Visibility Across Space and Time (VAST) is a unified platform for network forensics and incident response.

Start a VAST node with debug log verbosity in the foreground and spawn all core actors:

vastd -l 5 -f -c

Import Bro logs or a PCAP trace in one shot:

zcat *.log.gz | vast import bro
vast import pcap < trace.pcap

Query VAST and get the result back as PCAP trace:

vast export pcap -h "sport > 60000/tcp && src !in 10.0.0.0/8"

• Documentation
• Issue board
• Chat
• Contribution guidelines
• Project page
• Mailing lists:
  • [email protected]: general help and discussion
  • [email protected]: full diffs of git commits

The VAST docker container provides a quick way to get up and running:

docker pull mavam/vast
docker run --rm -ti mavam/vast
> vast -h

Building VAST involves the following steps:

./configure
make
make test
make install

Required dependencies:

• A C++14 compiler:
  • Clang >= 3.4
  • GCC >= 5
• CMake
• CAF (develop branch)
• Boost (headers only)

Optional:

• libpcap
• gperftools
• Doxygen
• md2man

VAST development primarily takes place on FreeBSD because it ships with a C++14 compiler. One can install as the dependencies as follows:

pkg install cmake boost-libs google-perftools

FreeBSD provides a CAF port, but VAST currently requires the develop branch, requiring manual installation.

On recent Debian-based distributions (e.g., Ubuntu 15.04), getting a working toolchain requires installing the following packages:

apt-get install clang libc++-dev cmake # build harness
apt-get install libboost-dev libpcap-dev libgoogle-perftools-dev

CAF also requires manual installation.

Mac OS Yosemite also ships with a working C++14 compiler. Homebrew makes it easy to install the dependencies:

brew install cmake boost google-perftools
brew install caf --HEAD

VAST comes with a 3-clause BSD licence.