Corelight Blog

We make the world's networks safer.

What’s the riskiest part of your Bro deployment? It may be you. — August 16, 2017

What’s the riskiest part of your Bro deployment? It may be you.

By Seth Hall, Co-founder & Chief Evangelist at Corelight

Don’t overlook the obvious: the answer may be you 😉

Let me explain, because I’ve watched the following story unfold many times.  A curious person gets super excited about Bro, deploys it widely in their organization, and makes a big impact on the local SOC.  Everyone on that team becomes more effective, because Bro data helps them understand and respond to security incidents so much faster. Over time, this Bro advocate becomes the local Bro expert – responsible for configuration, tuning, documentation, patching, integration, etc.  It’s a full-time job.  And that’s OK, until the local Bro expert is hired away for the experience he or she just acquired!  

It happens. Just think of all the skills that person gained along the way: about Bro itself, specialized network cards, BIOS/UEFI firmware options, network stack tuning, file systems, memory allocators, etc.  This means your ‘local Bro expert’ is an asset but also a risk.  Because so many companies are looking for Bro experts now, it cuts both ways.  I’ve seen wonderful Bro deployments fall into disrepair when a key person leaves.

In fact, it was watching that pattern unfold several times that led us to develop the enterprise ready, turn-key Corelight Sensor about 18 months ago because we had identified that just creating Bro wasn’t quite enough.  We sweated many, many details so that customers could confidently deploy Bro in less than 30 minutes, focusing effort on incident response, forensics, and threat hunting.

As a very small example of the tiny details we take care of for you on the Corelight Sensor and because I’d like to provide some useful tidbit for people running Bro on their own, I’d like to finish the post with a note about using tcmalloc.  Tcmalloc is an alternative memory allocator that was originally created by Google as part of their Google Perftools package for memory debugging.  The package has since been renamed to gperftools (found here: and is no longer officially maintained by Google. It’s intended to perform especially well in multithreaded applications and it has a number of other tweaks that make it an appealing choice as a memory allocator.   A number of years ago we discovered that Bro performs noticeably better when tcmalloc is the memory allocator.  This led to a change in the build system to use tcmalloc by default on Linux if it is discovered.  Bro has been doing this for a long time but we’ve never publicly told everyone that they should be using it.

You should use whatever package system your OS uses to install gperftools and tcmalloc.  On CentOS, it’s named “gperftools” and on Ubuntu it’s named “google-perftools”.  After you install the package, you will want to reconfigure Bro with whatever configure arguments you used previously.  If tcmalloc was found, you will see the following toward the end of the configure output:


If it show that gperftools is found and tcmalloc is found then you’re all set to build and reinstall.  If you’ve had trouble getting rid of the last few percentage points of packet loss in your own Bro deployment, this easy change could possibly get rid of it right away!  As you remove more and more of these small problems and Bro’s output becomes better, all of your downstream analysis is improved.  Better data in equals better data out.

On the Corelight Sensor we are already using tcmalloc along with many other specialized configurations and an accelerated FPGA network card.  This is all maintained and updated with zero effort from you so that you can focus on data and discovering intrusions.

And that’s just one example of how you’re covered if your Bro expert disappears one day.

Corelight Accelerated by Venture Funding — July 18, 2017

Corelight Accelerated by Venture Funding

By Greg Bell, Corelight CEO

Welcome to the Corelight blog!

I’m kicking off this series with an update about the company, but future posts will be a lot more technical.  You can expect information and musings from Vern Paxson, Robin Sommer, Seth Hall, Johanna Amann, Christian Kreibich, Vince Stoffer, and others on our team.

Many of you know this – but for those who don’t, Corelight was founded by the creators of open-source Bro and leaders in the open-source community.  We have two goals: 1) to build incredibly effective security solutions on a foundation of Bro, and 2) to channel money and human cycles into the open-source project, helping it grow and thrive.  

To date we’ve been bootstrapping the company.  Even though bootstrapping taught us a lot about focus, it hasn’t helped support the Bro community as much as we’d hoped. Yes, Corelight made a significant donation to the Bro Foundation last year – and we were very happy to do it. But Robin and Seth’s cycles (and Johanna’s too) have been redirected more than we’d like by the process of getting this company off the ground.  

Late last year we decided to look for venture funding, and we have just announced a $9.2M round of investment. Our primary investor is Accel Partners, which has expertise in the art of nurturing and sustaining ‘open’ business models. Accel has invested in Facebook, Docker, Slack, Cloudera, and many other great companies – both open-source and proprietary. Our new board member Eric Wolford brings operational experience, deep roots in product management, and wisdom.  

I’m delighted to announce that Steve McCanne has become an investor in Corelight as well, and an independent board member.  Steve was founding CTO of Riverbed Technology and CTO of Inktomi.  And here’s a coincidence: Steve was creating ‘libpcap’ in the mid-1990s at Lawrence Berkeley National Laboratory while sharing an office with fellow grad student Vern Paxson, who was creating Bro at the same time. So our Series A funding reunites two networking legends, who are working on the same team again.

Since closing the funding round, we’ve relocated to San Francisco and gotten busy hiring – attracting senior leaders who will help us serve our customers better. A good example is our advisor and acting CMO Alan Saldich, previously VP Marketing for Cloudera, and a person who truly understands the dynamics of open-source companies. We’re also busy adding new capabilities to our flagship Corelight Sensor, a turn-key appliance with features and integrations large enterprises need.  We’ll have more to say about our product vision in future posts.    

OK, that’s it for the company update!

In the future, this blog will shine a spotlight on Bro. Whether it’s used to validate or disprove alerts from other tools, piece together complex security incidents, or support threat hunting teams, Bro’s powerful and actionable data is at the center of the world’s most capable security operations.