystrokes? […]

How Zeek can provide insights despite encrypted communications

By Anthony Kasza, Security Researcher, Corelight Labs

Overview

Encrypted communications are ubiquitous. While encryption provides confidentiality, it cannot prevent all means of traffic analysis. Certain protocols, such as SSH and TLS, ensure contents are not directly readable by monitoring systems. However, analysis of the size and order of transmitted data can provide grounds for inference. This […]