Visibility Across Space and Time (VAST) is a unified platform for network forensics and incident response.
Start a VAST node with debug log verbosity in the foreground and spawn all core actors:
vastd -l 5 -f -c
Import Bro logs or a PCAP trace in one shot:
zcat *.log.gz | vast import bro
vast import pcap < trace.pcap
Query VAST and get the result back as a PCAP trace:
vast export pcap -h "sport > 60000/tcp && src !in 10.0.0.0/8"
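To make the filter expression above concrete, here is an added example that is not code from the VAST project: a small evaluator that applies the same kind of expression to constructed flow records. It assumes (my reading, not VAST's documented semantics) that a `60000/tcp` literal matches on both port number and transport protocol, that `in`/`!in` test CIDR membership, and that `&&` joins predicates conjunctively.

```python
# Added example, not code from the VAST project: a tiny evaluator for the
# filter expression shown in the README, run over constructed flow records.
# Assumptions (mine, not VAST's documented semantics): a `60000/tcp` literal
# matches on both port number and transport protocol, `in`/`!in` test CIDR
# membership, and `&&` joins predicates conjunctively.
import ipaddress
import operator
import re

# Constructed sample flows, not real VAST data: src address, (sport, proto).
FLOWS = [
    {"src": "10.1.2.3", "sport": (61000, "tcp")},      # internal source
    {"src": "203.0.113.5", "sport": (61234, "tcp")},   # external, high tcp port
    {"src": "203.0.113.9", "sport": (61234, "udp")},   # external, but udp
    {"src": "198.51.100.2", "sport": (443, "tcp")},    # external, low port
]

PRED = re.compile(r"^\s*(\w+)\s*(==|!=|>=|<=|>|<|!in|in)\s*(\S+)\s*$")
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def parse_value(text):
    """Turn a literal into a (port, proto) pair, an IP network, or an int."""
    if "/" in text:
        left, right = text.split("/", 1)
        if left.isdigit() and not right.isdigit():
            return (int(left), right)                       # e.g. 60000/tcp
        return ipaddress.ip_network(text, strict=False)     # e.g. 10.0.0.0/8
    return int(text) if text.isdigit() else text

def match_predicate(record, pred):
    """Evaluate one `field op value` predicate against a record."""
    field, op, raw = PRED.match(pred).groups()
    value = parse_value(raw)
    actual = record[field]
    if op in ("in", "!in"):
        hit = ipaddress.ip_address(actual) in value
        return hit if op == "in" else not hit
    if isinstance(value, tuple):  # port literal: protocol must match, then compare port
        port, proto = actual
        return proto == value[1] and OPS[op](port, value[0])
    return OPS[op](actual, value)

def query(records, expr):
    """Return the records for which every `&&`-joined predicate holds."""
    preds = expr.split("&&")
    return [r for r in records if all(match_predicate(r, p) for p in preds)]

if __name__ == "__main__":
    for flow in query(FLOWS, "sport > 60000/tcp && src !in 10.0.0.0/8"):
        print(flow["src"], flow["sport"])  # prints: 203.0.113.5 (61234, 'tcp')
```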
- Documentation
- Issue board
- Chat
- Contribution guidelines
- Project page
- Mailing lists:
- [email protected]: general help and discussion
- [email protected]: full diffs of git commits
The VAST docker container provides a quick way to get up and running:
docker pull mavam/vast
docker run --rm -ti mavam/vast
> vast -h
Building VAST involves the following steps:
./configure
make
make test
make install
Required dependencies:
Optional:
VAST development primarily takes place on FreeBSD because it ships with a C++14 compiler. One can install the dependencies as follows:
pkg install cmake boost-libs google-perftools
FreeBSD provides a CAF port, but VAST currently requires CAF's develop branch, which must be installed manually.
On recent Debian-based distributions (e.g., Ubuntu 15.04), getting a working toolchain requires installing the following packages:
apt-get install clang libc++-dev cmake # build harness
apt-get install libboost-dev libpcap-dev libgoogle-perftools-dev
CAF also requires manual installation.
Mac OS Yosemite also ships with a working C++14 compiler. Homebrew makes it easy to install the dependencies:
brew install cmake boost google-perftools
brew install caf --HEAD
VAST comes with a 3-clause BSD licence.