diff --git a/CHANGES b/CHANGES
index 3d7118c750..2e8741ad96 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,13 @@
 
+2.2-beta-194 | 2013-11-06 14:39:50 -0500
+
+  * Remove resp_size from the ssh log. Refactor when we write out to the log a bit. Geodata now works reliably. (Vlad Grigorescu)
+
+  * Update VirusTotal URL to work with changes to their website and changed it to a redef. (Vlad Grigorescu)
+
+  * Added a document for the SumStats framework. (Seth Hall)
+
+
 2.2-beta-184 | 2013-11-03 22:53:42 -0800
 
   * Remove swig-ruby from required packages section of install doc.
diff --git a/VERSION b/VERSION
index 24723a69bb..417b14663a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-beta-184
+2.2-beta-194
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 5b452d432c..33b0c84147 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -37,12 +37,6 @@ export {
 		client:          string       &log &optional;
 		## Software string from the server.
 		server:          string       &log &optional;
-		## Amount of data returned from the server. This is currently
-		## the only measure of the success heuristic and it is logged to
-		## assist analysts looking at the logs to make their own
-		## determination about the success on a case-by-case basis.
-		resp_size:       count        &log &default=0;
-
 		## Indicate if the SSH session is done being watched.
 		done:            bool         &default=F;
 	};
@@ -107,10 +101,10 @@ function check_ssh_connection(c: connection, done: bool)
 		# this matches the conditions for a failed login.  Failed
 		# logins are only detected at connection state removal.
 
-		if ( # Require originators to have sent at least 50 bytes.
-		     c$orig$size > 50 &&
+		if ( # Require originators and responders to have sent at least 50 bytes.
+		     c$orig$size > 50 && c$resp$size > 50 &&
 		     # Responders must be below 4000 bytes.
-		     c$resp$size < 4000 &&
+		     c$resp$size < authentication_data_size &&
 		     # Responder must have sent fewer than 40 packets.
 		     c$resp$num_pkts < 40 &&
 		     # If there was a content gap we can't reliably do this heuristic.
@@ -122,7 +116,7 @@ function check_ssh_connection(c: connection, done: bool)
 			event SSH::heuristic_failed_login(c);
 			}
 
-		if ( c$resp$size > authentication_data_size )
+		if ( c$resp$size >= authentication_data_size )
 			{
 			c$ssh$status = "success";
 			event SSH::heuristic_successful_login(c);
@@ -132,7 +126,7 @@ function check_ssh_connection(c: connection, done: bool)
 		{
 		# If this connection is still being tracked, then it's possible
 		# to watch for it to be a successful connection.
-		if ( c$resp$size > authentication_data_size )
+		if ( c$resp$size >= authentication_data_size )
 			{
 			c$ssh$status = "success";
 			event SSH::heuristic_successful_login(c);
@@ -150,8 +144,6 @@ function check_ssh_connection(c: connection, done: bool)
 	# after detection is done.
 	c$ssh$done=T;
 
-	Log::write(SSH::LOG, c$ssh);
-
 	if ( skip_processing_after_detection )
 		{
 		# Stop watching this connection, we don't care about it anymore.
@@ -161,10 +153,24 @@ function check_ssh_connection(c: connection, done: bool)
 	}
 
 
+event heuristic_successful_login(c: connection) &priority=-5
+	{
+	Log::write(SSH::LOG, c$ssh);
+	}
+
+event heuristic_failed_login(c: connection) &priority=-5
+	{
+	Log::write(SSH::LOG, c$ssh);
+	}
+
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssh )
+		{
 		check_ssh_connection(c, T);
+		if ( c$ssh$status == "undetermined" )
+			Log::write(SSH::LOG, c$ssh);
+		}
 	}
 
 event ssh_watcher(c: connection)
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro
index 3abc19d337..a5fed986ef 100644
--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@@ -24,21 +24,29 @@ export {
 	const watched_countries: set[string] = {"RO"} &redef;
 }
 
+function get_location(c: connection): geo_location
+	{
+	local lookup_ip = (c$ssh$direction == OUTBOUND) ? c$id$resp_h : c$id$orig_h;
+	return lookup_location(lookup_ip);
+	}
+
 event SSH::heuristic_successful_login(c: connection) &priority=5
 	{
-	local location: geo_location;
-	location = (c$ssh$direction == OUTBOUND) ? 
-		lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
-	
 	# Add the location data to the SSH record.
-	c$ssh$remote_location = location;
+	c$ssh$remote_location = get_location(c);
 	
-	if ( location?$country_code && location$country_code in watched_countries )
+	if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
 		{
 		NOTICE([$note=Watched_Country_Login,
 		        $conn=c,
 		        $msg=fmt("SSH login %s watched country: %s", 
 		                 (c$ssh$direction == OUTBOUND) ? "to" : "from", 
-		                 location$country_code)]);
+		                 c$ssh$remote_location$country_code)]);
 		}
 	}
+
+event SSH::heuristic_failed_login(c: connection) &priority=5
+	{
+	# Add the location data to the SSH record.
+	c$ssh$remote_location = get_location(c);
+	}