VAST

Visibility Across Space and Time (VAST) is a platform for network forensics at scale.

Synopsis

Ingest a PCAP trace into a local VAST node:

vast -n import pcap < trace.pcap

Query a local VAST node and get the result back as a PCAP trace:

vast -n export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

Start a VAST node in the foreground, listening at 10.0.0.1:

vast -e 10.0.0.1 start -f

Send Bro logs to a remote node:

zcat *.log.gz | vast import bro

Resources

Contact

Installation

Required dependencies:

  • A C++17 compiler:
    • GCC >= 8
    • Clang >= 6
    • Apple Clang >= 9.1
  • CMake
  • CAF (develop branch)

Optional dependencies:

Source Build

Building VAST involves the following steps:

./configure
make
make test
make install

The configure script is a small wrapper that passes build-related variables to CMake. For example, to use ninja as the build generator, add --generator=Ninja to the command line. Passing --help shows all available options.

The doc target builds the API documentation locally:

make doc

Scientific Use

When referring to VAST in a scientific context, please use the following citation:

@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}

You can download the paper from the NSDI '16 proceedings.

License

VAST comes with a 3-clause BSD license.