How "priority" keyword works?

Hi,

i have some questions about priority keyword: i’ll try to explain with an example.

If i make a script able to write a new log file

------snippet code.bro------
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if(c$id$orig_p == 138/udp)
{

…do something and write in my custom log file…
}
}

------snippet code.bro------
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if(c$id$orig_p == 138/udp)
{
...do something and write in my custom log file...
}
}
-------------------------------------

My custom event dns_message overrides the standard event?

The body of it just gets executed before any other dns_message event handlers with a lower priority.

The standard event is executed or not in this case?

It still executes.

Should i find the same packet logged in dns.log and in my custom log or not?

In both (technically not in your custom log if the condition you show isn’t true).

It depends on priority keyword?

No, &priority just changes the order that the event handlers execute (highest goes first).

And what happens if i set priority = -5?

The logic in your event handler runs after other event handlers that have priority greater than -5 (if no &priority is given, it defaults to 0). If the priority of two event handlers is the same, the order is not well-defined.

- Jon

Hi Jon,

thanks for your reply. Only a question: How can avoid to execute the standard event and permit only the execution of my custom event?

thanks for your reply. Only a question: How can avoid to execute the standard event and permit only the execution of my custom event?

The main option is to simply not load the script that contains unwanted event handlers. You may have to run Bro with the ‘-b’ flag to do that. But it may also not load a lot of other default functionality that you want and you’ll either have to replicate some portions of the default scripts in your own, or pick and choose which scripts are ok to @load individually.

In the example below, how can avoid the log of the same packet (in dns.log and in my custom log) if the condition "if(c$id$orig_p == 138/udp)" is true?

If you just care about modifying the logging aspects of the standard event rather than preventing it from running entirely, you may be able to customize that via logging filters. In this case, it seems you could supply the “pred” field [1] for the default DNS logging filter. More reading at [2] that may help explain options for customized logging.

- Jon

[1] https://www.bro.org/sphinx/scripts/base/frameworks/logging/main.bro.html?highlight=filter#type-Log::Filter
[2] https://www.bro.org/sphinx/scripting/index.html#custom-logging