[Bro] bro syntax checking

Zeolla@GMail.com zeolla at gmail.com
Wed Oct 26 08:09:21 PDT 2016


What I'm working on doing is making this more accessible to high turnover,
fairly green SOC analysts.  In that situation I don't trust
process/procedure, I need an easily distributed validation mechanism.  The
thought would be for them to get assigned a task -> attempt a solution ->
push to a test branch which requires some very basic checks -> request a Sr
analyst to review and merge to master.  I don't want to waste my Sr
analyst's time with something that doesn't pass very basic tests.
Essentially I'm looking to scale this process out.

Jon

On Wed, Oct 26, 2016 at 9:38 AM Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Oct 26, 2016, at 9:22 AM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
> >
> > So I've been looking for a cleaner way to check bro syntax via a
> pre-commit hook - we currently have bro installed on a server where we
> commit from that does a `broctl check`.  I was thinking of doing something
> small like a docker instance that can run `broctl check` using a mounted
> host directory.  My questions are:
> >
> > 1. Has anybody else already solved this issue?  What are others using to
> validate syntax before pushing out changes?
>
> bro supports a '-a' option for validating syntax on scripts.  I've built
> integration for it inside syntastic for vim and wrote an atom linter for
> bro, adding support for other editors is pretty easy.
>
> Aside from that we don't bother.. if a broken script ends up getting
> pushed out somehow, broctl deploy will complain and we can fix it without
> ever impacting the running bro instances.
>
> > 2. Is this the official bro docker image?  I pulled it down and was
> playing around a bit but ran into an issue but I wasn't sure if this was
> expected.  Specifically, /bro/bin/broctl wasn't functional until I
> installed python, but after running `apt-get update && apt-get install -y
> python && /bin/bro/broctl install` things seemed to be functional.
>
> Ah.. I build those images for try.bro.org and for script testing (there's
> one for each version of bro) but I've never actually used them to run bro
> via broctl.  You're probably better off just using it to run your scripts
> against a pcap.
>
>
> --
> - Justin Azoff
>
> --

Jon
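
One way to wire the `bro -a` check Justin mentions into the pre-commit hook Jon asks about, as an added example that is not code from either poster or from the Bro project. `BRO_BIN`, `BRO_CHECK_FAILED` and `check_bro_scripts` are hypothetical names, and the hook assumes `bro` is installed on the machine where commits are made.

```shell
#!/bin/sh
# Added example: pre-commit syntax gate for Bro scripts (not from the thread).
# Assumptions: BRO_BIN is a hypothetical override for the bro binary, and
# bro exits non-zero when `-a` hits a parse error.
BRO_BIN="${BRO_BIN:-bro}"
BRO_CHECK_FAILED=0

# check_bro_scripts FILE...
# Parse-checks every existing *.bro path with `bro -a`, reports failures on
# stderr, stores the failure count in BRO_CHECK_FAILED, returns 1 if any failed.
check_bro_scripts() {
    BRO_CHECK_FAILED=0
    for f in "$@"; do
        case "$f" in
            *.bro) ;;
            *) continue ;;               # not a Bro script
        esac
        [ -f "$f" ] || continue          # path no longer exists on disk
        if ! out=$("$BRO_BIN" -a "$f" 2>&1); then
            printf 'bro -a failed: %s\n%s\n' "$f" "$out" >&2
            BRO_CHECK_FAILED=$((BRO_CHECK_FAILED + 1))
        fi
    done
    [ "$BRO_CHECK_FAILED" -eq 0 ]
}

# Act as a hook only when installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
    # Staged additions, copies and modifications, one path per line.
    # This checks the working-tree copy of each file, not the staged blob.
    IFS='
'
    set -f
    set -- $(git diff --cached --name-only --diff-filter=ACM)
    set +f
    unset IFS
    if ! check_bro_scripts "$@"; then
        echo "commit blocked: $BRO_CHECK_FAILED script(s) failed bro -a" >&2
        exit 1
    fi
fi
```

Client-side hooks are skipped by `git commit --no-verify`, so the same function should also run in whatever gate protects the test branch before a senior analyst is asked to review.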