Merge remote-tracking branch 'origin/topic/vladg/bit-1641'

* origin/topic/vladg/bit-1641:
  Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
  Clean up the logic for ssh_auth_failed. Addresses BIT-1641
  Update baselines for adding a field to ssh.log as part of BIT-1641
  Script-land changes for BIT-1641.
  Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
  Revert "Fixing duplicate SSH authentication failure events."
  Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.

I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).

Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.

BIT-1641 #merged

CHANGES

@@ -1,4 +1,14 @@
 
+2.5-beta-89 | 2016-10-18 21:50:51 -0400
+
+  * SSH analyzer changes: the events are now restructured a bit. There is a new
+    event ssh_auth_attempted, that is raised each time authentication is tried.
+    ssh_auth_failed is still only being raised once per connection. There also
+    is an additional event ssh_auth_result giving more information about the
+    number of times that authentication was tried and if it succeded/failed in
+    the end. The number of authentication attemps are now part of ssh.log.
+    Addresses BIT-1641. (Vlad Grigorescu)
+
 2.5-beta-79 | 2016-10-13 15:58:48 -0700
 
   * Fix MD5 problem with FreeBSD 11.0 and clang 3.8. The apparent

NEWS

@@ -74,10 +74,21 @@ New Functionality
   STARTTLS sessions, handing them over to TLS analysis. These analyzers
   do not yet analyze any further IMAP/XMPP content.
 
+- New funtionality has been added to the SSL/TLS analyzer:
+
+  - Bro now supports (draft) TLS 1.3.
+
   - The new event ssl_extension_signature_algorithm() allows access to the
     TLS signature_algorithms extension that lists client supported signature
     and hash algorithm pairs.
 
+  - The new event ssl_extension_key_share gives access to the supported named
+    groups in TLS 1.3.
+
+  - The new event ssl_application_data gives information about application data
+    that is exchanged before encryption fully starts. This is used to detect when
+    encryption starts in TLS 1.3.
+
 - Bro now tracks VLAN IDs. To record them inside the connection log,
   load protocols/conn/vlan-logging.bro.
 
@@ -375,11 +386,11 @@ New Functionality
   sessions, supports v1, and introduces the intelligence type
   ``Intel::PUBKEY_HASH`` and location ``SSH::IN_SERVER_HOST_KEY``. The
   analayzer also generates a set of additional events
-  (``ssh_auth_successful``, ``ssh_auth_failed``, ``ssh_capabilities``,
-  ``ssh2_server_host_key``, ``ssh1_server_host_key``,
-  ``ssh_encrypted_packet``, ``ssh2_dh_server_params``,
-  ``ssh2_gss_error``, ``ssh2_ecc_key``). See next section for
-  incompatible SSH changes.
+  (``ssh_auth_successful``, ``ssh_auth_failed``, ``ssh_auth_attempted``,
+  ``ssh_auth_result``, ``ssh_capabilities``, ``ssh2_server_host_key``,
+  ``ssh1_server_host_key``, ``ssh_encrypted_packet``,
+  ``ssh2_dh_server_params``, ``ssh2_gss_error``, ``ssh2_ecc_key``). See
+  next section for incompatible SSH changes.
 
 - Bro's file analysis now supports reassembly of files that are not
   transferred/seen sequentially.  The default file reassembly buffer

VERSION

@@ -1 +1 @@
-2.5-beta-79
+2.5-beta-89

scripts/base/protocols/ssh/main.bro

@@ -20,6 +20,11 @@ export {
 		version:         count        &log;
 		## Authentication result (T=success, F=failure, unset=unknown)
 		auth_success:    bool         &log &optional;
+		## The number of authentication attemps we observed. There's always
+		## at least one, since some servers might support no authentication at all.
+		## It's important to note that not all of these are failures, since
+		## some servers require two-factor auth (e.g. password AND pubkey)
+		auth_attempts:   count        &log &optional;
 		## Direction of the connection. If the client was a local host
 		## logging into an external host, this would be OUTBOUND. INBOUND
 		## would be set for the opposite situation.
@@ -55,18 +60,68 @@ export {
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
 	global log_ssh: event(rec: Info);
+}
+
+module GLOBAL;
+export {
+	## This event is generated when an :abbr:`SSH (Secure Shell)`
+	## connection was determined to have had a failed authentication. This
+	## determination is based on packet size analysis, and errs on the
+	## side of caution - that is, if there's any doubt about the
+	## authentication failure, this event is *not* raised.
+	##
+	## This event is only raised once per connection.
+	##
+	## c: The connection over which the :abbr:`SSH (Secure Shell)`
+	##    connection took place.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_result ssh_auth_attempted
+	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_auth_failed: event(c: connection);
+
+	## This event is generated when a determination has been made about
+	## the final authentication result of an :abbr:`SSH (Secure Shell)`
+	## connection. This determination is based on packet size analysis,
+	## and errs on the side of caution - that is, if there's any doubt
+	## about the result of the authentication, this event is *not* raised.
+	##
+	## This event is only raised once per connection.
+	##
+	## c: The connection over which the :abbr:`SSH (Secure Shell)`
+	##    connection took place.
+	##
+	## result: True if the authentication was successful, false if not.
+	##
+	## auth_attempts: The number of authentication attempts that were
+	##    observed.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_failed ssh_auth_attempted
+	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
 
 	## Event that can be handled when the analyzer sees an SSH server host
 	## key. This abstracts :bro:id:`ssh1_server_host_key` and
 	## :bro:id:`ssh2_server_host_key`.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+	##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+	##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
 	global ssh_server_host_key: event(c: connection, hash: string);
 }
 
+module SSH;
+
 redef record Info += {
 	# This connection has been logged (internal use)
 	logged:       bool         &default=F;
-	# Number of failures seen (internal use)
-	num_failures: count        &default=0;
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
@@ -120,9 +175,8 @@ event ssh_client_version(c: connection, version: string)
 		c$ssh$version = 2;
 	}
 
-event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
 	{
-	# TODO - what to do here?
 	if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
 		return;
 
@@ -130,34 +184,29 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 	if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
 		return;
 
-	c$ssh$auth_success = T;
+	c$ssh$auth_success = authenticated;
 
-	if ( disable_analyzer_after_detection )
+	if ( c$ssh?$auth_attempts )
+		c$ssh$auth_attempts += 1;
+	else
+		{
+		c$ssh$auth_attempts = 1;
+		}
+
+	if ( authenticated && disable_analyzer_after_detection )
 		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
-event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=-5
 	{
-	if ( c?$ssh && !c$ssh$logged )
+	if ( authenticated && c?$ssh && !c$ssh$logged )
 		{
+		event ssh_auth_result(c, authenticated, c$ssh$auth_attempts);
 		c$ssh$logged = T;
 		Log::write(SSH::LOG, c$ssh);
 		}
 	}
 
-event ssh_auth_failed(c: connection) &priority=5
-	{
-	if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
-		return;
-
-	# We can't accurately tell for compressed streams
-	if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
-		return;
-
-	c$ssh$auth_success = F;
-	c$ssh$num_failures += 1;
-	}
-
 # Determine the negotiated algorithm
 function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string
 	{
@@ -204,14 +253,41 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
 	                                 server_caps$server_host_key_algorithms);
 	}
 
-event connection_state_remove(c: connection) &priority=-5
+event connection_state_remove(c: connection)
 	{
-	if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server )
+	if ( c?$ssh && !c$ssh$logged )
+		{
+		# Do we have enough information to make a determination about auth success?
+		if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
+			{
+			# Successes get logged immediately. To protect against a race condition, we'll double check:
+			if ( c$ssh$auth_success )
+				return;
+
+			# Now that we know it's a failure, we'll raise the event.
+			event ssh_auth_failed(c);
+			}
+		# If not, we'll just log what we have
+		else
 			{
 			c$ssh$logged = T;
 			Log::write(SSH::LOG, c$ssh);
 			}
 		}
+	}
+
+event ssh_auth_failed(c: connection) &priority=-5
+	{
+	# This should not happen; prevent double-logging just in case
+	if ( ! c?$ssh || c$ssh$logged )
+		return;
+
+	c$ssh$logged = T;
+	Log::write(SSH::LOG, c$ssh);
+
+	event ssh_auth_result(c, F, c$ssh$auth_attempts);
+	}
+
 
 function generate_fingerprint(c: connection, key: string)
 	{

scripts/policy/frameworks/intel/seen/pubkey-hashes.bro

@@ -1,4 +1,5 @@
 @load base/frameworks/intel
+@load base/protocols/ssh
 @load ./where-locations
 
 event ssh_server_host_key(c: connection, hash: string)

src/analyzer/protocol/ssh/SSH.cc

@@ -16,7 +16,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c)
 	{
 	interp = new binpac::SSH::SSH_Conn(this);
 	had_gap = false;
-	auth_decision = AUTH_UNKNOWN;
+	auth_decision_made = false;
 	skipped_banner = false;
 	service_accept_size = 0;
 	userauth_failure_size = 0;
@@ -60,7 +60,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
 				orig, len);
 
-		if ( auth_decision != AUTH_SUCCESS )
+		if ( ! auth_decision_made )
 			ProcessEncrypted(len, orig);
 
 		return;
@@ -105,10 +105,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 		// -16.
 		if ( ! userauth_failure_size && (len + 16 == service_accept_size) )
 			{
+			auth_decision_made = true;
 			if ( ssh_auth_successful )
 				BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
-
-			auth_decision = AUTH_SUCCESS;
 			return;
 			}
 
@@ -132,20 +131,19 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 		// another packet of the same size.
 		if ( len == userauth_failure_size )
 			{
-			if ( ssh_auth_failed && auth_decision != AUTH_FAILURE )
-				BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn());
-
-			auth_decision = AUTH_FAILURE;
+			if ( ssh_auth_attempted )
+				BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
 			return;
 			}
 
 		// ...or a success packet.
 		if ( len - service_accept_size == -16 )
 			{
+			auth_decision_made = true;
+			if ( ssh_auth_attempted )
+				BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
 			if ( ssh_auth_successful )
 				BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
-
-			auth_decision = AUTH_SUCCESS;
 			return;
 			}
 		}

src/analyzer/protocol/ssh/SSH.h

@@ -35,14 +35,12 @@ namespace analyzer {
 			bool had_gap;
 
 			// Packet analysis stuff
+			bool auth_decision_made;
 			bool skipped_banner;
+
 			int service_accept_size;
 			int userauth_failure_size;
 
-			enum AuthDecision {
-				AUTH_UNKNOWN, AUTH_FAILURE, AUTH_SUCCESS
-			} auth_decision;
-
 			};
 
 		}

src/analyzer/protocol/ssh/events.bif

@@ -8,9 +8,10 @@
 ## version: The identification string
 ##
 ## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
-##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
-##    ssh_encrypted_packet ssh2_dh_server_params
-##    ssh2_gss_error ssh2_ecc_key
+##    ssh_auth_result ssh_auth_attempted ssh_capabilities
+##    ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
+##    ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
+##    ssh2_ecc_key
 event ssh_server_version%(c: connection, version: string%);
 
 ## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
@@ -23,9 +24,10 @@ event ssh_server_version%(c: connection, version: string%);
 ## version: The identification string
 ##
 ## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
-##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
-##    ssh_encrypted_packet ssh2_dh_server_params
-##    ssh2_gss_error ssh2_ecc_key
+##    ssh_auth_result ssh_auth_attempted ssh_capabilities
+##    ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
+##    ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
+##    ssh2_ecc_key
 event ssh_client_version%(c: connection, version: string%);
 
 ## This event is generated when an :abbr:`SSH (Secure Shell)`
@@ -43,25 +45,41 @@ event ssh_client_version%(c: connection, version: string%);
 ##    unauthenticated access, which some servers support.
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
-##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
-##    ssh_encrypted_packet ssh2_dh_server_params
-##    ssh2_gss_error ssh2_ecc_key
+##    ssh_auth_result ssh_auth_attempted ssh_capabilities
+##    ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
+##    ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
+##    ssh2_ecc_key
 event ssh_auth_successful%(c: connection, auth_method_none: bool%);
 
 ## This event is generated when an :abbr:`SSH (Secure Shell)`
-## connection was determined to have had a failed authentication. This
-## determination is based on packet size analysis, and errs on the
-## side of caution - that is, if there's any doubt about the
-## authentication failure, this event is *not* raised.
+## connection was determined to have had an authentication attempt.
+## This determination is based on packet size analysis, and errs
+## on the side of caution - that is, if there's any doubt about
+## whether or not an authenication attempt occured, this event is
+## *not* raised.
+##
+## At this point in the protocol, all we can determine is whether
+## or not the user is authenticated. We don't know if the particular
+## attempt succeeded or failed, since some servers require multiple
+## authentications (e.g. require both a password AND a pubkey), and
+## could return an authentication failed message which is marked
+## as a partial success.
+##
+## This event will often be raised multiple times per connection.
+## In almost all connections, it will be raised once unless
 ##
 ## c: The connection over which the :abbr:`SSH (Secure Shell)`
 ##    connection took place.
 ##
+## authenticated: This is true if the analyzer detected a
+##    successful connection from the authentication attempt.
+##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_capabilities ssh2_server_host_key
-##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
 ##    ssh2_gss_error ssh2_ecc_key
-event ssh_auth_failed%(c: connection%);
+event ssh_auth_attempted%(c: connection, authenticated: bool%);
 
 ## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
 ## endpoint lists the algorithms that it supports, in order of
@@ -79,8 +97,9 @@ event ssh_auth_failed%(c: connection%);
 ##    advertises support for, in order of preference.
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_auth_failed ssh2_server_host_key
-##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key
+##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
 ##    ssh2_gss_error ssh2_ecc_key
 event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
 
@@ -95,8 +114,9 @@ event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabi
 ##    itself, and not just the fingerprint or hash.
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_auth_failed ssh_capabilities
-##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh_capabilities ssh1_server_host_key
+##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
 ##    ssh2_gss_error ssh2_ecc_key
 event ssh2_server_host_key%(c: connection, key: string%);
 
@@ -112,8 +132,9 @@ event ssh2_server_host_key%(c: connection, key: string%);
 ## e: The exponent for the serer's public host key.
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_auth_failed ssh_capabilities
-##    ssh2_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
 ##    ssh2_gss_error ssh2_ecc_key
 event ssh1_server_host_key%(c: connection, p: string, e: string%);
 
@@ -133,8 +154,9 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
 ##    bytes. Note that this ignores reassembly, as this is unknown.
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_auth_failed ssh_capabilities
-##    ssh2_server_host_key ssh1_server_host_key ssh2_dh_server_params
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+##    ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params
 ##    ssh2_gss_error ssh2_ecc_key
 event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
 
@@ -149,10 +171,11 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
 ##
 ## q: The DH generator.
 ##
-## .. bro:see:: ssl_dh_server_params ssh_server_version
-##    ssh_client_version ssh_auth_successful ssh_auth_failed
-##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
-##    ssh_encrypted_packet ssh2_gss_error ssh2_ecc_key
+## .. bro:see:: ssh_server_version ssh_client_version
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+##    ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
+##    ssh2_gss_error ssh2_ecc_key
 event ssh2_dh_server_params%(c: connection, p: string, q: string%);
 
 ## In the event of a GSS-API error on the server, the server MAY send
@@ -169,8 +192,9 @@ event ssh2_dh_server_params%(c: connection, p: string, q: string%);
 ## err_msg: Detailed human-readable error message
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_auth_failed ssh_capabilities
-##    ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+##    ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
 ##    ssh2_dh_server_params ssh2_ecc_key
 event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, err_msg: string%);
 
@@ -188,7 +212,8 @@ event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, e
 ## q: The ephemeral public key
 ##
 ## .. bro:see:: ssh_server_version ssh_client_version
-##    ssh_auth_successful ssh_auth_failed ssh_capabilities
-##    ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet
+##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+##    ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
 ##    ssh2_dh_server_params ssh2_gss_error
 event ssh2_ecc_key%(c: connection, is_orig: bool, q: string%);

testing/btest/Baseline/core.tunnels.gre/ssh.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssh
-#open	2016-07-13-16-13-04
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
-#types	time	string	addr	port	addr	port	count	bool	enum	string	string	string	string	string	string	string	string
-1055289978.855137	CtPZjS20MLrsMUOJi2	66.59.111.190	40264	172.28.2.3	22	2	-	-	SSH-2.0-OpenSSH_3.6.1p1	SSH-1.99-OpenSSH_3.1p1	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07
-#close	2016-07-13-16-13-05
+#open	2016-10-13-19-54-38
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	auth_attempts	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
+#types	time	string	addr	port	addr	port	count	bool	count	enum	string	string	string	string	string	string	string	string
+1055289978.855137	CtPZjS20MLrsMUOJi2	66.59.111.190	40264	172.28.2.3	22	2	-	-	-	SSH-2.0-OpenSSH_3.6.1p1	SSH-1.99-OpenSSH_3.1p1	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07
+#close	2016-10-13-19-54-38

testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout

@@ -0,0 +1,12 @@
+auth_result, CHhAvVGS1DHFjwGM9, F, 2
+auth_result, ClEkJM2Vm5giqnMf4h, T, 1
+auth_result, C4J4Th3PJpwUYZZ6gc, T, 3
+auth_result, Ck51lg1bScffFj34Ri, T, 2
+auth_result, C9mvWx3ezztgzcexV7, T, 5
+auth_result, CNnMIj2QSd84NKf7U3, T, 1
+auth_result, C7fIlMZDuRiqjpYbb, F, 6
+auth_result, CpmdRlaUoJLN3uIRa, T, 2
+auth_result, C1Xkzz2MaGtLrc1Tla, T, 3
+auth_result, CLNN1k2QMum1aexUK7, F, 1
+auth_result, CBA8792iHmnhPLksKa, T, 1
+auth_result, CGLPPc35OzDQij1XX8, T, 1

testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log

@@ -3,29 +3,29 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssh
-#open	2016-07-13-16-16-57
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
-#types	time	string	addr	port	addr	port	count	bool	enum	string	string	string	string	string	string	string	string
-1324071333.792887	CHhAvVGS1DHFjwGM9	192.168.1.79	51880	131.159.21.1	22	2	F	-	SSH-2.0-OpenSSH_5.9	SSH-2.0-OpenSSH_5.8	aes128-ctr	hmac-md5	none	ecdh-sha2-nistp256	ssh-rsa	a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83
-1409516196.413240	ClEkJM2Vm5giqnMf4h	10.0.0.18	40184	128.2.6.88	41644	2	T	-	SSH-2.0-OpenSSH_6.6	SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1	aes128-ctr	hmac-md5	none	ecdh-sha2-nistp256	ssh-rsa	8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03
-1419870189.489202	C4J4Th3PJpwUYZZ6gc	192.168.2.1	57189	192.168.2.158	22	2	T	-	SSH-2.0-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	aes128-ctr	hmac-md5-etm@openssh.com	none	diffie-hellman-group-exchange-sha256	ssh-rsa	28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
-1419870206.111841	CtPZjS20MLrsMUOJi2	192.168.2.1	57191	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1419996264.344957	CUM0KZ3MLUfNB0cl11	192.168.2.1	55179	192.168.2.158	2200	2	T	-	SSH-2.0-OpenSSH_6.2	SSH-2.0-paramiko_1.15.2	aes128-ctr	hmac-sha1	none	diffie-hellman-group14-sha1	ssh-rsa	60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
-1420588548.729561	CmES5u32sYpV7JYN	192.168.2.1	56594	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_5.3	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590124.885826	CP5puj4I8PtEU4qzYg	192.168.2.1	56821	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590308.781231	C37jN32gN3y3AZzyf6	192.168.2.1	56837	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590322.682536	C3eiCBGOLw3VtHfOj	192.168.2.1	56845	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590636.482711	CwjjYJ2WqgTbAqiHl6	192.168.2.1	56875	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420590659.429570	C0LAHyvtKSQHyJxIl	192.168.2.1	56878	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420591379.658705	CFLRIC3zaTU1loLGxh	192.168.2.1	56940	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420599430.828441	C9rXSW3KSpTYvPrlI1	192.168.2.1	57831	192.168.2.158	22	1	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1420851448.310534	Ck51lg1bScffFj34Ri	192.168.2.1	59246	192.168.2.158	22	2	T	-	SSH-2.0-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	arcfour256	hmac-md5-etm@openssh.com	none	diffie-hellman-group-exchange-sha256	ssh-rsa	28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
-1420860283.057451	C9mvWx3ezztgzcexV7	192.168.1.32	41164	128.2.10.238	22	2	T	-	SSH-2.0-OpenSSH_6.6p1-hpn14v4	SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
-1420860616.428738	CNnMIj2QSd84NKf7U3	192.168.1.32	33910	128.2.13.133	22	2	T	-	SSH-2.0-OpenSSH_6.6p1-hpn14v4	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04
-1420868281.665872	C7fIlMZDuRiqjpYbb	192.168.1.32	41268	128.2.10.238	22	2	F	-	SSH-2.0-OpenSSH_6.6	SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
-1420917487.227035	CpmdRlaUoJLN3uIRa	192.168.1.31	52294	192.168.1.32	22	2	T	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_6.7	chacha20-poly1305@openssh.com	hmac-sha2-512-etm@openssh.com	none	curve25519-sha256@libssh.org	ssh-ed25519	e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1
-1421006072.224828	C1Xkzz2MaGtLrc1Tla	192.168.1.31	51489	192.168.1.32	22	2	T	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_6.7	chacha20-poly1305@openssh.com	hmac-sha2-512-etm@openssh.com	none	curve25519-sha256@libssh.org	ssh-ed25519	e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1
-1421041177.031508	CLNN1k2QMum1aexUK7	192.168.1.32	58641	131.103.20.168	22	2	F	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
-1421041299.777962	CBA8792iHmnhPLksKa	192.168.1.32	58646	131.103.20.168	22	2	T	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
-1421041526.353524	CGLPPc35OzDQij1XX8	192.168.1.32	58649	131.103.20.168	22	2	T	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
-#close	2016-07-13-16-16-57
+#open	2016-10-13-19-57-11
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	auth_attempts	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
+#types	time	string	addr	port	addr	port	count	bool	count	enum	string	string	string	string	string	string	string	string
+1324071333.792887	CHhAvVGS1DHFjwGM9	192.168.1.79	51880	131.159.21.1	22	2	F	2	-	SSH-2.0-OpenSSH_5.9	SSH-2.0-OpenSSH_5.8	aes128-ctr	hmac-md5	none	ecdh-sha2-nistp256	ssh-rsa	a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83
+1409516196.413240	ClEkJM2Vm5giqnMf4h	10.0.0.18	40184	128.2.6.88	41644	2	T	1	-	SSH-2.0-OpenSSH_6.6	SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1	aes128-ctr	hmac-md5	none	ecdh-sha2-nistp256	ssh-rsa	8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03
+1419870189.489202	C4J4Th3PJpwUYZZ6gc	192.168.2.1	57189	192.168.2.158	22	2	T	3	-	SSH-2.0-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	aes128-ctr	hmac-md5-etm@openssh.com	none	diffie-hellman-group-exchange-sha256	ssh-rsa	28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
+1419870206.111841	CtPZjS20MLrsMUOJi2	192.168.2.1	57191	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1419996264.344957	CUM0KZ3MLUfNB0cl11	192.168.2.1	55179	192.168.2.158	2200	2	-	-	-	SSH-2.0-OpenSSH_6.2	SSH-2.0-paramiko_1.15.2	aes128-ctr	hmac-sha1	none	diffie-hellman-group14-sha1	ssh-rsa	60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
+1420588548.729561	CmES5u32sYpV7JYN	192.168.2.1	56594	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_5.3	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590124.885826	CP5puj4I8PtEU4qzYg	192.168.2.1	56821	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590308.781231	C37jN32gN3y3AZzyf6	192.168.2.1	56837	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590322.682536	C3eiCBGOLw3VtHfOj	192.168.2.1	56845	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590636.482711	CwjjYJ2WqgTbAqiHl6	192.168.2.1	56875	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420590659.429570	C0LAHyvtKSQHyJxIl	192.168.2.1	56878	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420591379.658705	CFLRIC3zaTU1loLGxh	192.168.2.1	56940	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420599430.828441	C9rXSW3KSpTYvPrlI1	192.168.2.1	57831	192.168.2.158	22	1	-	-	-	SSH-1.5-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	-	-	-	-	-	a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
+1420851448.310534	Ck51lg1bScffFj34Ri	192.168.2.1	59246	192.168.2.158	22	2	T	2	-	SSH-2.0-OpenSSH_6.2	SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2	arcfour256	hmac-md5-etm@openssh.com	none	diffie-hellman-group-exchange-sha256	ssh-rsa	28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
+1420860283.057451	C9mvWx3ezztgzcexV7	192.168.1.32	41164	128.2.10.238	22	2	T	5	-	SSH-2.0-OpenSSH_6.6p1-hpn14v4	SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
+1420860616.428738	CNnMIj2QSd84NKf7U3	192.168.1.32	33910	128.2.13.133	22	2	T	1	-	SSH-2.0-OpenSSH_6.6p1-hpn14v4	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04
+1420868281.665872	C7fIlMZDuRiqjpYbb	192.168.1.32	41268	128.2.10.238	22	2	F	6	-	SSH-2.0-OpenSSH_6.6	SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301	aes128-cbc	hmac-md5	none	diffie-hellman-group-exchange-sha1	ssh-rsa	7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee
+1420917487.227035	CpmdRlaUoJLN3uIRa	192.168.1.31	52294	192.168.1.32	22	2	T	2	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_6.7	chacha20-poly1305@openssh.com	hmac-sha2-512-etm@openssh.com	none	curve25519-sha256@libssh.org	ssh-ed25519	e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1
+1421006072.224828	C1Xkzz2MaGtLrc1Tla	192.168.1.31	51489	192.168.1.32	22	2	T	3	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_6.7	chacha20-poly1305@openssh.com	hmac-sha2-512-etm@openssh.com	none	curve25519-sha256@libssh.org	ssh-ed25519	e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1
+1421041177.031508	CLNN1k2QMum1aexUK7	192.168.1.32	58641	131.103.20.168	22	2	F	1	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
+1421041299.777962	CBA8792iHmnhPLksKa	192.168.1.32	58646	131.103.20.168	22	2	T	1	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
+1421041526.353524	CGLPPc35OzDQij1XX8	192.168.1.32	58649	131.103.20.168	22	2	T	1	-	SSH-2.0-OpenSSH_6.7	SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none	diffie-hellman-group-exchange-sha256	ssh-rsa	97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
+#close	2016-10-13-19-57-11

testing/btest/Baseline/scripts.base.protocols.ssh.one-auth-fail-only/output

@@ -1,11 +1,50 @@
-C0LAHyvtKSQHyJxIl
-C37jN32gN3y3AZzyf6
-C3eiCBGOLw3VtHfOj
-C4J4Th3PJpwUYZZ6gc
-CHhAvVGS1DHFjwGM9
-CP5puj4I8PtEU4qzYg
-CUM0KZ3MLUfNB0cl11
-ClEkJM2Vm5giqnMf4h
-CmES5u32sYpV7JYN
-CtPZjS20MLrsMUOJi2
-CwjjYJ2WqgTbAqiHl6
+auth_attempted, C0LAHyvtKSQHyJxIl, F
+auth_attempted, C0LAHyvtKSQHyJxIl, F
+auth_attempted, C37jN32gN3y3AZzyf6, F
+auth_attempted, C37jN32gN3y3AZzyf6, F
+auth_attempted, C3eiCBGOLw3VtHfOj, F
+auth_attempted, C3eiCBGOLw3VtHfOj, F
+auth_attempted, C3eiCBGOLw3VtHfOj, F
+auth_attempted, C4J4Th3PJpwUYZZ6gc, F
+auth_attempted, C4J4Th3PJpwUYZZ6gc, F
+auth_attempted, CHhAvVGS1DHFjwGM9, F
+auth_attempted, CHhAvVGS1DHFjwGM9, F
+auth_attempted, CHhAvVGS1DHFjwGM9, F
+auth_attempted, CHhAvVGS1DHFjwGM9, F
+auth_attempted, CP5puj4I8PtEU4qzYg, F
+auth_attempted, CP5puj4I8PtEU4qzYg, F
+auth_attempted, CUM0KZ3MLUfNB0cl11, F
+auth_attempted, CUM0KZ3MLUfNB0cl11, F
+auth_attempted, CUM0KZ3MLUfNB0cl11, F
+auth_attempted, ClEkJM2Vm5giqnMf4h, F
+auth_attempted, ClEkJM2Vm5giqnMf4h, F
+auth_attempted, CmES5u32sYpV7JYN, F
+auth_attempted, CmES5u32sYpV7JYN, F
+auth_attempted, CmES5u32sYpV7JYN, F
+auth_attempted, CmES5u32sYpV7JYN, F
+auth_attempted, CtPZjS20MLrsMUOJi2, F
+auth_attempted, CtPZjS20MLrsMUOJi2, F
+auth_attempted, CwjjYJ2WqgTbAqiHl6, F
+auth_attempted, CwjjYJ2WqgTbAqiHl6, F
+auth_failed, C0LAHyvtKSQHyJxIl
+auth_failed, C37jN32gN3y3AZzyf6
+auth_failed, C3eiCBGOLw3VtHfOj
+auth_failed, C4J4Th3PJpwUYZZ6gc
+auth_failed, CHhAvVGS1DHFjwGM9
+auth_failed, CP5puj4I8PtEU4qzYg
+auth_failed, CUM0KZ3MLUfNB0cl11
+auth_failed, ClEkJM2Vm5giqnMf4h
+auth_failed, CmES5u32sYpV7JYN
+auth_failed, CtPZjS20MLrsMUOJi2
+auth_failed, CwjjYJ2WqgTbAqiHl6
+auth_result, C0LAHyvtKSQHyJxIl, F, 2
+auth_result, C37jN32gN3y3AZzyf6, F, 2
+auth_result, C3eiCBGOLw3VtHfOj, F, 3
+auth_result, C4J4Th3PJpwUYZZ6gc, F, 2
+auth_result, CHhAvVGS1DHFjwGM9, F, 4
+auth_result, CP5puj4I8PtEU4qzYg, F, 2
+auth_result, CUM0KZ3MLUfNB0cl11, F, 3
+auth_result, ClEkJM2Vm5giqnMf4h, F, 2
+auth_result, CmES5u32sYpV7JYN, F, 4
+auth_result, CtPZjS20MLrsMUOJi2, F, 2
+auth_result, CwjjYJ2WqgTbAqiHl6, F, 2

testing/btest/scripts/base/protocols/ssh/basic.test

@@ -3,3 +3,9 @@
 # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
 # @TEST-EXEC: btest-diff ssh.log
 # @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff .stdout
+
+event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
+	{
+	print "auth_result", c$uid, result, auth_attempts;
+	}

testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test

@@ -1,7 +1,17 @@
 # @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output
 # @TEST-EXEC: btest-diff output
 
+event ssh_auth_attempted(c: connection, authenticated: bool)
+	{
+	print "auth_attempted", c$uid, authenticated;
+	}
+
 event ssh_auth_failed(c: connection)
 	{
-    print c$uid;
+	print "auth_failed", c$uid;
+	}
+
+event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
+	{
+	print "auth_result", c$uid, result, auth_attempts;
 	}