Understanding common library implementation
Blog post from Sysdig
Falco, created by Loris Degioanni, descends from a line of open-source tools that includes libpcap, tcpdump, and Snort, and it reuses the layered library design that made those tools successful. This article walks through the architecture shared by Falco and sysdig and the history that connects them: both are built on sysdig's kernel-side capture component, sysdig-probe, and on the user-level libraries libscap (capture and event reading) and libsinsp (event parsing, state tracking, and filtering). Although Falco uses these components from the sysdig project, it is a separate tool; its rule engine plays the role Snort's does for network traffic, but its rules match on system calls rather than packets. The article also describes the ongoing work to split these components out so they can be maintained and supported independently, which keeps both projects stable, and closes with the author's reflections on the legacy of these technologies and the author's own part in their evolution.
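As an added illustration of that contrast (this is not code from the article or from the Falco project's own rule set; the rule name, list, macro, and field choices here are my own, though the field names are real Falco/libsinsp filter fields), here is the shape of a Falco rule. Where a Snort rule keys on packet headers and payload content, a Falco rule's condition is a filter expression over syscall event fields exposed by libsinsp, and the output is an alert formatted from those same fields:

```yaml
# Constructed example rule (not from the Falco project's default rules).
# A macro is a reusable condition fragment; a list is a reusable set of values.
- macro: open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f'

- list: shell_binaries
  items: [bash, sh, zsh, dash]

# The rule itself: condition is evaluated against each system call event
# the driver (sysdig-probe / the Falco driver) delivers through libscap,
# after libsinsp has parsed it and attached process and fd state.
- rule: Shell Writes Below Etc
  desc: A shell process opened a file under /etc for writing (constructed example)
  condition: >
    open_write and fd.name startswith /etc/ and proc.name in (shell_binaries)
  output: >
    File below /etc opened for writing by a shell
    (user=%user.name command=%proc.cmdline file=%fd.name container=%container.id)
  priority: WARNING
  tags: [filesystem, persistence]
```

The analogy to Snort is structural rather than literal: a Snort rule's header and options select packets by protocol, address, port and content, and fire an alert with a message; a Falco rule's condition selects syscall events by type, arguments and the process and file-descriptor context libsinsp tracks, and fires an output string with those fields interpolated. Load it with `falco -r <file>` to see it evaluated against live events.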