diff --git a/salt/common/init.sls b/salt/common/init.sls
index 12f229d4e..de7048c51 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
# Add socore Group
socoregroup:
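Review bot: `salt['grains.get']('master')` on the added line yields an empty value when the grain is unset, so the image references built from it later in this file would render as `:5000/soshybridhunter/...` and only fail at pull time. An explicit check that `MASTER` is non-empty, or at least a comment such as `# MASTER comes from the minion's master grain; it is empty if the grain is unset`, would make that failure easier to diagnose. The same two `set` lines, including the `'1.1.4'` default, are repeated in every state file this commit touches and again as `VERSION="HH1.1.4"` in so-elastic-download. A single shared definition would keep the tag the nodes request and the tag the master pushes from drifting apart.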
@@ -114,16 +116,9 @@ nginxtmp:
- group: 939
- makedirs: True
-# Start the core docker
-so-coreimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.4
-
so-core:
docker_container.running:
- - require:
- - so-coreimage
- - image: docker.io/soshybridhunter/so-core:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }}
- hostname: so-core
- user: socore
- binds:
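Review bot: With the `so-coreimage` state and its `require` removed, the node no longer runs `docker pull --disable-content-trust=false` itself, so signature verification happens only where so-elastic-download runs and each node accepts whatever `{{ MASTER }}:5000` serves for the tag. That makes write access to the registry the trust boundary: registry/init.sls publishes port 5000 on `0.0.0.0`, and no authentication settings are visible in this diff. Confirm that pushes are restricted to the master, and document the new model next to the image line, e.g. `# verified once on the master by so-elastic-download; nodes trust the master registry`. The same applies to every other `docker_container.running` hunk in this commit that swaps a `docker.io` image for `{{ MASTER }}:5000`; the so-core state itself continues past the end of this hunk.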
@@ -175,15 +170,9 @@ tgrafconf:
- template: jinja
- source: salt://common/telegraf/etc/telegraf.conf
-so-telegrafimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
so-telegraf:
docker_container.running:
- - require:
- - so-telegrafimage
- - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:HH{{ VERSION }}
- environment:
- HOST_PROC=/host/proc
- HOST_ETC=/host/etc
@@ -214,7 +203,7 @@ so-telegraf:
- /opt/so/conf/telegraf/etc/telegraf.conf
- /opt/so/conf/telegraf/scripts
-# If its a master or eval lets install the back end for now
+# If its a master or eval lets install the back end for now
{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
# Influx DB
@@ -236,15 +225,9 @@ influxdbconf:
- template: jinja
- source: salt://common/influxdb/etc/influxdb.conf
-so-influximage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
so-influxdb:
docker_container.running:
- - require:
- - so-influximage
- - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:HH{{ VERSION }}
- hostname: influxdb
- environment:
- INFLUXDB_HTTP_LOG_ENABLED=false
@@ -303,7 +286,7 @@ grafanadashfndir:
grafanadashsndir:
file.directory:
- - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes
+ - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
- user: 939
- group: 939
- makedirs: True
@@ -362,11 +345,11 @@ dashboard-{{ SN }}:
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
dashboard-{{ SN }}:
file.managed:
- - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
+ - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
- user: 939
- group: 939
- template: jinja
- - source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json
+ - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
- defaults:
SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }}
@@ -400,14 +383,9 @@ dashboard-{{ SN }}:
{% endfor %}
{% endif %}
-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
so-grafana:
docker_container.running:
- - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }}
- hostname: grafana
- user: socore
- binds:
diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download
new file mode 100644
index 000000000..020a42f79
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -0,0 +1,46 @@
+#!/bin/bash
+MASTER=MASTER
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-auth-api:$VERSION" \
+"so-auth-ui:$VERSION" \
+"so-core:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+ # Tag it with the new registry destination
+ docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+ docker push $MASTER:5000/soshybridhunter/$i
+ docker rmi soshybridhunter/$i
+done
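Review bot: The loop never checks the result of `docker pull --disable-content-trust=false`, so when verification or the download fails the script still runs `docker tag` and `docker push`, and a stale or locally built `soshybridhunter/$i` already on the host would be published to the registry unverified. Stop on failure, e.g. `docker pull --disable-content-trust=false "docker.io/soshybridhunter/$i" || exit 1`, and quote `$i` and `$MASTER` in the tag, push and rmi lines. `MASTER=MASTER` looks like a placeholder that something outside this diff has to substitute; a comment saying so would help. Separately, the registry config.yml in this commit still shows `proxy: remoteurl: https://registry-1.docker.io`, and Docker documents pushing to a registry configured as a pull-through cache as unsupported, so confirm the `docker push` step works against it.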
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 74dd47a99..f846ff8ae 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
# Curator
# Create the group
@@ -112,15 +114,9 @@ curdel:
- month: '*'
- dayweek: '*'
-so-curatorimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-curator:HH1.1.0
-
so-curator:
docker_container.running:
- - require:
- - so-curatorimage
- - image: docker.io/soshybridhunter/so-curator:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }}
- hostname: curator
- name: so-curator
- user: curator
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 999bbbd91..c5ba0d21b 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% if grains['role'] == 'so-master' %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
@@ -109,15 +110,9 @@ elastaconf:
- group: 939
- template: jinja
-so-elastalertimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elastalert:HH1.1.1
-
so-elastalert:
docker_container.running:
- - require:
- - so-elastalertimage
- - image: docker.io/soshybridhunter/so-elastalert:HH1.1.1
+ - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }}
- hostname: elastalert
- name: so-elastalert
- user: elastalert
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index b3f2e0ce5..94543a57b 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -12,6 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% if grains['role'] == 'so-master' %}
{% set esclustername = salt['pillar.get']('master:esclustername', '') %}
@@ -98,15 +100,9 @@ eslogdir:
- group: 939
- makedirs: True
-so-elasticsearchimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elasticsearch:HH1.1.4
-
so-elasticsearch:
docker_container.running:
- - require:
- - so-elasticsearchimage
- - image: docker.io/soshybridhunter/so-elasticsearch:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
- hostname: elasticsearch
- name: so-elasticsearch
- user: elasticsearch
@@ -140,7 +136,3 @@ so-elasticsearch-pipelines-file:
so-elasticsearch-pipelines:
cmd.run:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
-
-# Tell the main cluster I am here
-#curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
-
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 1eaa1ae5b..1a59446b3 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+ # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-{%- set MASTER = grains['master'] %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
# Filebeat Setup
@@ -46,25 +47,9 @@ filebeatconfsync:
- group: 0
- template: jinja
-#filebeatcrt:
-# file.managed:
-# - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-# - source: salt://filebeat/files/filebeat.crt
-
-#filebeatkey:
-# file.managed:
-# - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-# - source: salt://filebeat/files/filebeat.key
-
-so-filebeatimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-filebeat:HH1.1.4
-
so-filebeat:
docker_container.running:
- - require:
- - so-filebeatimage
- - image: docker.io/soshybridhunter/so-filebeat:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
- hostname: so-filebeat
- user: root
- extra_hosts: {{ MASTER }}:{{ MASTERIP }}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 917ee541e..85370d20d 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -1,6 +1,8 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
{%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Fleet Setup
fleetcdir:
@@ -59,15 +61,9 @@ fleetdbpriv:
- user: fleetdbuser
- host: 172.17.0.0/255.255.0.0
-so-fleetimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-fleet:HH1.1.3
-
so-fleet:
docker_container.running:
- - require:
- - so-fleetimage
- - image: docker.io/soshybridhunter/so-fleet:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:HH{{ VERSION }}
- hostname: so-fleet
- port_bindings:
- 0.0.0.0:8080:8080
diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index c08a74634..9bde4065f 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -1,4 +1,6 @@
{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
hiveconfdir:
file.directory:
- name: /opt/so/conf/hive/etc
@@ -53,15 +55,9 @@ hiveesdata:
- user: 939
- group: 939
-so-thehive-esimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-es:HH1.1.4
-
so-thehive-es:
docker_container.running:
- - require:
- - so-thehive-esimage
- - image: docker.io/soshybridhunter/so-thehive-es:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }}
- hostname: so-thehive-es
- name: so-thehive-es
- user: 939
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 9ec6f53f7..c18814243 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# IDSTools Setup
idstoolsdir:
file.directory:
@@ -61,15 +62,9 @@ ruleslink:
- name: /opt/so/saltstack/salt/suricata/rules
- target: /opt/so/rules/nids
-so-idstoolsimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-idstools:HH1.1.0
-
so-idstools:
docker_container.running:
- - require:
- - so-idstoolsimage
- - image: docker.io/soshybridhunter/so-idstools:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:HH{{ VERSION }}
- hostname: so-idstools
- user: socore
- binds:
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 686564f34..58eb6a32d 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,4 +1,5 @@
-{% set master = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Add ES Group
kibanasearchgroup:
@@ -52,25 +53,17 @@ synckibanacustom:
- user: 932
- group: 939
-# File.Recurse for custom saved dashboards
-
-so-kibanaimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-kibana:HH1.1.4
-
# Start the kibana docker
so-kibana:
docker_container.running:
- - require:
- - so-kibanaimage
- - image: docker.io/soshybridhunter/so-kibana:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:HH{{ VERSION }}
- hostname: kibana
- user: kibana
- environment:
- KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
- - ELASTICSEARCH_HOST={{ master }}
+ - ELASTICSEARCH_HOST={{ MASTER }}
- ELASTICSEARCH_PORT=9200
- - MASTER={{ master }}
+ - MASTER={{ MASTER }}
- binds:
- /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
- /opt/so/log/kibana:/var/log/kibana:rw
@@ -78,11 +71,3 @@ so-kibana:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- port_bindings:
- 0.0.0.0:5601:5601
-
-# Keep the setting correct
-#KibanaHappy:
-# cmd.script:
-# - shell: /bin/bash
-# - runas: socore
-# - source: salt://kibana/bin/keepkibanahappy.sh
-# - template: jinja
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 6d9755c42..61ad8826c 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Logstash Section - Decide which pillar to use
{% if grains['role'] == 'so-sensor' %}
@@ -152,16 +153,9 @@ lslogdir:
- group: 939
- makedirs: True
-# Add the container
-so-logstashimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.4
-
so-logstash:
docker_container.running:
- - require:
- - so-logstashimage
- - image: docker.io/soshybridhunter/so-logstash:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }}
- hostname: so-logstash
- name: so-logstash
- user: logstash
diff --git a/salt/master/init.sls b/salt/master/init.sls
index c6e11279d..f6ad5d70a 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
{% if masterproxy == 1 %}
@@ -24,7 +25,7 @@ socore_own_saltstack:
- group: socore
- recurse:
- user
- - group
+ - group
# Create the directories for apt-cacher-ng
aptcacherconfdir:
@@ -55,16 +56,10 @@ acngcopyconf:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://master/files/acng/acng.conf
-so-acngimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-acng:HH1.1.0
-
# Install the apt-cacher-ng container
so-aptcacherng:
docker_container.running:
- - require:
- - so-acngimage
- - image: docker.io/soshybridhunter/so-acng:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }}
- hostname: so-acng
- port_bindings:
- 0.0.0.0:3142:3142
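Review bot: `so-acng` is not in the `TRUSTED_CONTAINERS` list in so-elastic-download, so nothing in this commit pushes `soshybridhunter/so-acng:HH{{ VERSION }}` to the master registry that this image line now points at. The tag also moves from `HH1.1.0` to the `VERSION` default of `1.1.4`; whether that tag is published upstream is not visible here. Either add `"so-acng:$VERSION" \` to the list or keep this state on a tag that is known to exist. The so-aptcacherng state continues past the end of the hunk.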
@@ -73,39 +68,4 @@ so-aptcacherng:
- /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
- /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
-
-# Create the config directory for the docker registry
-dockerregistryconfdir:
- file.directory:
- - name: /opt/so/conf/docker-registry/etc
- - user: 939
- - group: 939
- - makedirs: True
-
-dockerregistrylogdir:
- file.directory:
- - name: /opt/so/log/docker-registry
- - user: 939
- - group: 939
- - makedirs: true
-
-# Copy the config
-dockerregistryconf:
- file.managed:
- - name: /opt/so/conf/docker-registry/etc/config.yml
- - source: salt://master/files/registry/config.yml
-
-# Install the registry container
-so-dockerregistry:
- docker_container.running:
- - image: registry:2
- - hostname: so-registry
- - port_bindings:
- - 0.0.0.0:5000:5000
- - binds:
- - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
- - /opt/so/conf/docker-registry:/var/lib/registry:rw
- - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
- - /etc/pki/registry.key:/etc/pki/registry.key:ro
-
{% endif %}
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index a0136ae9b..b964d7d37 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,6 +1,8 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
{%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# MySQL Setup
mysqlpkgs:
pkg.installed:
@@ -48,15 +50,9 @@ mysqldatadir:
- group: 939
- makedirs: True
-so-mysqlimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-mysql:HH1.1.0
-
so-mysql:
docker_container.running:
- - require:
- - so-mysqlimage
- - image: docker.io/soshybridhunter/so-mysql:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }}
- hostname: so-mysql
- user: socore
- port_bindings:
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index a49dc00e3..f5a4e4924 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# PCAP Section
# Create the logstash group
@@ -94,15 +95,9 @@ stenolog:
- group: 941
- makedirs: True
-so-stenoimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-steno:HH1.1.3
-
so-steno:
docker_container.running:
- - require:
- - so-stenoimage
- - image: docker.io/soshybridhunter/so-steno:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
- network_mode: host
- privileged: True
- port_bindings:
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 770316ab9..907e4825c 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -1,4 +1,6 @@
{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
playbookdb:
file.managed:
@@ -24,15 +26,9 @@ navigatorconfig:
- makedirs: True
- template: jinja
-so-playbookimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-playbook:HH1.1.3
-
so-playbook:
docker_container.running:
- - require:
- - so-playbookimage
- - image: docker.io/soshybridhunter/so-playbook:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:HH{{ VERSION }}
- hostname: playbook
- name: so-playbook
- binds:
@@ -40,15 +36,9 @@ so-playbook:
- port_bindings:
- 0.0.0.0:3200:3000
-so-navigatorimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-navigator:HH1.1.1
-
so-navigator:
docker_container.running:
- - require:
- - so-navigatorimage
- - image: docker.io/soshybridhunter/so-navigator:HH1.1.1
+ - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }}
- hostname: navigator
- name: so-navigator
- binds:
@@ -56,7 +46,7 @@ so-navigator:
- /opt/so/conf/playbook/nav_layer_playbook.json:/nav-app/src/assets/playbook.json:ro
- port_bindings:
- 0.0.0.0:4200:4200
-
+
/usr/sbin/so-playbook-sync:
cron.present:
- identifier: so-playbook-sync
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 18178ce3b..690f2a7c9 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -13,6 +13,8 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
{% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Redis Setup
redisconfdir:
@@ -44,15 +46,9 @@ redisconfsync:
- group: 939
- template: jinja
-so-redisimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-redis:HH1.1.0
-
so-redis:
docker_container.running:
- - require:
- - so-redisimage
- - image: docker.io/soshybridhunter/so-redis:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }}
- hostname: so-redis
- user: socore
- port_bindings:
diff --git a/salt/master/files/registry/config.yml b/salt/registry/etc/config.yml
similarity index 99%
rename from salt/master/files/registry/config.yml
rename to salt/registry/etc/config.yml
index db9f9c32b..d25a034b0 100644
--- a/salt/master/files/registry/config.yml
+++ b/salt/registry/etc/config.yml
@@ -21,4 +21,3 @@ health:
threshold: 3
proxy:
remoteurl: https://registry-1.docker.io
-
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
new file mode 100644
index 000000000..ac6cc1795
--- /dev/null
+++ b/salt/registry/init.sls
@@ -0,0 +1,41 @@
+# Create the config directory for the docker registry
+dockerregistryconfdir:
+ file.directory:
+ - name: /opt/so/conf/docker-registry/etc
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+dockerregistrydir:
+ file.directory:
+ - name: /nsm/docker-registry/docker
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+dockerregistrylogdir:
+ file.directory:
+ - name: /opt/so/log/docker-registry
+ - user: 939
+ - group: 939
+ - makedirs: true
+
+# Copy the config
+dockerregistryconf:
+ file.managed:
+ - name: /opt/so/conf/docker-registry/etc/config.yml
+ - source: salt://registry/etc/config.yml
+
+# Install the registry container
+so-dockerregistry:
+ docker_container.running:
+ - image: registry:2
+ - hostname: so-registry
+ - port_bindings:
+ - 0.0.0.0:5000:5000
+ - binds:
+ - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
+ - /opt/so/conf/docker-registry:/var/lib/registry:rw
+ - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
+ - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
+ - /etc/pki/registry.key:/etc/pki/registry.key:ro
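Review bot: `- image: registry:2` is a floating upstream tag pulled without the content-trust check that so-elastic-download applies to the other images, yet this container becomes the source of every image on the grid; pinning it by digest, e.g. `- image: registry:2@sha256:<DIGEST_PLACEHOLDER>`, would close that gap. The bind `/opt/so/conf/docker-registry:/var/lib/registry:rw` exposes the directory holding `etc/config.yml` read-write inside the container, with `/nsm/docker-registry/docker` mounted beneath it; if only the image store needs to be writable, the first bind looks unnecessary. `0.0.0.0:5000:5000` publishes the registry on every interface, so it should be limited by firewall or bound to the management address. Minor: `makedirs: true` in `dockerregistrylogdir` differs from `True` in the other two directory states.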
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index 19fcd8b4a..44f29ef4f 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
sensoronidir:
file.directory:
- name: /opt/so/conf/sensoroni
@@ -27,15 +30,9 @@ sensoronisync:
- group: 939
- template: jinja
-so-sensoroniimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-sensoroni:HH1.1.3
-
so-sensoroni:
docker_container.running:
- - require:
- - so-sensoroniimage
- - image: docker.io/soshybridhunter/so-sensoroni:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:HH{{ VERSION }}
- hostname: sensoroni
- name: so-sensoroni
- binds:
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 578789a76..d03ed9f04 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
soctopusdir:
file.directory:
- name: /opt/so/conf/soctopus
@@ -44,15 +47,9 @@ navigatordefaultlayer:
- replace: False
- template: jinja
-so-soctopusimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-soctopus:HH1.1.3
-
so-soctopus:
docker_container.running:
- - require:
- - so-soctopusimage
- - image: docker.io/soshybridhunter/so-soctopus:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }}
- hostname: soctopus
- name: so-soctopus
- binds:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index ac876212c..6f08c2704 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -14,7 +14,9 @@
# along with this program. If not, see .
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set BROVER = salt['pillar.get']('static:broversion', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Suricata
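Review bot: The `BROVER` default changes from `'COMMUNITY'` to `''`, which is unrelated to the registry move and alters behaviour whenever the `static:broversion` pillar is unset. Any later use of `BROVER` in this file (not visible in the hunk) that compares against `'COMMUNITY'` would now take a different branch on such minions. If the change is intentional, say so with a comment such as `# BROVER is empty unless static:broversion is set`; otherwise keep `'COMMUNITY'` as the default. The switch from `{%-` to `{%` also leaves an extra blank line in the rendered output, which is harmless.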
@@ -77,16 +79,10 @@ surithresholding:
- user: 940
- group: 940
- template: jinja
-
-so-suricataimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
-
+
so-suricata:
docker_container.running:
- - require:
- - so-suricataimage
- - image: docker.io/soshybridhunter/so-suricata:HH1.1.1
+ - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }}
- privileged: True
- environment:
- INTERFACE={{ interface }}
diff --git a/salt/syslog-ng/files/patterndb.xml b/salt/syslog-ng/files/patterndb.xml
deleted file mode 100644
index a1b3cdad4..000000000
--- a/salt/syslog-ng/files/patterndb.xml
+++ /dev/null
@@ -1,2333 +0,0 @@
-
-
- %FWSM
-
-
-
- Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@
- Deny @ESTRING:: @@ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@
- Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@
-
-
-
- Deny inbound tcp src OUTSIDE:2.116.180.66/3116 dst INSIDE:10.0.0.0/445
-
- tcp
- OUTSIDE
- 2.116.180.66
- 3116
- INSIDE
- 10.0.0.0
- 445
-
-
-
-
-
-
- Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@
-
-
-
-
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@
- Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface
-
-
-
- 192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
- 192.168.1.1
- 10.0.0.0
- www.example.com
- wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
-
-
- Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside
-
- www.example.com
- feedout/content
- 192.168.1.1
- 72.246.55.49
-
-
-
-
-
-
- Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@
-
-
-
- Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service
- 10.245.102.86
- Produccion
- pepe
-
-
- Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested
- 10.229.201.171
- Acceso
- juan
-
-
-
-
-
-
- %ASA
-
-
-
- Inbound @ESTRING:i0: @connection denied from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@
- Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@
- Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @
- Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@ESTRING::/@@NUMBER:i4:@ by access-group @ESTRING:s2: @
- Deny @ESTRING:i0: @src @ESTRING:s0::@@ESTRING::/@@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @
- Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@ dst @ESTRING:s1::@@IPv4:i3:@ (type @NUMBER::@, code @NUMBER::@) by access-group @ESTRING:s2: @
- Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@
- Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:s0:-@@ESTRING:i1:-@@ESTRING::/@@ESTRING:i2: @to @ESTRING:s1:-@@ESTRING:i3:-@@ESTRING::/@@ESTRING:i4: @
- Deny inbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@
- Deny outbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@
- Deny IP spoof @ESTRING::to @@ESTRING:i3: @on interface @ANYSTRING:s0:@
- Deny inbound @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @
- Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@
- Deny IP from @ESTRING:i1: @to @ESTRING:i3: @
- @ESTRING:i0: @access discarded from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@
-
-
-
-
- Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@
- access-list @ESTRING:: @permitted @ESTRING:i0: @@ESTRING:s0:/@@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:s1:/@@ESTRING:i3:(@@NUMBER:i4:@) hit-cnt @NUMBER:i5:@
- @ESTRING:i0: @access permitted from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@
-
-
-
- access-list access_out permitted tcp INSIDE/10.221.221.21(52427) -> OUTSIDE/10.222.222.22(80) hit-cnt 1 first hit [0x487d4278, 0x0]
- tcp
- 10.221.221.21
- 52427
- 10.222.222.22
- 80
- 1
- INSIDE
- OUTSIDE
-
-
- Built inbound TCP connection 740617324 for inside:10.21.21.221/4087 (10.21.21.221/4087) to CWWAN:172.17.6.80/8192 (172.17.6.80/8192)
- tcp
- 10.221.221.21
- 4087
- 172.17.6.80
- 8192
- INSIDE
- OUTSIDE
-
-
-
-
-
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@
- Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface
-
-
-
- 192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
- 192.168.1.1
- 10.0.0.0
- www.example.com
- wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
-
-
- Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside
-
- www.example.com
- feedout/content
- 192.168.1.1
- 72.246.55.49
-
-
-
-
-
-
- Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@
-
-
-
- Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service
- 10.245.102.86
- Produccion
- pepe
-
-
- Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested
- 10.229.201.171
- Acceso
- juan
-
-
-
-
-
- FTP connection from @ESTRING:s0::@@ESTRING:i0:/@@NUMBER:i1:@ to @ESTRING:s1::@@ESTRING:i2:/@@NUMBER:i3:@, user @ESTRING:s2: @@ESTRING:s3: @@ANYSTRING:s4:@
-
-
-
-
- Cleared @ESTRING:i0: @urgent flag from @ESTRING:s0::@@ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s1::@@ESTRING:i3:/@@NUMBER:i4:@
- regular translation creation failed for @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @(type @NUMBER:i2:@, code @NUMBER:i4:@
-
-
-
-
-
- %PIX
-
-
-
- Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@
- Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@
-
-
-
-
- Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@
-
-
-
- Teardown TCP connection 2050472353 for outside:10.65.200.34/1252 to inside:10.0.0.0/135 duration 0:00:00 bytes 1476 TCP FINs
-
- TCP
- outside
- 10.65.200.34
- 1252
- inside
- 10.0.0.0
- 135
- 0:00:00
- 1476
-
-
-
-
-
-
- Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@
-
-
-
- Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service
- 10.245.102.86
- Produccion
- pepe
-
-
- Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested
- 10.229.201.171
- Acceso
- juan
-
-
-
-
-
-
- %IOSXE-6-PLATFORM
-
-
-
- @ESTRING::%NAT-6-LOG_TRANSLATION: Created Translation @@ESTRING:i0: @@IPv4:i1:@:@NUMBER:i2:@ @IPv4::@:@NUMBER::@ @IPv4::@:@NUMBER::@ @IPv4:i3:@:@NUMBER:i4:@
-
-
-
- F0: cpp_cp: QFP:0.0 Thread:031 TS:00000428205839105179 %NAT-6-LOG_TRANSLATION: Created Translation TCP 1.1.1.1:4227 1.1.1.1:1043 2.2.2.2:80 2.2.2.2:80 0
-
- TCP
- 1.1.1.1
- 4227
- 2.2.2.2
- 80
-
-
-
-
-
-
-
- %SEC-6-IPACCESSLOGS
-
-
-
- list @ESTRING::denied @@IPv4:i3:@
-
-
-
- list REMOTE-MGMT denied 1.1.1.1 1 packet [0x7EAD30FB]
-
- 1.1.1.1
-
-
-
-
-
-
-
- %FMANFP-6-IPACCESSLOGP
-
-
-
- F@ESTRING::denied @@ESTRING:i0: @@IPv4:i1:@(@NUMBER:i2:@) -> @IPv4:i3:@(@NUMBER:i4:@
-
-
-
- F0: fman_fp_image: list IPV4-INTERNET-OUTBOUND denied udp 1.1.1.1(49610) -> 2.2.2.2(53), 1 packet
-
- udp
- 1.1.1.1
- 49610
- 2.2.2.2
- 53
-
-
-
-
-
-
-
- %FMANFP-6-IPV6ACCESSLOGP
-
-
-
- F@ESTRING::denied @@ESTRING:i0: @@ESTRING:s0:(@@NUMBER:i2:@) -> @ESTRING:s1:(@@NUMBER:i4:@
-
-
-
- F0: fman_fp_image: list IPV6-INTERNET-INBOUND denied udp ffe:4e0::(38346) -> ffe:4e0::(40322), 1 packet
-
- udp
- ffe:4e0::
- 38346
- ffe:4e0::
- 40322
-
-
-
-
-
-
-
- MSWinEventLog
- Application
- Security
- System
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING::Account Name@: @ESTRING:s1: @@ESTRING::Account Domain@: @ESTRING:s2: @
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@ @ESTRING:i0: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:s2: @@ESTRING:s3: @@ESTRING:s4: @@ESTRING:s5: @@ESTRING:: @@ESTRING:: @
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@|Logon Failure:@ESTRING:: @Reason: @ESTRING:s2: @User Name: @ESTRING:s1: @
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING@
-
-
-
-
-
- Application
- Security
- System
-
-
-
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@
- @NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access
- @NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@
- @NUMBER:i0:@: @ESTRING:s0::@
- @NUMBER:i0:@: @ANYSTRING::@
-
-
-
- 7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.
-
- 7035
- NT AUTHORITYSYSTEM
-
-
-
- 1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
- 1202
- Security policies were propagated with warning. 0x4b8
-
-
-
-
-
-
-
-
-
-
- @NUMBER:i0:@: @ESTRING::Account Name@@ESTRING::Account Name@: @ESTRING:s1: @@ESTRING::Account Domain@: @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@
- @NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access
- @NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@
- @NUMBER:i0:@: @ESTRING:s0::@
- @NUMBER:i0:@: @ANYSTRING::@
-
-
-
- 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: MYDOMAIN-DC-1$ Account Domain: MYDOMAIN Logon ID: 0x3e7 Logon Type: 3 New Logon: Security ID: S-1-5-21-3113823999-9998615402-9997257512-9966 Account Name: myuser Account Domain: MYDOMAIN Logon ID: 0x2339f787 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\\Windows\\System32\\lsass.exe Network Information: Workstation Name: MYDOMAIN-DC-1 Source Network Address: 172.24.248.117 Source Port: 54265 Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
-
- 4624
- myuser
- MYDOMAIN
- 172.24.248.117
-
-
-
- 7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.
-
- 7035
- NT AUTHORITYSYSTEM
-
-
-
- 1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
- 1202
- Security policies were propagated with warning. 0x4b8
-
-
- 5140: A network share object was accessed. Subject: Security ID: S-1-5-18 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x3e7 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 49206 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
- 5140
- MYUSER
- MYDOMAIN
- 192.168.148.5
- \\*\ADMIN$
- \??\C:\Windows
-
-
- 5140: A network share object was accessed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1e05bb9b Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 65518 Share Information: Share Name: \\\\*\\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
- 5140
- ANONYMOUS LOGON
- NT AUTHORITY
- 192.168.148.5
- \\\\*\\IPC$
-
-
- 5145: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-518783779-1162290680-929701000-2097 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x19789189 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 4235 Share Information: Share Name: \\*\SHARE_NAME Share Path: \??\C:\SHARE_PATH Relative Target Name: MYFILE Access Request Information: Access Mask: 0x80 Accesses: ReadAttributes Access Check Results: ReadAttributes: Granted by D:(A;;FA;;;WD)
- 5145
- MYUSER
- MYDOMAIN
- 192.168.148.5
- \\*\SHARE_NAME
- \??\C:\SHARE_PATH
- MYFILE
-
-
-
-
-
-
- GenericLog
-
-
-
- @NUMBER::@,@ANYSTRING::@
-
- 0
- dhcplog
- dhcplog
-
-
-
-
-
- 30,11/16/10,12:25:04,DNS Update Request,x.x.x.x,hostname,,
- 0
- dhcplog
- dhcplog
-
-
- 11,11/16/10,12:25:04,Renew,x.x.x.x,hostname,macaddr,
- 0
- dhcplog
- dhcplog
-
-
-
- 4
-
-
-
-
-
-
-
- @ESTRING::Event ID@: @NUMBER:i0:@ <Data Name='TargetUserName'>@ESTRING:s0:<@
- @ESTRING::Event ID@: @NUMBER:i0:@
-
-
- Mar 9 22:35:10 IU-MSSG-ADSDC01.domain Event ID: 5157 <Data Name='ProcessID'>180</Data><Data Name='Application'>\device\harddiskvolume2\windows\system32\svchost.exe</Data><Data Name='Direction'>%14592</Data><Data Name='SourceAddress'>10.68.239.128</Data><Data Name='SourcePort'>500</Data><Data Name='DestAddress'>10.166.175.52</Data><Data Name='DestPort'>500</Data><Data Name='Protocol'>17</Data><Data Name='FilterRTID'>73486</Data><Data Name='LayerName'>%14610</Data><Data Name='LayerRTID'>44</Data><Data Name='RemoteUserID'>S-1-0-0</Data><Data Name='RemoteMachineID'>S-1-0-0</Data>
- 5157
-
-
- Mar 9 22:35:10 IU-MSSG-ADSDC04.domain Event ID: 4769 <Data Name='TargetUserName'>user@domain</Data><Data Name='TargetDomainName'>domain</Data><Data Name='ServiceName'>IU-MSSG-ADSDC04$</Data><Data Name='ServiceSid'>S-1-5-21-1085031214-1292428093-527237240-496356</Data><Data Name='TicketOptions'>0x40810000</Data><Data Name='TicketEncryptionType'>0x12</Data><Data Name='IpAddress'>::ffff:10.160.118.87</Data><Data Name='IpPort'>54144</Data><Data Name='Status'>0x0</Data><Data Name='LogonGuid'>{CD66EF59-4404-F056-C1CC-5E12BE6B978E}</Data><Data Name='TransmittedServices'>-</Data>
- 4769
- user@domain
-
-
-
-
-
-
-
- url
-
-
-
-
-
-
- @IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@
- @IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@
- @IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@NUMBER:i5@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@
-
- @ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@IPv4:i0:@:@NUMBER:i1:@ -> @IPv4:i2:@:@NUMBER:i3:@
-
- @ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@ESTRING:s3: [**] @@ESTRING:s0: [**] @@ESTRING:: [**] @@ESTRING:i2: [**] @@NUMBER:i3:@ bytes [**] @IPv4:i0:@:@NUMBER:i4:@ -> @IPv4:i1:@:@NUMBER:i5:@
-
- @IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@
-
- @ESTRING:s1: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@
-
-
-
- 192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200|46142|8583
-
- 192.168.1.1
- 10.0.0.0
- GET
- ajax.googleapis.com
- /ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
- http://slickdeals.net/
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- ,com,googleapis.com,ajax.googleapis.com
- 200
- 46142
- 8583
-
-
-
- 192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||8583
-
- 192.168.1.1
- 10.0.0.0
- GET
- ajax.googleapis.com
- /ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
- http://slickdeals.net/
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- ,com,googleapis.com,ajax.googleapis.com
- 200
-
- 8583
-
-
-
- 192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||
-
- 192.168.1.1
- 10.0.0.0
- GET
- ajax.googleapis.com
- /ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
- http://slickdeals.net/
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- ,com,googleapis.com,ajax.googleapis.com
- 200
-
-
-
-
-
- 127.0.0.1 - - [09/Dec/2012:23:20:27 -0600] "HEAD / HTTP/1.1" 200 334 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11"
-
- 127.0.0.1
- HEAD
- /
- -
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11
- -
- 200
- 334
-
-
-
-
-
-
-
- snort
-
-
-
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
-
- [1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.0.0.0
- 1:485:5
- ICMP Destination Unreachable Communication Administratively Prohibited
- Misc activity
- 3
- ICMP
- 192.168.1.1
- 10.0.0.0
-
-
-
-
-
- @QSTRING:s0:[]@ @ESTRING:s1: [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@@QSTRING:s1: @[Classification:@QSTRING:s2: ]@ [Priority@QSTRING:i0: ]@: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
- [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [Classification: Potentially Bad Traffic] [Priority: 2]: <eth1> {TCP} 192.168.193.245:38472 -> 192.168.193.1:5432
- 1:2010939:2
- ET POLICY Suspicious inbound to PostgreSQL port 5432
- Potentially Bad Traffic
- eth1
- 2
- TCP
- 192.168.193.245
- 38472
- 192.168.193.1
- 5432
-
-
-
-
-
- @QSTRING:s0:[]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
- @QSTRING:s0:[]@ [@ESTRING::]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
-
-
-
- @NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@ -> @IPv4:i4:@
-
-
- 20$pdb_extracted_shortyear-$pdb_extracted_month-$pdb_extracted_day $pdb_extracted_hour:$pdb_extracted_minute:$pdb_extracted_second
-
-
-
-
-
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ ->@IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ ->@IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ ->@IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ ->@IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@-> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] {@@ESTRING:i1:}@@IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
-
-
-
-
- sshd
-
-
-
-
- Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
-
-
-
-
-
- Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
- Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
- Failed @ESTRING:s0: @for illegal user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
-
-
-
-
-
- pam_unix(sshd:session): session closed for user @ANYSTRING:s0:@
- session closed for user @ANYSTRING:s0:@
-
-
-
-
-
- bro_dns
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1318443095.831281|0L5Ro2iPit1|10.0.0.0|23657|69.22.154.225|53|udp|31608|e2932.c.akamaiedge.net|1|C_INTERNET|1|A|0|NOERROR|F|T|F|F|F|1|20.000000|23.0.124.9
-
- 10.0.0.0
-
- 23657
-
- 69.22.154.225
-
- 53
-
- udp
-
- e2932.c.akamaiedge.net
-
- 23.0.124.9
-
-
-
-
-
-
- bro_notice
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING::|@@IPv4::@|@IPv4::@|@NUMBER::@|@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@
-
-
- /$s2
-
-
-
-
- @ESTRING::|@@ESTRING::|@@IPv4:i0@|@NUMBER:i1@|@IPv4:i2@|@NUMBER:i3@|@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:@|@IPv4:@|@NUMBER:@|@ANYSTRING::@
- @ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@-|-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|@NUMBER:i3@|@ANYSTRING::@
- @ESTRING::|@-|-|@ESTRING:i1:|@-|@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|@IPv4:i2@|-|-|@ANYSTRING::@
- @ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|-|-|@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@-|-|-|-|@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@udp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@icmp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@
- @ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|-|-|-|-@ANYSTRING::@
- @ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|@IPv4:i0:@|@ANYSTRING::@
-
-
-
-
-
- bro_files
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@
-
-
-
-
-
- bro_smtp
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@
-
-
-
- 1320612601.697404|SFiDYDwOSl8|10.0.0.0|45765|66.94.25.228|25|@woMgeVXDE|server.example.com|<prvs=284e51a33=user@domain.com>|<user@example.com>|Sun, 6 Nov 2011 14:50:00 -0600|"user" <user@domain.com>|"'user@example.com'" <user@example.com>|-|<F3AC33A1A5033546890246040DCA32E303CDF29D5FE6@mailserver.domain.com>|<user@example.com>|RE: some subject|-|from mailserver.domain.com ([10.0.0.0]) with mapi; Sun, 6 Nov 2011 14:50:01 -0600|from mailserver.domain.com ([10.0.0.0]) by mailserver.domain.com with ESMTP/TLS/RC4-MD5; 06 Nov 2011 14:50:01 -0600|250 2.0.0 10wk4g5v6k-1 Message accepted for delivery|192.168.1.1,10.0.0.0|-|F
-
- 10.0.0.0
-
- 45765
-
- 66.94.25.228
-
- 25
-
- server.example.com
-
- "user" <user@domain.com>
-
- "'user@example.com'" <user@example.com>
-
- RE: some subject
-
- 250 2.0.0 10wk4g5v6k-1 Message accepted for delivery
-
- 192.168.1.1,10.0.0.0
-
-
-
-
-
-
- bro_smtp_entities
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:@
-
-
-
- 1320613389.303478|zQQiHb1x3fj|216.33.127.82|37295|10.0.0.0|25|@VqmVdbY2Mm3|CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf|54399|application/pdf|-|-|-
-
- 216.33.127.82
-
- 37295
-
- 10.0.0.0
-
- 25
-
- CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf
-
- 54399
-
- application/pdf
-
- -
-
- -
-
- -
-
-
-
-
-
-
- bro_ssl
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING::|@@ESTRING:i4:|@@ANYSTRING::@
-
-
-
- 1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|443|TLSv10|TLS_RSA_WITH_RC4_128_MD5|-|48eacd8fda1a4f48188288ce09ba84d93b8b40aaafdeafd8bace5a1ba9f7c3ce|CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US|1286341200.000000|1381035599.000000|04918ecb442ca62e6e8f29272b9cff42|ok
-
- 10.0.0.0
-
- 19427
-
- 80.175.58.76
-
- 443
-
- -
-
- CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US
-
- 1381035599.000000
-
-
-
-
-
-
- bro_http
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING:i5:|@@ESTRING:i4:|@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:i5:|@@ESTRING::|@@ESTRING:i4:|@
-
-
-
- 1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|GET|www.google.com|/|http://example.com|myagent|-|-|1000|0|200|
-
- 10.0.0.0
-
- 19427
-
- 80.175.58.76
-
- 80
-
- GET
-
- www.google.com
-
- /
-
- http://example.com
-
- myagent
-
- 200
-
- 1000
-
-
-
-
-
-
- bro_conn
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:i5:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING:s4:|@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@
-
-
-
- 1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|tcp|...
-
- 10.0.0.0
-
- 19427
-
- 80.175.58.76
-
- 80
-
- tcp
-
-
- 1355091922.994655|fOFtbJ91cG7|192.168.1.103|52949|206.12.19.9|80|tcp|http|3.970039|2829|574725|SF|-|3706|ShADadFf|200|14697|403|591995
-
- 192.168.1.103
-
- 52949
-
- 206.12.19.9
-
- 80
-
- tcp
-
- http
-
- 3.970039
-
- 2829
-
- 574725
-
- 200
-
- 403
-
-
-
-
-
-
- kernel
-
-
-
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=webfilter pri=@ESTRING:: @vd=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @serial=@ESTRING:: @user=@ESTRING:s0: @group=@ESTRING:s1: @src=@IPv4:i0:@ sport=@ESTRING:i1: @src_port=@ESTRING:: @src_int=@ESTRING:: @dst=@IPv4:i2:@ dport=@ESTRING:i3: @dst_port=@ESTRING:: @dst_int=@ESTRING:: @service=@ESTRING:s2: @hostname=@ESTRING:s3: @profiletype=@ESTRING:: @profile=@ESTRING:: @status=@ESTRING:s4: @req_type=@ESTRING:: @url=@ESTRING:s5: @method=@ESTRING:: @class=@ESTRING:: @cat=@ESTRING:i4: @cat_desc=@QSTRING::""@ carrier_ep=@ESTRING:: @msg=@QSTRING::""@ class_desc=@ESTRING:: @profilegroup=
-
-
-
- date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FG100C999999999 log_id=13312 subtype=ftgd_allow type=webfilter pri=notice vd=VDOM policyid=44 identidx=1 serial=369298248 user=USER group=AD/GROUP src=10.1.2.3 sport=2163 src_port=2163 src_int=INT dst=4.3.2.1 dport=80 dst_port=80 dst_int=WAN service=http hostname=col.stb.s-msn.com profiletype=Webfilter_Profile profile=PROFILE status=passthrough req_type=referral url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg method=domain class=0 cat=41 cat_desc="Search Engines and Portals" carrier_ep=N/A msg="URL belongs to an allowed category in policy" class_desc=N/A profilegroup=N/A
-
- 10.1.2.3
- 2163
- 4.3.2.1
- 80
- USER
- AD/GROUP
- http
- col.stb.s-msn.com
- passthrough
- /i/79/65F987C952BDA0E84AE52464ADD59.jpg
- 41
-
-
-
-
-
-
-
- kernel
-
-
-
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=traffic pri=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4@ app_type=@ESTRING:: @duration=@NUMBER:i5@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @src_int=@ESTRING:: @dst_int=@ESTRING:: @SN=@ESTRING:: @app=@ESTRING:: @app_cat=@ESTRING:: @carrier_ep=@ESTRING:: @vpn=@ESTRING:: @status=@ESTRING:: @user=@ESTRING:: @group=@ESTRING:: @shaper_sent_name=@ESTRING:: @shaper_rcvd_name=@ESTRING:: @perip_name
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @transip=@ESTRING:: @transport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ src_port=@NUMBER:i1:@ src_int=@QSTRING::""@ dst=@IPv4:i2:@ dst_port=@NUMBER:i3:@ dst_int=@QSTRING::""@ SN=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dst_country=@QSTRING::""@ src_country=@QSTRING::""@ service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sent=@ESTRING:: @rcvd=@ESTRING:: @msg
-
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@
-
-
-
- date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FGT80C9999999999 log_id=2 subtype=allowed type=traffic pri=notice vd=VDOM dir_disp=org tran_disp=snat src=10.1.2.3 srcname=10.1.2.3 src_port=53624 dst=4.3.2.2 dstname=4.3.2.2 dst_port=80 tran_ip=5.4.3.2 tran_port=49648 service=80/tcp proto=6 app_type=N/A duration=120 rule=49 policyid=49 identidx=0 sent=1221 rcvd=2062 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 sent_pkt=7 rcvd_pkt=6 src_int=INT dst_int=WAN SN=16349534 app=N/A app_cat=N/A carrier_ep=N/A vpn=N/A status=accept user=N/A group=N/A shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A
-
- 10.1.2.3
- 53624
- 4.3.2.2
- 80
- 6
- 120
-
-
-
-
-
-
-
-
-
-
- @QSTRING:i0:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING:s0:""@ @QSTRING:s1:""@ @QSTRING:s2:""@ @QSTRING:s3:""@ @QSTRING:s4:""@ @QSTRING::""@ @QSTRING:i1:""@ @QSTRING:i2:""@ @QSTRING:i3:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ "message_info: @ESTRING:s5:"@ @QSTRING::""@ @QSTRING::""@
-
-
-
- "1" "12Feb2012" "23:59:04" "bond0.30" "FW-INT-CHCKPNT1" "Log" "Drop" "ntp-udp" "ntp-udp" "192.168.1.210" "10.133.3.10" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""
-
- 1
- bond0.30
- FW-INT-CHCKPNT1
- Log
- Drop
- ntp-udp
- 192.168.1.210
- 10.133.3.10
- udp
- Address spoofing
-
-
-
-
-
-
-
-
-
-
- @NUMBER::@:@NUMBER::@,@NUMBER::@,@ESTRING::,@url,@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING::,@@ESTRING:s2:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@1@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@"@ESTRING:s3:/@@ESTRING:s4:"@,(@NUMBER::@),@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s5:,@
-
- @ESTRING::,@ TYPE: THREAT, SUBTYPE: url, THREAT_ID: (@NUMBER::@), ACTION: @ESTRING::,@ RULE: @ESTRING::,@ MISC: "@ESTRING:s3:/@@ESTRING:s4:"@
-
- /$s4
-
-
-
-
- 46:31,002501000259,THREAT,url,0,2012/02/21 09:46:31,192.168.1.1,208.71.123.129,0.0.0.0,0.0.0.0,USERS-Network-AllowAll-to-EXT,domain\joeschmo,,web-browsing,vsys1,Users,External,ethernet1/3,ethernet1/5,forward-syslog-to-elsa,2012/02/2109:46:30,156730,1,50836,80,0,0,0x8000,tcp,alert,"network.realmedia.com/RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75",(9999),All,informational,client-to-server,19630699,0x0,United States,United States,0,text/xml
-
- 192.168.1.1
- 208.71.123.129
- USERS-Network-AllowAll-to-EXT
- domain\joeschmo
- web-browsing
- 156730
- network.realmedia.com
- /RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75
- United States
-
-
-
-
-
-
-
-
-
-
- @NUMBER::@:@NUMBER::@,@ESTRING::TRAFFIC,@@ESTRING:s5:,@@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@@ESTRING:i3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i4:,@@ESTRING::,@@ESTRING:i5:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@
-
- @ESTRING::,@ TYPE: TRAFFIC, SUBTYPE: @ESTRING:s5:,@ RULE: @ESTRING::,@ ACTION: @ESTRING::,@ INBOUND_INTERFACE: @ESTRING:s2:,@ FROM_ZONE: @ESTRING:s0:,@ SOURCE_USER: @ESTRING::,@ SOURCE_IP: @ESTRING:i0:,@ NAT_SOURCE_IP: @ESTRING::,@ SOURCE_PORT: @ESTRING:i2:,@ OUTBOUND_INTERFACE: @ESTRING:s3:,@ TO_ZONE: @ESTRING:s1:,@ DESTINATION_USER: @ESTRING::,@ DESTINATION_IP: @ESTRING:i1:,@ DESTINATION_PORT: @ESTRING:i3:,@ DESTINATION_LOCATION: @ESTRING:s4:,@ CATEGORY: @ESTRING:s5:,@ PROTOCOL: @ESTRING:i4:,@ APPLICATION: @ESTRING::,@ ELAPSED_TIME: @ESTRING::,@ BYTES: @ESTRING:i5:,@ BYTES_RECEIVED: @ESTRING::,@ BYTES_SENT: @ESTRING::,@ TOTAL_PACKETS: @ESTRING::,@ PACKETS_RECEIVED: @ESTRING::,@ PACKETS_SENT: @ESTRING::,@ REPEAT_COUNT_5sec:
-
-
-
- 46:31,002501000259,TRAFFIC,end,0,2012/02/21 09:46:31,10.10.10.10,192.168.1.1,0.0.0.0,0.0.0.0,ALL-http-https-to-BASTION,,,web-browsing,vsys1,External,Bastion,ethernet1/5,ethernet1/2,forward-syslog-to-elsa,2012/02/21 09:46:30,632179,1,4074,80,0,0,0x0,tcp,allow,2986,1493,1493,19,2012/02/21 09:45:57,31,not-resolved,0,453403179,0x0,United States,United States,0,10,9
-
- 10.10.10.10
- 192.168.1.1
- External
- Bastion
- ethernet1/5
- ethernet1/2
- 4074
- 80
- tcp
- 2986
- United States
- end
-
-
-
-
-
-
-
-
-
-
- @NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@@ESTRING::Account Name@@ESTRING::Account Name@: @ESTRING:s1: @@ESTRING::Account Domain@: @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@
-
- $pdb_extracted_program
-
-
-
-
- 2013 Jan 18 20:25:08 (host.example.com) 172.20.0.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: myuser: MYDOMAIN: MYDOMAIN-DC-1.example.com: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: MYDOMAIN-DC-1$ Account Domain: MYDOMAIN Logon ID: 0x3e7 Logon Type: 3 New Logon: Security ID: S-1-5-21-3113823999-9998615402-9997257512-9966 Account Name: myuser Account Domain: MYDOMAIN Logon ID: 0x2339f787 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\\Windows\\System32\\lsass.exe Network Information: Workstation Name: MYDOMAIN-DC-1 Source Network Address: 172.24.248.117 Source Port: 54265 Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
-
- 4624
- myuser
- MYDOMAIN
- 172.24.248.117
-
-
-
-
-
-
- @NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@
-
- $pdb_extracted_program
-
-
-
-
- 2012 Feb 20 09:04:41 (serverb) 123.123.40.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: bgreen@DOM1.A.COM: DOM1.A.COM: serverb.dom1.a.com: A Kerberos service ticket was requested. Account Information: Account Name: bgreen@DOM1.A.COM Account Domain: DOM1.A.COM Logon GUID: {CBB22EBF-4367-CB43-E5AC-2A8C13FD9641} Service Information: Service Name: SERVERC$ Service ID: S-1-5-21-117536760-2556423787-3220343774-160533 Network Information:Client Address: ::ffff:123.123.39.33 Client Port: 62513 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
-
- 4769
- Security
- 123.123.40.23
-
-
-
-
-
-
-
- from
-
-
-
- @IPv4:pdb_extracted_sourceip:@: scan[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@
-
-
-
- 192.168.1.10: scan[8077]: UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM
-
- 10.37.80.102
- sender@example.com
- recipient@example.com
- 0
- 0
- -
- Service - Flow Capture (inside)|status.example.com|PROBLEM
- 192.168.1.10
-
-
-
-
-
-
- @IPv4:pdb_extracted_sourceip:@: inbound/pass@NUMBER::@[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@
-
-
-
- 192.168.1.10: inbound/pass1[22443]: host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13
-
- 8.7.24.13
- test@test.com
- test1@test.ca
- 2
- 62
- 8.7.24.13
- 192.168.1.10
-
-
-
-
-
-
- @IPv4:pdb_extracted_sourceip:@: outbound/smtp[@NUMBER::@]: @IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@
-
-
-
- 192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 <0be658c5d60e4a0ea51a0a4745d6115e@mail.ca> Queued mail for delivery
-
- 127.0.0.1
- Queued mail for delivery
- 1
- 192.168.1.10
-
-
-
-
-
-
-
- scan
-
-
-
- @ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@
-
-
-
- UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM
-
- 10.37.80.102
- sender@example.com
- recipient@example.com
- 0
- 0
- -
- Service - Flow Capture (inside)|status.example.com|PROBLEM
-
-
-
-
-
-
-
- inbound
-
-
-
- @ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@
-
-
-
- host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13
-
- 8.7.24.13
- test@test.com
- test1@test.ca
- 2
- 62
- 8.7.24.13
-
-
-
-
-
-
-
- outbound
-
-
-
- @IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@
-
-
-
- 192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 <0be658c5d60e4a0ea51a0a4745d6115e@mail.ca> Queued mail for delivery
-
- 127.0.0.1
- Queued mail for delivery
- 1
-
-
-
-
-
-
-
- exchmtlog
-
-
-
- @ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING::,@@ESTRING:s1:,@@ESTRING::,@@ESTRING::,@STOREDRIVER,DELIVER,@NUMBER::@,@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@
-
-
-
- 2012-03-16T17:13:16.475Z,,servername,,casservername,,,STOREDRIVER,DELIVER,23065261,sender@some.org,recipient@other.org,,156558,1,,,TEST MESSAGE SUBJECT,sender@some.org,sender@some.org,2012-03-16T17:13:16.147Z
- servername
- casservername
- sender@some.org
- recipient@other.org
- TEST MESSAGE SUBJECT
-
-
-
-
-
-
- novell_logs_
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:username:|@@ESTRING:i1:|@@ESTRING:s1:|@@ESTRING:s0:|@@ESTRING::|@"@ESTRING:s2:"@|"@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i3:|@@ESTRING:i5:|@"@ESTRING:s4:"@|@ESTRING::|@"@ESTRING:s3:"@
-
-
-
- 2012-04-06|15:57:49|10.124.19.11|-|10.0.59.189|dev.mail.example.com|GET|"https://dev.mail.example.com:443/owa/auth/preload.htm"|"/owa/auth/preload.htm"|""|HTTP/1.1|200|"In Cache, Fresh"|550|"1527"|Success|2077|916|0.000|"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)"|"ASPSESSIONIDSSDSDRTA=JPNHAEECMAIOIDMIHNPJGOKE; ASPSESSIONIDSQDSCQSA=FGPFCJECCJAGBFBHLPHPKMPD"|"https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&reason=0&replaceCurrent=1"|""|1|-|-|""|""|""|""|""|""
- 10.124.19.11
- 10.0.59.189
- GET
- dev.mail.example.com
- /owa/auth/preload.htm
- https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&reason=0&replaceCurrent=1
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)
- 200
- 916
- 0.000
-
-
-
-
-
-
- Security-Auditing
-
-
-
- @ESTRING:: @The Windows Filtering Platform has @ESTRING:: @a connection. Application Information: Process ID: @ESTRING:: @Application Name: @ESTRING:: @Network Information: Direction: @ESTRING:: @Source Address: @IPv4:i1@ Source Port: @NUMBER:i2:@ Destination Address: @IPv4:i3:@ Destination Port: @NUMBER:i4:@ Protocol: @NUMBER:i0:@ Filter Information: Filter Run-Time ID: @ESTRING:: @Layer Name: @ESTRING:: @Layer Run-Time ID: @NUMBER::@
-
-
-
- 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1924 Application Name: \device\harddiskvolume1\users\admin\appdata\local\dude\win.exe Network Information: Direction: Outbound Source Address: 1.1.1.1 Source Port: 1234 Destination Address: 2.2.2.2 Destination Port: 4567 Protocol: 17 Filter Information: Filter Run-Time ID: 70078 Layer Name: Connect Layer Run-Time ID: 48
-
- 1.1.1.1
-
- 1234
-
- 2.2.2.2
-
- 4567
-
- 17
-
-
-
-
-
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:::@@ESTRING:i2:|@@ESTRING:i3::@@ESTRING:i4:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@
-
-
-
- BOB|2012-07-05|15:05:11|TCP|123.123.123.222:40521|123.123.123.111:443|123.123.111.111|Local Host|Internal|Establish|0x0|-|HTTPS|0|0|0|0|-|-|-|-|4|1874698|-|-|::|-|1048575|-
-
- TCP
-
- 123.123.111.111
-
- 40521
-
- 123.123.123.111
-
- 443
-
- Local Host
-
- Internal
-
-
-
-
-
-
-
- ISAFWSLog
-
-
-
-
- @ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING:i2:|@
- @ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@
-
-
-
- 1.1.1.1|domainname\username|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)|2012-08-27|18:59:49|MAD00GS6|2.2.2.2|2.2.2.2|80|http|GET|http://search.twitter.com/search.json?q=hp%2520dell%2520problems&since_id=240160211699122180&callback=twitter._queue_callback&result_type=mixed|200|Internet Access to Users|Req ID: 1f449904 |Internal|External|0x480|Allowed|-
- 1.1.1.1
- 2.2.2.2
- GET
- search.twitter.com
- search.json?q=hp%2520dell%2520problems&since_id=240160211699122180&callback=twitter._queue_callback&result_type=mixed
-
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
-
- 200
-
-
-
-
-
-
-
-
- %SEC-
-
-
- list @ESTRING:s2: @denied @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@
-
-
- list FILTER-INTERNET-IN denied tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet
- FILTER-INTERNET-IN
- tcp
- 1.2.3.4
- 53420
- 5.6.7.8
- 23
-
-
-
-
-
-
- list @ESTRING:s2: @permitted @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@
-
-
- list FILTER-INTERNET-IN permitted tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet
- FILTER-INTERNET-IN
- tcp
- 1.2.3.4
- 53420
- 5.6.7.8
- 23
-
-
-
-
-
-
-
-
- CEF:@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@NUMBER:i0:@|@ANYSTRING:s5:@
-
-
- CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
- 10
- security
- threatmanager
- 1.0
- 100
- worm successfully stopped
- src=10.0.0.1 dst=2.1.2.2 spt=1232
-
-
-
-
-
-
- firewall
-
-
- Deny @ESTRING:s0: @@ESTRING:s1: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @
-
-
- Deny 0-External Firebox 1340 tcp 20 56 74.125.225.143 10.0.1.1 443 3449 offset 5 A 451109382 win 257 (Unhandled External Packet-00)
- tcp
- 74.125.225.143
- 443
- 10.0.1.1
- 3449
- 0-External
- Firebox
-
-
-
-
- Allow @ESTRING:s1: @@ESTRING:s0: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @
-
-
- Allow 1-Trusted 0-External 52 tcp 20 127 192.168.1.31 96.60.118.121 55185 8005 offset 8 S 1125590318 win 32 (ATSBDR-00)
- tcp
- 192.168.1.31
- 55185
- 96.60.118.121
- 8005
- 0-External
- 1-Trusted
-
-
-
-
-
-
- http-proxy
-
-
- Deny @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@
-
-
- Deny 1-Trusted 0-External tcp 192.168.1.17 23.21.13.155 62115 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="" dstname="23.21.13.155" arg="" sent_bytes="1" rcvd_bytes="0" (HTTP-proxy-ExceptLunch-00)
- 192.168.1.17
- 23.21.13.155
- 0
-
- 23.21.13.155
-
-
-
-
-
- Allow @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@
-
-
- Allow 1-Trusted 0-External tcp 192.168.1.22 74.125.142.95 2597 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="GET" dstname="ajax.googleapis.com" arg="/ajax/libs/jquery/1.5/jquery.min.js" sent_bytes="363" rcvd_bytes="30368" (HTTP-proxy-ExceptLunch-00)
- 192.168.1.22
- 74.125.142.95
- 30368
- GET
- ajax.googleapis.com
- /ajax/libs/jquery/1.5/jquery.min.js
-
-
-
-
-
-
- auditd
-
-
- date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@
- date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@
- date@ESTRING::type=@t_attack@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@@ESTRING::protocol=@@NUMBER:i0:@@ESTRING::dstip=@@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@
- date@ESTRING::type=@t_netprobe@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,protocol=@NUMBER:i0:@,interface=@ESTRING:s0:,@
-
-
- date="Oct 1 16:24:57 2012 UTC",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=localhost,event=IP Filter session open,rule_name=myrule-out,srcip=1.1.1.1,srcport=1,srcburb=internal2,dstip=2.2.2.2,dstport=2,dstburb=external1,protocol=6,netsessid=5069c3d9000c7831
- 6
- 1.1.1.1
- 1
- 2.2.2.2
- 2
- external1
- internal2
-
-
-
-
- date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@
- date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@
- date@ESTRING::event=@IP Filter session close@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@
- date@ESTRING::event=@IP Filter session timeout@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@
-
-
- date="Oct 1 16:24:57 2012 UTC",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=28529,ruid=0,euid=0,pgid=28529,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=localhost,event=proxy traffic end,service_name=http,netsessid=5069c3d9000ab8ce,srcip=1.1.1.1,srcport=1,srcburb=internal2,protocol=6,dstip=2.2.2.2,dstport=2,dstburb=external1,bytes_written_to_client=1297,bytes_written_to_server=421,rule_name=www.isa.webproxy,cache_hit=0,request_status=0,start_time="Mon Oct 1 11:24:57 2012"
- 6
- 1.1.1.1
- 1
- 2.2.2.2
- 2
- external1
- internal2
- 1297
-
-
-
-
-
-
-
-
-
- vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @@ESTRING:://@@ESTRING::/@@ANYSTRING:s2:@
- vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @
-
- /$s2
-
-
-
- vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com/index.html
- 10.64.134.74
- 74.125.224.53
- 200
- -
- mail.google.com
- /index.html
- 1034
- Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23
- permitted
-
-
-
-
-
-
-
-
-
- @IPv4:i0@ - @ESTRING:s0: @@ESTRING::"@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:"@ @NUMBER:i2:@ @ESTRING:s5: @@QSTRING:s3:"@
-
- /$s2
-
-
-
- 1.1.1.1 - username [03/Oct/2012:06:52:51 +0100] "GET http://a.nice.url/some/uri?parameters=go&in=here" 200 ALLOW "Blogs/Wiki, Entertainment"
- 1.1.1.1
- 200
- username
- a.nice.url
- /some/uri?parameters=go&in=here
- Blogs/Wiki, Entertainment
- ALLOW
-
-
-
-
-
-
- netflow_syslog
-
-
-
- @ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ANYSTRING:s5:@
- @ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@
- @ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@
-
-
-
- tcp|192.85.128.47|35843|1.1.1.1|443|30486|2173|US|Palo Alto, CA|37.376202|-122.182602|HPES - Hewlett-Packard Company
-
- tcp
- 192.85.128.47
- 35843
- 1.1.1.1
- 443
- 30486
- 2173
- US
- Palo Alto, CA
- 37.376202
- -122.182602
- HPES - Hewlett-Packard Company
-
-
-
-
-
-
-
- BIND
-
-
-
- @ESTRING::client @@ESTRING:i0:#@@NUMBER::@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@
- @ESTRING::client @@ESTRING:i0:#@@NUMBER::@ (@ESTRING::)@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@
-
-
-
- 02-Nov-2012 15:49:58.516 queries: info: client 198.211.94.24#55557: query: 174.2.219.178.in-addr.arpa IN PTR + (198.211.94.23)
-
- 198.211.94.24
- 174.2.219.178.in-addr.arpa
- PTR
- 198.211.94.23
-
-
-
- 02-Nov-2012 16:01:27.731 client 10.10.10.185#49999 (10.10.10.185): query: p.twitter.com IN A + (10.10.210.210)
-
- 10.10.10.185
- p.twitter.com
- A
- 10.10.210.210
-
-
-
-
-
-
-
- IISWebLog
-
- @ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i1:@ @ESTRING:s0: @@ESTRING:s2: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s4: @@ESTRING:: @@ESTRING:s3: @@ESTRING:s1: @@NUMBER:i2:@ @NUMBER::@ @NUMBER::@ @NUMBER:i3:@ @NUMBER::@ @NUMBER:i5:@
-
-
- 2012-12-13 13:39:16 W3SVC1 MYSERVERNAME 1.1.1.1 GET / - 80 - 2.2.2.2 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11 - - www.fqdn.of.website.from.host.header.com 301 0 0 401 408 453
-
- 2.2.2.2
- 1.1.1.1
- 301
- 401
- 453
- GET
- www.fqdn.of.website.from.host.header.com
- /
- -
- Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11
-
-
-
-
-
-
-
- kernel-
-
-
-
- @QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
-
-
-
- [100100.226323] [WEB_IN-default-R]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.105 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=16822 PROTO=TCP SPT=51425 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
- eth1
- eth0
- WEB_IN-default
- TCP
- 172.31.254.28
- 51425
- 172.31.253.105
- 23
-
-
- [382188.344294] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.109 LEN=44 TOS=0x00 PREC=0x00 TTL=45 ID=55452 PROTO=TCP SPT=51809 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
- eth1
- eth0
- WEB_IN-default
- TCP
- 172.31.254.28
- 51809
- 172.31.253.109
- 80
-
-
- [387123.927635] [WEB_IN-8-D] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.103 LEN=28 TOS=0x00 PREC=0x00 TTL=47 ID=49372 PROTO=ICMP TYPE=8 CODE=0 ID=5799 SEQ=0
- eth1
- eth0
- WEB_IN-8
- ICMP
- 172.31.254.28
-
- 172.31.253.103
-
-
-
- [466981.095849] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.106 LEN=20 TOS=0x00 PREC=0x00 TTL=44 ID=39983 PROTO=135
- eth1
- eth0
- WEB_IN-default
- 135
- 172.31.254.28
-
- 172.31.253.106
-
-
-
- [451134.428328] [WEB_IN-9-R] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.107 LEN=20 TOS=0x00 PREC=0x00 TTL=37 ID=12252 PROTO=ESP INCOMPLETE [0 bytes]
- eth1
- eth0
- WEB_IN-9
- ESP
- 172.31.254.28
-
- 172.31.253.107
-
-
-
-
-
-
-
-
- @QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
-
-
-
- [88829.069484] [WEB_IN-7-A] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.102 LEN=44 TOS=0x00 PREC=0x00 TTL=46 ID=22533 PROTO=TCP SPT=59995 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
- eth1
- eth0
- WEB_IN-7
- TCP
- 172.31.254.28
- 59995
- 172.31.253.102
- 3306
-
-
-
-
-
-
- ossec
-
-
- Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ Location: @ESTRING:s1:-@@ESTRING::;@ user: @ESTRING:s2:;@
-
-
- Alert Level: 4; Rule: 18105 - Windows audit failure event.; Location: %SERVER.DOMAIN.LOCAL%->/var/log/ossec_in; user: %USERNAME%; Jan 12 13:51:34 %SERVER.DOMAIN.LOCAL% MSWinEventLog|1|Security|3151378|Sat Jan 12 13:51:32 2013|4776|Microsoft-Windows-Security-Auditing|%USERNAME%|N/A|Failure Audit|%SERVER.DOMAIN.LOCAL%|None||The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: %USERNAME% Source Workstation: %WORKSTATION_NAME% Error Code: 0xc0000064|3147595
- 4
- 18105
- Windows audit failure event.
- %SERVER.DOMAIN.LOCAL%
- %USERNAME%
-
-
-
-
-
-
-
-
-
- NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:s2: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Deny sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @
-
-
-
- NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied
- 6
- IN
- 192.168.0.1
- OUT
- 51271
- 192.168.1.1
- 80
-
-
-
-
-
-
-
- NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:s2: @policy_id=@ESTRING:: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Permit sent=@ESTRING:: @rcvd=@ESTRING:i5: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @
-
-
-
- NetScreen device_id=fwgate-1 [Root]system-notification-00257(traffic): start_time="2013-02-14 15:37:46" duration=2 policy_id=8 service=tcp/port:10050 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=379 rcvd=377 src=192.168.1.XX dst=192.168.XXX.XXX src_port=36033 dst_port=10050 src-xlated ip=192.168.XX.XX port=36033 dst-xlated ip=192.168.XXX.XXX port=10050 session_id=253315 reason=Close - TCP FIN
- 6
- 192.168.1.XX
- 36033
- 192.168.XXX.XXX
- 10050
- 377
- DMZ
- Trust
- 2
-
-
-
-
-
-
-
-
-
- src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @sport=@ESTRING:i2: @dport=@ESTRING:i4: @
- src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @
-
-
-
- src=192.168.1.65 dst=192.168.2.8 ipprot=17 sport=7547 dport=3478 Drop traffic to 192.168.0.0/16
- 17
- 192.168.1.65
- 7547
- 192.168.2.8
- 3478
-
-
- src=192.168.2.8 dst=192.168.1.72 ipprot=17 (layer 4 info unknown) Unknown inbound session stopped
- 17
- 192.168.2.8
- 192.168.1.72
-
-
-
-
-
-
-
- url
-
-
-
- @ESTRING:: @@ESTRING:: @@NUMBER:i5:@ @IPv4:i0:@ @NUMBER:i2:@ @ESTRING:: @@NUMBER::@ @NUMBER:i3:@ @ESTRING:s0: @@ESTRING:: @@ESTRING:s1: @@ESTRING:: @@ESTRING:s2_a: @@ESTRING:s2_b: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s4: @@ESTRING:s5: @
- 20@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:i0: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s1: @
-
-
- $s2_a$s2_b
-
-
-
-
-
- dhcpd
-
-
-
-
- DHCPDISCOVER from @ESTRING:s0: @via @ESTRING:i0::@
- bind update on @ESTRING:i0: @from @ESTRING:s1:(@@NUMBER::@)
- Forward map from @ESTRING:s2: @to @ESTRING:i0: @
- Abandoning IP address @ESTRING:i0::@
- Reclaiming abandoned lease @IPvANY:i0:@
- client @ESTRING:i0:#@@NUMBER::@: update forwarding '@ESTRING:s1:/@
- DNS format error from @ESTRING:i1:#@@NUMBER:i2:@ resolving
- DHCPACK on @ESTRING:i0: @to @ESTRING:s0: @(@ESTRING:s2:)@
-
-
-
- DHCPDISCOVER from aa:aa:aa:aa:aa:aa via 10.1.52.31: peer holds all free leases
- aa:aa:aa:aa:aa:aa
- 10.1.52.31
-
-
- bind update on 1.1.1.1 from corp-test(1368109376) rejected: incoming update is less critical than outgoing update
- 1.1.1.1
- corp-test
-
-
- Forward map from host.test.com to 1.1.1.1 FAILED: Has an address record but no DHCID, not mine.
- 1.1.1.1
- host.test.com
-
-
- Abandoning IP address 1.1.1.1: pinged before offer
- 1.1.1.1
-
-
- Reclaiming abandoned lease 10.1.52.207.
- 10.1.52.207
-
-
- client 1.1.1.1#64919: update forwarding 'test.com/IN' denied
- 1.1.1.1
- test.com
-
-
- DHCPACK on 192.168.208.64 to aa:aa:aa:aa:aa:aa (JT-Mac) via 192.168.208.8
- 192.168.208.64
- aa:aa:aa:aa:aa:aa
- JT-Mac
-
-
-
-
-
-
- fenotify
-
-
-
- @ESTRING::cnchost=@@ESTRING:i0:,@alertType=@ESTRING:s0:,@shost=@ESTRING:s1:,@dst=@ESTRING:i1:,@@ESTRING::sname=@@ESTRING:s2:,@fileHash=@ESTRING:s3:,@@ESTRING::occurred=@@ESTRING:i2:,@@ESTRING::cncport=@@ESTRING:i3:,@src=@ESTRING:i4:,@dpt=@ESTRING:i5:,@
-
-
-
- CSV:0:FireEye:Web MPS:7.0.0.138133:IM:infection-match,osinfo=,sev=minr,malware_type=,alertid=16232,app=,spt=2791,locations=,smac=c4:7d:4f:ef:e0:03,header=,cnchost=127.0.0.1,alertType=infection-match,shost=thegibson.domain.com,dst=127.0.0.1,original_name=,application=,sid=504606,malware-note=,objurl=,mwurl=,profile=,dmac=00:0a:42:f4:94:00,product=Web MPS,sname=Local.Infection,fileHash=351f1dc4e958975661f02c86a485431e,dvchost=,occurred=2013-01-14T16:58:18Z,release=7.0.0.138133,link=,cncport=80,src=10.10.10.10,dpt=80,anomaly=,dvc=,channel=,action=notified,os=,stype=bot-command,
- infection-match
- thegibson.domain.com
- Local.Infection
- 351f1dc4e958975661f02c86a485431e
- bot-command
- 127.0.0.1
- 127.0.0.1
- 2013-01-14T16:58:18Z
- 80
- 10.10.10.10
- 80
-
-
-
-
-
-
- bro_ftp
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s0:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1360158824.989266|B6a0lYqUPm4|10.1.10.64|2504|10.2.20.40|21|redcell|hidden|RETR|ftp://10.2.20.40/./bandook.exe|-|-|-|-|-|-|-
-
- B6a0lYqUPm4
-
- 10.1.10.64
-
- 2504
-
- 10.2.20.40
-
- 21
-
- redcell
-
- hidden
-
- RETR
-
- ftp://10.2.20.40/./bandook.exe
-
-
-
-
-
-
- bro_weird
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s3:|@
-
-
-
- 1351197195.607686|mHKKLqyI4mf|192.168.1.12|137|192.168.1.13|137|DNS_label_len_gt_pkt|-|F|bro
-
- mHKKLqyI4mf
-
- 192.168.1.12
-
- 137
-
- 192.168.1.13
-
- 137
-
- DNS_label_len_gt_pkt
-
-
-
-
-
-
- bro_tunnel
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1360153388.439863|FIRbnuXCRqh|70.55.213.211|0|192.88.99.1|0|Tunnel::IP|Tunnel::DISCOVER
-
- FIRbnuXCRqh
-
- 70.55.213.211
-
- 0
-
- 192.88.99.1
-
- 0
-
- Tunnel::IP
-
- Tunnel::DISCOVER
-
-
-
-
-
-
- bro_software
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s2:@
-
-
-
- 1360157307.572112|10.1.50.5|-|HTTP::BROWSER|MSIE|5|1|-|-|Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
-
- 10.1.50.5
-
- -
-
- HTTP::BROWSER
-
- MSIE
-
- 5
-
- 1
-
- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
-
-
-
-
-
-
- bro_ssh
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:i4:|@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1360157311.364242|YDPUHZNdL05|10.2.199.248|41392|10.1.40.1|22|failure|OUTBOUND|-|SSH-2.0-Cisco-1.25|1119|-|-|-|-|-
-
- YDPUHZNdL05
-
- 10.2.199.248
-
- 41392
-
- 10.1.40.1
-
- 22
-
- failure
-
- OUTBOUND
-
- -
-
- SSH-2.0-Cisco-1.25
-
- 1119
-
-
-
-
-
-
- bro_syslog
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ANYSTRING:s3:@
-
-
-
-
- 1375571619.507641|QMOWsHjZqde|192.168.1.1|514|192.168.1.116|514|udp|LOCAL0|INFO|Aug 3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55) 192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)
-
- QMOWsHjZqde
-
- 192.168.1.1
-
- 514
-
- 192.168.1.116
-
- 514
-
- udp
-
- LOCAL0
-
- INFO
-
- Aug 3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55) 192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)
-
-
-
-
-
-
- bro_irc
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ANYSTRING:s1:@
-
-
-
-
- 1352413490.163439|FB2AqwMeEy4|192.168.1.12|1045|212.48.121.249|5050|NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-
-
- FB2AqwMeEy4
-
- 192.168.1.12
-
- 1045
-
- 212.48.121.249
-
- 5050
-
- NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-
-
-
-
-
-
-
- bro_known_cert
-
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@@ESTRING::emailAddress=@@ESTRING:s3:,@
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@
-
-
-
-
- 1360154644.236015|10.2.20.60|443|emailAddress=webmaster@dox.site,CN=dox.site,OU=web server,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|emailAddress=webmaster@dox.site,CN=dox.site,OU=CA,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|02
-
- 10.2.20.60
-
- 443
-
- dox.site
-
- web server
-
- SuSE Linux Web Server
-
- webmaster@dox.site
-
-
-
-
-
-
- bro_known_hosts
-
-
-
-
- @ESTRING::|@@ESTRING:i0:@
-
-
-
-
- 1360154565.568704|192.168.3.35
-
- 192.168.3.35
-
-
-
-
-
-
- bro_known_services
-
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:s0:@
-
-
-
-
- 1360154567.821951|192.168.10.100|2869|tcp|HTTP
-
- 192.168.10.100
-
- 2869
-
- tcp
-
- HTTP
-
-
-
-
-
-
- bro_capture_loss
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s1:@
-
-
-
-
- 1377263179.538810|900.000092|so12-eth1-1|0|3991|0.000%
-
- so12-eth1-1
-
- 0
-
- 3991
-
- 0.000%
-
-
-
-
-
-
diff --git a/salt/syslog-ng/files/syslog-ng.conf b/salt/syslog-ng/files/syslog-ng.conf
deleted file mode 100644
index 7b1601f02..000000000
--- a/salt/syslog-ng/files/syslog-ng.conf
+++ /dev/null
@@ -1,243 +0,0 @@
-@version: 3.5
-source s_syslog { unix-dgram("/dev/log"); };
-
-source s_network {
- tcp();
- udp();
-};
-
-parser p_db {
- db-parser(file("/opt/so/conf/syslog-ng/patterndb.xml"));
-};
-
-filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_snort { match('snort:' value("MSGHDR")); };
-filter f_bro_headers { message("^#") };
-
-rewrite r_cisco_program {
- set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
- set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
-};
-
-rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
-rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global) condition(program("bro_*" type(glob)))); };
-rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
-rewrite r_host { set("$SOURCEIP", value("HOST")); };
-rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };
-
-template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };
-
-source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
-source s_bro_http {
- file("/nsm/bro/logs/current/http_eth1.log" flags(no-parse) program_override("bro_http"));
-
-};
-source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
-source s_bro_files { file("/nsm/bro/logs/current/files.log" flags(no-parse) program_override("bro_files")); };
-source s_bro_dhcp { file("/nsm/bro/logs/current/dhcp.log" flags(no-parse) program_override("bro_dhcp")); };
-source s_bro_weird { file("/nsm/bro/logs/current/weird.log" flags(no-parse) program_override("bro_weird")); };
-source s_bro_tunnels { file("/nsm/bro/logs/current/tunnel.log" flags(no-parse) program_override("bro_tunnels")); };
-source s_bro_syslog { file("/nsm/bro/logs/current/syslog.log" flags(no-parse) program_override("bro_syslog")); };
-source s_bro_ftp { file("/nsm/bro/logs/current/ftp.log" flags(no-parse) program_override("bro_ftp")); };
-source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
-source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
-source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
-source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
-source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
-source s_bro_software { file("/nsm/bro/logs/current/software.log" flags(no-parse) program_override("bro_software")); };
-source s_bro_irc { file("/nsm/bro/logs/current/irc.log" flags(no-parse) program_override("bro_irc")); };
-source s_bro_ssh { file("/nsm/bro/logs/current/ssh.log" flags(no-parse) program_override("bro_ssh")); };
-source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) program_override("bro_intel")); };
-source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
-source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
-source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
-source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
-source s_bro_kerberos { file("/nsm/bro/logs/current/kerberos.log" flags(no-parse) program_override("bro_kerberos")); };
-source s_bro_rdp { file("/nsm/bro/logs/current/rdp.log" flags(no-parse) program_override("bro_rdp")); };
-source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_override("bro_pe")); };
-source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
-source s_bro_smb_mapping { file("/nsm/bro/logs/current/smb_mapping.log" flags(no-parse) program_override("bro_smb_mapping")); };
-source s_bro_smb_files { file("/nsm/bro/logs/current/smb_files.log" flags(no-parse) program_override("bro_smb_files")); };
-source s_bro_ntlm { file("/nsm/bro/logs/current/ntlm.log" flags(no-parse) program_override("bro_ntlm")); };
-source s_bro_dce_rpc { file("/nsm/bro/logs/current/dce_rpc.log" flags(no-parse) program_override("bro_dce_rpc")); };
-source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
-source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
-source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
-
-destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
-destination d_logstash { tcp("logstash" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };
-
-log {
- source(s_bro_conn);
- source(s_bro_http);
- source(s_bro_dns);
- source(s_bro_weird);
- source(s_bro_tunnels);
- source(s_bro_syslog);
- source(s_bro_ftp);
- source(s_bro_files);
- source(s_bro_dhcp);
- source(s_bro_notice);
- source(s_bro_smtp);
- source(s_bro_smtp_entities);
- source(s_bro_ssl);
- source(s_bro_irc);
- source(s_bro_software);
- source(s_bro_ssh);
- source(s_bro_smb_mapping);
- source(s_bro_smb_files);
- source(s_bro_ntlm);
- source(s_bro_dce_rpc);
- source(s_bro_intel);
- source(s_bro_x509);
- source(s_bro_snmp);
- source(s_bro_radius);
- source(s_bro_mysql);
- source(s_bro_kerberos);
- source(s_bro_rdp);
- source(s_bro_pe);
- source(s_bro_sip);
- source(s_bro_modbus);
- source(s_bro_dnp3);
- source(s_bro_rfb);
- source(s_ossec);
- source(s_network);
- source(s_syslog);
- log { filter(f_bro_headers); flags(final); };
- log { destination(d_logstash); };
-};
-# Bring it all back
-#source s_src {
-# system();
-# internal();
-#};
-########################
-# Destinations
-########################
-# First some standard logfile
-#
-destination d_auth { file("/var/log/auth.log"); };
-destination d_cron { file("/var/log/cron.log"); };
-destination d_daemon { file("/var/log/daemon.log"); };
-destination d_kern { file("/var/log/kern.log"); };
-destination d_lpr { file("/var/log/lpr.log"); };
-destination d_mail { file("/var/log/mail.log"); };
-destination d_syslog { file("/var/log/syslog"); };
-destination d_user { file("/var/log/user.log"); };
-destination d_uucp { file("/var/log/uucp.log"); };
-
-# This files are the log come from the mail subsystem.
-#
-destination d_mailinfo { file("/var/log/mail/mail.info"); };
-destination d_mailwarn { file("/var/log/mail/mail.warn"); };
-destination d_mailerr { file("/var/log/mail/mail.err"); };
-
-# Logging for INN news system
-#
-destination d_newscrit { file("/var/log/news/news.crit"); };
-destination d_newserr { file("/var/log/news/news.err"); };
-destination d_newsnotice { file("/var/log/news/news.notice"); };
-
-# Some `catch-all' logfiles.
-#
-destination d_debug { file("/var/log/debug"); };
-destination d_error { file("/var/log/error"); };
-destination d_messages { file("/var/log/messages"); };
-
-# The root's console.
-#
-destination d_console { usertty("root"); };
-
-# Virtual console.
-#
-destination d_console_all { file("/dev/tty10"); };
-
-# The named pipe /dev/xconsole is for the nsole' utility. To use it,
-# you must invoke nsole' with the -file' option:
-#
-# $ xconsole -file /dev/xconsole [...]
-#
-destination d_xconsole { pipe("/dev/xconsole"); };
-
-# Send the messages to an other host
-#
-#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
-
-# Debian only
-destination d_ppp { file("/var/log/ppp.log"); };
-
-########################
-# Filters
-########################
-# Here's come the filter options. With this rules, we can set which
-# message go where.
-
-filter f_dbg { level(debug); };
-filter f_info { level(info); };
-filter f_notice { level(notice); };
-filter f_warn { level(warn); };
-filter f_err { level(err); };
-filter f_crit { level(crit .. emerg); };
-
-filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
-filter f_error { level(err .. emerg) and not filter(f_snort); };
-filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
-filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
-filter f_cron { facility(cron) and not filter(f_debug); };
-filter f_daemon { facility(daemon) and not filter(f_debug); };
-filter f_kern { facility(kern) and not filter(f_debug); };
-filter f_lpr { facility(lpr) and not filter(f_debug); };
-filter f_local { facility(local0, local1, local3, local4, local5, local6, local7) and not filter(f_debug); };
-filter f_mail { facility(mail) and not filter(f_debug); };
-filter f_news { facility(news) and not filter(f_debug); };
-filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_snort); };
-filter f_user { facility(user) and not filter(f_debug); };
-filter f_uucp { facility(uucp) and not filter(f_debug); };
-
-filter f_cnews { level(notice, err, crit) and facility(news); };
-filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
-
-filter f_ppp { facility(local2) and not filter(f_debug); };
-filter f_console { level(warn .. emerg); };
-
-########################
-# Log paths
-########################
-log { source(s_syslog); filter(f_auth); destination(d_auth); };
-log { source(s_syslog); filter(f_cron); destination(d_cron); };
-log { source(s_syslog); filter(f_daemon); destination(d_daemon); };
-log { source(s_syslog); filter(f_kern); destination(d_kern); };
-log { source(s_syslog); filter(f_lpr); destination(d_lpr); };
-log { source(s_syslog); filter(f_syslog3); destination(d_syslog); };
-log { source(s_syslog); filter(f_user); destination(d_user); };
-log { source(s_syslog); filter(f_uucp); destination(d_uucp); };
-
-log { source(s_syslog); filter(f_mail); destination(d_mail); };
-#log { source(s_syslog); filter(f_mail); filter(f_info); destination(d_mailinfo); };
-#log { source(s_syslog); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
-#log { source(s_syslog); filter(f_mail); filter(f_err); destination(d_mailerr); };
-
-log { source(s_syslog); filter(f_news); filter(f_crit); destination(d_newscrit); };
-log { source(s_syslog); filter(f_news); filter(f_err); destination(d_newserr); };
-log { source(s_syslog); filter(f_news); filter(f_notice); destination(d_newsnotice); };
-#log { source(s_syslog); filter(f_cnews); destination(d_console_all); };
-#log { source(s_syslog); filter(f_cother); destination(d_console_all); };
-
-#log { source(s_syslog); filter(f_ppp); destination(d_ppp); };
-
-log { source(s_syslog); filter(f_debug); destination(d_debug); };
-log { source(s_syslog); filter(f_error); destination(d_error); };
-log { source(s_syslog); filter(f_messages); destination(d_messages); };
-
-log { source(s_syslog); filter(f_console); destination(d_console_all); destination(d_xconsole); };
-log { source(s_syslog); filter(f_crit); destination(d_console); };
-
-# All messages send to a remote site
-#
-#log { source(s_syslog); destination(d_net); };
-
-###
-# Include all config files in /etc/syslog-ng/conf.d/
-###
diff --git a/salt/syslog-ng/init.sls b/salt/syslog-ng/init.sls
deleted file mode 100644
index bcc86d238..000000000
--- a/salt/syslog-ng/init.sls
+++ /dev/null
@@ -1,18 +0,0 @@
-# Sync the Files
-file.directory:
- - name: /opt/so/conf/syslog-ng
- - user: 939
- - group: 939
-
-# Syslog-ng Docker
-
-so-syslog-ng:
- dockerng.running:
- - image: pillaritem/so-logstash
- - hostname: syslog-ng
- - priviledged: true
- - ports:
- - 514/tcp
- - 514/udp
- - 601
- - network_mode: so-elastic-net
diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls
index 3050b97f5..fa320836e 100644
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -1,18 +1,14 @@
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-
-so-tcpreplayimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
so-tcpreplay:
docker_container.running:
- - require:
- - so-tcpreplayimage
- network_mode: "host"
- - image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}
- name: so-tcpreplay
- user: root
- interactive: True
- tty: True
-
+
{% endif %}
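Review bot: The new `image:` line takes `so-tcpreplay` from `{{ MASTER }}:5000` by a mutable tag, and the removed `docker pull --disable-content-trust=false` step was the only place in this state that asked Docker to verify a signed image. Nothing in the hunk replaces that check, so image integrity now depends on how the registry on the master is populated and on the transport to port 5000, neither of which is shown here. Consider pinning by digest, e.g. `- image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay@{{ DIGEST }}` with `DIGEST` (placeholder name) read from pillar, or add a comment saying where verification happens now. `salt['grains.get']('master')` is also called without a fallback, so a minion lacking that grain would presumably render an image reference beginning with `:5000/`. The same pattern appears in the salt/wazuh/init.sls and salt/zeek/init.sls hunks.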
diff --git a/salt/top.sls b/salt/top.sls
index efa770e29..42c26185d 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -20,7 +20,7 @@ base:
- idstools
- pcap
- suricata
- - bro
+ - zeek
- redis
- logstash
- filebeat
@@ -34,7 +34,7 @@ base:
- pcap
- suricata
{%- if BROVER != 'SURICATA' %}
- - bro
+ - zeek
{%- endif %}
- wazuh
- filebeat
@@ -46,10 +46,11 @@ base:
'G@role:so-eval':
- ca
- ssl
+ - registry
+ - master
- common
- sensoroni
- firewall
- - master
- idstools
- auth
{%- if OSQUERY != 0 %}
@@ -60,7 +61,7 @@ base:
- kibana
- pcap
- suricata
- - bro
+ - zeek
- curator
- elastalert
{%- if OSQUERY != 0 %}
@@ -92,6 +93,7 @@ base:
'G@role:so-master':
- ca
- ssl
+ - registry
- common
- sensoroni
- firewall
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 76d3fb1b4..9623c29ac 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,5 +1,6 @@
{%- set HOSTNAME = salt['grains.get']('host', '') %}
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Add ossec group
ossecgroup:
group.present:
@@ -71,15 +72,9 @@ wazuhmgrwhitelist:
- mode: 755
- template: jinja
-so-wazuhimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.4
-
so-wazuh:
docker_container.running:
- - require:
- - so-wazuhimage
- - image: docker.io/soshybridhunter/so-wazuh:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
- hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh
- detach: True
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh
new file mode 100644
index 000000000..51812edf5
--- /dev/null
+++ b/salt/zeek/cron/packetloss.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log
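Review bot: A failed `docker exec` (container stopped, `zeekctl` error) still appends a line to packetloss.log, because the last `awk` runs its `END` block on empty input and prints the three labels with empty values. No `pipefail` is set, so cron sees exit status 0 as well. Adding `set -o pipefail` after the shebang and guarding the output with `END { if (NR > 0) print ... }` would keep malformed samples out of the log and make failures visible. The appended lines also carry no timestamp, so the samples written by the cron entry in salt/zeek/init.sls cannot be placed in time from the log alone.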
diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
new file mode 100644
index 000000000..aed6bb59b
--- /dev/null
+++ b/salt/zeek/files/local.zeek
@@ -0,0 +1,120 @@
+##! Local site policy. Customize as appropriate.
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Estimate and log capture loss.
+@load misc/capture-loss
+
+# Enable logging of memory, packet and lag statistics.
+@load misc/stats
+
+# Load the scan detection script. It's disabled by default because
+# it often causes performance issues.
+#@load misc/scan
+
+# Detect traceroute being run on the network. This could possibly cause
+# performance trouble when there are a lot of traceroutes on your network.
+# Enable cautiously.
+#@load misc/detect-traceroute
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local". Refer to the software framework's documentation for more
+# information.
+@load frameworks/software/vulnerable
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+@load-sigs frameworks/signatures/detect-windows-shells
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when
+# running on live traffic. Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets
+# where the name is not part of your local DNS zone and is being hosted
+# externally. Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
+# Uncomment the following line to check each SSL certificate hash against the ICSI
+# certificate notary service; see http://notary.icsi.berkeley.edu .
+# @load protocols/ssl/notary
+
+# If you have GeoIP support built in, do some geographic detections and
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
+
+#### Network File Handling ####
+
+# Enable MD5 and SHA1 hashing for all files.
+@load frameworks/files/hash-all-files
+
+# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
+@load frameworks/files/detect-MHR
+
+# Extend email alerting to include hostnames
+@load policy/frameworks/notice/extend-email/hostnames
+
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file.
+# @load policy/protocols/conn/vlan-logging
+
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
+
+# JA3 - SSL Detection Goodness
+@load policy/ja3
+
+# HASSH
+@load policy/hassh
+
+# You can load your own intel into:
+# /opt/so/saltstack/bro/policy/intel/ on the master
+@load intel
+
+# Load a custom Bro policy
+# /opt/so/saltstack/bro/policy/custom/ on the master
+#@load custom/somebropolicy.bro
+
+# Write logs in JSON
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
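Review bot: The comments above `@load intel` and the commented-out custom policy line still point at `/opt/so/saltstack/bro/policy/...` and `custom/somebropolicy.bro`, while this commit ships the policies from `salt://zeek/policy`. If the directory on the master was renamed along with the state (not visible in this file), the comments should read `# /opt/so/saltstack/zeek/policy/intel/ on the master` and `#@load custom/somezeekpolicy.zeek`. Separately, `@load frameworks/files/detect-MHR` combined with `hash-all-files` looks up file hashes against an external service. A one-line comment saying that hashes leave the sensor would help operators of isolated networks decide whether to keep it enabled.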
diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg
new file mode 100644
index 000000000..6f9608113
--- /dev/null
+++ b/salt/zeek/files/node.cfg
@@ -0,0 +1,47 @@
+{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %}
+{%- if salt['pillar.get']('sensor:bro_proxies') %}
+ {%- set proxies = salt['pillar.get']('sensor:bro_proxies', '1') %}
+{%- else %}
+ {%- if salt['pillar.get']('sensor:bro_pins') %}
+ {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %}
+ {%- else %}
+ {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %}
+ {%- endif %}
+{%- endif %}
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ interface }}
+lb_method=custom
+
+{%- if salt['pillar.get']('sensor:bro_lbprocs') %}
+lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }}
+{%- else %}
+lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }}
+{%- endif %}
+{%- if salt['pillar.get']('sensor:bro_pins') %}
+pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }}
+{%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size=128*1024*1024
+{%- else %}
+[brosa]
+type=standalone
+host=localhost
+interface={{ interface }}
+{%- endif %}
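Review bot: The `proxies` value computed at the top of the cluster branch is never used: the template always emits exactly one `[proxy]` section, so `sensor:bro_proxies` and the one-per-ten-workers calculation have no effect. Either drop the computation or wrap the section as `{%- for n in range(proxies|int) %}` / `[proxy-{{ n + 1 }}]` / `{%- endfor %}`. The division `salt['pillar.get']('sensor:bro_lbprocs')/10` also assumes a numeric pillar, while the `lb_procs=` line gives the same key the string default `'1'`; applying `|int` before dividing would cover a quoted pillar value. The standalone section is still named `[brosa]`.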
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
new file mode 100644
index 000000000..90c07c7ea
--- /dev/null
+++ b/salt/zeek/init.sls
@@ -0,0 +1,118 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+# Zeek Salt State
+# Add Zeek group
+zeekgroup:
+ group.present:
+ - name: zeek
+ - gid: 937
+
+# Add Zeek User
+zeek:
+ user.present:
+ - uid: 937
+ - gid: 937
+ - home: /home/zeek
+
+# Create some directories
+zeekpolicydir:
+ file.directory:
+ - name: /opt/so/conf/zeek/policy
+ - user: 937
+ - group: 939
+ - makedirs: True
+
+# Zeek Log Directory
+zeeklogdir:
+ file.directory:
+ - name: /nsm/zeek/logs
+ - user: 937
+ - group: 939
+ - makedirs: True
+
+# Zeek Spool Directory
+zeekspooldir:
+ file.directory:
+ - name: /nsm/zeek/spool/manager
+ - user: 937
+ - makedirs: true
+
+# Zeek extracted
+zeekextractdir:
+ file.directory:
+ - name: /nsm/zeek/extracted
+ - user: 937
+ - group: 939
+ - makedirs: True
+
+zeeksfafincompletedir:
+ file.directory:
+ - name: /nsm/faf/files/incomplete
+ - user: 937
+ - makedirs: true
+
+zeeksfafcompletedir:
+ file.directory:
+ - name: /nsm/faf/files/complete
+ - user: 937
+ - makedirs: true
+
+# Sync the policies
+zeekpolicysync:
+ file.recurse:
+ - name: /opt/so/conf/zeek/policy
+ - source: salt://zeek/policy
+ - user: 937
+ - group: 939
+ - template: jinja
+
+# Sync node.cfg
+nodecfgsync:
+ file.managed:
+ - name: /opt/so/conf/zeek/node.cfg
+ - source: salt://zeek/files/node.cfg
+ - user: 937
+ - group: 939
+ - template: jinja
+
+plcronscript:
+ file.managed:
+ - name: /usr/local/bin/packetloss.sh
+ - source: salt://zeek/cron/packetloss.sh
+ - mode: 755
+
+/usr/local/bin/packetloss.sh:
+ cron.present:
+ - user: root
+ - minute: '*/10'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
+localzeeksync:
+ file.managed:
+ - name: /opt/so/conf/zeek/local.zeek
+ - source: salt://zeek/files/local.zeek
+ - user: 937
+ - group: 939
+ - template: jinja
+
+so-zeek:
+ docker_container.running:
+ - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:HH{{ VERSION }}
+ - privileged: True
+ - binds:
+ - /nsm/zeek/logs:/nsm/zeek/logs:rw
+ - /nsm/zeek/spool:/nsm/zeek/spool:rw
+ - /nsm/zeek/extracted:/nsm/zeek/extracted:rw
+ - /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
+ - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
+ - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
+ - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
+ - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
+ - network_mode: host
+ - watch:
+ - file: /opt/so/conf/zeek/local.zeek
+ - file: /opt/so/conf/zeek/node.cfg
+ - file: /opt/so/conf/zeek/policy
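Review bot: `so-zeek` runs with `- privileged: True` on the host network, which hands the container every capability and access to host devices; packet capture usually needs far less. Consider replacing it with `- cap_add:` listing `- NET_ADMIN` and `- NET_RAW`, after confirming Zeek and the AF_PACKET plugin start with that set. The `watch` entry `file: /opt/so/conf/zeek/policy` matches the `name` of both `zeekpolicydir` and `zeekpolicysync`, so referencing the state ID (`- file: zeekpolicysync`) would make the restart trigger unambiguous. The binds for `policy/custom` and `policy/securityonion` depend on `salt://zeek/policy` containing those directories, which this hunk does not show.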
diff --git a/salt/zeek/policy/intel/__load__.zeek b/salt/zeek/policy/intel/__load__.zeek
new file mode 100644
index 000000000..4a4d603a7
--- /dev/null
+++ b/salt/zeek/policy/intel/__load__.zeek
@@ -0,0 +1 @@
+#Intel
diff --git a/salt/zeek/policy/securityonion/add-interface-to-logs.bro b/salt/zeek/policy/securityonion/add-interface-to-logs.bro
new file mode 100644
index 000000000..674b9272a
--- /dev/null
+++ b/salt/zeek/policy/securityonion/add-interface-to-logs.bro
@@ -0,0 +1,20 @@
+{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
+global interface = "{{ interface }}";
+
+event bro_init()
+ {
+ if ( ! reading_live_traffic() )
+ return;
+
+ Log::remove_default_filter(HTTP::LOG);
+ Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
+ $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
+ {
+ local peer = get_event_peer()$descr;
+ if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
+ return cat("http_", Cluster::nodes[peer]$interface);
+ else
+ return "http";
+ }
+ ]);
+ }
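Review bot: The templated `global interface = "{{ interface }}";` at the top of this new file is never read; the `$path_func` takes the name from `Cluster::nodes[peer]$interface`, so the `sensor:interface` pillar (or its `'0'` default) has no effect on the log path. Either drop the global and the `set` line, or use it in the fallback branch. The handler is also declared as `event bro_init()` in a `.bro` file, while the rest of the commit ships `.zeek` files mounted into `/opt/zeek`. `event zeek_init()` is the current name, and depending on the Zeek version in the so-zeek image the old one may warn or not run at all. Because `Log::remove_default_filter(HTTP::LOG)` drops the default filter, confirm that whatever ships logs off the sensor also collects the `http_<interface>` files; otherwise HTTP visibility is lost without any error.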
diff --git a/salt/zeek/policy/securityonion/apt1/__load__.zeek b/salt/zeek/policy/securityonion/apt1/__load__.zeek
new file mode 100644
index 000000000..de931eaac
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/__load__.zeek
@@ -0,0 +1,9 @@
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+
+redef Intel::read_files += {
+ fmt("%s/apt1-fqdn.dat", @DIR),
+ fmt("%s/apt1-md5.dat", @DIR),
+ fmt("%s/apt1-certs.dat", @DIR)
+};
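Review bot: This loader has no comment saying where the three indicator files come from or how current they are, yet it loads `frameworks/intel/do_notice`, so every match becomes a notice. The rows in the `.dat` files below credit the Mandiant APT1 Report, which is a static list. A header such as `# Static indicators from the Mandiant APT1 report; not refreshed, so treat hits as leads to triage.` would tell an analyst how much weight a hit carries. The same comment should mention that `@load frameworks/files/hash-all-files` turns on hashing for every file Zeek sees, a sensor-wide side effect of loading this directory.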
diff --git a/salt/zeek/policy/securityonion/apt1/apt1-certs.dat b/salt/zeek/policy/securityonion/apt1/apt1-certs.dat
new file mode 100644
index 000000000..3f5e643ac
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/apt1-certs.dat
@@ -0,0 +1,26 @@
+#fields indicator indicator_type meta.source meta.desc meta.do_notice
+b054e26ef827fbbf5829f84a9bdbb697a5b042fc Intel::CERT_HASH Mandiant APT1 Report ALPHA T
+7bc0cc2cf7c3a996c32dbe7e938993f7087105b4 Intel::CERT_HASH Mandiant APT1 Report AOL T
+7855c132af1390413d4e4ff4ead321f8802d8243 Intel::CERT_HASH Mandiant APT1 Report AOL T
+f3e3c590d7126bd227733e9d8313d2575c421243 Intel::CERT_HASH Mandiant APT1 Report AOL T
+d4d4e896ce7d73b573f0a0006080a246aec61fe7 Intel::CERT_HASH Mandiant APT1 Report AOL T
+bcdf4809c1886ac95478bbafde246d0603934298 Intel::CERT_HASH Mandiant APT1 Report AOL T
+6b4855df8afc8d57a671fe5ed628f6d88852a922 Intel::CERT_HASH Mandiant APT1 Report AOL T
+d50fdc82c328319ac60f256d3119b8708cd5717b Intel::CERT_HASH Mandiant APT1 Report AOL T
+70b48d5177eebe9c762e9a37ecabebfd10e1b7e9 Intel::CERT_HASH Mandiant APT1 Report AOL T
+3a6a299b764500ce1b6e58a32a257139d61a3543 Intel::CERT_HASH Mandiant APT1 Report AOL T
+bf4f90e0029b2263af1141963ddf2a0c71a6b5fb Intel::CERT_HASH Mandiant APT1 Report AOL T
+b21139583dec0dae344cca530690ec1f344acc79 Intel::CERT_HASH Mandiant APT1 Report AOL T
+21971ffef58baf6f638df2f7e2cceb4c58b173c8 Intel::CERT_HASH Mandiant APT1 Report EMAIL T
+04ecff66973c92a1c348666d5a4738557cce0cfc Intel::CERT_HASH Mandiant APT1 Report IBM T
+f97d1a703aec44d0f53a3a294e33acda43a49de1 Intel::CERT_HASH Mandiant APT1 Report IBM T
+c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe Intel::CERT_HASH Mandiant APT1 Report IBM T
+1b27a897cda019da2c3a6dc838761871e8bf5b5d Intel::CERT_HASH Mandiant APT1 Report LAME T
+d515996e8696612dc78fc6db39006466fc6550df Intel::CERT_HASH Mandiant APT1 Report MOON-NIGHT T
+8f79315659e59c79f1301ef4aee67b18ae2d9f1c Intel::CERT_HASH Mandiant APT1 Report NONAME T
+a57a84975e31e376e3512da7b05ad06ef6441f53 Intel::CERT_HASH Mandiant APT1 Report NS T
+b3db37a0edde97b3c3c15da5f2d81d27af82f583 Intel::CERT_HASH Mandiant APT1 Report SERVER (PEM) T
+6d8f1454f6392361fb2464b744d4fc09eee5fcfd Intel::CERT_HASH Mandiant APT1 Report SUR T
+b66e230f404b2cc1c033ccacda5d0a14b74a2752 Intel::CERT_HASH Mandiant APT1 Report VIRTUALLYTHERE T
+4acbadb86a91834493dde276736cdf8f7ef5d497 Intel::CERT_HASH Mandiant APT1 Report WEBMAIL T
+86a48093d9b577955c4c9bd19e30536aae5543d4 Intel::CERT_HASH Mandiant APT1 Report YAHOO T
\ No newline at end of file
diff --git a/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat b/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
new file mode 100644
index 000000000..f0a57f8c3
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
@@ -0,0 +1,2049 @@
+#fields indicator indicator_type meta.source meta.do_notice
+# The following line is for testing only. Please keep it commented out when running in production.
+#time.windows.com Intel::DOMAIN Test FQDN T
+advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
+applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+attnpower.com Intel::DOMAIN Mandiant APT1 Report T
+aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+avvmail.com Intel::DOMAIN Mandiant APT1 Report T
+bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+bigish.net Intel::DOMAIN Mandiant APT1 Report T
+blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+bluecoate.com Intel::DOMAIN Mandiant APT1 Report T
+booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+busketball.com Intel::DOMAIN Mandiant APT1 Report T
+canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+cometoway.org Intel::DOMAIN Mandiant APT1 Report T
+companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+competrip.com Intel::DOMAIN Mandiant APT1 Report T
+comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
+copporationnews.com Intel::DOMAIN Mandiant APT1 Report T
+cslisten.com Intel::DOMAIN Mandiant APT1 Report T
+defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+giftnews.org Intel::DOMAIN Mandiant APT1 Report T
+globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+hkcastte.com Intel::DOMAIN Mandiant APT1 Report T
+hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+hvmetal.com Intel::DOMAIN Mandiant APT1 Report T
+idirectech.com Intel::DOMAIN Mandiant APT1 Report T
+ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+maltempata.com Intel::DOMAIN Mandiant APT1 Report T
+marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
+microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
+micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
+nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+newsesport.com Intel::DOMAIN Mandiant APT1 Report T
+newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+nirvanaol.com Intel::DOMAIN Mandiant APT1 Report T
+ns06.net Intel::DOMAIN Mandiant APT1 Report T
+nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+olmusic100.com Intel::DOMAIN Mandiant APT1 Report T
+onefastgame.net Intel::DOMAIN Mandiant APT1 Report T
+oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
+pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
+phoenixtvus.com Intel::DOMAIN Mandiant APT1 Report T
+pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+progammerli.com Intel::DOMAIN Mandiant APT1 Report T
+purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
+reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+safalife.com Intel::DOMAIN Mandiant APT1 Report T
+saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+shepmas.com Intel::DOMAIN Mandiant APT1 Report T
+skyswim.net Intel::DOMAIN Mandiant APT1 Report T
+softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+staycools.net Intel::DOMAIN Mandiant APT1 Report T
+symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+syscation.com Intel::DOMAIN Mandiant APT1 Report T
+syscation.net Intel::DOMAIN Mandiant APT1 Report T
+tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T
+thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+tibethome.org Intel::DOMAIN Mandiant APT1 Report T
+todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+ushongkong.org Intel::DOMAIN Mandiant APT1 Report T
+usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+usnftc.org Intel::DOMAIN Mandiant APT1 Report T
+ustvb.com Intel::DOMAIN Mandiant APT1 Report T
+uszzcs.com Intel::DOMAIN Mandiant APT1 Report T
+voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T
+worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+youipcam.com Intel::DOMAIN Mandiant APT1 Report T
+08elec.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+09back.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+3ml.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+3pma.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+4cback.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+7cback.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+911.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+a-ad.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-af.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+aam.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+aar.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+aarco.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+a-bne.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+abs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+acer.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+acli-mail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+a-co.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+acu.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+adb.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+add.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+addr.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+adi002.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+a-dl.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+admin.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+admin.datastorage01.org Intel::DOMAIN Mandiant APT1 Report T
+admin.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+admin.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+adobe.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ads.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+adt.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+adt001.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+adt002.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+adtk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+adtkl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+adtkl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+adtlk.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+ae.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+a-ec.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+a-ep.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+aero.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+aes.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+a-ex.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+af.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+afda.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+a-fj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+africa.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+africa.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+africa.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+africadb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+afw.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+a-ga.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+agl.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+ago.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+a-gon.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-he.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-he.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+a-if.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-iho.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+aiic.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+aip.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+airline.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+airplane.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+ait.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+a-ja.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+a-jsm.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-jsm.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+ak47.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+ak47.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+alarm.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+alarm.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+alcan.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+alion.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+alone.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+amanda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+amne.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ams.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+amusement.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+analysis.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+anglo.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+anti.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+aol.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-ol.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+aol.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+aol.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+aon.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+a-ov.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+apa.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+apa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+apa.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+apejack.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+apekl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+a-pep.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+app.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+app.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+apple.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+apple.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+apple.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+apple.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+aps.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+apss.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+apss.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ara.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+ara.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ara2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+ara2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+arainfo.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+arainfo.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+a-rdr.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+ares.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+argsafhq.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+a-ri.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+armi.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+army.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+army.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+ascn.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+asiv.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+asp.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+asp.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+asp.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+asp.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+ass.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+astone.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+atm.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+atom.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+a-uac.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-un.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ausi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+auto.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+auto.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+auto.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+auto.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+auto.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+auto.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+auto.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
+avast.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+avph.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+a-za.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+a-za.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+a-zx.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+b.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bab.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+back.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+back.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+back.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+back.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+backsun.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+backup.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+backup.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+backup.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+backupsw.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+banner.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+barity.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+basketball.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+bass.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+bat.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+bat.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+bat.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+bat.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+bbb.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+bbh.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+bbs.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+bbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bbsfu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bcc.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+bcc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bcc.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+bee.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+bee.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+bee.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+bg-g.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+bhbt.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+bhbt.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+bing.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bitdefender.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bkav.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bkav2007.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bksy.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+black.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+black.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+blackfish.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+bll.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+blog.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+blog.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+blog.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+blog.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
+blow.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+blue.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+bluefin.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+bmi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+bob.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+bobo.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+bobo.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
+book.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+book.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+book.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+bot.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+bourne.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+bphb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+bring.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+brog.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
+bswt.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+built.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+business.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+business.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+business.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+business.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+business.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+business.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+buy.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+buy.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+buycow.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+buyer.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+buz.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+c.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+caaid.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+cac.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+cac.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+cache.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
+cacq.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+cadfait.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+cais.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+cais.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+can.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+canada.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+canary.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+cappuccino.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+car1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+care.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+care.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+cars.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+carvin.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+catalog.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+ccsukl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+cdc01.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+cdcd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+cdd.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+cdrnkl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+cecilia.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ce-ip.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+center.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+center.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+center.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ceros.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+cetv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+chat.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+chat.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+check.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+check.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+chicken.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+chicken.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+chivas.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+chq.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+christitannahill.appspot.com Intel::DOMAIN Mandiant APT1 Report T
+cib.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+cibuc.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+citrix.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+citt.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+city.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+class.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+client.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+climate.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+climate.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
+clin.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+cman.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+cmp.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+cobh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+coco.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+code.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+code.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+coe.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+coe.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+coer.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+cok.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+com.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
+comfile.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+commpany.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+company.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+compfile.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+compu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+compute.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+conn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+contact.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+contact.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+contact.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+contact.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+contact.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+contact.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+content.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+control.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+control.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+cook.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+cool.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+cool.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+corn.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+corp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+corp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+cost.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+count.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+country.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+cow.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+cowboy.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+cowboy.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+crab.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+crab.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+crab.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+crackling123.appspot.com Intel::DOMAIN Mandiant APT1 Report T
+cross.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+crz.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+cs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+csch.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+csupp.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+ctcn.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ctcs.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+ctcs.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+ctimoon.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+ctisk.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+cubbh.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+cubh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+culture.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+cure.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+current.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+cw.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+cw.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+cw.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+cw.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+cw.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+cwe.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+cwe80.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+cwel.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+cws.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+d.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+da.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+daa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+daily.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+data.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+date.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+date.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+date.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+date.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+datehelp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dating.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+db.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+default.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+defense.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+del.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+demo.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
+den.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+denel.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+densun.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+des.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+des.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+develop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dhfx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+dias.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+digi.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dith.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+dl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dlkl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+dnn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dns.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+dns.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+dns.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+dns.progammerli.com Intel::DOMAIN Mandiant APT1 Report T
+dns.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T
+dns1.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dnsg.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+do.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+doa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+docu.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+documents.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+documents.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+documents.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+documents.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+documents.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+documents.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+documents.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+documents.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+dod.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+doekl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+domain.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+domain.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+domain.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dorkia.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dot.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+dotnet.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+dove.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+down.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+down.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+down.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+download.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+download.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+download.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+download.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+download.idirectech.com Intel::DOMAIN Mandiant APT1 Report T
+download.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+download.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+downloads.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+downupdate.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+dp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+dq.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+drb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+drinkwater.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+drop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+dsh.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+dsw.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+dvid.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+dvid.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+dvn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+dyn.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+dyn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+dyns.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+e.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+e.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+e.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+e.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+e.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+e.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+e.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+e.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
+e.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+e.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+e.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+e.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+e.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+e.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+e.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+e.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+e.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+eaof.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+east.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+eatbeef.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+ecli-cow.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+edit.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
+edu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+education.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+education.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+eeaa.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+eee.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+egcc.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+email.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+email.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+email.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+email.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+email.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+email.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+email.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+email.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+email.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+email.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+email.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+email.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+email.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+email.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+email.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+email.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+email.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+email.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+email.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+email.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+email.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+email.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+email.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+email.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+email.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+email.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+email.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+emam.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+en.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+energy.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+energy.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+energy.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+energy.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+energy.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+energy.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+engine.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+engineering.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+environment.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+eoaf.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+epod.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+eu.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+eum.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+europa.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+europe.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+ever.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+everest.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+eye.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+f3tel.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+face.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+facebook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+faq.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+fashion.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+fax.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+fax.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+fax.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+fax.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+fax.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+fax.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+fax.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+fax.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+fax.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+fax.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+fax.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+fax.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+fax.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+fcn.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+fed.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ffej.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+ffej.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+fher.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+fher.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fhh.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+file.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+file.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+files.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+files.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+fileshare.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+fileyp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+film.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+fim.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+fim.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+finance.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+finance.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+finance.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+finance.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+finance.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+finance.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+finance.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+finance.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+finance.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+finance.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+finance.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+financial.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+fine.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+fineca.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+fineca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+finekl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+finekl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+finekl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+fiona.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+fire.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+fire1.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+first.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+fjod.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fkfc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+flash.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+flash.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+flash.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+flash.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+flash.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+flash.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+flash.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+flash.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+flash.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+flash.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+flucare.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+fly.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+fme.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+f-mi.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+fmp.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+fmp.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+fnem.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fni.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+fni.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fni.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+fnpc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+fnrn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fntel.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+fok.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+follow.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+food.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+food.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+football.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+forum.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+free.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+friends.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+froum.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+fs.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+fs.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+fstl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+fstl.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fstl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+ftp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+ftp.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+ftp.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+ftp.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+ftp.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+ftp.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+ftp.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+ftp.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+ftp.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.ustvb.com Intel::DOMAIN Mandiant APT1 Report T
+ftp.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+ftph.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ftrj.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fuck.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+fun.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+function.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+function.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+funny.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+funny.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+fwb.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+fwb.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+fwmo.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+fwmo.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+fy.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+fza.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+gaca.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+gaca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+game.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+game.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+games.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+gannett.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+gatu.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+gayi.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+gee.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+gege.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+gege.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
+geneticmedicine.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
+geo.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+geology.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+geology.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+gg.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+gg.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+ghma.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+gjjr.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+gjmy.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+gl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+glj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+global.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+global.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+globalization.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+glx.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+gmail.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+gmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+gmail.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+google.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+goverment.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+green.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+ground.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+ground.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ground.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+gsti.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+gsup.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+half.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+half.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+happy.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+happy.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+happy.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+happy.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+happyfish.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+hav.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+health.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+hello.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
+help.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+help.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+help.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+help.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+help.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+help.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+help.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+hi.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+hill.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+hill.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+hill.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+hill.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+hm.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+home.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+home.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+home.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+home.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+home.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+hon.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+host.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+host.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+host.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
+hostname.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
+hot.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+hotel.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+house.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+house.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+house.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+housew.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+hpd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+hq.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+hrsy.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+https.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+https.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+https.progammerli.com Intel::DOMAIN Mandiant APT1 Report T
+hu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+hun.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+hy.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+hy.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+iabk.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+iabk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+iai.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+iamge.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+idtheft.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+iea.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+iexchangefxn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ifc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+image.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+image.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+image.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+image.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+image.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+images.spmiller.org Intel::DOMAIN Mandiant APT1 Report T
+important.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+index.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+india.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+indian.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+indian.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+indonesia.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+info.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+info.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+info.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+info.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+info.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+info.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+info.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+info.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+info.idirectech.com Intel::DOMAIN Mandiant APT1 Report T
+info.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+info.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+info.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+info.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+info.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+info.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+info.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+info.theagenews.com Intel::DOMAIN Mandiant APT1 Report T
+info.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+info.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+info.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+information.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+information.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+information.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+information.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+information.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+ins.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+insat.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+int.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+int.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+intel.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+intel.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+intel.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+inter.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+international.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+invest.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+ips.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+iri.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+iri.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+irl.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+irs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+irs.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+irsauctions.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+irssales.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+iscu.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+iswb.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+it.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+it.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+itau.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+itinfo.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+japan.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+java.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+jbei.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+jeff.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+jeph.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+jf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+jfn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+jfs.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+jhd.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+jhd.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+jhsfkjlhjsf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+job.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+job.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+job.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+jobs.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
+johnford985.appspot.com Intel::DOMAIN Mandiant APT1 Report T
+jr.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+juda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+jwss.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+kf.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+khoda.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+king-kl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kit.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+kit.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+klape.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+klati.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+klbakerm.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+klbar.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+klbis.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+klbis.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+klbis.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+kl-care.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+klcirf.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+klcocon.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+klecca.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+klecca.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+klenvi.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+kl-hqun.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+kl-hqun.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kliee.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kl-knab.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kllhd.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+kllhd.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+kl-mfa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+klmfat.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+klnrdc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+klnrdc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+klotp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+klpiec.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kl-rfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kl-rio.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kluscc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+kl-vfw.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+klwest.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+knab.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+knews.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+koa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+ks.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+ks.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+ks.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+ks.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ks.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+ks.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+ks.petrotdl.com Intel::DOMAIN Mandiant APT1 Report T
+ks.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+ks.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+ksaa.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ksap.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+kshan.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+kusw.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+lab.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+lan.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+launch.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+law.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+law.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
+lawste.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+lawste2.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+lcan.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+leets.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+leon.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+lhd.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+lib.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+life.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+link.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+linkup.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+linux.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+lion.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+listen.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+live.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+living.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ln.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+lnz.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+loading.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+local.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+log.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+log.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+log.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+log.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+log.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+login.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
+login.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+login.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+login.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+login.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+login.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+logo.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+logo.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+logo.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+logon.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+logs.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+logs.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+logs.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
+logs.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+lone.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+loper.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+lost.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+lost.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+love.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+love.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+love.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+lovecocon.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+loveit.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+lrl.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+lucie.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+lucy.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+lucy.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+lucy.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+lucy.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+lucy2.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+lucy2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+lw.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+lw.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+lw.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+lw.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+lwave.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+m.cslisten.com Intel::DOMAIN Mandiant APT1 Report T
+m.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+macfee.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+magazine.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+magazine.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+magic.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T
+mail.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+mail.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+mail.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+mail.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+mail.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+mail.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+mail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+mail.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+mail.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+mail.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+mail.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+mail.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+mail.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+mail.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+mail.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+mail.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+mail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+mail.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+mail.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+mail.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+mail.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+mail.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+mail.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+mail.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+mail.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+mail.oplaymagzine.com Intel::DOMAIN Mandiant APT1 Report T
+mail.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+mail.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+mail.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+mail.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+mail.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+mail.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+mail.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+mail.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+mail.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+mail.ustvb.com Intel::DOMAIN Mandiant APT1 Report T
+mail.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+mail.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+mail2.syscation.net Intel::DOMAIN Mandiant APT1 Report T
+mailbbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+mails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+mailsrv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+main.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+man001.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+man001.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+map.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+maria.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+marines.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+max.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+mc.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+mcsc.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+me.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+media.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+media.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+media.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+media.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+media.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+media.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+media.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+media.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+medicine.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+medicine.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+meg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+meily.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+memberd.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+message.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+messenger.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+method.ns06.net Intel::DOMAIN Mandiant APT1 Report T
+mfa.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+mfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+micro.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+microsoft.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+milk.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+mini.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+mint.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+mko.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+mlls.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+mobile.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+money.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+moon.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+moon.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+mor.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+more.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+mos.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+moto.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+moto.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+moto.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+moto1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+moto2.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+motoa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+motor.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+movie.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+movies.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+mpe.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+msn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+music.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+music.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+music.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+music.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+mx.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+my.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+my550.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+myfamily.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+mynet.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+myoil.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+mysql.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+na.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+na.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+nat.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+nature.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+nav.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+navi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+navi.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+nci.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+nci.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+nci.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+ncih.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+ncsc.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+ne.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+nes.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+net.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+net.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+new.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+new.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+new.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+new.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+newport.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+newport.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+newport.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+news.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+news.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+news.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
+news.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+news.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+news.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+news.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+news.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+news.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+news.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+news.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+news.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+news.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+news.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+news.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+news.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+news.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+news.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+news.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+news.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+news.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+news.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+news.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+news.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+news.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+news.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+news.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+news.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+news.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
+news.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+news.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+news.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
+news.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+news.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+news.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+news.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+news.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
+news.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+news.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+news.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+news.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+news.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+news.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+news.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+news.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+news.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+news.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+news.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+news.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+news.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+news.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+news.yahoo.com.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
+news.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+newstar.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+newstar.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+newstime.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+newyork.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+ngc.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+ngng.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+nh.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
+nhc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+nhs.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+nhs1.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+nhs1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+nhsl.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+nic.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+nicenews.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+night.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+nis.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+nl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+nod.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+nol.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+norin.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+notebook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+nousage.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+nrfn.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+ns.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+nt.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+nucor001.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+nukor001.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+nullmx.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+num.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+o.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+object.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+office.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+okie.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+old.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+oliver.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+once.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+onk.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+online.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+online.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+online.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+online.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+online.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+ope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+opp.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+oppa.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+opts.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+orca.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+ord.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+orient.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+otp.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+otps.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+ou.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou1.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+ou1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+ou2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou3.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou4.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ou7.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+outlook.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+outlooks.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+owa.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+owa.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+owa.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+owa.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+pacific.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pacific.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+pack.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+pact.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+paekl.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+papper.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+papper.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+pars.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+part.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+part.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+parth.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+pay.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+pay.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+payse.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+pcie.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+pda.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+pda.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+pda.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+pda.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+pda.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+pdoc.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+pear.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pear.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+pear.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+people.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+phb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+phe.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+philippines.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+pic.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+picture.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+pink.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+plane.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+planning.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+play.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
+play.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+pme.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+png.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+pop.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+pop.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+pop.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+pop.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+pop.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pop.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+pop.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+pop.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+pop.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+pop.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+pop.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+pop.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+pop.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+pop.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+pop.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+pop.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+pop.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+pop.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+pop.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+pop.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+pop.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+pop.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+pop.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+pop.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+pop.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+pop.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+pop.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+pop.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+pop.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+pop.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+pop.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+pop.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+pop2.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pop2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+pop3.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pop3.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+pop4.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pop5.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+pop6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+pop9.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+popw.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+popwk.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+portbab.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+portpop.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+ppt.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+prc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+prefix.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+prefix.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+pro.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+proc.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+proc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+product.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+program.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+progress.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+protoc.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+psp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+psp.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+psu.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+psu.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+psu.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+ptp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+pz.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+qedh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+qhun-mons.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+qiao1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao1.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+qiao2.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao3.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao4.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao5.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao6.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao7.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qiao8.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+qua.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+qual.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+quick.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+quiet.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+qusc12.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+rank.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+rcs.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+reas.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+record.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+records.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+red.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+red.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+reg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+release.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+release.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+release.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+report.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+report.regicsgf.net Intel::DOMAIN Mandiant APT1 Report T
+reports.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+research.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+research.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+rice.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+rj.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+rj.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+rnew.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+roger.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+root.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+root.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+rou.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+rsut.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+s.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+s.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
+saf.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+saf.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+safbejn.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+safe.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+safe.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+safety.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+safety.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+safety.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+safr.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sale.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+sale.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+sales.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+sam.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+sam.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sam.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+satellite.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+sauu.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sav.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+sb.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+sbh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+scc.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+scc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+science.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+scorpion.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+scpkl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+sea.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+sea001.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+search.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+search.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+search.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+security.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+security.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+security.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+security.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+self.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sells.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+sells.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+send.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+serv.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+serve.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+server.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+service.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+service.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+service.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+service.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+service.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+services.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+services.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+servmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+servmailb.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+servmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+set.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+sfn.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+sh.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+share.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+share.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+share.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+share.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+share.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+shit.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+shop.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+shop.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+shop.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+shop.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+shop.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+shot.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+shot.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+shot.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+sifcc.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+signal.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+sinbg.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+sisc.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+sites.progammerli.com Intel::DOMAIN Mandiant APT1 Report T
+sk2.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+skills.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+skills.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+sklcenter.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+sky.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+sky.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+sky.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+sky.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+slnoa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+slnoa.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+slrfc.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+slrj.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+slrou.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+slrouji.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+sls.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+slutc.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+sma.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+smile.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+smlk.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+smooth.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+smtp.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+smtp.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+smtp.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+smtp.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+smtp.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+smtp.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+smtp.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+smtp.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+smtp.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+snoopy.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+snoot.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+sns.syscation.com Intel::DOMAIN Mandiant APT1 Report T
+sns.syscation.net Intel::DOMAIN Mandiant APT1 Report T
+soft.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+soft.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+soft.cnnnewsdaily.com Intel::DOMAIN Mandiant APT1 Report T
+soft.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+soft.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+soft.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+software.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+software.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+solar.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+solar.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+solar.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+soler.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+sona.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+sonah.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+songhong.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+sos.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+sotp.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+source.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+sp.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+sp.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+space.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+spah.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+spahi.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+spckl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+spcmon.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+special.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+sports.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+sports.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+sports.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+sports.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+sports.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+sports.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sports.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+sports.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+sports.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+sports.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+sports.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+sports.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+sports.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+sports.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+sports.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+sports3.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+sprts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+spte.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+squick.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+sremx.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+srs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+srs.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+srs.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+srvmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sslsrv1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+sslsrv2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+sslsrv5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+sslsrv5.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+sslsrv6.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+ssun.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+star.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+star.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+star.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+stars.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+stars.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+static.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+stell.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+step.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+stk.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+stk.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+stock.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+stock.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+stone.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+stone.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+stulaw.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+stuwal.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+stuwal.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+submarine.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+submarine.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+suffering.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+suffering.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+suffering.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+suffering.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+suffering.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+sun.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+sun.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+sun.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+support.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+support.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+support.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+support.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+support.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+support.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+support.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+support.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+support.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+support.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+support.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+support.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+support.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T
+sute.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+sw.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+swiss.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+sword.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+sword.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+syn.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+sync.ns06.net Intel::DOMAIN Mandiant APT1 Report T
+sys.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+sys.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+sys.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+sysj.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+system.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+sysy.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+tag.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+tape.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+tape.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+tape.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+tclient.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+tclient.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+teach.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+tech.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+tech.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+tech.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+tech.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+tele.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+telnet.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+test.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+test.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+test.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+test.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+test.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+test.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+thanhnien.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+thec.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+think.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+think.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+tia.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+time.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+time.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+time.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
+time.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+time1.mediaxsds.net Intel::DOMAIN Mandiant APT1 Report T
+times.nytimesnews.net Intel::DOMAIN Mandiant APT1 Report T
+tk.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+tnjs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+tod.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+top.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+topmoney.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+train.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+train.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+travel.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+travel.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+travel.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+travel.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+trb.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+trip.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+trip.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+triu.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+ts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+tt.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+ttl.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T
+tx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+ug-aa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-aaon.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-aeai.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-ag.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-asg.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-ati.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-bdai.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-bdai.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+ug-bdfa.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-bpd.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-cccc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-ccr.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-chsaw.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-co.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-cti.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-dfait.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-enrc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-ga.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-hst.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-hst.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+ug-irpf.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-kfc.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-man.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-mbi.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-nema.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-opm.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-piec.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-pmet.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-pnl.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-rev.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-rj.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+ug-rj.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-sbig.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-tree.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-tta.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-volpe.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+ug-west.hugesoft.org Intel::DOMAIN Mandiant APT1 Report T
+unifh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+up.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+up.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+upback.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+update.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+update.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+update.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+update.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+update.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+update.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+update.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+update.dnsweb.org Intel::DOMAIN Mandiant APT1 Report T
+update.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+update.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+update.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+update.idirectech.com Intel::DOMAIN Mandiant APT1 Report T
+update.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+update.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+update.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+update.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+update.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+update.progammerli.com Intel::DOMAIN Mandiant APT1 Report T
+update.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+update.safalife.com Intel::DOMAIN Mandiant APT1 Report T
+update.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+update.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+update.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+update.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+update.tfxdccssl.net Intel::DOMAIN Mandiant APT1 Report T
+update.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+update.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+update.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+update.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+update7.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+update8.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+updater.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+updatevn.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+upload.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+u-rfc.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+url.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+url.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+us.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+us.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+us.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+utex.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+value.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+vedio.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+velp.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+via.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+via.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+via.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+video.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+vip.issnbgkit.net Intel::DOMAIN Mandiant APT1 Report T
+vip.pcclubddk.net Intel::DOMAIN Mandiant APT1 Report T
+vip.sportreadok.net Intel::DOMAIN Mandiant APT1 Report T
+vis.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+visual.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+vockl.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+vol.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+vop.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+vope.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+vopm.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+vpn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+vpn.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+vpn.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+vpn.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+vsec.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+vseh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+walk.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+walste.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+wangye.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+wangye.reutersnewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+wapi.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+was.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+water.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+wave.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+wcasekl.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+wcov.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wdeh.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+weather.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+weather.chileexe77.com Intel::DOMAIN Mandiant APT1 Report T
+weather.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+weather.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+weather.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+weather.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+web.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+web.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+web.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+web.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+web.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+web.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+web.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+web.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+web.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+web.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+web.thehealthmood.net Intel::DOMAIN Mandiant APT1 Report T
+web.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T
+webdata.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+webjbs.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+weblog.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+weblog.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+webmail.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+webmail.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+webmail.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+webmail.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+webmail.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+webmail.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+webmail.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+webmail.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+webmail.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.usnewssite.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.ustvb.com Intel::DOMAIN Mandiant APT1 Report T
+webmail.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+webmail.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+webmailh.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+webmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+webmailw.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+webs.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+wed5.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+wed5.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+week.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+week.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+weg.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+wehmail.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+west.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+west.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+west1.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+westjoe.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+westking.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+westking.comrepair.net Intel::DOMAIN Mandiant APT1 Report T
+westkl.blackberrycluter.com Intel::DOMAIN Mandiant APT1 Report T
+westkl.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+westnew.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+wfcx.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wff.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wgl.infobusinessus.org Intel::DOMAIN Mandiant APT1 Report T
+wgw.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wh1.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+what.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+whi.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+windows.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+wins.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+wish.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+wk.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+wmp.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wnam.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wnara.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wned.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wnew.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+woil.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+women.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+wopec.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wopm.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+work.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+work.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+work.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+work.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+work.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+work.yahoodaily.com Intel::DOMAIN Mandiant APT1 Report T
+workstation.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+world.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+world.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+wow.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+wow.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+wpcs.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wpot.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+wpot.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wptex.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wpvn.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wpvn.softsolutionbox.net Intel::DOMAIN Mandiant APT1 Report T
+wrim.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wsyggfw.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+wtom.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wwab.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+wwebmails.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+wwt.blackcake.net Intel::DOMAIN Mandiant APT1 Report T
+www.advanbusiness.com Intel::DOMAIN Mandiant APT1 Report T
+www.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+www.aolon1ine.com Intel::DOMAIN Mandiant APT1 Report T
+www.applesoftupdate.com Intel::DOMAIN Mandiant APT1 Report T
+www.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+www.attnpower.com Intel::DOMAIN Mandiant APT1 Report T
+www.aunewsonline.com Intel::DOMAIN Mandiant APT1 Report T
+www.avvmail.com Intel::DOMAIN Mandiant APT1 Report T
+www.bigish.net Intel::DOMAIN Mandiant APT1 Report T
+www.bluecoate.com Intel::DOMAIN Mandiant APT1 Report T
+www.bpyoyo.com Intel::DOMAIN Mandiant APT1 Report T
+www.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+www.busketball.com Intel::DOMAIN Mandiant APT1 Report T
+www.canadatvsite.com Intel::DOMAIN Mandiant APT1 Report T
+www.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+www.cnndaily.com Intel::DOMAIN Mandiant APT1 Report T
+www.cnndaily.net Intel::DOMAIN Mandiant APT1 Report T
+www.cometoway.org Intel::DOMAIN Mandiant APT1 Report T
+www.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+www.competrip.com Intel::DOMAIN Mandiant APT1 Report T
+www.comtoway.com Intel::DOMAIN Mandiant APT1 Report T
+www.conferencesinfo.com Intel::DOMAIN Mandiant APT1 Report T
+www.copporationnews.com Intel::DOMAIN Mandiant APT1 Report T
+www.defenceonline.net Intel::DOMAIN Mandiant APT1 Report T
+www.doemarkennel.com Intel::DOMAIN Mandiant APT1 Report T
+www.downloadsite.me Intel::DOMAIN Mandiant APT1 Report T
+www.e-cardsshop.com Intel::DOMAIN Mandiant APT1 Report T
+www.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+www.freshreaders.net Intel::DOMAIN Mandiant APT1 Report T
+www.giftnews.org Intel::DOMAIN Mandiant APT1 Report T
+www.globalowa.com Intel::DOMAIN Mandiant APT1 Report T
+www.gmailboxes.com Intel::DOMAIN Mandiant APT1 Report T
+www.hkcastte.com Intel::DOMAIN Mandiant APT1 Report T
+www.hvmetal.com Intel::DOMAIN Mandiant APT1 Report T
+www.idirectech.com Intel::DOMAIN Mandiant APT1 Report T
+www.ifexcel.com Intel::DOMAIN Mandiant APT1 Report T
+www.jjpopp.com Intel::DOMAIN Mandiant APT1 Report T
+www.jobsadvanced.com Intel::DOMAIN Mandiant APT1 Report T
+www.livemymsn.com Intel::DOMAIN Mandiant APT1 Report T
+www.maltempata.com Intel::DOMAIN Mandiant APT1 Report T
+www.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+www.microsoft-update-info.com Intel::DOMAIN Mandiant APT1 Report T
+www.micyuisyahooapis.com Intel::DOMAIN Mandiant APT1 Report T
+www.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+www.myyahoonews.com Intel::DOMAIN Mandiant APT1 Report T
+www.nationtour.net Intel::DOMAIN Mandiant APT1 Report T
+www.newsesport.com Intel::DOMAIN Mandiant APT1 Report T
+www.newsonlinesite.com Intel::DOMAIN Mandiant APT1 Report T
+www.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+www.nirvanaol.com Intel::DOMAIN Mandiant APT1 Report T
+www.olmusic100.com Intel::DOMAIN Mandiant APT1 Report T
+www.online.mcafeepaying.com Intel::DOMAIN Mandiant APT1 Report T
+www.phoenixtvus.com Intel::DOMAIN Mandiant APT1 Report T
+www.pop-musicsite.com Intel::DOMAIN Mandiant APT1 Report T
+www.rssadvanced.org Intel::DOMAIN Mandiant APT1 Report T
+www.safety-update.com Intel::DOMAIN Mandiant APT1 Report T
+www.satellitebbs.com Intel::DOMAIN Mandiant APT1 Report T
+www.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+www.shepmas.com Intel::DOMAIN Mandiant APT1 Report T
+www.skyswim.net Intel::DOMAIN Mandiant APT1 Report T
+www.staycools.net Intel::DOMAIN Mandiant APT1 Report T
+www.symanteconline.net Intel::DOMAIN Mandiant APT1 Report T
+www.syscation.com Intel::DOMAIN Mandiant APT1 Report T
+www.syscation.net Intel::DOMAIN Mandiant APT1 Report T
+www.tibethome.org Intel::DOMAIN Mandiant APT1 Report T
+www.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+www.ueopen.com Intel::DOMAIN Mandiant APT1 Report T
+www.usabbs.org Intel::DOMAIN Mandiant APT1 Report T
+www.usapappers.com Intel::DOMAIN Mandiant APT1 Report T
+www.ushongkong.org Intel::DOMAIN Mandiant APT1 Report T
+www.ustvb.com Intel::DOMAIN Mandiant APT1 Report T
+www.uszzcs.com Intel::DOMAIN Mandiant APT1 Report T
+www.voiceofman.com Intel::DOMAIN Mandiant APT1 Report T
+www.webservicesupdate.com Intel::DOMAIN Mandiant APT1 Report T
+www.widewebsense.com Intel::DOMAIN Mandiant APT1 Report T
+www.worthhummer.net Intel::DOMAIN Mandiant APT1 Report T
+www.youipcam.com Intel::DOMAIN Mandiant APT1 Report T
+www-01.marsbrother.com Intel::DOMAIN Mandiant APT1 Report T
+www-049.businessformars.com Intel::DOMAIN Mandiant APT1 Report T
+www1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+www1.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+www1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+www1.saltlakenews.org Intel::DOMAIN Mandiant APT1 Report T
+www2.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+www3.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+wwwcb.newspappers.org Intel::DOMAIN Mandiant APT1 Report T
+www-ctr.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+wwwi.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+wwwt.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+x-admin.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+xawh.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+x-book.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+x-fmgg.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+xinge3344.cccpan.com Intel::DOMAIN Mandiant APT1 Report T
+xinge3344.ys168.com Intel::DOMAIN Mandiant APT1 Report T
+xmer.businessconsults.net Intel::DOMAIN Mandiant APT1 Report T
+x-stone.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+xtap.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+xwclient.arrowservice.net Intel::DOMAIN Mandiant APT1 Report T
+xwclient.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+xwclient.newsonet.net Intel::DOMAIN Mandiant APT1 Report T
+yang.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+yang.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+yang1.bigdepression.net Intel::DOMAIN Mandiant APT1 Report T
+yang1.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+yang2.infosupports.com Intel::DOMAIN Mandiant APT1 Report T
+yard.earthsolution.org Intel::DOMAIN Mandiant APT1 Report T
+ysb.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+ysb.purpledaily.com Intel::DOMAIN Mandiant APT1 Report T
+z0.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+z4.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+za.booksonlineclub.com Intel::DOMAIN Mandiant APT1 Report T
+zapts.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+zc.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+zero.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
+zh.lksoftvc.net Intel::DOMAIN Mandiant APT1 Report T
+zone.aoldaily.com Intel::DOMAIN Mandiant APT1 Report T
+zone.canoedaily.com Intel::DOMAIN Mandiant APT1 Report T
+zone.companyinfosite.com Intel::DOMAIN Mandiant APT1 Report T
+zone.msnhome.org Intel::DOMAIN Mandiant APT1 Report T
+zone.searchforca.com Intel::DOMAIN Mandiant APT1 Report T
+zone.todayusa.org Intel::DOMAIN Mandiant APT1 Report T
+ztl.firefoxupdata.com Intel::DOMAIN Mandiant APT1 Report T
diff --git a/salt/zeek/policy/securityonion/apt1/apt1-md5.dat b/salt/zeek/policy/securityonion/apt1/apt1-md5.dat
new file mode 100644
index 000000000..421549121
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/apt1-md5.dat
@@ -0,0 +1,1012 @@
+#fields indicator indicator_type meta.source meta.do_notice
+# The following lines are for testing purposes only. Please keep them commented out when running in production.
+#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T
+#9593fcbd91fdb1a41d0304bf684d29fd Intel::FILE_HASH Test MD5 T
+#e2c33fa7a3802289d46a7c3e4e1df342 Intel::FILE_HASH Test MD5 T
+001dd76872d80801692ff942308c64e6 Intel::FILE_HASH Mandiant Apt1 Report T
+002325a0a67fded0381b5648d7fe9b8e Intel::FILE_HASH Mandiant Apt1 Report T
+00dbb9e1c09dbdafb360f3163ba5a3de Intel::FILE_HASH Mandiant Apt1 Report T
+00f24328b282b28bc39960d55603e380 Intel::FILE_HASH Mandiant Apt1 Report T
+0115338e11f85d7a2226933712acaae8 Intel::FILE_HASH Mandiant Apt1 Report T
+0141955eb5b90ce25b506757ce151275 Intel::FILE_HASH Mandiant Apt1 Report T
+0149b7bd7218aab4e257d28469fddb0d Intel::FILE_HASH Mandiant Apt1 Report T
+016da6ee744b16656a2ba3107c7a4a29 Intel::FILE_HASH Mandiant Apt1 Report T
+01e0dc079d4e33d8edd050c4900818da Intel::FILE_HASH Mandiant Apt1 Report T
+024fd07dbdacc7da227bede3449c2b6a Intel::FILE_HASH Mandiant Apt1 Report T
+0285bd1fbdd70fd5165260a490564ac8 Intel::FILE_HASH Mandiant Apt1 Report T
+02a2d148faba3b6310e7ba81eb62739d Intel::FILE_HASH Mandiant Apt1 Report T
+02c65973b6018f5d473d701b3e7508b2 Intel::FILE_HASH Mandiant Apt1 Report T
+034374db2d35cf9da6558f54cec8a455 Intel::FILE_HASH Mandiant Apt1 Report T
+03ae71eba61af2d497e226da3954f3af Intel::FILE_HASH Mandiant Apt1 Report T
+0469a42d71b4a55118b9579c8c772bb6 Intel::FILE_HASH Mandiant Apt1 Report T
+0496e3b17cf40c45f495188a368c203a Intel::FILE_HASH Mandiant Apt1 Report T
+04a7b7dab5ff8ba1486df9dbe68c748c Intel::FILE_HASH Mandiant Apt1 Report T
+04e83832146034f9797d2e8145413daa Intel::FILE_HASH Mandiant Apt1 Report T
+04f481d6710ac5d68d0eacac2600a041 Intel::FILE_HASH Mandiant Apt1 Report T
+0501bb10d646b29cab7d17a8407010d9 Intel::FILE_HASH Mandiant Apt1 Report T
+0522e955aaee70b102e843f14c13a92c Intel::FILE_HASH Mandiant Apt1 Report T
+052ec04866e4a67f31845d656531830d Intel::FILE_HASH Mandiant Apt1 Report T
+0545a524a6bb0b042f4b00da53fec948 Intel::FILE_HASH Mandiant Apt1 Report T
+05552a77620933dd80f1e176736f8fe7 Intel::FILE_HASH Mandiant Apt1 Report T
+0583f58ac3d804d28cd433d369b096b8 Intel::FILE_HASH Mandiant Apt1 Report T
+0588ffa0a244a2c4431c5c4faac60b1f Intel::FILE_HASH Mandiant Apt1 Report T
+05bc8309b93676087d5fb0b58ad5e9d8 Intel::FILE_HASH Mandiant Apt1 Report T
+05cc052686fbdf25fb610c1fe120195f Intel::FILE_HASH Mandiant Apt1 Report T
+06598b0490133815541c5ac023623e82 Intel::FILE_HASH Mandiant Apt1 Report T
+065e63afdfa539727f63af7530b22d2f Intel::FILE_HASH Mandiant Apt1 Report T
+078f1e2c528f2318b073e871f73efc21 Intel::FILE_HASH Mandiant Apt1 Report T
+079028d315d039da0ffec2728b2c9ef6 Intel::FILE_HASH Mandiant Apt1 Report T
+07ae235391f7b290ea3a35067239a290 Intel::FILE_HASH Mandiant Apt1 Report T
+07c4032f24ae44614676fbdfe539afe0 Intel::FILE_HASH Mandiant Apt1 Report T
+07fe9f901fb4f14e16fb5d114a92b0fc Intel::FILE_HASH Mandiant Apt1 Report T
+08084604344b5ed11c2612795b2d3608 Intel::FILE_HASH Mandiant Apt1 Report T
+0829207a8400e2814990f79fbdfe7f4d Intel::FILE_HASH Mandiant Apt1 Report T
+082cc969b3eb6786e3e951b450b8de0d Intel::FILE_HASH Mandiant Apt1 Report T
+089c9e5407ddb464dfeca2e528536395 Intel::FILE_HASH Mandiant Apt1 Report T
+08d7679a9c806a2f7d2be26fe9b425ee Intel::FILE_HASH Mandiant Apt1 Report T
+08e0d0f5cdfe1bc2e5fc1b992fe1e073 Intel::FILE_HASH Mandiant Apt1 Report T
+08f21a020f41f0bcacdc9427f84987da Intel::FILE_HASH Mandiant Apt1 Report T
+0908d8b3e459551039bade50930e4c1b Intel::FILE_HASH Mandiant Apt1 Report T
+09531f851ef74a7238685fd287a395bd Intel::FILE_HASH Mandiant Apt1 Report T
+097b5abb53a3d84fa9eabda02fef9e91 Intel::FILE_HASH Mandiant Apt1 Report T
+09d372e4259980ac95fdadf1846578d9 Intel::FILE_HASH Mandiant Apt1 Report T
+0b506c6dde8d07f9eeb82fd01a6f97d4 Intel::FILE_HASH Mandiant Apt1 Report T
+0b680e7bd5c0501d5dd73164122a7faf Intel::FILE_HASH Mandiant Apt1 Report T
+0c28ad34f90950bc784339ec9f50d288 Intel::FILE_HASH Mandiant Apt1 Report T
+0c5858f293aed44ea00eb9e0019609df Intel::FILE_HASH Mandiant Apt1 Report T
+0c5e9f564115bfcbee66377a829de55f Intel::FILE_HASH Mandiant Apt1 Report T
+0ca6e2ad69826c8e3287fc8576112814 Intel::FILE_HASH Mandiant Apt1 Report T
+0cad42671e5771574df44a23b3634f32 Intel::FILE_HASH Mandiant Apt1 Report T
+0ccfaeb11defb100b5ddb40057e8fce4 Intel::FILE_HASH Mandiant Apt1 Report T
+0cf8259502d178a099ab2852e2bddbe1 Intel::FILE_HASH Mandiant Apt1 Report T
+0cf9e999c574ec89595263446978dc9f Intel::FILE_HASH Mandiant Apt1 Report T
+0d0240672a314a7547d328f824642da8 Intel::FILE_HASH Mandiant Apt1 Report T
+0d678350f05b274844da5d79fee75324 Intel::FILE_HASH Mandiant Apt1 Report T
+0dd3677594632ce270bcf8af94819caf Intel::FILE_HASH Mandiant Apt1 Report T
+0df42947e167cd006b176d305c08d57e Intel::FILE_HASH Mandiant Apt1 Report T
+0e84132e5ad04351b644b8d8743fc4d3 Intel::FILE_HASH Mandiant Apt1 Report T
+0ec0fcd649f3d5aa2e19f110c0089164 Intel::FILE_HASH Mandiant Apt1 Report T
+0f23d5b93c30681655d8a4258b8de129 Intel::FILE_HASH Mandiant Apt1 Report T
+0fbdc6e3f79063a4773d4872fa1f15d1 Intel::FILE_HASH Mandiant Apt1 Report T
+0fed203f3df6a82c9124f24aa3d9d75d Intel::FILE_HASH Mandiant Apt1 Report T
+0ff20d023d6b54661d66fb3ce09afe3c Intel::FILE_HASH Mandiant Apt1 Report T
+0ff48a336655869a74611236e6e2d249 Intel::FILE_HASH Mandiant Apt1 Report T
+106338ad223b84fbc2528a55e3e22302 Intel::FILE_HASH Mandiant Apt1 Report T
+1097ca5269dea866d5c9f2b0cc50af6d Intel::FILE_HASH Mandiant Apt1 Report T
+10a38dd9598cc31efe664cfaa8f37bf1 Intel::FILE_HASH Mandiant Apt1 Report T
+10a68e08c514d3b69296b0eb557d822c Intel::FILE_HASH Mandiant Apt1 Report T
+10bb5a8ae053e335fe047cf38db95452 Intel::FILE_HASH Mandiant Apt1 Report T
+11504971bb85cdacb8ef7d45e6e2aeb7 Intel::FILE_HASH Mandiant Apt1 Report T
+11ccf3f93b00b01887e50283742cd1e6 Intel::FILE_HASH Mandiant Apt1 Report T
+11d350127ff1e9ecd665c34326475584 Intel::FILE_HASH Mandiant Apt1 Report T
+11dbecc954bf8a89d59407a992889cfd Intel::FILE_HASH Mandiant Apt1 Report T
+11de4b1ab84bcb8dd28ef0ea4641f6d0 Intel::FILE_HASH Mandiant Apt1 Report T
+120c2e085992ff59a21ba401ec29fec9 Intel::FILE_HASH Mandiant Apt1 Report T
+1224527e295380dce1ac9953c850ce97 Intel::FILE_HASH Mandiant Apt1 Report T
+123505024f9e5ff74cb6aa67d7fcc392 Intel::FILE_HASH Mandiant Apt1 Report T
+125ebbc6f0c957ee994fcef1431a93f4 Intel::FILE_HASH Mandiant Apt1 Report T
+129c6cd9d2aa895cf6fa137fa1d3a188 Intel::FILE_HASH Mandiant Apt1 Report T
+12a410d82a1fc9a8c18b350872e0d465 Intel::FILE_HASH Mandiant Apt1 Report T
+12f25ce81596aeb19e75cc7ef08f3a38 Intel::FILE_HASH Mandiant Apt1 Report T
+1328eaceb140a3863951d18661b097af Intel::FILE_HASH Mandiant Apt1 Report T
+13835f0d5aafbeda50560afc92c8b7b7 Intel::FILE_HASH Mandiant Apt1 Report T
+13f0b56c28995e4efc8da784ad862853 Intel::FILE_HASH Mandiant Apt1 Report T
+1415eb8519d13328091cc5c76a624e3d Intel::FILE_HASH Mandiant Apt1 Report T
+1486f48948db4f9afaebd69c7c52f899 Intel::FILE_HASH Mandiant Apt1 Report T
+150c4c1f589c4baa794160276a3d4aba Intel::FILE_HASH Mandiant Apt1 Report T
+150c95865766c2dd0562e7bedb6db104 Intel::FILE_HASH Mandiant Apt1 Report T
+15137b710414e4e8508ac5ab27e2cbaa Intel::FILE_HASH Mandiant Apt1 Report T
+15244d2321faa3a271ff0b1e5a23148f Intel::FILE_HASH Mandiant Apt1 Report T
+15901ddbccc5e9e0579fc5b42f754fe8 Intel::FILE_HASH Mandiant Apt1 Report T
+15d1330be5e27f6f51d011b0575ffa05 Intel::FILE_HASH Mandiant Apt1 Report T
+165ef79e7caa806f13f82cc2bbf3dedd Intel::FILE_HASH Mandiant Apt1 Report T
+16e53c619803d0068611bb6d448d1d49 Intel::FILE_HASH Mandiant Apt1 Report T
+17199ddac616938f383a0339f416c890 Intel::FILE_HASH Mandiant Apt1 Report T
+173cd315008897e56fa812f2b2843f83 Intel::FILE_HASH Mandiant Apt1 Report T
+177e0270f25a901c216ffb2e7a36e5b1 Intel::FILE_HASH Mandiant Apt1 Report T
+17f5a2e0997b59449ca2120b20b5b7ce Intel::FILE_HASH Mandiant Apt1 Report T
+17f6602f1c507b006b9d09eedcde0096 Intel::FILE_HASH Mandiant Apt1 Report T
+1809c3cc93332d7bc0799238519a2938 Intel::FILE_HASH Mandiant Apt1 Report T
+18316e6ebb356a66c8ff51e73c1bcc8a Intel::FILE_HASH Mandiant Apt1 Report T
+18e5ef23b634344321b2b3f5fa80a598 Intel::FILE_HASH Mandiant Apt1 Report T
+19fc27aeb48b3ce8d00eb2e76dfe2837 Intel::FILE_HASH Mandiant Apt1 Report T
+1a0c7e61bcc50d57b7bcf9d9af691de5 Intel::FILE_HASH Mandiant Apt1 Report T
+1ae2dadd85cd97452bb26b2c901d0890 Intel::FILE_HASH Mandiant Apt1 Report T
+1aea4d24f3bd2c51288ad643fc66e0d2 Intel::FILE_HASH Mandiant Apt1 Report T
+1b36190794516da078decaff881d9864 Intel::FILE_HASH Mandiant Apt1 Report T
+1b7eed9d2438b494197e95fe57114f9b Intel::FILE_HASH Mandiant Apt1 Report T
+1ba6fee7d4e73752b39a09b1396b69f0 Intel::FILE_HASH Mandiant Apt1 Report T
+1baa7f5813e259c6346d1b02a1370d75 Intel::FILE_HASH Mandiant Apt1 Report T
+1c16bd1488163c03cd506c2f71486a0f Intel::FILE_HASH Mandiant Apt1 Report T
+1c7538951b21d93ef7ecf3fa94ae5c5e Intel::FILE_HASH Mandiant Apt1 Report T
+1ca3ca9ec20474d07fc798f2b41e2625 Intel::FILE_HASH Mandiant Apt1 Report T
+1ce4605e771a04e375e0d1083f183e8e Intel::FILE_HASH Mandiant Apt1 Report T
+1e314c972075b8058099fd8759c11ce8 Intel::FILE_HASH Mandiant Apt1 Report T
+1e48f6ba839d2c4794e23c10e5c4c138 Intel::FILE_HASH Mandiant Apt1 Report T
+1e5ec6c06e4f6bb958dcbb9fc636009d Intel::FILE_HASH Mandiant Apt1 Report T
+1ea61a0945bde3c6f41e12bc01928d37 Intel::FILE_HASH Mandiant Apt1 Report T
+1ede2c69d50e0efbe23f758d902216e0 Intel::FILE_HASH Mandiant Apt1 Report T
+1f2eb7b090018d975e6d9b40868c94ca Intel::FILE_HASH Mandiant Apt1 Report T
+1f92ff8711716ca795fbd81c477e45f5 Intel::FILE_HASH Mandiant Apt1 Report T
+1f9b32bac55ba4c015181ebf55767752 Intel::FILE_HASH Mandiant Apt1 Report T
+1fad25d4fef631f8ec3115e0944e4621 Intel::FILE_HASH Mandiant Apt1 Report T
+1fb4ce2e56ced51ddf1edff8ed15c21b Intel::FILE_HASH Mandiant Apt1 Report T
+1fff3f96f53c5bbdd39eb2351f12549d Intel::FILE_HASH Mandiant Apt1 Report T
+201fb83679a1fe05007fc6b8d6d96680 Intel::FILE_HASH Mandiant Apt1 Report T
+2080f463388aebe6deb7edf11c01f7ff Intel::FILE_HASH Mandiant Apt1 Report T
+20e2c8c7a98ddd4c16f6e878194c1e78 Intel::FILE_HASH Mandiant Apt1 Report T
+212c724346400853d05a4440cabd716c Intel::FILE_HASH Mandiant Apt1 Report T
+2156942db0293565c9420c1e254a2c32 Intel::FILE_HASH Mandiant Apt1 Report T
+215df0c319b98dad4f202849b097f8b2 Intel::FILE_HASH Mandiant Apt1 Report T
+2198fea94bb79b001fcfd3e03b269001 Intel::FILE_HASH Mandiant Apt1 Report T
+2244c60f4c1dc285c259f3ac5bf88ff8 Intel::FILE_HASH Mandiant Apt1 Report T
+225e33508861984dd2a774760bfdfc52 Intel::FILE_HASH Mandiant Apt1 Report T
+2272791cadf422ce02a117a3a857f84e Intel::FILE_HASH Mandiant Apt1 Report T
+22aa55134d621672e93c6de928c8b122 Intel::FILE_HASH Mandiant Apt1 Report T
+22d9466d6aab8410bea006b5d3df8bd0 Intel::FILE_HASH Mandiant Apt1 Report T
+23059de2797774bbdd9b21f979aaec51 Intel::FILE_HASH Mandiant Apt1 Report T
+23e371b816bab10cd9cfc4a46154022c Intel::FILE_HASH Mandiant Apt1 Report T
+24259ae8b0018b0ce9992fb1d9b69e2a Intel::FILE_HASH Mandiant Apt1 Report T
+2479a9a50308cb72fcd5e4e18ef06468 Intel::FILE_HASH Mandiant Apt1 Report T
+24c4ed0a6cc4e9671b72c104977fa215 Intel::FILE_HASH Mandiant Apt1 Report T
+24f1b8266f4faf550999581bf0edac83 Intel::FILE_HASH Mandiant Apt1 Report T
+24fefb8b9338e2300308260be19bbaab Intel::FILE_HASH Mandiant Apt1 Report T
+251c817f4144264c3e7a9dac03071daf Intel::FILE_HASH Mandiant Apt1 Report T
+255cd53f9bdb6f3755e621885cb34382 Intel::FILE_HASH Mandiant Apt1 Report T
+257258344edad17f689b1c6d14833cbc Intel::FILE_HASH Mandiant Apt1 Report T
+25f240aed433c4ea52ccdb898e43756f Intel::FILE_HASH Mandiant Apt1 Report T
+2640cb47de607a8276c26e8a27f1150b Intel::FILE_HASH Mandiant Apt1 Report T
+268988aa1df82ab073f527b5b6c8bff7 Intel::FILE_HASH Mandiant Apt1 Report T
+268eef019bf65b2987e945afaf29643f Intel::FILE_HASH Mandiant Apt1 Report T
+270d42f292105951ee81e4085ea45054 Intel::FILE_HASH Mandiant Apt1 Report T
+2762fb36161086f7ef3f33232aa790dc Intel::FILE_HASH Mandiant Apt1 Report T
+277964807a66aeeb6bd81dbfcaa3e4e6 Intel::FILE_HASH Mandiant Apt1 Report T
+277f95bff2e0fe317f86b5010bd83a18 Intel::FILE_HASH Mandiant Apt1 Report T
+286f48dda20e2ccc3250a6e09a130db1 Intel::FILE_HASH Mandiant Apt1 Report T
+28dbd86bd86eb9153ecb20d883c41ae0 Intel::FILE_HASH Mandiant Apt1 Report T
+28e64dfeab48030bc532ae4ace2c9e4c Intel::FILE_HASH Mandiant Apt1 Report T
+2976a62c2a829a153a9b0b5f433bdc77 Intel::FILE_HASH Mandiant Apt1 Report T
+29c691978af80dc23c4df96b5f6076bb Intel::FILE_HASH Mandiant Apt1 Report T
+2a214ce037f5f6bb01ddc453f0265d92 Intel::FILE_HASH Mandiant Apt1 Report T
+2a4604fcae876dee445de5ad74fd7835 Intel::FILE_HASH Mandiant Apt1 Report T
+2a84b88c4a2ce0fb6227f7990f465737 Intel::FILE_HASH Mandiant Apt1 Report T
+2acfc925e66e1b820a67c4d0f3e6ae8c Intel::FILE_HASH Mandiant Apt1 Report T
+2af105519133baaee57c9ade00543de2 Intel::FILE_HASH Mandiant Apt1 Report T
+2b379d5346ffd386c28038630a9b0292 Intel::FILE_HASH Mandiant Apt1 Report T
+2b659d71ae168e774faaf38db30f4a84 Intel::FILE_HASH Mandiant Apt1 Report T
+2b732257d8d9f09560fdcb7d84d430ca Intel::FILE_HASH Mandiant Apt1 Report T
+2ba0d0083976a5c1e3315413cdcffcd2 Intel::FILE_HASH Mandiant Apt1 Report T
+2bd02b41817d227058522cca40acd390 Intel::FILE_HASH Mandiant Apt1 Report T
+2bdc196cdac4478ae325c94bab433732 Intel::FILE_HASH Mandiant Apt1 Report T
+2c49f47c98203b110799ab622265f4ef Intel::FILE_HASH Mandiant Apt1 Report T
+2c78d8bb5912d8174042f81197d9b449 Intel::FILE_HASH Mandiant Apt1 Report T
+2c9c691e15a48b20dbead0a6d6bf0300 Intel::FILE_HASH Mandiant Apt1 Report T
+2ca8ba14ff07ef8616372c53ee84d20e Intel::FILE_HASH Mandiant Apt1 Report T
+2cdbeebcf4e0b6dbd24b8c7b4cd6d862 Intel::FILE_HASH Mandiant Apt1 Report T
+2d08595e73de31a36c1187fcaac73bf0 Intel::FILE_HASH Mandiant Apt1 Report T
+2d57aa4e7f2f4088f1b96313b24c7602 Intel::FILE_HASH Mandiant Apt1 Report T
+2daa4a4574ba06aa3203ae0e0b45b3b8 Intel::FILE_HASH Mandiant Apt1 Report T
+2dd892986b2249b5214639ecc8ac0223 Intel::FILE_HASH Mandiant Apt1 Report T
+2e8484f59899046452392c236460ebb6 Intel::FILE_HASH Mandiant Apt1 Report T
+2ef062fa86537db34f5907a9775664a1 Intel::FILE_HASH Mandiant Apt1 Report T
+2f5979eaa728550a352c1ffee0b31236 Intel::FILE_HASH Mandiant Apt1 Report T
+2f930d92dc5ebc9d53ad2a2b451ebf65 Intel::FILE_HASH Mandiant Apt1 Report T
+2fae9efa753d3d821e1efdbc1335b966 Intel::FILE_HASH Mandiant Apt1 Report T
+2fccaa39533de02490b1c6395878dd79 Intel::FILE_HASH Mandiant Apt1 Report T
+30a7aa13b1f8d272cb36576952e8b6c0 Intel::FILE_HASH Mandiant Apt1 Report T
+30b3b17eab05ecffaa055b5091aa66f9 Intel::FILE_HASH Mandiant Apt1 Report T
+30e78d186b27d2023a2a7319bb679c3f Intel::FILE_HASH Mandiant Apt1 Report T
+3107de21e480ab1f2d67725f419b28d0 Intel::FILE_HASH Mandiant Apt1 Report T
+3120fc8630c5252002f26f6e11b09eca Intel::FILE_HASH Mandiant Apt1 Report T
+3122fbb558e1a5f32c90eba31f674add Intel::FILE_HASH Mandiant Apt1 Report T
+31b1d316b46c967c80fe7398a9e4cf41 Intel::FILE_HASH Mandiant Apt1 Report T
+31e5e58dbdfad05175613e795298ebb5 Intel::FILE_HASH Mandiant Apt1 Report T
+321d75c9990408db812e5a248a74f8c8 Intel::FILE_HASH Mandiant Apt1 Report T
+328c3ebb2fd2e170483e8d51ccc6c505 Intel::FILE_HASH Mandiant Apt1 Report T
+32c32e936cffa8ab370c7f3f2dd43d65 Intel::FILE_HASH Mandiant Apt1 Report T
+335df3ffb8cee61c20ab91a401204df4 Intel::FILE_HASH Mandiant Apt1 Report T
+3364813bcbd111fc5ec1e4265c533506 Intel::FILE_HASH Mandiant Apt1 Report T
+338782d2df367156a2c7e12e9526c600 Intel::FILE_HASH Mandiant Apt1 Report T
+33d974011c4b047bf9874a71ba261a11 Intel::FILE_HASH Mandiant Apt1 Report T
+33de5067a433a6ec5c328067dc18ec37 Intel::FILE_HASH Mandiant Apt1 Report T
+33e9ccd45ef133b2c100d5a4f50635d5 Intel::FILE_HASH Mandiant Apt1 Report T
+341f5e7215826d07ada1ed2b96264c0d Intel::FILE_HASH Mandiant Apt1 Report T
+342939e5fe4770c545659a6bf1e50df4 Intel::FILE_HASH Mandiant Apt1 Report T
+3441cbdf8de9472c19b021b241429b22 Intel::FILE_HASH Mandiant Apt1 Report T
+349f6cfb77bb360063c477e9b6ca24d6 Intel::FILE_HASH Mandiant Apt1 Report T
+34ca3fbcaac48498aeff6035b172bf69 Intel::FILE_HASH Mandiant Apt1 Report T
+34cebbb4d35a66a7a7fb1ce857c195c9 Intel::FILE_HASH Mandiant Apt1 Report T
+35008d12dfa47447112495f430e4aefe Intel::FILE_HASH Mandiant Apt1 Report T
+351afebaf03ef12e6ad1b412612d0c53 Intel::FILE_HASH Mandiant Apt1 Report T
+35b9f05cf70017cc485af87660109dc8 Intel::FILE_HASH Mandiant Apt1 Report T
+35f32431a069398d25efda2dafa32d93 Intel::FILE_HASH Mandiant Apt1 Report T
+36a7c3a6460c98e161e1005c925da0b2 Intel::FILE_HASH Mandiant Apt1 Report T
+36c0d3f109aede4d76b05431f8a64f9e Intel::FILE_HASH Mandiant Apt1 Report T
+36cd49ad631e99125a3bb2786e405cea Intel::FILE_HASH Mandiant Apt1 Report T
+36d5c8fc4b14559f73b6136d85b94198 Intel::FILE_HASH Mandiant Apt1 Report T
+370c50aea66cc338b37801e1bd1c244f Intel::FILE_HASH Mandiant Apt1 Report T
+37cf3f25895c27ca5e647bbfdc1d5b2d Intel::FILE_HASH Mandiant Apt1 Report T
+37ddd3d72ead03c7518f5d47650c8572 Intel::FILE_HASH Mandiant Apt1 Report T
+37df1896ba54e85ef549ccc1a88d34ab Intel::FILE_HASH Mandiant Apt1 Report T
+37e7dc80c1eb618b3cd1b442858afa60 Intel::FILE_HASH Mandiant Apt1 Report T
+37eee514b04167f8e17e2caa3bfd3049 Intel::FILE_HASH Mandiant Apt1 Report T
+389f43a8af199da8da6b7c75b2c69595 Intel::FILE_HASH Mandiant Apt1 Report T
+390d1f2a620912104f53c034c8aef14b Intel::FILE_HASH Mandiant Apt1 Report T
+39e28f48c138dc156d1436fd02222e45 Intel::FILE_HASH Mandiant Apt1 Report T
+3a3e4bca1197e4abab03340ea97d718d Intel::FILE_HASH Mandiant Apt1 Report T
+3a45d4bfd1f919f167ce4a5e5ba00e15 Intel::FILE_HASH Mandiant Apt1 Report T
+3a4cda1973cacd78740ff30774d6375e Intel::FILE_HASH Mandiant Apt1 Report T
+3abe9c84fc13d0a82c1c3e0dced5825d Intel::FILE_HASH Mandiant Apt1 Report T
+3b0829e2e966dae17d4c235893a3ae8a Intel::FILE_HASH Mandiant Apt1 Report T
+3b1b190407b868406c5c155a79f3d146 Intel::FILE_HASH Mandiant Apt1 Report T
+3b320b90e024bfa48bda72aa7a82322c Intel::FILE_HASH Mandiant Apt1 Report T
+3c1b2fabb7d74bc5be0820eae4107f8a Intel::FILE_HASH Mandiant Apt1 Report T
+3c4066b252722c873348d43b4c3ec0e5 Intel::FILE_HASH Mandiant Apt1 Report T
+3cda17269c246a2e3bfcda6fa02fceb8 Intel::FILE_HASH Mandiant Apt1 Report T
+3d0c1dc5ac55f6d0e6b7fabfeb5158f5 Intel::FILE_HASH Mandiant Apt1 Report T
+3d328395d0cefc67e2909774125196b1 Intel::FILE_HASH Mandiant Apt1 Report T
+3d573866620eae070a220be89e113f69 Intel::FILE_HASH Mandiant Apt1 Report T
+3d61d23c2be95177937aa50769c0c512 Intel::FILE_HASH Mandiant Apt1 Report T
+3d6fe3928f2f5ce41622f3f958b894a0 Intel::FILE_HASH Mandiant Apt1 Report T
+3de1bd0f2107198931177b2b23877df4 Intel::FILE_HASH Mandiant Apt1 Report T
+3de60420845a582b0e44081b1138a7e4 Intel::FILE_HASH Mandiant Apt1 Report T
+3e12ffa5ad676a41754e2cc59e980e57 Intel::FILE_HASH Mandiant Apt1 Report T
+3e32ab6a2eac5bd1cddd3146d1a1348b Intel::FILE_HASH Mandiant Apt1 Report T
+3e3e6fe1a8c6ffc00a9c644997a4f7a1 Intel::FILE_HASH Mandiant Apt1 Report T
+3e69945e5865ccc861f69b24bc1166b6 Intel::FILE_HASH Mandiant Apt1 Report T
+3e6ed3ee47bce9946e2541332cb34c69 Intel::FILE_HASH Mandiant Apt1 Report T
+3e72fd40e47e232496b303734f1b2b11 Intel::FILE_HASH Mandiant Apt1 Report T
+3e87051b1dc3463f378c7e1fe398dc7d Intel::FILE_HASH Mandiant Apt1 Report T
+3ea7bf3b469499f0f6d4a78af865138f Intel::FILE_HASH Mandiant Apt1 Report T
+3f19992be3606c136b15041207daf6e4 Intel::FILE_HASH Mandiant Apt1 Report T
+3f243b304358041fb163007e0c066d4a Intel::FILE_HASH Mandiant Apt1 Report T
+3f33c0dab564c35485fd227d97b98443 Intel::FILE_HASH Mandiant Apt1 Report T
+3f34e41d8ea034e6246ef6426bc91336 Intel::FILE_HASH Mandiant Apt1 Report T
+3f8682ab074a097ebbaadbf26dfff560 Intel::FILE_HASH Mandiant Apt1 Report T
+3fb8f4cdcb4d1d48be2e473fd8727239 Intel::FILE_HASH Mandiant Apt1 Report T
+3fc26910f9c31bd9ba3ccb09132d9ca3 Intel::FILE_HASH Mandiant Apt1 Report T
+40831b3799c94b609a91d517d14bea21 Intel::FILE_HASH Mandiant Apt1 Report T
+40b1e9cf468f499d749c0863cfa6c8c1 Intel::FILE_HASH Mandiant Apt1 Report T
+40ee45b1343406b6f7ad6204f1af7693 Intel::FILE_HASH Mandiant Apt1 Report T
+4111fbc14558385c10091543c439264a Intel::FILE_HASH Mandiant Apt1 Report T
+411d770b2939e968c692dbdd3116e179 Intel::FILE_HASH Mandiant Apt1 Report T
+4192479b055b2b21cb7e6c803b765d34 Intel::FILE_HASH Mandiant Apt1 Report T
+41a5d40ecc735172b18b61e01a30a178 Intel::FILE_HASH Mandiant Apt1 Report T
+41bb847963a8fce70ad21e70dd786107 Intel::FILE_HASH Mandiant Apt1 Report T
+41d623c1de3b0d182c51e56b2a3f3fba Intel::FILE_HASH Mandiant Apt1 Report T
+420deefd91db5e177b46e4134441a35e Intel::FILE_HASH Mandiant Apt1 Report T
+4227f2872817cfc74d134ee9f3d06d14 Intel::FILE_HASH Mandiant Apt1 Report T
+42462d31a2e5b1e4602a1a4d39abeca9 Intel::FILE_HASH Mandiant Apt1 Report T
+435991e0c67f0c0b4504355b6d4493f0 Intel::FILE_HASH Mandiant Apt1 Report T
+438401c9ae36e9ed1bf4f410ae116484 Intel::FILE_HASH Mandiant Apt1 Report T
+438983192903f3fecf77500a39459ee6 Intel::FILE_HASH Mandiant Apt1 Report T
+43b844c35e1a933e9214588be81ce772 Intel::FILE_HASH Mandiant Apt1 Report T
+44066f29aab6a9379f8dd30f6bec257d Intel::FILE_HASH Mandiant Apt1 Report T
+456d298649a7ec31a7250ed9312ebbaf Intel::FILE_HASH Mandiant Apt1 Report T
+45aa4177bb42eb3ded5edf397a4aaded Intel::FILE_HASH Mandiant Apt1 Report T
+465b085d3ddd22f63d8f7721ce5736d7 Intel::FILE_HASH Mandiant Apt1 Report T
+46817cabd6618d2126067430a78f06a3 Intel::FILE_HASH Mandiant Apt1 Report T
+468ff2c12cffc7e5b2fe0ee6bb3b239e Intel::FILE_HASH Mandiant Apt1 Report T
+46a86e3c12d5025aa78c7ddf46717c38 Intel::FILE_HASH Mandiant Apt1 Report T
+46acae84a04e41730d0502d9080bbb4a Intel::FILE_HASH Mandiant Apt1 Report T
+46c36c11238100e155f6d418332869ea Intel::FILE_HASH Mandiant Apt1 Report T
+471005f73280264c48f769e1c21fbcc1 Intel::FILE_HASH Mandiant Apt1 Report T
+4749f6336eb86b5fa7029661f88ded20 Intel::FILE_HASH Mandiant Apt1 Report T
+476fea8761a03bef16e322996c2f6666 Intel::FILE_HASH Mandiant Apt1 Report T
+4788960e489197f2633f581607eb0d26 Intel::FILE_HASH Mandiant Apt1 Report T
+47e7f92419eb4b98ff4124c3ca11b738 Intel::FILE_HASH Mandiant Apt1 Report T
+494637c4ac6d04bb50a681e87b81043f Intel::FILE_HASH Mandiant Apt1 Report T
+494fca685834f3158d133f6b09cbb507 Intel::FILE_HASH Mandiant Apt1 Report T
+4962cb3f255b2eaf48847c754d2a553d Intel::FILE_HASH Mandiant Apt1 Report T
+496f04719a365f9718919002eff5748b Intel::FILE_HASH Mandiant Apt1 Report T
+497f07f54a4c29fe3be1a15f4516e32d Intel::FILE_HASH Mandiant Apt1 Report T
+49bacedcd18f6d8929d43a10dae8645f Intel::FILE_HASH Mandiant Apt1 Report T
+4a2320b41a5216c741bf63fce562961a Intel::FILE_HASH Mandiant Apt1 Report T
+4a54d7878d4170c3d4e3c3606365c42c Intel::FILE_HASH Mandiant Apt1 Report T
+4aadab80ce16c588b8719f15e84aba82 Intel::FILE_HASH Mandiant Apt1 Report T
+4ab62c8e525bee410cd4b6cfeea7d221 Intel::FILE_HASH Mandiant Apt1 Report T
+4ad4258b73430fc3e843a2e59d8ee70a Intel::FILE_HASH Mandiant Apt1 Report T
+4b19a2a6d40a5825e868c6ef25ae445e Intel::FILE_HASH Mandiant Apt1 Report T
+4c6bddcca2695d6202df38708e14fc7e Intel::FILE_HASH Mandiant Apt1 Report T
+4c858a80df0d6de5d69824c9502b65cf Intel::FILE_HASH Mandiant Apt1 Report T
+4c9c9dbf388a8d81d8cfb4d3fc05f8e4 Intel::FILE_HASH Mandiant Apt1 Report T
+4cabfaef26fd8e5aec01d0c4b90a32f3 Intel::FILE_HASH Mandiant Apt1 Report T
+4cd3bed14aaffcf61f4d2948484c4c90 Intel::FILE_HASH Mandiant Apt1 Report T
+4d21cc82e4031e1d6bb15541827b9e67 Intel::FILE_HASH Mandiant Apt1 Report T
+4e1a92036a577a87a6fa36168d192c4b Intel::FILE_HASH Mandiant Apt1 Report T
+4e3ddb5c27e45ee0e6dcc02e87b0abb5 Intel::FILE_HASH Mandiant Apt1 Report T
+4e551abcd14506092a0f8d54a45f3569 Intel::FILE_HASH Mandiant Apt1 Report T
+4f65bc571cdd9c9cd11e771e1db35a4c Intel::FILE_HASH Mandiant Apt1 Report T
+4f763b07a7b8a80f1f9408e590f79532 Intel::FILE_HASH Mandiant Apt1 Report T
+50361f8793258b6e883b31269e053ed2 Intel::FILE_HASH Mandiant Apt1 Report T
+50a3aaaebae6cee7ecb150ac395276b9 Intel::FILE_HASH Mandiant Apt1 Report T
+50f35b7c86aede891a72fcb85f06b0b7 Intel::FILE_HASH Mandiant Apt1 Report T
+5100f0a34695c4c9dc7e915177041cad Intel::FILE_HASH Mandiant Apt1 Report T
+51326bf40da5a5357a143dd9a6e6a11c Intel::FILE_HASH Mandiant Apt1 Report T
+51ce169debea41314f591290839fd55f Intel::FILE_HASH Mandiant Apt1 Report T
+522d32a505f78f09303e689999a3e461 Intel::FILE_HASH Mandiant Apt1 Report T
+523cf1c9741f5f9d11388a58de6a83a4 Intel::FILE_HASH Mandiant Apt1 Report T
+523f56515221161579ee6090c962e5b1 Intel::FILE_HASH Mandiant Apt1 Report T
+52509abd1cc7b7fb391b19929e0d99c0 Intel::FILE_HASH Mandiant Apt1 Report T
+52bd3ceef33900d53315f89538128026 Intel::FILE_HASH Mandiant Apt1 Report T
+52cb7fed85bd7ff6797fbc70105a09fe Intel::FILE_HASH Mandiant Apt1 Report T
+531a3b0acd95f55c3a7418d31f741357 Intel::FILE_HASH Mandiant Apt1 Report T
+53600687ec97c297f03b4f0f4710d0c5 Intel::FILE_HASH Mandiant Apt1 Report T
+53b263dd41838aa178a5ced338a207f3 Intel::FILE_HASH Mandiant Apt1 Report T
+543c283d691939d99667e22bcb7be610 Intel::FILE_HASH Mandiant Apt1 Report T
+543e03cc5872e9ed870b2d64363f518b Intel::FILE_HASH Mandiant Apt1 Report T
+54d5d171a482278cc8eacf08d9175fd7 Intel::FILE_HASH Mandiant Apt1 Report T
+5537bdce991797198a9ff97ff1492f90 Intel::FILE_HASH Mandiant Apt1 Report T
+55886d571c2a57984ea9659b57e1c63a Intel::FILE_HASH Mandiant Apt1 Report T
+55bd26326db3d512b6bd9f75d6671819 Intel::FILE_HASH Mandiant Apt1 Report T
+55f60194833efcbc8ac16bd0a1cced1a Intel::FILE_HASH Mandiant Apt1 Report T
+55fb1409170c91740359d1d96364f17b Intel::FILE_HASH Mandiant Apt1 Report T
+5613e6d7111b327307c02bec1701ac3f Intel::FILE_HASH Mandiant Apt1 Report T
+565b6fedccab184c92e40483ea49a25f Intel::FILE_HASH Mandiant Apt1 Report T
+567395a3c720fcd09eb75b6c188b8687 Intel::FILE_HASH Mandiant Apt1 Report T
+56892b0befe8b7a188fdb7e72a07e60f Intel::FILE_HASH Mandiant Apt1 Report T
+56a5d0575c0c712deb16f465ac888a65 Intel::FILE_HASH Mandiant Apt1 Report T
+56c26b175ae23d90244805a6ec347e42 Intel::FILE_HASH Mandiant Apt1 Report T
+56c8ff5c6832f1e31a59e0717c3ab79c Intel::FILE_HASH Mandiant Apt1 Report T
+56de2854ef64d869b5df7af5e4effe3e Intel::FILE_HASH Mandiant Apt1 Report T
+56dff5cdfee293100b59096326fb0daf Intel::FILE_HASH Mandiant Apt1 Report T
+57326cd78a56d26e349bbd4bcc5b9fa2 Intel::FILE_HASH Mandiant Apt1 Report T
+575836ebb1b8849f04e994e9160370e4 Intel::FILE_HASH Mandiant Apt1 Report T
+5790c7c09735cf1ccf10625c7cd87f5e Intel::FILE_HASH Mandiant Apt1 Report T
+57cbf78c226265cc1e61ad86779bf906 Intel::FILE_HASH Mandiant Apt1 Report T
+57cfef3e32e60df11b8d2c5375f3185c Intel::FILE_HASH Mandiant Apt1 Report T
+57e79f7df13c0cb01910d0c688fcd296 Intel::FILE_HASH Mandiant Apt1 Report T
+57f98d16ac439a11012860f88db21831 Intel::FILE_HASH Mandiant Apt1 Report T
+580a4c05982accc678a72c366b45815d Intel::FILE_HASH Mandiant Apt1 Report T
+585691777080b419b523938edd3ba2d6 Intel::FILE_HASH Mandiant Apt1 Report T
+588c40520a3cea27d2b35cd1fa05e23f Intel::FILE_HASH Mandiant Apt1 Report T
+58b020fd3bc0d34e8c4eaf0a3f3135af Intel::FILE_HASH Mandiant Apt1 Report T
+592a33f691daa01ccbfc8078ad961b43 Intel::FILE_HASH Mandiant Apt1 Report T
+59620925bf1c4f760c4bf225c7efd6c0 Intel::FILE_HASH Mandiant Apt1 Report T
+5a032c13942a46c5ae015f53d9ce138a Intel::FILE_HASH Mandiant Apt1 Report T
+5a3abb8053c271c58e879b3b9cf8c8f5 Intel::FILE_HASH Mandiant Apt1 Report T
+5a728cb9ce56763dccb32b5298d0f050 Intel::FILE_HASH Mandiant Apt1 Report T
+5aeaa53340a281074fcb539967438e3f Intel::FILE_HASH Mandiant Apt1 Report T
+5bac505fdc202e1c6507ef381a881ed1 Intel::FILE_HASH Mandiant Apt1 Report T
+5bcaa2f4bc7567f6ffd5507a161e221a Intel::FILE_HASH Mandiant Apt1 Report T
+5bd5a22d42c04db7ac1343a2a9f471fe Intel::FILE_HASH Mandiant Apt1 Report T
+5c4806b5859b35a3df03763e9c7ecbf6 Intel::FILE_HASH Mandiant Apt1 Report T
+5c6f30cc369cd164d44941d381e282cc Intel::FILE_HASH Mandiant Apt1 Report T
+5ccb52a8e3c31dde2ddbc486a2215e85 Intel::FILE_HASH Mandiant Apt1 Report T
+5cd578614afb50b925008b68b3accdb9 Intel::FILE_HASH Mandiant Apt1 Report T
+5cd7526fc7d849cbbf8c9d1ffe97a991 Intel::FILE_HASH Mandiant Apt1 Report T
+5cf0959687427850a92d7f69edd41b86 Intel::FILE_HASH Mandiant Apt1 Report T
+5d8129be965fab8115eca34fc84bd7f0 Intel::FILE_HASH Mandiant Apt1 Report T
+5dea347d29a3e9c21c52385a10224b65 Intel::FILE_HASH Mandiant Apt1 Report T
+5e17055c51724b0b89ff036d02f5208a Intel::FILE_HASH Mandiant Apt1 Report T
+5e1d81618eaf005b8e0cd63fbc9a4937 Intel::FILE_HASH Mandiant Apt1 Report T
+5e33a9835bced338cb1959c347ac6798 Intel::FILE_HASH Mandiant Apt1 Report T
+5e42780f52763c77d592044e535e4b01 Intel::FILE_HASH Mandiant Apt1 Report T
+5e686bd284022e35559a9c6118df8f1e Intel::FILE_HASH Mandiant Apt1 Report T
+5f837bbfd3b458321070e2aebca4ec46 Intel::FILE_HASH Mandiant Apt1 Report T
+5fa50476240c9c59cb72b345751434ce Intel::FILE_HASH Mandiant Apt1 Report T
+5ff3269faca4a67d1a4c537154aaad4b Intel::FILE_HASH Mandiant Apt1 Report T
+6040dd5b603483f738be6a02a63538f2 Intel::FILE_HASH Mandiant Apt1 Report T
+605c1dc91a5c85024160ce78dfac842d Intel::FILE_HASH Mandiant Apt1 Report T
+609d917a7f0c526b0d8091c8191da376 Intel::FILE_HASH Mandiant Apt1 Report T
+611b1577ba976f76fc01368545bc395c Intel::FILE_HASH Mandiant Apt1 Report T
+611c8f862864af818202865b78ad7ca8 Intel::FILE_HASH Mandiant Apt1 Report T
+61daab56e07dfa3a236d8aec9eb80545 Intel::FILE_HASH Mandiant Apt1 Report T
+61e0da42d5d084af24d31fbcef4ff409 Intel::FILE_HASH Mandiant Apt1 Report T
+620c6a6cff832e35090487680123f52b Intel::FILE_HASH Mandiant Apt1 Report T
+62a35021454e17f4a913e577d7ecd22f Intel::FILE_HASH Mandiant Apt1 Report T
+62bee50b480f6a6aa427a00464baf376 Intel::FILE_HASH Mandiant Apt1 Report T
+62c72767508e461cfe94b0c706e6d446 Intel::FILE_HASH Mandiant Apt1 Report T
+62d60a1cd1e7ba73aebc98812e5ac266 Intel::FILE_HASH Mandiant Apt1 Report T
+62ea10608f0d54cd284e8d7be32f206e Intel::FILE_HASH Mandiant Apt1 Report T
+633cb95904ab9dc0a3de4ddd443494e8 Intel::FILE_HASH Mandiant Apt1 Report T
+6377ec0c87f4ec1e7897751dd85d73d4 Intel::FILE_HASH Mandiant Apt1 Report T
+63db2f4fd717723f0e6f94e0a6a62c7b Intel::FILE_HASH Mandiant Apt1 Report T
+6461ea41f179e660c40ed65aee1a4a2d Intel::FILE_HASH Mandiant Apt1 Report T
+648ce1c45927b24563dd8361a1b74311 Intel::FILE_HASH Mandiant Apt1 Report T
+649d54bc9eef5a60a4b9d8b889fee139 Intel::FILE_HASH Mandiant Apt1 Report T
+64fa1239f5aa9a9031e61533283f8c22 Intel::FILE_HASH Mandiant Apt1 Report T
+65018cd542145a3792ba09985734c12a Intel::FILE_HASH Mandiant Apt1 Report T
+650a6fca433ee243391e4b4c11f09438 Intel::FILE_HASH Mandiant Apt1 Report T
+6510cee34da30c7ef5e5e39980402257 Intel::FILE_HASH Mandiant Apt1 Report T
+651d83c1b85acb204abd5bf7990a1298 Intel::FILE_HASH Mandiant Apt1 Report T
+656baf38fa5ee776e2576cead664d004 Intel::FILE_HASH Mandiant Apt1 Report T
+6570163cd34454b3d1476c134d44b9d9 Intel::FILE_HASH Mandiant Apt1 Report T
+6576c196385407b0f7f4b1b537d88983 Intel::FILE_HASH Mandiant Apt1 Report T
+668b92feb7cbcc7ac75ff97dcec28d10 Intel::FILE_HASH Mandiant Apt1 Report T
+66c287675cd4c7172590f71181e723a8 Intel::FILE_HASH Mandiant Apt1 Report T
+67504a0c2c2bf47efccdab5ca981ad7d Intel::FILE_HASH Mandiant Apt1 Report T
+6767eeb485232436de9553988765fb89 Intel::FILE_HASH Mandiant Apt1 Report T
+67f62f5accfeacf5e828c3b3905248fe Intel::FILE_HASH Mandiant Apt1 Report T
+6808ec6dbb23f0fa7637c108f44c5c80 Intel::FILE_HASH Mandiant Apt1 Report T
+6846ad52c9208830ceaf4cfd81402015 Intel::FILE_HASH Mandiant Apt1 Report T
+687a58dcbc076b04bef4ec6050310fb5 Intel::FILE_HASH Mandiant Apt1 Report T
+689dcd40d5eae8c0d315265f3d90ffae Intel::FILE_HASH Mandiant Apt1 Report T
+68af7be698e8a7408451c158c04a9712 Intel::FILE_HASH Mandiant Apt1 Report T
+68c67a6e26855ebc2569d67689c69a6e Intel::FILE_HASH Mandiant Apt1 Report T
+68d2fd5049e70942d164e4e25d13dd8e Intel::FILE_HASH Mandiant Apt1 Report T
+68e5bff12ac33ecb98977afed51ebad0 Intel::FILE_HASH Mandiant Apt1 Report T
+693f711d8fab66a3efca98a19a733d56 Intel::FILE_HASH Mandiant Apt1 Report T
+698fbe7ed1ddd7f5c76b86fad3f7a485 Intel::FILE_HASH Mandiant Apt1 Report T
+69dc1e1ee273e531e91c60eb86396cc8 Intel::FILE_HASH Mandiant Apt1 Report T
+6a4fbcfb44717eae2145c761c1c99b6a Intel::FILE_HASH Mandiant Apt1 Report T
+6a88f170ab6cb0f9b3252adc61b4f487 Intel::FILE_HASH Mandiant Apt1 Report T
+6ab7fa8e5fb63b8d0723387d0a1ffe6d Intel::FILE_HASH Mandiant Apt1 Report T
+6b3d19cc86d82b06f5db3ae9d5ba8a5f Intel::FILE_HASH Mandiant Apt1 Report T
+6b4ac249f918be9f7bc64ae7fdda947e Intel::FILE_HASH Mandiant Apt1 Report T
+6b6c4c0e2959df248be90d89899953a9 Intel::FILE_HASH Mandiant Apt1 Report T
+6bf8f1f99ac5bba0db1b66518df378a4 Intel::FILE_HASH Mandiant Apt1 Report T
+6bf9083f1567edce004bd1f7c456659d Intel::FILE_HASH Mandiant Apt1 Report T
+6c5c5e4049265fffc87973f3e4978b26 Intel::FILE_HASH Mandiant Apt1 Report T
+6c65c697bcff935484a5cd2e7dd2e7d2 Intel::FILE_HASH Mandiant Apt1 Report T
+6c9c9e40683467f60b910d5bad5285ae Intel::FILE_HASH Mandiant Apt1 Report T
+6ca59c9c4165796e08ba6ca3eeffdee6 Intel::FILE_HASH Mandiant Apt1 Report T
+6d2320af561b2315c1241e3efd86067f Intel::FILE_HASH Mandiant Apt1 Report T
+6db47757ba324bb61ce3cbcabbec52d4 Intel::FILE_HASH Mandiant Apt1 Report T
+6deae79fc82df523ba99852266a33f9e Intel::FILE_HASH Mandiant Apt1 Report T
+6e442c5ef460bee4c9457c6bf7a132d6 Intel::FILE_HASH Mandiant Apt1 Report T
+6e8f302794cfaae731840e345063e652 Intel::FILE_HASH Mandiant Apt1 Report T
+6e9bedcf80f21171adb951a0d85d2adb Intel::FILE_HASH Mandiant Apt1 Report T
+6eb99bed5b5fcb3fdb26f37aff2c9adb Intel::FILE_HASH Mandiant Apt1 Report T
+6ebbfa603aa4e90148ad0b726806c359 Intel::FILE_HASH Mandiant Apt1 Report T
+6ebd05a02459d3b22a9d4a79b8626bf1 Intel::FILE_HASH Mandiant Apt1 Report T
+6eebee2aebd5194db62cb8230502378c Intel::FILE_HASH Mandiant Apt1 Report T
+6f4182baa5a57b717cb9d850dfadb60a Intel::FILE_HASH Mandiant Apt1 Report T
+6f551594fdf3539c62389c0cf0d2e16a Intel::FILE_HASH Mandiant Apt1 Report T
+6f6abd53e10567d1534514fc36fca2e9 Intel::FILE_HASH Mandiant Apt1 Report T
+6f9992c486195edcf0bf2f6ee6c3ec74 Intel::FILE_HASH Mandiant Apt1 Report T
+6faa4740f99408d4d2dddd0b09bbdefd Intel::FILE_HASH Mandiant Apt1 Report T
+6fbf667e82c1477c4ce635b57b83bfa0 Intel::FILE_HASH Mandiant Apt1 Report T
+6fdec862951e8b128cd7a07b2031eef6 Intel::FILE_HASH Mandiant Apt1 Report T
+70a55fdc712c6e31e013e6b5d412b0d6 Intel::FILE_HASH Mandiant Apt1 Report T
+70bb674fc97d7bf4d8dbbe3636f65c4a Intel::FILE_HASH Mandiant Apt1 Report T
+70c10f8b4dcd01b07be6cfb4df0d3348 Intel::FILE_HASH Mandiant Apt1 Report T
+70e2827ab4af1a38dc09a02fa95b82fe Intel::FILE_HASH Mandiant Apt1 Report T
+71173ad2bc7b39342b1bdaadeaaa0d8a Intel::FILE_HASH Mandiant Apt1 Report T
+7127241c033c403b18bd281d0dfc4e31 Intel::FILE_HASH Mandiant Apt1 Report T
+71536d2e95420c55412c12dffea1a0a6 Intel::FILE_HASH Mandiant Apt1 Report T
+7253de652a025b2b4fa7b02e97a1ee6b Intel::FILE_HASH Mandiant Apt1 Report T
+727a6800991eead454e53e8af164a99c Intel::FILE_HASH Mandiant Apt1 Report T
+7388d67561d0a7989202ad4d37eff24f Intel::FILE_HASH Mandiant Apt1 Report T
+73a63c21a08b0ad2c69999e448f8e6a1 Intel::FILE_HASH Mandiant Apt1 Report T
+73d125f84503bd87f8142cf2ba8ab05e Intel::FILE_HASH Mandiant Apt1 Report T
+74b3ee9f3f6c52413db6e5c9ace34893 Intel::FILE_HASH Mandiant Apt1 Report T
+75372eb37415140fa5464f1ebb8a0e74 Intel::FILE_HASH Mandiant Apt1 Report T
+753ec12f61c2f7c9a5763c9063a16106 Intel::FILE_HASH Mandiant Apt1 Report T
+759b320aca72ba446e7e156407ebc10d Intel::FILE_HASH Mandiant Apt1 Report T
+75dad1ccabae8adeb5bae899d0c630f8 Intel::FILE_HASH Mandiant Apt1 Report T
+75f37a69664362462ad491741a34f195 Intel::FILE_HASH Mandiant Apt1 Report T
+75ff4bd6b209b6f10472c4cd22e3f9e6 Intel::FILE_HASH Mandiant Apt1 Report T
+760339e927e391e289bd91bad4cd59c3 Intel::FILE_HASH Mandiant Apt1 Report T
+769aeae232c6162cedcb6c7255640c4c Intel::FILE_HASH Mandiant Apt1 Report T
+76ba06bac23a2c445cb982bf38b82199 Intel::FILE_HASH Mandiant Apt1 Report T
+76bf44d7734ec8581e846a9f3005aed4 Intel::FILE_HASH Mandiant Apt1 Report T
+76c1b246703a10cb6e71a3e5b7b55b24 Intel::FILE_HASH Mandiant Apt1 Report T
+76f6c7301dbf0219eae991d65804292a Intel::FILE_HASH Mandiant Apt1 Report T
+7704ad9e8e0e3d75075e4c294f698d53 Intel::FILE_HASH Mandiant Apt1 Report T
+7712d05c8b499fc7a1f4a6a6b6dee825 Intel::FILE_HASH Mandiant Apt1 Report T
+772c771e13e599cbf25bf9e0199681f7 Intel::FILE_HASH Mandiant Apt1 Report T
+77382bb7fd431211b32d84d4de74b043 Intel::FILE_HASH Mandiant Apt1 Report T
+775459afc5415984dfa2a0f533011763 Intel::FILE_HASH Mandiant Apt1 Report T
+77afced93e20b1bb906796197fa1dd1d Intel::FILE_HASH Mandiant Apt1 Report T
+77dc072fdd632c12bacc09ceb8e6ee39 Intel::FILE_HASH Mandiant Apt1 Report T
+77fbfed235d6062212a3e43211a5706e Intel::FILE_HASH Mandiant Apt1 Report T
+785003a405bc7a4ebcbb21ddb757bf3f Intel::FILE_HASH Mandiant Apt1 Report T
+78524ba7f66c0ec4a3755e51709db1aa Intel::FILE_HASH Mandiant Apt1 Report T
+7852b941a46e37fe9b332b1be77a6960 Intel::FILE_HASH Mandiant Apt1 Report T
+79841c13f645118a600d19def3642d1a Intel::FILE_HASH Mandiant Apt1 Report T
+79f3bac2826f8511c96240758af116b4 Intel::FILE_HASH Mandiant Apt1 Report T
+7a2692cafec377c444bc3147fc43e57f Intel::FILE_HASH Mandiant Apt1 Report T
+7a2eba5ca6f9b2cec61c5cc55dfca762 Intel::FILE_HASH Mandiant Apt1 Report T
+7a660a9e48f6065333f388f2c0a67bd8 Intel::FILE_HASH Mandiant Apt1 Report T
+7a670d13d4d014169c4080328b8feb86 Intel::FILE_HASH Mandiant Apt1 Report T
+7a7a46e8fbc25a624d58e897dee04ffa Intel::FILE_HASH Mandiant Apt1 Report T
+7ab86c938b960dfc0c4ffbadd4163666 Intel::FILE_HASH Mandiant Apt1 Report T
+7acb0d1df51706536f33bbdb990041d3 Intel::FILE_HASH Mandiant Apt1 Report T
+7aecb34616245eb6b2906358151be55b Intel::FILE_HASH Mandiant Apt1 Report T
+7aef47f9fd84669976c4b152910a6328 Intel::FILE_HASH Mandiant Apt1 Report T
+7af399ff99109a9501da73337c0bdf4b Intel::FILE_HASH Mandiant Apt1 Report T
+7b3ce6c2af1acd119a25831fac670bab Intel::FILE_HASH Mandiant Apt1 Report T
+7b42b35832855ab4ff37ae9b8fa9e571 Intel::FILE_HASH Mandiant Apt1 Report T
+7b451bbbdc840378b785bed6b9e30e0f Intel::FILE_HASH Mandiant Apt1 Report T
+7be6c90facbfe9ecf470fb27e6673fbc Intel::FILE_HASH Mandiant Apt1 Report T
+7bfeb0eaa1c51513e60bc0abafb1be9f Intel::FILE_HASH Mandiant Apt1 Report T
+7c82cd17b0fa420f09f97e060621ed7b Intel::FILE_HASH Mandiant Apt1 Report T
+7cb055ac3acbf53e07e20b65ec9126a1 Intel::FILE_HASH Mandiant Apt1 Report T
+7ce16b35201d8d35965ec7aeebdc80ff Intel::FILE_HASH Mandiant Apt1 Report T
+7d0efb2480834a6a80210b7342d51154 Intel::FILE_HASH Mandiant Apt1 Report T
+7d25a80fe2c42368adaea5fcbab866b6 Intel::FILE_HASH Mandiant Apt1 Report T
+7d3140bd028f70f1fa865364b69c5999 Intel::FILE_HASH Mandiant Apt1 Report T
+7deed54a40efc12ea03e3f1859522862 Intel::FILE_HASH Mandiant Apt1 Report T
+7e56369d466dd3d85a9b31f65ee8e551 Intel::FILE_HASH Mandiant Apt1 Report T
+7e64b28b0050d23970478c81e8037470 Intel::FILE_HASH Mandiant Apt1 Report T
+7e8d1f26679a88268e273ab498e597f4 Intel::FILE_HASH Mandiant Apt1 Report T
+7eedcd6d00b4f08b825b4c134b6d8f1a Intel::FILE_HASH Mandiant Apt1 Report T
+7f1a4bc267ace340a5aa7a0b79cbf349 Intel::FILE_HASH Mandiant Apt1 Report T
+7f26403f8e59a5f2728af2d3e0efaabb Intel::FILE_HASH Mandiant Apt1 Report T
+7f398b00546c3a0946cd6142c308a556 Intel::FILE_HASH Mandiant Apt1 Report T
+7fc52a32337386d867a952a2c8644353 Intel::FILE_HASH Mandiant Apt1 Report T
+80856bd8ef7d5dbc3dc774f581855549 Intel::FILE_HASH Mandiant Apt1 Report T
+80bca9f272152280a462f84f1588c0cc Intel::FILE_HASH Mandiant Apt1 Report T
+8153b612499dbf432e2d9805b20ae783 Intel::FILE_HASH Mandiant Apt1 Report T
+815a89041dea3e56348f8f5c8b7d1457 Intel::FILE_HASH Mandiant Apt1 Report T
+81602ce95a4b7f3d3cd1953a2456cd92 Intel::FILE_HASH Mandiant Apt1 Report T
+81b03cbcfc4b9d090cd8f5e5da816895 Intel::FILE_HASH Mandiant Apt1 Report T
+81ce61ed2dc567ce70589386563890ca Intel::FILE_HASH Mandiant Apt1 Report T
+82390e18379710df84d48881a1c1d0ed Intel::FILE_HASH Mandiant Apt1 Report T
+827040a5f5ae8de281a63899224b2f3a Intel::FILE_HASH Mandiant Apt1 Report T
+82b065518f085c6ceb0a9135ab51df41 Intel::FILE_HASH Mandiant Apt1 Report T
+830a748959bdd1ad3b6a1f72aab6f063 Intel::FILE_HASH Mandiant Apt1 Report T
+830e5cd6d590aa65dd3e2c1a01b42259 Intel::FILE_HASH Mandiant Apt1 Report T
+831a67dc75e2d4505180888747bc8ea9 Intel::FILE_HASH Mandiant Apt1 Report T
+8387adb5325035baa3fe3a2b0cb4921a Intel::FILE_HASH Mandiant Apt1 Report T
+839c8c06c4d81f523078b0d45d8250ff Intel::FILE_HASH Mandiant Apt1 Report T
+83b3711c32d28a87b173e7e5aba5f826 Intel::FILE_HASH Mandiant Apt1 Report T
+8412a3e37499f8289faf54546824ab61 Intel::FILE_HASH Mandiant Apt1 Report T
+8442ae37b91f279a9f06de4c60b286a3 Intel::FILE_HASH Mandiant Apt1 Report T
+8454918f639a1b0719e00627f211d2ed Intel::FILE_HASH Mandiant Apt1 Report T
+8462a62f13f92c34e4b89a7d13a185ad Intel::FILE_HASH Mandiant Apt1 Report T
+855ca1b45a247754ad91d50827a2e16c Intel::FILE_HASH Mandiant Apt1 Report T
+85c4081a97255ac7ca7d0d5554e86ec1 Intel::FILE_HASH Mandiant Apt1 Report T
+85c828f5ea5d99e0c98017f6d6be243f Intel::FILE_HASH Mandiant Apt1 Report T
+86a906db5686bbf487689937d15bf71a Intel::FILE_HASH Mandiant Apt1 Report T
+86b1f3874bf741a3f9c0d74625af5f8d Intel::FILE_HASH Mandiant Apt1 Report T
+86b68ad2e9c33eadf134285ea142ccc2 Intel::FILE_HASH Mandiant Apt1 Report T
+86dd715a8d28788e68a575207d66df34 Intel::FILE_HASH Mandiant Apt1 Report T
+871cc547feb9dbec0285321068e392b8 Intel::FILE_HASH Mandiant Apt1 Report T
+8725870a43192cb0176c82012996910a Intel::FILE_HASH Mandiant Apt1 Report T
+874bb818208655b59a8c4c1ae2aef379 Intel::FILE_HASH Mandiant Apt1 Report T
+876ee736ebad6917a259456fc3a2f11b Intel::FILE_HASH Mandiant Apt1 Report T
+87efe3671ef8f1eca57f2d8f7e4711d9 Intel::FILE_HASH Mandiant Apt1 Report T
+8845cb5b4e450cb10a3b6ca41a9b4319 Intel::FILE_HASH Mandiant Apt1 Report T
+88b5f635ac9031bcdeda1f751952f966 Intel::FILE_HASH Mandiant Apt1 Report T
+88c7c50cd4130561d57a1d3b82c5b953 Intel::FILE_HASH Mandiant Apt1 Report T
+88dbcc682635b4013bcba5ad28bb976b Intel::FILE_HASH Mandiant Apt1 Report T
+8913ac72cdb8afd98bd8446896e1595a Intel::FILE_HASH Mandiant Apt1 Report T
+89164a973ae081991a973aa9d5cdee7c Intel::FILE_HASH Mandiant Apt1 Report T
+8934aeed5d213fe29e858eee616a6ec7 Intel::FILE_HASH Mandiant Apt1 Report T
+898a8a43c8708961094944fb42c278ab Intel::FILE_HASH Mandiant Apt1 Report T
+89a2802e2f2356ce6a757f833c3ba3ef Intel::FILE_HASH Mandiant Apt1 Report T
+8a7764ded8467bd0fd0c30adc2acc1d4 Intel::FILE_HASH Mandiant Apt1 Report T
+8a86df3d382bfd1e4c4165f4cacfdff8 Intel::FILE_HASH Mandiant Apt1 Report T
+8b75bcbff174c25a0161f30758509a44 Intel::FILE_HASH Mandiant Apt1 Report T
+8bf9698c18b2aa23f71444af2571a6ad Intel::FILE_HASH Mandiant Apt1 Report T
+8c57b287a1d2140ccedd6cd097d62ded Intel::FILE_HASH Mandiant Apt1 Report T
+8c6ece2ade2bfad3171c925baa64af50 Intel::FILE_HASH Mandiant Apt1 Report T
+8c9871a9eb88ffc43507f988b222dc52 Intel::FILE_HASH Mandiant Apt1 Report T
+8cb321a7871706fb6246489cb7c4da03 Intel::FILE_HASH Mandiant Apt1 Report T
+8cda4e0ee20ddd00003caf7947af7fe4 Intel::FILE_HASH Mandiant Apt1 Report T
+8d251ef81b1e2251601a7b2b0c03ec05 Intel::FILE_HASH Mandiant Apt1 Report T
+8d81eeaeb0bd74a1faab257079452078 Intel::FILE_HASH Mandiant Apt1 Report T
+8dc3561ca52bfe40089f3ee0af7fdd9d Intel::FILE_HASH Mandiant Apt1 Report T
+8dfbf8a46d3a302fd420305918e9414d Intel::FILE_HASH Mandiant Apt1 Report T
+8e1ec7e556b8c6612b6c34e310c50b66 Intel::FILE_HASH Mandiant Apt1 Report T
+8e8622c393d7e832d39e620ead5d3b49 Intel::FILE_HASH Mandiant Apt1 Report T
+8f3d20c983f9d82a8ff17466f45ee757 Intel::FILE_HASH Mandiant Apt1 Report T
+8f4863b4dfb52d8362c031d3720a6d97 Intel::FILE_HASH Mandiant Apt1 Report T
+8fc5fb519a222ab919f28d21545774c6 Intel::FILE_HASH Mandiant Apt1 Report T
+8fdb15f3d5480de78c61ccef23722683 Intel::FILE_HASH Mandiant Apt1 Report T
+91dc97c4b66e3282e1aa831e0bb0bb14 Intel::FILE_HASH Mandiant Apt1 Report T
+91deceb64c795927c6ea07f695f67334 Intel::FILE_HASH Mandiant Apt1 Report T
+91f538c08b9dee1bb0c6b6c82f727c5d Intel::FILE_HASH Mandiant Apt1 Report T
+9206ae65b685dc7ea1cf1ec02606de6c Intel::FILE_HASH Mandiant Apt1 Report T
+929802a27737cebc59d19da724fdf30a Intel::FILE_HASH Mandiant Apt1 Report T
+933b11bc4799f8d9f65466fb2e3ea659 Intel::FILE_HASH Mandiant Apt1 Report T
+9371fcd92ef86ccf450af903bc74ec01 Intel::FILE_HASH Mandiant Apt1 Report T
+9400fb97c145587b17fb456fac636771 Intel::FILE_HASH Mandiant Apt1 Report T
+94a59ce0fadf84f6efa10fe7d5ee3a03 Intel::FILE_HASH Mandiant Apt1 Report T
+950234183528ce107d65b700be1bbbd3 Intel::FILE_HASH Mandiant Apt1 Report T
+9548e5ed4fbacd0ed4a9d6a27f5d8fec Intel::FILE_HASH Mandiant Apt1 Report T
+959c680c26f26e7f1dd61607942dc96a Intel::FILE_HASH Mandiant Apt1 Report T
+95d85aa629a786bb67439a064c4349ec Intel::FILE_HASH Mandiant Apt1 Report T
+95f25d3afc5370f5d9fd8e65c17d3599 Intel::FILE_HASH Mandiant Apt1 Report T
+966db6a32ccf7e57394706abc3999189 Intel::FILE_HASH Mandiant Apt1 Report T
+9675827a495f4ba6a4efd4dd70932b7c Intel::FILE_HASH Mandiant Apt1 Report T
+973f4a238d6d19bdc7b42977b07b9cef Intel::FILE_HASH Mandiant Apt1 Report T
+97c83d85bd76a38b13cea960a1a97f70 Intel::FILE_HASH Mandiant Apt1 Report T
+98409dbf432419024dbf028c004344c1 Intel::FILE_HASH Mandiant Apt1 Report T
+989b797c2a63fbfc8e1c6e8a8ccd6204 Intel::FILE_HASH Mandiant Apt1 Report T
+98bddd6c789a883afa1de3524bb8ea8e Intel::FILE_HASH Mandiant Apt1 Report T
+98cf219830733fb98fd2a957b7c4b163 Intel::FILE_HASH Mandiant Apt1 Report T
+98d257a13d176940910d6441a854d7a4 Intel::FILE_HASH Mandiant Apt1 Report T
+99882234b814b860a22b4d441b92fd82 Intel::FILE_HASH Mandiant Apt1 Report T
+99a29ccea951a950040f3944abafed40 Intel::FILE_HASH Mandiant Apt1 Report T
+99a39866a657a10949fcb6d634bb30d5 Intel::FILE_HASH Mandiant Apt1 Report T
+99a7e4a01b813b9b26ba76bf0b484742 Intel::FILE_HASH Mandiant Apt1 Report T
+9a58cc73e103fd5a14ef3564e35c03df Intel::FILE_HASH Mandiant Apt1 Report T
+9a66fa24268d158341d497feecbed889 Intel::FILE_HASH Mandiant Apt1 Report T
+9ad292de00b2175a80b5909fa173cdcd Intel::FILE_HASH Mandiant Apt1 Report T
+9c03ab63a45d29aee90b72ae89f2f613 Intel::FILE_HASH Mandiant Apt1 Report T
+9c36333385d351e59d6c4372d757479e Intel::FILE_HASH Mandiant Apt1 Report T
+9cb07b71dcd1ac9dfdbf9f4cdfd4f273 Intel::FILE_HASH Mandiant Apt1 Report T
+9d1d58e370bea4b5e79a1f914516cbc0 Intel::FILE_HASH Mandiant Apt1 Report T
+9d5aabcda9106132d1e1b6cf6cae28aa Intel::FILE_HASH Mandiant Apt1 Report T
+9d7499c3a01daba5c9b5090b079808ca Intel::FILE_HASH Mandiant Apt1 Report T
+9d75897d9c0a5da7e95082ea5ae1f648 Intel::FILE_HASH Mandiant Apt1 Report T
+9d85a2ae1e7971a49cb417d97797ac8a Intel::FILE_HASH Mandiant Apt1 Report T
+9d8a7970be7826d29732817c0cc84bde Intel::FILE_HASH Mandiant Apt1 Report T
+9d93fc89fb6e0a8142e837b2de045fdd Intel::FILE_HASH Mandiant Apt1 Report T
+9dab4da07ed669b44f409eb60f3b0e50 Intel::FILE_HASH Mandiant Apt1 Report T
+9df30198f52b16925db1e3da61cfc754 Intel::FILE_HASH Mandiant Apt1 Report T
+9e30b1665077b7e65bc8ff1e7c752306 Intel::FILE_HASH Mandiant Apt1 Report T
+9e511dc5ad8a884f4416e68c54f742e1 Intel::FILE_HASH Mandiant Apt1 Report T
+9e860622fee66074dfe81dcfcc40c4e2 Intel::FILE_HASH Mandiant Apt1 Report T
+9ea3c16194ce354c244c1b74c46cd92e Intel::FILE_HASH Mandiant Apt1 Report T
+9ecf9d5d8872fe55ab120265c3749ffc Intel::FILE_HASH Mandiant Apt1 Report T
+9f11bc08af048c5c3a110e567082fe0b Intel::FILE_HASH Mandiant Apt1 Report T
+9f3fbec4341f246aa6131ab01d6e4234 Intel::FILE_HASH Mandiant Apt1 Report T
+9fc3ed6c9b8056fbf155f79569ca7cb1 Intel::FILE_HASH Mandiant Apt1 Report T
+a039a61e4c274811b0388aa517d29fbb Intel::FILE_HASH Mandiant Apt1 Report T
+a1468ce16f2d17979cc1a61878c1c8c6 Intel::FILE_HASH Mandiant Apt1 Report T
+a14e8df8bc55f7459d24fe526f51a16d Intel::FILE_HASH Mandiant Apt1 Report T
+a17bb80ae02c8b003cf69222fa13f506 Intel::FILE_HASH Mandiant Apt1 Report T
+a1b8aa19c92c257cbace54337f6672d3 Intel::FILE_HASH Mandiant Apt1 Report T
+a1b924b8c8fa157ae8775fd86f692053 Intel::FILE_HASH Mandiant Apt1 Report T
+a1cb8a9f2b8926afeb254a64f1d78ee3 Intel::FILE_HASH Mandiant Apt1 Report T
+a24112e4b875038331d2672b6427763c Intel::FILE_HASH Mandiant Apt1 Report T
+a241eec892637dec971bd925a40d3efb Intel::FILE_HASH Mandiant Apt1 Report T
+a2534e9b7e4146368ea3245381830eb0 Intel::FILE_HASH Mandiant Apt1 Report T
+a28ee614e3d783a7561cf8a5a469959f Intel::FILE_HASH Mandiant Apt1 Report T
+a2cd1189860b9ba214421aab86ecbc8a Intel::FILE_HASH Mandiant Apt1 Report T
+a2feee5e0ac3f825d4b7de7e0b95bb1f Intel::FILE_HASH Mandiant Apt1 Report T
+a311516cdf06d3db4f49e67da5213ebe Intel::FILE_HASH Mandiant Apt1 Report T
+a316d5aeca269ca865077e7fff356e7d Intel::FILE_HASH Mandiant Apt1 Report T
+a34234a27157851300d9b698f6c56d9a Intel::FILE_HASH Mandiant Apt1 Report T
+a354e3c566645100e757f3e43c9b007d Intel::FILE_HASH Mandiant Apt1 Report T
+a360b16c19ab9dea6763f777257c5f38 Intel::FILE_HASH Mandiant Apt1 Report T
+a38a367d6696ba90b2e778a5a4bf98fd Intel::FILE_HASH Mandiant Apt1 Report T
+a40e20ff8b991308f508239625f275d8 Intel::FILE_HASH Mandiant Apt1 Report T
+a4143ade719c2222d8602819a3e212ae Intel::FILE_HASH Mandiant Apt1 Report T
+a44312eb63de002383a57b5a93271cdc Intel::FILE_HASH Mandiant Apt1 Report T
+a4903f7c293993069f865468bd7cec78 Intel::FILE_HASH Mandiant Apt1 Report T
+a4ad7335aa391519cc5fc9140f2562f2 Intel::FILE_HASH Mandiant Apt1 Report T
+a510d0c9b7930abaa7aa6b0ac294e675 Intel::FILE_HASH Mandiant Apt1 Report T
+a517ca12e2648b0590a5af565f8346b3 Intel::FILE_HASH Mandiant Apt1 Report T
+a565682d8a13a5719977223e0d9c7aa4 Intel::FILE_HASH Mandiant Apt1 Report T
+a5b581c0600815b1112ca2fed578928b Intel::FILE_HASH Mandiant Apt1 Report T
+a5d4ebc0285f0213e0c29d23bc410889 Intel::FILE_HASH Mandiant Apt1 Report T
+a6117891e42ee7db36253b57839c8b8f Intel::FILE_HASH Mandiant Apt1 Report T
+a639f598d4c0b9aa7a4691d05f27d977 Intel::FILE_HASH Mandiant Apt1 Report T
+a6725f263daf3e94adc3668751b909d0 Intel::FILE_HASH Mandiant Apt1 Report T
+a6a583aeaf4952787e15f30d289ca138 Intel::FILE_HASH Mandiant Apt1 Report T
+a6b99080565aa7933d946b8b9d9d7476 Intel::FILE_HASH Mandiant Apt1 Report T
+a70aaf335f7f1a04c7fe194602b11c14 Intel::FILE_HASH Mandiant Apt1 Report T
+a7117612ea6b6fa3307943f5ed21fbb4 Intel::FILE_HASH Mandiant Apt1 Report T
+a7f17c75519fb8a39d37c47617202b05 Intel::FILE_HASH Mandiant Apt1 Report T
+a807ad465b2fe5859c85626e97eaf907 Intel::FILE_HASH Mandiant Apt1 Report T
+a810ab506857c933df2bea40ae0eb548 Intel::FILE_HASH Mandiant Apt1 Report T
+a8b183fe32ad8d426e20227f3c8b7592 Intel::FILE_HASH Mandiant Apt1 Report T
+a8b2ac446c614fd5d4880d95369deb3b Intel::FILE_HASH Mandiant Apt1 Report T
+a8f259bb36e00d124963cfa9b86f502e Intel::FILE_HASH Mandiant Apt1 Report T
+a96a6c91e71e243f00a64f53e2fd6415 Intel::FILE_HASH Mandiant Apt1 Report T
+a9993969be3ea340d420eea5868c0d1d Intel::FILE_HASH Mandiant Apt1 Report T
+a99e06e2f90db4e506ef1347a8774dd5 Intel::FILE_HASH Mandiant Apt1 Report T
+aa4f1ecc4d25b33395196b5d51a06790 Intel::FILE_HASH Mandiant Apt1 Report T
+ab00b38179851c8aa3f9bc80ed7baa23 Intel::FILE_HASH Mandiant Apt1 Report T
+ab208f0b517ba9850f1551c9555b5313 Intel::FILE_HASH Mandiant Apt1 Report T
+ab445da3ee4e81a84d644476f669d35c Intel::FILE_HASH Mandiant Apt1 Report T
+abcaf816de63c632ec23d6bda3f02bb5 Intel::FILE_HASH Mandiant Apt1 Report T
+abe6ab89f957f6edf8f41b5ad198e5e6 Intel::FILE_HASH Mandiant Apt1 Report T
+abff707cb54a6e5a9fcbb3fef74dbddc Intel::FILE_HASH Mandiant Apt1 Report T
+ac87816b9a371e72512d8fd82f61c737 Intel::FILE_HASH Mandiant Apt1 Report T
+acb99e5318f7001298df1aef51a9463e Intel::FILE_HASH Mandiant Apt1 Report T
+ace798670a64b38aa7d065c776b49f17 Intel::FILE_HASH Mandiant Apt1 Report T
+ad3cccbe9ddff04b670d353b938f5da9 Intel::FILE_HASH Mandiant Apt1 Report T
+ad7bdadde9a4da73ffc776c606dbb75e Intel::FILE_HASH Mandiant Apt1 Report T
+ad8cde8841208ff226e04e8514dc699c Intel::FILE_HASH Mandiant Apt1 Report T
+adb2fc194b960e694aa450161f1df6fc Intel::FILE_HASH Mandiant Apt1 Report T
+adb62105427567ddc11124fc27921c40 Intel::FILE_HASH Mandiant Apt1 Report T
+ae1dda87cc5998de79ecb68527bbd191 Intel::FILE_HASH Mandiant Apt1 Report T
+af2745e8888f2ba17a9cf2e0779d3874 Intel::FILE_HASH Mandiant Apt1 Report T
+af2f7b070245c90bd2a0a0845314173a Intel::FILE_HASH Mandiant Apt1 Report T
+af719814507fdca4b96184f33b6b92ea Intel::FILE_HASH Mandiant Apt1 Report T
+b0538781d47dde1e9a46a2610155c2d3 Intel::FILE_HASH Mandiant Apt1 Report T
+b07322743778b5868475dbe66eedac4f Intel::FILE_HASH Mandiant Apt1 Report T
+b0d4fbcc0c65c7d5ef7e1c4309c719cb Intel::FILE_HASH Mandiant Apt1 Report T
+b145e4d19f5ecfaad45c795aee69c8dc Intel::FILE_HASH Mandiant Apt1 Report T
+b1838a6c341260fbdaf288795cc63900 Intel::FILE_HASH Mandiant Apt1 Report T
+b1912db011633d98bc40ac568a4167a7 Intel::FILE_HASH Mandiant Apt1 Report T
+b1ee00cec6c2318fa86f320dd7fc99a8 Intel::FILE_HASH Mandiant Apt1 Report T
+b1ff1ef983a1aee3a395788ec441d006 Intel::FILE_HASH Mandiant Apt1 Report T
+b2599b3078c28a278a3e7cd8b46304da Intel::FILE_HASH Mandiant Apt1 Report T
+b305b543da332a2fcf6e1ce55ed2ea79 Intel::FILE_HASH Mandiant Apt1 Report T
+b36168ea438520875c621f5603db003f Intel::FILE_HASH Mandiant Apt1 Report T
+b3848edbabfbce246a9faf5466e743bf Intel::FILE_HASH Mandiant Apt1 Report T
+b3af1381f69e36b72e5b272f06aa1fa2 Intel::FILE_HASH Mandiant Apt1 Report T
+b3bc979d8de3be09728c5de1a0297c4b Intel::FILE_HASH Mandiant Apt1 Report T
+b3defdbd173738d44137f88a571647e1 Intel::FILE_HASH Mandiant Apt1 Report T
+b43266a047b2895399f4883cfe37c089 Intel::FILE_HASH Mandiant Apt1 Report T
+b47e5d095be9fd61016817359f6c2887 Intel::FILE_HASH Mandiant Apt1 Report T
+b54f58c484f56c704858ccfffbb9d535 Intel::FILE_HASH Mandiant Apt1 Report T
+b5a430a0696b5b25ae6b4fa5cbfe3333 Intel::FILE_HASH Mandiant Apt1 Report T
+b5e9ce72771217680efaeecfafe3da3f Intel::FILE_HASH Mandiant Apt1 Report T
+b631a3d832f7c22c26554711188f59c3 Intel::FILE_HASH Mandiant Apt1 Report T
+b63452ecd2da62f30923a124bcd41b45 Intel::FILE_HASH Mandiant Apt1 Report T
+b661f78279ca0b2e0ae611013eb00f20 Intel::FILE_HASH Mandiant Apt1 Report T
+b6f2f483e03b9399f055a1ba5e0713a4 Intel::FILE_HASH Mandiant Apt1 Report T
+b74022a7b9b63fdc541ae0848b28a962 Intel::FILE_HASH Mandiant Apt1 Report T
+b743f6af7e307221ba425d6023ebe42c Intel::FILE_HASH Mandiant Apt1 Report T
+b7dba6184f07b1e824362a2307d91ae2 Intel::FILE_HASH Mandiant Apt1 Report T
+b8277cce81e0a372bc35d33a0c9483c2 Intel::FILE_HASH Mandiant Apt1 Report T
+b86e89a42a1c1bc6ea15096c68e38ba4 Intel::FILE_HASH Mandiant Apt1 Report T
+b883f8e5a1420d1f511266b9253c11c4 Intel::FILE_HASH Mandiant Apt1 Report T
+b8dfe540bef505cd1adbd5f8ff31d028 Intel::FILE_HASH Mandiant Apt1 Report T
+b8f61242e28f2edf6cb1be8781438491 Intel::FILE_HASH Mandiant Apt1 Report T
+b92db06d17d3bf906c47a0384e771076 Intel::FILE_HASH Mandiant Apt1 Report T
+b9b3673a721578b230490f7dfc6df21e Intel::FILE_HASH Mandiant Apt1 Report T
+ba0c4d3dbf07d407211b5828405a9b91 Intel::FILE_HASH Mandiant Apt1 Report T
+ba10b9486043f76bb9e9a160bc1d2576 Intel::FILE_HASH Mandiant Apt1 Report T
+ba56035e10b423734e0ce01bb7bb8b6d Intel::FILE_HASH Mandiant Apt1 Report T
+ba773e1608198cf8337c5902d7930710 Intel::FILE_HASH Mandiant Apt1 Report T
+baabd9b76bff84ed27fd432cfc6df241 Intel::FILE_HASH Mandiant Apt1 Report T
+bac2e89bd92ce23e1e93a63d26dea01a Intel::FILE_HASH Mandiant Apt1 Report T
+bb286e9969ca197b461286b679c0886e Intel::FILE_HASH Mandiant Apt1 Report T
+bc7092008ca37adf497b75eb98e2e175 Intel::FILE_HASH Mandiant Apt1 Report T
+bc723e4f93a3bf85f4d1e1910393d1a3 Intel::FILE_HASH Mandiant Apt1 Report T
+bc756bb6bf4e7b2058e8dce6ba8b1a79 Intel::FILE_HASH Mandiant Apt1 Report T
+bca9bd0abbb31a422458abf521a6a2fb Intel::FILE_HASH Mandiant Apt1 Report T
+bcb087f69792b69494a3edad51a842bb Intel::FILE_HASH Mandiant Apt1 Report T
+bcbdef1678049378be04719ed29078d2 Intel::FILE_HASH Mandiant Apt1 Report T
+bcdf8cb0868daaec3ba6176e3e7d3cfc Intel::FILE_HASH Mandiant Apt1 Report T
+bce4b77a4e4acc70a3f6f52ec0a2f033 Intel::FILE_HASH Mandiant Apt1 Report T
+bd15714360c12ffca4c3c1e86fc69d0e Intel::FILE_HASH Mandiant Apt1 Report T
+bd402e910e03b70f00685d8b8be5093c Intel::FILE_HASH Mandiant Apt1 Report T
+bd8b082b7711bc980252f988bb0ca936 Intel::FILE_HASH Mandiant Apt1 Report T
+bdc5e16aec2c3796fb879a5c260d6ca9 Intel::FILE_HASH Mandiant Apt1 Report T
+bdd2ad4c0e1e5667d117810ae9e36c4b Intel::FILE_HASH Mandiant Apt1 Report T
+be58ff564c854be419a19a030af25c86 Intel::FILE_HASH Mandiant Apt1 Report T
+be74bf5afd4ba64cc8ce237307e9254d Intel::FILE_HASH Mandiant Apt1 Report T
+bebbbc50a561681f48d174d6b7c2824e Intel::FILE_HASH Mandiant Apt1 Report T
+bee9b7835a02973678e9ead683da1ac4 Intel::FILE_HASH Mandiant Apt1 Report T
+bf0d5aff9c1f33e089c9c85f03c6ba8a Intel::FILE_HASH Mandiant Apt1 Report T
+bf0ee4367ea32f8e3b911c304258e439 Intel::FILE_HASH Mandiant Apt1 Report T
+bf80dbf969b73790253f683cd723fd71 Intel::FILE_HASH Mandiant Apt1 Report T
+bf9aeefc53d97bb23d35d47986504cef Intel::FILE_HASH Mandiant Apt1 Report T
+bfcae0468de0c7bcf92e9989589082f1 Intel::FILE_HASH Mandiant Apt1 Report T
+c0134285a276ab933e2a2b9b33b103cd Intel::FILE_HASH Mandiant Apt1 Report T
+c044715c2626ab515f6c85a21c47c7dd Intel::FILE_HASH Mandiant Apt1 Report T
+c04c796ef126ad7429be7d55720fe392 Intel::FILE_HASH Mandiant Apt1 Report T
+c0a33a1b472a8c16123fd696a5ce5ebb Intel::FILE_HASH Mandiant Apt1 Report T
+c0a494e643c42a89d5bf718ea274df04 Intel::FILE_HASH Mandiant Apt1 Report T
+c110f08399c5dca64d7dc4539eb82083 Intel::FILE_HASH Mandiant Apt1 Report T
+c116f5f89e24c7de3ea9cae83b7fc829 Intel::FILE_HASH Mandiant Apt1 Report T
+c1bd23ece59e36143d80f7eec0e38c52 Intel::FILE_HASH Mandiant Apt1 Report T
+c21591aa72ac72872f5bd05bbca5e4da Intel::FILE_HASH Mandiant Apt1 Report T
+c2a79bb15a31fd6584d9bf0891673d14 Intel::FILE_HASH Mandiant Apt1 Report T
+c2e06531a2e6de3c1b7d18b14af53fdf Intel::FILE_HASH Mandiant Apt1 Report T
+c2fa9f567fd34fb14fee6a38b6644ff9 Intel::FILE_HASH Mandiant Apt1 Report T
+c307bad133cc160a0129fda4c57e0f52 Intel::FILE_HASH Mandiant Apt1 Report T
+c30c7fa2eb06fc8c9ebbe955abe26edd Intel::FILE_HASH Mandiant Apt1 Report T
+c39bc83c16f9db8a7c43a966048bca7b Intel::FILE_HASH Mandiant Apt1 Report T
+c39e272e9ea15d61e0c8e6b749a1ad46 Intel::FILE_HASH Mandiant Apt1 Report T
+c3af09a9fc487314eb4c9fe92a01845a Intel::FILE_HASH Mandiant Apt1 Report T
+c3dbd79adfa21706f5451cc68331d31e Intel::FILE_HASH Mandiant Apt1 Report T
+c3de028cbc5aa0934008d95689d5f334 Intel::FILE_HASH Mandiant Apt1 Report T
+c3e5603a38e700274d1ab30ce93d08b9 Intel::FILE_HASH Mandiant Apt1 Report T
+c4188c3bb6982d41aa783c499113a8e3 Intel::FILE_HASH Mandiant Apt1 Report T
+c41e44045cebebfba234063de8fd7c4d Intel::FILE_HASH Mandiant Apt1 Report T
+c425b8782075da33cba5aae5ad612582 Intel::FILE_HASH Mandiant Apt1 Report T
+c4c638750526e28f68d6d71fd1266bdf Intel::FILE_HASH Mandiant Apt1 Report T
+c4f144febf16ff8f36df15353d5347ce Intel::FILE_HASH Mandiant Apt1 Report T
+c53332a5bf112f03ed22b06d85140626 Intel::FILE_HASH Mandiant Apt1 Report T
+c65617a4eedb8e0369ef8fe58ce20a02 Intel::FILE_HASH Mandiant Apt1 Report T
+c69a708a2a8e4581dd95f90da3833840 Intel::FILE_HASH Mandiant Apt1 Report T
+c6a29993234488fcbdcf45668eac9c47 Intel::FILE_HASH Mandiant Apt1 Report T
+c6a4bb1a4e4f69ec71855d70d6960859 Intel::FILE_HASH Mandiant Apt1 Report T
+c72edb12880a9af12b439a7a2d0584c1 Intel::FILE_HASH Mandiant Apt1 Report T
+c763e041c8e85c195ade90e120338be7 Intel::FILE_HASH Mandiant Apt1 Report T
+c799e1d25839e1efb2b3d42d6d6efd26 Intel::FILE_HASH Mandiant Apt1 Report T
+c7b48b6965642b504f6f36933762df8a Intel::FILE_HASH Mandiant Apt1 Report T
+c8d2b7f92fff545b3b19e9b1e1057071 Intel::FILE_HASH Mandiant Apt1 Report T
+c9172b3e83c782bc930c06b628f31fa5 Intel::FILE_HASH Mandiant Apt1 Report T
+c91eacab7655870764d13ba741aa9a73 Intel::FILE_HASH Mandiant Apt1 Report T
+c99fa835350aa9e2427ce69323b061a9 Intel::FILE_HASH Mandiant Apt1 Report T
+c9f77569aa98f71cc42644d66d9f371c Intel::FILE_HASH Mandiant Apt1 Report T
+ca27a87928443e21dc279008008018ba Intel::FILE_HASH Mandiant Apt1 Report T
+ca327bc83fbe38b3689cd1a5505dfc33 Intel::FILE_HASH Mandiant Apt1 Report T
+ca68ccc887cfe5d2194f6a4d3101ae66 Intel::FILE_HASH Mandiant Apt1 Report T
+ca6fe7a1315af5afeac2961460a80569 Intel::FILE_HASH Mandiant Apt1 Report T
+ca899eda2c32e7d305272dd48bc8e1e1 Intel::FILE_HASH Mandiant Apt1 Report T
+ca9c1f8d709ed34d388dc7cba2bd7602 Intel::FILE_HASH Mandiant Apt1 Report T
+caf33d1e15953c0e782846e1709498f6 Intel::FILE_HASH Mandiant Apt1 Report T
+cb15768a3e5c86d22289dcefec56d8a2 Intel::FILE_HASH Mandiant Apt1 Report T
+cb3a9d7505be48019e242fbccc7e5f6b Intel::FILE_HASH Mandiant Apt1 Report T
+cb3c5c3f53ecb2cb656fb0f4b8de03f6 Intel::FILE_HASH Mandiant Apt1 Report T
+cc0b9bf4ea738d63f06bfe411460412b Intel::FILE_HASH Mandiant Apt1 Report T
+cc17fe9f2d254ad28d050bf5c1df983d Intel::FILE_HASH Mandiant Apt1 Report T
+cc3a9a7b026bfe0e55ff219fd6aa7d94 Intel::FILE_HASH Mandiant Apt1 Report T
+cc7c8aba24c66373502ba5934696b7b6 Intel::FILE_HASH Mandiant Apt1 Report T
+cca290cd2abe96392378b71e9835ce06 Intel::FILE_HASH Mandiant Apt1 Report T
+ccfb7a84bb87cc8f86ddd260ad38ed5b Intel::FILE_HASH Mandiant Apt1 Report T
+cd2102c5db1ed828a9c196448c40af3e Intel::FILE_HASH Mandiant Apt1 Report T
+cd4674e2b7be30121a46a053205472a8 Intel::FILE_HASH Mandiant Apt1 Report T
+cd677f9ede43b4b86b421db249c0e020 Intel::FILE_HASH Mandiant Apt1 Report T
+cd6c1dbf08d8864b382678284ef13358 Intel::FILE_HASH Mandiant Apt1 Report T
+ce003a75c85627cbc7e6eb39beff0722 Intel::FILE_HASH Mandiant Apt1 Report T
+cf038194f0fe222f31ec24cb80941bb1 Intel::FILE_HASH Mandiant Apt1 Report T
+cf9c2d5a8fbdd1c5adc20cfc5e663c21 Intel::FILE_HASH Mandiant Apt1 Report T
+cfc6112254a69030521d0d2bba152d4d Intel::FILE_HASH Mandiant Apt1 Report T
+cfce9478c880934b3548c3022a956e14 Intel::FILE_HASH Mandiant Apt1 Report T
+cfe738fcc07b9ece6a11c3390d43b5df Intel::FILE_HASH Mandiant Apt1 Report T
+d0d5a20c5a6c4fddab4d43b85632b6a9 Intel::FILE_HASH Mandiant Apt1 Report T
+d0fb18b1e1f642f595a4746826350c21 Intel::FILE_HASH Mandiant Apt1 Report T
+d16947b200afa74a917f055597b772c0 Intel::FILE_HASH Mandiant Apt1 Report T
+d197c388184fef263b7944a7186bc6db Intel::FILE_HASH Mandiant Apt1 Report T
+d1a18c7de189170c588e7128ec3f8453 Intel::FILE_HASH Mandiant Apt1 Report T
+d20f0fbd001fd30610c3317fd3c6f7c0 Intel::FILE_HASH Mandiant Apt1 Report T
+d22863c5e6f098a4b52688b021beef0a Intel::FILE_HASH Mandiant Apt1 Report T
+d25be76b6d871a26eec08ad1bee0273d Intel::FILE_HASH Mandiant Apt1 Report T
+d262cb8267beb0e218f6d11d6af9052e Intel::FILE_HASH Mandiant Apt1 Report T
+d263fed2e1c18f2cb439afcef0cd1b45 Intel::FILE_HASH Mandiant Apt1 Report T
+d271ae0f4e9230af3b61eafe7f671fde Intel::FILE_HASH Mandiant Apt1 Report T
+d2c616bf238fc18f9ea0a1643bd2d4bc Intel::FILE_HASH Mandiant Apt1 Report T
+d2f1be7e10ed39aa8bc0f7f671d824d2 Intel::FILE_HASH Mandiant Apt1 Report T
+d3358ed4001ec0366fa23fe82759df2a Intel::FILE_HASH Mandiant Apt1 Report T
+d34e357461c55d90c52309c1ff952b4c Intel::FILE_HASH Mandiant Apt1 Report T
+d3f9d4bc51db1e602093e3003fc789d9 Intel::FILE_HASH Mandiant Apt1 Report T
+d41c6005a75a6d28480d63f540d36c70 Intel::FILE_HASH Mandiant Apt1 Report T
+d47b04327157fb188c0e81886e346c48 Intel::FILE_HASH Mandiant Apt1 Report T
+d4ba6430996fb4021241efc97c607504 Intel::FILE_HASH Mandiant Apt1 Report T
+d4c1bfc5cd3e33643a562696d5d29bf2 Intel::FILE_HASH Mandiant Apt1 Report T
+d4c7f1f80883412f9796f1270accff50 Intel::FILE_HASH Mandiant Apt1 Report T
+d5e56f7da9d2a78e49d3d0685e9613ca Intel::FILE_HASH Mandiant Apt1 Report T
+d5fd1ce9189cd54f157d691e317c0821 Intel::FILE_HASH Mandiant Apt1 Report T
+d60ee4a39667a733c075bb7f7b36285a Intel::FILE_HASH Mandiant Apt1 Report T
+d62cd4ad2a919b6acfa6d49d446dffdb Intel::FILE_HASH Mandiant Apt1 Report T
+d6a01b61f490488d61dfb9376186d844 Intel::FILE_HASH Mandiant Apt1 Report T
+d74b169e98dd16d0f3af0dc770dffac0 Intel::FILE_HASH Mandiant Apt1 Report T
+d751c7f7d2eab52c43ab31312e229307 Intel::FILE_HASH Mandiant Apt1 Report T
+d76ea982d614c66c5faa36ab5fdd8b41 Intel::FILE_HASH Mandiant Apt1 Report T
+d776379bda9fdf695d6a54db8a5b4c72 Intel::FILE_HASH Mandiant Apt1 Report T
+d7796209412da17b2ee2ccf2309b4abf Intel::FILE_HASH Mandiant Apt1 Report T
+d7aa32b7465f55c368230bb52d52d885 Intel::FILE_HASH Mandiant Apt1 Report T
+d802a0c3e0c3dcac43877bd488f2b042 Intel::FILE_HASH Mandiant Apt1 Report T
+d8238e950608e5aba3d3e9e83e9ee2cc Intel::FILE_HASH Mandiant Apt1 Report T
+d8315c114107b7418c32f85e263766b7 Intel::FILE_HASH Mandiant Apt1 Report T
+d8b7b276710127d233abcdb7313aac36 Intel::FILE_HASH Mandiant Apt1 Report T
+d8fdd9cfca25315635378dd2564094ca Intel::FILE_HASH Mandiant Apt1 Report T
+d915f1c6792eed61dddb30e512e6c202 Intel::FILE_HASH Mandiant Apt1 Report T
+d9b1c95fb4424cf69a0ac8e40b3ab39b Intel::FILE_HASH Mandiant Apt1 Report T
+d9c4ebd61c1aee52b3597aae048a592f Intel::FILE_HASH Mandiant Apt1 Report T
+d9fb6620e4402764bbf2088de02898ca Intel::FILE_HASH Mandiant Apt1 Report T
+d9fbf759f527af373e34673dc3aca462 Intel::FILE_HASH Mandiant Apt1 Report T
+da383cc098a5ea8fbb87643611e4bfb6 Intel::FILE_HASH Mandiant Apt1 Report T
+da52e6701c9eba92459c6be28efdba74 Intel::FILE_HASH Mandiant Apt1 Report T
+da5ff7927d608d7ccc7495939d457bd3 Intel::FILE_HASH Mandiant Apt1 Report T
+da60673b4f2a4660d2734a16a832282f Intel::FILE_HASH Mandiant Apt1 Report T
+da6b0ee7ec735029d1ff4fa863a71de8 Intel::FILE_HASH Mandiant Apt1 Report T
+db05df0498b59b42a8e493cf3c10c578 Intel::FILE_HASH Mandiant Apt1 Report T
+db2580f5675f04716481b24bb7af468e Intel::FILE_HASH Mandiant Apt1 Report T
+db50416d9e67f4982e89e0ffb0ade6f3 Intel::FILE_HASH Mandiant Apt1 Report T
+db5805604f84b7303fa04feb18ce8271 Intel::FILE_HASH Mandiant Apt1 Report T
+dba356a4726b94731e6ea97aa73cfc3f Intel::FILE_HASH Mandiant Apt1 Report T
+dbdd2a9c86e71ba0c9953ff4f89cc25b Intel::FILE_HASH Mandiant Apt1 Report T
+dc059121677ec7a038589cda28cbcc49 Intel::FILE_HASH Mandiant Apt1 Report T
+dc1cff84900afc9d292b305f9b9aae34 Intel::FILE_HASH Mandiant Apt1 Report T
+dc373f011e86d5528ca4824bb287c406 Intel::FILE_HASH Mandiant Apt1 Report T
+dc78fd49b7f39fa3bb06b927e8413dd0 Intel::FILE_HASH Mandiant Apt1 Report T
+dcb90efe7e09d6900242af25aeca7b73 Intel::FILE_HASH Mandiant Apt1 Report T
+dd1222f96024ac28179c7508e4193285 Intel::FILE_HASH Mandiant Apt1 Report T
+dd1bede0e42d26fd2439a6e48547023c Intel::FILE_HASH Mandiant Apt1 Report T
+dd21d1ea2146861a4219b1cbdaefe59b Intel::FILE_HASH Mandiant Apt1 Report T
+ddf3db31f9fa21cd43ff19dde393aba8 Intel::FILE_HASH Mandiant Apt1 Report T
+de016572ade175d37cfbfabe8174391a Intel::FILE_HASH Mandiant Apt1 Report T
+df4da15796910690b05e393561b86fa1 Intel::FILE_HASH Mandiant Apt1 Report T
+df5c89d49ef8997c9b5abd8f808298c8 Intel::FILE_HASH Mandiant Apt1 Report T
+dff4d874b2bfc64a4d1805959c379074 Intel::FILE_HASH Mandiant Apt1 Report T
+dffd04ea26c03d3f6c67e10405abc5ad Intel::FILE_HASH Mandiant Apt1 Report T
+e06145fccac413d8c753bc822619945c Intel::FILE_HASH Mandiant Apt1 Report T
+e0c4cbf3ed293e8a8df3f3987b42caac Intel::FILE_HASH Mandiant Apt1 Report T
+e0fc0fae758d7c6091cdb11d5ef98e0e Intel::FILE_HASH Mandiant Apt1 Report T
+e1b6940985a23e5639450f8391820655 Intel::FILE_HASH Mandiant Apt1 Report T
+e22f2e9ee73ab8b12ee5069f7e39a615 Intel::FILE_HASH Mandiant Apt1 Report T
+e24e889e826df04f552e0d133548b693 Intel::FILE_HASH Mandiant Apt1 Report T
+e43040ede0645a38ea5a35c26192126f Intel::FILE_HASH Mandiant Apt1 Report T
+e476e4a24f8b4ff4c8a0b260aa35fc9f Intel::FILE_HASH Mandiant Apt1 Report T
+e480c8839e819eaa9b19d53acfa95052 Intel::FILE_HASH Mandiant Apt1 Report T
+e4a9b8993e55e3d0ba355b13d1f27a2e Intel::FILE_HASH Mandiant Apt1 Report T
+e4be1e46775081b1d5405b3dd7dd1c64 Intel::FILE_HASH Mandiant Apt1 Report T
+e50af782414228e52e59bcbe518b1966 Intel::FILE_HASH Mandiant Apt1 Report T
+e5237615fde0977c0ea3626fba609ab8 Intel::FILE_HASH Mandiant Apt1 Report T
+e54ce5f0112c9fdfe86db17e85a5e2c5 Intel::FILE_HASH Mandiant Apt1 Report T
+e55f7d80d99b6aacb0c8d9ed46856d25 Intel::FILE_HASH Mandiant Apt1 Report T
+e56e4b20ef6dc09d29be49481bd29561 Intel::FILE_HASH Mandiant Apt1 Report T
+e649f31f7f3a7b15ce1290e8d096c058 Intel::FILE_HASH Mandiant Apt1 Report T
+e64d657ce32118b415fa91dc05037c4c Intel::FILE_HASH Mandiant Apt1 Report T
+e65c0b3f4dd2f3c9f728077ed1e48f7e Intel::FILE_HASH Mandiant Apt1 Report T
+e65db662e449cab03a6c1ac51af41360 Intel::FILE_HASH Mandiant Apt1 Report T
+e689b1fb0610b752f42adafc403fa49f Intel::FILE_HASH Mandiant Apt1 Report T
+e6c25f9994b723d39c785ddfd38a31b8 Intel::FILE_HASH Mandiant Apt1 Report T
+e6ff0431a9a9028808efc582405ea7df Intel::FILE_HASH Mandiant Apt1 Report T
+e7f728e3bce0e59c3ba973545a3b3a92 Intel::FILE_HASH Mandiant Apt1 Report T
+e83f60fb0e0396ea309faf0aed64e53f Intel::FILE_HASH Mandiant Apt1 Report T
+e9df2f69ed3d9c895ad9d399eaff1bc8 Intel::FILE_HASH Mandiant Apt1 Report T
+ea1b44094ae4d8e2b63a1771a3e61fd5 Intel::FILE_HASH Mandiant Apt1 Report T
+ea3155748f9788b741b6799691250579 Intel::FILE_HASH Mandiant Apt1 Report T
+ea34b72cbeb07aaac2398704c3ca6b0f Intel::FILE_HASH Mandiant Apt1 Report T
+ea47431d832faff7802710dae0abb0d3 Intel::FILE_HASH Mandiant Apt1 Report T
+ea502cd3504e74bac454835bd23e019b Intel::FILE_HASH Mandiant Apt1 Report T
+ea7309fa59e9347a0715f164edf6b200 Intel::FILE_HASH Mandiant Apt1 Report T
+ea7aeea782173eb19ef880c6a54456f2 Intel::FILE_HASH Mandiant Apt1 Report T
+ea8b6c2c083d6b7b2b6ebc015b0488ca Intel::FILE_HASH Mandiant Apt1 Report T
+eb0c8b05ee6a4334f45968cf45656597 Intel::FILE_HASH Mandiant Apt1 Report T
+eb50c166074ae4f13cfea362dc7b668a Intel::FILE_HASH Mandiant Apt1 Report T
+eb61cedc9793226a66e4611e6ea25d7f Intel::FILE_HASH Mandiant Apt1 Report T
+ebf8eebe3aa218dea5e3f0b2222267b0 Intel::FILE_HASH Mandiant Apt1 Report T
+ec09d3b72b282872db4afb0cc9ba7d9d Intel::FILE_HASH Mandiant Apt1 Report T
+ec3a2197ca6b63ee1454d99a6ae145ab Intel::FILE_HASH Mandiant Apt1 Report T
+ec63f49236858c85168da81c1ac7802a Intel::FILE_HASH Mandiant Apt1 Report T
+ec82a53f44511ac09e916bde02cddef0 Intel::FILE_HASH Mandiant Apt1 Report T
+ec8aa67b05407c01094184c33d2b5a44 Intel::FILE_HASH Mandiant Apt1 Report T
+ec8c89aa5e521572c74e2dd02a4daf78 Intel::FILE_HASH Mandiant Apt1 Report T
+eca18e3872fd32f17410167871fbd1d2 Intel::FILE_HASH Mandiant Apt1 Report T
+ecf18654e4a2668fb8b2e3db144809af Intel::FILE_HASH Mandiant Apt1 Report T
+ecf900c9d743631b59442240ac4ce9da Intel::FILE_HASH Mandiant Apt1 Report T
+edb4faeee6542572aff2ec1b6affbd28 Intel::FILE_HASH Mandiant Apt1 Report T
+eef298d0bc5b8c89f582e48556d77b6a Intel::FILE_HASH Mandiant Apt1 Report T
+eef80511aa490b2168ed4c9fa5eafef0 Intel::FILE_HASH Mandiant Apt1 Report T
+eefa8d6c9a26dcc13604b11bbe5635c1 Intel::FILE_HASH Mandiant Apt1 Report T
+ef0a6c79f99a537f932a5e64999972b3 Intel::FILE_HASH Mandiant Apt1 Report T
+ef29229f7b633f634db3a5c49a3f4a1c Intel::FILE_HASH Mandiant Apt1 Report T
+ef349196b0ffef5a02d30413c8dffc7c Intel::FILE_HASH Mandiant Apt1 Report T
+ef6c375e3e6930e2b50e1e97fe6fbcc9 Intel::FILE_HASH Mandiant Apt1 Report T
+ef8e0fb20e7228c7492ccdc59d87c690 Intel::FILE_HASH Mandiant Apt1 Report T
+efc2025431e7ec8f8784fe81389c77cf Intel::FILE_HASH Mandiant Apt1 Report T
+effa99ea879e5be518f242d5820be070 Intel::FILE_HASH Mandiant Apt1 Report T
+f02abd537e481109142b6170933d1b3d Intel::FILE_HASH Mandiant Apt1 Report T
+f07ac0b4301fccbae233a44e07a2a634 Intel::FILE_HASH Mandiant Apt1 Report T
+f0bab119faa296c680a10ba81693915e Intel::FILE_HASH Mandiant Apt1 Report T
+f0d2ad2002557a86ecc780bf938b6dfd Intel::FILE_HASH Mandiant Apt1 Report T
+f113e1c754679164b0e137449b7631cc Intel::FILE_HASH Mandiant Apt1 Report T
+f172ff6b65140f342e6ee51966ea3c4c Intel::FILE_HASH Mandiant Apt1 Report T
+f1ad5daacace5d4a7b18a03132ec2716 Intel::FILE_HASH Mandiant Apt1 Report T
+f1db65d3c48ad5a9d1576aefdca036d1 Intel::FILE_HASH Mandiant Apt1 Report T
+f1e5d9bf7705b4dc5be0b8a90b73a863 Intel::FILE_HASH Mandiant Apt1 Report T
+f1eea61e49a3f86e95836d1c9f67e074 Intel::FILE_HASH Mandiant Apt1 Report T
+f2009007bd6718582ad62ad29b742f6b Intel::FILE_HASH Mandiant Apt1 Report T
+f2693de8b687c20aca98bfc1c5aa5b38 Intel::FILE_HASH Mandiant Apt1 Report T
+f3611c5c793f521f7ff2a69c22d4174e Intel::FILE_HASH Mandiant Apt1 Report T
+f38e76417c0f87322d55062428283e58 Intel::FILE_HASH Mandiant Apt1 Report T
+f3b54c188185ee0921848b3a6ad4751e Intel::FILE_HASH Mandiant Apt1 Report T
+f3f2881a1cf3f81f1ecd952ccb616504 Intel::FILE_HASH Mandiant Apt1 Report T
+f445b22897a27ac5852ee19589bea8c2 Intel::FILE_HASH Mandiant Apt1 Report T
+f4bea18e9d38ab9fa7c1cf6eea2bdc79 Intel::FILE_HASH Mandiant Apt1 Report T
+f4ed3b7a8a58453052db4b5be3707342 Intel::FILE_HASH Mandiant Apt1 Report T
+f4f8067d501bfef385274912d2a833b5 Intel::FILE_HASH Mandiant Apt1 Report T
+f627990bbe2ec5c48c180f724490c332 Intel::FILE_HASH Mandiant Apt1 Report T
+f6549d4a4097bac446acf8b31d250d2e Intel::FILE_HASH Mandiant Apt1 Report T
+f65eee78ac150924cd37c7f1f3c96518 Intel::FILE_HASH Mandiant Apt1 Report T
+f6655e39465c2ff5b016980d918ea028 Intel::FILE_HASH Mandiant Apt1 Report T
+f67357d9fa1c3014050f2feefd39c784 Intel::FILE_HASH Mandiant Apt1 Report T
+f7c63592ffb87b81ce45c89d207e9403 Intel::FILE_HASH Mandiant Apt1 Report T
+f7f85d7f628ce62d1d8f7b39d8940472 Intel::FILE_HASH Mandiant Apt1 Report T
+f802b6e448c054c9c16b97ff85646825 Intel::FILE_HASH Mandiant Apt1 Report T
+f81991fab3b7d58d66629e26d21176ed Intel::FILE_HASH Mandiant Apt1 Report T
+f8437e44748d2c3fcf84019766f4e6dc Intel::FILE_HASH Mandiant Apt1 Report T
+f8892c6dacbf7ac756abb361e48bbc82 Intel::FILE_HASH Mandiant Apt1 Report T
+f904ea9bc8e2d7ce13a6007183da5957 Intel::FILE_HASH Mandiant Apt1 Report T
+f9a46d5024c05a827912a89ca270c553 Intel::FILE_HASH Mandiant Apt1 Report T
+f9ed623f13481da16a97aeacdca646dc Intel::FILE_HASH Mandiant Apt1 Report T
+fa11cb78f53db2d2718d536d4bd20b85 Intel::FILE_HASH Mandiant Apt1 Report T
+fa66312d7e2ed95814f30871cae61d7c Intel::FILE_HASH Mandiant Apt1 Report T
+fab6b0b33d59f393e142000f128a9652 Intel::FILE_HASH Mandiant Apt1 Report T
+fab7c555a511f4d4e318817455bbb75a Intel::FILE_HASH Mandiant Apt1 Report T
+fad92f849e3bbfab211af339eb6a8d66 Intel::FILE_HASH Mandiant Apt1 Report T
+fade2270a6c7cb47893ac600a9a0509f Intel::FILE_HASH Mandiant Apt1 Report T
+fae6eaf695af058af4b8dfee0709bf51 Intel::FILE_HASH Mandiant Apt1 Report T
+fb671e6de6e301c892d2fdaa58f9cd9a Intel::FILE_HASH Mandiant Apt1 Report T
+fbde5068f85ce0aac2e9ff387b5f8c06 Intel::FILE_HASH Mandiant Apt1 Report T
+fc1937c1aa536b3744ebdfb1716fd54d Intel::FILE_HASH Mandiant Apt1 Report T
+fc50743af221ccbff7b7c7ec378117f4 Intel::FILE_HASH Mandiant Apt1 Report T
+fc89424a2d33ea5af3f49b02e743773b Intel::FILE_HASH Mandiant Apt1 Report T
+fc9d20d555a88fc827f3a2bfec4dfa36 Intel::FILE_HASH Mandiant Apt1 Report T
+fcdaa67e33357f64bc4ce7b57491fc53 Intel::FILE_HASH Mandiant Apt1 Report T
+fd37fa026747059559197461aa7c63e6 Intel::FILE_HASH Mandiant Apt1 Report T
+fdef1329ae626656c8389f82c4f9ad38 Intel::FILE_HASH Mandiant Apt1 Report T
+fe5ba680a96757ff232d4bad9c0db2b8 Intel::FILE_HASH Mandiant Apt1 Report T
+fe8ff84a23feb673a59d8571575fee0b Intel::FILE_HASH Mandiant Apt1 Report T
+feb406ff01d9fd5abc5ea079e0543e31 Intel::FILE_HASH Mandiant Apt1 Report T
+fefa3638e4d6f2e00b5194ae3fa0c931 Intel::FILE_HASH Mandiant Apt1 Report T
+ff085d421518772ce2df75282363279f Intel::FILE_HASH Mandiant Apt1 Report T
+ff9aa093a37819af65a06046ea0c830c Intel::FILE_HASH Mandiant Apt1 Report T
+ffcc7271e951055f12b61f520ce1e4c7 Intel::FILE_HASH Mandiant Apt1 Report T
diff --git a/salt/zeek/policy/securityonion/conn-add-sensorname.bro b/salt/zeek/policy/securityonion/conn-add-sensorname.bro
new file mode 100644
index 000000000..0fbe50297
--- /dev/null
+++ b/salt/zeek/policy/securityonion/conn-add-sensorname.bro
@@ -0,0 +1,10 @@
+global sensorname = "{{ grains.host }}";
+
+redef record Conn::Info += {
+ sensorname: string &log &optional;
+};
+
+event connection_state_remove(c: connection)
+ {
+ c$conn$sensorname = sensorname;
+ }
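Review bot: Nothing in conn-add-sensorname.bro says that the file is a Jinja template, yet the first line only works if Salt renders `{{ grains.host }}` before Zeek loads the script. If the state that deploys it (not visible here) copies it without templating, that literal text would end up in every conn.log entry. A header comment such as `# Rendered by Salt (jinja): tags each conn.log entry with this sensor's hostname.` would make the dependency explicit. Since `sensorname` is never reassigned in this file, `const` would state the intent better than `global`.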
diff --git a/salt/zeek/policy/securityonion/file-extraction/__load__.zeek b/salt/zeek/policy/securityonion/file-extraction/__load__.zeek
new file mode 100644
index 000000000..b2707c803
--- /dev/null
+++ b/salt/zeek/policy/securityonion/file-extraction/__load__.zeek
@@ -0,0 +1 @@
+@load ./extract
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
new file mode 100644
index 000000000..7f0f1c902
--- /dev/null
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -0,0 +1,21 @@
+global ext_map: table[string] of string = {
+ ["application/x-dosexec"] = "exe",
+ ["text/plain"] = "txt",
+ ["image/jpeg"] = "jpg",
+ ["image/png"] = "png",
+ ["text/html"] = "html",
+} &default ="";
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+ {
+ if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
+ return;
+
+ local ext = "";
+
+ if ( meta?$mime_type )
+ ext = ext_map[meta$mime_type];
+
+ local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+ Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+ }
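Review bot: The `Files::add_analyzer` call in `file_sniff` passes only `$extract_filename`, so every Windows executable seen on the wire is written to /nsm/bro/extracted with no size cap unless `FileExtract::default_limit` is redefined elsewhere. On a busy sensor that can fill the partition that also holds the logs. Pass an explicit cap, for example `[$extract_filename=fname, $extract_limit=MAX_EXTRACT_BYTES]` with `MAX_EXTRACT_BYTES` as a site-chosen constant (placeholder name). Separately, the early return already guarantees `meta$mime_type` is "application/x-dosexec", so the second `meta?$mime_type` test is redundant and the other four `ext_map` entries are never used; a comment should say whether they are reserved for later.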
diff --git a/salt/zeek/policy/securityonion/json-logs/__load__.bro b/salt/zeek/policy/securityonion/json-logs/__load__.bro
new file mode 100644
index 000000000..780208248
--- /dev/null
+++ b/salt/zeek/policy/securityonion/json-logs/__load__.bro
@@ -0,0 +1,3 @@
+@load tuning/json-logs
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+redef LogAscii::use_json = T;
diff --git a/setup/functions.sh b/setup/functions.sh
index b102b531d..a13ce5475 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -409,20 +409,24 @@ docker_install() {
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum -y update
yum -y install docker-ce python36-docker
- if [ $INSTALLTYPE != 'EVALMODE' ]; then
+ if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
docker_registry
+ echo "Restarting Docker" >> $SETUPLOG 2>&1
+ systemctl restart docker
+ systemctl enable docker
+ else
+ docker_registry
+ echo "Restarting Docker" >> $SETUPLOG 2>&1
+ systemctl restart docker
+ systemctl enable docker
fi
- echo "Restarting Docker" >> $SETUPLOG 2>&1
- systemctl restart docker
- systemctl enable docker
else
+
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
- if [ $INSTALLTYPE != 'EVALMODE' ]; then
- docker_registry >> $SETUPLOG 2>&1
- fi
+ docker_registry >> $SETUPLOG 2>&1
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >> $SETUPLOG 2>&1
else
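Review bot: Both arms of the new `if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]` in the yum path run the same four commands, so the test has no effect. If every install type should configure the registry, drop the conditional and keep `docker_registry` plus the restart/enable lines once; if non-master nodes were meant to behave differently, the `else` arm needs its own body. `$INSTALLTYPE` is also unquoted inside `[ ]`, which makes the test fail with a syntax error when the variable is empty; `[ "$INSTALLTYPE" == 'MASTERONLY' ]` avoids that. docker_install starts before and continues past this hunk.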
@@ -450,6 +454,59 @@ docker_registry() {
}
+docker_seed_registry() {
+ VERSION="HH1.1.4"
+ TRUSTED_CONTAINERS=( \
+ "so-auth-api:$VERSION" \
+ "so-auth-ui:$VERSION" \
+ "so-core:$VERSION" \
+ "so-thehive-cortex:$VERSION" \
+ "so-curator:$VERSION" \
+ "so-domainstats:$VERSION" \
+ "so-elastalert:$VERSION" \
+ "so-elasticsearch:$VERSION" \
+ "so-filebeat:$VERSION" \
+ "so-fleet:$VERSION" \
+ "so-fleet-launcher:$VERSION" \
+ "so-freqserver:$VERSION" \
+ "so-grafana:$VERSION" \
+ "so-idstools:$VERSION" \
+ "so-influxdb:$VERSION" \
+ "so-kibana:$VERSION" \
+ "so-logstash:$VERSION" \
+ "so-mysql:$VERSION" \
+ "so-navigator:$VERSION" \
+ "so-playbook:$VERSION" \
+ "so-redis:$VERSION" \
+ "so-sensoroni:$VERSION" \
+ "so-soctopus:$VERSION" \
+ "so-steno:$VERSION" \
+ #"so-strelka:$VERSION" \
+ "so-suricata:$VERSION" \
+ "so-telegraf:$VERSION" \
+ "so-thehive:$VERSION" \
+ "so-thehive-es:$VERSION" \
+ "so-wazuh:$VERSION" \
+ "so-zeek:$VERSION" )
+
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+ # Tag it with the new registry destination
+ docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+ docker push $HOSTNAME:5000/soshybridhunter/$i
+ done
+
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ echo "Removing $i locally"
+ docker rmi soshybridhunter/$i
+ done
+
+}
+
es_heapsize() {
# Determine ES Heap Size
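Review bot: Nothing in the first loop of docker_seed_registry checks whether `docker pull --disable-content-trust=false` succeeded, so a pull that fails (network error or a failed trust check) is still followed by `docker tag` and `docker push`. If an image with the same tag is already present locally, that older and possibly unverified copy is what would be pushed to `$HOSTNAME:5000`, and the Salt states changed in this commit pull from that registry rather than from docker.io. Stop on failure, e.g. `docker pull --disable-content-trust=false "docker.io/soshybridhunter/$i" || return 1`, and have the callers in setup/so-setup.sh check the function's exit status instead of only redirecting its output to `$SETUPLOG`. Quoting `"$i"` and `"$HOSTNAME"` in the tag, push and rmi lines would also be safer.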
@@ -650,6 +707,7 @@ master_static() {
touch /opt/so/saltstack/pillar/static.sls
echo "static:" > /opt/so/saltstack/pillar/static.sls
+ echo " soversion: 1.1.4" >> /opt/so/saltstack/pillar/static.sls
echo " hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls
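Review bot: The release number is now hard-coded in separate places that must be kept in step: `soversion: 1.1.4` written to static.sls here, and `VERSION="HH1.1.4"` in docker_seed_registry in this same file. If one is bumped without the other, the pillar value would name an image tag that was never seeded into the local registry. Consider a single shell variable, for example `SOVERSION=1.1.4` near the top of the file, used as `soversion: $SOVERSION` in this echo and as `VERSION="HH$SOVERSION"` in docker_seed_registry. master_static begins and ends outside this hunk.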
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 5fa4fa7b7..6059c5dd9 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -364,6 +364,10 @@ if (whiptail_you_sure) ; then
salt_checkin >> $SETUPLOG 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
+ salt-call state.apply firewall >> $SETUPLOG 2>&1
+ salt-call state.apply registry >> $SETUPLOG 2>&1
+ echo -e "XXX\n42\nDownloading Containers from the Internet... \nXXX"
+ docker_seed_registry >> $SETUPLOG 2>&1
echo -e "XXX\n43\nInstalling Common Components... \nXXX"
salt-call state.apply common >> $SETUPLOG 2>&1
echo -e "XXX\n45\nApplying firewall rules... \nXXX"
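Review bot: `salt-call state.apply firewall` now runs twice in each install path with no comment saying why. In the second hunk it appears both before `state.apply registry` and again after the "Initializing firewall rules" progress line; in this hunk the early call is followed by an "Applying firewall rules" progress line whose command lies outside the hunk. If the early run is there so the registry port is reachable before seeding, say so with a comment such as `# firewall must be applied before the registry is seeded`; otherwise drop one of the two calls. The enclosing `if (whiptail_you_sure)` blocks start and end outside both hunks.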
@@ -603,12 +607,16 @@ if (whiptail_you_sure) ; then
salt_checkin >> $SETUPLOG 2>&1
salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1
+ salt-call state.apply firewall >> $SETUPLOG 2>&1
+ salt-call state.apply registry >> $SETUPLOG 2>&1
+ echo -e "XXX\n14\nDownloading Containers from the Internet... \nXXX"
+ docker_seed_registry >> $SETUPLOG 2>&1
+ salt-call state.apply master >> $SETUPLOG 2>&1
echo -e "XXX\n15\nInstalling core components... \nXXX"
salt-call state.apply common >> $SETUPLOG 2>&1
echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n25\nInstalling master components... \nXXX"
- salt-call state.apply master >> $SETUPLOG 2>&1
salt-call state.apply idstools >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then
salt-call state.apply mysql >> $SETUPLOG 2>&1
diff --git a/updatemaster.sh b/updatemaster.sh
index 1bf22f07c..c66c01d86 100644
--- a/updatemaster.sh
+++ b/updatemaster.sh
@@ -11,4 +11,5 @@ chown -R socore:socore /opt/so/saltstack/salt
chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
cd ~
rm -rf /tmp/sogh
+# Run so-elastic-download here and call this soup with some magic
salt-call state.highstate