Network data for humans.

You don't need more alerts, most of them crying wolf and wasting your time. And you don’t need packet upon packet dumped on you indiscriminately. What you need is a unifying foundation that gives you the right amount of data at the right time, organized into highly actionable logs. We needed it too. That’s why we founded Corelight.

Software

Highlighted features from recent Corelight software releases.

The Core Collection: curated Zeek packages for out-of-the box insight.

All Corelight Sensors now come preloaded with the Core Collection, a set of Zeek packages curated and certified by Corelight for performance and stability that provide threat detection, data enrichment, and operational insight. Read more about the Core Collection

Detection packages

Cryptomining detection

Generates a notice when Bitcoin or Litecoin mining traffic is detected over TCP or HTTP.

SSL fingerprinting (JA3)

Creates a hash of every SSL/TLS client and server negotiation, which can be used for hunting or matched against threat intelligence feeds.

SSH fingerprinting (HASSH)

Creates a hash of every SSH client and server negotiation, which can be used for hunting or matched against threat intelligence feeds.

HTTP stalling detection

Detects when a web client executes a resource exhaustion attack on a web server.

Long connections detection

Generates a notice when long running connections occur, providing early visibility into a possible attack in progress.

Port scanning detection

Identifies port scanning behavior involving hosts (horizontal) or ports (vertical) across a variety of protocols.

Data enrichment packages

URL extraction in SMTP

Automatically extracts URLs found in email bodies and appends them to Zeek's smtp.log.

POST data capture in HTTP

Extracts POST data sent by a client to a server, and appends it to Zeek's http.log.

DNS hostname annotation

Derives hostnames from DNS traffic and automatically appends it to Zeek's conn.log.

Operational packages

Data Reduction

A set of configurable options that help you optimize SIEM performance and costs by reducing data of minimal security value in the conn, http, dns, and ssl logs, shrinking total export volumes by up to 30%.

SSL certificate monitoring

Provides visibility into local X.509 certificates seen over SSL/TLS that have expired or will expire soon.

Traffic shunting

Enables the conservation of sensor processing bandwidth and/or SIEM data costs by shunting unwanted traffic flows at the NIC.

Windows Version Identification

Identifies Windows OS hosts using HTTP connection headers and appends it to the software.log.

Support for the Zeek Intelligence Framework.

Expand the power of Corelight Sensors:

Match known indicators of compromise to your network traffic
Easy integration with intel feeds like Anomali and ThreatConnect
Flag IPs, URLs, emails, hashes and more

Zeek, with a snappy UI.

15 minute Zeek deployment with a modern web app so you don't need knowledge of command-line configuration:

Manage and configure multi-sensor deployments with Corelight Fleet Manager
Define role-based access controls for management
At-a-glance status of your Corelight Sensor inputs and exporters
Dashboard with status and key metrics like interfaces, log rates, and ports
Monitor key sensor health metrics like memory and CPU usage and system temperature
LDAP integration
Demonstrate compliance using audit logs

Handle large "elephant flows" like massive datasets transferred over science DMZs with flow shunting.

The Sensor removes elephant flows from its processing jobs, extracting only the key information, which allows you to save on data processing costs and scale your Sensor beyond 25 Gbps.

Flow shunting (AP 3000 only)

Implementation via custom Zeek scripts
Runs in the Corelight NIC for high performance
Implementation assistance available from Corelight

With Corelight you can deploy Zeek in minutes, not months.

Configure traffic inputs

Ingest traffic from taps, span ports, or packet brokers.

Define Export targets

Export Zeek logs to Splunk, Elastic, Amazon S3, Syslog, SFTP and more.

Log forking & filtering

Send full logs to storage while sending log-filtered streams to your SIEM to optimize performance and data-processing costs.

Deploy Zeek packages

Enable Core Collection packages or run your own Zeek packages.

Enable file extraction

Set file extraction parameters and export destinations.

Corelight Sensors make running and managing Zeek simple and smooth.

Monitoring

Sensors connect to the Corelight Cloud Service to ensure continuous monitoring of sensors for health and performance.

Reporting

Set up performance reporting options for your Corelight Sensor.

Management

Update and maintain your Corelight Sensors from the GUI. Manage a single sensor or a fleet of sensors, with role-based access controls and custom sensor grouping and configuration templates.

Automatic software updates

Phone home capability to ensure your Sensor is always up to date. Comprehensive API.

Optimized file extraction

Control which files are automatically extracted from network traffic and saved for later forensic analysis.

Custom scripts

Corelight Sensors support custom scripts. Add capabilities from existing scripts in GitHub or write your own to meet the needs of your organization.