Merge remote-tracking branch 'origin/topic/vladg/bit-1641'

* origin/topic/vladg/bit-1641:
  Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
  Clean up the logic for ssh_auth_failed. Addresses BIT-1641
  Update baselines for adding a field to ssh.log as part of BIT-1641
  Script-land changes for BIT-1641.
  Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
  Revert "Fixing duplicate SSH authentication failure events."
  Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.

I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global,
some SSH::).

Furthermore, I fixed the ssh_auth_result event; it was only
raised in the success case. ssh_auth_result is now also checked in the
test cases. I also have a suspicion that the intel integration never
really worked before.

BIT-1641 #merged
Johanna Amann 2016-10-18 14:36:50 -04:00
commit 8ce746cc25
14 changed files with 312 additions and 126 deletions

CHANGES

@ -1,4 +1,14 @@
2.5-beta-89 | 2016-10-18 21:50:51 -0400
* SSH analyzer changes: the events are now restructured a bit. There is a new
event ssh_auth_attempted, that is raised each time authentication is tried.
ssh_auth_failed is still only being raised once per connection. There also
is an additional event ssh_auth_result giving more information about the
number of times that authentication was tried and if it succeded/failed in
the end. The number of authentication attemps are now part of ssh.log.
Addresses BIT-1641. (Vlad Grigorescu)
2.5-beta-79 | 2016-10-13 15:58:48 -0700 2.5-beta-79 | 2016-10-13 15:58:48 -0700
* Fix MD5 problem with FreeBSD 11.0 and clang 3.8. The apparent * Fix MD5 problem with FreeBSD 11.0 and clang 3.8. The apparent
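Review bot: the new CHANGES entry has two typos, "succeded" and "attemps"; suggest "succeeded" and "attempts". The entry also says ssh_auth_failed is "still only being raised once per connection", which matches the script-land guard, but since the event is now raised from connection_state_remove rather than from the analyzer, it would help to say so here so readers know its timing has changed.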

NEWS

@ -74,9 +74,20 @@ New Functionality
STARTTLS sessions, handing them over to TLS analysis. These analyzers STARTTLS sessions, handing them over to TLS analysis. These analyzers
do not yet analyze any further IMAP/XMPP content. do not yet analyze any further IMAP/XMPP content.
- The new event ssl_extension_signature_algorithm() allows access to the - New funtionality has been added to the SSL/TLS analyzer:
TLS signature_algorithms extension that lists client supported signature
and hash algorithm pairs. - Bro now supports (draft) TLS 1.3.
- The new event ssl_extension_signature_algorithm() allows access to the
TLS signature_algorithms extension that lists client supported signature
and hash algorithm pairs.
- The new event ssl_extension_key_share gives access to the supported named
groups in TLS 1.3.
- The new event ssl_application_data gives information about application data
that is exchanged before encryption fully starts. This is used to detect when
encryption starts in TLS 1.3.
- Bro now tracks VLAN IDs. To record them inside the connection log, - Bro now tracks VLAN IDs. To record them inside the connection log,
load protocols/conn/vlan-logging.bro. load protocols/conn/vlan-logging.bro.
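Review bot: "funtionality" in the new heading line should be "functionality". Since the existing ssl_extension_signature_algorithm bullet is being re-indented under the new SSL/TLS heading, please check that all four sub-bullets use the same indentation so the reStructuredText renders as one nested list.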
@ -375,11 +386,11 @@ New Functionality
sessions, supports v1, and introduces the intelligence type sessions, supports v1, and introduces the intelligence type
``Intel::PUBKEY_HASH`` and location ``SSH::IN_SERVER_HOST_KEY``. The ``Intel::PUBKEY_HASH`` and location ``SSH::IN_SERVER_HOST_KEY``. The
analayzer also generates a set of additional events analayzer also generates a set of additional events
(``ssh_auth_successful``, ``ssh_auth_failed``, ``ssh_capabilities``, (``ssh_auth_successful``, ``ssh_auth_failed``, ``ssh_auth_attempted``,
``ssh2_server_host_key``, ``ssh1_server_host_key``, ``ssh_auth_result``, ``ssh_capabilities``, ``ssh2_server_host_key``,
``ssh_encrypted_packet``, ``ssh2_dh_server_params``, ``ssh1_server_host_key``, ``ssh_encrypted_packet``,
``ssh2_gss_error``, ``ssh2_ecc_key``). See next section for ``ssh2_dh_server_params``, ``ssh2_gss_error``, ``ssh2_ecc_key``). See
incompatible SSH changes. next section for incompatible SSH changes.
- Bro's file analysis now supports reassembly of files that are not - Bro's file analysis now supports reassembly of files that are not
transferred/seen sequentially. The default file reassembly buffer transferred/seen sequentially. The default file reassembly buffer
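Review bot: this hunk edits the event list at NEWS line 386, well below the 2.5 "New Functionality" block touched by the previous hunk at line 74; please confirm this is the section where these events belong, because ssh_auth_attempted and ssh_auth_result are introduced by this very change (per the CHANGES entry above), and listing them in an older release's entry would be misleading. While here, "analayzer" in the context line should be "analyzer".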


@ -1 +1 @@
2.5-beta-79 2.5-beta-89


@ -20,6 +20,11 @@ export {
version: count &log; version: count &log;
## Authentication result (T=success, F=failure, unset=unknown) ## Authentication result (T=success, F=failure, unset=unknown)
auth_success: bool &log &optional; auth_success: bool &log &optional;
## The number of authentication attemps we observed. There's always
## at least one, since some servers might support no authentication at all.
## It's important to note that not all of these are failures, since
## some servers require two-factor auth (e.g. password AND pubkey)
auth_attempts: count &log &optional;
## Direction of the connection. If the client was a local host ## Direction of the connection. If the client was a local host
## logging into an external host, this would be OUTBOUND. INBOUND ## logging into an external host, this would be OUTBOUND. INBOUND
## would be set for the opposite situation. ## would be set for the opposite situation.
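Review bot: the doc comment for auth_attempts says there is "always at least one", yet the field is declared &optional and the updated ssh.log baselines below show "-" for connections where no determination was made (the SSH-1 sessions, for instance). Suggest rewording to say the field is unset when no authentication attempt could be identified, and fixing "attemps". The clause "since some servers might support no authentication at all" also reads as the opposite of what it means; something like "a server that accepts the none method still counts as one attempt" would be clearer.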
@ -55,18 +60,68 @@ export {
## Event that can be handled to access the SSH record as it is sent on ## Event that can be handled to access the SSH record as it is sent on
## to the logging framework. ## to the logging framework.
global log_ssh: event(rec: Info); global log_ssh: event(rec: Info);
}
module GLOBAL;
export {
## This event is generated when an :abbr:`SSH (Secure Shell)`
## connection was determined to have had a failed authentication. This
## determination is based on packet size analysis, and errs on the
## side of caution - that is, if there's any doubt about the
## authentication failure, this event is *not* raised.
##
## This event is only raised once per connection.
##
## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_result ssh_auth_attempted
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
global ssh_auth_failed: event(c: connection);
## This event is generated when a determination has been made about
## the final authentication result of an :abbr:`SSH (Secure Shell)`
## connection. This determination is based on packet size analysis,
## and errs on the side of caution - that is, if there's any doubt
## about the result of the authentication, this event is *not* raised.
##
## This event is only raised once per connection.
##
## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place.
##
## result: True if the authentication was successful, false if not.
##
## auth_attempts: The number of authentication attempts that were
## observed.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_attempted
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
## Event that can be handled when the analyzer sees an SSH server host ## Event that can be handled when the analyzer sees an SSH server host
## key. This abstracts :bro:id:`ssh1_server_host_key` and ## key. This abstracts :bro:id:`ssh1_server_host_key` and
## :bro:id:`ssh2_server_host_key`. ## :bro:id:`ssh2_server_host_key`.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
global ssh_server_host_key: event(c: connection, hash: string); global ssh_server_host_key: event(c: connection, hash: string);
} }
module SSH;
redef record Info += { redef record Info += {
# This connection has been logged (internal use) # This connection has been logged (internal use)
logged: bool &default=F; logged: bool &default=F;
# Number of failures seen (internal use)
num_failures: count &default=0;
# Store capabilities from the first host for # Store capabilities from the first host for
# comparison with the second (internal use) # comparison with the second (internal use)
capabilities: Capabilities &optional; capabilities: Capabilities &optional;
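Review bot: the ssh_auth_failed doc still says the determination "is based on packet size analysis" and that the event "errs on the side of caution", but in this change it is raised from connection_state_remove whenever auth_success is F at teardown, so its meaning is now "at least one failed attempt was seen and no success followed before the connection ended". Suggest updating the text so handlers know it fires late, at connection removal. The num_failures field is removed here, so any external script referencing c$ssh$num_failures needs a line in the NEWS incompatible-changes section.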
@ -120,9 +175,8 @@ event ssh_client_version(c: connection, version: string)
c$ssh$version = 2; c$ssh$version = 2;
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5 event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
{ {
# TODO - what to do here?
if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) ) if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
return; return;
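Review bot: the early return when auth_success is already T means attempts arriving after a detected success are not counted; that is consistent with SSH.cc no longer calling ProcessEncrypted once auth_decision_made is set, but the removed "# TODO" line should be replaced by a one-line comment stating that reliance, so the guard is not mistaken for dead code.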
@ -130,34 +184,29 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) ) if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
return; return;
c$ssh$auth_success = T; c$ssh$auth_success = authenticated;
if ( disable_analyzer_after_detection ) if ( c$ssh?$auth_attempts )
c$ssh$auth_attempts += 1;
else
{
c$ssh$auth_attempts = 1;
}
if ( authenticated && disable_analyzer_after_detection )
disable_analyzer(c$id, c$ssh$analyzer_id); disable_analyzer(c$id, c$ssh$analyzer_id);
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5 event ssh_auth_attempted(c: connection, authenticated: bool) &priority=-5
{ {
if ( c?$ssh && !c$ssh$logged ) if ( authenticated && c?$ssh && !c$ssh$logged )
{ {
event ssh_auth_result(c, authenticated, c$ssh$auth_attempts);
c$ssh$logged = T; c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }
} }
event ssh_auth_failed(c: connection) &priority=5
{
if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
return;
# We can't accurately tell for compressed streams
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
return;
c$ssh$auth_success = F;
c$ssh$num_failures += 1;
}
# Determine the negotiated algorithm # Determine the negotiated algorithm
function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string
{ {
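Review bot: the &priority=-5 handler can dereference an unset field: when compression_alg is in compression_algorithms, the &priority=5 handler returns before setting auth_success or auth_attempts, but the -5 handler still sees `authenticated && !c$ssh$logged` and calls `event ssh_auth_result(c, authenticated, c$ssh$auth_attempts)`, which is a runtime error on the unset &optional field. Suggest guarding on `c$ssh?$auth_attempts` (or on `c$ssh?$auth_success`, which the +5 handler sets at the same point); that also stops ssh_auth_result from reporting a result the analyzer cannot determine on compressed streams. Minor style: the else branch wraps a single statement in braces while the if branch above it does not.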
@ -204,15 +253,42 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
server_caps$server_host_key_algorithms); server_caps$server_host_key_algorithms);
} }
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection)
{ {
if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server ) if ( c?$ssh && !c$ssh$logged )
{ {
c$ssh$logged = T; # Do we have enough information to make a determination about auth success?
Log::write(SSH::LOG, c$ssh); if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
{
# Successes get logged immediately. To protect against a race condition, we'll double check:
if ( c$ssh$auth_success )
return;
# Now that we know it's a failure, we'll raise the event.
event ssh_auth_failed(c);
}
# If not, we'll just log what we have
else
{
c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh);
}
} }
} }
event ssh_auth_failed(c: connection) &priority=-5
{
# This should not happen; prevent double-logging just in case
if ( ! c?$ssh || c$ssh$logged )
return;
c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh);
event ssh_auth_result(c, F, c$ssh$auth_attempts);
}
function generate_fingerprint(c: connection, key: string) function generate_fingerprint(c: connection, key: string)
{ {
if ( !c?$ssh ) if ( !c?$ssh )
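Review bot: dropping &priority=-5 from connection_state_remove means this handler now runs at default priority alongside any other connection_state_remove handler that touches c$ssh; if that is deliberate a comment would help, otherwise restore it so scripts that enrich the record before the final write keep working. Also, `event ssh_auth_result(c, ...)` only enqueues the event, so its handlers run after Log::write in both the success path above (where it is raised before the write) and the failure path here (after it); if the success-path ordering was meant to let handlers add to c$ssh before logging, it does not achieve that. Finally, the failure handler reads c$ssh$auth_attempts without a ?$ check; it holds today because ssh_auth_failed is only raised after auth_success is set, but the event is exported under module GLOBAL and any other raiser would hit an unset field.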
@ -235,7 +311,7 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
{ {
if ( atype == Analyzer::ANALYZER_SSH ) if ( atype == Analyzer::ANALYZER_SSH )
{ {
set_session(c); set_session(c);
c$ssh$analyzer_id = aid; c$ssh$analyzer_id = aid;


@ -1,4 +1,5 @@
@load base/frameworks/intel @load base/frameworks/intel
@load base/protocols/ssh
@load ./where-locations @load ./where-locations
event ssh_server_host_key(c: connection, hash: string) event ssh_server_host_key(c: connection, hash: string)
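Review bot: adding @load base/protocols/ssh makes the ssh_server_host_key dependency explicit, which fits the merge message's suspicion that the intel integration never worked before; a test that loads an Intel::PUBKEY_HASH item matching a host key in the existing traces and checks intel.log for the hit would confirm the fix and guard against regression.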


@ -16,7 +16,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c)
{ {
interp = new binpac::SSH::SSH_Conn(this); interp = new binpac::SSH::SSH_Conn(this);
had_gap = false; had_gap = false;
auth_decision = AUTH_UNKNOWN; auth_decision_made = false;
skipped_banner = false; skipped_banner = false;
service_accept_size = 0; service_accept_size = 0;
userauth_failure_size = 0; userauth_failure_size = 0;
@ -60,7 +60,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len); orig, len);
if ( auth_decision != AUTH_SUCCESS ) if ( ! auth_decision_made )
ProcessEncrypted(len, orig); ProcessEncrypted(len, orig);
return; return;
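Review bot: auth_decision_made is only ever set on the two success paths in the following hunks, so ProcessEncrypted keeps running after every failure and stops only on success, exactly as the old `!= AUTH_SUCCESS` did. The new name does not say which decision was made; either rename it along the lines of auth_success_seen or add a comment here, since the per-failure ssh_auth_attempted events depend on processing continuing after failures.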
@ -105,10 +105,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
// -16. // -16.
if ( ! userauth_failure_size && (len + 16 == service_accept_size) ) if ( ! userauth_failure_size && (len + 16 == service_accept_size) )
{ {
auth_decision_made = true;
if ( ssh_auth_successful ) if ( ssh_auth_successful )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true); BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
auth_decision = AUTH_SUCCESS;
return; return;
} }
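Review bot: this success path (the none method, where the service-accept-sized packet arrives with no failure seen) sets auth_decision_made and raises ssh_auth_successful, but unlike the success branch in the next hunk it never raises ssh_auth_attempted. Script-land sets auth_success and auth_attempts only from ssh_auth_attempted, so a none-method login is logged with both fields unset and never raises ssh_auth_result; this contradicts the new Info comment that there is always at least one attempt, and is consistent with the baseline row for CUM0KZ3MLUfNB0cl11 below changing from auth_success=T to unset. Suggest adding `BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);` before the ssh_auth_successful call, mirroring the other branch.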
@ -132,20 +131,19 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
// another packet of the same size. // another packet of the same size.
if ( len == userauth_failure_size ) if ( len == userauth_failure_size )
{ {
if ( ssh_auth_failed && auth_decision != AUTH_FAILURE ) if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn()); BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
auth_decision = AUTH_FAILURE;
return; return;
} }
// ...or a success packet. // ...or a success packet.
if ( len - service_accept_size == -16 ) if ( len - service_accept_size == -16 )
{ {
auth_decision_made = true;
if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
if ( ssh_auth_successful ) if ( ssh_auth_successful )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false); BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
auth_decision = AUTH_SUCCESS;
return; return;
} }
} }


@ -35,14 +35,12 @@ namespace analyzer {
bool had_gap; bool had_gap;
// Packet analysis stuff // Packet analysis stuff
bool auth_decision_made;
bool skipped_banner; bool skipped_banner;
int service_accept_size; int service_accept_size;
int userauth_failure_size; int userauth_failure_size;
enum AuthDecision {
AUTH_UNKNOWN, AUTH_FAILURE, AUTH_SUCCESS
} auth_decision;
}; };
} }


@ -8,9 +8,10 @@
## version: The identification string ## version: The identification string
## ##
## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed ## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh_encrypted_packet ssh2_dh_server_params ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh2_gss_error ssh2_ecc_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_server_version%(c: connection, version: string%); event ssh_server_version%(c: connection, version: string%);
## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message ## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
@ -23,9 +24,10 @@ event ssh_server_version%(c: connection, version: string%);
## version: The identification string ## version: The identification string
## ##
## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed ## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh_encrypted_packet ssh2_dh_server_params ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh2_gss_error ssh2_ecc_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_client_version%(c: connection, version: string%); event ssh_client_version%(c: connection, version: string%);
## This event is generated when an :abbr:`SSH (Secure Shell)` ## This event is generated when an :abbr:`SSH (Secure Shell)`
@ -43,25 +45,41 @@ event ssh_client_version%(c: connection, version: string%);
## unauthenticated access, which some servers support. ## unauthenticated access, which some servers support.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed ## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh_encrypted_packet ssh2_dh_server_params ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh2_gss_error ssh2_ecc_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_auth_successful%(c: connection, auth_method_none: bool%); event ssh_auth_successful%(c: connection, auth_method_none: bool%);
## This event is generated when an :abbr:`SSH (Secure Shell)` ## This event is generated when an :abbr:`SSH (Secure Shell)`
## connection was determined to have had a failed authentication. This ## connection was determined to have had an authentication attempt.
## determination is based on packet size analysis, and errs on the ## This determination is based on packet size analysis, and errs
## side of caution - that is, if there's any doubt about the ## on the side of caution - that is, if there's any doubt about
## authentication failure, this event is *not* raised. ## whether or not an authenication attempt occured, this event is
## *not* raised.
##
## At this point in the protocol, all we can determine is whether
## or not the user is authenticated. We don't know if the particular
## attempt succeeded or failed, since some servers require multiple
## authentications (e.g. require both a password AND a pubkey), and
## could return an authentication failed message which is marked
## as a partial success.
##
## This event will often be raised multiple times per connection.
## In almost all connections, it will be raised once unless
## ##
## c: The connection over which the :abbr:`SSH (Secure Shell)` ## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place. ## connection took place.
## ##
## authenticated: This is true if the analyzer detected a
## successful connection from the authentication attempt.
##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_capabilities ssh2_server_host_key ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh_auth_failed%(c: connection%); event ssh_auth_attempted%(c: connection, authenticated: bool%);
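Review bot: the new description is cut off at "In almost all connections, it will be raised once unless" and contradicts itself: it first says "all we can determine is whether or not the user is authenticated" and that "we don't know if the particular attempt succeeded or failed", then documents `authenticated` as true when the attempt succeeded. Suggest finishing the sentence (for example, "unless the server requires several authentications or the client retries after a failure") and describing `authenticated` as true once the server accepted the client and false for a packet that looks like a userauth failure, which under multi-method auth may also be a partial success. Typos: "authenication", "occured".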
## During the initial :abbr:`SSH (Secure Shell)` key exchange, each ## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
## endpoint lists the algorithms that it supports, in order of ## endpoint lists the algorithms that it supports, in order of
@ -79,8 +97,9 @@ event ssh_auth_failed%(c: connection%);
## advertises support for, in order of preference. ## advertises support for, in order of preference.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh2_server_host_key ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%); event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
@ -95,8 +114,9 @@ event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabi
## itself, and not just the fingerprint or hash. ## itself, and not just the fingerprint or hash.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_auth_attempted ssh_capabilities ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh2_server_host_key%(c: connection, key: string%); event ssh2_server_host_key%(c: connection, key: string%);
@ -112,8 +132,9 @@ event ssh2_server_host_key%(c: connection, key: string%);
## e: The exponent for the serer's public host key. ## e: The exponent for the serer's public host key.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh1_server_host_key%(c: connection, p: string, e: string%); event ssh1_server_host_key%(c: connection, p: string, e: string%);
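Review bot: "serer's" in the context line above is a pre-existing typo for "server's"; worth fixing while this doc block is being touched.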
@ -133,8 +154,9 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
## bytes. Note that this ignores reassembly, as this is unknown. ## bytes. Note that this ignores reassembly, as this is unknown.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh1_server_host_key ssh2_dh_server_params ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh_encrypted_packet%(c: connection, orig: bool, len: count%); event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
@ -149,10 +171,11 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
## ##
## q: The DH generator. ## q: The DH generator.
## ##
## .. bro:see:: ssl_dh_server_params ssh_server_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_client_version ssh_auth_successful ssh_auth_failed ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh_encrypted_packet ssh2_gss_error ssh2_ecc_key ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_gss_error ssh2_ecc_key
event ssh2_dh_server_params%(c: connection, p: string, q: string%); event ssh2_dh_server_params%(c: connection, p: string, q: string%);
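Review bot: the cross-reference to ssl_dh_server_params is dropped from this see-also list while the SSH events are re-ordered; if that was not intentional, keep it, since the two DH-parameter events are the natural pair to point readers between.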
## In the event of a GSS-API error on the server, the server MAY send ## In the event of a GSS-API error on the server, the server MAY send
@ -169,8 +192,9 @@ event ssh2_dh_server_params%(c: connection, p: string, q: string%);
## err_msg: Detailed human-readable error message ## err_msg: Detailed human-readable error message
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_dh_server_params ssh2_ecc_key ## ssh2_dh_server_params ssh2_ecc_key
event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, err_msg: string%); event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, err_msg: string%);
@ -188,7 +212,8 @@ event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, e
## q: The ephemeral public key ## q: The ephemeral public key
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_dh_server_params ssh2_gss_error ## ssh2_dh_server_params ssh2_gss_error
event ssh2_ecc_key%(c: connection, is_orig: bool, q: string%); event ssh2_ecc_key%(c: connection, is_orig: bool, q: string%);


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssh #path ssh
#open 2016-07-13-16-13-04 #open 2016-10-13-19-54-38
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key
#types time string addr port addr port count bool enum string string string string string string string string #types time string addr port addr port count bool count enum string string string string string string string string
1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - - - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07
#close 2016-07-13-16-13-05 #close 2016-10-13-19-54-38


@ -0,0 +1,12 @@
auth_result, CHhAvVGS1DHFjwGM9, F, 2
auth_result, ClEkJM2Vm5giqnMf4h, T, 1
auth_result, C4J4Th3PJpwUYZZ6gc, T, 3
auth_result, Ck51lg1bScffFj34Ri, T, 2
auth_result, C9mvWx3ezztgzcexV7, T, 5
auth_result, CNnMIj2QSd84NKf7U3, T, 1
auth_result, C7fIlMZDuRiqjpYbb, F, 6
auth_result, CpmdRlaUoJLN3uIRa, T, 2
auth_result, C1Xkzz2MaGtLrc1Tla, T, 3
auth_result, CLNN1k2QMum1aexUK7, F, 1
auth_result, CBA8792iHmnhPLksKa, T, 1
auth_result, CGLPPc35OzDQij1XX8, T, 1
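Review bot: the first three entries agree with the ssh.log rows below (CHhAvVGS1DHFjwGM9 F 2, ClEkJM2Vm5giqnMf4h T 1, C4J4Th3PJpwUYZZ6gc T 3), but CUM0KZ3MLUfNB0cl11, which the old ssh.log baseline recorded as auth_success=T, has no entry here; see the note on the ssh.log hunk below before accepting this file.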


@ -3,29 +3,29 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssh #path ssh
#open 2016-07-13-16-16-57 #open 2016-10-13-19-57-11
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key
#types time string addr port addr port count bool enum string string string string string string string string #types time string addr port addr port count bool count enum string string string string string string string string
1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 F - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83 1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 F 2 - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83
1409516196.413240 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 2 T - SSH-2.0-OpenSSH_6.6 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa 8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03 1409516196.413240 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 2 T 1 - SSH-2.0-OpenSSH_6.6 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa 8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03
1419870189.489202 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 2 T - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 aes128-ctr hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 1419870189.489202 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 2 T 3 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 aes128-ctr hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 T - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - - - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420590322.682536 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590322.682536 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420590636.482711 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590636.482711 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420590659.429570 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590659.429570 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420591379.658705 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420591379.658705 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420599430.828441 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 1 - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420599430.828441 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
1420851448.310534 Ck51lg1bScffFj34Ri 192.168.2.1 59246 192.168.2.158 22 2 T - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 arcfour256 hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 1420851448.310534 Ck51lg1bScffFj34Ri 192.168.2.1 59246 192.168.2.158 22 2 T 2 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 arcfour256 hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
1420860283.057451 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 2 T - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee 1420860283.057451 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 2 T 5 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
1420860616.428738 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 2 T - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04 1420860616.428738 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 2 T 1 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04
1420868281.665872 C7fIlMZDuRiqjpYbb 192.168.1.32 41268 128.2.10.238 22 2 F - SSH-2.0-OpenSSH_6.6 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee 1420868281.665872 C7fIlMZDuRiqjpYbb 192.168.1.32 41268 128.2.10.238 22 2 F 6 - SSH-2.0-OpenSSH_6.6 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
1420917487.227035 CpmdRlaUoJLN3uIRa 192.168.1.31 52294 192.168.1.32 22 2 T - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 1420917487.227035 CpmdRlaUoJLN3uIRa 192.168.1.31 52294 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1
1421006072.224828 C1Xkzz2MaGtLrc1Tla 192.168.1.31 51489 192.168.1.32 22 2 T - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 1421006072.224828 C1Xkzz2MaGtLrc1Tla 192.168.1.31 51489 192.168.1.32 22 2 T 3 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1
1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
#close 2016-07-13-16-16-57 #close 2016-10-13-19-57-11
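Review bot: the baseline row for CUM0KZ3MLUfNB0cl11 (192.168.2.1:55179 -> 192.168.2.158:2200, paramiko client) changes from `2 T -` to `2 - - -`, so auth_success flips from T to unset and the new auth_attempts column is unset as well; please confirm this is the intended effect of the indeterminate-status fix rather than a lost success, and record the reason in the test so the next baseline update does not silently revert it. Also, every version-1 row (the SSH-1.5 clients) gets `-` in the new auth_attempts column, meaning the field is only populated for SSH2 sessions; that should be stated in the field's documentation so log consumers do not read `-` as zero attempts.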

View file

@ -1,11 +1,50 @@
C0LAHyvtKSQHyJxIl auth_attempted, C0LAHyvtKSQHyJxIl, F
C37jN32gN3y3AZzyf6 auth_attempted, C0LAHyvtKSQHyJxIl, F
C3eiCBGOLw3VtHfOj auth_attempted, C37jN32gN3y3AZzyf6, F
C4J4Th3PJpwUYZZ6gc auth_attempted, C37jN32gN3y3AZzyf6, F
CHhAvVGS1DHFjwGM9 auth_attempted, C3eiCBGOLw3VtHfOj, F
CP5puj4I8PtEU4qzYg auth_attempted, C3eiCBGOLw3VtHfOj, F
CUM0KZ3MLUfNB0cl11 auth_attempted, C3eiCBGOLw3VtHfOj, F
ClEkJM2Vm5giqnMf4h auth_attempted, C4J4Th3PJpwUYZZ6gc, F
CmES5u32sYpV7JYN auth_attempted, C4J4Th3PJpwUYZZ6gc, F
CtPZjS20MLrsMUOJi2 auth_attempted, CHhAvVGS1DHFjwGM9, F
CwjjYJ2WqgTbAqiHl6 auth_attempted, CHhAvVGS1DHFjwGM9, F
auth_attempted, CHhAvVGS1DHFjwGM9, F
auth_attempted, CHhAvVGS1DHFjwGM9, F
auth_attempted, CP5puj4I8PtEU4qzYg, F
auth_attempted, CP5puj4I8PtEU4qzYg, F
auth_attempted, CUM0KZ3MLUfNB0cl11, F
auth_attempted, CUM0KZ3MLUfNB0cl11, F
auth_attempted, CUM0KZ3MLUfNB0cl11, F
auth_attempted, ClEkJM2Vm5giqnMf4h, F
auth_attempted, ClEkJM2Vm5giqnMf4h, F
auth_attempted, CmES5u32sYpV7JYN, F
auth_attempted, CmES5u32sYpV7JYN, F
auth_attempted, CmES5u32sYpV7JYN, F
auth_attempted, CmES5u32sYpV7JYN, F
auth_attempted, CtPZjS20MLrsMUOJi2, F
auth_attempted, CtPZjS20MLrsMUOJi2, F
auth_attempted, CwjjYJ2WqgTbAqiHl6, F
auth_attempted, CwjjYJ2WqgTbAqiHl6, F
auth_failed, C0LAHyvtKSQHyJxIl
auth_failed, C37jN32gN3y3AZzyf6
auth_failed, C3eiCBGOLw3VtHfOj
auth_failed, C4J4Th3PJpwUYZZ6gc
auth_failed, CHhAvVGS1DHFjwGM9
auth_failed, CP5puj4I8PtEU4qzYg
auth_failed, CUM0KZ3MLUfNB0cl11
auth_failed, ClEkJM2Vm5giqnMf4h
auth_failed, CmES5u32sYpV7JYN
auth_failed, CtPZjS20MLrsMUOJi2
auth_failed, CwjjYJ2WqgTbAqiHl6
auth_result, C0LAHyvtKSQHyJxIl, F, 2
auth_result, C37jN32gN3y3AZzyf6, F, 2
auth_result, C3eiCBGOLw3VtHfOj, F, 3
auth_result, C4J4Th3PJpwUYZZ6gc, F, 2
auth_result, CHhAvVGS1DHFjwGM9, F, 4
auth_result, CP5puj4I8PtEU4qzYg, F, 2
auth_result, CUM0KZ3MLUfNB0cl11, F, 3
auth_result, ClEkJM2Vm5giqnMf4h, F, 2
auth_result, CmES5u32sYpV7JYN, F, 4
auth_result, CtPZjS20MLrsMUOJi2, F, 2
auth_result, CwjjYJ2WqgTbAqiHl6, F, 2
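Review bot: this baseline only exercises the failure path: all eleven auth_result rows carry F, each uid gets exactly one auth_failed, and the auth_result counts (2, 2, 3, 2, 4, 2, 3, 2, 4, 2, 2) match the number of auth_attempted rows per uid, so the counter is consistent here, but no row shows `auth_result, ..., T` or an `auth_attempted, ..., T`, so the success side of ssh_auth_result and the once-per-connection auth_failed guarantee on a session that fails and then succeeds are not covered by this trace. Because the script's output is sorted (`| sort >output`), the baseline also cannot check that auth_result fires after the last auth_attempted of a connection; if event order matters, print a per-connection sequence number or drop the sort.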

View file

@ -3,3 +3,9 @@
# @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
# @TEST-EXEC: btest-diff ssh.log # @TEST-EXEC: btest-diff ssh.log
# @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff .stdout
event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
{
print "auth_result", c$uid, result, auth_attempts;
}
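Review bot: the new `btest-diff .stdout` only captures ssh_auth_result, yet the ssh.log baseline earlier in this commit shows a connection (CUM0KZ3MLUfNB0cl11) ending with auth_success unset; add a matching handler for the per-attempt event, e.g. `event ssh_auth_attempted(c: connection, authenticated: bool) { print "auth_attempted", c$uid, authenticated; }`, so the baseline documents whether ssh_auth_result is raised at all for the indeterminate case and with which auth_attempts value, and so the success path (result T) is visibly exercised by at least one test.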

View file

@ -1,7 +1,17 @@
# @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output # @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output
# @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff output
event ssh_auth_attempted(c: connection, authenticated: bool)
{
print "auth_attempted", c$uid, authenticated;
}
event ssh_auth_failed(c: connection) event ssh_auth_failed(c: connection)
{ {
print c$uid; print "auth_failed", c$uid;
} }
event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
{
print "auth_result", c$uid, result, auth_attempts;
}
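Review bot: the boolean on ssh_auth_attempted is named `authenticated` while the equivalent final flag on ssh_auth_result is named `result`; using one name, or documenting that `authenticated` is per-attempt and `result` is the connection's final outcome, would avoid confusion for scripts that handle both. The relabelled `print "auth_failed", c$uid` matches the updated baseline; since all three handlers print the event label first and the uid second, the sorted output groups by event type rather than by connection, so printing `c$uid` first would make each connection's attempt sequence readable in the baseline.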