Introduce conditional kernel-side event filtering #1557

@stevenbrz

Description

Motivation

Hi! We're deploying Falco on large, highly utilized instances. Despite allocating an entire CPU core to Falco, we experience a high percentage of event drops. We have a high volume of nearly identical and benign events coming through on hosts that ultimately consume resources having to run through the rule evaluation pipeline.

Feature

It would be excellent to be able to specify a set of filters for dropping events in kernel-space before even getting allocated on the ring buffer. For example, a filter could ignore all exec events with a specific proc.cmdline or similarly open events with a given fd.name.

We're looking to try and make a patch supporting this, and it would be great if we could do it in such a way that it could ultimately be beneficial to the upstream.

Diving into the code, it looks like it could potentially live here where we could peek into ctx, filtering out syscalls that match patterns defined in the config. I'm not sure the best way to do this generically, but even just supporting exec* and open* would likely benefit us a lot.

Any thoughts on this approach or if there's potentially a better way to do this?

Alternatives

We've tried adjusting base_syscalls.custom_set in the config to the minimum set we need in addition to adjusting the ring buffer parameters with no perceivable improvement.

Additional context

We're running the latest 0.36.2 release on a mixture of ARM and x86 boxes running CentOS Stream and AlmaLinux 9 with kernel versions 5.15 and later.
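A userspace model of the pre-ring-buffer decision this request describes, added here as an example and not Falco's probe code: a small table of drop rules keyed on event class plus an argument prefix (proc.cmdline for exec*, fd.name for open*), with a per-rule counter so the filtered volume stays observable instead of silently vanishing. The event classes, rule table and helper names are constructed assumptions; the real eBPF probe would need bounded, verifier-friendly matching rather than strlen/strncmp.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical event classes; the real probe keys on PPM event ids. */
enum ev_class { EV_EXEC, EV_OPEN };

/* One kernel-side drop rule: event class plus a prefix the key argument
 * must start with. `dropped` keeps the discarded volume visible, so an
 * operator can see how much a rule hides and keep rules narrow. */
struct drop_rule {
    enum ev_class cls;
    const char *prefix;
    uint64_t dropped;
};

/* Constructed config resembling the rules the request asks for. */
static struct drop_rule rules[] = {
    { EV_EXEC, "/usr/bin/healthcheck", 0 },
    { EV_OPEN, "/var/log/app/", 0 },
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

/* Decision point a probe would evaluate before reserving ring buffer
 * space. Returns true when the event matches a rule and is not enqueued.
 * A prefix match on cmdline also hides any abuse that reuses the same
 * prefix, so rules should be as specific as the benign noise allows. */
bool should_drop_event(enum ev_class cls, const char *key)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (rules[i].cls != cls)
            continue;
        size_t n = strlen(rules[i].prefix);
        if (strncmp(key, rules[i].prefix, n) == 0) {
            rules[i].dropped++;
            return true;
        }
    }
    return false;
}

uint64_t rule_dropped_count(size_t idx) { return idx < NRULES ? rules[idx].dropped : 0; }

int main(void)
{
    const char *cmd[] = { "/usr/bin/healthcheck --port 8080", "/bin/sh -c id" };
    for (int i = 0; i < 2; i++)
        printf("exec %s -> %s\n", cmd[i],
               should_drop_event(EV_EXEC, cmd[i]) ? "drop" : "enqueue");
    printf("rule0 dropped=%llu\n", (unsigned long long)rule_dropped_count(0));
    return 0;
}
```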
