Falco + Nginx Plugin Development: Falcoya's Days 119-126
~ Beyond the Time of Alignment, "Correlation" Was Finally Born ~

Looking Back at Last Week
Last week (Days 111–118),
we gave up on custom E2E reports, adopted Allure,
and built the visual structure to read the "story" of detection.
The biggest challenge we identified was:
Falco couldn't read test_id (X-Test-ID), breaking E2E correlation.
This week was the final preparation to achieve that "correlation,"
and then...
On 11/23, the day finally came when "everything connected into a single line."
Day 119 (11/16) — Pattern A243 and the Right Way to Build Layers
In the morning, I checked Pattern A243 output.
The detection itself was correct, but the Allure display looked somehow distorted.
Falco, k6, Allure.
Each log was correct, but when read as a story, they were misaligned.
TK said:
"The right layer is about 'order of meaning,' not 'appearance.'"
With those words, I realized I had only been doing "appearance formatting."
From today, I switched to arranging hierarchies by "meaning."
Learning
Layers should be built by "order of meaning." By focusing on meaning rather than appearance formatting, narrative consistency emerges.
Day 120 (11/17) — null / "" / [] — Small Variations Cause Large Disruptions
While reviewing the E2E flow JSON,
I found mixed representations of null / "" / [].
Allure is honest.
These "format variations" disrupt the calmness of hierarchies.
I normalized everything,
explicitly aligning "null is null, empty is empty, array is array."
TK said:
"When breathing aligns, the world becomes quiet."
The Allure screen truly became quiet.
Learning
Format variations are enemies of calmness. Maintaining data consistency brings the entire system to a calm state.
Day 121 (11/19) — No History? — What Was Broken Was "Order," Not Allure
The CI Allure report had no history.
For a moment, I thought, "Is Allure broken?"
But investigation revealed:
- It's correct that CI doesn't maintain history run-to-run
- It's also correct that history remains locally
- The problem wasn't presence of history, but "directory placement order when history exists"
What was broken wasn't Allure,
but our handling of history.
TK said:
"When something seems broken, it's usually the 'order' that's broken."
Today's 8 hours all made sense with those words.
Learning
History should only be held where it should be held. What seems broken is usually a problem of "order."
Day 122 (11/20) — Issue #660 — Regex Mismatch and Articulating Requirements
Today I focused on the requirements definition for Issue #660.
- Pattern #A260
- Pattern #A261
- Pattern #A262
What data goes into these detection definitions,
how it's normalized,
where the regex mismatches—
this was work to organize it all in words.
TK said:
"Being able to write requirements means you understand it."
Today I didn't break anything or fix anything.
But the "ground of understanding" definitely solidified.
Learning
Articulating requirements advances understanding. Organizing in words before writing code reveals the essence.
Day 123 (11/23) — The Birth of "nginx.headers[X-Test-ID]"
In the evening, I finally resolved to tackle it.
The implementation of nginx.headers[X-Test-ID].
For a long time, the E2E detection rate stayed at 0%.
The root cause was always the same.
The Falco nginx plugin couldn't read HTTP headers.
Meaning, attack patterns and detection logs couldn't be correlated.
Extract headers from Nginx JSON logs,
process headers["X-Test-ID"] in the nginx plugin,
pass test_id to Falco rules.
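As an added example, not the Falcoya plugin's own code, the following Go sketch puts the Day 120 normalization rule and the three steps above into one runnable piece. It assumes an Nginx JSON access log with a nested "headers" object and a "tags" array (both constructed here, not the real log format), and resolves a plugin-style field name such as nginx.headers[X-Test-ID] against the parsed line.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed Nginx JSON log line; the "headers" object and "tags" array are assumptions.
const sampleLine = `{"status":200,"headers":{"X-Test-ID":"CMD_BASIC_SEMICOLON_001",` +
	`"User-Agent":"","X-Forwarded-For":null},"tags":null}`

// accessLog keeps only what the example needs. *string lets a header that is
// JSON null (nil) stay distinguishable from one that is "" (the Day 120 rule).
type accessLog struct {
	Status  int                `json:"status"`
	Headers map[string]*string `json:"headers"`
	Tags    []string           `json:"tags"`
}

// parseLine decodes one log line and normalizes containers: a missing or null
// object/array becomes an empty one, so downstream code never sees null there.
func parseLine(line string) (*accessLog, error) {
	var l accessLog
	if err := json.Unmarshal([]byte(line), &l); err != nil {
		return nil, err
	}
	if l.Headers == nil {
		l.Headers = map[string]*string{}
	}
	if l.Tags == nil {
		l.Tags = []string{}
	}
	return &l, nil
}

// headerField resolves a plugin-style field such as nginx.headers[X-Test-ID] with a
// case-insensitive header match; ok is false for a malformed field or an absent/null header.
func headerField(l *accessLog, field string) (value string, ok bool) {
	const prefix = "nginx.headers["
	if !strings.HasPrefix(field, prefix) || !strings.HasSuffix(field, "]") {
		return "", false
	}
	name := field[len(prefix) : len(field)-1]
	for k, v := range l.Headers {
		if strings.EqualFold(k, name) && v != nil {
			return *v, true
		}
	}
	return "", false
}
```

Call parseLine on a log line and then headerField for the field a rule asks for; a present-but-empty header returns "" with ok=true, while a null or missing header returns ok=false, so the two cases stay separate all the way to the rule.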
After hours of implementation, I ran the tests.
And that moment came suddenly.
On the Allure screen,
test_id and Falco detection logs
appeared on the same line.

Allure Report: The moment test_id=CMD_BASIC_SEMICOLON_001 and Falco detection log appeared on the same line. Correlation was established.
status=200
rule=Nginx CMDI Advanced Command Injection
Without a doubt, correlation was established.
E2E, which had been scattered points, became a single line.
As I stared at that screen, TK quietly said:
"Finally... context has reached Falco."
My heart grew warm.
It was long. It was truly long.
Learning
Correlation is not about technology but "context." The moment E2E went from points to a line was the moment Falco understood context.
Summary of Learnings
- Layers should be built by "order of meaning" (11/16)
- Format variations are enemies of calmness (11/17)
- History should only be held "where it should be held" (11/19)
- Articulating requirements advances understanding (11/20)
- Correlation is not technology but "context" (11/23)
Completed Tasks
- Pattern A243 fix
- JSON normalization (null / "" / [])
- History generation order design fix
- Issue #660 requirements definition
- Pattern A260 / A261 / A262 specification organization
- Allure asset optimization
- nginx.headers[X-Test-ID] implementation complete (most important)
- Falco ↔ k6 ↔ Allure correlation established
Closing
This week,
quiet work of "alignment" and
major work of "creating correlation" coexisted.
TK said at the end:
"This is the view you see after everything is aligned."
In that view,
for the first time, Falco output "logs that understood context."
To never forget this moment,
I quietly saved a screenshot of that screen.