diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index b9768b6dbb..2ac289750a 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -22,7 +22,7 @@ export {
 		host_key: string &log &optional;
 		## Auth result
 		result: string &log &optional;
-		## Auth method
+		## Auth method (password, pubkey, etc.)
 		method: string &log &optional;
 	};
 
@@ -70,21 +70,34 @@ event ssh_client_version(c: connection, version: string)
 	c$ssh$client = version;
 	}
 
-event ssh_auth_successful(c: connection, method: string)
+function determine_auth_method(middle_pkt_len: int, first_pkt_len: int): string
+	{
+	if ( middle_pkt_len == 96 )
+		return "password";
+	if ( ( middle_pkt_len == 32 ) && ( first_pkt_len == 0 || first_pkt_len == 48 ) )
+		return "challenge-response";
+	if ( ( first_pkt_len >= 112 ) && ( first_pkt_len <= 432 ) )
+		return "pubkey";
+	if ( first_pkt_len == 16 )
+		return "host-based";
+	return fmt("unknown (mid=%d, first=%d)", middle_pkt_len, first_pkt_len);
+	}
+	
+event ssh_auth_successful(c: connection, middle_pkt_len: int, first_pkt_len: int)
 	{
 	if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
 		return;
 	c$ssh$result = "success";
-	c$ssh$method = method;
+	c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
 	Log::write(SSH::LOG, c$ssh);
 	}
 
-event ssh_auth_failed(c: connection, method: string)
+event ssh_auth_failed(c: connection, middle_pkt_len: int, first_pkt_len: int)
 	{
 	if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
 		return;
 	c$ssh$result = "failure";
-	c$ssh$method = method;
+	c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
 	Log::write(SSH::LOG, c$ssh);
 	}
 
@@ -93,7 +106,6 @@ event connection_closed(c: connection)
 	if ( c?$ssh && !c$ssh?$result )
 		{
 		c$ssh$result = "unknown";
-		c$ssh$method = "unknown";
 		Log::write(SSH::LOG, c$ssh);
 		}
 	}
diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
index c89a77b9e7..1d942c5097 100644
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -68,7 +68,6 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		printf("    **** %s\n", e.c_msg());
 		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
@@ -92,19 +91,18 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 	  	relative_len = len - initial_client_packet_size;
 	else
 	  	relative_len = len - initial_server_packet_size;
-	//	printf("Encrypted packet of length %d from %s.\n", len, orig?"client":"server");
 	if ( num_encrypted_packets_seen >= 4 )
 		{
 		int auth_result = AuthResult(relative_len, orig);
 		if ( auth_result > 0 )
 			{
 			num_encrypted_packets_seen = 1;
-			//printf("Have auth\n");
-			StringVal* method = new StringVal(AuthMethod(relative_len, orig));
 			if ( auth_result == 1 )
-				BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method);
+				BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
+					                                   packet_n_1_size, packet_n_2_size);
 			if ( auth_result == 2 )
-				BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method);
+				BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
+					                               packet_n_1_size, packet_n_2_size);
 			}
 		}
 	if ( num_encrypted_packets_seen >= 2 )
@@ -132,16 +130,3 @@ int SSH_Analyzer::AuthResult(int len, bool orig)
 		return -1;
 	}
 
-const char* SSH_Analyzer::AuthMethod(int len, bool orig)
-	{
-	if ( packet_n_1_size == 96 ) // Password auth
-		return fmt("password (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
-	if ( packet_n_1_size == 32 && ( packet_n_2_size == 0 || packet_n_2_size == 48 ) ) // Challenge-response auth
-		return fmt("challenge-response (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
-	if ( packet_n_2_size >= 112 &&
-	     packet_n_2_size <= 432 ) // Public key auth
-		return fmt("pubkey (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
-	if ( packet_n_2_size == 16 ) // Host-based auth
-		return fmt("host-based (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
-	return fmt("unknown (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
-	}
diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h
index b0d8aade57..7ded40c32c 100644
--- a/src/analyzer/protocol/ssh/SSH.h
+++ b/src/analyzer/protocol/ssh/SSH.h
@@ -44,7 +44,6 @@ protected:
 	
 	void ProcessEncrypted(int len, bool orig);
 	int AuthResult(int len, bool orig);
-	const char* AuthMethod(int len, bool orig);
 
 	bool had_gap;
 
diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
index cefb591a6e..1389b2e0da 100644
--- a/src/analyzer/protocol/ssh/events.bif
+++ b/src/analyzer/protocol/ssh/events.bif
@@ -2,9 +2,9 @@ event ssh_server_version%(c: connection, version: string%);
 
 event ssh_client_version%(c: connection, version: string%);
 
-event ssh_auth_successful%(c: connection, method: string%);
+event ssh_auth_successful%(c: connection, middle_packet_len: int, first_packet_len: int%);
 
-event ssh_auth_failed%(c: connection, method: string%);
+event ssh_auth_failed%(c: connection, middle_packet_len: int, first_packet_len: int%);
 
 event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%);