# Quick Start

Deploy Rockfish NDR in under 30 minutes. This guide covers detection, reporting, and rule management.

## Architecture

Rockfish NDR runs as two services:
| Service | Command | What it does |
|---|---|---|
| Detection | `rockfish sigma` | SIGMA engine + Parquet ingest + Hunt |
| Reporting | `rockfish report` | HTML dashboard + HTTP server + AI Insight |
Both read from the same Parquet data directory.
## 1. Install

```bash
cd /develop/rockfish/ndr
./scripts/build-cli.sh --install    # rockfish + rockfish-curator → /opt/rockfish/bin/
./scripts/build-rules.sh --install  # rockfish-ruleset → /opt/rockfish/bin/
```
## 2. Configure Suricata Rules

```bash
sudo -u rockfish rockfish-curator select --count 256 \
    --cache /var/lib/rockfish/et-open-cache \
    --output /var/lib/rockfish/staging

sudo rockfish-ruleset refresh \
    --suricata-socket /var/run/suricata/suricata-command.socket \
    --suricata-binary /opt/suricata/bin/suricata
```
## 3. Start Detection

### From a File

```bash
# Ingest EVE JSON into Parquet
rockfish ingest -i /var/log/suricata/eve.json \
    -o /data/rockfish --sensor my-sensor --hive
```

### Continuous Ingestion

```bash
# Follow mode — tails the log like tail -F
rockfish ingest -i /var/log/suricata/eve.json \
    -o /data/rockfish --sensor my-sensor --hive --follow

# From a Unix socket (Suricata unix_stream output)
rockfish ingest --socket /var/run/suricata/eve.sock \
    -o /data/rockfish --sensor my-sensor --hive
```

### Verify Output

```bash
ls -la /data/rockfish/my-sensor/
# alert/ flow/ dns/ http/ tls/ ...
```
## 2. Run Threat Detection

```bash
# Hunt across the last 24 hours
rockfish hunt -d /data/rockfish --sensor my-sensor --hive \
    -t "24 hours"
```

Hunt findings are written to `/data/rockfish/my-sensor/hunt/*.parquet`.

### View Results on Stdout

```bash
# Pretty-printed JSON
rockfish hunt -d /data/rockfish --sensor my-sensor --hive \
    --stdout --pretty

# Table format
rockfish hunt -d /data/rockfish --sensor my-sensor --hive \
    --stdout --format table
```
## 3. Generate HTML Report

```bash
# Generate report for the last 24 hours
rockfish report -d /data/rockfish --sensor my-sensor --hive \
    -t "24 hours" -o /var/www/html/ndr
```

Open `index.html` in the output directory (`/var/www/html/ndr` in the command above) in a browser to view the dashboard.

### Demo Mode

Generate a report with synthetic data to see all features:

```bash
rockfish report --demo -o ./demo-report
```
## 4. Publish Alerts

```bash
# Publish to MQTT broker
rockfish alert -d /data/rockfish --sensor my-sensor --hive \
    --mqtt-broker mosquitto -t "1 hour"

# Continuous publishing
rockfish alert -d /data/rockfish --sensor my-sensor --hive \
    --mqtt-broker mosquitto --continuous
```

### Subscribe to Alerts

```bash
# In another terminal, subscribe to all rockfish topics
mosquitto_sub -t 'rockfish/#' -v
```
## 5. Continuous Operation

Run all components together for ongoing monitoring:

```bash
# Terminal 1: Continuous ingestion
rockfish ingest --socket /var/run/suricata/eve.sock \
    -o /data/rockfish --sensor prod-01 --hive

# Terminal 2: Hourly threat hunts
rockfish hunt -d /data/rockfish --sensor prod-01 --hive \
    --continuous --interval-minutes 60

# Terminal 3: Report regeneration every 5 minutes
rockfish report -d /data/rockfish --sensor prod-01 --hive \
    --continuous --interval-minutes 5

# Terminal 4: Alert publishing
rockfish alert -d /data/rockfish --sensor prod-01 --hive \
    --mqtt-broker mosquitto --continuous
```
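Four terminals are fine for a first run, but in production the four components should start, log and stop together. The script below is an added example (not part of the Rockfish project) that supervises the step 5 pipeline from one bash script: it checks the prerequisites before launching, gives each component its own log file, and stops the others as soon as any one of them exits. It assumes `rockfish` was installed as in step 1 and uses the quick-start paths and sensor name as defaults, overridable through the `ROCKFISH_*` environment variables.

```bash
#!/usr/bin/env bash
# Added example (not part of the Rockfish project): supervise the four
# long-running components of step 5 from one script instead of four terminals.
# Assumed: rockfish installed as in step 1; paths are the quick-start defaults.
set -u
DATA_DIR="${ROCKFISH_DATA:-/data/rockfish}"
SENSOR="${ROCKFISH_SENSOR:-prod-01}"
EVE_SOCKET="${ROCKFISH_SOCKET:-/var/run/suricata/eve.sock}"
MQTT_BROKER="${ROCKFISH_MQTT:-mosquitto}"
REPORT_DIR="${ROCKFISH_REPORT_DIR:-/var/www/html/ndr}"
LOG_DIR="${ROCKFISH_LOG_DIR:-/var/log/rockfish}"

# Command line for one component: component_cmd <ingest|hunt|report|alert> <sensor> <data_dir>
component_cmd() {
  case "$1" in
    ingest) echo "rockfish ingest --socket $EVE_SOCKET -o $3 --sensor $2 --hive" ;;
    hunt)   echo "rockfish hunt -d $3 --sensor $2 --hive --continuous --interval-minutes 60" ;;
    report) echo "rockfish report -d $3 --sensor $2 --hive --continuous --interval-minutes 5 -o $REPORT_DIR" ;;
    alert)  echo "rockfish alert -d $3 --sensor $2 --hive --mqtt-broker $MQTT_BROKER --continuous" ;;
    *)      echo "unknown component: $1" >&2; return 1 ;;
  esac
}

# Fail fast: without the socket or a writable data directory, ingest dies at once
# while hunt/report/alert would keep running over an empty or stale dataset.
preflight() {
  command -v rockfish >/dev/null 2>&1 || { echo "rockfish not on PATH" >&2; return 1; }
  [ -S "$EVE_SOCKET" ] || { echo "no Suricata socket at $EVE_SOCKET" >&2; return 1; }
  [ -d "$DATA_DIR" ] && [ -w "$DATA_DIR" ] || { echo "$DATA_DIR not writable" >&2; return 1; }
}

# Start all four components, one log file each, and stop the rest as soon as any
# one exits: a half-running pipeline is a silent detection gap.
run_pipeline() {
  preflight || return 1
  mkdir -p "$LOG_DIR"
  pids=""
  for c in ingest hunt report alert; do
    sh -c "$(component_cmd "$c" "$SENSOR" "$DATA_DIR")" >"$LOG_DIR/$c.log" 2>&1 &
    pids="$pids $!"
    echo "started $c (pid $!, log $LOG_DIR/$c.log)"
  done
  trap 'kill $pids 2>/dev/null' INT TERM EXIT
  wait -n    # bash 4.3+: returns as soon as the first component exits
  echo "a component exited, stopping the others (see $LOG_DIR)" >&2
  kill $pids 2>/dev/null
  return 1
}
```

Call `run_pipeline` at the end of the script (or from a systemd unit with `Restart=on-failure`) so that a crashed component restarts the whole pipeline rather than leaving it half running.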
## Using a Configuration File

Create `rockfish.yaml` to avoid repeating CLI arguments:

```yaml
sensor:
  name: prod-01
input:
  socket: /var/run/suricata/eve.sock
output:
  dir: /data/rockfish
  hive_partitioning: true
  compression: zstd
  s3:
    bucket: rockfish-data
    region: us-east-1
alert:
  mqtt:
    broker: mosquitto
    port: 1883
    topic_prefix: rockfish
```

```bash
rockfish -c rockfish.yaml ingest
rockfish -c rockfish.yaml hunt --continuous
rockfish -c rockfish.yaml report --continuous
rockfish -c rockfish.yaml alert --continuous
```
## Next Steps

- Configuration - Full YAML configuration reference
- `rockfish ingest` - Input sources, S3 upload, event filtering
- `rockfish hunt` - Detection types and tuning
- `rockfish report` - Report pages and theming
- `rockfish alert` - MQTT/Kafka publishing