I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out bro is seeing successful logins as failures. This is really odd.
Typically, SSH user authentication protocol messages are already encrypted. A third-party snooping on the exchange can't be 100% positive of the results. See  for more on how Bro does it and for tuning options. If you're just manually testing things out with your own SSH sessions, make sure to actually do some stuff in your session so Bro will see enough data exchanged to guess a success instead of failure.
Well here is what is interesting about it. I do a tcpdump and I see the traffic coming in the span port. I am not understanding why it thinks the sessions did not complete.
First, take this with a grain of salt, as I’m not an expert on Bro but expect if I’m incorrect about the below I’ll be quickly corrected on-list.
I believe you’re confused regarding the use of ‘session’ at both layer 3/4 and higher layers…SSH is using TCP, and a TCP session is certainly established. What Bro is alerting on is how much data is exchanged in an active SSH session (carried over the TCP session). In other words, since SSH is encrypted after the initial key exchange, we can only guess if someone is logging in and immediately exiting, or trying to log in 3 times and getting their session reset. This is the heuristic part.
Essentially a variable is defined that says “if you see X amount of application data exchanged, assume the connection was successful, otherwise, assume the connection failed”.
Stated yet another way, Bro is attempting to guess whether someone was able to provide the proper authentication based on how much application data is transferred, not whether someone was able to successfully establish a TCP session with the port.
The tricky part about this detection method is that you may run into erroneous results in that someone who connects on the first login attempt and then simply exits may exchange less application data than the limit that is defined. So while they were in fact successful in logging in, Bro falsely assumes that the session failed because so little data is transferred…
Sound right everyone? Make sense John?
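A toy model of the size-based guess described above, added here as an illustration and not Bro's own script: the threshold value, the connection records and the ground-truth labels are all constructed assumptions, and `best_threshold` shows the tuning step where the limit has to be fitted to local traffic.

```python
"""Toy model of the data-size heuristic for SSH login success/failure.
Added illustration, not Bro's code: Bro exposes its own redef-able limit;
the value, sample records and labels below are constructed."""
from dataclasses import dataclass

AUTH_DATA_THRESHOLD = 5500  # assumed limit, in bytes, for the illustration


@dataclass
class SshConn:
    uid: str
    resp_bytes: int   # bytes from the server after the key exchange
    truth: str        # what really happened (constructed ground truth)


def classify(resp_bytes: int, threshold: int = AUTH_DATA_THRESHOLD) -> str:
    """The heuristic from the thread: enough data => success, else failure."""
    return "success" if resp_bytes >= threshold else "failure"


# Constructed sample connections, not captured traffic.
SAMPLE = [
    SshConn("C1", 42000, "success"),  # interactive session, lots of data
    SshConn("C2", 1800, "failure"),   # three bad passwords, then reset
    SshConn("C3", 2100, "success"),   # login followed by an immediate exit
    SshConn("C4", 900, "failure"),    # single rejected attempt
    SshConn("C5", 7300, "success"),   # ran a couple of commands
]


def confusion(conns, threshold=AUTH_DATA_THRESHOLD):
    """Count correct guesses and both kinds of error at one threshold."""
    counts = {"correct": 0, "false_failure": 0, "false_success": 0}
    for c in conns:
        guess = classify(c.resp_bytes, threshold)
        if guess == c.truth:
            counts["correct"] += 1
        elif guess == "failure":
            counts["false_failure"] += 1  # real login judged a failure (C3)
        else:
            counts["false_success"] += 1  # failed attempts judged a login
    return counts


def best_threshold(conns, candidates):
    """Tuning step: the candidate limit with the fewest misclassifications
    (ties go to the smaller value). A short real login and a few failed
    attempts can transfer similar amounts, so the usable window is narrow."""
    def errors(t):
        return sum(v for k, v in confusion(conns, t).items() if k != "correct")
    return min(candidates, key=lambda t: (errors(t), t))
```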