VAST's query language currently supports boolean expressions consisting of conjunctions (`&&`), disjunctions (`||`), and negations (`!`). The operands of these operations are either predicates or further sub-expressions.

A predicate has the form `LHS op RHS`. The left-hand side (`LHS`) and the right-hand side (`RHS`) each have a type. The relational operator `op` defines which operand types are compatible with each other. An operand is either an extractor or data.

An extractor retrieves a certain aspect of an event:

- `&time` extracts the event timestamp and requires an RHS of type
- `&name` extracts the event name and requires an RHS of type
- `:T` extracts any event argument having type `T`, in any event.
- `x[.y.z]` describes the event type or field names according to the schema.

A data operand is a fixed constant parsed according to the data grammar.

VAST comes with the following type extractors:

```
&name == "bro::conn"
&time > now - 2d && :string == "http" && (:addr in 192.168.0.0/24 || :addr == 127.0.0.1)
conn.ts < 2014-04-04 && "evil" in user_agent
```
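To make the grammar above concrete, here is a toy parser and evaluator for this predicate language, written as an added example; it is not VAST's own code and makes no claim about how VAST parses or indexes queries. It reads the three example queries into an AST (`&&`, `||`, `!`, predicates of the form `LHS op RHS`, and the four operand kinds `&time`, `&name`, `:T`, `x[.y.z]` plus data constants) and evaluates them against a constructed event. Everything the page does not state is an assumption: the token patterns, the operator set (`==`, `<`, `>`, `in`), `&&` binding tighter than `||`, the layout of the event record, the type names `string`, `addr` and `time`, and the rule that a leading path component such as `conn` in `conn.ts` must match the event type. One point worth noting for anyone building a query front end: a predicate whose operand types are incompatible (a timestamp compared with a string) evaluates to false instead of raising, so a malformed query cannot take the matcher down.

```python
# Added example, not VAST's own code: a toy parser and evaluator for the query grammar described
# above. Assumed rather than taken from the page: the token patterns, the operator set (==, <, >,
# in), `&&` binding tighter than `||`, the event layout, and the type names string/addr/time.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

TOKEN_RE = re.compile(r"""\s*(?:(?P<and>&&)|(?P<or>\|\|)|(?P<not>!)|(?P<lp>\()|(?P<rp>\))
    |(?P<op>==|<|>|\bin\b)|(?P<rel>now\s*-\s*\d+[smhd]|now)|(?P<str>"(?:[^"\\]|\\.)*")
    |(?P<cidr>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})|(?P<addr>\d{1,3}(?:\.\d{1,3}){3})|(?P<date>\d{4}-\d{2}-\d{2})
    |(?P<meta>&[a-z]+)|(?P<type>:[a-z]+)|(?P<field>[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*))""", re.VERBOSE)
UTC, UNITS = timezone.utc, {"s": 1, "m": 60, "h": 3600, "d": 86400}
TYPES = {"string": str, "time": datetime, "addr": (ipaddress.IPv4Address, ipaddress.IPv6Address)}
OPS = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b, "in": lambda a, b: a in b}

def tokenize(text):
    """Split a query into (kind, text) pairs; characters no pattern covers are a syntax error."""
    found = list(TOKEN_RE.finditer(text))
    if "".join(m.group(0) for m in found) != text.rstrip():
        raise SyntaxError(f"unrecognised input in {text!r}")
    return [(m.lastgroup, m.group(m.lastgroup)) for m in found]

def parse_data(kind, text, now):
    """Constant operand -> Python value (an approximation of the page's data grammar)."""
    if kind == "rel":  # "now" or "now - 2d"
        m = re.fullmatch(r"now\s*-\s*(\d+)([smhd])", text)
        return now if m is None else now - timedelta(seconds=int(m[1]) * UNITS[m[2]])
    return {"str": lambda: text[1:-1].replace('\\"', '"'),
            "cidr": lambda: ipaddress.ip_network(text, strict=False),
            "addr": lambda: ipaddress.ip_address(text),
            "date": lambda: datetime.fromisoformat(text).replace(tzinfo=UTC)}[kind]()

def parse(text, now=None):
    """Recursive descent to a tuple AST: ('and'|'or', l, r), ('not', x) or ('pred', lhs, op, rhs)."""
    toks, now = tokenize(text), now or datetime.now(UTC)
    def take(kind=None):
        if not toks or (kind and toks[0][0] != kind):
            raise SyntaxError(f"expected {kind or 'operand'}, got {toks[:1]}")
        return toks.pop(0)
    def chain(sub, kind):  # left-associative run of `sub` joined by the operator `kind`
        node = sub()
        while toks and toks[0][0] == kind:
            toks.pop(0)
            node = (kind, node, sub())
        return node
    def unary():
        if toks and toks[0][0] == "not":
            toks.pop(0)
            return ("not", unary())
        if toks and toks[0][0] == "lp":
            toks.pop(0)
            node, _ = chain(lambda: chain(unary, "and"), "or"), take("rp")
            return node
        return ("pred", operand(), take("op")[1], operand())
    def operand():
        kind, text = take()
        if kind in ("str", "cidr", "addr", "date", "rel"):
            return ("data", parse_data(kind, text, now))
        if kind in ("meta", "type", "field"):
            return ("extractor", kind, text)
        raise SyntaxError(f"operand expected, got {text!r}")
    node = chain(lambda: chain(unary, "and"), "or")  # disjunction of conjunctions: && binds tighter
    if toks:
        raise SyntaxError(f"trailing input: {toks[0][1]!r}")
    return node

def candidates(operand, event):
    """Values an operand denotes for this event; `:T` yields every argument of type T."""
    if operand[0] == "data":
        return [operand[1]]
    kind, text = operand[1:]
    if kind == "meta":
        return [event[text[1:]]] if text in ("&name", "&time") else []
    if kind == "type":
        return [v for v in event["args"].values() if isinstance(v, TYPES.get(text[1:], ()))]
    path = text.split(".")  # x[.y.z]: a leading type name must match the event's type (assumed)
    if len(path) > 1 and path.pop(0) != event["name"].split("::")[-1]:
        return []
    node = event["args"]
    for part in path:
        node = node.get(part) if isinstance(node, dict) else None
    return [] if node is None else [node]

def evaluate(node, event):
    """True when the event satisfies the expression; type-incompatible comparisons are false."""
    if node[0] in ("and", "or"):
        results = [evaluate(sub, event) for sub in node[1:]]
        return all(results) if node[0] == "and" else any(results)
    if node[0] == "not":
        return not evaluate(node[1], event)
    def holds(a, b):
        try:
            return bool(OPS[node[2]](a, b))
        except TypeError:  # e.g. a time compared with a string: no match, but no crash
            return False
    return any(holds(a, b) for a in candidates(node[1], event) for b in candidates(node[3], event))

FIXED_NOW = datetime(2014, 4, 4, tzinfo=UTC)  # constructed clock so "now - 2d" is repeatable
SAMPLE_EVENT = {"name": "bro::conn", "time": datetime(2014, 4, 3, 12, 0, tzinfo=UTC),  # constructed
                "args": {"ts": datetime(2014, 4, 3, 12, 0, tzinfo=UTC), "service": "http",
                         "orig_h": ipaddress.ip_address("192.168.0.7"), "user_agent": "evil-bot/1.0"}}
```

Usage: `evaluate(parse('&time > now - 2d && :string == "http"', FIXED_NOW), SAMPLE_EVENT)` returns `True` for the constructed event, and `evaluate(parse('!(&name == "bro::conn")'), SAMPLE_EVENT)` returns `False`. The `:T` extractor is given existential semantics here (the predicate holds if any argument of that type satisfies it), which is one natural reading of "any event argument having type T" but is an assumption about VAST, not something the page states.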