# Installation

## Building from Source

Rockfish NDR is built with Rust. You need a working Rust toolchain (1.75+).

### Prerequisites

```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# DuckDB library (required)
# The DuckDB shared library must be available at build time.
# Set DUCKDB_LIB_DIR to the directory containing libduckdb.so
export DUCKDB_LIB_DIR=/usr/local/lib
```

### Standard Build

```bash
# Build with default features (all commands enabled)
cargo build --release -p rockfish-cli

# The binary is at:
ls -la target/release/rockfish
```

### Feature-Selective Build

`cargo build --features` adds to the default feature set; pass `--no-default-features` to build only the features you list.

```bash
# Build with only report and hunt
cargo build --release -p rockfish-cli --no-default-features --features report,hunt

# Build with Kafka support
cargo build --release -p rockfish-cli --no-default-features --features report,hunt,kafka
```
### Available Features

| Feature | Description | Default |
|---|---|---|
| s3 | S3 upload support for Parquet files | Yes |
| mcp | MCP (Model Context Protocol) server | Yes |
| hunt | Graph-based threat detection engine | Yes |
| report | Static HTML report generation | Yes |
| chat | AI chat server with MCP integration | Yes |
| geoip | MaxMind GeoIP lookups | Yes |
| ip_reputation | AbuseIPDB integration | Yes |
| kafka | Apache Kafka transport for alerts | No |
| bundled | Bundle DuckDB (no system library needed) | No |
## Deployment

### Copy Binary

```bash
# Deploy to standard location (create the bin directory first, or cp fails)
mkdir -p /opt/rockfish/bin
cp target/release/rockfish /opt/rockfish/bin/rockfish

# Create configuration directories
mkdir -p /opt/rockfish/etc
mkdir -p /opt/rockfish/shared/extensions
```
### Configuration File

```bash
# Copy or create configuration
cp rockfish.yaml /opt/rockfish/etc/rockfish.yaml
```

Rockfish searches for configuration in this order:

1. `--config <path>` (CLI argument)
2. `./rockfish.yaml`
3. `/etc/rockfish/rockfish.yaml`
4. `~/.config/rockfish/rockfish.yaml`

Note that `/opt/rockfish/etc/rockfish.yaml` is not on this list, so point Rockfish at it explicitly with `--config /opt/rockfish/etc/rockfish.yaml`.
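As an added example (not the project's own code) of the lookup order above, a hypothetical Rust helper that walks the candidates in that order; the names `config_candidates`, `resolve_config` and `ConfigSource` are assumptions, as is treating a missing `--config` path as an error instead of falling through to a system-wide file.

```rust
use std::path::{Path, PathBuf};

/// Result of the configuration lookup.
#[derive(Debug, PartialEq)]
pub enum ConfigSource {
    Found(PathBuf),
    /// --config was given but the file is absent (treated as an error here, an assumption).
    MissingExplicit(PathBuf),
    NotFound,
}

/// Candidate locations in the documented order: --config <path>, ./rockfish.yaml,
/// /etc/rockfish/rockfish.yaml, ~/.config/rockfish/rockfish.yaml.
pub fn config_candidates(cli: Option<&Path>, cwd: &Path, home: Option<&Path>) -> Vec<PathBuf> {
    let mut v: Vec<PathBuf> = cli.map(Path::to_path_buf).into_iter().collect();
    v.push(cwd.join("rockfish.yaml"));
    v.push(PathBuf::from("/etc/rockfish/rockfish.yaml"));
    if let Some(h) = home {
        v.push(h.join(".config").join("rockfish").join("rockfish.yaml"));
    }
    v
}

/// Walks the candidates with a caller-supplied existence probe, so tests never touch /etc.
/// A missing explicit --config path is reported rather than skipped: a typo must not
/// silently fall back to a system-wide file the operator did not intend to load.
pub fn resolve_config(cli: Option<&Path>, cwd: &Path, home: Option<&Path>,
                      exists: impl Fn(&Path) -> bool) -> ConfigSource {
    if let Some(p) = cli {
        let p = p.to_path_buf();
        return if exists(p.as_path()) { ConfigSource::Found(p) } else { ConfigSource::MissingExplicit(p) };
    }
    config_candidates(None, cwd, home)
        .into_iter()
        .find(|p| exists(p.as_path()))
        .map_or(ConfigSource::NotFound, ConfigSource::Found)
}

fn main() {
    let cli = std::env::args().nth(1).map(PathBuf::from);
    let cwd = std::env::current_dir().expect("current directory");
    let home = std::env::var_os("HOME").map(PathBuf::from);
    match resolve_config(cli.as_deref(), &cwd, home.as_deref(), |p| p.is_file()) {
        ConfigSource::Found(p) => println!("using {}", p.display()),
        ConfigSource::MissingExplicit(p) => eprintln!("--config {} does not exist", p.display()),
        ConfigSource::NotFound => eprintln!("no rockfish.yaml found in any candidate location"),
    }
}
```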
### Environment File

Credentials and secrets are stored in an environment file; keep it readable only by the account that runs Rockfish.

```bash
# Create environment file
cat > /opt/rockfish/etc/rockfish.env << 'EOF'
ROCKFISH_S3_BUCKET=rockfish-data
ROCKFISH_S3_REGION=us-east-1
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
ABUSEIPDB_API_KEY=...
EOF
```
## Docker Deployment

### Production Image

Build and run Rockfish NDR in a container with all features:

```bash
# Build the image
docker build -t rockfish:latest -f Dockerfile .

# Run with configuration and data volumes; the Suricata socket directory is
# mounted so that the --socket path exists inside the container
docker run -d \
  --name rockfish \
  -v /opt/rockfish/etc:/opt/rockfish/etc:ro \
  -v /data/rockfish:/data/rockfish \
  -v /var/run/suricata:/var/run/suricata \
  -p 3000:3000 \
  -p 8082:8082 \
  rockfish:latest ingest --socket /var/run/suricata/eve.sock
```

The production image includes all default features plus Kafka support, with DuckDB bundled from source.

| Port | Service |
|---|---|
| 3000 | MCP server |
| 8082 | Chat server |
### Demo Report Image

Generate a self-contained demo report served by nginx:

```bash
# Build the demo image
docker build -t rockfish-demo:latest -f Dockerfile.demo .

# Run on port 8080
docker run -d --name rockfish-demo -p 8080:8080 rockfish-demo:latest
```

Open http://localhost:8080 to view the demo report.
## Verify Installation

```bash
# Check version
rockfish --version

# Show configuration and features
rockfish config
```

## Next Steps

- Quick Start - Ingest, hunt, and report in minutes
- Configuration - Full YAML configuration reference