From 0f6f6cdb2987332447d48d5d87d0a04b196eec56 Mon Sep 17 00:00:00 2001
From: Michael Dopheide
Date: Wed, 13 Mar 2019 14:14:38 -0500
Subject: [PATCH] Fix geo-data to log remote_location data when auth is successful.
---
 scripts/policy/protocols/ssh/geo-data.bro | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro
index c8f73b6ac7..d5641e8a85 100644
--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@@ -35,9 +35,6 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
 if ( ! c$ssh?$direction )
 return;
 
- # Add the location data to the SSH record.
- c$ssh$remote_location = get_location(c);
-
 if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
 {
 NOTICE([$note=Watched_Country_Login,
@@ -48,7 +45,7 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
 }
 }
 
-event ssh_auth_failed(c: connection) &priority=3
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=3
 {
 if ( ! c$ssh?$direction )
 return;
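Review bot: In the ssh_auth_successful hunk, the surviving check `c$ssh$remote_location?$country_code` reads a field that this handler no longer assigns, so the Watched_Country_Login notice now depends on the ssh_auth_attempted handler (second hunk) having already run for the same connection. Both handlers are declared `&priority=3` and the order in which the two events are raised is not visible here; if `remote_location` is an optional field and still unset, the access would presumably raise a runtime error and the notice would be skipped with nothing in the logs pointing at the missed detection. Guarding the field keeps the check failure-safe: `if ( c$ssh?$remote_location && c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )`. A one-line comment above it, such as `# remote_location is populated by the ssh_auth_attempted handler below.`, would record the dependency for the next maintainer. Both handler bodies continue outside the hunks.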