--- ssh.bro.orig 2008-06-28 20:17:11.000000000 +0000
+++ ssh.bro 2008-11-12 08:11:25.000000000 +0000
@@ -8,15 +8,16 @@
 # (especially with large file transfers) but precludes some
 # kinds of analyses (e.g., tracking connection size).
 const skip_processing_after_handshake = T &redef;
+
+ global ssh_ports = { 22/tcp, } &redef;
+
+ const ssh_log = open_log_file("ssh") &redef;
 }
 
 redef capture_filters += { ["ssh"] = "tcp port 22" };
 
-global ssh_ports = { 22/tcp } &redef;
 redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };
 
-const ssh_log = open_log_file("ssh") &redef;
-
 # Indexed by address and T for client, F for server.
 global did_ssh_version: table[addr, bool] of count
 &default = 0 &read_expire = 7 days;
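Review bot: The newly exported `ssh_ports` is `&redef`, but the unchanged `redef capture_filters += { ["ssh"] = "tcp port 22" };` a few lines below still hard-codes port 22, so a site that adds a non-standard SSH port through `ssh_ports` would probably still not see that traffic unless it extends the capture filter too. I would say so on the declaration, e.g. `# Ports handed to the SSH analyzer; if you redef this, also extend capture_filters["ssh"], which is fixed at "tcp port 22".` Whether `dpd_config` picks up a redef of `ssh_ports` made after this script is loaded is not visible here and is worth confirming. The neighbouring exported constant carries a comment while `ssh_ports` and `ssh_log` have none; a one-line `# Log file for this script's SSH output.` on `ssh_log` would match. The `export` block opens outside the hunk.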