The ultimate Suricata bolt-on.

Five stages. One Rust binary. Air-gap native.

From Suricata's eve-log to actionable intelligence — every stage built into a single deployable binary. No external dependencies. No cloud. No telemetry.

  • 5+ pipeline stages
  • 16+ industrial protocols
  • 37 behavioral features
  • 1 single binary

From eve-log to actionable intelligence.

Five stages, one Rust binary. Data flows left to right — from Suricata's event stream into Parquet, then into the analytics engines and reports.

Pipeline diagram (Suricata → rockfish ingest → Apache Parquet → rockfish hunt|report → SIEM & SOAR):

  • INPUT: Suricata EVE via Unix socket or file (tail -f)
  • INGEST: parse & classify events (alert, flow, dns, http, tls, smtp, +8 more); GeoIP enrichment, IP reputation, event filtering
  • STORE: Parquet with Zstd compression, Hive partitioning (year / month / day), optional S3 / MinIO upload
  • ANALYZE: Hunt (graph-based behavioral detection), Anomaly (ML-based anomaly detection), Report (12+ page HTML dashboards)
  • RESPOND: JSON alerts to MQTT / Kafka, Fluent Bit / Vector, n8n / Node-RED
Input

Suricata EVE records

Rockfish connects directly to Suricata's EVE output — via Unix socket for real-time streaming or file tailing for batch processing. No agents. No sidecars. No middleware.

  • Unix socket with automatic reconnect on failure
  • File input with tail -f semantics for batch replay
  • All EVE event types including OT/ICS protocols
suricata → rockfish
    # Suricata output sources
    Suricata
    ├─ eve.json ──────► file input
    └─ eve.sock ──────► socket input

    # Supported event types
    alert flow dns http tls ssh smtp fileinfo anomaly dhcp mqtt modbus dnp3 ...
Ingest

Parse, Enrich, Partition

Events are strongly typed, parsed into native Rust structures, and routed by event type. Optional enrichment layers add geolocation and IP reputation before writing to columnar storage.

  • Strongly-typed EVE JSON deserialization with full validation
  • GeoIP enrichment via MaxMind databases
  • IP reputation scoring via AbuseIPDB with local caching
  • Configurable include/exclude event filtering
  • Memory-bounded buffering with time-based flush
  • Multi-sensor partitioning for distributed deployments
rockfish ingest
    $ rockfish ingest \
        --input /var/run/suricata/eve.sock \
        --output /var/lib/rockfish/parquet/ \
        --geoip /usr/share/GeoIP/ \
        --flush-interval 60s \
        --compression zstd

    # Hive-style date partitioning (one tree per event type)
    /parquet/
    ├── alert/year=2026/month=04/day=01/
    ├── flow/year=2026/month=04/day=01/
    ├── dns/year=2026/month=04/day=01/
    └── tls/year=2026/month=04/day=01/
Store

Columnar Parquet + Zstd

All events are written to Apache Parquet with Zstd compression and Hive-style date partitioning. The embedded SQL engine uses partition pruning for sub-second analytical queries. Optional S3 upload for long-term retention.

  • Apache Parquet columnar format with 10-20x compression
  • Hive-style date partitioning for sub-second queries
  • Per-event-type schemas with full field coverage
  • Embedded SQL engine for ad-hoc analytical queries
  • Optional AWS S3 / MinIO / DigitalOcean Spaces upload
  • Configurable retention with rockfish prune
schema & query
    # Schema per event type
    alert.parquet
    ├── timestamp        TIMESTAMP_TZ
    ├── src_ip           VARCHAR
    ├── dest_ip          VARCHAR
    ├── alert_action     VARCHAR
    ├── alert_sig_id     INT64
    ├── alert_severity   INT32
    └── ...48+ fields

    # SQL engine analytical query
    SELECT dest_ip, count(*)
    FROM read_parquet('alert/**/*.parquet', hive_partitioning=true)
    WHERE year=2026 AND month=4
    GROUP BY 1
    ORDER BY 2 DESC
Analyze

Hunt & Report

Two complementary engines operate on the same Parquet data. Hunt builds communication graphs for behavioral detection. Report renders interactive dashboards with full audit trails — entirely self-contained, no cloud, no telemetry.

  • 12 behavioral detection algorithms in a single pass
  • Beaconing, lateral movement, C2 fanout, port scanning
  • DNS tunneling and data exfiltration detection
  • SIGMA Algorithm: predictive ML detection on industrial protocols
  • 16+ page self-contained HTML reports with Chart.js & D3
  • OT-specific detection: Modbus, DNP3, OPC UA, S7comm, MQTT
  • Air-gap native — no external dependencies, no telemetry
rockfish hunt & report
    # 12 behavioral detection algorithms
    rockfish hunt:
    ├── Beaconing            C2 callback detection
    ├── Lateral Movement     A→B→C chain analysis
    ├── C2 Fanout            many→one patterns
    ├── Port Scanning        host→many ports
    ├── DNS Tunneling        subdomain entropy
    ├── Data Exfiltration    byte thresholds
    ├── Community Detect     botnet clustering
    ├── Baseline Deviation   behavioral drift
    ├── Anomaly Detection    ML-based scoring
    └── ...3 more algorithms

    # Self-contained HTML report
    rockfish report → report.html
    ├── Overview
    ├── Alerts
    ├── Findings
    ├── DNS
    ├── TLS
    ├── Flows
    ├── Network
    └── Inventory
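As an added illustration of the first hunt algorithm listed above (not Rockfish's own code), the following example scores beaconing the way a defender would over Suricata EVE flow records: group connections by source, destination and port, then flag tuples whose inter-arrival times are nearly constant. The EVE lines, hosts and the `min_flows`/`max_cv` thresholds are constructed assumptions.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

def _flow(ts, dest_ip):
    # Build a minimal Suricata EVE flow record (constructed sample, not real traffic).
    return json.dumps({"event_type": "flow", "proto": "TCP", "src_ip": "10.0.1.42",
                       "dest_ip": dest_ip, "dest_port": 443,
                       "timestamp": f"2026-04-01T14:{ts}.000000+0000"})

# Constructed sample: one host contacting 198.51.100.7 every ~60 s (beacon-like)
# and browsing 203.0.113.9 at irregular intervals (benign-looking).
SAMPLE_EVE = [_flow(t, "198.51.100.7") for t in
              ("00:01", "01:02", "02:01", "03:03", "04:02", "05:01", "06:02", "07:01")]
SAMPLE_EVE += [_flow(t, "203.0.113.9") for t in
               ("00:05", "00:09", "03:40", "11:02", "11:07", "25:58", "26:01", "44:30")]

def beacon_candidates(eve_lines, min_flows=6, max_cv=0.2):
    """Flag (src, dst, port) tuples whose connection inter-arrival times are
    nearly constant: coefficient of variation (stdev/mean) at or below max_cv."""
    buckets = defaultdict(list)
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        buckets[(ev["src_ip"], ev["dest_ip"], ev["dest_port"])].append(ts.timestamp())
    findings = []
    for (src, dst, port), times in buckets.items():
        if len(times) < min_flows:
            continue  # too few connections to judge periodicity
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            # Payload shape mirrors the alert JSON shown later on this page.
            findings.append({"src_ip": src, "dest_ip": dst, "dest_port": port,
                             "flows": len(times), "period_s": round(mean, 1),
                             "hunt_type": "beaconing", "score": round(1 - cv, 2)})
    return findings

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_EVE):
        print(json.dumps(finding))
```

Only the 60-second channel survives the `max_cv` filter; the irregular browsing session has a coefficient of variation above 1 and is ignored.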
Respond

Alert & Automate

Detection findings and enriched alerts are published to MQTT and Kafka for downstream automation. Integrate with Fluent Bit, Vector, n8n, Node-RED, or any consumer for SIEM forwarding and SOAR workflows.

  • MQTT publish for IoT and OT environments
  • Kafka produce for enterprise event pipelines
  • Fluent Bit and Vector integration for SIEM forwarding
  • n8n and Node-RED workflow triggers
  • Normalized JSON alert payload with severity and confidence
rockfish alert
    $ rockfish alert \
        --mqtt-broker mqtt://localhost:1883 \
        --kafka-broker localhost:9092 \
        --topic rockfish/alerts

    # Example alert payload
    {
      "timestamp": "2026-04-01T14:32:01Z",
      "src_ip": "10.0.1.42",
      "dest_ip": "198.51.100.7",
      "alert": "ET MALWARE C2 Beacon",
      "severity": 1,
      "hunt_type": "beaconing",
      "score": 0.94
    }

Three plugin families. One Suricata.

Rockfish ships native Suricata plugins that emit structured eve-log events into the same pipeline as alerts and flows. Every event lands in Parquet, queryable by DuckDB, surfaced in the report.

Network Performance

A Suricata plugin that emits tcp_perf and udp_perf events for every flow. Surfaces handshake RTT, retransmits, RST closes, slow TTFB, jitter, and DNS health — the signals that catch brownouts before users do.

  • TCP handshake & first-byte latency
  • Retransmits, RST closes, zero-window stalls
  • UDP jitter, DNS RTT, packet loss proxy
  • Renders the Performance report page

Encrypted Traffic Analysis

A Suricata plugin emitting payload_entropy events — Cisco ETA-style features that find C2, exfiltration, and tunneling inside TLS without ever decrypting the payload.

  • Per-direction Shannon entropy
  • Producer/Consumer Ratio (PCR)
  • SPLT — sequence of packet lengths & inter-arrival times
  • Renders the Encryption report page
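To make the three ETA-style features named above concrete, here is an added example (not the plugin's code) that derives per-direction Shannon entropy, the Producer/Consumer Ratio and a short SPLT from a constructed bidirectional flow; the packet list and the thresholds in `looks_like_exfil` are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample flow as (direction, time_s, payload): "c2s" is client to
# server, "s2c" server to client. Client payloads are random-looking (every byte
# value equally likely) and far larger than the replies, mimicking an upload.
SAMPLE_FLOW = [
    ("c2s", 0.000, bytes(range(256))),
    ("s2c", 0.050, b"OK" * 16),
    ("c2s", 1.010, bytes(range(256)) * 2),
    ("s2c", 1.060, b"OK" * 16),
    ("c2s", 2.020, bytes(range(256))),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def eta_features(flow, splt_n=4):
    """Per-direction entropy, Producer/Consumer Ratio, and the first splt_n
    packet lengths (negative = server to client) with their inter-arrival times."""
    c2s = b"".join(p for d, _, p in flow if d == "c2s")
    s2c = b"".join(p for d, _, p in flow if d == "s2c")
    total = len(c2s) + len(s2c)
    head = flow[:splt_n]
    return {
        "entropy_c2s": round(shannon_entropy(c2s), 3),
        "entropy_s2c": round(shannon_entropy(s2c), 3),
        # PCR = (bytes out - bytes in) / total: +1 is pure upload, -1 pure download.
        "pcr": round((len(c2s) - len(s2c)) / total, 3) if total else 0.0,
        "splt_lengths": [len(p) if d == "c2s" else -len(p) for d, _, p in head],
        "splt_iat_s": [round(b[1] - a[1], 3) for a, b in zip(head, head[1:])],
    }

def looks_like_exfil(features, min_entropy=7.5, min_pcr=0.8):
    """Illustrative thresholds (assumptions, not Rockfish's): high-entropy bytes
    flowing overwhelmingly outbound is the shape of a tunnel or exfil channel."""
    return features["entropy_c2s"] >= min_entropy and features["pcr"] >= min_pcr

if __name__ == "__main__":
    feats = eta_features(SAMPLE_FLOW)
    print(feats, "suspicious" if looks_like_exfil(feats) else "benign")
```

None of this reads the payload's meaning: entropy, byte ratio and packet timing are all available on TLS-encrypted traffic, which is the point of the ETA approach.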

OT Protocol Analysis

A family of Suricata plugins that decode 16+ OT and IIoT protocols natively — every function code, every object access, every command logged. The structured stream feeds the SIGMA Algorithm for behavioral detection.

  • Modbus, DNP3, S7comm, EtherNet/IP, PROFINET
  • OPC UA, MQTT, CoAP, LwM2M
  • IEC 61850 (MMS), IEC 60870-5-104, BACnet
  • RTPS / DDS (ROS 2), EtherCAT, ASTERIX

Deploy Rockfish NDR in minutes. Single binary. No dependencies. Air-gap native. The plant's data stays at the plant.

We built this for critical infrastructure.

Now we want to prove it.

We are looking for defense contractors, water utilities, power facilities, manufacturing plants, and C3PAOs to deploy Rockfish NDR in a production environment at no cost. Slots are limited.

Requirements are simple: you run it, we support it, you tell us what you think. If that sounds like a fair trade, let's talk.