Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.

scripts/base/protocols/ssh/main.bro

@@ -248,22 +248,36 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
 	                                 server_caps$server_host_key_algorithms);
 	}
 
-event connection_state_remove(c: connection) &priority=-5
+event connection_state_remove(c: connection)
 	{
-	if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
+	if ( c?$ssh && !c$ssh$logged )
+		{
+		# Do we have enough information to make a determination about auth success?
+		if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
 			{
 				# Success get logged immediately. To protect against a race condition, we'll double check:
 				if ( c$ssh$auth_success )
 					return;
 
-			# Now that we know it's a failure, we'll set the field, raise the event, and log it.
+				# Now that we know it's a failure, we'll set the field, and raise the event.
 				c$ssh$auth_success = F;
 				event SSH::ssh_auth_failed(c);
-
+			}
+		# If not, we'll just log what we have
+		else
+			{
 			c$ssh$logged = T;
 			Log::write(SSH::LOG, c$ssh);
 			}
 		}
+	}
+
+event ssh_auth_failed(c: connection) &priority=-5
+	{
+	c$ssh$logged = T;
+	Log::write(SSH::LOG, c$ssh);
+	}
+
 
 function generate_fingerprint(c: connection, key: string)
 	{

testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test

@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output
 # @TEST-EXEC: btest-diff output
 
-event ssh_auth_failed(c: connection)
+event SSH::ssh_auth_failed(c: connection)
     {
     print c$uid;
     }