This notebook showcases the key use cases of VAST in an interactive manner.
This page is work in progress. It is the first example of a notebook-based approach of writing user guides, but the content and CI-workflow is not fully fleshed out. Stay tuned.
First, let’s get a VAST binary to play with. The easiest way to setup VAST is downloading a static binary on Linux.
Following the instructions to add
/opt/vast/bin to your
whether you are ready to use VAST:
Start a VAST node
Begin with starting a VAST node:
[14:12:09.207] VAST v2.1.0 is listening on localhost:42000
This command creates a listening socket at
localhost:42000 that you can now
interact with client commands from other terminals.
Test the connection with a new command:
After we have a VAST node to interact with, let’s ingest some data.
We prepared a dataset derived from one day of the M57 recording and injected with malicious traffic from malware-trafic-analysis.net, adjusting timestamps such that the malware activity occurs in the same day as the background noise.
curl -OL TODO
vast import pcap < dataset/PCAP/*.pcap
vast import zeek < dataset/Zeek/*.log
vast import suricata < dataset/Suricata/eve.json
With a loaded VAST node, we can now answer some questions.