Visibility Across Space and Time (VAST) is a platform for network forensics at scale.
Ingest a PCAP trace into a local VAST node:
vast -n import pcap < trace.pcap
Query a local VAST node and get the result back as PCAP trace:
vast -n export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
| ipsumdump --collate -w - \
| tcpdump -r - -nl
Start a VAST node in the foreground, listening at 10.0.0.1:
vast -e 10.0.0.1 start -f
Send Bro logs to a remote node:
zcat *.log.gz | vast import bro
- Chat: Gitter
- Twitter: @vast_io
- Mailing lists:
- [email protected]: general help and discussion
- [email protected]: full diffs of git commits
Building VAST involves the following steps:
./configure
make
make test
make install
Required dependencies:
Optional:
FreeBSD ships with a C++14 compiler. One can install as the dependencies as follows:
pkg install cmake
Even though FreeBSD provides a CAF port, VAST currently depends the CAF develop branch and therefore requires manual installation.
On recent Debian-based distributions, getting a working toolchain involves installing the following packages:
apt-get install cmake
CAF offers binary packages via openSUSE's Build Service.
Mac OS also ships with a C++14 compiler out of the box. Homebrew makes it easy to install the dependencies:
brew install cmake
brew install caf --HEAD
When referring to VAST in a scientific context, please use the following citation:
@InProceedings{nsdi16:vast,
author = {Matthias Vallentin and Vern Paxson and Robin Sommer},
title = {{VAST: A Unified Platform for Interactive Network Forensics}},
booktitle = {Proceedings of the USENIX Symposium on Networked Systems
Design and Implementation (NSDI)},
month = {March},
year = {2016}
}
You can download the paper from the NSDI '16 proceedings.
VAST comes with a 3-clause BSD licence.