Enrichment

Rockfish NDR enriches flow data with geographic and reputation intelligence during ingestion.

GeoIP

Geographic location lookups via MaxMind GeoLite2 or GeoIP2 databases.

Enriched Fields

Configuration

enrichment:
  geoip:
    database_path: /usr/share/GeoIP/GeoLite2-City.mmdb
    asn_database_path: /usr/share/GeoIP/GeoLite2-ASN.mmdb

Requirements

• MaxMind GeoLite2-City and GeoLite2-ASN databases
• Free account at maxmind.com
• Requires the geoip feature (enabled by default)
• Requires Standard or Enterprise license tier

IP Reputation

Abuse confidence scoring via the AbuseIPDB API.

Enriched Fields

Configuration

enrichment:
  ip_reputation:
    enabled: true
    api_key: ${ABUSEIPDB_API_KEY}
    cache_path: /var/lib/rockfish/ip_cache.parquet
    cache_ttl_hours: 48
    memory_cache_size: 50000
    lookup_timeout_ms: 200
    fail_open: false

Caching

IP reputation lookups are cached at two levels:

1. Memory cache — LRU cache (default: 50,000 entries) for fast lookups
2. Parquet cache — Persistent disk cache with configurable TTL

Requirements

• AbuseIPDB API key (set in environment file)
• Requires the ip_reputation feature (enabled by default)
• Requires Standard or Enterprise license tier

Report Integration

Both GeoIP and IP reputation data appear across multiple report pages:

• Overview — Top countries by flow volume
• Flows — Country breakdown with GeoIP data
• Threats — IP reputation scores and flagged hosts
• Network — Node detail panel with geographic info
• World Map — Leaflet.js globe with country-level overlays

Note: GeoIP and IP reputation columns are only populated when the probe runs with those features enabled. Report queries gracefully return zero rows when enrichment data is absent.