Visibility Across Space and Time (VAST) is a unified platform for network forensics and incident response.
Start a VAST node with debug log verbosity in the foreground and spawn all core actors:

```sh
vastd -l 5 -f -c
```
Import Bro logs or a PCAP trace in one shot:

```sh
zcat *.log.gz | vast import bro
vast import pcap -r trace.pcap
```
Query VAST and get the result back as a PCAP trace. The query must be quoted, otherwise the shell treats `>` as an output redirection and `&&` as a command separator instead of passing them to VAST:

```sh
vast export pcap -h "sport > 60000/tcp && src !in 10.0.0.0/8"
```
- Issue board
- Contribution guidelines
- Project page
- Mailing lists:
The VAST docker container provides a quick way to get up and running:

```sh
docker pull mavam/vast
docker run --rm -ti mavam/vast
# inside the container:
vast -h
```
Building VAST involves the following steps:

```sh
./configure
make
make test
make install
```
VAST development primarily takes place on FreeBSD because it ships with a C++14 compiler and provides all dependencies natively, which one can install as follows:

```sh
pkg install cmake boost-libs caf google-perftools
```
To the best of our knowledge, no Linux distribution currently ships a C++14-capable compiler out of the box. On recent Debian-based distributions (e.g., Ubuntu 14.04.1), getting a working toolchain requires installing the following packages:

```sh
apt-get install cmake clang-3.5 libc++-dev libc++abi-dev \
    libboost-dev libpcap-dev libgoogle-perftools-dev
```

CAF is not packaged there and still needs to be installed manually.
Mac OS Yosemite also ships with a working C++14 compiler. Homebrew makes it easy to install the dependencies:

```sh
brew install cmake boost caf google-perftools
```
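The toolchain remarks above reduce to one question before running `./configure`: does the compiler on this machine actually accept C++14, and is cmake present? The following POSIX sh pre-flight script is an added example and not part of VAST's build system. It probes a compiler by compiling a tiny program that needs two C++14-only features (a generic lambda and `std::make_unique`), and walks a list of candidate compiler names. The candidate names (`clang++-3.5`, `clang++`, `c++`, `g++`) and the helper names (`have_tool`, `cxx14_ok`, `find_cxx14`, `preflight`) are this example's own assumptions, not anything VAST defines.

```sh
#!/bin/sh
# Pre-flight check before ./configure: is there a compiler that really
# accepts C++14, and is cmake installed? Added example, not VAST code.

# Return 0 if the named tool is on PATH.
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Return 0 if compiler $1 builds a small program that requires C++14:
# a generic lambda and std::make_unique, both absent from C++11.
cxx14_ok() {
    have_tool "$1" || return 1
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/probe.cpp" <<'EOF'
#include <memory>
auto id = [](auto x) { return x; };                  // generic lambda (C++14)
int main() { return *std::make_unique<int>(id(0)); } // make_unique (C++14)
EOF
    if "$1" -std=c++14 -o "$tmp/probe" "$tmp/probe.cpp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Print the first compiler from the argument list that passes the probe;
# return 1 if none does. The candidate names are assumptions of this example.
find_cxx14() {
    for cxx in "$@"; do
        if cxx14_ok "$cxx"; then
            echo "$cxx"
            return 0
        fi
    done
    return 1
}

# Run all checks; report what is missing and return nonzero if anything is.
preflight() {
    ok=0
    have_tool cmake || { echo "missing: cmake"; ok=1; }
    if cxx=$(find_cxx14 clang++-3.5 clang++ c++ g++); then
        echo "C++14 compiler: $cxx"
    else
        echo "missing: a compiler that accepts -std=c++14"
        ok=1
    fi
    return $ok
}

# Report the result without aborting, so the script can also be sourced.
preflight || printf 'preflight failed (see above)\n' >&2
```

Run it once per build host before `./configure`; an `apt`-era Ubuntu box with only the stock `g++` typically reports the compiler as missing, which is exactly the situation the Debian notes above describe. To use the result in another script, source the file and call `preflight` directly for its exit code.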
VAST comes with a 3-clause BSD licence.