Turn network traffic into security visibility.

Corelight Sensors transform network traffic into rich logs, extracted files, and custom insights via Zeek (formerly known as Bro), a powerful, open-source network security monitor used by thousands of organizations worldwide. Make quick sense of traffic so you can resolve incidents faster and threat hunt more effectively.

aws-webcast icon Watch our webcast to learn how it works in AWS.



Highlighted features from recent Corelight software releases.

The Core Collection: curated Zeek packages for out-of-the box insight.

All Corelight Sensors now come preloaded with the Core Collection, a set of Zeek packages curated and certified by Corelight for performance and stability that provide threat detection, data enrichment, and operational insight.

Detection packages
Lateral movement detection (MITRE BZAR)
Detects lateral movement techniques in MITRE ATT&CK related to SMB and DCE-RPC traffic, such as indicators targeting Windows Admin Shares and Remote File Copy, and optionally extracts detection-related files to enable investigations of suspicious traffic.
Cryptomining detection
Generates a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.
SSL fingerprinting (JA3)
Creates a hash of every SSL/TLS client and server negotiation, which can be used for hunting or matched against threat intelligence feeds.
SSH fingerprinting (HASSH)
Creates a hash of every SSH client and server negotiation, which can be used for hunting or matched against threat intelligence feeds.
HTTP stalling detection
Detects when a web client executes a resource exhaustion attack on a web server.
Long connections detection
Generates a notice when long running connections occur, providing early visibility into a possible attack in progress.
Port scanning detection
Identifies port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols.
Data enrichment packages
Community ID
Creates a common hash of the 5-tuple and appends it to Zeek’s conn.log so analysts can quickly pivot on a connection in Corelight to and from tools such as Suricata, Elastic, Moloch and more.
URL extraction in SMTP
Automatically extracts URLs found in email bodies and appends them to Zeek's smtp.log.
POST data capture in HTTP
Extracts POST data sent by a client to a server, and appends it to Zeek's http.log.
DNS hostname annotation
Derives hostnames from DNS traffic and automatically appends it to Zeek's conn.log.
Operational packages
Data Reduction
A set of configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%.
SSL certificate monitoring
Provides visibility into local X.509 certificates seen over SSL/TLS that have expired or will expire soon.
Traffic shunting
Enables the conservation of sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.
Windows Version Identification
Identifies Windows OS hosts using HTTP connection headers and appends it to the software.log.

Support for the Zeek Intelligence and Input Frameworks.

Customize Corelight Sensors to your environment:

  • Match known indicators of compromise to your network traffic; flag IPs, URLs, emails, hashes and more
  • Easy integration with intel feeds like Anomali and ThreatConnect
  • Append internal server names, owners and contact info to the conn.log to accelerate remediation
  • Add external or internal domain whitelists and blacklists
  • Update referenced data quickly, no restarts required

Zeek, with a snappy UI.

15 minute Zeek deployment with a modern web app so you don't need knowledge of command-line configuration:

  • Manage and configure multi-sensor deployments with Corelight Fleet Manager
  • Define role-based access controls for management
  • At-a-glance status of your Corelight Sensor inputs and exporters
  • Dashboard with status and key metrics like interfaces, log rates, and ports
  • Monitor key sensor health metrics like memory and CPU usage and system temperature
  • LDAP integration
  • Demonstrate compliance using audit logs

Handle large "elephant flows" like massive datasets transferred over science DMZs with flow shunting.

The Sensor removes elephant flows from its processing jobs, extracting only the key information, which allows you to save on data processing costs and scale your Sensor beyond 25 Gbps.

Flow shunting (AP 3000 only)

  • Implementation via custom Zeek scripts / packages
  • Runs in the Corelight NIC for high performance
  • Implementation assistance available from Corelight

With Corelight you can deploy Zeek in minutes, not months.

Configure traffic inputs
Ingest traffic from taps, span ports, or packet brokers.
Define export targets
Export Zeek logs to Splunk, Elastic, Amazon S3, Syslog, SFTP and more.
Log forking & filtering
Send full logs to storage while sending log-filtered streams to your SIEM to optimize performance and data-processing costs.
Deploy Zeek packages
Enable Core Collection packages or run your own Zeek packages.
Enable file extraction
Set file extraction parameters and export destinations.

Corelight Sensors make running and managing Zeek simple and smooth.

Sensors connect to the Corelight Cloud Service to ensure continuous monitoring of sensors for health and performance.
Set up performance reporting options for your Corelight Sensor.
Update and maintain your Corelight Sensors from the GUI. Manage a single sensor or a fleet of sensors, with role-based access controls and custom sensor grouping and configuration templates.
Automatic software updates
Phone home capability to ensure your Sensor is always up to date. Comprehensive API.
Optimized file extraction
Control which files are automatically extracted from network traffic and saved for later forensic analysis.
Custom scripts / packages
Corelight Sensors support custom packages. Add capabilities from existing packages in GitHub or write your own to meet the needs of your organization.