From 70aaffbaacaaf4cbef1ad0a15081f9bca23545a1 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Thu, 13 Oct 2016 16:33:48 -0500
Subject: [PATCH] Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test.
Addresses BIT-1641.
---
 scripts/base/protocols/ssh/main.bro | 32 +++++++++++++------
 .../protocols/ssh/one-auth-fail-only.test | 2 +-
 2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index d0ad9a8b73..7b51b1b525 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -248,23 +248,37 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
 server_caps$server_host_key_algorithms);
 }
-event connection_state_remove(c: connection) &priority=-5
+event connection_state_remove(c: connection)
 {
- if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
+ if ( c?$ssh && !c$ssh$logged )
 {
- # Success get logged immediately. To protect against a race condition, we'll double check:
- if ( c$ssh$auth_success )
- return;
-
- # Now that we know it's a failure, we'll set the field, raise the event, and log it.
- c$ssh$auth_success = F;
- event SSH::ssh_auth_failed(c);
+ # Do we have enough information to make a determination about auth success?
+ if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
+ {
+ # Success get logged immediately. To protect against a race condition, we'll double check:
+ if ( c$ssh$auth_success )
+ return;
+ # Now that we know it's a failure, we'll set the field, and raise the event.
+ c$ssh$auth_success = F;
+ event SSH::ssh_auth_failed(c);
+ }
+ # If not, we'll just log what we have
+ else
+ {
 c$ssh$logged = T;
 Log::write(SSH::LOG, c$ssh);
+ }
 }
 }
+event ssh_auth_failed(c: connection) &priority=-5
+ {
+ c$ssh$logged = T;
+ Log::write(SSH::LOG, c$ssh);
+ }
+
+
 function generate_fingerprint(c: connection, key: string)
 {
 if ( !c?$ssh )
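Review bot: Dropping `&priority=-5` from the `connection_state_remove` handler changes when the indeterminate-case `Log::write(SSH::LOG, c$ssh)` in the new else branch runs: at the default priority it now executes before any other script's `connection_state_remove` handler registered at a negative priority, so fields such a handler adds to `c$ssh` would be missing from the written record, whereas the old `-5` ran after them. Unless the ordering change is intended, keep the signature as `event connection_state_remove(c: connection) &priority=-5`. The new `ssh_auth_failed` handler also writes the log unconditionally; if the event is raised anywhere outside this hunk for a connection that is already logged, that would produce a duplicate SSH::LOG entry, so a guard like `if ( c$ssh$logged ) return;` ahead of the write would be safer. `generate_fingerprint` begins at the end of the hunk and continues outside it.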
diff --git a/testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test b/testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test
index fc39683a16..f6751c2a03 100644
--- a/testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test
+++ b/testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test
@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output
 # @TEST-EXEC: btest-diff output
-event ssh_auth_failed(c: connection)
+event SSH::ssh_auth_failed(c: connection)
 {
 print c$uid;
 }