Skip to content
master
Switch branches/tags
Code

Latest commit

Add new Suricata schema type 'packet'
6ad5582

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Jul 23, 2021

VAST

VAST — Visibility Across Space and Time

The network telemetry engine for data-driven security investigations.

Build Status Static Build Status Examples Status Changelog Since Release License

Getting StartedInstallationDocumentationDevelopmentChangelogLicense and Scientific Use

Chat

Key Features

  • High-Throughput Ingestion: import numerous log formats over 100k events/second, including Zeek, Suricata, JSON, and CSV.

  • Low-Latency Queries: sub-second response times over the entire data lake, thanks to multi-level bitmap indexing and actor model concurrency. Particularly helpful for instant indicator checking over the entire dataset.

  • Flexible Export: access data in common text formats (ASCII, JSON, CSV), in binary form (MRT, PCAP), or via zero-copy relay through Apache Arrow for arbitrary downstream analysis.

  • Powerful Data Model and Query Language: the generic semi-structured data model allows for expressing complex data in a typed fashion. An intuitive query language that feels like grep and awk at scale enables powerful subsetting of data with domain-specific operations, such as top-k prefix search for IP addresses and subset relationships.

  • Schema Pivoting: the missing link to navigate between related events, e.g., extracting a PCAP for a given IDS alert, or locating all related logs for a given query.

Get VAST

Linux users can download our latest static binary release via browser or cURL.

curl -L -O https://storage.googleapis.com/tenzir-public-data/vast-static-builds/vast-static-latest.tar.gz

Unpack the archive. It contains three folders bin, etc, and share. To get started invoke the binary in the bin directory directly.

tar xfz vast-static-latest.tar.gz
bin/vast --help

To install VAST locally, simply place the unpacked directories in your install prefix, e.g., /usr/local.

The installation guide contains more detailed and platform-specific instructions on how to build and install VAST for all supported platforms.

Getting Started

Here are some commands to get a first glimpse of what VAST can do for you.

Start a VAST node:

vast start

Ingest Zeek logs of various kinds:

zcat *.log.gz | vast import zeek

Run a query over the last hour, rendered as JSON:

vast export json ':timestamp > 1 hour ago && (6.6.6.6 || 5353/udp)'

Ingest a PCAP trace with a 1024-byte flow cutoff:

vast import pcap -c 1024 < trace.pcap

Run a query over PCAP data, sort the packets by time, and feed them into tcpdump:

vast export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

License and Scientific Use

VAST comes with a 3-clause BSD license. When referring to VAST in a scientific context, please use the following citation:

@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}

You can download the paper from the NSDI '16 proceedings.

Developed with ❤️ by Tenzir