Automated deployment scripts for the RockNSM network hunting distribution.

Documentation | Download

ROCK is a collections platform, in the spirit of Network Security Monitoring, by contributors from all over industry and the public sector. Its primary focus is to provide a robust, scalable sensor platform for both enduring security monitoring and incident response missions. The platform consists of 3 core capabilities:

  • Passive data acquisition via AF_PACKET, feeding systems for metadata (Bro), signature detection (Suricata), and full packet capture (Stenographer).
  • A messaging layer (Kafka and Logstash) that provides flexibility in scaling the platform to meet operational needs, as well as providing some degree of data reliability in transit.
  • Reliable data storage and indexing (Elasticsearch) to support rapid retrieval and analysis (Kibana) of the data.


  • Full Packet Capture via Google Stenographer and Docket.
  • Protocol Analysis and Metadata via Bro.
  • Signature Based Alerting via Suricata.
  • Recursive File Scanning via FSF.
  • Message Queuing and Distribution via Apache Kafka.
  • Message Transport via Logstash.
  • Data Storage, Indexing, and Search via Elasticsearch.
  • Data UI and Visualization via Kibana.
  • Security - The system is developed and tested to run with SELinux enabled.

Installation and Usage

Please reference our documentation for all ROCK details to include:

  • installation
  • configuration
  • deployment
  • troubleshooting


We use molecule for testing playbooks using vSphere instances in one or more of the developers' labs. Specifically, we're using these CookieCutter templates for molecule, as found in the molecule/ directory.

If you're looking to run these tests in a different vCenter environment, you'll need to edit the molecule block in molecule.yml for each of the scenarios. After that, you authenticate using the environment variables VMWARE_USER and VMWARE_PASSWORD. These are the standard Ansible environment variables and get passed to the respective VMware modules.

In molecule, the easiest way is to create a .env.yml file in the root of the rock project directory with this information. Example:

VMWARE_USER: "myuser@vsphere.local"
VMWARE_PASSWORD: "its-a-secret-to-everybody"

You can then run all the tests.

docker run --rm -ti -v $(pwd):/src  \
   -w /src test --all
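
Since .env.yml keeps the vCenter password in plain text in the project root, a preflight check before running the tests is worth having. The following is an added example, not part of the ROCK project; check_molecule_env is a hypothetical helper that verifies both variables are set, that the file is not accessible to group or other, and that it is not tracked by git.

```shell
#!/bin/sh
# check_molecule_env FILE (hypothetical helper, not from the ROCK repository):
# returns 0 only if FILE passes every check below. FILE defaults to .env.yml.
check_molecule_env() {
    env_file="${1:-.env.yml}"
    rc=0

    if [ ! -f "$env_file" ]; then
        echo "missing: $env_file" >&2
        return 1
    fi

    # Both variables named in the README must be present with a non-empty value.
    for key in VMWARE_USER VMWARE_PASSWORD; do
        if ! grep -Eq "^${key}:[[:space:]]*[^[:space:]]" "$env_file"; then
            echo "no value for $key in $env_file" >&2
            rc=1
        fi
    done

    # Characters 5-10 of the ls mode string are the group and other bits;
    # anything but "------" means another local account can reach the password.
    perms=$(ls -ld "$env_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$env_file is accessible to group/other; run: chmod 600 $env_file" >&2
        rc=1
    fi

    # A tracked file ends up in history and in every clone of the repository.
    dir=$(dirname "$env_file")
    base=$(basename "$env_file")
    if git -C "$dir" ls-files --error-unmatch "$base" >/dev/null 2>&1; then
        echo "$env_file is tracked by git; untrack it and add it to .gitignore" >&2
        rc=1
    fi

    return "$rc"
}
```

Run it as `check_molecule_env .env.yml` from the root of the rock project directory before starting the tests.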


This architecture is made possible by the efforts of an ever-growing list of amazing people. Look around our GitHub to see the whole list.
