Review: Corelight adds security clues to network packet analysis

In the tradition of other great network analysis tools like Bro and Sourcefire, Corelight gives security pros deep insight into data traffic on the systems they defend.


I’ve long been a huge fan of network packet analysis. Like math in the real world, I believe network packets are the only truth to what is going on with your network. Sniff your network and you’ll find out the problem, or at least be pointed in the right direction to the culprit. Back in the Novell network days, I was a fan of an early (and now deceased) network packet sniffer called LANAnalyzer. Then I got turned on to Ethereal, which became Wireshark.

Those were great tools for pure network packet sniffing, but they were not the perfect, optimized tools for more efficiently detecting security issues. Then I was lucky enough to be in one of the first Snort SANS classes taught by its creator Martin Roesch. I’ve still got plastic little Snort pigs all around my house and office.

Snort was great, like an antivirus network sniffer on steroids, but it quickly became overwhelming if you deployed too many Snort sensors in a big environment. Many enterprise Snort users felt rescued when Marty turned it up to 11 by developing a commercial version called Sourcefire, which improved speed, manageability and capabilities.

For more than a decade, every company I worked at handled each new site connection the same way: by placing another Sourcefire appliance at the network egress/ingress point. Most enterprise network security managers didn’t consider a network secure unless a Sourcefire box was involved. Sourcefire was eventually bought by Cisco.

