From 20aef04dc7f232a0f4b0cba08d1f048fe7b7ee50 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Fri, 7 Oct 2016 16:47:52 -0500
Subject: [PATCH] Change SSH.cc to use ssh_auth_attempted instead of
 ssh_auth_failed. Addresses BIT-1641.

---
 src/analyzer/protocol/ssh/SSH.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
index f1f8857e03..3b94f1f26c 100644
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -131,8 +131,8 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 		// another packet of the same size.
 		if ( len == userauth_failure_size )
 			{
-			if ( ssh_auth_failed )
-				BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn());
+			if ( ssh_auth_attempted )
+				BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
 			return;
 			}
 
@@ -140,6 +140,8 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 		if ( len - service_accept_size == -16 )
 			{
 			auth_decision_made = true;
+			if ( ssh_auth_attempted )
+				BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
 			if ( ssh_auth_successful )
 				BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
 			return;