Visibility Across Space and Time (VAST) is a unified platform for network forensics and incident response.
Import a PCAP trace into a local VAST node in one shot:
vast -n import pcap < trace.pcap
Query a local node and get the result back as PCAP trace:
vast -n export pcap -h "sport > 60000/tcp && src !in 10.0.0.0/8" \
| ipsumdump --collate -w - \
| tcpdump -r - -nl
Start a node with debug log verbosity in the foreground:
vast -e 10.0.0.1 -l 5 start -f
Send Bro logs to the remote node:
zcat *.log.gz | vast -e 10.0.0.1 import bro
- Documentation
- Issue board
- Chat
- Contribution guidelines
- Project page
- Mailing lists:
- vast@icir.org: general help and discussion
- vast-commits@icir.org: full diffs of git commits
The VAST docker container provides a quick way to get up and running:
docker pull mavam/vast
docker run --rm -ti mavam/vast
> vast -h
Building VAST involves the following steps:
./configure
make
make test
make install
Required dependencies:
Optional:
FreeBSD ships with a C++14 compiler. One can install as the dependencies as follows:
pkg install cmake google-perftools
Even though FreeBSD provides a CAF port, VAST depends the develop branch and therefore requires a manual CAF installation.
On recent Debian-based distributions (e.g., Ubuntu 15.04), getting a working toolchain involves installing the following packages:
apt-get install clang libc++-dev cmake libpcap-dev libgoogle-perftools-dev
CAF offers binary packages via openSUSE's Build Service.
Mac OS Yosemite also ships with a working C++14 compiler. Homebrew makes it easy to install the dependencies:
brew install cmake google-perftools
brew install caf --HEAD
VAST comes with a 3-clause BSD licence.