VAST 2021.08.26
This release of VAST brings a number of exciting experimental features that can be checked out by enterprising users.
Progress on the Segment Store Backend
With the previous release, we introduced store backend plugins, and the new segment store implementation will become the default with the next release. With this release, the segment store reached feature parity with the legacy architecture. We encourage our enterprise users to test the new backend. Opt in by adding the following to your VAST configuration:

```yaml
vast:
  store-backend: segment-store
```
New features for transformations and data compaction will be built on the segment store backend and will only be available for data stored using the new backend. Legacy data can still be queried and exported, and we expect data rotation via the disk monitor to eventually remove all data stored using legacy storage.
Live Matching
We rebuilt the matcher plugin for VAST, which enables live matching of threat intelligence indicators against the incoming stream of telemetry. The completely rewritten documentation shows how to use the plugin. Highlights include:
- Exact & Fuzzy Mode: controllable memory usage through multiple matcher backends, such as hash tables, Bloom filters, and Cuckoo filters.
- Surgical Target Locking: fine-grained configuration options to dispatch matchers to fields in the data, fully leveraging VAST's type system, field names, and concepts.
- Composable Sighting Streams: mix-and-match sighting streams to combine the results of matchers, e.g., fuse TLP:RED and inhouse indicators in one stream and OSINT and TLP:WHITE in another one.
- Full CLI Control: powerful controls to add/remove indicators, perform bulk-imports, and save/restore binary matcher state.
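To make the exact-versus-fuzzy trade-off and the field targeting concrete, here is an added example in Python. It is not code from VAST or its matcher plugin: the telemetry records, the indicator list, the `TARGETS` field map and the matcher classes are all constructed for this illustration, and the Bloom filter uses a SHA-256-based double-hashing scheme chosen here, not whatever hashing VAST's backends use. An exact hash-set matcher and a Bloom-filter matcher share one interface, are dispatched only to the fields named in `TARGETS`, and emit sightings that can then be fused into one stream.

```python
"""Exact vs. Bloom-filter indicator matching over a telemetry stream.

Added illustration, not code from VAST or its matcher plugin. The records,
indicators and the field-targeting map below are constructed for the example.
"""
import hashlib
import math

# Constructed sample telemetry: Zeek-style dns, conn and http records.
TELEMETRY = [
    {"_type": "dns", "ts": 1, "query": "www.example.org"},
    {"_type": "dns", "ts": 2, "query": "evil.example.com"},
    {"_type": "conn", "ts": 3, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7"},
    {"_type": "conn", "ts": 4, "id.orig_h": "10.0.0.6", "id.resp_h": "203.0.113.9"},
    {"_type": "dns", "ts": 5, "query": "c2.example.net"},
    # No target is configured for http below, so this record yields no sighting.
    {"_type": "http", "ts": 6, "host": "evil.example.com"},
]

# Constructed indicators: two domains and one address.
INDICATORS = ["evil.example.com", "c2.example.net", "198.51.100.7"]

# Which fields of which event type the matcher is dispatched to (hypothetical map).
TARGETS = {"dns": ["query"], "conn": ["id.resp_h"]}


class ExactMatcher:
    """Hash-set backend: no false positives, memory grows with the indicator count."""

    def __init__(self, indicators):
        self.items = set(indicators)

    def add(self, value):
        self.items.add(value)

    def remove(self, value):
        self.items.discard(value)

    def contains(self, value):
        return value in self.items


class BloomMatcher:
    """Bloom-filter backend: fixed memory chosen from capacity and target
    false-positive rate. May report false positives, never false negatives,
    and (unlike a Cuckoo filter) cannot remove an indicator once added."""

    def __init__(self, capacity, fp_rate, indicators=()):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        for value in indicators:
            self.add(value)

    def _indexes(self, value):
        # Kirsch-Mitzenmacher double hashing derived from one SHA-256 digest.
        digest = hashlib.sha256(value.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:16], "little") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, value):
        for idx in self._indexes(value):
            self.bits[idx // 8] |= 1 << (idx % 8)

    def contains(self, value):
        return all(self.bits[idx // 8] & (1 << (idx % 8)) for idx in self._indexes(value))

    def size_bytes(self):
        return len(self.bits)


def match_stream(records, matcher, targets=TARGETS):
    """Run one matcher over the stream; return sightings as (ts, type, field, value)."""
    sightings = []
    for rec in records:
        for field in targets.get(rec["_type"], []):
            value = rec.get(field)
            if value is not None and matcher.contains(value):
                sightings.append((rec["ts"], rec["_type"], field, value))
    return sightings


def fuse(*streams):
    """Compose several sighting streams (e.g. in-house and OSINT matchers) into one."""
    return sorted(set().union(*streams))


if __name__ == "__main__":
    exact = ExactMatcher(INDICATORS)
    bloom = BloomMatcher(capacity=1000, fp_rate=0.01, indicators=INDICATORS)
    for name, matcher in (("exact", exact), ("bloom", bloom)):
        for sighting in match_stream(TELEMETRY, matcher):
            print(name, *sighting)
    print("bloom filter bytes:", bloom.size_bytes())
```

The exact backend finds exactly the three planted indicators; the Bloom backend is guaranteed to find at least those three (no false negatives) in a fixed 1199 bytes for a 1000-indicator capacity at a 1% false-positive target, but any extra sighting it emits is a false positive that must be confirmed against an exact store before acting on it. The `http` record carrying `evil.example.com` in `host` produces no sighting because the matcher is only dispatched to `dns.query` and `conn.id.resp_h`.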
Also noteworthy: the matcher is now binary-compatible with DCSO's bloom library. For example, you can load a DCSO Bloom filter into a matcher called `dns` as follows:

```bash
vast matcher load dns < ns.bloom
```
If you are interested in testing the plugin, please reach out to us in our Community Slack.
Maintenance
This month brings an especially large number of smaller changes and bug fixes. Here's a selection:
- VAST now supports building against {fmt} 8 and spdlog 1.9.2, and requires at least {fmt} 7.1.3. #1846
- In order to align with the GNU Coding Standards, the static binary (and other relocatable binaries) now uses `/etc` as sysconfdir for installations to `/usr/bin/vast`. #1856
- The CSV parser now correctly parses quoted fields in non-string types. E.g., `"127.0.0.1"` in CSV now successfully parses when a matching schema contains an `address` type field. #1858
As always, you can find the full scoop in our changelog.