Skip to content

kkpan11/tenzir

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 Cannot retrieve latest commit at this time.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

VAST VAST

Visibility Across Space and Time

The network telemetry engine for data-driven security investigations.

Build Status Static Build Status Examples Status Changelog Since Release License

Getting StartedInstallationDocumentationDevelopmentChangelogLicense and Scientific Use

Chat

Key Features

  • High-Throughput Ingestion: import numerous log formats over 100k events/second, including Zeek, Suricata, JSON, and CSV.

  • Low-Latency Queries: sub-second response times over the entire data lake, thanks to multi-level bitmap indexing and actor model concurrency. Particularly helpful for instant indicator checking over the entire dataset.

  • Flexible Export: access data in common text formats (ASCII, JSON, CSV), in binary form (MRT, PCAP), or via zero-copy relay through Apache Arrow for arbitrary downstream analysis.

  • Powerful Data Model and Query Language: the generic semi-structured data model allows for expressing complex data in a typed fashion. An intuitive query language that feels like grep and awk at scale enables powerful subsetting of data with domain-specific operations, such as top-k prefix search for IP addresses and subset relationships.

  • Schema Pivoting: the missing link to navigate between related events, e.g., extracting a PCAP for a given IDS alert, or locating all related logs for a given query.

Get VAST

We offer pre-packaged versions of VAST for download:

  • stable: see the artifacts of the latest official VAST release
  • development: we offer a static build of the master branch for Linux
curl -L -O https://storage.googleapis.com/tenzir-public-data/vast-static-builds/vast-static-latest.tar.gz

Unpack the archive. It contains three folders bin, etc, and share. To get started invoke the binary in the bin directory directly.

tar xfz vast-static-latest.tar.gz
bin/vast --help

To install VAST locally, simply place the unpacked directories in your install prefix, e.g., /usr/local.

The installation guide contains more detailed and platform-specific instructions on how to build and install VAST for all supported platforms.

Getting Started

Here are some commands to get a first glimpse of what VAST can do for you.

Start a VAST node:

vast start

Ingest Zeek logs of various kinds:

zcat *.log.gz | vast import zeek

Run a query over the last hour, rendered as JSON:

vast export json ':timestamp > 1 hour ago && (6.6.6.6 || 5353/udp)'

Ingest a PCAP trace with a 1024-byte flow cutoff:

vast import pcap -c 1024 < trace.pcap

Run a query over PCAP data, sort the packets by time, and feed them into tcpdump:

vast export pcap "sport > 60000/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

License and Scientific Use

VAST comes with a 3-clause BSD license. When referring to VAST in a scientific context, please use the following citation:

@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems
               Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}

You can download the paper from the NSDI '16 proceedings.

Developed with ❤️ by Tenzir

About

Open source security data pipelines.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 89.7%
  • CMake 3.2%
  • Shell 2.5%
  • Python 1.7%
  • Pawn 1.0%
  • Nix 0.8%
  • Other 1.1%