# Configuration
Rockfish NDR uses YAML-based configuration with CLI overrides and environment-file credential management.
## Configuration Search Paths

Rockfish searches for configuration in this order:

1. `--config <path>` (CLI argument)
2. `./rockfish.yaml`
3. `/etc/rockfish/rockfish.yaml`
4. `~/.config/rockfish/rockfish.yaml`
## Full Configuration Reference

```yaml
# ============================================================
# Sensor
# ============================================================
sensor:
  name: prod-sensor-01          # Sensor name (default: hostname)

# ============================================================
# Input — EVE JSON source
# ============================================================
input:
  file: /var/log/suricata/eve.json    # Path to EVE JSON file
  socket: /var/run/suricata/eve.sock  # Or: Unix socket path
  socket_type: stream                 # stream (default) or dgram
  follow: true                        # Tail file like tail -F

# ============================================================
# Output — Parquet destination
# ============================================================
output:
  dir: /data/rockfish             # Output directory
  hive_partitioning: true         # year=YYYY/month=MM/day=DD/
  compression: zstd               # none, snappy, zstd
  flush_interval: 60              # Seconds between flushes
  memory_threshold: 1073741824    # 1 GB memory flush threshold
  partition: true                 # Partition by event type

# ============================================================
# Event Filtering
# ============================================================
events:
  include:                        # Only process these types
    - alert
    - flow
    - dns
    - http
    - tls
  exclude:                        # Skip these types
    - stats

# ============================================================
# S3 Upload
# ============================================================
s3:
  bucket: rockfish-data
  region: us-east-1
  prefix: ""                      # Optional key prefix
  delete_after_upload: false      # Delete local files after upload

# ============================================================
# Report
# ============================================================
report:
  output_dir: ./report
  time_window: "24 hours"
  theme: /etc/rockfish/theme.yaml   # Optional theme file
  custom_css: ""                    # Optional custom CSS path

# ============================================================
# Hunt
# ============================================================
hunt:
  time_window: "24 hours"
  detections: "beaconing,lateral,fanout,portscan,community"
  min_severity: medium
  scoring_method: hbos            # hbos or iforest
  internal_networks: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# ============================================================
# Alert — MQTT and Kafka publishing
# ============================================================
alert:
  mqtt:
    broker: localhost
    port: 1883
    client_id: rockfish-alert
    qos: 1
    topic_prefix: rockfish
    username: ""
    password: ""
    tls_enabled: false
  kafka:                          # Optional — requires kafka feature
    brokers: "localhost:9092"
    topic_prefix: rockfish
    client_id: rockfish-alert
    security_protocol: plaintext
    compression: none
  confidence_threshold: 0.75
  poll_interval_secs: 30
  heartbeat_interval_secs: 60
  dedup_window_secs: 300
  enabled_types:
    - signature
    - lateral_movement
    - c2_beacon
    - exfiltration
    - anomaly

# ============================================================
# Enrichment
# ============================================================
enrichment:
  geoip:
    database_path: /usr/share/GeoIP/GeoLite2-City.mmdb
    asn_database_path: /usr/share/GeoIP/GeoLite2-ASN.mmdb
  ip_reputation:
    enabled: true
    api_key: ${ABUSEIPDB_API_KEY}
    cache_path: /var/lib/rockfish/ip_cache.parquet
    cache_ttl_hours: 48
    memory_cache_size: 50000
    lookup_timeout_ms: 200

# ============================================================
# Data Retention
# ============================================================
retention: 30d                    # 30 days (supports: 7d, 24h, etc.)

# ============================================================
# HTTP Server
# ============================================================
http:
  dir: /var/lib/report            # Directory to serve
  host: 127.0.0.1                 # Bind address
  port: 8001                      # Bind port
  users_file: /opt/rockfish/etc/users   # Password file path
  session_expiry_hours: 24        # Session cookie lifetime
  auth: true                      # Enable authentication (false to disable)

# ============================================================
# License
# ============================================================
license: /etc/rockfish/license.json
```
## Environment File

Credentials and secrets should be stored in an environment file rather than the YAML config:

```bash
# /opt/rockfish/etc/rockfish.env
ROCKFISH_S3_BUCKET=rockfish-data
ROCKFISH_S3_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAEXAMPLE
AWS_SECRET_ACCESS_KEY=secretkey
ABUSEIPDB_API_KEY=your-api-key
MQTT_PASSWORD=broker-password
KAFKA_PASSWORD=kafka-password
```

The environment file path defaults to `/opt/rockfish/etc/rockfish.env` and can be overridden with `--env-file`.
## CLI Overrides

CLI arguments override YAML configuration values:

```bash
# Override sensor name and data directory
rockfish -c rockfish.yaml ingest --sensor custom-name -o /tmp/data

# Override MQTT broker for alert command
rockfish -c rockfish.yaml alert --mqtt-broker custom-host
```
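An added illustration (my own code, not Rockfish's) of the three mechanisms on this page working together: the search-path order, `${VAR}` substitution from the env file, and CLI overrides taking precedence over YAML. The fail-closed rule for an unset `${VAR}` and the dotted-key override form are assumptions, as is holding the parsed YAML as a plain dict (the sample config is embedded as a dict so the example needs no YAML library).

```python
import copy
import os
import re
# Search order from the docs: --config <path> first, then the fixed paths.
DEFAULT_SEARCH_PATHS = ["./rockfish.yaml", "/etc/rockfish/rockfish.yaml",
                        "~/.config/rockfish/rockfish.yaml"]
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def resolve_config_path(cli_config=None, exists=os.path.exists):
    # First existing candidate wins; `exists` is injectable for offline tests.
    candidates = ([cli_config] if cli_config else []) + DEFAULT_SEARCH_PATHS
    for cand in candidates:
        path = os.path.expanduser(cand)
        if exists(path):
            return path
    return None

def load_env_file(text):
    # KEY=VALUE lines of rockfish.env; '#' comments and blank lines skipped.
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def expand_secrets(node, env):
    # ${VAR} in string values is filled from env; an unset VAR raises KeyError
    # so a missing credential never silently becomes "" (assumed fail-closed rule).
    if isinstance(node, dict):
        return {k: expand_secrets(v, env) for k, v in node.items()}
    if isinstance(node, str):
        return PLACEHOLDER.sub(lambda m: env[m.group(1)], node)
    return node

def apply_cli_overrides(config, overrides):
    # CLI flags win over YAML: {"sensor.name": "x"} sets config["sensor"]["name"].
    merged = copy.deepcopy(config)
    for dotted, value in overrides.items():
        *parents, leaf = dotted.split(".")
        cursor = merged
        for key in parents:
            cursor = cursor.setdefault(key, {})
        cursor[leaf] = value
    return merged

# Constructed sample mirroring the reference above, not a real deployment.
SAMPLE_CONFIG = {"sensor": {"name": "prod-sensor-01"}, "output": {"dir": "/data/rockfish"},
                 "enrichment": {"ip_reputation": {"api_key": "${ABUSEIPDB_API_KEY}"}}}
SAMPLE_ENV = "# /opt/rockfish/etc/rockfish.env\nABUSEIPDB_API_KEY=your-api-key\n"

def effective_config(cli_overrides, env_text=SAMPLE_ENV, config=SAMPLE_CONFIG):
    # Precedence CLI > YAML, then secrets are filled in from the env file.
    return expand_secrets(apply_cli_overrides(config, cli_overrides), load_env_file(env_text))
```

Running `effective_config({"sensor.name": "custom-name", "output.dir": "/tmp/data"})` mirrors the `ingest` command above, and calling it with an env file that lacks `ABUSEIPDB_API_KEY` fails at load time rather than starting with an empty API key.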
## Environment Variable Overrides

Alert command options can also be set via environment variables:

| Variable | Description |
|---|---|
| MQTT_BROKER | MQTT broker hostname |
| MQTT_PORT | MQTT broker port |
| MQTT_USERNAME | MQTT authentication username |
| MQTT_PASSWORD | MQTT authentication password |
| MQTT_CLIENT_ID | MQTT client identifier |
| MQTT_TOPIC_PREFIX | MQTT topic prefix |
| KAFKA_ENABLED | Enable Kafka transport |
| KAFKA_BROKERS | Kafka broker addresses |
| KAFKA_USERNAME | Kafka SASL username |
| KAFKA_PASSWORD | Kafka SASL password |
| CONFIDENCE_THRESHOLD | Minimum alert confidence |