#
# bro code for exercise 5c
#
# Start Bro:
# bro syslog
# Then send events using broclient:
# cat syslog.broc | broclient
#
# Skeleton for the exercise: the two event handlers at the bottom are left
# empty on purpose and are filled in as part of the exercise.

# listen-clear opens an unencrypted listening port for remote peers; the
# only peer configured below is the loopback address, which is what keeps
# this acceptable for a local exercise.
@load listen-clear
@load remote
@load notice

# Notice type raised once a source exceeds the failure threshold.
redef enum Notice += {
	SSHLoginFail,
};

# Remote peer that feeds us events (broclient on this host).
#   $connect=F : we wait for the peer to connect to us, we do not dial out.
#   $ssl=F     : clear-text transport; fine on loopback only.
#   $events    : /.*/ accepts *every* event name the peer sends. Outside the
#                exercise this should be narrowed to the events actually
#                expected from this peer (here only ssh_fail_login).
redef Remote::destinations += {
	["syslog"] = [
		$host = 127.0.0.1,
		$events = /.*/,
		$connect = F,
		$retry = 60 secs,
		$ssl = F
	],
};

# Failure threshold, counted across all destination hosts for one source.
const max_failures = 5;

# Log file for per-event output; &redef lets a site script point it elsewhere.
global sshdlog = open_log_file("sshd") &redef;

# Per-source failure counters (missing keys read as 0 via &default).
global source_list: table[addr] of count &default=0;

# Sources that have already produced a notice (missing keys read as 0).
global alarmed_hosts: table[addr] of count &default=0;

# One failed SSH login, as reported by the remote peer. All arguments are
# peer-supplied values (presumably relayed by broclient from syslog) — treat
# account/auth_type as untrusted text when writing them to sshdlog.
event ssh_fail_login(ts: double, orig_h: addr, resp_h: addr,
                     account: string, auth_type: string)
	{
	# add code here to print info to sshdlog file and possibly generate a NOTICE
	}

# Runs at shutdown; the exercise prints the table summary here.
event bro_done()
	{
	# add code here to print table summary
	}