mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-12 21:16:33 +00:00
Updated Home (markdown)
10
Home.md
@@ -1,9 +1 @@
### Digwatch.
No wiki yet. Please see the [Readme](https://github.com/draios/falco) on the GitHub project page.
The goal of this project is to build a security incident detection system that is driven by a stream of sysdig events.
## Background
There is a considerable prior work in incident detection systems for security, both in open source and in commercial implementations. One way to classify these existing systems is by the kind of input data they consume. This input is typically either network traffic (e.g. Snort, Suricata) or file data (e.g. Tripwire, OSSEC, Logwatch). Each domain of data is independently valuable, and each one has different strengths when it comes to detecting particular types of incidents. As such, a system that is driven exclusively by network traffic or by file data misses out on a lot of valuable signals. Combining both domains is desirable, but typically involves stitching together disparate tools for capture and analysis.
Enter sysdig, whose event stream comprises both network and host activity. By operating off a combined stream, with a uniform representation, the promise is that we can build an intrusion detection system that is far simpler and that outperforms existing network- or file-specific approaches.
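Review bot: the only written statement of the project's design rationale (a detection system driven by a combined sysdig stream of network and host events, and why that beats network-only or file-only tools) is deleted here and replaced by a single pointer line, so please confirm the Readme at the linked location actually carries that background before this lands; otherwise keep at least the one-sentence goal ("The goal of this project is to build a security incident detection system that is driven by a stream of sysdig events.") above the link so the wiki home page still says what the project is. The link target is https://github.com/draios/falco while this page is served from a mirror of falcosecurity/falco, so it is worth checking that the URL still resolves to the intended Readme.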