# Deployment Profiles
Rockfish NDR supports different deployment profiles optimized for specific environments.
## IT Profile
Enterprise network monitoring with full enrichment capabilities.
| Component | Configuration |
|---|---|
| GeoIP | Enabled — MaxMind GeoLite2 databases |
| IP Reputation | Enabled — AbuseIPDB API integration |
| S3 Upload | Enabled — cloud storage for retention |
| Chat | Cloud LLM (OpenAI, Anthropic) |
| Hunt | Full detection suite |
| Alert | MQTT/Kafka for SIEM integration |
```yaml
# IT deployment example
enrichment:
  geoip:
    database_path: /usr/share/GeoIP/GeoLite2-City.mmdb
  ip_reputation:
    enabled: true
    api_key: ${ABUSEIPDB_API_KEY}
  s3:
    bucket: security-data
    region: us-east-1
alert:
  mqtt:
    broker: siem-mqtt.internal
```
## OT Profile
Industrial / IoT environments with asset inventory and baseline monitoring.
| Component | Configuration |
|---|---|
| GeoIP | Optional |
| IP Reputation | Optional |
| S3 Upload | Optional — local storage preferred |
| Chat | Local SLM (air-gap compatible) |
| Hunt | Baseline deviation, polling disruption |
| Inventory | OT protocol awareness enabled |
```yaml
# OT deployment example
hunt:
  detections: "baseline_deviation,polling_disruption,beaconing,lateral"
  internal_networks: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
```
Key OT detections:
- Baseline deviation — traffic pattern shifts in control networks
- Polling disruption — interruption of periodic SCADA polling
- New connection pairs — unexpected host communication
## Military Profile
Air-gapped networks with no internet dependencies.
| Component | Configuration |
|---|---|
| GeoIP | Offline databases only |
| IP Reputation | Disabled — no API access |
| S3 Upload | Disabled — local storage only |
| Chat | Local SLM only (Ollama) |
| Hunt | Data exfiltration focus |
| Alert | Local MQTT broker only |
```yaml
# Air-gapped deployment example
enrichment:
  geoip:
    database_path: /opt/rockfish/geoip/GeoLite2-City.mmdb
  ip_reputation:
    enabled: false
hunt:
  detections: "exfiltration,beaconing,lateral,fanout,dns_tunneling"
alert:
  mqtt:
    broker: localhost
```
Key considerations:
- All enrichment data must be pre-loaded locally
- SLM (small language model) runs entirely on-device
- No S3, no cloud APIs, no external network access
- Focus on data exfiltration and unauthorized communication detection
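As an added example that is not part of Rockfish NDR, the following Python script parses the YAML subset used in the profile examples above with a small hand-written parser (no PyYAML dependency) and reports settings that would break the air-gapped constraints. The violation rules and the `LOCAL_BROKERS` set are assumptions derived from the Military profile table, not a project API, and the embedded IT config is a constructed sample.

```python
# Added example (not Rockfish NDR code): check a profile config against the
# air-gapped rules: no cloud APIs, no S3 upload, no external network access.
# Assumption: a broker is "local" only if it is one of these names.
LOCAL_BROKERS = {"localhost", "127.0.0.1", "::1"}

def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' mappings (YAML subset, no lists)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the open nesting levels
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        while indent <= stack[-1][0]:  # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = {"true": True, "false": False}.get(value, value)
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def air_gap_violations(config):
    """Return a list of settings that violate the Military profile constraints."""
    problems = []
    enrich = config.get("enrichment", {})
    if enrich.get("ip_reputation", {}).get("enabled") is True:
        problems.append("ip_reputation enabled: AbuseIPDB requires internet access")
    if "s3" in enrich:
        problems.append("s3 section present: cloud storage is not allowed")
    broker = config.get("alert", {}).get("mqtt", {}).get("broker")
    if broker and broker not in LOCAL_BROKERS:
        problems.append(f"mqtt broker {broker!r} is not a local broker")
    return problems

# Constructed sample: the IT profile settings, which must be rejected.
IT_CONFIG = """
enrichment:
  geoip:
    database_path: /usr/share/GeoIP/GeoLite2-City.mmdb
  ip_reputation:
    enabled: true
    api_key: ${ABUSEIPDB_API_KEY}
  s3:
    bucket: security-data
alert:
  mqtt:
    broker: siem-mqtt.internal
"""
```

Running `air_gap_violations(parse_simple_yaml(IT_CONFIG))` yields three findings; the air-gapped example above yields none.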
## Docker Deployment
Rockfish NDR provides Docker images for containerized deployment.
### Production Container
```bash
# Build
docker build -t rockfish:latest -f Dockerfile .

# Run with mounted config and data
docker run -d --name rockfish \
  -v /opt/rockfish/etc:/opt/rockfish/etc:ro \
  -v /data/rockfish:/data/rockfish \
  -p 3000:3000 -p 8082:8082 \
  rockfish:latest ingest --socket /var/run/suricata/eve.sock
```
The production image is a multi-stage build (Rust builder, Debian slim runtime) and includes all default features plus Kafka, with DuckDB bundled from source.
### Demo Container
```bash
# Build and run demo report on port 8080
docker build -t rockfish-demo:latest -f Dockerfile.demo .
docker run -d --name rockfish-demo -p 8080:8080 rockfish-demo:latest
```
The demo image generates a synthetic report at build time and serves it via nginx.