[Bro] How "priority" keyword works?

Vito Logrillo vitologrillo at gmail.com
Fri Oct 31 07:42:03 PDT 2014


Hi Jon,
thanks for your reply. Just one question: how can I avoid executing the
standard event and permit only the execution of my custom event?
In the example below, how can I avoid logging the same packet (in dns.log
and in my custom log) if the condition "if(c$id$orig_p == 138/udp)" is true?
Thanks
Vito

2014-10-31 14:41 GMT+01:00 Siwek, Jon <jsiwek at illinois.edu>:

>
> > On Oct 31, 2014, at 3:48 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
> >
> > ------snippet code.bro------
> > event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
> > {
> >     if ( c$id$orig_p == 138/udp )
> >     {
> >         # ...do something and write in my custom log file...
> >     }
> > }
> > -------------------------------------
> >
> > Does my custom event dns_message override the standard event?
>
> The body of it just gets executed before any other dns_message event
> handlers with a lower priority.
>
> > Is the standard event executed or not in this case?
>
> It still executes.
>
> > Should I find the same packet logged in dns.log and in my custom log or not?
>
> In both (technically not in your custom log if the condition you show
> isn’t true).
>
> > Does it depend on the priority keyword?
>
> No, &priority just changes the order that the event handlers execute
> (highest goes first).
>
> > And what happens if I set priority = -5?
>
> The logic in your event handler runs after other event handlers that have
> priority greater than -5 (if no &priority is given, it defaults to 0).  If
> the priority of two event handlers is the same, the order is not
> well-defined.
>
> - Jon