The network telemetry engine for data-driven security investigations.
Getting Started— Installation— Documentation— Development— Changelog— License and Scientific Use
Chat with us on Gitter, or join us on Matrix at #tenzir_vast:gitter.im
.
Key Features
High-Throughput Ingestion: import numerous log formats over 100k events/second, including Zeek, Suricata, JSON, and CSV.
Low-Latency Queries: sub-second response times over the entire data lake, thanks to multi-level bitmap indexing and actor model concurrency. Particularly helpful for instant indicator checking over the entire dataset.
Flexible Export: access data in common text formats (ASCII, JSON, CSV), in binary form (MRT, PCAP), or via zero-copy relay through Apache Arrow for arbitrary downstream analysis.
Powerful Data Model and Query Language: the generic semi-structured data model allows for expressing complex data in a typed fashion. An intuitive query language that feels like grep and awk at scale enables powerful subsetting of data with domain-specific operations, such as top-k prefix search for IP addresses and subset relationships.
Schema Pivoting: the missing link to navigate between related events, e.g., extracting a PCAP for a given IDS alert, or locating all related logs for a given query.
Get VAST
Linux users can download our latest static binary release via browser or cURL.
curl -L -O https://storage.googleapis.com/tenzir-public-data/vast-static-builds/vast-static-latest.tar.gz
Unpack the archive. It contains three folders bin
, etc
, and share
. To get started invoke the binary in the bin
directory directly.
tar xfz vast-static-latest.tar.gz
bin/vast --help
To install VAST properly for your local user simly place the unpacked folders in /usr/local/
.
FreeBSD and macOS users have to build from source. Clone the master
branch to get the most recent version of VAST.
git clone --recursive https://github.com/tenzir/vast
Once you have all dependencies in place, build VAST with the following commands:
./configure
cmake --build build
cmake --build build --target test
cmake --build build --target integration
cmake --build build --target install
The installation guide contains more detailed and platform-specific instructions on how to build and install VAST.
Getting Started
Here are some commands to get a first glimpse of what VAST can do for you.
Start a VAST node:
vast start
Ingest Zeek logs of various kinds:
zcat *.log.gz | vast import zeek
Run a query over the last hour, rendered as JSON:
vast export json ':timestamp > 1 hour ago && (6.6.6.6 || 5353/udp)'
Ingest a PCAP trace with a 1024-byte flow cutoff:
vast import pcap -c 1024 < trace.pcap
Run a query over PCAP data, sort the packets by time, and feed them intotcpdump
:
vast export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
| ipsumdump --collate -w - \
| tcpdump -r - -nl
License and Scientific Use
VAST comes with a 3-clause BSD license. When referring to VAST in a scientific context, please use the following citation:
@InProceedings{nsdi16:vast,
author = {Matthias Vallentin and Vern Paxson and Robin Sommer},
title = {{VAST: A Unified Platform for Interactive Network Forensics}},
booktitle = {Proceedings of the USENIX Symposium on Networked Systems
Design and Implementation (NSDI)},
month = {March},
year = {2016}
}
You can download the paper from the NSDI '16 proceedings.
Developed with ❤️ by Tenzir