Quickstart

This notebook showcases the key use cases of VAST in an interactive manner.

Work in Progress

This page is work in progress. It is the first example of a notebook-based approach of writing user guides, but the content and CI-workflow is not fully fleshed out. Stay tuned.

Install VAST

First, let’s get a VAST binary to play with. The easiest way to setup VAST is downloading a static binary on Linux.

Following the instructions to add /opt/vast/bin to your PATH, test whether you are ready to use VAST:

vast version

Start a VAST node

Begin with starting a VAST node:

vast start

[14:12:09.207] VAST v2.1.0 is listening on localhost:42000

This command creates a listening socket at localhost:42000 that you can now interact with client commands from other terminals.

Test the connection with a new command:

{
  "current-memory-usage": 10322685460480,
  "database-path": "/tmp/vast",
  "in-memory-table-slices": 0,
  "peak-memory-usage": 645167841280
}

Ingest data

After we have a VAST node to interact with, let’s ingest some data.

We prepared a dataset derived from one day of the M57 recording and injected with malicious traffic from malware-trafic-analysis.net, adjusting timestamps such that the malware activity occurs in the same day as the background noise.

cd /tmp
curl -OL TODO
vast import pcap < dataset/PCAP/*.pcap
vast import zeek < dataset/Zeek/*.log
vast import suricata < dataset/Suricata/eve.json

Run queries

With a loaded VAST node, we can now answer some questions.

Quickstart

Install VAST​

Start a VAST node​

Ingest data​

Run queries​

Install VAST

Start a VAST node

Ingest data

Run queries