Enables Bro to communicate with VAST
Zeek & VAST

This package enables Zeek to communicate with VAST, a scalable platform for network forensics. Combining VAST and Zeek allows threat hunters to automate routine tasks, such as correlating new intelligence feed items with data from the past.

Features

  • Historic intelligence lookups: when new intelligence becomes available, go back in time and look for connections that involved the new intelligence.

  • Query arbitrary data in VAST.

Installation

The scripts ship as a Zeek package. Installation follows the standard procedure:

zkg install zeek-vast

Usage

First, make sure that VAST and zeek-to-vast are running, otherwise the scripts will not be able to communicate with VAST.

To enable historic intelligence lookups, just load the following script:

@load zeek-vast/intel.zeek

Zeek then generates a new file historic-intel.log with the results of historic intelligence lookups.

To test your setup locally, you can load the example intel file as follows:

zeek 'Intel::read_files += {"example.intel"}' scripts/intel.zeek

Configuration

See the export section of the scripts for a complete description of tuning knobs.

intel.zeek

This script integrates VAST with the intelligence framework: whenever Zeek processes a new intelligence item, the script performs a historic lookup for that item in VAST. If relevant data exists, VAST sends the result back, which the script then writes into the file historic-intel.log.

If there's currently no connection to VAST, then the script queues the item until the connection becomes available again.

main.zeek

This script defines the basic functions to communicate with VAST. You can configure how Zeek should connect to zeek-to-vast with the two variables VAST::bridge_host and VAST::bridge_port. They default to 127.0.0.1 and 43000/tcp.
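The following site configuration ties the Usage and Configuration sections together: it loads the intel script, overrides the bridge address, and registers an intelligence file for the framework to read. It is an added example, not a file from the zeek-vast package. The host address, the file path and the assumption that VAST::bridge_host is a string (inferred from its 127.0.0.1 default) are the author's; VAST::bridge_host, VAST::bridge_port, Intel::read_files and historic-intel.log are the names the README itself uses.

```zeek
# local.zeek -- constructed site configuration (added example, not package code).
# Run it, for instance, against a capture:
#   zeek -C -r capture.pcap local.zeek
# and inspect the results with:
#   cat historic-intel.log

# Pull in the historic-lookup integration described in the README.
@load zeek-vast/intel.zeek

# zeek-to-vast runs on a separate forensics host here (address assumed).
# The README documents the defaults as 127.0.0.1 and 43000/tcp; the string
# type for bridge_host is assumed from that default.
redef VAST::bridge_host = "192.0.2.10";
redef VAST::bridge_port = 43000/tcp;

# Register an indicator file with Zeek's intelligence framework (path assumed).
# Each indicator that the framework loads triggers a historic lookup in VAST,
# and matches are written to historic-intel.log.
#
# The file uses the standard Zeek intel format: tab-separated, with a header
# line naming the fields, e.g.
#   #fields	indicator	indicator_type	meta.source	meta.desc
#   192.0.2.77	Intel::ADDR	constructed-feed	test indicator (constructed)
redef Intel::read_files += { "/opt/zeek/share/zeek/site/intel/example.intel" };
```

Because the README states that items are queued while the bridge is unreachable, a lookup that produces no historic-intel.log entry is not necessarily a miss; check that zeek-to-vast and VAST are up before treating an empty log as "no prior sightings".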

License

This Zeek package comes with a BSD license.
