Version: VAST v3.1

Cloud matchers

Commercial Plugin

This feature is available as a commercial plugin that runs on top of open-source VAST. Please contact us if you'd like to try it out.

We provide a reference architecture and deployment scripts to have matchers running in the AWS cloud.

In order to deploy VAST in the AWS cloud with the Pro image, follow the steps described in the deployment guide.

Architecture

To deploy matchers in the cloud, we need to instantiate two main cloud resources:

  • an SQS queue to reliably store and distribute the matched events
  • a long-running Fargate client that attaches to the VAST server and publishes the matches to the queue

Figure: AWS architecture diagram (SQS queue and Fargate matcher client alongside the VAST server).

Intended to be replaced by the Fabric

Using SQS here is just a POC. It will be replaced in the near future by the Fabric.

Setup

You first need to set up the base configuration as described in the deployment guide. The only difference is that you should activate the matcher plugin in the .env file:

VAST_CLOUD_PLUGIN = pro,matcher

After updating the config, run:

./vast-cloud deploy

You can then create VAST matchers through the Lambda client:

./vast-cloud vast.lambda-client -c "vast matcher start --mode=exact --match-types=ip feodo"

Similarly, you can load indicators into the created matchers.

We provide scripts that create and load matchers from external feeds such as the Feodo Tracker:

./vast-cloud vast.lambda-client -c file://$(pwd)/resources/scripts/matcher/feodo.sh

Note: vast.lambda-client requires an absolute path when running a script from file.

Once the matchers are created, start the matcher client that will publish all matches to the managed queue:

./vast-cloud matcher.start-client
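The setup steps above, combined into one POSIX shell script. This is an added example and not part of the VAST cloud project; it assumes the .env file and the ./vast-cloud wrapper live in the current directory, keeps the VAST_CLOUD_PLUGIN variable and the feodo.sh path as shown on this page, and adds two small helpers (enable_matcher_plugin and script_url are hypothetical names) so the plugin line is set exactly once and the file:// script path is always absolute, as vast.lambda-client requires.

```shell
#!/usr/bin/env sh
# Added example (not project code): bring up cloud matchers end to end.
set -eu

ENV_FILE="${ENV_FILE:-.env}"
VAST_CLOUD="${VAST_CLOUD:-./vast-cloud}"   # override (e.g. with "echo") for a dry run

# Idempotently set VAST_CLOUD_PLUGIN = pro,matcher in the .env file:
# replace an existing assignment or append one, never duplicate it.
enable_matcher_plugin() {
  file="$1"
  if grep -q '^VAST_CLOUD_PLUGIN[[:space:]]*=' "$file" 2>/dev/null; then
    sed -i.bak 's/^VAST_CLOUD_PLUGIN[[:space:]]*=.*/VAST_CLOUD_PLUGIN = pro,matcher/' "$file"
    rm -f "$file.bak"
  else
    printf 'VAST_CLOUD_PLUGIN = pro,matcher\n' >> "$file"
  fi
}

# vast.lambda-client only accepts absolute paths in file:// URLs, so
# resolve a relative script path against the current directory.
script_url() {
  p="${1#./}"
  d="$(pwd)"; d="${d%/}"
  case "$p" in
    /*) printf 'file://%s\n' "$p" ;;
    *)  printf 'file://%s/%s\n' "$d" "$p" ;;
  esac
}

# Deploy, create the exact-match IP matcher, load the Feodo feed script,
# and start the client that publishes matches to the SQS queue.
bring_up_matchers() {
  feed_script="${1:-resources/scripts/matcher/feodo.sh}"
  "$VAST_CLOUD" deploy
  "$VAST_CLOUD" vast.lambda-client -c "vast matcher start --mode=exact --match-types=ip feodo"
  "$VAST_CLOUD" vast.lambda-client -c "$(script_url "$feed_script")"
  "$VAST_CLOUD" matcher.start-client
}

# Only act when invoked as: ./bring-up-matchers.sh run [feed-script]
if [ "${1:-}" = "run" ]; then
  enable_matcher_plugin "$ENV_FILE"
  bring_up_matchers "${2:-}"
fi
```

Run with VAST_CLOUD=echo to print the commands that would be issued without touching the AWS account.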

Example usage

Dependencies

To run this example, you need to enable the workbucket and tests cloud plugins, then run:

./vast-cloud deploy

The matcher triggers when events containing a registered IoC are imported into VAST. The test datasets include a flow logs extract containing traffic that is currently flagged by the Feodo Tracker:

./vast-cloud tests.import-data --dataset=flowlogs

You can listen to matched events published on AWS SQS:

./vast-cloud matcher.attach

Tip

Matched events are kept in the queue only for a few minutes.