Suricata, Supercharged.
A powerful bolt-on toolkit that transforms Suricata into a capable NDR with AI-powered detection and automated response.
| Feature | Description |
|---|---|
| Suricata-Native | Reads EVE JSON directly from Unix socket. |
| Columnar Storage | Apache Parquet with Zstd compression for fast analytical queries. |
| Behavioral Detection | Graph-based threat hunting: beaconing, lateral movement, exfiltration. |
| Automated Response | Publish alerts to MQTT/Kafka for n8n, fluent-bit, or SIEM integration. |
| Interactive Reports | Self-contained HTML dashboards with Chart.js and D3.js. |
| AI-Ready | MCP server and chat interface for conversational network analysis. |
| Air-Gap Ready | Fully offline operation. No cloud dependencies required. |
| Single Binary | Rust. No runtime dependencies. Deploy from .deb package or Docker container. |
Architecture
```
Suricata EVE JSON ──► rockfish ingest ──► Parquet ──► S3 (optional)
                                             │
                         ┌───────────────────┼───────────────────┐
                         ▼                   ▼                   ▼
                      Report               Hunt              MCP/Chat
                   (HTML pages)     (threat detection) (AI-native queries)
                                             │
                                             ▼
                                           Alert
                                      (MQTT / Kafka)
```
Core Pipeline
Ingest reads Suricata’s EVE JSON, partitions events by type (alert, flow, DNS, HTTP, TLS, SSH, SMTP, fileinfo, anomaly, DHCP, MQTT, Modbus, DNP3, and more), writes columnar Parquet with optional hive-style date partitioning, and flushes on configurable time or memory thresholds.
Hunt builds a communication graph from flow data and applies behavioral detection algorithms — beaconing, lateral movement, C2 fanout, port scanning, data exfiltration, DNS tunneling, and more. Findings are scored with HBOS or Isolation Forest anomaly models.
Report generates self-contained HTML dashboards with 12+ pages covering alerts, threats, DNS, TLS, flows, hosts, network topology, asset inventory, and hunt findings.
Alert reads detection events from Parquet, normalizes them into a common JSON payload, and publishes to MQTT and/or Kafka for automated response workflows.
MCP exposes Parquet data to AI assistants via the Model Context Protocol with query and hunt tools.
Chat provides a conversational AI interface for network security analysis with pluggable LLM backends.
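The three stages above (ingest partitioning by `event_type`, hunt building a communication graph from flow events and scoring beaconing, alert folding a finding into a common payload) can be illustrated end to end on a handful of records. The block below is an added example written for this page; it is not Rockfish code and does not use its storage, graph or scoring implementation. It assumes the EVE `flow` fields `timestamp`, `src_ip`, `dest_ip` and `dest_port`, uses the coefficient of variation of inter-arrival times as a simple beaconing score (a stand-in for the HBOS / Isolation Forest scoring the text describes), and runs on constructed sample lines embedded inline rather than captured traffic.

```python
"""Added example (not Rockfish code): partition EVE JSON by event_type, build a
communication graph from flow events, flag beaconing candidates by interval
regularity, and normalize a finding into a common alert payload."""
import json
import statistics
from collections import defaultdict
from datetime import datetime


def _flow(ts, src, dst, dport):
    """Build one constructed EVE 'flow' record as a JSON line."""
    return json.dumps({"timestamp": ts, "event_type": "flow", "src_ip": src,
                       "dest_ip": dst, "dest_port": dport, "proto": "TCP"})


# Constructed sample (not captured traffic): 10.0.0.5 contacts 203.0.113.9 about
# once a minute with near-constant spacing; 10.0.0.7 contacts 198.51.100.2 in
# irregular bursts, as a browsing host would. One dns record shows partitioning.
EVE_LINES = [
    _flow("2024-05-01T10:00:00.000000+0000", "10.0.0.5", "203.0.113.9", 443),
    _flow("2024-05-01T10:01:00.000000+0000", "10.0.0.5", "203.0.113.9", 443),
    _flow("2024-05-01T10:02:01.000000+0000", "10.0.0.5", "203.0.113.9", 443),
    _flow("2024-05-01T10:03:00.000000+0000", "10.0.0.5", "203.0.113.9", 443),
    _flow("2024-05-01T10:04:00.000000+0000", "10.0.0.5", "203.0.113.9", 443),
    _flow("2024-05-01T10:05:01.000000+0000", "10.0.0.5", "203.0.113.9", 443),
    _flow("2024-05-01T10:00:10.000000+0000", "10.0.0.7", "198.51.100.2", 443),
    _flow("2024-05-01T10:00:12.000000+0000", "10.0.0.7", "198.51.100.2", 443),
    _flow("2024-05-01T10:07:40.000000+0000", "10.0.0.7", "198.51.100.2", 443),
    _flow("2024-05-01T10:08:00.000000+0000", "10.0.0.7", "198.51.100.2", 443),
    _flow("2024-05-01T10:31:05.000000+0000", "10.0.0.7", "198.51.100.2", 443),
    _flow("2024-05-01T10:31:09.000000+0000", "10.0.0.7", "198.51.100.2", 443),
    json.dumps({"timestamp": "2024-05-01T10:00:05.000000+0000",
                "event_type": "dns", "src_ip": "10.0.0.5"}),
]


def parse_ts(ts):
    """EVE timestamps look like 2024-05-01T10:00:00.000000+0000; return epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def partition_by_type(lines):
    """Ingest step: group records by event_type, the key a Parquet writer partitions on."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole ingest
        buckets[ev.get("event_type", "unknown")].append(ev)
    return dict(buckets)


def build_graph(flows):
    """Communication graph: edge (src, dst, dport) -> sorted connection times."""
    edges = defaultdict(list)
    for f in flows:
        edges[(f["src_ip"], f["dest_ip"], f["dest_port"])].append(parse_ts(f["timestamp"]))
    return {edge: sorted(times) for edge, times in edges.items()}


def beacon_findings(graph, min_connections=5, max_cv=0.1):
    """Flag edges whose inter-arrival gaps are nearly constant.
    cv = stdev/mean of the gaps: periodic check-ins give a small cv,
    human-driven traffic a large one. Thresholds are illustrative."""
    findings = []
    for (src, dst, dport), times in graph.items():
        if len(times) < min_connections:
            continue  # too few samples to judge cadence
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # every connection at the same instant: a burst, not a cadence
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src_ip": src, "dest_ip": dst, "dest_port": dport,
                             "connections": len(times),
                             "mean_interval_s": round(mean, 1),
                             "interval_cv": round(cv, 4)})
    return findings


def hunt_beaconing(lines):
    """Hunt step over raw EVE lines: ingest partitioning, then graph, then scoring."""
    flows = partition_by_type(lines).get("flow", [])
    return beacon_findings(build_graph(flows))


def normalize_alert(finding):
    """Alert step: one common payload shape for MQTT/Kafka consumers, whatever the detector."""
    return {"source": "hunt", "detection": "beaconing", "severity": "medium",
            "src_ip": finding["src_ip"], "dest_ip": finding["dest_ip"],
            "dest_port": finding["dest_port"],
            "evidence": {k: finding[k] for k in
                         ("connections", "mean_interval_s", "interval_cv")}}


if __name__ == "__main__":
    for finding in hunt_beaconing(EVE_LINES):
        print(json.dumps(normalize_alert(finding)))
```

On the constructed input only the `10.0.0.5 -> 203.0.113.9:443` edge is reported (six connections, mean gap about 60 s, cv near 0.01); the browsing host's irregular gaps give a cv well above the threshold. Legitimate periodic traffic (NTP, update checks, monitoring agents) produces the same regularity, so in practice a detector like this is tuned per network and its findings are triaged against an asset inventory rather than acted on blindly.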
Commands at a Glance
| Command | Description |
|---|---|
| rockfish ingest | Ingest EVE JSON logs and write to Parquet |
| rockfish hunt | Run graph-based behavioral threat detection |
| rockfish report | Generate static HTML NDR report |
| rockfish alert | Publish detection events to MQTT and/or Kafka |
| rockfish mcp | Start MCP server for AI-powered queries |
| rockfish chat | Start AI chat server for NDR data analysis |
| rockfish http | Serve report pages over HTTP with authentication |
| rockfish prune | Remove old Parquet files by retention policy |
| rockfish config | Show resolved configuration and features |
| rockfish stats | Parse EVE JSON and show event type statistics |
Technical Foundation
- Language: Rust — single static binary, no runtime dependencies
- Query Engine: Embedded DuckDB for analytical SQL on Parquet
- Storage Format: Apache Parquet with Zstd compression
- Protocols: MQTT, Kafka, MCP (Model Context Protocol)
- Crypto: Ed25519 license verification, TLS 1.3 transport
- Concurrency: Rayon parallel query execution, Tokio async I/O
Next Steps
- Installation - Build and deploy Rockfish NDR
- Quick Start - Get up and running in minutes
- Configuration - YAML configuration reference