bro syntax checking

So I’ve been looking for a cleaner way to check bro syntax via a pre-commit hook - we currently have bro installed on a server where we commit from that does a broctl check. I was thinking of doing something small like a docker instance that can run broctl check using a mounted host directory. My questions are:

  1. Has anybody else already solved this issue? What are others using to validate syntax before pushing out changes?
  2. Is this the official bro docker image? I pulled it down and was playing around a bit but ran into an issue but I wasn’t sure if this was expected. Specifically, /bro/bin/broctl wasn’t functional until I installed python, but after running apt-get update && apt-get install -y python && /bin/bro/broctl install things seemed to be functional.

I did briefly try to peruse the mailing list archive for the past few months but didn’t find what I was looking for. Thanks,

Jon

Why not just load the edited scripts against a small pcap? That’s what I’ve learned to do on my end before doing a deploy. :)

> So I've been looking for a cleaner way to check bro syntax via a pre-commit hook - we currently have bro installed on a server where we commit from that does a `broctl check`. I was thinking of doing something small like a docker instance that can run `broctl check` using a mounted host directory. My questions are:

> 1. Has anybody else already solved this issue? What are others using to validate syntax before pushing out changes?

bro supports a '-a' option for validating syntax on scripts. I've built integration for it inside syntastic for vim and wrote an atom linter for bro, adding support for other editors is pretty easy.

Aside from that we don't bother.. if a broken script ends up getting pushed out somehow, broctl deploy will complain and we can fix it without ever impacting the running bro instances.

> 2. Is this the official bro docker image? I pulled it down and was playing around a bit but ran into an issue but I wasn't sure if this was expected. Specifically, /bro/bin/broctl wasn't functional until I installed python, but after running `apt-get update && apt-get install -y python && /bin/bro/broctl install` things seemed to be functional.

Ah.. I build those images for try.bro.org and for script testing (there's one for each version of bro) but I've never actually used them to run bro via broctl. You're probably better off just using it to run your scripts against a pcap.

What I’m working on doing is making this more accessible to high turnover, fairly green SOC analysts. In that situation I don’t trust process/procedure, I need an easily distributed validation mechanism. The thought would be for them to get assigned a task → attempt a solution → push to a test branch which requires some very basic checks → request a Sr analyst to review and merge to master. I don’t want to waste my Sr analyst’s time with something that doesn’t pass very basic tests. Essentially I’m looking to scale this process out.

Jon
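An added example, not code from any poster in this thread: a git pre-commit hook built on the `bro -a` parse-only option mentioned above, so a commit containing a script that does not parse is rejected before it reaches review. It assumes the scripts end in `.bro` and that `bro` is on the PATH (or `BRO_BIN` points at it); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-commit hook that parse-checks staged Bro scripts.
# Assumptions: scripts end in .bro; BRO_BIN names the bro binary to run.
BRO_BIN="${BRO_BIN:-bro}"

# List staged files (added, copied or modified) that look like Bro scripts.
staged_bro_files() {
    git diff --cached --name-only --diff-filter=ACM -- '*.bro'
}

# Run `bro -a` (parse only) on each file name read from stdin.
# Reports every failing file on stderr; returns 0 only if all files parsed.
# Note: this checks the working-tree copy, which can differ from the staged
# copy when a file is only partially staged.
check_bro_files() {
    failed=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if ! out=$("$BRO_BIN" -a "$f" 2>&1); then
            printf 'bro -a failed: %s\n%s\n' "$f" "$out" >&2
            failed=1
        fi
    done
    return "$failed"
}

main() {
    # Paths from git are relative to the repository root.
    cd "$(git rev-parse --show-toplevel)" || exit 1
    if ! staged_bro_files | check_bro_files; then
        echo "pre-commit: Bro parse check failed; commit aborted." >&2
        exit 1
    fi
}

# Only act when installed under the hook's name, so the file can also be
# sourced to reuse the functions (for example from a CI job).
case "$0" in
    *pre-commit) main ;;
esac
```

Save it as `.git/hooks/pre-commit` and mark it executable. Because client-side hooks can be skipped, the same `check_bro_files` step would also need to run wherever the test branch is gated.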