[Bro] How "priority" keyword works?

Siwek, Jon jsiwek at illinois.edu
Fri Oct 31 08:21:24 PDT 2014


> On Oct 31, 2014, at 9:42 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
> 
> Thanks for your reply. Only a question: how can I avoid executing the standard event and permit only the execution of my custom event?

The main option is to simply not load the script that contains unwanted event handlers.  You may have to run Bro with the ‘-b’ flag to do that.  But it may also not load a lot of other default functionality that you want and you’ll either have to replicate some portions of the default scripts in your own, or pick and choose which scripts are ok to @load individually.

> In the example below, how can I avoid logging the same packet (in dns.log and in my custom log) if the condition "if(c$id$orig_p == 138/udp)" is true?

If you just care about modifying the logging aspects of the standard event rather than preventing it from running entirely, you may be able to customize that via logging filters.  In this case, it seems you could supply the “pred” field [1] for the default DNS logging filter.  More reading at [2] that may help explain options for customized logging.

- Jon

[1] https://www.bro.org/sphinx/scripts/base/frameworks/logging/main.bro.html?highlight=filter#type-Log::Filter
[2] https://www.bro.org/sphinx/scripting/index.html#custom-logging
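The filter-predicate approach suggested above, written out as an added example (this is not code from the thread or from Bro's own scripts). It assumes the question's condition, an originator port of 138/udp, and the helper name skip_excluded is made up for illustration. The @load line lets the same script run under "bro -b": in bare mode it pulls in only the DNS base scripts, and without -b it is a no-op because they are already loaded.

```bro
# Added example: keep the default dns.log, but drop records whose
# originator port is 138/udp by installing a "pred" on the DNS stream's
# default filter. The condition comes from the question; the names below
# are illustrative, not part of Bro's API.
@load base/protocols/dns

# Originator port whose DNS records should not appear in dns.log.
const excluded_orig_port = 138/udp &redef;

# Called once per DNS::Info record just before it is written by this
# filter. Returning F skips the record for this filter only; the default
# event handlers that built the record still run, and any other stream
# or filter (such as a custom log) is unaffected.
function skip_excluded(rec: DNS::Info): bool
	{
	return rec$id$orig_p != excluded_orig_port;
	}

# Negative priority so this runs after the DNS base script has created
# the DNS::LOG stream and its default filter in its own bro_init handler.
event bro_init() &priority=-5
	{
	# Replace the stream's "default" filter with an equivalent one that
	# keeps the same output path ("dns" -> dns.log) and adds the predicate.
	Log::remove_default_filter(DNS::LOG);
	Log::add_filter(DNS::LOG, [$name="default",
	                           $path="dns",
	                           $pred=skip_excluded]);
	}
```

Run it as `bro -r trace.pcap this-script.bro` (or with `-b` to stay in bare mode). Note that this only changes what reaches dns.log: the standard DNS event handlers still execute for every packet, so a custom handler writing 138/udp traffic to its own stream keeps working, and those records now appear in exactly one log.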
