Installation

Building from Source

Rockfish NDR is built with Rust. You need a working Rust toolchain (1.75+).

Prerequisites

# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# DuckDB library (required)
# The DuckDB shared library must be available at build time.
# Set DUCKDB_LIB_DIR to the directory containing libduckdb.so
export DUCKDB_LIB_DIR=/usr/local/lib

Standard Build

# Build with default features (all commands enabled)
cargo build --release -p rockfish-cli

# The binary is at:
ls -la target/release/rockfish

Feature-Selective Build

# Build with only report and hunt
cargo build --release -p rockfish-cli --features report,hunt

# Build with Kafka support
cargo build --release -p rockfish-cli --features report,hunt,kafka

Available Features

Feature	Description	Default
`s3`	S3 upload support for Parquet files	Yes
`mcp`	MCP (Model Context Protocol) server	Yes
`hunt`	Graph-based threat detection engine	Yes
`report`	Static HTML report generation	Yes
`chat`	AI chat server with MCP integration	Yes
`geoip`	MaxMind GeoIP lookups	Yes
`ip_reputation`	AbuseIPDB integration	Yes
`kafka`	Apache Kafka transport for alerts	No
`bundled`	Bundle DuckDB (no system library needed)	No

Deployment

Copy Binary

# Deploy to standard location
cp target/release/rockfish /opt/rockfish/bin/rockfish

# Create configuration directories
mkdir -p /opt/rockfish/etc
mkdir -p /opt/rockfish/shared/extensions

Configuration File

# Copy or create configuration
cp rockfish.yaml /opt/rockfish/etc/rockfish.yaml

Rockfish searches for configuration in this order:

--config <path> (CLI argument)
./rockfish.yaml
/etc/rockfish/rockfish.yaml
~/.config/rockfish/rockfish.yaml

Environment File

Credentials and secrets are stored in an environment file:

# Create environment file
cat > /opt/rockfish/etc/rockfish.env << 'EOF'
ROCKFISH_S3_BUCKET=rockfish-data
ROCKFISH_S3_REGION=us-east-1
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
ABUSEIPDB_API_KEY=...
EOF

Docker Deployment

Production Image

Build and run Rockfish NDR in a container with all features:

# Build the image
docker build -t rockfish:latest -f Dockerfile .

# Run with configuration and data volumes
docker run -d \
  --name rockfish \
  -v /opt/rockfish/etc:/opt/rockfish/etc:ro \
  -v /data/rockfish:/data/rockfish \
  -p 3000:3000 \
  -p 8082:8082 \
  rockfish:latest ingest --socket /var/run/suricata/eve.sock

The production image includes all default features plus Kafka support, with DuckDB bundled from source.

Port	Service
`3000`	MCP server
`8082`	Chat server

Demo Report Image

Generate a self-contained demo report served by nginx:

# Build the demo image
docker build -t rockfish-demo:latest -f Dockerfile.demo .

# Run on port 8080
docker run -d --name rockfish-demo -p 8080:8080 rockfish-demo:latest

Open http://localhost:8080 to view the demo report.

Verify Installation

# Check version
rockfish --version

# Show configuration and features
rockfish config

Next Steps

Quick Start - Ingest, hunt, and report in minutes
Configuration - Full YAML configuration reference

Keyboard shortcuts

Rockfish NDR Documentation