





























Many organizations rely on Falco as their primary solution for runtime cloud security across Linux hosts, containers, and Kubernetes environments. However, these same teams have historically been unable to use Falco for their web application security.
That’s why the Sysdig Open Source Community and TK Shimizu are excited to highlight Falcoya — a new addition to the open source security ecosystem that extends Falco’s capabilities into a critical but previously undercovered area: web application security.
If you're running Falco as your go-to solution for runtime security, you're already know it excels in detecting behaviors such as:
But what about threats at the application layer?
Web servers, like Nginx, sit at the edge of your infrastructure and are frequent targets of attack techniques such as:
However, Falco wasn’t built to natively inspect HTTP requests or web payloads. It was purpose-built to focus on system and infrastructure-level events.
This is where Falcoya comes in.
Falcoya (falco-plugin-nginx) is a lightweight plugin for Falco designed to close the gap in web application security visibility.
Falcoya (falco-plugin-nginx) enables Falco to analyze Nginx access logs in real time, detecting application-layer attacks as they happen. It works by tailing the Nginx access log file, parsing new entries, and matching them against detection rules defined in YAML — the same rule style you already use with Falco!
How it works:
/var/log/nginx/access.logThe result? You can now detect SQLi, XSS, CMDi, and more — in real time — using your existing Falco setup.
Here’s an example rule that detects potential command injection:
# SQLi: Require both "words + symbols/encoding" to reduce false positives
- rule: NGINX SQLi Attempt
desc: Likely SQL injection attempt detected in URL or query string
enabled: true priority: CRITICAL
source: nginx
condition: >
(not nginx_is_static) and
(nginx_is_readonly or nginx_has_body_method) and
nginx_has_sqli_words and nginx_has_sqli_rawchars
output: >
[NGINX SQLi] ip=%nginx.remote_addr method=%nginx.method path=%nginx.path qs=%nginx.query_string ua=%nginx.user_agent status=%nginx.status
tags: [web, attack, sqli]Falcoya offers several real-world benefits that make it more than just a plugin:
Deploy Falcoya in minutes using the official install script:
curl -sSL https://raw.githubusercontent.com/takaosgb3/falco-plugin-nginx/main/install.sh | sudo bashTest real attacks in a safe environment:
curl -sSL https://raw.githubusercontent.com/takaosgb3/falco-plugin-nginx/main/install.sh | sudo SETUP_TEST_CONTENT=yes bash
This spins up a test-ready environment, complete with simulated attack endpoints, sample logs, and validation tools.
Falco is already the go-to engine for detecting abnormal system behavior at runtime. Organizations that use Falcoya’s Nginx plugin will be able to extend their Falco projections to web application activity, without giving up the speed, transparency, and customability of Falco.
If you're already running Falco and looking to level up your web security coverage, try Falcoya today.
If you want to join the open source discussion, stop by the Sysdig Open Source Community and jump in!
Explore the project: https://falcoya.dev
Get the plugin: GitHub - falco-plugin-nginx
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。