diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.bro
index af6f441646..b943f8698e 100644
--- a/scripts/policy/protocols/ssh/interesting-hostnames.bro
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@@ -27,21 +27,26 @@ export {
 /^ftp[0-9]*\./ &redef;
 }
 
-event ssh_auth_successful(c: connection, auth_method_none: bool)
+function check_ssh_hostname(id: conn_id, host: addr)
 {
- for ( host in set(c$id$orig_h, c$id$resp_h) )
+ when ( local hostname = lookup_addr(host) )
 {
- when ( local hostname = lookup_addr(host) )
+ if ( interesting_hostnames in hostname )
 {
- if ( interesting_hostnames in hostname )
- {
- NOTICE([$note=Interesting_Hostname_Login,
- $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
- Site::is_local_addr(host) ? "local" : "remote",
- host == c$id$orig_h ? "client" : "server"),
- $sub=hostname, $conn=c]);
- }
+ NOTICE([$note=Interesting_Hostname_Login,
+ $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+ Site::is_local_addr(host) ? "local" : "remote",
+ host == id$orig_h ? "client" : "server"),
+ $sub=hostname, $id=id]);
 }
 }
 }
 
+event ssh_auth_successful(c: connection, auth_method_none: bool)
+ {
+ for ( host in set(c$id$orig_h, c$id$resp_h) )
+ {
+ check_ssh_hostname(c$id, host);
+ }
+ }
+
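Review bot: The NOTICE inside check_ssh_hostname now carries only `$id=id`, so the notice no longer records the connection UID that `$conn=c` used to supply, and the resulting notice.log entry is harder to join against conn.log and ssh.log when an analyst triages the alert. Threading the uid through keeps that correlation without holding the whole connection record across the asynchronous lookup: `function check_ssh_hostname(id: conn_id, uid: string, host: addr)`, `$sub=hostname, $id=id, $uid=uid]);` and `check_ssh_hostname(c$id, c$uid, host);` (Notice::Info has an optional uid field for this, if I recall the record correctly). The `when` block also has no `timeout` branch, so a lookup_addr that never resolves leaves the pending check outstanding indefinitely; a short `timeout` clause that simply returns would bound it.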