
Enables Bro to communicate with VAST


Zeek & VAST

This package enables Zeek to communicate with VAST, a scalable platform for network forensics. Combining VAST and Zeek allows threat hunters to automate routine tasks, such as correlating new intelligence feed items with data from the past.

Features

  • Historic intelligence lookups: when new intelligence becomes available, go back in time and look for connections that involved the new intelligence.

  • Query arbitrary data in VAST.

Installation

The scripts ship as a Zeek package. Installation follows the standard procedure:

zkg install zeek-vast

Usage

First, make sure that VAST and zeek-to-vast are running, otherwise the scripts will not be able to communicate with VAST.

To enable historic intelligence lookups, just load the following script:

@load zeek-vast/intel.zeek

Zeek then generates a new file historic-intel.log with the results of historic intelligence lookups.

To test your setup locally, you can load the example intel file as follows:

zeek 'Intel::read_files += {"example.intel"}' scripts/intel.zeek

Configuration

See the export section of the scripts for a complete description of tuning knobs.

intel.zeek

This script integrates VAST with the intelligence framework: whenever Zeek processes a new intelligence item, the script performs a historic lookup for the new item in VAST. If relevant data exists, VAST sends the result back, which the script then writes into the file historic-intel.log.

If there's currently no connection to VAST, then the script queues the item until the connection becomes available again.

main.zeek

This script defines the basic functions to communicate with VAST. You can configure how Zeek should connect to zeek-to-vast with the two variables VAST::bridge_host and VAST::bridge_port. They default to 127.0.0.1 and 43000/tcp.
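As an added example (not part of the zeek-vast package), the following Python preflight checks that a listener accepts connections at VAST::bridge_host/VAST::bridge_port before Zeek is started, and renders the site-script lines that load intel.zeek, point it at a non-default bridge, and register intel files. It assumes that VAST::bridge_host and VAST::bridge_port can be overridden with redef, as the description above implies.

```python
"""Preflight for a zeek-vast deployment: verify the zeek-to-vast bridge is
reachable, then emit the site-script fragment that points intel.zeek at it."""
import socket

# Defaults stated in the README for VAST::bridge_host and VAST::bridge_port.
DEFAULT_BRIDGE_HOST = "127.0.0.1"
DEFAULT_BRIDGE_PORT = 43000


def bridge_reachable(host=DEFAULT_BRIDGE_HOST, port=DEFAULT_BRIDGE_PORT, timeout=2.0):
    """True if a TCP listener accepts connections at host:port.

    Only proves that something listens there, not that it is zeek-to-vast;
    it catches the common failure the README warns about (bridge not running).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def site_script(intel_files, host=DEFAULT_BRIDGE_HOST, port=DEFAULT_BRIDGE_PORT):
    """Render a local.zeek fragment: load intel.zeek, override the bridge
    address only when it differs from the defaults, and register intel files.
    Assumes VAST::bridge_host and VAST::bridge_port are redef-able."""
    for f in intel_files:
        # File names are interpolated into Zeek source, so reject quote/newline.
        if any(c in f for c in '"\n'):
            raise ValueError(f"unsafe intel file name: {f!r}")
    lines = ["@load zeek-vast/intel.zeek"]
    if host != DEFAULT_BRIDGE_HOST:
        lines.append(f'redef VAST::bridge_host = "{host}";')
    if port != DEFAULT_BRIDGE_PORT:
        lines.append(f"redef VAST::bridge_port = {port}/tcp;")
    if intel_files:
        files = ", ".join(f'"{f}"' for f in intel_files)
        lines.append(f"redef Intel::read_files += {{ {files} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    host, port = DEFAULT_BRIDGE_HOST, DEFAULT_BRIDGE_PORT
    if not bridge_reachable(host, port):
        raise SystemExit(f"no listener at {host}:{port}; start VAST and zeek-to-vast first")
    # example.intel is the test feed mentioned in the README (constructed usage)
    print(site_script(["example.intel"], host, port))
```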

License

This Zeek package comes with a BSD license.