VAST


Visibility Across Space and Time (VAST) is a platform for network forensics at scale.

Synopsis

Start a VAST node:

vast start

Ingest a bunch of Zeek logs:

zcat *.log.gz | vast import zeek

Run a query over the last hour, rendered as JSON:

vast export json '#timestamp > 1 hour ago && (6.6.6.6 || 5353/udp)'

Ingest a PCAP trace with a 1024-byte flow cut-off:

vast import pcap -c 1024 < trace.pcap

Run a query over PCAP data, sort the packets, and feed them into tcpdump:

vast export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

Resources

Contact

Installation

Required dependencies:

  • A C++17 compiler:
    • GCC >= 8
    • Clang >= 5
    • Apple Clang >= 9.1
  • CMake
  • CAF (master branch)

Optional dependencies:

Source Build

Building VAST involves the following steps:

./configure
make
make test
make install

The configure script is a small wrapper that passes build-related variables to CMake. For example, to use ninja as build generator, add --generator=Ninja to the command line. Passing --help shows all available options.

The doc target builds the API documentation locally:

make doc

Docker

The source ships with the convenience script docker_build.sh which, when invoked without arguments, builds the Docker images and saves them as tar.gz archives.

To run the container, provide a volume for the mountpoint /data. Invoked without a subcommand, the container prints the help message:

docker run -v /tmp/vast:/data vast-io/vast

Create a Docker network since we'll be running multiple containers which connect to each other:

docker network create -d bridge --subnet 172.42.0.0/16 vast_nw

Start a VAST node detached, with a fixed address on that network so the client containers can reach it:

docker run --network=vast_nw --name=vast_node --ip="172.42.0.2" -d -v /tmp/vast:/data vast-io/vast start

Import a Zeek conn log into the detached node:

docker run --network=vast_nw -i -v /tmp/vast:/data vast-io/vast -e '172.42.0.2' import zeek < zeek_conn.log

Other subcommands like export and status can be used just like the import command shown above.
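The Docker steps above, and the import and export invocations from the synopsis, wrapped into one script. This is an added example, not code from the VAST repository. It assumes docker and the vast-io/vast image are present on the host and that a node answers the status subcommand only once it is ready to serve clients; the network, address, and volume defaults are the README's own and can be overridden through the VAST_* environment variables. Setting DOCKER=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the VAST repository): the Docker procedure above
# as one script. Assumptions, not taken from the README: docker and the
# vast-io/vast image are available on this host, and a node answers `status`
# once it is ready to accept imports. DOCKER=echo prints instead of running.
set -eu

VAST_NETWORK=${VAST_NETWORK:-vast_nw}
VAST_SUBNET=${VAST_SUBNET:-172.42.0.0/16}
VAST_NODE_NAME=${VAST_NODE_NAME:-vast_node}
VAST_NODE_IP=${VAST_NODE_IP:-172.42.0.2}
VAST_DATA_DIR=${VAST_DATA_DIR:-/tmp/vast}
VAST_IMAGE=${VAST_IMAGE:-vast-io/vast}
DOCKER=${DOCKER:-docker}

# Create the bridge network once; running `up` a second time must not fail
# because the network already exists.
ensure_network() {
  "$DOCKER" network inspect "$VAST_NETWORK" >/dev/null 2>&1 ||
    "$DOCKER" network create -d bridge --subnet "$VAST_SUBNET" "$VAST_NETWORK"
}

# Start the node detached with a fixed address so the clients can find it.
start_node() {
  "$DOCKER" run --network="$VAST_NETWORK" --name="$VAST_NODE_NAME" \
    --ip="$VAST_NODE_IP" -d -v "$VAST_DATA_DIR:/data" "$VAST_IMAGE" start
}

# One-shot client against the node: --rm so an import, export or status call
# leaves no stopped container behind, -i so a log can be piped in on stdin.
vast_client() {
  "$DOCKER" run --rm --network="$VAST_NETWORK" -i -v "$VAST_DATA_DIR:/data" \
    "$VAST_IMAGE" -e "$VAST_NODE_IP" "$@"
}

# The README starts the node and imports straight away; a script has to wait
# until the node accepts connections or the import races the startup.
wait_for_node() {
  tries=${1:-30}
  while [ "$tries" -gt 0 ]; do
    if vast_client status >/dev/null 2>&1; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  echo "node $VAST_NODE_NAME at $VAST_NODE_IP did not become ready" >&2
  return 1
}

# Remove the node container; the data volume under $VAST_DATA_DIR is kept.
stop_node() {
  "$DOCKER" rm -f "$VAST_NODE_NAME" >/dev/null 2>&1 || true
}

usage() {
  echo "usage: $0 up | import <format> | export <format> <expr> | status | down" >&2
}

case "${1:-}" in
  up)     ensure_network; start_node; wait_for_node ;;
  import) shift; vast_client import "$@" ;;   # e.g. import zeek < zeek_conn.log
  export) shift; vast_client export "$@" ;;   # e.g. export json '#timestamp > 1 hour ago'
  status) vast_client status ;;
  down)   stop_node ;;
  *)      usage ;;
esac
```

Typical use is sh vast-docker.sh up, then sh vast-docker.sh import zeek < zeek_conn.log, then sh vast-docker.sh export json '#timestamp > 1 hour ago', and sh vast-docker.sh down when finished. The readiness poll is the one step the README's sequence leaves implicit: the detached node needs a moment before the first client can connect.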

Scientific Use

When referring to VAST in a scientific context, please use the following citation:

@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}

You can download the paper from the NSDI '16 proceedings.

License

VAST comes with a 3-clause BSD license.
