Profiling Whonix

By Richard Bejtlich, Principal Security Strategist, Corelight Introduction This week I read a story announcing that the latest edition of Whonix had been released. I had heard of Whonix, but had never tried it. I knew it was a Linux distribution that tried to make it as easy and safe as possible to anonymize online […]

Investigating the Effects of TLS 1.3 on Corelight Logs, Part 3

By Richard Bejtlich, Principal Security Strategist, Corelight Introduction Welcome to part 3 of my three-part series on TLS. In the previous two articles I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. I then performed the same transaction using TLS 1.2, and compared the logs with those seen […]

Investigating the Effects of TLS 1.3 on Corelight Logs, Part 2

By Richard Bejtlich, Principal Security Strategist, Corelight Introduction Welcome to part 2 of my three-part series on TLS. In the previous article I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. In this article I will perform the same transaction using TLS 1.2, and compare the logs with […]

How to Use Corelight and Zeek Logs to Mitigate RDS/RDP Vulnerabilities

By Richard Bejtlich, Principal Security Strategist, Corelight Introduction On May 14 Microsoft released patches for, and details about, a remote code execution vulnerability in Remote Desktop Services (RDS), the graphical interactive desktop offered with most Windows operating system platforms. This vulnerability bears the Common Vulnerabilities and exposures number CVE-2019-0708. Remote Desktop Protocol (RDP) is the […]

Zeek is much more than a data format

By Greg Bell, CEO at Corelight Last week, a candidate for a senior role at Corelight explained his motivation for joining the company this way: “the world is standardizing on Zeek.”   And it’s true. The Zeek network security monitoring platform, created by leading researcher and Corelight co-founder Vern Paxson, is having its moment. Thousands of organizations worldwide […]

Examining aspects of encrypted traffic through Zeek logs

By Richard Bejtlich, Principal Security Strategist, Corelight In my last post I introduced the idea that analysis of encrypted HTTP traffic requires different analytical models. If you wish to preserve the encryption (and not inspect it via a middlebox), you have to abandon direct inspection of HTTP payloads to identify normal, malicious, and suspicious activity. […]

The last BroCon. It’ll be Zeek in 2019!

By Robin Sommer, CTO at Corelight and member of the Zeek Leadership Team I’m back in San Francisco after the last ever BroCon! Why the last BroCon? Because the Bro Leadership Team has announced a new name for the project. After two years of discussion, no shortage of suggestions, and a final shortlist going through […]

There’s more to Bro than great network data

By Vincent Stoffer, Senior Director of Product Management, Corelight Corelight recently released our 1.15 software update which includes some fantastic new features, including our first group of curated Bro Packages which we’re calling the “Core Collection.”  In this blog post, I’ll tell you a bit more about how Corelight is making it easier to detect threats […]

How we decide what Bro capabilities to include in our Sensor

By Seth Hall, Co-Founder & Chief Evangelist at Corelight We started Corelight to bring the power of Bro network monitoring to an audience that is interested in security, stability, and long-term sustainability. Even though we created and built Bro over the last 20 years, when we developed our commercial product we made some design decisions […]