
Rockfish Networks

Suricata, Supercharged.

A powerful bolt-on toolkit that transforms Suricata into a capable NDR with AI-powered detection and automated response.

  • Suricata-Native: Reads EVE JSON directly from a Unix socket.
  • Columnar Storage: Apache Parquet with Zstd compression for fast analytical queries.
  • Behavioral Detection: Graph-based threat hunting for beaconing, lateral movement, and exfiltration.
  • Automated Response: Publish alerts to MQTT, Kafka, or webhooks for n8n, Fluent Bit, Vector, or SIEM integration.
  • Interactive Reports: Self-contained HTML dashboards with Chart.js and D3.js.
  • AI-Ready: MCP server and chat interface for conversational network analysis.
  • Air-Gap Ready: Fully offline operation. No cloud dependencies required.
  • Single Binary: Rust. No runtime dependencies. Deploy from a .deb package or Docker container.

Architecture

Suricata EVE JSON ──► rockfish ingest ──► Parquet ──► S3 (optional)
                                              │
                          ┌───────────────────┼───────────────────┐
                          ▼                   ▼                   ▼
                       Report              Hunt                MCP/Chat
                    (HTML pages)      (threat detection)    (AI-native queries)
                                          │
                                          ▼
                                       Alert
                              (MQTT / Kafka / Webhook)

What Is an Event?

An event is a single JSON record from Suricata’s EVE log — one line, one record. Every alert, flow, DNS transaction, HTTP request, TLS handshake, or protocol log entry is one event. Event rate limits in license tiers are measured by counting these individual JSON records per minute.

Core Pipeline

Input — Rockfish connects directly to Suricata’s EVE output via Unix socket for real-time streaming or file tailing for batch processing. No agents. No sidecars. No middleware.

Ingest — Events are strongly typed, parsed into native Rust structures, and routed by event type. Optional enrichment layers add GeoIP geolocation and IP reputation scoring before the events are written to columnar storage. Ingest also provides configurable include/exclude event filtering, memory-bounded buffering, and multi-sensor partitioning for distributed deployments.
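The two ideas above, an event as one newline-delimited JSON record counted per minute, and an ingest stage that parses, filters and routes by event type, written out as an added example. This is not Rockfish's own code (Rockfish is Rust; this is a standalone Python sketch of the same steps). The EVE lines are constructed for illustration, the function names are this example's own, and the torn last line shows the failure mode a file tailer must survive: a malformed record is counted and skipped, not allowed to stop ingest.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed EVE JSON lines for illustration only (not captured from a sensor).
# Suricata's EVE log is newline-delimited JSON: one line is one event.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP"}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"alert":{"signature_id":1000001,"signature":"LOCAL example signature","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:59.000000+0000","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"example.com","url":"/","http_method":"GET"}}',
    '{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"tls":{"sni":"example.com","version":"TLS 1.3"}}',
    '{"timestamp":"2024-05-01T10:01:00.500000+0000","event_type":"stats",'
    '"stats":{"uptime":3600}}',
    'not json at all',  # torn line (e.g. truncated write): must not kill the pipeline
]

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's default EVE timestamp layout


def parse_eve(lines):
    """Turn raw EVE lines into event dicts; returns (events, rejected_count).

    A line is rejected if it is not a JSON object or lacks the two fields every
    EVE record carries (timestamp, event_type). Rejections are counted, not raised.
    """
    events, rejected = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if not isinstance(obj, dict) or "timestamp" not in obj or "event_type" not in obj:
            rejected += 1
            continue
        events.append(obj)
    return events, rejected


def filter_events(events, include=None, exclude=()):
    """Include/exclude filtering by event_type. include=None keeps every type;
    exclude is applied afterwards, so it wins when a type appears in both."""
    kept = []
    for ev in events:
        kind = ev["event_type"]
        if include is not None and kind not in include:
            continue
        if kind in exclude:
            continue
        kept.append(ev)
    return kept


def route_by_type(events):
    """Group events by event_type, the dispatch key a typed ingest path switches on."""
    routed = {}
    for ev in events:
        routed.setdefault(ev["event_type"], []).append(ev)
    return routed


def events_per_minute(events):
    """Count records per UTC wall-clock minute, the unit rate limits are measured in."""
    counts = Counter()
    for ev in events:
        ts = datetime.strptime(ev["timestamp"], EVE_TS_FORMAT).astimezone(timezone.utc)
        counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def peak_events_per_minute(events):
    """Highest per-minute count: the number to compare against a tier limit."""
    counts = events_per_minute(events)
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    events, rejected = parse_eve(SAMPLE_EVE_LINES)
    events = filter_events(events, exclude=("stats",))
    for kind, group in route_by_type(events).items():
        print(f"{kind:6s} {len(group)}")
    print("rejected lines:", rejected, "| peak events/minute:", peak_events_per_minute(events))
```

Note that `stats` records count as events too, so excluding them at ingest lowers the measured rate as well as the storage footprint; the `http` record at 10:00:59 and the `tls` record at 10:01:00 fall in different minutes even though they are one second apart.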

Store — All events are written to Apache Parquet with Zstd compression and hive-style date partitioning. Embedded DuckDB provides sub-second analytical SQL at query time. Optional AWS S3 / MinIO / DigitalOcean Spaces upload for long-term retention.

Analyze — Three complementary engines operate on the same Parquet data. Hunt builds communication graphs and applies 12 behavioral detection algorithms (beaconing, lateral movement, C2 fanout, port scanning, DNS tunneling, data exfiltration, and more), with ML-based anomaly detection for unknown threats. Report renders self-contained HTML dashboards of 12+ pages with Chart.js and D3. MCP and Chat expose the data to AI assistants for conversational investigation.
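To make the beaconing detector concrete, here is an added example of the simplest form of the technique: group flow events by (source, destination, port), take the gaps between successive connections, and flag pairs whose gaps are too regular. This is not Rockfish's algorithm or code (its Hunt engine is graph-based and Rust); the flow records are constructed, and the thresholds and function names are this example's own.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's default EVE timestamp layout


def _synthetic_flows(src_ip, dest_ip, dest_port, start, gaps_seconds):
    """Build constructed EVE-style flow records spaced by the given gaps (hypothetical data)."""
    flows, t = [], start
    for gap in gaps_seconds:
        t = t + timedelta(seconds=gap)
        flows.append({
            "timestamp": t.strftime(EVE_TS_FORMAT),
            "event_type": "flow",
            "src_ip": src_ip, "dest_ip": dest_ip, "dest_port": dest_port, "proto": "TCP",
        })
    return flows


_T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

# Constructed sample: 10.0.0.5 checks in with 198.51.100.7 every ~60 s with a few
# seconds of jitter (beacon-like), browses 203.0.113.10 at irregular intervals,
# and 10.0.0.9 makes three perfectly regular connections (too few to judge).
SAMPLE_FLOWS = (
    _synthetic_flows("10.0.0.5", "198.51.100.7", 443, _T0,
                     [0, 60, 61, 59, 62, 58, 60, 61, 59, 60, 62, 58])
    + _synthetic_flows("10.0.0.5", "203.0.113.10", 443, _T0,
                       [0, 5, 300, 12, 900, 45, 3, 1800, 7])
    + _synthetic_flows("10.0.0.9", "198.51.100.7", 443, _T0, [0, 60, 60])
)


def detect_beacons(events, min_connections=8, max_jitter_cv=0.15):
    """Flag (src, dst, port) pairs whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (population stdev / mean) of the gaps.
    Pairs with fewer than min_connections flows are skipped: the statistic is
    meaningless on a handful of samples and would flag every short, steady session.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        by_pair[key].append(datetime.strptime(ev["timestamp"], EVE_TS_FORMAT))

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()  # EVE output is not guaranteed to be ordered per pair
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:  # every flow shares one timestamp: a burst, not a beacon
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter_cv:
            findings.append({
                "src_ip": src, "dest_ip": dst, "dest_port": port,
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
            })
    findings.sort(key=lambda f: f["jitter_cv"])
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_FLOWS):
        print(f"{f['src_ip']} -> {f['dest_ip']}:{f['dest_port']}  "
              f"n={f['connections']} mean={f['mean_interval_s']}s cv={f['jitter_cv']}")
```

The caveat a practitioner should keep in mind: a coefficient-of-variation threshold catches naive fixed-sleep implants, but an agent that randomizes its sleep by a large fraction spreads its gaps enough to pass, and a legitimate NTP client or health check looks exactly like a beacon by this measure. Real detectors combine interval regularity with other per-pair features (constant payload sizes, long session lifetime, destination rarity) before raising an alert, which is why a graph over the whole dataset is more useful than this single statistic.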

Respond — Detection findings and enriched alerts are published to MQTT, Kafka, and webhooks for downstream automation. Integrate with Fluent Bit, Vector, n8n, Node-RED, or any consumer for SIEM forwarding and SOAR workflows.

Commands at a Glance

Command            Description
rockfish ingest    Ingest EVE JSON logs and write to Parquet
rockfish hunt      Run graph-based behavioral threat detection
rockfish report    Generate static HTML NDR report
rockfish alert     Publish detection events to MQTT, Kafka, or webhooks
rockfish mcp       Start MCP server for AI-powered queries
rockfish chat      Start AI chat server for NDR data analysis
rockfish http      Serve report pages over HTTP with authentication
rockfish auto      Run hunt + report automatically at set intervals
rockfish prune     Remove old Parquet files by retention policy
rockfish compact   Compact and merge Parquet files for storage efficiency
rockfish update    Download and install Suricata rule updates
rockfish config    Show resolved configuration and features
rockfish stats     Parse EVE JSON and show event type statistics

Technical Foundation

  • Language: Rust — single static binary, no runtime dependencies
  • Query Engine: Embedded DuckDB for analytical SQL on Parquet
  • Storage Format: Apache Parquet with Zstd compression
  • Protocols: MQTT, Kafka, Webhooks, MCP (Model Context Protocol)
  • Crypto: Ed25519 license verification, TLS 1.3 transport
  • Concurrency: Rayon parallel query execution, Tokio async I/O

Next Steps