From f9b3f739e4b0a87a85f912e619f3d53c23c9222d Mon Sep 17 00:00:00 2001
From: Justin Azoff
Date: Wed, 17 Aug 2016 10:41:41 -0400
Subject: [PATCH] Move lookup_addr when statement

Move the when statement to a function so that the connection record is not in scope. Cloning a connection record is an expensive operation and this avoids it and this avoids it.
---
 .../protocols/ssh/interesting-hostnames.bro | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.bro
index af6f441646..b943f8698e 100644
--- a/scripts/policy/protocols/ssh/interesting-hostnames.bro
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@@ -27,21 +27,26 @@ export {
  /^ftp[0-9]*\./ &redef;
  }
 
-event ssh_auth_successful(c: connection, auth_method_none: bool)
+function check_ssh_hostname(id: conn_id, host: addr)
  {
- for ( host in set(c$id$orig_h, c$id$resp_h) )
+ when ( local hostname = lookup_addr(host) )
  {
- when ( local hostname = lookup_addr(host) )
+ if ( interesting_hostnames in hostname )
  {
- if ( interesting_hostnames in hostname )
- {
- NOTICE([$note=Interesting_Hostname_Login,
- $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
- Site::is_local_addr(host) ? "local" : "remote",
- host == c$id$orig_h ? "client" : "server"),
- $sub=hostname, $conn=c]);
- }
+ NOTICE([$note=Interesting_Hostname_Login,
+ $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+ Site::is_local_addr(host) ? "local" : "remote",
+ host == id$orig_h ? "client" : "server"),
+ $sub=hostname, $id=id]);
  }
  }
  }
 
+event ssh_auth_successful(c: connection, auth_method_none: bool)
+ {
+ for ( host in set(c$id$orig_h, c$id$resp_h) )
+ {
+ check_ssh_hostname(c$id, host);
+ }
+ }
+
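Review bot: Replacing `$conn=c` with `$id=id` in the NOTICE call drops the connection UID from the notice, since the Notice framework fills `uid` from `$conn` and nothing in the new record supplies it, so an Interesting_Hostname_Login notice can no longer be joined back to its conn.log/ssh.log entry by uid — the main way an analyst pivots from this alert to the session. The fix keeps the stated goal (no connection record captured by the `when`) by passing the uid string alongside the id: change the signature to `function check_ssh_hostname(id: conn_id, uid: string, host: addr)`, the NOTICE line to `$sub=hostname, $id=id, $uid=uid]);`, and the call in ssh_auth_successful to `check_ssh_hostname(c$id, c$uid, host);`. A one-line comment above the function, such as `# Takes id/uid rather than the connection so the when-body does not clone the connection record.`, would record why the function exists in this shape.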