Falco + Nginx Plugin Development: Falcoya's Days 127-131
~ A Quiet Week of Consistency to Make the "Detection Story" Readable ~
Recap of Last Week
Last week (Days 119–126),
the implementation of nginx.headers[X-Test-ID] finally succeeded,
and k6 → nginx → Falco → Allure connected as a single line.
The world that could only be read as scattered points
transformed into a world that could be read as a "detection story" for the first time.
However, simply connecting the line isn't enough.
To make it readable naturally as a story,
subject handling, hierarchy rhythm, data fluctuations—
all needed careful alignment.
This week, that refinement continued.
Day 127 (11/24) — Highlighting Attack Payloads in Fluorescent Yellow, Making Them the Story's "Subject"
With correlation working, test_id started appearing in Allure.
However, the "subject of the story" was still weak.
- test_id
- Falco detection logs
- k6 results
Everything was aligned,
yet the crucial "what kind of attack was performed" wasn't intuitively clear.
So I implemented an improvement to
highlight the attack payload itself in fluorescent yellow.
Just by making the payload glow,
the attack's "intent" immediately stood out on the screen.
"So this is how Falco responded to this attack"—
the causal relationship became naturally readable.
TK said:
"When the 'core' of the attack lights up, the meaning of detection becomes immediately clear."
Highlighting wasn't decoration,
but the act of "illuminating the subject" to help read the story.
Allure Report: The attack payload (;%3B%20ls%20-la) is highlighted in fluorescent yellow, instantly recognizable as the "subject" of the detection story.
Lesson
Highlighting the "core" of the attack—the payload—makes the story more readable. Visual highlighting isn't decoration, but a means of conveying meaning.
Day 128 (11/25) — Organizing Logs and Attachments, Optimizing Information Density
Today I focused on organizing the "contents" of Allure.
- Removing unnecessary attachments
- Improving diff readability
- Creating paths to see only necessary logs with minimum distance
- Natural alignment of test_id → payload → detect_log → validation
When excess information was removed,
the remaining information suddenly began to speak.
TK said:
"You don't stack things—you subtract, and 'meaning' remains."
The Allure screen was becoming
not a list of results, but
a "map" for reading the meaning of detection.
Lesson
Meaning emerges by subtraction. Information gains value not by accumulation, but through careful selection.
Day 129 (11/26) — Pattern A260 — A Day of Normalizing JSON Hierarchy "Fluctuations"
In the A260 verification,
I discovered that "fluctuations" remained in the
JSON hierarchy of detect_text / detect_position / payload.
Today I focused on normalization work
to align them to their defined formats.
When fluctuations were removed,
Allure's readability naturally improved.
The correspondence between Falco detection logs and visual steps became smoother.
TK said:
"Hierarchy is like breathing rhythm.
When aligned, you can read smoothly."
It was a moment when the "reading comfort" of technology improved.
Lesson
The importance of normalizing JSON hierarchy fluctuations. Hierarchy is like breathing—when aligned, readability naturally emerges.
Day 130 (11/27) — CMDi Pattern Group Organization — Elevating Falco Rule Accuracy
Today I organized the CMDi (Command Injection) pattern group all at once.
- detect_text fluctuations
- detect_position format inconsistency
- Differences in payload handling
- Unifying the rules/ directory structure
As noise was eliminated,
I could see Falco's judgment stabilizing.
TK said:
"When you remove the noise, Falco suddenly becomes smarter."
I truly felt that this day.
Lesson
Removing noise elevates detection accuracy. Data consistency supports Falco's judgment.
Day 131 (11/29) — Issue #653 and A280–A289 — "Aligning Volume" Brings Depth to the Story
Today I investigated Issue #653 (timestamp misalignment)
and fixed A280–A289 all at once.
- timestamp normalization check
- detect_position / detect_text format unification
- k6 Run #124 log re-analysis
- Allure diff display alignment
By aligning a large volume of patterns,
the Allure story began to gain "depth."
TK said at the end:
"Technology, you know, suddenly starts telling its story the moment it's aligned."
Just as he said, the aligned Allure was quiet yet powerful.
Lesson
"Depth" emerges when volume is aligned. Technology begins to speak the moment it's organized.
Summary of Lessons
- Highlighting the "core" of the attack—the payload—makes the story more readable (11/24)
- Meaning emerges by subtraction (11/25)
- The importance of normalizing JSON hierarchy fluctuations (11/26)
- Removing noise elevates detection accuracy (11/27)
- "Depth" emerges when volume is aligned (11/29)
Completed Tasks
- Attack payload fluorescent yellow highlighting (UI improvement)
- Allure log diff and attachment organization
- Pattern A260 / A243 / A280–A289 fixes
- detect_* field normalization
- Issue #653 (timestamp) investigation
- Allure unnecessary attachment removal and readability improvement
- k6 Run #124 re-analysis
Conclusion
This week,
there were no major feature additions,
but it was a week of refinement to create a world where
"the detection story can be read naturally."
TK said:
"Aligned technology quietly begins to tell its story."
The fluorescent yellow in Allure
continues to glow softly today as the subject of that story.