Quickstart
This notebook showcases the key use cases of VAST in an interactive manner.
This page is work in progress. It is the first example of a notebook-based approach to writing user guides, but the content and the CI workflow are not fully fleshed out yet. Stay tuned.
Install VAST
First, let's get a VAST binary to play with. The easiest way to set up VAST is to download the static Linux binary.
After following the instructions to add /opt/vast/bin to your PATH, test whether you are ready to use VAST:
vast version
Start a VAST node
Begin by starting a VAST node:
vast start
[14:12:09.207] VAST v2.1.0 is listening on localhost:42000
The node now listens on localhost:42000; client commands issued from other terminals connect to it there.
Test the connection from a second terminal with vast status, which prints a JSON summary of the node:
{
"current-memory-usage": 10322685460480,
"database-path": "/tmp/vast",
"in-memory-table-slices": 0,
"peak-memory-usage": 645167841280
}
Ingest data
Now that we have a running VAST node, let's ingest some data.
We prepared a dataset derived from one day of the M57 recording, injected with malicious traffic from malware-traffic-analysis.net. The timestamps were adjusted so that the malware activity falls on the same day as the background noise.
cd /tmp
curl -OL TODO
# one import per file: a '<' redirection cannot read several files at once
for f in dataset/PCAP/*.pcap; do vast import pcap < "$f"; done
for f in dataset/Zeek/*.log; do vast import zeek < "$f"; done
vast import suricata < dataset/Suricata/eve.json
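The import step above as a small reusable script. This is an added example, not code from the VAST project: it first checks that a node answers vast status, then hands every dataset file to vast import one at a time in the matching format, because a shell redirection with a glob only works when exactly one file matches. The directory layout (PCAP/, Zeek/, Suricata/eve.json under the dataset), the VAST_BIN and DATASET variables, and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the VAST docs): ingest the quickstart dataset into
# a running VAST node, one `vast import` per file.
# Assumed layout: $DATASET/PCAP/*.pcap, $DATASET/Zeek/*.log,
#                 $DATASET/Suricata/eve.json
# VAST_BIN lets you point at a binary that is not on PATH (assumption).
VAST_BIN="${VAST_BIN:-vast}"

# Succeeds only if a client can reach a node: `vast status` prints the node's
# JSON summary and fails when no node listens on the configured endpoint.
vast_node_up() {
  "$VAST_BIN" status >/dev/null 2>&1
}

# import_dir FORMAT DIR GLOB
# Runs `vast import FORMAT < file` for every file in DIR matching GLOB, so the
# shell never has to redirect from several files at once (which is an error).
# Prints the number of files imported; returns 1 if any import failed.
import_dir() {
  format=$1
  dir=$2
  glob=$3
  count=0
  failed=0
  for f in "$dir"/$glob; do
    [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
    if "$VAST_BIN" import "$format" < "$f"; then
      count=$((count + 1))
    else
      echo "import of $f as $format failed" >&2
      failed=1
    fi
  done
  echo "$count"
  return "$failed"
}

# ingest_dataset DIR: refuse to start without a node, then import each
# subdirectory in the format VAST expects for it.
ingest_dataset() {
  dataset=$1
  if ! vast_node_up; then
    echo "no VAST node reachable; run 'vast start' first" >&2
    return 1
  fi
  import_dir pcap "$dataset/PCAP" '*.pcap' &&
  import_dir zeek "$dataset/Zeek" '*.log' &&
  import_dir suricata "$dataset/Suricata" 'eve.json'
}

# Usage: DATASET=/tmp/dataset sh ingest.sh
if [ -n "${DATASET:-}" ]; then
  ingest_dataset "$DATASET"
fi
```

Each subdirectory is imported separately so that a corrupt file aborts only that file's import and is reported on stderr, while the counts printed on stdout tell you how many files actually reached the node.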
Run queries
With the data loaded into the node, we can now answer some questions.