VAST's query language currently supports boolean expressions consisting of conjunctions (`&&`), disjunctions (`||`), and negations (`!`). The operands of these operations are either predicates or further sub-expressions.
A predicate has the form `LHS op RHS`. The left-hand side (`LHS`) and right-hand side (`RHS`) each have a type, and the relational operator `op` defines which operand types are compatible with each other. An operand is either an extractor or data.
An extractor retrieves a certain aspect of an event:

- `&time` extracts the event timestamp and requires an RHS of the corresponding type
- `&name` extracts the event name and requires an RHS of the corresponding type
- `:T` extracts any event argument having type `T` in any event
- `x[.y.z]` describes the event type or field names according to the schema
A data operand is a fixed constant parsed according to the data grammar.
VAST comes with the following type extractors:
```
&name == "bro::conn"
&time > now - 2d && :string == "http" && (:addr in 192.168.0.0/24 || :addr == 127.0.0.1)
conn.ts < 2014-04-04 && "evil" in user_agent
```
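To make the grammar above concrete, here is an added example (not VAST's own code) of a small parser and evaluator for this query language: it tokenizes `&&`, `||`, `!`, parentheses and predicates, resolves `&time`, `&name`, `:T` and schema-path extractors against events, and treats operands with incompatible types as non-matching. The events, the fixed `now`, the supported data literals (strings, addresses, subnets, dates, durations, integers) and the `query()` helper are all constructed for this example; the real VAST data grammar and schema handling are richer than what is shown here.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events: a name, a timestamp and typed fields. The VAST
# type of a field value is derived from its Python type (see vast_type).
NOW = datetime(2014, 4, 5, 12, 0, 0)  # fixed "now" so results are deterministic
EVENTS = [
    {"name": "bro::conn", "time": NOW - timedelta(hours=1),
     "fields": {"conn.ts": datetime(2014, 4, 3), "proto": "tcp", "service": "http",
                "id.orig_h": ipaddress.ip_address("192.168.0.7")}},
    {"name": "bro::http", "time": NOW - timedelta(days=5),
     "fields": {"conn.ts": datetime(2014, 4, 1), "user_agent": "evil-bot/1.0",
                "id.orig_h": ipaddress.ip_address("10.0.0.5")}},
    {"name": "bro::dns", "time": NOW - timedelta(minutes=5),
     "fields": {"query": "example.com", "id.orig_h": ipaddress.ip_address("127.0.0.1")}},
]

# One alternative per token kind; longer operators precede their prefixes.
TOKEN = re.compile(r"""\s*(?:
    (&&|\|\||!=|==|<=|>=|<|>|!|\(|\)|\+|-|\bin\b)   # operators
  | (&\w+|:\w+)                                      # &meta and :type extractors
  | ("(?:[^"\\]|\\.)*")                              # string literal
  | (\d+\.\d+\.\d+\.\d+(?:/\d+)?)                    # addr or subnet
  | (\d{4}-\d{2}-\d{2})                              # date
  | (\d+[smhd])                                      # duration
  | (\d+)                                            # integer
  | ([A-Za-z_][\w.]*)                                # "now" or a schema path x.y.z
)""", re.VERBOSE)
KINDS = ["OP", "EXTRACTOR", "STRING", "NET", "DATE", "DURATION", "INT", "IDENT"]
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "in": lambda a, b: a in b}  # substring for strings, membership for subnets

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise SyntaxError(f"bad token at {pos}: {text[pos:]!r}")
        tokens.append((KINDS[m.lastindex - 1], m.group(m.lastindex)))
        pos = m.end()
    return tokens

def literal(kind, text):
    """Parse a data operand according to this example's (simplified) data grammar."""
    if kind == "STRING": return text[1:-1]
    if kind == "NET": return ipaddress.ip_network(text) if "/" in text else ipaddress.ip_address(text)
    if kind == "DATE": return datetime.strptime(text, "%Y-%m-%d")
    if kind == "DURATION": return timedelta(**{UNITS[text[-1]]: int(text[:-1])})
    if kind == "INT": return int(text)
    if kind == "IDENT" and text == "now": return NOW
    raise SyntaxError(f"cannot use {text!r} as data")

class Parser:  # recursive descent: expr -> conj ('||' conj)*, conj -> unary ('&&' unary)*
    def __init__(self, tokens): self.toks, self.i = tokens, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, text=None):
        tok = self.peek()
        if text is not None and tok[1] != text: raise SyntaxError(f"expected {text!r}, got {tok[1]!r}")
        self.i += 1
        return tok
    def expr(self):
        node = self.conj()
        while self.peek()[1] == "||": self.take(); node = ("or", node, self.conj())
        return node
    def conj(self):
        node = self.unary()
        while self.peek()[1] == "&&": self.take(); node = ("and", node, self.unary())
        return node
    def unary(self):  # '!' unary | '(' expr ')' | predicate
        kind, text = self.peek()
        if text == "!": self.take(); return ("not", self.unary())
        if text == "(": self.take(); node = self.expr(); self.take(")"); return node
        lhs, op = self.operand(), self.take()[1]
        if op not in OPS: raise SyntaxError(f"unknown operator {op!r}")
        return ("pred", lhs, op, self.operand())
    def operand(self):  # extractor | schema path | data (with optional "now - 2d" arithmetic)
        kind, text = self.take()
        if kind == "EXTRACTOR": return ("extractor", text)
        if kind == "IDENT" and text != "now": return ("field", text)
        value = literal(kind, text)
        if self.peek()[1] in ("+", "-"):
            sign = 1 if self.take()[1] == "+" else -1
            value = value + sign * literal(*self.take())
        return ("data", value)

def parse(text):
    p = Parser(tokenize(text))
    node = p.expr()
    if p.i != len(p.toks): raise SyntaxError(f"trailing input: {p.toks[p.i:]}")
    return node

def vast_type(value):
    return {str: "string", int: "int", datetime: "time", timedelta: "duration",
            ipaddress.IPv4Address: "addr", ipaddress.IPv4Network: "subnet"}.get(type(value), "unknown")

def resolve(operand, event):
    """All values an operand denotes for this event (a :T extractor may yield several)."""
    tag, x = operand
    if tag == "data": return [x]
    if tag == "field": return [event["fields"][x]] if x in event["fields"] else []
    if x == "&time": return [event["time"]]
    if x == "&name": return [event["name"]]
    if x.startswith(":"): return [v for v in event["fields"].values() if vast_type(v) == x[1:]]
    raise ValueError(f"unknown extractor {x}")

def evaluate(node, event):
    tag = node[0]
    if tag == "or": return evaluate(node[1], event) or evaluate(node[2], event)
    if tag == "and": return evaluate(node[1], event) and evaluate(node[2], event)
    if tag == "not": return not evaluate(node[1], event)
    _, lhs, op, rhs = node
    for a in resolve(lhs, event):
        for b in resolve(rhs, event):
            try:
                if OPS[op](a, b): return True
            except TypeError:  # incompatible operand types never match
                pass
    return False

def query(text, events=EVENTS):
    """Return the names of the sample events matching a query string."""
    ast = parse(text)
    return [e["name"] for e in events if evaluate(ast, e)]
```

Running the page's three example queries against the constructed events with `query(...)` returns `["bro::conn"]`, `["bro::conn"]` and `["bro::http"]` respectively; the second query exercises `now - 2d`, the `:string` and `:addr` type extractors, subnet membership and a parenthesized disjunction. Note that a type extractor matches if any field of that type satisfies the predicate, which is the "in any event" semantics described above.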