[Bro] How "priority" keyword works?
jsiwek at illinois.edu
Fri Oct 31 06:41:08 PDT 2014
> On Oct 31, 2014, at 3:48 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
> ------snippet code.bro------
> event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
> if(c$id$orig_p == 138/udp)
> ...do something and write in my custom log file...
> My custom event dns_message overrides the standard event?
The body of it just gets executed before any other dns_message event handlers with a lower priority.
> The standard event is executed or not in this case?
It still executes.
> Should I find the same packet logged in dns.log and in my custom log or not?
In both (technically not in your custom log if the condition you show isn’t true).
> It depends on priority keyword?
No, &priority just changes the order that the event handlers execute (highest goes first).
> And what happens if I set priority = -5?
The logic in your event handler runs after other event handlers that have priority greater than -5 (if no &priority is given, it defaults to 0). If the priority of two event handlers is the same, the order is not well-defined.
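
The ordering described in this reply, as an added example that is not part of the original thread. The event `demo_msg` and the vector `seen` are hypothetical names; a custom event stands in for dns_message so the script runs with no traffic.

```bro
# Added example, not from the original thread. "demo_msg" and "seen" are
# hypothetical names. Run with: bro priority-demo.bro

global demo_msg: event(orig_p: port);
global seen: vector of string;

# Highest priority: runs first, like the &priority=5 handler in the question.
event demo_msg(orig_p: port) &priority=5
    {
    if ( orig_p == 138/udp )
        seen[|seen|] = "custom handler (5)";
    }

# No &priority attribute: defaults to 0. Stands in for another script's
# handler. It still runs; the handler above does not replace it.
event demo_msg(orig_p: port)
    {
    seen[|seen|] = "default handler (0)";
    }

# Negative priority: runs after both handlers above, so it sees what they
# recorded, prints it, and resets the vector for the next event.
event demo_msg(orig_p: port) &priority=-5
    {
    seen[|seen|] = "late handler (-5)";
    print fmt("%s -> %s", orig_p, seen);
    seen = vector();
    }

event bro_init()
    {
    event demo_msg(138/udp);  # condition true: all three handlers record
    event demo_msg(53/udp);   # condition false: only the custom body is skipped
    }
```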