[Bro] bro syntax checking
Zeolla@GMail.com
zeolla at gmail.com
Wed Oct 26 08:09:21 PDT 2016
What I'm working on doing is making this more accessible to high turnover,
fairly green SOC analysts. In that situation I don't trust
process/procedure, I need an easily distributed validation mechanism. The
thought would be for them to get assigned a task -> attempt a solution ->
push to a test branch which requires some very basic checks -> request a Sr
analyst to review and merge to master. I don't want to waste my Sr
analyst's time with something that doesn't pass very basic tests.
Essentially I'm looking to scale this process out.
Jon
On Wed, Oct 26, 2016 at 9:38 AM Azoff, Justin S <jazoff at illinois.edu> wrote:
>
> > On Oct 26, 2016, at 9:22 AM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
> >
> > So I've been looking for a cleaner way to check bro syntax via a
> pre-commit hook - we currently have bro installed on a server where we
> commit from that does a `broctl check`. I was thinking of doing something
> small like a docker instance that can run `broctl check` using a mounted
> host directory. My questions are:
> >
> > 1. Has anybody else already solved this issue? What are others using to
> validate syntax before pushing out changes?
>
> bro supports a '-a' option for validating syntax on scripts. I've built
> integration for it inside syntastic for vim and wrote an atom linter for
> bro, adding support for other editors is pretty easy.
>
> Aside from that we don't bother.. if a broken script ends up getting
> pushed out somehow, broctl deploy will complain and we can fix it without
> ever impacting the running bro instances.
>
> > 2. Is this the official bro docker image? I pulled it down and was
> playing around a bit but ran into an issue but I wasn't sure if this was
> expected. Specifically, /bro/bin/broctl wasn't functional until I
> installed python, but after running `apt-get update && apt-get install -y
> python && /bin/bro/broctl install` things seemed to be functional.
>
> Ah.. I build those images for try.bro.org and for script testing (there's
> one for each version of bro) but I've never actually used them to run bro
> via broctl. You're probably better off just using it to run your scripts
> against a pcap.
>
>
> --
> - Justin Azoff
>
> --
Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161026/c4bf1c6a/attachment.html
More information about the Bro
mailing list