View Code? Open in Web Editor NEW

This project forked from tenzir/tenzir

:crystal_ball: Visibility Across Space and Time

License: BSD 3-Clause "New" or "Revised" License

Gnuplot 0.01% CMake 1.25% C 18.20% C++ 76.29% Objective-C++ 0.36% Shell 0.49% Makefile 1.34% HTML 0.86% Roff 0.30% Python 0.90% Awk 0.01%

vast's Introduction

VAST

Visibility Across Space and Time (VAST) is a platform for network forensics at scale.

Synopsis

Ingest a PCAP trace into a local VAST node:

vast -n import pcap < trace.pcap

Query a local VAST node and get the result back as PCAP trace:

vast -n export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

Start a VAST node in the foreground, listening at 10.0.0.1:

vast -e 10.0.0.1 start -f

Send Bro logs to a remote node:

zcat *.log.gz | vast import bro

Resources

Contact

Chat: Gitter
Twitter: @vast_io
Mailing lists:
- [email protected]: general help and discussion
- [email protected]: full diffs of git commits

Installation

Required dependencies:

A C++17 compiler:
- Clang 5
- GCC 7
CMake
CAF (develop branch)

Optional dependencies:

Source Build

Building VAST involves the following steps:

./configure
make
make test
make install

The configure script is a small wrapper that passes build-related variables to CMake. For example, to use ninja as build generator, add --generator=Ninja to the command line. Passing --help shows all available options.

The doc target builds the API documentation locally:

make doc

Scientific Use

When referring to VAST in a scientific context, please use the following citation:

@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}

You can download the paper from the NSDI '16 proceedings.