mavam committed 277fe4c Jul 3, 2020
Merge pull request #963
Fix badge for Docker workflow
README.md

VAST — Visibility Across Space and Time

The network telemetry engine for data-driven security investigations.

Getting Started | Installation | Documentation | Development | Changelog | License and Scientific Use

Chat with us on Gitter.

Key Features

  • High-Throughput Ingestion: ingest numerous log formats at over 100k events/second, including Zeek, Suricata, JSON, and CSV.

  • Low-Latency Queries: sub-second response times over the entire data lake, thanks to multi-level bitmap indexing and actor-model concurrency. This makes VAST particularly useful for instant indicator checks across the entire dataset.

  • Flexible Export: access data in common text formats (ASCII, JSON, CSV), in binary form (MRT, PCAP), or via zero-copy relay through Apache Arrow for arbitrary downstream analysis.

  • Powerful Data Model and Query Language: the generic semi-structured data model allows for expressing complex data in a typed fashion. An intuitive query language that feels like grep and awk at scale enables powerful subsetting of data with domain-specific operations, such as top-k prefix search for IP addresses and subset relationships.

  • Schema Pivoting: the missing link to navigate between related events, e.g., extracting a PCAP for a given IDS alert, or locating all related logs for a given query.

Getting Started

Clone the master branch to get the most recent version of VAST.

git clone --recursive https://github.com/tenzir/vast

Once you have all dependencies in place, build VAST with the following commands:

./configure
cmake --build build
cmake --build build --target test
cmake --build build --target integration
cmake --build build --target install

The installation guide contains more detailed and platform-specific instructions on how to build and install VAST.

Start a VAST node:

vast start

Ingest Zeek logs of various kinds:

zcat *.log.gz | vast import zeek

Run a query over the last hour, rendered as JSON:

vast export json '#timestamp > 1 hour ago && (6.6.6.6 || 5353/udp)'

Ingest a PCAP trace with a 1024-byte flow cutoff:

vast import pcap -c 1024 < trace.pcap

Run a query over PCAP data, sort the packets by time, and feed them into tcpdump:

vast export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl
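
Pulling the steps above together, here is an added shell example (not part of the VAST README or the project's own code) that turns a watch list of indicators into a single VAST expression, for the kind of whole-dataset indicator check mentioned under Key Features. It uses only the query forms shown in this README (bare address and port literals, `&&`, `||`, `#timestamp > 1 hour ago`) plus one assumption: that CIDR ranges can be expressed with VAST's type-extractor predicate `:addr in <subnet>`. The function names (`classify_ioc`, `ioc_query`, `write_sample_iocs`) and the indicator list are my own, constructed for illustration and not real threat data.

```shell
#!/bin/sh
# Added example: build one VAST query from a watch list of indicators so the
# whole data lake is checked in a single export, instead of one query per IOC.
# Query forms used: bare address/port literals, `&&`, `||`, `#timestamp > ... ago`
# (all shown in the README). Assumption: CIDR ranges are expressed with VAST's
# type-extractor predicate `:addr in <subnet>`.

# reject INDICATOR: explain on stderr why an indicator was dropped.
reject() {
  printf 'skipping unrecognised indicator: %s\n' "$1" >&2
}

# classify_ioc INDICATOR: print the VAST predicate for one indicator, or
# return 1 if it is not a supported form. Only [0-9a-z./] are let through,
# because the text ends up inside a query string handed to `vast export`.
classify_ioc() {
  ioc=$1
  case $ioc in
    ''|*[!0-9a-z./]*)
      reject "$ioc"; return 1 ;;
    */tcp|*/udp|*/icmp)                    # port literal, e.g. 5353/udp
      case ${ioc%/*} in
        ''|*[!0-9]*) reject "$ioc"; return 1 ;;
        *) printf '%s\n' "$ioc" ;;
      esac ;;
    *[!0-9./]*)                            # letters left over: not an IPv4 form
      reject "$ioc"; return 1 ;;
    *.*.*.*/*)                             # CIDR range -> subnet membership test
      printf ':addr in %s\n' "$ioc" ;;
    *.*.*.*)                               # single IPv4 address, any address field
      printf '%s\n' "$ioc" ;;
    *)
      reject "$ioc"; return 1 ;;
  esac
}

# ioc_query FILE [WINDOW]: OR all predicates together and restrict them to the
# time window (default "1 hour ago", the form used in the README).
# Blank lines and `#` comments in FILE are ignored; returns 1 if nothing usable.
ioc_query() {
  file=$1
  window=${2:-1 hour ago}
  preds=
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace and CR
    [ -n "$line" ] || continue
    pred=$(classify_ioc "$line") || continue
    if [ -z "$preds" ]; then preds=$pred; else preds="$preds || $pred"; fi
  done < "$file"
  [ -n "$preds" ] || return 1
  printf '#timestamp > %s && (%s)\n' "$window" "$preds"
}

# write_sample_iocs FILE: constructed watch list for trying the functions out
# (not real threat data).
write_sample_iocs() {
  cat > "$1" <<'EOF'
# constructed sample watch list, not real indicators
6.6.6.6
10.0.0.0/8          # a range becomes a subnet membership test
5353/udp
4444/tcp
evil.example.com    # hostnames are not handled here and are skipped
EOF
}

# Usage (vast itself is not invoked by this script):
#   write_sample_iocs iocs.txt
#   vast export json "$(ioc_query iocs.txt '24 hours ago')"
```

With the sample list, `ioc_query iocs.txt` yields `#timestamp > 1 hour ago && (6.6.6.6 || :addr in 10.0.0.0/8 || 5353/udp || 4444/tcp)`, which can be passed straight to `vast export json` or `vast export pcap`. The character whitelist in `classify_ioc` is deliberate: the watch list is untrusted input that is spliced into a query string, so anything outside the expected literal forms is dropped with a warning rather than forwarded.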

License and Scientific Use

VAST comes with a 3-clause BSD license. When referring to VAST in a scientific context, please use the following citation:

@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}

You can download the paper from the NSDI '16 proceedings.

Developed with ❤️ by Tenzir