Merge remote-tracking branch 'origin/topic/robin/bit-1641'

* origin/topic/robin/bit-1641:
  Fixing duplicate SSH authentication failure events.

I changed the test slightly; the output of uniq is not stable between
operating systems (on OS-X, it emits a space, on Linux it apparently
emits a tab). I removed the call to uniq - sort by itself is enough to
create a difference if there are duplicate entries.

Addresses BIT-1641

testing/btest/scripts/base/protocols/ssh/one-auth-fail-only.test

@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+
+event ssh_auth_failed(c: connection)
+    {
+    print c$uid;
+    }