From d66eca1db47231afde0880cda6341d11e4e81dca Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 16 Dec 2019 20:45:14 +0000
Subject: [PATCH 001/188] add Bro extracted directory

---
 salt/bro/init.sls | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/salt/bro/init.sls b/salt/bro/init.sls
index 2e6f10f3c..422e7fbf9 100644
--- a/salt/bro/init.sls
+++ b/salt/bro/init.sls
@@ -35,6 +35,14 @@ brospooldir:
     - user: 937
     - makedirs: true
 
+# Bro extracted directory
+broextractdir:
+  file.directory:
+    - name: /nsm/bro/extracted
+    - user: 937
+    - group: 939
+    - makedirs: True
+
 brosfafincompletedir:
   file.directory:
     - name: /nsm/faf/files/incomplete
@@ -103,6 +111,7 @@ so-bro:
     - binds:
       - /nsm/bro/logs:/nsm/bro/logs:rw
       - /nsm/bro/spool:/nsm/bro/spool:rw
+      - /nsm/bro/extracted:/nsm/bro/extracted:rw
       - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
       - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
       - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
@@ -136,6 +145,7 @@ so-bro:
     - binds:
       - /nsm/bro/logs:/nsm/bro/logs:rw
       - /nsm/bro/spool:/nsm/bro/spool:rw
+      - /nsm/bro/extracted:/nsm/bro/extracted:rw
       - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
       - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
       - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro

From 56d354b2560a6908a6f83b4244feaa4d6b49c23b Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 16 Dec 2019 21:22:00 +0000
Subject: [PATCH 002/188] update Cyberchef to serve static files vs self-hosted

---
 salt/cyberchef/init.sls | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/salt/cyberchef/init.sls b/salt/cyberchef/init.sls
index 202b15037..8d33f38d5 100644
--- a/salt/cyberchef/init.sls
+++ b/salt/cyberchef/init.sls
@@ -42,12 +42,15 @@ cybercheflog:
 
 so-cyberchefimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4
 
 so-cyberchef:
   docker_container.running:
     - require:
       - so-cyberchefimage
-    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
+    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+    - interactive: True
+    - binds:
+      - /opt/so/saltstack/salt/cyberchef/build:/prod:rw
     - port_bindings:
       - 0.0.0.0:9080:8080

From 4a34ac7c05e5d6f58806ad10e099c5fba755de21 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 17 Dec 2019 13:34:01 +0000
Subject: [PATCH 003/188] wait for TheHive before attempting to configure

---
 salt/hive/thehive/scripts/hive_init.sh | 50 ++++++++++++++++----------
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh
index 2215d4e44..f726ae229 100755
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init.sh
@@ -9,31 +9,43 @@ hive_init(){
     HIVE_IP="{{MASTERIP}}"
     HIVE_USER="{{HIVEUSER}}"
     HIVE_PASSWORD="{{HIVEPASSWORD}}"
+    HIVE_KEY="{{HIVEKEY}}"
     SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
 
-    # Migrate DB
-    curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
+    echo -n "Waiting for TheHive..."
+    COUNT=0
+    HIVE_CONNECTED="no"
+    while [[ "$COUNT" -le 240 ]]; do
+        curl --output /dev/null --silent --head --fail "https://$HIVE_IP:/thehive"
+            if [ $? -eq 0 ]; then
+                HIVE_CONNECTED="yes"
+                echo "connected!"
+                break
+            else
+                ((COUNT+=1))
+                sleep 1
+                echo -n "."
+            fi
+    done
+    
+    if [ "$HIVE_CONNECTED" == "yes" ]; then
+    
+        # Migrate DB
+        curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
 
-    # Generate unique ID for apikey
-    HIVE_KEY="{{HIVEKEY}}"
-
-    # Create intial TheHive user
-    curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
+        # Create intial TheHive user
+        curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
    
-    # Pre-load custom fields
-    #
-    # reputation
-    curl -v -k "https://$HIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $HIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
+        # Pre-load custom fields
+        #
+        # reputation
+        curl -v -k "https://$HIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $HIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}"
 
    
-    # Update SOCtopus config with apikey value
-    #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG
-
-    # Check for correct authentication
-    #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER"
-
-    touch /opt/so/state/thehive.txt
-
+        touch /opt/so/state/thehive.txt
+    else
+        echo "We experienced an issue connecting to TheHive!"
+    fi
 }
 
 if [ -f /opt/so/state/thehive.txt ]; then

From 3879798d460b2f75af306de3fd4dd5a96b349f5b Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 17 Dec 2019 11:25:39 -0500
Subject: [PATCH 004/188] Update Master - Fix bleeding edge

---
 updatemaster.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/updatemaster.sh b/updatemaster.sh
index 0ee09b9e4..1bf22f07c 100644
--- a/updatemaster.sh
+++ b/updatemaster.sh
@@ -3,7 +3,7 @@
 # Clone github
 mkdir /tmp/sogh
 cd /tmp/sogh
-#git clone https://github.com/TOoSmOotH/securityonion-saltstack.git
+#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
 cd securityonion-saltstack
 rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/

From efd641f0df3399cb8a165bb8392b5cf929d532cb Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 17 Dec 2019 13:43:37 -0500
Subject: [PATCH 005/188] Rename Storage to Search Nodes

---
 pillar/firewall/storage_nodes.sls                    |  2 +-
 salt/common/grafana/etc/dashboards/dashboard.yml     |  6 +++---
 .../storage.json => search_nodes/searchnode.json}    |  0
 salt/firewall/init.sls                               |  6 +++---
 setup/functions.sh                                   | 12 ++++++------
 setup/so-setup.sh                                    |  4 ++--
 setup/whiptail.sh                                    | 11 ++++++-----
 7 files changed, 21 insertions(+), 20 deletions(-)
 rename salt/common/grafana/grafana_dashboards/{storage_nodes/storage.json => search_nodes/searchnode.json} (100%)

diff --git a/pillar/firewall/storage_nodes.sls b/pillar/firewall/storage_nodes.sls
index ffa970320..d6563b873 100644
--- a/pillar/firewall/storage_nodes.sls
+++ b/pillar/firewall/storage_nodes.sls
@@ -1,2 +1,2 @@
-storage_nodes:
+search_nodes:
   - 127.0.0.1
diff --git a/salt/common/grafana/etc/dashboards/dashboard.yml b/salt/common/grafana/etc/dashboards/dashboard.yml
index 8bb7615ea..80d356c8e 100644
--- a/salt/common/grafana/etc/dashboards/dashboard.yml
+++ b/salt/common/grafana/etc/dashboards/dashboard.yml
@@ -17,13 +17,13 @@ providers:
   editable: true
   options:
     path: /etc/grafana/grafana_dashboards/forward_nodes
-- name: 'Storage Nodes'
-  folder: 'Storage Nodes'
+- name: 'Search Nodes'
+  folder: 'Search Nodes'
   type: file
   disableDeletion: false
   editable: true
   options:
-    path: /etc/grafana/grafana_dashboards/storage_nodes
+    path: /etc/grafana/grafana_dashboards/search_nodes
 {%- else %}
 - name: 'Security Onion'
   folder: 'Eval Mode'
diff --git a/salt/common/grafana/grafana_dashboards/storage_nodes/storage.json b/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
similarity index 100%
rename from salt/common/grafana/grafana_dashboards/storage_nodes/storage.json
rename to salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 8a6d41f0f..fe38b4cd9 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -410,9 +410,9 @@ enable_forwardnode_sensoroni_9822_{{ip}}:
 
 {% endfor %}
 
-{% for ip in pillar.get('storage_nodes')  %}
+{% for ip in pillar.get('ssearch_nodes')  %}
 
-enable_storagenode_redis_6379_{{ip}}:
+enable_searchnode_redis_6379_{{ip}}:
   iptables.insert:
     - table: filter
     - chain: DOCKER-USER
@@ -583,7 +583,7 @@ enable_standard_analyst_443_{{ip}}:
 
 {% endif %}
 
-# Rules if you are a Storage Node
+# Rules if you are a Node
 {% if grains['role'] == 'so-node' %}
 
 #This should be more granular
diff --git a/setup/functions.sh b/setup/functions.sh
index e0145c7a1..6ebcd7a89 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -729,7 +729,7 @@ patch_pillar() {
     SENSORONLY)
       PATCHPILLARPATH=$SENSORPILLARPATH
       ;;
-    STORAGENODE | PARSINGNODE | HOTNODE | WARMNODE)
+    SEARCHNODE | PARSINGNODE | HOTNODE | WARMNODE)
       PATCHPILLARPATH=$NODEPILLARPATH
       ;;
   esac
@@ -1202,7 +1202,7 @@ set_initial_firewall_policy() {
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls
-    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/storage_nodes.sls
+    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/search_nodes.sls
     /opt/so/saltstack/pillar/data/addtotab.sh evaltab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
   fi
 
@@ -1218,9 +1218,9 @@ set_initial_firewall_policy() {
     ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
   fi
 
-  if [ $INSTALLTYPE == 'STORAGENODE' ]; then
+  if [ $INSTALLTYPE == 'SEARCHNODE' ]; then
     ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
-    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
     ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
@@ -1257,8 +1257,8 @@ set_management_interface() {
 set_node_type() {
 
   # Determine the node type based on whiplash choice
-  if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
-    NODETYPE='storage'
+  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+    NODETYPE='search'
   fi
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
     NODETYPE='parser'
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 81cde370b..6c26783ae 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -589,7 +589,7 @@ if (whiptail_you_sure) ; then
       configure_minion eval >> $SETUPLOG 2>&1
       echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
       set_node_type >> $SETUPLOG 2>&1
-      echo -e "XXX\n7\nStorage node pillar... \nXXX"
+      echo -e "XXX\n7\nSearch node pillar... \nXXX"
       node_pillar >> $SETUPLOG 2>&1
       echo -e "XXX\n8\nCreating firewall policies... \nXXX"
       set_initial_firewall_policy >> $SETUPLOG 2>&1
@@ -678,7 +678,7 @@ if (whiptail_you_sure) ; then
   ##     Nodes     ##
   ###################
 
-  if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'PARSINGNODE' ] || [ $INSTALLTYPE == 'HOTNODE' ] || [ $INSTALLTYPE == 'WARMNODE' ]; then
+  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'PARSINGNODE' ] || [ $INSTALLTYPE == 'HOTNODE' ] || [ $INSTALLTYPE == 'WARMNODE' ]; then
     whiptail_management_server
     whiptail_master_updates
     set_updates
diff --git a/setup/whiptail.sh b/setup/whiptail.sh
index 8497635c5..2d48e890c 100644
--- a/setup/whiptail.sh
+++ b/setup/whiptail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -250,13 +250,14 @@ whiptail_install_type() {
   INSTALLTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
   "Choose Install Type:" 20 75 13 \
   "SENSORONLY" "Create a forward only sensor" ON \
-  "STORAGENODE" "Add a Storage Hot Node with parsing" OFF \
+  "SEARCHNODE" "Add a Search Node with parsing" OFF \
   "MASTERONLY" "Start a new grid" OFF \
   "EVALMODE" "Evaluate all the things" OFF \
+  "MASTERSEARCH" "Master + Search Node" OFF \
   "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \
   "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
-  "HOTNODE" "TODO Add Hot Node (Storage Node without Parsing)" OFF \
-  "WARMNODE" "TODO Add Warm Node to existing Hot or Storage node" OFF \
+  "HOTNODE" "TODO Add Hot Node (Search Node without Parsing)" OFF \
+  "WARMNODE" "TODO Add Warm Node to existing Hot or Search node" OFF \
   "WAZUH" "TODO Stand Alone Wazuh Node" OFF \
   "STRELKA" "TODO Stand Alone Strelka Node" OFF \
   "FLEET" "TODO Stand Alone Fleet OSQuery Node" OFF 3>&1 1>&2 2>&3 )
@@ -449,7 +450,7 @@ whiptail_node_advanced() {
 
   NODESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
   "What type of config would you like to use?:" 20 75 4 \
-  "NODEBASIC" "Install Storage Node with recommended settings" ON \
+  "NODEBASIC" "Install Search Node with recommended settings" ON \
   "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 )
 
   local exitstatus=$?

From 110049436e16632fd83c6c43294b687e8851f1e6 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 17 Dec 2019 14:53:15 -0500
Subject: [PATCH 006/188] Fix Search node naming for firewall state

---
 pillar/firewall/{storage_nodes.sls => search_nodes.sls} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename pillar/firewall/{storage_nodes.sls => search_nodes.sls} (100%)

diff --git a/pillar/firewall/storage_nodes.sls b/pillar/firewall/search_nodes.sls
similarity index 100%
rename from pillar/firewall/storage_nodes.sls
rename to pillar/firewall/search_nodes.sls

From 5ead3a26b607bb39a518cd0c17d3188afb4f69f9 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 17 Dec 2019 15:32:43 -0500
Subject: [PATCH 007/188] Rename Storage to Search Nodes

---
 .../grafana/grafana_dashboards/search_nodes/searchnode.json | 4 ++--
 salt/firewall/init.sls                                      | 6 +++---
 salt/top.sls                                                | 4 ++--
 salt/utility/bin/crossthestreams.sh                         | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json b/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
index 2f9a1111a..12688e15c 100644
--- a/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
+++ b/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
@@ -12,7 +12,7 @@
       }
     ]
   },
-  "description": "This Dashboard provides a general overview of a Storage Node",
+  "description": "This Dashboard provides a general overview of a Search Node",
   "editable": true,
   "gnetId": 2381,
   "graphTooltip": 0,
@@ -3433,7 +3433,7 @@
     ]
   },
   "timezone": "browser",
-  "title": "Storage Node - {{ SERVERNAME }} Overview",
+  "title": "Search Node - {{ SERVERNAME }} Overview",
   "uid": "{{ UID }}",
   "version": 3
 }
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index fe38b4cd9..f70632c9f 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -410,7 +410,7 @@ enable_forwardnode_sensoroni_9822_{{ip}}:
 
 {% endfor %}
 
-{% for ip in pillar.get('ssearch_nodes')  %}
+{% for ip in pillar.get('search_nodes')  %}
 
 enable_searchnode_redis_6379_{{ip}}:
   iptables.insert:
@@ -423,7 +423,7 @@ enable_searchnode_redis_6379_{{ip}}:
     - position: 1
     - save: True
 
-enable_storagenode_ES_9300_{{ip}}:
+enable_searchnode_ES_9300_{{ip}}:
   iptables.insert:
     - table: filter
     - chain: DOCKER-USER
@@ -578,7 +578,7 @@ enable_standard_analyst_443_{{ip}}:
 
 {% endfor %}
 
-# Rules for storage nodes connecting to master
+# Rules for search nodes connecting to master
 
 
 {% endif %}
diff --git a/salt/top.sls b/salt/top.sls
index 7a6d5b99b..265214216 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -117,7 +117,7 @@ base:
     {%- endif %}
 
 
-  # Storage node logic
+  # Search node logic
 
   'G@role:so-node and I@node:node_type:parser':
     - match: pillar
@@ -151,7 +151,7 @@ base:
     {%- endif %}
     - schedule
 
-  'G@role:so-node and I@node:node_type:storage':
+  'G@role:so-node and I@node:node_type:search':
     - match: compound
     - ca
     - ssl
diff --git a/salt/utility/bin/crossthestreams.sh b/salt/utility/bin/crossthestreams.sh
index 3cd8b005c..23279ff13 100644
--- a/salt/utility/bin/crossthestreams.sh
+++ b/salt/utility/bin/crossthestreams.sh
@@ -29,7 +29,7 @@ echo "Applying cross cluster search config..."
          -H 'Content-Type: application/json' \
          -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MASTER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
 
-# Add all the storage nodes to cross cluster searching.
+# Add all the search nodes to cross cluster searching.
 
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 curl -XPUT http://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SNDATA.ip }}:9300"]}}}}}'

From 82076b1988017f67c5fdf4243a216be84bbca2f9 Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Tue, 17 Dec 2019 16:23:59 -0500
Subject: [PATCH 008/188] Initial commit - so-restart

---
 salt/common/tools/sbin/so-restart | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-restart

diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
new file mode 100644
index 000000000..e07fd5010
--- /dev/null
+++ b/salt/common/tools/sbin/so-restart
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-restart  filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Restarting $1\n"
+echo $banner
+
+if [ "$2" = "--force" ]
+then
+   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   salt-call saltutil.kill_all_jobs
+fi
+
+case $1 in
+   "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
+   "fleet") docker stop so-fleet so-redis && docker rm so-fleet so-redis && salt-call state.apply fleet queue=True;;
+   *) docker stop so-$1 && docker rm so-$1 && salt-call state.apply $1 queue=True;;
+esac

From 2319f503f8d14055870d3eef8566f262a33f7457 Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Tue, 17 Dec 2019 16:24:26 -0500
Subject: [PATCH 009/188] Initial commit - so-common

---
 salt/common/tools/sbin/so-common | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-common

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
new file mode 100644
index 000000000..759f78f18
--- /dev/null
+++ b/salt/common/tools/sbin/so-common
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check for prerequisites
+if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+header() {
+        echo
+        printf '%s\n' "$banner" "$*" "$banner"
+}

From 88f142664ff6e50e9f1c0d7d65969de5c5e9e542 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 18 Dec 2019 03:13:14 +0000
Subject: [PATCH 010/188] Strelka - intial config

---
 salt/strelka/files/backend/backend.yaml       | 423 ++++++++++
 salt/strelka/files/backend/logging.yaml       |  78 ++
 salt/strelka/files/backend/passwords.dat      |   2 +
 salt/strelka/files/backend/taste/taste.yara   | 748 ++++++++++++++++++
 salt/strelka/files/filestream/filestream.yaml |  20 +
 salt/strelka/files/frontend/frontend.yaml     |  11 +
 salt/strelka/files/manager/manager.yaml       |   4 +
 salt/strelka/init.sls                         | 149 ++++
 8 files changed, 1435 insertions(+)
 create mode 100644 salt/strelka/files/backend/backend.yaml
 create mode 100644 salt/strelka/files/backend/logging.yaml
 create mode 100644 salt/strelka/files/backend/passwords.dat
 create mode 100644 salt/strelka/files/backend/taste/taste.yara
 create mode 100644 salt/strelka/files/filestream/filestream.yaml
 create mode 100644 salt/strelka/files/frontend/frontend.yaml
 create mode 100644 salt/strelka/files/manager/manager.yaml
 create mode 100644 salt/strelka/init.sls

diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml
new file mode 100644
index 000000000..40ea1b5b3
--- /dev/null
+++ b/salt/strelka/files/backend/backend.yaml
@@ -0,0 +1,423 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+logging_cfg: '/etc/strelka/logging.yaml'
+limits:
+  max_files: 5000
+  time_to_live: 900
+  max_depth: 15
+  distribution: 600
+  scanner: 150
+coordinator:
+  addr: '{{ ip }}:6380'
+  db: 0
+tasting:
+  mime_db: null
+  yara_rules: '/etc/strelka/taste/'
+scanners:
+  'ScanBase64':
+    - positive:
+        filename: '^base64_'
+      priority: 5
+  'ScanBatch':
+    - positive:
+        flavors:
+          - 'text/x-msdos-batch'
+          - 'batch_file'
+      priority: 5
+  'ScanBzip2':
+    - positive:
+        flavors:
+          - 'application/x-bzip2'
+          - 'bzip2_file'
+      priority: 5
+  'ScanDocx':
+    - positive:
+        flavors:
+          - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+      priority: 5
+      options:
+        extract_text: False
+  'ScanElf':
+    - positive:
+        flavors:
+          - 'application/x-object'
+          - 'application/x-executable'
+          - 'application/x-sharedlib'
+          - 'application/x-coredump'
+          - 'elf_file'
+      priority: 5
+  'ScanEmail':
+    - positive:
+        flavors:
+          - 'application/vnd.ms-outlook'
+          - 'message/rfc822'
+          - 'email_file'
+      priority: 5
+  'ScanEntropy':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+  'ScanExiftool':
+    - positive:
+        flavors:
+          - 'application/msword'
+          - 'application/vnd.openxmlformats-officedocument'
+          - 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
+          - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+          - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
+          - 'olecf_file'
+          - 'ooxml_file'
+          - 'audio/mpeg'
+          - 'mp3_file'
+          - 'mhtml_file'
+          - 'application/pdf'
+          - 'pdf_file'
+          - 'text/rtf'
+          - 'rtf_file'
+          - 'wordml_file'
+          - 'application/x-dosexec'
+          - 'mz_file'
+          - 'application/x-object'
+          - 'application/x-executable'
+          - 'application/x-sharedlib'
+          - 'application/x-coredump'
+          - 'elf_file'
+          - 'lnk_file'
+          - 'application/x-mach-binary'
+          - 'macho_file'
+          - 'image/gif'
+          - 'gif_file'
+          - 'image/jpeg'
+          - 'jpeg_file'
+          - 'image/png'
+          - 'png_file'
+          - 'image/tiff'
+          - 'type_is_tiff'
+          - 'image/x-ms-bmp'
+          - 'bmp_file'
+          - 'application/x-shockwave-flash'
+          - 'fws_file'
+          - 'psd_file'
+          - 'video/mp4'
+          - 'video/quicktime'
+          - 'video/x-msvideo'
+          - 'avi_file'
+          - 'video/x-ms-wmv'
+          - 'wmv_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanGif':
+    - positive:
+        flavors:
+          - 'image/gif'
+          - 'gif_file'
+      priority: 5
+  'ScanGzip':
+    - positive:
+        flavors:
+          - 'application/gzip'
+          - 'application/x-gzip'
+          - 'gzip_file'
+      priority: 5
+  'ScanHash':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+  'ScanHeader':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+      options:
+        length: 50
+  'ScanHtml':
+    - positive:
+        flavors:
+          - 'hta_file'
+          - 'text/html'
+          - 'html_file'
+      priority: 5
+      options:
+        parser: "html5lib"
+  'ScanIni':
+    - positive:
+        filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
+        flavors:
+          - 'ini_file'
+      priority: 5
+  'ScanJarManifest':
+    - positive:
+        flavors:
+          - 'jar_manifest_file'
+      priority: 5
+  'ScanJavascript':
+    - negative:
+        flavors:
+          - 'text/html'
+          - 'html_file'
+      positive:
+        flavors:
+          - 'javascript_file'
+          - 'text/javascript'
+      priority: 5
+      options:
+        beautify: True
+  'ScanJpeg':
+    - positive:
+        flavors:
+          - 'image/jpeg'
+          - 'jpeg_file'
+      priority: 5
+  'ScanJson':
+    - positive:
+        flavors:
+          - 'application/json'
+          - 'json_file'
+      priority: 5
+  'ScanLibarchive':
+    - positive:
+        flavors:
+          - 'application/vnd.ms-cab-compressed'
+          - 'cab_file'
+          - 'application/x-7z-compressed'
+          - '_7zip_file'
+          - 'application/x-cpio'
+          - 'cpio_file'
+          - 'application/x-xar'
+          - 'xar_file'
+          - 'arj_file'
+          - 'iso_file'
+          - 'application/x-debian-package'
+          - 'debian_package_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanLzma':
+    - positive:
+        flavors:
+          - 'application/x-lzma'
+          - 'lzma_file'
+          - 'application/x-xz'
+          - 'xz_file'
+      priority: 5
+  'ScanMacho':
+    - positive:
+        flavors:
+          - 'application/x-mach-binary'
+          - 'macho_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanMmbot':
+    - positive:
+        flavors:
+          - 'vb_file'
+          - 'vbscript'
+      priority: 5
+      options:
+        server: 'strelka_mmrpc_1:33907'
+  'ScanOcr':
+    - positive:
+        flavors:
+          - 'image/jpeg'
+          - 'jpeg_file'
+          - 'image/png'
+          - 'png_file'
+          - 'image/tiff'
+          - 'type_is_tiff'
+          - 'image/x-ms-bmp'
+          - 'bmp_file'
+      priority: 5
+      options:
+        extract_text: False
+        tmp_directory: '/dev/shm/'
+  'ScanOle':
+    - positive:
+        flavors:
+          - 'application/CDFV2'
+          - 'application/msword'
+          - 'olecf_file'
+      priority: 5
+  'ScanPdf':
+    - positive:
+        flavors:
+          - 'application/pdf'
+          - 'pdf_file'
+      priority: 5
+      options:
+        extract_text: False
+        limit: 2000
+  'ScanPe':
+    - positive:
+        flavors:
+          - 'application/x-dosexec'
+          - 'mz_file'
+      priority: 5
+  'ScanPgp':
+    - positive:
+        flavors:
+          - 'application/pgp-keys'
+          - 'pgp_file'
+      priority: 5
+  'ScanPhp':
+    - positive:
+        flavors:
+          - 'text/x-php'
+          - 'php_file'
+      priority: 5
+  'ScanPkcs7':
+    - positive:
+        flavors:
+          - 'pkcs7_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanPlist':
+    - positive:
+        flavors:
+          - 'bplist_file'
+          - 'plist_file'
+      priority: 5
+      options:
+        keys:
+          - 'KeepAlive'
+          - 'Label'
+          - 'NetworkState'
+          - 'Program'
+          - 'ProgramArguments'
+          - 'RunAtLoad'
+          - 'StartInterval'
+  'ScanRar':
+    - positive:
+        flavors:
+          - 'application/x-rar'
+          - 'rar_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanRpm':
+    - positive:
+        flavors:
+          - 'application/x-rpm'
+          - 'rpm_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanRtf':
+    - positive:
+        flavors:
+          - 'text/rtf'
+          - 'rtf_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanRuby':
+    - positive:
+        flavors:
+          - 'text/x-ruby'
+      priority: 5
+  'ScanSwf':
+    - positive:
+        flavors:
+          - 'application/x-shockwave-flash'
+          - 'fws_file'
+          - 'cws_file'
+          - 'zws_file'
+      priority: 5
+  'ScanTar':
+    - positive:
+        flavors:
+          - 'application/x-tar'
+          - 'tar_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanTnef':
+    - positive:
+        flavors:
+          - 'application/vnd.ms-tnef'
+          - 'tnef_file'
+      priority: 5
+  'ScanUpx':
+    - positive:
+        flavors:
+          - 'upx_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanUrl':
+    - negative:
+        flavors:
+          - 'javascript_file'
+      positive:
+        flavors:
+          - 'text/plain'
+      priority: 5
+  'ScanVb':
+    - positive:
+        flavors:
+          - 'vb_file'
+          - 'vbscript'
+      priority: 5
+  'ScanVba':
+    - positive:
+        flavors:
+          - 'mhtml_file'
+          - 'application/msword'
+          - 'olecf_file'
+          - 'wordml_file'
+      priority: 5
+      options:
+        analyze_macros: True
+  'ScanX509':
+    - positive:
+        flavors:
+          - 'x509_der_file'
+      priority: 5
+      options:
+        type: 'der'
+    - positive:
+        flavors:
+          - 'x509_pem_file'
+      priority: 5
+      options:
+        type: 'pem'
+  'ScanXml':
+    - positive:
+        flavors:
+          - 'application/xml'
+          - 'text/xml'
+          - 'xml_file'
+          - 'mso_file'
+          - 'soap_file'
+      priority: 5
+  'ScanYara':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+      options:
+        location: '/etc/yara/'
+  'ScanZip':
+    - positive:
+        flavors:
+          - 'application/java-archive'
+          - 'application/zip'
+          - 'zip_file'
+          - 'application/vnd.openxmlformats-officedocument'
+          - 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
+          - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+          - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
+          - 'ooxml_file'
+      priority: 5
+      options:
+        limit: 1000
+        password_file: '/etc/strelka/passwords.dat'
+  'ScanZlib':
+    - positive:
+        flavors:
+          - 'application/zlib'
+          - 'zlib_file'
+      priority: 5
diff --git a/salt/strelka/files/backend/logging.yaml b/salt/strelka/files/backend/logging.yaml
new file mode 100644
index 000000000..b21d3c396
--- /dev/null
+++ b/salt/strelka/files/backend/logging.yaml
@@ -0,0 +1,78 @@
+version: 1
+formatters:
+  simple:
+    format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
+    datefmt: '%Y-%m-%d %H:%M:%S'
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: simple
+    stream: ext://sys.stdout
+root:
+  level: DEBUG
+  handlers: [console]
+loggers:
+  OpenSSL:
+    propagate: 0
+  bs4:
+    propagate: 0
+  bz2:
+    propagate: 0
+  chardet:
+    propagate: 0
+  docx:
+    propagate: 0
+  elftools:
+    propagate: 0
+  email:
+    propagate: 0
+  entropy:
+    propagate: 0
+  esprima:
+    propagate: 0
+  gzip:
+    propagate: 0
+  hashlib:
+    propagate: 0
+  json:
+    propagate: 0
+  libarchive:
+    propagate: 0
+  lxml:
+    propagate: 0
+  lzma:
+    propagate: 0
+  macholibre:
+    propagate: 0
+  olefile:
+    propagate: 0
+  oletools:
+    propagate: 0
+  pdfminer:
+    propagate: 0
+  pefile:
+    propagate: 0
+  pgpdump:
+    propagate: 0
+  pygments:
+    propagate: 0
+  pylzma:
+    propagate: 0
+  rarfile:
+    propagate: 0
+  requests:
+    propagate: 0
+  rpmfile:
+    propagate: 0
+  ssdeep:
+    propagate: 0
+  tarfile:
+    propagate: 0
+  tnefparse:
+    propagate: 0
+  yara:
+    propagate: 0
+  zipfile:
+    propagate: 0
+  zlib:
+    propagate: 0
diff --git a/salt/strelka/files/backend/passwords.dat b/salt/strelka/files/backend/passwords.dat
new file mode 100644
index 000000000..e9541f540
--- /dev/null
+++ b/salt/strelka/files/backend/passwords.dat
@@ -0,0 +1,2 @@
+infected
+password
diff --git a/salt/strelka/files/backend/taste/taste.yara b/salt/strelka/files/backend/taste/taste.yara
new file mode 100644
index 000000000..15d2dffbb
--- /dev/null
+++ b/salt/strelka/files/backend/taste/taste.yara
@@ -0,0 +1,748 @@
+// Archive Files
+
+rule _7zip_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 37 7A BC AF 27 1C }
+    condition:
+        $a at 0
+}
+
+rule arj_file
+{
+    meta:
+        type = "archive"
+    condition:
+        uint16(0) == 0xEA60
+}
+
+rule cab_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 4D 53 43 46 00 00 00 00 }
+    condition:
+        $a at 0 or
+        ( uint16(0) == 0x5A4D and $a )
+}
+
+rule cpio_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 30 37 30 37 30 31 }
+    condition:
+        $a at 0
+}
+
+rule iso_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 43 44 30 30 31 }
+    condition:
+        $a at 0x8001 and $a at 0x8801 and $a at 0x9001
+}
+
+rule mhtml_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = "MIME-Version: 1.0"
+        $b = "This document is a Single File Web Page, also known as a Web Archive file"
+    condition:
+        $a at 0 and $b
+}
+
+rule rar_file
+{
+    meta:
+        type = "archive"
+    condition:
+        uint16(0) == 0x6152 and uint8(2) == 0x72 and uint16(3) == 0x1A21 and uint8(5) == 0x07
+}
+
+rule tar_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 75 73 74 61 72 }
+    condition:
+        uint16(0) == 0x9D1F or
+        uint16(0) == 0xA01F or
+        $a at 257
+}
+
+rule xar_file
+{
+    meta:
+        type = "archive"
+    condition:
+        uint32(0) == 0x21726178
+}
+
+rule zip_file
+{
+    meta:
+        type = "archive"
+    condition:
+        ( uint32(0) == 0x04034B50 and not uint32(4) == 0x00060014 )
+}
+
+// Audio Files
+
+rule mp3_file
+{
+    meta:
+        type = "audio"
+    condition:
+        uint16(0) == 0x4449 and uint8(2) == 0x33
+}
+
+// Certificate Files
+
+rule pkcs7_file
+{
+    meta:
+        type = "certificate"
+    strings:
+        $a = "-----BEGIN PKCS7-----"
+    condition:
+        (uint16(0) == 0x8230 and uint16(4) == 0x0906) or
+        uint32(0) == 0x09068030 or
+        $a at 0
+}
+
+rule x509_der_file
+{
+    meta:
+        type = "certificate"
+    condition:
+        uint16(0) == 0x8230 and ( uint16(4) == 0x8230 or uint16(4) == 0x8130 )
+}
+
+rule x509_pem_file
+{
+    meta:
+        type = "certificate"
+    strings:
+        $a = "-----BEGIN CERTI"
+    condition:
+        $a at 0
+}
+
+// Compressed Files
+
+rule bzip2_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint16(0) == 0x5A42 and uint8(2) == 0x68
+}
+
+rule gzip_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint16(0) == 0x8B1F and uint8(2) == 0x08
+}
+
+rule lzma_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint16(0) == 0x005D and uint8(2) == 0x00
+}
+
+rule xz_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint32(0) == 0x587A37FD and uint16(4) == 0x005A
+}
+
+// Document Files
+
+rule doc_subheader_file
+{
+    meta:
+        type = "document"
+    condition:
+        uint32(0) == 0x00C1A5EC
+}
+
+rule mso_file
+{
+    meta:
+        type = "document"
+    strings:
+        $a = { 3C 3F 6D 73 6F 2D 61 70 70 6C 69 63 61 74 69 6F 6E 20 } // <?mso-application
+        $b = { 3C 3F 6D 73 6F 2D 63 6F 6E 74 65 6E 74 54 79 70 65 } // <?mso-contentType
+    condition:
+        $a at 0 or
+        $b at 0
+}
+
+rule olecf_file
+{
+    meta:
+        description = "Object Linking and Embedding (OLE) Compound File (CF)"
+        type = "document"
+    condition:
+        uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1
+}
+
+rule ooxml_file
+{
+    meta:
+        description = "Microsoft Office Open XML Format"
+        type  = "document"
+    condition:
+        uint32(0) == 0x04034B50 and uint32(4) == 0x00060014
+}
+
+rule pdf_file
+{
+    meta:
+        description = "Portable Document Format"
+        type = "document"
+    condition:
+        uint32(0) == 0x46445025
+}
+
+rule poi_hpbf_file
+{
+    meta:
+        description = "https://poi.apache.org/components/hpbf/file-format.html"
+        type = "document"
+    strings:
+        $a = { 43 48 4E 4B 49 4E 4B } // CHNKINK
+    condition:
+        $a at 0
+}
+
+rule rtf_file
+{
+    meta:
+        type = "document"
+    condition:
+        uint32(0) == 0x74725C7B
+}
+
+rule vbframe_file
+{
+    meta:
+        type = "document"
+    strings:
+        $a = { 56 45 52 53 49 4F 4E 20 35 2E 30 30 0D 0A 42 65 67 69 6E } // VERSION 5.00\r\nBegin
+    condition:
+        $a at 0
+}
+
+rule wordml_file
+{
+    meta:
+        description = "Microsoft Office Word 2003 XML format"
+        type = "document"
+    strings:
+       $a = { 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D } // <?xml version=
+       $b = "http://schemas.microsoft.com/office/word/2003/wordml"
+    condition:
+        $a at 0 and $b
+}
+
+rule xfdf_file
+{
+    meta:
+        description = "XML Forms Data Format"
+        type = "document"
+    strings:
+        $a = { 3C 78 66 64 66 20 78 6D 6C 6E 73 3D } // <xfdf xmlns=
+    condition:
+        $a at 0
+}
+
+// Email Files
+
+rule email_file
+{
+    meta:
+        type = "email"
+    strings:
+        $a = "\x0aReceived:" nocase fullword
+        $b = "\x0AReturn-Path:" nocase fullword
+        $c = "\x0aMessage-ID:" nocase fullword
+        $d = "\x0aReply-To:" nocase fullword
+        $e = "\x0aX-Mailer:" nocase fullword
+    condition:
+        $a in (0..2048) or
+        $b in (0..2048) or
+        $c in (0..2048) or
+        $d in (0..2048) or
+        $e in (0..2048)
+}
+
+rule tnef_file
+{
+    meta:
+        description = "Transport Neutral Encapsulation Format"
+        type = "email"
+    condition:
+        uint32(0) == 0x223E9F78
+}
+
+// Encryption Files
+
+rule pgp_file
+{
+    meta:
+        type = "encryption"
+    strings:
+        $a = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 50 55 42 4C 49 43 20 4B 45 59 20 42 4C 4F 43 4B 2D } // (.{2})(\x2D\x2D\x2DBEGIN PGP PUBLIC KEY BLOCK\x2D)
+        $b = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 53 49 47 4E 41 54 55 52 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP SIGNATURE\x2D)
+        $c = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 4D 45 53 53 41 47 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP MESSAGE\x2D)
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0
+}
+
+// Executable Files
+
+rule elf_file
+{
+    meta:
+        description = "Executable and Linkable Format"
+        type = "executable"
+    condition:
+        uint32(0) == 0x464C457F
+}
+
+rule lnk_file
+{
+    meta:
+        description = "Windows Shortcut file"
+        type = "executable"
+    condition:
+        uint32(0) == 0x0000004C
+}
+
+rule macho_file
+{
+    meta:
+        description = "Mach object"
+        type = "executable"
+    condition:
+        uint32(0) == 0xCEFAEDFE or
+        uint32(0) == 0xCFFAEDFE or
+        uint32(0) == 0xFEEDFACE or
+        uint32(0) == 0xFEEDFACF
+}
+
+rule mz_file
+{
+    meta:
+        description = "DOS MZ executable"
+        type = "executable"
+    condition:
+        uint16(0) == 0x5A4D
+}
+
+// Image Files
+
+rule bmp_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 42 4D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ( 0C | 28 | 40 | 6C | 7C | 80 ) 00 } // BM
+    condition:
+        $a at 0
+}
+
+rule cmap_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 62 65 67 69 6E 63 6D 61 70 } // begincmap
+    condition:
+        $a at 0
+}
+
+rule gif_file
+{
+    meta:
+        description = "Graphics Interchange Format"
+        type = "image"
+    condition:
+        uint32(0) == 0x38464947 and ( uint16(4) == 0x6137 or uint16(4) == 0x6139 )
+}
+
+rule jpeg_file
+{
+    meta:
+        type = "image"
+    condition:
+        uint32(0) == 0xE0FFD8FF or
+        uint32(0) == 0xE1FFD8FF or
+        uint32(0) == 0xE2FFD8FF or
+        uint32(0) == 0xE8FFD8FF
+}
+
+rule postscript_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 } // %!PS-Adobe-3.0
+    condition:
+        $a at 0
+}
+
+rule png_file
+{
+    meta:
+        type = "image"
+    condition:
+        uint32(0) == 0x474E5089
+}
+
+rule psd_file
+{
+    meta:
+        description = "Photoshop Document"
+        type = "image"
+    condition:
+        uint32(0) == 0x53504238
+}
+
+rule psd_image_file
+{
+    meta:
+        description = "Photoshop Document image resource block"
+        type = "image"
+    condition:
+        uint32(0) == 0x4D494238
+}
+
+rule svg_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 3C 73 76 67 20 } // <svg
+    condition:
+        $a at 0
+}
+
+rule xicc_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 58 49 43 43 5F 50 52 4F 46 49 4C 45 } // XICC_PROFILE
+    condition:
+        $a at 0
+}
+
+rule xmp_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 3C 3F 78 70 61 63 6B 65 74 20 62 65 67 69 6E 3D } // <?xpacket begin=
+        $b = { 3C 78 3A 78 6D 70 6D 65 74 61 20 78 6D 6C 6E 73 3A 78 3D } // <x:xmpmeta xmlns:x=
+    condition:
+        $a at 0 or $b at 0
+}
+
+// Metadata Files
+
+rule jar_manifest_file
+{
+    meta:
+        type = "metadata"
+    condition:
+        uint32(0) == 0x696E614D and uint32(4) == 0x74736566
+}
+
+rule bplist_file
+{
+    meta:
+        description = "Binary Property List"
+        type = "metadata"
+    condition:
+        uint32(0) == 0x696C7062 and uint32(4) == 0x30307473
+}
+
+// Multimedia Files
+
+rule fws_file
+{
+    meta:
+        type =  "multimedia"
+    condition:
+        uint16(0) == 0x5746 and uint8(2) == 0x53
+}
+
+rule cws_file
+{
+    meta:
+        description = "zlib compressed Flash file"
+        type = "multimedia"
+    condition:
+        uint16(0) == 0x5743 and uint8(2) == 0x53
+}
+
+
+rule zws_file
+{
+    meta:
+        description = "LZMA compressed Flash file"
+        type =  "multimedia"
+    condition:
+        uint16(0) == 0x575A and uint8(2) == 0x53
+}
+
+// Package Files
+
+rule debian_package_file
+{
+    meta:
+        type = "package"
+    strings:
+        $a = { 21 3C 61 72 63 68 3E 0A 64 65 62 69 61 6E } // \x21\x3Carch\x3E\x0Adebian
+    condition:
+        $a at 0
+}
+
+rule rpm_file
+{
+    meta:
+        type = "package"
+    condition:
+        uint32(0) == 0x6D707264 or uint32(0) == 0xDBEEABED
+}
+
+// Packer Files
+
+rule upx_file
+{
+    meta:
+        description = "Ultimate Packer for Executables"
+        type = "packer"
+    strings:
+        $a = {55505830000000}
+        $b = {55505831000000}
+        $c = "UPX!"
+    condition:
+        uint16(0) == 0x5A4D and
+        $a in (0..1024) and
+        $b in (0..1024) and
+        $c in (0..1024)
+}
+
+// Script Files
+
+rule batch_file
+{
+    meta:
+        type = "script"
+    strings:
+        $a = { ( 45 | 65 ) ( 43 | 63 ) ( 48 | 68 ) ( 4F | 6F ) 20 ( 4F | 6F) ( 46 | 66 ) ( 46 | 66 ) } // [Ee][Cc][Hh][Oo] [Oo][Ff][Ff]
+    condition:
+        $a at 0
+}
+
+rule javascript_file
+{
+    meta:
+        type = "script"
+    strings:
+        $var = { 76 61 72 20 } // var
+        $function1 = { 66 75 6E 63 74 69 6F 6E } // function
+        $function2 = { 28 66 75 6E 63 74 69 6F 6E } // (function
+        $function3 = { 66 75 6E 63 74 69 6F 6E [0-1] 28 } // function[0-1](
+        $if = { 69 66 [0-1] 28 } // if[0-1](
+        $misc1 = { 24 28 } // $(
+        $misc2 = { 2F ( 2A | 2F ) } // \/(\/|\*)
+        $jquery = { 6A 51 75 65 72 79 } // jQuery
+        $try = { 74 72 79 [0-1] 7B } // try[0-1]{
+        $catch = { 63 61 74 63 68 28 } // catch(
+        $push = { 2E 70 75 73 68 28 } // .push(
+        $array = { 6E 65 77 20 41 72 72 61 79 28 } // new Array(
+        $document1 = { 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 } // document.create
+        $document2 = { 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 } // document.write
+        $window = { 77 69 6E 64 6F 77 ( 2E | 5B ) } // window[.\[]
+        $define = { 64 65 66 69 6E 65 28 } // define(
+        $eval = { 65 76 61 6C 28 } // eval(
+        $unescape = { 75 6E 65 73 63 61 70 65 28 } // unescape(
+    condition:
+        $var at 0 or
+        $function1 at 0 or
+        $function2 at 0 or
+        $if at 0 or
+        $jquery at 0 or
+        $function3 in (0..30) or
+        $push in (0..30) or
+        $array in (0..30) or
+        ( $try at 0 and $catch in (5..5000) ) or
+        $document1 in (0..100) or
+        $document2 in (0..100) or
+        $window in (0..100) or
+        $define in (0..100) or
+        $eval in (0..100) or
+        $unescape in (0..100) or
+        ( ( $misc1 at 0 or $misc2 at 0 ) and $var and $function1 and $if )
+}
+
+rule vb_file
+{
+    meta:
+        type = "script"
+    strings:
+        $a = { 41 74 74 72 69 62 75 74 65 20 56 42 5F 4E 61 6D 65 20 3D } // Attribute VB_Name =
+        $b = { 4F 70 74 69 6F 6E 20 45 78 70 6C 69 63 69 74 } // Option Explicit
+        $c = { 44 69 6D 20 } // Dim
+        $d = { 50 75 62 6C 69 63 20 53 75 62 20 } // Public Sub
+        $e = { 50 72 69 76 61 74 65 20 53 75 62 20 } // Private Sub
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0 or
+        $d at 0 or
+        $e at 0
+}
+
+// Text Files
+
+rule hta_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3C 48 54 41 3A 41 50 50 4C 49 43 41 54 49 4F 4E 20 } // <HTA:APPLICATION
+    condition:
+        $a in (0..2000)
+}
+
+rule html_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3C 21 ( 64 | 44 ) ( 6F | 4F ) ( 63 |43 ) ( 74 | 54 ) ( 79 | 59 ) ( 70 | 50 ) ( 65 | 45 )  20 ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C )  } // <![Dd][Oo][Cc][Tt][Yy][Pp][Ee] [Hh][Tt][Mm][Ll]
+        $b = { 3C ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C ) } // <[Hh][Tt][Mm][Ll]
+        $c = { 3C ( 62 | 42 ) ( 72 | 52 ) } // <br
+        $d = { 3C ( 44 | 64 ) ( 49 | 69 ) ( 56 | 76 ) } // <[Dd][Ii][Vv]
+        $e = { 3C ( 41 | 61 ) 20 ( 48 |68 ) ( 52 | 72 ) ( 45 | 65 ) ( 46 | 66 ) 3D } // <[Aa] [Hh][Rr][Ee][Ff]=
+        $f = { 3C ( 48 | 68 ) ( 45 | 65 ) ( 41 | 61 ) ( 44 | 64 ) } // <[Hh][Ee][Aa][Dd]
+        $g = { 3C ( 53 | 73 ) ( 43 | 63 ) ( 52 | 72 ) ( 49 | 69 ) ( 50 | 70 ) ( 54 | 74 ) } // <[Ss][Cc][Rr][Ii][Pp][Tt]
+        $h = { 3C ( 53 | 73 ) ( 54 | 74 ) ( 59 | 79 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Ss][Tt][Yy][Ll][Ee]
+        $i = { 3C ( 54 | 74 ) ( 41 | 61 ) ( 42 | 62 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Tt][Aa][Bb][Ll][Ee]
+        $j = { 3C ( 50 | 70 ) } // <[Pp]
+        $k = { 3C ( 49 | 69 ) ( 4D | 6D ) ( 47 | 67 ) } // <[Ii][Mm][Gg]
+        $l = { 3C ( 53 | 73 ) ( 50 |70 ) ( 41 | 61 ) ( 4E | 6E ) } // <[Ss][Pp][Aa][Nn]
+        $m = { 3C ( 48 | 68 ) ( 52 | 72 | 31 | 32 | 33 | 34 | 35 | 36 ) } // <[Hh][Rr] <[Hh][1-6]
+        $n = { 3C ( 54 | 74) ( 49 | 69 ) ( 54 | 74 ) ( 4C | 6C ) ( 45 | 65 ) 3E } // <[Tt][Ii][Tt][Ll][Ee]>
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0 or
+        $d at 0 or
+        $e at 0 or
+        $f at 0 or
+        $g at 0 or
+        $h at 0 or
+        $i at 0 or
+        $j at 0 or
+        $k at 0 or
+        $l at 0 or
+        $m at 0 or
+        $n at 0
+}
+
+rule json_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 7B [0-5] 22 }
+    condition:
+        $a at 0
+}
+
+rule php_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3c 3f 70 68 70 }
+    condition:
+        $a at 0
+}
+
+rule soap_file
+{
+    meta:
+        description = "Simple Object Access Protocol"
+        type = "text"
+    strings:
+        $a = { 3C 73 6F 61 70 65 6E 76 3A 45 6E 76 65 6C 6F 70 65 } // <soapenv:Envelope xmlns
+        $b = { 3C 73 3A 45 6E 76 65 6C 6F 70 65 } // <s:Envelope
+    condition:
+        $a at 0 or
+        $b at 0
+}
+
+rule xml_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3C 3F ( 58 | 78) ( 4D | 6D ) ( 4C | 6C ) 20 76 65 72 73 69 6F 6E 3D } // <?[Xx][Mm][Ll] version=
+        $b = { 3C 3F 78 6D 6C 3F 3E } // <?xml?>
+        $c = { 3C 73 74 79 6C 65 53 68 65 65 74 20 78 6D 6C 6E 73 3D } // <styleSheet xmlns=
+        $d = { 3C 77 6F 72 6B 62 6F 6F 6B 20 78 6D 6C 6E 73 } // <workbook xmlns
+        $e = { 3C 78 6D 6C 20 78 6D 6C 6E 73 } // <xml xmlns
+        $f = { 3C 69 6E 74 20 78 6D 6C 6E 73 } // <int xmlns
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0 or
+        $d at 0 or
+        $e at 0 or
+        $f at 0
+}
+
+// Video Files
+
+rule avi_file
+{
+    meta:
+        type = "video"
+    strings:
+        $a = { 52 49 46 46 ?? ?? ?? ?? 41 56 49 20 4C 49 53 54 }
+    condition:
+        $a at 0
+}
+
+rule wmv_file
+{
+    meta:
+        type = "video"
+    condition:
+        uint32(0) == 0x75B22630 and uint32(4) == 0x11CF668E and uint32(8) == 0xAA00D9A6 and uint32(12) == 0x6CCE6200
+}
diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml
new file mode 100644
index 000000000..0475840c9
--- /dev/null
+++ b/salt/strelka/files/filestream/filestream.yaml
@@ -0,0 +1,20 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+conn:
+  server: '{{ ip }}:57314'
+  cert: ''
+  timeout:
+    dial: 5s
+    file: 1m
+throughput:
+  concurrency: 8
+  chunk: 32768
+  delay: 0s
+files:
+  patterns:
+    - '/nsm/strelka/*'
+  delete: false
+  gatekeeper: true
+response:
+  report: 5s
+delta: 5s
+staging: '/nsm/strelka/processed'
diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml
new file mode 100644
index 000000000..1c7b15175
--- /dev/null
+++ b/salt/strelka/files/frontend/frontend.yaml
@@ -0,0 +1,11 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+server: ":57314"
+coordinator:
+  addr: '{{ ip }}:6380'
+  db: 0
+gatekeeper:
+  addr: '{{ ip }}:6381'
+  db: 0
+  ttl: 1h
+response:
+  log: "/var/log/strelka/strelka.log"
diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml
new file mode 100644
index 000000000..16a4c697b
--- /dev/null
+++ b/salt/strelka/files/manager/manager.yaml
@@ -0,0 +1,4 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+coordinator:
+  addr: '{{ ip }}:6380'
+  db: 0
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
new file mode 100644
index 000000000..0369f351e
--- /dev/null
+++ b/salt/strelka/init.sls
@@ -0,0 +1,149 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTER = grains['master'] %}
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+
+# Strelka config
+strelkaconfdir:
+  file.directory:
+    - name: /opt/so/conf/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Strelka logs 
+strelkalogdir:
+  file.directory:
+    - name: /opt/so/log/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Sync dynamic config to conf dir
+strelkasync:
+  file.recurse:
+    - name: /opt/so/conf/strelka/
+    - source: salt://strelka/files
+    - user: 939
+    - group: 939
+    - template: jinja
+
+strelkadatadir:
+   file.directory:
+    - name: /nsm/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkastagedir:
+   file.directory:
+    - name: /nsm/strelka/processed
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+
+#so-strelka-frontendimage:
+# cmd.run:
+#   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+
+so-strelka-coordinatorimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
+
+so-strelka-gatekeeperimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
+
+so-strelka-backendimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+
+so-strelka-managerimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+
+so-strelka-backendimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+
+
+strelka_coordinator:
+  docker_container.running:
+    - require:
+      - so-strelka-coordinatorimage
+    - image: docker.io/redis:5.0.5-alpine3.10
+    - name: so-strelka-coordinator
+    - command: redis-server --save "" --appendonly no
+    - port_bindings:
+      - 0.0.0.0:6380:6379
+
+strelka_gatekeeper:
+  docker_container.running:
+    - require:
+      - so-strelka-gatekeeperimage
+    - image: docker.io/redis:5.0.5-alpine3.10
+    - name: so-strelka-gatekeeper
+    - command: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
+    - port_bindings:
+      - 0.0.0.0:6381:6379
+   
+strelka_frontend:
+  docker_container.running:
+    - require:
+      - so-strelka-frontendimage
+    - image: docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5 
+    - binds:
+      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
+      - /opt/so/log/strelka/:/var/log/strelka/:rw
+    - privileged: True
+    - name: so-strelka-frontend
+    - command: strelka-frontend
+    - port_bindings:
+      - 0.0.0.0:57314:57314
+
+strelka_backend:
+  docker_container.running:
+    - require:
+      - so-strelka-backendimage
+    - image: docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+    - restart_policy: unless-stopped
+    - binds:
+      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
+      - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
+    - name: so-strelka-backend
+    - command: strelka-backend
+
+strelka_manager:
+  docker_container.running:
+    - require:
+      - so-strelka-managerimage
+    - image: docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+    - binds:
+      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
+    - name: so-strelka-manager
+    - command: strelka-manager
+
+strelka_filestream:
+  docker_container.running:
+    - require:
+      - so-strelka-filestreamimage
+    - image: docker.io/soshybridhunter/so-strelka-filestream:HH1.1.5   
+    - image: docker.io/wlambert/sfilestream:grpc
+    - binds:
+      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
+      - /nsm/strelka:/nsm/strelka
+    - name: so-strelka-filestream
+    - command: strelka-filestream

From c597dd2fb4dad5a64f7bab4cd165fc450f760716 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 18 Dec 2019 03:22:30 +0000
Subject: [PATCH 011/188] Strelka - Filebeat config

---
 salt/filebeat/etc/filebeat.yml | 16 +++++++++++++++-
 salt/strelka/init.sls          |  6 +++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 0da9b68bc..1fdfc68e1 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -3,6 +3,7 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
 {%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %}
+{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
 
 name: {{ HOSTNAME }}
 
@@ -66,7 +67,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
@@ -126,6 +127,19 @@ filebeat.prospectors:
     clean_removed: false
     close_removed: false
 
+{%- endif %}
+
+{%- if STRELKAENABLED == '1' %}
+
+  - type: log
+    paths:
+      - /opt/so/log/strelka/strelka.log
+    fields:
+      type: strelka
+    fields_under_root: true
+    clean_removed: false
+    close_removed: false
+
 {%- endif %}
 #----------------------------- Logstash output ---------------------------------
 output.logstash:
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 0369f351e..803886d2b 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -55,9 +55,9 @@ strelkastagedir:
     - makedirs: True
 
 
-#so-strelka-frontendimage:
-# cmd.run:
-#   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+so-strelka-frontendimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
 
 so-strelka-coordinatorimage:
  cmd.run:

From 9bae1c7a03cb42d9618d9057da98d313dafeafa4 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Wed, 18 Dec 2019 12:06:57 -0500
Subject: [PATCH 012/188] Registry Update

---
 salt/common/init.sls                       |  8 ++---
 salt/common/tools/sbin/so-elastic-download | 40 ++++++++++++++++++++++
 setup/functions.sh                         | 14 ++++----
 3 files changed, 52 insertions(+), 10 deletions(-)
 create mode 100644 salt/common/tools/sbin/so-elastic-download

diff --git a/salt/common/init.sls b/salt/common/init.sls
index e34431a46..74256dabb 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -214,7 +214,7 @@ so-telegraf:
       - /opt/so/conf/telegraf/etc/telegraf.conf
       - /opt/so/conf/telegraf/scripts
 
-# If its a master or eval lets install the back end for now		
+# If its a master or eval lets install the back end for now
 {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
 
 # Influx DB
@@ -303,7 +303,7 @@ grafanadashfndir:
 
 grafanadashsndir:
   file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
     - user: 939
     - group: 939
     - makedirs: True
@@ -362,11 +362,11 @@ dashboard-{{ SN }}:
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 dashboard-{{ SN }}:
   file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
     - user: 939
     - group: 939
     - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json
+    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
     - defaults:
       SERVERNAME: {{ SN }}
       MANINT: {{ SNDATA.manint }}
diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download
new file mode 100644
index 000000000..8155af414
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -0,0 +1,40 @@
+#!/bin/bash
+MASTER={{ MASTER }}
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-auth-api:$VERSION" \
+"so-auth-ui:$VERSION" \
+"so-bro:$VERSION" \
+"so-core:$VERSION" \
+"so-cortex:$VERSION" \
+"so-curator:VERSION" \
+"so-cyberchef:VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+  docker push $MASTER:5000/soshybridhunter/$i
+done
diff --git a/setup/functions.sh b/setup/functions.sh
index 6ebcd7a89..98e2a1d81 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -409,9 +409,10 @@ docker_install() {
     yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
     yum -y update
     yum -y install docker-ce python36-docker
-    if [ $INSTALLTYPE != 'EVALMODE' ]; then
-      docker_registry
-    fi
+#    if [ $INSTALLTYPE != 'EVALMODE' ]; then
+#      docker_registry
+#    fi
+    docker_registry
     echo "Restarting Docker" >> $SETUPLOG 2>&1
     systemctl restart docker
     systemctl enable docker
@@ -420,9 +421,10 @@ docker_install() {
     if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
       apt-get update >> $SETUPLOG 2>&1
       apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
-      if [ $INSTALLTYPE != 'EVALMODE'  ]; then
-        docker_registry >> $SETUPLOG 2>&1
-      fi
+#      if [ $INSTALLTYPE != 'EVALMODE'  ]; then
+#        docker_registry >> $SETUPLOG 2>&1
+#      fi
+      docker_registry
       echo "Restarting Docker" >> $SETUPLOG 2>&1
       systemctl restart docker >> $SETUPLOG 2>&1
     else

From 2888dce48f38dcf21fcbaa5100c8d326edfe0a11 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 18 Dec 2019 14:11:26 -0500
Subject: [PATCH 013/188] fix ssl verify hive_init.sh

---
 salt/hive/thehive/scripts/hive_init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh
index f726ae229..6c5168a66 100755
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init.sh
@@ -16,7 +16,7 @@ hive_init(){
     COUNT=0
     HIVE_CONNECTED="no"
     while [[ "$COUNT" -le 240 ]]; do
-        curl --output /dev/null --silent --head --fail "https://$HIVE_IP:/thehive"
+        curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP:/thehive"
             if [ $? -eq 0 ]; then
                 HIVE_CONNECTED="yes"
                 echo "connected!"

From dd8728e2750ff9ba9448dc8edd08786a5a9129f3 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Wed, 18 Dec 2019 15:32:07 -0500
Subject: [PATCH 014/188] Registry Update - Switch all to use registry

---
 setup/so-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 6c26783ae..671eb2eb7 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -603,12 +603,12 @@ if (whiptail_you_sure) ; then
       salt_checkin >> $SETUPLOG 2>&1
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply master >> $SETUPLOG 2>&1
       echo -e "XXX\n15\nInstalling core components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1
       echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
       salt-call state.apply firewall >> $SETUPLOG 2>&1
       echo -e "XXX\n25\nInstalling master components... \nXXX"
-      salt-call state.apply master >> $SETUPLOG 2>&1
       salt-call state.apply idstools >> $SETUPLOG 2>&1
       if [[ $OSQUERY == '1' ]]; then
         salt-call state.apply mysql >> $SETUPLOG 2>&1

From 0d541f49498b52858d42d5ad956ef45110237ac0 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Thu, 19 Dec 2019 10:49:23 -0500
Subject: [PATCH 015/188] initial commit - so-component-restart scripts

---
 salt/common/tools/sbin/so-cortex-restart   | 20 ++++++++++++++
 salt/common/tools/sbin/so-filebeat-restart | 31 ++++++++++++----------
 salt/common/tools/sbin/so-playbook-restart | 20 ++++++++++++++
 salt/common/tools/sbin/so-soctopus-restart | 20 ++++++++++++++
 salt/common/tools/sbin/so-thehive-restart  | 20 ++++++++++++++
 5 files changed, 97 insertions(+), 14 deletions(-)
 create mode 100644 salt/common/tools/sbin/so-cortex-restart
 create mode 100644 salt/common/tools/sbin/so-playbook-restart
 create mode 100644 salt/common/tools/sbin/so-soctopus-restart
 create mode 100644 salt/common/tools/sbin/so-thehive-restart

diff --git a/salt/common/tools/sbin/so-cortex-restart b/salt/common/tools/sbin/so-cortex-restart
new file mode 100644
index 000000000..aab452475
--- /dev/null
+++ b/salt/common/tools/sbin/so-cortex-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart cortex $1
diff --git a/salt/common/tools/sbin/so-filebeat-restart b/salt/common/tools/sbin/so-filebeat-restart
index 85faf7499..d9cdeeec8 100644
--- a/salt/common/tools/sbin/so-filebeat-restart
+++ b/salt/common/tools/sbin/so-filebeat-restart
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat && sudo docker rm so-filebeat && salt-call state.apply filebeat
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart filebeat $1
diff --git a/salt/common/tools/sbin/so-playbook-restart b/salt/common/tools/sbin/so-playbook-restart
new file mode 100644
index 000000000..f05222eae
--- /dev/null
+++ b/salt/common/tools/sbin/so-playbook-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart playbook $1
diff --git a/salt/common/tools/sbin/so-soctopus-restart b/salt/common/tools/sbin/so-soctopus-restart
new file mode 100644
index 000000000..144ddbf3e
--- /dev/null
+++ b/salt/common/tools/sbin/so-soctopus-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart soctopus $1
diff --git a/salt/common/tools/sbin/so-thehive-restart b/salt/common/tools/sbin/so-thehive-restart
new file mode 100644
index 000000000..4b28c0030
--- /dev/null
+++ b/salt/common/tools/sbin/so-thehive-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart thehive $1

From 2b20d009e1dc17aa641caf6025cbf539de54d59e Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@gmail.com>
Date: Thu, 19 Dec 2019 15:50:22 -0500
Subject: [PATCH 016/188] Fixed cyberchef container image version error.

Cyberchef container image v1.1.4 has not been built yet, revert to 1.1.3 for now
---
 salt/cyberchef/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/cyberchef/init.sls b/salt/cyberchef/init.sls
index 8d33f38d5..aa04d3725 100644
--- a/salt/cyberchef/init.sls
+++ b/salt/cyberchef/init.sls
@@ -42,7 +42,7 @@ cybercheflog:
 
 so-cyberchefimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
 
 so-cyberchef:
   docker_container.running:

From 7653959d60cfd15f8aa088369065179d9f4bb566 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 19 Dec 2019 17:50:45 -0500
Subject: [PATCH 017/188] [BUG] Updated missed text in cyberchef init.sls

The docker pull command was updated but not the run instruction
---
 salt/cyberchef/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/cyberchef/init.sls b/salt/cyberchef/init.sls
index aa04d3725..ff258c293 100644
--- a/salt/cyberchef/init.sls
+++ b/salt/cyberchef/init.sls
@@ -48,7 +48,7 @@ so-cyberchef:
   docker_container.running:
     - require:
       - so-cyberchefimage
-    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
     - interactive: True
     - binds:
       - /opt/so/saltstack/salt/cyberchef/build:/prod:rw

From b97ff72bc25be80f0817a648f97d750d76a543b4 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 18 Dec 2019 14:11:26 -0500
Subject: [PATCH 018/188] fix ssl verify hive_init.sh

---
 salt/hive/thehive/scripts/hive_init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh
index f726ae229..6c5168a66 100755
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init.sh
@@ -16,7 +16,7 @@ hive_init(){
     COUNT=0
     HIVE_CONNECTED="no"
     while [[ "$COUNT" -le 240 ]]; do
-        curl --output /dev/null --silent --head --fail "https://$HIVE_IP:/thehive"
+        curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP:/thehive"
             if [ $? -eq 0 ]; then
                 HIVE_CONNECTED="yes"
                 echo "connected!"

From 2b6e2e04656943d1b9b95ee25f50947d0b667f0c Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 18 Dec 2019 21:55:24 -0500
Subject: [PATCH 019/188] Initial changes to add new auth framework

* Changes to evalmode only at this time
* Cleaned up nginx eval config
---
 salt/auth/init.sls                   | 44 ++++++++++++++++
 salt/common/nginx/nginx.conf.so-eval | 76 +++++++++++++++++-----------
 salt/cyberchef/init.sls              |  4 +-
 salt/top.sls                         |  1 +
 setup/so-setup.sh                    |  1 +
 5 files changed, 94 insertions(+), 32 deletions(-)
 create mode 100644 salt/auth/init.sls

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
new file mode 100644
index 000000000..45254e177
--- /dev/null
+++ b/salt/auth/init.sls
@@ -0,0 +1,44 @@
+authdir:
+    file.directory:
+        - name: /opt/so/conf/auth
+        - user: 939
+        - group: 939
+        - makedirs: True
+
+authfilesync:
+    file.recurse:
+        - name: /opt/so/conf/auth
+        - source: salt://auth/files
+        - user: 939
+        - group: 939
+        - template: jinja
+
+so-auth-api-image:
+    cmd.run:
+        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3
+
+so-auth-ui-image:
+    cmd.run:
+        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.3
+
+so-auth-api:
+    docker_container.running:
+        - require:
+            - so-auth-api-image
+        - image: docker.io/soshybridhunter/so-auth-api:HH1.1.3
+        - hostname: so-auth-api
+        - name: so-auth-api
+        - environment:
+            - BASE_PATH: "/so-auth/api"
+        - port_bindings:
+            - 0.0.0.0:5656:5656
+
+so-auth-ui:
+    docker_container.running:
+        - require:
+            - so-auth-ui-image
+        - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.3
+        - hostname: so-auth-ui
+        - name: so-auth-ui
+        - port_bindings:
+            - 0.0.0.0:4242:80
diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval
index b5cf6ef5a..f506499a7 100644
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -58,9 +58,9 @@ http {
     #    }
     #}
     server {
-	      listen 80 default_server;
-	      server_name _;
-	      return 301 https://$host$request_uri;
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
     }
 
 
@@ -88,8 +88,8 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
-          proxy_pass http://{{ masterip }}:3000/;
+          rewrite               /grafana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -100,10 +100,9 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-	  rewrite /kibana/(.*) /$1 break;
-          proxy_pass http://{{ masterip }}:5601/;
+          auth_request          /so-auth/api/auth/;
+          rewrite               /kibana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -114,7 +113,7 @@ http {
         }
 
         location /playbook/ {
-          proxy_pass http://{{ masterip }}:3200/playbook/;
+          proxy_pass            http://{{ masterip }}:3200/playbook/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -126,9 +125,8 @@ http {
 
 
         location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-          proxy_pass http://{{ masterip }}:4200/navigator/;
+          auth_request          /so-auth/api/auth/;
+          proxy_pass            http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -139,7 +137,7 @@ http {
         }
 
         location /api/ {
-          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_pass            https://{{ masterip }}:8080/api/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Upgrade $http_upgrade;
@@ -152,7 +150,7 @@ http {
         }
 
         location /fleet/ {
-          proxy_pass https://{{ masterip }}:8080/fleet/;
+          proxy_pass            https://{{ masterip }}:8080/fleet/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -163,10 +161,10 @@ http {
         }
 
         location /thehive/ {
-          proxy_pass http://{{ masterip }}:9000/thehive/;
+          proxy_pass            http://{{ masterip }}:9000/thehive/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_http_version    1.1; # this is essential for chunked responses to work
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -175,10 +173,10 @@ http {
         }
 
         location /cortex/ {
-          proxy_pass http://{{ masterip }}:9001/cortex/;
+          proxy_pass            http://{{ masterip }}:9001/cortex/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_http_version    1.1; # this is essential for chunked responses to work
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -187,19 +185,19 @@ http {
         }
         
         location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
+          proxy_pass            http://{{ masterip }}:9080/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_http_version    1.1; # this is essential for chunked responses to work
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
 
         }
-	
+  
         location /soctopus/ {
-          proxy_pass http://{{ masterip }}:7000/;
+          proxy_pass            http://{{ masterip }}:7000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -210,17 +208,16 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-          proxy_pass http://{{ masterip }}:9822/;
+          auth_request          /so-auth/api/auth/;
+          proxy_pass            http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "Upgrade";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
 
         }
 
@@ -237,15 +234,34 @@ http {
         }
 
         location /sensoroniagents/ {
-          proxy_pass http://{{ masterip }}:9822/;
+          proxy_pass            http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
         }
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }
diff --git a/salt/cyberchef/init.sls b/salt/cyberchef/init.sls
index 8d33f38d5..ff258c293 100644
--- a/salt/cyberchef/init.sls
+++ b/salt/cyberchef/init.sls
@@ -42,13 +42,13 @@ cybercheflog:
 
 so-cyberchefimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
 
 so-cyberchef:
   docker_container.running:
     - require:
       - so-cyberchefimage
-    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
     - interactive: True
     - binds:
       - /opt/so/saltstack/salt/cyberchef/build:/prod:rw
diff --git a/salt/top.sls b/salt/top.sls
index 265214216..4a2ccdd2b 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -48,6 +48,7 @@ base:
     - firewall
     - master
     - idstools
+    - auth
     {%- if OSQUERY != 0 %}
     - mysql
     {%- endif %}
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 6c26783ae..5fa4fa7b7 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -655,6 +655,7 @@ if (whiptail_you_sure) ; then
       echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
       checkin_at_boot >> $SETUPLOG 2>&1
       echo -e "XX\n97\nFinishing touches... \nXXX"
+      salt-call state.apply auth >> $SETUPLOG 2>&1
       filter_unused_nics >> $SETUPLOG 2>&1
       network_setup >> $SETUPLOG 2>&1
       echo -e "XXX\n98\nVerifying Setup... \nXXX"

From eea08f35153b4d13857d91e493870a51ebb45163 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Fri, 20 Dec 2019 01:24:20 +0000
Subject: [PATCH 020/188] add back helix

---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 1fdfc68e1..4706e4c5a 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -67,7 +67,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log

From 124c552fca2e979c54caeb45d3a55891ca014e16 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Fri, 20 Dec 2019 15:49:22 +0000
Subject: [PATCH 021/188] remove Cyberchef from top file since it is now in
 so-core

---
 salt/top.sls | 2 --
 1 file changed, 2 deletions(-)

diff --git a/salt/top.sls b/salt/top.sls
index 265214216..8e8b286cf 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -58,7 +58,6 @@ base:
     - suricata
     - bro
     - curator
-    - cyberchef
     - elastalert
     {%- if OSQUERY != 0 %}
     - fleet
@@ -85,7 +84,6 @@ base:
     - ca
     - ssl
     - common
-    - cyberchef
     - sensoroni
     - firewall
     - master

From ed28be4ba9f4f37b407fc6d801cc6da2fdad5bee Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 20 Dec 2019 11:32:55 -0500
Subject: [PATCH 022/188] rename logstash config for storage to search -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/176

---
 .../conf/{conf.enabled.txt.storage => conf.enabled.txt.search}    | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/logstash/conf/{conf.enabled.txt.storage => conf.enabled.txt.search} (100%)

diff --git a/salt/logstash/conf/conf.enabled.txt.storage b/salt/logstash/conf/conf.enabled.txt.search
similarity index 100%
rename from salt/logstash/conf/conf.enabled.txt.storage
rename to salt/logstash/conf/conf.enabled.txt.search

From beb12663f5c0a05c9092a7ef68ea3cd2f82e8e50 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 20 Dec 2019 13:10:53 -0500
Subject: [PATCH 023/188] more so-restart scripts

---
 salt/common/tools/sbin/so-curator-restart     | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-elastalert-restart  | 20 +++++++++++++++++++
 .../tools/sbin/so-elasticsearch-restart       | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-fleet-restart       | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-grafana-restart     | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-kibana-restart      | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-mysql-restart       | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-redis-restart       | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-restart             |  1 -
 salt/common/tools/sbin/so-zeek-restart        | 20 +++++++++++++++++++
 10 files changed, 180 insertions(+), 1 deletion(-)
 create mode 100644 salt/common/tools/sbin/so-curator-restart
 create mode 100644 salt/common/tools/sbin/so-elastalert-restart
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-restart
 create mode 100644 salt/common/tools/sbin/so-fleet-restart
 create mode 100644 salt/common/tools/sbin/so-grafana-restart
 create mode 100644 salt/common/tools/sbin/so-kibana-restart
 create mode 100644 salt/common/tools/sbin/so-mysql-restart
 create mode 100644 salt/common/tools/sbin/so-redis-restart
 create mode 100644 salt/common/tools/sbin/so-zeek-restart

diff --git a/salt/common/tools/sbin/so-curator-restart b/salt/common/tools/sbin/so-curator-restart
new file mode 100644
index 000000000..043f04b7d
--- /dev/null
+++ b/salt/common/tools/sbin/so-curator-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart curator $1
diff --git a/salt/common/tools/sbin/so-elastalert-restart b/salt/common/tools/sbin/so-elastalert-restart
new file mode 100644
index 000000000..46e66ec40
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastalert-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elastalert $1
diff --git a/salt/common/tools/sbin/so-elasticsearch-restart b/salt/common/tools/sbin/so-elasticsearch-restart
new file mode 100644
index 000000000..e13a89ba8
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elasticsearch $1
diff --git a/salt/common/tools/sbin/so-fleet-restart b/salt/common/tools/sbin/so-fleet-restart
new file mode 100644
index 000000000..264e9f8a7
--- /dev/null
+++ b/salt/common/tools/sbin/so-fleet-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart fleet $1
diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart
new file mode 100644
index 000000000..52ebbacda
--- /dev/null
+++ b/salt/common/tools/sbin/so-grafana-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart grafana $1
diff --git a/salt/common/tools/sbin/so-kibana-restart b/salt/common/tools/sbin/so-kibana-restart
new file mode 100644
index 000000000..0349348cb
--- /dev/null
+++ b/salt/common/tools/sbin/so-kibana-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart kibana $1
diff --git a/salt/common/tools/sbin/so-mysql-restart b/salt/common/tools/sbin/so-mysql-restart
new file mode 100644
index 000000000..1fcb885a4
--- /dev/null
+++ b/salt/common/tools/sbin/so-mysql-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart mysql $1
diff --git a/salt/common/tools/sbin/so-redis-restart b/salt/common/tools/sbin/so-redis-restart
new file mode 100644
index 000000000..b1e1293b8
--- /dev/null
+++ b/salt/common/tools/sbin/so-redis-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart redis $1
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index e07fd5010..0bf5b7736 100644
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -31,6 +31,5 @@ fi
 
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
-   "fleet") docker stop so-fleet so-redis && docker rm so-fleet so-redis && salt-call state.apply fleet queue=True;;
    *) docker stop so-$1 && docker rm so-$1 && salt-call state.apply $1 queue=True;;
 esac
diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart
new file mode 100644
index 000000000..29c50f27a
--- /dev/null
+++ b/salt/common/tools/sbin/so-zeek-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart bro $1

From 2feb14503c6fcb0c07472472791cb5cc21529f27 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 20 Dec 2019 14:40:08 -0500
Subject: [PATCH 024/188] changes for
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/157

---
 pillar/top.sls     |  11 ++-
 setup/functions.sh | 197 +++++++++++++++++++++------------------------
 setup/whiptail.sh  |   6 +-
 3 files changed, 99 insertions(+), 115 deletions(-)

diff --git a/pillar/top.sls b/pillar/top.sls
index 17bf33e02..d8c519eac 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -3,20 +3,20 @@ base:
     - patch.needs_restarting
 
   'G@role:so-sensor':
-    - sensors.{{ grains.id }}
+    - minions.{{ grains.id }}
     - static
     - firewall.*
     - brologs
 
   'G@role:so-master':
-    - masters.{{ grains.id }}
+    - minions.{{ grains.id }}
     - static
     - firewall.*
     - data.*
     - auth
 
   'G@role:so-eval':
-    - masters.{{ grains.id }}
+    - minions.{{ grains.id }}
     - static
     - firewall.*
     - data.*
@@ -24,13 +24,12 @@ base:
     - auth
 
   'G@role:so-node':
-    - nodes.{{ grains.id }}
+    - minions.{{ grains.id }}
     - static
     - firewall.*
 
   'G@role:so-helix':
-    - masters.{{ grains.id }}
-    - sensors.{{ grains.id }}
+    - minions.{{ grains.id }}
     - static
     - firewall.*
     - fireeye
diff --git a/setup/functions.sh b/setup/functions.sh
index 6ebcd7a89..474f26863 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -270,9 +270,9 @@ copy_minion_tmp_files() {
 
   if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
     echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
-    cp -Rv $TMP/pillar/ /opt/so/saltstack/pillar/ >> $SETUPLOG 2>&1
+    cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
     if [ -d $TMP/salt ] ; then
-      cp -Rv $TMP/salt/ /opt/so/saltstack/salt/ >> $SETUPLOG 2>&1
+      cp -Rv $TMP/salt/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
     fi
   else
     echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
@@ -545,7 +545,8 @@ got_root() {
 
 install_cleanup() {
 
-  echo "install_cleanup called" >> $SETUPLOG 2>&1
+  echo "install_cleanup removing the following files:"
+  ls -lR $TMP 
 
   # Clean up after ourselves
   rm -rf /root/installtmp
@@ -556,6 +557,8 @@ install_prep() {
 
   # Create a tmp space that isn't in /tmp
   mkdir /root/installtmp
+  mkdir /root/installtmp/pillar
+  mkdir /root/installtmp/pillar/minions
   TMP=/root/installtmp
 
 }
@@ -595,47 +598,50 @@ ls_heapsize() {
 
 master_pillar() {
 
+  PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
+
   # Create the master pillar
-  touch /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "master:" > /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  mainint: $MAININT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
+  echo "master:" > $PILLARFILE
+  echo "  mainip: $MAINIP" >> $PILLARFILE
+  echo "  mainint: $MAININT" >> $PILLARFILE
+  echo "  esheap: $ES_HEAP_SIZE" >> $PILLARFILE
+  echo "  esclustername: {{ grains.host }}" >> $PILLARFILE
   if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
-    echo "  freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-    echo "  domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-    echo "  ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-    echo "  ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-    echo "  ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-    echo "  mtu: 1500" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
+    echo "  freq: 0" >> $PILLARFILE
+    echo "  domainstats: 0" >> $PILLARFILE
+    echo "  ls_pipeline_batch_size: 125" >> $PILLARFILE
+    echo "  ls_input_threads: 1" >> $PILLARFILE
+    echo "  ls_batch_count: 125" >> $PILLARFILE
+    echo "  mtu: 1500" >> $PILLARFILE
 
   else
-    echo "  freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-    echo "  domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
+    echo "  freq: 0" >> $PILLARFILE
+    echo "  domainstats: 0" >> $PILLARFILE
   fi
   if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
-    echo "  lsheap: 1000m" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
+    echo "  lsheap: 1000m" >> $PILLARFILE
   else
-    echo "  lsheap: $LS_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
+    echo "  lsheap: $LS_HEAP_SIZE" >> $PILLARFILE
   fi
-  echo "  lsaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  elastalert: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  #echo "  access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  #echo "  access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  es_port: $NODE_ES_PORT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  log_size_limit: $LOG_SIZE_LIMIT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  #echo "  mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  #echo "  fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
-  echo "  playbook: $PLAYBOOK" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
+  echo "  lsaccessip: 127.0.0.1" >> $PILLARFILE
+  echo "  elastalert: 1" >> $PILLARFILE
+  echo "  ls_pipeline_workers: $CPUCORES" >> $PILLARFILE
+  echo "  nids_rules: $RULESETUP" >> $PILLARFILE
+  echo "  oinkcode: $OINKCODE" >> $PILLARFILE
+  #echo "  access_key: $ACCESS_KEY" >> $PILLARFILE
+  #echo "  access_secret: $ACCESS_SECRET" >> $PILLARFILE
+  echo "  es_port: $NODE_ES_PORT" >> $PILLARFILE
+  echo "  log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
+  echo "  cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
+  #echo "  mysqlpass: $MYSQLPASS" >> $PILLARFILE
+  #echo "  fleetpass: $FLEETPASS" >> $PILLARFILE
+  echo "  grafana: $GRAFANA" >> $PILLARFILE
+  echo "  osquery: $OSQUERY" >> $PILLARFILE
+  echo "  wazuh: $WAZUH" >> $PILLARFILE
+  echo "  thehive: $THEHIVE" >> $PILLARFILE
+  echo "  playbook: $PLAYBOOK" >> $PILLARFILE
+  echo "" >> $PILLARFILE
+
   }
 
 master_static() {
@@ -695,53 +701,39 @@ network_setup() {
 
 node_pillar() {
 
-  NODEPILLARPATH=$TMP/pillar/nodes
-  if [ ! -d $NODEPILLARPATH ]; then
-    mkdir -p $NODEPILLARPATH
-  fi
+  PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
 
   # Create the node pillar
-  touch $NODEPILLARPATH/$MINION_ID.sls
-  echo "node:" > $NODEPILLARPATH/$MINION_ID.sls
-  echo "  mainip: $MAINIP" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  mainint: $MAININT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  esheap: $NODE_ES_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  esclustername: {{ grains.host }}" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  lsheap: $NODE_LS_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_pipeline_workers: $LSPIPELINEWORKERS" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_input_threads: $LSINPUTTHREADS" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  ls_batch_count: $LSINPUTBATCHCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  es_shard_count: $SHARDCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  node_type: $NODETYPE" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  es_port: $NODE_ES_PORT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  log_size_limit: $LOG_SIZE_LIMIT" >> $NODEPILLARPATH/$MINION_ID.sls
-  echo "  cur_close_days: $CURCLOSEDAYS" >> $NODEPILLARPATH/$MINION_ID.sls
+  echo "node:" > $PILLARFILE
+  echo "  mainip: $MAINIP" >> $PILLARFILE
+  echo "  mainint: $MAININT" >> $PILLARFILE
+  echo "  esheap: $NODE_ES_HEAP_SIZE" >> $PILLARFILE
+  echo "  esclustername: {{ grains.host }}" >> $PILLARFILE
+  echo "  lsheap: $NODE_LS_HEAP_SIZE" >> $PILLARFILE
+  echo "  ls_pipeline_workers: $LSPIPELINEWORKERS" >> $PILLARFILE
+  echo "  ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $PILLARFILE
+  echo "  ls_input_threads: $LSINPUTTHREADS" >> $PILLARFILE
+  echo "  ls_batch_count: $LSINPUTBATCHCOUNT" >> $PILLARFILE
+  echo "  es_shard_count: $SHARDCOUNT" >> $PILLARFILE
+  echo "  node_type: $NODETYPE" >> $PILLARFILE
+  echo "  es_port: $NODE_ES_PORT" >> $PILLARFILE
+  echo "  log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
+  echo "  cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
+  echo "" >> $PILLARFILE
 
 }
 
 patch_pillar() {
 
-  case $INSTALLTYPE in
-    MASTERONLY | EVALMODE | HELIXSENSOR)
-      PATCHPILLARPATH=/opt/so/saltstack/pillar/masters
-      ;;
-    SENSORONLY)
-      PATCHPILLARPATH=$SENSORPILLARPATH
-      ;;
-    SEARCHNODE | PARSINGNODE | HOTNODE | WARMNODE)
-      PATCHPILLARPATH=$NODEPILLARPATH
-      ;;
-  esac
-
-
-  echo "" >> $PATCHPILLARPATH/$MINION_ID.sls
-  echo "patch:" >> $PATCHPILLARPATH/$MINION_ID.sls
-  echo "  os:" >> $PATCHPILLARPATH/$MINION_ID.sls
-  echo "    schedule_name: $PATCHSCHEDULENAME" >> $PATCHPILLARPATH/$MINION_ID.sls
-  echo "    enabled: True" >> $PATCHPILLARPATH/$MINION_ID.sls
-  echo "    splay: 300" >> $PATCHPILLARPATH/$MINION_ID.sls
+  PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
 
+  echo "" >> $PILLARFILE
+  echo "patch:" >> $PILLARFILE
+  echo "  os:" >> $PILLARFILE
+  echo "    schedule_name: $PATCHSCHEDULENAME" >> $PILLARFILE
+  echo "    enabled: True" >> $PILLARFILE
+  echo "    splay: 300" >> $PILLARFILE
+  echo "" >> $PILLARFILE
 
 }
 
@@ -1105,51 +1097,44 @@ salt_install_mysql_deps() {
 }
 
 sensor_pillar() {
-  if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
-    SENSORPILLARPATH=/opt/so/saltstack/pillar/sensors
-    mkdir -p $TMP
-    mkdir -p $SENSORPILLARPATH
-  else
-    SENSORPILLARPATH=$TMP/pillar/sensors
-  fi
-  if [ ! -d $SENSORPILLARPATH ]; then
-    mkdir -p $SENSORPILLARPATH
-  fi
+
+  PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
 
   # Create the sensor pillar
-  touch $SENSORPILLARPATH/$MINION_ID.sls
-  echo "sensor:" > $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  interface: bond0" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  mainip: $MAINIP" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  mainint: $MAININT" >> $SENSORPILLARPATH/$MINION_ID.sls
+  touch $PILLARFILE
+  echo "sensor:" > $PILLARFILE
+  echo "  interface: bond0" >> $PILLARFILE
+  echo "  mainip: $MAINIP" >> $PILLARFILE
+  echo "  mainint: $MAININT" >> $PILLARFILE
   if [ $NSMSETUP == 'ADVANCED' ]; then
-    echo "  bro_pins:" >> $SENSORPILLARPATH/$MINION_ID.sls
+    echo "  bro_pins:" >> $PILLARFILE
     for PIN in $BROPINS; do
       PIN=$(echo $PIN |  cut -d\" -f2)
-    echo "    - $PIN" >> $SENSORPILLARPATH/$MINION_ID.sls
+    echo "    - $PIN" >> $PILLARFILE
     done
-    echo "  suripins:" >> $SENSORPILLARPATH/$MINION_ID.sls
+    echo "  suripins:" >> $PILLARFILE
     for SPIN in $SURIPINS; do
       SPIN=$(echo $SPIN |  cut -d\" -f2)
-    echo "    - $SPIN" >> $SENSORPILLARPATH/$MINION_ID.sls
+    echo "    - $SPIN" >> $PILLARFILE
     done
   elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
-    echo "  bro_lbprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls
-    echo "  suriprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls
+    echo "  bro_lbprocs: $LBPROCS" >> $PILLARFILE
+    echo "  suriprocs: $LBPROCS" >> $PILLARFILE
   else
-    echo "  bro_lbprocs: $BASICBRO" >> $SENSORPILLARPATH/$MINION_ID.sls
-    echo "  suriprocs: $BASICSURI" >> $SENSORPILLARPATH/$MINION_ID.sls
+    echo "  bro_lbprocs: $BASICBRO" >> $PILLARFILE
+    echo "  suriprocs: $BASICSURI" >> $PILLARFILE
   fi
-  echo "  brobpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  pcapbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  nidsbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  master: $MSRV" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  mtu: $MTU" >> $SENSORPILLARPATH/$MINION_ID.sls
+  echo "  brobpf:" >> $PILLARFILE
+  echo "  pcapbpf:" >> $PILLARFILE
+  echo "  nidsbpf:" >> $PILLARFILE
+  echo "  master: $MSRV" >> $PILLARFILE
+  echo "  mtu: $MTU" >> $PILLARFILE
   if [ $HNSENSOR != 'inherit' ]; then
-  echo "  hnsensor: $HNSENSOR" >> $SENSORPILLARPATH/$MINION_ID.sls
+  echo "  hnsensor: $HNSENSOR" >> $PILLARFILE
   fi
-  echo "  access_key: $ACCESS_KEY" >> $SENSORPILLARPATH/$MINION_ID.sls
-  echo "  access_secret: $ACCESS_SECRET" >>  $SENSORPILLARPATH/$MINION_ID.sls
+  echo "  access_key: $ACCESS_KEY" >> $PILLARFILE
+  echo "  access_secret: $ACCESS_SECRET" >>  $PILLARFILE
+  echo "" >> $PILLARFILE
 
 }
 
diff --git a/setup/whiptail.sh b/setup/whiptail.sh
index 2d48e890c..a3bee17ea 100644
--- a/setup/whiptail.sh
+++ b/setup/whiptail.sh
@@ -90,7 +90,7 @@ whiptail_cancel() {
   whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75
   if [ -d "/root/installtmp" ]; then
     echo "/root/installtmp exists" >> $SETUPLOG 2>&1
-    install_cleanup
+    install_cleanup >> $SETUPLOG 2>&1
     echo "/root/installtmp removed" >> $SETUPLOG 2>&1
   fi
   exit
@@ -685,14 +685,14 @@ whiptail_set_hostname() {
 whiptail_setup_complete() {
 
   whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75
-  install_cleanup
+  install_cleanup >> $SETUPLOG 2>&1
 
 }
 
 whiptail_setup_failed() {
 
   whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 75
-  install_cleanup
+  install_cleanup >> $SETUPLOG 2>&1
 
 }
 

From ac800782f7d79f97763d7daf69d47089b509e2bd Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Fri, 20 Dec 2019 15:34:23 -0500
Subject: [PATCH 025/188] [BUG] Remove unneeded dir from auth salt file

Auth no longer needs a volume mount, so remove its directory
---
 salt/auth/init.sls | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index 45254e177..ce9eda44f 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -1,18 +1,3 @@
-authdir:
-    file.directory:
-        - name: /opt/so/conf/auth
-        - user: 939
-        - group: 939
-        - makedirs: True
-
-authfilesync:
-    file.recurse:
-        - name: /opt/so/conf/auth
-        - source: salt://auth/files
-        - user: 939
-        - group: 939
-        - template: jinja
-
 so-auth-api-image:
     cmd.run:
         - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3

From 1b8bb8e761668ce0a026f6902b84bd31c467be1c Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 20 Dec 2019 16:02:20 -0500
Subject: [PATCH 026/188] fix writing to PILLARFILE

---
 setup/functions.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 474f26863..b102b531d 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -601,7 +601,7 @@ master_pillar() {
   PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
 
   # Create the master pillar
-  echo "master:" > $PILLARFILE
+  echo "master:" >> $PILLARFILE
   echo "  mainip: $MAINIP" >> $PILLARFILE
   echo "  mainint: $MAININT" >> $PILLARFILE
   echo "  esheap: $ES_HEAP_SIZE" >> $PILLARFILE
@@ -704,7 +704,7 @@ node_pillar() {
   PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
 
   # Create the node pillar
-  echo "node:" > $PILLARFILE
+  echo "node:" >> $PILLARFILE
   echo "  mainip: $MAINIP" >> $PILLARFILE
   echo "  mainint: $MAININT" >> $PILLARFILE
   echo "  esheap: $NODE_ES_HEAP_SIZE" >> $PILLARFILE
@@ -1102,7 +1102,7 @@ sensor_pillar() {
 
   # Create the sensor pillar
   touch $PILLARFILE
-  echo "sensor:" > $PILLARFILE
+  echo "sensor:" >> $PILLARFILE
   echo "  interface: bond0" >> $PILLARFILE
   echo "  mainip: $MAINIP" >> $PILLARFILE
   echo "  mainint: $MAININT" >> $PILLARFILE

From ffc116085e343e2da9bbd47b480db1b527d62baf Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 30 Dec 2019 17:32:54 +0000
Subject: [PATCH 027/188] add auth log path for Centos

---
 salt/wazuh/files/agent/ossec.conf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 5b02910f9..192e21abc 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -179,12 +179,17 @@
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
-
+%- if grains['os'] == 'Ubuntu' %}
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
   </localfile>
-
+{%- else %}
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/secure</location>
+  </localfile>
+{%- endif %}
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/syslog</location>

From df722c173f940ffb1a780002e0a449d61508eca1 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 30 Dec 2019 17:47:00 +0000
Subject: [PATCH 028/188] fix typo and prevent agent from getting re-added

---
 salt/wazuh/files/agent/ossec.conf           | 2 +-
 salt/wazuh/files/agent/wazuh-register-agent | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 192e21abc..2a7fe6d6b 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -179,7 +179,7 @@
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
-%- if grains['os'] == 'Ubuntu' %}
+{%- if grains['os'] == 'Ubuntu' %}
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index 4197a5334..12ab7dc8a 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -31,6 +31,7 @@ USER="foo"
 PASSWORD="bar"
 AGENT_NAME=$(hostname)
 AGENT_IP="{{ip}}"
+AGENT_ID=001
 
 display_help() {
 cat <<HELP_USAGE
@@ -135,5 +136,10 @@ shift $(($OPTIND - 1))
 
 # Default action -> try to register the agent
 sleep 10s
-register_agent
+STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
+if [[ $STATUS == "Active" ]]; then 
+  echo "Agent $AGENT_ID already registered!"
+else
+  register_agent
+fi
 #remove_agent

From f597b9f4e5b8c4482d0b4f2be0d7804d6040a992 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 30 Dec 2019 19:04:54 +0000
Subject: [PATCH 029/188] add AR whitelist for Wazuh

---
 salt/common/tools/sbin/so-allow | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 1685e386a..5802427fe 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -40,3 +40,21 @@ fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+                  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi

From bc533bef249b190a75efa70947cea2ad57fa8211 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 30 Dec 2019 21:10:56 +0000
Subject: [PATCH 030/188] update TheHiveAlerter module

---
 salt/elastalert/files/modules/so/thehive.py | 131 ++++++++++++--------
 1 file changed, 77 insertions(+), 54 deletions(-)

diff --git a/salt/elastalert/files/modules/so/thehive.py b/salt/elastalert/files/modules/so/thehive.py
index 42b6f9e1d..af18b412e 100644
--- a/salt/elastalert/files/modules/so/thehive.py
+++ b/salt/elastalert/files/modules/so/thehive.py
@@ -1,84 +1,107 @@
 # -*- coding: utf-8 -*-
-from __future__ import unicode_literals
+# HiveAlerter modified from original at: https://raw.githubusercontent.com/Nclose-ZA/elastalert_hive_alerter/master/elastalert_hive_alerter/hive_alerter.py
+
 import uuid
-import re
 
 from elastalert.alerts import Alerter
 from thehive4py.api import TheHiveApi
 from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
 
+
 class TheHiveAlerter(Alerter):
     """
     Use matched data to create alerts containing observables in an instance of TheHive
-    This is a modified version for use with Security Onion
     """
 
     required_options = set(['hive_connection', 'hive_alert_config'])
 
-    def alert(self, matches):
+    def get_aggregation_summary_text(self, matches):
+        text = super(TheHiveAlerter, self).get_aggregation_summary_text(matches)
+        if text:
+            text = '```\n{0}```\n'.format(text)
+        return text
 
+    def create_artifacts(self, match):
+        artifacts = []
+        context = {'rule': self.rule, 'match': match}
+        for mapping in self.rule.get('hive_observable_data_mapping', []):
+            for observable_type, match_data_key in mapping.items():
+                try:
+                    artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
+                except KeyError as e:
+                    print(('format string {} fail cause no key {} in {}'.format(e, match_data_key, context)))
+        return artifacts
+
+    def create_alert_config(self, match):
+        context = {'rule': self.rule, 'match': match}
+        alert_config = {
+            'artifacts': self.create_artifacts(match),
+            'sourceRef': str(uuid.uuid4())[0:6],
+            'title': '{rule[name]}'.format(**context)
+        }
+
+        alert_config.update(self.rule.get('hive_alert_config', {}))
+
+        for alert_config_field, alert_config_value in alert_config.items():
+            if alert_config_field == 'customFields':
+                custom_fields = CustomFieldHelper()
+                for cf_key, cf_value in alert_config_value.items():
+                    try:
+                        func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
+                    except AttributeError:
+                        raise Exception('unsupported custom field type {}'.format(cf_value['type']))
+                    value = cf_value['value'].format(**context)
+                    func(cf_key, value)
+                alert_config[alert_config_field] = custom_fields.build()
+            elif isinstance(alert_config_value, str):
+                alert_config[alert_config_field] = alert_config_value.format(**context)
+            elif isinstance(alert_config_value, (list, tuple)):
+                formatted_list = []
+                for element in alert_config_value:
+                    try:
+                        formatted_list.append(element.format(**context))
+                    except (AttributeError, KeyError, IndexError):
+                        formatted_list.append(element)
+                alert_config[alert_config_field] = formatted_list
+
+        return alert_config
+
+    def send_to_thehive(self, alert_config):
         connection_details = self.rule['hive_connection']
-
         api = TheHiveApi(
-            connection_details.get('hive_host'),
+            connection_details.get('hive_host', ''),
             connection_details.get('hive_apikey', ''),
             proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
             cert=connection_details.get('hive_verify', False))
 
-        for match in matches:
-            context = {'rule': self.rule, 'match': match}
+        alert = Alert(**alert_config)
+        response = api.create_alert(alert)
 
+        if response.status_code != 201:
+            raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
+
+    def alert(self, matches):
+        if self.rule.get('hive_alert_config_type', 'custom') != 'classic':
+            for match in matches:
+                alert_config = self.create_alert_config(match)
+                self.send_to_thehive(alert_config)
+        else:
+            alert_config = self.create_alert_config(matches[0])
             artifacts = []
-            for mapping in self.rule.get('hive_observable_data_mapping', []):
-                for observable_type, match_data_key in mapping.items():
-                    try:
-                        match_data_keys = re.findall(r'\{match\[([^\]]*)\]', match_data_key)
-                        rule_data_keys = re.findall(r'\{rule\[([^\]]*)\]', match_data_key)
-                        data_keys = match_data_keys + rule_data_keys
-                        context_keys = list(context['match'].keys()) + list(context['rule'].keys())
-                        if all([True if k in context_keys else False for k in data_keys]):
-                            artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
-                    except KeyError:
-                        raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context))
+            for match in matches:
+                artifacts += self.create_artifacts(match)
+                if 'related_events' in match:
+                    for related_event in match['related_events']:
+                        artifacts += self.create_artifacts(related_event)
 
-            alert_config = {
-                'artifacts': artifacts,
-                'sourceRef': str(uuid.uuid4())[0:6],
-                'title': '{rule[index]}_{rule[name]}'.format(**context)
-            }
-            alert_config.update(self.rule.get('hive_alert_config', {}))
-
-            for alert_config_field, alert_config_value in alert_config.items():
-                if alert_config_field == 'customFields':
-                    custom_fields = CustomFieldHelper()
-                    for cf_key, cf_value in alert_config_value.items():
-                        try:
-                            func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
-                        except AttributeError:
-                            raise Exception('unsupported custom field type {}'.format(cf_value['type']))
-                        value = cf_value['value'].format(**context)
-                        func(cf_key, value)
-                    alert_config[alert_config_field] = custom_fields.build()
-                elif isinstance(alert_config_value, str):
-                    alert_config[alert_config_field] = alert_config_value.format(**context)
-                elif isinstance(alert_config_value, (list, tuple)):
-                    formatted_list = []
-                    for element in alert_config_value:
-                        try:
-                            formatted_list.append(element.format(**context))
-                        except (AttributeError, KeyError, IndexError):
-                            formatted_list.append(element)
-                    alert_config[alert_config_field] = formatted_list
-
-            alert = Alert(**alert_config)
-            response = api.create_alert(alert)
-
-            if response.status_code != 201:
-                raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
+            alert_config['artifacts'] = artifacts
+            alert_config['title'] = self.create_title(matches)
+            alert_config['description'] = self.create_alert_body(matches)
+            self.send_to_thehive(alert_config)
 
     def get_info(self):
 
         return {
             'type': 'hivealerter',
             'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '')
-       } 
+        }

From c7e98f17e14c3656e451fe94a0d16720dd7e9d37 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 31 Dec 2019 17:19:57 -0500
Subject: [PATCH 031/188] Add volume binding to so-auth-api

---
 salt/auth/init.sls | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index ce9eda44f..0d82f6cb9 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -1,3 +1,10 @@
+so-auth-api-dir:
+  file.directory:
+    - name: /opt/so/conf/auth/api
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 so-auth-api-image:
     cmd.run:
         - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3
@@ -15,6 +22,8 @@ so-auth-api:
         - name: so-auth-api
         - environment:
             - BASE_PATH: "/so-auth/api"
+        - binds:
+            - /opt/so/conf/auth/api:/data
         - port_bindings:
             - 0.0.0.0:5656:5656
 

From c4f57f09eefe47a8c859ef5894d170ef2f3fb5a0 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 2 Jan 2020 15:13:46 +0000
Subject: [PATCH 032/188] add Zeek clean script

---
 salt/bro/cron/zeek_clean | 34 ++++++++++++++++++++++++++++++++++
 salt/bro/init.sls        | 15 +++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 salt/bro/cron/zeek_clean

diff --git a/salt/bro/cron/zeek_clean b/salt/bro/cron/zeek_clean
new file mode 100644
index 000000000..9e3bc86dd
--- /dev/null
+++ b/salt/bro/cron/zeek_clean
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
+
+clean () {
+
+SENSOR_DIR='/nsm'
+CRIT_DISK_USAGE=90
+CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+LOG="/nsm/bro/logs/zeek_clean.log"
+
+if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
+    while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
+        do
+                TODAY=$(date -u "+%Y-%m-%d")
+
+                # find the oldest Zeek logs directory and exclude today
+                OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | sort | grep -v $TODAY | head -n 1)
+                if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
+                then
+                        echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
+                        exit 0
+                else
+                        echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
+                        rm -rf /nsm/bro/logs/"$OLDEST_DIR"
+                fi
+
+
+    done
+else
+  echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
+fi
+}
+
+clean
diff --git a/salt/bro/init.sls b/salt/bro/init.sls
index 422e7fbf9..6a972cbe7 100644
--- a/salt/bro/init.sls
+++ b/salt/bro/init.sls
@@ -79,6 +79,21 @@ plcronscript:
     - source: salt://bro/cron/packetloss.sh
     - mode: 755
 
+zeekcleanscript:
+  file.managed:
+    - name: /usr/local/bin/zeek_clean
+    - source: salt://bro/cron/zeek_clean
+    - mode: 755
+
+/usr/local/bin/zeek_clean:
+  cron.present:
+    - user: root
+    - minute: '*'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
 /usr/local/bin/packetloss.sh:
   cron.present:
     - user: root

From 566d3ed2805d726e95eac8406754e61b471a6248 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 2 Jan 2020 15:20:34 +0000
Subject: [PATCH 033/188] revise message text

---
 salt/bro/cron/zeek_clean | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/bro/cron/zeek_clean b/salt/bro/cron/zeek_clean
index 9e3bc86dd..1594b7752 100644
--- a/salt/bro/cron/zeek_clean
+++ b/salt/bro/cron/zeek_clean
@@ -27,7 +27,7 @@ if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
 
     done
 else
-  echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
+  echo "$(date) - Current usage of $CUR_USAGE% not greater than the CRIT_DISK_VALUE of $CRIT_DISK_USAGE%..." >> $LOG
 fi
 }
 

From 82f1d5718a674b82eddb828d57a0b999867ebcf7 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 2 Jan 2020 15:39:38 +0000
Subject: [PATCH 034/188] add exclusion for Zeek clean log and extracted file
 mgmt

---
 salt/bro/cron/zeek_clean | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/salt/bro/cron/zeek_clean b/salt/bro/cron/zeek_clean
index 1594b7752..918d68a66 100644
--- a/salt/bro/cron/zeek_clean
+++ b/salt/bro/cron/zeek_clean
@@ -14,7 +14,7 @@ if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
                 TODAY=$(date -u "+%Y-%m-%d")
 
                 # find the oldest Zeek logs directory and exclude today
-                OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | sort | grep -v $TODAY | head -n 1)
+                OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1)
                 if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
                 then
                         echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
@@ -24,10 +24,24 @@ if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
                         rm -rf /nsm/bro/logs/"$OLDEST_DIR"
                 fi
 
-
+                # find oldest files in extracted directory and exclude today
+                OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
+                if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
+                then
+                        echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG
+                else
+                        OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
+                        OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
+                        echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
+                        find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
+                        do
+                                echo "$(date) - Removing extracted file: $FILE" >> $LOG
+                                rm -f "$FILE"
+                        done
+                fi
     done
 else
-  echo "$(date) - Current usage of $CUR_USAGE% not greater than the CRIT_DISK_VALUE of $CRIT_DISK_USAGE%..." >> $LOG
+  echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
 fi
 }
 

From 82abdedb029eb8af5ef6649a8ec5d882f73370e5 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 2 Jan 2020 15:55:52 +0000
Subject: [PATCH 035/188] add license

---
 salt/bro/cron/zeek_clean | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/salt/bro/cron/zeek_clean b/salt/bro/cron/zeek_clean
index 918d68a66..af47611bc 100644
--- a/salt/bro/cron/zeek_clean
+++ b/salt/bro/cron/zeek_clean
@@ -1,6 +1,21 @@
 #!/bin/bash
 # Delete Zeek Logs based on defined CRIT_DISK_USAGE value
 
+# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 clean () {
 
 SENSOR_DIR='/nsm'

From 5a772e4f1ca0be3585bdc02a8782bbdeffb75a3f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Thu, 2 Jan 2020 11:43:28 -0500
Subject: [PATCH 036/188] Break out FS & DS into their own states

---
 salt/domainstats/init.sls   | 51 ++++++++++++++++++++
 salt/elasticsearch/init.sls | 92 +------------------------------------
 salt/freqserver/init.sls    | 52 +++++++++++++++++++++
 salt/top.sls                | 17 ++++++-
 4 files changed, 119 insertions(+), 93 deletions(-)
 create mode 100644 salt/domainstats/init.sls
 create mode 100644 salt/freqserver/init.sls

diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls
new file mode 100644
index 000000000..01e673764
--- /dev/null
+++ b/salt/domainstats/init.sls
@@ -0,0 +1,51 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Create the group
+dstatsgroup:
+  group.present:
+    - name: domainstats
+    - gid: 936
+
+# Add user
+domainstats:
+  user.present:
+    - uid: 936
+    - gid: 936
+    - home: /opt/so/conf/domainstats
+    - createhome: False
+
+# Create the log directory
+dstatslogdir:
+  file.directory:
+    - name: /opt/so/log/domainstats
+    - user: 936
+    - group: 939
+    - makedirs: True
+
+so-domainstatsimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
+
+so-domainstats:
+  docker_container.running:
+    - require:
+      - so-domainstatsimage
+    - image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
+    - hostname: domainstats
+    - name: so-domainstats
+    - user: domainstats
+    - binds:
+      - /opt/so/log/domainstats:/var/log/domain_stats
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 6036d5da8..4c5d3e644 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -16,22 +16,16 @@
 
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
-{% set freq = salt['pillar.get']('master:freq', '0') %}
-{% set dstats = salt['pillar.get']('master:dstats', '0') %}
 
 {% elif grains['role'] == 'so-eval' %}
 
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
-{% set freq = salt['pillar.get']('master:freq', '0') %}
-{% set dstats = salt['pillar.get']('master:dstats', '0') %}
 
 {% elif grains['role'] == 'so-node' %}
 
 {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
 {% set esheap = salt['pillar.get']('node:esheap', '') %}
-{% set freq = salt['pillar.get']('node:freq', '0') %}
-{% set dstats = salt['pillar.get']('node:dstats', '0') %}
 
 {% endif %}
 
@@ -150,87 +144,3 @@ so-elasticsearch-pipelines:
 # Tell the main cluster I am here
 #curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
 
-# See if Freqserver is enabled
-{% if freq == 1 %}
-
-# Create the user
-fservergroup:
-  group.present:
-    - name: freqserver
-    - gid: 935
-
-# Add ES user
-freqserver:
-  user.present:
-    - uid: 935
-    - gid: 935
-    - home: /opt/so/conf/freqserver
-    - createhome: False
-
-# Create the log directory
-freqlogdir:
-  file.directory:
-    - name: /opt/so/log/freq_server
-    - user: 935
-    - group: 935
-    - makedirs: True
-
-so-freqimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
-
-so-freq:
-  docker_container.running:
-    - require:
-      - so-freqimage
-    - image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
-    - hostname: freqserver
-    - name: so-freqserver
-    - user: freqserver
-    - binds:
-      - /opt/so/log/freq_server:/var/log/freq_server:rw
-
-
-{% endif %}
-
-{% if dstats == 1 %}
-
-# Create the group
-dstatsgroup:
-  group.present:
-    - name: domainstats
-    - gid: 936
-
-# Add user
-domainstats:
-  user.present:
-    - uid: 936
-    - gid: 936
-    - home: /opt/so/conf/domainstats
-    - createhome: False
-
-# Create the log directory
-dstatslogdir:
-  file.directory:
-    - name: /opt/so/log/domainstats
-    - user: 936
-    - group: 939
-    - makedirs: True
-
-so-domainstatsimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
-
-so-domainstats:
-  docker_container.running:
-    - require:
-      - so-domainstatsimage
-    - image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
-    - hostname: domainstats
-    - name: so-domainstats
-    - user: domainstats
-    - binds:
-      - /opt/so/log/domainstats:/var/log/domain_stats
-
-
-{% endif %}
diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls
new file mode 100644
index 000000000..783d11b6a
--- /dev/null
+++ b/salt/freqserver/init.sls
@@ -0,0 +1,52 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Create the user
+fservergroup:
+  group.present:
+    - name: freqserver
+    - gid: 935
+
+# Add ES user
+freqserver:
+  user.present:
+    - uid: 935
+    - gid: 935
+    - home: /opt/so/conf/freqserver
+    - createhome: False
+
+# Create the log directory
+freqlogdir:
+  file.directory:
+    - name: /opt/so/log/freq_server
+    - user: 935
+    - group: 935
+    - makedirs: True
+
+so-freqimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
+
+so-freq:
+  docker_container.running:
+    - require:
+      - so-freqimage
+    - image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
+    - hostname: freqserver
+    - name: so-freqserver
+    - user: freqserver
+    - binds:
+      - /opt/so/log/freq_server:/var/log/freq_server:rw
+
diff --git a/salt/top.sls b/salt/top.sls
index 8e8b286cf..b6bd14bd7 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -4,6 +4,9 @@
 {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
+{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
+{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
+
 base:
   '*':
     - patch.os.schedule
@@ -77,7 +80,12 @@ base:
     {%- if PLAYBOOK != 0 %}
     - playbook
     {%- endif %}
-
+    {%- if FREQSERVER != 0 %}
+    - freqserver
+    {%- endif %}
+    {%- if DOMAINSTATS != 0 %}
+    - domainstats
+    {%- endif %}
 
 
   'G@role:so-master':
@@ -113,7 +121,12 @@ base:
     {%- if PLAYBOOK != 0 %}
     - playbook
     {%- endif %}
-
+    {%- if FREQSERVER != 0 %}
+    - freqserver
+    {%- endif %}
+    {%- if DOMAINSTATS != 0 %}
+    - domainstats
+    {%- endif %}
 
   # Search node logic
 

From 4b23d333ef6e89d15a6ec333da4f8a737e14c73f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Thu, 2 Jan 2020 12:29:56 -0500
Subject: [PATCH 037/188] so-stop scripts - initial commit

---
 salt/common/tools/sbin/so-cortex-stop        | 20 +++++++++++++
 salt/common/tools/sbin/so-curator-stop       | 20 +++++++++++++
 salt/common/tools/sbin/so-elastalert-stop    | 20 +++++++++++++
 salt/common/tools/sbin/so-elasticsearch-stop | 20 +++++++++++++
 salt/common/tools/sbin/so-filebeat-stop      | 31 +++++++++++---------
 salt/common/tools/sbin/so-fleet-stop         | 20 +++++++++++++
 salt/common/tools/sbin/so-grafana-stop       | 20 +++++++++++++
 salt/common/tools/sbin/so-kibana-stop        | 20 +++++++++++++
 salt/common/tools/sbin/so-logstash-stop      | 20 +++++++++++++
 salt/common/tools/sbin/so-mysql-stop         | 20 +++++++++++++
 salt/common/tools/sbin/so-playbook-stop      | 20 +++++++++++++
 salt/common/tools/sbin/so-redis-stop         | 20 +++++++++++++
 salt/common/tools/sbin/so-soctopus-stop      | 20 +++++++++++++
 salt/common/tools/sbin/so-stop               | 27 +++++++++++++++++
 salt/common/tools/sbin/so-thehive-stop       | 20 +++++++++++++
 salt/common/tools/sbin/so-zeek-stop          | 20 +++++++++++++
 16 files changed, 324 insertions(+), 14 deletions(-)
 create mode 100644 salt/common/tools/sbin/so-cortex-stop
 create mode 100644 salt/common/tools/sbin/so-curator-stop
 create mode 100644 salt/common/tools/sbin/so-elastalert-stop
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-stop
 create mode 100644 salt/common/tools/sbin/so-fleet-stop
 create mode 100644 salt/common/tools/sbin/so-grafana-stop
 create mode 100644 salt/common/tools/sbin/so-kibana-stop
 create mode 100644 salt/common/tools/sbin/so-logstash-stop
 create mode 100644 salt/common/tools/sbin/so-mysql-stop
 create mode 100644 salt/common/tools/sbin/so-playbook-stop
 create mode 100644 salt/common/tools/sbin/so-redis-stop
 create mode 100644 salt/common/tools/sbin/so-soctopus-stop
 create mode 100644 salt/common/tools/sbin/so-stop
 create mode 100644 salt/common/tools/sbin/so-thehive-stop
 create mode 100644 salt/common/tools/sbin/so-zeek-stop

diff --git a/salt/common/tools/sbin/so-cortex-stop b/salt/common/tools/sbin/so-cortex-stop
new file mode 100644
index 000000000..727b2c7fa
--- /dev/null
+++ b/salt/common/tools/sbin/so-cortex-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop cortex $1
diff --git a/salt/common/tools/sbin/so-curator-stop b/salt/common/tools/sbin/so-curator-stop
new file mode 100644
index 000000000..9aab50c8c
--- /dev/null
+++ b/salt/common/tools/sbin/so-curator-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop curator $1
diff --git a/salt/common/tools/sbin/so-elastalert-stop b/salt/common/tools/sbin/so-elastalert-stop
new file mode 100644
index 000000000..731312e8c
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastalert-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elastalert $1
diff --git a/salt/common/tools/sbin/so-elasticsearch-stop b/salt/common/tools/sbin/so-elasticsearch-stop
new file mode 100644
index 000000000..9d03a64ae
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elasticsearch $1
diff --git a/salt/common/tools/sbin/so-filebeat-stop b/salt/common/tools/sbin/so-filebeat-stop
index 3b7419db7..7a5e2f28e 100644
--- a/salt/common/tools/sbin/so-filebeat-stop
+++ b/salt/common/tools/sbin/so-filebeat-stop
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop filebeat $1
diff --git a/salt/common/tools/sbin/so-fleet-stop b/salt/common/tools/sbin/so-fleet-stop
new file mode 100644
index 000000000..d22df4704
--- /dev/null
+++ b/salt/common/tools/sbin/so-fleet-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop fleet $1
diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop
new file mode 100644
index 000000000..bb0a19545
--- /dev/null
+++ b/salt/common/tools/sbin/so-grafana-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop grafana $1
diff --git a/salt/common/tools/sbin/so-kibana-stop b/salt/common/tools/sbin/so-kibana-stop
new file mode 100644
index 000000000..007ee54d4
--- /dev/null
+++ b/salt/common/tools/sbin/so-kibana-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop kibana $1
diff --git a/salt/common/tools/sbin/so-logstash-stop b/salt/common/tools/sbin/so-logstash-stop
new file mode 100644
index 000000000..528216ca3
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop logstash $1
diff --git a/salt/common/tools/sbin/so-mysql-stop b/salt/common/tools/sbin/so-mysql-stop
new file mode 100644
index 000000000..998a48ac0
--- /dev/null
+++ b/salt/common/tools/sbin/so-mysql-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop mysql $1
diff --git a/salt/common/tools/sbin/so-playbook-stop b/salt/common/tools/sbin/so-playbook-stop
new file mode 100644
index 000000000..a1ebd7503
--- /dev/null
+++ b/salt/common/tools/sbin/so-playbook-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop playbook $1
diff --git a/salt/common/tools/sbin/so-redis-stop b/salt/common/tools/sbin/so-redis-stop
new file mode 100644
index 000000000..34577814c
--- /dev/null
+++ b/salt/common/tools/sbin/so-redis-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop redis $1
diff --git a/salt/common/tools/sbin/so-soctopus-stop b/salt/common/tools/sbin/so-soctopus-stop
new file mode 100644
index 000000000..f38eecc08
--- /dev/null
+++ b/salt/common/tools/sbin/so-soctopus-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop soctopus $1
diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop
new file mode 100644
index 000000000..6fb369826
--- /dev/null
+++ b/salt/common/tools/sbin/so-stop
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-stop  filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping $1\n"
+echo $banner
+
+docker stop so-$1
+
diff --git a/salt/common/tools/sbin/so-thehive-stop b/salt/common/tools/sbin/so-thehive-stop
new file mode 100644
index 000000000..6c56e0473
--- /dev/null
+++ b/salt/common/tools/sbin/so-thehive-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop thehive $1
diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop
new file mode 100644
index 000000000..1e39a2c49
--- /dev/null
+++ b/salt/common/tools/sbin/so-zeek-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop bro $1

From 3d436037e273a64a6c92883e133fb3762c5d4b8d Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Thu, 2 Jan 2020 15:58:15 -0500
Subject: [PATCH 038/188] SO Scripts - start|stop|restart

---
 salt/common/tools/sbin/so-cortex-start        | 20 ++++++++++
 salt/common/tools/sbin/so-curator-start       | 20 ++++++++++
 salt/common/tools/sbin/so-elastalert-start    | 20 ++++++++++
 salt/common/tools/sbin/so-elasticsearch-start | 20 ++++++++++
 salt/common/tools/sbin/so-filebeat-start      | 31 +++++++++-------
 salt/common/tools/sbin/so-fleet-start         | 20 ++++++++++
 salt/common/tools/sbin/so-grafana-start       | 20 ++++++++++
 salt/common/tools/sbin/so-kibana-start        | 20 ++++++++++
 salt/common/tools/sbin/so-logstash-start      | 20 ++++++++++
 salt/common/tools/sbin/so-mysql-start         | 20 ++++++++++
 salt/common/tools/sbin/so-playbook-start      | 20 ++++++++++
 salt/common/tools/sbin/so-redis-start         | 20 ++++++++++
 salt/common/tools/sbin/so-restart             |  4 +-
 salt/common/tools/sbin/so-soctopus-start      | 20 ++++++++++
 salt/common/tools/sbin/so-start               | 37 ++++++++++++++++++-
 salt/common/tools/sbin/so-stop                |  4 +-
 salt/common/tools/sbin/so-thehive-start       | 20 ++++++++++
 salt/common/tools/sbin/so-wazuh-start         |  2 +-
 salt/common/tools/sbin/so-zeek-start          | 20 ++++++++++
 19 files changed, 338 insertions(+), 20 deletions(-)
 create mode 100644 salt/common/tools/sbin/so-cortex-start
 create mode 100644 salt/common/tools/sbin/so-curator-start
 create mode 100644 salt/common/tools/sbin/so-elastalert-start
 create mode 100644 salt/common/tools/sbin/so-elasticsearch-start
 create mode 100644 salt/common/tools/sbin/so-fleet-start
 create mode 100644 salt/common/tools/sbin/so-grafana-start
 create mode 100644 salt/common/tools/sbin/so-kibana-start
 create mode 100644 salt/common/tools/sbin/so-logstash-start
 create mode 100644 salt/common/tools/sbin/so-mysql-start
 create mode 100644 salt/common/tools/sbin/so-playbook-start
 create mode 100644 salt/common/tools/sbin/so-redis-start
 create mode 100644 salt/common/tools/sbin/so-soctopus-start
 create mode 100644 salt/common/tools/sbin/so-thehive-start
 create mode 100644 salt/common/tools/sbin/so-zeek-start

diff --git a/salt/common/tools/sbin/so-cortex-start b/salt/common/tools/sbin/so-cortex-start
new file mode 100644
index 000000000..db383e2e8
--- /dev/null
+++ b/salt/common/tools/sbin/so-cortex-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start cortex $1
diff --git a/salt/common/tools/sbin/so-curator-start b/salt/common/tools/sbin/so-curator-start
new file mode 100644
index 000000000..676da0d2e
--- /dev/null
+++ b/salt/common/tools/sbin/so-curator-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start curator $1
diff --git a/salt/common/tools/sbin/so-elastalert-start b/salt/common/tools/sbin/so-elastalert-start
new file mode 100644
index 000000000..7101eec15
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastalert-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elastalert $1
diff --git a/salt/common/tools/sbin/so-elasticsearch-start b/salt/common/tools/sbin/so-elasticsearch-start
new file mode 100644
index 000000000..76a3baac6
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elasticsearch $1
diff --git a/salt/common/tools/sbin/so-filebeat-start b/salt/common/tools/sbin/so-filebeat-start
index e5ce6ed88..e15c2e5e9 100644
--- a/salt/common/tools/sbin/so-filebeat-start
+++ b/salt/common/tools/sbin/so-filebeat-start
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-filebeat && salt-call state.apply filebeat
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start filebeat $1
diff --git a/salt/common/tools/sbin/so-fleet-start b/salt/common/tools/sbin/so-fleet-start
new file mode 100644
index 000000000..06133ef58
--- /dev/null
+++ b/salt/common/tools/sbin/so-fleet-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start fleet $1
diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start
new file mode 100644
index 000000000..660d1d31b
--- /dev/null
+++ b/salt/common/tools/sbin/so-grafana-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start grafana $1
diff --git a/salt/common/tools/sbin/so-kibana-start b/salt/common/tools/sbin/so-kibana-start
new file mode 100644
index 000000000..edf7ec61f
--- /dev/null
+++ b/salt/common/tools/sbin/so-kibana-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start kibana $1
diff --git a/salt/common/tools/sbin/so-logstash-start b/salt/common/tools/sbin/so-logstash-start
new file mode 100644
index 000000000..cd2e168f4
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start logstash $1
diff --git a/salt/common/tools/sbin/so-mysql-start b/salt/common/tools/sbin/so-mysql-start
new file mode 100644
index 000000000..1a02b7658
--- /dev/null
+++ b/salt/common/tools/sbin/so-mysql-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start mysql $1
diff --git a/salt/common/tools/sbin/so-playbook-start b/salt/common/tools/sbin/so-playbook-start
new file mode 100644
index 000000000..34ddf18aa
--- /dev/null
+++ b/salt/common/tools/sbin/so-playbook-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start playbook $1
diff --git a/salt/common/tools/sbin/so-redis-start b/salt/common/tools/sbin/so-redis-start
new file mode 100644
index 000000000..3ef2d3c01
--- /dev/null
+++ b/salt/common/tools/sbin/so-redis-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start redis $1
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index 0bf5b7736..968b7233a 100644
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -20,7 +20,7 @@
 . /usr/sbin/so-common
 
 echo $banner
-printf "Restarting $1\n"
+printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
 echo $banner
 
 if [ "$2" = "--force" ]
@@ -31,5 +31,5 @@ fi
 
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
-   *) docker stop so-$1 && docker rm so-$1 && salt-call state.apply $1 queue=True;;
+   *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac
diff --git a/salt/common/tools/sbin/so-soctopus-start b/salt/common/tools/sbin/so-soctopus-start
new file mode 100644
index 000000000..e0d2a2a35
--- /dev/null
+++ b/salt/common/tools/sbin/so-soctopus-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start soctopus $1
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
index 8ad0326db..70b8d6aed 100644
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -1 +1,36 @@
-sudo salt-call state.highstate
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-start  all | filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+echo $banner
+
+if [ "$2" = "--force" ]
+then
+   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   salt-call saltutil.kill_all_jobs
+fi
+
+
+case $1 in
+   "all") salt-call state.highstate queue=True;;
+   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
+esac
diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop
index 6fb369826..108424bb9 100644
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -20,8 +20,8 @@
 . /usr/sbin/so-common
 
 echo $banner
-printf "Stopping $1\n"
+printf "Stopping $1...\n"
 echo $banner
 
-docker stop so-$1
+docker stop so-$1 ; docker rm so-$1
 
diff --git a/salt/common/tools/sbin/so-thehive-start b/salt/common/tools/sbin/so-thehive-start
new file mode 100644
index 000000000..17ec7bfaa
--- /dev/null
+++ b/salt/common/tools/sbin/so-thehive-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start thehive $1
diff --git a/salt/common/tools/sbin/so-wazuh-start b/salt/common/tools/sbin/so-wazuh-start
index 195287314..dd64354c7 100644
--- a/salt/common/tools/sbin/so-wazuh-start
+++ b/salt/common/tools/sbin/so-wazuh-start
@@ -14,4 +14,4 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-wazuh && salt-call state.apply wazuh
+docker stop so-wazuh
diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start
new file mode 100644
index 000000000..ccd475bb6
--- /dev/null
+++ b/salt/common/tools/sbin/so-zeek-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start bro $1

From 7415ed8dd080ba68067986e9f9931e72f2cbc0d5 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 3 Jan 2020 13:31:19 -0500
Subject: [PATCH 039/188] manage threshold.conf with Salt -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/127

---
 pillar/thresholding/pillar.example       | 44 ++++++++++++++++++++++++
 pillar/thresholding/pillar.usage         | 20 +++++++++++
 salt/suricata/files/threshold.conf.jinja | 32 +++++++++++++++++
 salt/suricata/init.sls                   | 10 ++++++
 4 files changed, 106 insertions(+)
 create mode 100644 pillar/thresholding/pillar.example
 create mode 100644 pillar/thresholding/pillar.usage
 create mode 100644 salt/suricata/files/threshold.conf.jinja

diff --git a/pillar/thresholding/pillar.example b/pillar/thresholding/pillar.example
new file mode 100644
index 000000000..705cb606c
--- /dev/null
+++ b/pillar/thresholding/pillar.example
@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24
diff --git a/pillar/thresholding/pillar.usage b/pillar/thresholding/pillar.usage
new file mode 100644
index 000000000..1626433b1
--- /dev/null
+++ b/pillar/thresholding/pillar.usage
@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>
diff --git a/salt/suricata/files/threshold.conf.jinja b/salt/suricata/files/threshold.conf.jinja
new file mode 100644
index 000000000..6c40f6cb9
--- /dev/null
+++ b/salt/suricata/files/threshold.conf.jinja
@@ -0,0 +1,32 @@
+{% set THRESHOLDING  = salt['pillar.get']('thresholding', {}) -%}
+
+{% if THRESHOLDING %}
+{%- for EACH_SID in THRESHOLDING.sids %}
+  {%- for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] %}
+    {% for EACH_ACTION in ACTIONS_LIST %}
+      
+      {% if EACH_ACTION == 'threshold' %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
+      
+      {% elif EACH_ACTION == 'rate_filter' %}
+        {% if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+        {% else %}
+##### Security Onion does not support drop or reject actions for rate_filter
+#####{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+        {% endif %}
+      
+      {% elif EACH_ACTION == 'suppress' %}
+        {% if ACTIONS_LIST[EACH_ACTION].track is defined %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
+        {% else %}
+{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
+        {% endif %}
+      
+      {% endif %}
+    {% endfor -%}
+  {% endfor -%}
+{% endfor -%}
+{% else %}
+
+{% endif %}
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a30010d5e..ac876212c 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -70,6 +70,14 @@ suriconfigsync:
     - group: 940
     - template: jinja
 
+surithresholding:
+  file.managed:
+    - name: /opt/so/conf/suricata/threshold.conf
+    - source: salt://suricata/files/threshold.conf.jinja
+    - user: 940
+    - group: 940
+    - template: jinja
+
 so-suricataimage:
  cmd.run:
    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
@@ -84,9 +92,11 @@ so-suricata:
       - INTERFACE={{ interface }}
     - binds:
       - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
+      - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
     - network_mode: host
     - watch:
       - file: /opt/so/conf/suricata/suricata.yaml
+      - file: surithresholding
       - file: /opt/so/conf/suricata/rules/

From 4dc667d8051bb3dee07258447103973590f90fa5 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 3 Jan 2020 14:50:32 -0500
Subject: [PATCH 040/188] change threshold.conf template -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/127

---
 salt/suricata/files/threshold.conf.jinja | 50 +++++++++++++-----------
 1 file changed, 27 insertions(+), 23 deletions(-)

diff --git a/salt/suricata/files/threshold.conf.jinja b/salt/suricata/files/threshold.conf.jinja
index 6c40f6cb9..45642404a 100644
--- a/salt/suricata/files/threshold.conf.jinja
+++ b/salt/suricata/files/threshold.conf.jinja
@@ -1,32 +1,36 @@
 {% set THRESHOLDING  = salt['pillar.get']('thresholding', {}) -%}
 
-{% if THRESHOLDING %}
-{%- for EACH_SID in THRESHOLDING.sids %}
-  {%- for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] %}
-    {% for EACH_ACTION in ACTIONS_LIST %}
-      
-      {% if EACH_ACTION == 'threshold' %}
+{% if THRESHOLDING -%}
+  
+  {% for EACH_SID in THRESHOLDING.sids -%}
+    {% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%}
+      {% for EACH_ACTION in ACTIONS_LIST -%}
+        
+        {%- if EACH_ACTION == 'threshold' %}
 {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
-      
-      {% elif EACH_ACTION == 'rate_filter' %}
-        {% if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
+        
+        {%- elif EACH_ACTION == 'rate_filter' %}
+          {%- if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
 {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
-        {% else %}
+          {%- else %}
 ##### Security Onion does not support drop or reject actions for rate_filter
-#####{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
-        {% endif %}
-      
-      {% elif EACH_ACTION == 'suppress' %}
-        {% if ACTIONS_LIST[EACH_ACTION].track is defined %}
+##### {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
+          {%- endif %}
+        
+        {%- elif EACH_ACTION == 'suppress' %}
+          {%- if ACTIONS_LIST[EACH_ACTION].track is defined %}
 {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
-        {% else %}
+          {%- else %}
 {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
-        {% endif %}
+          {%- endif %}
+        
+        {%- endif %}
       
-      {% endif %}
-    {% endfor -%}
-  {% endfor -%}
-{% endfor -%}
-{% else %}
+      {%- endfor %}
+    {%- endfor %}
+  {%- endfor %}
 
-{% endif %}
+{%- else %}
+##### The thresholding pillar has not been defined
+
+{%- endif %}

From a646c1123f3d0121ce52d9b951c69e79bd7faf7f Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Fri, 3 Jan 2020 21:31:40 +0000
Subject: [PATCH 041/188] fix typo

---
 salt/tcpreplay/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls
index a6cc62c32..3050b97f5 100644
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -7,7 +7,7 @@ so-tcpreplayimage:
 so-tcpreplay:
   docker_container.running:
     - require:
-      - so-tcpreplay
+      - so-tcpreplayimage
     - network_mode: "host"
     - image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
     - name: so-tcpreplay

From 5ce5a46292e5a8bd5c0cf78e370cee83eae5595e Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Sun, 5 Jan 2020 21:25:01 -0500
Subject: [PATCH 042/188] Playbook - redmine.db schema changes

---
 salt/playbook/files/redmine.db | Bin 2207744 -> 2207744 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/salt/playbook/files/redmine.db b/salt/playbook/files/redmine.db
index 7d84b5856cd5da11e7431b3bebcefaa6443b4fa1..52f171833057343cb6df144bf88c5ba79b1dd785 100644
GIT binary patch
literal 2207744
zcmeF431A!5nfOPyM$*ifgv1F+$iy6uli1dMaf-wwhLD6DTm_V|G_pl>7-^KmKmkoy
zN?o8Vr3F$56ew3IP?`eEQrcxHWm&dmyDV*47J5*Ywj3>`Kq>$B|Gjymv1BO@p-G6-
z&y&pizIVUhJ7z|2=Djs1FV8Bnm?@U>k|G9}HpXOPjul0QIc1Px%(EEAq%aI~D#&+&
zX@&o_KT}QEu?cbXc;hzk;1(V;gYl^FqVRvh&xPlOr-dhk$Ak}rXN7l!H-(3H90$4}
z0VIF~kN^@u0!RP}AOR$R1dsp{KmyE->NKFRzIp+ivsHLzXKq%HfODq07|sVC38#~*
z<WYV40Gt@+PIWz;zpAc+^XJtb@@#GrK7ccGI5mife@FlcAOR$R1dsp{Kmter2_OL^
zfCP}hena3=)lMemO~PxWNcU4?zbPFS1PLGkB!C2v01`j~NB{{S0VIF~kig#~f%~Rf
zy3BsB5B~W=zF@%T^)iohK*A*4&%i(YLjp(u2_OL^fCP{L5<mh-00|%gB!C3=5dter
zwnOG65^`Z<wp1+S<$^L?DyAzbC0i`OgMF;q8|wB)MZY)h4aWWco>(Xl@dbD6;(~IS
zgx@pp5C4z=5<mh-00|%gB!C2v01`j~NB{{Sf&GO5Z#jgm`}Kem7BeRPa)!U0yLEpl
zB9;RQAOR$R1dsp{Kmter2_OL^fCTn!0@a{dVAxrm33I5*v222ywW?G+M@}hHMJdAa
z^f1NUGd$vpd87W2FAxa(y~zfb*~csLW~Fy?_wa}^R4jCtQ>E;%5(#<-<g^@41!Qm9
z?~nQAOf=%nNU2mfmX2j)KY1BG=#xQ>rc$Y3BpphH!CS`X3x{I<0G&IJcKbu3FAxvJ
z;y!;*07AqdeP68C8wIG}-nYR{kULJek70$ijPM6omp>!?Ncg<)72$m0TVREMNB{{S
z0VIF~kN^@u0!RP}AOR$R1dzZ41lm~3VWw<;xL8t>u(@8oY@TYdEHudlX&@)3lX-Yw
zKPQ(RQyi9sY_?pk$jOqN(|+D4x7i?QUd|85rDUlHzHA=5WsYf+JTO!&ZYVp2?=W_T
zaXKyS?56C7Y#DMfbzDxSS}mQHRHY0*nItz#xr$t7ZrJWJTV|S+;s&`;&bm#OIm{+W
zNe#)RGWq@=HvPjtB!C2v01`j~NB{{S0VIF~kN^@u0!Uy#Ccrrt!Y>G~GJ?!M&xg3r
zdv5e}y038k-gPGXJr*1s!}kBMK4d-Ia;5n_vvab7Q0LB=&UDY2rp|@mJDe<Qa?W8{
zXLT{xPkw$`to>MWd{)k-SLLLU0r;gQmn|#Z-QBKkv2U{?mkLr2#QuUIri%G|_ogho
zV=_|C7YpEM*bG#%IVIa*1xqxf>b>Np+$O0c*IN}8_%){9Vz{^oex4bUb2%4R%LC*{
zoL8z0jPwpk<)L^2R(;qguc-`^Uz+0aWngz|RvGFqq_dffT!OVB5~-A2F1sqFTyj`a
zNbcieXQxX}XO*NP4JOOVNKV$Qs=2v9sB2oaS0}{68#rwB<R(IkrLrt00LaLBkiRib
z>q@zDN-89?#pD`UDy4?RZZSK&C=D;}WDAQ(eiuPDpoEM2R<D(mRZ_VOnP0ME4fxYN
zWzJ0(7G;NBQ}<Lk;TNyehU7qTv#WaG!PA)T!)7vdrFB;Ono7GSJ6MpEN=X*`mz0%K
zwlFy5<7SS$o0QBHOYkBSG><`z`uK{ePMZVS>NK+Dgi2_Yt$yvtMRAP+c`MU=9k569
z#m|O(%{1~w8b_;qk?vCi)wU-ybenq?G}rEF-#e_<p-FR9r!`ezV(r?)7oRAul~Y57
z?70<rtii5@^-q1!9*ODK&46wObu*-!Vcm@AW>hz0)bx3EQ;*N5$LG`I^Xc*V^!R*w
zd_FxspB|r2kI%2i=hx%&>+$*Z`22c&emy?F9-m*2&#%Yl*W(N5@dfnw0(yJ_J-&b*
zUqFv9pvM=`;|u8V1@!oWdVE1WzMvjoP>(OD#~0M&3+nL&_4tB%d_g_FkRD%1k1wRh
z7t-Sk>G6g1_(FPoAw9kj#0SgRoL&_Vf@az~jrMA%i8j+yn;ON+VY#IJ-Y(_D6-7lZ
zlfG%)ZS6HvfkB&`lAE$=Whe=qqF7O&!}~g2)#yyf;;d<M!@$$xLPS^f8EdX^u}K#<
zm7$^KvW3cKFr@+v|JhQ7*cHprwo4-}{^J&6{7BT|5&;)~ZJ(gYdK2(b^Ih$2hbn5H
zcIr;5Xt}%*uFl4dLaw+8Dk2ZyDtQowvV%ilz$>UqHU+m2o;_GI)dQz#Io?^jhpQP}
zeW0zoKW=84E@Bh5^(hBHwrW=mr^z|3^;IKLf!B3Q^fG2%3%zl-<qqz3#y9Nh%r?l>
zJY$TYm)PbpVzsQ@Lc#qLDYI+0Wod`Nyf8Sl3y?Rs1<+dFj>oUQHR8#nyOW&R_k7M^
z*iv}N*wm@D+a(HZPSe18a{rQSL18~`mYV9S=z^<!`?Tsh00P%{eL!y>EmxM(a%rq9
zl7Y5c?DT8rfOZaQ=a6;|Yv+h|j%w$acJ@IPKrkN-?W4hcG`x>S;DZ>PyQ_FD#@Om1
z&blsBD{x<A{Bz1OxOcAIXgNM^ewsRSi|#@a6198&wQ_zKW~s@YaP?pZ<Z|Io+v#e#
zT*)c)X`u`QB{WytZp-WrI}*9ddhC$FcI|!@#vFD>_p58O3e2%<_w~CiUo9Y3XP6;7
zb9c&X<pBBG0f-Y)mfe=4iAX`m!ukJ?dS`(CkN^@u0!RP}AOR$R1dsp{Kmter2~1J~
zobVDeO*ox=|Nmp*S>fM=+l8Bi>x6$4wg{ub1wutA2(Jr|3ttxoh4sSe!aob!g<pYr
z`XntbW*Z400VIF~kN^@u0!RP}AOR$R1dzb)C19IlF`4GrZL`6cZMV%LhSk;%#!Rbi
zIv6vowrOCrTWwRom}a$2C5GMB2F3wan*c_e)y9J%SZy2_yw!FP7&Gj)xnRt-+71Te
zV5@B=7_+Q4Cm2qv%>jnPYO{l3w+bIH{8+JUGr;m7tIZ6C*$Vcslz@$oG55Rv3X1t4
z;ZMTb!f%CFg#Q(u7k(%_CH#x<i11C}9^tFPHsM;~D&ez&3Tp!@LLOEMObVw7CkrQd
z4i-W}kI*TI!c1X`;1;Z&U-NJAukk<UU*P|Xe}?}a{}}%ee?Na0e+&O*{u=%Y{!;!T
zelveAe-5AG&*Z}VQvO)p&oAT;<>&Czd4YHGChi0758UhAueg`EA9K%g|HeJe{WG_n
z`#N_!cN2FV_mA8tw}rcat8fKwkXz54&aLK7<d$$palPDpZXS0KH<j~nHqT!??|FXb
z`Gx0yJkNRl!}Fx)JD!I<-|*b+xz%%n=Zl^zJ)iMh>>2TtJR3Y|&sm;RJS#oRJPA+S
z6YwnZ9Oh~Fw0T&M+5KntJMK5!ueyKY{!jPQ?tgVZ>i(AdUiTgDo88yDuXcaVeTn<i
z?v3uEd&n)h&v37CFL(F3k9J4gUU!$f!#&G=pqq2sU4M1ITsz?F3jG+X8<da$5<mh-
z00|%gB!C3=5CQkgj02+94fty4L-pZLgYjqe;ZK3_f%<SC7=Kb94uf%>`tS@eu2mm~
zAg2FO9~uDTY4xEK!T2}zp+#Ukr9LzTjPI)t4ukQe`rw&hd{2FFB^Xbr5Bk7(RDJLe
zFdkGNw1M%@>bEw4@re4Z<zW1i`YjU6!|J!Dfw58Dei0ZIb$bzvvbud87{luJBfu!C
z+es`1b^8HeY*4qu9lR;4elr8cIqEl01LFeqn{hDCSHDT(98teX0{lh&Cs-oPv|0To
zJPMd@RUbG9j9b(PNEvQdAMk?lRrLWVgL$U<4Jd<ohWZVN%sgHFMi5H<hI->{(59*1
zm;=Uv>iq>UrmFV?Eb|og{^P(nK)oN*Gq<VtLmAA1df$a$@alb8FgW!-5}8N6kL2uP
z^}fTw_<!ns9xw*gdpCiRQSV(3hOFMZ42-mTFUfpLy_e*AK>hj%7?S$+v%y%eetj_*
zN%iZHCDYmJ*Uey@rQSn$o~hn*5*VLS?}1#KmZ<j-o{QD5oeM@n{o2W3MAU7h{*G0@
zb`%)Ls9z%>k5=y{DFoHKNhSj7-6w$ISMOd3hF86t)NQYNmjXtQdRGdJx$0e{iXT&N
zodL!a^)6T`-85Cb%Lm56>Rq$In4{iBYI?SM=VmZwsCS+L#&q@0C14z>-bq^45$c^J
z_zLw7fMq&Ky<-rJ6V*FNvpGS%BLK!S^$t>hOVvBzyKB?&>g@zpPQ9I!;eGY?RbafQ
z-cEqLtKNPX7=Ki6ZwKQY^{eND@dx#*G8k{GUnPy`_v%-V2IF_?S4o_2sb3{{-c)ZR
zWq(7xO#<U}^)}KbeyiR_it?Z8Z3lz#ta=*@#t+q7Nd|wQ-bz3|uHM?uuh9AtX#b+#
z+6TsW)LZB9@76zWg5|f>TS&L~mU_#nU~E@!Nr3T9^%j!d2h>|gEBJ=`l`<Ijs9#Bf
z(XW1mcv+-=<xnsds9zDl=u&Scjds3zGhyAS-c0K6F!kp7U>vI6OxpD!>P>`ohk6rX
zJx{%fa1qs;y1@vkH<4K4>P@65QFYrU;mC3M46ECq?9BV>wg?#SsoUm(@vgef4aOhU
z8_xyf59*Dp!FXG}@klV<Qg4K2+87J-x_UziEPt!skOJd3>J3Z5__cZi@MK<7Z-5GC
z{!jffR1Wj1`empb=2z;Mp~9J8s$Yf*XMUl6xebh;sav7vFwd)7fi?3Zb!#UW&#GIA
z+Yi<20T%O&dOh%D{$0JEWcMlcdJ&8#)$3hgd{4bD2gVcXb<jeXe^sx8{=hu0UI!hI
z`4{y%6Byr7uZ1SeJf>c|oV@>UbB-|lLeDDC9QV&b#6Ki}1dsp{Kmter3G5jHm&!IL
z!<yz?VM^FfrOO*1qma)r<Kp5REFdE;h9!2SLRwq~AC4AFBb=+Ot#%R@<;}2sLpBe~
z+ekUim6qu?Pp~;uEhJfrhlCuWA;oNgu9+Zi8p^`DG}*FPDa&aQ)?yLU@RfG~7POH!
zN@cRWl*qYC#)sc=&LzShe9NyW!{vBy?;xzMQyJ)i_<Kuo8dkfJN+YRauLMgiXH(r^
z)vd@<zIPy39O%tU@V#qEcPsa<_4$HfdhQvK@{sYys9{kUDYc;|pH)h7Pq8%EtJGF3
zsfFcSu-O%SCm$DAN$|yLYJ+$jtRV#JM*{=+EH^IF?Wh91{vhYd6$i`3N+~7lWq=ik
z(v=jfL7^=kL8w9eWJ4|8eS<u*saQ&vb(Q9=vy>MX48Y1gNu6XT&9&|d87zt&9pcdw
zc}hu&*qfF&_7-40j3%#un?y$b;KS=&LF_JP>by^oxKgSVAZ{5#cz2loAtcrc)UP5g
z>tD0>`2OX6ouYV%2s8?^s1(JFl!MA2E|y`DhK(|iq<PVD1I-MURWbsu=|7|IC~qTy
zS_A7&>Gr82ti7aR6>CH}mzIc;hS8|j6*d%#n+i}@WF3jPwqOM3f>oJnl>jSz&_<y*
z(xl!<YfVRYRY=P+HYp2>zGyrch<hVF(MTZR^~J3Y=w^o<mat3daz-kroBlV34TR&~
zV2?lO3rC|q3kf?F!X^@l`k;+L{NZ@e*AoZ@gW>3w(_ob_)-><ZlokjofGp^+e*Jop
zwt6Wi!&+4wd}p7Q2P%W(`tK60S(e3BWbvytWbrEz*3N)M)5T1wn1>Zlp!3VAib57r
z7Y9Z}STsxA2+L4GLl*PdGAwS98X|b|GW3)*pogWn<dT-0wmymuUz1_+E3%%GZY7G;
zgE${*qX6r+r{f(#ueU=?tXKl01F?c$CiV0c2D1hE6q;s_Udi$K{+<P55dMdH7Icvy
zV=bvJ?6P8686PqL0XP?|?ILf6&I!F%f&SJ#AWKTQdjaPvNO|blV>r4gj&6dZTPk$-
z892K2n7dEXIV8QDYq*px!U7~CFgTEbtp*<e!5T8K?oC_-Ps+$Jq#+exh=qDGs#e?X
zE*Ok^Lp>pHI2;abS#2U!JB?H=Su+PKl{ARSSgF2vDB1)4I~4VjUkq%*YmD%r@E*+m
zzX2ltAps<S1dsp{Kmter2_OL^fCP{L5<mizlz`R3nr!4`B_|6xnJpGr7!k_D@>ko0
zmxKp}F9<o|SYZnP693Qq)swWKm~AA01dsp{Kmter2_OL^fCP{L5||_eI$0NUh{@Rt
z@9Hy4$g45MVe+n*c`dy1)mKnTBigoS@KVD(r;C}%);yMBr>-V1eus-W!sP5GanUWH
z;Qa~MZY)*NULPZG>X?`4+G2Q{Xb@gBTV!`JK9+`ASC-)&v3l?0eb2YKn7JlrC!{c|
zKTmdlfoN>nb`7iamoLapFz~tr!yICT3{$`D>q>)AC~K2PKf}zkxR`0Ww`CC4(&Q;{
zn3=@HYN@UuTZ-k(4W8hQAqjR~U__IPnaXOpo4LHWslgBIR|B~s&;Ja3Spd)f-ytIY
zAps<S1dsp{Kmter2_OL^fCP{L5<mj`9|7|IzxMnO@Bi<ArNa^-0VIF~kN^@u0!RP}
zAOR$R1dsp{KmvpS$Nw8+@tneN3%EbR3iziW6(oQJkN^@u0!RP}AOR$R1dzb45vZOF
zs}7pB%w;)8cXzidUMMEZaxRlB6qRfyE2raPr?1l$Cku7LThQfX8CF^(Yw?LvIpvCP
zl1hbSv5<siKsSPI5>{}OHX4Bxd9wlwUrNbLu>cENc0xS)k>s#6C?|8$NU@^CVFAFL
zoYBl~Snac1k;_t<ydN&7VWmzPoJ;Upb%T3JCW}4F>46b&H{yeZBT2SknY{Bq?W!&_
z!D@(G1eTkqNIS@i_^GpuWQp85iTI#YP?Y3(#bO>->~raA9?Cfcc?j<|VAYdhVMncc
z>=Tt`QdJME>`&Ih$G=@8P<#J>*FvFhB!C2v01`j~NB{{S0VIF~kN^@u0!Uyo5#X%<
z%J7yq8R1f4F<;`lxF5R@cjehLoU<JNYQNv}51uZ|o8XLpNB{{;dIHteM>^W)%rU8(
zv@LWtk^ORDE1Q~m%;MF3iM4&=+Qf0o`^1i#b%!{=Bb)AkeY9YO6j%^t)$0C}601)a
zPwYEgOsreGvVR4HJE?EQT5-in_`h!X@<n=JvQJNv>@U+HZj?%?A=uVyN#F5_b<5Yn
z@Aj>I*C$l->#g?+dv}#!dmbY@UGA4nZ%q1{*`Esldu=b@UFB2T4tBK9oN3x}zSe@3
z;s)5ijh^Q<wq9!avD)tVCT29+hK49<8>ksAdw#&%Wq53C-5aG`WvmO#5AM)o3g)$7
z778Z6Iz+Omn*wVdHMIR<V%zB6b;=BT`@(6a^R-Q+3i76M681Mc2ex;EUP9DaI+y+x
zOZrX|JI49w5Ld3CmIT#U$c`@c$aY8jv}vYGKBb{1;mH4k8Zi^Aj|I6dsoKZ_!-lp6
z;26{J4pEgWu*qL(WX!8S6sqSBan)@N*ddZ>L$ITJ=+%!OMx8ZOZmXJr;Kr0#s#qx~
z#u(HhjxM#$?P%}pG;K+0_)-;Urun4S6v_>Xrx9p_+s7hHW5}Kd4W(i1ouGx*1*sca
zTNH~hpe2EM++2F+AoaFS@OM?iE=PMTW>OvXNVJH`Nu>lEAi~9{KKe0RcS}g)f)ZNw
z!FQfJJ<*+bgp9L0&bZ!?$7Q@`>zXLzHBY;q@fN+OMQwF)Cow1No}u@Q9(#LtyXhir
zl-ZQskgXqPG~KJ0R3B%?`=JAkW=o1&SAec+U$>*Zz1^f{wRWNT(N4XM@QlFqZS*7E
zjnt)98*J*wRoHc}q-gIDj2lntZfNNCqs?93XGGKmq(^rT?Y}jaRd%>0EHs_2@hqR4
z%PKOwfdN|_7E<y!)zQFsoa2150pTJD*|pSaZ~s)t#Ax-e`+~u=sOd=wZpq;8uvCz8
zN!WZ*B6}q!eXVS5)fE;;dnja5kI^#M%1<jhYeP0WT6rPO3U*{Ps?eyI`a4z_z#1>d
zWJJ?1yAq7(6J2&&x_2ea_V#tXJ0eqtJM6ra%x4En5?ODsob)wWSvH#-?Y+IG>Rei1
z<AXE>FgL<zawjD8eK9Ad(M9I}?ZP%Q?EUw1;XA^!!hOQFzqRpUcqD)XkN^@u0!RP}
zAOR$R1dsp{Kmtf$R|p6WJ2S^=VwPmfWGXFf=k3ITW%~2<dlkV-J@gmIY{W*{D%hw+
z0%qGlPun<)otX(yXuBrJ7KZVd>`Xg}vm|8{Gv|1L@mL>VJm2*!bay+Bw_k6c>bi{m
zfIr3gp7jCexz2NUCBNtw2_OL^uqO$qXP@n8pEu9+5Ben1kW?6y;Y&UE5ws>9(fIS|
zm;?D;w0`cO_VfO@ABf4<faR<Lo53_p4Ap$YFUBQ#W3~*x<~IMjN`6j;&l<A|{2D&y
zT6>d0e>tM&qj4tJ_`O<>gM1oECoYYtords9@>@0i#d^Glaw<>CIsT;!J@^jiw~2dK
z)w06To>*wAc51)v%LVPylgt;>m7H8Z>od-!U#G6m|BQ33o0O(ALF3$;=7biU<RDWR
zs$2U_e4Oub>axZPALly0)<5oy5mXDA4jIE*YY<)415R+XAJu89o~R+y=OF1^Z<1<c
zI<~=nP9v@cx4JMCR)Z@k&sd~%j+ZnUZC+NJ_Jz9dV%Ia*?#X`mG2^aUk}&-<&s05%
zqB1&dQtNea-Z<7@kJK5hThV{=x;{~FS!3>FVRTGJY=lu`HwHpRuk9K<%h4W~W2(Bf
zOz2Z3^=-Rmby#C9)vTLZbIoCVGv-cawth@fdpKCteVU`a4<?;@H3qe*Xk#9}u82);
z%NwaQxz~lI71QKnJf~{MsdNeqrdi=mx5<B##ff?r^mo;o+{Yzg%=*?w;)b_9KI&@#
z=O3euNn5(LOlqH&Llex=iM?^^ag7-q=Ss3ye<k`zV-k%cQ-b$M>ciHCA!y;$hf>^;
zdo8n#FNPRbkH*)Q(oiy(P1Rrf>#9yU+R+|?2BQyhMqf*6sg@zlx@)j*nb0Zhum_KY
z9p8oZ7zin&$CGjy#U!I#l|PEMn-jGvF+4(Uv=9HAERJogmL~V6<Z9)wzdBRQt?B^Y
z0WjJ2aL?WMqu<hbruLrcrSr5}sSS=b^U%gRs9BHi6Sa0d?(R(Q>J3f2Wv_0$Sl7Ia
zZ{y`uDLYJN=Ett<V_u=H$(aniO9#)=6WngqULa_AZ?6_h?WU{6yL(2*)BTVaT<B63
zjqkyY_g8xtW&HhJXK`3AbV8=f@Tx7WT+yOPg<?S-d-b-9v{jezeK?z*5&kT^EBs#g
zt?(=1W#Om7e+mDgIqdt*4ReSDkN^@u0!RP}AOR$R1dsp{KmthM?}dP=q{39a=^^zb
zIR8kU59g~@Gn~ItJ&R$?=4uS&b=7Hbb_@fQpPvY)|L$}-qRf*HKLhXozajh*p89_%
zd{6ji;Tyso!i~ZggwF~W2^C?3APJ`mCkcy%n9wU6Cd?8J5FGsf<Nv__ntz%9Z~ou;
zf8ihEzs}#vU(bJ@{|Ekj{#<^LKZ{?(_w&c_A$}o0k8kHW-opKfdyD%O_dnc!a^L5^
z&3%)*i@S;YBKJA&Vou?PxHGv`+!8LzE#gG(K+fs;(DOUbE1sWto`JU$wtMdM+~B#&
zbBSlOC+Au3S?gKmInv|x9O{|j@pu^bJMP!qFS?&~KjD7ZeUJNQ_ciXz+!wfq-D&q}
z?&a=d-9h(!_iT5Y+v<AX^}6e4uIF4&xgK@h@4C%(o$GSf#V*A)<T}%}%C*E5buDs<
zt^-|8_Cxk}>?`a~*k{=9vfJ4^*&Eoa*h|>WY=%99UBMp5hS>$|!R!>)?)<>{rt=rh
z=bcYGA9Ft7yxqCgd8JczZgigGJlnb2dAu|3>~VHDr#oGazc}7@yy|$t@dL->jt3og
zJGMElc3kQ>&rxs;I8Je#;5gdh-%pN3j{V}Wd-m*My>Raz`^unb9cAnc!_K$jH%I$G
zmAD?Y-n|cGW1r0eTq>cp+AOTubcJJyA%D)X%8)<nIMa|n;}|kzcv;1ew>T~~<f`Lx
zL%zsyogshPahoBZ@3`NPM;wnD@+QYqhFozxXUJv8&kXro$Loe%bi8lKd8gHoH#pl2
zIqRHl$b-)LhAcaShMaO9YsivwxgjT=ry25D&a@$a$~kPvr#mk&<WrrO8S*;kHHN&#
zd9xv(?7YX2S2`ay<dd9F81jkEXAQaE`Jy2&b-rfEea?3bc`?fva)R|3@-gfTLq3W<
z)R2#0y@niPk2K^6yUdV7>{>$(z?&DfcH(1mhTO|u$ardvTWdv&SZ(~%<OS@P44?Da
zTMYSd_Fh9ilzqgIJJ=@;S!91?$Op488S-rQH->x=`>r9+aG4Exx{EjD16>Ch@)XzM
zhTP`z8#3=Y+K@f26AanqI>nHkt^q@~y9$PEb)9F(X4j>L%($+u$;@9|+YI?b*WHHv
zf$Kp-e&6-DA;0VTfg!)+dclz2cD-uIzjM89$Zxv-V#u$%U55M{_jE&k&D~+huey5-
z`4xBEkbmJm-jILhUTw%Pxz9G_7v1L=@(b>bhWrz^YRJ#KuQcT6+*=L#NABAV`C0b^
zhWrEfV}|^U`)Nad+WovCKjr>~AwTJU(~zHVe_+Uud+dh%UC$Ile#~>QAwTL_V91Yn
z!iM~?=Qu-t(6hpjw|mYo<Oe(%L%!crGUR(b7aH<Co>4=-+w&zuzSDDyA>Zz~*N|`X
zJYvYVc%C%mn>{}=<ZYgp4EYAnZwz^>=Uqd-jx!tbmpI;#ui*|d<g2;E4f!h0Z^&12
zM;r3x+zEy}%AI1!mvIAzd?{Bj<V(2o3|ZwaHROxAs~8(&wXmiOxvjc%0e71&oyXm)
zOPjfeb!j8_xGpK&GrCmbp4X*e?q|AG;C`b^Iqn@@I*0p<E)DTcUCQuNbScfx)};ad
za9vu@dv)n-KCVk=@=J8-41R?!oyMQ0OQ-Myy0n(h>C$R`qb{xDFV>|M{HQK1=daPF
z6Zmbqw2Z$~myYKj(4{5(qq=k)|D-M*%Rj42NAoY}(vkctx)kT%)TJo@zAl9Yvn~Y%
zk1qLz>AK_<L|y6;7U<F<A*f3Wgrjw7zOYP}4i{GI(xJkcy3`?LbV(G3b?IQ?JYAYC
zT%t<{30LaU4B<Lmnl9X;O9u+~=+YG7L0xJSzN<^T@U$*@gy(e0CA_3dPT@6OvJ3C&
zl9e<w_zZx7t04T5@Bb~3tni3%o$$Y!6`qg)5<mh-00|%gB!C2v01`j~NB{{SfxSdP
zgwOU_HsSPpeX(vY{0oS_Sll0u`+_~;h%f5*&NJH?6Zo)GFX3))Nc8#Rfml2g?1@DJ
z;aF@QtPViDIBK!@A(m)75QvAOJ&{l-7L1bTf2M6O6$+C<0!RP}AOR$R1dsp{Kmter
z2_OL^fCN4f0xps&KL39r>@iU!fCP{L5<mh-00|%gB!C2v01`j~dy4?h|L-l*m<|#^
z0!RP}AOR$R1dsp{Kmter2_S(_jsUC>$V}yLfV1fm;Z5O1;c4Mv;dWU0?_wb@oFOa~
zg2Ft3=l{&V2J8Gi&flkb{p7NXDI)<SfCP{L5<mh-00|%gB!C2vz<x=<r1I8wv!$PG
z<!IW%+z^Gw)J=6(=Q3YDAFT3qR%bC=VKHgbX?0fp%=M3h)!I6%5OdwHz-mpMmB?J@
z1go|>E1tR53s&5i74re}r8QvXuCscT`Qk>fa@AS=h`9!KeKpzZtR7>&@NKZN)mh!m
zT>T1IS?a95#9U3*<@=z{N@f1B2dw_YS=&vNM2@*?DcJme%;q%a^Jjw1D`PgtF;|wr
z=IJq;Ma&hS0h@mtvzftMz76012PXK31dsp{Kmter2_OL^fCP{L5<mh-U_U27-v2iV
z*E8@B|BwI@Kmter2_OL^fCP{L5<mh-00|(0y-h$iwJ`yXb25oUC(D}P)r2LoBBzvW
zu^_I>Nh1Tr;)XI^*FV(lkBWY8+#8CALOroiAQ%oAEB;4BUj&x>Cz}F9{Lx6jKdcAt
z9xfHrW*d~tB>b728O_++<;3)m01`j~NB{{S0VIF~kN^@u0!RP}Ab~wh;Q!e<_CChJ
zE;S1a_|@!EZmQ=9_Yd6zu0OI%8;?Dl5sV%QAOR$R1dsp{KmwDEK&IQluv5=UB&6YN
zSoVi9UMb`EM+QQ2X23Tf$$@k_lFAJD(*xmPI+Y3g1769PqJd4BBXNH)9*Fb=V}YnQ
zwqqC1?WS)|Ha36f`Q5PA!I)-2({PmKav7%YQYn8dA`eJ0Ns@g2fmkXy;2p?B2K*`6
z@ALbkvNx51y}1KgEAaWceb7Dv@t~JX;rYC<tv8+A8*>52Ku^RQ4urhttcG?-64TR)
zL?U5tCL={-(Qqmg^JZk(>ks%+v2aF8#UjB_C>)JuQnbbSyksKL7m5e{WFj%(4|yYD
znhS4tz(=+YC;wtS;b_Poj%NK(uy#@~h&5df1Vdq;Kbr9c(y>f*APPB^(ivYW5R-j=
zc_11LMZI1Lx`n=@Io*pq7>tMfJ+Kpb&`*<sz0R9mxC@y4UTa2!UMLso%Xa9@Qc!||
z1)`CtKk5xafl>p}bVib6VaRXD2R0FJDiBGHD^&otYVYyIqLI3pSZ(k1V4Vy981wvI
zE7e|0D9h>1!mc%oNIIC7Qr@sH5(|bizHl10u8(@tQLis8LBmW#JBOB^0b8=seQg(e
zXo1044>ZeAi1ve)E{yO+Cbzc=He`XWMVh--Ea*S6K+Nx#yqST4Sil$aOKIOgFeCY3
zY!8Ma(6>NH2Whd48TxSC>+1=HqM?A^+FQAh5^dN^#o~mQ7_;y#M)-m7EjS+AOUYs~
zNB{{S0VIF~kN^@u0!RP}AOR$R1dzba2(;Us%wbNG)6A~P4(27XKR;Y7DQ44Od8?C|
z=44qjOFj`W{S_kWm^d=dBQbXOg=TIk|2zJ({A~Ayo<Y|m6Nf=pB!C2v01`j~NB{{S
z0VJ^Z3BZl(6MH|^-J4={y?rV(@2r{gST=D0eCa!lnRb#hAXSuNULs%m`a^O6rWw-#
ze+pg|2xY<{cu_!x*Gj@^IqmhQqA}1@UU`k2S~*-!jD>5QV-Li=-X32NUM`8qg~o~2
zKr9|4Uk1l~A$_j0HvjI2*9t;C(Qqgd2(K&4r9!bF`_o}591F@`?|?U*i9`ebv>Y6e
zWxte4MIy0=S6ZTREe7Ef#?CO+PdTPCv(B0|%h^!Sf|MI6E9n$WqXz=;u0lYTLcvff
zB|*&o3{0xZnP4d9j|~K%Kz@mO*A2hd@9p;bV9r?d`pJt4fk02x2h;R{S{b1v@X`W&
z{S2=&z^rQ|8uIFs$>2i2i-!5wa8J}9fj1#)WeiENflw&qi^#rAC>4fNFq27xAw`4f
zfmFnp=^u+hIHkJUG?i&TtGyj6lG7@3DyhhHK3fRO0dFMcONG<HOe!ovt|8KBFdB%$
z`vC!X*Td@ro<8rI%CKBYkPwX}^M>OgZ%-iL4F(`AnIt#njDzH549IDq?v<fhuKa<X
zpg$7u`AE5>TrL_2g;VfqQXm>gM*}cT9q~oeKEFg}tR<+<regU68>~|qj^pM!oeU{c
zC)35i=jhN5M)JkV_;1hQ^`&T!pS&2NGp@^};bH_PnJN}?Bgy<oQr;*Rl(KBm66<!d
zT4G&rb}}pAWB0tAACOC81wu5Z>G$_|W8OeW|K7bWO~YkrsaP3?h)&YtNt?A~7B(bf
zWNU&{!hV0anLkNIbJ0>U;(<}(?%g|5?5Wtu`hQH@o{AmgMFL0w2_OL^fCP{L5<mh-
z00|%gB!C3=1p>JL-@Z@_m<J?)1dsp{Kmter2_OL^fCP{L5<mibmH?UmpTUP1;SJ#h
z;rqgN;VZ(G!ui6GuueEm=oMxQEdMV5Oa58@+x*@9wfrUgx%}Dui4Xw)kN^@u0!RP}
zAOR$R1dsp{Kmtf$|0gh2J=omq>n_RUYXv#ENgf!2-RRoXIp!|-jDRd)3ST7n!rnle
zI=jv)>W>9OZR)I=l@C6QfDcciZR$aqRRmP{U;!3d^tGuob*rE+24AkgdU<W?48sbN
z@OlH_t6jH(Zw|a6UpVA#Q>WLgARE3QIJBwL3@gZ9$nS?t9H?9Qy%8@gbLj<NQ#C7C
z!xG|(`Ftc_Q*<jIy!#)6&u9E?>H)eHe6it;LKz`oTZ2`|4*`V+EBJb)P33D=UcWC8
z2>QW_GpwN0kTr<jL#@0ae+(A%41~bSty={lHQ?n360Vw+HwcR<!lxl^DyvzAe1OFp
z3jvKb)mgJ53wipr0yzvT2<Z0)f;Qo4h7+!VHfvfa{6ct5cwTryxJS5MctE&WxJKA2
zJS;pWJS%)qJNEy^jU_|^NB{{S0VIF~kN^@u0!RP}AOR$>w+NVKefdy$B0uWOGMuMv
zJp;}MUVAj8{^FNlJwH?XbzV3xzwt;opS;Zs_CNSXS$L5wv;j6Nw}F4=KQ5msyh&}C
z6GqpA&9^_d3eHpDf8C!AWSj6yIGeT#e-{2Iye0fv_@(f_bzV?J0!RP}AOR$R1dsp{
zKmter2_OL^fCTn&0`w<=bJgYWfL~Re3}d!e`$1k^1(|ts33>nDBs|9m&zY5d_1MP|
zWA=8L0JnaZgJ1w8fCP{L5<mh-00|%gB!C2v01{{-u)yMAOa~mm^;=RIe{4-9m6FTl
zOeH6Fi)35C{v~nIn+c}^5noJpIWK0Ov`lA&ci`Rs7vW9+C*Y0$d$f1|FB2{hhK00n
zny_3rRtO67VKsm@!OFkSzs~=Re~y2Of0VzUzm30+zns6ASNI|ROnw!=gpcxzc#%Jl
zcXA(czvEuve!@M&eV5zL-O1g+UBczKwcL^1p`6F_j^{<s6P|lK*LW`Q40w+BEb#E|
zx82XXA8~JUtL}{Z1b2^nitAn13$Djpx415Ko#R^J^1G(9AFwa6kF&S4qilg)&4$^7
zoPTlt!uh20Zs(QGk~8f*#ktHGcP?@s>}+$I9q%|^b^OHfwBu37y^fn5S353oY;+7c
z&TuSu9PRKrIvfW&?DqHVzp=k)|AGCx_6O{@*}r7J%zmCdXFuD%%6^<ZXg}OO!|t+u
zXnWK4Guw}BPuL!`-D%ruyWDo6ZP+$oTWdSs7PT#~&9?D2#`?DP73=fXr>u`y@3C&P
zUS(CSiZx?B&3c0MNNbN(v`(>FE$>=hv%Fw=#`2iue#<SEYb=*qHe1fIoM~BMIo9I0
z9BP@q=Z~f)gBA@0IIFqcY`UVqT&~Eb%c=G`s*O_ZvsAl`YM-InrBwR|s$D|0EmTvf
zR;Aj-RJ(|37gFuhRJ(v`=Tq%Gs*O->Gu1XxZ6nnxR8y!{rdo+==TdE$YDKCQsFtT%
zj%pjIb`I6DR2!n&Ak{Kdlc|=bT8e4|RFkN-o@z;|olUi~sCFjRK1H=NsCGKlPNUkX
zR6B)g>!`MtYHO&rnrbIgZ57p4Qf&p*PNLd!s+~x+6R6ftwPjRWO10yu)<?A^R9j57
z<EWOP+ObqShH6Js?I@}pNwp)W7N=T_YEi01s1~MLh-yKq1*qnynvZH;s`XN>hiZ$c
zwuovAsJ4J=^QktUYKK$paH<_jwL_`aLA4I5iBuD*b}-crrrK<(&8FHxR6B@jGpII$
zYSXDUooWYC?Lewcq1qIxwNb5&YCP3=s(Gm9p_+?oE~+`H=A@dPYIdqwsb-~`nQCUL
zF;rtTjrohFF@K@jhgAEJY9CPT1FF4GwfCv^F4f+p+B;NxhiY$A?QN?4j%vT7+M85+
zlWMP1?RBdChHAf|+G|vMjcTt_?NzG1LbX?@_6w^0f@(jb+Rv!=64hR!+KW_sk!mkc
z?FFj+gla#b+VfO<o@&og?K!Ibh-yEg+Ot%9mTEts+7GDq4Aq{Y+S62fnrcr`?J4IC
z3_mvXQnx3m+mp_Ro86wEZcjL$Yj%5_x;^gvU9;PFsoQs1PqW)&)a@~LezV)7)a_Ar
zNweD{)a?;=eY4xc)a_yRf@Ze|soR6>b<J+usoQpTd$ZdE)a?QG*=D!<soVYR>&<TW
zQn!0u&StlJsM|fRLz~_1rfzq;j%{|kle*pMI<wjBcItM!Yjd;PZPe{H*EP*<w@|lR
zT=zG--AvtXc0JSVwvD=NbG_E=b^~?0!EJ4J+e+QGy2WO<>!{mx?jxJszC_)=<UXz0
z?HcNKjazAUyPCRP?Y^qn?JDYamHVD%w=1dJmF}mS-7cqYm%CqSb{nN`qaLQ&?K0|i
znP+yh+oja)Qctwm?GoyCiDzxIn@ZhO&v3Kb#nkO$&t(i`hyJ;(rgqbXn!|;jo5$H-
zpxIyGd3c=td7Axso@d9|Z`SNLdtMu7zfrT_2=knc=_;DN!p#_GU()PLoOhi4ux3BZ
zEgNTF(CiB^qtzIHPP5N(o5$IoquHOsT{X^rNV6XTGL7+MH2aLkDy_+BO&-wX0Zm@7
z$?G-wY)w8}lh4%TGd1}PO+G`DPt)YnH2D-wK1Gw)YVul5UaiTiHF=dLuhQfdn!G}j
zmuvEJO+G=BPtfFLn!HStkJsemHF=39FVW=VH2FA9K30>D)#Rf!`Djf(Qj?F=<hUls
zH94xuQB4kOa#)jtnjF+*zb5-N*{jK3P43a;9!*}P$%{03fhI4|<oTLBUy~2l<ij=j
zP)$BmlRGrILz6{K7B%@`O+HwYXKV6oO+HAI57Oirnmj|3r)%<bO+HYQ57gu-nmk35
z+cddNlX*?%HQA%d9!+*>vP+Yln(WkMyC&N;*{aD_O}1#V#U*?I^Z)O_^FKVB?+1tL
z%E^DQ-~V`rb159hz!8C?7miLi=EBhqhX9Ae>2UlNj`!er3y%MT<7GI0495@Q_&yxp
zf#V@K?t|kFIBtUDS~xxr$7kTU2#!r~6yX?zBMHZ;aIA!5DICYZ5rLx@j!rn{!qE<g
z00;cp{|d)@aJ&V_|H1Jx96yHRhqbE$nn(Z%Ac2odfV|hnu-}2*gNgZ&Zr-Pxcj)F#
zx_PZ`eqJ{}qnj7$<|f@N>gJ$sCUx^v-CU`gOLg-Y-HhmFuWokg=3L!u*G)k;9n^IG
zRX5+$&9`*(|8(<Z-Tbj`{!ll+ubbb|&4+aJKHa=SH*eC-YjyMUy7?L1yht}U>1I(k
z2X!;4o2OC}ULw4h@W#JSh5-MlW&ha3+5GM&0}xY10-qEC;REyVCzUp)`}aq{W-*y8
z7AQA-9KgAM&e)w-GyIQvv#03#E&B*4_=g0L01`j~NB{{SfxSvVJxmZ7=8)<dwmK)o
z%`;VnB_%1NXs<4oySuwxN=Zs>kW0yII_?t1cyU-RNlLL47dwvXAQl^?TtzMuw{EdB
z*y$=Ol2R#uH1EDn7fGU9jMGp=N@bG%KurkNgiuY0=t7v7mEp9c$mwLUpvTiKX46_u
z(sDUP=V(r@$fXf8NhYoo6)7hT<m6;Q%0r&TPo3q8r%TeNWJ%6RO14-4JKbiuR2(e9
zi=4?Etho)gY7Y;b0@ZZ}C-QRV04&4}<?b&ia;YHYJ`OKZ-r&yB){>Ysz^Y{qUNxCp
zF?c0%xsTtfCQCDczI)|f?Y|Qywx!L(Gi+juj~$_XyROYHF6Q%<LRJ|O*JKCt5&`@X
zn_>z=c5liSy2~TwJaj$M^9{R!N;aot$5}#WN;P`ROSw%_Np7?(DnoLq(Q3H3NiLO#
z<Xmo-2cniurfERg+v7-ewF_R3=&Z2oXpQvehl?deT%(PeyF7k`jR91vyV@Wb(}a?|
z*9OPK?JzhVR(BCeq?GJN`Q!KZUAc+`3<&%DRfK&1&+H#R9Zxv$pd%7M0!RP}AOR$R
z1dsp{Kmter2_S*LX9Aq{XH3+5l*ttrZWK~N7yo<ypZLqIcky$%H{q-ODt8h$-SdLy
z7SE}kS?-tJ*SiPY-L5~l9&~N8oy<O9o5h~OwmJXZd86}OXP=XIJnPuzIL8sO|HXd4
zJ!|i>y=QyMd=!7W@U(T4HDdXzWxM4(%W)Q~`M>_2neR7cuTJf;Ge=bW62rO5V7360
z7IZ_<VSOS3emxZDl_~=xy+cxYC{BNZTT>Y(KQPAQ%fRl`tTNPJNM|z{xg-~qgtk<L
z3x1tFM@}hmu@mNFvfA&FNqyD_=5=6J2YzLQ?J{HC-dMLkBKo{>uQwj>_V_}PNHE$P
zwK3gXVz4A_loY9yOv@Rml2d4aaJN4w`uy=gEFOsTgkk&7NaV<fjfu@lkY9|mN|H|D
zBsa(-n~J40nQ<bsGPTe?ujmWK{oZ)c*8>}XMk9f67(xrR(7EEElFiFWxj?3M(%$B9
z-X7SVGvW(ILpJ6pBV4LfgsC09-~ckyGGsIw3`ZmVK^qe|qLw1~H8Klwc@dllOjz`T
ze&5u;q*W#&G1ve!8V-!hd^wpZmhzGUznBmDT80aTVZYI%{Whj=YN8|$7t2|gd>ctZ
z!ISB1nN&T@PytBTAGKBZa3mHAhI@TBW}%RP-|LgoaCSmk;Xp7J4Y467gqW33<jqQ5
z7Kxh8$uyy8cfcz`)r9=<P`D=)3WBxm1m=j3+26Wn+n6~s6P0WdW&!eYDqBj8r9_%t
zI35he1Hqm!?A98Mv7coekW%F!JCmqd5?Qi#1du2zwFa0>6?2t*L7T(u7L8wq^@a`2
zn*3r;ekdnql$vBRpl(i)mXkL6NIVdZ`}{qyv1>T&?e4ZQokHTAa<MSngwq=$O+E<S
z1e(0p?~ld2i=dAPP=AoUx(YCAygo!Q3Y{c$^g<ic4>cyATY-+6m2yU7&8CS(CJWOd
zdX0y=13u9giTgt&#i&2%5BU2QK#Q4|&^u!-aJkm6VR}{vL#AwLIUA#ap5~AEmUls~
zi8M!(FQzLwS&xFU*T6zEZW&uR3_A^nBlB&{5khlp!<B(tHr28;p_m_r3}2^>=@k+M
zc~dg0$oXVmE>x0=G@u8eHRO-`p^5l=g3&-I81Wx&V|+qF8LH$53Q{&#9#>69X@kJ6
zClK?6f<f<LS~VF%nLer*)l@&0g<xA@U+~C7ZOkFQM5PQ9<g_PevZb;@rk9gBi3;QB
zYU%kSVV^G+I)rvI7{SWJQbCU)4Q(H$$65vR#iHSGXh8=g$|back0#pEFWIa(vS6O(
zmrRrE(YNvoyE_L1(M2LOYAyj?rKBW_8Q5rA-q7qj*c0=HU^C;zb8XBTApsdk$wr^c
zNrl0RG^nLT#;8F#oh^*7SRfGWiG~8vU}VX`HfG&~kw}GNVI*IyG&OcDmPjBHfqkLp
zK)oGcw5wVs<U*_5hl3FqLD)YqT_0(nI%bxQIc8R?@kM)^pz(qg>h?#;km!xXeZC&Q
z7ur;qo5C#pNGVP1=?IgJnHxw*!^24>tK{S*vI5s^cx6GGV<Yb&lxb;cXNbnVzIezB
z4I8ct!J}qE$D5THh8fp_lBE4LU4*^F;Z=@oF)f#1t}b1JRbK=jw9`oJh#58}GA{UV
zDO)VT?D0f_!!f@<8f}M;I4&@0j^znM`eB?6Oov`SH8Cg^6v#C6d-5^{T<T!E?Us2B
zg(AK{Xc}Ctr_%a@KEIjV{Olwc4AGG#2SO3M6VTX_a38V(#xbq=C)3hMZJ;D`tzu_n
zY`AOy6@+0v5T6PS@esYSi~**=VaU$4h8ze7V!`+n8<T*+QNO5{D+BuN3A{@~E^cET
zpdnp<EEEm&A7EpWV*@KqkM?7&=PSizip&N>bAb{mvOc0UHdojaJ>n0A+q7F08pU9#
zSQ$=A<#Kkg0AsGwn!7IqgHl+aw>G(A8HR((FbwEq%%NFtot`%q@P_$yj5P#ndBwOy
z<4qX=P^5CLRm07OPxJ=j-dH>sfm^{~AQJU+&^``GzzaGX;9@_Vg%^Re<O;=B%>%Y+
zhtc9FkBwOhw}B1!f3&d1J3uW<>5amTRAiAGhSLKQ8Cg#2jS)7u*KUmsmfAJQ7m4@-
zv0fK62QINGyCDl1%ny_IiJ%Hv1_;OC5*cJ|ObBu(rG{$5HF>>>+;)x66io)M(a``5
z99Ca1WNcPKzhWiJsr(M_q`f^Mug@0@E_A>R*R%w*GNlOjN<)e=+%jk2I}{7sVfg7v
z3>D!HhFslp#gvpI8axOzbw`@Fpg-!5g>BHU4oFDkbpRMGwEk4PS_E2`DG-E)7`4KP
zbpYJ|NTt*e+@P1?kpgbm;W9f6mlt2_kp74_<cnGW`rJg#YqB`3z1ZasEed%T8F$I!
zs>>Jid3_7bHs&y>E;$F4C2Q1M0`d7naJTE#s!FOT#f+>#9#cbb?UT#0Qa0`v#-3h)
zc^Gb5eRTc*KQh7}Cm!w56$u~#B!C2v01`j~NB{{S0VIF~kN^^xWCU3F>6V?wo(ew$
zxghH%;X?-g;U5w}0!RP}AOR$R1dsp{Kmter2_OL^upbhzSXh?K|C@!o7~!XI!apQ{
z1dsp{Kmter2_OL^fCP{L5<mh-;FBfLV|FlXXTr&7i(@9~Dvc%jIY6}A9~OPlc*qAI
zdG<u3zCbK?m<jw(1OH@}pL&CDpQGAmnZCF;*y9gJ;A1K>|8EvvVT4zN_deMIV(Lf$
z2_OL^fCP{L5<mh-00|%gB!C2vz~4e(ik0m&HT-N~c3SoK|F!vl*MBg451jB12_OL^
zfCP{L5<mh-00~Sc0+*g`W*HNEg^5eBW^GZzxVSh6D|U&CVQpWjkQSH0daSToEvIh^
z85dzaK3Hs!EF~x9I2YNZv6R);=c<K-mAABzLo}qAEr_tbTV=DjX(*c-60>Cy*4j*q
zu<E1;Yn#f2vMkCQC9<kokI1>k*5ZwGu#X(sn2s!KR*v`f4#LvMm4P0JzZcd`PDur+
zG?FUz!d8~~Y^ocqx)oW<_YUNW1HE}zxl=CbZsp#!uv%J}o_j{5JY>8vYFNG(w#e*(
zl?h97Pq8%E3oA1Y6|%5$Yb`A2f_1`%$flXAB&C#1Z4i%xr5It^IbZ;*<i%mlNMEei
z8|d{1ITtLOSuR#!RZYDNus~b7LY8ONKoDyB%8$BxZRuoPrFrWt<;4X9u;g=6C)r7J
zt-C@7i(*HIc=SY`U;#g|H!W}MEmUCZ#_?VOH;Ih=!Lo?Cg4kWo)OnvEaivr#ki`KZ
zgm;JOA3|cSK>aG>vi>z|kMCdJ*C~pJh(Mzti%L<<NI9r{Z9!yMy%I>$ylA<h%RU+b
z*Yuy!ca*o0K&^pwr*!*N5f;WKOU1>-8d1)rC1RvuG^%xl4Ta*S0@RhfQO?E1q3qxg
z=TfA>vf)K<6nY~~>W#G4baYpRw5-;X%E3s`w`HY?Wmxvo6qhiqU%y_YjZezSu%0&u
zi&3WKfy&^xZba7wEsLwj#))gl#)%@V)CX&0i<wd}FG>aIgL0|@i|6KKabQG*#g@g5
zu$C|sT+C<7uoiU+iXw`685(RF2*7rZa!E@L8gywyFQ6tT%g~q$gSwR{QV-&MfI^lT
zO~*TeUT=q(Sg`~;DY1gaF7@;kVDWPK6q;s_&N@Ed-?Kmr!v9duf-VwdtU~L;E`t>Z
z$A=6+0M3;yq~*=fN1*e-vXMjG1F+m>xqAWUBC8cbzcX-jQykp{N4Hey?lW+7>oIqq
zq;p7mIanN>u5$`~l#DMm_y7ooC0NBYE`ldzWEj$r3NX?^J=Iqzydn^Y`yxHTkT)2O
zTIl@$yYT(L@a|+9>M^fK00|%gB!C2v01`j~NB{{S0VIF~kigCe*eoWK*<Abn-|AY-
z2>&je&)oq6{viP*fCP{L5<mh-00|(0i3waPS>23Dn|3Gj?l|#|6Yn_jzPl&hPqw&W
z;+@RA<J7x8Z9mzk-dC7iq)L;dMh_8}6jK%LH6-%J2j?P(lrCqaa+?0v<#AK_u#tJN
z$Lse+LlJYpq{X)o;$z3fM?;PK{yz#k8HdRHzg2jh%>Tb9ybS{WAps<S1dsp{Kmter
z2_OL^fCP{L5<miznt(RzZ?#%jlZBj&`G2NuQWpy|j|7ka5<mh-00|%gB!C2v01`j~
zNB{}!gaDcU$LIf@Ktg9EfCP{L5<mh-00|%gB!C2v01`j~lbirP|4;G?#OxyhB!C2v
z01`j~NB{{S0VIF~kN^_+2n6u?|06&`FGv6hAOR$R1dsp{Kmter2_OL^fCMHv0gmJ!
zzyF`)wTRhA0!RP}AOR$R1dsp{Kmter2_OL^Ffjp~|DTu-x*`E2fCP{L5<mh-00|%g
zB!C2v020_A2;ltx{!oip1|)z4kN^@u0!RP}AOR$R1dsp{KmrpJ!1@1)`JgKjKmter
z2_OL^fCP{L5<mh-00|(0{eb|^|L+gAh-E+mNB{{S0VIF~kN^@u0!RP}AOR#WF#&x3
zpO_E2A^{|T1dsp{Kmter2_OL^fCP{L64)OI;QRmkLoH$%kN^@u0!RP}AOR$R1dsp{
zKmter2~13&HvccYHL*W*MFL0w2_OL^fCP{L5<mh-00|%gB!C1aFM-<g|Ku$J<{Swi
z0VIF~kN^@u0!RP}AOR$R1dsp{*ckzQ|9@wM&>aaN0VIF~kN^@u0!RP}AOR$R1dzbw
zCxG++lfMqJ1V{i0AOR$R1dsp{Kmter2_OL^fCP3%0O$XAMhM-J01`j~NB{{S0VIF~
zkN^@u0!RP}Onw6R{6G2Y5KDjrkN^@u0!RP}AOR$R1dsp{Kmtf$X9URm|0dyeMtEI#
ziX1!hkM2kS2_OL^fCP{L5<mh-00|%gB!C2vz&=9Yps{=iV<I!fWM$Z{Y`I*KlS)ZS
zZO9e|$^5@b_>d7k6y6|5op%(G01`j~NB{{S0VIF~kN^@u0!RP}Ac4tDKzr%m##k&Y
z%b7Dw!rX3VUtk|*zr-r+YPN@UIbU`DtMex3`OZ_FL1&xeb;ncolN=@Y#kS?Pnbx<g
z-?MIYEOQ)e|AYNm`@Qz_95=exx#zk5=z7|9ldJ4n<?0rmahZj$2zenPOy_^ge~14Z
zzn%~AChotvySa<FHJsP;pPt)2=X+Lq4t4*@9C!aWWZ@$nlNoz+-pyZTwl>@D12*F5
zdN*S-u_mX}$1rw_<<w$nLnc?;w6-J_%2_2_EOd>Y4PIC$@p8Z%yWwM%T*||5OyI*8
zF3D25Sjdgo3g+NGP%6yABqA_>v`1@SENx%423Xg;BDLn#IofS_73SERz1I0$G_g;A
zEl%%fm*I0>t2l>C#dGA8lFX)SLFSImCqbZ3&`wj!$5@}S7nzqQQ5EcJR_AUx4FH%}
z3czX%31a{pUu4{RtiI78@$4j?0kGkDtb$t+4%8(u7G^8~anw(I7<FK6u7vrcKJdb7
z3B$lu^Dvg~*tpd>>NUK!Y*^7+-FJ@mPVCcH^C@mQo#ap-TCEmyEdyhPVE@cG38nd?
z5#m+LDJ0(lk<nb|RojSH@J!mC)oL@!H5To>D%a@8h_K#|r_oP~?1@#k=0~q)tF5^N
z^Qx|fXe=$W<7o8LGCTH0KP|IkYsgN^Xsq?oSgb9xV`}u%G9GBYW0Wn{R@u3zJ~x&Y
z4N$xge6Y2uYK2BTzrja~oQUT&_-K)jxg(m79rs1|t&Br!WQ)P0(a4Paj`atlk%^<n
z5U;h))vDsf(W4u@w8(nb=ut+3JG*h1KYFC$w{;INdf@!gBX;7|=z?9Nal`8la$sCB
ze4{bLZ|h-7Aya8`sqR8Be>7@@X`O2$dU4Ac#H%qHwBY6Wkn!qc=0`N<jV4K?dJD5#
zT8+f>N6!L3^!BZF9_z@Sxf8E-WItti-5J^Wqon8)<seiWGv|+zF>@lX2GIGV<Qg=Q
zSED%t&0W4L6-U>S=nb?j>Z@yX4S1m)3K$rp<5-6pyTHsJU2XV<T4>?7t`<(-iPySX
zSY>$KK@JRFzR{J2UufSga?q-MuQ0;2&b1N!{Lzzk;?<}Q-{=X3*VZ{{z9Hxu?Ki?e
zNm~qF^{kf}ej(Q_{MNBvx)ZN;tdBRm?jQ#S4Bu#<;TKBSA_uKlFEPTj&UIb%#~NN+
zN8b#P6W(IX!mk<O*TOq+{Q4t~Fz5{lAOR$R1dsp{Kmter2_OL^fCP{L64)0BSgjV;
zWEDPOY>d?oq8%~`|6Rh{@cjP<1MmL73kSaczc1Du<_QTP0VIF~kN^@u0!RP}AOR$R
z1dzb45THK+{25*k)PDf5F=hyF7JdO|lUew^ChSU#=obkf0VIF~kN^@u0!RP}AOR$R
z1dsp{*jETV=d!`aKxVt$YP$vU^j}nk&w{wmkoEtWwtXd|m=7d?1dsp{Kmter2_OL^
zfCP{L5<mh-U{4Uh=l?xH72`w#NB{{S0VIF~kN^@u0!RP}AOR$>ZxPV80>JtIeXCM1
zH%I^pAOR$R1dsp{Kmter2_OL^fCP3k0nTh=c;=^O{(0`_oa}kp<8VE|9^w41=?lzH
zEr(eD)BZL0r&}FNQJA`$v$A`mt47Xqv=`@?s>N&}EpOIN$xV`y8j?%pWU)YHX&@)V
z#w|&ykgl^(Muz2@*Yx7meTlVwV*iRIeW!^XyBtr4xN?QqQH!lZoKIyv;f_VRo2HX=
zJGzEP9PP(I#t+y*#w%rQvzc0yshwp|_urh6nnRc63e&;6m;SEBX1Rjdwre4Fmv2b<
z(4ECK^l3-?5i?Cywyr*u;s&{(H6tA&wHRzw7fpU?O;BsnAdGsjooHIJv)t?ncl$Et
znLQEjo{tl9KBY00%@;b_7tb?QXV%qLYDg*!%4J!pudy-9p;omv=1c~QS`}%XdCaMy
z_8d{u`o_HM9gTg6d2R2cG(jqmiPQwnyThsKy2#PK5~|j>!>TRG!$sJgv{)K}L4B;6
z&e?edH-w}ebSyln=0*=)>_eu@c1NN9<~RWSU;pMvb~yq_^|QMiXio$f$vN7)4>MJ}
zwKg$WDprQeT5l~w3n<s?r|6Af-HQH`*BRIIdLJYNt@?UfQu&$=&g61k8w$G4+u&$F
z43ds0<l<c)q+VX9C%ZOr-10t=#-!)4A!adKP~<_mB(7MwR$Q@e`SQA?n%ueo<)8Ni
z&Pfnw_4usDU0tbh&&&A%xF0GNb8@*}UfamM-idIBx-_V+THSwAV)g0biG8PwiFIpN
z_OF1jC-tp>dKjw<J%ajhb*?0N(msqh>)f&hxaG_$aypqQ74wD{sKctgYI3xn2yLjV
zZb+-oD!KL;Dc3vX^x`$#mezY{2uWLYy)$88MBLF;J$BI1K4*?eU86yTOQn)643=wV
zPb18l^>~oALW^}op&1vXyxbvflu9t7mgf6Ip)PSr-|>lc%h!sXo%M`2O1TR7ROHQy
z;iJ|ShSL&3SS)miL{hSOxxr6Ybw<X~epIiida}k+-|DQK)VEZFK3B+|TalaWSL<bK
z92c6r>A@+<CRaj2x73G;v7OvHy3Ugw?Gd=6r-M}O#=Uk^k*t5*Sk+jsE&b9w)SO7t
zwK1v1(?qqDcC;^DYEn~L%@&8{0^~3$Rg@vQpkz}L*~>dwC>Bz3c|ymPjcs5;zvCN5
zU3=JZ4<l7tR;2u}(M9Up20Zj^gnnKr<&35Tr7cT2#n27!U212_(Y|JlX-jCLLQCax
zF_qN-?5ODVUdX6Go&@!gd<OvPLwqa@uy=Yz9vexZkhyF|YwrdZu!B3=bZ)FyfsK~1
z)|Lz)1W+Befn0Gwvr3g@phna#7cBX27G7n9SB1CXcy$t705FS400|%gB!C2v01`j~
zNB{{S0VIF~kU&cUb}MT#S*^mKVD~>wwv+Au9PppK|IZ4~F~Wz!d+_}KhVYv3OW`Hq
zr(lJDNB{{S0VIF~kN^@u0!RP}AOR$R1dzZ!Ou%YkOe{G$$;m-Zc5<?j6YTxRm|*FD
z*zeC`VOUOhpRox4OXmOI0t5e$01`j~NB{{S0VIF~kN^@u0!RP}Ac4t7z+tm7CKF?|
zJ1m-Db~>z@08jo5<0Qqw_5UYZrDA@O01`j~NB{{S0VIF~kN^@u0!RP}>^cEl|9{t+
zVF)CE1dsp{Kmter2_OL^fCP{L5<mizjer?4Y!-e4XVXE#A2ngJ6#?^$1dsp{Kmter
z2_OL^fCP{L5<mh-014C+_#eB)WVU+dg53*5w76cVd;Xt^&;RwXP(}hs00|%gB!C2v
z01`j~NB{{S0VFU<3H+2i^gCD&WdA4H^S|9qp8rk4yQDxbQG<y1hXjxS5<mh-00|%g
zB!C2v01`j~NB{}!7X<#-W^tOi3-J5@{h~Ip5J&(CAOR$R1dsp{Kmter2_OL^fCMHa
zfY1LE;z36wfCP{L5<mh-00|%gB!C2v01`j~`vn1f{@*XE5etC?kN^@u0!RP}AOR$R
z1dsp{Kmtf$LIU{wKOr7;L;^?v2_OL^fCP{L5<mh-00|%gB(Pr)z~}${q8hOfNB{{S
z0VIF~kN^@u0!RP}AOR$R1STYa&;JwRK}RHj1dsp{Kmter2_OL^fCP{L5<mj`1p&^w
zf^nG+VFa0f!hMPBkFFt$-~5F67}H~>Lz)lfSW;+q+I~^=k6MUod-VcGdmv!0u2H0c
zoLnmA<Z?1E6{JBqoz%1zR?NMNSNA2>_K9l~$1U#@J6d?@5a(;w$!xkq%oY@RP%eop
zR<0FStXsZ(k=Rk6L`y$i7go=Av@e}&uFlIA((-2QluQ>>mAqU~%E@9OnJUSW0@*AU
z3~T1=dd~V+Ea^K<?3gfAhq!Wu*kObvSsshBqpNDFp66)qha4QX!yG{RgT>Mal)#9F
z`NGb#Fcz#;9_n1XHdIF(?V-7*s-We;NF_O3DxM>!l=_tU#)Mn>ZIRqqL>*n~jOu1b
z``o#vEf;Cc!HB{TxW<|{><PS9RV}Vs-G5SI_37e?eWydU*Cl4OiY0x=C)O=rD|+kO
zN2(6O#6Fd*l9M~cjZ!H!B$dQkY@MC;(WT{bs+1j8vc*D&sK}cY!=K(B>ndJML)uC<
zFE{w<@@%yq^ijLje&Elu)wb{xD~4yQ_1?XkIHY*w-c1oxLjs>P0nb*`@t<@aCV%=>
zwtB9k{lqSFwX5z%VN-TPHd&I>*%Dl)wfhy#CYx?_U`89S+Vqa4(GR)V(F4;9c%w79
z_ST%cs_yErqrI=oR1IlSHF~W@lhm%7jcx}wW~9-vG2qT}0ato@S?*G&REv)Gt}fG-
zq;^Nq7;B?8yYb$l(eWeRU}%9_-G~@jYPwU<?*PWCN+~wqPE2&0P<LBfA4v^a^ZjoZ
z!<ZNBbM4-A?Y@;IlVjh?&nJ?b>YQrU(S8Ixpq;99=TxPv6!XbUR?el%^Z^YX0m?0`
znXl>HY2Awclh^f$`V&zLpCkg>qgyy?PepZ!g69tCOXQJ{h+XgmIaL1y*&>P-R?OXv
zeZ7U3RtXzV0`*-^&q<S87n%Pz3-2+)hj79_B!C2v01`j~NB{{S0VIF~kN^@u0!Uzg
zB4D+!CbPxDviSVJKUFK11qmPlB!C2v01`j~NB{{S0VIF~kU#?gtA!!Y|BUwh&$KnT
zp@IaE01`j~NB{{S0VIF~kN^@u0!RP}>}LdU{lERJLa{hV00|%gB!C2v01`j~NB{{S
z0VIF~S`fhJ{}xct3JD+qB!C2v01`j~NB{{S0VIF~kidRMfV2FH;Z57k+;KLO<5b&&
z?kilEuv^)~g)dst=EF_f9UoZUu)JYvYdY>Uk;7p*n)&p8fW&er^OZ?cjAAtg%U#Yg
zRj1MAE{CMTpj?(=0bN+#or<vRq%I%bxMHp0qtUazv?UF$ttwd;6Rde3uSOm1vu2qt
zIZ<1oR*ywDjvBX4<yb7O7MUHl+P#q>vQlQ#`joJWrj(*9((8-Y&-Zm1YtA>WUq37<
zL;Aw?bxU7nO0X1Yol|Y?dwsE5&AB9R%$Buf@5ir@Z>)Q}6AuF=sgQ!yTZM;R8p4kD
z*gSK!dwhMB<l$mDSx)7R>VjHiZrEX!)%kCzF$hH}O>@pFbh8Dr0;v{rN0(J$oTPPE
zE!D-2_QXO{wNuN<ImJq;Amx&2S&_22a<Zmp(=|zVS=gAPajtdYXs*V&ldRRO$a1K*
zbC@gkna-A}PKC}i%~WMIB-$xikT+?oQA-tNs91uQNh~gGgs=mjlmPKhifu&D(PclK
zS-!hUU7cH<?Px!Jp}E>um+Ne~T#;cp?VLn<j8*_@r8V+wdYn6RS*rq#^F)@_Zis}I
zZ=5eu)J9)jE(i0M-BsMbEgt8~jPkd|u<M~=N#dDML7j~iq_5z+QOZ?d2N|+EOXH%!
z4erb(t*WQNON%J<VS&a=6C#x}E};&n9(8{8I7j=!g{Dg!+L-?T+4~kat%~yhbLKto
zocoytkp%=?S8j`d?`?007w)3mMDU8P%kB%jus8R8my6=%UGa`)MrKB4hNeblMrKB4
zMr1~2MrKB4M5ab$MrKO(f6nEd_c<>M((j)oIO6BL-{+Y*GjqOkIp@1)W=^4p23@|y
ztO^Pfe9fjL)T{p<hVPQGzHk;E=?mj==*uSX36zd>XKp1QP)8(V`yKWnZo|^_LB(xv
zX>RaH>G=aE`wObNIA5ifpFD`<d!g>OEZyneG`xz;!e>=7ZHo#n>61OxT_M!1w%`Q6
zx(Wd<jfH@!CHbLh`H4r8yp8fK3{1sOvA7=T<2_}!Z`|<MR7|6?$}IaIKE~y>{4r|z
z41R<3M^^q|;P;gF*49kU|B_KLM7pV`3onLy9R!^j^p3)_jW<L$;qWSJ<o}Y0{`o;_
z`8*ibPegTIGS<4+<hye1aAztBm9FoJk&;LyN%*Xk#3>HxUN)6g_7=I{zdsNj{%7Q+
zJb{mJ4V6P5;c88{E=YF<o6kdy1$)6`cWX~Ig(JAtRM<n_`wSNjbnB-O2;WMOe{%RU
z{gJuC#raVn7~pmjMZ*9Hyd2zOywR|&vDFoPo-N(pQ#&ezx^2jf?f3D5*KItWx5{7-
zNh-TP!ro%{vv0AN*jDxg`#RggUI_pD$Z#(%R4^bI5DW+g1OtKr!GK^uFd!HZ3<w4U
z1OH0~+#UNzgD&49MWtv&meskgXO0IG>^X@_o}0$l?<K2HP&bs?jJ+%MD!9B~_tXfW
zs3hk9hlmk|U_dY+7!V8y1_T3w0l|P^KrkQ}5DW+g4oe1X^%cpA&XLqP^f7u|bPl`M
z`Lg|WJ7s;%9Aw;M)I{e*Dy5Cm$iwpD#YG7Q-j@OW(<Ju3kwgT+K)^tLUj9_IeC2VZ
z8&4K4nO#|&ff>xrZ)j|5KG3wz^}!^sc{8V-F>i9kw3(A8pHork&y@Xl(|(`%o<WJ+
z^&@`D!35B}nV+hbPd<L1bu6&FrZe3J%a8nDn3S63Q*aAm(ig(B)b@#hPA-|HTS&s4
zw8nF&tjhPvPf^QHhvL+GH0+yV(bHpz?tZ@#h0Z@fp>RAXS6P0tT7Eo~YX)8`mChBe
zqZmElP5OLLl3;TEJ`vn2FFNt;d9=`}NX<U0s9=65nJqf#A;th*^r0#+xwKfEmi!`E
zn*b{i@!EuoyV9K*e_cyg7Un)@ngh?J;g04HTKmTKdsyIin|zQ;WmQ*xp;|r>vg?oL
z!=eOWxyX`qQ?8ifCGV4C@q~RcML|_p_0FfgWsg^1>UHHH%iw2JxYweB_tZm6mcpQH
zcy}!<g$WiN`qOqxR}_ZVJTA<%<X{;}&&yc~{OyxLXsu0CdrMcVKS_8$>15kGa}7<M
z8OSNq*mG8kI@`NC8Wt26;qWz@!NufOcEB9u(u)ZK-Nls)GA$W*!B3_wmtK_a<mboW
zHq_qXEok$zhUJvaFuuals<_u03hlt144-xHJt2p5e^5)|8)qnvds3(!_|x{?Cg{dn
z3E}R|kk7WiJl~|24~GKO<5uCH6iQh7VvkLvhvfNXqXE5;-#%eg`CR@?tvs*S%iTT)
zewV_Fyx?Z+cZ#0YnRyQz#TMA}dFS;=-2Y!r!A%scdMlRGyUC%Dfc0WA;nv!fpW|IO
zIly)2IvbmoLZ5ISvGA2adfs&h;b7v>Y(wEZ>BfV;@WLtYpH)v6UO0O{7hWu9W!2gF
zGidqH{^T-`{#^UgG%P#wR;&3~y0^zN<A{C<e2<%>zt*ivy#FuW)dUg@2nGZLf&syR
zU_dY+7!V8y1_T3w0l~oG%0NN?v%T!^hwC+p>k<qI1_T3w0l|P^KrkQ}5DW+g1OtKr
z!N5nI0fX(8BJ6dEy#YG_zWz~XLtMXLKrkQ}5DW+g1OtKr!GK^uFd!HZ3<w4ebq3tM
z0F|hFBoX%*QQ(Rc1NH`tu-7E^H})F)^Pzr?qWppZ!GK^uFd!HZ3<w4U1A+m;fM7r{
zAQ<?FGvIv+z?1)4QT~hl|3BibLR`LJKrkQ}5DW+g1OtKr!GK^uFd!HZ417cwFxXrE
z{QteM0^oJA0^lQ3?cy>81A+m;fM7r{AQ%t~2nGZLf&syRVBoN2z?}e~D&91J2wWtU
zq)0^94RwUHMXi)z_5WYkAK0(i&)5&yci7k2m)Pgor`Szw1#4r?Y!;i$PGE61ko9Jo
z^PaQEdEI&0dEVLTJn1~@Jm{=<?r?5#u5ng5oz7zCLT9dXnsbU%<BW1DoqmqvDE2${
z8}=*qcKbQ|Df@AIqy2z=mwlUkrJb`E+w<+&_9VN`KH5IQddJ#r?XaG=p0*yh?y){?
z-DKshE-PbQV4Y!2w(70X)-l$RmTvyj{EPW}^Oxq2&F`9DH}5w;Yku6k+FWV2nvLeE
z<~TEE4l(<gmMIy3Fn(qH#Q2`^4dYA3=ZtHNR%5Plsxi)p8AFVIhGj_l9{p8)yZ$}>
z8~T^@&*`7gFVWld`TA^ql3u5e(kt{nx~BbE`<?a+?MK>ow6AGj)IOtqOuI^3u3f0j
z(WYo)wJ}<y)>r+f`WN;0>MzwFtKU`cQ`f1tsH@c#YJ+;FI#nH`R<dq(E*oawXdh=&
z>#OEm<FCf8#!BNN{U`c0+Pm5kO;<OnOVzRB--n5T=nwwwe_x9J8~+a50Y_X|fdN`6
zEhyj*<`;5siYaS%lJ6BQf&PySz^xJPlF^7x<eStK$2Y3uT}&e~QRVB^89d-x^<0jx
zR?{3`rFIri$g7w0fGgA+IKE81jpIwzyE$H|KFINM^;<6XbM8`qzyq@C&p5tV{SC+M
z>K{37RsYWMQZ2%9Mk{l%pXefOAP-1u#p`d<ir3$$ox<ZZXwx~qKs$%y^R;G<&($t=
zv7f=&+GRXoo_0OQXKJ71_zdmy9M96e%<&BEn;f66eV^lL+D|#2s{NYd$=YiiPt^X#
z@pzrM*e}q@y2Arb)CX{Uf<BDndOg8$t$q^6)%s~1C-t*9j_V6JK3>mBR-plUZE2K#
zB@Z2`-{fMyC?oVw^MGOcJsc0wzshl?{%wvc^dE9OSbyHdenJEF9Xw!wzMJEI`a2x=
zH7Lh@jNTmgHU@KCW{l+6F={xrj0qeY#!QYi<2;V3vB<@KffOUl1Bl^Wz8@eNYYG9<
zdxm%UUVyaM;MXs`WAN*j-ZuF4OK%zc`lUU_&v`;`8o%ZE4dYK7?>4;4_cPdK^6Qsg
zH~IBTubTY&rB_UT{nAd8U%#}&<kv5~Z1U@uUNX;jGxIapZh8c`RW7|~^6QsgFt6Yx
zdfvQ|<89`rIDXFj0>{sqU*Y%}(;EQ1G`E_(|4UDsy#Gs2nY{l?TTI^nrOhVq|I(8d
z@Bh*h7UStZZXLz(CTlpyk6B5MAGJ>A_z~-LjyGCobNsN?#PLH`JI4=NmvX$px|ZVy
ztWR)!pY=J8@3p?f@p|h~7yIPiZEfZOcUjMJe5bXY<8{`n9N%H>;rMnNQt`)i={DPT
zv7hK#yFU-O)gH?6Ew<PF{YW?4y#GsUY~KH+8*JYHrR!|o|D|i}HlEOG`x1`3?Q1x`
z(*C#<g&PeBw9D<!08}Enyvn{OK$qBG3D64rn*my8e=k5e`^N$5w0{wx4*RzOYP0_s
zpceaY0a{}JD?p1KJwOYcBLdXy3<}T!XLx`va^eBH&^aMM^PR~7I?tIEpmUsa19X<t
z6rj0IYk=lB%L6pq$p>hrb7O#}JD&{DY0l>YbgFZIfTlQK3(zFz+X0&3{2)N5I6n>0
zNzShVG|u^bfW|t14p5!*j{w!MNPtqz4p4%X2Pnpl3D6ie3XoSdqgYMg9LY`z&<J)~
zfQGTT0UE*@0C}fWvP|HtVA%i-W|swMAiJ&*aR9qDaQ0*C0@Rn?8=yYyp#b$}j|HfV
zZ4Qvbo(Yh}UI>uEb_7Ucy8=XEslVT}6t{i3e*}Q}|7soR|AfTeWPf76W4~lSVc%!p
zVqaxnWS?c9VAr!NSQlH$8rj)w2Ajz0+3{>BJBsyUs`F3hug+`EZ=9byKXSh7e8c&&
z^9ASA&c~dqolBjIokh+C&Y8|M=VYhaInFu8DR*oqV*kVbv;BMfSN2csAK2fvzh>WW
zf6o3SDB|$n0Y=#sb{|`__F8XPJFOS2t=1FPM(aLnopp<~+FD_?SQlAyty8UWR?He=
z^|LHXGWVFTn%m81&CTYc<_7aFbFF!uxytM?o6U2~>E<bB${b-1G|NoIc-z=zyliYU
zo-#HW4;kx?+l@8Gl}653Y|J-i8<UJWW0X;0^f5Gjul|O<Q-49<sz0G`)bG>R>9^>s
z^%eR;{XBi9K0&Y1N9u$1-a6IZ(ROP)wCA;_wa2xGwR^QYw41eVZ5e3#&|e5NLw!$u
zQ+-8!QGG^zQhh{yK)qAFRlP>NL~T<SsAs9CsVAw4!{py6^|1Iytq=B}a`}J%U*UQ5
zfBmc6;NAoE5z3wa>yn84CCS*NJRo@3KLc>9^qw0f_wNCdIKEMx&GGf>e2%YG7jt~I
zn&bE?^-7NOYM_50%`4Q~x&JbCJ;#@-4{^Lw-Nf;7^(l_K)NLGR)t5QGSlz{OyZScA
zt(wB|QvVMC(Fl|wQ_%l_7ZvnB;B-O%18yqlf543e{SUaIp#K41P|*K?&(}J5Ugv77
zI6hmuj^laST8_`u?&A0iZ3D-%G*19{<(#1f&;OAA>00po4|tjuJpTipss+#gfG2Cg
z^FQE;Iy~^Z&;NkO>lVi+>-{)BQ6Iwb33`m<dVL(nwfd<XSL<^*PU;tN9M@YoK3=~Z
z|0Mu&AEkTapI4HR`fWVs2>ou3hv^S;JVbwt<4S!C#})c>91qrC;&`C`I>!U_w>a)+
z5RUsA4#$0r0UY->hH+eGcml{Pr(*>A2g+|5f&Kw(7=iu)tQmp+0ZffR{{U8uK>q+H
zMxcKHOUA8*yx^|@cXGVfc!1+~j7K<r+jx@Ww~S{v-ebJT@tejg9KT__$?<OEJ&t#o
z2FI_PeK~&BtmOC=a}38j&9NNsFsE?*vN?z2m&^+}-fk}8_(gLW$1j-O96xW~%<(q!
z4vwEQ@8$Se^I?vkF(2o6tNAp?Pn*wk{FJ$a<1OZHjyId{aQvi2Iex<G&GF;bV2(Fg
zBRPJ|s^R!iYXZlQSTi}^Xr0IL!`4EMAF?_*e$cv{;|<mg96w;)#_@gD-5lR*J;?ET
z>oJb+wzhD5m-QUScUmuTyv}-^<2$UkIKJH`9N%U;9Iv$paD1yhjN{-B0B-x2xc&#s
z^*>;){{eIT518wJz+C?W=K3G-mG&*3GLz)X?K=Xr%3dF!OY8>&w8DNgK+EhW1C+D3
z2B_11K0qDz%K>V$Uk^}=y(d6R?Dqn+*wF&C(CHnZW@li47C6HKbdeJa(1p&}0L^zM
z1?W6yW`NFd&I!<2&Vm5Vby@;6$5|Gj+0K;#n(5pSpy|%q0G;OC8K6_0`vNq@c{o6m
zoJ|3m;A{!dDbBM2I>~u4K;xX90UGP<4p5!*c7SRa2~dhz0ZOpG0gADT0F7ZI12l@I
z0yL7H6rd68)Bp`*a{@Gk%@0r|TNt1U))An=?2-TtWUB)-fZZIRe(d%D^<{Sls1Mr^
zpx*3}0F|*P0_3o#17xvn0W#Q20n*s30iy7AKUe!pGH8Fv)BbQ5g#U#87yADL`g_A+
zq5joTAFTSP)_-69E0=p+|3h#P`u{^v3A_kG|8pvO1VaCN3Q*{O|8ECE{|o)^wFH<0
zFo$bJq5pkOg#Pz=5c*%}f1&@y`+skRfO!9Z=*<Zb`oBjp^dE5w{r?}K@jsM^(EkS}
zQs{r7|Hb=%@&4a?4=mpQ`}$VA|Mz(i@BbxPy#JTvL+$;4bc3`ddXEHO|NAxjDa`%<
zCi^n1{Qo4({J)G{%+j!8eFhuPs#z5q1hf95&Oe+#IlqND|37rT?R?d_2WI@=<m8<$
zCj;~S&u}I?_0DLR?SG`B+yAux0(1R;Y5&;%uKjhG>Hk^#<M!3|O1sr=wCCB=>=W&{
zJ=E@R!x9|pO_=BZy!Djzn6<&W6K45$TRCf?b&ho!%<&&%Ram_(#e559_`hgwH6J%0
zGVg}@{nwZ)%q8Z0b0*C0Prz#bzNTip19SUdGM+V_G&UOd!khgYj8#UPagi|x=JnSY
zBa8utrN0NW`giEt^ey_M`U5bh|7QJ4y;E=2&(crT$HIF5!Friav_0A@+6yqBf0Op0
zc9(Xmwi;&hFV@b}rfaoYm3EY7tN()4{=ZXyuKqy%rurrIv+BpxyqZ<h>e=cv^#paa
zdbHY0jnKc*KhR&&AJK2quh7raPtdFBa+;y%(;4(+8mGt7BdHqwNA!=;Uq^ou{ciMY
z(R<jRO?Ei^i{5#7{8MIru>TIMIS#E*eM|J>L#xCe?$W~GtU?Lhm4}LaQ}i)p-57le
zS=UFON7l8`oyfX6`X;ijf~n8NH1pI!))jOhvM!?|k##ApL)J<<1zF4KTx5081<1<M
z4rE<SFGp58U4yJvdIz$W()*B=p^qSI5#5ZeG<^<PP4s1CHPYS4YM^_Ob%AOi>wL8z
zvd&e9A?s{d{a@s4o;m?pXTt3NV%Qn#g~*zvwjgVUdI_>lSFc0XG+6y#Ol2y}{x4dS
z)rXNaQGEhg<JD)7b+Wo0StqKmBkKg1{a;M8UZcpW)%qZ-TB}4>Qi~xguAPLe<FzyK
zwiA9c9i=s*C?mCYWQ~B;|HVQK({4o85be{*s?@%StP1Vx$QrDD4_O0Y^?xzV0oren
z)ld5qvifT8BCC(CBdfPwj;u0$D6$+qi7ZPWk1Ru<g)B|K09jODiY!H6i7cXDi!4e1
zWYLn|)4zbMy|DV9U!U}j{vBk!t^XKVZ|T26)*k&eWWA~X9a(P}QDp5ljzHEf;}~SU
zZXA!SSB(>q^@?#ivUVEhB5MaM|1XyMWupsOFBw-MYrFArWW8v74p}c4Uq;sR#<!5Q
z4Oagbb9m191+tzsevhnYjK3mlt0^PvX_F!ADRU6AwwT8uYqMF8tS8N>$a=z@hpflV
zCS+|gFGkj5u=>AP>PO9+koAc98DwoV??=|d<~NY_kokRNJqWA+i)n5!e~YXK%s(UR
zKJ%Z*x)*lGDxSCA>W{3uVfBA8>@KSsS$A3!k+se`16g-i4amCPYDLy<)}_c=Yh915
zTdhwa>lW)CWZi6i4Owff?;`64>nF&%&iXa7uCe}ztku>(kkxIg$hy)#!k@qapGd#l
zKAPiI_Hi6vV%KuK!k)<SGJ6)sIosO+!d?5VblSoG4}d%DERWM>U%_#UeIv(9>|p-~
zh`-nl_J07p5LW+t%as5(+rj=1fEU=o{ttjJvVX?oTxkD><N2`qzi{q(cCh~g#6QOg
z_J06;mJ{s%0C=tw?Ee6G4y^t!oIBe|ay-*Hnd9ls=^UTt1p7b0xu?SF|H8RboM8V4
z@K17r{T~2NaDx3G0H5M~g2z7zR{s~y9p`+B<FU>+IIeTP$8nAG6OL1``oC~)!ubQo
zG3T!wk8%FR@hE0;JQ7y_7tS5Qj^%h5JD%eq>;#T0*;I}z*qIy;hUNc-bOy4e91md2
zIqt`<;<zvS7{`6sXE^T7zQ}PI`x?g%`wqtz`w_<m`vu1u`yI!W1v}pW&&BQk%;3S-
zDCqw`i@yMTSpEVKz2~s_C-nb8{pH}ptw8_1(h2?l@A371v623VHRnkG6B+A&B4hne
zWUT**jP*Z}vHmAA*8i{q9qE4}WBpHLtpACO^*@oZ{wFfl|3t?6pU7DM6B+A&B4hne
zWUT*TT{_bLureL#e^{H2^gpalNBSSurz8CjE7Xzxhc)U*|HCSEr2mPG^*@oZ{wFfl
z|3t?6pU7DM6B+A&B4hmztJabJhjr^n|HI04r2k><I@15JdL8M1Sig?+KasKiCo<Om
zM8^7`$XNdq8S8%{WBpHLtpACO^*@n&(EqTg9qE4}WBpHLtpACO^*@oZ{wH#!_C@}D
zPGqeAiH!9>k+J?KGS>e@?x+0;rP5b>7g<>U6B+A&B4hneWUT*T(L2)ru<RY_e^~gA
z^gk?pNBSQYza#w*%ir~DQCYD5Cn5b$B&`2QNdFV*ZT-i^RHV1`Um*+Ye<ET1Pb94W
ziG=k(k+A+J64w7j!up>`SpO3V>wh9){ZAyU|A~b4KasHhhn@0}{wLB4#+T6*J#Tyq
zSy=xQ3G06%Vf{}etpACG^*@1~^NRYPz}|U9{ZC-`yrTXmuzy}r{}T!8e<ET1Pb94W
ziG=k(k+A+J(xc{0=!zaOKZ7i+|A~b4KasHhClc2GM8f)?NLc?93G06%Vf{}etpAC0
zw^h{tM8f)?NLc?93G06%Vf{~}+pSh~MYma(A`9z(B4PbcB&`2o$vx8lu;?D?e^_>p
z^gk@TNBSR@-Xr}Fi|>*CcbDH6^}o9S|A>NKB1r!er2h%h{{-oOg7iN@`kx^EPmum6
zNdFV0{|VCn1nGZ*^gluRpCJ8Dkp3q~{}ZJD3DW-r>3@RsKSBDRApK8}{wGNP6QutM
z(*FeMe}eQsLHeH{{ZEkoCrJMjr2h%h{{-oOg7iN@`kx^EPmum6NdFV0{|VCn1nGZ*
z^gluRpHwog{|VCn1nGZ*^gluRpCJ8Dkp3q~{}ZJD3DW-r>3@RsKSBDRApK8}{wJRP
zC+^OFLjQkwX8;@)>i?d@<L!U+PWxLQ?7#QZfQM4J(EtD0+CuuDhV(xT>3<s1|1_lk
zX-NOmkp8D3{ZB*spN8~54e5Ux(*HE1|7l47(~$nBA^lH7`k#jMKMm=B8q)tXr2lD1
z|I?8Ery>1ML;9bF^gj*he;U&NG^GD&NdME2{-+`RPeb~jhV(xT>3<s1|1_lkX-NOm
zkp8D3{ZB*spN8~54e5Ux(*HE1|7l47(~$nBA^lH#(*HE1|7l47(~$nBA^lH7`k#jM
zKMm=B8q)tXr2lD1|I?8Er*dEIU9LZ<jP*Ya>3<s1|1_lkX-NOmkp8D3{ZB*spN8~5
z4e5U>WBpG<`k#jMKMm=B8q)tXr2nae^*;^ie;U&NG^GD&NdME2{-+`RPeb~jhV(xT
z>3<s1|1_lkX-NOmkp8D3{ZA#V|EYxaKMm=B8q)tXr2lD1|I?8Ery>1ML;9bF^gj*h
ze;U&NG^GD&NdME2{-+`RPbIAXsf6`E4e5Ux(*HE1|7l47(~$nBA^lH7`k#jMKMm=B
z8q)tXr2lD1|I?8Ery>1MC9MCcg!MlS>3<s1|1_lkX-NOmkp8D3{ZB*spN8~54e5W1
z^*=@WpCbKFk^ZMh|5K#@DboKG>3@p!KSlbVBK=R1{-;R)Q>6bX(*G3ce~R=!Mf#s2
z{ZEnpr%3-(r2i?>{}kzeiu6B4`kx~GPm%toNdHr$|0&Y{6zPA8^gl)VpCbKFk^ZMh
z|5K#@DboKG>3@p!KSlbVBK=R1{-;R)Q>6bX(*G3ce~R=!Mf#s2{ZEnpr%3-(r2i?>
z{}kzeiu6B4`kx~GPm%toNdHr$|7j2J|KXzm5%#*o-e7-&AMu}HKrkQ}5DW+g1OtKr
z!GK^uFd!HZ3<w4U1BWyN-UkW&FaNoa61W=p{vX>5`u|T7`@8!Ez(e{1Md1Ylf&syR
zU_dY+7!V8y1_T3w0l|P^KrkQ}a2Ze{y8Hb<U5>a1_YVMy;Y^i|fL$WkHnxH_veVc=
z=LzQ*&i&4<PK<rq>F*HdQkHaf+kbSLof#}@|Iz&?=oAbH1_T3w0l|P^KrkQ}5DW+g
z1OtMB4>1FM6?wEgXj(Sgm7ds@&9%2q$)sDF2YK%PrSAToyI-lhpXWZZ)O{q2y89=1
zfk&4H9__gYm%0ag?g6Fl0iL^8sk@iwE-Q7Hd2XlF?Raih>SmsMV5xf`?7&yvL&bTq
zjndeL=RT^`eU#_cO5K|0R!iNg=cc7@%Kj*g>7gY1ae0Z9mnKr~xk;(pmHS8TlaK)(
z%63TXFYI0R7W)I+!FKHvNjL-pf&syRU_dY+7!V8y1_T3w0l|P^KrkQ}_>eQ8L?oHH
z2giNsZ@GxN2irXuA^pG0{|mr}{DMUB1OtKr!GK^uFd!HZ3<w4U1A+m;fM7r{AQ;$(
z0ax{d{@1zw*IoUuyZT@E^}kfM&q=}|7!V8y1_T3w0l|P^KrkQ}5DW+g1OtKr!N6g}
zfcySm=>Nm0LdB&B1_T3w0l|P^KrkQ}5DW+g1OtKr!GK_(2L^=x?|~HI5)23i1OtKr
z!GK^uFd!HZ3<w4U1A+m;z+uLK!5)PD|894`|F?tvn0=Fdf!z+K_)jn(7!V8y1_T3w
z0l|P^KrkQ}5DW+g1OtMB{{jPsA|ENM^Rnqq)q~W9@QDS<3^G4Lk%!C5__p@8m96bv
zSvOeeqsUcqWNK%7SI5luwi)Tx1?kR+=Omt!$0nMhAE~?N80=Nh|1U{wFZ>1IP4*}D
zJN6Qo;y=NFU_dY+7!V8y1_T3w0l|P^KrkQ}5DW+g4jBgAE&f$+$A2htRC1Bx9wP36
zL?V)Iu)XkkfWN!%|KB`hE=v?tFd!HZ3<w4U1A+m;fM7r{AQ%t~2nGZLf`Nl!z}@?w
zKt#o0-+=f3_ekss_Ivgmdz(GT?g3N$Cm0Y62nGZLf&syRU_dY+7!V8y1_T3w0l~n3
zn*l9yr0gvPC;)dMfbNx|S7f-%r}cY_0D4EN<dP)-+{I%OH4@DKhg69B{vYQ5|F<to
z<R=&q3<w4U1A+m;fM7r{AQ%t~2nGZLf&sz62g-o={y!4Yb;6#N47Lg~lh0;%u{~@R
z+ss~NkFx972DY88g<$cYU_dY+7!V8y1_T3w0l|P^KrkQ}5DW+g1Oxwn4D3-Oa)e1A
zKO6M7?&5yZ+B*UFa`9m4<6nT}f8k;(efqE9w_H3xS~CgoRW2@<J~0g9yzAm#(#=(X
ztzwbnvt0jC((N##Ushavr1XhTLilf7tVy4G)`&hTZHazW0_DFOz5wt%dzwAY9%lEl
zJJ`*vn=NBY*oABko5IGjF|3mHWrp*f^QQBP^P=;N^Q7~L^MG@wbE|WWbBWXDEO5?p
zPIFFj63#GZfa5sCe#?H{e#w5$-eNyyKWN`=-)7%nUv78W3+?mlnf3&`#vW-8wtL%A
z>+jZU)~~D|Ti>z1YJI`_q;;*e(pqX=V9m0|TS;rERc`6#yXK$F-<Ur&zh{2k{G$13
z^G5SBv)ybo&on2SwPuxhlxZ9PGX7%x&iJ|U1LK><myFLEA2aes)<_#?8`F#vjM2u?
zMlU0x|4sjc{!9Hw`nUD3=%3d=p<k^p*E9P0`V9SKJ+2=Mn<J{)KeRt;zt(=DeOLRM
zc8~Tc?RxD}tyOE#&d?@m)!J~azh<icRR660R{fd!ef1ma{px4bo75}Ri`6D|o;p>n
zSC3N%sZ5pWU+M4ZFX#{Hx9FGY=jg}jRkVvPqUX}n>524sdJH{+Mx%d^z83ve^vBWf
zM87KjeOMSM_9TG>10M<oXhbGdUK8CSsZbu@x*@s^S=U8(AnTgw8^~H6eGggP)I!#k
zbO5q0rz4QHiq;_O5;_T4E9e|#Eu$A9D@WUq)k#+&tApNvtTuW(vRdf9$XY@-B5N^y
z5?KrBv&d?uFCl9I-G!`+=sU=|P}Pt%U+s&m^VA{8I!8?)>n!yYWX)A)B5RI1A6c{2
zCCHkou0Ymw^%`WIrmjWSsp{Rxnxa00tV!zQ$eN&TMb;_mi^w`jeHB^b)VGi|R#T8w
zr}aiwjaGrIlr{!g32hv*V%llQ8l#<qtWnxRWR28v$Qq$_BWsv;3$li2cOt7&+kmVJ
z?J;Bx)}BJvK<#;C4bXNXtDp8Jviicj$zspxqdUmztq(+2nLZL(j$Vf>OP_))L!XN*
zO<#a4s&^nu(Jx09(bphL((fo*(tG-S$l9wvf~<G+&B%INe-2r1=`SN|kG>mOZ|ZxI
z^@d>}Yq!x4S-Xs3$a>vKA?sCR0<vB)W+Q8-aUrsH7%j+p*|-E*FB#V%YrAn9vR*XS
zBkKj@VPrjTJb|oj#xuxz&e)EuXN}j9^^Ea0vbLHOSx=jNkoA;ViL5PV3|X7alaTeK
zIUQL~nCBtuadR=UHkr$i^_aODS&y2xBI^<JE@W*qA4Jx}<|br4WIm0o2hA6dwZVJ^
zSr3?dkaeF$kae$BhOG70U}W8GjY8I4)>vfSX`PC!b=FzPy2ENl*6mg&vTn1kMAlmC
zW@O!JtwYu=)&t18*?JUNYpgBEy209ptm~{D$hyXQ16ixB_mI_XTgbZ7?kB;->S#ok
z>E-qij#t?+jxVvtalFDlmE&dhT#j@0MI3k9EgW~)D>!bmS99EA-@@?{dmYD%?fW=h
zXm8}W*?xlK1@=~sFS1|Y_(FRp$MfwsI6lwb%kepm#_?HBACBib6&%lTMsYmbspEL2
zGl}Er&TNiPbLMk=s<W8mDNc^#NzRoVPjJ?7e2Q~B$0s@KIUeUc#PL{X6UTMVQykYg
z+c-`+FLRu5c5xhY-sX4=Q#c;Q$~Yd$268-tjo^3~OL07eox*V?o6d0sJBQ=JteNA1
ztb^kL@T$Gg#`>}AIPS~Va@>dA#c^-8f#WjvD8~-l%&`UU=nH8YY&*xAyS0DNo+*2W
zW5sLX5%=j)l5F_H040MY_AYyi{e|sfe}KON{F=SMeg<Cy`~mwe`xg5;`wF`sz6<zS
z_9^ypb|br*UBOneENf+pSR*^1&119JG&Yf)$ZA=f9mj^Uqgj7;1hbjSWanMyZ_b~c
z*PP!uzjl7%{M7l8^L^(#&NrQ}IbU|Z=zQM!jPpt7W6t%?RnBG3a_3@asgrgZoO7Ks
zof*zlXS{QQQ|%n@R5`~wgPd}wmt#6n`(O4y?7!N7vj1TJ*8Y|KbNeUu5AE;S-?qPD
zKV;tze`WZLz1F_TzQ(@7UIBk;m<xYrh{0bOEbATXRqJ_cv-PlbmvytX%35NbV@<JA
zR;9(vz2<A?^YE92hs@8KH<-)KX7dd5B=b14pBXjYG=5`jg}*1<Ykb1E(r7i#Go~6T
z;~2xy-_>8$f380Xe??fQU#~CIoAlZGiTX&rTvxQeXfJ6$(jJAs9o(v2p|xn|YE!hN
zR-xJIJL(_QZR&T`2jMRU*Qs6V0(F);POVb=suB7I{WX1>euJ)uzY|<em(p|SWSXEy
zQ!Dz9=qu5mMW2X%IeJI*+GsA?7@ZkCAvz*@WRxg>R<<iYR31^jpxmNdrYup;RwgNN
zWw2sK-j4h}@?7LQkqwbgN3MxvBNs(xM8-yjNBV${*iC*#o+4i-cax8iRU|{sA`?jr
z8bjf~vTjPM60vx7JeG*Z>ti+XnzHUFa@AF*s==jTSE?qSD(jALS1ewas7=Ppx=F~D
zOhPQ#cg5-x@dV_NN|tp?$Q4V~RmaNmR|KxwWGtS5w5rSUmxo=k+Oqs*1y`av9#7O(
zC(H7y0#|jSE>@pRr0UD^mtt3<KAtGcUxHk9sk#K@xRSeS;&sV*bzND01$O}($$B^W
z<pozf7OP9vrl1hZ0#_nd7mrofCn2q_z!i@t6LB~ZN}mh65>SXNcEzic;OZ>8;`OQ8
zYAF51o+|~{2ZW{KDTvikaK-Auos2<I+XGh&uCET*PnG4{Lay3sII-1t0r#<3eJbW&
zV@tsmOU6^ldZ@?z(!iBS)WwsrWCBXR#B(K~#vt)zECEbpxC_XE1^~$~=B^YZpNv82
z7jYM~iCA3>Vl50@?$tn*rE1FZ>A)3>L0Zt{fWl_(f=f@vlR$Kn?{Y6X4pke2SPKGI
zZK6I_8-oid%QqHWa8^8CQw=9xgj}&yA_=h?xXW#;)k!Gog@LOkmH>i0*9Czq5wC>{
zf<{)BpU+*;<l^xZxXur|5|HD0MOUmgS(|`Z=N4SCS|Bmywuy6)3+g8ZOq|VKP>5KK
z%l%p06_3}YYGdG<7r5eaw|CSepdROXF1JrXdq~wo=gXg2Z~<d*(Qa+e3Aqx`AM<Af
zu2`Zb7E4yUM9;>q1hjy%{4C!ET`C4m&TA$!0~d7kcugwi_OuxV7x0oucr`RV<bv8Q
z%by-{#a!2E1sBv}O{zKt<(kG_)v?-C(!HQl16K;V0yy1qVrt-Wiv?}TWpzs6N+h6Q
zP?J!u$psg*FSkzu(USrf3>)#<lsgRNCl*{V_@$t&L#zp5ms`~FAr}l_W%*M)7w`hL
z5rbw2g*e%FK^+1M?tf+ZlL8kMq2M|(Z~<Gfnrh&`EI+Q`az_)mYT*6^?t*p?+(WFf
zfeX4Qq~)<%A98s))^S&DJW=iORm)w_W1*~&d`;Np=2*>LsX|dx+?9lm?2U!Vu*<Eq
z1b4;aHPC#4!no&x>VY-^Rpbt7v5*S_%JRn-T+lm`v6S1b#&A~(x@g=T???MCpr$?!
zUEVF~sK5pN0$O3c+a`_+Trg_HYhg%+v_>Kqj2!M|R|PI;OTb?u4&@pVxZDO_pM=4$
zEI&NtO1b0LFxTaFDQGzm(;a<>a+h0(S~vM2+yw&+xPXacu?q$TxS-0AtJ)ngk14pI
z;E7bqja3o2pcg|2hatW!e{{hGthzTHxW>T+7Yws7ez`;s3S2Q5x@wX&E)xR_E+8-t
zcNpO7sIbeu84d`!YTT;rA9lqdt$ra_wM$`n$dyV#T7APVca%Fa<Vw2a^a;CMR*wj|
z5^k*CAy?dW^$NS(W>OY%!Lv+Ro?#c<=Ac|o$W`Y)V%Q;9t$XjV!Y+6k%9|lqjeAEn
zLau7JTzbfraw*h8uB6*c)Q}50X<6QT{(|-ub89FGJ-jUMJ%4c*3{Pcw@A<3fa@(r+
z{KZ`{x8-=xUj<hJ+H_god;a1suWG&LFYZb~A-u;g?tzwG<~@CR9%%c?YPh3$4_`3A
z)yCjHo^Wq3-m@3-RF`>=UdR(G^ParG15b>QntO}z9=yO)4No92u0z#$&s{|i-0{4}
zF64=qc~4#7aqr47l)?DzJ#@Jq_n9>gkEvxjpIq=HVUTny-FxKn;y_=5J3*?<d*TW_
z?!B|R%zNMhPZD}tB2^0my!X82dfcZU7{uab-s6_%fq^3xhrZ@LZ3P}U2Sz^cVGBIa
z&EPpYnXHYrkR#%;y695(r#8C8{i%s&+@I>`V)rK%UF7~GqYK@iL^SRG#G}pbPfTed
zz3S_g1#qlW8sS*0Tm;7&r2&rB%7t)DDHp&osmzCCLOCCfapgQX#*}kOuey5W95~h~
zXTz~pISY<8$~-t$D|6wPQqF{9QketCgmMNP<H~F}#*|s4S8csA6OMJt3^>**)8Sa7
zoDRoo<uo{^lxc8GDyPCRp-hEiT$uvLm@=94s;O5d!Ld%62*+Aw0vv0U@o=nGPJv@e
zIT?;g<s>*JloR0?SH{6Hrkp@}Ro5$H;aI2C!?9MWgJX?S3&(1u297DE8jeXN1;>Pv
zgkxMuz%i!8Nv~AB5`$x%ay%Ssl`(LvQAWeDS{Vh$lyV##lgdaqCX^~T#+4Cpj48uO
zuVlS4432fmP&n2qL*Q7W91F*4r4o)Q<rp|7l?pf}l%wGY!V8WuWf19=s8<HUu}(P(
zj<w1FIMyir;aIKogJVi5hhtLd3&(_VBpl;PA2`O8BS^1!z0w<wbxJQd)+%LitWg*o
zs}%>1DaD3kQnBEeP)s<+6$6g32u$j)k7$I|MO4CSBb2b3NR+VZh(cH@5+N)ZA%rDB
z0J6BDY>>7n>;Kp9{}pSGwbR-L+I*w6-dby|wsKapHP@O1>U@aR$5PBa=1y~)x!K%k
zt~b}3tIZrJ^tt9FGi44j`<RNc$Jl9XGd3F=jrGP_W3`bpnvJ=}B+%(Yj6Q~<@6mVa
z+w{%)Mt!}$R$r~>^k#joK1omML-anN*7s;TwQbsFZKJkcTdS?sa$2)CSDU1zv>{p_
zO;Pu#J3+H=RyV5a)wSwsHK#VKbJa;|N*$v1Q5Cv}?xfr3X1WoS`&zo1=4dmWODEA3
z9YXt1CAufNGrBFhIl3{rKDsu#8uWW}bZ&G~G!-2Z?Gsg$J<3jHo3dHisH_+NJ~RxZ
z6!fp~XOWNkubETp{+k@AFkHzu$!nBNlIG^?**D5JC|i+zy?mXr9og5)*C@M?eYLz=
z*^BI}<nE}2?7VzsbRe>?kS~vpLiT0ys^~amUn*Y`osR64@`~tuWG|POMO%>FCFi26
zke!t~qic|TvD^_|hwOH_ExG~Ot#V6r6S9}eOQKtmoskzuw<CLzyfC^8*=e~sx)<3^
z@&b7KU*xk<zK9M)c7uE&9fj-*<oR?Qvd@>#qtlUnu6z!ikL<JMvuF#l=gD*7?SC=9
zGvzsS4YJRWXVZ1ao+Zzu8<0Iio=!I*`*is<x)s^e<WuQ(WKWf+z}x>~ev{=%bT6_e
z$`e!z+2iF?)Pcx8Sw2Y}h3pgMaq2i^pCFG_rz5*wu7kJ##r$gJ8np%4)pAN*h3ur9
zP}d+kF2~e$$Ua^kqi#U<D0!5+3E3m%k?{7vnBNF_gt{Hs!{lM=E@Tgphp2mzT`5;;
z7P2ek3T+^=2g`%CQOF)B4}`b>#ry`y1GMSL?kD%t<|DhW+*fNsb|1NqwhGz3<=)yF
zWS7Zh+B#%AvZHN4wk2EICS)73p>0LBCTrSuWK)@HyO6EOinbToL?*h0Y)O{j?LWUh
z={<M@KML7<rM>z%WWOW5qfbZn+tS<md}O~Ry`{Gxdylk7Uxn;9r8o68$bLh5LtlsN
z-O_G-1G0BXyYx-SeqDN9--_&4rC0Us$bLn7Mc;+&ozhNt`(M1i9nucNLiWqj%f>)t
zza+h6j6(KyX}d8F*)K{j8q<;eg7kthAKA}K&l@es-X?7`Rw4U2={aK!vY(ZnHP#{f
z8R;2g1G2YDTa8V~ep-6k*oy3@q^FGS$lfAtF?Jz)v$WaRi|i+*Cru04Pe@Og1Cjl>
z^td?+*_)(I<~U?OCOu|ONA{!Aqvm{MKO#M1wjg_>w9#CJ?1!a?%{9n=NP5UzhwKNX
z2h9!0-XLv&xBtcZdq8@?+=}e`r2EY6$i7#)*W88d_0oECFS75J?zSvs-zD8;4Mg^x
z(w){QWUrIfS>up>hjfQE9oe@_w_Ed(eVcTf)q?D`(pqa3vTv1cwbmf}7U>pi9kOqh
zZniccdyTZl+Jx*Iq#LZQ$i7ax&f1RbYou$eUC3T7t+w_eyIXSK{ulYYQbO<lFGuhH
zSE2X+m!S9mE71G@W$68X4!!^HMDPDQ(EI;3^!~pEz5ic=-v2K~@BbH~_y5i4{r>{=
z{{JHM{{KSs{(nAt|9>8O|9=j8|9=*G|34SK|DS{2|IbG6|7W82|I^X?|I^U>|5MTX
z|0(GG|0MMOe*${{e+qj4e-e8CKMuYBAB*1q*P-|SHR%0+3cdeNp!feV^!|SgdjCHP
zz5gGH-v5t4@BfFP_y0rC`~OPx{=Wjf{~wIr{|`j({|BJ=|NYSW|Gwz`e;@Szzc+gS
zUxwcQJLvtth2H-g=>5O8pZEWY_x>Ng{pY>^H{1v6G6~-QyFmOW7!V8y1_T3w0l|P^
zKrkQ}5DW+g1OtKr!NB3jfYASkW37s75)23i1OtKr!GK^uFd!HZ3<w4U1A+m;K$wAo
z{ttVFB^VG42nGZLf&syRU_dY+7!V8y1_T3w0l~oG#DKwGl#XN*B=#nI4)*?k688PS
zmE8b4|97%WVDJA0>~3}*d!0Q7-vBs`O@J>0JOKLxPJk1{e}VzQfM7r{AQ%t~2nGZL
zf&syRU_dY+82CsrpenK~52Ay--+^?X|EnD3{q|SNz2AOHU+=eEInw(*Qt9pg(j&az
zUP_twTc$AYmnn|->nOJO+m8<Levej;_I?K|gT3FQl>XkYrfA-;s;J&CRoor_VO@Xm
zKhHlv>F50tg+K`G|L^`pnEOdU`EuCz|C=5xo+OZ9KrkQ}5DW+g1OtKr!GK^uFd!HZ
z3<w4U10Ng%GCMjlp1|i_Vxwd6(XpC}SYm8EJ~ojW1K)svZ#u~d5bSafabjbW^<!%4
z;j2lt(hE?&e+`a|m&57A>c^()#<<@^OC{RG{QnQG5=F{_0l|P^KrkQ}5DW+g1OtKr
z!GK^uFd!KCurT22e}!Ew!L0u8vGoANe}VzQfM7r{AQ%t~2nGZLf&syRU_dY+7!VA6
zFbw$b=;QUHV|AkwH5Ku?vDNXhso0phx>Ri{u9OBtSaNK<c1)@|ma40Z^bnjFn@o*~
zCE|6}wPa9ayq<`;iPwxy)K$c5$0p)qW2rHTy81+IwXL5fnPjA7@3L>OsrHc82fk82
zL-}6h-N<4xvhYuCm)`ndE<Kd$>T%swYWcCp%GaHoYh2KhZp`Hxn-;gG+j3b1>BKpc
z$IqQyF?alg>60reQAlOQh{{ZJWksefmtK_ate81#ZpF-b)2CO=o-=L6_&MiRoId&7
zQ5BU<?V((SaZn6&kL@0#mJb>vub%2vPE&iUS2Km*Bf`~Ea36G?c&VkE8*(c<(v=m<
z8ata7H+GIl#;PhNO`bA--t@T@!-w-4^=h$j2Cni#+!&79*p*w{-r4ZJ@tWG9;k4x{
zD{|=-Ii9WCg53N%p*=$R+S@8CngQi9t!bP|SBLA}Pk2?Hb&pod&p4Lkt21rQ=@s6g
z0kvI7x1l+cUD~iP(~@p$Y{iXV`c}a0w3(A8pHor!{wG&f%$m7R*9awFS(TsEJxVR_
zf+AhI|021RG-le;E_)4)ZOsiuhg(tT0;G)xQOM%iJto&<vGF;TUd0!R<TaJ5JncSC
zEk7Nuqv`<H!D|l}`PPFeGC#BD(iMZN@{#V5YWXxM$<Y0mgf~W9ko-XugrC@BIf|iG
z|FvPXP!BzItU|Bh?Pve}I*3|m_`LJ;9vJTU;bvSIDfScDO*EUi1V)tLrZA$eIG}_E
z3AdR+=MRrRC{<{A&6!2%EDR5Y!Ko%yOsk}f?aSL*+8dj*JYSwtDAQuC70TChydDRi
z!dMsZ*PPBab!Iwp8Fz#VipWzd#BoQM=1gb0Dc9b)vgc@3`F`EQ)$%isC;58RjA1x#
zgUe6nvJIJRwkw@=M=TG)(6CRS^v#}H^ghvW8h*3hCyI9iaWizs@2Y&??qO>AyrCq2
zA}U*Jx^)2zQJw8j*<O-ui_@JMcQjtu>E5P_q0*y0l?%t%_k6!#IF47QP#%?4tR=GP
zpl+leR3s?C2_ID2AEk8VzkQUhR$MDEke9j#z#~L|IrIpzpuMrP*&9z<8nd~E)^s-8
zxX2xb{D8KeMw0!W;}0T!useK|Bw1P2(A{4xKOTw@@dmaap^nb>B`{d?Oecji-6vLQ
zHpTNRtGZWp_fyOJ_m{6e(|dyVPxg-!gLDH?<vS1Z*&XG<?_x6p=>>O9_hEM5J59;`
z@*wVA9qrkSe{(D7yOJAVuDv7El!YhMF83L}G*alk8`R~&MJ}zXeUc7tt{sh??gPaB
zo`$NRp{@O}bvLyB|1z=u|HD>0qCA2D!GK^uFd!HZ3<w4U1A+m;fM7r{aF{b7J3XxJ
zhxPx-G4;v1n)-yC1OndcA&$5Hzq%$_ol1D?|M%{1{eLP}8;{kC_5X)?LlT!K7!V8y
z1_T3w0l|P^KrkQ}5DW+g1OtKrmjQ$AkYx5f$zA;~7!eEz1_T3w0l|P^KrkQ}5DW+g
z1OtKr!GK`kL(4#D{eN{uJPDrw7#mNFNybyD`WknF|KR<X-QE8$%6=!YciG?ApV?~w
z#eaeU!GK^uFd!HZ3<w4U1A+m;fM7r{AQ%t~9C{2yBeG1R-cj+65${Nph^$lb{l7!6
zLPd!M1A+m;fM7r{AQ%t~2nGZLf&syRU_dbN?=m3t|G&$ah%Xor3<w4U1A+m;fM7r{
zAQ%t~2nGZLf`LPi0ayRaY_A0Wi~j@zf&syRU_dY+7!V8y1_T3w0l|P^KrkQ}I1Cwx
zM0DNP|L?;3|HJSC#U%*_1OtKr!GK^uFd!HZ3<w4U1A+m;fM7r{;I98CuKuqx?w8o7
z*k8?+Y?iah*ke{1zchOpk2B5rh4q4ywNJOItSOe}%r$RiBkfA-9sBRb{np3W_0Gx8
z=j|KqR>w9UciyxXI7981?FZ~F?8oNaY?V35e3pIH{Jr(6nP!Wv71mSMM*AXbJ=?*?
z3i<^Df&syRU_dY+7!V8y1_T2KWS~!Ew7jUZaam)ov9qB$y|A&XC092fQZF~Px3*?-
z4P710jk$Eg()7yZ?VZipS`^gMz9^SzO*f?58W*&rn`;I}PAr_&)Y+cRHgt5hFG)A$
z8amSptIH$FLLitty;L~8Y{SC#&eq0UF4MLsSrM5mccweqvzc6b=gJ1iuAw=T?PzHP
zoPn|>j))v5XIEw$8apzDLd5$;s^!M6T>HXwu4!>Y)8fXqMd@rhmyNN=v2sw-hHO*o
z@kd2YkULts7G>I?e9f(ywseD=^n&*GrDJ+UhRaK`?QI=}WJkL+b*8g9oY$zz$TT^d
zzPKyhmdiA@@XO6KyN-pKbZ7QB_Zk9L3*p&@TxVm`(sXA-ra3#(C2gMwt?kWSE$M8P
zTgH6?JGvIMWST}C8982VOD}K8<kGDTt?9O|hFs%<;e8`<Ik&j0bwOKWrX^b_{;*Ij
z2P_PA8R^PGIegBCxOBP|n(b(83w+1AalA_Q<5aq~*C2fR7?-ImG@V>S`@)9h>GaZy
z;gK_C2y99hT2n&{)InF{qO_Z)TZ@a*&6&2NM?~fwC|+Y*d)vy^_O9$;x9kNH3P}yJ
zB7@|vOhayQx-~s;P~>Delg)Oep<O@~6(Z-_bB!(8quhPmdkAf6Z|Q1n%MS3`L1QOW
zS%V*|xgDB9XJanY-oJmOR_?%I9i5r>&P;A)KbPlFh)YVg+^v*Fjcqwd3#ujSx6{6E
z+xOCj3R%(74rF=l_eeK+xXcFVSxce8d;B#tH?GX~aj&_wG)K4>Qs@BLt_4Bw%KF95
z_8uK+;5_-~`W53<SFXLGsWa_fR2$@wOZRg7ogZsaXM0yiLt{3ZS=0vYC|Bln$(Hsk
z)L>T!G&Q&X`^9HoP^fQ1L2`}RrCG<l^p;H9(uSt?j!e4QKf^vIGF1)_27acU=@zdr
zS<7uv3)AW5fGpF!^yQhQ8AzwK1G-!mifp*Ox~Z{gvDb#&@c}Z(rB~#1ugwBL<A&z8
z4In4i4ppq$k)!3s?a(UP8e7xUWxTN|mstjN=rLVrEK#=^WYdkEFla!gFbKl%1zn>9
z+O6UisbDm;ceo^GBW01H^73>GlrrrVg;<fJ^~R2lhFm7sk~Y}u5@jz+?Dy<t_72;_
zc7q}Q6ATCj1OtKr!GK^uFd!HZ3<w4U1A+m;fMDPdVZhtuU-e${D-m6$P;77e|ETvV
z0L8<Ri2MGZy5IlX%id&vVt;3^iZ1{jA{8u(DHsq82nGZLf&syRU_dY+7!V8y1_T3w
z0nC6B(Pa2LfF@J-pty&Kdx%CNnr^eNN)hKPlJgaI4kONde4@aD0l|P^KrkQ}5DW+g
z1OtKr!GK^uFd!H>NCy7XyUL#-Ym#28>*L2ax=UeBX=!h2Y;mW}kMU3<7Ox*2s~(-G
zt4PGg#!_Pwi81k1s=g-fht!WwBrD=|V-q!FW63dfb;(2`Iakpn`2;sfwXv<SWo0(k
zbE<G|ydqvZwmLDkIzFZ*R#RJ_EJ-yrHd#F;QBzZ0ojf}Nsg8G3rS2*pSPB4>@q13V
z21;BJPmE30k4>e<)FzXuWc@w~$Lhu;Ymznb6c9h_Ajv<NXzu%esqA24ia3G+!GK^u
zFd!HZ3<w4U1A+m;fM7r{AQ%t~9I6c1WP#L6zCx0(u>WRNnO`waFur6A*FUZGQCHEY
zqxVMR%H5GiBFB+#={o5;{qOp2tM7mKTJu(SMEwt^d8j0pZ^&P!mS2`6-TgCd&FK~1
zp`o)KHdSe8g+E8Z79@cM`(e0l*o&p1v8_222)-W9kiI%`&gAiPCs)jyIqi&jlPjjp
zoHY5Iipu|M4wV(NW>!@8kWXdB2+s|rs2o*MiA(Les+=E66$h%0{Lt>+YWW4D<@^jp
zfxr8PyQRk>*vJIffa~|S{&08HXor+bV=N6WH*}q)k@ii-zpm1F?nQ;OtE|ea-M!TE
ziBQnv{DOKrxu7Bzwh`L5Y`sd#w*NEtUz}p<P?W{pWor58(ehOh*i5G-U0VE7yDZ3m
z?)VAQCqo-3$=|(NsH%!g8_=EZte81#ZpF-b)2CO=o-=L6_&MiRoId$ns9ID49(B^>
zDdXo&pIZ^*CqYDa3zN!<W$q>=jh!QEVpSD|Xv2r&cqI()lc-yUs=V24s^v3=ll*AZ
zK7yTBpulag1B%-?x^jzQ+n!8wC`7udgn74<HH4ysPWI^!g?mk*ka%TPXSbo2*AAES
zM|h<PMfG-JDJ?=OT!J1?*iW|ZrY>F|>aOV4)$-xP<*Tmn>N}K3$Vi53Iuv%W)g0u?
ztE12ypk_JC#l}*oTDP(whP&HMWrcg>l^%q+8+Ez0RcsmYSR#en2AuA1<JAn6Qd!~d
z|KslIgqzGV*sKcvl3vWdP`Il6m~KriZ>S~tGxpO?8iJF(_EO9UbHt-aH;1duOET1O
zcvQCm6;s={DtSbge-yDQ-=|wu%g5Ks`4jhPOZ=pU<xSx>%|mL!CG7DsytCh@NTCzm
z5&J5+n?f6}m9IW#pVr2651myYwtD}qkDqvutuT~+PlFRQmO}sdzqM3oUX7I%3tHM2
z^w3fZJ318`YfVW@{h*t((H(_hZ)kYf3-+<g6>f>%URiKQY=@29ydCbm5NU0=Y50v7
z$8g(h@m#-w;BdE+P<T~d>Q>b9sYB)bF{pFlGrV5lZqk-%#_r1wrX=3xZf+gBj~MuD
zugCa_!cEV8PAs1VWr!c341CwDa5+{TOgYfGJ(mSXsJghDKreyf_;&(a?qG+ua1q9a
zi_l~Ip0oAu*KXHb-Yu);CqSM@c@%`wDBhm2yZ!*V7SHH8Uld+-)v4W*T0V5Be9f8O
zpn&thxHiZyc+|i_2ifycu03^Z-dIYXR$xHjMDY_#?oNx_yE@?pw6LYUF^6v}@7I}w
zTNti?o<-pf1o>w>-0k@a_b!}4ZYAv5w(ngF&dIex=Uv=$kh@V~k0GdU_IR5_x0!vz
ztMaq+SGaXax?u=(A0J!2&HlWt05O)n7OqSjR$7_pQL$qDyt%Wc&4hDjOr8l(lEKrY
zTR%ZYJv?hdsJDY=k2iM+Y+ta%eH1FN4j$M5G7FC?{=-HUe8#@^Kr%yw^~iu>JS=UY
z9YbK{|8Cd=a69`MdzyWhJ<7hq?q#24YuSygo2_IWY!SPV&12KqL^hVi*$8$t>&tAW
zIPW@dI<Gk|JHK$AalY?ta=zv~;C$Y>-T9bvjdPikbCx;_oO7Mo&Q#|lr`j3i9P12l
zdO4c?FZ(U~PxemxSN3!E5ADb8`|MloRrW%AwmsG!VmsE`)(&f{^@w$sb%T|&F0@Xy
z64pSAns1mdnw!lB&D%j1w3ug^r<fznKE`{-tHyK2CgWb?GsZ2()y5@8yU}c%Ys@qz
z8g<5KqtYlhEJN1c(*LNxtp8kpTK|r|QNLfmQ~!j1oqn0#sV~y!>u2aw^b_=$K2#r|
zGhNaCq3zawr@f&4SbI|YhPFZbymp&*qjsg%r7h7Kw7J?e?IbO!jnD>Zy){+ctNulO
zMg5iftonWRG4(6zdiB%l&FWR^3bj>Tpq{NxSI4V0>Tzm?dZcR5f6+bkHTn|$8GVX=
zn?6jxNY~Mi(`)FZwBtYbug5AEPQid+Krry%W<YZ@G@?Y8iF_0MAHW-ld}9EwC-U_H
zyq3t<2JmVkUmd`!h<sH5^F+=E@CqVd5x~ocd|3c5CGw>KTuJ1W0bEYx<pJy>a#sMe
zM9v2AVj^E0z;+_H2e6gMtpQw0<fQ@35IGaTMMPc{z%-H50c;|2Qve%@+!(+HA~yu^
z0wP}!!1IZGegMxU^0@&#o5*Jea2}E81@KHFpBcb2h<ru>XAyZ;0A~<+MgUJI^63Gb
zM&xM$oJ!=W0h~<a$pM^5<cR?sPvr3dJekNR2k=B9pBTUsh<ri->xo<+z*-{L2C$mQ
z)d5TrIT^q>k>de8p2)`sa1@b81#l#hM+R^Nkw*k@7?Fnsa0roy1hA6Gl>w|Eazy|K
z6M1j|2NHQ;00$6xKmhv@xnBVL61i^x`w+QL0DBX;cL2+XToyow$W8z)B3l78h-?H<
zBeE7iN@N;9g~&<(36V(vB_ao%L3)o!@A+P7FOl{J@Esz(6Tr8L^mYK>BGOv{+(V>2
z0eq84ZwBxUBE1p7-9*|Qz+FVz6~Nbt^m+haCDN+_e1%A_1aK#jb_Q?<k#+>|Wg@*C
zz?X>hQUJFTX?p-)B+`oke1S+W1n_wxJs-erMA{a>=ZN%N0G}n&vjKdDNY4atE0MMa
z@M$7F9l)oE^ps&dC3%xp3uB42g-BZr<E0YsW+H7ij6EgZCyDf=X&NQoCy4ZfX;zeY
zA1Bh|rdd<s-9)5Kra8UD`xucPGtC7h-bab_sA;Y!@jgPNM@;kP67NPLZ8XjGCEkaL
z^ss3@R^ok#NDrCjvnAdKiS(dpzEa}dK%@<(xwpjo0FfTBtllNw`-pU(WsNBD-b<u=
zE$gHb?|LGwx2(A(-n)r(w`DCU@!mzGyDaO<67QWvy3?|5EAg%)(mKo9P~yFVNOxG)
zlO^8UiFCVVy-?!4jYzjy*6tGTS|Y8rZKcF}E0J!s?Exj;TZnXvZO2NyHxub*+n!S5
zT|=ZbwmrYZdjpYfu<gzg?{!4F&bF^B@m@ouYi#?@67Omvt+wrrCEji#b$ho_|K=U^
ziz|tAr52TSS-zZH?t@iil@Bf<m-t`>S>c0aWSI|gB<F)p(&>W^(&2+P(&mE}(&B?9
zWQh+Jlf^z*NEZ5_nKb)g0a@UKi^xSjxR6}vgZX5>56&a!`QRLKjt|ZvXZc_*nd^f&
zWR4GJli5C)NoM+BI+^Z+)5vK)IF+30gDGT+4<?aGKA1oz_}~<BiVsdAC;4C;8Rvts
zWULSBNSzOANR1CtB;|tyN%$Z}Vm=r{#`s_q8RdhKWTX#9kP$u@Muz!d2pQsoN>b^A
z3R2;N!DO%x29kk37(fR2pdabygTAD%5BiWkKIlz)`=E@J`M@EL4=iH&z#xVXG@|){
z66ynmC_adgh{4{GBJ33j_Wt`T{D}Vq1A+m;fM7r{AQ%t~2nGZLf&syRU_dY+7&v4Z
zpbGqPNL8YWuFDb6pad=kz6oH%k1dx;<Q39tPqMyluG8+(deax_H05z69{Idn7WsVS
zc1bcn5retUhb#dHUGVO6yH8Ndk2;E6t)i(hS%2b6R(iOn2{ACC=%D6L=T>$Ur$v{}
zIXuv`riGan_!cUfQ(by8d^pzq5-k*@r-`@T_eK2=ee(G;r70}Tv}Ll3(=fpXJ}ldk
zZfxTbLNmJy^Nt!}j&D!Xa|`p1dJL~x*6lW;L2@21b|_4}awib->BZa`@Ew}e&jaxp
z{tUK4kXs`>F_=17+kL!R-VQmpqp5?1$lhc~e{wQRr3@BW1cB~q1E{t_)C=FQJjK&`
zOlRLx;uGBU6Ghu=F7B+yvF@x#l0P059X_Mmn)bf^+UCt>4l;93!9mg^J(U;7aIYPm
z?3WKm2--H3EGUoOUGL6Il|$3<@fmKC#W{R9<jjL9P4U#83xmR|u2Q?}yh({ypW*dZ
zoEgR}$T*mkh=UHY?}obHh~$2kH0(Qvtz-sbCR_NF>-%&ykM6=E3f>#>L_`=&N;_*D
z&$dHM6{gLVrc?MdaB*VYJ~7<STEnC~@4K|c+0d8)w@g)eySo<J#c|>J%IQ}4ymLci
zbF=$_Tz?f$Fwm8RNE>==8~Z&yXdB^hw=N6gXjONryGAWP?l`h~kl!}KaZB_6Oi2?7
z$3DnbQplXsjpjZEByb9GO&xTjXlsWLcCUP&dM^ypg?Xs%99*1RVUX@IyeiMStJU%|
zV1-K(4LD6*S=hy>0X`Pq0$)H54;rDcl|9vCC`QTI!H|g4FCBBP&UUA~<u5l5^{O(I
zT*%PFwHOLJ$T|%5y94y}gB=k(%7V{6^U6O!x-f!dGcYN)VOe8KS9(9U^iEi(wW5P3
z$2;xt;qJs(_*6VRFf78eic3bJ*2Wd@7X{j6CwwzL10S8=x4nfP3LvKY#q`FOmV=0x
zY00HwB6R7%6-w}Z2T}h6*zVNj9#R4Z3SU<DDD3&62)^y^wWWO%h(iL)GF~0@5QsZc
zD|~)C)3Luo_+OrHfPT{%Oj7366pZ4{>1<PH#`{ip4~4AiKC(NhmY;kwxvF-bX5WDC
zVYr!x0;I3+zdwW`9%SDLWt2fT4K&V$`UPgon>^n`g@x}~!R=<>2i0OUcS&HvUkQSr
ziQMPChAd3*Z}M+6=&=R|rF$BnaD*PmCmdm);i;}W?mdOvko4*a$HiC+R|XC`NdEtC
zW7GZ@V7fc!@j)cCP%~(u?z(_|tAam-G_`lN6%#0J-i=LOIIN1yW|y~jLURe0gz|{q
zaJ8T@n{H@^C4GejqlxP3;##XhUb$RnLreRj42oC!3<CYO(T%n+)0xeMnqg?T4W-z4
zurb}|fnpJR$l6`SkzUxc5=PBMne6)ya=8{5+YdMlg6#8>=~2_cJ-xka|8)Z^^58+C
z0pvgrgDvVxuKpMM{~h$72Sh}{fM7r{AQ%t~2nGZLf&syRU_dY+7!V8`k_?Fb{}0J(
z6NMHG2nGZLf&syRU_dY+7!V8y1_T3w0l~n(#emTN{}x>$vS2_kAQ%t~2nGZLf&syR
zU_dY+7!V8y1`bIE3i_Y@<B%-AD70WeFd!HZ3<w4U1A+m;fM7r{AQ%t~2nGZL2f={5
z{{Kkn70G$aS!n;vXw?6u->jEwpVG?Ib?Q*Mk)9k~A5BDFja)!pBMtHnh`L<+qITy2
zl5Xps3cHr{m-D^Q{z2ZCIg20aKEUZ8L{NT3_iT4pKl!Su-VPnD>DC4CA?e_!e|TSx
zz<ZEea_qC^Q(>o_@QyZ}?Mu>4Is64nz6nMsVvl<_6_N~guJE>|@^*sCz}M%!4`%Lv
zABn0<x@W27lLwLfAXFVoV4IY-#ul$aidh!C(wd(3NGXK6`=b=k@waa(gt?@lu&O-m
zo(a2xLGJkD?S<HGN&(JX;%&WG2$8ORzY>Jc+qV=Y;qbNI8PF=BAh=Z)vU3X(RAj*=
zUHyI~;5F}lwYYGaOF$u@DzA1=htKuGwu2Kr?hBFjbI~KiIqoO+`(7$+gA$zTk?L>T
z*FB~CbhUiYAbE9z*8>WP7k)<sc?Ub>72F5e32=URTcAS24K;Bb`CvD+DNxEcR_ifk
z=o9<fFbg%x9yhM+=*%pG&&@XkNgSX*wRfN94sYRxR2<&;j(WaJdMsS2UOVtV5AAh6
z9^J22|0I|7Vn9{CynC8jem-P58Fk@emYwbG?#R;6*w)<8vM}fUb}q^V1-SFT1=!EY
zrNs%NxjR%s7VZz^P+8U4eJXsx9!hp(k0mRz9u(%50~e+kzchaoQgtvl823BmexAz?
zoTa-96Kr1QwpzCz`{%e7Pz<Qbbx(nPOW}@&_bv5fx+4d)o%YU5ZY9sM>%du}_@$ZR
zAQ-YHyX4CIAvf3A*tFF9;JROw+<|i~Mla12g;eDu-IHLzhD`B*UA)$XnH4Zl!|p;^
zcTdOy$JqmCU3yY!0rm;6x~zMmT0RX*F|@~a1sh6b7PYy1v$pdxbRM`2;ZsUWP!b9?
zKH)$$4!7O(qV~>WjbD7=%u)Q(oN*Ae?C}SBbjs!$b6r_}#T^IEl*ca3vKUa+(0z(p
zemw9T@p;Z>Vaq|Zd#hjZ{Yo+_jrIT7`w{>-it6v4vybT`2_Xp~36qeJY{+c7d+s$H
zIY}TFIUs?BWsaWRNoHr3nb};N8IpiWKtv=P1VlsyJ_JMrL`0NBL_{tT5fBg&5drxF
zBBFk;t9p96W@nEasL{^AzIv~!>-g1O^{T2q0L#UrP22L7W9X5G9OAebUt))S#D7N`
z{u-SQ77nt@u@qXfQ?T4ZXNf{1>r!`8ACH+AdYOZ<$&;;D*7biuA2fpLZn(M(3Io0k
z+4RL2s9E#Yj77EQGThWM!*pRuMqRlyoz!_^Z8l6d7H@i0Fw;?;N3}-JbYbx(S4gd`
z*8SeM!V#UkrM<58w{?Lvyoa>T4Zu?@_XBadkk{JKMaTn0NGriLsE||XwhkEk!qsb;
zTp>}e&#_vsYo@<0Le-A2FMGXr?8{E?GW)WFOEe)D^)bi*x5A}zg%YHKxV+UGNBsiV
zqv3YMCg*0QzVU?1DD@V^xF509hW$eI&a|SgtgG$$w6+0{SWGv1uLlvvpId6b=>Sz?
z(}8}8^-<8PK$Lp*D&{AsCpB(=tc%g^!NsU{ZK&Cko4%tVRrPMkri!;RgC5z`RGkl!
z;gQ_I4H_xJTkC+gT3P%{mn~Q{bJ=SD33FFNGtu{Dgk*bT!L;uYDEL=PX*Lf%kyflP
z$JGl^`>P&$1JuL`r%^OKbt$eDWa;bT(b7WkA#teinm81GJ+<GbF)O$Iv=Oiouo18k
zuo18kuo18kuo18kuo3uAMqrxjG)F{J!x=e|QPpTNtYwl)GNA?2>1ZmGRMW{wD4ohg
z)S#RQh&|LD|H+AI6gNGAsgxRzYRN=Akw_?NGM)-0<zyzBR8yL&sA^1;Q<-o$9$cY2
zjz*&qIg?4m;;~376PGiZCaXau6^~>RsdzLL4o70KOe(%icN`3bBZ?Z!D8Y0*6HCVA
zNIa3wD5+pvQ&cS(3x#8{oB(LW_ozUl=rxq-J|{v6@H`lc#?+V`0#8%PSUQu?;t@5X
zh82)R<y0`5lBJE*DGhzuXCXo(9ZDxsazu&7Ly?RUNyk(<CZ}Vvl1>0f>3C2D7&9?J
zdU_8N2yn)OaaB#onPf5^RN`tPtt3O4gaU;v6pjMaU`U5tkdDDaXW#$7&)IH!U?X57
zU?X57U?X57U?X57U?X57U?X57U?cD!kAUFnp@ujnQ?4fIBJnlh5dJ&-V&5aaCEU}@
zMrJ5|qvuN=(J|Te2=y6C{f|$~rx(Es&aJf3BS(&OTzD!{pDq@1S_%E}lj<QzHb@n=
z!D@vJsO^EZ#2P<`tG{NO?1q;l^_Mg2wM7V(tuC$D392uk*V)IT!$>ct)P~;1&E`Pi
z)l{D&-q)OLD4!6Tbh-lfAU=gRgo)4er>o(i+Hx@qI!glvT>mxjZ74(9IurRsd!vVp
zYfoVUP9?1jFts;Iep9Y;B0ch`Lmit1i&B+wR76)@GBnf;$@)ebOTArV)hWw?ld7J3
z6BK26Pl|J8R^<$=-+wYHpoV&6sY)l1#ncpoqVxXMUxK%%QyuV7>i}A81D0t}g#xdN
zg+#hD0S{f*t3wg_X1q$C%$6bRdX;g=*s3~I17%B6b&jo^4ti>nNbTpMhGGjk-dJ(2
zrdw*YIjvEaTOA+;H_JI7T}jPqk5trZ_Dx&3%4z6X;R|t=THRXB0Wxc?R)cJaY6)rp
zpH&~WyI6Yz*Hk$pRoLp@=q2AC)>YS_vFhhBV5DAY4Q2}Q8Zde=m^d_IM#Ipj?MlEa
z&{{rKNJCAoHBgaIuP22erh{{+ZGh?mr7=@z@Jcr%DVv5CDhq`Wp4zQ{;n;{3lxCw0
z_AbgYcrl>5Y?D@LrAJ2L{F1}c{umjDPLhCfX_cjRH7bi$TfH12O;o)AR)u;=K_@!2
z%BlT_0}8IykEkmK3I}P!)`z1Do3@-(IR!OX7oCS1tg4??dKg)%tKvbHXrgO1iwId#
z2UPCvD0FIF&~5b2Ra6WiPrJI4xooO;mJ+Sgz&gbP=022=!6-`)q9EcHuy-{lV!YQn
z%=r#@cDmeVc4+mjHZk6)Hp;cbB)y|$RG+HT!KlMGZLF-;4?H@E1CO0rsRUVBci^!q
zjWsIARZG3TSaV1(&Q&|TI9lwQ)>T%)xe*B4dQzzBSog?Ou&)YR2MXH!qB>Z>3DHBY
zSv75TR!*izo&X^?S=xtcAbQ9-c<LP9Chvk5%CqUJ#i;{@PJGon2BdXUx^fadQh`X&
zC=%6B;05?1G?A8Yk0ZnF?XY)HrXLfU5|x#3Y6XJ9r&i3blZ8YvZ3$&wAE8v;^$x_e
zX}aLJ$_mszZA+l`sTxR?&Ncit&aPC&gKVG7aLnOKRdXDwdM%}<t#y<FE(UpgB~<|J
z@I0J3X!L@7t?={}ie6asAy2B%t$WgIU}YT{kOiTaTcaLZs!Huth$ZC>8##-;egLJ>
zC|>VE;e1DGElf#zMYCzMzp@<8Paf*ryppIJ=nS}CHH=X=Iyh-`G^i9I2h^91oL;$j
z!HFy9`WGyoGj|nq`si3h?;(AiC)FZ`ywVFtb%d|yvt_W?U0DVV2TU)>hQo|v&8-pS
z2C{7Tical=UQw`EHC6Bb+mpG5?bb%XM!-hEM!-hEM!-hEM!-hEM!-hEM!-hEM&Q6g
zz}Ejiu=2}}t&M<<fQ^8SfQ^8SfQ^8SfQ^8SfQ^8SfQ`W3AYkwR?+t49H#Pz`0yY9R
z0yY9R0yY9R0yY9R0yY9R0yY8%76P2~A?1?Zq@+)zccnMMVE?lbuo18kuo18kuo18k
zuo18kuo18kuo18kun{<b5%9Pi4%)5%_3BRqcqz)|Vp)Cv-y>xx=~d|g>3V4^80~*H
z0yY9R0yY9R0yY9R0yY9R0yY9R0yY9R0yYABg}^x1Oou8f@qio)s1d&sYY7Eg<Y;p&
z8Vt&cr?+)5(jteN)sO;jC%SuEtC5zF(i{wjLXnt@unzl`U`r^}B8Qv9awHN7JIA_a
zvS!%WT4@Q#n!#syY|%ddzgHP*e`F(IBVZ$7BVZ$7BVZ$7BVZ$7BVZ$7BVZ$NKq0^h
zE2*6KY)bl@)Gj?JEE47lM+speAWRa*3I_{<^nK}0=~n3m=_}He(ifzipds*qbT0of
z|9k!!{)hZ6{FnHP_-;PQFX3nKP5cPn<$KrnqVG}PUB2smm-^23b@*2Jj`dCRjq<s<
zcexk1N4Pt<Yq_1=1}@Dl<z{eGxZxbdzQsPrKFHq2Ud3L-mf17dg=~zS$PQsXVcuY#
zVeV&cW_p+{Oc&G2%x6N3pW*3`=-22c=zHlK=*#Kz=^VX^o<qy@7@G0E?|s?(nD=h)
z_1;UpXM0z8kM&OTj`F%a?|NSFJmR^-bFF8mXM-p0S?ZbLnc^Alq1<n|pL0LxzRi7=
z`yzMQeTI9XJLaC~9^(4M^@i&i*Zr=WT|KTXt}a)rYrZSw^1FEFN6y!rPdM*&-r&64
zdA>8}T;-hOl$~RojI>_rlCn}#I#pUBEt2L*$4Ku;F-ei8N{35hq=O|<q9scFtMmu)
zJ@Jp?YvPOIv*ORiN5mhB_lVz?ek<NAeoeea+$CNrepalAXNhI8Q+iR%h;8C3@kH@>
zake-^42#X;Wa*cpUpzz{Ci+CT@OR-u;T_=(;T7pg;d$X{;W6PM;XdIm;Wpt$;X2_<
z(ocoUg^Pu4!g<05;Y?wTkP=!U<L!So0yY9R0{<oi4sta)VPzWrQ^HCpD61jrhlWhi
zrSM-+2~+o1WpZ3rW%Q5wfhh|siXpqtl!f5aNH`+P)c0#LIi|?LprTUuT4ah6SL2FI
zeb1DsY7G1XKdF1_WFV%#Ymr42H5?7g)ZG?Y1Vvh<?y8qTxOZA)AtTP;vB-i-Opb?x
z)E)J*P>A}rMJ6i|Iig0W+YK4Or-T5)U^q^Ft4;<s)NM7H994pHD5OxgT4W(5rYdrj
zx}_=uq~b~xa8apmnzE=IRwAJ|r1xf17KHqXDqunVKSCB%<)BL4WXe=k&m>ieQ#YD2
z1^kZ(V@i;^p-vW(Rq7j9CPN(5C=`ac9HYK&k?C=XLKt7O$Ydo3vIuoODGNr`DD~Ak
zSy+x!*VSZ@1T_=_cV97OiW*cQGu1eCZA}I^%i(xXp}t&`$&hRCMrEA3#+1n_#4i{D
zT&}Lk08u5RmzS&RWvWblsZJJwJioGDrYO|zI$0Pn?WvQ6LNc|hUM5GVE9zuH!0L<j
zGQj!rI++UYzECGqKz3QZ49d{w>tr(2-%CkZP_J*FtCPioVd|1PSu`A_F0Pj;5o%|h
zED}<w9d)uW#BY0@ECiT-woVp=GIUX$3~DuXVZBU^QQPWd&}dOx>t#@$x75jGC|4Jd
zG8IZbRjHHddA_+$7J|5(Kg`txyN6I0WW5ZjP$SN>h`=HkR+V$BA~`CDz+EsLJExZ@
ze0DF9e3mJSC?UPV$?_&s6qcdIgoMf)>qT;SLoboC-V}xODgc!#xUMFWBOr=}L){ip
z5ZYQuSlJ?inx`niP>B$!&~Sx|rYH!tQw>Gc(3v%n5`!PawaX%cHYcQn;{`$lpQ(|&
zDS~RL#Gz}5cG9kc9Eu#vVH#bFX=Dwi;Vh=14orjXn5r2}6%A84E&bFvY~TA->8Fn0
z?gw9<bX>h3eEFs0<o)2wi;kiD!I$4sKiv<${DIoKAAEU-I%Y7wjBrhNDuJSw?#$-3
zw)I-Fqfl7u80U2jg_=EFCrbPvL}J4bi4H|1G6a#Zgh)t4Bq$)F@`xxtL}Xo)e=3U0
zMD%wY`a25!#ifx)W>Eb1xFm<_bh{*0(ZBkZ_w$tWmh_zTpmdvbm2{C*md=nC!mM?o
zG(`MFd_#OjydUPJJ>nLzOKcVAiy@eK^1?^LYr+%4y}}JJw>)3S39E!Tf-H;?82)|!
zW&Sb#ZvJ}yQvPhdgI~cP%TMD+@orcfc)|CG?+)L!zMbqOb|~|A<`2v-m>)9VWOg%K
znKPNwm<3Fj8P5pxU+Le`PtxC~Z=}CSZ>Brx)%09ip~up!_XF=M-k*8D>;0Pd^S-UV
zbA9W5UB0X@={prx8W#DEgVlz(PxT$?o9G+s8{w0DjL*USjeDQ_6Zbmz8}2#oN$yeZ
z0q$PzJKU|@4cu3_E4eSgdc;=lTy8zr#bvn^*UGKr7IVjO$8vE_<&NYga$~uX+z^iC
zob2D&_t`(Oud}~_6^kd?pTere_t`tyTiF}fudr9LUto8#TiNs24eXih8aBnYvMbre
z>~ZX|Y#f1a|FIFU5wH=k5$Fp6JOI|G!fFskqY*ji7)!`vYCIHnjH$_BWT;P8V~#@&
zSrm8}Lc&B|af~))FvwFvA($9A4zb7}92v&Aj!~uzCa?NbH!M3w)?^SHSfNm5#|VoI
z)+fTM8g?9P%2XJ9hv9$OG2D>B7#I!R6^P$Krc6;Iay%3ds*Yi%OkZ<|L3(A!&^lRI
zjX8$Y$v|z;A=P9sxef+Hs^SnWGJrr|MR5pKnH+|RbR-DV1qW}+K*vzWPmMTyHJKcO
zX)P=jI5<NFQ-GiX%M*Z&gRRL_NG(k6V-Ch5gKuF0AmpGeGFWKQhyM;QA%n?4IO6b-
zvJlKe9BzvYCiZF+^2k*ugA_ZQRhgbcu#5pS4u^w~$)OnJC1uK@03A%BV8Z#&dKpY$
z|51~{3`S9-upskyQwBK!vn@3gr#{gKUGaDdkysLuXabSQ8Hj}25DA@*Nbod7)K)~4
zQxTC*(MMu&R%c@I)riDaArd_qk;qAigjXUGT7gJ#IU?#ZM3fT|k(cUz#TcE5#+M)x
zTZ~9_5h9U=h=fl-By>C?!3Bt@^AS;wLqwjZ`xT{iCK8{ENNf%w(b<SZW+4)uiAd;J
zM1sd4q8^Qiaug!+4BfAYS7*ZU&ma<OK_nVSBoad;97QA)K_nPPL=7RL1QC%{-LJ4m
zXF_oWk(i7~bUGrDW<<gPL_*UL2_A`vIu#M62@!dU?pMgIGr{;|L}EuE5}kxdWFjKr
z!x0HhKqNRG5!H`~au_1=INh(HOJ~&hSVUrD5Q!d&NMtl3;X@D!jY1?i5)pL-B1*Lx
z2}3p2n?HU1?QcZUi-n+KQ6F1mFrS7c(irtui%hSo`a0rAHJRSD1f!uS^%qm7>g%Df
zmL*dknlhMnLpu@=hp7+hWvWWOPs(7yQKkORDucOp6xPAsGi0zP2@8Lq!wl;)f3C@(
zQHL2mtTVl9%3zgEpS;8R?>lv}XjrA*uF3!tSnLSNklsJlWY8{!U`;7Ry=BT^4Hr6v
zpc<zBXvp+c3<v?%n1j@t78zg#&5cU^!6Ji25Lk?kQ*T&g&;&t)s8YW-WqQJ(aR^1I
z*G-w;amdij$<*&GGQa^AN~6?kRhf<etbIaasNb40Xo8{RfTU2b)@1OZ0$ov*dWDe5
zAvGAJUbe{eCNdn1Q@=4~5m+mSbxDxDWXe<}3TcCOje5}{gJw=&K&D=(m%+N#udOmU
z3Tvqf^?XeR>&Y=C1m)#dgbZ>G)*GL*$RIATW*w$}X^}y<5rXcLde)S|Dlrt92&}dJ
z!jS20I+PXYDi!LPnoM7&f^IBEJzXbLgCXiEQzk<<D+j}X{gb2&txrEul|hpZYv@o0
zL)6br8FV<X#w<fq|9DLXFv0R0<lE2cWRUIDV|6lpzu>1e8RTvx1RDF)qZS!-pCQ<k
zpnhV?LQrQw3hTs=m@++jP}BhDADc2&AL8h(1od!D2IWt$!x8EsQwCj_5)DDONIh7S
zq5T#ZgisIY^M7hcUxP7QZX;kLU?X57U?X57U?X57U?X57U?X57U?X57@ZW%de*WLd
z{gx6+@W=jVBVZ$7BVZ$7BVZ$7BVZ$7BXHm&uvKvSsKePs7cFPmnKKuZO5NIm&aOhS
z9FN3;!Bj|1#I#TxHYlT+L@E>sr&Hl@IwmJ0fk1#OX<dn8qFgAp_$N%8z^yMPy1F!-
zX`L{E)AFf8I-75A@h@1uBmnnm#RCeLPL#E_OrhABD1);}ozo|!r%zfvf$M}Xk=yab
z?&QYl9f?v$%gj_cyG~o)-K9sTrDZ<IPR^D)7Ua{}Ohzke`SQ$EN-LE(zrU+kSfi!N
zZP|2-f3h+eB;{fvwN{VIWL0NN<wUu=1RP?zle%l*B08JaN~vPDtDG(54F_GtY@wJf
zZ#38xM7q6Dtg?wxDchdc(rx8};UJUU0PH%gSgQGv%Csq9t%UU;fQje~3J(~y>T{+o
zS~CV~#&FFTsu^Q7W4vZmWQ$o3(+E+qgrZb^$(Gt6b?YEShC|3fK(Z~X=RC#_K~zo@
z%WZmY8P3vRYhkrgISY9RsqQFr7puUg3!uLZ1tN=q0sSht)GZQFV}4a`3CS(NNOLd*
zDgdE68>K~7nxn8;u0*$T4qP4=)s@FoP)#R-k)W2;G|<g}&D>}z5rLiQa0ZHMG<JZN
z#}GpMUsxb5#nCWYipl>>VGPDwlz4L-8n$Spt}x2_-GiV&6^q2t{9pPLCH)2d*#B$<
zYy@lsYy@lsYy@lsYy@lsYy@lsYy@lsYy=K`1Q@56a<C4{c@XXJQY@Gb;-t4Jhx7_1
zy&}DT;3v>dfsKHTfQ^8SfQ^8SfQ^8SfQ^8SfQ^8SfQ`WaC<45jJ=C!jD-SsVgSv|;
ztMC6wuSu`{k0N9z+eW}fz(&AEz(&AEz(&AEz(&AEz(&AEz((M|1%WYrB}BjfkCl$4
zq_?H#rH7^4rE8=M;RU-@AhQ422-pbN2-pbN2-pbN2-pbN2-pbN2-pbN2-pZ12#j<)
zraRab*-mY4zFgdhF7$wFHCQBPddZm)Zb!gD&ncw3JK;`>*~YaSG!lF3#omM5j>!%W
zy0T=cabbrC$=rm@jbtuD=0Y+jA#)COvy)j;1nF={ALyxhQu;u8(@2(0Yy@lsYy@ls
zYy@lsYy@lsYy@lsYy@lsYy@ls4panuwTS=N>vA~V;z^wJ3FXr7|9j8A0kDRSZL$%t
z5wH=k5wH=k5wH=k5wH=k5wH=k5wH<BfDv%JD2GS?<I?}QAti2I|DPIi0H?{0x{ZL1
zfQ^8SfQ^8SfQ^8SfQ^8SfQ^8SfQ^8Sz<>yFbc}kKR`vb=KS{rpekJ`}dPw@7^eyQd
z($&%zq|Zv{N!`*~DIuLKEs|zSacR0VNjg*-D$(NK#s3rkApS=Dh4@qPhvHr0H^r}t
zyT#9mTg9`)GsSlCG;z7OKs-hai${v%#gU>Qx`e+9?+CvWel0vH{8;$D@NMBn;mg7o
zg&o5ALRsh#T7{*;93du56a2z(f#E;l-{oK9pW`3n@8|E}Z{V-uFXgxJ8~7Z52ET%z
z&(Gjxej-1L=XuKazV8j+3%)0O5Bl!*-R!&8ce(E(-`Tz{U)s0Ix6pU2FXWrz8{-?|
zb8{bYZ*ebk&v1`$_j0#!*K<AGPVRiJ%yn?B+){217vrXJer`C&u%EE+vahkvv5&F$
zvv;sJuvf8{vRl{<Y=%9BUChp6BkWXm96OBlG9NQ<Gp{nwGLJI%F}E{cXRc%}VJgfz
zW({*Xvy7R?v@p%g1ZD)o(f^>|qhF_=ryr+(MBho@L|;Q+MsK4x(Rn&apF|%|A5E+O
zCBJF(f5p$sf4V>Sx&Qj#fX%|c$box1<%Ro4rns;97X@es(+>jNz3!X(vHqX8g02!u
ztH(t-9T(GcO!E$UscHT!-D;XIq&rOWR=RAOFQCsi&70|+rujU&$26ZqUvHYvqHi<J
z8|iyZ^LqLb)7(uzW136!%cl8E`YqF3pg%Iros8QwuVsdq<}5SDG`BNTOtZ#>Omm7k
z)-)%Wg{HZUS!J3}W74MiRHn-`uV&6R%_lP#ndX(u<)(Q#bFFDUk-6D4FJbOB&5M`^
zP4fxN6Q+3q^MYwUj(Nj0&t={>&9hm`G|yyt(|im&$}}IvPBhJ*VP(@CXJ?q^C_CRY
zhuIaTImn)2niV!@ny0hpQhc=%p;9!BMeQFlPi3z#T~1-IGtEb^x0vRM>^-J=0{gIO
z_Onl!=5g#xrg;qerfD9{erTFUaZb}bf)h>iaBj3|9>yJEnul<zX%@MoO*79OZ<;yo
zB-6}rNz?4*@}}9%Z8FVHZkuVQxXY?$>L1)Sruh@@Ce!>ecc*Foi2IRg{*ZgzG{4V1
zZ<^oZUN_C}a_^bux4D0q=C^#DX@1i;!Zg3(n_!w>_cfd5*L*Fe`BmRM)BLh;nQ4B>
zce-hQ!MDaVKkr*-nxFGkO!Kq8OHA`KzAH`hQ@*d8<|ll&o94%T_nGF$e2<#uM}5zl
z=0|+5n&yXnZ=2=^eIJ|VAMsw(d_O<TG~dUMGtKw%Q%&<de8e>0&CfE;ck+u(^Bw#t
zrulY0W14T{i>CP&{#?_1Gr!$5-^5>Gns4B*GtFP;Z!yi+^Y@tM>-dLF^R@g_ruiEF
zCDVKr|E6ialK;>&_XtkYe1#yI=F5fAruj1A2-AG2pql1OgriOKPT_ddyj?iSG+!hn
zP4hM(Z<@CVn@n>>*k+o~7cQkdl)fi>u5hJcI$OBjFl`cUF-#kTyA9Ji;YWt4EIekI
zio&yosY`g-Fy)0e4O32d-!QEa{$ZFpM8+^>#9@XhEsilvN%087bcQG!rqjh1!_+Fy
zF-)h3iw)B%ag|{@NlY516=KdXEfd!nrlsQfhH0_5-7qZ_FE>obi`N*Y`Qi<RX`Xny
zVVWb}YnWz<4;!Xq#U~8Y(c<%lX@>ZkVQLZIHcT<`Bf}JtoQ5eR@rFs2Mi?ep@*AdR
zX{uqGCWQ>sROx8LG)0<kn2wN^8K#L+t6`cTWek&F>M~5@q)motjI_ltjg~GkOrxY8
z!!$y=&M*y^ZZ=HAq&p4M5b1uyBubAOCSH2RFmcjLhKZ5hFic+QFNVpD_Wz+9f?g2*
zanh@B{{I0=dO*4u3G6>M0yY9R0yY9R0yY9R0yY9R0yY9R0yY9R0yYBwi3p5y&2%Vn
zIi`k{U@)S}ZHex3p)*m=7V^zq8}&E;#`PU-fj^QO>YPdWLfo~m8y)k0&wHBZB=>Xf
z(_AlzbA_7(KYycZne$0-@?ZClKhpW~e@3DpCMW%8#H3d&_#++P>m{@ZHuIG;>5*f{
zIyYy_iDXV&uO&MQg|($BrS6}-Z0^hzbNwr3&RRIvKcOn0;GZ%fo1Wm$=F3{UR`f4j
zwqViBWvl%s%w6rDxpKvl1&iUkMROOg@Go8h|F2xQaGHNYcQH4?zb;WsbtH<wcHw6&
z+bsSxom=UmM;>>WbMyFYKCNv)f7;d;ifc2u!unEMA>URmCQ@s)B79|vsk@9wE?7Kg
z?kfL;e!rUFU$Pj|QT0+!NX^R$O`E-y0zGokVUEp#zG9Hq*0+_)iE?+z8i~~d#)0^*
zK{QBvfMN|mG2TH!kzJc@>q@k12#c;n5w0QCV_}Mu4WnUN>j;`(8F4Tzbu4O@O&cm%
zdgN?~z#&#7OxL<sC|qmsiGhPRzG)PA)vD>NN(VjiC<uBI3c8lOYKU#+Y#B<c85xxf
zw`M_p&|jcXB9W&PnkueJJ3Vszc*g}N;!0r#Q}b6b0<6{x(@A~JsFr_g6@j3TPnMEz
zttU7d)tWLz4Tqbo)~TWf7tf{v{|Wvyn96W{t<@gtRar}ciwXW@p^(!OdH<Zb^JcDG
zxWX?J?y9AyR*kFf^a|T_Y9-?x864@{XvzNWl2*jkaATK-7^*@-j~urV?l9^|gsK~S
zI-zM(MT6o!lC0_GXV3|Dw3Q0o#gqoc8wYfLzX6e7)CE~**;J^c>5(%>IyN8FC~etv
zTOyxsD_4_vUcUibT-SvP*{c^Sl-#YwN{Svia-?I&Y*eODlF*;S$&!R*gDgb3LVFep
zfzhOzxjcEYHJdvUr4A@9U5Qc&T0JNfhVv;Qxv7s&GTCCOoKJLWHOIj|9p@7DZc%})
z79}z=iFBtP<9^E}Zd-d7O2wKgJ=8XoezG1^gEhLGTq57z4b5dOAyAj9ZYEEL?5Qgn
zW{*~NWO&rD($%@??$WDcUB#?(gGxg+3(S}pfn?LroWuRoZPuQ$-ce^Fn`_G#%Gpdd
zg@%b{+Dw-u=A}fgY`U2e3Dp2Fg6-@EETL1*w`;hV4BT=+SxOt9^poDE%|j|ldgPLT
zW3y6M(b~F-T1JEJD}}o<z1SNy-D*|ntLj-D={=G0eXRys9q84m>Y!<Jsgj^a1_F)?
z4l!$@)iH8tiQTZ?_0#HnkX5xBe6R9FG|7c>2ehvf{AF!J+00ENmpY(ywCS1OyZR`o
z@9NarHWl)<qE2|w1cSbFEd#%Qv9VmqLxT&Ws)H@%z#N3>8CZm#$~vA})hOp1eSx#w
zw9)g!@C%LRItLid6>{kYqq&m@44wF{K^#c?rp+TOIeO$=K;UGA!1}eB5>9h<^jZ7B
zOv@rN7X5wGAO=+w^ul2dn)M#377_qHq3MEXWi37Ou)`eNj>5y8>e$$f$7He!nDRlE
zeM{&A6n|@8^zHzNszQ#I`}ensME|a!gUq()HK;)Sc29bTQ78`Jh-l`gSUXRnHfORL
zB)0E9)^Jwr&ebY(FMpZ@=TlVFxt8J|^7eQmUe5E9=UbkOJy{Rqe!;!Tz1Tg$^?~bh
zSBJ~X@8&!CWBIYZ_k2J0eF-${=lTxeKH#3>zRqpp7IEX*57<Z8>)G?!73>t|Z_Lk`
zuY&&j@ys~-&-6p|ZaOD@S;~tM(c%2Eb1m_UI{W$ULo4IVQt#~9=kUe%_v{P$6l%vF
zf3bRxznHvdUwq20;nD~wHK9EXMcJ{~M>$x=!7$4Bv0mrNMk}#YD|Tj~<`nYT67-AN
zbua{i2}-(<&ux@<EJEL~_?y9e;tKA0)TVAf2ZC{+s0|(K^|*Qmq(rN6a@|jb_cZNP
z)AqB>5TwQ-m;p3x-!zb0wHg`sH})bjQ@5`(1AyeZ8znbV4WVg!x9J#S-pFyR=C(YL
zTczrD>h_Z9wy#K-ka$9Sk<6y;XPP1O5py$urtMt=xivBOruHH-<G1JZ0HBaD3g{oZ
zYh`RjF_AB2_2t^}+t(6qTxQ19+)UlR#*8SyR&!FTMv5ixvZiA|ppj!s-gOM*){=Ma
zrrW+EVM6PDa4+C$+OC-)^bvD20RGR^4SQT6{|z5Z-7(Ef6QJhtHfUvPS-0az(=h<h
z$Z;*}c1#_}Z7u6|G?{MuiiC-5(~ile<31u`aeKr-Zp|7rb;ktLEkwdS021R(#}J7|
zjx9*|2Xbpc;xN-~Uy-n+Zmj9Jk4RYDjv2_UiNyFFqja~mX2FD_R^`X<7)iKsHE=U^
z#|Se_NKDO1!)9T}!KPzKOe4n@M28RL)`I9krrW+EVL@rA>9~(bSlkX7$gPQ}e+RF-
zWsQcmmN+Y*KHW(bbXToN)!a1g;J^(Ytw35#$Q$7~We01zg`_laYr;8Y2Qz?E6V0X_
zwCS{u7?=P}+2J+aHjaVCsb>JE7APIMQxhjMVKtbh?x4U)|0Abbo3{Nt(=o)d)&<r;
zHGyi{e(peSYe;QRTirJ5=FBvSYaI4<XO_-S-7yQW!{z+&hNE&Ak{62lnqoFx9lI$z
zW}=VuVL5!%yB}-tjr4PL<D4bv|2<>#j))2Np$)+<btl)r)=L%Wz>cs9G<?t-=sNcR
zDU2@n;GaNULLEf4QOxtqJ<N?%8?%y$(J#?Iqrd9u@m%Ox=l;-fqGN_*4CLLL)OXC^
z_3+s|_*MU1LLE{y67<N*t{Glxq{FcQy*lU`ySzIE>$Rm!cg`R1FU=)3E|}Bemot%6
zFsj5griU8LR9C6&T8MmIiF|dB)8tGnk&J}{av~KEgw$X%kcb8oftZpErlLtDk%&h}
zRCb+!J~|A4G{y{dcxBfDWOFFCIb=O7u)${Wn98pCNPZ-ik4hCfI|E=DC~Yit7V<+Y
zyN*Nl2V?t@9ohDd3;mT{^JqQEmnc|#@L6Z23b|aOtE5diDXXpbFVD7jCYrbzuta?H
zj8q}5`BShNQ95eE#zbds!qFUuw(nZ}i?XR=p;X9}{j;+9L~)~kd3UKRo5~itOa9pq
zmF~Q;e(#@~Pj?kyC!NctTl|9ogTq@S;CMrqR)p=pd^wTh(po81%y#Khkrw|PP2U47
z`C;=<+n}Yo(aIjIfB9jB*{?4_0z&=_tOUa5eF9}_Hs9_q)uNaNC6sKw#MPGRTR1=b
z3-~+A<*ri8^y%gG*)q)an*rD9i`qI8?d{ppbR4tkaaoRrlwc?-2g9*gJQ4}-!N-am
zRHN~DBp6ebpd5)r!zzbY-CF$fa?qMVqL#r@Ij3*8wD?t7iA|Sd(}OZsPPCV*(M*)f
zpefLt)7K*sxwg*2I!y=4h=*ZYRunnR!9Eh+YsBBe25P!HRc`ScB?)~3`xEQ3DF_ai
z9za_MSjXD1&RJO<sk!SQIK6@dkqce4AP+M|eUGTcKe=4&)+U=abF@+!iiz&w`~u!k
zYw?@5`nLi9<f-XgbGlgQN)|Tg`w6K6XkX;ZdIr=ysyc0k4ZpIM%;x*BZqJrGx|8+Z
z_z#CNlFD^MS%Ov2a)%%C6qTYhnDh_)MXjp<^IgaVtz^b;K_~37L7HZ_v>IirwRI|v
z6GSqNrpJJsW?;l+61fugC%aBFb8Pa;{MvkBeSR{R)7ELZ7QbF2IgXn#U9V<G&zP=P
zIqsZu&aUj5i|Xj+EUu$N_OeJ0=CcNcQK;;igIW#&2QPwPwpGAv@m6-tLQ%Z%9PCD_
zZ${?oJD4+bTCohRK|Ygh@2^S8WOGo8TeyJ#%x<l?5f?dRguRO*)Lbm_8`l0QP@>V|
za*NptwFas=6IhPgzt-tXpz%N@E|K%kTs+4Qpd)RPmY~j>nTy3x*AmUO@~f9#%SXtz
zQ5l}ncbPQ<ShCDNl_;)$BxzVen^2%xy}ZF*Wx1nec56#(t<XWSYvRxbON(Ex)n(ZH
z4kSTeq7<0Q>8tH~)h<`ZL(tYhdzjEOO$Qvdvb)PreErbyz$SkSG`1Ui71kpvyJn)Y
zaSSd9blW_=@cWnQwMZ}hZJbf;p%fi!Ek&bGs_Z%jm-DgsTj&02)eoucIvNEv341)$
z+N>T^*>x1MJQG`b%`!CTo{T?=8cK{LAZ?$qq|G%3dgm4-z`e7pzIWbsdSzD}CH~?7
ziiYc8yI(EY{VH^CbM1Z=P}ui=m7-h^5S7$sYy@ls4kQEw?i+9^&C3+^A@wrs<DbTf
z?BCh*z3+N|<9*ya%RyIv)K91zsVudMnnm4bqz`7{N$7xqduVVe-q%aMqJs;Da5b#5
zYcU!njKo8cLs#hYH5g1RvJ58Nhi#8kcD16x!sVwShu*!OwJ+<=r*pZW3R5*0apyHO
zI?v;&9h#q~(y3TF5lshDK{*JE6`5EdDaTTQWGImgMb)6JMuK}XKlc}_A(lH5WoXu`
zD+4eCg9&zrzpFc$%clGbmiiNESi&onVBXdDq<sDQ_01g{lf`U0kjN);8%x;|nxK~w
zon1L?dNdr*Btt1#jw^|1EEU!?n4m|Ma3Z4x<ya^ZizH&9crX);%StGrC8BCNp#?!4
zPiyf^CUT6HUzaTw^7>4ALHZ~~mIs)bN2e>wbUD;$W?ok0San&zn2x7GCoo^q+O%~E
zU84Za5CVR~60c+E;(y(I-I&)-ZLQ`~GsL1c*{;optn>NmY)zkv>;EkCq6J;OXZ4EQ
zY|NFhb2Qag;%c)Ji8Zo`>Nb5@MEkPn)2nzNU#JbE1%azdUtg$wSp@sC2=!$V?#rUD
zl&gKET<t66YF{Z2_LcHr!<5%TZZsx?NnzR#>bibhD*9OZAQuG71wYaRh1Q_hRe(9V
zrms4cwayYO-$5e*t2RV?;Lj8boz;fIXeIomt^};rR+mybwRE<-v-eucX1cQLR6NN%
z4>z6WV#>d~DS>wV6id7A)z?*4TLsKkUuD-S6x;1Ij_rZ4t}>;Mg%!&x#?)4#g{faz
zskJlux(i+dnWCR8nF0%S)pf(RY*)(^y)m&ateEYHzNVrWO^0cQI%ArlnwVy&8CA31
z41n46Q};t}0Ze<S^rji=xoL)~ZJMDrn`WrMrWwLFJvQQ}S69>C5)ZvnR^@s<L}tC}
zHNn3DmVEl{)N6}7!98Bw*;v_iGOj!+TpSy$?tE%h8*0Z%*4i=pgvzd!I5tM*sI3?6
z%_svFiB=&0@gk9zSR`ty>{^a2=i-EW`@@)`JbS1$NsIz*#zw$Kz(&AEpdJAM1P<v5
zN_s-NR$5zcYx6b&HUc&RHUc&RHUc&RHUc&RHUc&RHUc&RHUfK&fVStKP?WqUA2ri%
zD#7Y%si0q7UAkAo%^{^FD$DZpE>O9L%L&#_H|}8*95+yhIw(r|gY*-4^>3GylundB
z<GaoGIe0D4$GyT%Vu!OX<}S}VPr@_P)8vud&%1x({<h-+N4tZn|G|O#hp4xy7pd=2
zH&MIM4@X`%*Zw_5O{y_{n53lp#XhVWi9gdwI0#v)(&NA@-chs+&6z9S_&OWdFDv-x
zpD=r6OY3sb#9t3LUbW8Fwe_`9D{SP#mYmiKw<G0p`tD1j)T-~k!+u?Bwp7sd#?$)R
zJ@BI{J@DEG911ubhca|YC#cP@hAnk1H@>p#JY*NfcHWgUXZvSu)UR9eugfO<rF1G+
z_PyZp4I(+V6B~j5b_77BXA`O~Sfz&nl^!`7fxWDaNQzbJnZrOmX#*1ALqg2Ba3&Iu
zCsW}-I24KmLWxi!kdTwnKv>JDu~;|})RG}MB(xrVgbxWZV-j!zC6oZ2Avh$|jco8C
zA;xk@sEp)T4VkG|Lxw{_C1j5e2{Gu9(6$+sT}9OF?8FBUn7vmwnzPgo2UCjvWw1wF
zgl+xh%jf%7bm#M04rv<=Ce?eOZB$y9>VVTFe*KSr-e(yE4{A=GATL=|k8~@fd!!#0
z$`#<i37n*<svjYRhC<%IV)jx$C?}Nt!C)-jk4BR9n9%ZBaQdkPw}WW;>PaC*jz^SG
zETpROSST0^g_V%0QnWnLnJxNj-_#EL#HY*ZbS2VAt*BoeBBOyv_xpjiMj37fB9)9l
zDJdE;M5#ov84ec(19CJV%j&;F?a0Wm!Dt=n%0tW1jfqPkSK!nUWJ~P?5vhY@Zo2Cq
z!NDS>ro*C3^nW02X;Jq03{N*c!c$c{!6$g?5Ae*d>^c*7+YZ!eGN#VSo);EqIl52{
zHChf`X{2BkFmS)st~?5ETN@7UKu{VPl+K8yc=WF_f^03N1Jzla(SBstOOHe^5xR~A
z9It6n2G+3XryZ*)SnSp5nNF0M`1B0ZK)=E$aggmfYqpOrRCcY!g=`7Vb#rX^skMS*
zE4$X9IN&2I%+UG<Y)WNU7CD%WqvX{a;6B=aP|t7sZyyZU>9Y~|Hz5Gy&@`%wcpU20
z$DuJ@wLE2MMZEerR9BOCIPf^sJ8m%g-!KkMppWo4)H_B_Ce@g%swo(Uwjmol4)t2b
zp{FA`9*27C$Ds#RcAbXo4?zuwcO=&56sWhT!>GF`$IFg8#WTbu;?ctIxsSQuaSw6d
z<i5b24mbNn>1A}-`-b<I-fw!EJ!3t*`&P%F9alTfacGVcsJk33j)~PD^)2|pKgZ`C
zpSR{pJ#V$!L$l*h3g-GsrDq~a4F;7T7YjvU*cR6UaW#|<gtWLENJdkkKsXbQDZzL+
zp(aE0Mk=<4p&{qPDm_P_z;H(MdPd7Zq0%!6N%63OKWs#$=WryzdB%?krGlAcGNQrU
zp=Ug@!Fk5l@~p>?<T%gx`aC<h(sLNH$EP>>k#IV{3}^mxM^t)T$O3n2Tz{Qfj}y7X
zvE)W?jaPccp<Zn});Q$%dg^gvccQqqv~>NP?#?bh`ZEufL(r^aFxjyOvyOy6t%sqn
zw)ocr25@NIpWNstB2c}a8adU9{mduUbfw_@Z7S7_&j&YW3)5G?HRm&p(+<nDQg^Pr
zyhGE<)8ULh+?QLLZiIBQp33Hqa;G`LupWD@O)lUz0hnCWZWAz1AiyQi=!RyvP5|GT
z0OM%W5@rr^usZIoX7#5uXE@xC&v3(i2s)^<;ZU-EbAW%!f;oOgX)=fR=21ySF=Z<f
z#dfW%e}~UQPoCO3v#V<k9Pe&jSb);mx<c#hYF$2aQDACwy0dG~kMSGFnHwD3UtQ@L
zi-%-*A&oc3{re$Pp+=9f)D<2k0zHRX1x#gArDrq>f2)R?QT~9M2q=m^QaAGvPY}?-
z`?@RzW%6o{8d-|-RL|5_BUcAfnI<Y{t#zo4<&`~FmWF2U5KFViH)!_Elkh#GtT{J&
zL8WITE;ufnapqWlFWQzvDm^2R?^v&yC-j;Ruk;*@EaNyJZ(|@R%2_=~w>N!~{f&*l
zzYzf#5)DCx91n>&H1>@_dns9J9S39I9uW!fFpV1*PR62Y0+wHcNf@Dp!YL&X3n}qH
z2CnEyCu4Frm`K1lN<bgsaTGTu3JYrCNJL4%ILe1?@HmRIjH5Ut$KxojejGKl(!(Nq
zyavmmHQ22kl^zB)2|H$@n#%3<K&a7%4PJa5L~{3F7_?uvr1}{kX?gvIDtSY&8IG?`
zhXu^&bU8R3{^|p;92_7GbSL1vD%zq7beCYUH-I*&0<a@C-5eTOwzxi}K}>CM60EIL
z;;w87x<(By6q*kYO0}(AK6lx2xY=cIw(j~_z-(|?RKIJ-(D$ta1mWTtxM(W@`-8ns
zsKO917DF9$z;7%b#{+T*7LS!a&iyr9F70)P%<@VPjk`ai!kXizeadU7@Lp80jM;@g
zV)9r8%ms&5dfX`FZIf{=JFrGfeO_cl6f<if(~Fr|&dfbxW0Tm}B{sK->-UKV8dNoG
zX=+2NJzpLbxGz#1bs5EFxCQJ6ww-PE9_5|pJ=F6X5E{QPQw#O3<`U{0_)!M8e>xw}
zOTGNrKEKivLM7&lcx_+Y>vnl*VZBy_iCiw{U#yka!+rDmO<BfS{1R%Rm5i!rFi(f8
z0%ce?NXl9uCWpd-psK2}s;RJSklce7IsvybL6}G*zz?^;>31FC6SsvfIG65+_7p_}
zc8;pifcamlLxbJ1OrdDKKCg^sS!jbyzl1OCHw4vlyfAG{uYq@WbOnWtuxsPD9IW?G
z(VE+vQ9A<fz-aI>wA`>wXIuyXdstm?)70dWKilPp+sE6r$xUXnP0VQfza{{JEq5n1
zbUncOL^;)Q%(|oIEG!?tV#A`7Pf-hv_ST?>fU5)>wtJCJyO*%sqGz7U?=rJ%Fgs)z
z#p+dQ_PP9K^}qdGzT7M~8+(}gW|wsnw6vgWT?9rL=qke6jSef}UPX|?!<F!i<@_bf
z7OYs^x_tHW6>}H$J(3vQ5&xO`(`Rs-qJHJxIylge?&>tp=fm@sy$|QdDm_8eALF$?
z(d_p1qxl0=U+BwKOJ6SPox5TcFk5q#9vKgz@%^sifzY`R?l3*sF!aASY9FV!9H&P$
z1|wowVCr3QP_;4FqH4ECqV*_Li59PDwbUV_5)FJ-e}G=UHd+ep@d8x1(lZ^^0DMW1
z*kA#waV3SS(`>Ceqc<<C^aN1VxqwCEV$rf7^&d2bfV+POH-3OMv1urUcuh<s*2Ipi
z^c;ySjb_5ze;&bUfBPtEuYs{Guo18kuo2j=2ng;ZHG;aD;%0K=IhK8g?O}h$R@|y*
zm8;!zoa-pZ1)kv^7j-r7cE9a@+<m9}DtCMJ=ZUa6PcwTQdnSA4evMSsv(1T0&jQ>@
z22m$D#2mlEGo@)*P1Bll`X89kPG1LC>o+G#T^o*pEAF!CqvpUpdb2{H@~gz<dCJ_#
zconomkAVB|;GX=W^o7hxYO1TNyy1vMSJzRfKU%6^p?`#aPyAYK<5A;hE?PHx*@_cp
zwVk9KABMqo^{(&K#-vt+g8=D5dvj91NUp1ZZcsNDN>d$hzg;#33#EZVCQ$Cs_f`WP
z-THNai0JF3FxhWYRedWtcL9tl@QVT4PQ|G_5Ju5>YzOZRD02Usiuh)Cbjh}H8-8mm
zUc(5gt*yBd9COg8-t{Bw<6vC^&QHulFAKCxkvAwI*if%39D-UQNMuDGP_J-Nwlljn
zQQl;{XQ1zKFI+xz`Eoz@nX3&4_k8gT_9N$_VGUNp7}8)kXe`feo>%FajY@Lm9Gu7I
zaId;bg!KXR)f^nZ^&Qz%hd&F;M;qbM2e@EeUmr44qXPoxdEia>C9~%)U*2}&%DKx{
zxA_+?ShQfp+&OIv7SCI<Y|+dW3zjUN21v=F-cBt};6Yb-YtavHIrw!Qa=@qrue`!%
z0I(UtNsHQ+&7C=?X<DTRUq^ldP6%A?-7mtPNt8#|*I9~?!W%(D#>weeJS4}1fvA#9
z1wz48Fc3?D=8l%iq|{hCl?kWguo1KbeS|lHhQLNpBpnXMf??PQT7+!yM$iz;Mi71&
z1aAZlX|NH5-vGfIK||0+5RA?7Gaq;ndx$>I#qW9;0>;xxO{lg>jVXL$z0iNiXxMU^
zg<@!gG&Bz_7W<O>;KtwEQX2sqf&WPaU@ILzk%V{VM6{J2fd&)5Zh#w1aok`wDxejz
zzL6jv#;vS-MFE=BxTQ%I$Hc;ssHP-B3N)!vOOq;En$!rA<0e(CZ&HU;dcw&5Ak-a*
zBVip96hLqNpUlexGtn2Wuk;*`1}C3u!+rW*@3;*x7C>8WgX#MBV9V`4YW#!-r~{9o
z`q91kH%x5wL3Qm>uKhi|X|xN7HC=JI#@*Z{7|p5(K2smIk+Q5FQ&KS^^l5J!TBaR%
z)8Fz|Rdq&VPH4>eOl?DmoXMC|7@Ydacw#eI=lnG#7M+3fb9jzpwQO`j^qy#j)E}f1
z9An`9zYi#Q=<@^mBl_2L7v1Lly+`w`@XU7q*>Sh@d+Ep0t<o2zGo&R_+_9?e*Th!@
zFaI6>dj1Q1g+G&D#UIB<_(}Y5-o?B6X$}93RSNoXF=#7DKyc8Gu|w!`m!Uojcez7M
zh5i$f)EM?3#vDRjwTC|c%bafuReH`qZT8O9sLdX>*KPJPq{f~0F9mf4T~8M^(jhn+
zt)`+{Aeu_5flxf04#bj?Ae^UABQY(S%%mgHJ!qu$W5DLtzrT?2C*T=4U3<J1to4;a
zxM=}2{Na-Fw65llTL@iy0cOCRiJX23Lq9EOx{xY0cUIp{L~BD@9@NyPLnVa;9(a=h
zp3j;N&ll!%g+#gpZ^9K)`tgFs8W6A@1@Cf!4qRM+hd_xnYR>vq`hvDD_-Uy&EGcH&
z;myC?JXp?JjNT@jTulvbf9e$$jHau;5t`as{fyLtFq)y7btF`C(5NXI+(x!u(sacA
z*&JxY!5b6)r2d2j<Tg4p4l+3A(uppuH}2dpI);<AY%vXbFR%{|sw^D^vk<{6g$eYY
zpz-dXd3vIkCfwpmPaCQ?n{hQCW-cl2ZMlI_H$Hh~c&M)*;G<TCfT^5Q>A|myY+Z{h
z>w&Ps*Q;<<%ZOQe^i5lQi9F<1^*OyMp#D~Mi5B)?t<ECCC1@~LuGh5>mX*3aKRHmY
z^cZgx7_DW4rMkT+l>?SXC<@jG35Jbsuk@_O#SgC;4l~yQ_j?lwJF=@#e};EthY>rn
zV=Fx;Bg+6Tkly-UfTC#szpOX21F{jY5wH=k5wH<BKoEdAWQS!AIZU5J2H_T}o_5O|
za+rPsDuV=g9e3Ec!Az`Rl~zL^;f=3hV`9NjG9k<9D6G=r+Xe8(*D%W}Exu#`uhI^y
zU!{eU<oG@Te3E>ad6HaUZlOlIpQiW+e82SV@NM!fWshN-*|AK>Gl6B8H<%}wA9xt|
z)67m-1-L}~h`CyPoPUqMo&O3yr}}do?Fa}o^)dAd^#t_;>J|omkc(q0yYV4)O6Oor
z*hkGqhQ0s8Tur^d_g^2FU-~|BkuM=1n8~nXZ6mOM5b%9O`TO$;n%uK3P44h<3g{T<
zyIg^2C>aWbBKjGhbT}MH27^i_s0CG6%Yr8NEK8F+d`ui}l8eTJ;nX&0)7RmZHXoWR
z4d45fHn^*4IUEB*&$ff9tY4v5^3U$jkKm;7d89$am4mCcknTSyYP1-7EpYiB@&(;j
zTD_D{UmEhmafEf*6dV^Y11=c>_p^qk>oqmQ6P<~YmZ}~CMK|VIw3&1@reeA)(2-pO
zm;31)+*XP-nratez&9Z{J8CYi)n8||U)S#2iduW^Y>wq{sJUQ49NIIb<|>x~RS7OT
zD0VK#xV0`#6k%meKRnfHi00&Sy`S5Jv!(bpK=d&}UU#k)TQkc6o1C^Bj)FmkE!B#;
za{C^6Fh|R8T(KPdubvs}=SmG7gu$#)BK7;O0xpXs3|qk8@HA=tp23PrPd8q}z;_7^
zH<!@%t=K?CI|tQ4ylyu9Frl*BdYW{^XsG&RUkIPzyFiUk4ut^{z6KNzkcL|ZNcc8T
zJU|*=KR^O~9enX8*4G(c)eORSdm6s$D|`4dPeZ_L;VV7(BF~Gk8vpPEVP&tTyEnMw
zt@@H4lv%wQDYX)n!&*D6)x)e?c=4}VHO#uv3auZi9DURd{oX+R7_CvIYTub2o8R}Y
z90TeE>g{7c?eIRT1fGe?Fkapp-e8^4sAEu;tk+Hs9}VYT3%FY0bFahArNKRK+F^Mw
zkD?L4T~@Dq1f?hU-wxdB%5Dxv9AC;aVvpMcRS8s=j01&YpqwbJ?QAciz69C;e0Kw`
zawDJ)?q)2l#0Ulsm*5*7@!^u;=t{)Cv-g6NE4%So_zUs$YQ%w6W&aiGwy^J<(f^sX
zt?qc%>_jfNq6n`8w@jIuPPW4d>#k;a^c-FHsSDuMVGRietcqCIb&=LtC~ib|h*_5T
z_eLRiH@=Sm*S-;b*S^g|E4%T%1Qo2fG{UTHdP&reZR4nQ;;5nRDs<HaI@XO?*o`zw
zsy_(>rL-S(i}h7}6CF6b4I7To`|Dc07M%2bObbd#vllc86xp0I<7zviSG65i*^RGr
zn~v)B2yZX^U}QYKztM4>9p@Y7IN9|jO8QuOUwT`5LwZ&Ewe*biGwEUJ2h!c}BEU`3
zSEZ|9|Nj!{Lg{>;&*$d;?)nnj&F0~*fHPPR^AF}P%)87NnM;@pne$z5Ff$n^?e+fH
z^Ha}G_oeO=nIACUV!sTh3O>(m;I8Ao<ohfi6Rr?GCmbe>au0L+T(7vEcRl8M$aR<N
zHfAl8_FnJ3+PleH@-Fo*@E+m)v-ffOPxPbo1N61@Zh9SEpcm3}=?V0q%s6HwGoRVW
zPGMKG7qDluAG80*KEeKk{kms8=q@bsO!XY@q1=CUKkNRv`)1Fbo-cS0^L*m@!1EMy
z6L%yxkz2_v=C*O?anEy4bGLCf`kH;6zT<rr*Nv|0T<^Hu?iuc|+wVTaU3Pc6SGm9D
z{<iyv9@=xT=TuMDbA#vmUYB>M_cPv;y_>yPc)#oYh4&+RIDIr7r4#fy^f%~x`QP&|
z^S|Ps;(y9N$bX-|lfRX}0oF{e1U-qJ{8s*4em&pCXZa+5D!+nX#Lwf85iSxo3!8+J
zkP|fFbm3%SsjxtpC45E*2?5~<*L|+1U4M6d=x%mTb|3Ga?asK{+@Ez<+-JG3aqn{9
z<9@{bp8JpP*W539M9&z{JkK$nm`Cv>Jzbuyo^w54@m%S-)$^d|ZO`vLFMEFF<-DW3
zA#cDt%bW9R-qXFG^Iqh=-TVK%_j}*;{?_|~_n)*t%XAZc3cZ}}pf96$&|B#5(6`X9
z)4!pgqo1VzM!(MtVOXYx2{O}|Nz7@?Nz4+a$b6N#in*Kl1M@2LYvvi|XUxOwcy=^<
z5X-a6*b~?}>``oloz8A&f5d)|y@UNG`xg5<_9gb0+*ob|Cvgnt;Ev;t<>H*moyo1?
zQd}!{Id?Jl7~DpAA9ok`A@>gV2KS0@vM=mAvHs`19}sxNbE|N@aJ6@o=WXU;@Z&i6
z<}u$PzKriI&x68`UH1w1d$zj%4k%WH?+T9tiq`;Q3Lx|=KqCh@yy^a|@C#ZHUT_}|
zX}^sAj<i-vOQ%UEf&R;UX{OX71*K`yBx#&9QW_$$l2iPf_`dij@pbVx;&bAY;-lgN
z;=ST`#9PE~h}Vj{#mmGU;ui57ah+HYJH&)|inv@{D9#m+7NeppHi;9&L&f2uAbN#=
z3Lgo77Ty$oYgAFM%i(l;o<W3PfXRGBeCJ?tHX_0Wm|Ks@IxO6Rxic~8LWF)85q>cu
z!Zu8{V&M`*d}}dTgN3JJatb2CMVMTOg)1>xfrZ;K`79y~_Jz-2;Z96;Ai^gwIRgtn
zhsh<FT#N{l#N6jGxfBt;9TP7mIc#?s<~lL=1<W}xp|EflCRbqcMNBS7#P>H$K1PHu
zV!Iy9l`yv(5#I-xypM%fV{#QHU&7={M11dH@-`y;25ff?<~CyP%ZT{?fVr<=axEgv
z(TMOo7Je0z>#*=#%w3N;8k6&|@N0-LVJsYlg*Rey118_V<m-s=2VpV{6I@<|n=psV
zgz*0`Cm`a(=@Y(*IN@e&XXN`W*a=40htcJ6h6~@qAKZq?t=J{bcOTAo9%r%eZS3TB
zM0lM2K3t@HM&bJoc5(-HVr1%_h+~E#;=@4lM!tU+e{eS@cVQ<u$9N<E?m<F^!A`!1
z2#>Sa_XGUFeb^4#eW;Yez1RuP93E$m4+rEk0>a-3_&eUnfcvp$IGH{pnMNKxfW7_^
zCO^b3G1fi<YYejR5O(q)BD{eo&RZYOTj3|z$s?Hj7?Xz)@fpSKr&#zXBJ^vR`xz#W
zA>zXU`EWqOli2PFOn#2Z<A~6|M#P6b6Q03#Ph;{Fwli9(3KsqX3vnd8X~cO`m?SYt
zAR_z{lV=g(4?%=6>d|wUTaTT*gvpDTynqRgneaU3euW5heR?)}gP5q8D2NEJV)6<m
zFJtl>M0`ft-@wA(WAZvCzr(};^0$cdVa&X4#KD*W1?$Abft}#=`EdG#KOiB4YYu}e
z7h}`_BiKJ7C&F8p{1KBk5%C$p8fo}5wtE+ocQAPyyTmB@43s{^b{}B!J|_Q%$$N<K
zhhZ`f3qQu>ub6y<$zKrRCt)%X3;%)1-!b_FlfNOtd<hZ$NKB?8B2tJ5|3rkj8k4IK
z;iH&D5D_t~B8FAOu!<N~9_J=6W0wpjG$vk5JcxL3G4<eL>Uq)^rg|UJ!XL1R@H2cT
z_T_}1<ttNT>c-e6i$6cgcPS-;%=a~l27-mN5n;Z`zfIks+r5ZF0D@e;h+G=}`2I>M
zx|6?BQ!zOl6FpcE>X8S6zWb~7JK<_%2Sm36qK9t$15Wo7i0&s4-A^F8pFng!fmpsn
z(dBUU6-tN`ikO^<Nf#ysO!Am?VzLI4c1+Tk81?;h%$<tKDoj>lvJ8_Ym@LF(0VeY?
zIS!L~n9Rjw4koi94SSS6T*o-0j#aQPn=v^blk+e+7n5@^IUAF+FxiBO(PnMHoY7{j
z!(2BeWkk4NWAZ%gnN|mbkO5K=WdIOM#x)dzWBcEKFannRLpklhy^{m?P7d6wQI{e+
z>S9cGVzL7h+%ZrWVs0BITQS*!2`;A8`5u?U;XV)jJs15w3;o@M{%#Z;A5uddO)l2Q
zT*Um5d78;Hapr2~9>=|o%N$M4S<bKU?>iNzpKq`JoN4C?&KBn=C++x9|24w7FL@)k
z`$^_(qR!Y)UN!VatL(-%e{cQ_T6!5}t{0WMOK?Ct3-40F^?vL9%T_M-!~Fq%xF{7i
z(8|ObP$F;Da?j@d@VZ~^>kJ&g)`~||c3UsG9!02aPV+B<JNF@^#agx$sqDs=T({vE
zc^4bOp8&z5%M6UAr{%RU=Akg0%TYVnFrlOnR$K8C1bF#%l)n5r&a(VEiUEQ3lJrrd
zT@Gq7>B+uut(Dzl@Zxe4PGy5Nz3R)1Sbe+*#{>LHts}7x@}$UdZ3}dze+|D^wy@9+
zH{NTxbg7L)%J9rBp1pb$Vqel^e`_OPBVZ$NAS0kub`M4U09I@qF%F*5jK{)3Ef7kB
zf=wt9mEmglNG6borxL+vIu?zj;cEBY_}X}5=WPrq-^9WxEfs_97#?|t_uoet`|rDl
zS^An0hw)1&z6#o~%I<@ZB|gMA0w3Z7+u@bn_|kc-0x+Vc0<at3E00wGM%1eSY&)j1
z+lRWEodvwRve$|}y>?}gZqHy4+JiH7|Hgf)zV&(fzA$*Ox*`4S1vk=b+1sPU`o&G?
ztxK%>0$`@QQ}F1eaiSOPd>T3rEq*vT*jdPf-c?yk>6aJdZ%Q!4v#`1vQBCQnc307U
zI5dn-0;3&Se5_9o%G_nFsXXaNhKc>yn(L~SxigEcQiXgPw9#}uGBY*%a-0~d->7N@
zwbIQ@Ww#&ItqN9d7-i}R=r_@3vPDhXi0|>z%gJ;@%?w6uTB4Zh(682lH<e=W06{()
z=;|((x^;cCL_UD8uZKsmfPveC)+I`CA6TG0S4bvu0Z@{IlY(G?%eVDQa|?N-Qm~D#
z?8dJM?KlsQDGw|SfWa&6EMGEj#mO_5&24R6R6P&d+In&}4~Jhtk!N;y5f0&&Pr_F|
zwYDzn&bPw9sphUfR>Ik1PnP6U8uF;YEwJc0EzlZ3_ko!)K@UbX2-<vv2x6tH1Whso
zlaTjFNeFo~ahaCd2p6t3!#U78tHxfVuXH^;fMIEOGM7!6pH0GieGrD@Ia($GuY)1i
z1Wr~T;j-Jc<wBR~<$A2HiIR{q%mZph40<xRPZ|@PdlYqt>p@DoPr6OIPP$y$CT)<`
zNUhRh=~zjXCQ2hDM*LWOOMFTEk$8vrb@2&!C2*NIM~sM5#L*%z{6lzGcvW~tcv!ew
zxJtN0IA6F)Xc49f<AfoClYgIooqvvhl)sn1g};`+j9<rh@Tc%w;C=wF?<3!vz88Ft
z`|kJM?z`T1h3_IbeUS4l_095ye5Z47b1!pGaSw8LayM{Sayz+mxh^irt>ETyQ@Jsm
z$i>)4*n8NU*=yKK*$P``Gwdq%cy<PyUGTGR=0kQEoL#t%xt!U?Y+%+ft;}NPSVm<g
zG9ws<{+ND?eu;j9{t<mPou|)$_YLRJ5qb(en&!R#@V@JP)%%S1Vej4Eo4i+fPx8+9
zw!n)B<Ge$>PS5+E*FDd99`)Soxy5s>=Q7V0&pMCnnE-brdfgwn-*mqKcO>5LzTJJj
z`wI6(?oIBT`*inGH|P4q^|tF}*Hf+sKegYTt{Yrex^}wGb#=Ltt`)9%u9$18Ym7^D
zQO@_AuQ{J}KH|K`d9(8x=cUeyv+T?`S2>S&&Tuw6{mx<5rWzI<Zzp-1`_D!|aF2B0
zSItIIJFh0Vs|fB(1a~FD?IyS$&(VALR%XqY5!B8v5Zq-1_j!W5l;AEQxQhvHC&BF?
zxa|b@S%SNW;4UP%Z3MTK;I<Il1q4^|ruP-4;ndD^YJLKDHo=`maGMBjBf)JTxb+0L
zj^Mfpu1s(xf-4f-nFQBGa0P<P6I>^~eP2-;M(ymV`3YP*!DR?eBe)d7B?&G;aAy!)
z8^N7UaHkPmE5V&gaHkO5YJyuua3?dj?JG({sGZAdegbzQ!7U}YB?PyK;1&|x2?TdM
z!7U)T`2=?y!ObJMxdb<d;ARutEP|WKKD)0diPX*+H9vuCA-FifeTLwo1Q#K=Fu{cg
zE=X`H!6^hM6WnxyYbLk=!A&E$Be_rZ6(ye9IjQC+a1#mcaDqF6;Kmc2pWqH7xN!tG
zmf*$^+@S<Fn&1v0xKRW*lHf)V+`;^WeMO0*c1krrffET%Ah;m}=OZ|d;8=oV2#zK=
zFTr^T&P{MGf^!m_gWxDDx8t9}{C!1<p?3VW<|l9;5!_!0?qh=cfZ*OIxc?)#_XzIK
z1otk%y+d$s6WpH&?k$4*Bf-5%aDNc<`-+m6+VR_(pTNCJaIX;DYXtWjf_sVJUL?2|
z2=3Pe_dLP<ir}6jxL*?7vjq1Gf_sMGo|YclSCrh;j-S>11nx0{`zgUaPH;aVxJL-?
z#{~B<!97H94-(u11otC?`ys*IPjEjVxcdn1`!&u*?YNiVzDIEP5ZrfRmJ-_2nF{Cp
zgu2ryQqp_UYtpmQBho$6&C)f}rBX#IOU;sB8Ya2L55+gc=f%gw`^4MC>%_~&ZQ=%T
zjo2zKW*%YgVQyxwVJ>AVOqt0rtC-`N8B8<dXWaCM^c&1D`g!_tdK<lgUPHIii|J!&
zm7YkCpc(JS-nYC@cz@)*!~2pq?>)o2%sa;$@lNrM_VS*8c;5BA>UqZVu;(VvRh~;c
zcYDtFw0Nd@#(9Q#obLDCue+afKkB~MeT(~A_hs&N?hf}U?k(=&pbqwt>rK}SuE$;X
zyKZ+~@4CWuk!zDH=Q`cB)HTZ$a=z_++4+?7LFb*$8=O}<cRJ5?b~%&I70!9ism?J@
z(HZ0C^DX=|ejGo9clzG<z3zL?_o(k)-z~mteV6&R_}2M4e5d$^`@Gyo+?(7B+~eH+
z-0j@;+!fqK+$Ju^oz5-gW^p0*ZT4mMDfU73PWA@&N_HoEF5AT>*%j<OHpWh6$FQP!
z?0)~L;zV(T$Os<`ZwW66PY6E}?hw8%^a$I9vxU5HhOkVSBSeHL!f1i#|G~e@zsf(u
zKg{3F-^5?VUs5eKweoZXb@6P1vy8*QZYE(jhv1GOxT6W~D1x($!@y6=SPQro!lh+Y
z26i#R&N3<kJIkmHILoLEILoLExS)HV`~Qj5#g<VSaF$USaF$USa7Wf+4ct_MYa+NQ
z1UH%BEMqP3#WF?%ZX)6GaDtmaaN`NiGDZVmEMqj_#(DO+|DQlzY#EgSXBm|NXBm|N
zXBo`_H@p^4;0_|VVFWjn;4EV;_|7s$1I{u=1I{u=1CA$rv5e8c&N4;=&N4;=j`5zo
zuRWWey4Y0<9XJQUSw>}kYUe)*JExV~`FDc*gy8;0aF($a_-PrV0cRPb0cRPb0rw%{
zi)D-kc9t<3aF#I|aF#I|aDS$++gHrSQ9CW8GT<zuGT{DDizjfF(HwBUC+uD)xZe?+
zWvm6?{g$wMmEc|>xR(j;Hw0%Hqk*56F&c1|F&c2cX7+i;JBHe68KVJb8I=L|bS-AU
zJw<Sq(Hz)4LD>DA;4EV;aA_H%0cRPb0cRPb0rx23i)D-kc9t<3aF#I|aF#I|aF#I|
za1XMdQ1hyN+TPPz%%)KnZzH&^1h<9YDg?Kg;Lazw^9b%-f;)%c&L+6C2yPR>Z6vr2
z1h<~x*7^3i|C>r(d}hs0;JOH|KyZ12%MsjKf?GpyS%T{zxORfe5S&JEX@W};T$11t
z1a}61(!RD*Q>cqit@#PuDFnBg;8qdb$pp8O;8qaaa)Mh%a3>PnQi5ATaEl3U5y34a
zxDyEOc!FCX&2W6Q_w~;H@<2tPRtiQ_JAXiMmN_oieV?$qm*DOpxbG6&-2`_R!QDx4
z-yyg=2=3bicRRs-i{Ne}xLXPC7RaT&QXQ`O0{eA065I_0_YH#kI>B8}a9<_3>j>^E
z1a~dLeOd5sp@vbXQobSF-?(3M4{$efWjJ@e$h*?ZcrNf1J@egfxPR$>*zE;J)!#hv
zWk=Dm+A-e|bsXV1*r6W}>V0PFLeON7BAuU0jzVfSqxV{$Znmz@Q(j&!X4h)yo_hU$
zh6VXGSp5nq*F}PIJQ50P0Yz2Qflw-(3?!3kGN7tjC=*YqnM6o!d~sF+RP^C$resco
z>%=<?WeqNI(4Xw{!}}9RX$Y&8r?es{ujKW6w&3Oq&?twOxU(t!8gl)eHeKi3`cNB=
zvEPVtQcHlQRjHo~x8NrHY<DNRtp3<SE|Gyi%7uLU^b|^Y03Q8@qz7>P@RNe+Qoz(l
z3#f7=7**4Xl9utM9kus7klr2k2K#~n!3tGyH&?tah+sfbAOI~;$|oSiatFL!2r!fa
zS@>Vq-kIJ=3vZws@WbK8ijDeXiv@TteF-GlKOd)gntxudP|U(viDiXy$29-UoVK=v
zPBfGgU4?bi{Do2~ttX<hJD)9YtX(!1({Jbx%3Nn5oy}ymbnV)HIksOf8mnpCnfiV)
zQyB=W`z^(nh|El<L5Hn$ww6zq^t<g_dOz_oD<)gi^gyvsfA?c{ban$_EVh5N_Ih24
zzxgwj-4U#w*N&^Ish+n#3ug5N&HY{^;S36XgbJTh8LgjE30X9UM>BAYB#08Y86P7V
zy>BXiy%2=9PDKIYn`cHhIHh9V`?OoJMs4(Fs<K<gaXS-(ZyqiB*ELNGD!ZrSIABeZ
z(L?v4N*-C+jbA&*H!_X(_TPR}l<Ox4>WIgVw~c^}fPnxU$!M}1$rz;{$%x3%7EiG>
zc%$G>?A?=*03RJ0HBMHw|Iglcz*kXh|KEFeXSVMGA_5{_5E0OX^n#$$L6D9DB9L-{
zKuAIoIs(Q<36O-EfQnraeWE@EE7(Ovuprp`54+gA|Fh@p-MvX}An?Se|3_{<^F1>=
zGdq2!oH-|ylpacm2_>Y1fL55p#H1&rrp1g;&P+^*PZ*z-oR$VxN7`Z_x;oOdMMic?
zR>t^HCdkCDY=ckezDLuD`yQvDJKgtaTJydKTsdit&*{oZQ@nDrXmUwqD;x+{^d{c$
zBc8O@pMe*&C<p6P2GQqGQKi8~Tr2%EE~Or1=K9z3@4L58s?QT6ZpKENqQVt`BABv=
zfH@uKYOb0&xIvN<7deYeNQSEhwPulV9pmDU_AD|!vBorVV5YsssWxl0?|6)MdGbBJ
z{xCCr4X%D<>aQkk_V6PhhW?01dW49N-%TyfT03;_<X$cyw)==6<YTnU(O>gX1Z#iI
zM|Ql`IsBvfsN;<gmRR@0Z2mRFdi?%1pV;rEurAmC!Mr#;|24gYng1i_^H2rhdjJQU
z(c?X3T5QAw@wRducXJMU0oqZCH8E$xM77qu)zFiD%~(4h_gnA4>Hi(pENh}QMEhBL
zQ(K{xXd{)olxu;*{&?Pmea4<+_kbKZTQ}fYtX-gG_~-xK|GEER|2qFX|B3KZeLwm3
z`(E`u>AM~D=PmKg_T|9O=VQ13(>|1b;pnG$!_j}mk-tGt7StmTeJtd$68Qh61Yl}=
zK28?tws8x4YMYh<uET4&Cc}hx7`oDKL<@VuI}{yg!rP){dU|GhYD!#MOkxPGyC!9h
z2aN;?@u@Kh8Sx3JS&8W>8F3+)@RE{Jn((%00aM+i@#C{H(_q3o2&1D3Z;OZt??7~?
z32%!i6W#&%oF=?2aKa0-;Is(G=ID6&?2^j!a2C8IgtOolM?4E2ls_X>I20rV=LTUa
z0z!fl6M{o%n{}AI&6*wT?rgK-Hg0`N<}jwg5pR#&+s*d&c40?1oGx2iVbr<hpELVS
z>6lq)-&&mo*N$UA`)EvV23%Rq%by;~g^k_pnBq_d+*X|cm^CpkXX><24P6Rw0XC&$
zLh{j`gL*reL-Bqz&O18Ulg<LWDvRu@^pt?wH<7DfaPBa=(5Yw7SJZ39#TgS^y#tOC
z=!0$}yZU2mP2ba!YdfXXF;yC#HyO%aJ?NxpMoDFV+6)^@t>4`ZJ&eW9kySU09sRI7
zI%9{ulX-5WgM4Z0lFGiAx+{_?b^qB`W>`gROc0t};VhbNB01JRFUWIMYS80gJGh@c
z)>hry$y<BGgclz%L-D5k=#B%!H?Bbgi6=Z97P@J+)m=A`CIZm0n-Lq?+H8HH)f!tw
z9OyZ+$${s{7S~?Q$;%GS>=d+b_=9}zi7{~c0%sQ;R7^AoMymIK^q(jKIJKm*57rx<
zeYJ?PAxupXD!6xK1vl?iQrQa~=2P{$yTK7Duis$StfaCh#zY!GTT~Mzm0D8S10QD4
zYj{NT;SsTpks3B^Px}Am!+tCu$4cN&EdiJlo{jyAW{S=2nPRd%Cp-&Xof9g1PS^z<
zXinI?Wql5?VNTc?1JRtYd5i3n^sMBJ<oGz46L!KUG$(8xF(*t%cbXG6uQ?|){M&s^
z{bPKv_FoP%&QCG}#xq8lae=m08?T%!f6TAvc_7QboL#_90{Qcg35$e*{xbg<{~1U2
z11*8oe^2=8`u(Z3@@GT_MU`-P@pLS0qWS!O*)PlSC!WN`zy<k*lgH=g&j2k@Q*uxr
zRM9lt;<IPM`FXjsVoQ(55TJVzLmV=InBsTY_YW^|$9(_!C6HRGyA^)=Ng(jKcKsCq
zt4Ln)Sg8GJp|Lr@9zYeJTB=nGDI7*fwOYt1jjWD$rj#mfW3y9R?^kls_kVwW;r;Dm
zOf3~7N>)6q+7zmVtbfs_mIkVYJe=AD4XZHN*h9zZCyDicC4bd7>8~mKgeCLb%(a3B
z7bSB!MPp&wJw3w~*-1Ske#ymdzU)A?TWReu%CMS3P5zn;9(&8*wFDBE6uM3Cl;}+_
zyxfZzl@pdsb=#gDs&?Cp5=eXISmXP<HiQ38x;icy?>0V|2SywBYR&_fgxrQ_hp64~
zY6LJl9h(RKcPcm9TT_;dhU!yr;tw;c`cDH>mRuMaFiO4GHJ4j5Dl%Y{FKZnElb4Ld
zfHZBWe@Y?S5y}ao6~aH>EoI5Dh%y!HUp6UAhDHWFoLU?b8Srpwad1Q}inWJ}I%?nW
zXZz0Zea}IrUkh!IcCGq5$lP134pQRe@8t*O68;!32Yqvm{X6}YzV8JVcs5WjOy;Mu
zPuXUFyl@V?f{kLaa4Ub0xKTb|yiz_%`bpX&t%n=`!=&b*)y@6Eo%rx?iLyjs_Kz);
zJ~T|L%=ciF-%)HnDWw@uTJBVt)w{R?fw<+p+=6a(Qj~%&hT8#?LxmBOh(N%XeAt;u
zC>?`Iw6_jm*2|(ah1%2J_|l8qeA$6&=c{%Y;RfIG!%p4N3y@lx?dBU+F|7WbF10kP
zTFCnMy42FlY9XVPbsgPDY`2`oYkTx;7_B+PCx_QDDWy4X<-j)~O6An`lKH-ZqgUXy
zV@@o!2O-+Ef=O?*rWa+_n^0<xK-8z~P_^4$lt6r}Pqq^fESmv=6$mba9wJeY!l6OS
zY@V&7JU_2}8C8-~(oy2~in@K-S#DaOR-*LM_@r>Pv@c6OlwY?B+m|(r^c$sxMaC;1
z%C8%5yXAJHS8(Yby%o91O)bsEXzh}+ThZb4kIB_SMoE1g4KTHIQnirv?;re!!{0Ks
z$5(gDG+N`UG4qWr?TI1mh5=LMC=H`V042u<|EJV$_|;re%TIC>0t1ogHc4;qwvOUz
zRo=o58E(uXbAx)VxmEdz)%-+j@u}sJTY?dt;*co_mgAP7a**!SsvP(J!if~T{CSB?
zDVqg}49{XcABTK@`!Z^32kEO34Z3qgIfJUaaMwTNTT)BUtQPWc8g!>>A?x3uQ%ch@
zq@6S9eo;o2IvRzR3ha>ol)u#Sn27R;Xu$QTlcdOyhgF-2)j}RlZ6;I;c{sHhk0Gfx
zqkSjps7+n{%eG8QW8KWblrGv4Qtdfid@0qRoi963?JiY2jCtj;U8{de|NLvxnONG|
zZF(@Hi`Mj_Oz9FzTe*G84pqDDMF|8#$7lUDnL75CY9(L<KJYaT+~5yv58NP*vc9yQ
zFg`clFrGE~t3KsZ<yqx!rBcaOhALge7sON{uli4XSm@z<$sh6$^LO`m54;tQI`9_I
z{>^X=;J@%E^ziTgFTD2HE00zQ02|wA<Y6H;wwBe{*iJ5~ybvG8BO6;w-lKp2VE=sJ
zE1sT{5ky5y;={hhM=NcI7w;uKN-B$xce7*`CO7CZ_kqZTU``$|Eav8t(24x<pdHdy
z@{>QUIA~|e&W~g7k(*l-1n%Lmy=Ptqh_A>F!fXW?GvVkIq5|H%32@)7aMl@)h>9$b
zsE`>7PAdYB#rcjR%1|&XKihsYAgD>4SsaA-+G*+0r~4q#2~;>8B5P-BPXyr%ARlAu
zG*H!(-5yH4Frw6h4SRs59pDztFA5IL&6tt_!ZF5{R9-|(v>mBt+^l8<A&nFBF%`LX
zO@(tuYO}(6t)>+L^C{#q2<*i9S<`G~nvn8vu52BfKJhnS!)i6qp`>yuri(6b203OU
zvJ@lB7<L-YsTTa0<yZ+ED}iGrP|p$oR?l1<ZHU#gC9rzNr=|j{=VWvxR?n6;tLG$i
zAXd+oEi)67;}YYNl44TgvOra0=J+I#Rg{$(6H3g^OixQqOG`^g1Xj-+3`DG+EnCE8
zB!#jvvy;<-)pG(qAy&_p5v-o$(VbX5Th?UtgquDgd`{PYTH;NgD|(kyX5%njO6=w>
zkNBof?GG>B=&4U;593D9pZ4*He$xkT7lgucgW@{IryS(!4@$9_S&&y0%0iJ!p_v7?
z+#<NaGX*||lQW8E$H4cvI3~WMb2}w0{-zit0l_yK0}bs4dZR(fU3Mt1BYb0vrxk$^
zqqM}-q~!E8Akvc(QWN6hj`E!!_d14sn<pk1pHNduQGM>EI~Tm2>*w8JHc^<LJ2X^0
zdMHdHa<W22qX!J@F?4hfm_K9{=NHa$oO{kJ9#mZI&U8H^>R*)6BQr8|eJ>f+d5;MC
zZrzuL@@m~0s&$uoPDy1J&3H(NQcL&R&|x%{BX1-y?qp*BcE%n1>QF|cgM8`GlFD(I
z!YiE->mPM>s2w!SfkWKJ8lPB8zaU);a)c(dgNs46Tcg(;sXf-wAl<i+4#axI6VV<I
zsoO8gP#NA7fx!pHoQzzMHfLYOf*XO;ibF*pA4CQ5axgSy<jtzp@Id&~Sgh!?X{H_h
zu94k>p-GI1Y!c0lKn(EzZ}wZcRySj+o}-V@3P4VOy3|ba^Z(;_@oV`KKFzw=7;Q8$
znEtvx2PEZd5WxBQzVf~8+X+ATYg<x9I(#7+<l^uA*PdMJv;AZ1`R)FvdON?QssRl$
zCt+o`b_W^w4oxcrfq1a?nw*h6J*OzYun4~~_UO|QWE>WEbOZ*%Cn_f|W(wTGEu7_k
ztU4McRaQjXXbs~>6)94t0j0HUZ4mqXQ_JmGx{sB>u@d-ult81BDgj3tnuP@IbyIu-
zxCUyt#-%30Amoo2m4dLEs`8-&t)_x4)3Xzk5>rATGb|}J1th;FCB|fAWo5*q!{RC~
zB{O?`Vxp~hem(}G)l{%WXncHDTw-cU60D{!#wWCz3P!A^=At{Trh-vcQ*-b+t)_yw
znp${LN#$%Doy(kHN4}b}_uuN;xFS&r^~m>OEUf-!8<02wJNPE#q1I-J`Gv9Bp^o-y
zEH@`JCVOI5K@9C^#$?gHY7EGufKQ<#N0{U-&>F~{hTFmzLdCID!uqpmsh1Z63pI$e
zFr#o*$E>W>gp{<jq;}K0%qWVDk82;BQB*J!GvJBgol=yYS0k3}5J>QKW0?Wh)<G>d
ze4|m2RL6{r#FWIuv~-AddQogzvJ<PjKuzr!m)tQv*<Hrg-hquK1?`{`7C;hODoG%V
z5RL{t^C&MrgNL!abQhC$)37a}!qJ1myWT~kBlgE5<!w1j%K8O%Hq#F#m@6Z<C<GHK
z;7gkhb91Mr9r>;Y7cFr~R!QY793d`Er4s;m{)UUhBWtsNLTe32@h7!YSZK_|;gRN!
zL3=SeBho?kjV`G&XeLV{d0YQyi_s{nB5yeYcP(2-Srxe=d8@RDw6$*Dt)xmthZ!`-
zc8@N?Lcr|>oPBg*i~kPg1<!Lfe1a1~#YN$hmF$KkRSL#JpNQ5C^YZgTm-a8IoQ~PP
zQlSR$pJn?m7T*z{SeN{cT5E5&w~dbItC5{GvbSO%vWH$;Z`V7l(^(I_;y&o-^gmpD
zPs3WK#dq*v&8)IGqL~GopIlNUqXV5?w&rd->YEpH9xl&d!Zz+`PTExC8vi2UeIGkt
z94fx8e`WMDdRRY!Ho#9oAK;sy5%2|&46q%v0^SXJ0dEA&fNMZE;3BI;zeqn{9|-#L
zx`O_=Rr)ghN__!n>$@KG^{oPpeOIyt`YbjJ^ao64+3X@Vko5sQfJ;GB-g3~DcL`|A
zD*}CapXi0^`}$_#58+3#wb&mt`E3v@#m878==wVqwEdj``u-GsBit_d1+@NsE`G%O
zftJ87peL{+XbNlvx&n{mI%n*6{Re9f=qsFJjkm^HBdo#JxmI_pvy}`Q3{L|chRr~W
zp$2*ke*=AZ<)9JoQqYMv4YcA-0KIr4K{H+#(2Um+bmO%G?Rdu-I_z`&u73;~@?HlW
zdC!BEyhlJ!-u1%!!U6F_&@yO<T<j^Pig98-XdcV}-Gde463{>RZ_r1$SKQ5h0PTez
zqyEC@*(0F4a5L&ZoGN932E^g8x6&K5Af|&J#M40&;z^(j(UN4?Yx$Xf0~!%O1Z{|~
zf?mXDKr`Y4pd0aaeiOfjujS=@F~5}0<<s~CTUVm0D!(e<fu6ztgF6-bfJ?*HHTW-(
z)L5mg0DXg(qsGA;<wDdscs6Jqj0e4grzpoOrs9)-l0TI{kl&Q|$S;8Y#_gcN@ov!J
zcq3?WTmyO>7l9_nIiSmN3TSg23;G-fgGR^hpwlrKv^t&!dL5g|jbsh9JN^dx9lw<J
zOYee)$Csq%q$i|@rTe5irCX)zq;;SP@dD6=*cY@Ro~b6OF=|`&WVI=1One1&CO!pP
z6Ssoi#M?k~;#Htu@iEY__;1j$cr$2OtOPxaOF+}&#h`03AG9rIfWF0{T7Rvlc9xc^
z#cA!e*4l|$WA%VO88kI2!Y5*T@htITaR=+lI`NS_PZh)m)rR8DYDjreGn9ukuH2&j
zq5i1-!d}<DWlw6KD>Jl@luYey<vh^txLZ$@=Idujlk`)S7J5rX(oc}TwzWU%*<A1k
zm=;5Dh7FtzCKyDH?FrfuoJP>r2F`|{%?Od>DFm$vS`h?o;A|MdP;!K;etw@%n(vdK
z*VlsDN;ZT~d@br4AM}kF3&lSG!MulT18oqk@dTJk&M*m1(yQlHv?fsSe^c<01S81t
zUb10EL~EjL6V2J=coD&9f(r>o*&tduXfy94$8iK>3C7qUT9XMTp`*Eto;k_I8sg@|
z<RzE9Y#}e02+lCoqFG8_W)aLJm_aa|U>ZRYK_S6Zf&zkkf;@sLHgNNPg019u0m1nQ
zCY6LWoE)9v!9o@-Y#*Y94NA0}>cBb@t@9{Ae}aAl=Mwa_fip}lXT@a0RCDt=vSF$@
z!&Gx~2RTylFf32bs5}`~fM{KAdl9Y62reZkA-IHK0l|ENc?1^|%q5sZ;MDu`wvC$)
zAh1UXwv*$7WOJI0)1)?$<81^R32r60ncyaZ>j<tT*g$X%!Bqt73Dy#<Ay`eYieM$d
z3W9QiGJ;ZqB?OBJ77;8YxRT%s0xUt!u&_A8!r}}Ii!&@N&akk!xt9W9VR1%<W$q!z
z={ATKb}rExfsRUJg5wAp5i}%dKwuG=1O|alpb@A93V}=@5pV)V07`VB;uL`(K;S3v
zA;^Ca{7&#2!LJ0r5d2K=6Ty!JKM;IR@EyUo1m6&RO>ltVD}pZxz99IV;4^|x2|gkC
zm|#Bw&n1{lFo_@s!F-EsV+bxH$2Z7^eUtOS<oFsn_9Ey>(3#*&f=&eK2<D4qizSF5
z$6aJ=P0)%Qcap6M!SMuCahxiSQ^j$rIP*#L!l>jKmAv^lIa1LvDmv5YaUapM4+$uL
z>~*qH#@IfznGca8CCPjQZ5m}$OC?(hg3^NEM1tl7%?O$joIpSs1L4s)7Hqdcw8jyP
zCBO<0Evx|18cmKD5{$BeYyAoO5u8iVo1h0lcY<yNXA_)7(8UJP$|A@>NAoIzrwN`S
zc!J<D1cO?SLG8sDPmUN1H!u&}z*KXC(rH{kUWO4+>oEq9%}M+Ov}qKX79v|V0i{f%
z7O7zoaLp-#k>rJj1Z_CksF`Z?B5e>ko`+z*Oz;xHZh{vGo+o&g;2DB<2<{?yo8V0X
zYA>eKP+ld+R|syiLA0;}L<=iGw7QbxIRsQ4=DQT&26D_Kz*LJ?AF^SkidHYOVOJ9^
zs$zy26Rl!;MrFpRF|fY2BWD;3XVf$p#=;rK!kH6`lg<tl%M}z3)5#g7lTou_*lakX
z9>C5dpPdNO3DO9#cZk**woSB7C&wg$M1ll@c!D^Bjs!GLFd8Qq#==>9de#p3;>XlA
zy*uXqpO%1K$f8wAu$EvA!D@n41S<(v5L6J96O<7wCs;<Xl%SMg3Bh85MFa~8t|Y)#
zCtBF*L<?J;Xkn`pEo^n7g{@Asu+@o{)9P?c7OiB81zVkHVXG4@Y;~fAtxmMC)rl6i
zI?=*bCt5Lv^pLNSf1?l9TVu7ewbL|1-3u$U%~F+gv2>!O@^_da{wjVdUhUuL{>uGR
zQTt!4?<fE1zB&HR(nAnUwLkH)YSyTh$9&DAx=RoFn?!x^KkayVeo577xN*2-AZ{GC
zIpVXWAt757ZgzwyTs%<9j!#X?NXSkF6^iK@z?PVi6q6PTrNm^XgyP4Cva*x26XFi@
zK*{B`vf0WrfPcK^i@_aKvJg{x=Byyefd(nl!TiGDl#JXNAS~}7$2^gobXgN^jg0vP
z6GO$>9xENFgaqv_iAlgkm!6!E2pI^g9E?;R<7t0M2h}ef6B4Q&on&Pc#)7`Y#F)6`
zn7Fv~qjVb5BUF@Cm{VY1bq8tNjzHyzD)P=Vy5~<R05%}-<w{@<cF!*?$S=g31LQHh
zFKq9r+JBB1Z+D;7c0)}t)dekkZ;9dogcgPlF4P+@CFJE72kG_oW2b{`gC@<4+}hen
z`j%9+r6U5;O4r6cEIERjhm+(}Beq}L*!(S|IEv0F+Q^p<D5*My_U0X@f5P5;y9goL
zk&P%UliRKG2m#NYNNyCT9d1!>dm0_tpoq<`-GG6^g6(pqWK0N+Eyw^>mNtJ~^~U4A
zi8k@QhvA0P9{vs?o;%9e<n7MK9|3Dz6)E|m-T5|AcIQD1H?hW5wTf&W&Bv5f1*!4H
z(0J>f0@+99f5ynxtfcB>d?j6MYE$E4Q&r1|!+|!ucFFjBfp7n(zlp~(|36m(z$MfS
zy9MzMwYJ4;$Jty$O(QyQYnw~x1au%Sq1G+4;*wI+fX_ZAIWZBqgi^8+V&F1GC?+#0
zD=jHAD-pOYK;=qR6AVOLLake5#HS}^gfbEn8<$iy#wWxj)Y{_`syYtciQT7lO)jD1
zN~#*+^Ja9Ad;+P{UBpVN8sgYeK8GG0@m#L<ks;3I>XY5Wn9Cj3x%WXPY(@Vek7~7f
znWHqMC@wB80Y5zvTr1Efsyo50%1~iO?${}yZ^gb!Sp6xe`i2`A#W~;sc*j6vv-8-Q
z`lZLjCBf7$>Cc<`fzoSyg+0r1l}M+$PGO}h5gPSCvqo`fN@7AaWfwGE11=_;86n<_
z62tcgH(LufsBW2_F)g<^D>o+=yjBa7P<NOapr0nAfP&b`wEr-Hp_y5^a5)p^snyf#
zyw7#C1HcqBuQ<CX98axhph&PFCo#cGmmSFdgMc|xAiGhY6lF{S=BucWKreV^224}k
zj8b$MVNv1qYGn}lXku1=Vf0XWphP4uK5B$ng|iBZ;Z0E=0@rnZUbXiX=S&HWw{Pfn
z3MR%;6RUM;1=c-tgL$Eh!eF>oaZc@665I*4TM2c{v1@Q6(YRB4hOG)ad<OzAoDq1#
z`Vnsbe*|a#FI&%Ak6K%;JFT1HynmHdYF%p0wx)t!z_Fkqpug44O0#0c5S)7t6nlv2
zVytkQc#7B*&cy@54`PAU#@u9HXRbAunU@J0g=>VBpfg~eP-GSe6NQU}AwqBA-@-O?
z5NI0s(fC68QTkkZPkI$jkhhz0(!J7c(gtajwAlE-oUJ{hZPV_9li?e+^`MP#v37|z
z6HbN4YooOxS|2zOPSQGPL9L0VYXS8~^$Ya_^)+>u`lR|GoG#y@UahVKNrns5>A-1_
zsg6(ws6Et9Y8;$Jw@@3Yvhus~t?~(+pYI7AP@Y#FQ?|kh`i;surChmExmYPua+I;k
zaHXHpRY_4!SAuYQuF8MN-^w4$ZwW2rm*DLDA^9%(=D;t359Rf8xqJnjn-|C-d6Ya*
z?qP=HbT~0TMQ$n^<|wnL956c>`;48&W5yQacJox@I%AF5+*oAHGp)c2oU>oq*K9v~
zlfB5EVh^&->?XF3m9fj&Y?jZmh0mn<>_XOCcu&|X>|`gi<C(_%;t#+R@xHhZBr`n0
zy0Ap?0dcd?nYCwwrD@_#;yR(Bz=e3ROuSs24LlHk(;uYK`@JIU5PAu{j(Aq1G7!5J
z2#8GoSKup|fdH(4Xmk&|3c4gH;6nx<Mi0-`Poy9U#w9Mv1=oZ2rUFsHUZJ49;XXG?
z?5LE0AR6;z=eel&@yKo-+1VpgJhFpFw(-c89@*3*8+oMekpoQk#lv_5pXjD2-=*?g
zYKl$Cc6xh;V-U2TJ@Q+R{K6ymd*pi_xyK`SdE^d{d|Yvh>|u}G5>Bt6`@Dj@+#@gZ
z$V*+)|C&qsE^)JSu}jT$saY;H)1_v()O44c=2FEjRpe5IE;ZGq3S4TwOU-eq*<p&k
z6sC*?vfVuVf;fj#4+j){l1Gm5$RQrtD@=;KlSjsSWNVLX5+((%x+MGEBfs{@k0@D?
zhSywbr%OHRQuk^v`a?(D`;G;yUkOlg3$Q0|Q+AiMIv7rWVfu9*x!xmJdt{kMF80WI
z9y!w^3q3N|BgcE>IH!?-q}9wYDe40~vad(F1F5KY@my0q@^p_p)gw>#$YvgSoJSfi
z$rD`CSL%^hgh@gB#UsD-$S*zeV~>2_BVYB%-5&X@M?T?^k9g!(m*fGL^zU;?-vX!W
zh}zvQb-PR5>{8dd)H;`1<x<OCYLQD_>Qc@~7Z5dPECb3JnSh!c_QzhN5hozRaAbe3
zV8F?7sf%1{uuJs}Q*5Y94RI;g9~<Pl4RomiE_I$uo$F8{Pj{&pmulrw$A>A_*QNTn
zRBxB+<x=64imZq0*4?GfajCOi>MVy6xbykp0{boO#tyjDhc4B{r8>LRnJ(4IrNVg=
zSeomW>QYHAmFQ9l_Dn>9`q&pHo(~h-!^FSCM0}Wt3lkl~L~NLd2@_|8iS}Wloq4Z+
zQ~idaW4`{|B@iA*n0~!SUS)<SNA^6n+<UOZBj<bMERQVm$SEE<f!ZO&bxW9%VbH({
zEt50D6wfecJCic|y|;Q1tntXp!@hNAre=H12tOC~3!UepKFV_(?ve5CbNKX83iLa|
zZnD#7MNv);yKy&!Z%NqAcRAEs)?w6LH_vaXN1ox4tvoV(@=R&AmjqWh?-g_&rsRe$
z<xY9IKkVk;Yj;M!Ulit3uN1Yr!o;R9aZ{Ms5GJa^#L6(SEKDp66D46{ZkU)JCJMsD
zB!`eb2otY|i6<R`?Uw8j$uG`Q<(K?opp;p+SXWsU)|J*=Sm}?qF0=+&J*`fGQlWv;
z!RlzWv6_MG|DOY220jSv3+xO$7T6NFJ#bxMjrpVbx%r;?s`;F`-MrVl&D@}zY>qLz
zm<i@-W(%{S$&Fu(uZ$0k*UX{jD&qxnvDwFX+}LW|Va_*;mBvc4qG+#Z+hLu5yLLVB
ze=pZA*DexT2syxEAH&awm40t6UTdp0(3twO`lb39>@vJd`wB4a-J;&Eu2D;2jXzl(
zrw&)!vu}a-{w?+rdzw9@9tW%ZuYpJY4Q01-BfE>;47U@?L1V!jSmjqJ3zhTPR5k%_
zCk$nM+1V_aoz7apodbgj;!on2;)mkv;%@ON;FNz#zFd4z+-$F@K_|j&IbY6}N6G_$
zFFs9<kz30r$hy2)zDf22PyDCA0soHlinK#|M7l@1T3R731Wt-VX##Nn50-jKXG(GM
zI=M_bmA@}F2i|{?|HQxGd-?Og@qZuR1o9SEgT#de!0A6p{$2h?-VZwv=fHkMp)x^v
zQh7kRQ~6D8sh+Ez4Se;NsMo=s$3AtZSPne!MPiOPRva$&6Hl=|75a!>#Vg^iK!1B@
zM)*PaOxPnlD{O<kmqped-WBdpoX&&%c=m_AH-q~!orQRz?O*ykQGlNxroYtvye_vQ
zOp3-e9(lD#UgeSNJ#w8#R(WKlN3QiqXHXMF(OB)dt_qWau@bimV13Wcd&re@kzMPN
z8$9wF$1msRzdctck#?~4;iWk@@AW)5$+0~+$>FdSqLT;M6)~Um$j3eM(Qpg`bCM3h
zn3HsyT<LiTmn1~C&2x1=Dz@J;FW!ee56;}%_5j1Kz0CnzRBsRk1#-VjZ3#a$?+a6G
zu}e9#SqQt(b-U7~U|@A(hR+I7=GHL9oShgh3f3?uVL%S`NN3q>dl>A55-pgjVobnO
z?@};Tb=+X8>QMb%s-H{2^woI^(^7|mX{kfOwA7(sTIx_REp;fEmO2znOC744OLcWA
zn5sHY&kh$nGvD#Zw>&bu)x?<@-T(n|ujgS;m=w*IJ@Q45+~tuwJ@Pq^+(9H%v-wQe
zRWP6ST%YntXMtq<eav&+?val;S>xtIL_tG&&~<yj@hCFOnL0qLw=VTuOFYu8dS)%~
zT%9?O9c-TGda*~&^+;#W#r8Yfbv47S8eE-OlkH)q>%p4gk<&eLnoIKRFezGv9y!$`
z3p_I4BlA4cnV4}=v~oSy$sXzK5!oJcJlBaXX}TGLTRE<)HQpmb9vP9|EZ3DMxunnO
z{_r;6;;^e=jq}K{9y!J%FY?II9(kchj`GNn9y!7zFYw6oUDEWjX%&ZEMa!Aj+CAOb
zqp-=0um`~!?vh+olyN>a@`D0?eQuMJtSiHQndNLN*p1+Fas@RAR_8Futn@G`S}9>t
zuoA;0w_=Fo5Nwf0h6g**JYPEz?_hb)+%_m#&V1eu93C=7_A)Kvxj4`6I&y%EMla`m
zu%36@iDWJJ;#}sDOI^Rr={f>jkaW6^O*&o2Cf%+hS?*VWF{kU;9^95DS<V+j0R0SS
zdT(3lk<N$4&P+u(4I*=T5d>pSFS1FeYHiZ3TFG)gV79B%p={FaP?ELUi`VHowg;z3
z>_Y_2OOEr=x04h8$^sew=)-5t>1Gg&Io-@Ao%Uyw6SU4g%~=<OUo0@EZ`mHQwFyx?
zI9<o~Fg834!qvlPeJ#B;Mor4~H^!x4yT<-bKrM`RDOg-NZlhdkq)Uy^-VV2W*KL?N
z$^Sylw;i+pV@tqkhaxlX_sFdtxy2*@?U8qR<Yte&(<A@ok#~6H?H;+wBX9G_jUIWc
zN8aa=ce^CdvMeFoJY84gL63aEBk%Rdd%~n>+~Scpd*n?Xd80?(;E~S8iapQ2&U3xi
zBR5!g`@)O<h=$>M;O=lQ`og0td@Y^Nh`m7&9`Aq*50gNKhg2Y)q1yKA4AnO2MkW}}
zN5OVo5`M8@I3Hx&)%m#C<U;G+L+UP~IP9s~4c2$zVy967mMB+2Hp3&E;h*6<&aXAH
z&M~(d9~;f}A=*OqUgdq|WcfU4A-|376@M0!gsi}N{~o^vo^PwiFQOR#L=s*;?oW)a
zR#Z7{n}M>UGr?W)`GM-%)z(c0yCkwt>;Xd6vuxIEn~!~H#`sY2tbQQiHNX?%65?Xw
z;$z}cf^i9*;?g_CC&s44r^cnFM0=8&n3@`&);16bbnzWcL510E?5uz$wJ2Gs%|;q6
z7YVT`DRHTB>9uo_5Niu4PD^ML5MbecG;<MZ9nJ+*M~w=p&Gsfm%SJq8BOyH@t#&rz
zAsZ=i@d>RV8?PMIY~%;+Z1j#=8Mb7UI;DI?%TQdbT`9@QwKEhKo0gcCmKYZdh~m1V
znxX8L;d+VEQEF*lh?0xA^w`woq`2gSTDgEHX=y2m>2WOsjLkZ#xtQC+&P7JlYKh>K
z9|GD3a&r?CK=Hto{Nhk>*hE`#V6Z!w_IMC2cWKbH;uGWH%1Mo}AucTzI#gOpQVZBl
z>3>vnH?_H)yS|XS+I^>cer85)@la6LFgX+)RG4q`I|lpaO`;JlT0e?QjZK3KFp0IB
z9Xv@-fKe^6c|eldAJr_)X=-Q59&l<my8)pY!6Cy31p9?%!IhaD;N%3=5uoH^=(M7O
zoU9y>u^sG{pPL;jj8<PM&~p-#QfiNNaVfFsNl=vuO(An%9M#NaHL)|-F>2;WEe6R0
z3ig;br65`+l4H|S;^UK`$<=IhDY0?D#+;PWBp}P%j%p?f8iyNQ?HU@=V^DBt2z7Z*
z4*^wdS5Z;0`^1dA38Cz0IZDFLk_>mYYUU_8HV(MB(^DG<6y>s`nxo7{c8+4AR*U-~
zg&tH_tt7^#r>Dm!Mrm3}vGJ)%Fi~g}P}K{LY96LGu=CI_Y98Frs5il(*47odprchw
zVr*Pod~&pENsNt8PDo2iZxGP5qdOE7m~}U_h_QP>sCY(x;bgeWl$S??TT!$eCB(v*
zoR$#fYm^Y1kd&O99%n+1zB#IuG*P#6lpeK`22aZ<oLn?$hTX`p{|9^J<c6Z<BtAAS
zB`q~RN^^^kg)tyCJ^>^f=?@&$oQzlPoY)GlYYzg$yLJzDn^lkj-y2(-QBihQZgI4H
z#Kp!#xx>V*R@aY<O-z9)bb=Z%jKxPaA5&yIAKjzo!ye4w9zh{Y3cxIa@oZ?H;IL`X
z%5rOEC#_R*dMtcH;44`pJNP6aJvlu-71)E#QAag9dECxU&*<3+&vE*KilssjcN)=S
zqU9$oHa;aaDZS>b8uF7Cn`lq#5_!O~u05*xxkME03{8!iA@?3*uv<<Zh-i(R2f$s&
zDbw=cz9}x}dgf&p*z<*G*-VAr51;><tq`)A8k?93Q-(A#Fh;ObacZ<w@OF9mK}Yp)
z`)Kjo^Ntkgu(g{7#1D6|(-VaNM0`|>(GcT&t$f$}tb2u5gol9N|1xW!b(X$KFVjcq
zef5*o&FTh_*>{1g!P)j6knwhdlrN2u`Uu|vUw>0U3cTxY2m;H#geYqK0>kXI(_bVV
zcJnassDGDdt3~xGsTxf8F#UK}s-1fYxWHBkR#cpukr|6J?%|Sl8cD_N=v?=S319b#
z0r9$pQ*0UcgYZ5U-S2H@-vJ&N=^$U)ucT@K-2s;9b^nArz;p#TC%aR8+`;8@(#4|g
zqdScr?FbwmJ-R4-vuJc~5e&`t4R1S=AVrE7goox&E6fT-1P)&=jtD%XXbPxqn?4Z~
z4cJi}>Y}eZ^(dZLm_Kd8#Gn&pc%gM3+&-E>SGBwgz=y9JqjgEud04?DZns^O3&6Sg
zGoTstk8B3bXO>j;qehoOt-!tfJFN(kWp4vb2@8FV$iR^Ef=~v<`C0k7K@ev!B|k3*
zblupC5xQ1puSu|wZEv{l0$()>F80)ts&g?hUFg*f2W5a7zsayv%a}Gh1UIAl4(J^m
z27;;KR$>SANVgK(MBGYjkM49Uu}#feiK!)3eet=IH&5<pL{@BJ)V1qEe_3c+tA`$Q
zI93Ax<0Sysl6zp6qHD=*-D}C+(Um?oZS8Bx-Oz!qCAV!Eic3vOOH9a!flVclxiTK4
zufUb#_?Y;(l%#~r_{6wSd<tAk?uvovT5{VKY4MrkGeU5083ur}@d*t8Z6gMNv(TLe
zfVMRU0FX@G1)q~->b9u7;IiH&Rh@CnTR0yFp0-DPDcM_1R@*Meo5}Ub@nPId1~KeK
zIiUPBVpl%cEi^G>I&AtB9^@wSgq-4u(=t(-e{cJfH7Fx%az}4xKiWm(x-JPj_mDw)
zK3qBui<dbM)@-orG$52y<Vlx-*-2{0gg@~bakWdhJ*UHbsBe!>!T5Oho-Ik`w%3cc
z<Q=>VJS;S&V03mUbJ~R1%$z*B4P5IQDnzV~k1FQg5tngrG51L&RcB%YyO3IvJ7qgW
zvBP(`6NYm-j6FX~k93era!RVwu$5lko#Osy&ClWwK0kA73WTd*MR_%Ks0meFo$f!G
zJ%LKER4o3psjQ>So;>j>DUlV`JfWm2867U5pzZ|fpgp!}NmUYtI)y?tjOa&gN~#j^
z*_rf=*O6oEUx7*g<Da8r+5byQ07j?Sh(_PW{=Ubc1AX7yw5*RzHTb@tfr04z-lj!*
zVs>&;YWnyP#D98Z{3lv3AUoOdB~|UvopivpIUy`U3vz9r`quwX<s<!*gmfR={{PC_
zZ@pvfwRVBT|83S5xc`5PwZU2o^8OcE3#^$|fi+RNM2VN*g}d%ur32Enz|ZdIn|TIr
z$hHF~eJkLWzeJ1&?)<?*rSP#>$=>D9$PMM6w5IAia38-wO;de5N3MiB_qTwo_ld%-
z;!iwXdPd%=_JN!IUuoOaE&2#OP7eyZ#eLi_DRR7$uCCSh>UZi3#i{aceXahLK2d6~
z{HQL}+G)G^CBkNLGdm!~1AlcxK3M81w~{YW8Y;UqS)U2g{udY%)vt8f7-XawK|>ZU
z0eJ;mL00^&yf6P)nhMhFXTd%Hr`0koO}o?BX53=DWBe#=7yB|l2z&3!%cUIY61ly+
zS;<g?>eC=~V6WcCXlk}Io0_ulleh?O4pj14pe=E`{ISwk*$eUoCaT-CaoSq#9lf2t
zK;NeCH{w9gKpEWo-zD@F_JPFu15ztxu)0@#1|)DR{8p*2P%gq<4AzWoW&5mgpuu2}
z)yFyq<SfKl?LdD)Q>%d`TRymJ@s+vXe8=2t?gA+VUF8GvwIHA0FKw1Gq=tMupUPXY
z-Ru$;FTM*m0=fzZgbd+YxJhv>Tf}!uTNS?+RQIcQsx#GdRGBxE`zrgDJB4(uK$t4t
z%08B6$+xNvv~#o{wWpPl`ZzsJ+afFyx3kUsfb_1?N*$-a1DX)ZgsxJ#UZDS|pTnL}
zwyA?aF8?hoU6>_iuxt6dVncB-o5in{ev)(K?aEY;y<et3Z7ehj_#(Z5F~T?pG%fgq
zkzzA3hqY(ryglD1jg<DuBb8>#7IlQ?(-s;}8+RJ}jjx1f#8ymUBiT>95_Bdkl6K2e
z<!6*dYEx~Hwm|pk8_YN}Xf_bGiX+93Sq6{iTcum&3`J2kC|~J=^jq{@MgyadG1J&!
z>@|H(Iq#Ddb%WNxE^p8o@RL+&K5cF@x0rXDx0oA1az&ZB&|F~7Gz-j$<~VZ%$g1dL
zo@1sdvy}GoKG2YmE`2OWf**94l`SQ#xYNdfZ(Rq%<s!MSx`uFhz`<C;vaN(GuC+1X
zTZPDd<$K7!K8bL7bMm*mDcQ>&AY5@hxmWthzNRPH*K{X)`Ch_x=MXOYf^d19joi2F
zGqP7=J_5e={m8!J7ka+pC&E?#CR{Uup07KfaG4YTs{82qGAG?@Mv;A`MOb+P;R?s!
zs^@Hbz*lh>;ra~1Wsee8HnS1Zw~g$}oqR3Fd_j4?K<+EB{Gi-+lK=8g$$i}ugv&M&
zmVZvqmu)1hj3M`RQwYm;6Rw#`&)4LWePu(!^)m>Ut)}Oz-XmPLl5j;SJzw<!VP!|c
zHCNE{HJ1@qI`y*db$Y&R0lBX{m2lZS!sR0gSN&*Xz*p(yf5r1;U-dIRuW;&pz4QKM
zlgWKW3&LeN<bVBjgv&1^_cAA)E3h27Z%q|FuW;JIx&vfihV=~PokHQ34I^A_5>{e5
z1HQ74$p4!4gsU46t~`zZWOGk}4hzi3GN&DurP+3<-?PZQ64Mp%tyo6xtFZn9zBPA~
zea&XVm1mOw^%CJS>}T9piS-5XwIlcCPCYJn+*dp0yW)L%zWOv9xv!#$R9P*3$I<hO
zru2N7Q~#A1AN1=>>G_J54t_}f*6bkr$}WWKo##t`qvxwJ-Q2hI7ka+NY5%LyKa?-l
zC*;>@S8Lv(a1~EVA4jHd>Hm>?<>iD+o%b(CJG7H4DgLrw>G_)P30Ds$tT<f;%`aYk
zEOqLCrSp90^KyFR^W{!_tA|p&D;-?pw9ASZc~PYQrT5c&%K8&7-9or}0%7Gk!j+DF
ztzp{(zST}UU6~{As}|o4^t@~Ug<Fd47{*7ZeXX_Vd3hsxzVc$iwQb0~;%TLQwfL}o
zK{;JT{+2rZX1QZu?xe4BGlgF{pZu+M;;rbW%&HdOOy@m4ocN}by%O6kw3kY9FUNiz
z@U3l2&sRI~u3Vv1Ykx~K$^Y7P!lmQXb~w``YvofEylfWP%WzoYzSS$pz9NC1uU<vC
z(!t7S$X=F3{>pH;g>LgExvy|OGi9xv=Rv}9OfL7W9Z3Gxo~bT~%zowD<X)yZ;S{o$
zV>jf!6@AEk^{s>zBj|bMcZACkxo`P5>W0X8SDZ`FSKmfhF-qMP`FuIP7s5H|FJD0Z
zsxTc;%!9QCk^a~H%XuG`1B7$Ran*^oJNK=;g>dyF<ZtChZA4`F<yf5%&S@4a#*zOO
zW61yN?PM?SO!l?m<{i@ZN5)fy<qN|lHf!ki*qj5t^0O%X+S!DwUm;xiFvSNu9oS9E
zmXrGmr<tvOmF(sCeu!t1W1mR=S2)dc?Od`~4bYoLrl;H)&dY~TxV88>gU@L^*;jSc
z2UYX`m=jMnVfpRkuN><M>RTfBwX5}8s)bwa_;cc4f$ao_U#I?7ZliEj*sft(fS(a~
z9{wyj^}TkZUacKeIG@*w%bf5|`K)}|s8;_K1@!)kJjdUSgcaX9?q3tGT1f7z78`vc
z)4z6;<6h+Wn@aYo2ORf{9QO;2nUUdE^>*BQI{sgD{ELozz^K;lSAItBD?f4k?<ZWj
z$JiSg?;3&pt#Lm8Rlk$J)t{65>QBkOuCeK>7Ot5S?gR&8$lscdW?H1bwN5;1op{#n
zCI4&pkpH!hI`(bwDOqcOPX2Cxl)j~X9ZYnvrGqkI=>Z2{ckpos?{ILfgC!15aqt2M
zyE=HfgU1st`NP4F9el~bhinY^miBWn*+Cp{!CfVL={F8K{iF0r$9|`SPQNI1+I?xh
z<37^C?hZQjTZ;7^@Rd64Wr<U-OK_YC_?A4P3Ojw@3HSS~U##z82jCOy9?+YY0_)BW
zaOb}ztUMc8y2WAb`Lp@0`30;#-!tDZ_n5oP9p>Za!?0$$3#9$s1goYhb0tXpTWFS;
zbIs|na+(BE0EU>oVBM4itK}AE15-7AH@-GLGF~%YhV|Wpu)@2+xZ0>NN{uUEoj%(r
z2910ZjnT&WpmA@Te!qT?eg~}It^@sotAQI~v3{98PoJq5>bd%OSeuU0hv@@A|6n)0
zv!0^I3HO8Myxsh9xI@2@U&YHnTi$e@!$<Rhyc<sjZGk6pllwtB!2hw=*z;@~yBj3z
zRkBhxpB3sI^i%W}`tiD{&C#ZS9)uCvxmsr}7Gw)H(=_!rkUH=#NEUofeHhlx*Qx8&
zrOIc@hss;ZtI96r8Rb#9m4A<NyK<9qjj|Tj<%^X|mAT3^B@b@wk5fh}L*NE~58)|c
z8))|1!5`vx^6TM_|02-lm(Mf#aNdWX$zwsAVPh__pV{Z^9gtq|B<uuiV%M+=kN`N7
zO;*lQQk6JZeSRWeAorEK$!E$*AbFszd@{%vY$yxTuhJLN|AE|rebS54v!IRPUg;Lt
zpQ!@r1D8wlqypH*$doRWI!G<}r~kq41OCtdmGC*dm`~y3`B**zbUdBQyYtS_LSp%8
zAP=D#Zv>i`MD`o|o_z`O7~h4~@)CQFJ;5Gk_pv+Kt?W9G%eay)1t}8qp=PGCNi2(v
zX2aP4)|;Kf(pdsXk!ZtCVojLE;3_BFp7}=n3}i{XCB7=|5}y&aiI0IS30qg>&8Y2?
zbVptcx-Y}pB!_|~%$}gt(AF^79`s^5Iwx%{nXset3Fx7G19)|IGC>LGaK#729qJN+
zpMT)DFZcX!{sm6_d*>VL$mn6$o6(&r>|a=kcaY^)wA@0L>(O!@S*}9Mda|rR3+kr{
z=;dfZ6*K{T30hFgOhCUJEtgT4`DmF(mRV?-NtPnC6q02MT2S#-K%an?@$@7EEvWV?
zpkIg<R81AohofZ}c^in90c7cm7F5a<(7U6h8$IcQ7F2Q*&{NTZdTauEJX%myO+Y^#
zEvTz0pr4ACHWb0hXlY57W@u?jmgCUUh%6w<1^S52zs9AM?FQF!rBi$z>eo;(0DE1E
z_ky#Rq#1`7d;!HWp8%^sU>8fJ5pm9;XS1b$ML13;$7uw`1Vz&05niT}V}bNtgd^6T
zK#CsWmNR+DA(%)oK~^IIpcXQ?%`6X!aKxI18_X173<0V;6WD07T}Xh<Kwu-uHbNc~
z5z8?7fUmTEWqtI0VFLZHDc|_gj^t$++=qId1RpAG5`331!S5Ha`U2W7wvT}J9l@6b
z9}~P!fcn$|+N)&SO@MmX0@@Q~dxT&s!QBM66WmO2Ex|eh)KC@BQ2kUuL)}sV?NWMn
zF~JN1Y%T$9vbxe&1tp+A=UZXJi&#baUX-e(zvY`}JAUAsVZ$fB0vo>a<=F7OFVlu!
zeHQ{40iVs_X~@3wY%qPc&|agl?`#{IV;LJkJd85hVvjM-z-y~U0xGOE(tNfuTjMMr
ztW<nP54Y6>KuGGX5w=WBJRhUp7vVTWeImlvOMNNA)=AwTVM85Q0UoP<AK}<q6C-R*
zv_=s&RXZ)h7QnZ&-?e1Vk$tUokFb5D4UVwArj3uVy-2}#YQ+(bk7^|mwtJx-{#Jb?
z;NOR-_M!5!fbR;jEwI~qU^b4ZKHJoOM)O-Vzd&<8n(v|c2AX@&+=b>2G#^LvVKld(
zc^8_S(7XxF4QN)Oxf0D~Xf8yv1kJf<PDir<%}GY4Z!xr`OuGq#ITOu7G;`4$kLEZu
zN1+K#7<>*uvk#giE3Pv%N}n$U%{Vmao6!bo66HXAkd4qqN0XxohMgXHGMbsjS|7M0
zeHNO@Xf{MswoT~+G+#&aN!#Q(#>Q|cj^AE>k#Vo<GT3<3rF$AXT{_)($EER0%43Yr
zT$fhHk1l<@DY~>`HgRdc{dV@7**fgP4w$hn{h`^(rT3ZrU3xc$dfpu2x@<SIUHacv
zH<uoYK8K(=7|lUw;=}>w(DvKUL-SlTaSp-yAl)0yUTF426X#M4rxq~xw!@x{CYCcu
zM7Lc!qj@HpozP52GYw6ge6S>>6VXgS6HAZ9A>9$pSTtkMJOj=4XtuNN_dy%`EC1~G
z`uD;csb$vl)pjT!P7!^Vi-O{xZyU2z;~IYt_MRVf#?MfCDQSG1d@h{v*U<Q`bl^i|
zjrUVdA<gf+2k#Q8{ap_jbB$?69_WTmF(&Yi%JFdGJrcCnx8toMb<Oi@NZY((^5*i5
z{5VCDuU34<TCQ^zsePU=cJ$Bx#D14Yupi{F;hg(Z<5Kn&`<OoiTnFFq5BaOoROM_X
zQ<(=E0yco&_{*f3(j=u6bjA<Wdcvvxg`nZRwZ2ThQeR-C!Wn#fqqQ;A=x_8i&f>d3
z+TH{F9_vQ9@vsIs92Qw~tYVORI2O*{2V3V_-K}IR7Ea!q!TyJ4{$_p;J0I_wubD4_
zW`mVxmO0#PV>SV)hOhFGAnz{$b}VL@_gVK_AF%f%ng7f`<8Mh>(tKr@QUJQ`Zw9%B
zOI)4yqd=d1SeyNc(i2)^xK(kVbf;!W*GcQ7l^U0ps((mVfJTD@e46@+`o1(=8X)zS
z&XLm9H>A_0HquGzD^e46CrA$*&2Ivo_fM(Y)UBZN;5PLJ^(wwrU9B$Hc4&`jA8Bvv
z4Ya+yoKMgdy_24(p8-22kLX+YrLd1OS<lut>lf)8_4Bm{`CR>a*lAg1oM<#Q41?=`
z!1?|G{S*Ct{SEyUeWy`wEH-u-&lryy4;c681NE-@sd`KO1nn2?TkUggx4ICd5zbbN
zK-WS@9iv{L4pRH7-PAKdN?{CWTsT>6sy0+rRZxCazEi#cnT+o!`;-@zXO+j5hm?Ck
z^TI94wMvz;;^_WZOOWr_05}Q);xFR2pgrLu@ojN0@U86lvsUHyK98_fxJ$TAxIwr|
zSWW%Hm|%>vJ~c)fLyUe#52K5<$J%bB7#)EVqLtCyIL_K+=myh&*MHEzGH$PDhd$=*
zSP2}g1k~m3G?SZm*|Rvoc#z-$f_n+>A;6sn!N669VBpq+U~HggD+y2mE(oz98%_`f
zgI2f(t#FOm^bEHbxY3Jjq=eZjv~8R;fO8AC3Alx86>d4<{zYDJt->u@uo}43;TEk%
zjSBR_a1F*8PER?z9A9K&RyezaY?xbaQf|%rF`S7@E5Y1Cw)@B@mIMgzL`Tv_&aDf{
zhD%#+jUd|v2qvbCTf@n57{O42Aq0a7aPbT>5pA1b?jm@YU?+NUw5?nH&}Q`|=uLnn
z$So>C^L%pbPJr7foYZY|>ulQ*#1#`zff%>}Bp6u8f>A=xsCW$8j4*JOC>V3;*(?Iu
zelVtyt(c&Q0IN|ju#N;^>%!OO6HFn%(iIFWPr<m095)l(NpJ@Nu5ATl6WMMf*hp|I
z!3_ks?iGxy$#xaNdV(r~N`kcnYY0{otRkT5H>lnXTwn{vjr8n#f@=tHNeu#-$To*y
z20<PIpNwE`BU={P-m-z4+sXC@!J`DP(X+?U2K)ZlCLSkSBH3QFK~gjVl|Uho2_yne
zzz9SFfgnKOC-5Q2e-Qjm@EgIe1iujcOz;!Ij|4vud{6Kl!M6n85PVH=fZ!{FFA2UN
z_?+M~f=>xPA^4bJzYW~NT`O+okZl6Nc!Cf?HUSnnw=&6=K`@$N6oJ!a29a$b!FdGz
z3C<<xL(qfZ90XEZFPQI;?QMcL30^1IXM<qwCEKfH+e5Zj$o4YXULx2{@B+c}HVEc(
zWP6ruJIMA7*`6lbQ)GLRY)>Fq*r&ObOEzqgl8n8ITi7?bg{_raQ*1Aij6Fw^vFAwg
zI@?h&uB6~a1o`B13Bh85Mf7Ys!88IK86<fY*|2v=G6J_QA;<Xy7Zc1Sn1f)J+8~f_
za>0rrTL<!j0~xn2C);HN3kY!N;+FH;ndoTFHt1mmK{-Jg!E%CS1WO6<_1waIatrgx
zEhnD~$qN>YKpNQv(!nlRDfTlE1d3jK^adXV_g!XhlyFQS$b&<V2KoSrZ)8J{Ak&R(
z_#VNyALFuC60D$SHyLl?Hd*!0Jb9@kz_E^7Ysj{m0LMDcb7A!_L0EL;+2%=yvvtjR
zXY=%k;7R7_!wasPlOlqP=DNcQ&fYM+Z9vXmHXp{FLZ>7!N9I-Lmvt2n+k{@&Z3G($
zZneCPKhAC@$D1r~$B(n?$njc&4FuO%oxQ9u>_D8Yx28lmQav!L2S)Y4s2&(qDqCTB
z8-E-apP>zLR%UIAh=m#?qXx;SMFI0R`dnyjuU!N;Sf3tJ8XyKYZ-b(<w_L0LsUWoJ
zd;XNJ6>9Ue)!KF1{o0fAaL{0P8*&63us*X!gVw)6uqN(dodq1}3Dy~~E^cl$woKqj
z517Bg+V~Um1M@B5N`Dcw0NepQ)boIMdI0cDrvP_$2Usa{(`Wo_d~1ARykYDBKKM<*
z1wI5;;=O<uypxe+#KJnLwb8<80=(KP@cM7mOZ6*&cYd}$QP0$S=x6Ccy}9<Q_Pw@O
zdr`Xw*863k4KNop0rt_lX>GKYnh$gXyrJ#^eE@e!Gqg`Y%1K-4U;4TFX#IRWO>Yc$
z3!c+%(JlkN{LXr@o~Jd{Z_uw+zXff9o8V4C1)P|_2y0_m`v5c!u7|q_!?ZZy9)D2N
z^?UVqfM@=3b%XwzAxifeH^FK8Bq<wYAdHZPNc};g|2a}8`9}E~xl&4!V&S}fKI{lw
zFFgzA@|w(~Kj5rBSuTS8j0tjvd?Dy0T&iB7&IfITz14H-<QV{t0nj?wQE8{NQkpBr
zDGYQ0d<B{Z-;-aLw}7sJ1@bJpkK9#0Lq1h*DW4#H3tALElHQi~N{>mEQiZfcYAu~8
zHI@vC^FR2H`~d%izt7*`ukfAxssF)WL#~2A-e1{w>~Z!GyO;fo-NLSARcr-tfLzYz
zu^Fs@<*-c9u{aF&AA7+*Vj7EQ9oQ+X1?XBdnZ$gc6XI*}Q}F}wO>qxsTzp#GF5WNR
zEp8HT6t5Q7fR@EYVu?6MEEcDT<3SI@2yw7@uGn4dEGCPw;%Q<K?mILRHBl6P6ZW(J
z<J<UFeiy%u-@x7hewEdHIbX;xVf*-OUc_^Gh>u|}@(cJNxTn&MpUIx(Nj!$P<tOu|
z><ekSbcb}av;l6~ye7OPJSTiFd|AC$*R~12;V4u6fiyj^qq@s6+dsYp*mroq24Ii&
z0QLbJfISiL{$BLR|A4B;!Igb-c!)py<nR!GrySzB{fUG9Z30~M2ntSn1X}b6GA?=q
z`8V_;<Dy59anU2lxabk&pXk|-1V0dbPw<`ei;v+cj)f-;7M?Vi581ow=7VTHfad*Z
zZbcK%x6J#Hz8B4Zqj`^HgV9$)E)T1lZKGAZAmgWBknz(m$cxk}dMO@tSa{T748-8(
z`4r1Tl)#26#?n*As2?Ur83A_J?cxE(CIlD>ZJQ!r=@T&w9<o??$YS9ki`9#~;F1y+
zlw_mQ<$f6tYpi}4_FR0%sC0pCN{|B<@NIzE0iWaXjzuBxc*nxy9jiZu!)2qu4#<!A
z=pfClXAF&pF%}-iSa28vv7SNUJ|g%~{s9}i8!D0@FE|qe?I>i!nV7&<D7ri85@;p{
znoyK35so+$1MMdiZW2Kb!9;=y%8-ZvxG)7i3gz|)$8qFyEI}87&ID%?bRtM6NFzuk
zNFu;>hQJck;do>pnaTe)jS2L>MzD`yFEm;@E<I%GFn|x&cEC<Swgt#lF<-qYd}?Uy
zR3CQfd3M9l?nd)2b%*Qzy!xI?UyM(0M{|?<h3o#D#$B4uk8eglHvtELb4F`Cqjhj;
z<do8`ML!#~6xaPpZGcPD3G_PjQ>Be^-Jj6ja_MRKbQPL#o-G6amrWawBaL0#D8{GD
z(S*}(@PlWZ#$!n1si#qdPZyyHXW`%nyQ}di(%6BGLVS8DnkBmFreVA7Vqm8=rs7j7
zB`gP{KR(^2C%FC#(9aAsF^>jzU*i$|QP)pCKBd^uzcCo&c?!)uG^e1S$!JbOmzii%
z%s7f_cwVb@K|gq2Yd{--)Xqn94w|#^DW2DADd@5T&8PK`d~_0Dqp{)B7tnmx7;`Z7
z3+QK;ZK}`Oru;3M-=O(5ng`JQ3e7Lk`~uC-(fka}Ptp7Y&5zOCZ`|bru7dyk&yLN!
z3get*xP3vMVeIk|=K;LJeky%nyjR2Jb<ieQ-4AjYus3Y~>~%C>Lvx?mx$cr=FQcEA
z(0mci-R7|BF|(cM{=9jakN6}Gl5zA2?H1Co-Mpus{_z{i{%wABkaRA_II)i~=pzvS
zm1tgp=H*t~aO;J8()QCaXkLWoXf!WGa}=5*(HvoAx}k=lOFWu!Xm&(17R?wmtMLaw
zAuK*fLHvb}>;wOKwlT*xX4Cn<G}HHtaKI=0C=%as9Gryih7;0NYysTjK91|4PwzcA
zL0-%!Nc*KH;H(<XsHLf}2DVS6Pm-GOZ{VaoO^H`bIL-e+eiLqiFB1;1D}i&l0{EA0
zKISE?ki8DtYew=RydUrm<N<g7T)r0g18#zI__z4a?0U8ZTG$Vum2MiphTp@V;UB{3
zwk-MK)^`G)d1pzZ#hax8Vq?*OX~`erDDg7Tc}HB+mB2m!Dx8upm9F69fUDZ(u6|J5
z0owjH1F!#+>=ED__?<WB9f2R=0g!I69Zu@qlYg6U0nTTglUeUn7Efb8*5A`#*I(A3
zhZFvda6-O{_zC1<c?xg}%mH43V!1P{?_=fDh%-X^l6PSn>3o?@X4#-!@O(B9I9R%}
zPArj~!A_+!X#30_?nc-g1rM9I0$0I0b0u(k!-+KiOnjT~f>Y_g<qztn=I?f>$G_}X
zg9jekD6}mFYIqCVY;#6PO{m=f55_mpK9<-mm@{!Yw9#S8c}g!aA6oId(reO7;zZyc
zvD<A2F+({;X`vjinBq`Hf_t(*$zO}3<WGrnMeHxXAU`c{m+u$PlJAx`!CueRVye8x
z=4DX(itT~RVL5O=>;x_d;J1Jss@=$Y@gVSh+yR^)8?;KB^TK$`c-7cto@6#LEmH>m
zkpX6J(11CUI83actgo$4tq-g>finOU_CTjhJCcDx_#?^|A0LMkQiwCW7c3aVajK=h
zju1Yo+D5iV2yh7@0{67NS};Zs&=gJUO}0x3@B~88dZ10~PS6d(e3ZNlA=^^~cz_|8
zcz_|8kCWqL<df!t#wc=p8o?S$Hkx<Sp(|(wq-W<NXtWTqE+AV!8$`V&K~sW81b9jy
z(lLlg#~`9}45Hz(L{u7}PsJiI2`HR`1tQY<oT%Vp3UrQ<7hG?NibOU}zzAT}f+Q)l
zm@@EGL(sO`j)JxY!Jxz&lril*bfj}<!N4;kQ9g?tM^b<n$u^qcLINr}<0bNP1p=`b
z3mTO*9dHZA%M@S?`Mi>RQuS+C{epAmZazakGYDu^W4vP9Kvyq1hR;bClMVN*L0Jt2
zpy~&CEp~1VT3Q)<$c85};j<C#S#;EP&@()=5rE4I!&N^_*^7>J^anb4$P2DOM7<e3
zqji(9f}Y_bMbwW&oAxa^t|WMq;0*%m7TT9+)4m|bcM0Ahc$?rY1npyj{Rrj_2v!n;
z@jk(O2pZY6_oVA;?&X6POA1HjsZo-&H>Bqxm$+cF_j8;-ij#^*+aqg{KIJvFeNrQW
z`%ZSn(ebm$JCQA2?j9LD{0c(yf;kd77OTh;$T41?b2zI#kvE}m$IG80KY8^R{i!zl
zMFL%p5<q$L@sarhTg`&h{S?5boL$Z5*|mHUv%jGItYlX6nOWQCcj`|67|0dCAOc${
z2iR;zV*p#<5I_=vt!V&kZ3#{$u$MRB*pNUa5D<L75`0JS1;CO1se_K}o8!DsU5%{&
z07vxYs-9}~l|vqCIRUUOsh<&is;~FoRXwI-w!e1?V8zj)D=1ec+XjMb^v&*!MWjPl
zP^1i(QEH!JQh>DtYY3(jOd}{JC^A??oKwlMz!+I)oVny>GC^O0J_I-m5?L>@^(5#)
z(A}6@b1V?qIrQvog0sxtzQ_OGwR7myVOF$3=AC#A=+OS_<AdVF*^H>+Y(~^@!Xs)U
z%qMCUt2W$x7ac9lt6L4H9HKVZ8jE+B>hs<|#SbPP&g$?B+X_zn>u9ZT;TXNNjyV4p
ziIoKO4B|7ofg}2G4;u9I!pfk=CkxaNl24rFiFk$U@Z|p)a=EV)3;5(bxsz;3A4pqa
z6`d)iN*aHS-v|=r(s*NbfIY~{U@hB`1+14rD&QQeuXP-p_}>6h(ng!78NV1W7*)m;
zqpNYez8_A^7wG-;hT0q2op9nlP;0GzukKK<QYWj)st<J7U$4wpM#IXhv5*q|7kJS3
ze3ajxQaurou)PtMgOltqc(U0g2ahZADH|SXJ1EWSxucGeh`${)uIdlPUDfRevxzqx
z>}mC9;>_yygW1IX2YY%X&-e=e{38ihuP}1C|G9d3Jm%?dUjiM<=V(6AwC$JW_=YFJ
z{qPGwWz=}k2{9;CI3)*!i|6OXr`kII^7C?MC6v#0J-3SPxwsG{iH8cu=46KhwJ)FL
z2C||Da$nHCeCDD2CWPZnD4*f_ts^m@WnvO&zKTdpuzb252(+5Y@TG{z?y$lP)XtWl
z*Q$J)?FGt&yohd*cz#mKi@}eArFQyB-1XrVT0ur3h$9~hB{(e<@&5SoA~zr;I!eHt
zqOl;ddU^(^B63T;&<%4+)G%Qg*AXv@EuZQJIx%V>M>kLSE$zz-+yKxJqNFT7CG59d
zdA{oxsx*q<G|y|^A-u+iy|yo(;(Dzk1#UxWSDx$ojh=$!aJ22pCm+IVM68nz;ni(@
z@#Q(L*XR`)t?^B?!?-QWEjO=W!FX}$e|gMkwaPBqaQhcUCWnUvFPW`Y*=6ea5u*4B
zuDa0n<8(DKnwM6qMny&=h*6{I2Y$kZ7B!mGiWYV>;oivHay?{sOsF`~4GFavEoANf
zm{`%=4Fvr$TA(N$vSURvHxzWpXrXHK$PN`v-4M_pqJ{9fWc!K}T+h%UqIq`vWc!LH
zhw|%o$_^FByMF6Rgxh}-DjK_<>nP6R+TVwY<J>@Xq}+W$`-(<~^6U1{go=i)-#QXg
zyNjk)G;jmK!0wIx^=L}40CO54ye?YEXidp<13^=Y7AR^{GTczml%j>I)s%EM1k_@*
z5Rpwub3H?aMDrZcl+;7{jc7`W>$k2%xHX+n0sFZJFV1L9Npb_#k#hG1?JM}9{6;h-
z=K8IpZfiHCRu!ThC_LJWUYCp*M=OMCe!S_I=O?uy;JzH1r01m`P15g%gk(nx8LdhB
z+(6JIqXmlAB+KW!p`b}d3stj8md|rTKx>E=BBDu_U+j8@ijC&kYm()259QZwlB%BV
zpUTegsq;W8d?DQ49<Pp5N2$YrKfMo}Y<5;tK%#vIwGG_gZlvlehZX$K%C~TX`we9e
zNWa^!yr;H=yZ2XXk7^HUJGHO1&$Qn`mR_vhUmv5F=yUbEK$qZqaEJU0qmj|l=w=Ks
z3XNQ2p0VDz!+6nn&UniN)tBb^=DB7M^DHyXJi}~j=7HSxO!HoIBkVA&HFtt^_IJ$B
ztR~hNICI}*J#6h)cEG*yhe5`Bm9kP<rc6?@)%EHf+8J=KJ`ZHQ-vYAUuYkRY3iCm0
zq0&iF6;Xa!-YGvQ-z(oKZ<I^rD}aN3wtT)kNDj))rB7hr<3;H?=}BoD+`(Tjt(MB9
z#UM>!ynL3@PLs8@`WB;)rAniuZc+!}A!yB8z$r!psSjv1cuU<2yyYVMo&CtZW}mT-
zKz`qAz{{|cJ<T44eUp1ZYTQP41G}271!;bzAUAFSo6U+@9-9dK=A(f-U=TZ(^<ZZK
z$9V!fLux8@mQtiRX&Bu3A14(`xzc6QJXr>ggRhklAWLwe`W)yg7_Cjzp4NT@4Fe<e
zg`i=esd1h0tJFw>!w$&@XW!rQFZh1`9&r5c0a*t-KrZ6Ld<*cKZvu{s4ZMo4<ja8H
zyac!~rt<<miD&aMAPsK_@6UVjbKpcMiN{K9q?XeC(mlXyev9;$v{w#*l)>+%ujIzE
zDW}N^aQC3Ce6HLBc8(^>neu4)2Kj1vty}?T<&Vmr$sft@$gjbzg&&pHaJJq=X`m!2
zu}XiCF>#JEMkxUaiPMz=Ws7o`vProKBo>sZi`C0Oy5f@{%iw<X9`!{np#BOwM_+*i
zgb%c~Ad9iN)>t#O1nqo~{eQ03L(9}kwJWp*+H9>@yBGGFHflG(3H&?SYud|t6TN}1
z>Z0CS@1>su=kH1S5aZYXKYqa5QumK;Bdi7O4~xZ1#kt}%F;AQzjsxuoL&Sb!53!4w
zB6bwpiLJ!u;&HX6*=&%_=JYrI6QA@r&cwIs-~tOAnwyNr)?_yZmwNE5$pPg=o7Yll
zj%G77o1%FFnoZC=9?iyR9*1TlG#jGX08I-`6HNn6;M|6oH8fQ;6*OfuB{Vsj49x(V
zAh8ER0r#IAkpDpQcQk)P^H(%~LGx!ce?s#|G=D%7xE&!Za65tt+>T%ZS0k9f)d(hV
zHG&CTjbH*-qa4tH^ASv<_aps2n(v|cCYr!q2!38ga}S!k(F86_a0f0+Fn6H&1e(YR
zt387B!)R_r6FBI>=iO-Dh34&OZbI{BG;cx^xOBni1~k{9S%oHW-Gci{G?$~f3{Bt=
z1b5&N1QWPr!7M@ZVl?O4rqTjwEFTTHKA{BY?Oo8lGn&AW3hq~-NhJe3tq>dVw1WE*
zq=Ca1M$ZqBJ{Qg2=<+(!{n6})F2I{92Y4=;lhK@nW{z#@Sj!sLrY(I7-trwj%|<f|
z%}g{iY!eutY!h1u+$RE>UxY5$8bRQQ{ZvO2TbFho(%7DLY`1)f?ZOA6dmA)QMzbZF
z*#2c~pLz#$`G4$v34Bynx%i#^&U&GCp-AbK);6WgWcDScG(ez%vP2RJt+8-t=7vm}
zWYU=lB;ADRhAlf3QW7e!Zn(ABy6{|4YadU271xJa6@6OKrxmw8p3mz4JKs4ob5Al!
zCIQs?5BYJ<eCM9!p7nm;cfRG#Bs4F?5agGkevs9L5acBx1bImauP33M){J8a`c05x
zuEQ{fdFEk=<LtmZ#7rdQ31S$)(2pUlxsm)PMkXPT2SYcev|zX#!(|vQBB6aH{=OYU
z{B52=euMuUQcoL(bPU(x@3)droQ%J5c8GaQ$dCKok;C*Xh8-ld--h98Oz9yZ-~}Z7
z8Kyjl;oC91AH!Y}+VOpeWG>{ywE>s}`TbqYvlByHQI1FP_e1#fTNr*5!*5`S{Uz44
zpe)X*31<*64U&Q@5d0RA-#Bhyxt9FKSu^3R0X{-fa6C;oQ^dX&q~MGYn_BQ2XAPtp
z$#0xBz+lL4oGD^c3x4D55Ib7%yB0&79TUzDNJEnJ>qzJrz;Hi?`!L)^Lb!V(PwD=`
zJqTD9NqIkphcSE?hEI{ujx*(Wn*0{Atayg}cH)>28Fu)+1Vh|$P8<ivGnhYw>8mir
zRpG?-<HQjlvhDCbui;aiSv&42!2C#^_}lq5{EhG6#M!jtDsti~veSKv`_YN($B8S=
ziRn(<zfR0=Y9{rFb4X~yww$=GoVfO!cqTYg_>`_0y53Ywp{?IVemlD`%wX7wPw@=_
z?}VpzY@J9zL(Xmt^BCfKCYl7$I(@ed<hLE)*@Ue)@5Y?CZk@Qoof|Pf?bkh+AK%l|
z?$|!emzva1^I%`>>m8pRSxz7FW4}OK6UvHl#~((`k3BMBkL*~=)a|@_)Kav+w5_|H
zEu-eg{t}CS@P_v}9~_~-xa&dV6mpvNn17S=qa)<UJ#NSM0S#7C|HICoj*x!~=6M9`
zH{$PixWwV}+v%)5>bjUpxI_IrUH-w?5!Qoy&@|veBoR|^pMs<~d8@q`?g1kKs7V7U
zyIlFw?|;FkhcJAnYik*cBPnJZhE~^;#r$SF=6pYh6%=cGAEvz5#k5bLe%$Y7hwEFV
zJRih7A8@_Q>Mxf4kn4A)JRg%L4L=%UuQaWc^W#!dpmrd~ff3`Id;!DHOWUi%EzOrm
z&yKp%{zH16A3f8H(ks=~Z~8iPWRRMj&GBAc29$#xha3kSdqKK=i-S<@8^FKYonRmC
z4xler04-mnqC7xx&H(zJ(O34rfUh`0^E0{&H~`0y6Huhbo&-O5yESxLC(x~Npk9kK
z+#H}~{Xn;u={r$N_Yvya_6@MSU!)4328#PBp!JLN;%Hop=|lJyz_DPw3(7-a6ljT;
zu%$$s0#^YjRYG%9s<jR&*cxk*o+Vrbpl`u8VUgM;JO)Dj7WoWCinz#c$d_nk!g(OH
z^PCbT4SWcsti>Xoja&(!yGxvjA}wC#PylBDxD<p(&<4DM+mUC`2s{ePL70gY{FL*{
z6);+j2E%L8pQJxXuYkYEpGYs2`5`0mL8R}LI3Wj3`%F7PH)k{OL2{-vd{6E$tpeO+
zk!c>_6hXiZt})5ro9`l%-DEVrW_;E78{=v4X!t$jH;rF4e#!V*<0p(qjPEx-W$ZWZ
zHEuILY<#=1$9R|VPGiE@YFuetX1v*04}Ko~#_Nq&8?P{4YLwuRk#>>ID4``5i*y4K
zo3ThJ`f8z8T`W?RCPru!rV&cxTBtCug<5>ENGSShk$g0ZmqxWTLb)CbwPj<W`l=S`
zdirc8iA;7B^fghbMUxc;!%b8W-DE-`Hj@eE&P*m06*Ez>AQKe}GEuQ06B7%vqoBRf
zMx~p@Kav)VB8p!dsrIUon(;Q8sK74Kwqyqyj>v8dCq}0{Ixv7#7u6_iBD$!?x069N
z*qdmC3&UXhZ-i`L!H9|Vi&O%fX%kR8NCs*X#=wly6)m&3U^x?&=Qq_LL`?{l%!^ae
zeE~24urdx91F<!ZA>dx{8*ndB8wVT_!W%IJyd1P90jG!XW()zRhu;e@Y`_q3deEQ6
z(Dr@uTYMG6M@b0$NfH9K3SoeRy6<85T?|j+QrUswb_};+2&G_aJ%%CF1Ha#aA>twu
z;v&++n1a}h^dSCz0K)=?n=ypZhO&quNr)jy_hHJt7$S}(A>Jt=-YFs8DIo?UA%-L&
z7AqmnCn3%!Ar>nkCMO~OCm}X0AvP=_RxKe`Eg|+MAwDW0J}R|iyX!DSTv<}_H{!%n
z0)NLbM66wcafA0?gW(+*BDO6dwk^FCQ*OubHVhH7myq6&Zp9R&I;0l--Haj99@1Oz
zcN2!oF+@s+DAPlWOEA0z!^Idb!Vp#hJcX42A*=)lVI@EaD*-}S0}#%`a4v@R7~Vue
z*N-tgh2f7d{2_)v!0;suVf{c(SRoL?3V{$;i0eP`_jfS-HiqBA@S7NZ1H-Rlcml((
zVfZ43|AFCGG5iXKU&ip?F+7gpzhU?ShF`+)c?`dZA!1#w&*Sf77=8}J&tmu)3_p$G
zr!f2^hX0D;Q4BwU;m0xj7=|Ck@L3E$h~c|2JcuE#e;2My7p@r>&Zf(XPelwZ7@9FO
zVQ9qAfT12k9fkr4oqxsfFBrat;h!=5KMenb;s0WI7Q_F+@Kp@|h~XbF{5^)h!|=Bl
zp26@p7`}qxuQB`;hX0M>FERWDhNm(7IfgG|_%jTDis64@_!A6q%{Xz*IC0H5am_e!
z%{Xz*IC0H5am_e!%{Xz*IC0H5am_e!%{Xz*IC0H5am_e!%{Xz*IC0H5am_e!%{Xz*
zIC0H5am_e!%{Xz*IC0H5am_e!%`okITr*6A9@mT$*NhX_j1$+46W5Fr*NhX_j1$+4
z6W5Fr*NhX_j1$+46W5Fr*NpQy92s0W&X3^lBN#q|;nNs?7{d=?h^x!_0sQ@b3=d=Y
zJ`CTB;d?N|73h2y{(cI>f5Gq&hVR7iNepq7ItTD~KZXY|d;-Hh4EJNW55vbX+>7BJ
z40mI=3&Wil?!a(6hTAa2UEq8Se?N-hJ22dW;UgG6jNwBVK8WE17#1+xjNv8>-;Uw^
z7~UrchB4VX9|yrUQDkBS{%J;lU~3ZYZV7j{gu7e9-7VqnmT-4Vdu+~nU6-L=FswFg
zGV~b^8;%-I7|s|);}+v_pvexIr<j|>omMYM1#GePf&aUcw$tFDy&Y`iZ2_x&N8zr$
z&$$Jt{KNL6K>MGxpN3m$*+H!5HG-GEoxo4n1YY|Nfk(fiP62Gnp8*YlQ;w646L1Sz
zZ(Ix1W4pNr{Pi6&9~IY{Pg%U;F|Y-H2xJS6ThCh0*kqvKkJ%?V>J3eXc0-Thh~czx
z5?E7PZEOOnug`eccoewU$G~@6Biv;7fnBxJmPwYVrQNd0(q}mWchi01VevTV8*H%&
zAj{BbtG8_eS%)rLyX}zeIC!U*?NfjY(d3u{cgCV=wOKR^aF>4uyuY0?oiv>=9XB6`
zTluv>Y45Zg2DyPFR@piQ?z4$U<+EUw?=;+WpA=76H(7h&M!Vfs19#acY-hkWp%?Gx
z`<$}#I9Nm6<T@q^QoD4@u+!LX=yC{PmGG4P1XvtA0$Sob;U>Gwz7{MV9(Q`dTVf4(
zo$msFibq^$q)Aevv`IPxJeea-(HV6KQj?)x>=F-I>&^8hFWmkg18<6loI9PHz~kU*
zYm;>++^iq5o-!OVoH86YoHPo?DaJ-)7g(t~VmtwMtfqh!{2JitM?orKC(z=Xz?WSY
zNF*EuX@$dPFUSIHG9L!XfwSf_7TMBhsRw>VqgW5z3a?lLG80q8Ng$ITSk79`fIj^x
z;8L8h90%!%qbAXK)_4Z!^;5=^hP8$*U=9DQ(QA^;lR%SXEyx@kF`opx4uYiy>?byf
ztHmwiQLu8@XFX;;ZJT6^N<ARs5tXL6&VoJ3qagj!<5~?;AyW*E#$#aFVUu)LI%!&K
zIb_*l=@NUajn<RkY2c_`1S^k+os&SbzTI_Ps*$!Bqc+jD8n{KLz?);ey~c42R%;`y
z)stZV;h1z(Is$quhonAfr}HfMH8|}&g=2UaMsW*xqwH~ZfiKFnV5hRFyk>ESu>Day
zDu};Li_nk$fkokQ^e<`=b~;JASvY|HZbe}i`W=S!t7-ne-_Uqx9m|J)Kq22t>^bvC
zdLT?-QP|4-%pO4Z+E7muD;KBFccDL1$cKJxq1}zF+><Ou|Fuv~W#zWf^xf#U7s`E<
zrN4{BknbM)eCwAPyo<)$(7&lD?4CxS@4tekZ%6;9P|uH9e)M+=^}LropGD)o?~xet
z{SV8B{!wAv&@U>y_rKET+g$89`oV?g=r0xOLw~oTu#Ju5u8V2@$FC$Ylt01B$7sBZ
z&C4$In+oHLep4Yvf4~s0X8D)1{PP%$ev_e{HVW_dvGm;}wg>}kzP5dqr5~p0yJnIY
z-s5Eo?_E!yKfayD+iz!a1B*Q@MnA2hupRxhLc8dv6=LQ;_Q0Q6KGu)ztRLIa|EopV
zRZpH<gvSFcX7lp6nZkQtVKMsiwFrB^z+m)m4DfyiZzeI!ZzGA#LjOfHeb=ot-p<Bn
zJNl!Ae0R|F0bJ+s9%)vthQ!dH7ihdYPxEcZ@rHZ_2BTkH$cO75>U)%>v*)|e53fbo
zjxppzf6b8Z5X<*8jdwjm<HynOuPE#g2@Lr@&hp{9gLc0}({}_}Je}qHFBX55#E_5W
ze|!zg$LigEmOkHphULS34DEHZd@TQ-85G`w=K#zLKDP+FO*H*+^al;;TWLMJr?PbP
zD-G#vAMUPY>F=TW9>@Iw^(>_6yJoTYQWgs|-uX)wf1AahV==B%QP{bM!S}Iv9gA16
zcs7f#VX;Kx9skQ>HeNgagTbF*@xQS6F&giQk{IUic^dC-rEx!=hp?|tQ}}VVZ}%)C
zFs!>dEPs~e{{e%y(D?C}Nh}I`k`&%yX3w9b@xJe}_=_z5FpJqb--qkmBJ9Kc3Gqty
z{3aG($Ks1<{5acxd+sGLyk84V-~CY<_y3;6(4W81_%XIF9>ez#g~!-??8kG&BJ6)7
zEw>-n1GJC%VP5gPh4YcElRdj>z8!uRPowp3W#`dWtOv&7eeC($SbQ_hx9?(>pTT=R
z!=Ar`#W@=9{xQwBAI}e{@0;xT$5{MM8t=z?;5}cZ`S<*SrtiV?&?4-y)AW7U(|AAb
z8yGJ(&U@}=`Qt2J!s0NAAs?HU{kTp5X7jaYCwVRk`|n`+a6Uz0-&|UL$5&{)hwYR7
z*e@uL;|}F;{{hU_#eTMq_TYYlbT(i6R<ZhUJfJ^6XZ3!a#83~ebC^FiE_+^M>Fhk(
z&(`1GH?VYeo;`u}nS}v1-%sHC0*v!%5uU*M0A}<21RL+iK2O_!g3Z@s|H)wNpGA1=
z*9>O!zSY2BHcwkGXE0lLTWcB2*5B3z3})}OcO`}QvVE}kItp)nD~<QR$l$w34CCKH
z;T`|O(g#@lFpc;Bl)=x^_z9M;AI~j|u+71q|B=N%V)1br@Bb5xx3Tkd-vboxpU2Xd
zvN%HH15O6Bb-4}a4chrMOMfqmaXmpgTaVk=InuwHJcoWgLGumZy0i#=lL-v-gX`HM
z9Jrc3@6Uh*zWO3AIG&ib^KMo@TSo)i8O+wtKre&4S^flr*D#okLtl+c9-CJ<TE71w
z5<|bAq40q^3hzDR@(Lp97fWw))t6yW*!w-#+A<8|bR)~x#>zkM+F5=M^?!*yzlS|%
z-|xO=mcGk%NSlA}6Rs1&B<;AeeD7oB*?Q<pQF!0?U8lJ69g<kFJf4H_{;OzxefLXp
zxg5;zw^;piB~Aa~{eLUfm-9jS>!r127|P*y7wCb0R{j#HOZ&VJ=#4TA=j>l;`~5h+
zaK2ci)91%xByIokjkNy0r(p~=^VrYug~t`A<#)mxgopq>-i`s4zQxh$hym4lk^Rq>
z4*|U^TO{*`z$)EK#;+K!f^6(h|H!(+fs{qKOsCs%(;}kbIrEZx?nz|QX{9Tt*4&y>
zH_FYabsfrew%J`-b<XTWCaKDaw35r+IHOnTNY9vKv*lCyv|1-OcjvlNiBzULCofE;
zRe6590vb}F{F%z-Q;D3M>{jJ`MqWx(aXZ&R9yOiJ*;2_mITj8?)Tk12M|=UFJJ=R!
zbH|g3h}$3chLX{6#G42PY)Lhj$fmmTpvGG#H>i2ghRw+fdelUBUWupGoV+oWZ_jk+
zvGH5gEYbI!)le=pt0|jFb|><)=4U#(l+Io`om#J^d*uXZSLW3u7MHtv{c4YD%jK1P
zcdkxWd%EEDJ3#$aN!zk&8z{1NCe&P=O@@DNxjmon%GK4@=HMl=Y8v|KNn|=|JGzs}
z-i<`<wKf{{hGMmYvTxkD(X%0y?at*hP%jp_s<sV=tkxe1E0J(W@p;=~(L_@5DS>D*
zpagtsBp3~ZqM?Kmi1__#LP`2!$w)L94Ep@BfRbqQ#UpVwUYo>mfu7rxZWxVhoxD`Z
zu7?>}rlxYXB)n6d?DzVjwLV|1-*4;4BvWlE6{Y|ZV<gcVv*nd_r5-BzJSahXlF;?e
zoVrHcppao@{b3Jbz+euBB<FqJaL|^{tjlG(vk8@s8R!;~IjDot?o4Jj=CG!mn%$6s
z9CEHV*8#PcIzh|i)HKXB)bFD(8GFsV*2&kl-gGTiM4phP$7Wyiq*RB$nmX7@sZ>5t
zO?kG$Xn7f5Es^O=rs&%B$(c4e->!DpVCZ2B&>Gz`l<H7AlS@*aDjVP?)V$WFw<+nI
z+Lg&cRU69daAoKE&dkP6TUy<qrt9PmHJR$}u-RtUlHEFIb}iYtw)^hed{yB<JMQ&D
zgzoi8Rj=S;#=phdbrue+Gm|69N#D{132oX0@qxO+0Tp}luuAhtgHNpma7N|lrqyg7
z2DY;;wQi&n3^pI^);gP8zN=f!_R<-_pKEgYESy%wS*MTX8d%nAI+YH!ZfPo!&Ezs|
z`BwKTx};m(&A5zPYnQ{}p^!OO((>G84KmCQ=+VO_R6N@C+uC|lY4wt9HJW_d)eQOM
z<twzc6xZp{C&d*APp-Sp1}~=e)X8Ko=9OH#I}Rsa&OOtHJs9V?UDTYblLK%vDrBI^
zAa$fVyYsLzWv?yY+XZ_XPTC<0aZTYs5@&C7EuB5fnuTOx%T2|Vy~b8t)3!B>I*9=R
z_=dnoV@am?;aFqS?u#Ki1(r-gyJV)O3kTw~%|*0L{e}I8Oeq{t@CB}-%}v%E#PbRV
z*5b2`^qF~FpH4wA5)*P0|0YIYVg&xb9)XJr2i}V3$z^z+)V#69=k-S+_4dK3-T)ko
zw_z&%xYk_hD;!vj2`g#g>538vDPe!a9SF3=-NB?c=vI8;kUJR&#Dhv3prC5>(!zmN
zSm;VxXj<5(LT;ZDy|{2-B|dp0eR4U&^rjUKv|#%6G<`|}&>c5CbW^Nva^XNTKEH%M
zzpOpAuKnR_3I|r;slD|^nmlgmWNE4+wO+~J4VYIp)4i@;W}j<$h1!wHtAHnWD(h5&
z>LW=~%^*}JNxE}T4?*!dDzvy_sSGG^J_8h%9PgC@+fC&&1i_G%1P~TELLjAcKwXh+
zm;kvp<~jh{(4GPM0+4Ob2$V<{ygz&@(@NYEhtGX2;`-iDtuIuYCIpF+c6VepU^mIw
zXFF<3v<{#KKt`45h9)JS?OiW7WtHx`RiJeiExTE6Q4{Uw6{9brRkFN*;6{rY>SUj{
zgbcMP*>!4uQ3s4Cpwjc}TG>)+g%y)mI|BYz94ay<W&FPxsSQmbHqYfkgNBn9)!^qP
zTA>mp1k_>@-ZZ78*U%YbsQRe1kT<~R1oFrq<&$z=uQz0?jN*eCt0H<&HpWoo-l;1H
z7wKG+rGl#u{JMV=WcgjT8?1MTk6J!z{=QjfnqpjF*rY$I`?1aiS)U&D?}DDF@CIuy
zWCM3Cz8oy=+yYHl1s(jFJC|@xhy@?PxI$eAlzO&T2CEY}_(e#1c_}Pyr8AZ5$mz{~
zuixwT`rO{I?Df}qV|4+a$LkNpg3(G(e8Fhg7hSB^>u(d*T);kcH<B(jSL~7oe_Y<3
zk7v3&lk$p&CPMjiQrfv<x4a&2G~o3Ihjz>B@dtdqNVHLJFudu4cB^e6=~k#>x0Wht
z#!y-Yv{q7XN_D9frpF)icmqDaFEped@WdAi_@m*4(2tidXg?ASq#v~v`>~+JrIJ&f
z^4x~zN}Y&$eEy&pPKCj%&mZ;pgRwv?)Sx#S|Mh});;wnaZyU`TyG8AdXOwJGUZV68
zj@y!qlC0FFh{qcXd42w&U5a@8{y-=en5Q?Hp1Po2+H9^Ted?|_F`7OBExj(QbU<Gc
zNV8LZ;4(G85v&M~vXT5@k1yZ{cHGd8hCTjJ$R7*V>&@nSFK9=5=8%5gHd;TMDH9bi
z4p@qcylUwp(z#rBhnlT4g&~hG9P`BjLwgqT1iZnR-#<rhv8=qHJ=-{&^lVkdo|X77
z^1M{10*Cs|zy<D(L!UZ2x;s;JE-Q5`=<$1j?Hn80v7jdq@P?xP*?LjD{(^QaUq?Fj
zmWmylKX-o1%I22kE9N&AQPh@pVhB*4PZ-v~RjSmhfX5#RhAN$e0Z$+n3x*?g(5t^*
z&|YPuq*qHT_DZwiR;*km!$BgqWiuUe1F$dC!<-_1*h0}De5ZySjDAl5xaIz6RByGu
zbV2)cPnh(HeBP_XCpM%MxSZ%pXR>NmUeVo2x>{+%e4c<W=8aV7oX-=Cgk!-#SZ}jE
zb3r?ISCDkBGP2aXAwlR4xnao?xmi`RiFSE;HVJ)dOx+1L1C_eu^#tJ14^%h|y`Eqc
zrpp)9+wI#fXqWEwlP)P0=Zn6%oCY*7k62O;2rt-Ag!UrDk<2KibfpRN#XNy<4E~0!
zMtBnP`MiK6f-R2x1?}BtqnC8=u8Q3wC%P81b<6a~rzBSCu%~x)tFozlC6vk+^#o(#
zP^E50JrVfU#bRE)(|KXf{kMBaFV|JsOU4eC$^FTozE)VJzKAF24+p(NQF?enzS#bd
z2ke=}F6=z&W|1Be&$>XQz%MPCQsz%oAXnhFX!%lkJsh9uROfo&A6P2&F$_mYC>$M%
zfBC|mFx&$Ag0u9Jbk&9Jqh%)P<Hm}!sQDa_n~v(Pj4Smt<OzBGuqKD@%8(}vU&Kgs
zrXJqlg7);@8q(3qXHNCpr%JsGdO|^81a5u@e*t|#PdFTjMPoI3r(PDW&|N7=zmWc2
z`iQh&ii1zP8|=5)uebfT?R&Nacscu>^~cs#rf--&W$HIQ0AA9A;1%7e`-$#(-DA4D
zbyp7gds4Secdu@}?snZ=ofn?EgxBCt_l&TY4CO!8KjXJYexFr^{z>%uhjJ`E!(Tbc
zHROs;&Z&7hMHq4!IoF}2(>KU%-C4M{&B}zsMp$;8D)54m*EtLQ5^^pnN7XYmROokM
z!rPE%=_%bbk)xTgJ>iy@>|2%I<v|j~zjIRy{Z1@+EiE{?r9IQ3<YeH*-MwC|EA%_?
z={ow<JoKa=;S99*>3==)5KTOt7=eG15xA((Z^5lXFGOa+g$QsVV56Ebm2T8oaP`q|
z!UTHtF>87(?rn=IVV^tZi~HTdaInp-B-FUu8}dg~uM&ihjQ7$)zYz=3gJjk;MU6z2
zSVUDWF7)g13BCH5RlfS@*I_!n`j|EN>f;TCey~*o@(!2d#-4Q<72tS8C>(e@o>|-O
zq7TM>`7t(Jg34r7F%+e{15Qq=qM#N*S2A(p!a#0E%7Gl9gh*;3)a=}x3^sKEof+Y3
zBc5r`bmdT5ir#8~5L2{PiFXreGB+H|Za7-qS;pLT1BVv`jX*5R4gL%AZoiw5mzWbc
zy`3o#<jA?(GFdkhX>!Av>;`#_B15>gbP;k3$TM_hHpp{3^B_<rXL5-oc?rT@$oG~-
zsz7?mTk8*05~+$*x=7Hp#oq$t$x^-Gw=8~aln6}GTbAWGH}}FNP&S_<l5}w6(s;|t
z*7C&)mk&N!c_q~eavs;NnNOqv)m-cRCC!T(hAW_UCX3a!vMC?o;$_es2o<4n!yR33
zT$OW~4hZlHNCvsHG{{1M^dE4uvLG%cClq)Wxf_H@7-mec<eUssEysai-ALG$FnwK0
zoRsV>UaAZ$Gi53qxSt{p_s~sPl9~D&FG#q!y$??bc6t%1sC%^uVr${RJ@i$tqpx~y
zLQzA+c5;OSchmY;(fTXkP#0i|pr5_keomcTIM9O$>*;Hh@T)2hnVE$H8?pS&wEW}|
zxA+Z(0~;`Rism+t?Jxz6_jmo1d{rm9F);%Fj3WSoGI!w)r`Y05B0dui!m-nZsr0;^
zNd#pwm_V_`nbWHgTL(dzPAo*R#hKH*J|EnBDc%?e%B1lL#TI9lvBd-HF`Z(IGlyb}
z2kyk@6kD9hutlf-Q^FO(b7t!&tnalxE`H8*2K3n1f?l=9^eL;!Iz`u^TTUo={aRN>
z_?7T|{Z#uWgco#w0{Z{B>0#kxx@U`j`g`>s06VkfT0+nr(H+rF`CwT4Oc3A|$OUM%
z|8z$HBllxp=oovioLuOig$Yy&$cs`ykn1{aF8K2G*Ju+&NO-e0Vd{;A{;M&e0}pL)
z=@S8xzN);Da6NNGMu(8lRIOkTEe@pkRagNf#l1W!ep8`;20o>Txwir-J{r^2^cEme
z0$2%Mc3!gVqCp@pyqHQCjCWd6@h5#s5XlP<KA{W7TV62zZcL{O#yfby%q#TI#OE97
zSd<VLBFn9&l4_>2gjKt}0k_xhZfRTsKVWd?0m_ujWU{$hV4z$>KmP2+Dt!Ez%<fnj
zDE9UGuT;BcCh|>;z(4Q^07t=xdyRf0ywgF3GU!VrlWvfyOt^z_CF%yYd)%D}D?xuS
z2pT@gAQXC|rjTbk=nMtI3DxgbRc{C+FcsAuOTvbXDS?<T(dJM36XAyz7y2*34f&V}
z_qAvI+<_rCMkDYMkvUM!3yy&~FdAQU1g^lC&ae_q&+%2uG<>wy8>sbGB-cS)FB;?t
zbu9%?R4dMxno|X#$ViD=uOQe6>Lyega${WWXkFEjYRYbCUcgI5Vlg77Lv+2aB^e3R
z*^^AC$4-Th^OP@A+Lgr@;Ujgi<|E}9-$x4YfN59@#V0&hf|=w({}q@-zp|dvS9U6<
z(vO*ES~MO2A?J8p1t#7Ud_upn9?e(wGEApmS<m3FEMP8|;&Y0*c#4?I8!(Z*55Zh6
z(k6%x)E4?D<2HVHIo-zRMzsGeHJLzlGeQ)bN{cf^M0MA6DZo9N-&)t&S`@u)EiKVj
zT%+6~9jqFqU8>rJI+_~Om~KOCW%VWhnAMly`*YsB96uB&^k0wj|L7`;o}I^Id^8*s
z&+=-%P-8gDt3|N?zdzG`zS6$Y9_ovhH7sA%tdUkHhdPibcwUzz-2p19la|HRhvAxD
zkn{QhN1^{(dTv?ix_w=pTRz{&2N#=#@-(o6OEVE;KaWP;j^}bH+4O%FKCX8OU{QaI
z?QZb@cL&&0n`aB!t^vDyHtV0k)88rUH^AH8$HBH;+}Z;E+oIN);L*+H^1H5fUFs5@
ze{%lH`9rXw_66s?&Q7qIw!+!q41=|`sZNLEFJSNQCysA9UT_?Be84dveh2L1e^UGq
zc#7L87Qm-n8(4r_EY21^;zgp-@~S9<HM#Fu_F5hWYkPNETEPciy~Pi9>@T&5;MML|
zV3F<%=8u|xXzm1Cax2UY<}la~oN9J}50*2gpMclB7r@uvfN49}v1<g+G_y?8!OorD
z_y^<5#*@Y`8$S)6(+(LQG;T1q8+RLTH(m^;*UuV$X?V%-BG{>W*6?n_KCoDKw;>I-
z2Im=qhCB4H=uhdtp?_Zgas6Ta0sU6}{rWC_T;HN!sGq5yrg!P1VCAsRG0QO>YzOM?
ze*ixSC+%MbPl!*0MZewl2kjfcQsNBoTW7YN1wVE#*<Q3AlYVzW{(dTb2Q1rt68s}R
zDeaUBQeJ8UOL~i?*^)<+rHdq^>s8lj*Y{jsb$u3W3O?o93my`CTz9%!UCY3x2m9wV
zUZykPzMLa$U&cX8IcNz7E$5)c9JGjo8ae1@4qC`T3pl8OgXVM4JPw-6LG>JT69>&P
z&Jd!-o{uFi*D_n!9_6422ZcE(#z8?23UH90gM1w1<)B&)@^FxwgJyBi^&B*lgRbMC
z8q=-kI!blI_N&Tu0`w*hk~!!~4w}J1S8&iY4tgU8P354=IcN$8UB*F|a?m9lbTJ3L
zfrBpMpvfS!e~v3FDr~ox>jcQgK~@fOaFB(A%p7FmAR`AEI7rVyIt~)F(6+yF&|f&{
zH4geS2mPPrsdF8ru(0iq<vIcS0|)({gI?vJ-*V6y4*CrTy~07i=Ad73(0_B#FFEKJ
z9CVt4e$GKJbI{MkpPuU|1%+*=%5?(tBM$lj2ff5W-{+toa?p1<=p+aICkK6pgTBo{
z-{PQea?m$8=<6JGf`h)sK`(O9e^~DqW>$B;m&<vDZSUux!yNQJ4tg&Ky@!L|%|Y+t
zpr>r_KG(VR2-^;p>jY?kgZeq>00;GP(0&fu$3c&C&|VJO!$G?_Xcq_V<e(iKw4H;t
zanM$~SC}^3{FQUg6SjA8P=<p#IjDn!(j2s&gYM*@l;fPghV{bsWVud&5*!rgAcce0
za?lzMx`Tt>#zCzd^i~eKor7-Upw%3-ii2+Dpp_id;(SzCINXd?pI)xhFKj!`LI1`<
zFL2P8IOur}`XUE?frCEJLB}}ga~$+p4*CoSeVT(l#X+Cspnv6{qkx5<BhCP4)^p`L
z0eY5$KEgpqIOu5(`Y;E5h=V@JK_7s--e;?y(TSXY{}Cw9ADozXIrTB&Vqu@)j5((`
z-tE}qNZFpTJ!#u!>k)01KU%(R`3%?r+--TAWr^OZ`!!@7^rusGExP$SzwS-CNxBVM
zNcbP&W#QYx^TKoRr|TON@3XL?(7znnL=REEcu>FSmIVt|w}4%!Bq)@j;?;uA4Ipig
zHsEH-Anp#boM4s@MD9_scu6V_f_=R*C}<JhB6+Oj<zz<g%;dp9A1LsnsxHX?frW@7
z$GOCCCRR4UdY#gp&U-+FQ>JzrK!`t~bjn?6knSbTrLr=J_%mH|xXVc;igm(6xoO4n
z`3stx*UW8cnG4#OU|1uup4o7Nf@$`Cq(j6^6$nt0DrE&k4$;sCsFs25I_qFgo{^&}
zb>xCZcCQC5f;^<;W)StWbs$p-(urVV5gt;bdZgb9RE$PSI+R2^=nZ(L6#AFpH3Bs*
z6`b5W56mv+Ks!|JoK@&wiqCFA`aftMMTO6qHw|?l|My?r6K^mv0uv)JF#>;&5rA9T
zM$Ij)pD2plj0se%!#^GLK|%pl3A*9h*y{!*?GUJpctOe|oM>wcMkDb^GzOAf3$YNr
zWA;yr`(l1yQVn~d{sr3l-w2n^4VXYLo&B0i=lPgUFP;4rE}iG$bNX@h<E8V1sY3r;
z{N}!6K7IoH<Gxa?UR4^e5~~@NF<d2*uV~4dRz8<Vr@-=(oCCAMXh@iTy%iMeCo*c}
zOG%0l!#7kI13v2by}TCGOUQS*y9@LH(xAOw7Ws(Pdi}M2Ur92gS?PdpdiiU5!4)xv
z-U7~S?Z`oIc>xZpeX$S_AYuv!WH@HFmP}uiu^vP|ma3iIt<0QBuC<wVytQ>^^^zV;
z&ZV0-D_dD`1LPj+wM%ePC!jm9z;D7tD)-<gau0K~3E~5wBzYsfKYS})r2i!MhcjEt
z(}$uBgJuq%mnW_?b99<o!3-75U3v1#vj_7x+J)m7HtV@uG+tBapN&&_6P>pTa-eMC
zz@*=xo%E?)h5kC6^UZIeWlLhY7jCOxQRt81OSoy1lLzncNTEN985EkqT>UtL#Pim_
z$M<QX&502hJOWPZd||TiKEdi2JIyico2-*eUl(2y|4;nB_(k#k!u!NN=~L2sq#d?z
zmHs|qi`cHQeoaUSD{SAkJ#Tx?cEEm_-7Nh^`XTv)3Rezp<(y%_q*`&eQA{d0J?!->
zzBXR~Bw~YrNhKozH(33LK#eK>HYF5|M<VZlgX2~_IQGzkBRFo1W)xx=(U@vpsR}ga
zACu96-}ZlKW(U6EAcn^X(qdo@KcDmDx<Iv9%@PgaRA#8H(_EqhHGDzf)m_p*cEe{7
z%$~WE{x&dQ8&%@5n7@n&YH+}k-vp}U8y%BA?})w=K&&`2)G%mZkYP|z3HDuZmEgfL
z#wF=Aq9p7l2&aZ|RaOhuifaxnk_UsDsa$qLS<;x)M*d-q!1+pb4gYv!I-X19v*~i_
zqIfH<Lt{4f0=&J3od|5j=ALFip^NQePb&%GAzzblCh40FW6iaRn(5_4q6d3xNEZ56
zQe-KHh)J*{5`BJG{Da;?Kee&Eg&nT12TYtfNf=24xdu>e&62%tBtc`6SG!ih(L!l4
z<D>FAB|aD+NxL?$qjlFTTi#Oi-cWooStAoY_=QR>3~~;k-BLBYAT?WvKn%dY(fm4$
zY`X27M4*8Pcnf~UDG?B?Km@Qg4n)A)FefDigI5Augc>WSY?0u!ws08KT9md3a6zbP
za>@k>YPcZOLOJDv1S@bss4;SO#ZVNzr}oBKyMzR#2F6(eQ5tO0zS&f}OSkKs5uAw%
z&ff@x3;in2&>B1e!{&;nn=6@Gl)i4<eE!~JqNa%vm>7YH5g5Y=fZ7>#@k7<lg2V!q
z&kw0<@IWi4dIR97qyLV<sgVFQHWp=ir~Z^MS^tb6b+~@*ddc;W{YUl}?VqvV0Mhn9
zGk?kaVe=mI9p<IdFZIt9|6J|*8T!e(&*<xPAJz>B4}lH9ly0@|W?fi!h0Y=TpYTiJ
zyYM&aKbN8>=G!O!jei7OitxMfmwr8#bQk*X!8N}WKkZSi3#^Kkp<Rlh<Mr6liFckD
zf!Ey#0BO{XyOYvNVR8YU#{|l@4Ns3pV!m*~uejTQOY06sVsHT-jDXK5e>@WKwMD#b
zJ|9qeIV?mez3{Z8FC2)1D}f+Tdeq_$rS!rYN{`yyp_E>@0;NYy@K8!GjFjG%*@ga2
z<dp2BCc47o<_=d)Um%~jnlY$?Ph9jvsK~(B$)&&vldLf<0Ny;AXBxN*Cq@&==|~Je
z6N`3C+^uYBo(Q3JWxygHWCVFKuwq+w%FC|4i;iIzf^GT~2*It$<lD>l;a~zG0(KQg
z;J1Q|8`^<S5FS?6)1`o6#Wa{kq@FUg1{x!^#71J!@9qYba4^IO{4#hkVt7&AkV$V)
z-JR-2;L7Gx5Gd(hU=+H+t1mOoSbM>5-YMUeaP;UEEj58S%+>n*?kxEJ%`?xktxXvs
zEeJ*ri#GmS!Nz}?DGF1nq|#s=vBcsb%>c_&!&7WgJGx4@^5il3N3*cY`vx#WTq(!Q
z*126>!##u+u3n)gdJ}2Y6Hj$kDi2vkXnZ9|D&|_7y5rEpVM^014OFbMl&2CqbWEIb
zV1|dO_b)eyX97bXoLP7WImt!d7>=qN%p#L1p(%rOpIHv3`pofJhq}(XztG=7IjtR(
z&rssD{;k$JoVU~#7&~tXvx*u4V+rDe_Z9l@#Fu=>dis*D2QDr3WDC4dUx3rM)_Az(
z_8#z6D+xyo+I;2RSKfYP|CKh|Abx6bHxA;Z(mepnmvD5E&C2aN`k+)Nyjp43Y0L1N
zP5WeM{dC`y_7-F=RbPAsmZh|}AkV0b-s-<v=OXtZJt|y18Y0tN=%>!)H&X&PT!AlK
z+>^sQ_N6;ov%6t8v}@6ksrMH8*U=rzzW60UlE2MI^zuSKbx8eYx)&#FKc+B9YeyTX
zb9oNz0&0+yjWL=l^g0cn6Q&4{>FqBX{Pxf2;r3qqnD}nX7mXK-JH(8*O1#nVBk^MK
zTJeOV(f;4|57`UChlK&*vErZpRsGM%AAPg(uW`JovoJtS=+MKf4o<THYCDG|h!4&x
z3|xv6xMdNJVBPELG>Z;*m}#9)lG~n=8bWIVEJvie(0?bpKq^1mSbnBG54iFjxpr_H
zPE-ci^;4=79FrwADQZtbO%r&?MHf9{aaYyRN>?pk6%Mw-zw!Yz=*&d1!KImGcUrAm
z2FTrLmrbL)t2(FqrlvwaHHE%;GOm|sg@dITys(3LXBA9AgS2NFJd)=?O@#WD0tF0$
z8h7X52WW&qoXu?(3;p-uA}r`=rKMAZh@)vRXNGd;Wbpn8UR1FP;`1F_18opY1I>-1
z7b_W1^E{w;8B|;WkBsR|W_>OCF$XlcjIAeAS&&))G+fPzF9`BTTg_J(uxSXe==4}3
z<PAiUK6e5<ytsq0c)%TvCL-=wG#FMw@npguS09;K7%*ZFw=bYQ95-d8@zhe0J%a>M
zHSaVAg6MBQ3nP#{N>`T$eA#=l-JP|0CAU6Tn+V0#wop9c27&LOJD3Q9fxbjrz?}>w
zLWxK;5Ch4NvKe{p7otpVp+Je(Hx4xU0$ZH(m8m0oa10@3X0{fWdk)T#GVR02n3+gp
z&>c`(`9yvh48;Q-2#C9fZH&sLi66!^Xo%$rEt?y@GHufwE=eR-nwKwZSv7aX0u5GK
z)DRnlQv&)}dXI{POl1ONtY;2Ki42zbSXvk`P^`vIcWa3b8Rz1I@2*{gH$~AL-T-wX
zLy?ClMIJ6K3|KXsn&`9$xU5VBy+PpA3{X!Rlv5Keb7}^tFAd76i4Nt|3{ck^lv5LB
zck%<&K?cPGq69IZo-tU0Xf+5ndJNVU1}5VxQK6JN^XOj~dyh~*(iuA1GmwNC5GYnc
z8;!oMu#!PER;p}_kDwx&%?b;hVG)Ex!7bV<7x!o@I);NSJ!F?cu|enw?$OrrCN1yM
z3iUzpVK5WMcp<1saldLdY*|Kr(3T}6AL1~h;U=SgyUv9yay(L8vDXv^F2NN`Wn$_o
zpeQB5_yKC{lHtQsfxx+6yHTeCfkAycPy!>$5g4}>2Hrr=399~CSHfGE)FimLCyqi9
zTOp1O(Z!~A|A3M$_0kdtWQKUoP}@}CrGUeE&kcnEYN3)+R&|r>HM*r>*;xe^9q~ST
z-7J~2qAJ&90av^Z+#U3ew$CP>PmI9C2%P5;a9ZvH{r~#}=>hw3`*Zd^_IvD#eU|-=
zc9ZQlmK(r5<Pq~b&2KZl-Pmb-o8bqLvG~_6G=hzf4+#GTe}eES_&@gB{D<FK81Uhd
zw2j)!pFM6uqs0Fk$)Ph9(+`A_@pv@q4o86a3C4rqwo6q)ZY7|AiR@%F3a;PBKyAQP
z2vxdQ$PEk}iiG?qUa-)+6In^X5s9}j;5!!FOcT5LBhU<aaHK@;NFZ13(lzbMI`HIK
z3$$szJ69X?dLu#bk{j^`LeXd}91h{f)h)N@^If^R+S-u{`@HCa6>ih~zJM28K!(bK
z>o9=rikg-i6=j`V1Lpk|II6YO2Ro@N(HzY4?Hb|+w*ydg_Da-ff(OLVy`c+zEu*13
z;PNO%NNc!~0cT!nnZ#&72aM<hyAh=SJ5eLDgqsuz5KnoI%0&k~B#Zz+_mLcdSt{pa
zM345urbuawfjqdDF*|9!aJf?tZq8a%Twc9kFPs>EApYgA<>-Q;Hx&042E6o(Pru5u
zOO(M#tE9pb8|UHzJiS(fpUftRJM~3DF__un1Avsc@f9DTNXhKi74AIj^~9pmA|y+2
zun2jjg;+CFv+zobl5p)<`k*yOkzx(D&P#j~w0RUk@9K`sb3t<F6b7hUmJAZ6vn!ys
zMYjGhD;yTg_1YCQby;CxCSB5O36+r8@gBsX!T@y>L*1^<o?Puo=r0UVcQUJJ@61&V
zC}6txpXYD*M0FD*FfjsEjle~P0qUQL^0DfWj}?T}8F<QQQbQp)d)}lud+I=%X+XvV
zD$P_k-LD4KU^J?@!@e-Ea-%*(C4KI;SlFA01VS<3g#nN3N-RXBnd+wb{qc|*3njqs
z>i~5zL3w0#8Xg(-MnQRGbrpDI)b9)Bk<}rO?2&L`U@9Jr+vz!0H*Qo~OYyIu2Bcaj
zXJ9_L#{eQ8@#tzgZ>#9k^*pc}s>Gf(JcuF!?eoUGfH?<av5+s~1pzd`fhl%ZL~_db
zUu{P+rzR9&Tx?L|(Dy`pt!8j46A48*scXl^00C6)!uo=tx}l_}+S|qwqESR}%Xg2O
ztH&~aJ2ac-7ILI)rHjZ4nKqU$B`Z8FT~L;vX>TTxU*DT!SCg6x1?^R&+}WK@V_z#`
z;dy0Uj=IlrGfQveLX;X(V~e9i%XmXYimRLy4i2NR$ryJ$nm(9+-&+{CoT4-dL?r4e
zV(C>b<*_ber|n+Q|34uJXM_{dbJ7!1QfiiNv@NjJSbu8$rd2UNXMW1O%k+ZIRQv;4
zzh6iRtA%+`be<qU_{FNu-mzwaipS1Um{u5|-tp++IlIE)NnHoh!*ezsp6{4l7`Pdy
zU^gX{=8XIB)G&>y-v%O530wgMeFg$^Jl74n<9L9!seWJ7=S{f%N)&v2MWSu)Xfhda
zhZKJ_(iZnCUe#OqjH!64YA&9sU;t~GIJjA`0jP4h*m|y{t*)i-M>tYbogO#`yTSco
zZ>`elPIcz984_mPML*hbOYR1q0SINb^+LPujU6eF)&$rMlq-83=sUX3)<~(=4uAA6
zQ#1ZRkGD3LTGt7j50C?mD>=0mtSH87I}~tTm96bnvP$hbwQ~*W`kHj-`Zb_E4ZLVb
zziNpuroArp25WtxN~{awpexMp@$%N^kL0c_$TcMLbztMM69fcuq!csHSVtU7cfg0S
z#OJ2RNy*7d1?OCTDzivVR1G~?&R9HZiL@(ofewv;e1He2f6qoWP7PaK=Ye<WBwotF
zbvX=ujphg(a}{L#MycRj8Xu<YaIMNIwWreCtfD*1lWSMg=?dMI-JO{(dAJAJ3~8_O
z<D`mKG%FT`dyZnEiXV}-l$uVKJ|pwN)jMp8C17@wtu88<rcJMWH#|4lk?I8Vq**|<
zHh??{3IOFs{)B8^SQuD{2Uy`g{D#aaeM2tb-mUPhIrm))Shv>5-5kO*qDJm0!9PcQ
z=(@tdeC+I_)KJ}=*A>sm@8!h6w0pm1CT#Xrw%c2ovwD8Jw+`O#tu^#kR$CHR9NGMp
z4h&5VWFu56Pxy=F6Gl^j9x+g))B<5pX`3FlsJ5+Eva^c~^Sha=xK(Z?Te($c7ta)=
z8(5o2x2-k>HY<RmiojO+wLTXfSZ85i9>wmK(w$j>2{z1@A70c|dx{J>S75`;)zGbT
zrq&k*sI9#meS;FqYz!#F<%I!invdQr&*5&C1BC%<rtdb|fL1Gyp4AnxAn7Z{&yN);
zoX9^h0uv)JF#`V(BLI9uY9x~K4QCT=eJ|k~Qp=F+hJx@7BO1Qp?CIeuuAqT$7}oF&
zXHQd96>g>##SeVLAU>gd!`Vf?Aq>gb>1C&Fw{V$GC+MEg^=jz<r8ckixb+j(ZRX#a
zPno}FzEk(KE~#tK&C<P5r<1-?`~$ARe&J!E8~(=h@64FI0gPBRynp?O8Af>s;~dwF
zbNw{M7XT02v3L^ZQNbs49_zu}@&Gl?KnK3QIPk!8pynAU&!N5o&w(0hpgf0q<T*g0
zMOZs6G^au#YD}6InnM{Ck;1^+D5HYfwy8fKj0&c|1a1>RB%KI;f&4+cyo}y46Rtrg
zmEFoA+aeMV27=KTSY8Z8lI|e*DR;-b(WE=9_#*K(pQ6U1ZDU|t09Cy%t90aOqkwpl
zi*0abP-;{L(dkZxKWGpZf=_~dW~7K^6sCta&yB#uNM;f_&$>)z9cVbhoqcVti%7cx
z4GE4EYLm6TNLO=9!?G^Ln`;YqHL5GxyK@^>-5k!gv?o#vqVsdBTbk1iE9c(c(3`2u
zKPj2}ix7X{z<=P`2XZC;!4L)l!P-Fp94J6C6ClE{GKa1vhz06&1~?Dv$k?={P)`?l
zA1aWEGy_Z$2$>L<7nIwxs6h@?m_!-bGP!HV!m7{+R}ksYLHemzQKNip6%`dsW%(*l
zCC-2??M_fSR?^T7&{Kw9ZBTQwWYx3ILuY)I8drO?TFE5}fD8qi`_t;mm6^b$$1p;m
zc{&&Te$Zb<feVs>{KGovqmq7H1q#2FW*J_CbtcOJ8zK*P0>g-}(^{HQ*BOM?;bn%1
zz=I-flbUTK%Y!^0+F?4w%!@268>F2o=466Ktqb9uhN-NWWzo_Fm0K%jP?AYdfhpyI
zml)MoFuuB5u8PgA6b4!;ArwF=p}xeTIFCCM&TMKWj-A<rdvLq<5Emc1tT1pJ<sQ%*
zx%$@?_kfo;(TIN#VQuY3VWQe>OTg}EEp88(Vg6xhSHP3fVx;<Ftax!#3@KXP3qu~2
zx4@uksm^R^1C$H0Wj}b`mopSsYH_&_su)I~lml0Lg_6ZZ4v)sd9bkuB6`#m+;T3==
zIJH<vMZxPUunO2#gJn%^7qWFeHCY&-rj9pLv!C@PA|K9=^Z0=UKEO)cPm~W(&+!4~
z76z#C#BRF7wS0i8M^F%q9~=c|n|M4i0uv)JF#><@5divsIUa_T{+~mniK1aRo2i#I
zdN$7?^#4-Kwvw_(r&n|H3v}rcEJU%CIn#oPXxNvCB*EV8z+!wt$<R4PG8CFgXqu^?
zUJa$@G~XoHL6qOzY1?JXTc5Tb6#r^@qs3<aU(+LyT>K*=ofmEr-UEN!zmE%T2tQg^
z7|0@8wO7Sn&O0BJ=`Ct+Jfmcj@)8B)p7ZF~4~ft~P*J@8kl!8l24e1@x2??$@;nd(
zVr|KALJdZe(aOR{L_8ntAkk`p1SB`7Mb&Q&^~;$+D&<e(YcTR<KJlrSQ)kJGvPvg0
zi3IA~x29B-D+g+a<^|Fe>qp&jp!U#nA#piGDObEi1{w)2)8Ri=5ntI%+zz$1L9TS~
z2m~!?Ua6hEZEX;(TSwFd+H1jrxSFeFNKkE71;v4Uwzn3nD5<rLw=B4A&HR-sRxDW7
zvSwxTf)%yJ(RI_&t!<*CQ481GY7ay0E8OulZ%no2mv=T7B?6!)aP>{hGyz#!+Xa#~
zwK0D!(&wWP%BaQ+Ch9vf$rN0lg2cYx>!XR|Qy3uR9!EW|Q19vnZF!=U0A`h%@l8tv
zG;s(CZ=M2G`kdTa91XVCz?%+T8z8^{^UoYN%8j=ySt+*@A{OY%9Ejwf+W-wuhOa5k
zURfdl>H0+tb+Sgwn%7+}VecincbHyPBqj&vZ3fYed@A1!Yf78HXcuQNUF#+Pg8mqx
z{DHpBku6a}_QrLCUJJ5?s?A7hR7j2GorSekqE1UgHjFgZ49z_onR3{#-Gp}lDm$<e
zfTZsR^ABj{0hM^D@CNKjn0|U(&@G*lYuZ(1LkhAc)h@L&2{lo*pG<ZgoCG;MM!<O(
zsT|yl<<#qD6tC|))MTo=W2mOaX1GGT3y;sjDtdgDsN)N~&ChN9n%_P)YqN!cBz~e8
z*>a`r^TOTS_vCK|z*m~u45Y6zk8ld8kwBIpKCq@RKn(;wQcLILb;T(dq}PpXzcs+4
zR6N|7LHGv6jo(^4`-+EOnSdUeMSD6BWfOAbkbi?L!W2)78geoKQ-SV$_`!|~Wh`WP
z@hv!fpiFTG;A^RX0hc^EGeL@moLqIX*Ou??0;VM}B5i|ZFE;}{OO3b{sQ%Hs3N-iM
z?bv`NskQGmZ|Y{Cu-DULg5KrNE0OvCV0g_)I1P;Xop=gR9>P41hX5v?Quy!|y63b!
zgi6yd2&S9<W{1W^LlYw~F#;1K@Xs>>PSZN!O}ej{tS78TtbNu;tR2><^;%=Wc)Q^h
z(>n}%^;ei~H7(G6&GAvwER)0d2jlmQ?=kh5J|#Y9dQwb?E5z$;*NRg_i{<C^@1JL6
zUY9*tTsUY({9v;QKc5XHGD55I?d{1b8$qJKtP|z+gZ@Fp9}0WH8FL`)_1=`b(eEo{
z3kRubsfQ@*s^Rs80f#tATdkih#Df=gbhRtF_BzBwM+ipunY945g^Cs+<~B5ItQPvl
zjFjG5IH;$Scm<ur3OH%;%5``dQHtd+1ThI>=)i`S3EB$>simsTb7{>S`dBjjlW7BF
zS%z-NWSoE-1!#2#rILZ}CY-7q$)K@&Q3LLq-Cz|e-wU40a8$3mx-jr|MC5LuP4QTs
zTwh#-(+dOCh!G{S8q7lm)8s20bYfL(6;6+bW6@|d8FUAtpg$7~B~)TVFXm3hfb|zv
z!x1oWacSWoHCaX(s14K9a2t4C2fK$C7Y<URh?IfaP-LJ^D;%We%&16C!(fq|O9}@?
zd<`}&mw{-0J_YvXoP~qbY8fRR8-SKPXvCZ>K?J9&leq&0a=5fPu7m`wO|yon;%la_
zUtTy!Z9`E^c_BB37ZnalSOw)iHxTZ#KO&ygU&^&K0Zfd5083k|Q@n7}tx7hP=>`ER
zFed_XL$La&PBC4u3&{$es#%{4#WxoYQtP}o;&xtG;Y?cDxgJ!JprqDn@4~4|3J0mt
z-py88bofI@CPx*xB1m<qgnNb-Q`dJwrSjaS79c6p#B}PL3J0kfv=FV%yi_4p^+|7t
zll!FH1jVgC7nYyLc?U|oS2G;*$em6PCeR~k-t=m2B;ZbGBNn1Z(!6PHamA+w6@Lus
zr^cBX^NGkBQdb)EjG9+IqXzO=1wEtY4L+mZP#B=jGcL!$nRglGIKoiWpUZGOBo+=*
zCDli%(c6WuD@>rq7XjW=iACj$4lyZ6)(lxabv3Q6z`^ZGts#t2!mujB$#p#B*VYIw
zLzC%jSAu3y+R3Mp{@w^5OLpsnm8Ek^F1L|B1CzVqNLYzS+I*3i8uIznfH#@+Clf(m
zJQ;|VRkpEYtS#zm3&rAzP&63w`}`5mVoyM+Kr|dulb}|Fxzvcy+vblZLor1O`D4j&
zB<4>j;kGt!Lh;1|!O|dLZg}PPbk~{yElUP~48)qHnXJlgk?0f1rYc>)V252vQ#x`W
z3D}umGrAZ}rR{l6_|d~R7Y<qwLE8FuT;&bpzH1zUYvAo-HR#0{L|h4L?)>6bBiss(
z2hXph7z@{EDy-Z!>INl8Og<3SZb>^Hv}XO(b#f^w=k*0*74Q3Im2thYN-j8z34@sI
z`H_(w>6Q;=nHi=Jm$6_=4Mb?sqyw=LHvIitrE52;`42anpnY6^UL+&rYe%3V@DUaD
ztaNpSX2!MtpE+gHL8v^P3Pk9Kx#=oW2WjB?r|V$xQ9RW)^y0}W{8pGDd{B@+ASGSD
zcNJWdorj#Yj?X%l+F!D-xBba>tMzBrywxDCvAklr&*CumoBqf2u;~)xyNv<E7YuLF
zpVDV^f6;BzO@m6#{cogiR6~O(=q}UEpDQ-tt~WQqeH<Y-GFf6=J=cv^_S)e7x!2?O
z`n_(i&+QG%UVoi8R_Bj;{2{P==hwxB>qlxu^Q>WBvB7!cXfWdO`(u$<O!v*|8>}xj
zSU-*i!yZ3KLxh9+hUy!fQ*3a~I2sIj0^V3C=+l3!`UYng8=O6k27{hJ0KR-a!!^}6
zSXXSYZX68;JYdY)7YP~mSKnZ?*kE)V4f;K>M!o)+QLMhfaIwMgI2!bMg0LyPVPkLg
z4F-!12FKB$*At9+175%Jm(@4uFE;2OdxO51C*%u7B7W0bt8dU-Y|uN72BV%xAR3Cr
zOkb_OK~J$k&o~;4ctRntHWe^;Ro&pmSypnEZoYP|I7`zaH8KivEqUSwt^p8XFlw5F
z?|yS?U5Ap8)od1oCN{RKoifusAz#x4X|TsJm)yHD(VC&huP^Kg6T_uJ^N*{3$A+23
zL7Ay}#VXHxU&s@VdL!Y8WkvN3))X788ApRbPdMTa2P2j*R^Q+?#Rjh#M}q-RB<K%>
zf?}}x2CptQc=b3M^m`()0JJEcth&LCGfL}hhNi^}x6XX<j^1F@Yh6_JJ2uG0L6J4D
zSnWFVdZI!2=z6W6tiHkN#RjL3y+Lox6OH*n0nc`Q^$kudHaKk@4MsgNe+X3kY+tLo
z!HrW((>_(x;su*_Zv@^k8uWYZ^;N%P!<6EnOwqhzmDBDGdtxDfI2yHor1}OgEjD=R
zxEchKD;5noW>nwc#l;3M9!G;Ak2eG?hKOTN^$lKBZ1AFSG#K;%7bF<;IgQmfIH}m+
zq;WJD@Bm@}2%fXM`UYLa23_N5&<`|-FBtMUU#`AEN3lW2I2!bMd@(S07;&wtzCl~D
zLEAVQ^m+o|111o29k0GYvDlzE)&`?>p%~C0p^(=n#j0=6Tx`%hjs~NI=!r#r(zmN`
z5U_blxEjaNU<8IV0w3P%3|NbEu4tgO45D#iFd(ZRj9UhPhOL&yb?V*)^8eo##987S
zEWfvW-|~6OR?9sWRhQ8<LNfa^=glk3bIo4zS0<2osGR-}@+(z1IE!ARQZrGFrF#eP
zOy_RSgLy8ZTF{coq;n-LcR*(W^KF^m1lr1g&jtd~7-$D1;g%1bBbQt)Gn4lqKTb{F
zUsX6r4OLV1yT-{&mF#+QBcY~<q&UdT=W?KR?kyagiR}AkoWn+~bQ}1!if6jP-Q0?X
zrqcU>PCH1rec>NuNGD!nVgx2eU}6L&Mqo@M0FoMS##5h4YAhs@8pOW%!K*Qq-MPb^
z@<D2xoZcxf1U<okk^ny~;GHubcLxK0#U1yl5jR}y`D2MVxQYxaAm&1Cm(x4th0~&n
z5>J9gToS}wsJU`_g}ktQg?x}&B&S!%3kP2zgP6;7d@m~IvalrPvSWGS;1&2qeW!$<
zuZ82jcdK|O2oAsHYPx(bS8r8G7*x1k8ze7LzQ~Hy`h0MgRq^I)(Crpz;*V-T7VdU9
z1-50N(MKh(Kmk&2SHL1D;3rhq4vgZKZnWBfFGsF!QAaFCEDksKcH}@WiDn&q&o#s_
zZArJRbUzGOi;v#%k^3eB74M@<cjX!lFfg*Bxi`O-Xl$*_X5!u1OiqT$Mwho`=?rZn
z#d67Y<16JKTQPc1k7ed(;#oy*$!6{ZVYc$ip-LZkQUY5+o^|QkXm<JSD_8SxOfUGc
z5^&|IBzom_*-Up=Q9^~!T$TX90;^K#B%p=eU_+S`Ybk3I(ssL28&=%Dn6HWo51ex~
zqsbj$17NV>PO$qVH!CoSorB*_U6^SK&gI{3Gy#QiRy&$R!#Jxgiau0b9JWA<nrQDN
z5`XgCP9@!&1KfU5XID3Mc*VBKwXK!JD6p0J=}dQ0Zp?In32dmL6AT~CD-G<%jT=2(
z8xvrg%G15RHqjebv+k1B?XF~7ZGx0`w_|CyLQ1>iZm<-kq&@I>mb|jrJ%7Q97MXJ5
z-SP@GxdikSK~uG;<42n4&bbr7sRv6~8)`cfO0E_argF6{bA1uF&ledqr&_@eI#O`R
zlw`9O+|^BWrf=3Re>oBfM#JD^4a895N+bgGawHmRQ<ETlsrZt?wm?8hdXs@z9607a
z;%<s~fR4rkZED=_Ym1i+W5bYN+gg$|p<@U_scM_joz82H@^Tk7&Koqgh&z;8puf67
zHySR1%ZnB*SG7{E<Qg#41c%oA^HP1KEB-MHS%6*}D4DA3Kn5cROAZGb-@PPr0b&^7
zji7=VX}3&e@rr7vWdVS}3UFh>V<s|BjKIVQOpL(92uzH?#0X4`z{ChljKIVQOpL(9
z2uzH?#0b1DN5E#hUHGWsm>~U5`l<9C>A3Vs=|j?!(rRh3G+XjWvUHJTbiL|2?fRbU
ztFF(wj<}w3?R7ou>TzA|y3{2)|K$9Y^M}q8&M!DW>U^)W&-tkHUT3Fst#gI5!SNTz
z8OKi?-*UX*IO_O-W5BW9_N?vQwtcoOw!3X<+a0zho6Y)X>nqk%)^Av!w|?Au*m}Ua
z)q20R%Nn<~SQmmFf|=q^#qWs6#ZQVK5}y=ziUlz*wu!67#o}yH7B3QwqQ~-C%Mr^{
zmc5pTEj^YyEv=SimU@fda<%1B^PkMWGXKybn)}R;n(sAtn%9C1LxVYNt}#zFJ4}Bu
zoiTmO^n&TA=_jVFDG62%8clUz<6ydJl1UGC4qi5%G=ACmwDFK}xAD`)CB`{MuW^R)
zVx!q`*6>TiONJK>#~hm+Sx3@wtE16TXa9r!W&26{m+hanKW#r`-)(=;zQNvZzumsX
zKF990&#+%?d(n2xRez!W49^<gZP;hnVz}FoHr!!oGR!js4c8c^7;O4K>t6vajc@3m
z*MD4pSbspjRe!&}OCQ&_=ojjv`kDG^dRKYr>YgqCp7`~TKLSqUWjZPk)FSMNa!`bW
z!W<OhpdbeYILOaIAe^UZ&&xrz9ON-=5~AZ7zj7@rgdH^;bS(#6!$H?^(A6At6$j1W
zpf_=l%t2Rj&~y&Ef`g`U&>J~uDhFN8K~v1{J=alc5_Vivt`nfi95ji8-oQaF4svpk
zgM;iGWaA(!2Z<bH;UF^ynK;PEK?V-eTfTa(qqI!e{^xR?0R0~a{fUEK<Djz~^gkT*
zDhK_MgZ{ulzvrOeanNr$=nMz_hJ#+=pkH&)uf*S->nJS|w!d7i6QG}Q&`&w&=N$AC
z4*D?%o#LP$anKJr=m#A15(j;sgTBW>-{qi_9Q2<Y^c~xja~-9{!uGG1>jdZo2Yro$
zUgV&!a?n>e=*t}R?;LcTgZ_<!Uf`fFanSP|^hFN(0tbDbgO1r=I@eKZ6t;h=Tqi)E
z<e-1$prai0aSr+z2Yr--o-0GEg&ntZ&}|O=x%S~!VMj~3PJo&@Xaxtog@cxJ&@v8M
z%0Wvw=oSuI%t4DdsF8zi=AeZfw19&eIB34pajv5Tn8%!QodDg)L9;pN1`ev@pja7#
z_3|tSeT0LKaL_Xx^fU*3n1epVK_BFx54im2IuZ+o?e8hq3DCPa=v^H26bBvRpm%c6
zlN@xAg9bRLpMwr?&=VZg$3go!XdeeX&Ov)!%LEO*P<{sc@2ygsFta+GuUxJ{*uH~<
zwsX)n4%*5=k8;pEIA{w8J;Ff`bI?N^^dJX4z(EBL+RQ<lIOy#hbU%#AIpV_egzdfM
zIsxk8pp6`~frGj^D9=GTr|D+FW&EAN6gK|RvBELe;kCbLo@u_s^heVVOkXr@H{EAi
zr<-cJS^AB1O!%d6LinukbKyI}mxPZB?-CvrdUf|ppOc=Jo*rh_b=M11D?ifh(3vVf
z8AGb^_d+Y59lEoaPZ=*{y4i4Yyk#fKO^m?A2>fG?fFwPAW8t6&C7e5`7ET3QX3N27
zPZmVzI*9x&_-J3B&vc<;4)`=o6LV>9jp%mcR5$?Tk-7^K;5T3aDgoXI65xKH7pke#
zRzoDfsY6*R0p2)WO-6!kY9!>2gknK=FdmG%6*Ulb!+$l<mh^+bTmU4%slQn&0p2(*
z7VyRVZQ*bTB*3W;St<eEsF45<VY^fUym7Du_~gPt>S6X0IzH%o^sy@o2LmYmy^mUI
zY#g`rx5n-Ia7s^ThpC$0k3ksx0;qjekQ6TpTN3>-5Y6n!WfPu`R00H{Gi`bFJgRoO
zS2oucWjo#Lx>HG|GojWh$qlJo2K=?mzjc9|ctUY|BcOJzbm!YM**XxTuB1^`mPC)$
zdPB9oP$fA-rmeQ7sI4|wj1bl$OG+qNu-@PcK+|ro*FQ*ty*eMJNi|O$#!?$eLuAcm
z>Y<c)GARpV!X5(+I}~zkf{}wqpn6vl)m%jUp%Q~l;1M;S?N+HJrJ<IXh<DObAu6_h
z?M#p$&F2yxu*p`z*XD|r=DA&6!$0(o@U&t6Ql)d4q8oE-TEKCwnr>FJ8&U~%m~1PW
zo59RhCOh0?Jb>8w1C2rdvJ1hR&ls|gA!|4|Oy&-H5H7oU<mbaYZBet}i~(H04)Z+M
z1>-~9{^p1{a}rz`Ri3Ja&0vuv0ScGd-eGgh%@J#R#NW>_S(awv%8Hf+!#qv2XEPnc
zjV{@S!;~YBw4+x^0C<p%FS(N7E(ko2{N*W1^tPwgwGXxCbw}Z#pQ^mN>B(I(|9rkq
zBlu+bw4W?uDAcP>5FcJuI9Q7>v5kF@UJs@sYrs+(STh6_B;LbnvV1J9A!AsF8o`5n
zoRm)|ayC)hlGNJtAP23bgQ#>yffYt@z*0Vhh;c=lP&{~wDW$`PB~&_K23M;&T#D6<
zaG;Ekg)IBQl~<^VZUI&gcWCfwq&i3`)d)T24hfdKd@!_XP6qaH&}mRg<xhZ86LefP
zyPp*(?|7C_+~pdOb_>jaUuPrdQ%@aHy8^X=T)R82D*2pyrmd6M4wb7xY|8Fx{A0EZ
z4k+e|k<iSsKXd9Y6DI4vsh2kEz9}_G0o|`1w>uU&qV^+}ePHkJZI%U=>&>s4e`fxg
z{xbTfdrtS1E~g6%ujyREYr?O<M!=VaFNX>TsYBYg318OTD{L71o1AM2X{v5%b#+Kn
zh5yBz@Z&qx6?r}70(xLBp2+n0T|D^~CEE$E?$z8ig@X<F<R<(&EUrNJFw2qBRO8Xt
zQ=cc^bz%f2MqpwDfY0(4JmDyxWijwse9-{ls7)Fibur<yP{+NL&$4)W0E`6&V&RxO
z6!iPtL7$p%$AO39j)uJ6Hc(IW2jX5hSE*lLcCJnf#=#2(80A)h&q96mQa;OK4WH!}
zY?ty`77ymLfTsOod`>m(7nd~cx4@G{h(qsWRgRn2vVu8*r7k&hc@;Pf@>0-aC7vof
za@3n{6}_+QO&1hdK?#;tT69=S{AK1wV2osv$qm3|=*XzGz-a(O(7{@tw^mb=yE_MF
zCEe@NK&qwN(#pD=JJsn%R2tC0wCV=zG0~j|tJLmH7m0H2_Ea(nY?U^k-rT@1$z;1B
z5wg{m*(0<eUx}Sk`YN7R9tZJ3>MOG#N^14Pxoj=rrzK`Z^YVo)tLCm)(7Lq9G-@rH
zVqezMI=?#$4ngy`l5x*;wxSVenK*fo7Ze9YUQP!EoHw@KjAOVE#;^kGV@xeI6Gt+6
zPzncc5xE6DsXVEEg-U25n5?ClWF_Xxxwo*C`sZcsmOFt1+k$=_o7McSO1hiUCzS|q
zoRdmyvC%bbHLDV5s-${5ig|Q6bXfi}Lk+A^14FHXwk{C;!y4=!tgpM-P&n8~N&Jlz
zi7S!#f75*hN9xVmBbD$07HSj3hi)hwT!3%-=sNnQuLnLri48CY_o<~-uGzB1J=-e7
zrX9R%>9%bx?R~O;Tgw}`wY-DLCev(UMw5=%V5!zh4OiI3*aWwcFIX%5W**{$qr9h!
zTY5Bld$f;Rnbsb=7cQwsxV$1l1uK2NcBN1C6b{bAgynRdm+Z`GP7j&;ItqgH5y6VJ
z&ng_O$HKSJ!sb!>1clD0V;h^bPdCTVC>VAcwiu%z<6dKwjZ=)1jG|EhN%u2`(}q)q
zlZF$9<A!6#oyIN3<Hlnq!FbjbHF?c7mJ^oamSdKqAcKF{a>&wW*=gBg*#wgKU6yvs
zTFYunlcf>l@uL>6rN$!L+HI?Cjkc(*#x}(=#WKkvS_Jc1^BMDL^C|O5^9l2D^D*;L
z^AYo5^C6Jh-)Y`r-em4EcbVHkc7L_#6>C81e~LIs6valdN9+>Y#kHUfuthv79uW_V
zr^Qp^S?d(*Bx{Ye(OPd^ZS4VFf-UALV5hLj+-R<s4oRD&9;wSb$qatHOlLs@;I!$K
z>7?m|>9{DkjybnDH#vKpUCwsUU|8*JayB~aol&RPwc6G0>H(dICaF=Xm!gtassYW2
zDbgfKG^{nO25I|7!%@Q#!(qcAL!WVzvB%hDY&Who9yJ~@9tI79KI0kVY2zu-C^%uN
zG0CPWpkpAKj)CsM5z}GQAyc1er)i666Zlo^GPRr5npT^d#CkC*Hi?_WLt-CjKAaR!
zh{qjWj<t>^N4>-AkR6j8CmqK@v*NT<bWQ=S0<TMUO>zm&GtN_>k8#X-1pGMcbe#pw
zjgzk9(rM`==x!Wx?Uas~qh{H*7PK$wZE)#hn<O3+&sasPV3k4R!fS1^wp-U)H(7Vu
zx<FH7lkJG@u<f|*nC+D9r0uMIihUAjGt}4{?e+Gx_SN<-`(e;_=(F#%Z?SK(AGM#b
zAGe>ipRu2|pK=^>^f`7qwm3FPXAPSSJ%%nryK%L#$=GPD2VIML%UR1A%W2Cg%SqQ6
z*D2Qt>6moNb<}m()#utG9X8ikk6Dj`Ps+pAL)Jc9kL{4H&$iQc)ONyl#&+5++6B98
zsFzNF#!9=iR_c>>N?W9(hMi+w!*peieKi(O2E!IXB)=^NoxvsSJ;34zS=`Cu)g+dL
zoo`|B4J>{$i(MoZh5dhK@yjH336EQ8y!W>({yvMp#Nua2EDBGoVeujs2UvUsi!C(n
z!+J!a?<EGmz~Un;#`lNkn;5*F#Vc8S6N_iE_zfh6e!Y*yyIFiMi`z&H{pewFoW)C6
z9A>dhV(7<XEbeCMzhLn<S^Q}hzn8^3NDSpZ!Qy|R>HBcJUBbS344%c}OKAM~Ur7w*
z{)@%`!JgxIKsg)_h}nGZWAnKW=Tj68NUYrdk{J5`Ef#;4*3)+}jrYIC;-9nl>nuLX
zV)nlKvEMFX{|1(h^9k@`1_xO@oy8)J_x+B=IG-+I*AFPX>o|*_WpO`?A7XKa#ka9|
zK8xKfzKq5@n`u076^WtW*Rb?<mhNEi`&qn~#rM;A8;*-h*!DRFvwYk3F!(+euVZl&
zi|bg7`vc13c)NtHXKDJ@pRo8VEdCga-^t>4usF}+J6PPvVn2(gvDi%G$Ih_$dn|sQ
z#G)`TgT;0l_y3W_KVtE}v-mj{A7t?(EWV4yx3jo`#U2(<VX>aZ2Y$uk@30uh55^zI
z4`LiYh;jTN#`%DF1<OC1#FDUUE{m^cF|L1DuYaZR&R>ui)(u-n+uusz?F(33%VK;#
zm#`h*59R~k&n5KL)8~CyKRoYZ@U5&ITaVlSjlmybF<Xz@*?R0tv-IE7xR2%QWBK|v
z)ASu77GKF?D~ToHu`f`#kM*OEwcE$q-LaPC$NdEPPcj(yn<Q*CvU*-&=})nED^1@z
zmBB|DypY9Smi|)~zsS;C8T=;(<2rzLvNV0?wJe^*p5uCP2|I6O@N>2vp{Mwb`CG>H
zy$0S#Vp#X@W$-Qr?_}`348DiKZ46c!+{EDJ43054N@5s?f4A){e>VYsm8GAu9Tlcj
z>Mwo14bLG-*ygmI(3an}j6ILqPIKw_evn_a3&JFAy)6GOyIe8-Gwk{M>`|`1U$XRX
z*qgNJ+b^Z*+XZ_&myYMEBy4xvd${!5>_<5G`>gzzSo{o&pJ4F=Ebg=)<I4Tkeo_nX
zxPs=}VQ~mtI-Y})umjIQi18eRIN+EvwEr&QiLH*Ba(RF^IQ}1d=K&u@nf~#~?#%3L
zncZL`V7Y~}0B4r%1r-5NK><S%QBl|=3yFp#CZTy2hz%4-A&^jvh@OY_j~&!g>|jOD
zf*sLQtcM-+^!~q@d3X1HARr9kK6)4O`S8ql-m>rePJ7GqJ`dLp;PI|OB>WWD7{Xx}
z*A9q(n2W1FSaGe$#z#3ev2s7h<b6yoWAbX(nl{V%f{VKkknbwj#%#Xe<*qG+KU8yf
zet#kUkE)lCzc^QIY3q0AyR~w;g+~4R56PbYM%IsL)cYei&%W=C*Rc4LnH<ODU?zi1
z>etULEa{?h?E|)|t4O)NP}dTEUEM%<jk=leE$UXnP4HvD^;;KT;?5&n>h3{!q&rUd
zIQJmJN4dwh*-n3SSMu@ZC)_g#pXP3}eV1%>ui)b?dB(kp@I7vF-5V97{gza@$@O1y
zwwql4B`10Wl232Xc%GXE82L0E&7}TZqhBu=JYRqQ-NJm<ubKZaJHLWS)~}g=G2@hH
zR$J}TkYj|`f5zl%o)x>gFYDKMX#KzUY}~cNsgduJRu8TJEW86V*B#H@R@HKj&{??F
zV)5pD?6G6K_=0PQ>ljxr=LmU>>p<ss&Uc)T%YSq(cHZv(tLHV#Huply9N}8}XE{{+
z<KM2^Gat4G$F(QcUVDK)g?Ra&_1TeOzpE+49)Sd=(lYaLhKJT*;8(Rs&KNq_(2#^a
zNntf?H|q2GoXgZbR~*TzXXx!Xq|+%CCFR~B$w{y>TI1~jea(`dM|)2ytEei4E!+_m
zH6`92Rg=q7JrlLpj@GBAQbt0}*|KiTcVtPbtgHyr{+g{}EJqZTRhPn<Lb7TioQJXL
zddw^J-h;~xhYgj+)VATUVOSgb38`sCWs~uvu!{+e&`D4U_4b&Os)1%`Pt7W+7q08I
z=F_Kf;Sw_2d|EMKLb=LYo~qGw4NtATw%qtJn{jJpX6<-atvkt!pV*s}g2qs>dyeI;
zJ*a9&)Q%STy|e%p%TxL*z*sCFa#&$35sjsS!TeBhER`SjCkpcusp3d}Q8D%=On`H;
zP%<!ka_zO_^yh2-*~Xj0^a}Q#ym1Wo&AU;)J=ivo)U@8URZqAL)&&f(LkC%Z;pvKu
zH6_U!yk0bG+11|a%zIH=jP@qInPpt>X%i+u(b=1<tc1UM!)|hK@8|*jVKyAw19q`u
z&ii!MUfe^Hqo$tF+pt^QI}Z0i;ZQgdf&xP%6!ypcZ7p@~a=r4`*Fg<S!|9y}yZiCT
zF22X$>lq9Erk2{Zm2qMd|8%_PHJ{oOD$2?#U|oG8Gjgw4#%FFRjR@r_?Rq7vrnArK
z;DO$NKmBp?_BXDk{;8<$<2{yrwAks2a(rBhN{;JZTCRU_y7xWygk)LSsH!9`VP=*2
zxb8TtNy5i__r9YCoEY;B95UqC-kFGfkL^uz?YpxdVV|{~{Rj)jkDNa2)M2NcF>F`A
zvAwN-xbrOI_hV@7sV}u@8!*_$5AB@s?bbC4u*;&?SpFW*F1(*yl`O~C)@UWf^G^$$
zr2R8uz{OD^+r`0YL1fxP%l9Hyg&w`q4c2Riw85+f#YlX!i&EKAZT~o7`7&F$Hh(CS
zJ={2H+9G|j4Wg^$2eeKDSMXlDw?=Ph;P0q|Kd|=NbM@Dy(PbTyS)bp-rx?qO6ZCux
z_aH<5APCTIny8;Lw3~()eng;`RIHyh^pb`g5}i;On~;hmlF&;k)I$s<q9L4KQc^!}
z=p_x=UM~szzsBp~#{RD%`u;DJ=N$bcE04C~KbAkCT#gn0v-NlWEMvug$nT-Mp4I%v
zy8(**nf|)|Vi;GPtV#O#M*|D;{F9+2F}j;ZRQi0RpN^iHT(#)zC-tnew`}Ig7|T5x
z+FCpxoqrrqlFZYPRVFaLGGp<t*Y;&=<F|VKx>EZdeSfnn?t4B+@mwu9j7|}5tqShe
z8rBu=)ynh}hI_SPa@%7hC^(;`M>7<hhqN((V461gg)_Nd7}E9P+H1!c<AL*y{z_&%
z@E`jAqvk`}t4oM>n8dZiuuh}U6*)ashHY>qrQRO>ipKRX7&Q+5V|uE}O~QdWvjyz$
zf7f#ZEcU(SdeC))Yqo2Y>jYQ6QlSjDooef2%f-6%8PZAO*EzE@e>FLyau(*?4XXfe
z2y5}j{lm)le^`AyCny}l6<|*e|5V$Wqc_%I{lcGi=*Y=>&tSsjGH7NMlqIKYAIfkn
zSQtyj3jN|DOVh7rANkc7+ef&vxVF`)-+*(Cd%VDOhq)kGU5z1bv3KC)Nf@c7cQKDD
zslqM*Z5%vgWdD&P^{(=SAiQvdg3<iogfR48i=*hu7f(p$7sWLnG5*wqh(EFu&Cm3Y
z6dOO1EUJOKikj)(!s&2|i0zt~N<h!7%Gg0&WBhhzXwCW`-ndpA?%V5~T8gO$t#hZl
zy3xDWncjCb-$n6xM<Esq)8DShX+miV&UILq%M0%;T27Oa=x&!*z!@WAPpnE#@_GAv
zH4RfJO=dJny+xS!DAU>poyd~O<;7L0;%cp9U~~_CyXc*tSE)HvDJt?Y-y@|Jy)~bb
zX%8_YQq^!)g6Wb}O>gXsO_r8b_der<6MZE$lQM%4bmie_J)@dBs-$94vf5jathw;~
zl&L=R9&Eu)dv)5r19(E8j1Jq#=}_^V6bg>bT$F5=Yh+Ebss`$xm@Mk!EuUOgreBLp
z2bt?^wKXik4FSDfZ0#)@XAG|N)EO;H3_JX3MapDNO|s~GU$x(lTXMIwDBIp6Sy0>R
zFkbYX^yj@G(?K(TA=TPeJNGpyK;NhpDn^}ia*WPWfpXa&Yg=vl&t4fbe)jj!H!`|F
z*c2Jxou1JNWBZKF+%sb{H%<1g*}gx*-#gfxpZYa*zukPX?M)x#$l6w!`*IfSst3_3
z@t3%3ZBA{gs9)mCs*OvW=|WWgmR^?HD|g?$D7)6STJ>f*%4ma5<YgABZMEp3XBwgM
z?p;zruwJ$O2eX4aTA-r^{-Z5``G<@3r`MQ&7^clX#KRa$UBtZzhiSX3{;Z!cCX9z2
z=AYn?CPT?cel+P%V0Tpr8>=v9nV*UlO$bFI(LgW}!z{*ydLm;MW7r|#Xd;#jqYH{z
zjA?p^F^e&bo5h%_pEqVPhP5$^F+~qIW-*58vlv%ES$nenlD>MV{t6mqx|`kh5LEA0
z?@om?oxjvHbka*TlNHIbw)@(dZu8Dpw{~2S+C`6*b)_bi)>Nf@6;%^^YwLgIr59)p
z^7KpEyRE(&I%DxL?VoYKn(e&qY^a%?4Nmm-2YLtE(YOrE<LCwBr#3Suw3F~&nl&b4
zoCq2wZ#2;U<$HqxJ;@GT*NUp0bT`{=EppdJJz}-j*68<f(zszW{ncN;jCeGw^`u5O
zbeJ}0SH+)DRA(;s|NkJ!)8#XvCH{hE5%j3598Wm@0^9tb+1J39em7gLJTK>m%-^>;
z*W`@Oc{t}Sw*UWg>1pZd|LA+j<d5ZyHa$mxR$6cJSAUbqW}Q>p+D(5AHW+Wu5vE^*
zBe55=N*nl(oLs5x2GoY%Q%YgQ$J=A%$bz2UBz9)%qiW1Lu!Wk*RfaQ5&Eaz@RT%OI
zf}#Axgu>$da4HqgPbQQ8{9q~)juaNAilfCvd+@5%2K@L%eWG6*z9+pXgf^zv0@8bM
zeBRS5;nFsV6NMEOHD35m?q4t%QvhXUN9*yiic{^Kh-Dpa$qyT6tEN|C=|f*Ms4PQh
zO=?<=H{G|#(jVqL5R6o8!{)AL4R-zT2JnJpuiC6Vv8mYfSy@(5TI16ua!{e-ilS;C
zrW;b_y)_G8)iu2fvios+4=%^FLRncp8lcVhIsfuD-hix3c+m&4`(#U}mX?*BpGs9u
z)z-tde~HK2b$UYEsfq2xRnvEToqKn-gO+nbt-r>P8g%NAp=|V--gtKc7U`-gV2Z0|
zEIS-Kq&hh^bL$phW&x(Ps<YD?MuY4@UZ;&j&J#)}?krRNW1;QY9S5xy{8YAv`ChiV
z#m%@>r)OLyRhMdWRK)(yP7+M5m>La_9a>$g?F7yw*x_@g6(QZs8Ix4omu@Ftywl6e
zO3zP~O;3NYvVLV9+iz4oq_$Pnzcj}CrC`V2S*uGAH+p9UdhhI#+E%arR+>3U|JIGz
z&2OFlxU|cIf{B|ya39DK+Dy)2{0Zd>du{8XMi0_(yfNbUFq6Zra!~_UJFIe@R;Vd5
z^y#5LM(O9MjRz_7B<YV*=C;o+M5P}pZ3$}+Gs`?oyU4cZPV8*aS*Xl|1S5c%CrK-j
z{uGX@OxBe2*&&7TB=L{ZudkA2-X(kf8O+XC?fEX%qiS0Z(QnWG#skyFd{z3P#hrXG
ze<ydHd3bGWSN%?|HI^JkWG1YBTc6Q`Yg@bMCGTlevJ?F#4XSO;Gu|3GM!0PLVhDm*
z_?zspbrh<j1v*;bzn}&7t8Lw1f0-GRXa(9Nnja>LTKD5#&IOo6Ywe_;FecFo4%?lj
z+JkCabM-{VBwE2CnN{lpYFpiUh%t#)ke)<Sr5}V&mXU(<3TMhW)ERR8;`qYxI`+gr
zD4ip}Ek0`bPQF=gv5a(`p8k_BlZ)h2<vz04`H<{^mp#Q6vW5N&E=)%i+NT9(9$MQP
zHM$i>-+xr57e96CR3GLX%Zn#zwvBXS*i%Z&Csgz<IX@qR*lISF(7QY}wYqoFbZkz*
z2xC$zKUrR!UtEgy^<-JTu1Zi--Fs4MVzLPH4XJ7QP)V$=n51n>$gi%f&^80)8$($v
z@+04xR28~d)v0`@`d@w7$+fM9Df25Y)q4!1en(w+U26;$q0{?9`WS|vQrV6-Q;JAc
zk7eo?Wz)A`dBq$}@nrP!u}G^;V^nF@na6qyVAv^Dl<ik%rciruz2zQIJ2N8c+8Ksj
zRpZ2N+esaf((I)|Q$zp3z1rC_vvX~$Ve`1wc<GI5qYFF|rq}gdD~76e8Fr5((I{Hg
zp%8+Z6IK#!?navxGD<h0qH2<(KkijnN~=M%iYiT^1iIcO$tl`o5?=>4lJ;U1+k1X_
z#nfu=)RO6E)wcSLj_DD`ZASXn+PGe~VrI-!ZI>TPoGRD0v=nO^HOB3X$sKL33JNV+
zWxCY1_SRqNEb~tM_8oMY4HpMSmw6P-%J9XN9}uo@pQn8v<$~{_;iABpxgMpB!wsJV
z?1UnJA#~sMk0S|ht9n#dXRGzoT_@=X?P!6H7Wn<Q06N({^>?Gu$sVC~vI7CU5PIlm
zjd#cht&@F}e!}Qvk2q|1RwK~KK2lF)d~Ze^5)X%?!NQ`#Fgn?X>mf!bdqldEjk(Z2
z>gU;7%l31j2iCTB*TW4vpd&JNKye}N{~cb8tDr>{(?5Lkjx#=drdOBfXG>pPPeKhh
z<xfTO1I3Y8ei-_y`H7-P91BRPNMVsb1kKgp9<CVe?WcGbYwf?0E^lUep6?`(#hgfQ
zEP&U**s8HIk&orDv@4hhELSGlb)hG_`oZ^Py+^UWY+A1u9Wz6LxNLfMX(ruw^&Z9d
zURe*$i1zD_Ve+*dPT6j3Hg{tUDIK<lK0S7_Y_b>KPh%ZwZ#tprwVJlIVI9`3!u{4Y
zg6C_`ho0A9P3-~CZJt(GQ>*pVcqYK+-6<Z?{XMM6z3G0={V;6EEq6D$uXImypXVOy
z9_9|Z4|g8~dvlMe_oz3iE$Y?kMQS;$=Z#PYs!_Fv+EsPAe!;GSTU<+B^Bi|MZgeb!
zRk;ftWsY-Ufo^~!>^Rbq=WsyR;67M-TWp_WzXUe>3hkrpC&3zBFZ&^OxAL{}q4Jtt
zfEB!2rAC<mi+`sm$0|P90^Cm#ZQsL&+;g^vVS(^X+j+LJwqdY07_=R3JIJPBZsK$K
zUDy?TOuh;B1h1Cwkq63Axrf|Uc1gd$`rjt$73nEh;k!jz3hR4SQZf7;9tPWd7V%s0
zBUtNuMtn%T1NQqG#mmJh;#uMlu`lfU`K_N?-?qMBUE`YJs&W;(M!N>N`nZmE9R{0x
z7U#FlkDMEvjn2!RQ=BEvvz$YmePJ=LyYm32?AYq~)bY0C1;-lL>ucvf>s{6xtqZNQ
ztQT6#tmnca;Q(vcdZaba>ahIF@}*^?<z>qgmisI#EQ>93ESFd+Erpg*mXj=TOE1eI
z7S5k%&RxI5@6G>kk+a@B&lBqZNT@p@&d)t!dZnX<xS3|l=2;@tA55qVp*%vJ33VlO
zAfW>Y?N5mFbB|x|M8Y^f_XzWlFgGEUkc$xK=N`E@NSIw7vA1nDL8!N8^8{H4<q#5i
zs{1#gUkGvj>L&<woS%EpPbB7#gtigdO6Uhd-xK<d(6@xXu}$0CRw@?izR2bY`kc^b
zguW#738Bq|IDhrX^CJ@W4?-Uj`hd_TLhlpe{M_RgI6wCw&d)vQ9i??|Td7c}dp-N>
zpw|e!N@xS2zY}_y5a-z*d2*iZK`)Y+FA#d3&~t>ICG-p-&d)u5f%9_@dfNWP-nP<s
zq3+S_?}643dW6tpg#Je8AwmxldVtVsLaPYfPv|~E_Y%5?(A|VM&*-Spoz7)@+e+sO
zb+=`I0mOMm2i-!#ZYK0sLN^iOe4!&3&KEl91`=~Qq3a28p3#x+IugctMlTcUPs)aY
zP9!vt&;UaH3H2j%JfXgXI6wFJJ<iWP=ok{S51|C1IH4G!sB6{UUR!+a1KB)5enPzo
z`3N0N=ud=t5$Z{(2ce?~9ZBd2LWgGwSDN#4590jXgO;f8?rpn_73vmde-E^PP!pl~
zgc=Cd6XJZ?BhPsxjPqrWusI~`8bVhSnoWrFY>!+x&-S1zNz5zU{r0w%&JyZoWb*`F
zO6U^LegZdoAYm61`ZJ*m2~8(7jnGs=QwU8aR70qmP!*vI2vriQK(BZ&d&Xmgy7RJm
zf=UUM5SmCRMW~oi5urjtNkZcZjU#j}p>rIfU%1=)hyaW1eWaszG5ReLyNd^iGJFE)
zqu(~?3w*GOzuzwB3l#N7^>g*zozED!Ho0DLJq5e=`i#L&M%Z`2=KQWl*lo`-d}-fk
zf7$+oKG#6z7%;o=wKmJ3tW_RRZc|$IxduAN@FtsOSZ-^wT?r2d+FZkdHd+1w-V5H4
zpOGJwZ<DW;=gF7CUqMnHA)g?J<s+mwrDvswq}!!dsZN?<ePkc~t+ZZmZM0ryt+A%8
zqpc@f<JO+mu2v^T{$E($wY+FqW4Y6^+%n&Cxn;6tg5?a$AWH({{(~(p>*aI|2x|@<
z|9(#`;1)Yu3@v1#R%po2KHHT-J@;k-O(0?1dj?_Ldj`b4XF%M029%UW@9o>MT&N$L
zEeq&uLT3>=lh7DKXAl}q=yXD(2#q8(g3xe61%yr`G>p(tLPMlagkHOM8_^4RG{rwr
z>_xFB#U2!oqIjh3aN*e9E7Fd!xU6Of4c#buDgJ@tVH6LccreAT6uVH&qu80^K@<<9
zcmT!yDegzH6UAKRl)b&@FA*A?**gT}AY><`5RwT=ghWDCLKZ?fgan@I|4rx@LO&Dw
z7ondB{b;Y;+g7?rsQ)gTC+J&3-w^tm&=x}fB=jYrF9>~3=rcl}68ePDW<nnm`iRg!
z2z}^SxVNozp-}%`Hc!yIgx(?aHleo&y-DZ|LK_IZPUtm4uM&EN(BBEYOz0&->j}N+
zd}wc5X_`>~Og2x@Iznp+Jx%CILQfESoX}&09woGf&?AH%CiFK#4-tBh&;x{4!?yii
zj#Q=y_4j1+1l>*OE<$$_T1n^*Lbns*W|r^^x00}12;EF*1);wZx{1(V2;E5N213i-
z2kmW})d=<1X7dCsCA5UlVnT}uwGe71#LZ0L7Z#APCPMQGH4<tdR8NSTr@$|8^Aw=D
zo@4j6m8yjLS=rwMT}9|hLRS#Fj8HA1nS{8R3H-vPB<vDG7ZbXO(4PriNQj%6z%Ot!
z6QHT+DDCC*haPoR_V+*+5UM0pL1+@8GD7DQI*(8(p%NHe%qbQ(3ZAW=E!h9R(X&DK
zsRn-oo|T>z@R(<KR-2*u&C@-twdn=VBfxXO7HA1<gtxi%?zQeU@Z`1<zTB3<n_Inm
zmU{*?1}fo2Z#;bI6}Sgs^*auabv@v-E)QPo6!@*%3eR<$;k#}F<_6Znf88p0uv-Bi
zb}efC&iwL0zrd^Jsk!igC%Cpk%V4u>BfR3RhhMxkm_b<ST9NfZ=b8rZc_r|lHwGT`
z2Em739A5N#z>i*@y~SQ{pCu{cR&g^{@D-Pk_F#u~{Ppl>w+4RgRuVsV)8O~6ME8GJ
zpnJlL>pt<kx_3Nyro%e_7RP4YW8Qk*cit-9i=N@ZPV=cZ4ZihC;Dc`rbRY)74__Rf
z_<Fz>U!Eh^p*RHlR{IwFX3SM=u&=kT<^15y&^;QKz(3y@_~{!2ABS;x?CSx~eR=SD
zs9+XjtFlG+gSbKS7YNUOt8~wZ%XA-tv*1l|TE=T)0emR-gO5Q!=T%Y2`sCX)&yIWU
zKhN;U2w#NoA}M>}qcJz*lTm=T#En_cjJx)esCg39d{L(TD(*OV={WPh+ya^(lw4t{
z?w`dYEd2}PMooh280-F8z!z%VNtm~vA?N;!$&Z-S{d;v1=B{RZ1Cw)^oXTX9N!{NV
z;)faQe#^kR-?C1^oUe`ZbKYiB_y2_Ry8kCg-TxD$?*9q0oW&c%r0%Z<=XHNIkh;Gb
zNZnseC*d01Uk#-0uLe^0SA+JLsHKM-&SW1Z4`)&}<dPqle4oi@nY@?D>zJI)WHpnz
z|Fc|SiS8#2QumVvsrylb)cvjH3X8uq;xE?yv4J0Dd@GX+n7ow9^OzjPWM3wGFxknF
zi+*DAA56Z;q<-CUg+=;xgVe7Zq<-BX_3H+CDvKXsQon9EuV1%Zp+)yo2l=iM-m;d-
zyO><cWG$1Em^_2Y{!HrE4fz~saPu!rZf5djCRw?gmouKjBrA8b?%ys~XlCVZX60^X
z<!)x>UdYP5@Es%l!l#+k{q5xn3zsmyg2@Ud&t&ohCi9up?>D5=@3&lGfquV1>h~Mu
z-;8(*bboSS-G3b9bauXo$)QZfnC!-+!;nq-bCN4G>CXw|Q|$aoCRw?gSh<^6xtmzI
zn^?J<Sh<@zvvfIzoc|e<uQK@vlQ%Qj#N;JR>i+I>h55RlJ4p8Y%xBNfe2)>Y@kb`v
zeb}hKKXQde-H#w7yPl2u^~C$9Sc?xij7ioWjZ;`Y>^e7|!Z^g_VN9~?+`z7L1G_&P
z)*0aqcQeWE&xR`*S2B4PlLMLbF`37t#gO%%Gx<7`k1}}+lM9$+&ux7vWA@zE_hrnU
z+j{og*0JZdj<r`Edv5F4{a?qP+q$_%`nsu1CYfaSe_fQZmq~UX&HL8id8}RLvFCOk
zdv52kcA3Z8W!?oW{#YhYV$#oK7bdNSocjfn>^_>ihB0fGx$HigdkH&V!sKu!k74pi
zCUXrrXB(3rF!>yl_c6JQ$*Y;1%;Y#G2Q$g;mpO+rwi)u8ub6y`$tN|5`%r%lA@%n2
z2ut+#gVfs(Qg1&<z5O8d_Jh>h4^qFcAob@EQhyF1_2&>$e-0t_=g=c8)}KR2z5O5`
zHp;Ph1(S_TUc{vS9YZ|5{UG)BgFJ$TyA8Q$E0dd;)Z5P^EYjN#Qg1&<z5O6-SiEzY
z9K>Xh$wQcw4cW4VNxl6%LJMoZmj7et7cr?n4+uYx@hB$yGTD>K{S4Xs6O;P$;1Qbj
z=K+$HyZJg6KATBa?&fnCvvN1HayPSbH?wjtWaVD?rV)SP6HMO0WDAqEOqMY@n#q1l
z_F{5>LoWE4$&Z<QiOC0;ypc)$Iraz(rZ67Q<S9&snLLb1{eJZbP5(5w=?x|yXYzI?
zS-G27xtmzIn^?J<Sh<^6xtk6!(#`*c$<0i@%;ZB%-o#`BlYeHih{>T$>hEojFrPg?
z^IgXI#vhnu_hI9+jPGTVUC%~#JsYdpd3HS;PiE|A@?a*}^=x3*vw_`*4Nn>24J(;s
z_hG|jj3+s)y@aUMDR>_9+~7%hj&gtEzSTX+-CO-iy<45E#$4Or58z_g@va=_<FFBM
zveWK()-l&{nxm8b@Ad`uGwfZIx0Gv@aY{Ga2e!Z1Cfa(+pUJn&6>>oOM!Hv;Dka39
z#J`D`iv2~a^-1eh*1=epe*QoDcZa18`tHLmLCgL*-{!oUb6-w#&a|8}bNb{Q{3|1)
z4rTaXX`tU&Fz)5P=8JTgwSP{~AN1$@1Nr`_*B|WTPxJ}LeBp4yACH$=O9Z&!+3CNw
zQ%8N_L?9LjoM*ksMCyny5{$&du@dWtCQ^rek$5Z=2~7~Yn@An<MH1mqFjy>(H<3E%
zi$+3;XtYplHIX{ti^c=kusL3Q+eB)=FBXVJLy>c(u6v$3l<>tv@nASIRvKd>b=((=
z#r+}wS<*risbjvlKNt*##z?Q2NFDXXBY~(tHd@}#MCyny9*&0s;ZbsdiPT|VA{>ZE
z5+me!CQ^rdi9`UuULZebB6ZN0h(>V9hS?k@QU~zc@pvLJ#5TxOYJU*VN&FPsl_paA
zeg1gJ9}Ew&J+bGhg9)EM6bJ?)Cn**aspGytFzgTb2P*wcq>lOgi3rTL4p1&Jkvi%N
zgo3enxS#TniPRBaAesmyLVcAVO{5O{g8pbImN?cPH<3Ez3&z5cK%|d-iiy-gpY}Qr
z`Q!F`Or#F@LV<)o=8xLHHj&!z3*mx=!eNJh&r=5yzECuQzo4VsMCv%cg3(AK>UZ2`
zA~n9i!6^J%`W&B{NR2OWEE0_ek9PJjks4oMe=w2o_i|1!ks4p%a3B_n^>E&3B6Y|Y
z4aEHM=#kD%CQ{=IjBkNIak$HCA~n9i(O@DN@9sL+L~4A2{fS^C;&m<E^VI%?FBS>=
zBf-O5Z<<JrFK|2%3d9ak^Gu}HzQBP{DAH9OZ6Y<kz#*6)NaU$aCQ{=I91R4*{)5z)
zO{B&bIOvZ@LI=2WO{CVoz==R8v7dXGsnmXdAQB1Xy62ck9mH1<4`|Tse#S)VfX^R|
z#{vnLM=_Dw?+b(@kzm5%IcZN*$NNMQ+IK7%iYcDUO{B&bI2sEl;<D#`6RBgqU^pBP
zB*Zob9w?f2D@M^WRt#8nHEdBGd4ibJRdC<yI>|Z~2Oa-d3tWD@>=yEK?8?lG58i)&
z`;{l8jmqX5p51D!`T6;dd~cs>SOXge-x*b<scMa<l%}SRE3K}EHw_J8jh>?vOw)5%
zR8cvd!%W<9<rT0>mdOp~>!!d=89NJS$Vs@AgKc-synBAWw_DZZ!s)$BlGP=B`fG0Z
zQp^T%pFV?d?hLrp8w}sK6DFi!W30yT-0Oh#_em%utbtdLLpI}J;H>C;7#QngDmSl}
zt2Mm*1~h{jnc5)Jqx{+#uJ$`bGAfroT@0VasIbwD#!0@!thD1wi%l1pD;-J(dmvG*
zgrpj0pR;|L^)s22=_2cAw<|Hu%}rR{LN~izY3j7Ub_XSJSyENHEf03<XgR@JpJs4d
zyViR1a9mVYQJvx=7@nNdXU0v^-R|kP$)sdCtjdp@l$r#iiToM(s?{%Y`c|x-T*!Wb
zk5xIj5Ka>LyLkJ%n*BgYMaB7<+j5fTT^qLS(|Pl(*JXzj6;sPm#%wCqXl<O@J|_G9
z!ir>7vHpYlm4eHLRC#f-DpMr5M3}6((#e#GoX`tJ&aeWIb9&A&A!AgG{cwi$(1~z@
ztzR<keo41N_R;5VcP((chn;1tM~6jzcyQ1jMlB)>!KJE6R-dn*s!pX}8@T%V%Rq~$
zoz)u3_(?uwyL(iNoGnfE?V_K{<d8kDSBt)N*w5)NCjOVmeXspawn@h6E+g3em@N^1
zmQPKhmrl~0iE!^m)+j}I4^D({QSR-iSqtTwEsbz1s@)0W(yW)Os3cjAJ2qw9Aca-1
z)R;o!S5{PO9!sZd*=XtTl4kxWaf1D_eu+~2%RCdnC)a<b23AYQ;m6bEEUTC}PCJ*m
z4%<h_T!`%h*l)0B7NyeNtn$^LT6%sd4B4~iQ2%-Tl$NF5E^siVH6@Lw{~$eOSfJc4
z9=kv^<_;&v=>{rGGEW|g3!hTk|0b)8mY2i$di{<*VEQLbZ#Dj-#C_$`UjyUg$KTl6
z_YcY2`2&`H&X7O-Fr`nB;?gMT((dHjB?uN@M^~_;1$M6mE-!-(sXr+8oZ1S#ubk*#
zUQs@M5_~ROSWid4S^3Yreqz_3Z#~MczPo$+X4f;^{spU_)L(DL3-fo-yVm>CneQok
zyX;Nx8X5kcUQV@xa#W$4Vz*y@x^}w>@Ez<mdcOSKmhFdSn@aosW+>a;*}k)@-xIWt
zx5KU4=6#gDBirnI?AXbqU)AmJ#B^VZe{8hE^Q@=IJR@!PXY?pszlYr54y#WHL(@mR
zOgvGvS=U*wu@1F*Jnws!dkQ_>-J4+Vuh89H-J~v83)Sw}oxj{w=<4p=<XrA7bar=a
zax8ZgI=b68*_Xp=Uw37bvRo-ty4yC{mfH$#-Q`X4a=B3M4oiE>r9!E@xM`pLEf=@@
zvpj}9@3pXVH^9=}V#(Q*^H|REoZ6hioB=uAb1dOtT=QA*2Wx-$7GAb{Z@G?GzyB7%
z?Y^t&ur?;s5`7|AaSCEhIdqY=%tY$2FAxs}BjF3Jx0pzc6(_991|!p~n@yy~iW3wN
z{J|;WktR|He8B`}W+OFXv5C}Jal#CxKU^g)-}BVrgfHw5heEMR$s+XIoBIxrxP_{9
z1pIwMabF|~tIZMNHEDq0-Btc=r;lmrL*an%id1VRebg8A`>|v$yevItCVj+*Ma*C%
zD6E$)X3~d!(O4o9hzT#qrs|KysYC>82Euc)srm<fv8X>Dhzifhrs^NSGEX?-j|*#U
zrt0s<{CEV*CBjoSGxf*fJD%wP+V2UQnfeFgKIrE7BYxpAo0<9tu}~F{M8Z*F4Oaj6
z{QeC_p|BB-$AZGcimCcXeSU2zIxIY-n5uuo=f_Je78V{*Ow~UO<p(JF#D!IMQ}qvF
z(J81sKlj;9)jx<&f?oc6?564;@C71RkPi!Y*-h2okIzCVo(Ksm9cJo}1^r+s5yJJm
z!(pcWfw(UijbY7CxXodv{(+b;1Pzi{RJg@qrv8B_)EV#>6IM7))j#43CE^ME{!LC(
z^$$ZSA?U~Z<3^{c`iFdB=nX~v!g8mn`Ujy>0o{U#u*_wu{sCV^d;P_QR+p*z`+d<M
zoQuVTr7kn|$0C0;fG=oRSnM)We`te5p_vg42ra6a`uk(}erb#K!a~(d{ryoN^nmaN
z5}H&~^^a(33it#IjjE~ohoPttkNN#Vz1vj%L->BgqtU1^&uyyyP`ZOdjYL40<2F@)
zsNDs_0e?ie+HI=-eqSPl{zpKV<=Nx<L#-D}_lX#m?i0e5o;|L=k=_q|$3Q^1+_T5^
z*V4!F{fb8uF`?G8$Mx6JLjeyRkXTHZfxhdWk7%HQ7l2+=@RAPw|6TO`JM{l|(Kx@s
zpnaqNk8z6MA2F-{k1-|&ie~lyH7)v3!mR#39`J}iVpjh@7K{c%ruF}0TJo@2{eQgM
zP;s;R|Ipx11cPSv{}ZuTEF3he|DW)OBC&*7{eOJaBL1jZ{r^N9^EIaR|1s5r9-%q?
ze+=i)n+-(F>Hmi@7>LHheslW&7|LlCkC@Z{*9LOf=Mpxn|Bqo@C}3LuKL{ngK*Fs4
ze;}gmTrjKuA4K;*7&NQ@9}Fg9iG*4G|6tUQ!KYdMe{JX(4w%*dhk7q&Zp`ZcV^$Kw
zF0=aoXmRM1o7Mjh<9hj{X7&HEjZNEZVp9Jfn;!5=H>>|23t@9m!mR#(B%<wOGpqj(
zHTZBKY*zn28u!PdF|+#rQG5l%ruF~v845+hX7&GL34BB&X7&GL2|p(9&FcSSmkYLR
znAQKs*E<|fnAQKs&I4@NG^_uQO%LIq->m+BA`-+`)SUi5rc{HmL_A_n{~urANGu+Y
znbZHr8dVGv!U41T|9Cmz#b{RlKNx`)e!#5$e*iC*NX)GMKUPuD!#1n`k12fYsxqtp
zkMCF_9x$u_A3{Gh5!#9VKjv34JsA)Es{TKQaTfV~!G0e8>-g8v0v#>T(E=SU(9r__
zEiG_`tY8xkwsBq7jj5(iuBn)$@3jz_wqTpue>>A2<W#DS%>uu+fh(IJt8b{E+wE-^
zyRj95==7mlrZ#c$Dxm*~En)v#8ufGcx4DJRxDn?MHFksP8^O~0(VAW-xARNCK{);`
z?F7^HNqHUA?R8T1!t)U_w>y85ZIEc=)c^9<ua13QY?DyOKCjX#r8OP<yvW9cj;|8k
z#I^VPy#819|D%yW0$tn={r~@#e*SLO!=(N{7V-VTxLN)GkRMBBA+!4bp=cx=51ZBh
z4?#~X95<`~4;@|1BAV6z4?{sb5i+a)kA>BQKe5mB|D({Kj>OFC|3^`^P{h3cKlBH&
zAZK3xAFEPWxi+u=9}gwM&_6S+{~yQh4wT=t{y+2wLy>@a{eLXfU<-hG{r^M^%c(K*
z`u{Lz7LG^E>;G$yMlfMk{~!8;&>oJ*&FcThd{DlGUXywK{{WVBas5r}{|BNGSTHiL
z{|_U8Fgayj|6f}k2?osT|3m*B2Jr;b`u`#9|AGFhY5o6DG=MD(=Jo$W&`iVr3)A}l
zp?DlG0Q36)VJs0tf8DhHKQ>QbiQ2sWKdgRX3zB*Lf9TH#gK_iv{}JeVg#zaF|Dl|R
zEi~r!|8es|LC?JYKfYhk2{Et#9}9&;iJ*D?|9Ajzz`fA_hwZdjBw=3vKOPT8Lw@u6
z{|Q(UjmFLE|6}(KjOLov|HuBRa0E?YR{tMLcVR!Q{+ZSPhuR%d<Ni0P|BwAsP}7J+
z&FKGQ|EC{@|De5(?}usqe;6!=QB(8!|AA-_UqJKv|G_{AT2ZF;|1qM0rs*XP(ItFp
zx&C0s-#r#(wQ`4Y1AN8JRchfMFW+^h>k8L}u7|`UJTYaeQl=!uV?@6)+WvwvL_Ao$
zP+2clDo@$>vk$f(Z;#l=*{`wB6z>!}*{8bxE&kPhn|-;%<N8kZD%~BTeVhGD>m$~C
ztT$U*t@Ew3T*IsvTdS-S?H^djst4LPSchAmadlTmsW&RBqqpO5M;EJT*=G6D@_}W8
z<$0G2yZP_8+-ASea=p69zCfL4^*Fy*Ur-;n{a`N@>%_~IH<h21E%rm48|_EgM>-#|
z%g&qKxynD>lDOD?tUKVo#P+@tvpoy%1n<kQ%g@V?%d6%8lm8+wksIWz<csBMxkNrk
z9wDDBA1epsBjtnPkxr6+l>RAwD7_)QAU!Uvl5U3;gJx-tG*g-)oiB}-PM1!Rj+eqx
zPw6mee|Ql5S^Qf3SbST2NqkCt(Efxn!08YtII6_4N}iZw{azey{Y-?mru8K2G1iS%
zzx7qy=hh>fK5JLoYs%5KHR@{h|I~}sYPD1y=NRs2bRMquQzL3G)eg^w@3>xeJ?(6D
z&T>|{ZgMSg)w?P@-#Jcnob9;CIng=R`Ksd+_!|7HW2y5r=RoH(t{hkA-^!oU*Y=-7
z%E`&GD5B{24sIxS^3RB56Gio(*~2fgho5H;Kg%9|l0Dp<J^VO(_)+%oAKAkXvxnap
zhl(hv=VcFz(}$vZZsyRz%AnOGQwFR0o)N(&TGh9+hi_&N-^d<r$R56yJ$yBL_)7Nh
z@7cqbvxhHb4>uZzD2|%U9-f^(w5q3P4jpf058sr(6C}Zoi(<FfM0IWYNSSKHk!49P
z%N)8{^>EhxP9_s|O!jbuk%1zrr)7=?r!!R_P9G`LjU+a-^w#X*51B)^tUQ^HtUjAL
zdYVO$CHo=S!-KPjU9*Q>vWI!u!_L{mgR+MQW)Ba@9`2t#+%J3BDSar~bF+t@?4dh*
zsAdmc*+Xac(2+f~XAhO^p)GqTXAh<9p_o0irVp)lOZG4)dnjZMm49asf5{&HoIU(k
z_VB0d;g8wFZP~;0C6uj7`V!*s`)q{o*cFtOZ!<^VWRAYh9DS8J+LAf?XXfb3%+VK_
zqt7!(pJk3d%^ZD_Ioj+vMtF87ubbc7X`@{g(dOyPniz-2rO!&9W720OPoMNz(GyRf
z6+N-^S*s_KK5O-ajmA<$Pmnd6=n14_%AVfon6k&Gg)4ZAdyY1aY@+8+MzHp3ct3l{
zUNzcT_U6+LUr$F6-RyNI%c7gT<FrHeV$%*^%*K5_d-$x=o-U*MNapBoMg;AxlD<1d
z$(?>ea5jA><1l?EBSKC#uQk~m(hmUQ{$f8j`;L4(^K*}7jvmb>`*$|8Co*T1+wIG;
zIjqa1dn$AEWIC>>er10&bNczr(R0}dUpo5enQ2!*9i+ujw3qkE=@?e^-RvQ|0{9{+
z*JRErS7#4rXMW;^^hr^<HhZ`<d$`2mC=u9a+c>MpqVr6Lk%J<ur)JNd<+#c*D;=3d
z5Y-{s2xmJTcWoCgtHaXak~5V(EOxvr9JJ$8nvK9ddAMKXV;$cLP8K&C;aukdZRL<I
zm*ZJyLdfNRAycK{EEC)Y6P*{gk@dvvuS{^>lLk>8pFKP$eP~tBa?al&5372H^PV=&
zjxv(rc6M8wpKTXGJImhZiY%!U(mx@pMVVyk&#n`8NG7V^rsGO#X*#Z`ewsbYzW7=%
zCi^T)e>EcD0hVrZ74ML*Rn0usl614{&g~*-cM9u+XgS=P&Fq%+4~xzb*~4_ZBUyoZ
z>UNoFIoy_xYjqCI9%gPZt21*mTAin;2N)L=kI9Rfqi3?oPELQRQRR0s5!PoT49p&$
zkUborUM1M|+r~Jjwb-Wgt>ZjCbJRC;bX?}>SoICThP3IFqWX3Aa7+5os(z435z8D!
z)4`&e{>q}`_nrG-;b{IQ-qmqB2g#l8OyGvHx=(KFG0DbF_e>Di=AJFYcJ&K83Cm_?
z_o%}3oy6L=r;RdbpO;%<3ZU2S{a8AY<h~0D?%usbznNG@>9wbDj6-};xW&3&@O<Uj
z<oUbj3D3Qrn>@{)S)SuOKF=RKxt<*N*X|G8uehId-{=0TyTv`*eWCk&_gME(^&9m=
z^;PvL^?r4Qx=6iR{j*x8o}&&^k5~O_H+4VN>RRQx*|pepjq4)Et&XMe8hDAL0$%Tj
zI|evH7~vo2knIm*mf%|ZJo}~gN_)~i!hV81Y(K(&klm(yf)V|*@Mk|mxd0XgM=ArA
zh;pRTSy61;Y@gcRvOQ<J!*-pm-u5@!Ok31;6g<$|<sUJ+e;Z@_hcU8WhH-tZTr8h1
zpCngHKS`fU?_d=Fh_q6=UTTyslWL@tG+H_tzT<mJT_vZu1~V7S#rfjp;$(4xc!oGg
zOo+WO%i*&AZ2i*uo^`$JG*>@Yz}4Ngze{v}=lsa|x^t~_weuF|66YM}#m;i)IOhRQ
z$??78W5))^I>!U<zU}>Iy}{aKy}~-hI?*}?eiZvy|71PHs#<=r{L`}0@)Bl9?zY@$
zSzx)+GSyOIIn#2A<rvG+mP0M>oPXzR$=-W8k7bWLj(&eFfCu)lotN4zcD7gtYtAQx
zMxo&&ivOVaA;k|UZld@;#f=o-qxdexcPPG1@hysPQhbBr28yp!d`)%;$L_pwb{)cH
zRWCHWL~%XE7b(6#@p+2RQGAx-GZfcRTubq3ice8|lHwB-AE)>j#Yb%?woB8^6B-`m
zat1y?aW%z<DBe%;K8p8Jyoci56z`&VC&iT%|BvDw6mO?^8^v3dx^`*0IYPrtT+YB7
zDc(SFImN$FTt@Laimeo{rMQ&h5{io{E~3~%v6<pRiVG+<*`H~bmb_YMn8)P|oJ(;I
z#X5>tQ=Cn47R9S5UP<u^ikDNojAAXtnG|PGyp-Z4&Of$G)6EhZrgJ$1r%{|raSFv6
ziq#aWC|*FZl41qLa*C5UTqrc!D9RKiiXufTMGM6oxWH?VZ%UKU@GmZB;7=5Pq_~aZ
z4-~(r_#MS>DSkuoYl>e{+(Pl66u+eS1;x)Pe&%|5H~T8M&C0m6!1F1dN3oP*35?*i
z$2GcAXei=x1{P9GQXEh5T#DyV982+Rif2(glj0bPXHXnX@pOu#D2}8!!ZV~@nhwvP
z!sUFq&@hzZ5Q?W#JcZ&QiYHS%iQ<VA2U0wN;sA>MDfXjyJjK2gkE5vFfbDS;)(Q<V
zE@xnrVuWItVvu5hqMu@Khjn<42qXCFcy)|gpbo-{a~$LM9;#Q(Q*%{C6<k|gTd@AT
z(Y3*~-nG`X2BZ3wt`)9jt`@98&vMOhO><ScN?hYzV_XHUK^P;)U4B;&m)Di&%5^C&
z!MWAB#ktwJ(Ye979wX*8&Q;Ep&K1sO&K74qR<ma~r#UN~CC>5AG0p<#AZI^k-064r
zaC)72&RnPB6dYR}TO6Am8!@V0j}`7Uj#ZA8junn&juuC~W0qrvW16GVQG$7eF^&Sq
zAV)t(+~IfhaCjYgj$DW05bRs+TkM<d8|@qH>+NgpYwWA+EA1=n%j~o4Gwjna?@%JH
z6IY8ji;KkB;&ic8JX0Kuv42moi)goQvwmWI!@5rVM0~@#8oCRMth24t#ckG7>zUU6
zo|T?@>tLx=I#U`fB|Muw8$4@0tK3`NTil!NXWEC```ZKdZuU<09OWzJedQ(PQRPnM
zdZj^`i8+m=GF<7e1e9({Cnd-BmF<1oOSVUCciOJEHDE^L0$b8H+}7U~uywO_vgOEM
zL2Kb9`BC{!`FhN2%#<&Xlk#x6zcp!{X}#Y1sP%m@N9-o{7n9;l@p|!5@qH;Eb(1<t
zInr=BA@`KK$aZO)^a(T>)=8_So25n4Y-zf^1@k=9JSCnno<W|tr-vucqj-eh=bxgD
z?QGT@YbRmxP%%f~IVN@@+)eC8*dYdZUi7WlpYXflaKdZFWOgKJ{N|D}ChxFbz{g#3
zx_16Rp?*IWe!R7TgzwM7dm7=3f41JqhcEt^g&)ttU$VYL!XIGa`tP9b)2v^S@FEs|
z9!o!TyS9k2@EI(;8*Pil4i>)92uIrt=ks6mE(^bvg|8JaAmMkh@W)vAQn7)AU&+EZ
zu<%OpP7;0=3;%+J4-{V_;XWh0!OFt(#IN}9#W%9>E=Ks`d6JzEU!u4BfkMLtQkU#`
z@YzyN!Y4}HJ%RAvMt)0WDVdGeNm#Ol{oYkZ_>woJ3rP4A(#$L$C^X(6H4vUFT~Bzb
zbSL4Y^eEv|rI!eYrS}Q{LHdfYL(bv3;aj;A;rHZjgrAWEgzu3D6Ta4{Z{5G-Gx_s%
zAIYVJ*UQrhKOoO0e51UG@I3iu!qeo{gbU?$gons)5RS>85bh>#BkZ)<d7k&3tqbAz
zY&{9Dvn2@MZ5vGZTHBd~ud<aAuCh%he2#54;gfBP2nTF86YgqTO<1(8<9Y6vwl@gB
zX8VNjqqc2?Z&mDs7bsl_U#j#ZT&g4pk5C2^K2|xC@KH)B;ZDkQp6C3i%qIMyvWW2W
z%FTrDS5_0gURg)@8s!bbQ<P5#k5{%4KE-Y)9JY5Me3-o_Va1-{`I@iog9*QFPZEC0
zcrLD4ZLil?_KerTB8wqgK4<cECLd+;R<(rBrg1epzkta<GdY3D0w((~c?6SgLpJ}w
z<oirM%cTBV?j$rXVSELXl}w(=<Ul6%*DT`aF=q8x$m+51HRJrkHB8>ZWD}E@Fj>On
z2quqZ@<=8<hFq|X$q$%(p2_=|T*l;VCaahn%j8K+`kCy?B>PM>eP(det4uz^<jqX7
zayPMZH?eXzv2r)DayPMZH{}}X=Ksj#hfKb}<SHhYGdY*ZsZ5Szaxjx2CJ$v&F=XR6
zOzNNAPD10;jPGQUUC%~#JsT_7d3HS;PhfmBlbxAl*Rz3L&jxm1Haup8H{8Y~yAK;K
zWn9YSNG6YC@+c-d8M6K-CjY_YdL|!W@&+d7F*%LNLMDeY8Dp{=lX~~0lTi1q!F8-%
z>ee!5_j%n?##b`Q?(@2{7_<Alj(yhay0G)?ewoL*AM;qd%wx~%Jl5@*$J%8cYnOSf
zyEX50BcFN4dxV@B*-m4}(SN!HjO(!UdM2-7a*8LHf8Wl()Z-;Q(c>pP+|!TnF`fd#
zM|j2)&h=FC-1w7c2H}r9Eree*%C)4$vqs2ktBqKAEi3<c&-!foPQubtJR1pzJX;7K
ziad#KQ)d02uKrK|wbg%j-`!aM|Mpkc|9{x&`u|pa{r@580qku3|8M&G|4irs?9KYW
zzWOi4cd`Djul`$q-i`JD0)G7;8WrvQ*RlTJ))Vo+c5b)V|8Ei+*Ko6az(*)POz}~Q
z{K72K@{77aeo+^=nx<Vv@qUW;QM{MpJrwyxUHlNgs0-v5b%86}Y5o63q45^37{Hq;
zuAq1;MSc|*Y59d&Ait;!yn&`&PVst*%P8`Ty2y%O)CKa3x<GzW7sxN_0vET_`u}pF
zv56}ra6ZLGiVG;#Q{)$BkrltF3*;Adf&8K_@EV#Gzo?5)eo+_5FX{sMMO`4js0-v5
zb%B>FGumb1f0@vD30G#|#S|~1$gcn+@`W^%U&TczzlsZ-N+VC9IGJJ%#cGOG6!}G6
z{1CsW3*;Adf#voG+okDRg~k%D7{G}XCs5?q4-vVThVpBG2<6uRf&3aEkY57?j-y$f
zOOam^L}Y$R5XdhH0{JCDAipFC90N7>_E>IODm3y-g1`}6nSsM87El~Ukze#fT7J<F
z$S?W<`9(kAV44-b28d984G_q$0p21sZsO7c->0~d;(HX|rT9)eE%>hx8aHq`17D~3
z8pT&BzC!V3iZ4-IPw_>HFHn4*;&T+ArT7fRbrjc9e464@u2s9a{*MdFui^svRa_vy
ziVGajP7D5vg+_iA7kDgJ1>i9h`%p|!<d<!cmS467Mrh<P#Sq0H#Q;S=#oiQs6!R$_
zP4Q2j<J#pl(jqh-$>j_@g5u#6|46Yr#cmY66#qc+Fp7s#JcQ!G6uVOFLNSkGXNuZ3
zr1p3NLv^APmoqSzqKBfJqDs+4(Mi$4A>NZ8II!M!ixr!%Zr#T_0NU37{|}A-<(S-K
z7yAEB@n7N>QrBJU|6`T?u3y~&KxP0O547)}yYJrX|GWF<{N8q}{I3o0x34drP!D&G
zdw?Gh<}anl59$!Qn1(K**g~<H;zEl2I1M@TV>}=~#sfCev<(#NDb`V(M{zF2Inw9t
z^3Gi)%;yJnKz>jMyqx=8AU_}k*3!_K6lYN6$7x8*kMV%~7!P<6P5Wnx7gC%~kssqB
ztEn_}N;{44?-S-<z~v0Aq*zXI62&r#6%@~-$dA+TL;M&I$dB=W{1^|IqFM1{JcRON
zJRm>D1M*`$AV0<f@?$*Ux$QLmzekuqhAT7h42q*Eo=I^OMSf6+toT74a5#-zK=Cw+
z!zd1=ID{fU#={TsV>}=~#sdy&r}6(?!u$bTF@XIk_M^xTClI+W4dsUf2<3+aKz>L7
z<c9>n1kEZ=F-DOeAs{V3LICn31Ry^`00!G>{J&C|pU;&F$d3?!f1;tiDE6Ru6h(eW
zfUNi-0gxXO0Qn&SkRK8N`5^&%uK(bE=wV_0LlhsR_yEP#6jxEa-*sBMd}1CF=HJET
z47`)#N{atS@pg*0QM{GnEfjC2xPszeDc(f!FBEU2cmu`d6t9QEe?He&+4Uip7T1>_
z;{o|G9*`g70r@c=@Q`+z4!A>@-<c~F@F0o@Qapg-{uKA4*ok5;MGr-OjE7>VG}J|r
zALAjigNE8EDim$d|37ut*J-yyxtwnk=36M{P!tF@{+r@26o01pFN!}={E^}|id!lE
zK=FHu-%<RQ;x`n(Mmx2~bO2s%UvN1CKd1N^#ZM`ILUA+2k12kn3SSEQ3$yq0%y8eQ
zzU}(l)yvt-G1@*^S!!DYt@FdBbHzIAqn0g}Lvw}-vv=!nw{I5`v9Pj>kYm?g9(ExI
zNB#S2iVHc=ofpIrlM7RmtG$DgMdy1*RaBH&WO&i_=lcWs{;1a<?Bh@L2`7ATKpBEJ
z$2LMDL0CGDR$6j$9u~%tUu|C~FW2gDVw-h1sd{ovX_>cra&={CQE3ILQ(8Wy0$xr^
zE6UrdPaO4$1^kH}>l61yG`Fz9a*M^%uutoAL77$`?d`DRH5pY^T6BJ4MU8i8vTSOy
zD&-xKDyk^=_Ajc@{FY2_t4c9n7$$pRH+6?g6!XC!bRZlkvskT#`?N|G=V?_sxy>q#
z%wC%lDki}XO>tRidCGfYby2c1)mDX~K3H&$1p+%(DC&y_18}x{o<$V>`?Nx3C0d30
z|5}AkuTFU@CU^^~DvF9HPpWLIHWA!ck$AX`Cn(~JhU2kds06k7_dc!7qzPJWPWZLj
zoRBOlnp~Ewsi^XvUY(rS=EVv7B5}=a^o|!N?2CnCF#kHiB1uo~)9Mr#Yt;#~S)Bo;
zHPy-DNu}l9fpB<LR*@`j>!O5wkp$e+!|(U@FT9X17KGE@IFiYY`?MD47izUQzRg;k
zQCePHF}2z|HC0$$k}50n7FDHo`c4b_qLGkhc6x`(1bs0$+71T_EjC+npH^nl_?_Qj
zr}sa>J79Wcvbx$kr8Mb1aZ0MZ#yh$+H8oY$*0l-vqVYh$-^Sw~@WHh}BoQBPQIzBM
zX>~3<SF6rBZC;y#it6gp!m^b9)TdCXK^0|X6;n&gCwd1@!c*fNf}0N1R^9x*SRfV+
zMRvSYeqS7ZFZ_{nEq41s`?PLT$7*#uqs_YEtHVB{1r@kFBlUYP{nk#^c!wq7SgwtV
zg%T)!JQ&`wVhBmZLjF*2EGqWHKCRfLXK59i*k;AJkI<;;=qe=3GGEvMTL0&Sit_SQ
zQH{5tqN=9N3dVi0Sll1NBevZeBNX?=6Nx||e3r%Gcy^ywuxgA}!J)ra!GTq!Q&Ls>
zZRnj)RWZpsD%IwvDHQX?{dfoN_%26CBA9^N^D!2ubKll!=AomzqEa)v{aUTkuf(Cr
z@`<TQ+ACymd38<IWbIIYHF^gQ8KPG@RgAYw(mS-YsH&p6VnU7gjEbtZz5=1BFCGa*
z{X2e|5t4|(lS^#0#pRm2Pp|3tQQ9@_*=FrWq{{KU6?+S+Pn?!2YU{C!_~3;IUA!Id
z%7`x!4Tr+fQ5IFbc%Rl_raD5uf;ny0VPvXkaus^6-jS0lEAen?Z_O#C#kfCvj2v0e
z(+e+`s9{ZocgV>8UUYRQlun#nwX;uMDC|pw1M$d?-S<$$=a0j8jems2?LK3l)^}Qg
zcE!$Yv$h5J$W6uF<{gOMAnG_GHL0Q|<sDUm&v!9~CR!~=j%@2nhJ1L5;9Bl@CBr_v
zb>P*Yz~b?A+ov@v8K%`tbKth)z~qdfgV~pR<mAHYqN>u$oeZ%;LEL$8;?c%E3GW7Q
zuMh|fv*0K8X-zH}qSYkTW=+x~EB)hER8gGLuFL3DRZ&@WX|Z=yvT7nebXt!d-}bhy
zQ~*~hj#vJUR|?)20*P?MKSZyeR>zKi9WBt&0v#>T(E=SU(9r@NEzr>d9WBt&0v#>T
z(E=SU(9r__y)EFdCWY6mXA016f5ZBfXonTKgg6{l@Mgju-kst)+cH}VtnAOS&9F_g
zRoY5y<85PX1-3!9ezv&HpSGZ9A8#LHFR%}?_p`_CetQqQ*Pdt3wQDwpwklhc&B{h)
zgR)*(tE^F0DJzu~$})HvtXF2iy8kp-;)6xLJ+<RU?Eo^{f;+P*sM#D`0egRI9BZAM
zl}cs2QlRux{EAn}RRr4>+eX`Z+Zx--UEA7&SHNy^Cpky@N_t;<NqSVe6P^Sb;0y2q
zDJcz?`ll`KiC>BDXKe*qOVf4%Ju5tI*xQ4(z|HOruqL?9`o49W*a>zA`@;g^1+YbU
zy|~)m;_m16yS?sQx1erOH>&H^HR{U$lD`%38=?P+>vsQc+4cSC+~A(!p60H1uW+w*
zukviQCU7^Fq^(D~$G8jJmF^Pm-YMB_yOHs<^-A|3_jr2&9vH#9tJi{Npd$}^zj=Fr
zc|wC^otZVrktfvuleY&5e$#qA34g+RC*j+9`+tbvqWw;1=%}*ad(iqxHa^bl28&RR
zmw20qIIkNt!uic2XZH%{bvuAK|1)m~5a)IKe|f_E{Y1|070&AhaB%)8*hI|OT*P_Z
zKn~6yCr&5lbptv$Ka#fti1@mJ9h@%}Z|37S=>~Xkex~>+Ij<Y&!TDz19$;soskitE
zHE?3IOMR`lEt?+gR>s=_1fRj%{{#1zdXo5mk~sTc2tPpL+96M<`$amFk6*W0Dkc1~
z#I*zBKP1g2;WtT(2-izD6TVPdO}JQEM|ha@2H}MC3E@9V+X$<&o#%N!$Xy7(FZU$;
ztehZxuRNIWb@G{nXY=;|@`QOcy!}7$INtsrcrb7O4;<p{|A7zT?f-#gc^&_IbGPvJ
z|MG;n8+iMF;KzCUf8g7B`+wkO-u@qWCU5@_e7<c(#*SNOVS#Rk4KigsehW@xGQs2@
znRFSlNw-gh+f%ns1*zMog4FF(LF#4{A$7BnkQcCYXES-CZ565RDBD`XeQg^E_q1&$
zyuWQL&vX8zD1<*!@(91E^dP)ii4(p-8AN!lGKTOprG#)H%;05S4|&3zAx6Dgbo*qT
zg%;gD8RQA<yl!s}+?lap$mUO(e1*venbggEb{3j-`(cpN*?HZ57+AL-2C3T*gVgPZ
zK{}0i3%_IXJto&Nc{h{n`YdGEXCb>j3)%Hqcp{6Z+Yjq3EY$7fL0XLS3v|0`xL<TT
zd618=^SZq`aHGa~!ZqL8SMcpLU$?u4cDNk=^D^xRzQ;)4(rToequW92EG&N9IKTLI
zCYza@$z&OmqnYf-WG^Q7H{_z9nf#c^mzZSjz34BD>zHKiy{L#WYwty@y%(|eUc}nF
zg|&CfMk9X9GY-y<RcB$zxyJb=gP065c?grTAs269@=Z<RzVbR(3e$G=S>9J+Mmd(=
z!ekSZx;?ng!cyH%9;9w34^sbJL+bVeAw5R?CEJ+%fXU~XykC>JKi+k6_PxORdjwLq
zqlb38p2gSgn}H`gIs0E|pQySjXU)E9gN}UneG3@(LDMXCZT5YTCp1;58wih8HxoWd
z-AdT+RtR@>=Mfg&J$Rn~r8`b|gL@F+$J`r*`h8#f-Twunof_-h<o<7*j-9lb_b9r#
zMZEn#@KE0VA2`a}{{wg9?f-#Yy!}6P@4x5m|AF7<?f-$F<L&=}@AHuFV#9TwWqkP>
zW_wl=u7+JeuKW$>@b>?Z-^m{GerO2r_WuxmFj}x}`+wW}|C{bPZ`c0+;N7nGuX+Id
zU$X#6JOH-u?tjMv9rpir|M~y#jk(+Q|6UN9rgFP|fKw<=rZ|maHN`55{0?yB%<ljP
z@|(JW{DyGgB$`zj#q%kiN3oP*3B`%+WdH9up^4uC4&--$1Nj}`z(TGVz;h^$rFb^Q
zvncYLx{=iw8hQrB(G*Xo$ZrToRwHRBzabo<!`sO^z%xSAsoW0%PoX%N;t+}_Q#^^{
zi4+G?<TrKWcL&f=enU7y`3>Q~<7s4mLpVbD4dFn3Lpbo5cG~~HR%nWF#Q^d<z=0te
z8l@PZ=%?75qK{%e#iJ?yiDEB`Jt_8}$ZrTo75EL|z$4me|Nm1$6Te{?$Zr@1@*9SM
z{AOd|!CaYvT`6{<m`9P{FpRVZ(a-}a@*9Q`d4C$pZx}`>zhM~2Zx{x8+R5SH6GD@N
zD+bU`k>4<kP#X=ED2f!V6!|T|$co<*4CJ>2KOxNLw*&+EEx|y3OYqA=(<1JNfGrf8
zDK4bAfMOHH`R!y5aJ|qpkINZ2m*O0X*HD~IaTdj^C|*hN3W}Fgyo_Qk#hDamP`s4l
zB@{2-ZTo+?p!}w8Ait>_$ZzTfZd1Q$m%Y}H3G=_@$_)I5;@1?vqWDjWUsB|EaU<u?
zY3OGZKc)By#my8yruY%Xe^C68;s+jIyENSzVg9>Z&cJslzD@Bhif>TdK=E~ouTgxJ
z;wu#YPVr@mFHu}i@kNR+P<$SviuTyy4|^qRxtxJdQ+$fzlN2AP_!z}UDXyXT2*rof
z_WyRU{?|Sp09O5~2Y?56>H**r-2=c@<ss#ErBE5E3{)b@kxFMpv2C+`YJ1D}ob7M0
z{a+7nc~$TPP-M%q+2tSQ&*Zn|=jDgx|C5)&Q(moHEf>otY4-o*)Az~(;CjvepY=Ug
zz}4Ngze{v}=lsa|I{X=~cHZJ#;+*5W*jerz2M>n*9p5`XhOfeP?LGSM82|tGj_LQL
zX50h3Nmy_?#ZeSTQXEZjIK={rr%@b6aVSN86o*prBS0WO0t61GX$Mg}nc_(lPi!aq
ze;b7b$8$LY`%>hGd<gAFLyw`@hhl<aoMMb(lwyQpm|}=xkYa!$KLSJ*dfSd_m#^2m
z!h)XM4*`2nJc=SeTtws}Xz1Y-|46Yr#cmY66#qc+FpB&L5XCrzhVmmogz_UmU>D_r
zc4@k|g#`z2zYFAte85gLlppdTbblJ^rl?YMQFKz|hkVG{PD2%nHi|Mui6TD&M9%yO
z5NNSK(=ILfrqINX0D=7Y0mu&+fZMo20=H7+2O9|eo`!x$@mq@DP~-;;$m%N^x`iS?
zen4b?`~c*~4?uqW0OZFHz)zi0yEN<up@|<q0QvC)@B^+2z)ci4QhbjhKVU#we!u|a
z2Mj=dzyN%cX2p*mJ`xs8=0brr6ssv#QM|y_uU(q%Lt#M~moxBuisw-*r8tq|1d1t&
z#T1Ju7E(-798Yl^#d9g1Lvbv{vtjVBJw`;hzWfLf$d3Sl{0I>EDpw5PEA3?e?=_)`
z9{~dS5g_n+?stLDQGABtI*R;|4{4vKq5O~!p-<A#Cn!EnkskpfEk6PTuAz}1q4;n+
z+5dk<Xj;wX3|vL=ev0=|yoci56z`&VC&iT%|BvDw6mO?^8^v2G-a_$aiYwY_Iso&P
zH*h%vms7l+;xdZYQEa7nEybl2mpH5&b9z|U3!W{Wjh^+MHSlS_%v0}~;i>eD_Y`>g
zdHf!)C)Xpur~O9vdiNUlO7}A8SI>YR^>}Dgx22uFOs!XEsFmt?wLtBs`qeyDacy;N
zc5QI2b**x(aJ9H*xu&^FTw`2=Tya+qSDs68Zgp;k4*yzBPv6<%oaLP6EOCx;4synw
zJ)C(?#j(}iB5oAdiYvtyafVnT7Km}tD=OA4)(vUxZpT_que-%j@0hixdkXApw4Dg{
z71)t5t37r$V5dO|_8N@AZi7MCZxF|hgC2@k$-}M#s9)N)V&}nT>^<0k-3M#2|6mn%
zAgtK6e!H!Q&5L=CT$^GO<gM}+d9%Dx-XO1+*UD?;Rq{%C1!g^3<a&9QJVTx)SIQ;w
zczKLmAP<uJ$#L0_SrD(BC+EtFEJ$0WEz)LbqqIR<FRhi<NUNlk(h6yr)FRbOv!of)
zG^tW5k;Y47qylM>)K7{_eyNA#mGZ<5@RqnjtQV(=<HbRuU(6E)>t^eEDOXY?LEI{C
z5jX$7|Mp}&{@aLa<@A2K2upRn(L7=4tyWI&3+I^{|I!6wZdQ*7=XL#1#GfH@dS5ty
zzM)68^gOX2iLd*$Mf_3X7;?TZi+`M0NzV6R=Z_L+k@LELVC0i4F5}NH`N@dC<VSH8
zIj{Q<&J&h=D6S{xUu5xL;Ps5V2uoJ8^Sb}#uEHE$uNYF-&xO?WbGr)H==!;kx_&O?
z8Z8~t-@xQtCZ{qvp2<^~3^REclZqi1f6e6EOg_ov|1r6U$;+55XL1aa1DHIT$pa0!
z=-*6!!sOqX{2P;hWwL?EKQozP@-!wBO#YEc)sQVeFu94z=a{^Y$z@FH{*=22ExJB5
zq^=JQc_It<Gueeny}i2#&3b!7>g^55%H4dE5wE$PNmlOWV#ci8&8*zbtlZ74+zVN`
z7rt-AU-&GO_cD1Mle3wuX7U^+Pi8W}WLG9dLoWD|$qh_C%H*v~>UzIjgasEfp2*~I
zCXZqA2qxWzZ2F!_T_3uO(DV#rUC$fL%H71u-Nee>#LC^o%H71u-E=TZFBx+FKbd@k
z$;X+zoyis^YneQc$x%$|&vh4JzWy9T?r)rL{Dnz&A2z<s_#r0Q^=xF<v++W9o?Xwz
zVT@x;c4v}Z&jxlq8`yo=@VpV;a6gmmK5V#}aSfB_GC7DzU4Oib(4gy&L(0badR>3K
zi%|a-<0qNCgULlqvgfmY5@Ys!)(>FJp3i#reAcn&vyQb(9eY0O*nM8dp3k}lBYhpa
z&+Af-E!p=P-gC=YIJ@ub`Y=A6Np}Ct+iLJU)=u--^E!_`uk%<t&13B}Z!(KNp2<^~
z3^REslQu)n{fbF;|IB@YF>9x}?EaZs%g&cEc{-EFGueyD0}MImXC^;pay^r}K6@8o
z&W()cF*%*dA|{72$?l&y-55I!dChlBzQ^P`r$E|wj+6TiqP?d$y(D~`(@%J?llu-L
ze#lus!Vh(hCv0<8^1S#f=M2JcIqL~O;ao=e4(w-8v>t|5{ybrEi*pU(TIYJglj#0{
z#b;3c|Hb`X0*U`8S1#cLTwb0R{o?Wy-i)adt~`rgb`=nQ$TgnuO|DA9^{yF&FLc!t
zE_N*=Jj}I{aNM<qaCg^w!Y<cFo?E_mZ6W-=DiD5F%_V%V>Lq-g8mIcw#&u}9LM8g|
zEtM+Q56Tl-&QeQAJ_FThgnO%8KM3*j)D{w+qpsk&`7@R42jvOPuTuU0=7*^MfAe3c
z{(o~F)&Fn4km~<87g7EH=3!L-zd26z|C_s0{r_f{o78{d_ij@Eg&W<Z{tKURllm{b
z$4%<Lu+>fKzi^hD)PG@>doABS3&*-Q5I)JhnXuozm2el2LfGob<9Wdso*sl>_rwXW
z@eCq-i)Res`JNKO7kQ=;p5U29xWLmwxQ}NA;ln+v2&<m8JU4yk*+BR`&t}5wJX;BC
zKH&7{*dbmH|9>|K+In>xIsm)g1ArX>*qh!-eM-F_JGmFBSF3+k%hYq!Ve0W1_jgnG
zQ?0IVUH@>s=DNmlt7B&#05{v;us>se&|Yaz+DF(=u!rqO*blPXU^&3h0C-4gRq9|V
z;Py7x|F6?E0E%p*Y$w{PcC!9|Iy3-!$X#TI9FrcwDEE4)QMyd3ky6rV>12#+drDm;
zr}%~VuJ|H60j?1zixb2%FtSaEy~Kk>m-T1sm)7^Jng+lP@Bw&{Ytpaj062rX4!{QJ
z0kq?vduTiO{~Oxj|L?akV&Cmja5Hw_3kyRO!xZ@yU_|CufPuYfWFN(RibqrY6UAN>
zds5^Vgz>xlf-vw%8u<w6g?3p(_*Pix<#Gn{E5N`*Y3Lyo|3Hyn0Y=&`G&GN5XNm_=
zJdol66!)jdF9_pz`2}GhzaR|s(6nxBYHyF#n6HI}{0cCTUjYX4E5JZIR}3J(0t~d$
zPz%KziUPp}|EBm0#h)quiz2_M`?auuUl0cJ3&Oyy%D{GMx-G&2egzoFuK)x26=2{u
zT$zFV3NVmg0S10fBl9c32>q0XenN3G#g8d|M3G+sM$Y^SFz^E!d6WIpc4@jVg#~YO
zIRp6>U?9H&419-1=GPAq%C8>+`Sn8}zkUdOg=Y14iZ4@qiQ;;S{Q4ns=GPB_{Q4pA
zImh?y(sZ8-3;5+kAital<d+kH{Bk0YUrq$_>xV#o{Se5n9|9ldst^1d#fK<9Nbv!R
z{Q4oX;@1y>{Q4n~Uq8fx|1>Tu;8YHO6c&!4INTLzmuBB8EF8k+3_O+MDHI1&JelH2
z6i=i$km3mx2T<%!u^+|bDfXp!9K~ZP9^+cvE=`ASK$OcF7~v4t_g?kYcKM-Cg#|0Q
zoPqrMFpys#2J-8}Kz>0O$S(*3Z>Bk~p!ipcH&Ofx#TzN!K#^Y%#_#eA!oX!T@^$W^
z?b39cg$0YboPmodwoq)w&VrqIsz%y{G;$Ng`4k%|Hc+gmSVwUl#kmycP`rlX)&I}l
za{#tgUHi19r$tyHgXDz(u?@1dharID1QN)05(1bcPtud6M3x*4J7$%LQ7BNtvK_m>
zG4!{Mf7?%?zk`lnXiHm0DNx!E9TZwR=%&9drR9%vhu*NBBwLu2P+KiG=k9ynUFY00
zl;F)u@Fuvk&&2%-HmK`lH3L{ug8P-=wMy_kO7LnWc$E^oQVCw61P58odCZv_j)B+z
zad`3P;FW(IUiLY#H8&0~_?+z}+qi8Pyk0Z#LVYb*{bS&z`C52QX5hv6T6h&^fL^{<
ze;&L5Kdie}cb<;XKCHb~d!CljJgnKJ;lP#O+w`-YXX9*)^(E`W)^Y2#)?L=~tell$
zUjiwBad`RP#h%A<EMs{IUiHV}HGdb_Cgdy(SR#BFtPftx&_5VHSN^wJxLDVrRr*ix
zc-p<-AHwYpyF(g}=GsQedt2S$@x<rTv}s;q&Qoi5s&VT5b0Z%ko^V)mrj~1<f1XGy
zcxv&7y_y#7u13m-TRj1PC=$>#X~!EWA8Pgbz*U$>bGr7WM#=|U!IPZ_`hTjfq45V=
zz2H;G6VjZbYiRu72?ZRTg#sE**U<QVtv>L>2j6cIyz6td=7Q??_jtj1BzW=*YZmGo
z8o#I2?}-FLA<cY!L*sY1`a|G*&#yU2-^lpgk=B66=ka+pC+Zs+zZ+a+f`>o9M{~TP
zk@361A7ua*ctCTkp^@>sgROy3I2a6TjxjVeesH+x4f=y_jl<B;`2A2GJZ%OwHe*BM
z_q7It;2|xfVT}!q9~}LGdl`R7V>UK4eot#CfLyd`jK+q>58ms-u)+E@deijB?`{u(
zlQ{68=5cGZrs<C#%7dph@bDCgXc*J<#}DPfs~H?G!65U$rs<C#%7a%hk2e(bGH;q2
z8bA2t3Wxk2FY`BZL*obUSI9GBfcdNKT79kUYc_2b1G5--7h^!>eggZGAMU^49M8x6
z1>W<yTEkZ_5BKk2C=v`ae}eb?2Fio~Gq*Psjxc|;pVvrvPpil4bGyCFAMDpQQr_JP
z*Bfv?$NbLT$oRq8xhD_^M}o|69F2_MA8z%+^(NwGe&uLn{C>EfdqO^cnE9onk@5TC
zejWjLmSN`Sj)uk`08fJ+Z@|mE0{n*Qe}6yR&ylBiKl2l3L*s}0Ib1N{`@iIDX#8+L
z2LuLu%!|&3#_wqjxcy<bhxs9_od(7a_w$H9<aRUPXEnQk{y&d-Tj>95HRruu)W3$A
zA^Lw8a~|NZ;XjrA3G)YFeS1R@jaxH5?e7ESVShr-%Y&L$;16)MI;Y;g8`ft89MCsT
z|9gS@4!s5X-wRHngTcn>e_tfv3%mvT--n#ydK#zy{k{lvp>g^j))z2P8mIsL;V`1#
z8m9jPfj}e>Y@GfN!1fY;3-o``=Lv@10{sszfqlMk<Me+JD)4w4r~knjeIVp+oc<5F
z!(mvz4b%Ujpa(qAHctP8?{=u6ar!^(@kQLe#_50HKEVJQr~hI3c!7V`F#QiMiaq{7
z<Mco5o)K8T4b%S-SU_Q4qx65c)g6H2BitzcAA<XJ&>!+QO8*DJKQORge2voo0Vogd
zg~PM-f3357Hf<II?{*BR+)pw654VFr*xfk&@AU$Q)7v=x@Adftz#nax{`Ur8gM170
zKisd~P`+XM-y8M@fj`_Z{qOUJQU4pJ|9wEf1|yBr|8P6=dxDMA|Ndam6Am^`|N8?G
zFVN2o)BgdV*XMUPPX7nseFpen4b%U?{_=U<jnn@@uNSTuK>zFSsxAM2nRBgE<M^ZF
zr;g_wk2*f%_^4yVakJwJ#~w#F@&JJ3{~g-8^8epBisb*VuPXolAjtne0`mV;wE;MT
zvj0erU{?PB-F{lCj!%-<(Xh<$F-lM-0gh5-;^GLjD>K`apj8R7O3<PNWdh--W|K12
zs00m4P_G1aN>C;cj%wD-j5>hE%nZpSz!CU2S-SwrB*0PXo66MJmEd2L;GdP?pOm0X
zs2kNR69`A3OduSAe^8eFy%LlOgrm&ARi?@W!cpq4XGZ>CV`PSYCTj@5SCrsSmEg~n
z;LA$zB_;S{CHSHelnHgCZv0T0Dia7tsoz(ozMuqU0^umLOduSA-&1D(?##&lYxK;}
zw`Da0D3bt3sozqjKCJ|wP=b#u!N-)~H<h4F0vt8;b!F<KO7Lq+@T*GjD@yPYCHSxs
z{PN7m|7*0&kW2y`fiekj1j;195%_soHvs&!68sM(_$ej$pb~sQ34T%u-me5@0>h{q
zpHQZLTnWnLhf!vk{4fG1X2xirhGB+e^1}%HkgOX3%H)Sps!V<ufrpftKd1!%MG1aD
z363ejQ6(r77)A}r1cnhftjsKv5Jsu@C{twu!zfiQFbop@TcyklfLkO`<6wr{lwhk8
zbj^(YKaGtUZj#ju;4&q6x)MB12`*KFrzpWCN{~~6i<RIaC3vzDT&M&WD8czkaGnx8
zNeRxi-7*sr(dgVi*8cUGsEYYtX6XG=ClPp?5|m4TL#kW?96-6qH-I-O%f43$-lzm`
zP=ePh!RwS@NeS*(f^v~>=!RV68^CLnnXjH9f&Vv|p?$KN0US_*{YtQ?1oPlbuZsLX
zRFzX^-m3)rlwei~W|UyB5=<+>JxXx55=<$<q!R3b8~98}_`?<ymDLO&uLO4~!JSI*
zawXWU1TRy9mny+al;CzHc(D@P#_BHBoU7Z+I9A*GY`bjV1dDzfoi~B~zkOf<FbNs~
z+rbLpYOn(s21|fVU<>dhum)%bdw_ohi-5lbZGq>(D&RMPCvd=V6ZX9h{?&C4=q7ac
zf(F6!;IICh;IaO5;IaNN=o5_C4_IHYK4X2v`hfLb>mAnp*1cBVy2;vM^;nl!=U6rD
zYwXMHGwdVm1MI!*9qfK~FUzx=*bdgiE@9`e8p~^zmo3j&9<e-Nxz}=sWxr)F*bLZY
z>9BY#ODuCN8uM%Bm(9<ZA2B~*zSn$*dB1tDnKy4TcbGlqCFVJ1jp;Sh%cf^ckC+}X
z-D|o7JO}JG@up3t4wJ{U#5BjGF}`Me+4zj{5#s~Kd%=6ae&b#vZ`@?;FnWwjjB|_{
z!)u0@4bK=JF+2b^1nw~GH|#a=hE0YJgU7JMFvp<Lzovg#|BU_-{R8@Y^>^s^>-Xw;
z{U&{f-lJclpQG34Uemp-dj{+XY}VbO+ppWJ<82#3j=>F@499>j!ymvZqG%z};dY$l
zFx&sCOX&u6H|q}S9@0IgdqMZA?hU;~KTqEb)(O_=FVUy;gZi8G2lW&BhxCu>U(mm*
zf5Tug%mbSS5yKk8C5Dt?&~UTipkc!Bs^JZz1*{-68zaUw#!HMT<Dl^&<737bjISEs
zFj-9VOwFc<X^rU;Q_3`Gy4iHlG+}zk^qA=d)2pU8%og)JbF(>OUSqz*oH7rZZ#Ew^
zPnaJvKW2Ub>@>V#u~_C=nk^B_8p|b?lx5Izv*n;=!t#*iF|h9Ns^tyV!p>ux*$BIa
zy@XA%gY3=hL3V<D2<%S0z`iQ~*?&0`KUGRv8Hr4}EM$hTi6#htN?~lO31Dn$YN0r@
z`{2ub60BE_gZ;__$bzMFTxl6bcPWD{YS3!l0Eg`+Xpn%z*Z|l<X5<wLV?$s7zd>Pa
z5NsiH&`Dt$9>nnrn6Y1>cnF`P;eV2R2WdU!-XEmx(B3l#dq}<^Y%mMzzna4L((-pv
z_!bIJP#7DCg8W~m@J^ckT?((E@UJQCBjKoq!r0K(LS}R>g|WdcfLjTC4>r67@Jb4Q
zpM;~AQWzU3gY-TMe}bmpK;a<@k5TwN6n=ohDGGms!d(=8k;2O<{3i-8BjFfJ;bSPw
zk??M8U~3^W7NjsXv<2{53S)y?07of|4Q~OA4OT5=?xy%2yPc*}e2;yY!W7?QU!X9>
z_t-NOruZJihO(eOpW!k2bi4ax!wU-7WV~4p-}M@)XAB$MTFBh>0|I~GI1=9VD21_s
zE=a$h!spTSQ3_v7;p-`k4WdDQZ18I#^8suq4d87w9UBG%nAY<FY%mO9+|J3&E!a>T
zz$X|FD*DS9C*<&*zh>W1z<3=jVs4>$zZ0(qfa!O+^Dt^3VEWzeypzDUI!M3nyo$o7
zQaC~3b_#E#Fb)?ocSb0T^8t*@En;rP^#F|5E5LV<@^|2M4e&=P{0c4qB?^C=!r!6r
zLlnmAd?9nkeFVOZ?jLvDN@2R5?&znm3x$w>7ll_)_(BSAr?8*GSqd+rFkMe~V1t#5
znA_-jI)DvV0!-J_fgjQQbUhuwA*BD1)OX;MG@Y)e1Gt_=%==lIj@tp4qcH9Vz#$6b
zbr0}53a>;Vz}V2+LgoP8Hvry8(=i?ZzKz0o-vRhT1il^bO8{fME@W=U`xd|$?*QX{
z4d9>A{CM93`0o_H3x$iA+viaDY6>r-a1Vu-Q+N}FH&gg*3MVOiI)$&HFy3FF{<{hM
z{=d=mf1@y+FSkET;iqW&_bB{13jc<}biN$WQkc${11C{<faE{WM&T%hS5bH^g)gIU
zkivZwUQFQ|DQuze2MB!Ie^Z#wm)m|o;cwFPuTz-rzqir(asZcG$lQkamqpASxL$y-
zC;9Kd?E;*kaDdi#F@-Opa0i8X3ZF?~JZ>m|B8BOEx%L07pbLub10?^guUh9R;AgGP
z3iylGhywnIb&Uc(V7){EUujJ#V8J@5fHzogR=^SKK?S_jI-!8=)`#TqEw5W2Q@}4<
zUsk|Rka6Ae1?yiGG#QB={+-P%&p!OT?IZ>KWm}U1K5Pps;5%)r74X%z?Fu+yyH<i1
zFe5)D?T+YC2=Fr$&dcrp!FA|zx&1$YFOb{+1K2CK{|E2_x&1$=_f4>S_b~dbN9!NK
z&j&t1L%fYHU_MZyFkX%T<LwecyiG#bNz+|4#M>jp<7p2e19}1qzwam?;O{Ai%>E(3
zpL59U9|C+I*!@#0caz-S-vZ{~v83IRFOcwHlVj5Dn8c6aV;Qco_&A0TAD<B7V--Sy
z=G#ESi1Pr`G?i~j^Dm{LorI&W)9_^);$^Xb8GW3>|3SkK((oo4;^PVOT~6T(Xy~Eg
z0vgVzA)VI;e@Ebh&(rWLH2gRXhiG^$4R_OU3k}bKvGz@6yfc-@uIpgtX}_v*{?hpv
z*#5uAxzoAM83c-aDZJPpWG^s3Xa0)$lcuQdKHc%U>vX%dZ)m@&Yt?l*hR9DlXf0}c
zw1{sq`!|b$Y8Zf7c4oD-$?=faJvpux>@7{KGct3vnyqW{`J%vlZ&5H57NUWK-vv5m
zA(uZY1YO~%5OPJ_0l^P)JJEoTpIe$(i%Tu0r55tRL_FjP#5^aKCRXF5lWEf2ST0pa
z#rU+NG_fA1*lEgQtF_1+tL)uzrHKtV(_ETq!4{9#<2j);aUqUgK%?gkq%!gBKz>1K
zVhv7MMiWkoWqW&Fkm~BoWn=F>t2A+e361al0?ly3l~=~H=``P$7n-)EgaNKA)ziy2
zvuF3^gmcc0W#a-DOY`~s@>2%+-t;Nwuxue!NDJ-U%3QXuPsrstVP9W53uDUkaGl#$
zxj+;u<nn;Q2rrw8w{ug$ADb`mg<`%PRVCz7y+WqIr`foW2VC_PQrQf&CKQBNL2N9~
z6_R{`E9QksZE}Sy2esu2+^S9MSFPOQ^R}+qzKY{BaV}d(3OO!cjB*GSLOw6#xpZoe
z!1d;n1-@0-C$KpoA>@P%B(}30{JFSfq0pCaZ)+PE7-&rnMsumSi_h@s!F(#;3aD+%
z^Sym(q0P(tdBGd@$3nqGI2caE0-m@p8Vv^Gd^pDQK_S7%q9J!E;SC0&-ayRfPJq-~
zz#R<*qoII1bgq!;Pvx>1H1sv`<sP?NrTw04wkIv%W{bJ>xykf$A#?iP<>f94y-^{a
z!pYHewx=z>M@S2WY{nH!XY)eA)th%^6NywzaP=3{86n3<Q|VM;&^4GXy5gyLrr_F>
z$qu;qXtr25J)bS+V#0Em3aRwz#e8A8CjesDpor~thkc;!<%Y<f<sIj5+TFSSg814{
z&$fZJ+xhifY44VJcrd;4l4#e3=l5<LVEJMpna#Cx=clu|6rbTX!)IXQd;w+<nkj7_
zPn*}r7Wf_!<$R&Q$M&?w;ag<#!cL)|&%+d;_@Idev<g@lCFv*mS}~}#Cz~5=FMr^j
zv7Er8`GX6?SC1ECg?5gv6_{XXPNC_A)AN8X8Hm3BMjmEEVNEaJ1KnNL(k-7;%W$Ds
zHWP=rkEW<to=v2LbX*)yC#*o2e``}2flct~ywI1;Ly>-Ik`*%u^BFcR^b6^BuDnCA
z?AdK-0iJVq8(NI))mN9+lqSx{>-Po?UBAbaKmU=Rq4JiG#<>YQ@G8X)?0}e+iWqY#
zQ<~@`7{7>O+&Ov2Tm}1Mp(8E8rqh|tBvL)KcF#mAT@Z5Ztc%-Q6kx96S%m+&GhfKT
zCQ4#Bn#?u9oX8Y*!dB|xI@Yh`V9xK%@V!F&x>PKe&1VyZZr8<R^Y3<b4d#2ZneMg?
zu#Mu0&!<r#+y<J@q%K%}e5-tFw{$CJb~6k03H#bnTd<erlddQ%qr9ty#SKqo=kLp<
zV7V7yDSBX2<q>YsxO!8WVgcqo=Vl9oeXyqZ%wWYNUtgM7fib?{N-=KQc|KY<+{W_4
z*~yld47+np2Jk85@%ghh+ryoY7vD}+w(Q`ub|^mU{6cBsJkrL+v<>YMIbr6PCeFn@
zIgK_uN4_t*OB3hd)J-(iSpSf9{6e=xd1sh~W-%~}0TBc1N)ubiQn!#*^}KP_J|R{t
z@X@q@Zjf;<I>>EI7kjpIsSLL@gKo^(47WB5_X#-I;Sxx;Rc;&Hb|C_4-XPZg*8c%l
z{0Lt3^osu+T=CuhAnaLT`JVOMVxUbzIEK<D&n*fk!ePOe2)f|<8FBf;iGYg_#QZLA
zA|wd$L<r1|xq&tb;!>10d2XRQ0qPPV5AO#m!jF?E74e*mitynCN<}=Uq#}+lO?Ywg
zJc7{Y=JvwHv)F6b4g>x2uZ-DeUSN9D^iy~p{|wmq%jhrDFNgQ$&+59Ef7Ny9+H~{m
zr<8xXx!S*Kf2{qQ?Kj$C?I&#a!F%X6wrk{Ag-RRx(@roaRu;St&T|)@4)3Ms`E&1%
z^IUe^wYL;<d?w$Q%@w+r#|u02+1MVTa3&v*!#SDnUfzN)5>4wjY$@L^@QpxGgP0ji
z543^_z*bL-c#GJuS$>gFFP4VYlTK#yg_h>#diRM7`F@_;T+Cz;2|17|B)QE(Z?+%+
z(HAZD^gt{t-6wq0zE9|HXG)b5;Yh|DTbgj=1#<#jFvn!F839&!8;+$6falQlvsDpe
z-c_17lWbmXwCG#C3$f(lC;Mv9>KTew=l7K+T1cxKXshDwi03Zs*w#@du(+K3tL4a7
zi<iF|$EVX-AhvqA-fT`l6nlo-4YVZOE9vAw)H+a58KAr1X4H&(L2pLSO}-g5;Z%Av
zdd^sX(%9_UA0NrDJlobR296*GVA(E}FWYC)1>qDNLoW!=E{cVa=@56&<@3ekF264n
zf(t^>?{X)C-gwjvR<n2?To9JvQuKoG>_T5SBDlRml!qobMH36)%CH#6&@02UvMa+P
zoItM(&sJO+PR7af%J3|`GQ4+dX<{MXYHly5G|Z6fD(3rAu~fF02QnPkmK%X<!*#)V
z5=&xE<W!I`4NfEvI~TOlhg!+wR?zh^MwmUoSj-4qHpfMIXr3dCOki4OIiAY_Q;AFS
znVupPt-~LSw0YcZ9)AtSWIP+oxAvBK0hs$IWL(938|8AL(C2MSWeRD`Omd+PyHasr
zDx`o<mCNH}U1D?=U?@OP<BDQE=|LgaM!2)UsRPbmAQ+B#BcSf<5Bt1<x1R$iJEz(?
z@dko;87^*FEE(%-;lQ@ZGLBoybtVDlc|nnBsgw<Dd_lgYTnA!&#uT~4svu7o<pD-`
z0r5Jj*A@;0aHE@x`8=>S71hZa1;edV%jU<~WPO_gW3l2SufkqDr6UfEmlUv<fS~CY
zI3Bp1{lJ{zn)o<AkHv|chqPEW7e{9{%vInF=U@`|@K6}jLd)`8PUry|sQHvKvyxo>
zD_NBcqdDOS?uJK4Q#V{vn(*N5?v^F=X4UX^SN{TpcfG05i0V%*Z`)N*ea};S0!Za!
z*?!=X;^pPyMCL!x$47YUStij`l_b^j7V;P%?2Dy~h(%E5;i6qiv4bsZp@h|PiLN4L
z$(B|nvv^^q4XJGo_>C)*Ex;oh?M01u2-4bAH;^*3mA+3@Tk>|pJxoM*0b|G+&M~}T
z_=NGdrmq+uGaWMj(D{V(kTd5z&&irU=lHqf0moI2jgF=E*X&=g-)P@tKh5@6+t-2e
zzueYreZ%@q>)qC!)-&0^vQM!e0_pDc>{83?mTy_^v+T31GaL_6>Hn#}Q{SUMOMi^+
z72PLwSL!ZM|7m}Ne@`;sQv8mNtzx#9|Ew7B44-3VG#b#7FngAqtk+$f&Fx75A-z$^
z^`_vqk<GwC4ji2vJPN_vN<5oM4|<0qxQvFD(N-3M=g-|hXUhtChQoClsw~qy?1M5E
zGiqqg$$FJ`yn%A3nufhNFB%Bst?ZJNwRzZ8uUel}?U{9|6|*)EFRN3nCn!~WdhKfE
zS(k{_I#rPnF4wwjm=kM-td%$rb9#nCVx>z?HkvE5R(=g`D2U3yWHEaf#;6kuZ9xn`
z{4Q<OGbgF7q~@XJVsmp;o0E-q=xi~sQ#G$R3ezIyQMKlds<<UXD`33vN71TR!E5Uf
zTBT$mEKtP>NSdGpSDp!`*O~qQP%LmmooG~`*;aM3c!$mv2enjnP-RA}Y#Xu6VIKL1
z4(zQqzGP^l{B!HomXUX8CCY>MJy@Mm7HL<mT%OReh7~}Yh8KvRLVb@3m1own;rTc#
z+Gkbw7%^wl@CkJ)^-7f<U%OH<XY;UAtW^C-@W?vg5NlOE669GeVzufB5V!7S!)CEo
zRRoARn}&6DD)mSR(AKV0%;_1rTC5ZfY?U)HmEQ>qryt~#%C)<Pt`cj9GL@TsWfAYt
zfY{7Z)n-%{r)Q{NYzGQewxd#}b!e~H&;r$lCT(r5p+2z@C{WqRr2L+tJz@ju2&-I6
z?xEdc8>$GaEaDsLfg)th!fs{|cX9ceC2}gV?W}DmA(n!TU9Hrl;j|11VhK1()k;Wb
zY4cEA%nWC#T4wPu^$zi3Uf6Wh@~T_~hj!E}q=u@?#6o~7>A<Uls!PREfGV|86{xyI
zECHxeD<MbKb}=)cN-eVtRa?cpfGV}TYN*;=uTUkbmJDq|h02!$z4TS2OP6nGomerT
zQ~k71nR#o)Qh-jiQWfaDNGt*9R4XAz=Y?WsK&M(}89FZz^Hw?TD$!}z>}8f~LKf$9
z&a0do9Irc`a1<P?fy#f>-fKV4_6ytRZM@BI{f_m6)&O|d8)cKAh5rO--JfZG68z|`
zF`sOD)HDKq0gpF+2{h&%hMyRA7(Duq>95iKRriG9ZeyqMkEXwyud!aG8`iaH|DwI#
zX0e~3-JtoI=3|<W{h;Ge{U39`ca-ew=o$n&qOo$fQrQxl528Y3D}fWnV5%%79tWD{
zg9b%rl><RKkPhlYqZf<W&rts^eOL~4Cs2PyLAF(C=QHh%U4BBN(sDTiXiT-OQN2y?
z=oYcJRc1!z(WU(o6PR{Ky`%EgsoKZNmV%?}p?l<74#=GPxO6clGVLy+0>M$VYRfIE
zZ9G-Jo@W#-UQ!S+snXTT;ptCf{L}5FXLOCM9kmWtw$pO34a$)D4)-*J$`qCn?+06P
zW=iK9D%XaTSFeA8xn#;CFuaeMvZ_bR!RESMmKXyEo9cC0%xicbbYuHe`#ilaFRj;Q
z+4g<#lsa9O@)|zPu%yF_MiJ3xwxDmrFyhrrI;xBj#x>QkG0g{07CVf#L6vDC9wAK!
z7mEEwc`IjynAIqhySsQ4ky&O+qe@q4S$}^y^(oPOaBjWsN|edL6YF$W%xc;rb$6A#
zyCSPj>TdJFIrX|A5>ibEkEzoIF{|mdX?(SogI2K*RTi^Eb~PVl#ZI8im7h(@Yc5EL
zI3G%h-%UJJ<%pQpp(yr2ed>tkr}=fM3+T!sc0oL$WnCC~53UxS{8eVJc!)QRTvMkD
zVphvNjT~+xgJNHRoKagzmAkTMWS`h6RH*XXRF+|bOmNEUTg>Pi$&1~COOjgmRBlP$
zk(}5+RI0LnDuvi57_Zpwl>X5+(kpfj$W67*O}Zzyj-<top%RrHn^XWa?i;wUj7aom
zm2X<8;M{vg2)T(iX!UPeS;lrdbKE3MEgoGBBNS)9c$tu9zjs7VOsZn7lGyQ#>=F^D
z-n+^&w%eLUH$W+Jvw?*sc19v5#l_PyA`zaj-AFsWlvlbuG>;H^lU_8$(@ZU|{W!-$
z=8Q>Lss^@<NY~+Ny%6sM%_HOnT%#9aUi-nOQA945aiMn0li>oPO}uoe;X*p%n@7+^
z7rr>m8`R~>DJ{!8Dkr2>Z_;8Xnn%!WQKWR#Iw79hO(SU1kv_n8R_TM7)p^P^j_nc5
zsK&fjRISP_Lp+O{Mpo46f|#{=RN_`tp?_sqK(8Y;u^^tsO(W=aq!t#$tj@#JIkrd8
zgHY}1APsH=y#&>q4q{$d1yjCNH;;J4PE`38;#q7r6yY%LXV|Z^huNj<9Lo=ly~fLo
zYYg9qNcuB;&G2F7ayXKDm>%;V@p>F&;AUF)4~orG&2;k>rNb++OwC;}B2)8t!!k88
z5kew+4hqAYLEwpqPJu2+XKx%y_F>5yQ1}JUnE|iM9rg$=Kj{9t!tOu<l;u3Z1UPJu
zg?aBZ<OxAL84Fj5ZDkW6EJ%c@p&JPhCghRabx)4(CECv^5ZCGl{amcb0<wpw22k09
zZi2j_AY`~E(29%g8RYf|gCK|)+Y`@bbIq+agb9(}aK06^Vv`x6FiEO#cQ(T#5$-~+
zm`=BW?rsptCc1rXRE;*%<08$upgC8$xqO?NZf_sbq{$bMrnOSE2kr;`skG1oYQK4q
z5ywJj${Yoc+Y?ZiAQH8TBW-T@-w_rOQiuS8L}5#JXEBG=hpF07H&!DC^+eD*A__?G
zlFx0x`tA8{P|!}skPbSP@IeAP=x^E;6$_~}s2k5jRoVQWnWzS|r!%R<;7nAN;d3Cv
zn9a>ZUGY@DFU=1U(cPJ-kS|1YSrE&R)ukq<RYgd1qX0{eDD84vK%F&T7O+gFdXnPY
zs+6;|GK`?QFV1A-p3-5W1igP1-C{+x^S5KmaFh<OkjtGv4w^BC6&k#cn{V7*I!sh}
zZ|kIediN=EHGyXKq+Nt;Bi(o(>6SK<ZgD4(Z6)Hg0gbIjYU-A6CS0vb#Fo(Zrrxdc
zZc?+JieZTrmp968`F1kBx+D}S_7SOx#;{bmk-XI!6+1~?^|>iuTFS&XSl*bn5}l`X
zm?*Ay(Z!~shgPwL!Kx+t>{P?;@%j6i(&6PqwJb|35>?BN*ac{Q>G0Wjd!edkk1JHo
zf~CV};nd4%2aQujFvA#Ta?_oyYZe2u7?{PtQG)@y<~HVZ=0V1IJ3N_f2d)3pbn~>Y
z!0Y@&%!|x}8eZeqShTlj{kk{60${&^(SOGnGX@Pma()MN1D1nNz(bCR!vwbdciS1;
z6Sh6JbFIIu^@FC~+K*`-zFf}T(5Y~mMD9k@aJR@|0Zxec)*~?=Wm%JTvWgs`mf@J#
z17PE+^+0-WX&#P>^`guwJU@}iqdjICOrBv$0s#$81q~u+tZ8_g*avkqh*`BenN#ac
z-lpM9o$90!eRet{N{MK#G9vL4=+;exDd!!=(mzxVR25Z~Z!n%=EMQtgqQA0??psWA
zJ>=o^=HX(!p^9ACrr|;zY>Qd-2d0DVY`rdsU(q)#i7dezk=k4<-&19hF5Y1xyM(yi
zs8r?5S1DvTlj)oi3ae*o8NN~+S+(UUF8k);D@5#8S)O8E!xyHG-nL=%%1ju+@Oq_&
zvPsWZt;0lG8KDc6s6^MK0!9mSN_8xtl;#m*oxw@(G{&z@V@0)$XvEP~L9thSPiY=u
z>h(g*>m5eI>;!G_cBO_km8Z4i40ZRcN<>+(`R~g3nT|0BnB6m7=RdqY(-Ut;7c6H_
zU1sO)Xn)#u!lHQ_{@Bi=3=M`ay$x7ktQQ_-XwZLV=Fwogh}kw1wKk2o#Z4G4S1QlG
z;xT6%n))%<JaUG(U!!Vk-a<!O>U2T8h1&fMiE^AK_65!kwZ2qd**qhsik(7*Do@?Y
zGWPE_CZ4lc>>gZ))Vil~AM%bY68ncrRrXJ%kYo4s#dGF~orBAVTIVL+K3Ydk5<7-U
zRCa7q0jIg4Z+e{AuPWcP@;=}hIachN`ZujC<NQcNy|dTrU8SgvXT(;gca>#e2bj9R
zXUm95>{YePnW*n;XYXR>Fn?#9pEs^Fp5YvJ^3Dy;FuRs*wS3$1CCh4KjNNaXXLtaz
zlz&$-=Nn>%o1C8k|9n(C($H@>c_wzLBU;DJz#qR9^R@4!7RsJ%SO{T7I-89rvqdmj
zj?9*KCHY(*0awEtKDQ;CO=J0kgfA2X83Qos<c+&s{&+m*;(2$><q5_-A+IkOj|9Ey
zmOT_kia<IYEZu-+T3$4US-l5I)Pn-_Ag}%eU)_Lu57_l9MzL8TT>WY^z>bw|5`bS#
zBtt~i3SfNT(vlf*Fq7m3kp#9k8%IWs!0bH8Cy+>wn*0Gg*;Fws5)QpxhDAIw`$bq3
z;3{|>F7T-gm_rsHjOdepxAX<jYx1&+bO{Mkx@dpg+b-sp*%PVJ9Ovo;7XZZg`8p6p
z$i}&jbegMZ7PZB>VmQ$iuS{Q)>4yh!m(=-+8ZH1k^wJk!35KXi7P0TX+I_zYObS+_
zi*sF=&t}fgrsE(eQ_&{px-`{?-X+(=Jg3QGd;W&nTiLk*j4r4(<yxQZ;`@b8J_f=#
zq$@HZ01pR3J@C%eTSW+91El53LOwDd2M`VBuNBKSiv>sU4gofsgg)?%0Ol2!!FO8*
zHp%FcR>%-k$_~U!hc6+IaUt^7^`!W$Uv2eCACE1Yf3KERnxpUzxLy99|D@xD(%}nm
z47DToxMWA}@cB4_+L3!)X-DpcU8Td@aF=gsqg_72ul{e<9(%LGAbV2^`4-sO2a;9o
z=&@f~I#`N?zHdvI#IemNT4u^!w#ZQ>;^ObFSk~QW>2`B1xL#COH`nco(b#TRyqrW9
za<^<Hw}`bOF#uS`G!bvaXdSoUUQz5++LJ{MNsAP<Q^hX5d@wDjlx*=ru{y1Yy(BA?
zwo?sRxc+YWl0_}leQ=jPQuPD6e3NeEt$lCl@K&-c%XbNt$M%`tDqxLnQLNGVmz558
zk#5j;@+ZZodc{s8?l#lAK)@^fX53)8cEu|^+^06-R4Q-qq;U#ZhcR5N7=zjQp#H;0
z^ddOh*enKSF))jP>0scv(qZC0jCufg9C-ln1YkG2NWPmr4hDV?6SrT~!0+RWrXqtr
zw{)2J1fvFiA7AK?d17&o5C}V;CZ08qEgdGFaHxUu$LAucQy9avoTstYzcU}P+`u^B
zaQ@NxYv(J@A34A0{I>I(&PSY|cYezGap#Af9|W$z0n4rIgX}lhhuQzLF0dYNJ;xfd
zCat{nYHPoB+<MUZy!9FD<JPZQ|788GZINxRt=;Cc#lbe<`)%(9zv&OyeqejfZm|8Y
z{VIFW@-=(L{xkby_OE~?!T+#-!u}D<XY7aUBlbJ&FWTQ{|1a=)f1Ukl%e@Yb{crYN
z_Dk%W?HAcs+Lv4IvIp&L_9lndzQl2c<5c^6dynH}=grO%*dzEIdlI{Xy_o%&?HG_p
zIMLy>|F``&)}LE{Z2hA3)7F2te$;xW^%m>()~xkXYnOGcb(Pg^ZML3bwS&dN*VtdN
zKLxvm53&Es{tG+A-fp?Ua+uu+p6btH{p{)NVs;M8THdt$+42kEh`eBVmc4?_vw~%m
zy$LuV-?iLtHCkR`b*zis!KT?C+ALP%bbprnE%!s|>OX<4{>wves{AYi<Tss}J)3tH
z1G5;I#lS2EW-%~}fg^$eqfVnW+gGE&WWRs}|3f0<1o{(!){tN~iTo9TE+f#(IB=dp
zB6pDBavV6%B+#WOFgaTZw4DSO<G|TQpsgg>f&!D%L!iwh*n|V8mp~gxupR{_r=LJ;
zNpKN~3}MI_AdxWwg$cxyU>6B`NRYsRl|WVs2_%wW!r6`>ll@C164zp~f0;!7CyAtE
zPhrS;7Ky}IGFveU%+^atBu0VB{xF8@X%dN1V6uM&K_>enB$A-ON>E_kNYcJWg0GS+
z>qtOQV8tjfTQ4M8zD|NiNf!Evzeys$K_XX@ppyhENZR8hc#K4zOM-Jqu$%;EqrhZ;
ziUi*x!ILC-0tIF(`3}|~iF}#_-?p8Gyuz3Na84(#+T_Glo9xe$oX^-gCg(KSpCf7C
zvF%|Nmg|@tk}TgN!FO%<)XVui$@yQlFW1ZYeUkG9+fSHEj|C*{ha~uc-Bz!%7fH?^
zInJvXro({K99j~9xn6|p|0BWwlHg4e{G9}UBf%Ra_$vus$AQC0pr4T7B@+CY1b-yK
z?@91m68we)zb3(}B={u>enEntli+70c!dQ2O@cp=;CCeWDGJOiuG7rYI{!k_{!D_`
zNR}UvfFRjn!f6gY33MdTkSrhurdfeMyJiguD0CKqh~X;@dA!z~P9hhRfS5Se%pnl5
zeWcN0h<TF)e<s22Nbn01yhMT*NboEPs5}~#$D;B`R37JklI1W7?j^w}3GO1ntt7aC
z1k{(^0D<~QkRm~p1ecLu3klYd;CvFCOM);7sG@ueftHehE*Ug;2|g_(Fyp|okOT`z
zFrNhTNN^Gf=91t<5}ZJS<4JHF363Sf91<Ku0w)O^B(SrNUurnh-3+Gv5zUWi{rfG4
zfd;<Da+zg|#bar)m@JI>N9OODKV|+n(D*;M{s}1jGwn9Zn}{-IHv%Qz=DgW*FVLFn
zfLrh>%TnMQeAE1f`P=3XBYuLJGtV<03mk@TJ3kB*^j(&e<y^DXa)McJ`XBSJ&5xLe
zO@A@{-V!z4XL{7~tm!{3e>Q!VU2OU!yTUZVo@E+i{lGEkvF|b`%sb7mSR9tH<yOn6
zrO$G{<ujIrmam!rX#S@8gY3hm@7O-)c-irN$9Ei0Iv#cWr{lAZPde^%j5%&|+~|0Z
zW1nNUBj(uZSns&Nah~I3$BDp&coFd*fb;M^;5l3+@fz$+w*R$#z;+MjUtDV&wB<mv
z0r4}o*){;DL1+0L@B&`4ya4=$)$G68PGkSYre%k$KW1;Yev!S&deD5cxy0_b_On-5
zyV$(d&8C6VAON4?LEEe5?dDD91MKORC)jV8KhLhQb=VeJ{|+3KPh0OaUkMzFwbo{P
z(D_HJ(HyWZVSj2r&U~S{)w~QiD#uuV3tX0uTCX?v0`KJ<>jK;B>|ag4wEcnouH9fh
z+w`*O`_@ZMcVkY(#nxwR7U0AD1o2*M-vVC^U&dUP{{lY8Q|xQN!wH!Sz{6PuT#&1Q
zt8)wcL+iM?)B5kGCxKt{Z?+HFi}t6>TpEYdVaEIz;Hm(B#f$haj&8?Z$K8$zXUTb`
zvtYVysz0&-X8${jfmsa9Vqg{nG7Q*0#Fzj?N3+54APV#je9zW9K1LvXBiB3d6<+Va
zcYeJCU-tD5Oe+|iH{hJkJgEiWD+~^NuP`|9<xOwLmp;86U;6ZReCgBM@nunO$CpLD
z9bYT;c6_bW+wry1VE-bn)BXh#e1^1uuZITbbtLlhII!JMf`3PW-WexB3`g4k2M5k8
z2t;$@UK?!JlSop){wD<KoqKU${|F9jmyzI76d3HgNgBTJ>YaTA`Y_3Y2|2xO3x=Em
zNyGPSy)#Roe<e9LkYGIyoC%Wldjj<m=w2My){tN|N$VkL__nTh?jg_zNtR9$U_wss
zz@ydM@#S0Zq`m$Zk_A&+dfV9;awc(L$M<u+Gew{ekery1)7ye1XPTt_ia;3@80@4=
zjwdigC}{(sqzzV#0)v%c*MUhzz5O1N6I0T9`!KG|K13pSV94=p4B0VW436)S$nTQi
zJ0y69WT9Oe!H@&fa|XwMVaRqL3Gh%1HqwIa0Ev7b39cc*J`&_efa^5aNb9y;B=Rs0
zoJADqog}9nBg^3I$7zIgGdTBS$o@GT*gk{<=K#rq$vT7cJtWJgNf!K73{KJs2U(5I
zt4WpzNfwMHgL9BXVsg;nyox{%kSurLz;P>y#H6CZc_o29NwVC611A}@{Y?U0OS0gV
zW3Z8)IZGt+?<5OdB%i>L4R=Cs$IHTC{~L~Uyg&+koMgd!f!=;OiF^YEdOQBM2K&cI
z7Cg%hj_;E!e<fK6uI>Luve3znCyK%TI*xSwfE1V@Sx6coUksK7IMOno1oKF65((y#
z;6xIfKmts@7%ayT=vWfWL4lDlt&C0=j&$CL0==_<A;-%kc!>m<pf)&OB+!pY@IxHf
zNIwZJYj9|Aq?sU+Q0IC(-K8EvX?puXoW=fGl5-D<93_#TB9T!X7|Ap>;w%OuUf~8K
zS-#FNF6Ru9Acz7Z;kX%$cr_Y8s~RE=Mp_v`Bw=<LoDq^nzL*hzMw9a<6lrq4mjvgK
zU^xlSMuCB_z6{3A7&2}mY40b&Z6v_+)8xcc(d5L-(B!<C6gZy*t4Pi}Nr30I$%)sk
z$$2}@Vj%O(K<1Kx%ohX3waIxG$?{PWe1z0;H-X4xH;`FwxQ0YtO|slWpespm1&JiP
zhM|i@l7SiUzzl|sBogoC1_R#94Tg0j@<KRPDUB~XZ~sC6BtyY7%j6s(&@c-0_AwmT
zJS1?F$U`J}l?3;ZU>pawGf2=vBJu8~xBrqrc#qWEG3NEQ(@4%!QDCtD2g&jayX}3<
zN^Ls>-u`&!GRLPJ?{&1nyZZtAHlQ3oW7}bCvHr#SsP%xg+v>3z+3&OWv)8lRfx^^U
zzGwM2;1O)LoNoS``6=^3bKLATy=nS}Y0Q*0tuUQv{1x^HAQ;0&tKmh%1BUAj7aLmi
zf7U;&f4_daeyQ$t-4nVG>T<gC!Q#MgwU21;*7j)I6+cc3KjtfwesB4!nI1Gu-vmDt
zn!cqN(}Vh_r`%o0{GsV&?w?L(!kwE+3Ft;uhOWGP%NWs|LYA39%|uOMS+Zu@GN!Pa
zuA13j_OsJ6My#gSs##POYaUx7YP%o}G!?yRQ9r(U3^{g_EQG4$6%}Jz#w2yEYQqyV
zH;)l5Eo!A&trMa$ee;;Y9=lpz(ab^17_rA*3lp-6k@u;ZqZ4)fn#bnX%PV5oJ0|Id
zA$2MhtX1mB`NoKP80tCFTT>}i7Ppm|3}_pZjK3qLGL=%3w933=!~{HQr%LB4mA$-U
zCy1l3Qm9e~t7Qy1*COaeYE>$I^NKUAWlYjrtCm^(a4lm*UyXic)tber)-om;r>|DC
zs7~K9My%7<s9C;7o%IIjk*!fj-OS<)Y95pH<d9_#71W8CYaS!&aj45x^2%_bFp{rU
zuSd+>JVuP<*Qi+hBF$qKadcHWAzPznF>jR*BC`fFW)d@3saUo~iS>pW9TqX{9g{5e
z!;DtLgxVU_i=9CRI#fQ3>KfIFrI4Kpl~NUJR4bOK(mAy?s;O6~a*Z~RAyX5?a5wrE
zl}f475^Wwuo&{>=mFB}J@+?p@uQbm_udbI@T%XOOSJlZYEzjmrWY(lsAEedUJbFdF
zyyDbp8bw|WNWExER^m)tn@yw0mqD$pGAs;;S=GOUv@)AU`^CKKJrF-c(<m~WQ>zE!
zx@;arc5`atOI9s%olvV<aaA^rB7X_BvWl4XjP4b)qIqA5*~&HP9qkj#pfy=pMrBF1
zjv`w=q)%u`Ru-DHB0ZzXf)gpA-m}UD=@~^H9BP$OS&yT{hXdKdRGs08*s?F2hS`D9
z-Ov~Dsw25`lMH)_^@c_zvr^z)N-ZyF!+_1_3RhkBM;mw5)g$%~Ty;&OP46giErBow
z4yM#fR!$nnWsNAWkH*D5!W@`dOU<K_>9Z>C{Y1n&emk8H%8Q+WEug0RiO}dSF)w^j
zwY*h6sB@_C54uCvrfUDHwCNp{%+<jMRqJi#2L(E-0aqrYl3Nb=pi^tfZn%~?N!!MN
z-1`8?pLeo$%ik@p7&aLE`rjCH`rX=>jAt8Lv~9L88&5F&#qcA;R}8lrcNy;yf7^|t
z#+!^c$tlCxf4^%nu>Z``;Vf1#EL}i!d7l#1j|T<@TKfb6{xi@P1*Zha-$1C%<7x8-
z+k}06>1-|q{sv;bapY@&&$xtmkKl^&dBFvK5?pYs5ibHRnHPbwx^h9)yMd5#74vQB
zR5Zuu2HRq>P{8l?`<nWf59C`tp5|6Q-?#5NL+NlDcld@u+TkOtd`y&nQ}K2WQlCZ6
z9(HCxsl9z&DwfOUvkB13y*QPLX9x1#uCBp+Z#L82wgH?iU_T0cTA_0*(>w;nV}eSo
z;E!sqqFsy>W&uh00@9OZp(SBoJL*Ngz~__T_<}FwT`er`5^|M+{7zs^_&C>@6XI|#
zrucLoJZgYSJX^kdv~&JxTcf_Fba)R@P2EF3go=jjT5#M^fKe6%j*s`IGSrJlzraCn
z_vBkycITQ5^2iKsD>6OY+H4P49~aW`{7zP;gv@Tl2f93FYhK8$EFDf^<*f2d5OrgV
zdC=%adj15ZU@ZeMl-+|Jc*KxdfH()<Im*ZY<*X#Ghbm`1HD`A(*f<ah1;JH1+=G)Y
zqGL4HL8);)V=M0#peojn3sY6Grxv+GiEuO?^SWY@sL$mOd3jeP><PI7d@$sWhC|*&
zzz4l4DtfaJmR&p^jRhj0v7g6DRAc`snZ|w&Cs2+3r<5A|b4rKz;^gD#DCVZK1EAWL
z!I9K3_*2Nhf3G6OY`mU1wmcdVLY@Idp2ZNeTM;wg_;D~nBmV>Cx_vkcRjzvqDc8Au
z?8kLfrcR!D_TRG@n8iRX48U@V%9qoVXgP&Lun>9qLVObGs_w!ubOU;F(Nyde!3MMw
zm!jL@lM8uIK=23Sf&d%P<v59MKu^jxpl+N%H=rk#8xZKWUWSvYZtIg+x7GPO?PM2v
zwT3;L_U^~PjV-0aefU;!EA=SzRKqsB>YUWre%DkE<Z1X1o8G;nh7+*2;qFb$TD|of
zxM*}tyd<ev_mZwxJCSLmd>&hcadCX10OreD!Gjo_|LE45E#_hZF#r{VYhq6}H`tD>
zFQGC!p%%&g7(~X4u|hjHK(5zdR}JWh0(kHu#YKBk1VrP-Hon@CA24zeM0e|DqJ0|K
zeG=v2@U5Do&c9?9qr{3?uxkc)Q&PW+la;5VtGuTYtfSj%6?0Q{Z^&t&1Hj%E+}J9O
zN5O_L>3(K6J<eD(zh_JbOgYo3<}VuG(Dj?IFef#?FaOL1&F{_Um`^nyYx<q(ho;BT
zk8CW`zux^D&AViT*J(==20{+!$=&{Gk$#ui1nZ3oK#cRTy+yu_@9T?Yd%@ZjU1ZrD
zqVA(@y*xMr%(Zp&^})P`<Sv2F#geUseFf3V7}}NcLadk*2C_Mz-k_c~Al-1rHgLR_
zxk7M7i-ok1a~1epj{ubDZoZGtKo*G4gVV-*UdSt|1Dbgt4(=9HdxUazct^-X#eLaa
zA&<BY5tl5Rs|R|^r(K04+8kUYTbo#^Y}8wDj@3mVc{4p5bJ^XnTeK-66(dhV#(Z18
znD0x)QrTjD=j2^zXMc*{NjIOJggQq%SZi<m#%oFwTKpMqqr~vj?+&g+Q)hR3cQ<h1
z6F{2hyWtPpEyJ;=0uNy@mKIv0sf;oOk@V^AZn22C<AU8XTomnxP}@o&!57m7Wnr4O
zu^3IKVya2&g#wy?T|%xu6%%lliWbT&nC|nzz~iKji)q-usImz$ZJiKL@pbB6Eu{OZ
z6zAh{uqs(45#}tP%GIeHFSJx)P^<$uM4P)hy1Ul_0|S=QMZ#dU`tyUZlzV+%U@2uY
ziBwN_H;I7>oj|_f;7?&o4u2DI<XaGDMr>7?1`I7)vy`i@t+rMBV9zKZ52<;s3pR!V
zuwTGcs?4PqF&imkM@`>3+OpDw29p@)(tS{c8?`mFCzBn>Tv$5%9>TfO(Yzw#h%R{!
zm}#*0APy2tZa$ZSo+onIUXJIa{Q<a1$k-*=P`d^<Ol_z=t+1g6p3JVssnnC%)5fV{
z!+b0A!FTQ{<tR<)@wh1W=xN{{P3ROcX7f|ivt0x=Fp3)HGmOdm&c(rO&t@?&i-B1T
z%wk{`1Md_J*mYMib2NK3W|!$hW{2s|rkhNgO%It~bbiQrgY#6=laBX*4q~t4GRQ)I
z+RtkL1v~-{g0%itZKt*qjfDJHWlY+~G_R;c{}V^;hg-`6e48v;$!+pkkphorV?Z62
z--R)KOWwE#2nVYTLZ7!Sl_{j#V%fOh>Vs!XR|>yN0;?$}k;;XE6ud^}a22th^dJ!G
za78V^bGgS8_Jsn$aKsx4c)k9x&l@P^OA{v%rT}I9KYJ8Yqg9^4n_|gWAH0P}d_iPM
zn?fFMAY7Lokr5u9fOT#odMxe&49Ai(62v#{7jef{-S_^9SHkSjXEE?D#DKRnVZ&4@
z-AkWd6ykkho(HaEILJp_em(*2Ut$4|D;P}(ejyM^cmw{qr3ou8MITY0Uda1GF+LLV
zd5<kkm~aw(41F3uhQcvoR}jC88HhSj9`)?}<4O|_976>uo<=XfzTgR^2@8&<&$3TT
z&$1I{oIsytpH@E0-nz6jVZ;Z;NPu!e8h&k?Dq90TyG;dy(|C4kfNLYZVx5oV*uZPY
z=4>G;IkN#dH+P%IKiQd$8$8^2YCPM?n9pyK<*t0Kn<2(~Wu-E{`deeaE31~_LBVg|
z_;xbk)t({aLPE&o1>n~6d3Y$K&veowq%U}+9w9{zHNjM8yNs(YF=NF<C39UR1L3g~
z7Q0F^;i8KS_NqC`Z1$=dCNtYrGL|{Vl+|7%2W7a|$U)ieHF6N9dyNcb)_aXCWd?kW
zEE4;Dawd39Mtpb$8=gKIqtA!_;BC0QyNni*8&8?>lX&rytCy9eJoXwnM1H&?tNPnD
zh<(D7S{~#v`vvh0o3g}}PKwUP)W|t!xAo<ObJ(k|1{3v01|3K96~_@``OZ_snD=v~
ziMfOtqP~HiRpG;TC`Cbec*O6AmkzFpkMAz#3*cl4Zsmv;0)I-eST+YwDLqJra}b^e
zxoob72RTwK7qBeP<v_wTn`y2gNLukIe|c%*1l-5{&6Hvj`TxAsHkZc~0eY!`cg|kq
z1}+WHF3>&~<$+Y-^08bBxqO0-@f?UO3tXDd^c11n^Gg%QW4zEOfoBy@0?nm~<8UgK
zaCz2PgCKzm)wJyY+o6CNgixJ7ac**+>-d4mZCYfqLBvIxOEec~0-B{@pz(F)XUun)
zN0|HJSN%`3hly8Dov9S<(wVAhww|LM1NK!%`v_+HKZ}8P5eD{0N)z4WIOoYx`8;NB
zwzst*k|ZhY<KcMDVA7$iA{1<M`w;aM6$Z1JxT^;osk*XhSFV_GAw?ljt1GyCK}ldI
z22Mx|#l9?D(?PNbt^v3<tZU?kx<YMK&<Ba<Acdn;21I`Z7bvm_InZAL(IPmflP(pp
zCb*susbl&^{XDv`Tq?h?Ja4}J^wI?Jzxctk=m?KuUTKr;PpMnf$@i`+76ehbsA>I%
zEu7r*AxM|36*AfWY<D-vfAtnKDG<kmo0a6saBCrzF3Y2UgFeJ{om4?A2{IDG&IIy&
zxibmEF~G3~iA$^}rPkmD*=!FIN9n}ny1U^Ug3J$T7RjhUE6pO^RM}j-KPL1R;bsO`
zuG$Srx>?*xkc0!FA+g$3y~Q+N$P#HB)S$|^F5p46tx$6)<;%WUFCk>OjcFd3^;nvw
zO6AE|tY*!tx2#($br(}V98w6+C$mKOs9L>yK<2f2&B)WGNIgsz2qJ0g;Y;)rX(8;a
z5*N5QJCF_f#Q~|IYn?bC5gQd>A2l!gD%(=|A`f0My9&j4DocE0Dl&Afyr>*of$ED=
z1w2($`;uSRw<^<98xK-P#141S&8VB}Os8P4!2_mPD0cwn5^xtl1W2CP0lU;XK0N^R
zfP^Hm+R91X3nGyq>payCa$?8CIy>=JDDQ(b9x1!ZIMlL<wXTAG5nVxP7%EF+!<tMY
zyV2vR-hcSeXhV_jB*+mkNSMjn2M60iTx?0Lp|r3q1<I&Z_Y>ue635ZV%;M0Dn*6ah
z3q)33T8ofN?6KP1%ZclNt26(PWN+!XMC7-wU$sRVMm>#EiOnl|D&Lqc_H0LF^41I@
zl(QL7<0P9n@IhdUK{4ClF%$9MB!$!IOZe?7O>8G*J7q0Aufkd=^D`RMD}@V!!h7lS
z^Y`0I6U5tb$wV&*BDVnUAsoy{5N?FAAz?w_BNG@2JA#vGzQCn`K`;ms#h_3+I0<E-
zCe5u}yOztti!aFc^O((nB@aPBl875-xMCTpX^K=}E^L)E7oJxz7wp!*F>}H0obx5{
z`S<V6L1)sr+4_j}!`9QSC$P_1nk^?;Oy+Sz!m!EUG0fBdpZ;<ELy-L%@wbCn$6O>`
zVX3zRDWc}Ttbfy=Rx`tF;w%PcG4Rigfn!UD&V&t2qalx&JJ1_u$Y(DdIs?ZNVr|D_
zPw7w#jv()@I~EB(Z%ptf0xo|r7IgVz{*Wum2P3XPT=2yro`^3N51m*#)Qk&}XV)DI
zgJHoN4F)3a<4cE@;S};lx}*F=y0CQUbR2&M-raXdFQmYyhofsw>CkC7oxIlWz>l>z
z21<ucg|kSbx%Dzqtl@XljoExYg-#228$&v8-0Ex^biEMA8*8t@VTun1{BAlG6inmY
zlva&St~}ohhBsQ{>GYW#+;6)&`CJ@9<QxLho19@~%{)$M?P-MrE|)F#B*n<2*!Acj
zw=UJ2+QS#FsPSAH8;lA$xGBf8J*|j+knhVDWYoW}4H1+;h{A2rl}(g2eh?!7G>ppp
z060ZklZD>2_@cXx&+RGZx%EOSFFojn+uR;tCN%O!7^+ZIg!g8pCL((C0hJa+S+;Xz
z-b_I|aaBLuu-B|?=R)HBk0>mPAbCrI2d7N706HU>oRjnyac1-lg}9{hC>D{vs8m8s
zlz(E9JdHOaxXca0TgV<EJ$NRU5rlZ2>&?RRM*)}ynV#BDNwLzQrFh}&50Ql<3d_yt
zWPsh|6ufHbZsLH5CGrUKb*GmOakwWpE+;)X!h9c?@6$FMLv6x<@tIIHJ2Hq2lFgQ8
z%zTl_(8(ta$}3G1iQo}ee_c_!Deqoy<>J4*bZ9aDcD>|7sa*SOPf7Uri{u}F{*|Re
zCzDy&L#h<7^hab%JgIbOA@0vo()t|PmIWuv0-Qz^hISaIieiS*ZU5)KSj>)o76UVn
z0l2OrDZKJ^wHq5-3Bs0gf^19aM%PvJ=C9F^>uNWcTJd>6N-*IH#{yvMDG~FzqVBNI
z6^nTSk!UOu^2DNWT}7e*8V$Lwb}tMD!hRng@_FF8ItQna>uR^`x_S(bC)d^P$=6l8
z^BHE2aVO*au=6Hor_<~Bwr$MzKHH%6Hq+@QyYaWi?;5{gywO-R?gUu?{A0e$e2lr4
zIh*+a;O>o?$KOAs#_6#woX;4jJI8-WXJ;Fo#lS2EW-)LSU;qxo75MleyqjJ4Fbu<C
z*nwjSwY3W!hUei3av1Jf6pDpC2?35kPs|f{`F&BhD-sFvz{&{)d~Uxd>WK#7FgzC*
zB8TCwh2cmj1{NX$0XPho;}mij?vfpbXXAKs819;U7@kl%bQVrO8Q-&a%>{|Q0%FDA
z6fGTU#{|F~0g}`(|7L4PC%0m-j|a{Tm<Qo7P0yj1DzNwibQ(96kxzqVgPMzy=6Z!f
zG8>0C1;i_&Z<2&Sgr4B`bMQV1mau`XR5n>uHvc4KQa!!Ad!Mg0BNUK{6_B(Dw|N3>
z$UX$HTk@_VA9In0z$hz{yTCML|3J<KFC1X*H4c_ndXPEKL02-h8*Dm3o;J+5aB<~U
zu#CuHG?$7)0X{vLPZ66jKy&t`g*L(C^+sdiXu=!uBs_r_AN7R2d?4<PdqdH1Jn9ib
zVEYABDk8yXG!TnN<DPgz2>JcNgf9{BB+eBw{V8A&^&&P(d^wnu5_v!hseZ&+l9`!m
zgnNT<T^_H*YY`bZ9-qjv*@6w<Y=|ObGhkI}^+l^L*}1iA)#fgcXXx(D$FKp8JP1dm
zyR&^l1}t=7*;2xULCrw-5Fb#j6>ceT)q02}StNE!vx;W2Kp1v!F$ETRI1p+mq>!i$
zcS*;(wPNRpC@f(zA*)#BZ;D=3Ne`fVSgvMLAEY9^z4%qLf@vhj5R#E?;$(w?hp{*Z
zTnSE5J=ffTL9GJcBhF?j$6r&(9~ckB4)IQz9b&=<lhgphVLEeTe6AH69CG_zZnvk3
z&8{M`BU0vcm3I|(vfT9kp3<QR-e#^lmuxd4x9ja%fd8<i2WLPS@3r&{KpeM_Ji>f^
zTj@{`W8<a`1RF;K$E~ReFA{KS)b8;qm~JFK&KLMr#iExld9>)oRo_jPJz4kVg^vUW
z#P!+K5K~ar!^zw}`GSX@$k)3hS%r*ER|qJeev_q+<csQw1=KnPCDtEOo#MedSOINr
zU=11s((>(`n}x>(;G6TA!HN~Mvvepx7<J^$f0qjHue=%?eDa5R>X*;c`5mQ0J{(ab
zvsB~_PUq~MS32ayl@JwxU5ZEgrqUq~P9z!tyNor^2baROX<Q8L&T(dr{z=B!@4U!q
za{R@y$GX+J(&}UX&v2LF3d5y_6^17Lf9rpue^Rru{9``He3ThtZeR*b%=ruF_neP9
z{{!p=e28Jt|118SCd0H;5-KWqr$;!)b+i5t-svA{wtw$>3;?mY9dDC_*o*?P33q(h
zuaStBMnf(dQABKR!x4noj4tv;5}pKTVY?zh9|#J7d;nP4PXt}O-|Y|bd|2>DBS35-
zDXKE(HM%h34uJ0jUjhjVbm0_2Y({0o=4KpEh|Q=9vAGGS6Jj$e5}WUXTi`}~h}}bO
zfzgJE%`%lYAVl$90(mjO;?kJZoXWVTKx)E+6BbAi8$l$C*b)blZeRrujE|&Z9Ap9M
zwSu7X#=mh3x2mg?%N3z4y8VMJcs>h6APC68KS886CWzG93SqDa!nB~(cP5w3$Kpr^
z07;-12Bio52+}F=dM9gSgF6zpU+q;NwFl%WZfDYU9}$Yws;+o-p8*<CG!wkjqei@W
z@GVcu<drg!>*M)=X5_ZxDtL-7@L)X>$j5HbI4txPquoGC=d#&CH=(<vT72zjaOh9G
zL{_U!%z$#cxMj$n3aJi7pg$6s+*cXfmz><NzkT{GqEXNhkOpy+-N^znl%tx^o30pf
zU@CZPt?Y16D(B*=;OHul(v*#h;-s=?t-Ix@n{IWno|FsOOjSX1n#8FIW9;<cb<_lc
zCTU{!dZ!o1NU)D<2GU#conZ)4dSwm%Ni_tfRD)DwunL8&Zq*vt0`R{$P$6mHedOq#
z0^F;#<R(TYKa2LAJQ6JC@kS%l4xy$uD-B}1ONTb#O}Go+-J{1$VH<)2Wj!uK4-`bX
zu9HWYZv-K*wRi`=m3UBz9u1VMM7Ls3MdGw*YLLpLWTuSZE$>+EKrEIwDsiWhnV6mA
z%}BZU+M8O?PDJGG;a|yp^q+l6(CR=!DK#2K5-ey_ku?SdAd>DW#9T3kVJiWRqR9mE
zq`tJk#({K6aI-bqg&HNT{My57L7N3MTzeo;A#4lXcwd-C)qQEABvsoDRP}4aTcOSO
z8%u{SBE<RCWVNXf=SOBEfE9b8e8tW`uXJb)jv!XiquK^8HOoqeR^vK4$mr%&zovjJ
z*#$T&z2F(EVjM2*yWY-=yIp@h+-fgnobPc)ou@jFbKGM4n(b4z`)pqGjpnR*lR08u
zZ2Fby1=Cmc+x2JZ?$VWX+clR?`mND~nLU~lng3ya!~B4GoOuX-m4BLL%=*gM#$&*F
z@jLnNy1~++eR#URH-;xf;s_rCli7UJ<rU(+PdWu;>`SDd1$Xqdu!p0q93IFpj~^V&
z$#$)VJ>H2;qJ1*e3(A^1!M#9I-V)xG)mV^p9bwHwqT^S`<DJ};1`LDfc5+*hKe)G~
zd;}{T`90HU$O=!WY;{}7s{rgp$m?5~K26NuzqE9yh$l{o$h;;*j-t$%cri~L)=}Jp
zlaoSHX?O&lbAUR4*BP)&o+H;HS@}4;`@}$x6-06ek|{7x0*XgOMwg56P<b4l4Y@q1
z=W-jfo#Yxuy{EvNAvTT#EXxA!IAK{PCbKN_IFYa{6AGIplMwB^Pj~J+c_q*GZ59LX
zU<?4;3pr*i3mnD~+ba@+ZKYSXt;7-AD~%%v+bg~(?hZu4es2`)5Jo`8LWp}@@M`XJ
z1)|}I$M1^;!Qmyaz4qWji}4W_Ul{TR;_&ny4+7f@In&f=2-_=OW_!&q9YW4AH5y_<
zFfOsZ(ChPYr9;R+rbaW5)Hk;m+-4Me-wSuA1m5!APxi}r!z`~AsX`vR4&_#Y>xMLF
zJ78YdR0cZ*Ue`+OLMjhJ6mUQgcMs*}z=JDp4oO$==;2z8%T<1EMcOM!lmdLmU<DRW
zz%{@R=3RxXt6YzZccDt!mPX4X!Uv-yEs@H{TJwAcRKerLHgG-yK5)HWZ%~!HRr|@i
z2J0(AbWKD@TzQbNa7$da5HjB3j#O~jylw8F$gTs`;Uq7lxz#)m+8#>bikb4^C1arx
z*#q$wL76fw-69?(=>?P~zsyt=;@S#1Krx8Ll>K~(ybKvXu4WanY~LVw1)<XfwOzww
zm<OG-QWFixJ0w)iwsoO{T*fs4-Uyn+Naq+aQNall9R9t)nT@xWS)F8MR<caer9%Rt
z;?|HgEXpV}HmS=?qS|zZjVzA048m@SBX&zn9$~(2Md?r!cj-p*1RFoPZ`yJzDTraA
zm^>963HjuM+~DlFJY^-z1C%jR<qF@_g63%Vq)A%;5r0K_QcGK{#2=WxIqdzq(jlJA
ztN}8!R4&canaGVl@FOp%<qLUyetYQ<a&W5A5apk^cpab8DFD~x9k?{PCdcQ<x5LGy
zL&!m@M&ltPHdf*kZXP?{zT1ag+YR>r?TqaPTfug^`Df;+`5Wf@&8yAFnFq`VwI1#9
z8oO?p_GbJ2<)3z+w#W3E_Hpe4+HvhQ+Forp`YC%@8AH>xx4)B}6qU54aVwsI*O84R
zDSm1h<pkR%_Vk3TIe@teWLPx^4^?@rksB}e_Hkg}0a-pm6cmxRga@!bAqI}rt59gv
zXe9C-g-t_XVh+`x&V!&RwqZhL_gc9vuw!#@SpXjQGEky~hQXdBHXo4%$_*KsjPa<4
zzy~LU9jb?juE8mm<dF$X^lTJ|y&tS*!lexNS>mI&&MS?xvKgCH5O&K-<H&ZjMnkw<
zNjYJ+mC&RcX`SG$+ohZrHK6^_svYCLM6}$JDyx5MrmRL96)=?wLW1zXC~#ohsF;p(
zcqCv{1EZ}h?g)Z~pl&+Ic7Q-(5>QacX4Ayh2L6%=3o*jbAO<^$9Z&L&%R{l3#*tC)
z@}7{KZ@x+YgBqimO`65PECyyVa5Q4TQySOey^b&n5{p8<kP!5Qc@T*4xLy88G~j~m
z*XN1|fj}Y=N<=|J@x;<Na;I39k4Y>PqC&zec*6mB3q>9cHJTIf6(@lWV!(ciod1>g
z)5K!i5Hm-CtYb^#$YEfatC2vOBR<4+cn^*xT!(~=>wugpmbnfICD-A`vrC7r!e`5^
zDbk6C*$cJ!#aMk~3b+DO55yKUSb=H>ITplM&C4A{BEk%8Y?S%x{{Y^uIxD2Qeu&)P
z(3(PiGl=b`2iK=!dqlTG?ug$Vc6<HaU^wXWc>Vsc$RAKBU%+!Q$o3+c`Zn;M0IY@S
z3h)=uJUIev207h@J%*P#@szxmsCY?`L{f_=e_JBI0gN8FM9Me{QpWO&2HZ63@eO36
z9z@bZ(xC7n-3e9B0DXlhQ~k+QPqLEczp!-ZN<x_#$odg!{zg7L5b#&X7eAut2jvlF
z=fj$LirruqAQ-sbRvLHUFL9Fve~IK#&gzhaPVk%Fbl)f^i)Y9eB``xoeqOh$mxt%c
zy37+yIMm~oOs+PaM^BAYe`uUUCdu9zr_VHjX>s0LSsZqqhB-l#XH4%i4LV;m-(Y6U
zJ?0IjpPL>q&oxI(W6qd!ozrA)a=h1Wx4o(TgC;Nj{-$|V^E~>M+n4{l9QRHLwN~a&
z?}UEPK9u&A#+&dOzJbSUc(>|q+CNw}a9ut_!{I={9|-#VkwDlN4tN4S(Tlx&8(vMV
zY|D!UeEwj-?+JnDzaZGBD)U_H6$`n&Avmr>!B995@ruQeo@N5xkA*=2zg}Qd-qh?i
zXcG#2E|x?}qVPHpY|BOy#XPa^S+>PJkV?mi4KCCXY8-rk_&5YP);_2j%k;Jtk+ocq
z9nK(Am)MLqrPN)>wT26{Nl`o`yFiPwi1a%1pk^8qzzlI5v{B&+h1Ti<J_jg5_O`*r
zlbCfQ+~nO3=N<Ze@1V&s+m%@i%wpi500XcQ5yL!WBTB+0c-$$w1Sicv0Tat!M4csx
zC}6h_sPmI>HbR{z7X|o)Ao#<AD;SESXMDHM#fQLdP$J~_1|soTA`%G$bv_ptBG33q
zFmo9JyFt7sd|YXqSQH`;@=5w251m1tn#%Nfaxp|Kl|}5H54}U)oyzn%?j54f$BCIE
zLZ2rk`h1*NJ0em6NhN)LQ?4|AEItwMpre`z`h4;=3z6qjLDp2r^LO_Hz*MRK^3w+g
zw$AaPUx%azixKWNpSwa@0J~0XjLs*o`&2U@w41OmWInwU{D6T`1S&BhDek+8;RP4)
zR<Po}&*ct);(p`^^9w|}q%54k0e#Z2gaLW(n9O$YNo)r>RixfDkT4aRBr<jaQ3R1V
z8d&Q?l2h<i<t@C0=Nf{VxAJIH=4n)uWPm-5nDV7}L362C8b6KP%r7H1^CL`M&j2+n
ze&1@3{oOl~-8%~Se|<<?H`#qk0spUWIy5YuQrN@YD!AVF$;D;;)7IO+sx(gQBkv~+
z+TALTf9E6q71vkxNC<jCU=JmZ^b5<L^^o2mmi<C@X0S67{Md&jUE=6L6utF<jph`{
zy~6va%pA;$(m1jIN+b_<tG)Z8r&45a8Jp=xELvnBqz@hs!50O%Bm_bQ&O~A~mYmqT
z=j<--F8W(a;~YLIFCcSD{$g5*M!5Q{o3ZQ9qS83A3P`LWB#)`su~Acm-wGCw{mA0+
zBmpfL^^Dps_7J^Bw7Mth(ugy+yeW3C$@FLU2(Fds^qLH^j|2Sj*1o)F8DyxM`QqLb
zMJmo(nePIj;JRSr#*Of>J^-#FYvj5}7=(EQJ;>L{w2cSTIi2FcQza)IiIh({pvqp-
z0%fDvwX0p9%IxMlL58Pxwk<G}%sOy}*@wj3%gC&3dqc6{T9?YC&}({?8n<QBKyG&>
zd5~5_4R3)r^=eq6L)k1OupVN+uyIwr(W7s)B?bF-7aZx}kT(f-zR`!T>?^Gt?s~b^
z*v@yAeCGpq0Y3YNva69Q*=Thgool;dd?o{KqG~paL`;FL5EnYY?I<)~B{v#Q7cuv}
zHM6$}wz+FfJDL+I%WV{Ly(zHwPUn5)@MSgE%}d8dtM7=y7FMOdYcjxdNvF$wUIAh$
zxoUF@^<cBm(@`vB*JgWac63`Yok96F7s)bK9}ddZ6-y!qwN<)@n%oMKGN7ytrp#$)
z5xQ#RzgUQNW;2OYPmMesk~^{0*?g^!i3SWVn~?Ai#?&fM4~KWFT3;18yMfF(P}HuP
zuLB4;sCorhM~i2{OuhQtL%CpGWV-l%p-$EdihTuFojm0!zp|@N##I?4W)yd=EE2D4
z0^U!mbduJ(F~61X?5*};HiKYJzu?;1haUZ^RMeRiVtZWM)>TPHb75^)2Y9*4fyXs<
zgrPiWyI&2;qE+|uu4Hz=MNTBL=~Ss~V;1}oqRpX7dU@d4d~!2iSPlHmdKtm;Ul+3P
zwxx69RI^^ZZcUY}XmYIDhu#y3*|!?mV8bX|JgAauWp*lcbrq0{#!kMkP|OKvcd55)
z;?Z`3&*m!4qVGjq{H?5h0^v;QR9`d;{vcp!!)8#Zb^@Wi=V$lTscjAHCi`GNDG0qa
zIyTi43Fd(SZ>d#kqO$~?rEgC4fogm0Y^!>JtDeUzp>{^lS}owOUng4^Ie=^Df^E8^
z8b;Ugsq|(Z{7_Zv`Fdf%wHhSz2GOFc(oPqA7VwJRQ2;hRNT64n4ir}_JG%xmu_{%G
zs}2@ZjnBMlUtc<#D!49;f)|zARc!%(AuznILarFAb`a54w`IYP$Cey8GpSM~8tBDv
zp!NZ|Pz_<UE(p-H*(`t`$SSp!$C_USuEc8R>FQct|1w<m5V#SJ9nfm2ju(0<=&G|#
zm5-6N>o2O(yNy}+Oe???O|06~Kr6Nj)DhMKB{zkeItWKpU$qop#ONwmPOH)>nr#al
zMRmT>#jpo}C--_4;!$p`w*BK&?4hvwp|u$VXgczRv`}p-;9Kqaxnio?(YJcbmW?jB
zm!+y5SGa~Pxgy{%zA_slZ)mkK1U3TsOg6>W&INKSt1`uEJ1IqW$L5VwIZAVd`nfg(
zzay6yR<7?_o6YViRzo{&xNF^tDP8a}{gpyD%`2qgs##m9!U5YTfRYzEiMcI8zK}2T
zq_CU~B6QJTrNGUMaRBO7WH)@BIY!4ZmY-OjvV77qV!6h$#uB!i;><a>=wEPlI=-dj
z9A9*Nto+kH2l@b6-8S7SonN<9cdYK%dMzA9>AGvRhNGyvvt3okfa5x5t$NDzW3Tg<
z#?Qhm;Ttc(?7Q?)%o3IvQ$TuU84x-IG8ZnrwdJC^+v3??pj&ssT?n=?q+$k_848I+
zJg|}{Wvt6j-jag@E(&IzsRLwqM}obT>i|w)KQiVfX_HOg672qDX*`TS+;v1#C9M^k
z6X0MHU{?km4>Gbg*rkCPxChw9eOX|D4q`J`L?s3?#lQqDjK8cVlIM8fV)P=5c1X+>
z*-!@uX9;1TY@?Pc>BO;QZx-w?AYMgp9|-w^5pK9NgP-KYAmJke;~0;Xi-OV)FtZcj
z6t>(BmjfrqP=7X>M^qK&U?Y#Qq9=QBriQ!S>bOofNds&8GkvziECyyVP>BI})FH-~
z>7x!Zuiyu(qT_D4JOr3m7;nQ7M1o=WqJ%pZkGuV0SJ)emfj_4Z?+WwqpJ+J52f)W@
z+?|MnTt+J{MC3AdFAN631Vg|rL_m;&I6WnT6uV`D6vXW*5v16y6r?z&G){b=60>u=
z=YnU@n-`YGoAE|?XES+#nhD{G%7-g#W??FWt}9<r|DkQF0t#w!j#HAWM7MIu(n38k
z$w|_c(<?kl#!^{$<|HkpdXK2Qr6>`CpF)+AA0Q6mZG-o~=}UgV0-XF#Ia7utrXV%3
z6sE@6TRK*p12|oZG*IE+@T?q9B~qYX3ipIOa+VU~28F_zU_uEFdeGQ~>p~2;&$M6@
zn0Y{@ATw}!@^F(N0yJ<9h`}Qrct}Mmz*#WMu(E3{x3`Ea;N~R@{N!WqNbV@WuTQ*!
z(QkZ80e&QQ8l>vm`Mh4HdSN@Nq;;M5F-?`*Ze<K?xx}jv5!Xl~i8<oVhent|jEs2c
z*-tj%w2BnLX1G%!wQabNaUF4RDj;1q8@3lP9+4dd>G|_Z<HVB%*`w2QR`UI+IJcsh
z+anYTXO_l;IQvC}o-m5nQuSLfAmZ)R|JVG5Iac!+qy02U`#)%2VAh#NOfl0Frr&BF
z({A{G_TB_OlJdM0u5MkeYs7FE7{)_kFf)=V^?ixU8ja?Fxfp2<hPFj@RkhTkzUV_5
zVX!lW!NzCe9J`4U%}kD&K_YREjei8&StoH=lC0ybla2XdJ{Ds_2um;_e9k7>FZurO
zQPtJm)oMvIgMswOhxA_c)>H5Cod0LtzdLVR_nDrwQ*v(XaTq_&JDo$$e&<!r4#$ts
z-S%I-a@)q0h0c;AR9Vvet1$)o^;5g)vKpn!D$~BbKwt>0VTDP!Q!qz-rz+gocu4Fo
zhHTFESB7jj25HU<Tqt1hxx8S*di@lG!o7mcV*Mx#;|MXitMSuT(PF25>Nd*JoN%x`
zWCl=>`?8SH<moxM`AkD^3JHlsA|RMB2y`SsqcDjRF#{~Wl)K}(*7zzO-E7*VK$8MZ
z3ao+xkPJuZ$;_FOO^BkGRd1B|>H8uQ{t8QRB^;Fk0pRvUq6sCQARhbMXeTBarZy&`
zL7y+;iH5GwPqAEyEN?{0%o~BjcsuRF*`aH@zgrtq&tQj{D4T*P8;JNIYO)-SOw>$S
zL`{~Zk+U(CqUNW7*K#{OgulS>T2gBkD;qFCRIpqL&FrPZieP*5QSUhwpiN2*L;79)
zrD#fR6`U)F{e#fvi_lBePI4=fC3W$Ivw9$ZWu11}S&-{0C|q%sthBjOwJll{+vWaD
ztg32S<1TM{$6qkezGXy}>U1R4nFRa3A*?V%HPqzejF)0+@{Gw#kt7>~>7<g+7P5&V
z4fND9Nbc!2Vk)UtI`6i6TxT<8t->&s3ho4DMA0$x$*c5JchQG^`Z~rRzKe}17X)5g
zv||0iB*SP$Ofu#|g<WM|J_!rHoFYDsdjZ`wRBpDs<pywoDzbkRwPVO<iUG=z>nvwN
zjHT2ts}UjJD2{zOvBF}o@vS-p;6DA-ezp)<E{=?i@XiEw!)DUO{4ii%S+n2&iCgqj
zd+Aek7I=`c_58OWX(vQRd~pk<EJ1rcIJQ^h1ilHj8{%bJB7w<bvdExY3TfDhpcT4b
z8yxH(Bsp29ieg+N0Gt$Nn?Q_a)3eY_z#zrCl1K#>wj^#Tzy+FM$?eS+_iM#DnZ7T@
zGAs0h5Bcyac#)c>y&Y4+rNTa;`!BnHzx!18r@LpnKhnLW`^t_T9Ruy(Z~u$-Uuzv}
z-P-DHc@d5Hk8{%bDE@oMIZA%4LpndTPCs>w((?<93(2jSD>zV!Yo!7}W0h%<xR+Bl
zAgn1q#T)iXs-nfEfC4<Cs85MXk+9;8M7;5^=8f3vm-%tTAl@v{=*BnTkDDToBM5Qk
z6<C2zQy&3`T(SrRNgwktp_9hMBP^h($xt#)x)b?qTAJ3TwJZVo&C{22mw|MdF4Pw7
z2A-`ejcQ{nX0YJ#c!C%I4qonF9T4S0UV|nd%1tA%johQ;AJRq*FsME^xkBJPH#D7(
z7boo-PHXwNR(~8&2ZmgT`PmFirEWZt#Q6{La5nZp{>WUh2s~dX0JNfQy*rtPe;&y?
zR>aEF^0tito(Mzla>KxJoxF>??hsfeGcdf1?j*6~&d4d_L95W#mN*ikp;<K(lhvd|
zy;DDxWanxJy>oNs1;3^x3n_!)d-MHGltK*Bn-{n~xko?6z`P&rW>0(<-}3dM=y0=^
z7dTIRL2g?(EEE3-zOG|@VWWZdK1ajysxEh~SjuD+zL;Y}#%+xiOaXrB8b)!|pt0%|
zT<%GiZAD)a`$yk`tX5J()@$vUe6f-S#&SiYhHOI3>3u%F9KamasAS7n)SL}xVC)C1
zMk`u$Zo{a4ilIfboI^SDeqZf{0C_h~C&6%ha}}tl@7GVsv{GU#zP<YW1)=53)|;~V
zdy@i93cO<}fMX<P(WPaGd&fPrfGP1Zn`BiD1-!@?8}eyE3HTdu@9=~*DFVEti0bjF
z2`{o|oH|N7F(qDRW6%RrL?Y<-V*I<U<6i?M9LrtHlyDh~5{_lBWlFeAr4kP27M9AE
zn_DQh=BKylrw-B^|0lUfzh)kMSz(XhX{>|__WZa7P}{<dXMarM6}?F7h*+j1Kx|oM
zjvXeYsM`mmNw5e=0!kga>x%~$UYT-%`Fnyro}aU(qAg=kmembR>&4qz@G5IG6yoOU
zPNsg$-ov6cqPtRc0U?5TTR@9cRetNOw~3Qr%JbA0vn)!JOd3oc(kfG&Qt^ZFT3l+k
zj9pny#zv?gbMBbqvORI)ENDd{-Qzb|EG9F^lm+3wi@k$|i{FBL9tq@Cpri%*AW>A9
zbf9alPTWA1qJv3I=dbRlb-w8BI3Qf(I3sjj+vVu|yUuTS{zB)YorMmm;}R<U|6JRL
z+BURxw!Y>3jB}>-uUmf~$o`vKf8Dvh>-V~T(Q&5wr|YwhtzBojezxnAU4^cA*RHOJ
zQ*ivy@x0?(j&EJyv%cei<MInU<l2VoiU{i3dak_Jq<*@O$#Az*{<3Itu|%;nnnpx9
zN#HWg@cao#1@m1-;5f&tAYLy74pu?HEy2FPS;xRIP)>IbvU8K%+rY3m?V>jmvk~Pf
z?sCwppKiBYfB8**=p=%^fGYXC3cMS`K0xsK6-`oo-gqz+Q6p+R{6773o8|h;Zv^gd
zLREs%;3fKL2d!a#ih1Iv_{mNBX@S1vrx_ESU-PxKpN7VXV@$aq(g0PeK3d7F?XN3Y
z<b!g_j$|~?7tO1oLP=yo7z0wn@AmpDz24yRR?q9r{Al!OFmo;yfoL48EP{r|chNwL
z$_Mm*26<vt^oS!vF~oKO_n{EmKQ?+~bnMWGsjs#iedS}$9(S0YaAlkpQ>V+XQ(I55
zUj1|jT{cYBkiYhF{WOCSXIxXh%r%{65ax_)%GYpB3`Cr9P5DbQ2vh|}#t_8$*hH_v
zaLajtOHb&h7>fAAx6)mhe;4aDY`*MBY$#@a+KO-6$R=RB-^v32>fwMw`l*l64?V#M
zZ6om4SwHw{R&43~h7akd7`F5-HdOiKwB6B=@{iLeGbuk`A?07EpJGWpgKVsJ+ZT^G
zuUq-a-fa0FjsgfM$kQdpZrB{db;QEG&vLfqh{Tzr1x(`1ZCZ)#0}^MJc487|ZX;yP
zL<C+X5eS%RTEmXYT=}Rx#nM8uqcT@{RKnSW<$q+(COOmDr0e?^pX<3=KfR7lneD}5
z#a_HYKix|!Z>D>(*v`2iez1un#4Z5-M-bYs{SUXqnlId>K$8MZ3N)rbFPhxm`X!<7
zulmmR-4CpPaos<zdurX!uT$5#d;h=Q|JM7Z-b8N{*#F<}`7b@6?zyLDu*cE;SKVj3
z@9*BzeO1>Fx_+zcV_n<3Hgx`d=O1+bZ0A(xEuDR?7hS*W`n2mF*PzSM@!vcCQ-{{!
zZvU6|KW{(XUTWXfzOn6%wm)k7xwd56Ep2_RFSh<J9^d@eq(GAbO$vYl;>oMK1&5>4
z;c|Hep|zv^Faq-v&<BhY-ENZbbOR@^B28SR$@=$OngG&_<0bk%;Qv(O6Ebk}%0`WS
zk#ghrHEbL%H@>1_<6yb*<qaGA%Z)E<)Yuy;H@>uC<ABk)|KxhJai2ZuEX26PY+HxS
zUi1C>PxhIO>kMoXuK(n^Ms0n@ga=Ocnr-V%!ZL7=*|^RmOtSe-cAIUlv!_I|Faa$F
zL3T7|<3HJDcDmlalcD#RNUBCJ_sLGP*ERON3Z*zfxHWqCPP)t<btVT`A$T(7Esyb?
z>}b>p9wp>4mQDjF+s#g(Z=1Q@?DtYzqsG>~)Y`DI`Q-*qwlr*PuC;-aNa<7F|8{fs
zS@x2nQDf^~5*jux@1=!Ln2oX8?50uPOA8-2+twkoWiKr}Xg01hut~W7g$Ek7E$^j;
zkC|=jO~Nwp{bu7jlPK?{g*me=ma82lZ1&Q^akCTll3gdey|gfE_QGDW>s7s%7G}&I
zbtY%CmljHmI@#={g`(LB^le>!FD(=rHMZ=fg?z)t=9e2-xUXU3@?KiVHEdkoOAFaX
zjV*g=A=9w2WiO@8##n83q_ga$l-afpnXP+i+H72BV3TnD3&$F@wd|#&*|y#!ECWxO
zjq6OpvX>^!wpgxql(5@N39}RSl3gd;y`-7Fu$Sz5)$AqJ>``ZOc6&)_)X8oy#m!Ej
zZ%c!{BsXeo-Ang2Y;1nHfrW{NjV*iWqYWEd_R>chHMZ`hSi{Day>yS+7^}^Wbmm^_
zb^f%l-su+BecS2oxv}Spp4M((d$#>hd!$`#?`!*i+rH8E<-T0s*t!>tA7PJEb&ff&
zbG8a!cl@Jp)bT$Y-*9}{vEcZ;W8H(!?M)fxy-b07_0#K_BZ8Ny-EAy$2MyQsHR5Tk
zd$48WdzpsKcWY8$trUO<#QUk$i#a6}VI@4hkrps3VQ~{&Pqm1W2udMO6d~pKRf@(F
zisaQ0I;DD)aNLXF^3yD{9J3M@H_D1X>J3GsD#mA7-T3(MOFhjJ!7;O8v1~Rx&C<{@
zvthB?Y<QaGn`36fqG>jK^fvwU`{)7kr8GN0*6id{$KFT%d{#n)6-0|0so5{MlT`!1
zA?jLcpC>J}Oq{oz%MHqzxxsuX<1Qi!so>VUemNfY`lV0+>mU&K0dqhF@IVORbFv%^
z_@c7n=AK1Hw0P|(5pTk;_#%p=Aa}cjtb!_#?0j)ajz+xEh>Be9nz!*N(QqOX4r&p}
zqj`XO;0N?U#2ZW?0b5XuhP`n)91OTGuv4q)gj9BEvidU7H?Ig0le7VG|M0L)^w=H4
zTT{b30>kR$aA<hv!C_?<fA8EitPF3R8{QEaK03KIH@stZ_~>2CQS}C7ml`4=HDGO#
zj-edS%X~RE58Q>OTT8<`?;hSaxz#(oa}W7@Zg}VLurj%IW_ZWl!}48Q3&T4OVm8F{
zwc&u%q-}h1t8aK)c38b@>;2?!j5SN98K2#n9^NrM94D`_!U1<p4rhl)l;Jxkhcm+?
z)5H5_ho^bp4{X^yu(|){8)_)HYxvG#(mFeQ$Lw%!cw1rkjz(RQ!y}WV^?meNcMXS!
zNA9xgWA9v+)KY4JeO^hld|bY&0agyYRBO4tJDSO~R7cj=#M7PFqo2Nl9$^o$@V25E
zP*=NkR<;4pck9*fzoJctL!Tw*<cB_7-%hinpuE8K$piZ7OX)j5%6#UE?_$@tWkUL5
z*#9wl0MO{TRqT0lBao=NRcvkgoK@`His#sGP&%aTKBP7F+pS?hU%l(rP%8|HtH)>t
z^522Aazgg~uyU<gb&DIa`e~k6a3AG2W=#J-O8^Qoov5jl-&gjU7D>1^@%Kmmw-j-2
zMYN|Gu0MKTiMkevJM!65jym=8#3JII$zlO+ODt6`b6c9Ja9bMGPqRdWd^(lM0O{kz
z{c=W2iQ9JX7I$Z5;#+<Z@&D|}*eq>Qph<xy1)3CSQlLqJCIy-lXi}g_fhGl-6lhYQ
zNrCqg1&IHDyW<}O=TAECci!XN>fG%32j@oTuw&lwsAJYK`(Aq2chtK$uKw{%$EQC=
z@UWZ?W-t_<*(7UnJg6x_DXw_~2<7(@BpcXiG=Bhy)DgcYsQ9kbA0yybP6x9X3eRkm
zWv|Z@QncU|`eXOfDrO-Ro-s^>*XWN;&<bWE6rQQH5nif4_EB2RG|Iv=6ujmaruD}@
z0!_2i@w=l`VJAGZb_*f$<CcmfX}PJo+n*{;9wAv*NILd3as)ud#!?~xl@M7$NXa3R
z7dxAwhQyW7W)+4+0=ZxY`4eamV2iN7=`4#=GGIl3*f5vlspVimqF4=V-U&dO5Vc?d
zIpo9?bb|zBlmZc;71dZ`ypr)|DgI`4EQUM{(3EyuR<ijF#rLJ4l}MKmqQC_ncU+sx
zW>jf1n^mQ33aFJCKv>R60PHDB{!q2ePsx@t#ZnHK6QFw@3H<1o7%uGgV8pPyI0gUa
zqJ+%Kz)YExk{JmEk;?h(B$D(-f)xedCMOqRIa7dTk<Ggs*h}g7UY{KtHGmQTz`$&7
z934~D5*nsBq0PwjJ6BW!Ya#5vSXRghMNX%Y=(=o;EMx49$mu;K2R4=i1KA-t+~MB6
zOqbnSCOeaj5#v@Vg9SrEBgBJ9`T^3%V%&ylnm{L%Dd@Ddi3H#=ZD(MupFl!-lB>FA
zHVwwuk<Ct~v>40Y9>bSR@p;+IM};9KU9zKvI-{T_jT{}5Hgl-oZ;t_1EpF2YtSFFC
zN-4RR&D%VEQdTE{18Uk+%3op!t*LqS`W-kNhPX#llfVf<=57Ef*3y4UQS2Uv;+kjG
zX}WWK&u(!izKlp>VhU5)oZVxlm9%R6AW~8LD7)q+RSaWwjAcyn`^*QD8uE{zDUsT}
zSbj5F-Ri^H*=#6aR+m?0+LkDLYH3p2uy&T^1#l=?D9I^6zm(Ku*2bJ4D>oh6cBfqf
z<Ez4?Q?r%Q1t7&{Che%ar?4kCnwhMjbDb{By@QdMT^vazaY&lPV}$3VH>SCboN7o|
zZ{KPdCoWGfWj3&Ug91)$ja$*l=;h6jW>q$?W8Y<E??aD#b0QV*WBD%p7FqW7ZJLi_
z%6MHlRWP4We${L;lgQeAw|%=%vES>hdDFT*$hnIHmw>Vttjh_AshVo{Xt)+6wOQMT
zr!<-hzWTV$+ILxw$QNVbS9~C2!5z>F0F}ofiw$D)wt3rqov+>3wGH37uUA0`bLkE4
z9UV6*VDVDfQpS2Su5oHCCOBM`x4YO+(CRAMTQ1s~PS(1bp6q(8?!!yVDFmyY$8NXk
zUc9vC8MvRSo06j1cI0xYX-Nxf+NNuUOe^L}sBO(o;OepYDO)=eevZ|)r^i@rd%EkZ
zTeHHNx$s?TPL`njS-vr^u6;(n=8aL(f5Fm+9L!8-va^{AfXW(grryp;p;!0~p>JPb
zq%+!ijq6vt?sm<!|5MlXUF+NS3g1MP@$<#bKk7Uue4%r)^QSuR@7mh+*In7J-|qTt
zLyRr|W|Rm52H#))>->L%%viL_jL%Y;@zFN@u>zGDe`=1&jL)uFW*jROAbTaVB=f-G
z{o+_DF79Vyh*qEyp~vU<M*~Vg@<mnPzJ}yDG7!WgQb<M?SS6GQ1j2E92sw+x$xb;l
zSxONuPBn%n`w_*+Laz2BX<uCA(hpKXP_YogRf=Q)R|!K6cN8Kx=2F>Yk+S{vGH87`
zQkoKo-><;4FXUvx?L+J$d3{1i%Ify{-9=5AB63AaLK1^K5Z^Kqf2M?l79?GTG&P%(
zh<9V5S{9_(@^kTg61ado)gB$5r8&KwWHg<-mH5|a$BRSZKs4Y{6(tz=M-tIQH13r>
z2~7@%JSub$VSi8!t5I(}<n?GFH5f->(C<fbWiLqX@hQO@iR?R3kkh%8c56_Ld;I{~
z_4p$Ze<X-epv3?R(v1*qmFWrG&B;7MU~l!({c4}&SD8b~0leUZH|U0ZT}09wuQ!5h
zU149y=LrTp7}Oi88h{ATgUBi<D|pkv>Ac$;^;ADZ%M8vYr;|A%DGX-wlgO4copiJ1
zFtLSvd_){`skh%wo@LqsqMjgkkqHsFtW2BCAZlJtO~?unrz<-`-VH{pi+mnmbrI5)
zRTfQxz`h1@dDQLoxP5_(B~F()Ddy!_=2~~o=E{5=Aym0)G9E8iSuSgnMXZC!x}wwc
zp&Rta^7JHnB+O4D(>e4aY&pa4^WCu7jJaBKX|Hgb8C~r+m{Gf`t))MxKbEB*>S31m
zM|k$V;n8Z{3CJhKH-b34cbk|@L!B}Kz1q|eYWO~A1ns!&eOUJWTz$Hy&H7^*dX?YK
zH;Qc}8RcLK`eP~jt$12z;aNK;&I^90ZqOei*mq6`^Wzkrt#ITV&>uTSYq^^GS*s^!
zE$a{z7SEskc{@f}r$0t;2%Qe*`z<`X4kZMLuw3Hmnig(oG#B(Dc!T9$8~Wtd3k?F@
zXcEo(CIy-lXj0(9Q{XcFF_MzV>0ltP!ZQTLHSEW!N74_Or`|IJd-UXmfBXd-vDdXE
zT;;gh>G1UZcHe*MlZhUn@4CJ&*JoXaJN~fqmpTU9ztuU}d9Z!bvCnZ$XQ=c2ole((
zcRgwTEOmapbFTA8oj-!KkN>`7|KUA7tC^f@X}!MKL%$^hsTZCjDD^OEmuMk3YCl_P
z)c(w6`eHZbRepw>wVzwFD&j68BZ~*LNrI9-N0krJFyz{BJS-`i-zNp4sz;IoazIMN
zwFKn$XwVZ^?NtF4S&)ZSBmpSM`6QGJX?YG>1y~w^z|OK&5+ik4$;+NjGF?o9bJX%^
z3^R0^85`wzwuCGg=uns|6t#3Y{Uxoxi7L>N8HmuS6in14k1SCe44QJ|crsnei${~0
zOcGLdDwWLKBxVbWN^}Lps9BurGST#zH0iBG(?_A#?I8%`34nBEOe;oNuAhWWxfG|$
z2gv@&=7BUPO4bdtU^=NtC?eX8v>U=j+?__YLJb*hX<fmMEe))G`oDv7ayoVK1z9Sm
zJ^({bftbRF#Lcn1X0as^QI?n;pkXB0j2|Eh6dCj_OTwfDOmeWllekCj$`G4nfc?y{
zOq!5?wasAP=Q$G!`#{Q7G_PrjCqf;P&BSVIs-{+er8&i)x{qR@ZPQ>uC6P~!x?;L3
zoF-{DdVB@rHENQ}!k~?96Qhc-Jj`vFM7>Vr>mYm#xng2GYea!HwO2b-M6%L_z%?$G
zFV0I2Vm$uqZbIc9rKHOL-YJ8khLVR#gIs}WX~fE{<66=#6y-@Xpw@7iNET?~kU9Pk
zUJT_Cye`;UDi?XewP|MJ`eGLo;rvY8d(PC0T)_SL5q+_PJ*A&N<@|*D8g2QBK7FyB
zK0)W=(Q`IpE1Zj%=Dj`u3j4g)4?sU@`D60WSo;BMKHZ5+^u<;-r#}AH&L8^$@6i`Y
zVh*R{E<UC8jZgZG`XWi%;dB@uuf6gH?3@$&EI0T%eeqJ--1rjL`t-&1w1m61J-2Bk
z_vMxPA_*BaUE7}981<`wP4Fh7SLllbfZplgu5HhiUE3B3_`K7>xq#;?xd2S9lU5s3
zgABb$vg(+8;d8FeFRw&~UL*;0%Dp!9{aM>R78*2vZBn2~fhGl-6gYnhK%yu4o=l1U
zSxEG-dZGA%>SEZ(P)sruRkVgB4e~!pKV+WR&*D;gjN~6O{jHzfv=R$4{H;kEBJ)yu
zc4HzM2?Zh^zYKrt8Cu0JrDu&x2_y)fKN*@MG%3)eK$8MZ3N$Iuq(GAbO$szA(4;_<
z0!<1uDbS?AdyWFVNa%A}>lH%lTdn_3&mBECb$`G6+ugs~)!%hxS6k=%+rHZR-&)VL
zezCRKdRyyFX!e%z)AoyPpJ_WPd{_8mVad@e{HySH?04bkg-;13K@k+gf$RljU_J7V
zqFY;cOEW|BJL-!xC-aV?0GwC`sEUz0H$6|Cn?f*R_0wW*)_R^;+_umXZgG2lQzGn>
zWk1j(0*K>~0!mnw;%XQkDiJvz2_z8P5s$;-wwd<gU=q)7^aZp)D50su;`TvW#g&`S
z8_LaV^u-%!1-H08Uuki>R9_^Rt4;^^x_O=k2H`yju(7G6eU7Hu4x^aB8&?*4eLbHL
ze)Apm85&IH5tzF_Kn=g2=N8lF*X(O#aq~W~Z9kljSdff(us|Rt#>YnX?WGP#EBU-D
za6mGF^%3c0##@mG7Z9LAPz;PH9RPQb2^8UekRf3kb^Lrdmc?{7e}5)9ot>fHJ`8xm
z@AgQlJSS!I5<-fKB?K+OZG8qYOOt?}C?L9tx+)D$72)5*Tp5grf;6a5O4G4EoY9Ji
z&Y4EEAVs!t=hd7vl{|(Nd<4m2DmyC`v%Emcs|5r-sqigIXW?6v%SrsT3KEhdWe{vd
zd~;HBq)R$GqX7j2K*EzizQ|yzKG~~<{c<o7vWx%0Y~iYvnjrns7^Twt!hExd@|#t*
zfXhbM2wYO+{2++rmpoy~gODG&RGiA@hs5ovY(9wqvjf@URN4J1LNP(YmF`y&HyotA
z-iz-TWpR~&SJZ&$hC^F%h<t^jk{jXy`u2V`2n5%1S&}()#)xs3OcxFA_cE27oT~L&
zIicu_*U=sJP>}gCJWt(LF4S^+rz|ua>>@o7jf0)|D_mPq;?igI#Z8nJ58uOSaemG<
zECPC{OA=`?Aah}(zfQp45xdH8YGc*n7KYoNRENAYoCWS>6Bz<!V#Z;|B<{8tlNgjw
z%)Jj`jdXtl3j#4PbT5!iUIzmn;O{ZIvSMUu#mL%<4GpX!MyBrJd48cXizMlb)4@Y!
zp11Ki;x0${ZX_LyX@7iv!w!9s<a%*BKEc1589O7d_VC@HFOuXiW<bpI6#+3`eUW5}
zaXQBMgRB8D_2?o9EhidWbIs}|1)3DNSQO}W{y@0W@j;>QKIHiOyLI1PSLnH<``@}>
z>;7w3!F7-87T5JISI2iczR~em>m#jGt(#hVTDCbpSozZ$X#Ie2U(0JP-)Z?q%Wt&&
zV#{Y*K2vwTE&tZ?V?w^GJEevd4@LFGJLui_h|CVR7vIHqpCt}-3j#rB3raqjD-!OS
z<_C$zlyXTwy=v>+mRkk}j}^*^jY#H`!I?N41vPXu6vz#8iyR)??!IGe6#sP}+B%H?
zj#5+|ag+l1kzn`o_34KQAg8oEh3-lxGr&wM42hmDVCHE<h&Pz4aoTPDJwa~xiO;9O
zi4lEq7hN8Di7yYE8~SiEl@c==!XOY!0V)+s8BHA&cR|)s;L;DDe^FK`q92K;Aeo~G
z1Ox$B5J}7~0WGvJ!D2EYCMj4TP|OIL9!AXqbtGAs8|<p@cWfD<tHzTU%)?GA^YG$^
z?fT*lTJj)&FOzw&$Zd3rCN6;(pA-3#qR}6GF@bm3Zsi?bTo1NwN=BZOow7XX))z-<
zEz61`yx87wN%Wm`zHvSut=YFpfp-%HptSlh-6C8k_X5#nMTk!Bc3R9uw-<;`?lxM&
zb#gCk^2dQv6AXl<2vR^oF&Fhp@u=#Pd~r`G?D5Hgh#H1Y?pE51>*QY8=<$2KT0{;3
z;C1n4TE%s8FIaSPL$reH<X))M$z855Mrrlc?C^NuN~TbG<fHmxgdUfl{}8WPv)*cd
zc2>)ekq{zr8}MleCMp9$J$PU@RamX$-B+csqEDnjO9n!ZfzQK2u|$HCL+3$Gb*O;~
z<m5(LC}fkOe~SomL%bXnaqU$uHUT(L+e8et4Ue=jPuz>Ie4)`QMC}sG5qi_NFN3HM
zdD?QX7-BmqW*CJ47?QFyw2Oxc4nmtYIIG1Kifh<EXpoE%WeeBlumM&%1i6eF3~)XV
zuhZB1RC^^<MR1peT3kC<a~Ib^p(#~jda(^vtGI$XJWRJ9SBJlFNhX`oa8`t9sc}{i
zHBYdj#PvyR&H&w<j~bivy}{~&)2&>*%X79^voXGCW45a{R=sRvTLw(^5@Cf`GXhyZ
z=ubK3ihdRAZFP^V*Ofo3AydBW(Rx1o_`Uj~pRTYIZhrjRaLdL*Upp)7t610@68fT-
zJ@sb(RFjtlX0LgyU4TO!tgeSXo8!j3P@yIp&==jbmgB~}(7qg@!J%AS*`>Gbe+lay
zhlIY@`=0B2s^@2V9_aZ<&$gca?tg?Qz@N7LR@*PMZEp*-{*L32`E$S#aop&*+~E}7
zz>odEdgYE8;m51*>+w0hW<TW%S^CHkeeqt#;&6WIrFZcuT37s!k?3cdIg@Y$P@b3a
zsX_dG(*X4D8L(h6k)3JP4b6kHy2Eh29_698<E%tPb1|!AQ^0&up$kAKb3}6VRzFU>
zKbcFU)I6Kp0bmwr<5SuQKndzTj`Ea#AL}u~0=Xv+lrn(dkD1T1d%2i+Oa`z#)v3UC
zz*H*b*;f;$re?Ti_;M5bSLcsd?j6k;Q|gGzy`1sIY+hrKVNq!LBfEDGG`v5oCS@bP
z>aYSM907GWpZnuMeQ|=F<Q%%~C7b(WJF)tSrrA$aHLOTgglU<5ngUf$$SO2Q1YQF+
zq8X@UvWV7axgx-`6EzF~o|C|jhtdY=yp#EChS*%eHL=VUoR4~G!+w2{C9OEYL$F^m
zFBglVgd;mb;X|yrR1akAA2BYIOb?izoS!U_hZG?2#pp%B1-_ToA1fUz1#o}dW4%9K
zsxY%u6B@o(|NBB7Y|XKn6lhYQNr5H>-f<MbeR0ToU%W^ZgrNW~tAn(dUsf*?1>ra?
z;R?bRH+eO`-x~}oQqUjwN&&A7r@gqMNa2Vlj{gKBzDNWL!ZF&5Gqf*m3}^}2r-iiu
z6ohxtDy|@W(V`&SPb;{B@WmPh;XYc;6@)Ju3PMR=+)Hox&+THe+KX#e5H_?UP%Ys~
z2(St*q2<me(zYe#lf7}oR0CRVB6i+iWt|_>t(8G{LT>}gGE)PZyriMtvsw^qppXWv
z*2HqHMFUo=FC<pQa#Q0m#I$HrdW>T#S+#}4=*XI0RAt=TXwl<tYRl;R_RyWg^?ffI
z`o7(?)Y$q&-*;z4iL1Bot3taF6`X(7_rt#DogWgSeSacc?MyiPzUsVmxijvUAJ9*(
z!zOh&{+O}hu{G~eB&Okz`xaFQUm+>2DDH)q7X#l<;G9C@xr7u^f_^EGQ2bKd6Y)!m
z;tfXQN;K?M;;Y!Fgu_=zN;2Ydifn8YwFyFlq2o4X1(JBJ0&c%P++1Fs9b}MJ#Dt6W
zR|GRpeMt9eS)c#7$6ZKHre$}+A5?%+4>xH!5)G;FjP@oH!9Y-nd!tdmH|h=h!X6l4
z-1!oL*XIas?(*a;zfJ&-pHXl^VMYd!tuQzTk5(I7Lj6MoCI-U?bdQ{$Mh=9%TCzY~
zKn1~Z<B1#elfCqd>rr|v$4m^bch*b)d|W?C(8e5&-wCpbzRk*)wYVm7mqg;;Nc|hl
zW7eX58HaGF6^RyrIzAHbja`|U?6ek>wxv?LGRKhD084o=SMV~WfLVPwo#Y#eRGMQm
zWyuZz)JZ$`@82&M3M2)Ar9Z8@Qv<kT9*-$h*Bp{dsp1I4W2|vx7_b@Jm|wZka?{+C
zOed%1;{BHA7z6B0W{$}t+1%VR4;jZCGkfGrGDp(BRZ?PK2`{+^(!N?s=PctN%BCQ1
zk4?!iLXqLei4I_yXB^NHDMIEMZU3m<t5Avo>`YU~aI_%N;8eEAA7_%?^4$pR+fL*|
zMD~sHSKAJ_M)F1W8ObRvbp}0#M|O_^%re6|nnSZMYBVA?(aF55YQqXm&S)8j&T~x5
zlRS9`GxwF?sb2Hpc{No#Y58=L`sR}{svc(@Ykx(<s%6Lr9FF5`w9I7}LkNZ2E}PHR
zBmwEH_aJDYhD*gP#mch`LML&kl**7wXzJ{$#+0dXxiDRC<bxS7R3wX<%4bC0yn39&
zS{(YoL~^paVz`{`aA&qaKe`>A$n=psWv;-VF^apLsDrA9BN<9Tmpt%2D=LRotPKpZ
z6|o0uHcQt{)pKYQEWgZ{Jfm6L@z1fNl*4AQsW8^f@U}5)ZPoCj8Ir9Ov)EQ*`5iU7
z@hmT3jI+ORP##HJNq7J;5l9m#9n2A2SJI_w@R2D^nT|<^_E?6apLX}y@R)`zW$Y%R
z=A{+n*kW*ryo)&^T8tqyBPOwflWj=Lxcjqt(1C0tOQAXUY+>qvT-;eK(&NG$v~q`)
zIhOH}{kEeR4ho0&?6TC;Pc(WQ;sI4YvO~M-8MF=dQvn)E0&Q#QzAYP*s(bT~J61$?
z)|fOR=SZ*%*-^_L5mXmEl2xsvQ?jxgp4%!<OIDLg=Hgjo1j0Tb+>PCFNgHm@9=Gei
z3p?yM_80(zEw4m-RGyht^f0~*{$E49hNZ7jvsWt~Najc?qw-;D)QwK&5nM!<7pbi?
z_I~VKN?4l__K&dx-=+%Z&9EIA_Q=W90U7Cftuxw7Y|A@gke?&V)-u`{xrq13%5V|h
zA#suow*Ex7jf~A@6ia90J?V<9BKs&y6%~{2h-V9S^E5h-BR4N5J66n>6nacn9pHzu
zxGu&4YD@2WW5tnaABHuBWs#~sXFP>`xB~>>*KX#8Q8;|sRE&-7Y{0$XWT0_b`*A2D
z%L#o&bLtd+8vA_AZi5=<-0r=1+EAMkb1Osy#rmDtQcV`M-PoD+xF(h{)n-hC)?4Rt
zIJpiEkJ!BNI0^HzDL;%20%zTdu2n0UPWhmf#i1oMzhrq=&{sH+RHlau#gu0K8jSha
zo-ZZsuCSfs<NIS0?%t&J%w&DW^CcWq>b9)HEEqQPho6fKCslbFvLJ?MG=s3a@>~sq
z4IkKF_pHtrjjAeg7@ZG*kIomgZF|RdXS35KD}9V6V|%t*SSoY*Fb12lrb)scQ0}y$
z`D<lDZP^aC`V2ad&exSC^!575K8W@X9swJp0kFOLNdjT-;Ia6zbtvez7Pxxbe?_>Y
z?FOOaSjQb5zV4QetJ;6i{++I~T_5lIK-c=tKkN8J`<L2JwB2C*2)C9WDWLgQ%b(3(
zn-pkLph<!E8U^$t`of)5pY-r`RG)OnRD3aoELHCzh#Q*39F^q}LyF{?BrHRcd9Dpa
zdlNxi$;*kNM3Os5G!921uEG-4@!;1<T&w7U*m3Q?loV05sNe68C`dJFgbI^Xe~8<T
zXEX5>cpds=#BfKE0|S{B-AY_4$|Vv|j=4xAuLp8!OcLQiLPpwTf+P=xUPPji=|!nj
zOs10elV{GRlO!BHC6_YFl$0}7pc48*I8Y_>zix9H<h|uV1z|XYS}C8+$@o8-DKn|K
z4PFc&^vMDu$)UZZGaMN`FfNTAl*We1pOVMt9n7hTUVY&X%Z+phSJc8TYk{l#a>2cd
zC58UP|J}Ir#;^723&geE;b8Wz@lA4A4r?AQD0$Ujm}F5&NKqvik)jDL7*{-gBz5(@
zPhYr&c4FqP@r{ax6e|&5B6_*LK)l`^929=sFm`R!7l^yN!@>M!$IG@Z<VJxX$$EVu
zLhG51ew<#=pWLA@?4(QU)1P2V>s_U)3|9nIR|l3QX*OF+U>RLjIjF-S{&Dt7JFaLc
z%ir+LN`XHkCFNYzBzvJn4NC1$yRmOHb%;i=rITbK7l^YKA9gmbrJ)MXR29Jk=Qt^<
z;t@$}HCf12wJyvkq@*FMXYq960q7!>kdqXjK_pt9JmrU(nE?)DBAdH-C@G6(@H$Nf
zZ1Ia)JwLcrUm(F+4#zB8Nj6?lkZub}=xzpq@Nr)Wd2kD2qLhajBrhV2j+|G6*ghms
z%h*1LHsJ6Zr7QFVKm1JBCcMh#g7sw%LwSr)02&B^u|x#(ff7nSTQEZTPzXJU5iU^p
zpuVt;KI~RDWiu%3z@WJ0!x?!>hCW#Hc>6Jlk%~!Jy`IjK=y+oi-(tM+_%(vi`r0ZE
zoMzJ|1)3CSQs7-lf!_8n3YR)QFLZvgGuyeZGu-)p*DJ2?y8fX3qwT}(Lfa49ime?j
zKWh1#mcMX(-u#(CEWmA!8-yPU&kIirS>dDjA^+I_TIuk#aI^K#Rs4>5y|s$w?}?_L
zyiH$-Gj1?VFT^8j_NlP&B-;RYg$tfA9V|9-TubMu+mlZT1bu!rD5-%6{Ju1#6GVup
zUkWGU36BzoBUm`tRgpQc4BVx%QHl7%MwP)rq;uIkEO#P956dEJq2W(ZfhlF<lmMN*
zVdkLBnVH!hk&i)7b%-PQIJKk{hmf!^1G_CtcUEA=!yyu`1%4Y7r!rVJ!#s@41n*^s
zqtO{yFLrGk5?N>^aUrtumL%Yj&?**NJ-!s-sWdSOH*@0d4GUkU2yn9^@iIx+x~3C;
ziMW54jfgaGl(?u^T+hX>2A)8WGGxlkFe&2*bp!&3bFYQNIYMNt32T8%pVAjTN>|>)
z!))cftK^VSg&a~xRDd;*eNBANRX{q~Z=bT_cJ+W1v-$#w7H~LDOfXv8aOxLn{ouos
zpaO%}J+k3eeSw4%I2`=IF`0W=T-gr4T3<Ly2Vl`|M=FBdBz@s-TDgb4sFiECrR%yA
zPTzatC~v;R+eCp&^#$V1?BI!*4-v2DKp5+scq<$0{18zB9iRnF33O<a90-OJK4j4i
zs|2Vt>Q$vkG?I|wL0OKgJ|(XC5>NsW$7Y9vDS-}c3`JzW#}^GHpadeW%Z3u@kVOf!
zmzFan&><To5OLHrtTczH66n$6`oeB{ApEpU_sO9PaqXX{R7@F!l@Mta{+8#jFsOt7
zSpXvA+op<T4$1Ejg>2<yE}UA{WZVpw^lFVv85k5Pn0;=aEm|qGcnVZ=V8+-y%l_(t
z@Wtlo!lsgs@^odck4*)<9hgVz?uc2|I+ioE0IsaGsWugtHgy&yX1UhNS(;NT&&8s{
zEcYo_TlATAstw&{ooYkBS*M!oI$13o&s4yrf^!DXO1&NN1u5HV22?U~N{F0qs8KXn
zR(p(9cou)+ZMrI&kEx|V@4D{^m$*Vg-!pwr^quN^r0=f25BCkM`=xb1(fdO0w|jrh
z^>x?du6b98{j~gX%YSK^2fp7_%i)&o<fnGTX32Ys0xfeuhiv{^o&tS8bR?E<(X2gx
z3iSQ3>*MD?N^^uJ1)3B%KMKhD!YtEZ`KiEq)O3hZvr1ubGMk-*kr@VfcOeH)6cvbZ
z2uO3QZf`g@Hok3dPWBWMq1;aGz*MO)b9hH6KR%@-M<XMJBjaPKZ3l;sZkx+Oh9`-R
z4H^C@(OQ<Q1+GUGeWAz%=P;YcyFqJN2D10pRa*jeBuRoohTuD(QKT}G?*L&jge#wb
zmc2N%B@hVsiMxX@5Qvcfk9gVN-f*}q`=H!wwxi8M!Jt1#+I#&$Pl){D_lG=mAP@aN
zZ<G!Pl}LpBjdo$wn?g${<f8*%0s+zw<I^7AsE7Vd1~#9-N_<|Ak2H;j{4_Kz7zmIS
z=8$*?Iyp?8H1qoXQ9hKHHWa-Wfwl++gLEW+)E^~H{h=^@RwzW@B@p(TgQ7MV3eZ+~
z9G|kEj^d4Y*@M_CgC;)y?u-=PpqI7}(`lI_hB<`--XNP^fX~W{U+A>FP${urJYEld
z)i7pGCK~Vr=>JEf0Y6+yh-gRt5#N?Ad-sitTehqzY;a354Ttv$0uej}4fp<h76D)B
zGKdffVJc7<qAk`Xl*|on@p=Yng*WOO^oAn*k1+Ye@_X3wJKC5NC!dM5jh5?u#(*e?
zcNZI+{O+^-?zj9Npud|#lJR^&OTA?tKFd6Ombv;Y&-YuN@5l4afyrFS05x#d+seCY
zS7BFfCNxCF+<yA63&thw_>hS2f)IkjloW?kT|pY?qS2S4#l$u~mxE_r3eGNw?1J5g
z1QifRm<*f%AtL9C1&e3T>J0`r>I(&W@ZHW%IU9Qc$IHVJnYSL18%|uKFWg6uNS%Q&
z95prkP#BP<QZVsL>1+W`4Jd8;Hi#;wZxbhP1Dyb^CudKg3|9og6cGeL+shd_H3usm
zvj-wy4(x!51ngkM_64WLc=kAlQWO#VB@@V_0?Y?FI$>r$I9g#o7}6KAv~rTYx7B>m
znB;vw6!x9pHCNFaisoZ<G7OLD2vIZ#Js^0}LhvI*(L6;9n4<Z}rj;03p=h3@otUEe
z$i_fC<O%sz5AinCXbr>GIAT#WtF)XcnvYZ~nlIBA6k5-)HI8s-4ZP9%innV1(WF3=
z0!<1uDbS=qlLAc&G%3)eK$8MZ3N$Iuq(GAb?|lmNIvhf;@MkS;A8!3>o7m=RJ>8mW
z{Z8u-g+Fur!10rgPdM&0e}2dD%Z{IN{DdP5@BdN9^^Qv&^dB5J0zzQ5l)_`jR@<jR
zd!K%?jjB8jQ*BYKeMJxqj(->KXfW^!t3CS3PWpV705xW#rQ5F|D+d7^ho|>ARF4JV
zF}P@-UN+|q`}C6?%(B9e#ABwqj(CCt{)ly64Orn-`pI_sjO*Dm)?2XsT7Te7ukiJn
z&6*TAKMFuK`f<7tnQHXtra(Lrg&J6vq6oc~0>m3vPN;CiO+;lmp!z)i2nob~kal9K
z(W4u+P*C&5{fZwd&N*7cRGde-iW3^yPtanvrH)>UN%t5Nzf?a7xKr2^nG*LX^%nM{
z7JAl?(F&$#J!;Xj-cQS!p7m(8p7m#M))$V`4ZFyd)EB~cx3O}Yy63KheyecLeMcAs
zmhtetfVO4Ry|p4Pi9pf~i9ja^(_HsaJM>f-wMkaD3G!dqM1YIQqRFiRO9B6yoLh-G
zP}LH^sARsEn*k0<vrr^}x0Qvr>Ljtk0C|vP5Cy0MNo~#=z%m1DGZJ}4Lz={0+e8>0
zVGAV1BETQX|Ix4*<VwATm-Axew2+I+)U6*#W|UM()jn|BEhIC_cwSa;;TWEvw|;=U
zEU*X*AGi(qS;K?y<-WyjHoWZ?cg3i;)q4osW|w;iuf{_T?!9yGzQcQ$d&cI~gm{(B
z!n;i4y11E`*UKKU7Hc3e+SRxW6N`JfHThhUxS5#WYYK@izNU~E=4%V>$E@v5?e?|Z
zi4ni1lvwm@3Voj1GT8cS+EK%QO(`+z*Up}}0@O4megQUx{@O<okAa$&)P2CV)TS+Q
zEU0NqybNjziOWGvA@Mt?DYX4e#3P}mrPmMlgxXT#t58!)92aT|i5Ej{AzT`23gO>S
zQwC>;nlj??P*X_UA8ZQ!wcUwhL`_St&B~!J6SXa)HVcn9Q`EGCXGLw9&2!*c5wsyZ
zalEMMPrWc|ONmQHZ7K23s3|4R8a0K)bEBq^xN)#Tg5jy<z2(z_#T$_5QJjgy#7?tW
z7kCgUYwjyIx12h=azmo&w7}07;-yjZbkk*{wubm*z;D970zMG-74WFAuYh}nZ3Xf5
zu&;pQg?$CQK<q2v5@KHg{}B5MIEmO-)O&N{{bApu-kTH065Afc%f!CI_RTAwZ2j2G
z;Y8d_T~64D=6!34yr7w?fZil-5&2RR0Y}f5k=S1+FvCco*dSiGx8*V63gO=!t&g_O
zw!G&0C)c#=8P|Vx?RRZ(J>)vqa-v0P8EBn%{+sacEzh<*-SH<qCyk$$mpfi+d93Bz
zttVQ4tK&Nz-!WKh^8YA*%=-6*`n~1r!d(|?EIQ6Z_v_~_2m9`Hd`h9xvGCN}>_S-f
z2Bfg>#Mx+q`WKnVK)_aIQSN{+rIGD1H?qhvErOh)E=}f{!AB$RHG>>7bvN*%iDwuh
ze5MF2HKLtj;z(>L79-f>g&6*!7VC1lm_?{N{vzIL)`3`ZT6U^c4pjEAs)A^;K6}f+
z>{J#&KJ3XcH<(NE1SCl1lbK0sv&7-5fxi_3hT)E7a<%&jR(C#Qajfz}c94+{kTP!R
zWCj4bV0S%T@Mi*BFK6buZgCSBGcc?0O1-V?!3VeK=PrYE=X9{3ci|};oz1~a3K&GG
zxuAY-J#BjrUnphG4ELAf6U=e88!mZdf`twGxl3qA=HetgRpH}wgMN<Sb~+s_r-JZQ
zyZw8%{<=UU*?Rxh>F3@@hhb8$@Dy@=oV%i;#C4)wKj)x}{lv%EJABjh+bsf;jzG>5
zpWQpMQ<>fJ`0NNpbSo9yNIvb01ijv15I7OY1r+v_0qFo(FbL8PB9omPPIA))cOnu_
zc$EMI`mly{<4Pa|c(p`8BD_*S@q`r3<HzKP9PZ@6q{25b-Lph&FPFH`=2C0PQyW}A
z*Rru50h;Aa3j9Z=z#jeFm27W!^7F~u+qGL18D>;j4r-Fu>ywd3ClQh&2z-|`HLhq%
zSP92vzfV6$RMSoln<#v9ldO2d!El&BH==DI;q^(;NZcdIiYjaIa9EQg!7KH19kdry
z*9qU;7*F`(0omixF4xbs&?=^{6TZn6cG%}cZ(iQ{*Y@><gsS92m+9xaXd|Y$6TV3_
zcahK)`Z=QWcXBXB;hTou?i&4EE3M$E$G%xs+>!J7ks<w@lalLm{NDfOn)P-RUYo+`
ziwvDx1RA`E1foa?u?-h7i=<xx?N*_xlSNC8F|LvlQ@H6ZxyFi9auL%Y@YMyD;hIg7
zfR6%{hC1d##RFZEY|d4LstNe-%P8SieNiwm#t4_MU5hKZF6<O>^<&E|X^iaEdq7L|
zx;@cqB^|I)wMl>$4H-$mCk%TF<*%@ADnW-D0}NT&Ad^Sqa@~OFRxG)u24Z}<#7NSY
zl!-Y+T9bd!G}Y~KfUsAYNwbfg6j4V^7_Q8KTcGgr1tVmeVJdXh@J)SR7m{zwVf)C{
z`njvvKD~|~Yir)8_IwrHomxo4@fQW7qJ<JtK=uL*R)HZR6!0ktRrYz6h_;H|X*kf=
zVF;JmUA5a|B}a7wZ8lx*Uhu*4WWk8r=SU1tHzP%nHUWUDLJdp<Fpg#rJ%Z>Gt$-y-
zEst~+TXo&R;KkZT7LAH^9}&HZMV1jqh73Vwpe)630o_C|u&7(C(oEG@7O~#?#G0L3
zmS;pF&D1CZ4ADj;l1+_Z?<F8$u;!-gY)M1lFg78!B#p1A-G<nLBj>pddtJ8*R|yXY
zJ!3tAo@;u9?mz8*qWiR~v*Ukv{A$OSItE+6-}>#=ueY9cY;z1c`h*_|-xGdK_-S<D
zKj<#pq@TNi{6GHdS<Q5Cr-!U}`qSi2_lLj_1ZgoBWu8XH(sKb?!VHJP)0_NiLiL1H
zpQOo<ECNAT4x>=8N&x6l<X|*`WTpYIB7WM7vm#G#40(M~kL=OnU>m%&idp-Fr!8!Q
zhgNX5;ps}Y;Zpsan^s@J4x^_je$OKx)z1ymL+bO)N+>+N=0j@KKujSF#9knEvjUQE
zN!-rvW~7J{SMvU=IIt?%339Pg4~0ZNn<l&gAi-hug3AJD4pxfkx9s6kB%k_X9UW!m
zD$`oj?BLi92Q+0)L6B-ZnW^2s{6rasrh+R;EJuTJ8}mlnkOmi7@XX7X-q!rW=1umO
z;>gcv*8+zZ5<DeHgqdA6vZqpmUks3j1YI$oh1yTEZ)qrrw!=<WXE3A5u05m6k0Gln
zEPZAhdwwFRrBw4iv7DFuieTrgwcH*-=3s`V-84=+dz2V#JgH*i@dT&mZla~eNkNnz
zAF3#EeR8LMZh&r1j<7B~{Wfd(7#tx<>_~$>SF7Nwh!M5~dlKYx>nf%?HB+gFr5iKW
zF1}-BrMYBLV{Q$ik~6y-E0%Yq>ca9uEf2_-XZ8B59oJZTF}^&@Lzp#mRoavrixE`~
zb%ZN8KFi3BtA|*>S3lQJ*U||$zW{6%hHOE1P3$6h9T~1V;8!PM1|nN#qRYA|YPJcM
z@Ro`tykSH?x0#mA@`sw5$5ox%&_muxhv9n2rz`Z39{t=0Y3*J7A?=N6*^_QjS99Sv
z+cqiCq`>MZ047<a`;sfZo}zKbL7WoT(qcp3PnhIQw1hLsPi<O>R0}5g{j?WnlAqcb
zl_P2d|M7rHzJ^wDCiy7~le~dea3=YwN+$Vz`njuV_50aL^3;`v1Ovn1Pp|Ino2{D^
zXj0%JQlJ-O54QsU?=Sn#^v(6{?z?i`i|c-K-TmuE*InKF_r2ff{h8jW-kW>-dVbLJ
zm7Yg?Vm<C2XZQc?KG$9B{&06+*Rx$`x<1ymzw3t1fA0MA&R_1F?cCidy54d<?fOMm
z&b7^TRmTrHexu`oj_n=m+yAEh_u4<#es6oAy`$}WZNJfWqHVlwbL+pfeyjCV>vU_V
zwYBBXTYkPJ-7?&Ax$_n0*PLH;D$bCz)A5|+%MRUf(6L4MN8$G`A}N|fH!0Ahz=|l~
zo7cJphr{J?xxClCzqPdknV+Vi#h8VR$kW6l%te{j@)Jpw0DxsPsX5=g+Ncv09LJ!1
zvUD1lSIkc9-{0C|^CVxyc*4MZykX;Txv|`^aj@L@-iD3+<;D|@8hb<K#vg6iI8bi<
zk%o=EM&thZnAy0`o^%$<-D9?`LuRi@jQ;tfX5%^on^f+fzq?UepE2Qq`6FiAdXumW
zeAsMUXA&lj`{xfeYHL!>H-FG<i=}P1;F5(2Vj6+9(3rV@e%$PIy?rM`?O<8k?)fpZ
z*ERON3Z*#N5XN(S^9RfxbtY%G@9t{UsdnG>&+kX4PP)VKEtcJO{qy@8wY7Y<y^Y#h
z*4ds$ZOuK`Kfk*{+wzv{pTDzFTXV<t&)?Cgt+{lz%<nSWVoBQ2%-nBV=65z|YN5go
zv#I@;DDTWI^V`j~_A@X)#FqKd22IU<*+0L{Y+7dqmSIQCw)QhHcjcD(tqq!*l=aRJ
zn@zFqZ75s2Cw=oDHv3>t+Vrv6l7sWNo1L&FZ8}x$Nbme@W(WJ3)ow`d{H+c8)b7WD
z`CHJ3-MIJ$Z7sDouJs<gxnX1Tiw(>VHEe7y#)0{0!^Y;G9GH(ZYFyrw1M}gAjm=#-
zFdu5z*jzmQ^FgyQmZTl&%zfEEA86FpLJPmyw$3Lh@67&rpV_$1B+M_;KkseS*4&!|
z^B%Kpy-8RGcAJgsOv2oq{quv3+L{#h%}ZumYyvw9*X~dM{7q&j>`%K+HXGDE{~@y%
zHmF^%svYW^A255=nOyA__09J;>SVV^x0s#qEm|Aw(ajATn;&jq{>FxlE$i}w4I7(#
zwAXosaJl2NLeEe2e4_hvZQp1+*Y;>zuI*skwQaqvKkC!_)V{0xI@YCo{;lV=o@X7O
zHGgh!bP4}Qcv<)>;ScFgjojb}2~#zN7oni%R~#1_N#G*Pas@-4Xww(xn00B6X-;1@
zT{tJ<vsa2!@9demf~L5KCnsT9LV9iK(A{IBBkp)A8+WH=Sc&uQ9DKnBm5gj=>$dvr
z(e5R<l*}34-O+FuVSoW|#E%fUsMjC$_56zS`zx4mvq_Tz?@kI_rZ1+biGmwdUZUQ_
zFsdw0(_(H^c?m|9MFRS2Izhj*Nef2(N+Rf$U?YhmXQt+r;!&SR@`trZ)B|^FzY@Jt
zUnHQgPM$YRcxj_I67^|ee<E;&zDST>O^4-|%0`vN1g+pkm6s}wDwpev1P9jX;Lg)8
zap&pJ?$8%idT9LIgY3|FY0bVz7C>WoFeCH1--p=oBAft=bIeV01@CU3FVy0#jC+%Y
zqa!UQBxsfRA0u{zJ&iyDt27N}ev;-)FW5UVncmB${|WIgMiQ{u+1bG<?YOLD^BH<t
z;#{0`vxxp6@%qK1GB_S3%z}a+OEXEC{Be9vI#x=PlT(7z74d}6OYym!TqsE34v^QB
zI9I#5Ym4E`Y&}<Z@~0Z7Y9tc$1tXCNTu38fAAa{#b)E!l@}T8h&(BTCnL;+>_W8m-
zUo;X5$%&v(^QnktRuWMpV@)73S`PYF?Z-(Ry6m%XMS`a5=&{nVQsCnIV_94u%1&CQ
zN0qS<NT}F=Sjwjcu`X^JK)74x;DOzuofFpbU4~cFXFGhW_UE(3tddRb1ik}8$yU()
z{$wtZQuA!42ax(p8=uk$Fv1G@QipuMkM$j4Xc7|#N*RDFH0&)Nli{>W{k4Z|2(u#U
z)ikoDSGm;+DI~6nCgLio(BQ=f4`^g-Y560&cXPVf`>&BSyfyjEw%aD>B}Wo>jfX>|
zD$12!^Tlj7RS-+$?1I-O0cwJ`WU`peqrj59*Kl#G=T(0qqc1A-EPv=uewI@P@NGEP
z)_9^B-PU}T;l_>AYt6WE;lZ~^5*VA&KrgxaP72{Quo)QWxOJeH$<VVEB`*D#zBofE
z{_qHAx!=XkftI|-)?=193Q~~(hiXjp95<W+Ng4gSp;z60v=ni{iM#e&!fjXYK6e7#
zPl=LS=WNW&w*GT0;Pxglt|>Bhm6*wr`~e!<b|RT~0aL-Buq_pkM1br%StR$qswr@h
zOu<t*pYE#ffM?@$w^*!L8XLe@k(>)o$0zv0usGe382}oG0s*n?3792G^^GZD!;=_e
z)iS{i`XWin;B;`uyO%2*@2=Jt@1wO0o=teU-9m1xdwC6Of8||zTdx)_b9~p)d8g|S
zI&bQ{%ykBK`|rB`uj}rX*I<t?wsp7ca(uV-pIiU7RqFW*<EQnp*3Y!w*Luixee2b&
zx3|9K>TJ8t^{VUD@^evsb@{J%>2Ix)@Z`I5>UvsV>SYJpF1CJOdG8%;12Hk?-nI9R
z(UI{32lwvXwRcBMY?#@7k36$0Lu_g$kO2FWL_Zn&#vyU_Py(Cvr5?JCZ|C&3IoUWS
z$02>Gi+-CE+_UZ#^K3DMqa>Xofr%^?$YDcxib8TSgL8%ZOG9qTl7uretSOjC9Pb<S
zB^FA{PnuUMPMUswiAD7CyY3YrWY#4{+xvyftJnUCpuThoJHPMdZ)s|%tg_JLUVmCE
zcngLs1mVT+4Muz+uO}SDe<J}?H3iG&eZZ=~ValX5q!LaW?<A#@N<Lf2CW;b!$!y+j
zcC<dPTJ{Qu5$WUe`Xk7p67WR5LEk!kiJ>fTKI0WI154}Z_cBU=H?Y)QQL@4HYRfIv
zG-&?aq(GAbjVW-MzQm&axr*&&qGE$)LtkRRAKXj%<xO7MqXvKiDuqL#h!pULf{4A<
z0#Zl~102)?HCsZ3LXClga4+STHzq<JkK$Fe$ff!s0q%4<cu3yMG$apu*<szwF9TB`
zQ;R9E<fM%(Q}hPl_q<3DM@<#o%N7;g1GIvx=w7Z=(LJ(BU%a25j-TUUfG@9E6=z`q
zspf4ZM6%bs$&_DS1-H6Pbh1TTwF)Z))9x6eqV?Qfi7moZP}zs_M+j1<&%bJ&Ska3w
z%{6l6tn|K`tn_a)CV(lZ5jo8!E|E$eW|h5OqarS^M$%~zbbQ`I7sng3590%FK)mtM
zaXu{`p3;}r(@pqUgArTvCR~O)Vw*Co#UolU4EW-RAMnK<Rg%?+EFt4tG#pZVK2+Q5
zuT=!p=aV@G^SVtdf*mawpc4>g346L~-fx+GYu$4z;LR#G?5a7m%I?-@H|EnC?so8p
zURw<~;)wx8z@BYxXrDLo_NufgNJoW8V(4-0_o}T9vI@G-h@QDP@&E0=D14x$OX#_#
z`~P<Tp!@0WFLnP!ce49HyV@RX`+mn4+LV^x=s41`y``(?r#c2Z`r3cg{=N2J>v*91
z=B_{Nn(Ml{tD|$!^)1&|U5~j&*w6Xw-e%t>1uhf?u&`H!Msea=eQ7fjZY3t%zG@1$
z#EMuLOc&J5ped75nN^W9aV?*ha|w;euRg+!_&sh#&J{~}4R%C;9L~Zwo){4oO(M`s
zun<9<Mc&jDOp22du=9#j<d=GVvIz{6*W%f1(fyD|U%G+L@sWLej_*OW4ro@G8lb`Q
zbyV5|l$^^q0fqC$hU%aZ_NAb^-OIj|I8K4jDM%Kb2+^xpG()S;-h02kbUpoMCpgsD
zt2U~k-7s1ep}Gd3yT!N!oLBq@%4PaL1<{<4NC_Y&0L?)-1vv#1JyCj#fa@{F!Nm=8
z@_v2kI`(vyP(*muR5tMyhj+)gWR>z!VG>{dNgvXeSWM~;z6jUf3A1M|J0lKfirLIf
zVz!{DWPhYfFoVqn^d%On%9Td1wy%up9mj-DdKy4z9HfF57aCvPq$2-AB;-{kCFlYE
zixLh?aT)k8K3^a%M|`Ts>y2EgFEPvrE;PQn(W`iUir1q8Hg1W*L~sS%t7Q>yX}~Jt
zy;>>aU9K<n(`s(Mc-4fkTVkR0T$%JLQ7^G@dZWbEajIJWL>q=CW3;&zB_E*U8zmdM
zUK4)hLY;^gX`HyebSqn7ezqK5GtW(nzzAC?4ojpcP_k~hn8h)QLrs;6nw+k1USo9y
zH-Q53v;Q5OlhY}X<`yeyULz#FxuV4N5q)Wh&7_~t<or&@8r-uJ<N8vRKH(v*Gk9$+
zds)lCxrHQeC;;vk$XaxVBW<?b{$0k3MX_xvz$6ahr04?DL^iXdlvKNRB5Ao+=wdP;
zJR6AL4Xvn=3PH<A1uZwk^rbMPCD(Sm=A^)MqO2&{5+G)75`jhxP#SUHEHY8J$)l0)
zyP#xeG~}URYU?b+DTV@@0ocGuUQFVwN@|5seTjiTeT;vq_2bEODK8#P!a+wamdNdR
zlekUJB$Fxe?$TtokdkK#)5*E&)8$5eiNQtP$_Hv^^F(?JI!|$%F{z&51x*MJ4Hv_T
z;!ELGqTvd7P|Tv^dGRYKh8%)o78P$PhQtEGUu7lyD{whmx{{Xg!|s($-WAB1IP4hy
zFF)*F*%;KcXgsb&RUCGg(*X@@gXOSe=*RpEzfyVFy-#0a_`5ug{}oFdzYx1fhl%jW
zF@0$ZU3j18W{OwWEWoeqnxV4%N-mUD$ntBxT9=XH-ziL}DWflY>35mQbfUnIcKZUh
zDmr6pRtxUfM{ld({s6>tn%(9Bu;n#57%1CCr%3b*<e$V?rK&Q@a?&z8X`l3~*1oZ9
z50ZG%*uO?TN4>503Vn`e1lMh@epgq=KXm+c$El7lbj)_#+j?{BH7#ESlK;mY&lo?g
z*R-E*|5SUa{jT=g+a>aIv5tY}xaUWKhpy9??xM%&BVKkdzJ7kZ5X(0))Fp}cm2kl`
z=S}+SM4_060Bg8&vT7rNz=eT5t0x8yD!CMu6SwT$H*P$#CiwwzfMUFg-$xT1nA?_M
zo_&y2eGuSc4IQCIn2V;kAKpkQaTmCsf<-i3lheR{dNp%h_3Jj=B*(`Cqp;7)D7;QM
zw7nG^+UurdN8AM<H4>mvndI;yS<1v5oph40Y+DH7`bDTB3dpIz@klv82d8g_^SDu8
z+C!hnnd#Tp-#I7GihJN}1rOI`1}khgt><k2>+Lq=0p!p5E#zkJCI#Nb6ad@5gKiQ-
zUZjyGVH9t#DfS~R#?mM)=JNk*L>kyeOSm-f+NPifc=|pS={5YGkQDI51Ax8-baf~Z
zjCz!aH{l8UAq|YsUR)Y@ZKFR7jDE$V1R)I!(<&|vyk?OGK1?eNd9P9$Sg$YLPOC5D
zV%C*_`}pFm`qFLm3|dI?;x#kt^`th+p0DJkSHPZMPzl!LgV!jyR&&VSu5?ySCXyQP
zeW6PR+YFHUz%l~C1=OxwEM|Mc1o4(cs;+oI%cupSTpbcO$I3X`hN;`O6?8>J32U?w
zMT>WHCF5>h?2Jd>Of;ulUs3MO>n63LQC9oZ>VabSk)bMQ!N-Z+H%ry|*2>xeH^-E;
zI<3uFTiL$|2;)v6fT8~6=va*hvK3`EyA@+#GJl#^KuzXr$~bZ{D>q@(CoDMXRiCql
zVi1}t=g6NHLxs1p#_oH9420xt0tWL*XN>=`?NB`fx0+2OVd-Yx>3Xhf<Lkkqt0Le;
zHJ#yHZuG<e*EedeYAKlUjUEk~%OtFB<;}I@xg=cO`S1-#Ct+*Q=fgYxK6Gi=ocSUk
zUDXtMK*Q!RQ<zg(L33hQfM86_6nFvK(e0$=3Bcs%k@C*6_Gsu0NrcCi14(^X;p@Wm
zq2zN*))hiOtwh0)`LAUSDQnF2r0kDcZK<`~vhu2BdA5XBAj_{x{mcDnaM`X-f#PQg
zZ>^~sB4Jw>f_E`@)tq{h0!<1uDbS=qlLAc&G%3)eK$8MZ3N$Iuq(GAbO$w}p0==CD
zVT1Eeg_e)CBwNOMukCH?dAa9XJ-^-aK+mzBvCdmMH@W`M^_#ATJG$EcPy5U5Q!Qs(
zKHm~(xu!*M{;B!%g!44)e4{IQUb9V;0;{D!|B5=mQpRvJxTWlkP2p%5e!!|C1p*{V
zBuVWWO?Z*7I-+P=BCZ8Pp*SpMIjg1Yjg5-et9b(91aT71SS@95SS)2}tEKFXN=w<L
z`qDV9zJfbm@LY9EW3-f;_FgCcs|PAdT=2MKuyowx?hVu9?%`YXrD<wt`^+R8^^G+f
z+79p8C2j>cznX=Db@aFb*s)2CxV>izxoo~D4o_;CBDK1$gn%osx)}j(vUqq;Qj8mq
zh95z_rx%bpm9?gxA6(&EFfDHOv7pq^%uBp5cy8+obhrXwl&ryM%4BK|eyc<^T`IuV
z7V-Hb(NH)P35TK)4;;z4ve+(g)uwOM3zJ>Q@AvqkUf+2;ui2#Pg)41=;96xAjnB*s
zbMpXDp>8s2=3+*4*i5rcwdAm_48%s&NzMH1Ws8iRHr`g(4V`*r?#6PYT8-y4f*_7D
zXB8d<@rLOnzPgXHrq6+`#sC@l=6i!|zA5YGd&8yA=u4AyiVxqzx7d5bW6Jv3;R#jq
z)%&}W8C5$z1pC+|c0*xGifeMQAPsb7<g_+~O}mow;ykfa81^N1gL-3GHz<aKX?)2I
zNAx8IfO&#DJG^1KL7n%313VRlt`d%?@<s)oieF!1;AMyTdTCz~sRY6K!isLRW}_wr
z-h~u^Z_`KUrr|D6ufydDS0hf`nDxYco%lB0LrXZv_WC9dg116`EhHgzbPya{&_l35
zWGSGk5hbiDfsl-}-b+VmFTUMh-x$#RemRVu;Mk7PD(>6#x`ksqOe?r=)9aNS8~Cn6
zw3_o>ub25QI9VQ~m%?X_u50GIY`h~Wm$j0YUImwRL3}^UJQQ>5l|<v-<xEF9iKH}x
z+5Ds%;005eB)on}%oe`0+s;l6_Z@o(T6C!7X7J^;OhKE_0B#DG0h8sc^gXruPI)43
zg4+R35uW=d3qmflY$>m3>;(X<rIwW9kO*fTH9K3N4_yY_qb@r|I}&cn;t4>wDdJJv
z&{@UsktY4A>&<}0G1&(1!}LvNBinIiRZbBN7_}O{theQH;TqvD9W4Vbm-XfQ?&-U#
zuYKLa&;#`L{A<tecK&<k-*!IT`Q^@^>HH`%`vu!~^u5@!x8)Y+mxX^4{zmxA>Yu*9
zZAr95$q&x0mOGu#|2U4Xb^7C1(A~^ggtx%#J<cMaj1t#Fe*N*w=)Qi0A3krrH<&%^
zs@yWL?^te!l8zSdN^iga==j~9gZ=|^^5I~HL4amM2Qqie#1GyvrT7l|_HN(nQPQc>
z(aMzIp?%Xw=i)x^$lXWwruH5?Fs|;rBNtDvAQd;q!Q7tDrndsuI}{kBaRTS%Fn_Q9
z_@zvY;0d_jvSAes{EYhepB5_d=txTm?k|S?$?vZ>sLO5u_gCJ!tlmJh?&IsNC2wsw
zsz1)~@lIUNSi-j~yeI)T4+Tto&}zDf@D3zSTMW$900LAv$|!*!Z@<qu|Kr$D&1W_#
z(0~Fr>W?!tMIMCvR{Ln3?caCO`OOA{HLIHxct=y<GW~G|v&wIXH^~hV!VU2_!&l{O
z#+#6E9`B$x1ZOhd+!Tt(<v=u^kiv-w6w_ffB+1@*Tnfblz^>K;p@2ubQh&Ui_Tm!G
zn;ZSnh)>ZH3Hb{B@m5;JC7d_Q63*icZjp;AZ&pe;m+Ox+s6!51@g@hZc-X5y?w}Xy
zXYOJ*)|+dVZ>;G<hR4(-a1AQ5hpgn)?J*1+WDk)G<Y7dCX)h+NOdpK2VdI)+=z}BB
z;)3Yja1?O0e*CvOQ-+O(wpw&yJU$ng>PkRZI2SAWqAYG$*qd@8n_r%hj|oKCj0$vy
zY-XtJcU?!K_;Dsm*s4FyKtxM?&D!dc8+}kPbPQC~*seq={BbKo_ohpi^`!^t{&<*&
z(Z2Z}loR+8Xc+#w+zv16e^-x?^q{`<0ORU;6xo|LT>ZsdaQN^HMAlde8*bN^?x#y3
z%a@qR$glV?f*dhNhcIr5^)$y0P`FuM3J!1aX8ST^#WlF~Jg>qH`r{1xn(MINs?cGd
z=itrmO$szA(4;_<0!<1uDbS=qlLAc&G%3)eK$8MZ3N$J3E}%fK<96W^;oHKx%hox1
zf7t7BrCnpLfa@BU(DA1oPjsB__)JGZ_*XRGKaNgr`Tqmq%fc@SpB3&CCh)U|zN+Jq
zYKUV&=$L*xsjx*q!%}<>GqueV70QmA0A2=nXF#{@l;z0}>t|-De&#;jw%t%yiwDZN
zsrQa=8ykdDRNO|<M9{M^g?gB>;h~Zeg!aJO`F_o3H7U@fK$8MZ3cPzMaG8FF1uAj7
zz*mU%*yBeri$t;(hXE&kCTq1K(AE*)hM!@<N!()b71)~3u&5+%YyJx2pJYvo2fR|m
z8w65dLRKW%qo|T69128(ay;Uby;tgISjZ8#HGgGe$fx>{B_R>GLO*kiKAGE^zf!g}
zpJCAy+}8Y+N?Y^$^fN59f_u|`#q_3q^fvtr3$ggpG`n-ZvSw@Z-fVHdR-BW?1BhG7
zrf226R%vct$=lo8i*2)Wna?9}Qv7)o#fxO#Kq%Af6j%$Ir&T*nl5-T1s@1^ZLTYHt
zj{Jo}690tctt?GE@X3%XUM;0G8u3H|F3>HR({7^m0J=inR|d0x4Bo6r^g+N{)jYt%
zsKItbOcq3jJ%+6G$V|`OTSXc-MSNiCqm`6~8K@kUe^#3*5*&Whx7Hd?b(1)rO^XM$
zRI#8;CCh%mHL+9$c=YDA6he|{CLFZRXEhZ-z=%_la^%yv!;whX<E9fWI}p##&JIq^
z#q&vIOT+ujA*hKBAg6OF%^eEFJ@H^f_9-5}2YEdbYTOqO`onQwLQw*8BH;JMm0&QD
zh$B;EG%EYOYQPKUa3vJgqJg;gb}ciL%x5!c1hMT>Z^h19g+H<aBB39=2_^s&hinOa
z?%amItbxDi^}tD>!sd^naBY%7kAcjk$oWA4J%%KtF!6YN7uXActfC3H50>ryRwn=w
z|23S;ZIg>~jG|)3#<g@V78?*_u|Z@Z%xU<Yc^&6V88wyi`zBPdz9ycd$nYF#Aeqsk
z979IPQ1!S$;4<HIy_b!NV77!Z!95<!GnB}*XdP+IpKtMc1}0pBY>adj@|)#R{0r1%
zxTxdCFs!Dr1&xhd<3(QMFMVQ2Ka-%gYMlqNeZ_P>Sow}Hoax{8y?|?@B7EvA@Oe0+
z(o^2JNL&w1>1P!Bil4fjpVDu$&%+jm_q}H9@P2{`P8R}MhkP_FD0$GbP=*i-XY2sJ
z1^6Do%135#{2Pq%oj~@*z60eElWBQUn;?jZWEAW2Up8wM-va#@OGLl&LT~7KVctG=
zw_VxwV)Y2*z2KwzT0SWB9qb!f_wAmZ?tkfirOVm!_buOTd7|ZH%O{DqKdO%lK_MZG
z8%)=6!E5}w!vAmiRCPn=uUD5e|87#?9Z7-9^s~&3le6YeFphnlewO)Z@}u(!@Ze|L
z=wZrv@FzCKqu^IUo`jT8RT9S*^h*&9zscS($zL4}$K%LueU>?OavuDNjlO8u7Yuu&
zK<hrs{5Clc{zRDvKg$waa~}MON*?@D{Vem4yMpVsXjbgcU80})1U=dRb005XGylDM
zT^S8_TM0c@!IfK_u@n|5Q2>7+7m@U!lmf4<iC|HYXiFs=w{gp}7C;vU%s@7UR9s?V
zN=8r^I_2g_Lqyqw(I)J4o+<h?af+tW5)%k!p`5v?7NjhCUQ1_-8c>Ag5)wS-hr~*b
z+NyP2hNC9j0LASsOc7jL$`yk@47xpGH_)n!BugZlheYNfWr}J+f@)GCbEsys^Vw|L
zAM(*ba@j(Wq^CrtZ2XS|*m$5|uveGZt4rk7>40QB2Apg>%Xm2{hlGlfxB5Y3*2R3O
zP@I)#H2Sy$8jHLuxW{rxFOlCZ#|zR{2qW(CQZbtccP$~+nM6n^O=h!d28_0}<<QvJ
z@U}g>_TD5RihArOR*l)*B#qrYHa@zizxu(H-2zRJOfH+xXJ-e~ik#5c6xgp)3Qu-t
zv{|H?L;5f!KbI>?W%*5#^F)v;NC2CV3OOXA<IJPMo~a2UNf3UMWD<j{Hb??=azJ8c
zA`7S)K{{f$C*)3Lm1(52BVR&dqJu<Jph;Q*0!68qlHdSr8yeX_=70<VfuSmzahbqH
z!tvAuJFYI8(d2W;SdutXDA1IYgu55FQJiaWjBXev9+6h$ADDNeDZ(%TAz<z+H$L~R
zBSVb!XN^g7y4_;2+haR+@7p@O`@p_^<FRepOj04TM~q9dF|x|({}3&F)zp?B0fIv!
zIT;%p-c!}BJWnP%^Zj2C>r8ZWUYiuhh7XO3JMY}RC&t#JSp7Q2m!@=b&xvkO18g3d
zKbblUtFs6*CbIQ~6=ooiBefvbwRzqdQjL91_J?Hs%*PqK&t06KFeRGvJduojbP>-Y
z;}LJ;DP%nIVw^w5*cbfdftdH8Rm^*W2!0P#l(-&-dhTO%C47df=bm_b1;5SbEBIB&
zeN2d~5&O0nhZNbTF@B)Mj1!HBW=4Y;KgMF_@xd-j2#4gLh}}988zSw=DZ~WE+hf+V
z%skA<ab})p>_9V*1#|2b55$i(a;{a*mK|o*vn^Cl7l#>M7pGZ_9cTPJi-}}3>mf!u
zk{2TfS$R~vig~2<_it_h9<v5Eu`JH|z%0orEng%WBIs$5WVkRSLZLU811=3RXV<7_
za{8J3=?Xrvk2AP7kpxudV{=TdF<uxOiTU{(V!(zIH|l4O(`o28^J&<H54;mN)?VjX
z;d00Kgua=+BYkb_{&C$Gdav(Y-}CQ1w{-65^mktF`d8QAx&GYspIwhQbIt>f?^XT$
ziDS_5M~>feoOFEN@iB+&*yp&_@gc|6j;mKD$2tC|@Xn2BcKp!pCEh(+i-LZZ=N;$L
z=-13eD2o=s$&5@R%2lO6bM4&3?HN=^LTieo!6MTwJz1VODA)!k2Su(+>))WCWjU;Q
zyvf%pTrm9l+3V=7bC_+6uUVsCM%cr}G4{Ca#QL#4n}P_@ce3q&*?o;>S(5@y3N$Iu
zq`<qH0??#xw8|n+5>4tgw1nSXPi{(hgMM#94oJax1Zb}QfKQ4fLJ<IjCHycFs}a8n
zY_PK|_d3_4KDjX*P=cXIFyh4{SpId+r9F8KbgL}&I@hf}Y0<5+4D4LD`edbU^?mwT
zmTH~*H#}+jH#~eyKYIn``##HqJD*&$es$aUf#H!m#r^p#u|ta^M4>|PuwWDuS3-)_
zC{c5og1mzY(Hqf+LD2_Cgdz<2qFg{ExRxPTKc7)DlhBa84B5PFwVhUEF6908dzMjn
zRvApw&_Lq3QW9EC;zBX)j{5!nNVQf@&gBNd`wznG<_28lbio}!n)^t|1BZfm(2JCq
z;jk3dJW(kal~sQr6p#86YU5FWzMyItLGt@Tekl+Q04~_C`6W344}_>126k}3{q}0&
zU=9}nua*@@@lU)>thI<=cqP)oOe#4|blKI2YBj>viQDwEmoqVk>kFPVHAgG`w1&cC
ztsk|1{}p{soC=p!96V5qoV~Q7#HA<nv+L<=KFp=LC*NMR$lIY6fyJ9Fv>07!kom=d
zMzFB;4ydyDzIto4te@rhSzHzQq>cD)F3>g0>t|U&ym1q3*r%UeM?dfhqsWw$3Tr$Y
zAqDl)WyGbRCo80&59()oXsxlJ+Urmgx4L{$Z}whCi*S|jrr_x4ysi5#*I&B+u;bO%
z&$)ix^+ngL>m#j)T|U>2*5SS{0voVTcyry$y@8hRwt8G|8b7W5t$m$;(f75MfA0Kr
z%Xd3xJ7-UC!<#w!zILU<feR9o{|h0!hF8G6ZeBw-(gj^N)$iJ?pT336(80d-@ePiv
zgjN)O&{8<Fq2(3lf2}`8v!+RbcQggCo=LWDbCJ7TBf`!LF=Gr&vV@xhue($~9iRow
zH)4i@B?i6vX)i5h?EB0nHT?gx_a%T)R@cJc?0ZJsS%krjBsi1V7hEHYpa@7%K%@B0
zl4K;A2{V&~xMx&~t;iy>2uY>2MO(r{yJ>4JQrl`*eckl6uhrT`+t*h6tVQ(M|J-}e
z_sw@RUsi&x{*!4voV(xq-E;4`=bm$JDjti(;_d`!bGm~fyu~1b(_VKX8cC$U>wX~W
zi>+H(+%pr_VU1=3bD!8bX6{+xQe`&W;O4Te;Qc-WhCg!_E_5x-ib={xkEBtf;iEh9
z?de21+mUxIMV(1kNw`K;2S9dD8bhxLfwczl8Yn4ryXLOxpxnLdl3cc<ooXJ;UEAK8
z1+$~e(uLs|?Fc**Ugrx9!DuU8?B~*}JChyh8#1!1t5Con@<k({sp1WX;Z8fErZGF5
z?rTKSYE`^SAgRNmqHBPt9gM%CtIPtI^hlL1?}<uj16838_!|}DU%I|kDg~0%oIW42
z+;FiE=b=&!1M)Pqq=<^F2NY$8;L+)aEj?g7Zuh<eo?%eG=bcmBQ%gzmCMtRDlv(vr
zP7YWB{E8KzbDH_Lf*w|Zz`#`?5;(cI$4f)malCU%JRS^q<M6n~iN!r08pF=sozl^J
zQgM%)hO?u0Cx7yuP~3A4jb&O*om8m_+EYUV*?!(x1p(E{0JCL}P*qy{<`?(W(?zC7
zLkD85>OeGH3}l>7iJ%TH(TUF+3&#9GFL;Ivg?*85IOtnd+;cW7tBwt-D!aNmlkLh_
z$H=WZpVS;EHNNt%fA<l%<GSLW8FWs3%+2P+hxo9lRGn6?sc;7@FR98kbx7@JUQt?c
zp-k1aUDb;gFB@D}Te-m24680Z{PtfurH=lR`3`q+&js`oue*#bAs^yT%&W5F^<VA4
z52^h4)kK*g503WR3zUxmtpNyuoKlEVr2%5v@-3iw4~)=gJ{zl$+(_c3pu%nV=)c%m
z#XaZKErGcwUaP)L!zv96`nk#leXT4A;I2&D!I~;lP`NKfwbO1FBu_VINQ!o`yA>Et
zVx<L2S-I|s#XYlVTbN{EEhiYLDej5U$hmA{DQ`#1h6I+vIY+x368--w!zF^@H-<|b
zzjOT9@wEMB<CDhE8b4;t7#obI8EuBQG+#4R8&1~$UUM7V@J|r_sd-!TTg`uJ4r)HD
z*{UgO+BMf{u7gHv@kA{=Wdb1@>0>Em5-21`X$af8g{LMgOXUlbi+jo8L90PY``7vX
ze%<NCy#e?fT8(y+@Rg(Os#<>iZ-gh+!ap2gx_dqx?X0x2G6Em%5$J(S!L#T}Rb(d`
z;YpP}M!Kv}p17J91=>=1UtT_Cz#%*u36l2+qyAtp8jVG)s`*4Pp#^2^RbZ>xo>t}t
zkJT|aWrw5Qh(8wg!&-c%axH#x5}31)6P#9q<}6Qw%qHaZLP8?5kr(YJ$t5f~ziBmi
z3H#*KWI_}JO<=DI)+=yF=8uT(s5c&T$HCAy83`m}!34R4t)sc{686a{aX9pe-cTqG
zSFYrEr`1S<B%S+UBOoU`c_Vm|-w0s$m`S5?_jr<?{62ARac?ah^ld4+T?$W*i@<15
zEhHv18o>~#yD{fjh>~DvT(qv##Z-fPK4;3yh3+`m$$%r9oNR3ptAqEHz`8M0U`7*e
zh$U9t?o=}8j(59>HApAH#rCwjC7XroSIY142Hw=*Jiodds-Y$!UF~3Dl7Yu73w0eJ
z*AkO?Vu}LB6TZ63JCe!n<zOw4b1w#qNGb=*yVDu>!c<($WHVqTo^&s66EmLnWYd7E
z%5M$93_KPH1|#mIFBx?QeZdsWP4IpYju0tVDkO^D*uVylmK@cLe5{~n3_7XMDLR1g
zdMKFn!=-u(uIp(an2C%@um*&A?C+dQZ-U|hU=ZP$%-N&8N6Cg<G8QjccYq*mIeTkM
zGA(C?4wR%Rj~1o3O0k03vl>AIq8Zc?Ttpi%UpvF)IzxVoY_uOvYMk79@^C<NrX>qL
z41gZTx9qM!SNqVVj&ud5qYmT)MkKsz{xW%@*qTp)u@|HRvnD32EYamyMr)AVBW^kB
z5U5Keix(C5*3k9)&MdCqvMg>~*C%QJBt{~~Y-N%v8S9!P<sao|f?b<PJ4?GZ(O{Ut
zg_!RI?u5uGwVL(P#`__bSX8TuECxy}lmdDpv8YF97hu-UUO#J;m#321KS(H~H3B>c
zl#8U4YgIK^e>6&~QzI@<#DoGW<JT3rOcp6E3?RlDPRBwi#~Pd~IT~4(L;DlqL~U5m
z?$B$s^R;2!j~uT%e(v~|W0mD?%gdIhEe~5ZSe9GnT0Hu@^;hWh{7-wP<{jaXa6mYq
zou_2*wexsf8F#e*);Aw*399*ZM>OxMMtnpAbw`Br$J{koVg|@}78du$=nB(gVoUi`
zvg8c33dshZcfq|{1~^BeOQ<v=Ap5%H<Os}Y83PzC?v2nzOvK_iNf@#O#BmMT5@jvP
zh60!<=b>xf(R8h6UUBbY+W6v4thR%4;}s2s%UUAO6EiL<_5?Ri@K7nKU2Fp86(oLy
zS!Ha!7zfJ*V02P&|0|^;T6HeM!;;+R5CLI|N)W;D7?dtu*_;dRj8i%C&>z^aXI%+k
zlfh9`3n_y<o?0rCj9)uAbaJ(~q`_1iMl=DwlSGg==4TZ5o=b=ALL4@gQz$-<sCNlw
zGD@JS#3Xa5sq_>lkko&9l&(I4#l4GY3s&M#a>co-b8z0MImdNTytN~+3heCLT-9JB
zF4oi(_g+r(q2}yC<p-aW?I0sMR~k$~(61fM7p|nOj6h`sDkE^TBLI@K`E-#&$=Opx
z+bIA~oA14Z2BZ4uQ$%t$kA|S+?5U|uA#c1X8I8MBei0;R310}b%Oe3dk=4aRVlWX-
zhCp&Qm*zsr*;7-((OAd_UhfhhIh#$Rkb!?nAvwF4M&K37Q)QB~dKxX=yHLs5x@2+h
zMRdp85W$UNJS1n*QGJkonb|IkU>wwiS*mUs$HZI=p(&NjCh{I|O48iQ9Es$?+XqOi
zT2iS(zAgzOoc4xga~8FW-h5NIeST_bOGmzQ`6c1pvX(@8Zgh5j#j=LhIak(SJ*PW6
z7A>kkcvzzfuaD?@9dm~uOe7>9U1X8TnM+fNZa74H;^|CDN+d^LnFp(p#wD;_rxS3}
zDoa5GI^g?{G+!;cBr}=^;=*B)EVz8`&}E28kX#N^NHP`gXqJmnld=rrIZ%3KdPosR
zytwy5#uf*V&SVM4IL<U!e=eXzF0DUA20$*nWvReZ<~u=#ejaVg`V+7zA7UARLIgk#
z_sU6$M{qU~<(UXym_)EMyF39QRG#7Na4v}~8*%<&KBz;Eq0>$!T$*h|6pE7#QjF&4
zKisl<ROf&F<3dP#zF<FS|G521dyVb?Y|q;svaPjUW}9aHoAq1P9oE&>3#=0?zqR~_
z<woZZojaTfXT)i%`c>6qRqLu&R=KML&>Hxxqua62G0pxr(@x7G%jw4F_4nvk>HT_x
z?gd@1u2pxg&ZvDs+pA4$&mYZCI9T>Ox-Hyr^C<Eg7LPo!;f#@|74&b9JhA?}qe$B~
z^0b0}&Bzn$=c=Zy={?UTXe?%p+3cHeno+krn_CS_dl#(mZRtEY8~bBq`^;uqyM4Xq
z%4w&cW;B+kP3Kp^OztE%L2{m1$~-FNm*?^K#^gL_sMaHq%c^uzs>t6PRc2DDNF|e}
zHzH@6tXdPiKzjq&N=mhOdc(>LDzyyA;Oh;^8PvxN*dJ1ZqAR}MpfZn2CFOZ)d;O3{
zBYj7M%E$3XrC!wb&QvDW50m&zWn$fsiEDaKlba6HX~?w3_q3;~&dEyP|JNf>(`%O}
zobxoj+En&QGuiYEykPV1`d7XCDw!CdBPzro_X8~6uKRcG#)rRMHM?(A&Zr^3M9uCN
zWm>i6PX22CU2EmE(_yBX%6CL+1fR+&R(JoduHiDNEbqHI<xCS!)9Y1gQY`PgI)+Ug
zktnEkS7F%1p;F@fu!#eu#JS-T`@*HfYlcl6EG2FqHnIGXYIbGi#6X2=Ls!}ucV*<X
zgAB7z9*mk@ZF1s43YJH?W>@QQY5k?%t(Mac)(AzxH^_+xX@oq+HM`QorIkm`zpF$B
zFtyc2t(<WS>}r-PI72;?3KLeht4Yo^Sv}VPrmA+gMa}^uq(*lNYS?WaHnBXMwYyEj
zCYC2a?QY|+iA&V5+b~>W1vTu}51Y6|4ZC&2CYHZz&2Fun80L%G(3PlRw?<Ao$S^CY
zVYeVB9;9G-lxud~He6Z-HQXwv9jp<Gf^U%%57Gz)HQYR0T6xs`yKa)x4zkdzQA26h
z0cubiYE^3Jma774P|G!d8XTJUg%dOn2#&iPS391ypJhM6)?u1r(i&eie%JUP#%^P?
zaf$s;_8-`<w$Il*Apd&6!{0xJKMTJQo&&{vP|b&1#3U6s(OX0kqM0dNd(3u!dqi`|
zF)RGvqu}d{dz+c)kl7XrhX%jP9jkGnJ)&Rw@6p>zD=H&U8G#S~2*3>~vjxK&(t~hA
z>Wc;7KH^&CeZ)a>L)u6~@P_o@R9_;QjDdPKyibsbxr32#%pHq0HMzt7aLOMK#A3d9
z6mCebp}Fve^x%{xUm}$Z`(h&8kglXrctd(naYMR-M&J$ULH>pmbR(D3XmsaxP<H3G
zepzwvRdfm7EcIqQZb=6!v(RhNk#t_&s^H&CLy2CeP|c?yw3LRpe<f-`V0a+5dE(@b
zuszFOmt%VM;W`j2!&7$59zjwD%DdNs+Vk2JJX?_f;AttewbEv&D=)|4A&Ax4Ts)mi
z%2qSJpf}`;dEplZyPHrX=2yLj9b9{fQ~wXw`NL|Lzv&DpW)JeTT!B!@2X(7kre<I3
zfw7~?>hg7%bfZgR)(#Q{<34!IV42#P*>Ks-aIFVo2FsKyP_;R=OiZCpC8n^JY4w+N
ziK+Oiw|o`-E5(iELYNJw+cm%q2iQXw(h0HETJAV+VsY=4bYUq@XLqp&<!j;bA^<gY
z@{vt_SgV)O1rcwP50cyD1}?<xs1+t~n-wH!QYJYxDO=o|V*KmntdECerOE`jbSE!g
zq62gn(Rl<rY1!#y78EKo%sEc7BS#b*b1C=`84)g(#7v^}vITuKvnv&c2Ry+4N}fN2
zq=ZA9?jcx<C1?|yu|3A+sW{CDj{p>yPfOSGbfHChxzM$cwCl1|H+l6X@7O*%tx{0M
zyn<GTs+b2=*ms;UFnCLpgLiO}^P8hoyS$^bxOXWX?vGuAQ|hB~y)Ugz^kQFLju?h3
zkc`mvgJHPN$kb2n_vIyqCBan%)3b$yA-Hx>gm^=geq>?bN-V7xqq)&9V*#YI{4Ce#
zohAYuj$M=6q5p<(yyg#r;|q>Gj*X6P^Y6?*G9NH+H{WcYXAYWA({Ipcb${2rs(VE9
z2l@9?@cAFrd|tB|JOZ?7uF))jALlGz^H(0{mWpviG+!4!F^<KJuBiVQUGjfv>O0Oa
z?q!estV^@y;h7Kd@-W!TF67zHx<sR^J=+CZXk<%J8vYQi#8&dGC))qev@$WP=UJK+
z;oT9?4;zWf&Jt2>1F6>4K%JowH*mz-0d0>IE=&Tz0*~%xlW=h_d%)*f{C+Ci$$*DV
zm`9d8>@M6xKhI2py@I{-(}R1(GxFBV*(h`SGqXY<_73!cy>zBCyBaJN6rJuOd#7x2
zOkdoS`|e_IMZgYyBi-rH*x(s%hxQcrvX@klV|d1>C|z|(1wmK2`uvx!ES1VXx+4I>
zoC2j*6n`8d!W`--BClju4-sKbj)tHx=g`!6D(M%4;HV$0@u?j?yn8A}MKH$q`V!y>
zGynjEIcsPx6y_Y75=w*<VlosVjv}%&3WYg`6vCVgjX+_}AzqjRO0I1*8r9toQFZsb
zoyEPalsVplXPQG}7UYcT%s@puBN+;H(ay0tC#ecIN<x`|hU3I+8eYOorMj6;Jdw=Q
z6<S~igV!|S!7wqGXkpKbg6oJl1h0lI6QnU+88?`(xf5WbCc=NS?cm<Q4W~7Da}@SS
z_MB)s&Ez$*`vh=i>VyB4xliy8B2)p+xf2ZS;5qJ89`<)?4@ft4w+lUyLaljt?JETb
zM?L~%E+2$*1*Orj%x*~Hl|~WF|5{Szit@FM@UAJCH>$-*7R2R3kH+>E@U+pKE(tK0
zu!B6e2@V-D&FRb_B9=xXFi7(Gls435E$?a}ypc-tGGNyTwvsvNwE|@e+R0(wol%R*
zQy;DHx<t0TTW2SdXA}4IDzzn&uDT@e7J{1jXWQE0xwst6IyPw&$(Gi3GS_HF)WtgF
z)m_<bf}-;{ZP<rYhBv7?To{pM0IXE2xs~cTFdt0;uXY0smDVXDdr5O4<~!#X_qNd0
zZ2fI0$@pmS@=8J>TKz~G><})I17Z>hAPUpIQJVMiOl2DV@|?${@;qm5CkH)C;QXe!
zU`m(#Rg$?4?<3F%GN0kl;m$|_rCChl<%vtNM3Nj(lEW+ik8YDG2@gi^8PQ>W1td*B
z7tBwYcbV6kmzlk0yXke)w@sfm-DbMR6fvD({HyVM#=XWnjH`_287CUvHXJhCYq-`>
zt$$1ZoW56|(_f;Wtb0TEjBW?$`Cp_vQTv+qN$tn9OSLY|A2nan+^uQUcr|*cVtju?
zb6vH4SIdeJp!lJxh$pM!)by>C6NBQ1TH=zDNZ*R#(w4MO`j*RS2Wy0)V50BIbg&0$
zgsgqy@4He?3mPSA4OY=8>02ge0*w;2OwvSBC>+-HHORR@qeLy&0F4rV-%>fpAdOSe
zYwWvXxJ>1GjWvBsAd_T%pr)7^@Jf1dHGPYRNn29-s_9!aTw29vyL`B`ig~thxU{my
zS54n#!=x=KeAV<_I$T;=->bTBft(hmnTlGmtie^&H(yQ)(^n;FNr9`n?-Dt!da?3|
zRrk#sCaFw7HGOmCq=U3TQS2N!t$GV&^6~Y}mXpE^Rq0qc_4xZPmh%AhsN_*09#3Dr
zoC%0WCDQ=f@%3FKXHaihIqCTNE*vILIpw(eE`U553o+aQUkWC(q<g$9CxTB4>Qkfd
zd@hNsG^|WQ%zsLy$hIb>B-8td)ero!iVSKsP4An<r%|bDdLOasQIw-v7ct_I)2Q}p
zdLOabQKV6=i<s#s(x}!&EOX>EI`w`LOB_WS)w%+F8kM?SeZ)G)B8{P1RjxiCmqeu|
zSD%+lqEgZHzB*-NjA}Ja@AL3!RH~ZZ=jPL>)aB|s2hx~_?i4XJDkV{=$<<fOB~htJ
z5KPmC<`pWjl@X|nKxG6fBTyNE$_P|OpfUoL5vYtnWdtfCP#J;B2vkO(G6IzmsEj~m
z1S%s?8G(=72$1*x&NA;7oIi1X(s_e3<P@rYShc&Vsmkkk*YRz~PDiUF;?RQq{|<YT
zJ!pI1_N?tb+jTadO>g~?^#N<j>b1OY`MzbF<$B9Z^V{a<%)7zM-%<XAuMP6!M_=<O
zI3M_E{8f#{E#XI_%OmTB;h!T*S4mYFfyxL}MxZhRAE6Pb?G=e0!H{lAW&g6Zz1MSz
zWmNz*XSDv_RdQl*tg7ZEQbh%*_c|_<N)6?i0=?JDnZO;bT1_g7LxJ8#E|*GGD!J-<
zuaR?sLt3@E2Iw2r^_J8mNe-2I2ITPfmUJZt8M$&5C4X;8X_918sYWeRNqcgTn#vWM
z{JkYD%0X%>&s5u6Ql|vJvub);B|pZsy(KkDl31lLrNsW;lJ+DtN3G=YDdX=|Dp0D{
zP@XB!TT-Bed8SsA%8Uv05)Dd5VI-GIXH;_4^%7l5mJ4Q$T3rKXO<gb1s4V4Bsb@eA
ze=pIiWH|;IIkhQ66f8@bRH{+SL^Lf+nN+m&%BPIKm#AEpGO5&5o~gE%=w7l+#9g*Z
zO{J+*+e@@BONmu#C?)py67@^DIcg=BPZ@tNQN%1|QmLUlQ=pfqWU@>!W7KL=nK6N0
zqMTXErBanjuDV{Lr^#}`JX5P{z^tk3C0d%L94hq;$l>oLDw-?@%rmt*)TRtk(=26D
zsYWdm(bFttQu+GjQ^wy*6*cJ=NSdcoQ+cMEUZT1w=|!vh(U!MOhejiuE<7PPH#(<Q
z^;eze_@3ix`|I|#c9U(J?JVmTt+OrvX%WqDm~S&znR-p<7{6w`)bNs_MgI@|I{ity
zhjfB=gZ5O-r!^iZWITQ&<zMFZn9YLr6wT~<v#_3;!5EjcirubsTYENFNG0Kkxdgnc
zmT&54ZSD5>y?(FT>jT$PF0X%<&pXTO^Z0^(Zz!zk6x<`NQ<&Rhlq+2~hDyC2U&!YR
z1vGyeRi%2l(mO|4sW&z&6oZ~dW8skY`cYM?l`Acdq0*?w2Y$Oke(g_3RVh44hu`$}
zF;p7y_<iuEQb^Y=%pBo2?Yh+>Xim}e%&0fts;Dtv5DOjfDj}G%!Bc#5(s}awUJ{Jx
z8q&>eV#1Zm<>0}-t`=}p15ahsSF6FWZEmZWFVwe!cN=hRlW9sf514o4YlJ=iP&nib
z>;5?6HqN=(Oxg%D{bofIM>5e#g&|U**B{kiGx7>=lq$S&3>5}F0eFEv7SMlx<Q1-!
zDqK5;3Im=%I0UxFhVw^WVW(7K=NKyVdje5!G#EAPA9;lZslvh-D)f1R{*X5mHBK9O
zg*mCh+!!kKdV(?d3m7+zyux;=!uHWu7>s#BfdKelGigR%VMeMjGlmMIo{&H44f;*F
zkyqF%RoFU)3L~DdH|q6<Os|f-!W*OtZx};`VNVz+KNv7C8+nB-QiUyJs4(OShXS!c
z%>1p9SJ)&~*ffR;gPur;(1j&D@(Pnug~>5g81O{=VSm7H**o$I<5Gq3F;wXHL`aQ6
z>!~BJ@Or7j>&H-`&l3&!;Uik_9(je=Nfll<h6=q<VKnCVTaS#q!bYjW#?e<8h<Rd>
zNF?aDtsZ%WS4$OMJ%$RSo|rcPJ|%6x9C?K+qzYGzp~8qK76<{0VZVIj6<#G(c-0sx
z40~cxe=HoaKQ;0Smq`^a8$*R5Pb?gbh60Ydkyp4>s&MI;D)h#JVPDAc;K(anB2~C#
z3>6Y4DjW@Zt0s)R!bMVri^fo4z~dz!F;rC?d4&t53Kx!{Lcho74+i|fs{b8%g_lYd
zUOI*f;lu|#hA-+&j=aM8Qib!!P@&i34}`tGnDeJ2uW+7J;k?mT=!cVDC>o8$;OsNf
z^N&@(T==~1F~Rw!^Eb{PJD+iW$@y95cISF$H)sP~<6P)Gzv^#QuU7q}>RVM`uG(9*
zqw4Oe8>?1VHCA0-bwO2Km8)t(mDceU$HSm0@NvgYpe=B%W0B)Rhu1OPalAukf6M+m
z`_Js(u|ID8ymhyAgY{Nx)_T453hTwzfb~r4NmirfAC}iFFIm28`I@EOB3hPOW?O=m
zvn(fDOy<Mp*UkTB{+{_sbDw#m`F3-^Ib=TDe2Up@ddKuf(=SZlH+|i--}Fh-CR2|o
zVOnOIYs#6z#y=T<Y5allDR{f!LE~m)(U><TjaM4y86(DtMyugnW3}Ob4F7HTq2Ufg
z!H_asWw^u;HPjd;8EpFZ^ncd>O8+DMqxw(j@6#XD&)3KFwff0=yYByVf6@I~_q^_D
z-DCDP`*rrk_KWO3`{}lygEqtyw$Isi+3vC3V$0Z8*_PPqZGPJswi9gz>)X~pSYNb$
zb^Lz1PwTeo?$UMYnsqC53v{z|Gj&sR4(<EeziMBG*A)+Gzo30cd%t#_woBWhU8%iP
zd#?5z?P=O7%|A77l#auiL#2OL{`KJ-fhzqeS{+>+G*gA`f8^2EdGs|N{R5Bwo=1Pj
zqrc_RS9$a|Jo*ZczHHbcoHy2?RTMQv*#2KU`Vx=6$fLjD(Vy|?PkHnwJo;lE{ZAf!
zfk&U`(I4^X4|((lJo<ee{T`2g*LY-HhHjFu{acEX0eyx?zsaLd^XNey{RWR7;?b}3
z=#xD9H6Hyck3PYpkMrnPc=XFW`XwIyB9DH7M<3(SN6mA_Wt>kHw(nDv4Cv>0^bsC?
zm`6X)qo3u`&+zC&Jo;%K{S=Sx;n4?q^piZ=$D_SGx|>IL@#q7V+s0)iPZqXsRg?_q
zeLT8_NAKs+O+31hNAKm)4Lo`ekA8wjKhC3f^XPgW{TPp~<I%f#^iJzn$7SeF6t>@{
zC>hXOdGr<@y_rXE;?Wy<w3|oQ@@N;2cJgQkj}~||&!agWUBjd8JesxreiSzgio7mi
zhlxjxJZj)kJ&$U6RKueJhi?BTkG{{N|Hq^6@#woedW1*c;nBl9`VSs`+kW%7Of%p&
z-c*zf=o>uxS04QfkNyvj{>ky}acR}@!uA^!B?Fq~(H0(U=Fuh|P4Z}hN8>yy^62$E
zx{61y<I!t*w2?=z;nAykbS00jaB9Y7B##reHz-O5bSaNs!J|ufbTN-E;?c`_bRmyk
z#-o?==mH*{&!d;{=sX^s%cFC6bT)9Q<H4y`3EMAFlnm(kJbE6Fp39>#9*y#7gh#_X
z8sgC)j|O<u&!ax8-Yz^s&i{j){+%A@H0N<n4V40@pZ@>X@mt4F!B&7s0R}n!+aIw%
zVE=^uW{?65cKY9E>9yQzxecTM15f|`c>Z5wj+-0IbIhT#(|-=n|6$XqCX4ZiX@=s|
zU(L?_c<TR#VUJ-8oc#}!o%#>rx&KamlYTjz{W}Ib_1jOd>urCx{T@#LgP;1J8^2S3
zsieyJf2>E!k5WDb0SAN~-{R3{cvN}DgT%^X8=%S~AD{;fmyF9&=o5A*&v<}7p=cGL
z$}=9IU*ltyXFP~ip78)xp78+v0-yIW9(|NY5Af)J@aTRX?dMVD84v1J9@_x@oUu4A
zLsuv4ct}w%pvp5Ipvp5Ipr7FrE6;ckt32ZY+Q%pE<<Z?dx{F62;L)8tx`Riz^XN7n
zRUX@*Ra;H(2y6cp^r>joIl>O*84pn984pn984pn9`4CX$84u9A_>%AB(K~pw$fG?x
zdOMFQ&v;PLt$ge)JbE*a-o&FfT7u&;V{3&S$}=9I$}=9I$}=9I$}=9I$}=9I$}=9I
zSw))x&G2X&kGAsYY93Xd5TGdK2?0>$2?0>$2?0>$2?5ZQH9IatS1s&N9vA>s9vA>s
z9vA>s9vA?<M$th)l_vy1l_vy1SMZ6K^XOGPdL@r8<5A@a0ZLY$5CB!45CB!45CC0l
z+chpjceb!Yc|r&YJASKZB%rVI=x=!R6&`(=M}N(uzv9vV=FwmB=r4Hmzj*W|9(|EV
zf6k*nbF_}jSi#Qzf}&(VpXbpZ@#qhE^!q&eJs$lok3Pqv&+_PZc=X!}6h5f(j0dRl
zj0dRlj0dRlPzUH7zNpzedNGgI^XNr9dLfTqz@z8$sPa$;%{Z5joyDWEs=ed#LC+L+
zD9?C+D$jU;D$jU;`V`Fo)XSrFJnG?5H;<mfqceH5mPc!Nw3<g}@aWk*dKQnK>3nls
zhVFD>$23LBfKKJn(|B|Wk51;%i9C8LkDkJ#C-dk@JbEIJp1`BW^XLQ~J&s46JX*!0
z#NOYjV7DBagmAoY=y+$es?D*({;b_#n_-=ANt*95J!brk;ZKH1`g&cP_5sZ^!XZd{
z{Rn=F(ggwX#JPZRM|!68oHz;09eO51(Hioz)YpR^xu6C2)`EUXHlI&}@-}&dtrebQ
zrM|6~x1<ZHR(KSKJV$bIce|L+)2Bp}@N`>iR!oAbcf8w`O~w;MkDEM-V$vGRZ3x1i
zNH7$Lgw<lApko$|30t*VZA=iyz1PYD*Yq4e5qiA<!a$jQK>wGea`1wk2v5?ba-C^-
zJ9SA8o=JxOHnfXf8MR)8Jdvm`3~wNp*-U`il^;~u0>T!pPG>*Hy~^|)M|wpBbmhHj
z=*YLH6X`7I=u7>XP2MAd=jqhC6!d_;cEk%E8fXR*1YJ3>QwRu~pi3_w<1S@;s-!NJ
zPt^8&j!ZOHLToQ|<Weqpy)Tu@<Xf_Zyz1l&c%sp0IIJ@Hf*x-Glq$o*y;{BgiDTTS
zLXVyFX|d{OTF?fs8?6Q-iiIM)#Ur++Z)Ef*zqhOQvHYMf39n)M%0Cw9s0D(cy(!$I
zH5fjAj62raV<jECP_<)o*S5E2(*=0dFz1?m)m%5cPabi5{b8S4hkQUbL7z8N-XT9I
z-320{i12Z((b#j0JJd6w$4nPWlWLcir!(+mS03Iw&Sg@qE-{mI1#(IHN>{fl39oFy
zGg__`>v!JcS_ZE_W?b;B7JSuAvs$;kL=82j_8mbJ4^|PMUs$g-nXWj--Co^eB;S!d
zk*mIrz{}6Bd?&mvl`pvJ69srqtk6BMKg^CQ7V(2_bopllvo3f*J{S|$Y0c)D$GATo
zJ$llgD+cY)fOWB<Ac8#-dHj^Dj(PQ-d3{kZOyhed*^UJRQJ-+9)?(2e<DTVvw4`U3
ztM+W}+Ek*0Zr<>q>f(+<Yc{*uwJg=v?wXfvO{Q{c{fd%>FbrRfTlPu6z&tG!356p<
z5&HG|G45B7&?AtJHLG?^qC4Ej;7L{G<|gJ+nF1J~!2{@pY)*AvMm%27*#|p;vR;Bc
z97K7e!tGkC^;uyR)PJo0Zn>58knlOmosGN=BIuQzSC^9WikCRAIJ`{Plr7un$hQi6
ze7+zUdX)E%*wXpJfxxX=o9(m5w0k$-EOk%0hOq7_KG)n#B1@P@#j~~eTpWE%UTuzs
zKn*(Liv-GhM-2D8!JzkMt=*nJro9tyB)ual!{xo34c3f6cdahgH?=MVJwBL#Auy*^
za#!Tj5iRyWFciE|>u|)5X%{kUNf+j-c0uuh*b{TEY?EttK0(+mwf+P^ZySt*2kh6R
zKg80|3wCj9wN+JB$Fx8BPST%&TvgeGo1M)Ra@khb5|QlLa~3Xyg<edmb;|GY2V*|3
z3KfAhBd{Q`XeV^)rDNKubb)m0T-A>>w=G)$MsYZ9o_qzL2aHXkYTt+0NqRxWzo2zG
z_Z-u%H04NFLaJR^k|&#$eBh!Ru-Yf_dIG^9u|X`O8)AM5=83_a7AiQV{jgg0XfnEb
z!SD#&jPEpTHr#FKF?1W&7}5sOu+ngaVS%CE5Ht8dM}E3tqAsnwTla|WIo<1ei@rv`
zK%ds%t$zgG0esys!C*0HEIXYo&g-2koJ*YZofkQyPOr1t>2jV58U$wWEO@x;jjGqG
zUaoqv>iMc?s}5E@UUi`A;i?D0s$f&q`l{Qj)>gGwwNzbSwW4ZC)%>c9s-jiis%o$?
zIJN4yDsz?KIP7@C@tWgh$BT~V9nU%rIv#f%0G)#e9XlMG9P1soJJved9W9RQ9V;A5
z9P=F)Iie1){bl<>`-Ao+cCY<7+Z(p$Z3k?dZ0*k1Y!}&FHo^L`b%ix*J=Jnpx5jR^
z&$mDB+~hpqd|6j-Kh?g%{;YGod9%64dC>WWd5!56(+fHgY!6;Hi{>lL^=6-Wx_N^6
z74r+`r_GO=_gIg!daX;W?Y2{GQQKPE4%_3l7j1`4Pn#Y!?XesHOMusOE6tCXp8y|;
zFIgV8nyrGh+Ul~-w_fC^cDNj;I*xOg9fJL^{SEtT_VxDL!3RUTy~TdL?Rwh^+Y;-u
z)`Ql^tp}_RTOYLUux_%hx881DtJ|Y{6s!_n(7mF2Q?Joa&`;O<^!55H^rC)^zDK`V
zzX!A$p4Pvhe?|X}WwYgOOOK`7vc{4ION*73D=Z5v^_G~$XQ{DFw@kE5uvlQbe#iW#
z`E|=1V3qN*<weW$mS-&oEsyK20DFTTUAJzhZnN$Q-AlT6^b^54Vx_)Yzf=E&{w4jJ
zrk$qErn|usquaE`ls1W`m8L693rzK<n8|0VF-<p3G)*vBOd8`m#y5?x8(%TLWPHK+
zobhSn6UIl4j~MqDcY?LX-Nqhcw{eXzZ4`|wjaL{K80(EOqt94loDNzX6O0z4#_*2e
zO~dPkSHK6w3x?+mPaB>vJZgHx^n~d-(@Ul|&BW=&M01TfW?o=kX-=EF&3Bu33iq~}
zbQ;}c;a*W6Ba$I_6N=%T1Wpp}?LmB_ekB+G8I0eK@n6$-W4xeSP)Z5P)$gzrTdEk`
z{2t4>>i~m0^$c!!pTX_d5I9-bavs7nSopmsBHn=Td<HkXjPWxOe;eb|4Bl(U_<F=o
z$N1Y2m&#v`cnst3M|?4XFcR`eVf^PYzHFp0{%MRa8!3$cImW+0Ae7&a_#ZI-Ma2IP
z<G;!9jVECI9}%y?_?Hkr7vukl_%e+DE8;gWcpr}E#@ku^MgxYsG2J!{pNG(ga594%
zUPJgi!mlC3{%+WacsIfX!i5OK2&W^oF?i2g2!Dm}I|v^|xC`N32-^`}P2gl<JARk#
z`2DuujN#bt?Km&CFTwB&5LP2Rp22N&o=z6F{T^}JPr$#5_(KTqMYtAW93kx|q^JD^
z=)&-62rUfW|Gx<T8zJrQWa0jABYptk0|<8_yaQnoA<obHuR{DHgtZ9qd*6@qXDgjo
zlZCC=&#mvWbX$Li@J9%rK=>d+?C)0W?^f*ZR_yOq?C)0W?^Y|zcOU((lZE@}cLn$?
zhChZ7`*q*P5MP6keqTtRMSLZ~*#u4!b|Kwv--kHT`SwGI<GQe&($6Ge$6r|f?a#3I
z9WODs(~IHXLVOb9ZzB8!hJTUaJ4}f8A#O%|J>pXl&mm5~`y^p!BjQL;J1KolhHG1v
zeg|zQ;MXI53#O;#K>J$|{{)MF;0y+L(fKk-c)*VMFB#nVHsXIn{AC7rOYQwG!6yrw
zFGm<bNa+&7DP2w$HvOH2Z=&S_j`=p>cx?It#^XHQgyXOY`@adl+onq}9qm7qGZ}Fl
z?@e?+m@I6>@3axu!Hx8LLO6csjg8jp1tPB_*(V9Rad>xSSaF+QMfgL6Pa^y*Lb^;r
z_vkVOup7e@1j4pOKMRygr!~M33x6Pn@pQUCI3)vslnh|_7h^o_4upT2;k!3r{uIXR
zt<MX`kquY+!}uEsoGfhkH9{np4Rl&UI1clMUW`X_*?{D-;TjCT8sQv-Gp%nZx8+@T
zlJH5wHag5eMi1D`YVFzfqODpj{DDoF|B!9IYCIihD1V==rBpApe<HR=hfr&~y%Z1W
zZ)fE`@TBcQwQ{%Jfbl=J9aN29hVif4URI620OS8@7gXb`S^Tb(>@H=ywj=p%o513C
z9A}TJ<-h-3`zE#U?esfM67K&U=AS{}WZ|CwLHIL-KSlTrgpVM+&;GDlx%dCbt~!sl
z)A<4QJx=n&vT>fXT{ZuwuzZ|%_u%q!&r%FO58>Gek7Mu?M-cuNA*C~@50|C;3nU!y
z>k!UI=tnpOp@G4ze?~~zqDjJ5%02=7Jce&Wi1TAB&V#M^y|?0b-HP9D>+vl8eeWUs
zJ;LV^eih+E2<bX7Nw|-$0{}$~zYHPL|9!a5+-GIsTj;VlN!WtR>Xzp)oYE<T<9FDC
z-+v3GQwXPY3UDr__aLP70pWUvZ$|pu{1W2NAl#2|JHj4>s}Wv_@Ir(&2<i4eN!av%
z4Bzwzg#U?<u9Fb|8N`v!H_`b4;Ykd~b#7A(@iP$O_OlVUosBpy8|ij2N!UoY3xItr
z{l@hObIu*YsnS}gge-msosY0Cf6@8)Q0cb+!1=6_Zg*^V9v(9NtE~KOIKOuEL*4Ws
zWHr5@nQNFX!1-wpoZYT~vzi9ZW{<*IOoX%71UPFw4RV1sAP1N(O9CX>fFvz|GZ>X0
z;HgYHr^zQb=`1Im?xgdcbOOXPp?pe|&W+MZQaW2c4d*;K?KuxS-*CR>eA)S;^Lgj9
za5{e+&g>66A9U`3)BAeo?asB%_J21ygvuHJW&4Zv=RxD*p#5?C0sF%srPyKLq&)e9
z1Y!xuBrdW?L3&YbcY#deIFM2Zw!<LFc+K`Q$QPam4+IB6(s01`u<b#RIc&16x7`lX
zhjv>FlN;FPgQO#B^V+IG-f^n!IGY)y9*3=OSYHF#$BWkI)#VD-c54e*YODZx#(e8V
zAR+NmS;eU!;{dsZ<?ulHfaQSYVatP-9hOa&^_JT$Yr%@61zv<$VOe6CZ@I`4wRkPn
z7MJBz%W)R7MF7tZZ<t>*zifWd{Ji;D^Fj0D<^$%3%@3M)m^Yc%!#q3YzwhaK1ecQh
z2L79n%W1;>l#BtsqT4f&ymV^@hOjbpX?_FJ?G(HNOCJi?Ju)EwD?)Ur^n=CeCycIM
zy>I9d(Tk%jZ}TYAKOs~P))!^CVIrs?9m79E4L|;5CQKFXn~Cr)gl!1vxeVg#5kDE>
zFA;tl;Q@rZ5Na6Q8bml1p&8@<#^4spI87C{-h=U-2(L$YDW;<g6{MpJJ-{De{8tcC
z2573Vg)&@Ih5IQZ0gy5h04c)<`QE|uC_@I}bmIj`84`e$ApuAk5-9IJmj3=X5&i-p
z-M}Fo-M}H;Ei8N+ws#x$d)sLkZenmtGve6ZZP@Q^*zaxF?=4qgI?A9;6}J5r@gE|j
z3?bAzi{abp#tH_j=OIoRJ-{iW2kFkjaP0SX?AP{NF&x{q1=H^^VEA7VQpN?!JIL_O
z*sdMdF?`2-gaL$8Fx~GEe*)pB5#Eikz~JWR8Qdw=FO@Il{}HD9Dv-ukjv;v*tD;Hs
zrwO|cAbbGfT?n%XS0cO^;W-FTVsO_#5x$P_#|XcUa4*8m2ya42`Mqhvu0@DP5uT3F
z&fo)YBYYX*a|pkHuovOS5atjzBAkcNi*O=B9fLdR`Cyu`^XG^^jgX!XApCyBZ$p?y
z*nseSgfkFQvYsaFc$eWj==lI}I-LN16~iAw_;G|C2v;FofRK_c<fCK@(8$8Kzk%?-
z5MsNxe-81j2(jJUTM)-~Z^w3T$98YWc5lOWZ==(Eny`&dbAXgw08(-RxPg_otqY-u
zke+KGK7=@3W&x+m>@?wiy37Kk%Qe7nv2^$U2f`f)dl1rd2c)|a@e2{wAUvMIt&}{c
z30vv11duLE0O_&>5Zk>K+r1Ury%pQN72CZP+r4!fmTO_~zW+t|-w3~h@KJ=j5w1g+
zLAU}T($9TJKlh!2;aUc_;5^*&GsNk#Hci-q-*XFo&n<L$gmC<xTj(+i__>(xY=rnd
zH{<u*jPr2w3oL%~*AU`7+<Y(MYZ1l~E<_kc=t5{^aMN1|e~s`tgpVQYMTqpdX$|5?
zpPS|(j`X<+>2nj(=SCctjYyvxah`8P`rLRw%fAul`NlNjIL|j;fOs`RoG<sj$MAb`
zT<%5sycg;7UL2Quaa`{0#`H;qix5T;PDf~CaKqmb;(XcgEaEsW8*sjCScl>52v;JU
zjnISeRD>D^@A(tLpCEh+;ll{GAiM=(Gr}tn;(WR1EX17*e&QX3uOj>bfm4Ouls*CO
zMEp*K8H9A6Lwr5rGZCK1;I8)(zJ~BW5k86Vvj{gKyb)mn;pGS;2<doF6?W0_o+>;*
z#~UD>hXCn#1Ek{(kd8M%I^F>3JOp?REAN512<s5i@rHOxpHqdM|HHy}Qu+iO*^Zr*
zJ^`on36Rn!z!pru6ybRY&$j9(3!h{D{|5N|<1GJ~|G$BL|CE;h%>Q4R-#>-rKlA@r
z?)R@``A_}-Dg6EowEU;u|G@sg<oB;+`9Fi&{xk1?M>xNKya#{-)C0gbRQ&!)9soM1
z2Y@>V_xmS%02s>e-!bq2P_h3%R@~=@sa%CU&n3dnJv{m#kA9Lz`*^gMM|bn+F2hyh
zVskYYxK>5UfNtf{`*>7oE)Iz|^Rb(FbR&=6%cC23^d25nT5&@~ALnE5=F#;$`Y|3=
zT7W}QcNsU2%h1ghcHX9_2+&)3^cEhyokwrt(HnWRn@893Xcv!m@~G0}8(LN1WAi+!
zH2H?aYxvl99?hD*KQ2R8FYHV!N(QurN1J){1|CiEXp%=0JR0Xwkw>rR(N#Qp9gkki
zqm4Xz4UZ~KzM+FFEv9i9x(kJ!4T_2YRoZw1dIcZ5j7Jyq=pr7yoJSY(=w&>5DUT{G
zgrONq3t>Q&7Q%qe<MS#Fh9OpIFbwEy>&4?Tbmt2@FHqDA==nUVG#G|hrNJ<uF+OpW
zM<YBM=Ft$326;5Vqe=^5sMp8GDlLQ|R%sy&sM10hP`B-K<1%#T3Okh+!hk9*gaK7r
z2m`9L5MChcd|J^3Ko9chH+b~xJo+S$evL=J%A-&4=;J*46(0REkA8_qzsRFs;L*o;
z^iju!<1)^`Gwf584Cv>1^m9D=2#@aN(a-YeXL$4>9{n_reoBGD2R(yFPv_C;JnG`n
zX*@cWM^EF?DLguvM<?;9(#9JaskHG1^pvU_$K|8Mgq_DL>IHNHk1B1vAy#SQ4XA@p
zZ0AuMk6L-u!lPy$HSwsCM-4ox=TRMxYI#)S{L;7#T}0UNo}y$x-{sLGJo*lg{)0!~
z=Fz|N=vzGczdZUk9(|KX-{8@|^5|c9^v^u{KRo&;IIfI`&qDB%@_TafaV-Pm)R@&x
zVAzY$htQ8OfG~(KgfNUSf-s5@%Zp%n5iBo)<wdZ(2$mPY@*-GX1j~zHc@ZoxisePI
zyeO6z#qy$9UKGoVVtG+4FN)<wvAh_T7sK*mSRTB9L&qbA<;AeP7?u~q@?uzCjFso}
zvhsXhRvsAK&~kiUR-Vtx%7X#Na8{nr%gXb4S$RG$mgmFrd{~|j%kyD*J}l3N<@vBY
zAC~9C@_bmHAItM&dGPQK>8H<+<-t=!49D{PSe_rt^J95_EH8lN1+csTmKVVC0$5%E
z%L`z60W2?o<pr?3AeI-z@`6}i5X%c<c|j~Mh~)*bydahr#PUK|UI@zzVR<1eFNEcV
zu)GkK7sB#FSRT@c59z}f#`3~gUKq;@V|igLFO21dvAi&r7smD>efW?*d`KT)5Xim*
z(uWV}!-w?YL;CO`efW?*d`KTYqz@m`2N>wF@{m5j+!t|dAJT^p>BEQg;Y0cWb9|N_
z>BEQg;Y0fHA$|CeK72?YKBNyH(uW`E1MKB#d0_g4khRZ`^Z_q(VmND`AL#?^SuvcA
zpC9SNkM!Y3`ha&JSvsT-KhlRE>BEoo;Ya%LBYl8*9LtCF;Ya!ayKf9<-`DTQ_91=v
zkv{xLAAY0{Khg&n6tetCAAY0{KhlRE=>r~&!E|iC_>n%q?3{%oeSkj!#BuzPKKw`@
zexwgS(uW`E!;ka<wty@@(g)blB97%DeSlRbhGTz`KKw`@exwgS(uW`E13V$Hd`KUD
zqz^yR2e{n8c<e9Ihac&~kM!Y3`T!GImLBQDkM!Y3`tT!t_>n%q92(Q(d_nqvC;wPD
z(uW`E!;ka<Hg_10?Zf@UkM!Y3`tT!t_>n&RNFRQr4?og}AL#=gR$}EMefW_+{74^u
zq>lj7M*!&~fb;=ov^0MJ=_7#j0gpssIO{JMdn3-iZvg2dfb;=Q7g#*f2iUnH&e|71
z`UoI>fGs7)V|hp)0i=%r(g(a5$I{{c0p`GnWBZUk0!SYLq>lj72fWL~(j$EYkUj!P
z9|5F~0MbVQ_m2S52fQ80@*{l&kUj#qe*};|z~B<oVf&Ci0!SYLqz`a2!qOpq1du)g
zxPO5A3XI3{aQ_G(eZYHf7?0zJ^a19>EF9@0fb<bS`UoI>z=Nik4#yAaBY^Y~K>7$E
zeFTs`0!Sb53NFi!^Z^#Wh+}z39|7Dy0!Sb5t|?20^btV%0Dm$Vj{U{`1KcZMIQAFm
z1D^C_;Yc3=qz~|(f#Fyl(nkR4BY^Y~K>7$EeFTs`f=C}hq>mudM-b^Fi1Y#OIA}dV
zq>mu(A3>y#Ao5q>mW8E5`UoO@1d%?1NFPDmKY~afL8Ol$(nk>Y53uEB<sp3pkv@V*
zA3>xKur9}RZ2W>qA3>y#Aks$==_82r0S~6Jd`KTbq>mudM-b^Fi1Y!zJ1{-_9^g)Z
z;Yc4rq>mudM-b^Fi2Fwn=_82r0rtw6AIn4f2qJw1kv_mJ7E6cwM-b^Fi1ZOe`Uv9w
z5k&e3B7MMHdn`ZFM-b^Fi1ZOe`UoO_6-4?7B7FprK7vReL8Ol$(nk>KBZ%|?{v}v_
zxPJtZK7vReL8K2b*JkOEK7vReL8K3Og&5<pJfx2x?jJ#<4{!~}(jk3-X+GlkeR2N?
zB7J~4IL70ALHY<HeZXtIG(Lp%5kmS1A$^39KER;_reo#7E0KsZ`VAp{gpfW$NFU%F
zhNVOL2qArhkUm04AK;Dy(_wi?A0ea<@TtJ!kv_ny2jXnLgpfYqSyv3l@{m5jC?3PH
zzepe8O^AgfeZWJ1h+}_|K0-(z;I$3ou{_*ALP#GWqz`av!O|gpgpfW$NFO1jj}X!a
zJVTA?v3*D%A*7EG(nkpB!|8UrUDI<N@$R}7G2b$a`W{L(bhMKP>}SoI4`IvGg_Z@G
zWV)#-Mf||j(--Zn9l6$3?P38uYGr1*S_*~s{H(e<z`@m)r!8H`r99bOb6p{oXvw74
zbfofiXLX9L9jUXdsbspasvtJ6$``s@Q?pz%W>`N=H=mWZRz{#Q0+kV{j6h`sDkD%C
zfyxL}MxZhRl@X|nKxG6fBQUlRaF~BAOw`x~=ZlVjW1{_t{T2JS!3zCWd$WBB*kj*h
zKEpi0^n1fL!<~klVTR`On)@}Knrk%|YwXfbI3m2NX%yB$K?V5XpMIWxp7ifB_`GmV
zS=b-}P-^QSQR5!$FYXH(g;TVeE9vv<!rN2BQJ-J*dE@S|Hzm43xSMc;r_&~PvMG@W
z1mfXfI4+)2+!vs^reUrr$v{wSN+d&xlZyL%G-@(NP3&S$wkH?&d1=H9j5sxsZEJHw
zth*iD^B-T_S4X2y!st_4(#<XFx{CWeCepqQ*JAidH{F!Twzi7x`Be2)=~S1iA>G_2
z)>zML&!sLnkNBc>C0gNegY!@C7Ta1+zrboOqzgpyBRgOxu22=;YD-?0JJTZZCu&V6
zXSqf)4Ay)>EOg{&5f|a9T)GX!Rbs0(nF2TV>2~6`S*jE~_Gi0NxrUY$JhsqK$bt9p
zyh|jHGl1jVLe`b*$iOoUV&0Vp_xCPv_Ke9P&;$Rs=2BD`25%V5vbx~UEsMaKL0Z-k
z_rOrrwFfeVU|lI^UA#3LuWJ**UwN)>>D>A`m(TUIC9NO}lS@GX8u)}|ex|W-3@(6X
zMi_$<Vh$WD`+{yS{0{`HVn?ARo15jjT+FS82MHFX(s^qV9Ny1zL8@q-H(CeM%+_pk
zKHHH?q*$xL8+WQ196HZ(kq-{<F{}c2|I|Y_tpoy-9f`s$7fu)$NRa2zVWjc-R4YS$
ztT-|d3);kHES;d_&+VE~+sFnq;3w{GXYjfGrQCBAUy3GTC9pEkN40xC_(+GQ-ALY#
zs9s7xRKQ<TJD}7+sZ{iSyfB?nY1y1qli1N(@LZBAuz7$5DQljW%eGxC=2PJymjs^W
z09huTRn?`jaDg{|8S~drANDdHur`UU`BZy04;ed4v**gp>P)sPV{J`!rdmOs3Y2EG
zo>xbR=YsR<2q9T-x#g1LJ~ySv+mP~(ljN?Wo^(~kedo}k99UEpgv{hZ%y(W^+*eCU
z{cZ!Mat<W*xj-X@`c`ny>;f;qP3h*L$i6Av3NwEe$fiLc46}}YVfs&y1rrjKJ{gO4
zRl{Ip3afzleXjaNbKp^w=2aQ7Ej8=%bRw6{XPXL*Zk!a2?uPDsTQ<{Jw-^YYPGNX$
z1Tx99=x7V8p-rexlle^q-z~GMYa6*~T_e}Ec&Upu9SBhLC?|Dwt=wS6G;VY?$`iS<
zrnZLFr6@u<gR5)Hr>wH(+OpYNQ)7h{Kecui89`Vf^DXW;ka^x+Yo)_EiiNm6m(J$k
zX#!YPU=0+>hbJEm9(U;|z-)GTt%dG(SaZZociHrvQQTKUXV`@}n@p?b5n_O~6{%sB
z73lybV>LG!CoL=Pn?dJd&ncK&%eIfBT*)UE_nl2^Is=QHpjbd7#eHYd$W<6=9PyUr
z{EP0Eapw&x1y)9&G6KVozzM~DE=sq!R=hPCluLtN2%a`D7#J#8Y^Ks++za2D20Zv_
zGz59@x285F<6&UJ1MZj@^|^zoP{J(+qD}6U7z>ELa8o!LNdON%h2}yY{H-bQa#zX=
z+8}Y@!6(ru<iX!k@Zb|^1oGf-@jUp+#eJvJ=+oE&^wufB$QIxMvDUj>#eJvH1@Yr`
z7&m4<TzW8K;Ko7O?veC-6l}NXic?0)mBLpl23G1?o$Bt&=8}Zz7A3yaMNTH<F(7#6
zCndAG^IBmq5;Lx)*+NT+*NstLH>k!|EBR-crG|+?w@<fgXy!W!EPp1ST9xV)^T6{R
zD_&aSfn2~)(LNKl^=39`*`}s^s&F&#odq$Sf$et2tXTuckFmiD)>P&_txf4vYf?UH
zD2m7avv(<!;p)t42hXfZQ?i_4g(Kw2bo$~E@~z`C*-Q%P_jsO$9rkYuCm6mgIRE1O
zx&1bK-1bY`cWs}v>MU<ser?GcZ#A}n7k01lB*U)_KQMe*vq=8cX-*UVEIcjTCcGeg
zL+BTF33m%!LP}_W@{Q!NC6zzJuZ4@tf`3#N^5G4ze^cM`;cb1T<&_brjKGIs1c04d
zNLP2{vJMk2D-Z>C>M|OP?9^exPF+evkexa_HROu~V_q@h_W42}(u^j;Zg@u0@Aiqo
zs1MWwlOZt*?9>993)!i|Q=*{o3@?d!eZWp#LZgtKI;>!)=Ftdbrw;S%6zoTHX*BLf
zhp9;OuJ+=-Ih2+9#A3!u9Ue0)B|r4q(2{O*&4J@T*|}Xy;MqcW=oNUL6n)|~pNzx)
zT_D0R%4CgXJVwD}k+MY)U(%QAK(;EnG9Z@ClO}cK$!oKU`aQ0C7Lx!@DxQJ_Oae+?
zpmnvuyNc|AQ;@>ufh7acD3y}pJAR%a1fgABU7jX*GA`AfqS8<heu6$=3lT87bE$kv
z%q3dt$di?I-cVgrIumh|2D*vJgp66<4T2nL&^#@LwpKNcPLYOZ;tFIc%ABI&On>b8
zw!uW8ia}>g8WAxnxUCZBM<R&S)B{;i9I4LGja`=5QrtJ2$x~1ob66H8j{Ap$72#q^
zcG8MKgpKuFi1`j6_lszQ*5O&_@P}B~I6z9M`0~Su_UIQMR$e!TRpuxKcNfyHB~6tf
z1$P&4A9hlYrnv8XHq+MN>MBd_KDc!X#C+$`cA=Q>uu{x-QE}h7G*W7yar6T$2)YwL
z44ZbPjg=Ajphf@~#4x2RNn{TUB9pg;lxxJ>(;S+Yg_DIx1mim69OpyMEzXIyf7pI!
z`?2lorW1@Fqto!V;TML_816INthrsYOd|+?fyDf8zUDaLedri@{Po!V)fe}zrcKYY
zrR+VGm2hDSZsTABC{SLCTx};)@s4JATDBQ(mb0yS*!*r#_W!*}ON#r_Y>9MYx!Q$d
zM<&tY3J2YBc;P!w?y2cbdJ|klx(Y2R*V=G!703Y-o~~rx1vhJ?Hc~|*87FL|r@FYW
zh1OD!MNYUl)!hMCJ(+a=99K4<ND{8Bts?`sIgQ1A&8&Xpo8K#~fXa7smn+}Ry}0yl
zF5GF&i8t5Ho^!DauFOS6bK%-Ilgb$%)9pTXAEi=qWdtfCFxC-(MLJH`30$O)kVQHi
zghfhJE>cIxDgJsIf~WW+QxhpM0=DY`&_oI*-C$K2amPZSo#c(fOTH<w$r}xZfvsOf
zbKxoe$dqI}l!$|=dkRkR*U~6F#UD|e;u~oMu0}`7PVv{!XgtLqp{Mu@iu;z*&^ET-
z9U&ZEvq-K>^6+#yF-c2jL184FOo=t;xRiGXuIgMzYpMoT%qwUKxMChLE^nZELqwxv
zHvV%?F53==P8jWDyVKl#R&n3ebWPq8!w!vEC^2|9sPJJVpK%nzhc2dURhM88RIyN(
zDNpu77MKT31fqOIZ+SrCkaH#RartyAuROJn>I13?2nOETu%q?RH$8Ao1Qx!>NLQ+K
z${$QlfCE_4lp<{=e^ikQhn0^VQi|Z3J*)9b7~_0nW3A@~kVdI!IB{t@K@2opnj7-N
zCh3feBS<r7IZJZc=A76@WN5=Qd_c+}nm-`r;GGzdaEPvyrIb6wU7nRbJG*6LAD?K(
zb)_>mrrU=Q^H2@4Ot#?S3LLlFJYe3Sew3aq2G)|Quff&!+ColD6tcPe&{}CAR9(p}
z$Mlj9_Ky`b6lFd~h|Fg>7h+y_T5;c1bd9^G2G_U`vCL<nYM6qIU7!#K%3=!A9Yze)
zNIwUm`Pq%L8YSvQGH7(wvI5H@Vdf7Wc|*Qb>fi;4gBQ>l&ku;?=DyTAx#?UbWl781
zT9yP_OuJetv5|GTEG5wAa7|;aN7cIOMT?iorJ`ma)zwoHCwwua&6;5)azkvfM<aRb
zDDJzG9n4lDfv6lfk$}}n*Scy!29z#S`2sl{F3dK&=20zxRaV8GVJ*A)2Vz~u5$mKC
z#eEH|DH10qi}8+n$9EWB5sueP5j0ak1K^iVpY4mb-L_k7N!tS32{w)OkA`o6zx=BW
z^Yy>g+#>(1!eQZl#`S7++Joi%ulAr?XnDH9Lq0Zm)CU%GZE;^K8+TkI-#fZBvP>;=
zUA)+@r8R5_uu1m*(bX_&HQ#Yj%`K6$av>%vx~b-TXO3x}Qytzx^lBmLvQ%4pBmC9Y
zkOg*#a^%X0TC$?N0n0}_u`!^s8^W%QQ=y5r<VZ^6l%Ew%RFFN<V6ICy&LUdmwT*-|
z&&F>c<_&CnAyG{OVqhU8yAt^;A0g$AH}t?LzsXP~&RsEk?n2Mp6?2FDa2`)%qx64R
z43pU|V0A$sypU=O`1uK-*aC-N)R*GSan)zCa1+{XJ({Kb`eMI^(J|`ly|1#AOJ)FL
zUbXuL<*NPuq}j!Nx6zO;ByD-o?u4Up77Rs1+BZ0M5rw;43NMX`35<enCKdPHN{cxQ
zi<zK2KTj?0yM@NOG1fS6<OIQB`M_4pN=20ssEj~m1pXaI0Hm#J=~9W(*7rc#3hrNl
z-R`2ncv^msNLxE;2ufSun+jsn2zV%jgE{zBa|cCl)Ex^ZgYHnIDHRc8N%)^1q^%t^
z7xL)uO-Y1&Vmy#cdO_Nnr%@<veNQ26&Cv+y?uVDQo><(shDJ|hi~D=0w1Ee&j<$7c
zi~HIc+qep2#w?(euiMAtvWdzxM>1F=kZB(EE!+_LQ3{*Ag^L$nT;Je^W9<!KP+7-N
z&RVp)t+kFG@Gft-IGus58yu?5hMPVJrwkdhKLrnLM0p2{Ut6>3f*b7Nl43Viz5+d~
zFwu*L18p+i?1oE1(6+)mMK`;oV>(un8R_7cg-T6(pSKQt54UB(IUE?yQd84dozGVX
z4*pcETE`}fCEk(IERxN<4@fe5b1IX}cY!r8sM$B-t*WZtmQo+zooE_L0bf;LYuF3p
za>e?dvy1z(l=zD0BJs)UTjMsb$g$w)XA~@L8M=N*OB)dcws9e5hw(PyBuy95|No`4
z+q%)(ZN1uBZ#^4cc>k5<JI0m9a}DnrUN?N*&}g{S5Y<1Z>5_lfYA(>6rLhV>v7cj~
zWS=yGHD7azuww+t#v#e4$Dxd4S;V?Ci~UpREV?H`XOTu2^Ag?wmpsHUbOkIuNx0Wp
z2AU3ZC60t6u_Sm*bqAXw@Sjl1?~bKl0}~VBa3Yk7dxJhv-9n#eImnks<nBnVj?!(B
z@<cMkvYW?-k~I<<N>@k45=y*SCc5LP+*)_57|)k9SDVF5Gg!;IVFB$R*2-e5n>w&`
zi|qw>LTqan)6E%o0qz`AU|G953wo{@WnxgaXcseN-7YPl(K?^M4xEyztd(Ghp9JG)
zsAiSO9Bz^`w``*XS5#p0&jsbZUhp@3jBc$I7XBbWfR2C#@PN-jTO%7ADUAB*Rflpl
zT>{P^h>6#nj<)vFJ(iqRVY$CJmj=BVv2`Bkw-8h1;Y(5I$@<8gfl1Uhh|PURrZv4f
z1;={aT?V&f>N%m<KbbAJ?9N#u$jhzje3I<)kMT^ZD)uw8LbkSQ1Xx@9nLVKtV!pQ6
ze=2Qy50f8igrk%0mB|mQi~Xn2<(yrcYXlX!hBVaBJZ2CkHE+^+#r~6M?li7IvVdY_
z<Ugs{e<ID#Boi8elT4gm>_36VhOl(wfJsZ&DbU@Ve=OJ8O4*eW`2S%9V3n+*)P{%K
z_lZG}F9JmGpuxxiz7L1nemf1p!|nT1qbYyfA56sHT$=<{qOj<7$Aj@Wc(w^e;=xqd
z7mXxODfZiFE<D`6KLs4$i-D%32nIp@78-?z+xJU{+kP{Rz{BnP{NeWaV!w$-vt?a)
zpQ;kwohtSl>6&>T>fXFRX1-{kB$V<*BkAo3PN$Lsj8TblW$l`g@=G1@f_JUY>ml|#
z`SxtVlT4x6POvUcbwGgy0>??rB*@*R&=GYrZJ$A{cfd#oo-p9Jm{FY((FanD`9Shx
zNqlJF17L|t${b3ex$0pN4wJQb&x9%;GT$?hWui&d3sl}SkplUPCRVXru7aN$uAu|V
z#k-~f1qMsXEW;J3yltYNhkR`EM|7F$((LL<ar0CfGeshD300Ox?p{c(HHxdKQjr6D
zS3b6Kp<%T`<=d!Ik;?u-kKh)H{ZG1vl5e4ubxB%L>b&YW8R<(`Nke*+T2<^fFy_$B
z#0c+~_}X!zdszMTbcvN#f5M~cxDc~LvsXAx=rb4}Gu~&s(YQ+Ub0e^n_HWtu+Ksli
zY`0pDSYEUI%yQ89eZ%h!-!be5OMq()ml=YZ7R`AYi|`Mjuk81C;Z^Vn@Phibt64r8
z?aeET{b(x3M4%eI3Wuu@;&5ly<l2Nt4>_)Qx2u&i4amVjDDC1j`bl-ger6ZP3{f?D
znH%N`g>%gusa#;cFQTJ~?6-ahJ^yoy{mhW7nX$uq<Dddpwz5-WRk;gVhu~EoQ1wvQ
z=1-?hW81t&m^u<+fYGCyp<Z4kv@!yf5x@}uW_uPTF2-zYv_x+|5P&r$rdV7xTEc8c
zl~kym>Vt=o;$Uj;h6nQE?qE`Ea*ItVpW83O%T{7E5QW<lV74PP7h|?H+9|PADhe-`
zh2SQspV@CQW?Q3GFx$*^DPy)ZTAtZHx!BKqlrjTfjaGJM1bsPE*%yKI#Y_5fhO#fh
zG}?Fjp9SBjrUCS2y0S0Alvune77fG`QRvGw8ijok6n$Y%p|CGPSznlkDC~<M_vNl^
zvENVk)K6T_R$1+s4-d;*vSM4B*i<cCJiC73s)m&f%jRBAj}RmIhNCz_lnGn9RI3KV
zu_o|hz?=k#@Xs80Xi9g2bgmg>wRx~dV?GC9uVX6qp#J27qFh~Kra=6vg7c)-4q_Td
zDkM$`sPaEBLIqGaRzI46UM6#53O7ssI(Vu{MOvCn=M&jZ@F~e3CO}FGPcSh~5>EwT
zw>JQ%O5d?M6%61Tm3KppY)nfMPtq`=m=BEpqGhi7E0@h*ymY~`m5uB(&v4O}E0{!?
zI~_!zS)T+yj4sgGhA&c(hN6L*un;|;q)Q|Tzz+p+kl6{}fLJ54ZwdLx7l9kYG-!N-
z{63ZGOy{y0;z4(K`6wKtnTug|jMivT1-zg67iOHFMoTz9=2BP+F&A$u_A__FceNq4
z9G!S_)XIlUHEw)-jHXM@L5cD(B_Z;;YX_>Y(XYN}S)<~k<5wTfRp)Y5x>RVU`9|%R
zGgs_)vqL}wegYN#cEH>^`dI~YLFs{3qn*?<rPx1{Hl!$RATs;=Z?QgsthttM7AR}h
za<XQ)Ok?g%naoI|HL8CrkT#z%s_m<ixH1AC?GbR8^1{g)ui*TobA$7ys$bhWZP(c@
zw4H6US$}H%rgfj`QqwucSB)<i=jrd%=k(X>FV%SE-(=xBIy&!aPP8r%+5tmcco#?Q
zUE$2(#_ybBKeKmOz?MM6X$>9p+O?^p6=YRQTE*@Kb7r|hqOZvx7E|82#s1}VDY%KH
zH*zbL<VBqsJhr5gU|tGt<;DDJs%1-g9`JBP+(>GJ+Mw{zkj*=(EOs5Rt=G|&@*WgP
z7{|<GHYB9>Era&CW=js>iOc<%KkN@DK_DLv`xEY9EERxj`%ui?6b=PKO+J5;ywE;!
zm-}Q9AH~q9vxCRzf_nhpMrE)0L<{|9JjXUb<malRU6L&(B?g2rcjS*Tcq;tepxj-_
z-jDiAAA_Nv3WqGqk9ZDwQ2$vnTfeHr*7I3`xrX;cNf%|UguE97`WS@#HZa>!%5QVV
zi?S0^%2t#((t*4yoHn||TnbdvOAgH>cC<CyRjwEXoG7y?M^4lzaiYwi9QjTo;Y67Y
zxfEi)<NRVjGq_%dSJB1~F(*2}c11ap2lArI`3zPdjX0mdo{kzR($7i0GO?MHT=G*}
zxgnU?VeRDxTXjkn7Qs>Tu|39O|4PQlN~`i<jI7FxYfznQV>iT5TEA+Hlg4es04DS*
zB@=4on9#F|{a4c1b8%lX4l>ffg~rPEl}bQm1S%si^ay~gatWm{l)LIB4gUVcG#ED&
zJ(0UEq9J(up`RM|Hu=J0EbLCkBVKsODHV4|n<8PiFB}O6Qh`7q6!U_t@^YFB<*xcE
zsaP@`PBw-8!1OW4swk_}D`b_-zbYP^^}MX|#9}{lq$*usNgDjgV*h-)UT#43PyLv=
z$Wh%RQ32*i24fVwrOe+Do?Cf8HiRnZQEN)GOE_K!pD2(PKy4gkqf~jcMa<>AsqQ+)
zCfCJcey=y`i+W?;V9*x}z*F)Sm3!bWs3L(<y|Yoic2vD>mj$aggQMFL^G+BQP%UsL
zN|`XI#Kez6qB@pa-EyY12Z;I-CfLI30=<0AK8|xxQaT;g>;p!ac}$kpEy5ZzC&^L>
zQ6XjiktG#U{n2s8Wh$f&>n}n7|6W1!uJilOFF1EN<IW|{nDsI1R?9n<KUkhLb()f<
zrN&n6ahg{&hcu69?v;NlH1mW%3V(nCehR;Tr$3EPD1TrO0#8wCBs716O7OoX2xe=y
zatks~NqRw7KN<;(umyF|DBOa~iY<tltKk-8=C>fY`eSx!IRDM^b=ibsKl2ZE0y3<p
zz`1Vy@?w9163k{P!<cubxy%@fc)yr^)m%3iLdD$R8ahfhA+JB>jr-wMMKKhMz>XYE
zxxpX-(5A2m7o^?*JoGY(O$a<_Q`;+egb+kK<O&QN3KWQ8HE6|wH%B4>xw3vXyk-Iq
ziNJ+e64d*%%^h&Q#cLS2AxmdEv#V1e18`Bt9hp?YMZ1urcWv~QKJq$YhIDA)#o*wt
z61Hb^;1S%@md_<TZPM#$bbm@^+*dZ#Nm}gg=8kky1UKb%VzM)xhqnRi_)%l4skGD(
zYqJ|u@JyiC4Hrvbtw8RTN;VT@u!%Vs{I}2|W>)8$;btn+>@H9z;3+ZR?H0k$cREEL
zog`-aZg2ul>@!ksc(ZYJA=~aQNgv$VCU}<;FB|1elha~UUKRR4Nm1>pP%dI9!A2NN
z&W_DfiKVS-pf(y#iqbwshPtF*m!>l-m*V4<hj-9Fqpwh+ULlxHv=s6R!woW@nu(3h
zLb&sSM+Rpw<+K?t*BP!RaB;_8(4#l9d3x$+CHQBti%8NOCd^X5t;AB`g%^B_kCg=5
z@!U*vYdYWJY6TOT4tPEfo<}SYcQmXPwe6USz^Yx?1>%1X+v2Jj<nD8Ty4w)89AdFQ
zPuG?^d~C@v%bW4IQOUoYK424PM!mR+o5{A$?0BUR^PTm@erCbDo;kkOn2&B>mqefc
zlJ^}IE>4t`1^2KD!lJS-{+3orS3`@&WJwtLy6j5#s6E%nWfFfW)dMJ$(I;`VqUhXE
zQnz8Ac^q^rEJ@u)e|tQm*q@~=!G%aoDl#`DPMCs9Q&5e0QV%c&ZHzOPI12e9<zKv+
zf}E|D_6sk2&77R=>|#H21bsgC+Bn$YI{&1<_Fu!tRcft_KxG6z(jx%E$R@f-p)k@&
z6emMOaWX}Naj!QLVPukqpfJ)nbtHGYa1u<=Tquk*PLVIb;UviXL*u$_RGb8vn`k@<
z8u^nTe2((_Y=`}zaH8QVt>IUO?;E~kf5d)|J!n7O_B-o3Yrz_~e9G8kOdBsX`iv(V
zZZotQuF`y7{@tUwQFEzgvF3cuOwB}autoI#pA)_!d`7rW=z(9H{sc`Pl}87g4#vSE
z{$=5YFA3YmQu(p<OKm@>`}|m1RmoEsfyxMcpd)ZXasTnk&B01GhnTmjxPO9jbFjkZ
zu>Uya=3t$gNQM$k$*9*YilHWVFqrVVV+p_44bQhEf?~?&PX!XN_uQ;3-b{)QgDb24
zo0P?y$=-9LvUu~<k%-*{;gsTjC(Vbuk9A4{oQ3!jP4VDK#r@2r7<V6QY4_RBEQ@jX
zvGTjmiN*cQgcz^FtkPB3l;VCXJ%`*QWgN4>aS{0cXra=@k&Ghm`lP-Uq@N)8OJqS&
z8w8eFcs&Kwxj|e=%*U315Rb@0l$UKFW<*;<aO|5)b-``O5I0`v_nth4kn&`6&2@Ry
zdZ=sg`h(#*SM@^iMllC&A?MdGowKxl!6N3Jlew27S6f8lmj$gMD&Yi^;Kb@UxI@9a
zuC8`B9JawgpitKV?p4HOo>&Tl<0*gLVkwXN;!-B}()wj?P)v6>fW{IL3@%L(5sarj
z*;I0p0`ED4EKk)*3RoLJOIla8f$l%mR3|bjSsMukk-Qnbiu|86D+eBFxCEfV6!W^&
z<-5|Q+z0w{pi-JAO9ohzXViiu7-VSVMMd(FL6<){gwOavq-2WwEKy+#Kwh(EGC}mP
zRdz$ub8d0Jg&ovW?8Ix8rDkK9R7wHa2Qi&s(PMr9kR!H&JZwKR{g*<_#jA_^nc4qc
z?3Fl;^`jvVQ%<XDHjf(RiPT7E(y$6!Y*i}>iUOln&x#fI8|ZSLzzL)xC>nHr!q-w-
z5o@fImKFEw=!ERSvyW9fF01Fn;(je{rZfkXF9pJus-clmoklt?piFhq2fDRaDyxjZ
zM`#2bmP5h>&CdkqCg&Pwt@TspuNdC3wt^49d$e}zT<h6ZhvjdYpE*x;YOH_be&2My
zqG_=G$o3`Mr!`k;=4kxnhXZq);@_H<!CV21brda!G-r%8?+1|&M)ZykqMjk@fMdnk
zbg@L4lYJ^&u>0WcFR$AlixFRd^nei#xD(NMG@OLX;#eT~v6kX~7hTvl;*ElR%&hqQ
zbds>qa4!Y!&50{dawVTj(+3hMhdz=9sq=?$KTQoQfj6H8k17^`O(%Ew<aQIZ&q~!0
zqt_OAa||0npKt6Sk1=`VE9?eh<GZvY+mg+sfDt>^_s*p&<x(q4+EPkhfm|rhY>~W`
zzy*Kl@_InBM!c@~K%!Fm0^BmoY^?H94hnAMT+0w1mn(ASQrFD+u9*$4ne{I6uuP&O
zJ)k5mIlOSSe8HkQi<dVv=4HSCwVt?Gpt*qiPl9#=`BbtEt!!mcP1+2nsx%y2TH$(m
z)c#i(gHG<{)btI8bZ9iF`2~1J3PlHD;?vDdYiD1%pdpp(Oed&50GVNAqSJB0nbw&W
zU1R|8#Wh!T>1)Faor#uoYm&@V{0ww7R0;;g6r!}!4n`QDuL9|*4G+FRLC4nZYRkhN
zYAQh#6QqVHrh{~{P&L=M3z$OYf%M}d;|lE`VwQV=(S>5b2fT)%oV&#2VrGkEZGl!6
z)ryN{dES#kV0BnU9AVD7TvFm`bW6U5Q0=0zbk-JI**jCp7moP4m4vH!8-qUXp}2Hb
z5-+(?XA@wk>+;5#OG(G(mkMp1*+4?-;XmYw6++Sj3t-hKTS%Y3l1N)Y+oS-P-0+6S
z@XvS*xeJs|G@~~-DH@CWnOo31Zo=8Ca;8zCs(%r=4nwG8v~{u4mG9QkxdsB+-dU74
zK-r#sN|QGkjyEO3M7GDgexPj6u8{39cS0zlv-7gO3B~=)%Li%_+KDD1oEw=N4?N}D
z$+@3-?vO&v)-MWGB{t^x;(q241TDzyXhF80^R#N8<a|nhc_~-rUzHK4j6h`s#yA2X
zSE^RZmF#er0t_ImRWoR?v{p@<UEI(7J9puRBdbe|>g+MOxc^jIu(Xs;;0__R#r@!a
z?-Z?OF4kfkY7d1zUp&TsV>X8w4t&D51=}OGk89($CDsGxN6nu!Z!rB@?=yFqSC}s}
zpQ(G-^mntvZnphV*JOK9`#VUEKkcj97qs8d_G@=(cPZP!W6GF8|E-&@J$}&0;UeyU
zO^w-8twXK#<37a9tb+SfGGy>%9AU%Sb1CZ85ct-{M!1ifBa&Bofh!}N<52O#3YtOb
zkreKNi!ChIH80zmgu_*dRU5tV`L^QzIwmb{V^g|HyF3+#(_jv~M*Tnbz67w1;@n@W
z`&JT;KnNg?LXt-E>XyP4*-;XQIEmvpCc!l5SlPm|Wh6O{1GHG&XMxv?qb>BcJZN7-
z8@nxiZC|0U2lS?|7yb80Ur&0y*PGt|-^`BIJCW>I!ls4F&Sd?Y*`4Ftnc10dzJu&>
z$VO>2IX>d1Zc$*>ib~ppZICXEVW$L-$YkdOKbm8Cx(`aaONxPr{DgZnpG?EV!#K&4
z_*EerN(e9(@DTnemy_wCYbu9iC7?;BU%sTyVsRt!5aJ#!l(1dhkJ2;JDBO?`V#w@<
z7h=b0a!KV-f)b(Pl8LZHnLSElrO{lPI)r0yuSx<p6xVR<NVzA~7m}qfgs30L{tmFY
zWC{#8rQ8KCHfVa!1oqtNB*giN{==@pVr~@VBgcE>D6?k*M{{7BtOk?ld^*)ICXw^B
zs9*Gp5fOflGEk5VW&-dPA^LC>?GL9Te%PM~i{eeID~H0gDR(lnm(He{L_OqvmE1k#
z?c)`qa-?UF-8Fg!<r2-OM)Tkjz1SU2VKD6)g!{shdq=W-a7bEw29tWTsBB)Vr<ncY
zfpL}72NF$wsB3d_C`f%<&ak7Dv=N*SAK-N#l(f-7oI4NX_*9wARa<@y-$}`)G|1<m
zB&3qFCe<^%T#wt-1Y4<&5f99OvaP*YbywzMD2d`M3?;m<axOiVPZsF}mYlKXU2+d6
zC)mV@8IR6vY-&^)vz>9FF$kTLTKz|CsbqtZY)j>=ZmBL%FK(QtTi*fil^U#tE~N47
zjLk{bLLwBS51mJ&*^be<G7P_GS${e#VaF)jykt8@r)tM2o4#br94EhHM7?Aim(_Yv
z>+e`}$yO}cqRUCPjI!a%YK-~1LgkQb<ng91_C0xdeCpL>mwf80qm_Kt0hJNTurewc
z#z^e14#gS2u7q)=Qo11dRyjy=w({^|c~nPRHA~)y?y>CS%{`mXEFt_2pI_Tj8XH>z
zPGbG+lfR@)JHT1zTfP9ps!5g%IxJ^-(YeAN(5yPv`jw=kVO~1Qsv~A8_wjgT<&cLa
zZ(_aPI48YPkB#(pHgJ}#SW!8&fyOYpE#b5(&aE8kpsDQSXNhsv)gX@CKR2HSweD$A
zphbaya0)o|2F>w8uk8PCwe2cf+P1;=O54fSzgnNNzTfbS;XMYgVWob*@Hc%%zf<U~
z{%Tigox-1mp9o(UJ}G?iAH0!GR!_T5^UkIooqR>*(B<++idiIGMn(3jE*;^=u82LD
zH&<v&50}cLZ5eusO~f!M_Q2y>3U&)2(wUJwihUI-uQ`@XdzkMRvN7~v&j{1OZPuz-
zA7_Gs$fa%+FR5BUiN+#f*cp!!MU_A}==X=N7b=G?qcy#WDWWcWIjyGD>=P_~Hstf0
z3#BqWE<Ng8P+onh@5fr{sz4&Nu_LlE*6)eML%x1bFc6O5Z!sL`_r!hJEeC@e+Y=p;
z{%e%o4qaB^LAV6m5b@)-XfT8aJ2oJb_6<=y7!^CjNJpSO8ue}Lzvh@+nU1cWT|21l
zf_CcihdPGn*xu#do+2)5-ErAR;R{(`87-QHJ5a&OLpCeHRvyd9BK}qCwa7B_<QbJi
z{qg`|n&8Xotm0H6i82u&z2RO}b!bO;8*qOs6=C@S{EQ+9fMk{N?9ys$lZ!a(W^6m9
z66(!aDqObW)s;iCp~A@_c@?%yVdD_v66^)VnemC<5|Ip0j*C??<?gQJ2;^0YZulK0
zA~KLWr&bmb6CW!VB!~n<z8bzQN69?ko_X7)Q!9t|P+Go{Rbc71+z?nM68LDvBse?4
z$|2eQ-5z#>aef_0qtU;+smZSOP>TXB3bZKjVp0GzbC3FqvV<s7?W8e`nZ4w+Oehsg
zN|B^T3TI(KSqw?|@@BIhe>NM-q#^AfMI>;xy6IDlv$bTU6b!*bNhFy;5wfwt>IV80
z@VaC>gN)a;M8)fp%?+}h`x2hl1<j`}S_sp8TEaA+2q%3j{Rmb$=}VgDq|bVELySq!
zhZOVRqE}@t|86H1bEsDl<){)n*-)$?m0<gb+B>2GhWXrpM9eE8E;s6duf&q4gs*Hq
zpTnmXS1DZ>F2VXyR)UGBsyk`AuA9-p0)y5I56oVefoh`$s@uZ8q(2shzs#sF3HO;<
zN%F)((A*280<l;&m`rAasd~bR%Bo&DE2wWzDcUB6iR%?Cb#f4p#M^{km+ZazMewAe
zUJxrwT!lN&&a3Epdd<vPBvXzew~-%@`cx9EOm>uo6HA(7eV#ozj8o3yWKmX+dohpb
zs=|`9s$qF6hc1?vtQX5Gt0jsW)}nR3>ZY!_ZigvMHcncd!pKTowntixF*^)z(kv6c
zse!)#sI}V~wVn#Ae_yfur{&*VSGzVCwz&NIUD|%_7Hw4crt*8AaI@xhLI&FZQQ;in
zctNZAKm0D(kFa0UzhIfwWTbzjChBDxaY^OSIPI~M?DKZK(qnP7U6!yDCZ1*6sutjs
zGcL91w_)ro3Yn4zX39M5DICtWp(n{!2U$-#p7br*&|o#jd|jz>NVX+-6Z<M3{}N^{
z9CeHWolrXO$;T)_J_2Q--`NE?+ylkJ*r+`5k-3pR4bft_?~+qk4AE1d0v(W1-k+1k
ztACfU%ahnW$utBcM#?3YrcBRxR=FK^{D^$>v5sz_N=F-$fH3(Ok=9p9d^9ecJ9%a0
z5VP~vEl-ul*V*0o<shpuA`$N#1uEn*1{naayE6-24zh3V8O@K446Su{LUsXPW+)kF
z+*cEk2xxoIh7)-Ke4j?gu=!uB`cT259?|6{c@V*ol9VjM03<Q9N6a3&2SGEEhNqD&
zeY#Ecw6|HN!IsLQE9KFqV~tjL1Io9ai19O8uZ3Ys3@z;VRm&;VF(r-U21dNDx9VLl
z(`l*ItQG}Y6ljbBkj%J(?jf0E#xf$A5%VEBcXYHECBmzNG@5;imyzx90F7ZE;$^1=
zQ(+N1W4|Yr4a7XbNGj+_1!0ai5R1YdemX1pLji1$v-Bypept3L7)xfOX(>qrKV+*`
zY%{z}wHcNTSFz3TGJZ1*!H*Qpk_mn+qk<o|;P^R7C(nDBRlj9TZ-wW_?v!;9=RpHy
zUyLsgc(J_Ekm`>3MPmNe+egl=<aSJ{CFRq^HoCIFq!;!%V5eE$y(v-XaD3E&D28J!
zia8yMdBh-fI#jjdaTI%+-^aqhNTe-5EMI0NsJW#j#XAw%`7GvfncTGM{;IJ<v&E9*
zQyC1dJ&q!Zo2v6GSx!$;sq`PM?WtPP%p}Q;K6j0Bu0@Zv=&2Sx)Z)&xuBjCTRF1Xi
zsTMudqGwv%krsQd-nQOHbsc9a-GpeK+ywc2W)_*c7k+HSEV9%Wsl(*T+4ntu1&&-s
z>72%nT#jFgGoQhvly`4VCI{Byu%|fW?khkt7ix--;gc=qlvbZ!IV9U}ZDR{YV$y<N
zhvO@;xJKm~`wX@2Zc(5`fffZ?6lhVPMS&ItS`=tephbZe1zHqnQJ_VEmm&om*84S9
z$p2gSS>u+sSZ=o@jUO?-%XqKh=T%96TrU#bu<!pf&D%BK;F0DIJU;sm5}%(v_2rv#
z%W;*dtjx}4Z0@e6+1V=RHa${#Y!r;W(LB@zywKxQyVZ-xZuNZWKqQa~XFQQ`T7sRw
zP{0$5MKYdf+LuYjlHpV+8&X)>@M|U&bHsdeGGCvujXUy%+)+;TaEPgh3b<#y#JTs6
z<wsx?I+cS&)dUq&udOjGLPHz6SjLUDi5Uro{Zcp)hG@6S_gy6Fo`pkPHH$3`r=((f
z0{>OL=_xW`ZR!0|)%9Q`3S|n~ARGWgo5F)5bg5LLma}1^ddA0{S^$D;l_xi%ILw1$
z{Mab*dk0T?CAc+*Mu%s7EO`uhF4-$zNMYqGHnVFP`AU*PZC?3UNe8z+6k05<^bGsB
z4pW*k{|Qf){7_Bus(NW#+D%LY%FYG*>AUXlp>`WfGE#TsT2`~7raD(XvvnjnyQ)t#
zxpIm_zoV<HuH}pY!<riLxAkrB3kM;=HrH)vd(VNMW85SYrkYVbrnzD*QEtyHOz)$d
z@YQEsPo7(ulIXltVaIG;ibN2RVf#lKM$XEVe89-gFuNdNG$o%bR%6UJoL-qq(e~Wx
zky+?nFJS>AmDEt}NK<KU!-`*9y5B9^=VRlG4KQVd)ebSG+sgt=Y?#g~ui1tfuV%h#
z+xA`LfCG9h`$m)H!F8*Ss-ZHtn5~+cWHzX(f}v#GqO$yL)j?H15AuPews7WQo3Mco
zE9Tz<@!kp9+lF=5G2~=#O-!-6tBxp?;-qg%_TN<P;43Cit4!^a2Q1U~=~4+5{X=}3
zS5&5C<u0aH-o>evM=Mj8(W5bDW3)@{tgm(fz<u;J8iVxmT_d(y)}la*0xb&sohjh3
z-l#cASJJtD;`)s1u<MPkq-(n?YQ5BYf#p-S1C|HOE?c`zG##&dRQFojQr&**@2pQ)
z4_V(>{k6Ty_Mq)f+ns;sX0(cLQQ+@I0gNEAk+O0B36&{Xf00Q~UR;%)Jh3t*D<m>A
zmKQItx>LU~TbbHHmx6bkC+~GGexW=iDihC^Tp^Dy9Q0AC$OwEvL}LE5CzO`_@IV&{
zd6I!l3jZa+PKrhS5h>dM3kfUs@j@{p8#5$=_hZDz8f;cT@I9rNI;2|iJ?XB2VOavI
zYSj>&AjYyO)v0cMxxp$|Xnzjw)XD`gw<tGA8fhcC_HCh1I1&`2v5=UGz`tHliUz}}
zWE8rh{%|xJNT+-u{E<Xcvw>8~?~8<@$zV7v1tX&0mz1Jy(B02ZfaBA~L?5eCgk%dn
zIFTymGT<%Ax6p!1Ny4&w!R210vTe|rxd4XQj=^ez>Y$&f4%RVeSIcZtd2a(dDG+|K
z*h#XnKqB1;Tl0O}cW&?|E=kO=Rc4Zp?jiC$^*AQ;W06z`R;|&z$^Dh7?R2PJcPSfc
z9GhhE`_<pAM_p&GOvyUQH@t>5{pG|_k$V#?!KnHg^@N~eTOjqQuGa59mi`puCDfUr
zW>^PA$~l>rie<u3g^x+7EtS@}MQeFtR9Xin-$ae)Kd=rirkiKRI=Fat)<Ll{)k%Bo
zWDk373ZGyR=U?poH`5BTz5m7B-XGQ9#8tn#_pc?BZI@;#_X))TifqM%={sCZJe&r?
zU;*~gEE$L7VkkCD?WQqIvEky==JWYlUYY8pPcg-Yi&v(@Nk1`ZnLMR3B^wf8`U@BH
z`U|Lmtm|K`0bxsaadk4=Zq=O4wWbchQ=D$@#VcS|?@*l^TTv|vv?%ZoM*&Pw?R3<$
z396GQWJTcNc`B}+3_8gKwVuYX399onF_2D+X@AHQh{oXIIhBn<^D3J0_<YewRE)&3
zzH|~3)J60uHbHf+Oh*F#Xv#08uy>G+_p-f1XLav@nM=0k&1SAne&$+MnUbyevLoqE
zs(IxwzCm-6=2L?0c<XPi-?Tnyz0EpdO&KpUUTCzMZZ>>YZ!+yPt=B!F`HSX9nx{<X
zn(W4}8b5A)clFmaVtSA1E#!AWUlD56(4NYO#=n{pj5U6HP2;bj$*l3)Y2$CWurhTu
z{cPUK?0Ic(dQa8Y)#=`W^Jg3c6GbK*hRUa%?!<oLzpDd|q{oI~N}t$ck#HCvlKfFm
z6gv!0&=-w*l3{d%uoTT?qrObqAC(%}VWDW*M!lP!AwjQMF06E{V{>@ND~!-R3Nb3;
z5d$94@7c9^EB-)x+F?3BQz$^&U)gAICTV9JMPsKCfGStLoyIH*W^-7}7K4$+-+Zur
zMLq9z<0)ylAM_+tB-%L2$(ejAr+Tt_xLrNjD(z1XGW&w`p$0Z5Dy5~P-{G9vNF9|a
z+2{MXyzbl1?Np@szToTDSEdfok#J*yW%LqW_p4U(^64RSP^j`^Mqje}E!TI5CckX{
z2oi>o%hGVb4{sbZ@B3Igg!xVnGy8?cj~drirpD<cC$U#pXTLCeKNBlcvi%Nbvtj$p
z4r12%1+#9Mn{|1c)uGB%i6*mc^mgMs$zaOBDNXIqag}M=6*c?lZYR5fV8mIO*3n|v
zntVGxy3?{JY4*|Ge%gGd+~t*N*~K*b=x$%>i=~38P&yLENB1?f2=>w4Uj69egMW}K
zo9qWBxEQnPzIp8jID0DFSJ>8QpQ<H6E2c$(mlg%EQXZk>feqR&GH62~43lB?FzF&I
z<vfjHgSP9m`3N&&r94ERVuQA8WyqHeg#F<_7K2u{j=%<OS9Q>0+LG-fu*G6m&0<kD
zmcSN^U39Ss1F2tqX;Hpa+ZF{{6lhUkE($obf7UpJbsF=-=DW;S!r$KoW|Qf+rf+LM
zuYH^F0pT6OI_38c;VK~~^a%;!mBPu;2l%b#dz$YFXKFOUndJY*euTGbh8la~1>CJY
z_yQiD?a_hC!?Nt@q%2FTd4HYdc02=4zdM<ROF767HfvhUS$SBNA(R)mn)k1m%vK(j
zJq%oT9$oBf-mfgzw-w4er1C`44Icxg!tgk;7+0+Uk*psdgmnsP8cjM-E+Pd2_oEPD
zC#SS<a)-MKLSzd2e`1`CSWz2J;z`&b9fLV?;@_Nj!p38{QE4qrr&i2i4-`8i_Z5Y)
zBF;aFv9k;e(7=AV8_vu#u&_#sA{qeW^3GXiSHJ|JTx>cIQ*F3Iw*NLR?JvU?U4B*N
zVcDL%>~2o;e(sQAt$SBt*xf7T%OyBgUsHKl7Dh}kq8Jro?3^J+oV^Zw(f?<*x7&(u
zQJ_VE76o3~6gaN(u<R{D-g{}L$=)l9W7LP`(^d98na1AhVfkQH-g{}LPs0|<CrV<*
z6H57DA1)e#P>UFic+z4l4BKGQXebNEfDg-uukzkYGrcn7kA?g&eC<1-^6)OYEtB_N
zn(3Ln*Tb^tlf3uROdq}XdRRVwmG@qnX}b5iv$yhaH)T)0SvI1snQod<-!tQHbq8^9
zN8P9qoiu#WU`f>7GnOiqix5<ztor$op#fIC%GRf<@Z89LSb!yVS7m3fNqm8;)q#){
zt4@7kCuSrqlN`xO`BY&rIWodn`oy-c$JYkVK5VSD`TT7&9y8TGg^B|>mw@V8A(b5~
z$+hqd7REifGW?H>c!rZh5{#n5VJxYi2PRZ=IK`+VQZx&rzf3xua(<w;aqeDK#A;&o
zTK5K8cXvChJd{W>QWEhy3sC68`eSDS%ZPz7>7aYn#@vC`FV^9J!uKbNC{(wNzA|`*
z$>+(rz>JX6T*lViReizo1eQ*N?wO}pw(1+)gL5U%nL1bE>}j*6%$6`q{4CKUvo_d0
zn45(ZNXg8RG-sMr@4;<_9mUz=3$rF<XHThHb5aWN<x}r5j7Y4W>%3Z;P@X-dZhPd1
zFjLK%A(U|EOia(6I#-3rexYvrtF@v#je7aR8+Dxu<E#`uoHFtVI@S%xNS`}-&eXXQ
z=SZ79Y1Wk466(jZ*ai*~cSx{BUX(v3#Ke24>e!&ZN~l$TisqfV!y4E7Tn|I~|7O>O
z>k8MUuC1;MTwd4dt|czP`77u5oL_c+!g<g+<m`8LIWKg!Io-~sPOanDj_*6Z;`pTF
z1CB==_d0HMT;vcPXE>HQboSrae_;Qr{ZsbG?T^~;v)^XF+WIc*1J*mN?bd+xZ0iYD
zqviLOA6uTaeA@CM%fDORY`N3&8q269Y1wJ%Fh6g8&ioDYXUrcqzuWv4^J~r5f-jLW
z_n0@B&oM7Io6RB9M@)xIZ#CUznlu$nY11xK!W4#N!bv8J@u$Xb8b4?Jqp@Nv88gOS
z<3?k|xXO64(Q5dU;b(?#89onxh7TF;F?`gp$q+THHmoq%^ncd>T>owT7xYi)->ZL{
z{$KRh>&Nt2eV^X0`-|=uy6@<|sC!a(*gkB3m3_N?z1?R&(|(*?Z~Lw7hqn7|x7)6<
zjo9|tcG%)JzwIpB@iqfABz|Q5y7g)6e=PK`?q7AU)7_xkuN%-^qU+SH)4fu+Qs>bA
zRr|l%Bid)QAJa~0->!YV_D1cvc2K(qJ{!){uGO9jKaGDARNfhckG-_lwEyh2cj}jG
znT7dFHTPY^!>f6C6%P;caDs;icsOp@tvSD0Vym*+qq(oh!z+0>%EJN=M|e2Q!#od%
zcz6X5b37d6;Q$Y_Jd}8t;bEGGDdXJ>Lb^W9ef_GO0Wam@ULIb?!%KMB$HUz`?B(Gu
z9`^8XCl9-MxPyn=dAN;-T|C@s`s{*`u2*y4Mpe#$2_A0X;U*ro^DxfC^*p?YhZpkj
z0v?{v!}EB!j)yTGMtK<FVc23?5YqK%?h{ox1Ge$d%R?Uz*Yfa{JY2)W)jV9q!*h9f
z4i8_!!?SsK77x$l;Tb%1Te}y8blsZ!PEq9yxPpf#^YA1dF6ZG1JUpI<$MJ9(50~<A
z2@hR7bn?)_Lpu*`JhbxAVteO;P;$HGKD{buKphXYDtMXZzBlvm0UqAZ!+Ux7CLX?#
zhi~BF>v{M(9{vjt@8RLyJiLpCujS#LJiNoPZ9xc&HN(xSoB?m*;f*}Jfrr=eu)@Ph
z9$w4C*YNPwDv0+haPZ#0@$j!a{0k5N%)>wN@Q*zF0}r3);qQ6)J0AX)hri+BubsCn
z$UExN-1`ev&VWDX;m>&ZQyxCY!yohTM?Cx?4}ZYJ@AL3`Jp3OXewT+wc=#P2ew&Bi
za(#S3NO!U3-mj~22K*Wizskd}@bJHR_$3}b!^1D~@C!WrJP$v|!_V^YGd%n>51;1Y
zQ#||>7U@kd)Ey?H#-jPA#`vu9QN#C4&l^^2-(-5f>FtPOzovtx%T3!%Yp}mIlHZvv
z0gq<l|55(BE>f9ZDhoAVCQHP2E7H+wj~`nKgCkp$yT&`(h<CBEQd=|-@&#j29CP@f
zP38+nMQc?fQ~exR^SdNTc?frl{!lCs#V_Q~{K5G>Bu0GU091~n{y<3d&6Gsg_a!g*
z?t@_Hc!zW8Vxd&XmZ`M<=ui%PeK-d7`Pu?vTMA71v?pE6d(wkadWaae8_$&oJ!!Dd
z$q{;+QWK)0Tqau4QU;dts*?W^;)Z2J8uye7u!2{_L46V)P)9~fFyu6mFC;TF8K~PY
z4HTtNsM>z;`6J<IDCCcczOXMA04<ba^MyR>2>W^k;<Da5fXa=fytzV~oY2;u8%Y*(
zQmL(@TH_n+m1(D}nqgw^?j<act}^YVJ}ZDxFLyr<R|pFfZu*#Czy7wG7<SK~bf8~3
zl{or#k~ouxXRMe{C(#{Lacy<tJo{k*GCPqj=j-J>lc>sBX4$Iq<zuS7Zp}=N{hr>P
zTjdJRq{56@-B`~kI&htvY4kB&8LE!=s-1~=2^@yliOQ*A<HGfmp~|#_cE}2I^U_^M
z-e*xg)LQp-!fR&{OkH9|VQXQ)y%A@AnbJP1s#95IEfrPFWV|wMlWTq@8%m0-P*UxE
zkg7eCImTUmNwB@Z974(mlf+^}S|(=6ozD&7d_wN4=Tc)1EQz=_BqBx-`honBRECAo
z5`=mn*@MG8`F_X~<#Xv=VT|~4%t&(XM9wHRmdlr6WpkzqWCDZi)Y{6ll^!T}vNjwg
z26V;P6=T7*?jcDU9Z#0igR3jk7J7dNyWcoR&oDiuSy=tG1^om<zhMb&3e#`shK|9s
zi;FRvt&J(nAqP8`1N4tgzgy61w=!!{phbZe1zHqnQJ_VEe^3fIj9=C`j2(h0WPF$D
zMB`tKcNzB@pEUl^*a3Nfk}K*ur~2zWUpPxxs`;Dd=bHbgc~bM3=FOVhG!ytGKl1-j
z1qf-@%&(=!(}i>AcjrI#T~4?D`hRKyv>M-{K#Kx@R|+`Yn$zc~0JQQ?p<79&;M+}1
z;fNvV;GaaJnL2OxX_DykB_sZrCl*bHVfF-m$Dv#gzvJ0(Hk`?T0UCqho9X5BDW=Zb
zy)qQ^hk~h$FSD#NeH=|<YPsE1G#ne*lWA;qb9}l6^<Bo-7gbzAZ&Ft=D4tN6K7mFv
z1>x=)A@%9wX#!Ia?&gKm@5olBmr;(&{j&Cz(7h1i=r#N*YAa?QL~B3*{U3?pLs^+~
zGJWdGjjwed&FiUgDh{c4!r`muRGb(GRWq^Y!~B;ewVOHuXyDPK4+8i{7xXxQ&${VD
z0X`cwRgZl%z(3pg0m0&H0jOB0Gd^(SYM;Bt%~<m8S{E>D+>C)=H*JQMUpJXO3TA%Y
zWQDC?H&tQq*G-*a_18^qQ<(jAlRYw%ziwLF>}gd_G6+VP{WTKcYi4esrvY=_ARi3O
zbw?XLBarW?FEdRU=JM<GRL=#r=0;>APadKM1YH=_o3E$oat!0SzMx2FHkErOd=B}j
z63lJI_^1I<gaxf^GGCHL3#A-1hG8F+-Lk013Uk_*a(xjdasKIlu*f(|y~yZUfurR!
zY0N(Pc%er*QXwXe*s%#tX;cbd)q|6^%JdoZ(e3Qfr8syQOiFq8=45hUty`@l#lCgt
zRHohZ5$3k3M}3%~DzGquSJjZ=JcssYn&UJ%jaF+v*>1A^)_SqwR@=91|7m-N?N-As
z+hw+r>vC6z^AFA+IX{fs*st)v2CMKv;jO|Q%pyQSNT@prYy@x^Y1bWJnLdxMnQml@
zu-=!)fv!Ad$cDmTJ6L5Ctd3>j;nH9^NtDNqWiPC&XY;POyM(i>5uBT)Cfq%{J2r3c
z+2w{|^pYfv5Jmp2Qh6|$$9*sCU{k70pG{xPburc<>l|$M<??y=h$Nrkr6hNG4E3^h
zW|^{n&uD&ZWN59s(_O@A_AnF*Gw!R2$@elj;2VPhL^J`@>L{!p7uTxhSJ(p1=L@h0
zFhH#WL-1h2J&5~BgzAwt)g#_!%_!Ik+Cg<MZT;P%z+zAUJKr`sTeF>S&uMTdkdi{M
z_L>Yu0-m5GC9(6(Mm$+D2D7eWBpe84ZaKd)y_$~0dj{AzT!>92_jRBu&GV^D13OAp
z0rkIkb8N&iIfw!!^PX%0%Pz<;mAoaG>F^ec18ro#Lv)wLHi$Wi!M1ToKzTC7WVYO(
z+l63C62nqD;|~NSKNu6KOxPC+2V+?&2&1dXSSTn4Vv$%fosC9gnTQk&B_q*TG$f@$
zA|hi)yIo*Qvg&S-)YA)T24ZF<H35w~DpXY-gt7Os;s$~=gtnqs7#bS$%ot{wv8;N`
zHNfI;c;s&wZ6Dd@kRPh{Oh`X}h37SG+qQ2=tXl(NFXCL)olfG*ktXDj>TVv0uRwPk
zGyZPkt^-Q6nXz=)Js_25zk6e@D2*fAW8GXDOlAt>>B8s)vp!SJa`E;CioguNxQ7-z
ztlG*HO(%<9(jTa~UC}?wlE3~3SI*(@^x0(_1sMLxjSbhj&8Rpk)2rwNcD;p7V2Ze9
zlLNgv$d2JzWx<DdwcHmtxUp>z>4$*vCVNhIuGZ+mjP%i1whr!*t(b!I>7~((^Vzd9
z19{L?Cgu-<Pq~&RF+OFFick4Un!xy!Jv^ThOYSu^SvHy>^emU(9qM&1jjz^=2o#;e
z#h9<RRi<A--{#E*_BLO_>vfeyVB$%&I-{*V+Ul=rnYj)((y6Rpnald=WHuw#D9>s$
zl8|I7>#v#1`pIN=^i4-iVKaGh_s&dU{cHw9K8=V#sy@zz5!E&!(6BQS*IPCJvKWh{
z7m(+<mFab~(_SQZ(B3-x7R9ydbWGj9dsl3%Oh;+VHSA$!15dYJ#0ycq?N<i=&J`c!
zMR010<&!JZ5t`FkET^Si$>I<s8@EZh(s`BXFim7@x?W>LJ3CM(`2r|(>_;8A<xIoZ
zG_J>8qpnrXBhEKDcR0<CCmaXtf3d$0TJNs_H{kWQ71l3VZ?(2t{%ARDxx#WL^z-jA
zZ!vwrbd%{K<L`}+83&A~Ba{0Y{!LW2m^IqvLPy*zTujMl+>uXCxO2mVve<2w#;A+-
z>{vcOfv=`t^oTx>7<P;Pbw1y^K*$@8;dn?)R5mO5$O58`<r73cfk@CNT(9vQn`rEg
zL}jB==%ywrAMi$EVj$uZ{?JgN8<aw2D|d~x)bEW({2_lxJJL|0?Mk7tJZ)oz`n*x9
z5}^HFLxrwa3YBgDHCCwTg$9Q|5Z2w+K%oaJ7g|V%oIDpjQl3}jQf1W;@LtM9ig`n>
zluYH(KjG#fH!z$`yQN~WP=w$!STh4K!9gr=U^|q^Crjlx@%luZGGucDwSCwh^J4n}
z16z7c1NBT)&R2*dGX)zW4hqEyZ8#j!k2O^2I;Bwg;IpwpBi>jb02h1upEOixR4G(u
zP&HO)*c*#QgQ1vVUqgk4l|mzp4{d)4g~ohh*zo0s3JofShMFoA^JB~(Hg;+fm90uv
zU5#fI2z$ffV89>wN1LA)YRXMi7G@SrR2F7pOjH(TuKPPqUkf!OB`OOu$s{TZGjAj+
z3o{iYDho5Z6BWNQv;&O~ZGX_~16M5?OjJZAA72ys1iZe0&mV~;Dqba@wkGoNdwrp3
zBoIzi)++g|Z6Y7h>-WWAvocXxqvW%u@qBzSuRj#<Mf?XUt7cXLt5g{++DgC|_4=cM
zKp3PrM`^-2s*>lqD)vRZfmjGStcl9mN<L>dkx$qQRn}Mp`JAcbb7m9yguKB(3{^^0
z+)6&~Ch`e-gR!7L7)?}8Q}Q{jiF^XyU=(Y^@PW$8nOD40mC@q8V!t;O3dKTr#VeF1
ztWcFa-&gGOhJt7UKF}vA`JB{5KB5=O$MA=osGO+eb7JH9h%qnL3s~GGD#t7N9N$Df
zQM&N(`4g38N<Pb)$R~oue=romY_LShXGs(JguM}{fs@(EspR8qBA<{qLUusN$FAgK
zZz7){@(CcPM8&G)V{IazfHw;HOEKUOY!H^bXPN5^=QhWy?QgQZ$NG%bW;xp&FpV1D
zY<R!^YkGt3T<tC)ueoPlzw_Qb&vxTj<;s&af~6bj7L9<v;&F{xqtRLfvqrDd;oOOX
z=8=(Pu7o2a_}i-*b=MkexCEhqHx`XV#7J!lK8C@tUknRZY6aofi_B}8)K&_lX~gkC
zZPRc7By0G)w`a3Cw5WQz(KDJHhyBn2H$3^`IHTmI7K`h*Qw)od08SK-;*)>^Xk;+p
z6AD_b_LGa;&XLM6X=cYUn%P$<4rOunPvrvOn7vr9Nq(;gNA1|F)-=iQ_50zRJ}eAt
zb-K4Na+4-1L!?Q2>NZJs2nS_s82C*n3e#JwCY|FW1)L8~)N7s3>+@q5?yGH`&l@0b
z(kBdQ_4@sb+`8dPj<habw{=}z9q##eK@kJWCr0WFHLTBY>>7>;IjzCayT~m%SQ)6k
zFH9k%ZK_FR`=~V12NM+JOp}RfK|#GVDy4JT9Fevm)+i=SbzWF7=JiE<!9Z>Ekm8R8
zgJM(|&>D^BFLLuHg^EPlm#h26s`G?Tgj>)-iTLb*>V2{_<nDnLgjC@`0(QRPfYU8{
zGRb=VGKhs}%ooEV_~=oG6pT4crh=q3nOuw9%#li(w6gw0GBeWPXJn@&J0#hWB+>QW
zT!g+KC==8)DS}lcOqYm48cq7rA~)$(l_Y7>S#@7rVuTt)c6TN&sn-N7$HUN?h}JeC
zj3)T~{*aK=n$7>U$W55ERrZlKTvN9VsxP$4!hPqAg?ku+L3f0yds%RfeCCLpK)nWs
zynz5XqqX0&Aa)e!ppl@kPiwKfbFmvNR4$u+w5b|=$@ZP@>N`|5o*gQ>iJWo0W(G0W
z$3oFq?R&+BCm4x@W5Q)xt95jdo0+U!N?N(P?rW_MFlwo%?wo-o26pk`Is**bEuRlB
zQMgoVvu$7GRvfJCA+5Nyek*320BxY|h)V9=g*^NpU`<6tMX(eZg&CrHFUjvk3w$BW
z9!IUMf_^V%#6VOO_Gs<)$RalnYskK8U#$JIbtzU=nBgWj8Z|;JI8mofY+*^iZ)j%S
zFB}#gVf4m2ozaJO2C@AX`m_$msf*oCO{JH#bD-{fZ0HQN-rE$xA;FAUyYLE%-jE-T
z+(n@mt^D~Sw{ob`LmGKO-A1Y=7Va3oPJ03|w8tN=^T9?6Y?;AZi_oKWI-gkN_KZ}z
zNqg#luvP6jTGOpwlgLT~TrBL)jv8<Q@CZT?Nb(8YS{K9;7WaVsU}ZaLQvLaayq9@6
zeXrL%tUB<%>Ws5M#2bPEx~N~+u0_9C<mNd{&udN)eyDN%mn-Kw-9BdD2OIb2+U>Tl
z+CFZ3x9M@y?WWzP4W^Tgj~gF0zRqx;@Wbk_>s^Km3|adBc43dONeDst|DWT>^t@hr
zNwxGQ=$!OYVXiyn(?FrGY1!h&zA;qdSWHJ^n1oUupD!wTf)Rhplggwbo>(drNd<$!
zblMl2kHj(imX+WhiJB#JXNz$DSCobekS#4qMQE_iA#BX74yFskZCkf*ZIAbOu=FJM
z2pJ?I$Emhq9N0_6wu#|<+ji)t7Q1>B<AiicH#$=GB9X~*Rs{uRxjHKPyS^w%17jm?
zV<TWpL5=I6l<^Snh@SoUIA^G14i5}0W=gQO2=7YF44Q{E$y5Dcd*Ef!Q=pt6PxXWC
z!CaWZzf=U9GggD0v^4h?_p0q3?H%s+<jBx!MQyfSniz9$kVbN)weCVGogoz*9z(4r
ztf+~!&W$BatPL{O{_xQ{w6H8G2J30Rku0!{+(!a9aOGm5N{nQ=43ClCGSU9#yp9k{
zmhcIgmSlZ4IGK_L3dM<a?ooN|zmE#i!Mzl16C#NS@Vcs(NUP#~N`AbAl^b<NB|{<-
zOC^`DhSEui*u7lmrumQr@&g&>{!!xTi@Z8)`D+vi`=Ne9oL|;Yln$h&+5J6TO-KOW
zn5A{@b4h2IOZTv@Y9A9&s}-l69IH(4qGR?tW^k}i5vN_)uKf4x#Pzx_gi&P|aZEh5
zkBFzrUg4@S=F2M6vO~DZ)s*`!^t~|YRO|U|Wbb|9`E8>`=|bx@*Fd;%2Nm37!i9Zv
z3Kwptw^nPn0vaIOXbjT;>C<kQ$K185GTlX=lBJ!5zNNE|Unq-grT6Ao^No$o%dV?*
z?|Vso!djJWQQ)7Q0?-`TL<fCUgO*rYiHMjTH_~V}|MbG0=X8R`u=%I=G$|9xMEo$j
zl8t7ASc1heo>Vdt^N9XzI2jc)kzm9J4TKH!DW-wYyD}7xiOFy*O)RCf(<G*W(5uow
zh|>h7fzZoqAi!qJdYXKKJWcgdn=LoIqB4CE{j}Z6R8D)FUye4UC`&D>%!3s3S&dSk
zm?d|k;^K3xP{|hvrgNc02HV_3_oOshkPUugofaiVy5T|_D!)XBc(9B`XdO44a~dbW
z>L(3*x@@7PHc$`|l|`dUdVOY<h|;0J7Fm2HG_^Xl``k5Zed?Koo2;ouk`;yOrWamw
znm>S+z=gE`R<#6_C0L{H3WM|lnp1U<I$dAUY+i^N4LP6B<&4vE%_|$rc{fb=y&d7r
z2wy{Z7s7XN=x)RHCWHqOUXSn<gl7@HfiwfI-$M8{!VL)DL>x*LzK-y32)7~p0O0||
z>u`Mz;rj@m14b2vM-ZS=BD@pf-3UKMcrC(@kS-uV9$L5^;SPlFB76_wR>YeSEC^O$
z_-_~fh5+l$!ea>kjqqiJyAZyL@K%JMAbbYlhX{8fya(YB!W$57M7SH_W`tW1?nSsC
z0ZITuJIYv&>k)*52(JS^1y@q{N6}FD)DvO|K7<6q4uri3g9uL`{1?J&@C=~|p(p4-
z>GytI2`wK)Aay47`78?`#PvV$458N_5%wc|2;q7JLenD%e`0@=`sWaa5J-FxfwZ%L
zFp6*`!U2Q{gtsC5l?Bk3wujK=9SDT(gpLm*JcsZ@lz$SgV+iCPob%B4cpa{=FF|QH
zjOzywu0<gA_yYo|?`;UAet0Le-K5QzAdvQxkU_iy*FJ>%5I}paT@FGCm;~}ZmLQOK
zwUpgo!Sw{-S0Rve#M5-pS9mqT)d(b>gnJOkvsWR2ZuA|xSR6?s@79ZW64!=sB7z@b
z5+Q&PMA(2p=zS_e7QupWKD%zj^&tcafzaRzgggQ%kJN+Erb??H;BP|5aRktn()Z`M
zK8!%#Df$ud%_#g1;dz9=pk5#x8BeqikoQX74W6gttpk650e>5D%_4jW;VTG#MjZMj
z4TPScF>N2(p<Rab!w82EKo?3!(37?gag;s=V3OZW2qFUM<NYj<vd&<Chj1k{IR{}i
z!de6$0=YM=(P&5;$h$cUf1?l3_Z7hvd1%ltH0UGbDy%~wWn74W`U<@WI}ylxzX+in
zfz*Zck;@SJ5J*4jLLm2%``?GqiEuf>1IYJF2&8Xk5J+DmX}CuN`f0v`@I{2D5I(`K
z1e5rWvVix}`e{+1MS&ItS`=tephbZe1zHqnQQ+lG0f()qIYDR9xPIdLjO(!Ljjp6?
zyDMso*-o*(-FlDZXXf>0uX&}(uN&6&=z_Xabe8I`_7~d6wGV6k+CSKe$fWi2PeK9h
z)tVLcn~GlWk@_hwfmm?S3TiIeo>Rc{9-%Re=e<Y8^B$%NjOV?F=Xsx4na<PXQ)Qm_
zp5?F@QqI8+)=ldx(?hZtMuDX@&G+6pKT$?1e*uGYDaq#p-#_KYe@QU^W63Z)Mn+PZ
zNIEJdlVM*29B(E8P;!G8U9MWzB38cgP<hC^_sbHMvh5m}Js=X5#B3$?00*0nnOv3{
z<}SNcZOA5v;pR;$&A}ZfMxbDGK_WJOQ3YyBl1f~_b7iRwEb}ptd7^E6aKZzBi^Yk;
zh~y~^7RK@!PewM^;Moslq0De@!~;gSXQVLRpeZ>iBl@INHkFRSI9w_vB||V4mklB|
zl?`Q~_TYmqM>HrxGY<-n>97<^B~wyV5~HFN^d*x=o01b}nC@z$uQOct80EVA7N6_h
zAq#a73FR573MM?Urb@NytCrtvsg5ycVpqxCvpK$Ddtb-)9edmx5?d3y66{7uN@Oq&
z3M1<vtHVS%tWdas2Sd5c`59!cZy`BOUMs976T2JxAq<2eHwxRM9=GHj@Dht1IMyG9
zi9T4CNe)QV*62VXpCN`+X@nwy!j1!~L$;1w2JEF?A<Jd3!>c{Yp}?Ya(W-dHF^r%s
zeCNcJnB%5IB8M@^#h9;yoWua7#*MNW5@F8^6U2b16y&egSv~G6$1sTHo<aZIS1K1V
z^sD_-PIj-7eXHVN&qs}U;nZv&(FIwj=+pIkm_kgy2bx;Lg^~U?XaJFpQW(K>72mc&
z5f_@(Piu7u%$VV-4g%`5mGt|5RmYz(=fy_AF>Q9Kroy=-(^V$Cd<~oMnmnU2ou%)p
zA}jn0d+G?aEZ9hD(p@R~n8fw56{X5_hE{u$9cS-RY;`T>r)WiGI!!C`3ihq$JdTDc
z(<z#IDN8lZ^A&0|x=+3Y)<dl-wkXh|z^oL2D9&Yc_%l(QKH2FJCa-?=<kd$+aW17X
zRZ+mx<|7RaQJlT>DJF{3w=yCIGnp9FtFSG(geI|VNuO$4(nk~6wxo~WmOvC|H%(@u
zIDJ$U$6*}T*oCCVbei$U#;+RtjB5?|nR5DH3rXY0jfY){>aX#B<1NN<@;gHk9?irr
z{9nd*Yd*B_xxOel-UO?-SJSW8oy;okr7z(H()J=Oc4O5<blta+Ro1HXFqNAo%OEOb
zT^f|~R9u>m*_SIxRNtE1S0Zvq1St!znb<UWE-kO$s}GFxP?7l|w-%*=(*9z=&+b)n
zteSYG*}?uEaU)*MuQ)c6$>)`4-09&`d9<21T*_6eN1lxwBne8kh=H_t5hk1wE1Qp9
zwQc(@_bR%L*hehD62r0mDzX68QihAH5=UJMxj~^5sfZF04pys*sG}%_7@k;4mPp~~
z27DChNC|4H0al&!s0vimPRU%Z9!Ex69!E*U$i!r=QPFYrvDe2;!CTfpRV{-Xw`4nc
zW@Y*+c^NF*&k`=JvkdMSE0v*Kk{lg{h6dd$P!0zAo2+SG)yZ%tGZ|u>qm<7L48qFe
zU~&ZeOKdpl4HIs1x7WREVw5m|@)O{h<VtS*qn<8s8xiqyLzjZ&Lms2@fB9UgJc)^8
zLat_Y;!u{o#AzDoq*RvA4gL2dU#|(om9e+2vRq`%45?Uh!$u`^PKdF3H`(bHlNine
zaO^SemiI>Pqer+KiXzF;LJqnU*y<giUl1k|e<=*zmQj^)_a^APj9|09et3ZV<&Uha
zOpnuBSIev8OO3n&u_>lGugU2bpV(K^teGI)rDRun4HsiZOi>-PhkS;wq%qYk#A)+k
zis3UnN}pn%;XNxe$v`F<Nv4CQs~U5(gDM?VSLsqPQB9w2k_N5ES`=tephbZe1zHqn
zQQ+@Rfyr=X`Ze-Wjd24nRgMIhQtU8}CM4?Es4S%iM{?j^m)dsu#6Y;sT4nH87f)WM
z-kB@3!4qV;M7#&#Bq-G8^S8<CUwJVl>wwJrX@87++Alw@KSlFS-C>REeXfUb`hT-)
z!gYn~QrA}31un1abk`D>;QW>Id(JOAKjA#+9CG$MyPOv~+njFaQm5AOYsdE;UvYfW
z@d3vpj(Z)qI<9hvjx!v~96I}N>_4!7)&42_<Mv1G_t|f=Uu}Jt^#SW0)>m5t*0ZfA
zSdEt7TYhYL*79k~hb;eYd9&qC%WEv7mZW8;rNjKZ`8oI(_>B3(=69RlVt%dpTJx3W
zl)1;e!F-N+x!G(EnLc7VWO}RVF4Lr`XiA%QnG&Y3>0HxECX4Z>#%~%wXZ)kFVk{Xm
z#$Mw_W5l@1c(T!I_><vhhHn`@Z+MU4A;Ud}j~X@^qK4Im6$YFB&-$P1zpej*{t5ki
z^>5Svi+)U>)%WSI*V}b}(fvaA9o-joPwEcC6T++P+hH5QXFt<^oLz7Gt?h@lui0+5
zU1J-u?X&H$#ch7uS+?VC2J7#vKeB$^`n2^w7W!A`(Ee5XzuF_(XS5&FPHEq+eLddF
z`<?#=pAENYZ`6)!2eo^&TeRoNZ%VsXdn!zR;C%^yBQoal575V|f48nLMG83e%e6Xr
zS5?s5zn6!5cz6j9`*^sUhrK-9W!SAbzgYsQvKrRhzm11oJlx8|?L6GV!%iM<=HVtD
zZscKthZ}g<!NYbQ#(B7&hZphiLgU>FLb@T%{ZUoUfDs;sc^KnikcR;t`g!Q%p~%BF
z9(sA`;o({yzLJM)c(|H}t4yC=5Ypu|_n)cC8So4qx_NjO4^QLasXScC!&7*;f`=#b
z@FX5C=i!MwJb{PD^YAzxF0+^xgmeR%`|YZn0c||A^3cIUGY?HXH1g2ELp=|5Jk;_~
z;Gu?t_x+8Bf92s{c=%^)`+|^8(%koZRnCCF<Kb_4_!}Pniif}C;s5dQe|h)|9{!w%
zKjYy~dH53^KF7l!^YBMJ{Gsjs1tDEpbKiGWIRhTy;dglWZ56yybN@jePVjJ?hx>Ur
z#=|lXOFS&{@Jb$z^02_e5grcnFwesw$3+W5SS%8<s+<8O9%gu$=3$D5m-BER4`0Q@
z%Xrw&!%I~Vult)k{C_<B1`nU*;n#WiH6DJIhhO30mwEW#Jp2+5pW)#bowqE=J4$Nq
z`;01Qz)$n=X&yes!%y+>6FmGl5C4mYALHSZJbZ$OALZeH^6(=({4ftc#KZsK;RjtG
zUl2;})7&?$${BEqhlhFiULHQi!$UlLHxK`vhwtLyJ9+ph4<F&-zwz*49=?NzZ|C8^
zVv*kTLfxS=YfjO0YwSAP4{Q(EZnbq;p0<3z@(#<{#*pjBuBTn^alPKP&(&o-P5TY)
zhqVLRUhNu9x6y9+qv1XF4S10LYLlAZYCAL!Lbv$3U6m;-<%QhDL?aR};qz|QsqRq+
znh+aw*Pi@#^snphuZkP?%ZA|t{(k(dQ6HAp+}5|fFC3(|k;73w8QJw5=%I-?CtYoY
z7XazNItW`2z)eYM&;vQ-a>=vCN~Ip%Dl3~^rCb7sgm6|@guyfzTvHvJ`Wu!WJhw7s
zp$Ay(^e<88&{XlZIb~L#btP7GSEfv~Q%o+Ex2_50EVDFL!r5r90Ee0E=)Gzd&W-jJ
zA;g;-!2zjz492mCA-xItan_s_l_?`Fh6(5;I03yil_>*FO|TM;bCJfrM*B#!o88uP
zEegC?6xdjqa?oDQ4ALYNMspda4<R{CH6r|?xUVpjoY>bUdopVC`C@RD0lTs=9O?7>
zLU2d!tW4RtL5g$qDH|7KKCUvQp)qVK?;x(KW8w{0R1P1Y!}&JZ8>rCHv>wYgsazU#
z?|`>g_r^jIf(b;Lf@-Y<{C+7DlhU4SI+^kWvtbwvO$LG<DUuE+rECyxaDuQ6Da!^?
zwSo=IB-04Zla~#K_5s{)jzR7r2|*>4mYpfBC{cwJn4zyKB2<~`MCLw=`9_+MC}D|F
zrnd4R@n-KS!c0@Lm>y*8d0$&<Vl-JQq52+F00t$8$Ssgrr^YH_?sKqM7#kS$6f>iq
z^4Q3Tl*g?y6JBMEQ}ng@WAzL><zY3mn9T1RF6@_vrI9lIo+u`qSYzk1%83_OU&$vq
zRvs)A*SR?z6!LjlRGXb0v#XrQ?++p;QZbu^Cmiy=U={Sh1Qn9mA1oL42i@`qwZ2kG
zT}zu=C7i3^gAQA<R0#+&HnI{x)mG_jj_t3h93GcHUOD+w(xD8x7pH$XD~I>12WAI`
z>ftdi#$0(#<#3tS@`hnn%a`!FYc@p;+B5pGB4Aykf2MErlg`oamV3v1+@x=-JM)Yd
za|NPDw$9zSWLd0oxJ2Jdn!SNKOQczQAzmpbv(&L7Q8_HjEM3L2Q`SuK0Gam$x1w@b
z7Gq)yr4DYPbXMiCtoayW#Te^S24A>Y^geIYSEiiu=U`mUBGL5cV6HV9{VGU)STU4R
zei$-LhCIPwD&&d6hO{RMv&flXBn36cVEt*X?x&*p)#n_Vij97X>rMA_+VLxsgJZ>D
zA2)BSJ|!^Wj4$M(Pvo6Mfez-6i7`G!;8QloS5@XBnuO$s-KuPbNF2;FcdS$POfy@i
zTJ=KyHnwG&^S0{NY0bH^N$7fC3o3j$0wGMfvex?gg;g`nb6N|;5Pl6eD?{w?uq>>|
z#11=7o6o9ddF8My(8$CNJ66I=T{H_-)94A6!&lKFnDl?gjP(CuS-y}-|99}x|HoGj
zPtfO1W`lgW{Izq~Z_zB#-KMdZ?7Qse+1<9E*uHLi5;g$VI6vilpYvMXZO##AzvK7v
zFXn)2UaXaFopNk2)z<oHQQ+lCfxCQ_DL4I$KG-b}(oHYn6&%kwJ4yk9FwbUL;;rd-
z59TsZ%*GOqD)i2B->Nn7O+)cay!~K&QzE`M-d-j+H4q<&cSK421c^@#kn}zAz1_eZ
z3vNyFlAQ<l^zAGs`+@^o13M@7^o0)Y9o{{$hN>rY#*^LcVtjK~d{1}#P<)d}@L0Sf
z9^X1n;yX$F7)jqd(4Hrl&wa~iX7jeey_<Zasa$-2X7iT8)X28sy_d+j?-^(xjc@Lb
zr^nj|<D0tUsczs+!FXppzMsYqkoX`;AC7P8ji(3r-1iLU#k7CpP^vFK*4Ysg)59Cb
z(*C{qw48l>Q&&70Z}*WblH=`JQcYApOtO;i*b;BQBED%Lo*|9cREl3RPUtigmq=sy
zvbJp6R><^)ikAeojY`Av<K6K+<L!m`=3YYJVtiwi)D$f$fY9<CJFiG?-aVG|#SSJf
z8O`%K?(q-$Qp4qJ+Mf^aWi?Jj<68&XH^etZ2{FbALGjKGvYPKFEs^gWitieakHr&R
z@zglp`Q|u?Lta3aTm|y{QN+sc*gCXrf9jI<iM^L>JDBW?jmbInbhqz_cLd|z<L$^_
zjHhXz0kIh^kpCDfw5K;Z*6oj#)0?;C)1X7j&$npTL})|G?;B4K?>>lD?N4#7+D7P(
zR^iol#-;A|UF;R-X%A%ttF}ud?M7b)Ne9|P@r_-qFZYrTS3c_9kf!<aslM2Rw0j$R
z!R|p;a<y%{x<MPX4Q-i-Zyt*Gvd)V#(7{C7JY_YuhBR|m-|liMuqD)sA+fh_V_9wq
z8n|t5pKpJ9B)<!tIlre*jt|CnjuYy46DrPh2%b8j&3iA|xq<eFDqYf~l_GhIGyPOf
zLoe7&=!FrC-Z0Zc`7E~%W%8MX+%e_ncKUaV-Lzv>%NU6F4zzEKClc|Uag2ckC_K=<
zDUP1DZ6JPh)4St6@%Em0qBq{%-JT#l8YJ8vPwXMx%^%;;&3eMl&fcNj?K?Ndw(J_(
zyJOoGa$!9iw`}b0-I?v_4Q<+WaF57Wc6YqJGrqAizO%c%J)Y<$gKbMZ0n!bi18&$8
z-^TLZofz!d*}E}uiJ0HMb13TH##$neg+W4PP_1XCH&NV6s6@vAod@}%NteiM+TBCm
z9j?7e)w{!pAtMJ*f!29a!D`QwaW{E4m_=#N8#=1zZ6lpS+`D@V>3z8FERdquXzmW6
zhg`BV-#bkD($4(uO@rk2A-O&1Db-v>k~`i~wU1H^a-k>D+R(|7Z&7u8&_3-a&&#=z
zVSqNW35wB(j-w2n)99>@K`0kR2P63`@R_Gb=kJU8Svx>A)PHY&%`s11W}I)d!@XrV
z=$3F=k%6Df9mMerb=d5_SehVSX6Sha+q%2K0))+*8J<Jq$1-5io=6w=)zdb@q78(>
z%RNE86-i(#GIczSVOx>JY4h1iFRx4;N1tL_k;F=Pi-!_aFqt}`GPRT@v8_mAW-Bta
zgeI`9NP^#rEUQepXfjhoPEbW;*IS8k>DJGSLxE&v>MWV1$t;0vqAbmIZEb|32_s8`
zh5WEon&Ejv1U=Fw#@hToSXv@nZ^GsV3*Cb)H8c&&9vD?3o?SiRphvdTQffmVJd?g?
zrm44yoG_fh#h9_?J)Oq%uqAIDme~#o{4SYQ>xOTHatYa-#$~f&UuEi4xji11kHRY>
zwNed8RykQU5+{rDVv{IEvO`GKh~-A<8I`G(v{0rrx@qZ_!r+K|YjQXR^<wv`BHS#m
z-ddSDMXra5)kEc%r-`Wny&?JH^oUj|Eef<K(4s(#0xb%(DA1xnivleQv?$P`K#Kw`
z3bZKjvZVkVg=x&XBO3i9`g`;x{a*b=dW-J&x+A(N-9x(9>R$V@ZFs9;EeiZ2Qb0I)
zL2HHMfwh!t$&Lp$k>i0VIUaZ=$3Z2>18ZmuJ093{TGk&<hs9XH6V6iC0Y1McDvDW;
zm`$gGVHmv6W<(qhtfo(~<AF^pQ~m&a)uxhR91omJli2aVCe`u4IW&PC4{WMA9(V;!
zX2%1Y=<&cCdMZ<AQ_kwUtMN_C7{0K>8sb8DKBQ?t2yvlU)U${rE-Y8Sp0J`~i;x#e
zhnQk?Moh5|yL^F#6WO6#)k3@?ZwS#uUI0awP9)NYYAJMxFjkKPm{g(Sr(h;a^#jVu
zIg?{-LL_CTCe=J<l}o9;wFx1W+DvAZRH?nS39*$rnanD?QhV>5f-JSS&n?wb=YC$a
zrS^t7<y>lSKT7DO_6A<^r8b=iCmd4@ruMO_?8uxlF}07?5saz5sVYe_x0Fns=W0b}
zYHzBQo2k8r(d1Y{G_?;_sZx~~m`$Rl_Q`r;HMMtDDRWF2n>vry6SS$lt&Y@9?M<_Z
z;MCr!mcyw{jVI~~<<#CdtAtLSTh(GZwaF@(o!Z2B;#dMawa?5$il_FW8j+sbTWaKc
zYHyi`kWZb5Y9xMY?@>fy<|qDBo53tHK(#kEDiBng!)#JPwRg@cB2?$rM&*TSv#3r1
zDxsm;n-mG6+N4@>qS|}v$QISPNf9urO;e<e<Rq1@LRFZEn2A=FB(o?g)Cfydwc7?^
zpSsqYk;C#uja7TP#_~4H^_HOZW9EM~-e|qudeFFDdwTWPnz1IVYpqL#=PX~e{L%V|
z^(U}z_jUC)g-7a?*58Xn0lc^DB4w@0_U4t9sdaSQbr;*MbvD24>e;+2?(P{)j*mci
z$jz)IxT$a)RqYZ3=`_TeL!Ll1mW8jnY}AtqMl&9tFB*x8kyzH3PByTsN-9OD<#?Fg
z^dvmV$@T>xq?awi(t8)Fo_CflREh1O%0-xkmojiRM@6Hq7|Tz1AQ}~FQ{;y{gD}d_
zrs!tD3)Ns!%DXowlLHI9+finMna#-#*mWN%s}-_P8)CeFX10+NYj!SGhXpe?R`(;b
zZk?1HR2~QFJg)LkP$#uC$X8Fv6no;?lHj*smWR|H4eAuu-npwMzM-pg+roOJD<=mO
z#c^itbx!TQS$E66h{!h3X*ifbzY2Inzef}UHL*w#eSB=tBjO+Kt*^kg1HRLsH0v(G
zGXORJ-{#H~;VQ2PWm*^s$V0sxI`k!$=jI*CjdOoL+AC8r%B>lb<=r|t)#&*Sm+Mce
zOoiz*b2DQkb-sjEUsM_^>H$d&$guH9HCt3FGRJZmLSG9R8?vVj)rey;s!_&b<l)0W
zbu=-^M$l2Ysz(pIac0CETLgNp>HURBI8WLuQz6<pDom)dv!0OXJo~r0XE*7g4nm#*
zTA#^keH3BSroK6_W8<e|h^c3HE>(XuV8_NsQ<)u`P9yzN&GsREi{_oG@Ap6OpI|{p
zX}g$oa3_%tj&Lz%>z6fWAFBy?D#$$rEp@}%V?EVMZ&9E{fffb+*(qSvAJKU9PiS0E
zxUO}rcWInYIInfCcWN9@IIeZ9cWCTS*sq1vdyVZ0+qJg!HjVWO>$TSPR*mHe%e9vE
z7LEA{*ymqw)|j3!U29rz(iopGUTa)$)EJ&HTx(cw(7>wxgNyh3&;IsW?Qc=w<xK%h
zPwu%|c)BjG^^1PdBl<jI*e&|k`TXm|h&L3DMgk$>4uiXy=fmEx7!8O~;WoqN%{(7M
z`C?Fv2)7s>Z07l(HyjKELlNO7LsRV!c*EeB1x4WoV^i(-dtodv;PVUD8JlXq59P;#
z!H_U%Y^wdDHxdYopx<kZjkn*oE)?@dLZLt)CR}4`y#07S>Wzxgpg$&DWoo?rcs}Bd
zM#M-cCQO(bZ$F+7d!x~CG~^e?O-;2w<c$SGVP8xbGdI=#Af6A1p@2{_H`V@tHx`Y6
z0>YK%rrICyieWJl2nYppQ|<SA#aKubL&C77srLK4KEFR4_6b9lrrIxheL<fXi3mAM
zGwlz?yuOGp7>Ec1mS)-?jC%bsSo(|za9rE){Nq~}jNo|;-=L7THq-uK*c%83eSxTu
zv^LfLkQakD7!3&ftWC8)=nbF)L}S8bwx-%2@cJ<Ug@eMSwx-(e_XfzRfGF&-HPwC}
z=!XWxgg#qS?H9d)Sj_MD3BC4a+8>DFd4CxFr^nt*`vXyLFc=F3!a}#bnf3=F-XKax
z`?uShX@4N>4f(}j%qMg?nrc73-{?J&sBp2PsrCo){r87rL7~&pRQvJ$_61<bP}t;X
zs{MX%I1~(H{3V=CwcqEB_{CT-CUiKPYQN|WN5z0IAjF-`wBL{KcQh1<Mum%<&9vW-
z?{_fl_xXeiT+OuKA3^!C7}kI1xteLeAK&j_OpHZ@n5(Jwhp>LY2S^kmuBO@_B<lx%
z#4m)fc6KAo`eQX{u>U`zaUF3z=(^nHb{=s)=)BzNb{ug$=(ybBwjZ%SXulkG0gu=o
zv|Vm<TaQ>Dv|es?TaH*Bv|Mg+n~#_uG+%CZn~s<sG+l0T8;=+tG+u6W8;%$rG+b_Q
z>yIqf@2pK~CA28eqCkrRlmfHy2O?PB<NJEMVg20mWBupD-bgSahJ3=UhHIO7KI9F@
zM1MFS+-!KFndgJ}K7qjz5^gkVnt49pjrwCD?9Z<^Hr0N=msB6$r;4$u_WQgse<X<Y
z^|i*P+Are!=nG<h_i9t)?Wg>Km@gc|`siv?<L#&Xff(2`zL0Rx)Oh>p^P=B}C6;i&
z)Oh>xd<6Sre-Qhd{pP0HAIAPT76|)=vbm}DhrD2q#jw9Enwx5W&`VrUM1sPoxvBPJ
zf94DM@%~0EO|{?e_50EOn2@(L)qd>H;6(%biz_TmwO{mNaToJPg+WU*?FWCrAH(<+
zg{-xi_JcnV4EZDBsF1NX(|+&=Lg;|ekdU%A(|+&=g0XNE@9%PJQ|%Ao`DhgU-B;O~
zYJZTlKZ^ZrzpbhE2fRTa7#uNSudS)}`@LXpV23JPVr#1XK5r1aBhe@9wl~#&5&L6o
zP=mrQdo%3^e*pXIF!;ke?aj0w{DE*7+f%==!`@8$!5;`kqlCY)&CyKz!5_faKj4oD
zTOCccpM1YTK2g}>XsZ3-@5cg>pikKBXsZ1IZzLuLB0gcGv#Iv`$^J6r4+$HbO|{?W
zje@%z5QTPUQ|-t1Ta5a_A6oBhrv2a##BjcV`R77cGwsLoA_hP>BAoAPrv2a#!~y|K
zK*Bm#Gwla|AQp=T!QYCynrc7z`>~i$3=3f_a@`2C{?u8&`qugJ{RV%>9~OeMKG;fV
zQJ_VE76n=qXi=a=fffZ?6lhVPMS&ItS`=tephba~4Fw#gr!^-Cr)q2u*ebTPZHukV
z`UmTetY0)$OoOK7CWG-=gH`{${)hS-gkhmq2n(kwzgo>_^=IqDn%gy77&(^lWI@(X
z@-Z(lbVB7Z*-{xZVRq7t3A4v!8)Zx>{v_Un+3}Uf&Za79%-P~e%-Q0N$5kGa-EQ2@
zjF_F&v^M>Y0$fcKCH9@kky2rps`M6$?y(Wsn{)0U^xC`Hce;lQnOruPX4<{Pcv(7@
zO-WHH2EF=N#uF5iVNWa-ig_}b5L~KeqCp70&R@-bEj;kjnoO)!Inm&%F;;?uP<J8g
zPNm@zCs!uQ+jHpIXA0?(cQ}_W7KpAg)w7pIJY%J{@!UwJFkbQu!bv!3Z=0;ZTx!cm
z`-xwWHkQA~Q<BPx2L8G0N2IY(u`qJ3RplF1^tXwTdZx_g)ZB(aGet$4X?l-J#S%P8
z!$b#UE%Bpx<i@?>$l|N~Z<EG%6bo=&UfPx%mff(b$ULJ2&u*I2d|5`y!-IOQN7XfQ
z!v17_tX^tvm^kR3OQ)WBO`Xlb_GOjF&Xg5uSIb)DCn;Lw3)2~#mB%>0GbcgU^f9+u
zYxE@Zbz3Trola|UlaAHm<)MRqR1bj~x~hXvMf5s-V-<VnynifpKcE`o?A0GrIlQ^q
zYDR0kabMi4Dv!xNg5vCD*3lVvGq1kr45xCPVMSNvv6XU<w6MpkD&9@bcPCaJJB1c;
zD$8$abz17EJhp<SFyGlH8Ji-OMx%o)MC+$Tfq!ZWV1*_7y<_%nPo(y4qZr|`^E+m2
z;6&KFeN1+2*DDXm6XBUV98Ezg$rFucqMl$n6Y!+6*|aABMWjeZ^rs`y$nwf#%jjTb
zW=c+683?2TVj!A=JG{qauXk**c%o{tDEqr(i^UW9#Uf?~r+Q{Mae2C!D`Ul$zj<Hf
zF$bN6?q*)iPHcL)m>3?-6(zMh!rpj?yM1CbSt?QEOY>>{{8xpr9y2Vt>ld1$g}R5O
z@?arTnqwh2kSh<4rRV}s&I#YCE2MO}O-600d?D2)1tQs$Uy`!XEdGU(SkA(Fln>(j
z*`Oan*x{_?gDO*~4U4~I8&<<`)3&cv7%QfwHhf?9OQm#M=g9uTkmO11hw-G{<3*V&
z-qDiptgYc7Th$Gg%cH~!)QerIjfKo+DUVg=QMHnn`Rm+?bh^MTY@=-faq*X(bFL%Z
zo^6F4<iC+lw`bhFnfh~fd(!T+4_t8es#OD{?#&l>^seh+ril9cVedp<?f3Ur&4Trg
zlGXZZFT2)RlyarKki5^EYw4QJN%@Ro-bvML)-PlWKkE2K%|Ve~n9EB8(mwRXq-=+&
zW-AemvM6R5DkfWd^37uHX>4R@q%b~GwcS*mQR>+L(|i>I1b1p&kGndYpLgzYeBV*9
z|IvPfeTi+*`fKZ}trpAcET@~_X%3n0Fr8%lSEJYPLBj_97xa5|hjkZdU$1ow2Lv55
zcwxWno0X`T%^K};p(Ab<%yeEh?#L%6-10ILJKEA%nrwBlWBL393}kV7zrJ-M<XVCe
z2&M=ZYdrJ*3??c@rBGuNg+iD$==Vby_ty;+dZ41Wkd{uKi>B&TrNS0hd8`C8k7akc
z;NFlc5leL$Y%6<m1H;L*TPhZ@%^x3>M%)ANi%HyK!kAtnpDdN*dE$r?b|bU7fjYzy
zy)kGd21DAx2I`rpXcgjURn?r=8xe^nZVZBw!KiLY1BD)_Xl96`QI)z##6dlyUdU5I
zqDOZ_1NBTyzPd^r&0kg3oG)>rL<}hsi|RcM6nbFtYK1tOKdVYzJmNsy82X%%p#E(Q
z)H5-8P$AAARn?p?al&37WPHVdVR=J^9#9H>zKKFZC^Q%nqlViXDimVa@~ox#T@!^u
z8af;aMMa~~P@!d|(BCvsC`72CBkcDZ_cv5%Q7QCSO%w{b>p%dik;b1kROqNu=>IiQ
zsL$(%sJ`D1RsIG(3X>yBp}%ONP)K-(0;1oK@7eqdJusP{8QMQnmAYs{n@EyJAqg2a
zU(-N66O&gc#QBM;n)4jm5I+w<cpSv}RYQdiDuw>Ii9#dZK+q4Z56eJ9g=UpPf7nE!
z5OjwguP<!*W<!N$ltRDXM4^z5hwTD*-so<q(3Dc>|1?o35vh+s>D~Ith6=r0DfCDa
zg$BH#fIkovZRa&q=&O`MzuiQkeh9xqxi?_@UIT?5nCzb!+TT=_x_CpI8exH!f&G#O
z>Y13_s}ScKs%p-6XhZYc@5idf{<($<y+kSW>x~x*b%ZchZ^4M8y`e&PD}{cwi9(^n
z5DkSw5yuA_Ds-1p=$D%)G=i2w^gQHT+fbo9l|sMNM4?36F$8@B=R*w@x<e`Si%k?7
zf(fFC&mVN1*ifO{ltMq>M4`}|hux7_#C2Okg>F>}{cID3LK!m<42l74Sm(b~NK9@~
z3jK5wg%S-;Um)bO>g}4lbcZ#rU%DQ4z0q~EYr=Jf>r&TN*99)G>vY!=m*D)B^Lx%O
zJ3rxkzjMgh@9c73=xlSkolBis$FIRH_=@9`jt@8<aop>;)p3<Wbe!Q>=Fr)HWB-Bu
ztM*UXAGbehzt4V~{c7vGtPfc406!sMJ==PM)oA&><;Rw1EuXf0$nx)&H(Tzsyv8zW
zNm_PVI?T_TpEG~M{2B9y&F?n9#r#^>7rfG(GWVD_n9ngUH=DtU_=xF{>8+-_Op~Uf
zDQ((iN|?f?b4@3iEXJQ2ziIrO@sGxev1H5`dyN~75#uW3$wsT;PllfvzGe8l;XQ_j
z4EGp5YPil2HLNzQFxd2e*8g1pZE!T6(7#vzHvPZouh(bwefrJ%G2LHuztDY0_eI^4
z;B_p}?<{o7J1%o<bG~2rKgUJ0)6hO_e-&&o`s`=gkF)D-zqN0-{m}L`+f%j=+TLlq
z-*&t08rz6%pKXUNZu8sDvK?<TSbqmuj;~vvw*E(z8{*g|e60F+>-tipfK$I*%MPfo
z(>xI2VVH*@9tL?B;Gy5JNppU)6j5b0sd->64`0c{H9Yk2a1{^F<>5Izd<75B=HXd9
zJd=lK@X*b}(|LFr4^QRcO5@!NLb}&z9$2o*8Sn%i9?!$$cz7ZYm-2844_!QT^3cIU
zI}dF<wDQoxLo*LeJT&sqVEXKWQ1Tkh{eM&C4ER?b{)K}NXgGNPpLqC39{z!c&-3v2
zJp3IGf6K$)@bK3>{1p#>$;1ES;s07p3qrc9H1|KJ${Fy-Jp2(4f5O8b@bLRQ{2mYg
zhlk(g;SnBwhlk(h;kS7BO&<O~9)5#|&sy6Tgme>{`@gKp8SuY(_$3}b!^1D|@bf(U
z91lOs!_V;W(>#2dhfneFQ#|}64?n@fkMr=qu(nu;ug19M{{K|v4EPZqewc?Ja$M9}
z$u#@5{>ONZf1w}b;p05~01w~K!}sxUnuk+7Jj}!Q^6))8e2j;Oc=&GT!3F93W19OP
zQRNKyZ#;aMhwtFwzw+>HJbZ|U5AyJ>JbVie-^{}Ycz8b#@8jXUJbV)m-{^YZf{?DH
zx&Izj&VYCG@Gc&{mWOxn@OB>F#=~2Acnc42=HX2|ype}D@bG#bUdO`<4<|8v7h=l2
zQgi>+R^1-WM|GVV^Lxz?neR4FVy~Svcbns8pZN^)QnO(CrRlq-XG~9;-fMcubT@X~
zSDKQhZd2UkGo4{tY7&gUG=A6kjPXh1dyNkn?>0^vuQVo&-Nv}lXFS8WRR5&@QT^Te
z34K!EsrTtm)(g7lbkFEMsOxl{<a{2s2A^`iM}LN{+qMUL*44J9&^`DrcB}8T-fNw-
z=B(Y;nDq=uApFv$v0H4vv^{Hk()OtBZrg-?!k)BuTAs7V?6){qIZtw$9nU*{?D)Fl
zDaYg3t^d+;w`I~O82(`RrQtclcMZ=Po-sUacoLEe?=?J%{r|m&yA8J(CJhsYD-AhA
z(y+(SZRj+_4KafcJb^O|CmWU;ECxaU2mLSg&*{Ibe^&pD?!CH4br0$8)!nVTMK`IN
z&|Rs^>5}@GzFVKuPwMXl@8D_6y{_k7|L6KKY$<--^+nfH@Tu^)>piYVU|I1^uDifn
zxz=^SHR>9KoyALBJ6xOLZz1XuU8`K~m*=nbN$aE5yR8$}q_xxPvz}}foR8a2whOlB
zY|nsa@sRBn+m-e!?R)HT%Xh)mc*wrmeun*S<=bS^3Az(BZ`#kUBl7iLE5k{0U9NfU
zU)c3W?D`D5eu!P)!LF}mSNkKjoUPjyvz=kHSbu4K_661w;|DglG#ZjSYOB;z_w-DB
z6SbURwN0~Y7rRE;^-OX_d6&r72L^S|&XkAvcHJK|OB7Ph)X&52e>KEU)b&15zq;Q2
zZ~Pl8=QsMe`u;aQN8*=j?mAA-wf~L(&EnVSujKCk4;H^(e+w7?uPlDI{vj^@4i-P8
z{~#BCfW=Q5x%$76^@h9ND5t;HE?@8b9lIW3*H5$SG`qfqU2kUB61%>NT{p9<pIuL3
zSA%@L<A2%pYwY?lcKvsDeFM8*%dS_jYY)3#z^<#<b(ws<{ZH)r19ts9yFSjYZ)4Zn
z*>#*<869rFnBfq+p3bfo`Fh*0+4WoO`YGed9G$lsS93UQjB(g)?BuZ3$n}Fa{KlA5
zr@!Ib#t9BTWxR#MhmH4g_yOai9KO-`K@N`^pXTsh<Fg#zV0@0lUgIA)yxe5ruwXh_
zjbHy$(`pWX#T4W4f0{Zu{D^4}hwnD!IDF7F!QqVQ77lMS-OJ&q=}``!Y5E|CZBVXL
zjo;V(+Vm`kzh!!k!=Ez!fy3`LTR8lH`D6~?XkN|XQFDyLd(E93-eBItVXyiBv-c)|
zaU9pRXwP6D0EDQ;v?!Wt%L^B)XS#cOHc%9ejTR+tBDjbWD5$5q2h-%t^k{kpi$qaE
zi=t#ZQoJUPEyp2}mpnU;f5bdcN`79x<M=0b7RSktv;QPc@?vLm^0T~`#qs;Mmg(sR
zdH@VaNS0E7EuyNrtNNa*x^?T;t$R&h`pw;QzI3?zz25YP|EBu~eCglr{<JUs`R<?g
zr9ad2UhYd?{`PwP8_mC4xEDX&<KurXewfV54}7-gU%7j(2W_OCPgKdjA3qn_9K`QG
zej*aM4t#uHWGL|YU6Ip)`8P%$4a)z4Z%5u6nEw}%%Ype{jr??A{?9~yBQXC*B7Yf}
z|3YslFn_l9*1-I1uN0Vnu=hY<ezI2$%;$UOxi<&(AMKCZdVe73y-#%Xz7&-I@xSZ+
za$x@N^?p4t{|mkU8kqmtzRiL8-`6+9?F{<frFr!G-`97)cV2$tOrIH4?<d~VHy@ZU
zfxzeCW1sk;{?CVYENzRWmmxslfALuVSH1APxTpV5eCc=e|Gh803H$|m;r^FRH~7+j
zx{3Fte|3}SOJCje3is5qk9id{2;Cq1<4s=;8crYk@}_SF=Ks_{cVPY}NqrwjGzE#v
zPowfJ+=n-le?RnX`Y+vVeCVq*O~u;}{RmCJK>wxU>W8v4eUSc3#j+3aG~G-7{op^-
zf2p|o!C#^2MfxulS3gL_)elx^{sjGZKmAvv|8AxKwv&H9@Gbi9@6msMArgsmkMt<$
z{Qpk}{-1#_4lMfY0Q~3wKep*(o8G(WF|QrKlJkFjj=kgz8=wE<v+E<?(`(P!b(1q|
z*Ji+4&1RrS0jq(QeqY5Q%bH>cFa#I^3;~7!L*Tmv0T6qx#}Uf&+>71=Lr8iL3?b<~
zFofh!cusO4`B{JR$NkCA_>-UZC%p%TP?h(<5R%>lLr8iL3?ca={;Is^hfwN0KZK<B
z{1B2q)LXhP(7m5~(R+RfN$>d~B)#W{ko2A(Lh}1OBtY_`{^Upe$q)OJ-UCB;*Lz?H
zN$-InB)tcQkbJ>kmG}G*O1<ZYko2A(Lh^lmpS~{8y_b8@dwvK>@A)Alz2}FJ^qwC=
za^6D%B%ksppY$g$_>)igljr@($NkC2{K+|ga@L=m@h7MK$y)!PUl-_}<z6g%YKElc
zPnP`2qCa`gpFHbNn*L<opPce1bN-~^PwM`p=1*q*N!6cx#GjlTxc$07_YC*qgPxip
zdD@?Rz@I$jPoD56kNcD3{^T)#@_v8vs6TncpFHeO9`Yv-`jhwhllS_Q2Vk|j9?Jw6
z>W+G9hUADpIqXjk`IGPVC-3$r_xh7}`ICG6$w7ZI^IftWv(I1%Fa#I^3;~7!Lx3T`
z5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$07HNwzz|>vFa#I^
z3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$07HNw
zzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~
z0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=
zA;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-
z7y=9dh5$o=A;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoW
zfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}
z1Q-Ggfj2k;{oL<!H*v)q2cF&ZQ~kf+-`O|PTaJ9F=jXfsXZNjL`#YyQKHC17w%-kZ
zHQXKA!xh)`+Z-{|3E#?vdNS}t4;O;JhK9IqjtlpMy1DjKc}p#tylV3YkBkf*oE$$r
zethguxKkEoQ4l3TO!A^UD2aoKOf)UVMG5kkmt>@roXCX2;ZW$uIJNnwT!)gp!y#%C
zP!-U!gqm?ft5wYE+ymu;r5ieb+_DN?LByn^X*n%sGRuicM>7dAo=k?ga5!vjFfrQv
z1w@Px*fqzDDSNsSm-(TRRa6UeL3E^|88Iy;lR<QdN-8DF+;_rlZ8IB8$NU}h=eGhO
z^E(2&<)~%bX0~APL*;V8)YPhJmH1P6vuYGfyK0uE_~E&-YTNv@sq&}H(r9)nHZnSl
zMy1Nzd81I!pgZ|WtyD59f&H0`W+XY4l$Ya>ii&YrRMOnH!|m+{HW-KE{9~v;hXVWa
z)VNkL%T?a0@FVok(TY_r8<n7*O++*4lp+OCl#EJ}2tCgITezb`*<gz1JLYE*Nsk7S
z<aX?M-YoK?YE{juw!t4YDmHYiQPK?DrM8|mOLjGC%o;(YDnKfblvv(*2}G(Wr?`I!
zcXr;g!K9v_pGK5U22wg|R1FP}TPw#OwPuXUI2xDy*etLdoR7xt=)r@*1d8!=A_L=a
zDeF|CQZg>aCGLL$f&XKJ2|PDnMFj2*Byg;R=9td!uUN%l=)|NlUai2?45B9<6_cq<
zGQFIhcvO~^xRl}kDcsfd$_CR@ny(;wMgr*>ui0f&Gp(A<9~&CiO|`%eK?hF5>JUVd
z9EFuFl@3@CWFRS(iKn@L2zPgXbc0Enoi8JjP6d*5>d*mxSk=zy7O;@9SuL-YrVRdg
zMJ?H7t5W5Mri@ZGh&U-K$#IxR%lk`;%1SaVDcs+OdwL$(VB&J~B}802khl@6RIOMA
z{-|0q3jBepQM7|d5u*|euVetP5P_7ml1y>m3P&Q+29r{lFVv^faw+7XrQy-0S+!Et
z=0{Civ!;#8T+qs;WTH|ck<Kh%!Jz~Oq?k@~e-rNQ9oS%k=H|~Lf=&nbjashODh4dZ
zhmGotRXK+S9q{%Uvzq5iM%B(YVeLvfDvM$|vs`F|lDHgCNpbG4fVw~3VCqWqc|=_>
zr#PfeA1Iv#?#>^rSegN12uXsF5-<XlR8*Eyab-F4gOYeWl@Qb1H^Y5>|7C+odU!sE
zNP1gfhaE*S)jh^6f8b~k3CXCONs6fe5|U9xPNq{5_ZQ**{<#e%!J5|*31fjIc=>m&
zq!$WE5N^)El|&RaCvsvrkAo5=kxaon`t$InO~*Evrs{ka(R3t`rc>klWA~1a!T)0?
zhlk+*WBh&-#9~*72<j{ajVh2}moaZe0m2kTRJcD44-C9>g9)?dA8FoM9)W1onkf}5
zRp)acNbo0)1qnn-JQ`1>;{gj2lqBRt5(J1p2?K;1Ow;uI!-%Hwz|Qgxz|o`pF+(>i
zh)JBV(d0TlK62!6P<P2NgQQeqxvZziK$?<BE8HJp(hzy<hatcaU<fb-7y=9dh5$o=
zA;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-
z7y=9dh5$o=A;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Ggf!7X!
z{=OaDo7)tw{d4W#+dkd?Q2RUDZ)*E??_c+RrMKMsaIf4`>Y3=dxBIE~Uu^q}wqI)d
zT-%4+&a~avrqqAAVUBCR_}YCxYndVNY9nxy^9t9=Z3&0A9I)-05qjdb<C2(8ZgO6J
z5@+|*?AvAM<qJ6H1kKqV7Y#itrDZ`?Qwc$lHBrclYDO?JnRGTQXTY18w#9k*3H;XW
z^sQ}4C6kqq%Z^)|mmkMPx6z_oXUvjr&Dgg&FF%G0cF=-1YgVx+K&em$S3);BFVErP
zTWIl?yg8M>$$9xK&ZTrb4s^(38t5=_Hl^cnL`NRyP&yvpE*XZQClhf&&uVEwk<uwa
z)kRH!Y#>84l8H<P=$OK9Q92&qmILQs2_vnGK!<^gC>@V`=+JQirQ>lw9XC5KYq<DU
zLdWA<ir@^TR(v+$ygb{5y5xn^l)_sce_XQ)1+{D&J5QR%3_os871dplyUG>g?z^xT
zN38&!9{1icrxpu$+#QKj&1%6IBrf%^t4Dt5&^Y)xYdD0A9v(Xm?pJaJ;(#w=>Vy1R
zdNg8J)oRTi<c(SIv1k^-IhtCC=!T8mFoJidL7sT^0}pY=qcy{>@>Pphi?(^7WLEd9
z;F(9~t9iA`Yifzl8hp)085Xabwu-%3q7NO1!V-9diByc7Q9&*b?ZF5SKLVexR?GHa
zELH_SSyiJFg~1Uks@1BQgSM~}%ozE^SSp^7laiE5rj$e`4US2ZORAWenTh7-vK3Po
z)Drjt1^0@$I$JH43r0-T3|#_mkr_jjlF7I#YI-`J)H0fEWHWNYKrRMzxoiR^fu`l+
ziJYPvYC=z>lRCKOiW~ck(zIEzN(iF^`d%21k*Yf75(3{0Zs(AXFXHQvejLr#f$)-T
zOd8Xw4XFAHt7wi!)LJ!fRR;M(YULa_<U4Gbc0^aJ(C@M+rDI|`CZ!?;Ys$8270n>{
zftyfc%Bsu_@@OuBTdqm1Vqny83y`VTwCW%@A;WVKI+l89B(K{B9WN3|qb?bN*{PQF
zgJy}gfilsL!0*^SJ_jBvi_t@X@05Xnhz`}N;CK}|cZ?3fs5ntI3-<0ExOKO7d5yLE
zhZU_wvr4*&>L29Y3MC%Cu#uE;b2+tO8)eIeho|e~i+uM{3*2m0v3EngXqH?TS&@P<
zZ4?H1#Bm~#yJBeS-F;UKO~c3&Pt1=wFVEna>&(%ad&4!2*80n@`Zxu)IgNQ!o&9fu
zoSHAE`{{ko%T-M6r6Q$vU@4y(1FlpZDj48K5j+v*%&C=lR?aNId>)JlJg^NIp}3Fm
zpOZFrnpqzdq?q3ceNn1T0^^eSp~Is*jP%KpS~La^nOeoNtz30NI7No>gaG5PXq6^n
zM}TSJ!H0Ya9v;PQpgt#c!R%3^-toM1tpj)${)DErEE%Y~c17UBjM+i-(ZH?jypV-i
zXbZa|n1WUqce!F($U8I4df=8S0viDZ!?sq1QOyI>nJWWNP)l>mM(j@KWgGYE5beRP
z$^B?jK>Ku7Oh)(<rE?{4KL#V9;u`^5A9P-R6c2#;x6#+b*OB$#>bzXW?bR#a?BR21
z=Vc2Qs<h=!>@00fOC86x{oboBX0i4d0t|r-Mxej<Gu(~s&vCsoy$?qIBl6dg&v*Yp
z_m{h0?%ve?se!*5_?3Yx1K&TO4jdUsw?7wpU;VfJ{`O=$*Y>Tp-)Z|icabyNKGNp2
zeU3xECfkp0@E5;PtMC0x_&aY@+8A97ft3*eoyrz0oKRiFlUNraUpni&vI)ye&yNtP
z<;it#>^*K&T{pMHH|&vGwP0E2@P6KqC0SRbgdiH3xS+reRmd2UD&#;pBPOz0B_+pO
z*w2rZ&<6cP$yRg5NWlc*`w(pBkJSo>O?L4)@Ssj(Ff{q9=G*xx@OoX#lI=Iz_`<%d
z8mmCv6)dAS_Wfuxlmn-+#+-ql&VmRXtLD)zR;U=Zp;okf3~zuXIfguhqe^rEc7;{d
zL^=gQ70UJfU13fD)kU=edtTTBg5C$7x7EsAG+!+iTG*|_hCGp>A4)gyRoL&#tL@R@
z6Xol@N7wvaQ{OfDH|nr8U!gncPTC@43H4>8mZK`@W2y&=u%91<S|;d2NRL5w@n}2c
z-9zyc@Ut8KhaSNgd3NYaJ{E=X@U$8U+M)}5jqFHP*^R&5d8ME1##3~<xx4Wd2Ag-!
z{pt*}P0lNQ-i_6hu-Sg4*O$}%^drtI5lqapF-pv<yxG3i-8SAJ<K9Q(gVwfezrEt1
z<c}Qlz33f@Fuptk(QOCm1)6Ni(Wpc}@FpFbyH?$nug-R_WjDUVd8G$;`###m0lRTJ
z^kIZ_`$ovt)6OehWHbI&`nJ0nUtyxJk#FDXywZuAqkHiuy?gPP^GXLUJVG1pTooqR
zg1@lx8p=u;0t|sy2LX^*--IWyM_vVS26)UZJ{|*SXRq9hbLiRGliSxKVQz6=xe32T
z&(5CQCZ*Lh1pCmEw>YnC#zpk(?8(O2*(*2T0(y4#r2p*fM(33QTujdZpTuW?uMS$Q
z6@~yqfFZyTU<fb-7y=9dh5$o=A;1t|2rvX*O9c8uJsi)yz-{`<rqlg@-f#8&Qs1%O
z|F<_E`NznGNKem4y8otoraRpAeAk;hf4DQ+aj9c-`-|;6+OD+i4SzJuhkiVi<X#wf
zWuQDzhDz4|OCgwjy1R!9Zwbxs80rqa7pq1)j~3K9o>-@XF(S5%g*dk8R80qKNo>`t
z@o-`Vryw(Vqr^k#VQj7jp%Fc%bZ~qErgRVk)))6$9uyPNBm{*`#zPl4Va**e_H<`A
z`pyyf%x68HX%<oVWB4$;rXfSoT&+-;3ush{rqU4HG!gp8mKtq$8+~RSjmD#CIg?Nl
z;e1PthTTS=UPq&H6rr0G+iqx~(b=cD#xR)ow7PM_K#FGMl#*21o@wDb$D9i;I8S;$
zbFITbj6#50MNG8)TT6|ecN=}8)kdYkL?)V%k`P6_-D;`P$J|CAUq_?qXeO>Cq(u9l
zx76sY+bA&(Cd^<>@B*djs0aa2WwGOQON~yujn1rt(iB9bhw$H-&QJ@D&N|h`fUkL4
z-Jk&v;3T7BCKFG}ozpFR=a^G*!LdD`xz-*@M8$MGlS*~|bxVzw-9{f>N23bFHJ8Mc
z()CD7jh5U-t#vdShuGW+IiBwNT1$-<+(wCgcxwY*j><ChX{P($mKr_lHhOLyluFUK
zBug2o`~PaG(Y)KJxsFD~sGJlta=K@#g+^zcTw|6^d0O4DS*BzlzB#P9V$UD8@SS6h
z?t)`@K68z;3<BCK2|1NaNA7Q_(X893wvI+q(F8EQbRzPLEj9Xx+bFS0Z)w0Q5F|d6
zOvlr`ds=GrVYkuAbx;aX+~H<aJkk4;Ej2pfHhN|qjiLzaa#~9Dy`!Z@A9NdiXdR8l
zql%P-yIg%AZ>iA-+(yY|yw>^@!j`8YX1UTo+(M(X&dJ8qKII{G<EFM0RZ?(4PU?TT
zh3_15j=SKH1L4-d5g~GWQcftF?rf>iV{W749&FagPvRM9R7^_prpqlgdem+7{&h5(
zjwa#$U|Jq{Q%j8=b{i#@H7&s#2PT$I%d!L;!3Wp88Eomnv8VgoFMPgLSYW%Fil$&Y
zr6^-hN8Ebezm9s6(Ug)B6Npmw!w_HyFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyT
zU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg
z0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`
z5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$z%?S!AF6RTh6W-7
zAKrAe|F`->eYf?FL~1>s=>9*u{-mp?b63a7_VaBE;m?GAJ2bH5x5oWM!0$DF&x)_Z
zw`Ny-;F=4w^Aopnp`Kk(Q3(C^3=MJJ92f2hb#v|a*Nn;>f6SON?P_JNE8MvxnxHtS
zNDu`_fuJBkCCQYMP%_*fhQr|loO;clx>5z!{DX*$F?gnD85!d>yKHKvRkQhfP95dP
zYgzti#X{i<4LgV?5#rrItO$sl=!=~Q)QZuhl#0u7?)SrOZ9^MO)BKI|4{QaZ=6eFE
z8k;q=S`~$b<ZCuWV9d_(M+>#72Y9o@pD1Zov1pa}gO;XNP51)>N6y(O=cG}wAtQip
z6!s(;Pbl&-x}hYQkx=lA-wn67-?qVY*XB>6zPvw>>d}f-E&~a?F<UNJX4QnKmm?>~
z1X+|)f+RsOlOW2{K$!wzWR_C~QCHGpDxTzi8z}qd4X5mQbIR^jr&az~tyDrJ&6w3Z
zOuV91HTY2@Tbr7K+#t#zfJ;(|E6e8}gmy`0AZ}BF`>k+C$CoykveNu9MA=ASpLyor
zh@~6+QFY4T$ALsGA4F0zniNGvN-ys$6vIW5({b)M!=0V~b%RNIeEujR=}aI=jmc;8
z<5d-hK!thdp>)4h(2YtEeGq^(o`SKsoW4Xfm6VfGg8OQ?tLw=Prmr%87}0lMAblf6
z{hTq!kEmK6Sj$Mo(2Y{nR0}o?N{B2QM3xdwrZNc>esT%dj4RP}T!B!m+*iWg-4AXs
zS<~|e5n1DbWDOTAOV3-ilFqB}|M9$9DU;+qs&<Y)ZdrvO(&8|c5}8b9IcX@wY#M?A
za=#kx=^5N$(jK3`xA}<l3_Zdyj7ojwCMy7RX~8TRLG;Nm?!>f|Tuz@HO=l7*N#cGv
z%tdb6VEStF_aOR$89$kEXeonvcGxNjjVZ`CpKB7t9aa)z053uDZ{uP-&V4By`T9mn
zS?2tHL|G<qP>xni-I%S5B)}c3RihF(#UOlcJdsX7u(+jDOpIn=h>8mLi{aj%-e_v<
z`B6m8p+IVmS~EsvJZ}^V{J2&z%T=_dp*|Zbmq*pA8ZiFk4A3P@0jvW`Aedx2C30U3
z_kC)k>6+)}hY?{@frOnhvNk4b)TkO77OGC6ReA&@EyPR?!sO!bGv;QjiXJ3Z%4rCG
z92XPI#Y!lF$g~+L#eE^%U)g9XOY`qWM6SA2k6JY(TaL|EjZzbdQBFnE=|ln~tEB@H
zND>t>oshZDhc_MHXp)|ozZ;Q+wiqi){~+~GRn%fbDyG{2vV;eAS~8kZU;r*(tbuk(
z1c5Wb{akoJ+Gq-A=kG!ko?4B<5nGEIvmjkrwTfo&`%UP<rrc46kjP?6Oe)K}FBz5M
zz-kokXT#9s2Jb=7&JQBu_5>0)di>bX$bBw%1W^PpXF+TPf-Ng@A{9VRA}S?;Qjz<a
zaDUrdxi@h?#|>QQ`)1#7_kFRi()G!%XS?!UN4k{G?{xl6=hwnt55E|m2;Up}o6!41
zbD=4Cxc>VJ_k-N`aF20$?j(0IbQgTE`_p!(`{xG!G5>bw%6(njmT<^P;UI{ieK+K*
z)v`Spi%kJHs%4|F^NSrka&UNPT!7(y7FZQc#<B$~8!M_dEHAOSVj*^<nl~zk#)r+4
zS}_efHfl^)K?1T1YOMrvUnL3;Me4OzL0*R!arKiqqo5WoJ4S+y#(;Ha(vk!MQd)sO
zQ^~lz$+>cGC;HBQ`k9*`=YTJ#`;2qt9!$&pF8a{G<Bw}rp`ey+W9LcJnBm6?@VP?;
zqf!MvTgsVJyCQd$E5_Y-X=o#%L8-m>jybhhxa00fByv{_W#4^Q3_TKg;)w^HEAJr<
zyp1-{HMt*zSlEJCHtZdz4SO<j5Y!u0v#7#O3--~xmE-lLIG`B?+v|ew$qEp(-$&5a
zyPPXyIEO@d4($sc&!hd@5?E1n@PF978#ZsDPT;es59WrPE2H>*5^6lOZ}YG*SAz;l
zrhO-G*_w{vFV;$Cb&lUzsTGV}ck=J9_XfWc<Op>ae8h<FBRW_90K05xX3j(!1pE;k
z*Y@8wa0Iie83GJ}>x{rn&Xv3IoZmwD+}_)cOR%m3huVv?DHGm%yX;)K3+Iqn%%Q#8
z<7zUIPO7>f$thJ(^mtZKlPS=p8A(Ic^jtcp8(W+!d+=Mg)9SaWdLpZ(a*A<_b0vd|
zZlguF&X^_Lnz3(luB36n4qEVL#JU7170RG|z0tXn!o|1H;w^b|D*xW2&XpwQ*dHFC
z`L`@x62{G`qPo&DP&KOsV~{^Zz5_P-crQ{`XRv0?vrnetV8ql1`L)0hA<Nw$(mfg#
zvj{2?wGhz_8}D;qYdQ$58tn~iUghnE(pk%!1)WD!gUT5#Fsl1;ct;Vb7&)V2l%RMp
z!o!ci*H_)*RK+k#AZyaa-Lzt5%dXln(08U|q7oD3*r+vADp;yMQc?AS5zSX&)mCfO
zyj2<G_ZO^+sh0R-u*^hsSmOqH_swLaXz7^q<ID`IOH4$n>XiE#uoVTp2$Cpau>u0=
z*U@YpKD%Talg6})HVFR0DjI;1f;DAhQIrq{%4lQCs>}`6(U{bzJcnNfi1eCP9R&3!
z9z%dF-D;87ZKFVTUL=X2I;sM2)dNLPDK;_*hC6mo6zzOfMW4R|*N^hikHAA&8EsTC
z{>vYD8+k-4>bQ*O-^PPv#KS&sj?ZBM0(yZ65X&pBfO@G=h|9~X#qDZjxHKu9S-G@m
zmMhb?;eWXq^|l7o+vjZm(=Grd8?<5PYUL)y8VFs`>4hf6S+i=ZdeJO3DPICTM$HAS
z(N!b03hKa7vjRPfM+S6_rWG}$d7PNoO*#%#jyk}NW|%t$um-PWRY`}qRYyRSDd_G9
zrn_^rIj7^3j2Lfz(6<Tv5F!p8e8GNW+TcmQ*tC*ErdF|RD_7;mM@9}s3dXci7~~NP
zTP}qjcCI9d6xvI9nk%xeb9w_`S1|Le^K~R#$9*~7&un(C$hg_}ZKlm$n{=Hs3n2dw
zMg;y*bSy}^5dS#|Ai?oOy;DgszY{PiRVRVDO8n5_Q65;qWJxU=gD!Rx0_D*Y0y&(T
zh#djOiuZSF0lnl-E?OCIFg5C(@;i4=G$uKJ<QNZW|HP)5-bv}!N}l&jNcym664rA(
z6K@wL2X+io#$;Ko<_FP7c<0)Z`n~gvR_C2tG|M-iXr4QVcI|TOL{RQLeB^i?Uku5z
zSp;9ym_#s*c0momQ;pd{)DN(Z*?A!gJ84_k9l@RAu1Kpdm*t8Hi%J!kxC|?oiZ*Ac
z>tVK_4b31gMyhjVSZIJ*F58h^aIQ#XE}Wx-GGIs6Wahc!hRnIh<be_lNW;cwfCsH9
z&~~7iKN<1P?PasQzk86om7C`J&h_2jC->dj`<>n|^<M4$RCiC;A9sDO>&33K9bfDC
zg^rin|6Azp(9Tc~_xIe_xKDA<!z=Y)5Z<5?u@xB(1hlhweo_H#$Q95`@3b940$LvD
zPyuaddom;E#H^tS>39|iXrdyhxs)Lo>9nF|l42s0O@e?nh2NqA+R!%1Ff=I(Vj2i&
z1}>rk+K@*;({TY6(1w-?Xc{i20@@H3&@MgdT*=}NeExpYfkW#T&<-8o$LnHQU0Q3X
zkFi*`7UEkF%T7U)cD+eYQ_Tf1k5c8ZVaf4XF=itH)Tc~AJ8?Tkg%(ggU_s9nZBW4^
z7BnVt+mlE%oP?*4E)wfl$dX)_`C#5efnCKaM%k)VW65+@lM{(tCM)XMq$=uhQBCJ$
zUDb10!-&g?q^ji%NmeqcY!1}ON<6DchMI*_?S!EujF>9N(+NG96XHrPB`9KC6EaYX
zkd<;7T~;%qnlM~}@sL_M2X+#N4b$dh{JZZ{D<wk(5w{^cf}99qXZ#H%C(d}-dqY%g
zCRh0vnC22nq={frE>DjXOjsN-Qy2JEC5ZW1=ZcDF-P4nF*100Yt1>`e%b^LP%_Eo*
zQDJ8Y2|JU%obIP@aIQRz0lGx@jYF?vVTTA#fwGQwpa#kz{;|3Gs=o>kzLvE<>RdU4
zyXg=evq4LJV=llffR3H;b?jEbx$+RsxsTQnuJ5p$u=000S02PK?4>VkZpP7|>eIfe
zJ5iM@EJ&ajHCkEo*|Q7*hCqu5fS`OF&q^vN?*l<umeRl(#&I@X1ok08`54Zjg7UuY
znkFaHswN4FtY<*Z$>~DI068bEDTbsbvgwq81m*kjTU1cqw@pidB&BMG27>YtTto%s
zeI7yiFfO2i@;<+y{3hqhAzb_x!g2O(0d-*2)YQVWuqqwItI`W}Rob_1VY#(494tGp
z1&=kz&aE9`t)R>FNGjLye9|vFw|GkFioNSNXY)$Lk{FZZrRr2k0!cYYOkPoM+C<k{
zMYEu;XQ~gdjaRQ?5%|1O(rsjsI>_&s2s#{Xh|Hd?_jyp-RaLVD8i5@L@rm+&t1@bU
z)$Ux&BJ;Y>XqRi_TI5IUafSdxfFZyTU<fb-7y=9dh5$o=A;1t|2rvX*hY0ky{VKPO
z`vb1`>%G6;D|LRc^Ru1LcUC)3cfPH2bH~56eXz}L+uHUs{nDn#`)}{>@B3feAM|~_
z?+bmO?t7u{fxi8HvHEZSP=BodE&XpH5QOh&5sI)9`b3Mbtor!HLFY;Y>l>fbh%Pd-
zZhhl%FdPHxBwn@ogGWY&4o;4r9zQ;I2rCvdxm*sep=p8^j~jxbrjtT8uIWNN6Nh`q
zsSH?@=GLHCte@n70X$zf14P!5$Yu?iMs{U&GeLBJ45^ch*(!R%_eBBriYqGEz%VhM
zbQOP14J6|+q;K13^TiW3m{jqHkMlz(j^A_S*n#7xCn(TJuZe!hAv7{r^x)F60_{ZU
z99W6g^@qWBYA2j4ZFuy|-%3Z1d)RhuU9{D?62=<xchGt_dr^Ofb0vgJ_t4VLCSwoI
z0NU|`^b8=gwf7&x(N$*!dw?N;5xB{D={z1k^k^xCY_OEnCg-Kcy~8R6M@ug~hI8oA
zQfhlzPsWkKjgZYqSpj?#q=a-Tn*@s*RgxqnkxCir7U!io{1!c0N^Og48A(eSM(P&l
zr5RjAkCsx6qotRoaREJAO8JkLZgyU(;bJ-=Q(KCLZq|y=<(-$Rc&dJIADJ|%bu;?$
zM{8!bFn4^$!n}Pgl(xXz@sYaQ0zZW9$%%Ihu-LVsWrGL%UoZ>RdGsv0Wd%mb$OT5u
zs_<s9oCj0I6%Li`TDB_AN>UUqw@uk)s~Xkvu5mnAOK7l)2s3%JY81eh7wQ$Vb7i<S
zCgj1e9g@Uc9x>X6(Y^N&3GRhe%^VmRVyo2pg||#PDW}CaTq}nQhZ(q#oo@M@2bLiv
z<t{^hBLy#eY+^(N487#x=ww`M)Osb=O?&Ihk!y`gfP=*eLG8B$_Z$T^UMJ6^hxy(7
zZs=mbcW~kkWM8y<Nu~6m7=365dS>NE8nw7a;&P+u17s{UGRU_`!_rWEzY-tbA5RS@
zhWC%bMbU(`UmhEi_s8Yr*pepWDfk)6BxNNr6dy?`W5copx4P5&!EsJ<zcRAq@yuvC
zHIf-krbfn6GML`QN5o-892rqYhNNLxOuCP+fYy#>NHxye>iF|6Oc<vX9>5?ilOH53
zc;$`a@&mK^Tb-9|%xs*uQfA{CpIx8Xhdv2iU|r9=1MXeHERqTZDX<QE=}})!cmG42
z@2YMq>mk@9+=y$Vi$(@58u28^BAdO9WRN|=4LFA`8ky~D5tG3lVF15H7mds|FjG(^
zEu&|^9-$u>(M2QESTwHm;R3p7Wc-T;+^p)w#nf;&gAI2fx5t-zL&+)`Kt?ytt&3F1
zwyw*U(+w6?9XN+tRAmCpxQKWOF2wj&u>H^W?9-fcr4!GjXDlk~zA>y6@h;}@@d?i^
zhHhh)UX_4*37&1tYIhQvYy=|LVwKp>eVe<5`(du{kNbYU&+b!uzY$4A-VwQ}=Rdl(
zcMf&l(b?1St&UeZezfCzJDpCQTZBiK{DwAj|C{?;P$7Jodzt$r_kL~)|1KTPoi8uV
zS!){Rpy-{0d$*1_S7JD4hK!rN?#`^Gi-w&i+dsV4k6_O+1Q-Ggfel6g<g1;Svr+kK
zk1Jp8@Up-?NWOX}&Y|+vp6zix1s><Jx*%$zC@6{u_gYd}QHbZzwk#Dll3EJnt9RhH
zsC>0&TUt!32`O&qAYZ)=7g70Yk4L_`0~b*FYL8#Of_s&3#l<%fUc6^Z!J6s(@7$&a
zQlRjP;zy{$Yp+k?m2$2KxO9>-^UnI^r&aIX^@lgu1=};=GKI$?%KNFyls)U#EO=IL
zatjYD7}nBjEhre4Y9>`zWt^*6MfX-C5<1ZJZMd^pS<hB|jT+<lM(w~GyH@Y**Fdds
z{hlt`8ls<Ox0vAOB>02%@7dAw_>y|DxMVl)mUzUsWxGgs+ugXEjV}!^xs#2*2=9F1
z?i2BzcJ24GRdC5R4YyM3I&PSh%lERd3%VUoJ-RpAQ{M$`$GLPDv<K~i-r~#Ye)?U`
zm2G%pTpFYE{*58Kd&iSsI>)j*xoT|sFFQAej;p^QSE=c+q1Tr^Lj~?1w;=3OcF_>?
zm6k6WPdis`!`(Ii5bdsjZR?VY#_kYmezlkkUGJbJ-|ESMv9r}TcDCN@T)CBeOB?+b
zSA1Uw`+~*g&A5KLxa{#QF1I^Zw&2njZOVI^LcSHedw-{~R<XYr0t^9$07HNwzz|>v
zFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~0t^9$
z07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|
z2rvW~0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-I>6M_Ejr@33Xk8yqfN8iW$
z&iCnk_x9b=*WUZBZmoNN*DrQ0cD=u2vExTNKHUBbp_8F~p|^&5xPRgPi2F3WQvdxU
z`0LlWqwtG<J_gkV{Xjdhp!_Cz{m$h{aNHRR5ht{d-7YzoAI2HP;q_zNjijt*a^U4!
zQzZzym(0pSI-w^7HL0tqR4$#=CG}0t<umvt;_v#gZMm$Nh{tn=4)srX>%Z-0=kh~1
zgZRIGtnU7Lt8@85oKM_eKj!y-eUo$fG%h6}sUD*dsV?Q6%MXB$(@^O7A?$ecv30wR
z9x*D_TGcG@V<pYf4eT^}Eu^>LG}^A&Wm7Y)n$4@cR&P%uu88?+Uaj&q8zNFwE#AN%
z!Glv}!@iS;KvG(sH*MawibmBe8a8<l#j4WPs>&O)$o+B!2a8%EYL#wjb`*jjRV>@e
zLC7kr7&A&j&5q5OCEc2_1qcf`ZB$~aUNlP(w~AEgmeMb^WA$&R&XntcbZRBDs>so@
zTCmhY72>>9XROLO8@E$3W`wMoowM_5<(yDd3o~lP5UOfr%Bb2xO|XR${(7|lAEDJM
z;8Izr=FQSMc&2pDj=3SLd_k&!cw>;4MJW>#<(RB&ydP|j$K8f=Y~rQ5jtVd2c!74{
z(&$q4XK<9sH9Y551kbKq7j4je4&qkoX4SMxgS_h>yGc;5T3}GG$Xzis5$?V#R<0O#
zN1k|M{yyjODLmPp?jn=T4ajue2iB`Gq<}S@^s=T+ka5DB(f#!O&gJ8n;%AB1{m0%I
z&bPgTcxQb`PVf^#4*iFWqzQ<W2Hv&nrD(t|eZuv^?R(N&1+LLoTCb<x2zg>vFWn<`
zZaGG{bHhh>yk#HV?{qGY<8IzZMsa|LZaO1iKpgW9h^^<H%lG5)FmIA~U60zY4sXBJ
zxqK9V5OKo&n9m3IHs|sYT=*{XZJkR%8~9M$xh7Ho%Vr2L1g;+fH#(Q^#Z!@lmzgEe
zWq_R=@UW9vBx~P;Gl;A`yFCjr9aTA%6q4Cw90I;((?V9urG-Qy6Bo5~PD>gF$lCA0
zFA-ULcAG9KVlt^DG!U)Fa0wBuXFa0zD9$IM^{ijC-t1f+!KEZP#Vn57_sql2<zdX}
z-Y;NoGP`cUdb}a^l0X0`=HrNs1ASmAdo4sqbi>vvW|;^y^$^~^C}d?2C`&j_w?-<j
z%gvfqE9fZ1D?Dyal~D6#bq-`yo!22eD+s)E!9sk+$Qe+lX4pj33l7yfJ`4iAZK%3Y
zs>f-S#Eg=GxSJVCP9&uibdIzZ`BjqE86#%H<Asx8E-3B`#ddci)F<gw@`Ni9xN%!%
zNVheK_X4${PHj?JwDVQ9QPzS)O9DgIW3mLt9f#Rox_&dB)x;2B2rvW~0t^9$07HNw
zzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dh5$o=A;1t|2rvW~
z0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTU<fb-7y=9dhQN0}
z0{xL+<p#I}7x`dhs^>dBf7|ng&eNUubf!AK!Tmb-Gu(^ZMeZyV*MEN$Qw07&Z0wqY
z_y;+^T~lQ-Bde02$tmy;l1`<COjgMXqMj5bDUr=34CITif?p#3LC$Z}bxF?X@njDC
zgOqUz@egv|;~&Jr`NTiS`DOk=O1PBx2RV=ZgS-zM@)favkdF`-C+Dw+e-Pr_N#~DR
zGe%`RZxjkVbydY5G)u%M-&!CD_7>uC(Nsna*tmgm#R3N(;93uS(N%4J#;oS~tZExc
zg*xHW`MTdbey0(git=Mct7=qtwdylOEtjKeX)ao+m10%Z2A_6GSxV`tlrF@jbVg8g
z@T{n25-B0AX61M$7dJ%72=p6rCw~aM=z$x-!-i=`Tqk(xm<WFG;*p}In>o|asb@S%
zj!8+^vxvZ})vBtULw+?haCm5yz-fn@S(U_e@-_9Mw_`W>yyNd38uqvtse2PaB`X!J
zShjNEDy7YfODhy<E0yhTS~$b!O&#3H0J%*c8XkK1UfvKIZdkk+jh{Gq`al!>)Ke#w
zW@Y2|5APq^KQ+|s)%%AFL-#Z*E@}J<?Lz4aEu(i=Y#Y7qZ#}0LY@=-1;Nx)GkQ%-i
zy}s?hVGS>g)yMf!t6*w#e8oWX7kL5#SDTd5AlEXyTGIKFRptFHt?X3hpmVuE9K`it
zw@K$+7m4ee{@^m|9A>`6J?nYoqwuUZqx+KXTsCo&&u2)JZ$KY~yRlQj2|QzvSHgNa
zD2L>^o``%;Lp1?)pxoy9Zi!nZX}#nY(9bDp%X8pS#LC=no|&L?8xyp9!mZQu)bP;6
z!}m_`#)RO$2Cf&$-16p-`Q*)U=a5^ihkAGZG~Pg8ytH1Fx3p%+b8B?l@K@v3zKb6^
zJj(ApeB?MRm($>pYZ7^=je4gg#&5~AY&77VpWuXY*Q&lDJr2fJ6CfIHBjuLeM(%Jf
z=kd%Vo`%l{xQ*n&?^MZ}DZwP2@=nsNhI2Vb*uow%M}z!EUJs!Jd|Mj0W#ZfNyw5?T
zPi#mzmv#K4O1`Lb?J#m&hw|MoakDRE2rvW~0^c17^!J_MZt4tk1AjO0dwpAb|E~83
zd!O&sdfOuZ5czsU=={GsKiBzz&e_g~J9l-y86NwT`#aB-xgqX(M8(4!M@rv`4sGLV
zXEief7y=A||I`TF=q&VNftx5yFMv;ISxWai3lYy&;R5)CUg*IYMCW^9yQ=1tq^4^^
zCaysI6*;X4*|?k$;)<%KKtmW$rKC4G3*Go7qVv75Et8PbsdxtYgkI>xB}C_Yp`r6#
z=)n0z=X=4g^S#MgXvd`_+{%S|xE0M=Xd}9Y6y7ylShv=9s9XkZ3=a8$!kbjV5wl%2
zOH<&dxvYXZcG^_=?37u`S=dMPT0jU^$od>dlTD|=pByHRhe5Tg8zk}yL|1YBJ?mHv
zY?h$J;CDyiJ8&eH=nA1#ra*68%i>Tc2ag;a9vT;pR;;szR*jKlEL*U$v7%~MA->97
zu@E}~byp6J51S>mVj6aA7!w<XBD~dZ_?otKeOj$Vi<S|CKqsk~n21T~7=Z}@6F{+4
zM^f-2DIit0Krn2CPZ>7mYW%1H(OvH3EnCyk7Z*|Bmbr!=ITMq_n4DauN0wru;_8t-
zN@E@TWS4AX(wJ6lqEGe|dezLH>?#`kbzNG~(9K%$x~iSsm?uOth}~14H%hvVP#NTR
zOb}oi-laVXiu0fjtg2?oKCc!E4b7s!?}(MHa;@A@x}vNSQY*qKLa|&$1wpFBCUIA&
zwji=R(n`!(2;+I?93k_}RU=-{aaIqqa$QCkFtQM48AMZg0W_5hoHwI;!nyn;QG)Cu
zL|vPrav5r%`?!D`B)X3a0ScOie&z}9r)@ptTs}`et(SaS_!>C{D2pD)Ef8hVh0V?9
z9VlWR!;cb0%!SUivqp|<yZE1aO=ZM01YTnVAk;?<PhWZtjzWE;lb`{vdN|Da+xy$U
zz-?~(_qKuW9he!oW8j8OKi~VWz2E5lTIBoN|G)O1Xn&!-*8X7o+uLt!`}a`M_q!+b
z7Vg(V!yz%WJ=Dkj1NSG~&vKvPz5>7WCp1eV0@gFG_1{0?-o9!Tq0p+2yoL|7e<A$B
zYuG$%njzpp05(%^1zr#i5e~sUMWO+1au#@;O#~+HsoP~|;dY!uwtn1G+cQZqo=iz;
zAth;=ponrxP!sXApi7B#$`C~{siw9#3)}HqWbem4wM|u0iHxR5sau?dZMcYR{<x>=
zyT99<h1+le+5K@(`L}<YorSHqm_)tfp4w8dW(IzvrNE-^f2*@_E67yg(DzALrsAGj
z_h#`F2~WwxmI~SGK=@0~VHFK3G-_60w`D;r9}^5;)&krb_KPIY5bw1dB2k8@)ew9M
zL=&0;LnQ$p{PFcKb<17*o#||?Vok5GgRF<W%+7&zLe#Wi$5?|1nTA>va<!7K7U3)v
zY#s!Nb5s=|vL@{BNYGBVEdjbcXGn=mGGWL|c9AnPGf_>gWUW%RfUJLD+lRK3N=!_m
z-5zX*4cNowt*W4deT0y&m8ya<Z5D(a-m*e0PPGIXMuluENmT-_D;Cg{6xV851Me<l
z5LvW@qAj^$MknbPPfi&n1A>K4%}q{2*ib#Uq#|mlR5Ys<BWhKqVpT)Sm&`|Nuw8~#
zHlB=m_pB%Y=rY?UF%49<yk`X~sQ9a31=TEOl0B{EExTD%BxF0bLUF+^Ha4}$C<y()
zK6Up*!3M=jlQI<e)r7g#q!?Z`ZL3M4W>=cl3u6?1n~?&g(EC=YQ85Z*Yg8J0?v;Z}
zjn9EPr5KkdCIT#$CZP1xkyA;fNvS$LPKa)_PQapY)u-|((r)NR1*(}iWFIPzm8KeR
zknf!=)x3%V??>~f2#@O^#X!Tx2-CeJiK}g*I~a#Zz!2D#M9Sr1Lg_UP%olCLD5Chm
zc3GXl>MPr*D_MYrFV{3U8E4_mm`h(I+fVK(SJhCj{dzH^y1HRQS&_GqbuyuP6|1u!
zSi-m9b+W#MZ-SgR`Et6S8F3bF!3e*vM%Te>(|gpXh`<9Qtjv+Qg8!U^h|Qo8tj``&
zT(`o3RZ+sGIWXfUOR$;@9;yd|o)G9*pAcZq6s^)k>`2)l!JpLvdI=9;G&^>hMRm%U
zEUTbI+qrvU!o#YFJ<x=gJ<%-6lH3$!LvE$mNNK{$f*OxfwnH;qRzuSs_R`34S;{WA
zg+P-e?=(fUG`I;&by{76hmbtCM)bUogU}c1NP>>F&NdL^@Ny2YXli04<^7_=5I=i$
z+ow8{I=UvwsA2x3v~2!#pR;f?9>((>bQlNd*VfLJV4~dQn<!iFcNT6W4Q!?jP$Q{p
z5x?O0V>51s9At1$Z6<Qq9%tbOoIgd|>TC%~BHhP4LjG!h_ILacgsJ}`H}I8#pB#8(
z;P9ru>R0=Z^zZH85qTxD5P3RsHgY6#Yox2^?>h<|CptE@f4lwh&==j`)1iGKA#_`)
zhx=df>-%}aS$H?W%{;KQEOd^W_dWb-C;ECrZyXKfGq6D$BCLFz44aFuV^;3x<bx9v
z$HqoZj~pC3HUU4B|3NO{iYKi?t!Ny8<G4x@AKJMOjZDBp6BBj52Y((%mm6@o%PoP!
zFMm!qvb8Dv9O9kJ%X4rFL+S}GhwB^VwKP*fAzoLiNY!;X>{;PUK+3W$TE)sV*{(#2
zuXx}(TQOjze4HOgw^8_m7C9lcBMr{odc1QlgRt$I!CegC-20I^Jzuw{w;?ia8Khp`
zD)Ho`)W))@suw|=2QdT2z%(43T2{g4Yc?3t)5B5_9!%JTLxxeBHY-*M?OK7?@ALBd
zi(5e^x*O-r(0LSS4@+<6z=at;2j^>ityHsXAdnR5uz+S|FRq4aRxWNnTRU4*L}%eH
zoP9s7-D}(01YwSAKl*AjN7f!gfFbb4L;zS*%FCJ@Q2I)lIIzMb&Zav?2Pu6MIEN~I
zo$ab9rE|Il_dAm+{6{eoLPpJH1zFP-H7DsxHl6{cuY%vAN?&JNE}lzfGNK}Z(pSbs
zRO#z@l)e%!ph{oIuk;1`BoP<iLb#@bFM3`)>ny~u%=6w6n!j!}u6yMJtrkaW)q-W6
z<BuD~GQZy{fQE%w`mBNaHEV8R)$;8gD%Mm*E%L5SiuXf6lT_w&<U`b2HE&f0`TYf}
zVyY$nm{rYtb&a4g6$68{BW0JV7A92<DXOuo;JI4~1K_$Ex$vOxDS*}+jBe_iex4^<
zMWpaU&{`F>GRGe%fmW?#RQdg8!LTPrK(c~$IZFEg#64ot5~QMvz)jMEZj<_j`h8q{
z9TzDC1fFbKJ?1k_G*)$MmjY;!3xjYCYAU~69|eOj>KlYNlwcnWvqr$V^;v`TEO+{H
zx}R=$7T$#i>N8ZRaNZcgIVca@j+}6Na)Nf{^1g)L+!cYN0b_O$B&8|1*KC6sn4wl}
zVRr;8e)v@<Vnf_){hrh#&cbf8AB|Cl5g=~X2Sa2M4^4yE{vEWYfGjlJCL`VfwQPt%
z_wVv`|JH-f!cNj^7j4xQDc8jUwmJ(ta0~CC)%k8xMV*Cr;?hI3v~x8``#ZkHZ4P~d
z8~E119}fIbuho01H{E-CZ+qk`k)MtHm(J}Szux}uo%ghTC-jZ_Z+oQeU${SR`$F4)
zZTr5qi*1#*N7^3wu3anJek=UiDjL2^khus9>=Yh{&(X8fORr-tL@#h&lj@jnatRda
zH{HE7($9MI5y0|1isdyZOOg7vQr2LFLq{`iwM4N@3d*Pisa{v%jp$?<mQ<d806zrF
z>ohWtZSX{?W##Gotg~<u4~wTK3CFk;z!V!4@G;)=)yP0v%kyBNtO7?r3&*$MtzxbK
z=Ra1iIs*sNQNDg=fzDR&p=@5Q;xk^|((G8x7T}~86gLJ)GX<I!?o*3}x!O7WFZ=@x
zw_Jmry=Dl*(1dPT72y~h0mBV@ILJk(v+HEm^GBS8<Aiv+eqRb7s3LNVSvc7(8ihGt
z&6bd6sQ?04r4Bvnu*O*yvfH(4RZv6B@goNh@M>iWG*X};!iou~j8p)1Sy^<H04j)?
zJor#hd8pRZObgs)z%d!|^?^>uY;4_K&q9~|%@Q)$wuw==S%PCUWdB`%q6p{WAWFf>
znr1}7fMOgk092N~w0TsWHg$fuRyk)>tDO&WVk;c!ozB8BT-{zeI<UqfXc)rEcLG0I
zhjJ@uF79ikE%q!!fFZyT2tWXo7Kbo%sq0f+OSOYuo^uf?E$+iPRB3T>J2;<8CB&2@
zq!eVS2F7VZR?(91pLj}9)TFG+Sx{Qsi{GM3i;LSdC7zKJ@tgrli+gYpRa#v1C@tQD
z3n-(#=vP|6`QCn9Owac&(wj=p-RUfh;Wg(2?;$Mp;=0uqURyJ|fGkzdBa^eWAh5b)
zs#SH~!MYFk>XN%ruS*1AsTFNlP|cX<%-G1#F#&A9;)0kEL{WB4)Ufh=oyJl`7l0b`
z){OR_R;{8LM126K8O9VWqJ#BCbrQ_Z@Np6r*<htbRxE>X`wCmO0a{@3)zEG<Rd%=n
zANh(My9YgoSplX&gUwI1mOniL=UeXS7CqZq<tciywaQcUd~21b$SKz<59#$Yu2r6^
zpLDJAn0wx}%5&~%7d`A+@;L66V4afJd6PS2H}VXsZUsfJnk~CLly(+IF(aX7P#0Y@
zsMRMB$Ydk<T`H4ZMCz$wUru*__eJiO@Sl<W|E0dq^nIkS);G~N)Yl950RFW5V0U-d
zSG#_$E8o@C`Olqy*7@%6pVfc6FNQuF`YgwVyTexaBcY$GrxE{dKiqyefRD4RYeFF0
z&E2`y3ZOT7*ZS-m{JBdHI9EIHn)^Ii;6qdEUUR|ztaJ)?e0UEC`#|ti2)5Q}XO2A^
z@>z6kmY8~LhL$!mU?U$Fb16YFWF35B=2S40&uCgEr5Z^w7rbctt_B~6tzK}ep!+u}
z^%k2iv@PGvgp0u^s%GJ_*pbF9VDtrOryFn&xC;5OfycZ0yjrP<##{`PyVaT<%VeZv
zN=&E3cpB~qNC~*6TR*{Qe(#XqS*aC_U3c>DrnP}_pKhqTmYj1)@~d|b7@rBeIx>Ur
zF0i-X8<%@M8ff=MFx(uDX)7I;1TJg`4Hz7t->MqOSOQ%c@U{q7-uZ&>iOTYWk@@Y;
z)pk6&oOfY?HZ<j~P}hIt)rH5F#@r_7YMW=#3r)c?cs1<H=|1CJ4Ph$g$sOR()U~Nc
zm#yQ+oU0sZfaqUCQvr&$miuFqv-qTskgbZdh%Ot4L#JtPgxAJE-t8=+tH<Hcqx8KM
zZU#4-q0shuU)!C&;nb8}!gb*dbRqNxU)>ma41pC9xXD?Z!LyPmPeKM#o+QBHV{sa1
zlg&ZM0OiRdx-lFM5#>q9*q(_?*<@Oj1wE-I!Np55C1i3S!X)HmE|JQ~GPpn4;w+*Y
z#o-W@t&DBCbT*Mm>2d8AXAyb)4u^>HBxE#{CyS5b0-`(#8Ghx-jm{$S2ObU)i;s|j
zEk2$(<t$p5g}(nSghv_c7USwh)shHign2^;fkWrfW|1EUg?rYT9kVqRt{U*7psV!e
z-Wsr2gE&WS?%6!ru=C@z?Ft_~Yh~f23CtqkB%zXpn`Ov6VsvQaAU{)qgN})^T3O+a
zo@b@?69A4u3Q(T`av3-!j=`~pQFr!&G7IH~Bkv;xHOJor=ABk)$}4MuUl&<^)yzYn
zJMgC6cV6a^ctFtE9n;{_-;}XCcKq<}*s&Av|D$w=-@>N8e$ro6r`(M`y;%b%YH-8Q
zfcqo{41+>L5#*Z8kfm&yPZ_wMmxyESg1|RaPH9kPN%ehxuzATbXR+jy4vZins@1NA
zDPF|$s6NF(@L4SQa=QCNA?`-FelQT<bfmw%Pwv$tKhX0#J>A{=x*qPF?)X&uZ?=7>
ztt%W4Wx1!;_`4!ET3YyobLdts)T2Uv4;O;JhK9IqP%89<y1DkT*>b@G2^HKgjT_Zk
z865={K=&5aiaI}Xatvt;GlCRPrNf=FD2sw931X5L<v~drj3=WBSyVDoP)QQ*DJN2)
zL*Y>9H#yY!#{CqW`w)fupoOLs;^Re1P(qNBiWEdpBAQ5~GpY1)f)deWIxVG?(0$=>
z_(wOGAj>&`2pS6{=+O8*$A|cFbdZU<t<Gq1(1akGlxQL;Co;-%niND+T8@VfgxlIa
zxxqBeZ+70Z6^NSe3Z}|EsvY)+VDLnQxX+lIu`0TaZ1*&9UWHC>3lJT`4k9}qO-gY|
z2_QQjO{L><IvsjXxV`<+4JO-i#+rAf=X~LiZH|GmgLf~p2hk))lL;jm4;Y?uG!5PY
z<V0vJ+|hCO2Gf*xMi5P@z>Yj@RP8*(@qlG^zf}Pn1-M}`6-0~_O+iQ#C9`~7O3`#8
zCCjPMNVv1}mJKGR;tU~T&_Vig=5gxKf#ox;F(QM=5@Aw_aVfr>EHMfNN=gn50a^dC
z!DP*coqdQd6X*h_4}T4L*#4+7jc;%i)LIE7q{_<5wypp=<qXWCL<-o)(p3RUGRaIr
zltcT%U0r{)!E~N?_98MTgS(G<k01eMT$bsXc1MX_a1ep%Xj*|dEz1`-AW&4m$3`Nw
zH{9L*V;fAM?(9JXq8o?H$0w3;i&GU|wW%>~5Fsh(DX<R@=&4jRBd1|$2<-{?^h|Fs
zA!nToB4p2Mgd99FGIVfq{Pg(ou|q-RB%xn2Vg{JU5^+RMMuAK?iw<SNkw|)j$vNYs
z5IJuRBxn55nwc%k9iOp+C`d%pz}}MZ{YxoG00jzYbVI3dZ*SWMQ;>5Kh=O<^1@-ml
zl#vC?W6(Ai3PGeO(R4Z~12qAph*BahiJ=6L@*5jWis{4=DVac0Jk$O7_{fpN<ceJo
zHSuUBo=#>0s8OP@R3%|(#lwAlKfJ-z6degsGqf5t<HTD?-8oJ$Mc^tZEe1@Mcof8i
zxFm<9aDV^%H<+UNHYbKiDh85t;J`S47~d-dQ$+B}dI*dGz{Zj8NpS$M`WVDJ#UMiE
zD6Fl?`0`~}mZMTafuB$;yy-W&FTxkRu793%?nFo$K*aL(z%$f=fu1~akRP>*Du~PP
zsaUl#NM&FTIR}QV$QCjPMKLO-;Xo~5sSu;G1YU)u(4FCdflqDlaLGHn5skqD=AjyJ
zBiQ&H1@T|yM=Mqt)JOruNSUal$Vz(oY=#n)pU8xEhtXKr*xhM=`zda7I2rEx(XOps
z&vunM|99t?yX3A@10NW8wCzh>V*~rc2M3gaJKz!e+xGiyUuyfewhy(<w&mJ}+r+l*
z==YjOZQJqiN3XdOR>7--0BC4$@oH$#;OkJ%jI&5wWju3+XlTz|+bP;>>Qbi3{QxlO
z=O={htW|*!P;0Q+rzYMHfX)Bfqd>KOnSMUvEDm55qSHpPcP|>*aCM+=X}&zbBsJnM
zX@wdX9`J~=y8hx$UPW%NN@^8s$l-iAo2!9B6dAtpMFY&<L1%99*?@?Y(SfgqE3eK_
zWUVj+5CU*|g#rq=r&kYck0+J1s2Y->N?H~Sa8$6pfq=AvoJot4o&wt(MTXNW6mGyh
zy?O|oRAxXROUucdokiq0JRBk>yrGAv2`}i-yKp|$sy}o)2U)~x56wEW6%O4{;Dfqv
z&Co-{Vi``vh$#X+5qrpUB1S9{=!w`v{u8kmrkzD%KJdwh$n1V--Dh9N40PENu7os9
zmDYk(3ujyCc8YsKf~-nZ2w^}PCH7H}2lsr5gAOn<A;&J@3xx;P1Gi$()giDv0q-a(
z1Rt2<OU4Wj?q0x$2Y;kuLY7)U_k|Aw89WN&SGM3%Ow=_kIt2CQ;g$Cw*O71$_}!p`
zfWPFF?^FxiOD0x0QCr=~8a?N!o21kmiPEz;aFhvNOR6^VW(m=6Avl5@Bao90h~}%y
zLMp6Uhn(@%A(Ki1j<ATQNMd$ONm&{VVZ-g2miATSDmeMBJKz)tsrK%`NTNLSBk*@L
z0uHWHJZaiS@FO-Fe=8Mfckuk%c(_&1BPTqtqG6AzW&9q$6Z$NPd={1(uG;9gX~gYJ
zVAV4#lof3_*9?5CVocf7mAD*OI8!u($<T~S6`~{;0^b79G<u=Xq)M%5SMjC8Ww;k@
zvngz;#{yddi+DJxZWPreHr$o)A9Cq`Ne6=q0NV8pqc#FBl=wS;#Rux$AM}tr0Gbvi
z74+Ew#hxw>DD`x5K&ji!0cGBf4k)g7bwH7~vjd8~-5pTuc6dOUr^^FMNv8)CG`gJ>
z2A#VvaT?mh`@#t9m%)XSCs+)2+~i*{APx<WuLw->b^-h|RC!_nfW=R|jPYoBiSozi
zK+pwc;2hkLgsYe6DyM2g0y!Rqh{@<k4(dT^ka|gMpZdXkGXs3IxZmtu@6Vu9bgz%V
z(3$QX&LVN=w~xx+0mgkb5`*<NXK@p*j;{1)Hjk@ClRs9o@^JIGbeFT(kBd!Olh;So
z8a5Fi3AJ>?v%mYRaQ^>4xc>L`SNg~M2m5dD`^&!H>HB>5rS5!pXV*V<<vLDwjCRQF
zSK*=h@2_#6<37qg#*K16O@+_P^xxM0IoI0b>wfy#gU;fecysi<T?E$2b&F3PC0668
z4HSUW)cF^mg%e`zpp1BjsOvw8`|pII>RMJ7GP0q7NUBRh29Dz(nNU)xR9sE!*%kz?
z;EkQ>ev3`~lYw+(RLT`FoFF1r-Cr5pYeH^kY*%vfxs_>dQQpK+E`)%JgHRQ7#W{h>
zaE4&aYDPh5uy#Q&*#a2WfPW1E9H|IY=o84Rv7ozNXk~&0&ni*5i%K;h=%il-m)N8)
zo2_OmuL*(cNwcaN7&TTWU!eDf6g5%<qpnibJ(EYKQ4{xo<ML`A%w@3OY;>3a#$zk_
z(P^-0uZj3|^RDAM^F^lR#C5ODA5u%;t+&GOJaps`k+2}7IKIt5o%*fDlxLkq;!|gS
zlFnz>UTVV!CvgAW-t}M-tp{GOFQLiqi@nYwar^Qd@k$$-d>w1Tyz$b#69IX*@C<$G
zY1lK|iH8ihVBmGl>>uHvL#xY*fzFVZ4RUCcjByANPX;;sK}I?9Fw}}pt~LJM@UyWF
z?OczuxPxftLUh0eNC<0~EB;xsPRAE8UWu0=s;-#a`mnS34q|^uFL6w+qC9MQjoIof
zz8%jR;<qR?>GNB(-&uScE`5Tc<CS_^>L$2L@b~MM6WEIk0fxZq3IR~Gk|;y;cEcH@
zXiX=9#l6M5NS{Hs8%WF{db{Dw_G~tl77bAYds{6hDDiY$NTdHq1_<Mlo`qcSXSqlM
z64BcYXSOMlq(B4NEa-A?#Z6FM?ir6R_szJVzQgnDazU?5f-_LP@)@dEzWAuK_$JJR
z-%I=hht6D&P0AYfjCgCZ7Bp6O6Y(k?F9q+B>UT?h8|sGAHysm^BDUqt#p>Q3y!R7a
zai*@(;>lrQb45uL%?Q;OED?pTQER*GUSfaW9CvGn9UA!Nz?UHcz(+gp8psda4;}#S
z?){72-|8**7(L@XLp|^6tPDKf`IgT1j=${qsgBDX?}JxPxWCEJ+qr+@eu?`6_mkL<
z;1{5#9~}6efyV|OBg`bUjk~u+wleTh2q@Uf&v#K|y}r5jYd45!g?9EVLx3UhIza$L
z7UHCeiYzLKEFe=rHt|B`$tIG_0k0&ZB1wk$q@t3Hx;>rFfmweRE}Er81BGMM1UUDW
z1YL$RZn&licQqxDWQfBmD#@tZR6QfZV_6*}nK7><qk1G6;(UfmGOAyafe#@bz3GQc
zZqKYizxfPY6CcKM&ihW0-JZH`Ij3$>b71TNEX1q@h+x^l=X0ZeNmIqjT#tPVv{Sc@
z0auqOs1>^Hqt@L<xn=0yPq0=M&Z~_<o}39o48VAhG(vQmM1FA9oG?QCn$Lzp^crP?
zmgJlBNWGm@tX$4Esvh?f9<c|4`XQWlKIA<(f=oDEY?67{m|5~HuE5O>I$pYN8p<Vd
zmIl{t(HYWmR~I)ri$i#t&}+#m^#Q*4Zr}Vw>OgN;k&xPbvC~<+8xQ$sAE!h9b*v6-
zY8W?u;^gTABl#=|(o@)fYGlYdMH2TOJ2^FV-+q!%Pn}fobMBx)4si<wqw#$C!3UN-
zf8@ajXwCS^<HeJ4k|qz2B?|g(Uyby88t>sRYP?523ct6i+R)2s8k)e?J?=i@Ebb+m
zHsXamqy{Jg>qBz=`aKe7hU)j!t;e0kJ*3t8;^OM}u8GHiR&NjweyY_|eOkR+oy80;
zeH$J0ogNh7j_>cjP8MwTnGAt7BLHF?iGV_9+N7(HihGxd$=kU%Ig7+SA9ZJ;ZmF+5
zAghsxC{$LP+$JUrxE7qq#z9t#;d-dnY0@LBkq8x3R-5$8YM^xz@OxD2G)c8i{o()M
zws02Lwy*7v+Ag#e27aY~v|sM$`wn&eZP(Yju6BL0%jr7UHQ4pG@P7|~Dtv!<U-)Kt
z-1i&W#C@ClcHeCcjQVc#rW*O&)4a2I4s)VQl>Zs8<CV~JvgP$#fy0?LStWN*)V)_s
zAomp$$bSX==jf`jG3qzz*XXjOu|~BXDFduo&f>AMkMM0HV2L_GtXV+TF}=gu*m|$C
zm?ujOwL>@DrDh#IPhf$W!u8Vy#@Ot2Qv${^Ib2GOWehi3=Gstd`*&{GGdS1r=PqaQ
zDE<NxgeatW0&aleYu(oNs5%Db3jh{z&Q8~5ZR>=yc#MEWXRYRf<%;*nfVOTvTUJpv
zKW(bWSxg=xsNmy!@~oPLYiZP1E!~~K3Vc8QJh}pFo9|U^Frz&<2N$d1sBGstNM^4v
z1pZSY04utRClOuIHDb#Tv-uI6U7yWJF*AvCs6Is7p2~{JWKz|IxDii-y;mIh09CU>
zDh&m?kxt}N;C+1YVf+?d?6qxbN`vRKGI$?foWMnNvDZ9{{X@8*&Nh}U_7CD>y4Y)V
z@8b_Si>EQa`5@(|+WJ*5b$cwtpZt6dt76tddJC$U>%tBL?EUS$DkqYAMM+hXlBy@u
zx+G;2*@T!$=9GkyO(=Q}x-2Pc2{ork@tm4LnQ)s#121RkIN0pT$*e|IGxf^=cC84$
z&7(OJE*{K*yCSO?104p6Z5GqjVvObsV5<}(kH$3JM&69lF|gCK;W>QE%0}7XK^DA?
z=SxT_A=uy=9aKW^)XstKNywR{6pnxra06hex&IP%k{D0YZ{C04aEkuf@L7c%uxA=a
zXK-$&#H5s~((<e#e3RoVDj?L?DZ{?L2U*ROR#L-04!mbzx9zS@pnf8EbZ86)FLfE_
zI&YU7Zyq3PYa@faDM_P>IFuSrrBg}p(6c`yWrl{+Qf6dC9)&wa@{)#<aIHI+R^y71
z$z;>Hl%7c{Dct~mpk|GPMDRy7qaT6SbKqr9jRQxJvyuq1ekz$wLBvH#*R^CilUq`|
zq$V{@RdjH<BW9(PB&w1OZgS%pLje!NG8vJ?9N&WpF*^i9K_W>kcbm4;#Y4iPg`1Rj
zH7o^9bSqF=t|6O0>?}Tj`ODM2M0C_{xLy<NHJVz$<xgQ&TIcdey?4@=)BQ}?Sv-Ns
zey>f*ejRUWu6J;)`ZV0Ro6bAG#h+)NRG)S`SDR?a(s0eQ3!YtVYN7g8n@@p;ik=N%
zeMYTrfryw7wqy=iIUC!y){P7$XYn{5m?Q{%NNc`rYjEZMuCH)!=6<=Y_ZNGAtoMap
zyLWHzyLxZ#TIibT+SRqC^Rw+AZl7<r+D~)8+&<F&_JNlNUL44^-#Bo@{k=NyBLg2A
z_z;o^+XuJ{ubpIg>D|uN+wd&>9*fLEbKSztp+h6fJ!@e<O<1-O6RNCcQ-+|SQ#K`=
z1j`|?+!xerTsBh4IOOUr$Tq6$CeQ0Pj$Wa}yE^bGQGsY@#GD^Ku5sD%J{97ps&IOB
zCqF)8+BVd{kBlEUc0A}{30d4%APQ{JnuhRZr7B(a8)r<Z#Kt@N^jZ)ji}hj=-*9Uj
z0FgCn$#QpXcg8$c%8ho&vWqHi+}jH%wXw7RfC4xPYgPnTy&C5Gczwr9JhZjSC9vTG
z$H#|84;?tXd}Vf5;#E(+Fo3jg3ECb5rMegv?1&V&0XRp$!@Itjx8LSmCB}4gw_*Bs
z8#g*viDex<7c;TDUdY{wtEuPG)3U3?XpSzYCM>5{iM3okr~Bf~&ebh=B0ooWT;}U|
zIrXe>-jNSx>~!E`ZJ}o&L00wjdL*@|_gl=n69XNZtzv*rD<I>PChEhMCh1UJQmc2E
z(gzzubJfGL71(EEfookaIptg>29oo8DT5DK;dr|7SYuR3GFO((5*U@l!AX5of?o6L
z&3I7GQ@y6?s_NFkzjruS$rVDXVl_86W#l`Zt2g3_G(?H+Yz}YlAGYm(?N(scGDF~v
zfWS@8RdNTHE<aPC@ROx9@Pt0^!Z-yAzpK4ChbsK0wy!1V&lcxu1iwWUepB0I31YX3
zIW2vQbCtLap$fmLhQjYEaXLbm;HhOxFmZlD7uzYk1P^?*&3+^F2cv-@@H#;NSO>Yt
zR+n6nZD%S0jN+|cMqzGW%N7zC1@C1P<~ChbMNsc)5L)9Zx%NUCg;{45fKzMt|HG%b
zn?v8^dcW5D3%#d1{{v$DeX;Y$J3r9*VCOxZ672HZH&r)fH>LXWeJA@yL*I0N-yVu^
z|HAzR_gi4~{{^>q8h^Q2fq#UO-1Q0$-TRHu_XoDYGCc?sorN+HUk_k0l6%f~V;bCQ
zfDQoyt{G7XRv*h7W+ks?)rvJ8%hyUM0)qe%&;^j*Nn{M65g9`;O9J=<(XAO<FiO*A
z#VR4)Lhm=)n0=S01K6Jofj0sI5Q|&GixOGkxJ&3XJduFNvRRx>Hq6{55RMnfu{jZr
zxl7yOo@G3hO~^u4Qb27gt8kVXH&h{;HN;FBPRrt%6vW~tr|LvF<}PiM<Rl!m%1IE8
z7sx?5S@XC{^)>G{XW<NPn+V6;CBJa|CTD@1q7yqi?viU~_uMIG;UUZwKUgnYx5^m#
zg@K^ZyiMI+4?%$FX|qa#N3DhOH7JY^RIy8=SqS4)G{DJ`nk`us@STFg$Iyn6-jO&w
zf)Feau^QZT){y6;Iez5e0f;R%RYTkv{3(GiB=C<!DuBAItPSoIK*v0j2d{Z5^21m6
z8A@Y++bF1u4W5;-l@W5%Oe!gz1-fmx`v5LN!PSiAd!lF*A+R>MUxFP@G~oQ*J=TLW
z5wN_U%g%vQm?${U%NA+|9DJ)qAqU>fz`GNii5G0442p1}I%By@4j4S4PcdvEmB{1_
zDUnGgj7IG6Q59U5^24>tIip&o2io9?Plme};Fm8*Ne;I!5*wxl_Z-D~bh3kdsa7ap
z6`ZT(^&Llp0}brm#nZ<`A-&Y!npef>s`Ok%ccrYs>fTH<jSI17I8wLg*2UUSg;!Nh
zFH^NOu^(uBD<9)Y0)HFw+@<Bw&{g?@byn5RfvwvdSiafdR1$fPjPms{g<Qd83-Cl<
ztzsJt-O}t>%@!mDf}p`shzTQ#q=oy`Vqva!4*v`PK<AWe5QI%Lgkh*aw?OzgW=xwl
zcn#CB$p!LlR2byzCcDcn*5;gr2Z_M7hX`DkT!G8JzGEF&?`a?F1)ciB1HPPYaEg9r
z!&V<?&hj?*9QuHgFQ@zId!2<M#^YI{Kjof#9V_+eGy{vCDa5o6;<0eZ(9K#AtMd=|
zOTc+))gUFF<A4*ua0d?`pK#~t(23*s965I2`00rW5@2LC|I&4v;QPQwvr)j@I9|~)
zkDTLmkkygHFM|Y8v%x!_bq-iNd<w93i1F7@#kYQqWrwps0?85mHTPVACf+p>UO49)
z3tQ)VorSY_EI1u>GeULg$g?z<lWBPq9CNyy9jzWSCA2ibYQ__2pp<S!z-9Fu56c2x
z)$kL@quBDN(1J(12suQ<9f!Tl7T)755F_R%>DO#NZp;;H75+Z74+8FiH$wbQ+p1MG
z6q$NdEtzJ4KV6%$?1DONpEKuZOx%Oc0=0hbqIJ0@$?NJQn6n$~|G(@1XYWnG<GAws
zz-|y{^U^V+gW^zSNh6XNRd-e24P7QdP@+T<6hVs8OlvUJRn<TZy1SZP)c_%ltgtlF
z$QoIeWknf}WknXi`6jj}+1OsfcE0i2n{48V{W;lqHpypi;v=?WZ<22vXKe4rS$lu)
zsOoBT0R#_lB>55gDB`_W@A$pz|NiGs#rD9NAFTa<ZR<C-zO{96>-bi6>#m{mL;B$F
z4F3Ayq5g07|78D<^k?DykNW*f{B`16iIv2AiESf)KC(RW=E$em&ow+=KJG0s4k@Sf
zUhPnNOCxkGaZ2yiZc6WC-V$S<GQG#xt6cB#<;T3GA-dpxfFC}uUNN1=V-kiV_7!9$
zomZIwD%4VxjHb$&yk3GOu9lXyQZX%O^^%r_wx?0dWHvzP`39)i;3TFT_AJOAVr`0m
zSO_hLUE;JW{sxf_A3b&S&`C=8A=DBgd4sZR1pB_Xr}UuU(FSSXi72jWVh4eeVoGmv
z*CiU(W30g1H092=OwE;vs-o7?X9+C@?|-?J*#w2g2r|Mlc-Cy$B!H^J{1p5CIl9~o
z1_rTk&jGqD9gt)}u+3gg#vm&=1iB-22Kk#x%XQQP!&DbhX*hG__?gL*hmsRdO?31I
zm|6qL?#$P^QvR?%zF=CWaDhODL!v$bC3u*Iwdy?Fqk??{Hcizsjr(wXnxKlnufZw_
zJpY4IG^v+V>Sepey;VBWJ~KIktHG={@kPzRjj`WX5m?J5s^%>XGSWt6huo_HX+ub^
zYqMH*cuUMPJAY8V3Zi1EKYWqAI{advx3q=!<Rzwf7kl+XOjLwOgYbfaj6bxVR%;6&
zH?*8CMKG*=cy)+@%U3)*Kj1C(u?4Zn7eoX(a6MKomPov7iR^m8TVjs$&)0d^0<rz|
zI$U>o@4rAh#dPjtuXY*9f|B|^n#(DvS7AX!qu%zO+lhzcFI>Z0R#bI)2<YC@ZETh2
z*iw2eVwE>>48yA}j?oP&ps=kTVg_IhGyh=x;CpS?ac_z1y)don*lWQWhSP9j8IdwT
z7SMm-SxbI*>J{>TrZ5P-TD)OR7r%jz0)k@hCT}SmzbE$EjT5?Vr@STR>3WinZ!q}s
zDAOFYo@LQr7<~e29SCkNeR{LEw3BWR&Tf3wXE!b}FWUa?0CwXN6WVij<Ewj$8=%E*
z^_G}SpR*fZ-3{+4g@R(}IWRgG!!5r;TFyfY;QeznnYa83VRSCg6yEYHdx}avS5Yfj
zSuGS`_LEH)<YJ*vmGhNqDO;?h^G2o!M&~^JinsjA?ov8yRP<b_07j=vvpD(tN{9S?
z-=P_t{C%aH`~{=4MYB0G^OX*x6IGt2YxfOK8ozSI1n|{8IxS;N+6X*RuI9cwuft2w
z#@AkQ7Er*%DunCiu0iOAN`TbO7o(pRKHYuAui7p{pgi1sUpFmb|Dnz}Ed2c*Ficjl
zSxAr=@L7Uv%3zW1I(|y(;jFOO7a<O3z;|7P9qDTou4en0jTYFEggfm&oF<M>BdVo3
zt!tperyUx%W}4A<mNBhPTaBvis|5T1znea{#!{&Ytj21KDTD@pR?nZKBatOmV|tpk
z6;UPOdQ3AGh+qBc8q<&0r^c0951VrPmUm+Vv7d>>eujAN+wo&t{y6qyu`kCKV>7Xt
zEhHK)a$?`Y&p+r%k8Qc1m!QQi@mK#}tyQ4^r!P-s;iam#bUQuFzRX#xuYHKA{;M^&
zVLrC^t?Q$^ZZ%u;EL2XgIhgjauY=5fqpZRf54g>eh)~D^TYzvESW}^AN{DJ1+c(OU
zmPb1b&2s7q1j|e5Whg33W&TG^7m|qNnN-Q|qxY)t*-bQzdk4^6dr0&VYCxVVBRrIg
zOovqBBI2~!pt|>?>-Uy-mUM3%-Q$-U=@NMg^RB^`=Ta}KOHxQz#b(8pxmId2e;d@@
zC+M#EiDR6+yJ8aH(t{?~ysGFb0?KFPys8(#0W0JX=R()yl2%P;bI8z)bo7N4>5T0P
zN!@j>Zyu=&q;qPDh-AzIZFhFuZZ%UDr<fsyv@4Jm5rRHtp3~~hn(3r?Pm;|=en9&I
zrz@?H5$)HmK2H5#y9)j11*y@eCdiASi!gwZ@TL(4(>4hY(c!q=Esc(jN}Y+2f^+R|
za;LJpkO&D;r1$KjW&G(3SIX{V-})l;gp|@DZ?s8(9`zxdV4bsz8tL3qo}N~7`2rLd
zR5g>#Wu^2(_p04pL6zP0>4tP=m5~vLCPI?!3X!}^Fb7C0-2imP&ky*nKJk(F4*ah1
zv9f;>GFmE=_H9w_k{BG9>^`Czmr6+`w;GGJx=+pO4z{2^X0}-4;m#tql_PzUb>^gP
zyPqrv9SeuOlAKwSMm$5@v-_qV9VhH*^C*~{wJD<2&^p;}9IDl%=X9m0RgID&SJPn9
z!%R<=i`g8pcGncWq*gP<qVl{{fyM-f5QjsZt4f4#$8Z-T;oKmU<#m@r4t#YblPsuF
zSgzXSWa*N1-I@CE)gA6HBm?vy>z)75^n-2%DczZVKKpP)0R0Z!vNg+brO$TniE*+Y
zplt%lxs?9wL!Z4@l^&8pb)K3ycA`w!5^dK^Ry0?-H=Mghi|c=HK<v3riD1|#sC<yI
z;Dba08T?X?mcxg{UIHUOSb9tP#)_nnzZb~{>@68yEws*{_&N(d=uvp?=+}I<gLcBi
zQIP0=?o(oX(ncxm)j7K;)x`u8!Lw(Y-9eo-!4O-wnGi`P$#Xs(winQ_$|T6C7OVz*
zG41QD%J9YrraZc)yE>NQd}LwzuBV+sS2Lla(sKt6A1IVE8IU5S?6{mgI58oYRAoY*
z$Q2Hi4rFp_@o@fmX-Zb*oU9fhln=ca*?BWY&Jhs8W1&vn-8tFEJDVa^U$yE9Jy|*M
zSnKI0+@nbsa+a=3Vm*X|i(@=Qp)&dugmbT!j!J~*ohgM+F$jceMj$*2wMEyAj4<^?
zZXQmLa3yjnvtcFcI}quzB<>1Z74#v*AYJ{I?s=SgW8TtkO0#}Z=QL{|X}VHct3xv+
zt{vHSwKav#@~f@NKW0Fxfs@RFS8!J4Yea;`jB@>y;k6#+B3&RL5D*9m1Ox&C0fB%(
zKp-Fx5C{ka1Oftqj}8Lc6TcYSGw@Vw=O6C;XFLD?&L7_S%+AMmW_Nxf@j_y1<U3p6
z9r@PC?AF<>PY(aw!0THd+Ir{K!Nh+Wcq;KziEr=tr5*3@II^R#{UZDM=wKp7A`lP=
z2n50i;F!EDzba5iWs#A%Qt0b@(rT_)g;#Mz8rESDl+i14DVNsZG&GwlD%DInQ%t}7
zNpC4j8Q!mz7{mMZD^}8IIxT7vq-#wVx(yPXT$*OXnYCSqnksFiKO0cbI7Q6CyPI+(
zC~(ZVb~D^2H9B%MVygmCex1mMh$T5OM5)2p943DVnYXqXQi$Dubn@uI15+~m3KQ{n
ziv8N9sj*nEk>t~^ReLryId#x#Xe|qh8z<0D<Z;=D&uJ$%D~{H1l6Gr`yJMG$RTHtR
zfvfhKxhfIn!=+3yuNF%gY6<KsL>x31+tMMkVZj%x?dS$EIj*-G#0NlN<Wx$jN=i*9
z>b60Rb$BR1RfU7~NWD)el0(u;EVFp80}%^6lC3h-+4MMoRDSvevtc+y;}90<Wr8Rq
zx*aR0kSHk>9dK`oTCnv<tO8lpCA`Q-xElYIx0Inf#hc(eB}z1O^=suCt&(TFC53kP
z{C?iutJ7KRk(KTBmRMjYZb$NZgmD5_V*QM_B(uJ7i<H;<uH`P?=Plhw)zA;{k>0rW
z&e-oQeTtSH=Vb?1oh9KT1k$VfX<;tCdi~C=&&F;EpVI8#uo+<S@3_st>(JcCZh@{p
z3rEK_?qA=Xu4>gnx?&=#)>47i%r)*`?`YgF<!J`jxPQG{;~oa5IhxJ2>R;yur|2n*
zjOzE4NZwdTFF$2?>;DwHr?>CjDfo&7_42>kwd23^4R)6izx~Za;CXLpg6&`y`6~8C
z#BM)K3`j#JqJ|0CyFo5q=I@%hZ_$jpg)0lbE{Gv1Jjd9zjtw!np<!)oxpoUi#Ubxr
zSePs_FkhH&>^ki&jk7NCz3@h0q!hA3<;KCxpc$5^jllIe(*=PsKjO>MPR^N&#P-?Q
z<t-hgdyF4eZ*-Z@;Q%>6bNK=C#vpOT!#&r4M4)bJs5%(4R=O-A4hPA-v~qrsyoQ4W
z-u#gK$<@iwfdD4=&}5FuYs4mrc?0A`;A?v}q7#dAiaFrs=hSPv4O7+A1(*imoMIjU
z`8oAk=$yKfw$0C}*SgQCTf8OaE|6OWy%tyoZO7*6A4tW9-x+>&_}oA${-g2d<M;Ia
zLTst;i+!!W&-ESed!X;Gz8m6y75~ri-;DoC{8z5~ZtHtH{>kg!=!dVt`1gPK`uvgX
z@wR{PksOv76cBj%khgS%UURQ4FpBk!;Mqank@U)%C0cjX;}jHlb19{ent}H*;t_*{
zY=o<_YRj(64Hq%L49i6rFT61WZ8TENBD84R6&5&bL38!lhvy%BG~-UsJ^I8W>SNBm
zRj4=PP5&S*m#mogx(}+kdM4*|YOxyZmPe~_f(4%)zK;%gKZAz`$CaV@*IJYp%o^UQ
zrVJ%#xvlAPWwEI_PNzFAo_er;pre7)ky9p~!-!7Sc2dPcI-Siz`#q0fX*42M&^mFn
zm8@HO%O+mA=(lD=#y3z0rH(@3Y1AOjx>DRrQOYnY?U@-^S-`cO?ZWdL=n&ag(GTi%
z7h7<>W5DT-)uN+vnl`G}_}~gDV@8JaAHNk<k>Qh+DjXB=wHD0lT3Tz7xg!a`?A%rx
zuWSRJx%_E^Ka)bLVJ@(qw9J|b!bEN~9T?gz)@;q_Km=G^<(#TS^eCHRc+%#ZO}Nyf
z2GlZ~n7L*RWEYv9Sr<GBzc({TOoq4}9CN6z7PO*SRSH?9R8VtOHCHKS3q{pbi;AAj
z-%S>g3?fd3Vs%hic=G1KEU{bD7-BGirM!|YDe$eBP3NE;TgcN7VTR~?C<{EiB#p&}
z!C55Db|uBEUQ>sUoSZr(pBiVO>$-lMK7}QI+N`;VjB8Cpi57I^^oi34j~*E(ToVvW
zkA{h*H^>X=k*<{C*QdRu!*sL#n9MiZ)jgVl5ti~;LYB_9&DJ7QcBcQF1_6wz@YSDL
zwr`ULV<wgQ-M}`QZoq_o?3ll_%Q7=raLO_pVmUS0go73r)F${^2aX>Kl(W~eo11qW
zN`n(VN*SE9n(5;I@Wo3u3Jq}Ymk4r$I-^U0(FX-=zYb#J2467c2gl1}v^w2xE;4hx
zhs)(hj!qstaP;Kl<f(G`5FFg;CbfM-ToJZY%Vly*vA>fztVV;jVQ#mvnqXyHwPxVc
z?7%VFK4OcMrKtl?PL!obA3u7`cXrmX>RY4KfnzY#W5GzE<UH4I)f|lv2_}GL#!8%N
z+3jXo3cYIVmJ_O)prIKCsfK>U%a`vuWY;yTQI-yn_mES*i`guu4jei}J~=db?7)%Z
z<SX55xrp9Xqtg|DF<O?<A8PUoQ%ACw8PwszFoFyhs`4_#d~ufac%C@US<q^=PIrS8
z66xhYvw28!H99|}C*TCOtO|PfsVVZ;qvWrXq}x3u{ovGHrkVaKS+_if?!bH#kicex
zgI_*r&S*}Zt=Cmw2Y{e|$YLcU`-EJa#%$>m>(CTV=7s|=RDLUK0WFnf!z9i|gVj*(
zDvEZ4BD3bXwMv!cCN_KrYT7K0XT9c-{-Q%O=n$6G1k8sP?S@$%J4{kfk-uOv3foq`
z7NJoNh}c%7J0bwV-^_eS(n2L-r{hM@aIm08`E1)VU4Q(cm{p-(CO?liJp(sfKpI6x
zbozWni^vH2IGUWV_%((CVF80sQ#~2H#&CL9jee8i0;sXmRMj?Mv4x|OEF)Umf@Zlm
zrw|RDoqD681gnDpJ|P@&h7uzdI-dl;>#Oq5vfmFF#*qf+3Ur-hbizRaoWq3k3BU}K
zXliw>E5+5Y<3c6yd%LE!SXu`HvOXMguXh#3O6o~FN6TE&&UhWJM##eW@_jc6s$L)<
z5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Oftqk3It12mW&`5&NZB;ztv;#4U;bk^g=0#|FPV
zxHy<XqW^P$>{ny2#7@S3K6XET{6C4`7_9jJ{;vK1RYX!&sf^&Q2dRu8K6k|$v&_?n
zbeMQbpI}lWD5wxGLWG?!9cX|>Tw?*9%&eBLq;q*WV`kyo46$3~V#!F$1ua`Bn1+!r
zsksd(&-#A;I}xOzAOpT*9X@)9n;fk|0^1Ph|IDYq*5%Qix@%uYXErSTdBm*Q&QwF2
z3&eM&3}inF+^}UK|A7Omf)cp)3One(4?aS`XNE)hgOJx*j?+<QEu^5gnl41?t@irt
z?{-z1$#1?3(Y3t&gq+QE^j3Y>Ipwfdsfg?@$2<YQFZjAURC~nt;lSz<*^p;K|7xBv
zMI&+{@NlRn#)v$pzGjy0wARkE8?!bfj?oQ52!x-ta%)To5YZWY2bQ+oSfko5-$=b6
z64yOJr<h|iUvfu)CV!&mHslG4?Pd6{D)Sf%>^ti4sk_)2dm*2_M6q={9I6iEcFsXs
z*4rj`TSi=%bv&5)<)Zx1QhoV`4X52yXt{=4+KF?vYw1DkD_<de)|#2^)tOHGMr`~l
z59-6-MTH7!pXY~dp#5;UhYg}>Gks;IEf=4I0Qh29*)={l{Bp{>$TXE-JI34l5DS2<
zI>NX?djOjA`yl-a9Yb825<Yr(Quw&xN!>?GuzQ$HD15y5RdkLNo)R1*ehGeb@Lz-D
zVpZK(rT(tuB}2zUP&JhccJhN`fG34_(yIEy+n#&1JwAC#+84$RGHisy@I}*|O^z)`
z8tBR9n;Y5T#=47zyVP5WzomH#kXBRAcyuF&b~3Uz;4OB86h<c)2Z_w1)gVPCnh8t_
z>x@ZC!d+}4A|RqV_SgYn%P{SG=EOff7oi!v>eRr-V@mk`R@`;cyEw{}d2i<XE>PyZ
z3R2}$-o^d&@OXq*+NH_cLuh2Zi~DHtr+M+gjlma-4aiq{%!$th0s;Ynz(*f}?fril
zyDfgPFL5HFCT<(~|3?1V$p1X@ZvU?j-qwG7;J<A7hkXwXtPEU;U)=Wh27Yj$IdEp+
zfq}t+-x`ejKLfupI5={A<oHJ)sSnZ!&u{TAGR?^IZFV`<140}z;an$4gHa>=UXun>
z4m4k7xKp-f5KB`g8dSb+EL3KhcBpJM<Unm#CXs@wHG2VN>rF64TBN+3F-qxD7J+Ka
zYQ<}K7n#-1OONw@d^8Aj(C2}UXYvfkAqnGFiUWDpUMes^@VVrFF8QB_6m~A3zB_-L
zckv*l%{*ow6t726ct=gB5QA`bP3hQ~aS{_!+ShK>tT_@k9Kj)Be~g&1u;_w5ET~On
zhm5-r0WdL5Vyhs&BaJ$F)SdxXjChirPGAtkA@)&XuHEB3_6y#{?`3r33||fb-DoxD
zeMTCb)UJcheLTW*T|-z`vsJfTYA6oK!4TsifP(dmfS7DO)9~ZT{ocigD9OmI!Q%D7
zbs8G@R%|QZ)M@YHG5Q@d)QZ>lWYv;UsirG(Q7cvCY=wlWua-&(GM>#=l$>JfMdMcQ
z;!*mQKM}k0hMLc-nG9mpUwn*aF+;6*y<@0#@d(XehFbA@x1rWe-bJPs{c(=pt>h^W
z0)2vh#0m5|c`JwQ@8b30!BXs|?js6ij(2@^CsLTPoL|qbk>fXe7bj^cX5$vG6C1a5
z;S=7)hiUSsct>tLZp}$krs+a;U&9JWRJWMj?TOz60s?_+iU2kzGg;@GbB@HI%jB_-
zi{YI;2TRk7%z&LAU~_vmBB8(m#;n`<0XDb0s%O-yl2@xZz_PRnet^w|4zLW(;0M@T
z&jH3P-}wPHM-Q-AtnX?$kJl7eQQ3zMftSIPdW6yzKfrlX^(z+itwR)0*Ek!w{4Ybg
zcU?%I%a+0g1Qq3s29X9`a{C98z}1)j+75cI=d<H_$qq?ukYKGuKLeQXD@uTK1+f>R
zBPLueEziR&M9YM>5B_XyB(BB=ox!nzpC9_#!0Gs34H-ix<EsBNv~Os~;Qtu>w}bz5
z@Mp<S=j7=At&{$d{@3|Oy^Ce`{(6Ct#&+=ZCZ@Zyi<OpTz?>GU0x(ozcC$3zPAZ$v
zX<EfpGihC~l(HqW02@xNQqpr3L(Ak17;;wARU@Zlj9j`>gt1UAYo<%NYPwjd=xO!g
z&>QWD@t~?GfuU!8hB)^^WIb*<YS}5eA&FsZ5x%8TN;-AOUVv0qGsat*Q8TI4DLGW1
z?mATM5ApjwWMRo(rc6pqgl*vn>P%8L@znUl(d5Ka6I?KLV)D$y$rHy<k+*$VRzx@f
zQ?Oel>AdKZN2ZQUhJK$sed_4s<m03=CbtSptnfV#<FcyOZaE&WI%LzuQ$iM0JjIy}
zwGDSE^w(9D!}c3z64e#(ztU%kfGwO9AuOB?*G&xDBH*aQut^JbAwq0fcW7AZP$5`$
zL6FVjNTNqUcL5KxQ%5b0kTqDjT(80+P&Y$$zyR{eqbEWMAra~&4XA>1T$-#_Vdg5q
z49sXFeA-k~TY#3sOyG%z#%H=J9?j>xi%&5&NQxg35iFW^W3GW6d8MqD=e>(hvNo6t
zptv2dS~?;+FzyJmMyi2Z6Qxo_{19~WVvPHs`lOpRNaO4U@P=%w;o{%zO3i}jf)>?E
zc+zq#JDKw?o~93h&+swc2#9Aj1mt>D(`N3Ix|N8IX|1`oBOQkZ(SzQ_Q}n|*{$Yqo
zv!S^envcEv!M$VfIQtA89%r)Hgjw_Hu9V@SpSwJ7lBnTKR}H&jvEfHQxEP3@2?PWJ
z0s(=5KtLeyK}KME|3YkM{A_Ia9}j<H`1RrT@TZ6G8NO-gFNc1=f4u*bTmH?K|82`?
z{A}>^e0(nU&3G<;M|>pq7qLHx{YLCJ`kn!I_Zjl{b^jB8B+C6OacFqmyRzX1UxZp)
zlM?PPpJDXx*^kDPJ0ut$+t=+|$KbwosP_}<Tc@02Y2<Ob+Idg#HtcrdbIBK8$VJ9U
zIEZO9Gz+ek;5l15pu@K*@x$Fwth{_r8Ru{DF4}bBJT4PC8}X_;(wK)(-EJ*XPpT4L
zwNB!Mi6JtdP?8Igx|5(zhB{7HHNSsXD0av5pb>r^oZa=9cd^c1hg<j}3topIZ>(L<
zL%$OdPFZ((7i+YB=7KeTwo7qS@h;BM+$VTbVHd1x%tS1<rM}@UBMJ%x1Oiu%0HnxO
zx<R=V*(Uzbl{Avg)yYb(gu}$3$v*#r2$yx5!iCHBo@}P5q;u7hoGZcxE}PG1<YJ~;
zkaOv3u~5_sik4F#T&~csxNzCtoy}ybW}&L+5H5d?X7Pj64hfg1X$BWA+dabN&(drz
zT(+rj`SqfA@fmv9y)(^DAp06f1~<fsV$#A5fN>ep!t2AmTgPnh`b#m0ZI(>E<~eXa
zd4;l!C;{jiGR{j`C+13&1_{YTv0ZqQuC<a7s$^s(Eh|c<J2fjS_z$UmOppz-L_0Q>
zOjvUrtRuq`l7Ql369K7bNL~_Q-WSMDBJ#p=l!)v=mJ*Q{$W<cpLNb<4E|c%{_MQt|
zIt7Dqbqif03WNkO5xF5@Ohhh|#6)EHLYj!Ikf0_qw<ENP$PNo|BC?q<CnCca?Ch1K
zyMt|~HJeEo6eU5jrl_PSrI(b9S<;KLlF2D@HmktMIbSTwnPO3`<Z}5+(Nt2s=m+wl
zh?c{$qKNE}+$bV9EJKROUM)w8C=!w>MdWtmOA(nNSyLBm<g}cxx3onn>1ASH#0^Rt
z2riN?sl^;T1-Hzm-Evbl{Qu2cCS=6K;V)T}o2ob93z*iI|M%Y%+a3SD__hn%et6sS
zBdOt~ksF5pV)&Kelf(aL_;<Ga$1UI5Vh;3g*%$xW{y**io&M=<|FZu`|LAaOcu)NM
z`fnQ^@_+jOuYp~|iQxpJQu=Q~wI9_#{rAMqU!$?5y_Fj%LBlC4XHTJ+HuBYsDQESZ
z0lnj*E|=0;Mpg|aS2c}7+RSG>+gll=1kX#y7{TLwG+7A5FRlgGoXyelgHWn2l_eck
zmI;`Dn&-yg?{@~S5u8~W%Gs_Xk0z*VW{4Q!Pggp5=maE~Emt~hx8P{pfPgpj`oDa&
z`;xaZKxazlh)2BrLy9^f)&*47Kj*D%VXtv64|amrI5-37Eq{oU&}f=VP6aqjCNbMI
zgm1wZaPaXlNYI_9Ndyj})^CtZGTL3<3L*pD+85_<bf@c$zSmoc)7*!7_XpR6Y2cO^
zA`I>DR&Jyp@K=Cy=N;b4Hk!g|b7wVezOt2ObK2aYwE6Si$_N`dmr^@j$}+^ivAM|n
z+*2p@?kw?L9k?AQ>MNy`qK3Sv12AHjLW&T#6vQIHk@1<`o|%<fMpJf)A^`;6%&$7e
zG2Ar{NMl!qx>AOb(%+S`Yxvju{_8c`;-VUXzy}|Jo4u8r=oa8C0*5G?r`21%m7O%1
zzu}$TIi1`?#SB8Gt!$@R{0;B;Z+LJEo~0T5PCL8DDCG>Zn9a$RVn&y<T1kUdO<t3;
zRUK>uvr^6Lgj=u}Zt3i9)hK2)c>2zN%)8j8SuC(r{A>_p?c#GZogYzW@7%d<Wwj9u
zm>gfAh4{eEl7STq;6N<UWS^Dm_x=v=;ylgZr`*}@Q|{#>-bI%lXg?5VC+XQM<~3}9
zUyaBE(nip`4EDkmuz!QsY*?iy>bY%L@R&{9rBmWI^n3>5o3FDQ7C@|emEh8lsHcDF
zE-rUqqKLaBE{BLHPa~7Ek3zROq6ut1<sKzOU{BayQ36X}OQ7JZp|ZdhEr><xbp(N<
z4z0$d@mUjoovbP~umdsCV)O^&nt-$*;okz%#B##Ur}ml2nIyt6;6Vcci>B*#yWt}6
z>CwsY14pN)o}M~2acsZuj;3xJR=eKokme@uqC+<ury0)P(14?TFd$nr)!)}df$D5m
z%J9x_#%_;1RbQI*RuXiBe%U8=u6Tp4Ng`3U-$p3)1OnmeEvreWlrhAHbrFNbAp);!
zL-SpNiMRRGRflgyskC${>Qtz~3bm!xrt3Hwu=w1b!y&Emqz-Sb04`cO`c(5-Yh8yC
zc?;O>mTt0z4v%f-41{oF68x!=5P;J(+688TwuD5Y`Z*@SxeJN1f@vZ%Lnevl2VrU1
zuVjm@f4E>etx-Hv=qm+}6k1F4<DLX%glaada}i#c)h|nHz8w4=6s^3E9dNZ~Rol1S
z7Q1mki*5b0tv|K3y!Elf|Cx9$VI|It{MW&KgEtR+XW+L6ere#<fpY^|{BN!LIT_Ey
z{y6q;VorQ_JQ4eUVt*L>cI+2oUypq;){1?O{?Hvd&>Jx@-iX}0o1OS~HoJi<sDImS
zTYmQnJ`<k^1Ox&f1_bc3VqUEH1Eft&cyr)6><yDNZAe*HSg=|CZffsIYjDr0mGZKt
z6d`3TRpEm`ujFJkr|UT_ua=Zj1}`)gi<ZC8+Pe#tBHmMZBaIgti$2TWIPK0GXN3ir
z<!_vJ_Z#O%Z{>Sv*SMW!`&Re>`O+b8MWS@o>kI7R)4pQ5YKl{h6TV9aN>6QMw9ynn
zB#{NXhc+Ux`4nm(36%Cxf2#YXc?;fDsV_H)#Ph<1Y&yY9=af}%x1>*7jfRC-hc&R1
z?voB7^q^Ifo^H?B2tYXR%vp=~Nw%ZYNRRb4{A4bM=^<4~fv|z24XbLIc*jvz796H3
z*>%XaP~bmAT-HIpw-$9frMWh2alrF3WY^T{De%fFsk(-MMJ=A^q=;pBj{Tin)F5Ek
zbef2Y-@bt7go7B7vt!ItCn1)|A6eR42BAx=b$X;JBtz}a3DH+y0O8~!78@Mh?Pbny
z@&CIerwMBy2^J=>3c|Q0txEnTPn5lMM)yiQVl@1l7$nZ3$=RuxX1?GEgBbkM8rCzO
zDsY2BT517CC~HZdL#J4CpOb=zER1HF;55SCrNM@G)kGb*wfK)dw)i^>akzsX5@v3#
z<GTgSPzN+Cm*Ak=QS^1Nv^f=xxNw?2mvqT`=zVilyp=l{M>fOvalnzihKmo!8w)ti
z-*9chcKt-xfj9h&x3Zh{WIyl8)k!gWTp@nmTe*WZz}>;LH_WuZf?2`<cXbVL*HLff
zcGmt7A7H@tzoOG=!dtnGw(uOU?#3%Trtb7sZlx7*aYTEt=SYTv-XDD!u2<1Vfq+2Z
z$`RP!e|v0K%#OwXd;GWJKeXe|cf7f6X4~m)<6AEb{fD7n9r~%EA09e4bZ|%+x_zg+
z^T{ngx%1G@+xzy#Ux?T75&!ACx9{HW9<2U7$UVR4tvpW8#1}Poh%E-!&n5KEluFjD
zW^*|+Q_NKgImIYdONfSCs;Y=VZE96TF|&EIXyo;Dv6$1-dBs#KVA83omQ(Y^>^j!-
zq~#W@$6Jn>wA_@#%=NE*gSaA?S1^7nE|Oc3xdZc4h7Wry%r7?gu)Pr68Jv|R)e#{Z
z`sGHu-lRk<IJ8hsags)@M$L159UBO2nLlk#<}ciM3|`;PHQ`a&Ftz=o-ik~wfeAJd
z3xlwTCcLtqnx#WWk9yzdtvpI6?j>%vyLffCweQjWyB&);tOvKsQ2?ShOCeK!V#)7N
zgZN9SAWWQV)@=B#Bh=jZlM^I5c0n!{pjOy1Ku|B+vopw<i7s+xF<2V#hz+5*!N^x)
z%ieAfzCDOmgb(+5pc3!Bq&ZA;00c1geT^`@y<Ocoyd~JR;vWKmzi9}7Z^K+ka=y(1
z;oB$~9M}(rsr&`Pw|Ri3aK6pL9;IaF4G79*1^!(i<*pXxl4(|;8=O&aMd^h?RtMka
ze)<*X+brzPDn=H<^->;u8|L(l^KBMFd>iKW%|Fn)`8FT(R+tYsE+=2$a`G=d=&j`G
z!SOm*!dbXt*3EiX1m)svWbBv0#kt%&ZynYOad~>KnIz{VebQ5XO{QN|Ol6c5yz5)!
zPF-kOh_-`&$lwqW*S9ifA2>2@Sf=mVQC1I!y_h;^w;jiX(n2EzmW11O5FjUC$Re~(
zDW551;Wo6Wc6@7f-Ns?gkpf{_`Wmxu7*Q}yud|L+iz!eOH&;H<(BaDPFYGE8iV>#H
zWXqbd;MwRfT)7+vGX)%)lc$e^JjkSp_Z!COxjgCF-ce4!j2^=T90Km6RWRIoBdGM0
zI}<J#;>+v{kCiZ6IwRRn38bKdSKy+{)n)>z9cQ#aw1^pZEr>WF2L}Pw!-s)EK(uSG
zRVun`$;r>(?ycnL4)(r>6Ket0e65!Ctm`(3^~L2cXdH>mRV1fj7YJ3$d_?*w!(Y7D
zTS?OqymCJu!H1Z9+{ZjkK|4p42$2X*>oiq94V(;>Wj{!XjGz@D#LB5jI5Vbt7g~)+
zH|eG=!#j|!AiCjB_U^gxj$<{29AAxh+%qG}O!U?Y*WOcv@2X3x*{*vNbjaMxx3h(^
zEDPv%o^z)bBDi+`#<^mH*%cPX$X}qlcK+Sija?)TG-e;67c^HRS&Zn#Y39NS%l&Ye
zCRp4BWnAW-nJeQiu2#k!@2Yxm%?AUzq;+*m{2~w#2nYlO0s;YnfIvVXAP^7;2m}NI
z0s(=5K;Uu_*xvt>u^s)T9XnGy%<Vt4?U%Ox$<`f-+{hEdXNO)G{F#A29N5-h>i<dj
z0bKLva$6MT1p)$rO-2B_y0W=VG+x|(dn`UOj#fruas2DRf!HuSfsVw7WBrF=*T0}a
zALWqcXq6gF35mA#abow@Hwa%!5RIy`l9!b9n3^6_3dvl)Sjgm}atdiRom1jJ&^Ivf
z(kAml+b?b<LwX`|NE5!YI?)?GV^)Yz5c<a?4mf;F)DTWFYGnCjUMXgjV(-ZE$wD>_
z(O~?`eS?E1H+f{UFOHCr<uEc#)vC#20t(4!!6FTs$uvgDP}E>@m?k9)n}nVT%q8>1
zT(OXie}CW5(4I{m%*=~J{$P4n9$#?8PsYTlGtwy%LLzD`*<?PO$>t))l1&yMr7h*+
zU+NnkzG0Kca(>&317t8SM6S7zg*X-QK+YuTHB+N1<dAq$FCkQ>1ce@=_OoElyTq6w
zYQ&jjzEH&U_0C=<SxjdN#bW#=jQCGBdBo4XxP=UuxC`!`y*0dr!cNnjCC7(vh8Z=!
zbh41oWz=-<_|nN@sgN(`<1hA&jC^~O$M?dEaWXzVa;w3^RE?M>5Oabvv(PiB!3ivx
zxXNNvgXSGMC5^^8B7~3Jfhy*(l+8vQlxni1meiaYKi`)~d}EWx=z1@ZF-}I#VQA5I
z&P*C;WU}qnY<n(h@|0vDlUJgS7A0BC=krQF{zBi@tv|TQ1AE?ko(znL+<F%$4Typu
zD7e-R9Gf~K9qi0m^7zCl>7-e$F)QMp5vpUkQnHZCWiq8z%ai7mRJB;l#GmimwrzTo
zM>yv_M@IPI8Y6_I3$ANv>cnwrqS3B%iFMR?ipio<%%&s8Q%oX2bgr0=Ki9W?yRymS
zsd<ZJJP${XXHBtc)PM@fVnKn9X72<QlM2H6melxS-;N#qn>--fTOb3Ph#b&*LieaK
z<&#Bt?8~h_6S3$DNhL?l%lHDu^y`~ECev$^F{Lo32=ZgKHDK?_hyLc0rECr+kG->#
zPb!F|md?l9eLEq=-&}Ed&2!dXZj`=_@;nwbHCYTOqvSHZ1Ii_pLJ0>&-01^gn>--W
zg7_m45C{ka1Ofs9fq+0jARrJB2nYlO0s;Ynz(*T_?HJy0-(#^YJNy2k@89<QFMZ$W
zd$X_H_gLRx-;c(>6aUUfd-Q)(M;E{2+K+sPxAa8F3MTdjEMu2W&=h7F8+&6<uBueC
z1uZA*6%`)MjEV`%*o-Q}Z384UMj>OE@MyL)Nxx#2v9ULHYlW;)%BHIoG;zGEi90^-
zEghpN%vLt`M#olm=_t)$wz9D|R@=%hJx;Tkt!(TKZY%pEHE-!LYNz%yk5D_c*c(@D
zD;pAo_<Y-O;@zHjAtjETHv&eq1KE%dXWu}Uy1;TGV)sc1J_GqX1Ww#NmJ@A$+cK+W
z%S5!qz`W772qfMy9AY->%vxrRdOIV2`Ex0ykeV@FBEOPn5r@HaWFqE~8?FIUS<98-
z;=x>PFH0(0wA*gG!o2=3Xs$l{@ce_1X58tyN1u2^eayMH3Xl-};6Yk0SuyW*A5?So
zOwKo~3_1oMVa&TOoc+`A0mRWlO39_vbPCRI9an~3W@}MiFl(@cGi9w|$ZbuRnY3+n
z*TR;MaGP+-G<_@HVj-Q*!plfD4@2HU9{xqRiKpKa!-oG2cxY?cj$L)BWwF_iVgJh=
z%mSa5fe;R6ib>g>lwnrdGc$1C)`B+=*OXn`uF2*(>Um`KINik-T+bPBI%l=$IGv`A
zMl>=D7;YhD%*b{__S;ew*+EsN4oNVkMr&0pI5}%AcEZkd%$Lb@xUDuE$r+BR`zFz}
z(uTRfdet%^a&}C)(R8Mp+G5Q{M4MIP2VAalPE{g$mkq^kK!_n<{3$Pl#Gg?;n}K9B
z8S+TRX9S$_f>t!E@cg2b3Tm#Z!p1%eiM^>76+N53n=CpRhL&<g^F0mwvlO1-c}VK)
z)-(nkOmYdz4J9R)&S%pQ)MX0!&>&$Li=u6qhA#%eDU!xw!)Q23yET()wks*82EQs!
z>hO`1Q>Wxp<HYMnvHQ2_Q`jD-&6?}zv(_}zyO=(4`ry$c<H@E`4ZII_xi*G@Z^wgR
zkt}Uh?Q#Rx?KN4w#)jj8v2@33JZxhc*pd=!Rau%x#8m^9^hAO!8CW>3DLJzmak9*u
zB9mg|Pp9Zci%}2Ger-|;zEvI^A6s3iZZ{XDa{1x%BS$9>9yoe(a`II9kV$-$m&>DN
zzC+67gra{XaZFua6-?`*JaypM>hBPYOPV_H<b?F-<42E`nFn;~5`_*N>nX8!6wUzW
z+O3+SjrAD86BmVR`lXjfrIcnEt7e3J!d>4VqG5O?>MP#4ixfX_=#Z2;G<od6k>jgA
z)6EvuB%u>IDx*KTrq7zAG+fx~QLS0H>NZ!GMStKeTQlZ~cXFyD7W`wh4E=~hnyX>1
zR&@ua_ARR-eQHYj)T7d;PD<+(#onUf%P>5?WHwgV(IqV0wrj3#8{QF4nlqYHXIO+f
z+2h#KFWJ?<h*CI_**-xhaW*#`+`T=Mjdr_%m1Km&fENpC<3(r9bC)hHH;D>LPo+>)
z(Q6J_CNt=wD@~Bd4)D)Ec34WCl2YSR>WNjegtbdT%kdpg_aZ+7dMYPHD?LXARAV%v
z<RqVMTc#WFQ8^T!PZ~{r-syENifzuQ0ybSJ6EOkZMdmBo2FgS=6$%KrW_MPXiD;_3
zNOX5rmx=05)i$7?0!IU6?7i(QXqJm}b2Q~dK-<Z*B-G&G{*5Tb$d%|C{5*Y~@6JZ#
z9Waa|4Nf9QWJ|cA&2w(=0>v6iA>c^8uC0;hYL&Hf+BN9WMK?#{^R1DEJ+Myhxz2YX
zha|xjx`r2!!z3mE!g}$b0JspFaH>m4cD9h=AQr#U&C-b(P6)=1A1~qt7hWbT&@>?S
z&BnadvKutm0{0!emTQsi+kQND<G{AqwzJ!&wtjQ#Pj3BNBmZvXS4Vz+Waq%Y82I^t
zuMV6aum?^J>>1b=AM$@<KN0(_*tcST7JDn^#hS6t#*QZbioGWXUcC12%Ii|&wjb{w
zxGoKeMg#%^fe$7EU@x&a>C7uk>`lVKVj<Ew2kXr}s-mW=s!~8Kv#Kg*(*;%5su@Mj
zX{M1zl(SMLQvwHzMNsD)tT%TfXlK@}n58P3(8C<8Hwg!eg-PcetT#g(EG^8zdb68@
zb(6QmVyJ(d@u}XV@fKgc-&>ld{HxbYo_@vrt5aqR1TlQ*`_7?#F4k02TVO1#ji3?D
zZi@8Tk8qdV1u2}pFEntIRTim-cX)bdUE!|SsK0a=EBM9txw8mQg&0&de1dRP4c`Ym
zynhiVoJioFE}8B%tOK}T&XTMYl;Zw%{Km0&e`5wN`0ZB9UP#t;t!gsvm5qD1B@@<@
zlVZtoO{+L55{D8TIe5mG(L6W?u!UKa4O?y!c9+~n08?<MkWUyis6z&OtxgPOXavjo
zcC7);+X@Lvuqf;ECSfJ8j;5k{1PJH_Uu>il;eMsl>+lD99LoX2?qEpddA?2nrAx<3
zVlGv~Tms@@E)+m{l*}jbS<6UN-xVxrnEVNOr8Am(&1!b2*(j=tQb!G#;jntvAhNix
zCf}Dn3#ioNGXDH0y`|4GPirN<e*#ZyAFPFdljNDMlLTJZmdafz!!PdfmOevA^YW+o
zXg<VV*Fs*-dRG{n^F}Q&>Yi=i@ySzgdR*6LOfWDJsRD(uL;aPt|B}AWE^!ieyq#Ts
zT;aXm(x>U9F*jqeH`jABw)Aw@{O&q`qqp=FTdg<p`3+nGfA`MPUEb0e+E3>EEcRxX
z^RxTBr6+0b5#Hm$_0dHjg6R(?xgdHa5ctp|u)Y7=v0d?}V>>5y{OOJ#+3}?v>h^!R
z{TH|Y)b<;Ozcu_1hu<7t9RBR^zTsPj{<{Ag{Xf|MbpIn;ey?vh{^#-Ek3YTY=ikTw
zN&Khd@5Nt_e<A+)_~$<m(8T{F_T}$RN6rs=%RKb?bL^yhJD?=Of~YyGR@3UAZ~0;<
z6}G2J27)L^y3!dnm(Laxz5omIv!vEoOu|)Yit@NqX;aB(3zdRwBI*}hO&8K~Ny%1Z
zyhRif{9C19sHq*^aySNh>}`+=%i$R4vA2g`JnbzH(yQc4TqOSXbtV<AiBr{pA-#`R
z2g+DWuJ-Y7HBKHlN!i1_F8)KD;r-I&Nhw5igelt5a?n&crI#hbLMJtrrLx>8OZl>-
zreR}+AGIvqTbA6#Ch|rvNoqWC5QMD%&<fNAIuyp`hYirY<pDae=T*KABT0;!HD}fq
z6Ibj|b-6!Go4ma%?JaMiDg5dDc0ifXA(G~T=NlJR+YM)zx7-(|9p3Ju9q#s)<21Lx
zM=}@**UrDY<x}6CO)pv%2z;mzxY=9!0^Lz8%0cWcL^(*SMLZ>+qsg2T_7>rUJxf#g
zc7AJ5K4+vWW;Q1mVYn@4m26tBAb^3KD-<*pF%L8Z-~lIWk$%NFVQ=l$^<oY>U^zsm
zTw0)6obUBki0?H|Gq~o~TitxGk9kXNn$54Nx47okD+j$Lm!5NPIP7$I>xwyFCv0v9
zy{5f>$o89r-61+Lj9X<J6~sbsRLNaHwY)Y0Q?!<s0gWu^W8ntUX#7FQz|DHorA`9E
z&49H<b$uW&LKs8R6%w!~n(el>mRCsC=IG?ng9oN$+(Ms+mQ0HM+7)whv0h6}P8|ey
zu!X3ZsY!p(NT=6gN5Lpe>O2blCf#m@f+G|QYBrNe=ko<9+(4NrAF#I`w^|^KB>Znt
zYuNMmNe9ivHX^7uEJSX+f=HaXs7RcJE<PD|=TBjG%xMlg9}mwApzcm~$)?#X#hYoh
zqk2PGW1*0nd&}XK(2@9tNR?1H&46SfTs8#gl&hUDcoMW&ocR_@4&;{8=}r$qwA2Rr
z(c9m!n|szw6i;tjC4n149q{>fT#gwXP9YRV9RW6p5124Igqa+Qtw};~_J+qik0Z;W
z$B6d{evAZU`!(AlK0SY#n**nEiynRcsZ3aYXS-4mRCB4xs67@`GxpZik?}no(v#kj
z%^G0gfn#q)kdv1^5g16LYaqK$drNiJj(^Yx1mx8njFa9{jaBT!c;nR`Hcxs>bF51L
zG8?=`R|trS&2?z7eK3K*2cL;;`_8uC-1d*Qy}#{^ZS8FjZ<7apd*GMx-haOT_V^Fc
zXn&tUA^H<P9lt-mKYnX`Aoky4zl$IIiT4maNb$CN%X=s+UmRgu=_|ojvKnXGCKNoO
z4Mr}O8KTNsOeuNDE>fCIyu`>*;e_m@ULpU60*F?_cJ((-??X6KEE>6@l9n|si<nEr
zbY89~`H~FZVc9eS?_>+PVrrf5izZZji}{M2L)c|GtD99Bp#ya}Q^=U`JW)-T^7?w;
z=hKynqG}M;<g~1ug)*vKNf(N85kU#FT1lxCjRJXyhhyNzzCs@2yTj}LE5k2s@s?TC
z+V5|3)UIv^`_h#UMxedW#Wc2WygXJe`+-u*(1!(qlS!BHXOzCq@%-*7a%S>OJ{uI-
zA6#kVCBMd7ecvcv<>ZkLWi<TjE?Vbl9RCijr`*x#J8J7%tz13@IxA=*XaT*sR7HnO
zXU?@d-x3A_{bt<f05saQ5a%GOGpp;kB+KA1-zC?UZSXm7c^5m=SQwVrS0c`NU#NEF
zT!Y)YR{t(f_LgsBX9kxKd?h&cgK@6GJAkBEb0PR8L@Q*$(37+pAc#qDZI{pjL^IqW
z-usBMl)u<WIB*DK?~|a9uFrB(8pZHc)6@~u2{l2%4Ek68{}Bt`B!o8CY$TN#ExQSo
zIf;6?A_-iNRU!+Cw~&O>KuMdoEkmNjOGw`fbcuORueFIZSR!5%o3Ips!lf_WrryuG
znnwXd-+~m?NrGd-VmWhZ%U8NMCVRc*TPVU@y!4g90L9fzrdVw7?w(^@BnSiq0s;Yn
zfIuJ?1GRc%_`ZG{Y{BIlXo}C}-;=FE?35?bPSeE#*n%YmG_a}3h{v5avwB*A3({M?
z<(>2^&K7)ocOh4(fKJatL2h|RR})Z>Ti#An_}l934x?~+8_nR1!neB_g|~RiTWL0b
z$G?3mYz18yHPl`n@|F{n$oMh~vK@Q-idlt`0tm|Z+XxWROu9(jxb>ta0oSa{a4e)0
zrYb3gNRHMr@eDH}HX@K@%%ZhlV;d4nZWg~R#4Zals}QPml)N>#<gdf{qAV(!8xsAk
zVt|GCU*QJ~s)UhIAp4W#hLrEf{iJ)T)Xz60h+=bfbGg!25RWvP5q7%4#d%!&-(UH?
z{I2b>Z^mwpoxXYJ?K>XZ{_M7IZvEq}A4`mnn8WW3{mS5P4vq}m-*0buvF~F1KgIXN
zPH*tX@b(cei89X2UVo3rO&8jZbJA49s#ZbqM!9=bi%B(?g%jo;?}*4r7YYS<N8HyJ
zkH5Of+>u%DUNVpZ2GZ*f_F%1T9)sO;%eL!;<1QTq>pjBNqgqI&Gt@P4x8H1a3^^Hy
z>r2`Ay?uRsr#E>pRqq}$m`vng&S;H>Hr`s4PQn_^t`l43sG;PO>0D7Q_Bs?*^T`Yp
z7ci82`nGJjYm<jE>)o~Xyo?hYQ2G?3mX6XCjISdHlS{&qyP&T20gideC9@edlg`HP
z>g(^{vB`shriesF<3vu(A+xHrYtRX>7tGdFvu0Z^Rd}7KH(@|2O>t{S=>#*`A`+vh
ziOVK4xlE}Lv7xfbY_X)~OK}Nf{mo4t>x{RD43#*d@7+)#hY63IJ|UfUps*P=mP|5}
zEnw<;4~GoKg1k(855fg}eUryxdAt2Z*n7%7HFXqo)3PA1;}7k%j=FR*3rEU@h|#2z
zxtxk|#&;t`z~Uy4rsnM;qltE;+{Mkd^*Qi5m;^LxdemfAEkO$0J3VSL2anN8I=%~G
z0%kUOK<9_O+sKF(BG+0lqRx3oBu?#y)^=y@mh~*exyKHkgi#%_zGp7mov6_&$!r0k
zD?q$<MYX^oq9pSmdh><&ZE&l9|0a*t_HH4AjdmN&&kA;gPzUCx4~(xpgGwoxQ_1<)
zGbZHZGsRp%iQfWO`kU<v+weX{#zfpk_Z}7?BPfq}!WVu=Opa2-f`f=z?Hx!lna`E-
z#ccdz7|8E!^5iUfH<5un9XXKkV^gPa*aZ_p<@@84$E3*$<zyb9G3BF1SHKt)1@669
zFFgcQDU^yiwG_Vz(ExsClSfzcZXlzJJ~_Z=ZMMuNF=q9dqH9D;QOA^gGFO1N|K6hz
zIRzz~$*b`j5C!0sO&(Cw+d&5ONaS=)k^SRH)CP*Fd>|MMHIc#v95qXbjRKb<c>VUw
zQVt;j3M2%~4mkcVZ}OmQZyOm@^a1gxMS0JRLr&Sv%;5srVNqj3^c0-q#eDCW5IrS_
zNEAwZ8=U{&zR6>H%1e+j-5NPjI3OaT4Plib5K10<ruTkA4q_VQi=}u1o&V!a?);oL
zOgbMOiGfEhAOeBFP)&u5Giox@$vh;Kpon@F7y_SU6*ZHI55vj-&u#K}KJN{Z@!TId
z86Z<lqfG)qozk2+$yaQR8jgw;#3G!mx=<CwI6(jnT&RQB!PEcwxYtj{GlTK;l6N@E
zd{0Je2XZ;5Yt(ct>V>Ny;t5Dq_!{b&H6@9yRm^AO{lfo0z!!f60s;YnfIvVXAP^7;
z2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;Yn
zfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB
z2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9
zfq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx
z5C{ka1Ofs9fq+0jAh7ueY#)9-c2oT8v2DM&ZF$>E+iKgM*mlRZk*$9^Yz#jz^hZPg
zdgz^j=LW2SGyVT1{`KJJjriI4Q}GAmL$N=L{rhdwwjHrW{DlAfS@@U8fA{}%{NBin
zYn=GcuW^0frRrY(UT>u`6uY%A{+fNnaoT45xsN~hoNm`@TGKK2J!zQ>(v&q**Y+nK
zXtvCU9?)&Wl=PbBI1k>nsMTwCJ(NhemRmE&q!YH|Se2S7O`SL{O*Gndv!%I~-AGu*
zn53GfY2<Sm*{JA6Ija^6vSui{jO0ost(f^-sgy8GM{ik8^3j-d$aGEJb)+e?HE-#r
zbfRT7bgQY=q~luM3^yRP9n+Aic1wEPY*oybtvRmMm`OOU=C++N$voFITUOm{xLPgI
zGOK3GZ0M#lmXPpAmS$bI>5QdPO*NlvwlveVTb9;H>UKR<so68BS$jctZ5fTobK&}B
zS4}HL8STo=mNjqH%o$V02(%g-w$^rM?beudOl!@x9qG7fIrm9(rrBK3TzxiSXf8lY
zD{3*Nswp*_aJ8ABPnzp$`dm_PnFhLTX|-uhN0%MmWu8qtkU$?DyWP@FHXt4K&e*NR
zF{#<I$v4xeh4qMx7l}q&cgLg!t6|s+4nQY36Ub@hj#*>BPFr<thSy0xJVJk!_Kubv
z({-ASq<PNVyXq4%fvg(x#i8(Y?j3!iZMGIA%u>rl4U#*Hg=E*8ZP#p#(lvuowX6z$
zA7%CGb)!?+xLvPn4dbZQ0BU<j<+FYvyJ1*t#q3+vchXiTiS%v1geoM|o2Y6v$86dT
zKArC@g#$+2YFLhog^O<w0G4^nT};%>d9yYq)lI`{*As~cQe+oA^gxR2h{W^HSG^UD
z?xFMd^F4IKCatL*-pc0&$!^`w8`^=C>8_OFFYfkMK1;jv%3fY-=jtszfeq{)sF^KS
z8n+u&Yi7OeUA1bMqOpW5oh38KriA`;8c1QI`IE%5rF}rF;Z9@MtI~nvha{}e=?1p!
z*fC3Q*^XUx%kmkv_{#FsqEojU<<um$C|#u3-}s2GE3$^JwzB=S3;XC=o^ERH?AT~I
zw19(lCQnMN+t`*`GQ4uxx-DZdmD$QIlcihktlctMyk)7gdiMvllHrG{4X@$RGM4cE
z1aL6VjS-A+S~;_F1zXjTM-vpVwU1OBI5?$TZ1N0FG>yz8nFXv~Y#$tXO2S=iVxwq{
z#h&Gw_g0>vOXeBAJcgzZlifgCW7}am5xo(x*vegtZPy8J<uh#Q@8p&BUG=$rkGJw^
z+DeI6d1Lemdat+gG%fcaFE_Z>4HS!QF}_O|tY}ss@HYa1o4u7&bT{70cH`n5r$8QM
zaAZt{kBr4T)85KSnsS;K+*37-Vph)=WlgQ-<!nJO$)#+eAeYigu9&TsvLz*VtGDt5
z{pwEs)o!h5YDTV_&wt!onWR~F@T}W8X>*6Sa-3%HdvNhK&>M9bxggkV{T6TK7|s3!
z|L#^0pRNV^?d1o(m7|O*ws_tZQ^gbKnl;;UDS0~n<b(`@uOJr-xe_IdH!}2SvKTk$
zg55GCTpKMy?Mm$i8J*pboOZ=0{UqJd37sZs4kMDS2BC&Yhn$EWtxX#*EG#5v7b`8x
zkhO+ZTXZak63C8LZ`RC|QpuXtY%XVJin&T5rx>MbNhxGYRW+M0m|9g)%xvB)8hJfk
zEavodUNO~5p_o=xEvM#-*@w->yw$QBghoGNJg6!Py+S**IcdLzo3!PaNy|-bUb7KI
zIPlZk^dUnC5}91|gf=I{cP8Nz`G;%t)gYa;-4JPCNGYY1n%gWA-6y;x>4b(ijoTs7
z&m1{^X7c2r<it}GjFu){?_~33!O83n1szb!YtYB18*>eNq2Uw6{(k8tiT_3%d18<P
z0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM
z5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI
z0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVX
zAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO
z0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0j
zARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(Kp-Fx5C{ka
z1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m1Ox&C0fB%(
zKp-Fx5C{ka1Ofs9fq+0jARrJB2nYlO0s;YnfIvVXAP^7;2m}NI0s(=5KtLcM5D*9m
z1Ox&C0fB%(Kp-Fx5C{ka1Ofs9fq+0jAaK<PZ14Z&*v|NLY~+88{NBhv9{GupuZ%oD
z^2kW8|E2!fEq}P>+gqCPv+?QR=UD9P@kiov{EqlY>@Q+}5c`Ap)3FOz-HDA=u(GjY
zAE;70yk&JTc57dJ`w_=!o3XDBzxb@TtPGK)FX=pO=X1~LcCDs09dqB4mboBJ)HKIE
zP%~SuG;TMl*3ACI1I?EC&;z<{n39fM=fS%cwR-KYhZ2dZRddbOSVET0w$0Y!SVF=d
z`p;>{ZCQ;OmcrA<q<!YR*>I;VV@#C}96u!0?3w9?RyW6vS$fNM?5bOq&sYt^UU16t
z)S^?j8|Bnw(`;$3WjC}M`G~eb+F^AWnyV#GXf4!xq^`}FWBW$S<ugZ)pP4*)C^_-e
zgfw|lLdwKb;}b_izn_>qGja07@l#3joEg-}iXNLfarz)h=bt`#Wa`Ld==aIfr;bie
zK29pzPe);qcBh+~J3F>-ygXJem)nlna`6B1DEV&x{shKko*N_MbzIGvl`E#^I`U|O
z4qiGoB~4bVmTpQXTDH;FU1_SREi{0iG=Xkd4e2y0lnz;~M6+etEz4aTlhTQnsgZdi
z7}u>v+cljrNlCbiO><1r8jFbsQe@5^dLTvSFY)~IpYxVeboS4u`0Ni&AJ%FPnzbFv
zwdPG{I?-;-HSC2(A~AiWfw?sumvrN(JtG~q%$k7`<95BSHH@QH!%Q&XLn&Bv$*x7W
z>-)TAnYB8{TkSh!x~A?r=%fUA^tP*2YIK<HtSM3KB*SW<h}~M009ea44XN6)>r${z
zq%(HQxDW8?X6-)of5B`uZL8tp-|b4xa%O>--IAWP9Lv7lTfUF>>2BVE8z0jgyCEH2
zZ0NH^Z~0R+Q{$O~8=s9>tl#}WZF$idfq+2ZBaHwK*n7hV>{sqgd&{4sDW};9_LV(K
zCSA={D;e1+<w|l^)pBwvozLK3g^XTQ(uSU{-0CggL%+I{f3;gHXhkD$6m>LlcUKd4
zeB4{Ui>BPc3*WxLZs|L`<?o>xdwIrfI&KFUxpK2*>$iBz63zYu&%Ra1<z?ww?aMEC
z%XiXi;qTOW-p5yyB2(5(U0aX*a4olnyY8^vs#k1#j@+KQ={V9jZbm{dBtU3L8v!GM
zOU7;E`ZUjh*s$s#CbU|@FdcNaNopFC{5vaXtY*!b5*Z|EkzHdb=t%CY=Hkl!JgzT^
z(oDFOY)O+G)0OP11d_>g$dyj+I*>T7S<j@Us$Db8)_u~#tfkNL+E5H%HBH?D;X`1>
zr5pUehTB(iZA!WrW(^lAt<Y%MO^kqDmZXIP&E_FcNYW{@-sG($r8B0a&D$34RC@b2
z{o7xvETV0_);7qUuhnW&lM+_JFc&O$wz~@`0QwDtf|E>WZFkmgVLoagQE<1PwB6YR
z=rc@FT2V_WrIgAjiMnlARm;T8&_q>9WmJ$dRnQs@V96*(S(<g-rZbjGSq;#Wj+<<l
zZmI(MDTS|!DJ7pur&F3-!?eqqD_8jvkbx&5iYP9fO0;G(35qD$YBy4#zvi4&rdTv`
z*b1_yWs7pQn9j=;C0~-$IVGD`@K+&MOkJ{;qM1%-i}{M2GYwtN>Sk3grd3_e6f$Nh
zo2#ZvdHvG0<kOXkqG~1@*Rt58MMbWp3q`qTX7gFCq*RJVA(bGsqup-lCPPREt}~#I
z#{9{d*8Npah+`~FLP(BDe4}D96Pk-GWjZPcYbNw7`Q&biQFGlB?9AHjnjtl8vYN3i
zuyV<&)IhAxYqfTVc)nXYHEUtXl7;2;tStJy2HMUbi_G6PY@3jsN;*LP+%1{OnWVJ9
zb{?g=QwJr7J_Tf}fqh!5CFd(n@Iem+Iwl2qq(WKRJ3dzS9~J(F<COW{^^2aFJd@A%
z6b(_ky={$3DP6*bl<q>Sglfk#V6@D4Vfm<yqpwW%Vo$BSuhHKhGMzcsUhkuEiO~I0
zqg|68>TWygTg;?^bC{fK!9u`ej?nl1{tJzgf+X|R5l*MaM{s)hU!LYKh#DSfwK2&*
z@e@7ok?ljp*vDi4Di&Xe{j0?9C4MdOjl^4t#l(0*P3%f+8QL=V2ZKK|_~V1~{lC=z
z_xs=JpNfBf@bmH5U-oDF?}+_Q>?gMTc7K2Db3;W`w))Rc#CEMtV!xy8Q_(qBmwI0E
zmNWEL^ZX~)4bH5V&gCCWXVkn>Dx~$iW-5hhA*&P>rK+W|$<wM<RE>hJ=vvOm=~|_f
ztLREGUBTur=BpJ=&lU89e;|@WFj==-P3$&PPvT-oRjo!r#txJ55AyUe<RD*mnl@gV
z4Rb-(wR%&tW*WHO)8Xs=t2<tr@RlE^-F|hEUB>TR@nuY(VpFpwE{}tnW9GBcM1x#|
zhC~y|Kk2ocHdM7>W=pb}$Jv|J3%Xn})T*p!bVbb;3Wcm*jJ|<+wYV)-RU3JUuYI$)
zxXo~JQ3UnHN(NV_lVWwGR3)EL3h81#S1P4*=}e)Jzr^)cOsQ&0EhJoRCfGxo>uUO3
z(!k}`aLj3QUc+mYoprLrGhJ25<TvYZSJ|E<XG>_`j!An*58%(!M;f(bqwEX}j)8Ra
zC#w(2(MfB3bseM`@&`vQvL9QW9d+oa-~kw&Gbo+7$|D5}`7ye-pX2NJ27lXJ=4@k=
z90_ldcXlA<(XN!?7gcZh5xQ+&eu6jm(O{>A*Gg!mP-a(%>lQAyuX{lR%Z0Giy4J!a
znPD3_KssD7LONa^7i_P$e3;JT!+g#nm|*-0!<0{SP5G{*w|t1E9OEAcysWiOrCr|g
zIQ`<2{EHjI<S|yzL7F?oa|bst{GElqU%k3}N_;I4_&^|Vv$y;pUH`YT_5am7PN``n
zjpPSbCo8!U_T&9D*_UV#-p3eC;k=Kp?$NZ2mamqwa<QbCauyFXxsuOh<!aTa8o6wt
zl-70dK1%c}&inZ4Zty*FYC5au!RaW_EY9ipYKYU3rx~2n@zril$4%aHj%I(H59HQa
zYi9P96W(%`-Vi^ulc!%XVYP9#G^MXLg2QF7J+2e0K7tW&t>|Y)nfT<uRa4PXgkHb}
z;xDER(to*9cX^j=0iJaD$ngUIr>?b<V18s|B_}H=;Imso!VIa4-I7hA)TXly*aMu&
z-e^xL4amvBuq3YMu|3+6%0=XbC3F$lfs`&HFOb+p<b|Yno!sc&;{{KJQC)BKC@S`v
zJ)M2w8-F^JBc%7)jD!1IABe;IYCExg>xtNneOherox$gK{>Poaw)5?sU))(w{B`1Y
z6Z;dlj$9o2-JyRm^v%JGeOmBSiT}6wH~a4Gdpz!JJrUR9+Td3Qzk0R(_{e@A|7PsI
zjSdcT@$HS4{jijK1sA<WuirPg0OH*%zJB>*M<QZxB9({K8gF^9SHTf?+D_BbExYYV
zr%xWGPg<YvK1J0a9C{_InqJK3!7Wy@`Kk;yvnm(0iYBY2oT_Q2u4J^#<y^_(c6BZv
zpmKrW9`c0|gr!f!2~Z?h)jy`D;maesYU!}{CCwpXdCIzV@BnN<Ai*UKj<oOdPReJ<
zJ|s1XBpxiNT5W&CUGCq$3kwU$*~LoBGGq;E9gB|TP&SMM7FEqmWi+*_;1bN|i`lHI
z7!|WvRZEIef!c(o<+2&gsOpAN$mEL^EuYO-vZYd0%cTq1O35^;`G?KMyw$QBM2>UB
zcu-XoeuZwZ{i>SR3+a-kfg4xIqUl00tEIE)Tp^vwYejS;4Gx}e=vl2;Dk^y;qndi5
zs#eTO#en1>qJ96e4nO`bgM<K=2vowR-{s*K{i?fMuN#aTuS=r@Mu=ucKgn15CofT!
z$Z=K`-qdUKQF3qcJG5>ZR=eJNi$ZdFEKJY8(@oDqa(R?y^Mm7^KyvBzdCQ-phsui%
zqv_ubm`vAyU4PeBG~Qy<6d?W<dzUcCKHHTt{34z|&rqno#GgO!e)Je*`}oc%OXZYa
zW}5>_V5xFw$rDYou42K4p?k?$UH+0xva7s}I{dTDW%JLT@s`VUPS5Y>%RhpFMt9(q
ztB`%BYaQ)6pYfJIP22SNJOAB)?*?IH=l1QozrGu{AcSwB8xXv|r|C#I@9*6%-rq5A
z`6&kE2nTZT>ZTRyXrK77kY=Kv0s(=*bwmIx)hT)waZc+y;Iu;Wh)erq_^^G4uvDL*
zDg3B?XU|4NwRmZrpkHy8>N~sh)vRI|dbJ3a>T#OIS*q{&EY<CUa_r{5AB}DOwXNUS
z`qtLPt>atOt-A)}1OH**2ZrwK|CKFg2LE{Q-}L?HwoecK^5FZy&-V{D28)C8;F+O;
zp+|;tL%HjSqG;-G1_I{`-ts)7IG$mb^Lqi24?U_`s3FZIn|d8;hD-$mkNE=80LUmQ
zD47w}ec7nhppXG=Ke?{e7NAHMymeE7GRF+q2ki=d`yMy#bmp9rI&}2tNz?!xHlMa%
zS9Gm{rI3MMr;2AWUZ;7b=+(SshxYxYM|j^qdQ>+|I)F1E&ZNn+6m<7}caL7m&SI)V
zDUK8EMrfi<wxH_>UC$0heED`2=fBrmZn4E;bHF1=VrFR(XiGs!tZ72`0X!t8>qgi!
zhNKxV<*>k&!OEH^8lHBI^Io{hC`@83*hPRD6Jl~CxPBW|(X)x#W&<i{Q1K%i5J#HT
zP*ue=8<J%pfvR5;o(|I|l=ju@`u>yNa+6V`H}f$BBzBm<25b&dW5p_^TCBk&U@D0A
ztldI;z!laR1XobNHa+_}1^iwY1-#E&ZqVEVyvf0}XK3&*W9{pH_JB#SNIS@de(!ZN
z2_W=4N3*%m?>#E?!<E{msr+U99(ftNT`9vuYV4j%jRs$x?fPoh*5BXq$Cvs_<O>7@
z0v~b&K&)GI>vLlLT|%r={fF7`iSRBV)@Nvn&llOV5g`MJ^(y^}6YKBp&KYVc12xnf
zh;@Tzabo>lpIFCHsM8F76u#Si6n@NGuF&k;*-`%Pt&H)CiI~6slkuhR@s=0pZT7m#
zua+wo{H%Q?QK61mC}}19C7YE(8u}*C+t>2xqO6z&NG)<Dvsluj^;oasT8)+xt)uFC
z4M^5*{fTu6*Y2X1Nxnu&Mb_1z4fuRq$kS1*E#?9xi7vTI$R-8mC+X{;BoP*@Ks&aJ
zcBP~%(?y7uiV!26fNu1)>^GI1WD|JxM5Ql;iB@FTKJqKETl)T9U*A9N`^m%uJ12J*
zM}BO?8h$VF3y}La5?@TThKBooJFz!0Jo0~!e0%3VPkcS`?}DFy>7Ocz;9q`<_`g74
zT?DZ1lywWN${hI>+?Zbo-<a?1HqsT{OhZtN8}r%ljrpE`W4>~acVRodgx)ByOX&S8
zzJ#a^9}W>%@;gKjFH0?GgW=?(cTm2XG1H}DK{hIB7?A1Y4l3qhMV18*u9VXX_$&I#
zfL1`q#PI-3y9`M89Svspb#0Ltg3$&g9GDuMH^4IMJ}B!qn6m)Mu=O^5VD9I71`fWc
z5xX+<kUpsKe#N7Zc!^*h9EhF)UWPDGL`GeM0j1?aVA5g^0Lc57yngG}v&@=NtK02{
zOOJItIcX=*I?O21Nowv0qre5bH5Z)nr>uIrC4Jfg0|xe-H7G;eC)ti}5C%)VjfeAM
zSV4}Q{c4XrqMA~&>!>b-E<QZMb*L}27IizNxpv*sWhBY4K&%r}#Y(CUR~lxE=Q%0R
za7vo}og^MKHea4k_1eAwHiJX-RABc}=F6s|`WCvGzJTk882C9~z$?FF2Es0by)gUh
ze8tn`)_V6=mpvKn3csO4ZSoXiDaZeL)Sj^$kF+g=|NbcaWthy~&$mJ2cD|uPJyw8g
z7?O~SsJ18(+g<$6s*-Ia!D<l%hSsjRlGf5^!FNF#GtiCZws6&gn!ON3tb`XlA47*E
zfktMJ9bCn`u#K@^GW?tfc#YR^wLRlq7-6k&x$XN`#}(`u#`&Y(g<;yli$i=I5p1w)
zGXrajmf1QBuQ0l{I;)DWC$?h3E2(D<oj>GV7^DO87WjbrKA>kLVact1J}TaY0eVGo
zGo|-$y!1i2*SpY9zu{&w?+>nh2fZEJ=HHmNdKYdAUzG3fF6MHoS<ov`t-o+X_@aE@
zzbNnUF6^Wk{Au}q_tWx5@4^n6%^8#L--?Zghwt+=kw1Lj+q02}*beW)R{9lZ&AkuS
z+=WC}%5dV>VmJAtVgE;&k9C!~6DdPoDZ3KiiQU-s)y>|8kJBRj3I9HM!Yk>WTK}Q0
za^e?(fIvVXa2W`IJNQEQXnBtuEyWz<1>YAwl-|1&by}BE@0Ax#dlzn|P4m<E{XH9b
zl58L9izQ;mV~Kx~cw_j&@DC6DzXMMV{l}sIW5`CL|1$>{0WZd$jy)24WcZI_<hR~G
zLqCnQR|mWcchlSYhq)2^@)bX~#%Hz0j0vAFj4C_~DXw(DacsC^AzI(`(UmbWnwHlM
zIiDtszpRmmHg{E*!S*W}RkK=9^6Ca2U1w$?meZ(P7($5J5DJ=bY({*y_(UnZWz4|K
z3RA(x!-<rk1&DN6+6VTKEy1ru4X-Zp8BK+oKEJob4;sc}z%9yt(u6*1>T{-%ghMxc
z9xfOdfirR&B5QbGqq0U$4*MLTljaPOQ7%%ECEh>~E=tg|CGS4S{;1K+ePL0i-E!~{
zYZ1R6WF*{44i!sws?w<^9h5>9Au%YvMUBKE4H;aejmIP$fv|p4@*0ZxHN5PS#Mey?
zzJ<sPVU*|<bv3gX4GKKQ0QMOW`wfPedCny-TgYPpF@ck)%WJKQg|{n4>QBN#XuhcO
zKj{^#rc*;OksYTvm!`PB%TLoReVS&|*Xd~*qR`iTcfyeXv}VJvPNbytRS9$julEj(
z<ewfOf_6!R51e_z7U*_<a=jm`>pv*r&<O?-Se-iawiEUpk&SpyzW7P+0`sl)a*4fL
zmap!qhZ6;SjPJgi&(N9~8^y{PUC$%IDAcjnFF+U0C6z`lbr*CrM+n>K@_Z2_{w!AS
zz0Ni%1#E`97z2Q_8J4dRo1yFEz|)9%gyT=FW%9&gPT>5M;q!P3?qLsWE-qY-;1sOd
zq1WZfkG_5)OhYa2da>$V*iHNTrTh72>ib~c*|@Ae==ZhsfxfH3Cb@%7K4+6GZ-7lA
zdlz=mZyx81WAGB^MJzV3b(1!@s8%2#5D*A_SP<CWcLSdDUyTiaWBB#q_VA~N?-{;n
z=r8+k+VY((r?wpI`?c6t`+lMC>pQ=9>$81t_Bnl@?t9q(*?Oq&hQ57?|DO1x#J^7b
z>uWz=@2qzrM=$-C_+9X|>r6pkt*3nInVvq6iKuR$)p1b|&FO_%TdP~toEL_PlPzn8
z=;{)7z;WV?zmt7QJH#`zrj9-QRq0XpXJe_$m`jKn9->z-*JAtH?m|h)DpfNBnfwLj
zKZt9weJvzvU>=0HsNrkfqK2Ei3(TDmSLpp3SLnUKd;)O-_G^TsWzK;7l;M_lfjRm)
zKg9@vuU(p=ouZ=mtI_*LKQdu*^=rG%Lzt3gq%~K${#u~NO*j>SvJ{aRv5EG*4ilzD
z6|c;|)SpQ$@%WT9q_^;G&9>kunea$bM8H3f6$3UIbO^K>ORltCB2p#7Ro`JiH!EkC
zcYy_^@O#&#5WdH|pwRKi9K^xZ3vBp*-SW>aV~vQS0s(=*2M+;AM_JSjE*)JaB8+Sr
z=h<lZJX?l>^M(C1g-aHe_iTjkj;moG{fb`=%e$*;LC@r~|9^XL0^Y`X-w6ZY1%jk#
z$%kxOp~tdpQ;dd~!43MPE?coK>#*VkE<L~uNLV01V?a^#kvtq(mL1tmn&xV^n>5*q
zaUFjm<z^eH-S%tK<7>O^K6#oR`M!43v}yCTX*d0nZM)BQyY2UTj~UDW!vhql_!uIQ
zfp=!!<3I25KYxEo!_mO-^ZC*6Gq$6F!RYg&;b)vj1FX;tFP~eXe}-70eZIiuw;pl5
z9(fd4ngZuWj0<VXCH&~q{G?sAt*ripW?u1;loD6cX;D>T@JNg%R56=WBryUDSwvFe
z`Iy`c)X`gkb6LVC5I{yb1u)NHs{Pg3f5MX_5m7D-SV@3RCc?-ORjR@{P%kRtNo@vL
zK4V%%1XMinH-p<C{O$@WVnjs>AR!j?GKi;$+#_xIECNXlSW?NDCgx;K5n})s7t=X8
ziPQv9Nz)L9kVeu3%Tv<bA0CMnfMXqX^J-HIdXD&A&NR5RMWeik0~97i2^fWve2v^2
z37WM{qG5(0%aUn>vu==cgu597Oa!6D?MK9JS*valzrs3QHFJ-=dj5WC|M}T_j0-8o
z>uY=!TN?dqG9}FbWu+m##)>9mPv|D!roboty$bdH|7PdK&PTg~op-hW_t5W$ex-db
z@Sg+!G4QF-7elXv9<x5XLpOyU3~lck2>oT3(xs4nj{Upzj^|x{mr?+8tSMjr5Cmw3
zf5G{{*PMJHR0Is@f~yE#qbh=Pj~N#Z(WUrN&R4#+>I2mtaK;_*iNt*jq2MG32T!*{
zkJ(64Nk$ZS`X{wGz>bqySxl?g^V3o~m&S3BS99tLd{E5XM)rs_JD#9Y8DozAL}`%2
z6?BJso8mhS5MW*t2vuL=khF(^9o-46L|s!5jc#RJkW(=!k&MOS2{{sv##6HFb_^})
zTpclS{v7_+ZqR!>grm@aRfJkU>bx)H`1&7T4F{5?ujB6Z$!BQ(NV~rS%dXJi#m^rY
z<QDQlf>JqnWaJ3X?m#Zvjpy|Z4GQ9<?N+lkL98n7#aY*49o&rT1$ElBc-(B%k@cY#
zdB8lfsWS#ndBE|)U7Pq1@ygty<)}vzNjBuDa*<PeMR2?Oj0*?p%AWPJL-sZ6kZpcS
zzc6H6V3}54;s(RluCZd7<!@M<46FkUGkAbcS(-YP&r<rmVPdk>sf%Wl$XHV}gQ>|f
zu?iV7A8X&UweNK1SywRKtnZj(+gV!!2M-;yYUTQMvWq#g$I|?*<}};Btp0n2dv(o6
zq<M4^IO4OECfpJKH5bJ)pU96J7anF)^>#j0E#2?cZ|ysb3lCA9%06DVLv!1>p~j30
zEYHT{{C)?xhwb2~KiK}#_u$p=D$p1mw`+`E>tD$!360S)yT<6XEovNjh!RM_28|Je
z$TClMQ)2{e6@w7vR)E)tU4Ws6nkB)mzLfxdTyW%?d9APa)2;niLj&(wj{+VA-l-IT
z@_dBuRa|*KN0jH$C^nx5X|ZXPB+By#>|5bnzqSIs9LRQUq6T_8PWZY5H@5^kdQ-i(
zcU&L*?e^ac?rYx@xVhsWJHFlVMeB2^<8vLac0Air=s1B#tUvpAtI+%MmY_h#fA!tF
z+K#+5U|h&jKIUVb=Xw2Y%p@<y;wqI%(*r}P*1jQMK-T<~W5N0Sr^UOfI#S|RX3V?B
z%X+m0t$_KvFbTmZUl=ogPavTFq*8sx{9VdcNtQ$M)2b3~Ac&>6?$E0Gxb;IPNp`2K
z&Q2l}!@Tx13H7jkOw;_V<fpyfie}vousB6GZ`X6RZ@^PTQeNwKt#KrNMS|o)DPOLy
zmOOE?fMl>}jxhUGt!NtoVm5MG#Tt-3oh<G>ohwh8<g>auspqUQ+O7+ga<**$P3k3X
ztY*Wfbe+05n7?cI&-GoN)=oK|oYc{Giwb~~Km?6h%XHRJDeMcmqDdgD%h1W6oK)B_
zmk?DZl+&ZtaUe&GBg^!#5Dy_?Gb|RP%GlT_ED^)PD1z;6Wh9d<^0q1r!jD8pkm)rn
zJUUg#oviu#5M_`e97Votq?W*Urz|vqh$G$R4ipQ~Ny{2Mpdie?M7@oc^qH@93bTlX
zUfmleX+Q73Hw?wo{h{Zdf8MyjQhdx7n4Iyti+r@6U^&naj5_oKuUkUb1Rw<pNN8b)
zC`TL-jdLQwC%_??pg~hrq#Vx^&EA8?g(v8V&CPPJw>MAp;4QwxtKE9to=X`QG}<SH
z6WG#!5Q7f}P|=3Um9g-2;bbAaYvhQ?l2pY=k}B{d3{H&mB(D<@iQ$NuB|(%tX6IX8
zyDj*^=5)5G;YoW9ulEJNg;2q3_6LTHWj^2x+3OphntEy~)_bUZ<eK%tYsjO3M*)ul
z9tGYx6u`OietNF)bLBOLA%fx)4aE^+<-GK^8hcOMmjJbr^mV=`XaxT?_*cQ-3yuZl
z;HP`%+g@$^VDM*K|EXnPOS0w8z}ImT|FmuKpM|dWS;}#JgePZuW7W3SBQsMcg(FHy
zFHaDJc4}13MU!z^%BIAKEG5NQmY}IA(TJFg<Rb*iMnO`tCXA}IiHg-kE#%nEF6ppB
zM#6Gp34>~**M$nux0n>kiP3zX;K0dwF&j-JMF|P)RV69MG*u3-zg^R2X<Rh4o7yoC
z6mpfa4yW@B2NuZenyOUbCiNJJcrKSR0K#uDep*>M4^#iD%;KIqbwS;>Zcz!!L=&@@
zJFJGfiM4sW!~nxgcO3Zb1NR@O@eLSQ2aOBQFkzsJG0SgQ%<?K<7kFC+LC*Q*HwXvK
zP{+-Z;29`P7~JiPTw(IYJ5OOUSeq@@bg7>&WWp>R^G)r0W?EN1gEGs;fY)ymHG5w3
z`R5hm0?RBhEAuJhBCuLBZt<vR`?PI<E*ml~FvR%-ybVhxU2Ho-V1`Z)6&{%JhQquU
z{KdeFZ>zJ#>+Cy_0<dQk=^W+30I&BaWF;Gqr4wQ@mVyIRO2%28j^yE1n@njD#DXC!
zC)kCP^eG+;@cNcCa(G5mDWSlrpTVbdr~cQ8Q$P0C33|V&p&)Q?j*Jd(^acOS1tjh%
z$5XfV{<N>%=Y#c_LAi75@$07b7=C69%$@t0z3%igd*wsMg*-h<e&Qt8yR4eaX<mm!
z8KIRB*B#otdBvAIL$x@f`SPkK%hj3cVw^Cq;H>aJr-K>yUWV&3)m&XuHmT<F#9Xhq
zZNO6W@=~YH-YhgN26cDaj0bgBZ1#h?D|S;t-6gwKq3)91z)*L|&DOyB&6V}__nVf7
z`f{5QqVAGukEkoQOcV9xE>;TGBW|duyWg@|)Ri;yMMGiDl2Lz&88zxl-R&E!Lv|BK
z-E%c-NBxDG;iK+~%?46;#WIJ~m75lkx?<B9QdexZlhj?Zn@s91*{vsamliRkFxuE{
zDfQ1;W|g`NH497K1)H&@?n=$>Qg^{_dZCvr6+R3s6STzDJ@GmC&jQnWU^_uMvzbAV
zI5fV9m*RRFFHDJsKp8g(GreE)_1d_I_ZSx{^n`ma=PBFk*kat<l&f`5>(_lZ`(N^P
zp6dJ`o!{*I&CU;Y-r4!F)}L<8wr*|vjh1=;AGUq8?Ro!8-EXvMZF}3qwp-hL!M|_)
zp84s{w*D2$ZngE1enqw3UlSDAXUz37p_O~MUbKYPWj$P@X*g=fQ^{mPiYFp+GI8d(
zG1pCNJIAq|F20Rr(Z$?E0ir;KNTAg-lkLdC-2!ni1xh{;1*@afvD7A_4U;D_IP?(r
z1;qyb;Fh}G+Ei+fJCPcYQLP97Mrvbk${Uq{UX#uVyT%JeRe(n;u{zr9vCSubE*o=Q
zY?^SP@}i62N&}&4`RkYigC1I?7<;cV*Gab=Zri<RiLuVK&vcBYWfi7q;+8;0KWxke
z>GM23>Y_ua6$UC(MQwYd>niXvR883)Hs%=0^C7n3U9@|!x)ZqV^S*}dh_A#A#@uGR
zfN=4)&Bh#qh~|RH#VxTYqM);?mcq>r$mxr>-e}A*h*d5}T&&3va}05t%Mllya>NbB
z+(z20xf*$5CbYm%wYijY5qhP$9!Cd*ZGXHH=hZm}fcC|{&M&mw+{EtV-Re=`T|t3}
zF?SPPUtD`}u|J!L#}%j{#HgH;5WbaE#B@9t5u?dSBAbe;iC9|2Q-1qXZ}hLkK7p+T
z%7@JXKi^v3*b<8*H7$a3`X=K7OJ!pkPd1zCY-|7l`v&mFZJpm($p&zNp;7aV<c(Vq
za>o=O433&_SZ~xetP2dfpKn-iI5(``UkZHcT`?cLLB5SB@M5<ycOB(^Ug_Z6z^c`8
zHb*&kE`n;`R<b#`Yt0-<oy^$Il`%|9m>ZiH1uPAm9c*AZrps;t1z>@kTz^HJGt6+%
z!PqnFA_G8{Yic?>XHW14Y@9t0PGpbR;0Mew#=(r8sbAcBS&L+(=*x25@5q{2Hy2^q
zIVLqr<JqVjz}nq)mFu^s<6+?cCw!s*5&FMFMrbm$J9sE~U+}$cohURvW*cAe{SH3(
zd-<R-cPCwmKhABe3#(p<dnP6e0L?vIp4KWy$2DNS?^mWux$*iq>ts3)+qo76tVRT8
z2051!v$?2-oS)fzJTE6A2v>I3gxlioYWgf1Lrt=sAwijjWZh;=H^WSWXDI8J`|4g?
zCvHm?#VUZ*_Y|_Rh1oBblPnj>DhWBKq|}HMl~qNRa`~LB#*;}2@F9_?mdYk&NzI0f
zg)CfcNvwAmlpz@8Lz6Ri?3WX9Dz%D&iT<#nX0>QCpN(i*K9$G+!1XAJR5}mM0Vo@Z
z0h%PQ$x$gDr_BPlAA*@4u2C#(!$4=nSzvAF#>0@)R3h!MzNO{2Qs3ZlT`mGLh4n3&
zTGzf2g+rJTZj|M9hlezvW%OKlU+Gl&q$chmiiyXjD?4W<fqXtRsmpilPsCg|X~!lU
z3nQ++s*F*02n&0jxURzu9?39>D@QHhK9yMi4cor^Qlb)_F!@7z0EDt1EFTs`ggB6I
zrG0{ULU_2K0%|}I_mpyiYb1KfdSqIV1rbpD?)TBE>ua^$?WXfJb*v_v-ME*&06oPv
zx~098W6Z^ZrGZ<~>RO9M{nlL0Z;4(tEadg+)oPb;*ACye&13Q%`d^5qci2VK1){Cm
z>L>}GnKb5Zr>p23SJ*AQjWy4UsF4Q-Gk`(BHbnk|J&ye<?IZs^k>ML1`GKu2BM=w_
zYlEauVxzM?Ih_$?@)J84yIHVTPxiTnddaP|Dwl{lVlhK2;jpg8n`*$A6X-M;;Txxm
zPFgr#I$0`DmoQ~+b4;1OqsAP|Lov(Id=@MP^VKkJea0NiBEfyB79474*_hixyTOry
z7ur`qB%iPK58k0`+Z&cg0gnRjLJIV>Zi4-PyD#_$!T%Wiso-qzkzhKwwdJdAa?8%P
z)|L(aGp+xn^*{Ny_uSh$*LtqC)Oxh_J*_`z>oY&C-)+0C<M%s${~b@d$BemQ%Gk_u
zUHY4rc<|IDajwbbhPa$iD2EB2&Is`QXOJ}Ph^8Y36{-!b3Q-x!y^DIdR8@5vz&u`^
zIMZ&-C27@XpJfN=o9{fHiKyrJn3whRCbBY1AxJ`+M@V`&<bi~eD2GIdGx(;Al@M=V
z$T2*=0kdKfx4qqFUT+@fNiybGP63{A;!PJ$=HRj2M}-NbXa`Kcf^=}t8FM`Az!-mf
z7XM<&=VToAUYc<KJZ&SCC#pb_A)Zny1)%bAQ6B#tBdOr4G<za#mxw1>MMuU-@^fhS
zzGK_>8*?n#z${mazuA6O1Z@45&rFU4yB7mF;nuP@`+*${K*NMACKLrqI29o-Sp~qk
zax|S+<a{g_jm2U2dXVx~-0t<}7Ptc|nwHf7{5{9gMVM=-W{;Y?k3PfgQExi!QJai8
zmP>-Oh;Q<o5OZleFZm`BNK%fHU>o2~oqH4R+3C0kuEle4M@e7XVPEU@#@sGi$^*aN
zq=8@2Ta7uE?!oNo#$)5<2}Osxvii(PE%?2_JAW^964d+kj-~+CfoNX`3uGOn5?C}l
z?2BdrNJn!lp8(%27W!ABvd3=0(hcz4Vqr^KOGUJVmQ%1>unYoxw^*?47I)LO`5Ihs
z?iM#0b1c08x2`W()^$j52j9^z%Nv|W0gnRLhyrIHFy`)|jQd9>IP14+E9h0RYz&8b
z1+1C7ee{~Jsm&TvuTrS8Oll79%rc?b>}5G5et=P~pcF?Hn*N+>R_*3ADSB<qX~dbq
zlopnNSzaVmp<X^QO<&`MvGGQ;S5Nz=eVx8<`Pwt>ZEf=%FSkA8`&P$89r5<p%uh#G
z`}f=bto;|;f42S8<WpN*&R<q}`|tT)wSN4tzq|}4;s9NvALq`uUw#`4*EYv=7$Gv$
zXF?}F6IAqFDiikrF(M%BN-a<8)tRDJvmcCS1cKe>yq*!p8wy>@8jEc8Ix48U)A`f!
z%kiUxU$lRgxr6r;<poE_NrBo};#Q<J)(B%xrS>rSRj&J)um5dpp56~<qsDqm<x&A-
zFiAmwR_lMW{?IqTZqRIfF-u@&LM;w5SeIZpa<-r$0<EzbQfTXS?Qtkr8f({VwZh;8
zz&DlI{A-Qbi(N}yYPD)|d7!bVp=7Zd>uz-ZwExNo%i7CqzJWHcBzUN?v=0E;%jyXD
zER9{2t_db6hEvT=P+xY@H67Lvtx{oW9g(%Dsvj}t-p90%JX-q8ma@raEVK2xP}8MN
z7pmjHyR%%KfQZM(0TbLlRx8)9eA!_vv)l!DE2V-~M8bw~rG(kTLo{{>N6J|!K+E{A
ziae%M+B3qy-ookaNn`F|DyEGx?&!<**bQ4BT`1e}xNoE5=$H)}bB9?UKg?^R`q$xb
zczSwzNTof?@{SF`XNq`Qjfpb+X5?fzN@9&CiH8~8Ek%ptL24(KRzoaj^Ha#7NxW&q
z@$$4-sEW|ei4zLEcA&L|?vY&46uqETAp0J&%f4SGil>8)l3>TbYc3EEH9X>|q0i?F
zY7QEBKRgO}6!0kEQNW{sM*)ulYe9jYmb-j6`G42fo9#_(_=gRDvEj!yNE`Y$boU$y
zZR-5z&Ohn=YUdX_pY9y(d^qrTfnN=b1`hat*ZB$jLg2N)rvfhoDuMS0_6D{FuJivZ
z`K(3n7ONu=^FO@UwRdm%^Ty=_W06^?w*QQaNU@$s78{Jqc0;QFOy7?fm$`AA0ap0W
zSn>*jp|mP7jDuOHK;`%jle!gu0dqe@47gX00ooiu9cm$;N0Qc3m0QP!u}XPrQoq}{
z%<QobP_e*&#v!`w0KP}%BrNI&wSt~7E=MSf{RF?Y{RnBJq!a)j4@*9CH2~JSKt-j4
z=pOfS@BLi+)_3o`@<#4az@vai0gnQUQ{Z~zvfWF<KMOC3hztyo%XTjb|17*DF5A5%
z{ImTjS<9-CR8~wU2-a~7SjXACln~QMB(A2_cvMr9n~lqMFA4wb79|!}<8m|}ztOmC
z_mc3>*1RMx+r1?GvraFG8;r}$OM=-&{IeXC<i&f8%Ph9@6^7X2pIx<8b7XQ7>DQV5
z^29jOY!m@Y1H~!Ma}xh1oGK`SS~^XWv>+X(uo6<Z8xkGy)_Z7NoF?qL1I&f02}R;g
z2p2m<b&@RhIP(z{r~wQZPIpCBt1J<5Z43R{e`x>Ck)xs+(8+$XfKK>-RkccZW}+BA
zgcd3Xj_xd!;LC^j$z6J32<6<UXa+55rNY>RBAt#7LBUIOl!&sH5ojG|gaL^}bkC%n
zIBlbyn4J-)baDqMM>LtWgz`JJnJHm6>ehD%Wj&`7J?O*~FnDI{!Gy9DjwGB|jA_!k
z6mv6=s#;zv>Ds7v3aU>UX=t;ZT6)xan<=KgX?Nto%h1NMkVqE5O<u?tyg7#j4jD8G
zJ1omCLxKoVs7~do!{EfI$qI&Ru7YKcTgl*S;ovm3`#B96ZwU8>T(ucKvlb8UUc`dB
zU&C96sjaFJW|Xj~ye7hi79AHWjTY6}xN(^U5*m*)K6BRc6kfC0v@Y`qo0UDl%RdXX
z_GNp3mwz_+gmIb0cg=3+gS$F&Y6IZi0pqg3gqTj=fQt~*%p1ZO>=8%)*}nUY%l%Xi
zU|t*k*+8=!#(;5|1sAc1C;#lm#g|^%xXeP0SXillw!Mj65eJU4_@T1~S9(xKPwQuV
z-IeYqyAO6f*EZ9pwC!x$-nOCj8?C?DI*&`A^qumlzL@Wft-1B>6x{S$Y>jzeJqmaf
zcz00%{Pb?RM>Fqx{~79a96_<&DW4Z7vB%qe`u%4Jn{5wW@So|Aq*6&OEyu*12CVW}
zG@chzvJ@BN>1aBND^fB}*lc^~g8$5xsGQ8@V)<wcY_>gg!GFfaX4^v-{AU{2Y!<q}
z+3Yi%%|8Dj<1%v|{4~QB_n%oco4rys7V{Ha0UcJrW7{x|)<TW91Pg8lJsMXk<#K64
z1G7!?XHMy1ygez67nn{(V~Kbw1+XH9LSeE<_Q!LhBZrTTPE|D9)3Ibc7L6ulIT-;6
zO8wKsxgd|wBW*^ryb8i3k)u)-0ZE`K6#$@6{#}ZPtMDcOpQ?^BC=MOrJ3|QYDq7Bn
zb`U0qYO=<kr@~Sy9Emvj^OOr#I*0oJ2y(6rfRmYe7F<f1W3d5)MEG4CXgwiHz*?8&
zYwO=g`#@e2`4a^Ku}$Q{x?%`M0s(ZcE3RcDt-CNiUREXwb%h-JyuK7wWBOF;n<Rdh
zT2*G(nApHNNxJzo7gXx&;;86##Y>>Lo2?MY93iYCc&N~rVTbpG>bO^S(^giKKy#Mr
zTUYqdp3^xv^NeZ2vC0%=Sd}_AQ9$%%Yk;>bfzj5NYl)7NyiFp87ukqtCmBR-xuVyT
z8aI>GEr<$1wh`zwps6{B1v#$MA~%p1!2#^eRrmV|ywm+cY!O*+J<TC?5^#g4GYeUV
z#gv}mvd$SxQnc?{E86r{yWN@3t;t4*bJ!k{=RZRvNP9${|4i^)r*WBuyZ$JHy7r&B
zIuVkgybXu2L`h0!rV(I?Zkd~&sUu*QO>}7Jn`G)S3(dqR1<I%;HxkWUSmMzc9q3z`
z@F9R-QT2pUBoA4ueKCj-b5kRJnV8NQI)}-R+Wtj;u}zEK#4<u#6`Rk|eTv+`0PX-4
zVwIRX5`CO+L*%=C@4;`YN~;F4BH>5N_Z~;(ba^gwjqfxyS6{Z}WVSB%oVnR#%-tqa
z+ivVnTRpZ9+uUvzX@rf5lDf9fWY}(KZ8Y|Z`6h$vu+1#t6Iz$KIcCq&+)U=?6*Fly
zD3+)_U$gs61K*?+;e1KvIC6AP!Ao>l08|)FAH9Oq%{{%J^KESVj<5Gv@BJG-x8c<d
zo4drWTe~_#|GoWU`)Ar`+MjIS)85<mzuUg!|7-sFZU0yN=lqI4?fW$(J3Q<AH{XBr
zeckt~zIorj_npUw{IP#ck;VVK?=JJZ`+xm8_j0dvjVRFjxt4YH$XKIpdewLo@F=k6
z6oA^~19ol7S)xrzN?^_&r^P)?)qa+!O<1;D7Q^j7+n>ut6KUW#h_OUc7GwE{jO=c*
zDkgw;n2ab9P0a)G;WA5x%VN0wXSZaL_%to$(s`&&j?*Ss47dNRO>J_FUSKiY{<BWC
z$tL6SQF@t0Bp~4|iC=r^LF4ifY907knRj{BN)ua@2R&NB1`0V?1uFu8I3Ql+5y`+q
zFQ~aqFw-4TEy_yB;vQ{D+aNa3hGt-BGJB#6Q?PuES#1sp2Qd7qkfkOml^CLG>1=gD
zog(2V)VRrnePKY?;7f(u4wkEjwd#yQp^MAJIH_;9^bva?!qrp{>9CY0ra=>DbR~v9
z%p%HEi9$`Kz;m}@EX83&Wg+Zvos55@Sz=|K8MT2z*ASk~*F}uWOu)2^hURlNWavW(
zTtQ{Uy@jH75OF@RA1+k^eTnvVZPF$l9mGsB!AoncvWIMqHa>*uCz6TC!#-=zLd~OO
zi`r66>Ml*1k1f$CyzuNz+63zXnb<ySec;p{+)n3G{Z%%)K{BoDo-;cE;2$E*FCvLk
z2<%#BW^$(}90g$OBvcFpsM)47Ab>zsKrCUI5a=9k*N321074K7w9=_Uh3E-O)kXs?
zww6a7Tg!EbWzw)09;T({UPwe&dz6p=Z1AjRTs}y*pYv(H{k)AuSDqzl)pGE5Dm@R_
zVp1Vs+82#o+G<!|_8WOkOu|`xf2{UsCMQ;#OAaWkO%AlV)Gb(v8L}>FQZ51VWE-?w
zW+_2mzE&)?`Z|{oJgH6s0<u0?$Wc@%+TE2OQ#CoVc_6HcahXL;&$8%5|5+C+eBFw@
z`n8G`$3h~_HP|=XXIy@St~lckzTzwg;<vy-iml{*j;&-PIZ+=nF7KnIEK<>b)*koR
z+)D%}xW1<Lo|aGe`uwl^T1qW@178dLa^T}V-|zXep5N>KX7IDYmx6`h;b6Su-#Y$V
z#~%R)@ZYzNwH|Nz$ABETEzskC-TCqPTE4XAjH_3nMS)S{^7G6wMr14DWlLGiB48^g
z%T!5OuGB15uuQ>rB!%N)c8$1=mElKU(s6_qXG9J#CqgTU(-Z6OIr|y-GC2dEb(9bX
zpl4V&xC7A3S9b(9XvN`MlcP;?-<oqSJ5LQw_;S|Xy>oroxD?hszHyzi_6x;~GytCr
z;{x42bi%H1{)BKDGs2!@Cj^9CBN~A0v~avbCJNX&kiQR}XvCLMLku-8fm<BIX+WLg
zhPD}(pQQcZY{9vW50<p4I9QM!g5Bn~)wn!L?~Ainc&>dn<Ld~cMOr>aT5kP^bzbxt
z<MIq65*NN+cA@d{P$_g0|1XE8@$br#2f`>!;4Lw0PTOD0%Y6~!@-!{sa^=hXtq7B4
zT`z#K6_}!3Kma+6nZi`5SXNZgxO|E}^$4Hw8y_iD3dj(G|I8?*@~L_^N6>f5PT!Z?
z-KzEZ0)JsGEANX(fp;7QpzoQa>wtUDoU`;jWm?Snt8+x(Q=%n&U7qV#BGFVfu1au|
ziKy^Khr^7LNG8Oj5|7H+s462R9`rpE^eL|IIk!cTQqgE4l9ZtDIY}>Zea|_YzUL`=
zfp0nI8uUE{dYS8c&M|!te9_10PW3U3@0hFB_qgq}RF$)m5xc8$*6~DH!XHL0=k%e8
zLatKQ5iv*4daVSP@G$q47Gd4P9vZgG%Sa$(UL`)^5T|jwcB)D+h`Ij8Gz8mxln-j<
zNc6N6)`_#a!_%E4ZM7Oik{g=Y)^gz{ZH-O<Pz#p0lUil03_qAgA9y7T;e7~T$+o+y
zr>mB7>TdTl^lpd3DoT81np9Xp1;Mlnbt)^A^MqULs<dK?5}VGdQ4J&vhAAh|pax>k
zE}_k#H!yw9B2{p1XK78+pb*xE^GZ?I8oFRUzeFdvN~xg|n{KJ5RpR6zj97hP#93&z
z4E2)zUb8sTsOp)0%D6m6_m4BX`2Jxr&1=4luE7E_n^<J&fbYuFP1M}q3IDD+N`fzh
zjLRw|$xAJqBv;44H|>70CVD4J*Ry!8Z>HzT@MW;H@`g^rdfm**9@UE^UrSia@b$7}
zLsqv<Rgm-9Wwk-OUBrc}LZRvjTnD73Z~8j!?6?j%f8S{T&Gs*~PqpWIztH<i@4nvT
zhOc*jvinT;)3}9y{1yL`-8=k){_A}I>iaw2|Ks~DeCq!iOX}~i|MuT|)p-oN{>h)P
zSINE`qA}l1C;JQg*kr%STK~3lZt+ZgD^8iW+PqOAb4g$8?(8kA57U%_&Qx?=r&^CT
z($OpNDBw}Rqrj>tu)(-!PfqT?0aE8hmX@4Loj3H$si>CJl$5CCVp%bki$uk=qUA&g
zoG8&^lC0!58yBCaybPB*Z`hJe=i`xVEDJ}5iw?!*4Y%HCTx5z%E{EPwlS3~)Lu=u3
z=nYOebfa-`hF)g)ivAlm7t7Nx?Kdu-rpL&Sb+BXPhE<E92em4(NDD0FkVMpyz~_~W
zzlop>G{6#r61^gCk>niFi2Wb9kCsUZjC7X7BA14i5I84cMg{of5J6P5#7L6Z6t?m)
zB;W;XVvzwS!r^edtm-0inTY%;_#4y$l;L4Jt^h&uVMQ5Z@ejg@vO<6)Cm=(f(ulzp
z?g=jPoGwYxG#A@=JOkQ<Pi}E^f<NfI3aNm{MWEN$AoAFBGA5EGv0O7R|C;jwE3aLV
zotNw~pv5GbH8H3gE{WMIvbof|T_rxTZsn&6+O%7_4o`FLE8%FxbiH+Z25q<%>(%n4
z>BZnC_N`gw>=Q&ET+(3l2LLJDW2#dnO&t>U<>4AYRP;wDi&LeOJA{1#0Ti0R3{w#&
zK*9@jqSptU5S(N{{YkjaR(9B41HlHs+Bf}bSf~%p(gP6C8DSicl52Px)zYWKwx@?o
zRRXGLluLWR=KEi(+DqU54{b2!yX+F_O^{LNLynT*3u$A%lgX$GXWOr_jLJL%R_%(g
zq7VVMG@nQY%JL)=w{!q7Z#$j2Z(C*{GcY!ZE063to*6z0rQbBxX$F6_hz0yO!Jraq
z4hzR8A(d#E?L+1l>cQaF?3%Z9&)~A6Y-7UB<0HESCXLucT6swicUbHi42Vw}^Fca!
zX2X2)xLCKaCy;ccE3|6?p%^EVZFytPb~xs2-vh>cJ1yaki8onxN4-3O<GvxwJsB;B
zLE*>dCS$&hR>5`PH&JhbL1Vs^mhR!BaY<ELqZ~E}shLfpC-@cLCjTS8p8I<4?g@7P
zefNLu{%ZFt-OmKi1htMIbbPBL0W5&cZEdZ8?|;Pnzzg7@?`ZGuv<~+ETyG(Gu=hmo
z30s@3_qP18?dQAZ>$%&EE7#MB_oLiGe}2_mqQxB&-?kH4mZ|gsuwAYSdl_a8VH=}y
zEuT#%VxpE%;$kcblW8`aLpru}A|a>ZV4G8F6Ko?O`D&~o7_u=So(nZz5?xW?k(z~`
zwsNWf3prwOs~kc{7+`upp*)2mqBtg|UBIZE(ro^wc3Zd`mk0j^BuoSfV2*`-+OlxS
zlC)lKq&3!!d5<>mUl}-9kg;YmF04*w8mE8O{nB`qXql~RrmECrt`=zyewNlF=B<>W
zBv~bEwK*;wJ#ZA;(<B@jOU`bxt!t5%GW<>IHD=U}S)=ZkCGxHdMQ}-L#=AXcraP=b
z9kJ+6k!E((nWILblq*gF#c7hTTM$@EW~dwZE@H{T5;5~d>L%C4L5CX7hE2wmP4+GJ
zJoo*)vXPc@z4>|YBv-C;lmuT08drMh>ORNay3W6ic@mq`CP^e>&2P**9uCN7b*;dh
z%P8Ugng<UZBa#~cI!7lJKrRgo(wU1JtQEup`1ri7)#aS6R*g1)O#8GYJ+x2M?f46U
z+0jl96HgrQ^7^=#MMS<X4u+W5<O=rBntNolX%=JlPUFf3IvEV^@pImV$8eqAloqR)
z*ei3uabZ-h^f)GRU)i|ARN}J-7(;R1;#Aga|L-%dFrNQT-l7AeRWhzH{+}gX^`CEF
z{_Vlp@YmiojD<H)j{@&J3gC!k(hfg#Uxr%v3X^oWTKMJun3~L~ikuSVtQ-+zT0A0V
zWAU5_xXeU68j&S6pW19(X`wqDR|~(qMU~Q7HJw%g3v?x5-~3*NTKI~emT<N3%Qdy|
z6(7A|dPF+a!f^CvI&3bQy-eMc&H_p9L-ZK<2*>bwdDR@ho1-FC4X=a-?mWIS1#N6)
zn0QMr<uvK$+qAS_rriUFph-rZXf+H?GP#6Cd956l>m>rnEKb-+!XqyMHMts8$$YUo
zk*o2`qy?K|;5qQm@PRGq&nd-XO|T$$frV#ot@Usxcf<RdmANtB_2E*c@3YD3QeUM!
z@-nG9YfrTIhbzUoV{W4+@}0M@cq8&C;8DP%fJXt30v-iC3V0OoDBw}Rqku;Nj{+VA
zJPLRe@F?I>z@vai0gnP61w0CP6!0kEQNW{sM*)ul9tAuKcogs`;8DP%fJXt30v-iC
z3V0OoDBw}Rqku;Nj{@&J3iSA&^=<Nfe`D__H~f0fU-Wcz_jcVEI@$S&;O};PucM{?
z-nLxpOD#VZSn&U;@B6s*qsxA-jznl8dv!G|_w;PrZ0Z)Dzw>F_*y;1*+sKG72uScw
zf6&)Dl0(FLp*kZR(FnW{1(i8?Z1>S2wNMpy(^S0xFVe?xy;>;%{=FDzk4O<olw?s#
z2vTHNmWCs-At{<nL{n~8<U|ZO$-c{hK;Y0i!@QSg6J(@&Tt{l<g*u{?fKWjYMFey7
zZexlLNvTLA9%&p?bSNU>FY5dGKue3X&SQFRHb%xY>N+M{u9U;&X{~Z}Tmv`|Vq%fd
z332N**(hFHY0Pbaks%r5OU4=p7#WHrBGFjd_vJuq>)q=-z}bznkv@!Yw!?LZ`>a@Z
z0_{a#m?rE-g7O?PAI;#KGFB?<)k2O&&<g{ls;U!^XA-cq-EG+NkQ|T3C6{5#Ly>es
zj;4HX2HM&J>pbjJvl4l)1beb^RW^dB>{q5rNX%fpTHS4E(oiHCO{JraZ&VtJ#uKr4
z(zk%2{mD8HtvWkIhIYtxXtpVP95L<%WUvx;jTew^;xGf%b{UwQ#=z3iMB_Wdm1sPL
zi@uA2_VzEV^T4vRJIKJ^>pHL_GgBvp+TP+ej1<;YQjW(P-jAFbil$<6BISD{(9!Yg
zIu8RU!XO!k`-$-AR3Ue=hSo<`ogy5?o6?XwByUg8#G?S+rlOo2ic0BtGSN8H<WMY{
zmJ><e>w#eK<T?*^W_Ey#^l{fWW}AuxN~EG8Ge^0^_K_tQnw-F_!zbA|y2MbN91T(5
zYk|(r=sJ%sH+vTuo#;Bc6XRuNqELI0ZWA&-6iuhnZf_|*6pzGWQrtHe2!%rHJdVoj
zHZqP!T*t9%Tq%uV%h&SCR1si6z+e<cbiJG_PzXl1Va0}GIJOZlUC*e<v7vZ8nv&DL
zpTV&Hbe)GaF}sxv>j4Z4Y!|+b*ch+fN>!mSd}P{z?-G&UvO*564!03Shhp(`EP?UV
zv0id?D4t5C5;5Nw0$p7f*L_3+8PSOAi?S~#!~zqbz(W<4<d}3DQDi8Vj>$=vy)ZHa
zC?{-(zMl?sch9Z!h-Np<_EYYo({)UIixc)2N;U*jVY*Nqw?juAKeC@f28~Qk()W6l
zGF`44ql_7t!W?XTlk!j^EvM5_-)93oJ+tdP?o+c{$eVO$KWx0@PDR%eF=0<BS5`4g
zDT7JAy1i0qC=rPzBQCq5G?a`<>7?ZQslbK}xpf}e^Rs<qXe5nXBWHEssBkEsCs<x!
zH%RC_@G_O@5<yx52nzupBU}k#FkMC{r7<<ZM>X;xxRQ*dBWcO^lY!pe*gB7}ID50X
zu{4fwZ@Ds&EtgN4{FJb(0;C`uY;FTe4JG1IBq2A<MkzIvlHv(4R-Xxgkn234@!6Zm
zfRe7S?9rV7;^NHVl7mTN0U;}o%iBo~rQ{f-Ip3$~V90>HKaT<)1w0CP6!0kEQNW{s
zM*)ul9tAuKcogs`;8DP%fJXt30v-iC3V0OoDBw}Rqku;Nj{+VAJPLRe@F?I>z@vai
z0gnP61w0CP6!0kEQNW{sM*)ul9tAuKcogs`;8EbMOMxDLuTSv(U%uY+y*F(r_59DC
z7rOtnd#vjRUC(y~Lq8ts?>vRL_*a6PJHF5%wqI`F)%IW79&i22)^f`~x14RcF7WRH
zclj^*??nYy`}s*18j(o8mHq9ReK_a~Z1(RO3HpAECK+x&TvTR+0#c$^NF2XDmCGTr
zEI(B&&LCdBE^I6+52YiiWGd!=!PiWqd#y%)a}|wBL+K>KFp~cN*;J#utww*n`9>q@
zp>#rurQ(57Q;qJl8vW`j8chwQ5y=%v2fp1@qYqk*{>rKvl@KDBO0~SdsYdU&8vW%}
zG@2ZerFcq`T7IvoM(?#6{ZFfCG%<uQ{kRlu-Pu&5!&aleu!=_GLvn%y#kPK>sYX*)
zqnB6FXbg>}5wqI1qp3y{R--?^ibe^*1)}QZw$C@!Xv}K#%d2RVfKDV6=|uZYO*I;^
z8hvvWjmij9mttwT{d`l6N>-x_t7sHp3<(+FA^^N-X73%c8ok(jqXZ}+LC`)rrkZMW
zht=pCt7w$K8l(_L-tpb08XdG6eSH;;0$?B(O(f&N(WV+5uo``B6^)X(|5#dz1^=L_
zM(?s3om)ktBuF38`%>q=rW)O5HTpBFXq1G|Ba|}L`TZsuJw3a%ldvnZcY|N~f~{4(
zs#K?RLD#B6wT!S^UC9<{H2l%R*o2Z3v`VF15vIqrk}#%~v<f0wNvLj7(W@gxtx^?`
zK{{U;Yvgc9V0;=F4RR>oL_hb;3KnsG+Sbh#vQ;u-*CSD2%Y^=<sYd&)MnAiXMoHj!
z0-@Jkhns42i`D2)t)fv9(jAY>@vh%!s?k2H(VuL-Q4(bx1$s!Nd$_4aZ?+o!%qkj1
zB(x01O75O-s?nRQMnAQRMoGkSIvG#*oM@ua)3Z0!R@o<Pt*+ZDlM+LzR3s6VdVaTw
ze(sswWD)1%wr;L)l}T|3FUeRUwPB>GMz6CP{n#oRjST^TC@se}{7n;$o}S%Mdm}$;
zYjyqJ2(Z{<aZH}xA8DeWduF>W;=E$(=1SiPz|vyCy^(vr-c+L@tI?0FqEP^tp~<KW
ziFxIG)XKzb?=Fu59tAuKcogs`;8DP%fJXt30v-iC3V0OoDBw}Rqku;Nj{+VAJPLRe
z@F?I>z@vai0gnP61w0CP6!0kEQNW{sM*)ul9tAuKcogs`;8DP%fJXt30v-iC3V0Oo
zDBw}Rqku;Nj{+VAJPLRe@F?I>z@vai0gnP61w0CP6!0kEQNW{sM*)ul9tAuKcogs`
z;8DP%fJXt30v-iC3V0OoDBw}xYADbX`i8I9KjibP{-NIQ_5N}1uY~@O(5FIj=(f&S
zN4Dc|$NlZ6{U5eI5Ba|5yX^1xOTN$hKH}49%c$XRucixcqh}+={PuR==79e=#b@;2
z+@DM5vsy|^i?W<n#h9cd#B?^E7F9K#QsOGmo+Iha#{2+%>Nft=mTWo_NyO7~^5v>A
zKiolT{P7d)V&9F=KAS5Si^`;~4LnxRrUeT9yFGO8WJSCG-dtJLgdFgG_4~HYC=<o4
z_lH8&Lba$33x~_PUI1LMFfut=Eay&Y6=CPhB<>6q)L|hNQRK81Rm4a(uZb}wEsLp~
zq>6DhmP@Dd*=$lyhg40^RSJ{ULb)_7?AEGUuBr>#X)QNJiiC2W{~)Nux=<Zg0646a
zgsdh^>3}H)WO0_ZXzRlCc%iBl3pxQR4l$U|Vbn6IRSFYYsj3u16)mq-v=Y)Y42J~#
ziNbibI;jtb!()Z&_*8Z%SDpy#Q`uvh7A8Y0<bZlyE}bwdW`jJY<;F{er>8VMoGq5K
z;R!$@YnAY^acw^uAF7_N)>U39mnVP$PHUem>(y{Xl4JBAQIbVDAu6@DL~9fx8=yF)
zV?1I(Bg7Haa#h5aa7dY|j+ZOL!c$XEO~pc0Wy~6qQmrbvlS3-TTGF*q?UbTp47^MH
zVpW#qR6|ijZY)YR6eXolu{@@irz$y(kr7nV#>$nMVPUdTCb=(0a}|wJjy{Y+bt+dK
z7N!d&wLGok-ILc%-aNgoYeoA{@?v(CCnl7Vy1!7;o&(NwRVkGC_{dfACkl6GCUmtr
z1Zvz(t6}Br3U0^yE@Cbf-EXL9WBRF_zUW0opJ=>x2W^!;T8T#JbwRiTbFnO-w==@t
z!}<>4lvbG$O67t+)6lC4Jv&t>s*M$s!LS$Hc<l~0(($UY$hDlFt6c%H)B;;n7Fk1i
zrKoF|c(`z?Hud+CQo$+~RBci#sR9-sTba6mHy|kLM4^OfP4K@@X=JQLoh`va3CmIw
zCd#EkwOqlP)Jmrcm2!!!H9B-rI8LUnV0#&4-72ao<S{*_Dp=TgV2lqP+;dE@EdgB^
zn8cD*D#aOLx;#}xpK`gW3hF^0Pie(6R<yk_eS4@#%7=wwc{&ujH%xY}`|k~tT`ctc
z^Rpwye41{2#?yS`yKbG9y;<!#Ecgw^e2VVuJ$wusP?B_%1kW5W<`Z<J=Q{aaz4cqX
z4ZwXD1#n+#yU!Pj*x80dqJZ5F>zlq-`gIgD0`HcU2>h}zfY(r}j^YrIg^`21@jk{z
zOUi^ce4vo4l=X7Hnh{U1O&}v4ozXFOGT}pbopiHMisT_{)v&r$1ry)49Sjc)W~_xj
zC>%N>;J0mtk)>c3+ZOqtRV{l0m-rGlZ?-K?v#7Qt2e)qzq2JnRGRMZSx9H<y7IRn^
z2Sap#OB{)q%jHU;irq1W14tp*`Gjm(R#R21MnMWyXC`r|Vh3rQyLn?iPT%O6d-xme
z7-b6=XE0mOqoH+O$=7NPV>-ti)45ME=A(4%voarhVC@-&>y7ycZFVznV<SCL?>6RT
zTKoVnZU?>Hc^;py^{?MXjHTCAj{+VAJPI^T0qm4J>^tSnw;q$FL=wgCZ75Dk*v<!O
zG3QrqzO5%P=es%3;|u*!=qsVmhR%czblu)H-t}nUqk+?*zRvFif2}JTysl$D^uI%Y
z+p#b3M}a2;BY}ZHkNNTcaaV8Co%SABZwiD)e2M1UfTH64bb4?_#g;9JbXHRnDNVi6
zn1763x|JQhTW;ZU<E_U0aeCoye&J?_>k}fbibU?b!I(crFW<s1Z=TT9!qfyN=pI^b
zp75Bra#BL^?uOz>62p<28O}>3WBw@RQhw|a-tMZ^D(^qKUpPv&BEn%NNE1y4QK?Ar
zTr{Do2{D<*KTxSCVmhfRVpPo{!(=+8WFxA(%EO^&*>k!IodDI`9Iehku`;e9{nLJ>
zG&ZG-X~F<Huw4Mt55Y{SK=}jmmP?SrOqC0(3_2Jh_;FdENO(k0gkD93rUk#CyCGaV
z#Qo|xWVZJo*w5<RAylTIGh))e&QeP$D&%EdsT4Gwa_CAHZK3)CM8l~PRT3ygFwaDA
zBnl9)%;;LS0C^N*HtQ-hCa89@jImV<kosr1YKZo%rddIQHT@8JLDeI=rARqen1GD=
zfkLTNfNWYU7D_vWvYu0k)@EV~GVV+WqXM4}<xM&)OJQhBCdz6dU(oP^SfL!22#>!4
zB@^UjsIxGJTsf>%%M*p1h$6A7DH9H*61%2{kI9jU#Qq&3%DDAb!HB}X2~3IS@KSa1
z9*3c!m_{#ang*h7vB_mMHH~n07*hR&QoS3x5%P>VQv{-$6T*8B9XT*^Ob9=~MKZUh
zCiK&~O>@(PR^!BheY;2}p^RCXMq@&QB28VnPQ&V&fH_(!S55T>6d>6dGOd)UVpY(~
z!c?hPIH@5Atf`$~+mV~Dj?HWrEgfEZqe3HV%pYNLQIzjEZu*R?oncQH^M_a~+j%Qj
zr%Py*ZHJ8cgR}+1+&Nuj+jV@O&A&;b-<aP|yZpj?IZ*;{={;4r=KHB+%s)bp)kisj
zHZH%h-eJtYk3N&+&$PRqgkb-=&7&FSkq7A`+&t3PzY?nhxQ++tQ=IGQ+mcjM67mIW
zQE(mi(Mz1`=(BMh_tFcT>*#ZG9UG1Ld+6osS>O9MLkS7y_fcBNncpo$S$Eh`671UJ
z+hmT0{TKI)*zf7P4J8NcC0qKsK3t;#IGA1Zs-3Zk$SB^~P%NjQrkHiM=l$|1;8DP%
zz%`;kPv?K|_4vNw^L-<9Pj900`OeYcAB8>{e7x;jq0!KRwh#C>n4ivn>-<aKH#+}A
z=kJA{4gFH+OQA2-x@iAiD_zTP=w?$AAdaHP>3++PqAmR^k=9;%$e1rsR^nsNvy-EL
z)pFy}DSfh#E0mGW_o3s5VRZxN&csF~mQP5qzegg`tQeE?2{Dz7Ma6tH647$0SUM_Y
zS73=J(%wOcSCfkR-uDVqlSB@p<~T*rYfY<#3e31L1MeV`R&Jc|$FTSye=rpvAqno@
zzhBS`swNi8ib|z3YO2=VCD+B}sOjnHp*&jCW;AM3hZTM-TpcGiXGl@Hrc`p{#Jrvg
zOX;vOS(PQRs#L}_;us)4rA#U%+$848mB})*Jn7uX&V~jt3{C+<<5h@R%^TLGWYm%=
z_ZDIKf!D&3a&_D;JxY<Vlvr;OPGBM&B)7o~rbSJ1Gp%~2!JJBZrX`OR!sfhdICETw
zY@W#sX5b648xnnHe>tZVGuBkd@Trg)o0_auZ&tfV9Y@LvOkZQo)dF?MSVfr-_7dI1
zRXi#ToK7XSFIRz^xJh*!MBHQ4Tg0Zm$L_$wY~{o}sFHO_rBb3PfyWFMkV@>?`En6T
z6J3BBfhrA<i+ddNrGdhx2svID8*dZ{XZ^<fIFr@5g}dL92(R5*c>xYa8tui)C-{zb
zbrPdFPk$)ZXZRnCX`_=0R39)fo3D=;wFeF!IwlO*t`F?W3}?*6LY9lQUigAB=Ue8z
z_++eAV=f!JX?pRh%yqL&WyB&*E8$BfW7W>qPP32mB`0La%E@fcEc5(!{4HZCcRj6Y
zM)FA0M)DbBUS+di;q%T#kFZ`VbGFr(&$8C1dF$?0>h(TE`;2*ovLSc!ZfvxlK3k3X
zC+XEVzuNBl8lLujW-VE%wW<qp@CRt`O?jF~#$)!9ej;J#9VNlg7k%57>j9q1IiBk4
zJ<$5m<(~4cdlc{};8EZjPypJz57G^aEBUs-dI_rlTK>6f(E3_7(G&Fft_!^C>-}!;
zf9`#=_tU*f@1fpQ$1iq#yh9BBp#3*meh^#;em3x``3Y8o9|%4i+!ovv^pTJE=TTtI
zC}2Ek%zucoZD+%bBN8l;$rcMBomMqP&1zcyeS3~P@_6`gd0ML+Ma)B?%FMK>L|Tfb
z(^@_$sgazb%2Gs*#*=X+mq==<yponwHJ{8y!-pZ}!Td>r5A5HECiMw9Wcm%;THZ4;
z2@MCB_@|&$3A0}g%W$!P$OAamLm&=Ml5WA6Uo3{<Ol!3Ry-TGCi8HL{;6ARO)Q2W#
z)~hY}@Sh@5t-Y<Y2aWk>DUr{2aU#EsB|@7&@?m&Kl&VZ`Li~|y^e008cIx|VyWM6c
zhx@YmG6pl@T|{N2;mgroH92kY(82wO9y)Xo#m5e2gu&xX-$s5O!OvP-%uRWb>V(1F
zBm4G0&ML8Fz*Sdv=-|HH`}eqZsaE-lyJj2G(j#0}nB2|n?T2d%lWJ<%f`K;;oA`ol
z`Gu}V)>Mu8XPC5?<TKhu)~xr(CcZR?v!ISQJGfT@bfbuJs*EWJuAtuUwA+)+?MKt$
z`+S<U!+oCxOR6M-q#0jBd~KkFWup{M6%_cPTRRl07dRbEGBKC`DW>%ty3?4Sro09B
zEf+Q(P%0;(MLwt%5Xti3BTA)&?N8GYL2-)SsPjR$n-$udBf706=pOv4@3U*Rf3JB(
z5CosM3xWa>D4%nb1Up-svkahy8AlC$K3{um&AaYZ=uyC<fJXt30`Eu)Km+hJJw><%
zpr82NC!;uAChdny|7|ctmuU$%MECbgE3p5<C#poB;yzLRTjGgqGAn1}DfmPc=_T$H
z)o=5OI!P~ZpQwJPPt+!3{waF-M#e7mZzguDp4Kn<HU+-z55Cy(FTt_k!Hz%g_!4CM
zWXC6Zf4290Zz6c-hF@!uHeA~9xxly0Ps?{&ez)ZpT0YhCLQ92wd_MN?n!o6l*8+dI
z=9PLCzRM`E&seyTaqWIK^S4?`g(|$L;Wa`16^`zNs|MT@RIL<dI0a!jBFl+rBASw=
zR3aKpV}To|jD=0KwzD7PwY@W>XQw!vD^Jcqtj%O{+n7LW6^!gYu<ziu<wI|Gp#~ve
zDNhI^Bv@TIIu3#Bs-(OP(}BNvmrY%7xbH>^TyHD{=}FCb3xV(!sYJwBXrslPlMwpj
ziCjd69#f2{T11Q`(^)Z{mhxgeCrjz9l8VJs`OU^cD}9P{62cZO3%@hscDBh_@Yy*6
zfpP>JjD>bu%FVjMZ9WuTXD`~?hc0%|5_=cp@Yh}l&|=P;2sPeh!A~!6-b8TnCg+RB
z{D<kT`ss(bGGo<#cdJl>P`A955Yyc!&JoRJ2E(tNLTF{NOV>y#PW;GR0eYB@X&qGK
z>)N85g4}WxTtx3y^BIIIW7NfG5c)zVv<?}<5^y}rBk$N%+m>dR5e9yQH4U%R-_L%e
zH#}u&s7-x0)ZK!m<%W{GrsIZ++o9oZK=!F=&mEO9UH6()#Wme)QkSXcUO{DUK8J4J
zr;CJ&*~~ta{-VH<o}lbL1*b{)vH@^QDb`S#tUKTy8;?34LQyK=EYc-FMmdYdBq<VU
zC`w4YD5q40;Dj3$rIaX1@**CSYoIG%+BvfKYrcV%9PK!HZg8ADPyjDn?<fhDjfIVj
zzdyh^au@ACWkPF+NgPZm6dK)Ef&idVcrsysc?_O)T2a+UL$<{eV$07~@~E-U%bMKC
zo3so84)1HiHPe7yqJ^i-u!4}>33zP_yS5Qa0OO_woiN9J#=-_VGVUw3)!{34hq2H@
zuW}Q|)^=A88$@l&Prj$^cHbudbH1MIyZ?9hH@knM`}OW>ceeYH?pXWZwSTew>GsjK
zuLe5X7TP}Rf6n{_4hIr}ZGlYzpZ|OQKlT5q`-=?xh<o|ltaSEfV_|^4YlCx8+gzsC
z?t*@DQmIq}S>LNG9^h=ySlGd)(TCYI+Ga_n#6x&|CR-_}A|jHDGcX@hDOFb{CW~5F
zQzco;=Cir9mW^itdK8bvm3$1P*?c??O_ZES$f=kVOG&Y4I+xJmS%u&fN-0T;$%^uT
z4Hj&ldY>#wFM_4pPCN4oR}gKx#)9qD;#5%!FWu(I$>{I}h9FB#?YVJ{I(##@sR@Yt
zIRMVtipX6mjdA86Ru7&4`FCr%%FHC9C?2dwta4m65voWf<Bj#|_O`Ka^Jc9cqm#vP
zHD4K<D%g6Y@|k5TLKOVe>5?{WE1FhHB?X-%Mcb_!G0a5`-at{z6?G!x3z;z7_)FD{
zu!q3pl}lP?crPhEM*i7F{(00n?rcs4hyxzTgmsPl=UJ6md^68yu)pQXq#mtAP$Ja~
z!m$})rn3~bE(2R@5m<vY+d5by1;HYyM|^s!pjFxJ4<0UR3ZN2?KqWJJKzootI702P
zoFg;dNJ-fR7=j~8NiR=KJGBmS(|*hy8-35Octx-EjX3NWj0=~=wvpq{f#9+&*xUw1
z=gbs|MIzu007xX?$j(La390>?NG>EAqA1{0QUw*finiK=65YMqep+wqgA{ugE#Xq^
zHtXcH-W(<)e{+HYu!&PZc^EMk?xas~TlY4{*(eMU42$hMgkw-Q9Ul@N%#Ds5J~j$0
zLt%hmsWKqT?YA2X+h`>`LVsJk)nsk5_<U`5to3X3>hmbzQNW|XJA?w@6mO&ZC|CY%
zCD=_;9L4?h#ZoefBj7!>n4e)=VG>=~LQD7&u(dxGk7skKY+Q^eS_&xI5lvLmK;Frw
zQfV!r=H;{`L6LbYeTuW;TeoE62`!e2s|wVPx6n&m?YPyZcD$Kh;A+RMPPHQxpquGs
z&hc)g3edCT#==dM6F&a{m+n@rjC7UJ7#{ZuhTMd@arI)SUA-uPb*yRknzxQwsxy0(
zQ%zq6gr-P13TV|vU~K3>061G5odEA>!z#9ru`!V-TWeF0V9Kq3w60C)w}B~H95w~E
zrc(YOOl5Y(7y@m1Ig|0(HCKfaz^b5fV6ncU9lnW=xIz7}h}LEi9S4VDc8^l+Y5xuo
zPd@1jeKYjyp$nl`LeC)Xe|u<i`~TVg`SwV=(Do0lkG1Y@jkJ6bH}OwkUmzLC(SNTG
z`2By+K5MwSz1U+c>}0YihfKa})hlpkaY{P?WMG2+Ok>^mBg~zyz^n@Q@Mu0IY6%I5
z_-Z6BrqX#yl(KOpoy+GVk|wQo1(Kk8GoGFqL0PaiR7`}iCK0THf(T=Zw-1Ot5_at9
zX$8>Wm8yMh^2uO&r4t1KkiDmXUJeEqLG)BTfceF7&cdevLI+GVB}-t!f#XkN?!_D=
zDjit$)LEVc-k+K(may=$1>m^>?hTRpV?ewT^+_!U5Vf30;GwAu<+5fW^eqi$pIm-F
zkit^rny%tuvd7i_uuKOtCU|^(Onqk1zM|<`Z@gv4?qYFIsal!gH@h!!SFrcv9E{A=
zl>%k33c0-K5=`E1EQ~N!(X;GKy33&|x`s0W=Q#s;;^+BYL?&ebPG(8)%q_;k{j|F;
z-p;#wjg?7E@3HQf=e3#B5MGX$bFM=&ff~%fb6lxSnq?Ilj%|VLD|7>^xyv`N(ikun
z7^>C?e>W})O>=7E-7=sp^WFBHG#2h*GjR`p+>+oOOvoB-fzXN%Qyz_L#qV-R{?Ll2
z=~b>3zpLGqT<}nn*YJGus`4oC&ZYpCy#x1u8xh)~bfuYkyZ)H0#-waMFGiC|MT|w^
zf|AnYtQgVav8a?tYf=)aj}{n^ziB(!BE_>(RMoN?nqXl5d}rBqE5ta7Ho?WXZ8kA3
zOfPUTZktn#yUAD>qL<&pHl%Hv&4ctK?=cocx><dK<7IAJH6!VwE2M1XO32Uz8)-G;
zq6J-s9lWOYB3IUKg^JkqV)*15UXnX}(xAf(<igz9O+qf0Yvv)Bi}j`=ms{|1YsMru
z=F)CDa(SLyW@aRpi`=B-a>Z^|a=C0bF}Yl}o10uNPuomS?6Q^PC{lYLHaWUhNZ4?~
zfHPZ^FeorXlx2q+-YbNGNxVyd0jjZOZiNzv4N5RAP|w%fpNRRX@mX$*;-)C#oI@;7
z0=GXk-tTIRVz=4&eVIi5!F)0iS}T!$x83@;3bPHD{muQbQLyOo{gv+q-wVFZSm%ww
ze+mA1@Jqp;2pTP4Yx$|bfxtcf&--5Rf7Jhc?@xAh`N#eH{F3##G4zLc^j|~gLo=bV
z&{*AZ_*Zqmm;CvJv2cuWlzfvOxH@5>0o1tV2fjy^?7_+};*4U*5B!W8u$@s14Tqmm
z1I{yQqp`s72st9{07Il*V4(W^2pk}y6hqTDOM<g#kwMuT972D<g<WSp)~2;=32PnQ
z7ah(m1Wzsm&zExPp{arzdKkJAz`iq`6WsYo<~VwxK?{Yx9-+ss+1Ebfea6D0^i7^^
zVMp;m;GkBWE>}(pdI@N11YVFL2qJkPu()X=GGcBl@tX?787HsgG!lmkX<`Pk`4iMo
z$?};Imzf;&7{szyC^0~Ds4D~=f!_kLI^&^fMCc<qS%rQ<9KH?*oKlII0EdJT)XUNB
zXJG!E5hjbIImM+5=uDZQq)!y|+!TRvL|{L)nv$G~u!#cFUda*iFkpRXaG+=bkU#H<
zZCt>tuMoUNK?lkqf{rW5s))MHktjlu03o9D6Xhu~5C+vhBpC|~o|vOH53B&Sx!+hg
zL|=-?UqHM00*>+*(0Q=+V=JHU-klx=JPLReSU(EDY{+otxi#@FVoj8Z*>Iozbh(R2
zpbyg$E`i?FzY+~TB+!TGQ(OYQYfB2IMJ*!5h}n?kpy6lvUAD8FWuf6``CZPl9P%cE
zc<1uwU6#D*^Z9>i{V3(tysi{@Ib<xnpK>oBH@TNpD+}rmU1o4n<a{zEMMOo-CB;}O
z8xzx7E-R*FEfPuQfk~vsSD+~{>wXJzRMfQc7U!xg#l`X|FdUZaYo1$3ijmwx`1gmF
zTc}F>(oYhX!J0&D6Xb0M@w>%>d5c@-Ad)L=YQhFbZ4;U;ZNXAjZOaj`PO@g=4AUdn
zdd6*~RJ36iYXT1Y&BYw{qfywgm)q;Lr8IUihynlz(ZeL&)hLq;ct6bK-w-6IYpk;v
zaUC(&ghC4^m{iQ&6$dPfpAC_$`Gi8wY1PyD^S%xKh_ClEz1iNwz3I-6c0S#COX#)W
zm)oBURYFg;mHZL&6MA3hz5WRKH?*nq??SKo{-yKhL%-GeTOnU)T{q^HR*s?MS9<U2
z?|Ug}ER^Vr`PdUo#u{ApF>zoDk>-$z4<kNA5q4L~lL#52XGKI!CDjBl^3`NQ5@T@<
z9#KgRspgbKKB6SzswOq#oM77Xt*l>@3Xt33g$<Z<_#r?xrHQhf{ZUzeYT4Kp_3Dv`
zSI^?90gy&~2#J)3DpRE}RbhscIVFw=1q3%FlE{G&)pBAwm6JtPO)7}CkLDurM3^rV
z)8nDBmaH7f<#PF`DCZ)Gf7K!>F|9_CL;zHh5|Ml~EywC>A$}7|sXT!McGP2nrYXoF
zC7vQ?;T(Y;!A)X<y%!PUI`a9kGzGedFm{?VS{$pCrzUlAaw=Pdiv;dLs>1>S+7l5_
zfG`1(L5Mv=<GS=~pzXG8Q7--s$Fzyb%rqf9_5Kc1oHETtD|#o{rwf(g4~fwo@||}c
zKE8ARzFqj0#xIxK!+VBLWmzN@bhlP&f<fY`zZEIv%oBlZrcBWru9k$YN0Bg)q~12O
zD!SBM>xf)y+Bzs~YUM@L{A|R9(zHHaJH2dY&e|(#O?$cN%Hi&9Wpo+~6Ljx*fn!k&
zTAO;~^j_H_x!UDnK7Z{O#tTtn;VDXum$*nbcy)^3rgIalamdl4!8UY0)|Ma%oZ*X*
zx`^=Uj)Vmt%Gj44E1;{7?uBF-(a@#vo{Y8hXb6uzLjhfXnXROez5MoS3BRm`m*Fd~
z7J<V&RUF-*3vWAlzEDfLFfhnRVlA!Z19F^aih0J>{8yS!Eua_+EJ=@<f_~6NBW^9o
zRfc#TGZw}e`^EJVgO;1iRUM}AXJLr=+@EEz-k(LI+6wN^GT81;z88G2ubzXsmQO;B
z!_ca@kzkORI2cToSrQEW!b(yCER5ULL4$q0KiB%<YdI3HEsp{o1w0CH3P5ema<}l~
zVSs@2#3bx)qxOAjfT*p1gqCm~XP`g30zDwq)=$u<xY~MPOEe#o(rQ|cqXP%l>^1as
ze8sob_Z<`e|EGJ;0{{QM4ga>`FE)H;!;2dp>Hd}Oi`_rf_5TI`BKSM-4fuF)Iye#x
z2XF3}>NwH<FYVuLA8Y-c*2}GPt=muu`#AdcXTHOZ-&gq~*d*BR^~R+xknzQ|ap^tu
zG=D{5GJAN{GW))LM}>os>`rOoE@BWqK;hoaunl2<p`;1>N|5V|9M^-SiciNNva9)+
zm``glNUB*?OsVOVn3N)FKB}ank!adI=btT?A8EP7TF#M{8PL3$>Y53g6mB|)<md!(
z0-igXyFz(!S=~(4mxCe;$as_Ri&2VI1cg&GJ_8|OS^VTMNx&Y9h~+}DQWz7VL_qw&
zm|BJaTqx)er*kLikDC0fszpsiRChIOX<;2Y1&pYcx;;Xog#d5jqG($bSfz?UG-<sA
z?waG0UEa1hb5qF8j2u3^>%i`zJ@4ORz8mvZg-PDIVJ`66<WWnsT|@_ZymYcuo`&m!
zF2KEjDA-RSOFcsraln<ss{pP9HTd%J@-+M%ptztq9^!O>uViWpWHPY{1O){Im*TL%
zQ=vDw&wR+Zw1u(4C;8&Bgw|^`TQ(S%SnMC?8N=WrFZJ2?*>Ld8&Bmo$Xg6QvduI3=
zOOw|q=AbscGUnUN@K;G>J~G8J!^;CSHocG4M7Ah&eM(WQRLP3K<eI8#`mlhwzL`mF
z7?Alh4O8gD#-*Ft6q?{u$W>%p&smNc!-74{In;N;xWwW-XSpFaTodtX8B|xb>-HI!
zZlu$bOL<|3ly|>ziJ=;q#At8!W#AZ9uJR~d`f+}62K=18*+JMF3HZjBLiT011MJPE
zPFlj*n;l5Bn~&zwvAC$_atP*)rlVpyABAEypNJ!jQ%U7hiOt3(264!j>W(crHK#)R
z8%^A3Tw?fx+$z7LW|hCh@DI6FeuvX4e}i#}0UdHTxgDF?e)eLgajAu!{aoj^W7TKB
zEj{1S$B#aCXuq%<nq+u>Jw!CZNb>-F@Qg4*y~3y(e<ieVKcQVg1zF8x8*gkE(R+dp
z<ueN=WZhdzC$B<RP4%!tI6=Y>Ox_oXq*8S%_hnFs@{x2bnvZL-coz6C@kkyD`D84W
zQ<8F0R-=-XPG|@c$mgQDXd)g@$gy-X2VA0POpc_}YP=DJ$YKj@*n2fAEb#VX$Q~SW
zunDQf*@R{6aWK3|(QC^rkZ42pYDh}bNitvX-tfJ_mv}jrfS&3#Kr_qrbD6Vz_HN@+
zfUXAPKDHC@unu#@eM;CB#7l%2to>xbX2U>3`HsDVocav0)GP^}L0}|94n6xUAJ04Q
z)CV$@IcdnWvCSL&Tn-SasXgmz&Un~GKSWQ0QT`%aj`&4pEu>~go|hecdyNH_=jC}`
znRPTby9Xi^^;z1jJ9tg@d^*F%!ZY-u#xL44ur9mBquW#TX+9kXiLhU#C8j~6e<g-o
z2>UvHil2sqTN1!+izIM*poxm32@)m6G7s?caj<qiF0kAK{CpgAo{yW11(t~5MmE$z
zhX3F7XTD8skNA53y7#wx7kWS0JKB4oH_`QTU7zfFyz8ORw}W2~{%UYO_!DhP+au=3
z{|vs#ZMU`luhze5{bTl7nw#*hHd3Iir{#&pQm^EPOo8t2|ByT2HUBoHz$W7oi<#vc
ztV}o97o*0dC=);UnINx;_;D&XUe>DukI-SlhO9=kh$4&eyp$GWv3wGO7o2J$vAm)r
z2|Rp4Z9>>^MDqjAlD3C<7#i{dB@*CCTvT(*fPzTTgvH}KRDUYmXNCo67L#EKEd4cr
z_F=vwgd^vJtGSApjs!%dNB)?D;3Cc@83a(BDu61r=h;&nFyw%KU~*4sY_Y4A>LOPv
zlR0Qz7rD4dmq$xLgQ@8$?fn+WB`V*!DIRH}!&12_u%Xxeq}A5BUfOh^Txw*k*~{~b
zz@AV&kEwQaca_0vVv*zKYPzljB{T#8N6@%TL;@Bx&Ur97_(GR)DNI+~OKptRk>AE5
zfgQ&dtiSEO(}bo22M-++xEl+WkTPU{<s=KLeR9(GMCK;LzqL(FvxH4X{;M_td4a8Q
z_<hvj?Jm`kgLrkzdy3d4mAdV%CYLntF7l*tX^2jTS)No_b`eathJA_1N&CERnCX~>
zqMc2b`%=cG9khfSoMcOYS$<!I_K?B8a_yn)&>jvLmly=>2%p^!nZ-#s0H2(An;xfL
zw>=8HRVe`NID;eR+VL<&z=ZMt5(60KXHl4F$M2xK0O$R}{VTBqLp#2eK4luRwm_en
zfJ!~DLOU+dOI-R7*QEbT43v{g|6!-}5A8Su=j7V)FxQU1RVnQC%cFot0gnP61w0CP
z6!0kEQNW{sM*)ul9tAuKcobMW3iSAY-Ph;8%h!Ia{T`tGf4A)$ZNJ+6TK7k~4|U(y
zy(#pu(1$|B&KKJCwokU5YI~w>XIppcKev9{|2hAx|E`A5bN;OVu>XGl4u79N=npp0
zOaCAFW}CQuJ#K9~xp=Mc6lKUTrl)A!(&pOy^C$EINd#)e*i##s4jejw{ZDIIIAW{B
zUz$eTPnz-f(Dk063LUQNjXQL`w;PujLLkS0h_@fm3wuZ-Cr}{|Gidu#%WaGI-MivZ
z;9X4tC~F_3D~u~^qfpjH<TRAE3|)~cYokP2%diu<vNqbEPQ{Y>NFpl6fJ!08U`Q9!
zNhv3$lE^xgmE&31)S;|BXjj%ow?q=DTs)bI5m)B@c4ckUrmTI0Uf{~ws8d-B+b4rW
z<F?Nz^(5&2n(wB@7m3l`V;`MN9JQkfjE=$Pn`TimItG=`M<@47EASV<=u-C4$y-!8
z5?2&0DPwdA`{-ob=;HR#$<EQe*lk?e$2=lBm<21k79J7Dj_x{iP&i8c5@^WP3f^5)
z-Vjxw_mqe^9&Xlfejvd(`w#6J*)PCP@YtRMi}+d(hr`5+`eeECOsR0Pe2RjOFgFL}
z4i{Br252E-UQ-CDDa8??iJ`?>V(6jq>I5^~*HSYv*LGUhgJx(JcjpdQ)Jbu?@D!r2
zNP-tc0EyKyFAyuLPVq`u5@JA30I>vMrsa|@Qt(n7ONjd_&X7k)Dkiat#5q%A<9G;N
zg>Q+Lj4JW`ay}e1F}j>|^AE|f*tAi^r;UQ1)k@hMo0aPci*x<GvI#cSuyF90Fmn9Z
z!-tOSJN7v7u_f=(bl#}>hgfgEX)kTltjxW#-CZ4KbH=5I>4G>D=L>@RWUtlKF&(&n
z*pmi(5`$ticU<DUv6t=?W=YU^-ng`f(&B7^)8cLHykP?bq4Vt^QtH;`8=r90kHZGC
z0jCXX!ZqRCZQuW{#$5sd0u21}0Z#wLy(RGa7!aoU`udW_rJeMJav$)h#V0F*H7NJ}
z6O8Z(eUvl8Q3oTu&A9X+y_)8|vO7K4h7N~^rt+UR9;jZ4M}c<_1$tWl#&?51?1LBo
zV;erb;p_&z=ewbAgnlLT`Or(DQ=t!r?hIYucCzh(mVay$+XDWu`SE=YI)Jl&-LLo$
z`S0`J=i40cb8a=c@mS#hb^g}$D)tHo>`Su!R^t+bbm2^J!pSD$fv4L2mwcanE4_@f
zBgUmkdOUsPX|@q1ukrD;#*kHZ_d?<>I6YCw5gwO1_br+|p4>%orv@1YKY*$-nXQD+
za3qSiZp(zt`|c(;5qCnDYxH@z72>MhqjBHF<T#QN3=haV<&o&#Saj#!XmV$K=iWUD
zDH)gdM)vH9?2Seedo0ck6(A>3GC7h?L}Kxg=&odJ&(4UPj7q7!(ReJeH@1s3lHQ$4
z?n>`YBzNseMq*Mlx=Y#_lXmTj?HZAHMx=z(!O?b>+gt&MK{TO}3d~^=(bx^+9;~5m
z)vof9FPjVQ=+je$Y;oq;bU9Qz;+v1ge!{rKQ0QiP!i}VLOrJQgPpGvbj8v<TBbW+n
zvJ6QfThx%jfy9`r0=YLkgFKgIB54R1DzL)ny8;vU0lG?NITIImVIuYt=U`+*K*j`s
zX^>=?lNvxPNID1PE15)&1cG5v7co{Xmx~;)k|bO}?uZGN8Up>%N=SoPE|K)H*gROe
z4bGXw``XU=ZgJg7!0)iQD9-OBUAoHIc+^_5v#ZHI_+m16EAES#v<H_7VZrX=4txT(
z1K!Sej`kX%eZJOLTzlsgdKB;|;8EZjQUJRgLnt)&PNF(wsDxZ~81K&~v+;Zi*gr}_
z$s>2N5(kuhIxcF_NGzEG{(~CHLv^Uq-I9B;#<xV|Y&M;ik_wv0**DTSqFOIyX$kjh
zjoXxo3cbL&#JH17gkS5E^fLErjhm<sJ;tR`dIY`F$+p}0s+Ei`CKnoSwGtvUp<%pQ
zOVT0=NF8b<0&+Z5#kmbApj@R)^@j9k5$T}`XfXwX5J~!_VzDr$m2z5`spEj^M6`$m
z7`QyG;|}OPk#D*pa$^^ANo!(J19X5`1RIbo1KMc?QDMqdb-WDyoBe!r;5<Yca2`xJ
zC=5j}PgQan3v)v1Hf^k2nHe_CZle@g6)H{24kBJnoyt{*!NSlH0A#DmazU}jEtrK`
z(3G9Kvsg-^6eOwY1U~LTP_=o`hV^85%y25E<!j9JHrr}k`Vq#IP4g9DAwOKx`GLjH
zpzX~4g{T2Dj_n|5sK%ua($1bu^3GmkIqTYhIa$*Q5>z-7ULLi{Z7;eSQJ^RIUf<3B
zGrsOn*WY&ie%DvJX1mH=@9+56jz91CM2FF_r|spo={Bu(-hZa+!LHl8f}wv3{YmIT
z=*L5c$;bB(zN#+^h`+-dj4KF!#kXJf-M{*?3Z41K)j$0<ee%V-jVs&PQN<xyUS0K3
zwHL|nrU|^;?t-pBR#Pb+ATq}2<MhaiCv&lEUQUQ4;S9lMiXmq&lF`W7B*`%#CFESx
z9fuHBCVd>K^eD0*($|eERRJa|0Lzv0H0h;qg6*(~AZ2}6;yfZ2F>J`=T5+;mA}ED5
zD1OM6=r=V|sca0^;bT@zvUKK7!bru=Cf+BJ)Kic4-w3K6k)=p1mQ9ONHi66oN(9#2
zs1g;WSXPb7u<Mct<l0e`1_EJNlHHGS>l6d_;<#|MP$`sFa`^o)PcZfxO-dqhBGL^`
z0#AveNox0TlGh!3>>=b$bUZgm^!QbzYRu>9{cd5!i{KgV*O0;lCJ#Jqm+x_AF9%;F
z8&?MCS}}N1#8<6DY#k>R(a#V*YL(Loo8#T~^X*lfcvtRnlmyQtjVpK3k-hi?JMmt9
z2cCFzCS|NGB10x%hR;9>VyI=zIY?A!>~?E5+GZes63RC^2~kHrzpVOf?-IM?)f}Q}
z;|h!W%kekoqC#49%3~_95JAokz1p|WxU!YbgjqkY&r;8^mDtQKe2a1Ab~@8I{L!l$
z_tti+?Zy=rO}L9U)V>6Xy0-?#-=;^b*X_3v1+X9-hz_qp|8ONt=P=hlyxPAKK4!CV
zWr#k-^$)LZ0SL2_RV7tL6OM5GSD}Bn!ou~r{^8Y{{^1IX#pn8mSL^i;S6DDU*FU_<
z^$*t@R~TX~cRD+7MhIVVz}B88W4pyZw)6ebxR%eR6ERUsK&=u>Dyo=8u5(dNBV$r3
z9+Tvhim}~nAKUpY*+eXtOem=wMsgFq#7A=8HWG$O%13g(VI&Ncl#k@R6(QX6&9~9)
w@w)0!z@vai0gnP61w0CP6!0kEQNW{sM*)ul9tAuKcogs`;8DP%fJK4-9|8TFsQ>@~

delta 100485
zcmeFa2b|o*^#`t<)oP_(mFvCxe9gY|_G07Saql)R_<RM78*bRUXOLwurh{oB2?Wy<
zLJh<Rgiu2b5FoTPdH|c|E7)}YZ)UcP?{>i<5dQz)KewNo_r7|g(P-M6(L6nEfBkgJ
zcKE-bNS(Tr<4`fjSvJAHyt^(Sz>&tTyKZm2=2*$9^=R*E?b`i!WGvsK&3cIwI8GF;
z`O=n^t5$Bz;;pr)W%I^O>((55QuFG~Z5y}k;mBVmC9%+ftc8|M>sGa`-MHLov6gaM
znm4r^-?m|+(rMXav1XKHBazeE)R$Dha=v_pT<bj7(dAeoJtAd`gD$Gr{;26%Zi!ed
zrm>sffh_rE<#J2)9pa7wg2QMl$m1GIbB#e49oRl`*w}Sz)-*0yxwdgmWaFB3YaNXh
zi6dh+uUx%p<za_rZdljiP{wcF)V5)5vuQl8g)e$~M}@Vv)^SJnnIF|SA^Y{}8xUH2
z7s<EzE_p@C6V-$2$Lf3P8=a7covLoBH9pIS2vx>s5ZzL4d?o@ZH9p-8q|ErV1xShU
z>CuqLLF3awKt3@(9SEe?_!L5}+c>lmNSASF4v+)Jp)in-jYCC1J~9sRKt41MLe+2|
z7zbN{yl)&_0A#;$a3~OcpK%Z;`krx61M-gXNd(Bhj8B#WdE5A8ERZ*iPa1)|VSEA^
z<z6>>JAk}o^ezPQqS5OH@~qKY2;|R3&pIGa89noW{K@F?19{x&DFgDT(T&f0#OPiQ
z<c~)8cpwj#8{Kt4A2Paeh95M#;I_H@jjowM?lZbZ{q_NVdxlNB6=~ht8`}Nav)ZlN
zmAL56)-tpMTn0o-{B_<s!!j?!iL`@o$l}tz&^mYDh<Z>bRQ@4Ze|IVze!kYBeaS6V
z2XWdVNb*DNJ?$;+Rqe0Z3)-KxC$&ek2ejX7d$rrOo3tCWtF<e%%e0HM^RzRy(==U+
zYMZqawN=oZo3$m{0&TW7O`D{R)kbJx&8H2~8nl60g;uQPX_=a=*)^norGBdRs2{2O
z)VFo@HT7@mi|VuLpVUXy2i1GkPW89y&FZhzYt&z=KT|JO&sWb<cdFaf4)r8;y}DXG
zPF<lcRTrvr)amMEb(}g<9jf|OmpVwTR4bK#rTtYYseXE@gNGe+e*R<r^dBp6Y3_Ia
zPLocPbR7H_e*9^ve|qY}|FxsT(&Xz%GGJb?(b8`2*=U)M1G)3yMoS*)Rs~iIGM~Fq
z8B!xH$3wf+PQneG9PgFVDGYzPdBIak36kzKXKj=7ko0^E@2A*-VzekmJu!N8jIM~$
zXpCMMqqh+%I&Q;PSHJ2!aD4emh*vu;7vPcpeo^_Dvq6TCIeK}PPuIS*yhO9dTP4df
z94y7b5*#eX!7(^kgoA}RSb&51IGBfnxj2}EgV{Kkg@c(mn1O@oIGBcmsW_N|gQIaU
z83&Vit1ek4Vs-)!#^Ycd4#whO3=T%)U=$8U;$Q?0hU4HU91O$3P#lDD5W+za2LT-T
zap1#&7Y803xN+dZ!4MqiO*m}C!C)K=!a)NL>TytqgIXNa;9wvQs&Oy?2UR$z#6blP
z%5hMJgHjxn;Gh@>MK~zLK>-f(agc|DTz&<FIhf7H0ZaiTOC}C7aG>Ep#esqY83#@r
zIB+20K*WI^2LcXkIN)($#Q}nv<@av4@S{|#_B5{M9_?co;h*lz9L3+Kx!#ibd<&Yq
zapUH;NgdaM_{rn}SM(Y<@I>-JVdSd4&sy$XQs53Zy4{T)cZJ72)a4uM_BHuKezz-V
zzAzX)bhy+75t`iopg-j6yrmJ%_lUA~F(hl5Vam%<q4PfN^Y{<zv3AY8bR7yxi4J4F
zv<@{~I?BoGP2vPjdr`X)G|ybEUj17A3n+_|)!AyT@}=^ea=p@_%v1)-pUZ!iuazV6
zba{aDQ|HsptDRe%Q=OHLgN{Er_Bb{>j&_twz0woXFQtvrB&k&F79SHY7uSmu_|9+r
zIg(=Yst)Z=tVXw5ElzXyQ%W%g>#chI5RtRwTa?k_Qc|RX$8}gyd4_reP2rHs753IQ
z#iK4x6V(%Ja(lx5fTzAO9(7U5sP3VDPm|vp4Cp?0{or`q1?l3to5Dd)Ampwe6puPD
zeN>-26!N(18{$#tq>Jim3j1`AKj5pckH?*rCay2s6b$=<fk1s-JnD?}Q9U7#&*iPJ
zjYpl9E^4Sr_lLsJ4C`y+ai^q<8-z0OLaVGF7>_zReN=BK9P<0?tK(58ri-cvnnD4W
z&+V@t5RW@PUEDyE$L$M-g7sDLsAJPb^*04Pevc<qUm1@&I(1ZisL$Wz@_T(=SA9i1
z?#R?}hx&X?J}<PIV10Q!>hN??y-lH@&ke1sEFN`Os;IilJ=EuI@`S=3pTE8|9ygpS
zE{^JH3VLDS2-layqXyGQbp?aIptrs_9@XDJst%(OB<pVS`}}Zc^+oZx-u`iERA{vU
zSI8HtFN{ZZr;iFfEDU|2ARcu{->5nn58Xq(;iix)9D<_FkH>B78#fu%<M#O6?)toV
z)IsT@hMEFypEnS$&y7c|Jv^!&8<8Og!6v`U<p~GtbK-Fa9v(Lt6*pQK4}$gC@u&mR
zNA*HpL!SDqc+^TZs-DmZkOMzdZa4syn;DN=&c;1Fs>khuL8(3?9<?-GR9{oT>-UE}
z^;$e?aWbmTXeG!2=pC=i?+eze@wkP_xQ9peHhF_?$V9yokD8Y*s;4RB@wx)8dO037
zHy%|#Y_NwMz_1+j2He4VXFP6pJZ|5p?j}#z<MD>-9r37{>7u%tf-axe>#mpLQ8gM>
z@1t%Y2d*YpFyw(YBgW$@X_EDXp$vjPh-!~Vb*76NYVtu=VXPP8QAHe8Z|ke@+(SW&
zg}p&n*jI0h$F-+RHVDbW03NRA<56wtq6VN0!XaOv-Wrc;oxD+pSxkx?_+hYjg#y8P
zcq&4*GoA1xqPo2m?(k5Tcc|ap<nsE%;eY}&lqRu&gLUw)v~Ai<tr}LYPpNy<P3k1I
zL^+`RQMpW6t&CD~<oD!z<qPCiIV8(X&exrHI?r$}ak`wm;}yqEj_r=QjymZ}=~?Mo
zX{$6<st|j{$6>m0qBu@0!1J9fyG6X@c6BL!A~Vj>FvQMTGBcIQL(EstM}^sLf2+sU
z>~Xa>G{po>RM6Ja;szz|bvHD|1dUYC4js9<xwXaHFgPX{j0HtmKEFHA*6I&742m5e
zL{DgjfxWG{)g5eThzS~~AQ*0IZ*LB^wl&np1obgNyMINfJs4<jsEY~er~rDq-|t${
z+}uzb6Vy@x49DJ<=78VRP!ki>P=N>3O0&BeZew6fFpvt`ydlU^2+pXE394fPPkU>i
z#n;x>Fd!xvKn3o0PiRG`CD77P6%$lp0o-_aMVo7d+tpARJ6?&87iYEyeXXHDb3;Y!
za0N}Lc}1JM9aKWNp*$uir|H0O>hiU=v^SK+j+fCB!p+Tr_SVn}e?w_ZP)Y^u?V&)M
z+XaG>n4lykaJ%9DT0EYH;+UYA3ZOn)Ty9sOt)VC;D58QkH}r~7AQWmSj0p;<z~>6K
zd0N7)!G?mEpnwY8UT@gz@wc=z<i`a0RL~p@dVJm%cc39JCdi|LmSD*1Y4iHq8ggTT
z+?b$kg*yPJH8<qM1UXdT4K%x3Jni1rhU}Oin+k%yFbrlcpRXY+Cdi@!pLd1d=MA}A
z8!}^pOe$#hu4q{iZihS1hzT;Nprs|)>hZSw{0&-6pizOp-RoNs^m@GwYD}QU1m2L#
z-3$fRpu_}9>>BPB?qI8{+1nt;1TqzbT357q+ufe#24_s*qykT~$K4VNuLw6dVgd&h
z1cPCixA>s-NHKvFPb$z7@IW~>h%tdk1?`^J=H`%VMQejSCa_aMTdObF><Ncj8ibfY
zh+U(#t<C3Y_jwv@F@cQ=JS{CNe9*Lf4SY<%6M^Jzb%okpzBZ5f!ue=Gc5CYjmwQD^
zdvgPd#X}^X4)d5`!0+|?9PntcNqL6T_QQ(sdF@f{9_<!*%6F-DmUfD^0iNp}qfOVw
zXaRVVSEglYg8Df;yL%HJD?h2;2M_D6SAVXar|y8qb0?_FU>!CA9>_JRRcfB<P`*~W
zm3NfCDbI+FeSdo21OH{L_sh`_l>yt!NAjC{B$4{Z;a7dz59^X^5aO>fAG}N{Lj3*a
ztk?7E5WkONn~h>yWeg9G(c@zD=9s+4yh<)wZiR;i=B!@Z2Y6k3oW-ggw0F*`ue`^C
z@!MA2$%7uHOWYxZr)$_I!qY`+BjM>HbTHxRDsvFw=`yl`@N}72Pk6cxtRp;K=+zRQ
zF63$mKY6l_A6E<{fUd==2~XEr0|-wSQ&ohgtEEc9)74M~;puXxobYr#Q$~2YUMVF!
zU67Ozo~}5G;ZX$KJzY{15dmE@6cU~;3JM5MC;j<^r?dJz!qaJcF5&64Jcsaf-knW&
zI<d|oJe@da5+2Wt_04S=1kky!MtC~6RS8cguL|Mm>{KQ^oqak9Pp6j-!qfSqM0h$s
z6bVl!fOf)@8D5)!dEG*%a5f^Kb2OgtFbRXIu@at6vhV{a2mE6KTMbR>dz^MqI{-t@
z+c4<70>jQzFz`G8L(iQs`1}fnpUYtYx&Vft(_j$V3d7K97>Jg`P&5|?qe(Cv9i{03
z%>`ppHH=CHFfPfOpm8uZ^}^`%o-^~u|LH&eCBF3v`hReb;!8*Tn=hvM>FEUjrQ>><
ze5JoUFaD4}{fA8Kd!%KByTMQLA3}T`dDQRaLx=DE@ss-Cg@<E@3-%V47Z1VX`E<m?
z;_x<{;4R4hI@ToTTCLibpaD))hvFDNx9T>l#WG|F4x5^A*w~1}!Gm!)Xb=t?8gN)&
zkHfk;9M;z2u%-rw0|(-;x*CTA2H>!&3Wt@IIIO6^VR<<Y%gS(AT8hJx5*!v6+jJmB
zMHmzo;;^6qhxz$9%*(@JZY~aUa&VZPjl--g9A;+XFe3wpnubGF#i63$P?mA%bmGwA
zz@a4JP!w@!x8qO{Y}Pu9#b(2R=W%GY;t-LC>x%OYP7p8T)R$Ex-`c6(hF)@7p24O0
zq_|_Ita8%m9p;vM(eyxK>pZrZUQv-^JN>YOctd^Hus<O9w{{Nu1OM>zR_8Vc?BiIz
zDZhS?B_sa7cMsg+F3SNMZ07tVySeerT>U@a%~b}#@3pkQO6A*rdRieY#s3RG{Rh9u
z6^`%ti5bjKXTgua^OfKJ)4yH(qf7O)`4bKv*^iI>CqMl^Ir%?57p7Pj<vvg)@wH^v
z`6Qcpdv0zW9>A|dy10e2Lxi7-=s)e{w;XlEcRv6Zo;W1AO)pNP+wx)?-Ch^ZG%Z$J
z6%wzC;k#q>xftC?sbq=K!Waz_>X3qTTi*5<R<*BMbCf2MxfoG9wJ*^NSj1a&yoLK;
z-;qyl$iv?JPp~7O+>qCQk{x*{^Vo*G4(yMzBY%WeSNacbb`@9DN2aIsAKdKfFbk_x
zhFOQ1Md?4P3D#kkN_nM!!$|8pjjrZ?4{NLMZ=`i3W=!85=chK(QVuiH`oC*-#o<Ao
z!)8|;HoM}m*%gP)t~hLV#bL864x3$Z*zAhKW>*|GyW+6f6^G5PIBa&sVY4eRtib`8
zU2)j#io<4C95%b+u-O%d&8|3NcEw?{D-N4oad?pDu-O%d&8|3XcEw?{D-N4oaoFsN
z!)8|;HoM}m*%gP)t~hLV#bL864x3$Z*zAhKW>*|Gy8;_u9Dvyshs~}yY<2}!s5k(#
zD~_05aoFsN!)8|;HoM}m*%gP)t~hLV#bL864x3$Z*zAhKW>*|Gy8`QA9Dvysht00Q
zN*D)Vb_IsQH~_ON4x3$Z*zAhKW>*|GyMnzx9Dvys2WD3R2w{}xu-O%d2YJ|d!vUCG
zaoFsN!)8|;HoF2VZXAHw6=!jnFATBO=`fMvk8lY8F-CCxr!<^}5nN9-a3_y__qh5W
z#`tm6!jX^Q`u7;h|7}y-ZyBBS!-mCgiTESM3w_^9{%-{T-w6J{5gg{={~N*oLluy6
zy8gcr{747p|Bc}NUVZrA9Q^-NbMOi}2mgXwsyxkU`?P;*e}dQ5?$&PBuF@`n7u2?x
zWuxqqbnO#(-Qg|mW$ih5TkZ~ciR~BK`P!-4$?)3RvDzGMqBaa(R2!h>YfkkWcs1=^
z_3!GR)ra9-wBM*#su!ud;O(<@YKyu+odWNhdDU9ASk+Xka!7d}b}0U$JO)2K-A~>l
z>w6&hw||Z&eyE@RLnU-1>4^3HetO?S$BX~9pRLK(q~qWx{LTAOE{-1#e{SKm3(&oo
zy$cc61lHFiy6BVcASL5D6*@}nPn>fYI*A*A&nZXZg~SSo7k`&H@*K4b5<jF=l45jV
zjE;`cr7;?b(Mw|VE<zpBT_hXo6E^&=*;9Bgq7dFh+iZCWU-=&nWhZ_X4zHqZ!+3<Q
zeSv)O+>-6qWjGX;5`GEc7Zd&%!Y?BHLc%W~{CvXCBm7*#&msJ5!p|c7Ov29~{B*)k
zBm7jd%`8kI;AkS4O!!HJpGf!#gdb1%afBaB_%VbZP54oSA4&KTgda}$qX<8Y@Iwh7
zCVYtSL7P>F4dws=ej@M@-b;87;oXFH5uR+v^JF_-Alvag*^U>;c05nE;{~!E&y($V
zfo#X~WIJ9U+wnZvju*&wJdd~Ib&Eju<9V_lFOdCsp6tg9WIvuK`|(0C$pqPs7sz%z
zPqyQEvK=pw?RbG~$Ma-6ULf1?JlT#H$aXwWw&Mk|9nX{Pc!6xk>pa<y7s!4*Pxj+^
zvL7#y{dj@w$Mdis4{d_kju*&wynwgkZD3^-(+POw-v?v=KgsBiwZr|OAMOARaRcax
zUx1c4AM^y)1zWWBpby%#V|8s2D1~XD7Dj_&@Plfo2jx%->LF8eYBo?2pMjG25Y)sQ
zpeSAhRq+HUi$8$6xE&P6b)YhS21?^xP#Xp)j?JJtR)X?a3hHAPD3I}>Lc*X#8bOUz
zf+EQURU&~h`3lrY7bui}Df(;5UqP!ptvm?7NV=c=v+wtFhQI5le^-PbS+1wdp;+~u
zzhlH7<fk7=GPZkuwBNiRCFxEWT5m(}X0ma+d<7nYAGiD;Qxk}&2}INcB5DE=HGznl
zKtxR-q9zbg6Nsn@MAQT#Y61~8fry$wL`@)~CJ<2*h^Prf)C8hx0ueQVh?+n|O(3Es
z5K$9|s0l>W1R`nz5jBB`nm|NNAfhG^Q4@%$2}INcB5DE=HGznlKtxR-q9zbk6Nsn@
zMAQT#Y61~8fry$wL`@)~CJ<2*h^Prf)C3}G0ueQVh?+n|O(3Es5K$9|s0l>W1R`nz
z5jBCRnm|NNAfhG^Q4@%$2}INcB5DE=HGznlKtxR-q9zbg6Nsn@MAQT#Y61~8fry$w
zL`@)~CJ<2*h^Prf)dV7H0ueQVh?+n|O(3Es5K$9|s0l>W1mdyEKtxRttF8Y-Y9jse
z<Nt4JVu1Kvzh?0V`RPZJjP14`?YHPhOB$<+J+PeEk8Z&1Iy6{x(}hHck_m^cAm$#1
zPBLFFM-~4sUQGx@P0-bZK-7dl)Pz9Pgh14UK-7dl)Pz9Pgh14UK-7dl)Pz9Pgh14U
zK-7dl)Pz9Pgh14Uz^*0)q9z2QCIq4;1fnJcq9z2QCIq4;1fnJcW;G!&s|kUq34y2y
zfv5?As0o3n34y2yfv5?AstJLp34y2yfv5?As0o3n34y2yfv5?As0o3n3A&mPnAL<p
z)C65k2t-ZL)r3IQ1YJ!CL`~4ugut#Q1ZFiM5H&$p69Q2abTuImH9=Ps0#OqJQ4{QH
zLLh2_t|kPcCg^HHAZmiHCIq4;=xSn&z^o<&q9z2QCfL;kw(gCuCIq4;*wsYmH^<u1
zv)C0B()Qzp=^=Qav>*G<_@}17CV;z_;*Jq;_+`vyZmYtJk0$k9jy!hyHy0mAy7rJW
z=ueL`KM~bq`S>v}Fa9q5Pfss8GKn<sKl<ta+3ElB*}62)R{InFmi@RFH+Mhltj4RA
z`z**d*1YOmCA-l!i&Z$bV-G`XSmZbhnO)<H8*hLF5E5@Nx9{dn?DWV!1S__GzzYsv
zSd%X}Af1c?Kl~UNd!X{2Lm+;^;l~&Qk8}tu`nEA}hKMron*~3}%Uj>_?v`vz|I^cp
z{woswTk`gOG9cdZ@BQ?DD|(0cL;v(2I>B#EPk62GPw#u+zl@LWm!t2U0dxH&{69<>
znBYC#1$1EJ+t|U2-*^}@Smek;rh9w-Has$ZZQ;RCJ^tp_-FRR-hUc{}tzDRXjSgx{
z$)L8FOzaks_5T7gv71NM|8vO1ZWdYp&ma@KX=MFBg-q-wllA{ZGO-&^*8gMi#LhCB
zEdNK6dEIcb{2xZ<bz!pn50ZJEpT4!_B@;V0S^p0q6T3z-u^U9z|FvZOKafo929WiC
zC7IZjll6Zonb;L;_>zTWVwXqO|G8vdmra)cnPgt4k$Ig$mj6z&{1;(f2ZNfOtp9Cf
zV#mI<b^VFrC>_6-+T>Wvfh*02v}@pn(>85_R;!8NpYlm~o_mhE23$=JQ8VD_?DNVU
z%EiiNWxf(r3gpk^zsbLsFPBf2m&qgL3fba()A_LTTIWt@yK|zm&M7(egSWAp9OpXL
zTAxY#o0VSlJta3lwOf&#jjR81!PM{6gu{K(Fb>Fulvzhx`Z$d7V0SIl=~z<=al+A<
z&)t|>9QQ3YI3d=Pj^f~ScN29eHYg!KOpKj~VIN`*DaA>@Vd=!wS6Ce@PWnXhg}_T4
z_77Ie$`gK&d~u&(HR;6E57@xe;<)Rt>ONw)K5<GF_xClRk31%h`}nF#C#G(_DpQN&
zuDmMxi(@{ysQ<3={&Lo3S6OOt+)Y<$Ix%(4RgzK+KIvlaxQbKCeQ_6DMd`%U?N(t*
zal+G9K{_#%KX$K`pIRPwsg;*n9QUG?n_3+AoRyPK4BoPIaF>;xS|0b1m6c9Ry<%mi
z7RNndWuy~R=U2LxS|0a!rKT3gy<92j#MH5soLU@rX5}oi>iq^8;+2YeuyUk6J?^wh
zN-0h_suEL+<Ibt<L=5epbymqZq!Ln}9(O`zOD&E&p5jxB<G!Y>adAF&G}hn26uSNa
z(RFEt#Oq7>D>?09?OJUo_&J!U)oGHtAKuQn3APc}sx!d9aVEG@`HOO=a*1-1vOozb
zh2Y}y@8ERm3i%ZISb3CODI@1w&ObV@bDr)z&N<0h?{qlccRb~|*>Rp@onxlM?Z}dP
zq!*;$Nta4nq=iygDiXgC{~`WC{H3UitCowSVSCMLf7||u{d)T@`|<Y4_6ECC_&|7C
zxJ5W$I8m4-c;KN+ukA(KUYlv#YFlI*YAfcy<p0Uv$6v`e^UdhPbU(|R?9T+XbP!1o
zWA$W*$MJ*AJ$GuQ;FDW^2_KpTjz->en(IHv9+pmZg}?=$*R?EOxQr7wqS;_@_q%;d
zQ;I>ex!i6~z_%o|H~`uKhMK_Qg!pjP<!SQyeLhd%n1uW=)#Ygd7h_?+XHjagyD1b7
z`aHgc>BQjR(G~VAV8uz*1$q-4DuKVq`K&yly8JMPdOhH~ZC*Mt__G3UfOFG{y?#$9
z<eSq+99Lc7uG8)JgnhI7$YZK2+~fh5e4fCpv|=}Sd34Q8Ert=;?{f!zGy02(>H?(=
zIrn;}_m^YU6$1ZuVemFJEwwlZjw_+yLQ~U;eNZxC_mq@k9i{}}=?~nH9i39{17EIQ
zAGo=ioK74B7l^LVq;z7h4_xE9C#Dla`}0AApO9J(+QZ{<yTjwtiTytCpXMKzP7G;>
z0)erq#Xgvbg>;Y4Hzu7NJiWPt{?X~g;6=|L4vtDK_JR*wpF12JnNE!T5Qf6~h;(wF
z3#LQv;pxQgu*dHY9F<xOn#~n<2ff46i32bS`20gtt1j?a3Ug);cvMV%I!u7Uy)U$x
zbmD*uh8a&Vo!I9Og<OFE5%*JFFqMM7;PbfrsZV!d_p?D5C(?<*51%jO^`;Yh!r^c*
z;E9X-xYGourtk;l9+xwtFX(g_C0t%;k*;)NuR8!<D^o2y$k}f2+XhZUnX~n{hiQ<9
znxIl#o;2$Y5c_>Da1@+ecd&yqh}~frJ;SM&9a!v!bw{wzvLoTn6{dlpbv)sECUZ>Q
zV8-C`fJeB))*Xq#nRtALzTi*2>;N$gFyM%{|FT2J3kQ(nuHp@*UUz`l17o|_-*??X
z2WKeIkUtQ1`BN`DKpeosuRG<kL&r{BJ&?I@AoaQf#BQ%I5DcbRci^o1ph-ZZaHU>$
zfY|SKK}S!$?C|<@qEdst)awp7-323@KbU&m;q^9wi)k2~Q!hI}><I_l;c)6@2Y7A`
zd-RYy;7POYfHjfN7xaYEtUF+`01DTiZrR~!f(rKrJZY94ZfFv2cTjhwS$Du}02Vb~
zUz&A?3;YDTLhf|S4i^**=q-2ZWe3cz!{8S>9Lg-y`#&In=`#!i(4ySF)awoqgS&3<
zfS7vO0b-Zm6%PASFFQOicMpZ(-pI0}zdKuygHubNKahIe0aLsXc*+iVVcn5p*#Tmx
zG*7^jdf5SDFFgAQgyPE%z2CwC`?L)C)2urJQ0({t16_CYTXsM{21nCjSDIx9bkvYL
z90)VZj#-S4WDlr&KR5yPr(Jizun$F>Sa%%0>~O(ECKU9;2E9~$9WUW;$h^*J|I%Iu
z-}}AVN7}1+OY<qseEoc>+G^9@>$G1W{X^S5)7JUkl~SQg*FNW#%6D48Z`-@zwe3al
z+4eAaY`Y!&wOt9`+RlYXXC2_FZ6)|=TL50##)FSGFF0tc1ovzjxQ+Y@T(i9ojwAmH
zUwe5BTu1&6RyWsx^T^%m8LAHMBiE>{>SAypIawX02Em2oK($28RvoHE`BeEB+(`aY
zS6)#5q&%eDt=y*Ep!^b+Lgy%_Dp6&<a=daZJd>NIj8ldw9;IHXQ1TU3vB_V`J@S6}
z4fz%L8o;CSALKjbtKk<&_mkSb^{1y5^Uwb`e)<o65#c-k;L&LEud`{n<z-|M%;x3U
zA^hYSUPxDN=gkL4=8eSge5A;eIVpC6^&Y&?17q6Ht<#ffU{17IB#UJkT1J_rXeniu
zpe2-9j22Vo7<3F}7NJFyS%?-=W&v72nfYiwW#*xIl$nd>Qf3aCBkJU0v(apNXcn49
znVD!NWoDoml$nmEQ)U{PMwzK-DrKgiDU>-H9Zi|ZXfkCcp-GgPh$d2I0-8XX@o2ng
z)A7BIL*wY7v1lx1#-K5j8I49$W)vDlnUQEDWk#S8lo^hOQ|2gi6lI2?VU!t)hEgVs
z!juW25M_cW2n;xHu>??n9`YkUWqim-887lu#)CYRaU(ZnT*yV4A!rC?notvE8c`!<
z27_r3Dd0h95M>%r17+$_J!Zg|y$;pUL$#=uGBv1%G6T^-%2cCj$_zjQC{u;1C{u|l
zDN}(eC{vEgDN}~ZC{v0`DN}+<C{v7z38TaQN)bI&hzcoFfC?y+kMb##hw><si*hNG
zgK{X7jj}0|g|aA<i83jZfiftgA&oLBQYoV#*oMGW-zp=Sa!%x=i~~6+BO!@0A_7-)
zIJO<xDI*{-Pr*lQ$VM3+9Q2VRR%E3NB1Vk()rq~YOL-?EHFH<NOh;$IOy|Cl{|8*a
zeXkFC#XZZU|FGAO@ycocH2)2sG5t?Yb>zt3Y9($7zQ50yBlBwTU9Xt_)IMXp-^1y_
z|NIjC&o9CMEBq4R?^E)7_c)Pj9LMEzCI?UXPnK89!^OXe_lUo?trX{pA^WTLr|s9+
zE)y@aE#zOZcr9hz*W5eYQxN@h?nJJYo5PL4vn|_vJP&KchExNs@bO6V?q{7I-RK%A
zaQWbEmAGo=OA>D4bBwOxL_)nv^MzYhu5DenWn+oabrd;HU0Cx4ef*ea8ePMPoO+t(
z^N(M7-0{0AjIN<}e4X>CcWgelqoZZr>eZbmJm&=WvPM_f{QL#y$#BsSIhneh=G8$)
zm&<H<)>)+{GIp9^bOk!Ec+qJ`aGu}1;bmuSrP1YM&nud5ba~134D2C$a~n)fPgjHH
z%;%k1e4)|hF^_u1Sp=uM%|)*`M^03Xt{{892nU8R2dpJ<+fC#Ey=`mX+dh4n(bd@b
z+AGdw){H^MzOf`O{fZPa*FEdZo0jmiuNeErFli%5d*5g#ZImMIeWS?ToJ)O(qg?aB
z?P@{i&CfYQ){tVm0^Ip}IUy_zfDgMq=Xk)j*0ICU=E!r{q%(w1g?ELQgrhkx7=L|W
zyNS!>ZsyJkz(+(o<u{xG8|1cY0+U-C$*q$3dVu3r?sVL6b_~ukx@f-hX^|Gsb;AY=
zloZW;tjfv_yU{hnocNCOj2feBI&-6f3UQ~g2gIFDqibsCC+|4V!F4&sJZ+yd3T@zM
zHd4_PqieF6wcj}vqD(TI_mhg7Xr8j)Sw9cVa1Z|&E?i<fbG8jv+&FT8R-CPG;hwq4
z=o(83_af@5-j>@r<qhXMJiI?>UQm&lv-g10lF<$wXn=*oua-Xn3tdxNq0Q2U$w$d0
zveWqw$t`6{oFIu0i&u+7#4>xY5E4JOeQLW2twQrr0F@!$@@Ftz{FUWYaG(#LpyeKc
z|5v%ExqG?az%Tx18a+ZCve4IPt=bBkx&Fe;qDvl^!*K7LP2M860<+0nWswVk*=X*v
z$dw_em<{9>X~jrTF|J?$N@6`z5>mO_=sJ-cpsx3&GV=|aT&?FBUF*nUIs`~1i7!e(
zO{^gjIs{0}5U`pYr$s9DEm9Z)RuMTJ0wgj7oPLzibpk2pb5@e}BhewiJZ^iIuk#_B
zd=O<AT`Os)wa^&mgPZen&D#XIrV{Svc#<Y<W)dD5mXiatlZm9+7Q+W>=w~uc4H{kT
zB(c+vjU~4GH1+r9eeXKeOC9o?n$gupP9GVQb~)r?7)DyzixjOhx>{(C=%)xIv(YKH
zKtZk`(P(d!GUqg}S-GKN%(~4RH^Rqr+Sb+?UCkr{{qBGym=D_I;(2fn$Fa%dQRZ0Y
zfQTFGGID^Htk}0?cS4t1N-}iTaFTB^w{t|Xd>O*McnLX^7KfdVIf<%-D=lWOWXD%J
zhPjfx-<6_9*CKMIv)jm(?75xy*yIn;AZTq1$(gjZ3AnX|@G!7|xqyIM+kCTKld+1K
zM<ld;2_=c41=`mfBBAX|VA|Jga-5ce&^K?{M%OGNryn^G^4GMruH3vv;qK=KaF@VW
zpSi~+r}(+JPrT4}oo&_ywi9g&Z6j<F|0(|_YDW{0-|>OvE6eMai!3|1OH{+M-U5bF
z&W9a;aopkjjdQni395EZK(G{r6zN}_Vst;zqkN6gt(dpx$u)}OH?fBuP&-@9dotx(
zxU-W;4ryz36fH8kGtE14<YNLxcLpPoVNC4S*aOfgx@Go2(PX3BX?~C=A6;Q|JBWmS
zB|^@euzKBwmCb7_X0O|H`~ag{GUw;Z1E8687qSVI!vQ;UzzLP#Esz7WfSr8{__QrX
zH+*IW)b*LP^Eh)m{aNx#T>0HRIg?htgH(P9E?{LY;DE~SM&^nl*;8tCTZn{KzM~}3
zL7|9r^Y$V+H*9pB!eqwLH#0DroJ{0&G;xs8Wasfl*S5}YisXG*adepPm&$XY^rLJp
zu)2w`2gFm0jjpYoZDsN=EQ6iJ9DGZh<De{Zn9Iw3FQ034XPZ}L%DK?Rx<wL`b}=XE
zV$Q@Ddq7=0_cyh^2#TnPM59F{<05i-p+pMI-)G3~V4l&PPvo>n<dQ@RIYxIbk<k7i
z$NR(1u+g2>c`#GH8)fZ?8r|@TBdD64v|q}m(WKsM>Wh_9voKG-_|oM$e3{B!$T>c7
zyy*C&;}S=^V={bg>^P}O7%mKk_iJ7=t19FTR`|Afr&%FSwq+RIwdArbq@$}Drn^cW
z<bz7BA%|%jR&h%m$Q}@Pt~R>igIti8vuTm2=B!2XwdTk3Rfl=oyUr5xgTdKlX0bz7
zI}g6=R4nG~I{BZP(LI19vy@)Wd~j@eeI6uU#U@^4Of|YI&6Dfpry-{m=ClSG=4;*M
z<_Qh*AY2t?BsRUSLaJg`;;TxKSSgd3f*X7ZIY1k{(zlY&5{z#6`WD>DMJJP7DY=_g
zZdz?VTPIg_epw+u&reeL6<jfQh1D_IQR$GRkEP3`r==aXb8Ty+h5QS=$F|UVoNc0Y
zxaCwE*spR|$UJ{P*u(7N*Es)d3rMSNP11VlRq0hcc+9gI%|`cd^J<s;7Tna(&NJNd
zUJGzxbF^2k114y$_R5a|<2M67d5G@BO%?v2@zALyZ9EwzA^83o`NR}79y$-BjVB}C
zc;MDYF}I%4_trCwZn^@X-7AB1FDPF+pQh!jk@D3O*Mjn;YXI6bGH}zNlm6HNQJUCq
zUe?Xd%QEnw#7^}yiXbBalF?X3GS{wK+XlJ!#B)Cg=J8tJ?C<g$-ELBI=Pf2Rr_q{w
z)guq+Tz8bb-C8TH?w=PgNtEVRE0JF1pknZ35BFXdk<s3(k^wFNy|>A{JS=;lMuwQr
zh2`><Mt38LM=L@tNi;sFh(Sa`D?()|qJbQzZBXrdC(sS+iJX3xN6lZoZVP-EIob&g
z<|GRbSr})o^2u)7E*PChbV^6bpIR3}lPE?!hfY^qN{0N6{H%PHyj}Le$BsXf-jiOI
z9+lP#ON5C+ExZr+we4-&t+rpH%RvXuLp3lZeakY<QfK*#<sr-MmOYm9;WBNOxt6gO
zkHviM@ytTr@;3JXZm)MD%O*^#&EM=PyVFx<bknI9{kl<(Fm=x8IddwewXIpVAyP4J
z^O_T({m_XGZ9mzh{j?-LpaykMr#Z9&vT^@h%9KrZ-?D*Pp=%UcD;ac5-FdRny@ZZG
zt4Q5v=XTDB$RDFBxBxrd$-)YWPIu;!h*@Rk1@p+<w|fz}F0I9^lEkOnAO$+hp;^o-
zhH9k~99peeOtsEuvYyp9>(H#}^oKU<EIJv6<mcKsCk!~}IBAZ|=IvQSJJ-&WA471;
z9CBL*o#13;nA&`KLKB=s=S8tR;ciDKLa_tlX|mBhlbm{nWUe1C-)LquYQE0;W8^vu
zjJq>PMn}djNN2p=>=G@jXp+%Ajb5A1!L!Uvi=1QLwpgx%GMq{hXru}BoAyGjPazR#
zt!D}5nt5^=9<1qtjvme=jbR#F(v!(q^d>TKW0*t^(2kPXw?ubNF}f$xYNsEb%FOL-
zpC|tT%~$wmxFSml$G@eWpiSkkRpuyT6u10>bb-_%EtbYg_3**Xx5TGyt+sJCuZ_37
zYk7=+-g22`rKQAjp5<iAYRh8F7>nCdVbS0r%GYGb{TjFY#k}P<ZW`t$TeTs)nfZXD
zI1?sj9ki_IhpzI?!t3SX(2wafgx+qxU|zq6mI9rO(8GD86h<}2zd{H%y@k2yynZ(w
zGP+M97dxw&6n`Ea=RUqiZt6T|ue=pyz=V{pUT6j9m{7q*h1w8~hjy}+DdM~mn3gr0
ze_t$@;>y`fL^NBuv~m*PK!h_lF=yuD%Gt=|Gq-O(Pj5B4H;{au8z%Y8&F#E$k38QB
ztJH3~9;JOahxTE(09};Q+Rwo~l`cnVPt7SaS4U`1T}!S@dumQeVlaV@Nmrw^W9Bd&
zldeK(Gs@|kQ|M(UkQ8ah%%L4~q|r^+py#Y3+0TisQislyy`A$T@@L2ibNS<GwGS{y
zE|i1j=}Y92Mx&cu+vVWC+0K+)j(F+<qq~iqx2xQovPizu9P5!=&AesuUA(rGE8RW1
z&;=*8uqPEk3&bCvrGExwc?C&f2h|ZdrsG)ow7tt^OGYz4nycjg%4;3Yo1Lf9v0pri
z|C4mPv|EZu$MTm-0co-|1NER^^DeX<qL%Zj^&)wj^%Uze{uI7do@kxMPnX^D0r@rg
zH5i$UV<%guSf}7?TbFSixbbh1PpvX~;A@>AKHY!m$?_fM>h<bC^U{0dKT1XqUD*sb
zZ`vRi=FeNZYTcH#6O0~}+>uU-vjCYd@0G(%g+`A;4%4Mf!C_08pwUBDK(wV7z((_4
zxnU7MS}}U)G>$fwg7Olhht8#G9T)Vk<DNWn8Cu5$q>i^3J@DyLdV~1cV1c=QQ;FL=
zzEckCaD{B90t%oSd$QOAusrKw*J}ku&ij}u$})QB%#$|q0y2H@=NUb8NkAKKK}n+9
z=NLT&Bzf9+3k%|{*KPDjL_oVizIo>T^1!TJHAat><o!Il{?9j?50nk<ykU>rY|S)!
z;M1OPUptN?Wu2d4Zof*NYp%IgK1Mfs=+cpvTz)ynK~|mQ3N)+vIIDh~Rl3NbS<QzD
zX6$pQkX5>9q*=|6=M?I|M$(~mke{LscwrpQ7p;VRQVCFubYU3F5H4ug!Gu_`1LCPL
z*VSoDE2Z~?R~I)Y8r%{*u9ln1TiFgX;~Uuv`i-t5N5*1f{RV>rT|CB8#T{xRZprIv
z;r{6wf~_i;>Gc#d<z4_2g}rjMyfbR_z=v=lduO+qCBKnJn)labJI$}|kt^`%dnU>@
zIHP+TiD9g#89?S2d*qGSJN!r1{hZdLy`%jVOl9uZeyd%lU8bE4A2eLAwStMv(b{nM
zg5dxy4~+f4R6hn!Vvno82LqW~)T`8s!FyN~Ok$R+bKr}rVRf)tu4bt=Fok(vc@@4p
z-KpHDJf~ctTmTj@Cn+nHCCUuYd48o%DF(|Ii`=Wr@51Y8Ps<O;cgWX+r!ZaKAh*fq
z$P48u@(Aed)pEY<aDL@H0B;Sv<b1+;uk&i>CGgeiTb&)wwa#YeTzG|TsI$>o;mmdl
zj?Ww)I9_u+?|8&<m*Y2%-Hy{7TO7Z1oZwgrZx)Po1RV8_5{KqM(kCzi{at!SdQj5u
zlx~oIE^U`KO6}6Q(jxfm^+?GBui6*DGn%i(F7a*gW${UP{opq78u3!`OmUmIPFw*S
z8<WIgVv|@Y=7@It=k^cnuiO7(f7E`r{U-aB_6zMh?OW}u?91%4?Bnb~ctfGoo?*Ab
zH=Xtg{}BExJS6;1_?7Sr;XJ|6g-yb7!ZE@$VU*w%YJ@^~4E~L++x9QpE4Dw`?z7!)
zyB1z!ILmf2JSA$e&9_aq9c3G0tFq<VME(o@BmNCo+&#wM!{5yB;V<G(hp#fN=8xrP
z^W*stKZq~mGkM;6$hzP9PwTVRhpl_9zqVd(J>R;+y4iZXb+L82H8|Spv({RRtcsO`
z!S@~XSM(IRAN>|xhb}{Bqf^j&)QT3MqtS5W!b2_nv)t1OjdZU?m-&1P{d8twWDg6j
zOoD>QFIfOf&-gh7k;_@|3l{vG1(&hFOai?ia%mD3L@r^$#Vojp1sAelHw!Lc!TBsW
zj|Jz(0RD!1LFAmIC_i#G3(jJ}nJhSi1*fxMCkswv!Kp0Rfq_oTK0jixqU|hTswh8l
z3M)C81>0EA!GdTK<V7MZ*edIZs?3XQVMQk;L2hI-3pTM}BMUYpK~7{n3r=LgItJ*G
zwG4`^X2B{JoWO#WEI6J8$FZQD1#K*7jRW|$ZBC>mjxbokf@T&hPlD{ou`F1|f~722
zk_1_i#Vk0606J^QiY#J93t6y$1@l=jj|FpCFoy-RSul$QGi6?n_vEa|3|2Iq1=CnC
zl?79hATx3_3nsH*5(_3KK}JNMz@qUi7{`LKEEvs#Q7jnAf)Okj&Vr*7KyS;43`-yY
zLs<}JL5KxG76e$}PXaCCV}X|i9ty~}rL~AVDN-XtSkT0RMi#hOFo*>WEU0He9Sdp!
z=&`|HjnuHBfh?$I!2lLiv7nL#6)Y%E0wq$$f>LI1Qz9j-s5lAaNFfUfSdh<xA{OMb
zAcqCnNubM-tR#{nnJma)fyM%r1qusf7C2epV1X0^SpPU9Vp8Oc*jXU3z?KA#h?ND1
z1r`?Y4A}Y&3%<r6rhgn;zhXsSvfv9Ae9nT;Snw$e4zb`M3qD~%FQb1PTYHisX=@h?
z4zS>37Id@VLl%6%g7;alp8@*TeGJ<A9t+-O!8<JY7Yp8I!CNeNlLc=ifw=YcH~{@4
zZhb9|FnE;(|4ah=)_<_z?=1Km3;vn}!q%5r@DdANB!KE4Ve2cb=r1gIo(0db;8_;@
znFY_V;As{-#ezRE`bXIMBrAG?1&_1fu_Ul<eUt@{u;7m@csL38tq-z5e}F~zv)~~X
z{DB4cvf%eDxQ7LIv*0ckbS8k_#&6x5KmdNnf;(Ao2Md17g4>h8y7e{|+{%JmSa351
zME{^oOaY-y%#EW>OlhG_4>;s=xI?gx_%{}tZ^o9J{T7?BJnIs5ygK{(h}LIxb@uwd
zyFUBY<=O2zS)JW?1nV=pI=lIZ)@O8ec0O63ef#oEr>nD5==v<Scuv1`zBRUZ{_dso
zFJp`6Z(BOU%2|h{^SQCbGqZH=_aNZ8*rR}Nc@WU&IlwvbrDn3#)kkNuU>1P*{G&cP
zGbyTzPG`Y17BJJ#y66m6ax@DjvtSYnCbD1xGykZIj%P*VSTL3aV^}bn1<YKuE;^Ex
zFmut`C^Hw;YokXc<JCrov0!Kt)I>up2(o~ge%3_8tc00<)<nIm#1jK}{!tTkvmzG@
zhOnTC1&u5i%mQXES`%$xCG{+*!yq>Q7#OWhiUvlRx#+;?Kvq(n1l7?2EU07wGySZN
zma~#77L+pckLqX%D=KC|5eo`gP{4wG7UZ#jnTu9OnYn1S9?fRsWw9VL2?j(nSfH^$
zWr30eRZ(X8Srv7#5-AQ~{!tZ`;|K#g3z+F=Rn*2xcotY$fLLH*0mp#IHw4i6M^%JO
zM(MMVst7X|t%`ifp7cc$R7O5$!DlS^lm&;9pdxaR1uz#)tbZ#ay{xE*1>G#@V!;6x
ze9VH6SnweWK45{)%uFjH`&rRG7BCajipaaHgqfI@NB)(Rlt<oX!CNeNGXeCrvdHTR
z1mHCmFmute$Q!KWA1wGg3;xD}zp~&J7Q9RWnSYc;USdUbW=fuMmqlJ+C4XVT^DKCd
z1<xiyY2?o=c!mW}1BmON(#TUuQAq@5rtt?OC6Omsz|2KUB9F0>Ct2`F61bw5vA|@(
zr8<i)NrEBKi&=0H3oc~A?j&f6UciF$S#TZ;&P@WnDSA#4HAT;6!C5RglLcq6U>6Hc
zXTeSuoW_DvV*u-)rsxh<WUyd+5;R7c!fK43!b(nN!L}qA9PMC1lm!tCV)|!rbSo=5
zi3OWku!#j5S+Icx>sfFj3)Zn<Eu()1N7t~T)ht-Wf)kQpP;?~=j%UGfEND-HhG-iD
z^k^%CqAe^~!Gh&1IF<#=Sg@1@OIWa&1;@m}g3WCW(M55D!9o@+V8MJA%wxgaB&d(h
z0i&kzcz0toySw3vUX_gGitb^-l`Qxr3$9?n<t+FG3x3XmpCy4_68U2il|&w9!9y%~
zkOdF0;C>d|$AUkw;9eH|J_c~_Dv8{~itbK=;>cYr=w!iO7W^&=iXwNi;0_l2mIb$C
z5bIq<ky}~OEiAa11vjzaH!Qf31;1v&uUK#c3$AB+S5f3TR&*^3u1SKz$kmGTVlI#S
zBPX6Eo**vb{wM~-Li=9(b@mS1HMR?Fh7G~C*;N(;Y<gx`iYyY>10Fd!=f}<mxJ#W^
zIQKbUaX#kU3+~Y_=GI?wo0^MyICJ-}O1;Q=vAO$v`(Ut$>7kaW)FP&k8tVALAC0@&
z?RUerF*S{(+r~w(ZSD>RVfUIfDJ%jrmL6)jNcZoH%uV~`8rX$*lg;IFqCJaB5~;%G
z`Vb<ao9ji)=6Vx3PB+(!Qf#hMGeo+#UPO&pCK^41$yW3^bpBQpd)vzV+3gjc&MEt4
zWX&*o2GQMWYAjG>F8xqm=QVn$jUwGHFT%U>)F?4_Ks<Gh(NjlG+!ZSTvMb+t(?@a<
zSg`ignp3ZXUHND8WU<odVGW3jijFmU2GVO%!@(kR)!XvyMz95`Cih5fL5dEu1t~Xr
zsI@SCZ>-3C?oBy+9AvAKoI<lz2xdt=6-+r5_ARH=ZAMQyx%Sx|r0ffGJIC#p58*eb
z&E;E_vx;^tHhTOd#`(1*Mlmt4Y8zT%zW%mc+PU|T{A=q>Y>ZRR-N~W*(9N)SI}<f(
zL9IspQW>NaDUw`i|Hi)G{-pi4_RH)o_SyEM>^10Bq*%VRJZ-tratXA^5tbY{{Ti^(
z?&03#-o&N|A%|rqcMM&Qo3ECms>~%u&pcXC^>mtL-mc}%fHw|$=9*7@48?ofuT@;U
zbC@zHD;i_;Q1ieo^dw}Kmni;8U=~7+1Zfi~BX+e=tTV~Uv{=i8X)D*PT-CfOS}}QT
zBQ@lNen9O7X+J0>{a{T?OR&}BZTG<oA3dz)U@5MGX-pNA_N@ZA<WT04C7I*klAAWH
zT(_}e&g$kh%^Oy3Y%qGlB+5i`2PNifZxhS89%?B}Gg3@V)coyU--@8u>xGO2$w{;=
z6yuCgLt@%ziu-2djIl<~R8qVb(2^>JS6hk|KR+G%HZ@?RO}hm5ZMO%GQv1c^QCARO
zmNi=}!9AXuEz%xeQfB`C5HVcqnMkrn`+P}BBID5KsYx{L^Ce85A4krh`7i04f2dGu
z15PWng!K6{N{yZ|^rm8`#SGUv?<)6o{``>q3bqd#O=6rHq{W+I{`pgRtoi5{@<okC
z5494fg;;_+J~a!E9S~2QYV?dCr|*)?`|g(S=yZK8XM<H~&v262k+CYnRySZH#@dIM
z6dB`;o?+zV9g$eP?QhAQdmoT36{Df$7g{nn_&(pO+G&o@9d9`vCblI@98(;A`>CWO
z4X|^<TY>@ZCnxY5`4#*uo`+KoagV{vj9bky8A^cHUga*s-RTrd;qKA7Sv%JmJ?qFN
z&!+EgRZt7tgPF>&;Z3uiwM1r6%gqY<rrDEON^KL|`5LA@Rp6qa28OgKD#TN#8$GLN
zQ7GogUxAe^yzyY~d@@(b$3x%==7evOL*Pm_t)gW{Pt10(k(5J)X-t#{np?7z!82hT
zq$Y%P9IWU&4pMVM+F>h%*==i^;k~Ddnd`Q+ZJ2X>+v?TOVcW>XXg?{Z{iNBuqGd(6
zJ<tZXLCr(yZIt7FLX8b+gDLOZ&UQ8$J=EOrtSKb3<++_7Whz&qAoPf4awXa$%CPB}
z3-<_W7EUivhI<6H0;fHq%zUp%!8(xIe$)O?R+1P|pg$}jsnY&X#`Fhj%uVxI);FKo
zMh~^^rq<GBvDd-Qgdv~4!M2+Y`DLU>nECr<pIPyhB6U7l49zBMzR|OgwgqZtR+eEN
zSE5WB1-C;DzGJt8+X1!ojvWvc?Om>(yPC7!t39UOs{IoD9?j53C_W`evC1!)c{7!&
zBCr)2seR06SYNbWWX-n<=yhnf-*6vsSDVMoR3>FjGI|T?)v3L8b%y!%SISU$`=*x~
z2GWaF!_|AKsblPbc<L0RH;=YLJE@*(tch>IR;BaJv+j{)(>q(aRWo|&J4Lk5SDRh4
zmHaBBm%j59ORH$B(VI<kK}{~J;p>23DJNtOG<vD^BegcH&NOF!trRrm8a>o#mzG#X
ze#?fHn^v|ouMQf$nWPG1$q2Zh8(>P+OHD&*%N#&j=21Z(c<RJHv`UO#Y9mT3ctGC@
z-q~vODkOVnQ=8%ext)byDKFuM*h?)%X+x}vH^g3Q*+_4%3L0WBwSJ@xvC7mJ;D*>s
zEi7q6tSa$&SNMJ2kh?X<=(RHqu`1aRd#ME^&1Y5Ld}bQG)Dn^o%vEGyK5e4W%ahEX
zp_6K=iciMwx~tr4etK1|Y(BX}adfU(sJsuuX|I)BdNGY_R&FiKF*}Y?a=k_`B9hom
z;ReB4P*#aMRvNwVSuU_q+)3X%txCKab`=auy7}6dv0<sg=%J>Pv9yXjMh`WUToAkL
z2}_h(7*Dp5D-NIsGp99gShaa$#q_q78>@|;4k8;CJK^3XN&%iav!?HrbOcJ2D|8_C
zeY{FM0#UnkTA-DE3-mPT!du84?V??{GS@tCRc=nA!2W817lV6FV#=igk2=(%omO^*
zdF-)d)S-6lw6ZHo*kO?xw9~Sv0F%+44J5&0a%&aI+V7$E>ol_!eKQMcjJ!|?^}-qm
z4=8cS2P}?e>s#P~fuF;_c1cLN;CCM>gV9XuTmSwKe_6`rbW`HOM6k`EWV#7PhHr}!
zM!Y7P0<TnA9A-VQ)LWe9986^MWH>0QG>T&0fTL*UlR)$mda#(1B1#G=DWD{el3Yr1
zD9NTIi;_%AGB6R;dnmb^98^E2<TFZ+r{q&g4o#r+ASItr(o0D<C0&#ppyXppKBDA9
zN<J`ew<&X`*Ab-EQc^?7KuW4989+%DC6$y^P*P4w86~Bivjt_81#EK(R=?={g<W|W
z4YE=(qQpW8N8@}$$=8&8WnSS>riucM!gqE#lzA3ieTPc_MakQgyhX{Im<Z|{lw3;=
zYBnnCq2zr^_EWNtlJ_Wi7ZbrYjUX+b5<5M3G$rOEvNA|j#*r`i(FpbC*RnD}Rjy<|
zF=EbElo{~3*wJmp%gFbWE_ES(W({{br|r>3sduZ3lzqyXO1*rKJloj~mcw<9y^i_P
zThgggrg*zJ)&7C~9D9*)Ieek+CEH0h8-E=?()yY;Vl70spy`%pEhlpCP!|&(`?A_X
z&LRyoE#s9ObMXu%b9^6n?Fsj(eLhtI?nS}xD!65Z?>QjDUW1c?x98x!Yzt=*%`S_Y
zZ$6-^O~d-9NByn#PcPw#6)hXsCs#B3r$W85rb-2z@Vb4zfoNMbPNg}KsnMhHcwvz&
zBF7UoIT8t}&ZiDt(@Uz+vH^YaH?D8~;(lLKrQ-E~pGyA#w6Y4PGAxllvv{;p+poOh
zE@Jzq6qi(?WtHEZAL>XpRVv`z7QAIvqSgwWiaVK~A(NF{^NZ1nk|I;o@ocK(VlHXX
zvhwfBRNOyps#HASPS_PLN3CUjGIi4!r7UH|#ogKVPc1GfL(5A0<f&i70<X5<M;=_o
zLy;WrU>Se#0eqYKOVPR#oXW&RK^@kx@Ux3F`J?`FQ>7g9q>Gjn_sL(sh81_Kn<^Ez
zCkPIri&1M)pE4UaPO0iwhj9<Q{ZoodiqNvc@5&E$)QkP}rb@*d01xQFLbR;_r;_Z5
zrenM^wBMb@UHbM<DK05MC+6dnCMQbXd~dwckg~Mn9)MG&7V`~^mgV)iyMAR9cNCl|
z6=<K}>^2WA%k7g&zdMWh6LzIa#UFHq1KwQJl7mwjlDxCaCMuQv@)P$w+&`tbBnK_a
z{;vGQ9TcZb1-_Hu@@JzHvv4X*NiUtG^dHRQzKr{)6qjV7Wtn~Q)3?thTpp)NCFpXw
zy}?YhJ_DzM-;JXh=CD5ZhDR<>)d~{MlKZ8ckYu1`TA%#&tv`rMeJb}$#f!g`0v_E%
z8ah$!Q(liA-M_pbCF*{;UrGsyik2zgm7lnm=2WS81HrI6q@d$voJu%RUgl*}l$yTn
zDdEq#e@Y2Y&uE$RyYdrv`<yBj7)U*CuM@R9a4P;}ek{jj6q_ecRiu8!9d{GmKe@QX
zf!0Vkxv|OQ8m1|O`rTgKqjaj2V!o!q7jB>1OOXooJDn;OaO4f&%M#Htd!JPL-BsK@
zb*fZ+;2huUwWGBHPGx-Zu0ETl4DOeoxF_rWDa9oMT4w8$pT6@taA-{(UZ+YW=z{Uw
zZ$k#p<7Cz+GxWZomYU!Ntul~e?v!wn-9OE^`)qT>j1=7h+}soI*{RM82ZDZ&%Ziqv
zK6ezR3Of01pO};FKs=SC1istg^}>fr5OP?b<Ua1SRVde3%o{6}!R9NK%8i#+DSYRS
zDrL9zj?4#6vUHwVt3<_e?gMm=4LodLp<Sr$(zd~?gYDX4Z6<iv9*WMfW|-A3rOBM@
zQW`o>b14NDUYa6}G9Ps-oo2a5adn>TQEHK{9&*?$7FZeZR`p<#{UpiuN)SPU2x?D)
z>rQZ83GP6G`#8aUl;A#0a33VN_a)oHSkn6w2lpko_Y&N@3GST)_pb!^c7l5=!M$mA
z_?6G}+W2kQw3;M4Fv(UY*#SwmD#=zR*@`4vo@C3CY-xg3&mpW1rDoGg5{I?oBwLhZ
z3zKX?f)!fhEU)Dz*_<Sson*6;EPU^f)+euJ=t*8nvTBl5lB}F$oe5TrCRojpWThl4
zCRuxug^y|DOqg9kWuR`2AGc~K$y$;umtfUzlI+(>_NyfOWs?0O$$p+>KTER56LtYq
z0<Y!A5Azy0L5#I{&6Z^O1gn0UU<F<h-{bISAmJ}@lsipY&Mm|{3v<l}@-u`oT+8)w
zu}!N>G{gDQZCo9WSZ$sWR_b`^E3R_)=u&c)`EppP9a_f49r@7nt%A+gkz}I|U%v>v
zFw9{v=`0=!Pv)-fAI-Kto(^w2(eX?of_d{$rIH74SBb22elk>%ZD580E=9+1@{90l
z@E-XLd956l>*Orwm*Q;EBUakG!IJv|dxc#SZUV<?@A5D4P23pNqb)=apc~MoXy>lu
zj9%(`=lqf6QCW@o;JroTI?p|zTn78gy)N?PZU=qvTw~7ImQ!d>?^RA|G<xY?H+|w(
zgP&y5P43tM@zfzkZzDPT^cm(Kj!|yAbZoKByyX*carM$C%FB>8-QG6nK5~t@zDg}J
zGhWOMf#;XrLCoX8nxfT4Zv#onpbwvGO!pyWIXsc3``Yx`W)1snbBxhjN0QhQyQ_N-
zDFOTpyOtcK$qb~=HobvncZ;Xp+X~lZH@gSIv(4UtBtCsyII!>I!d>ueojT7tk3K^k
znA_QLKryYb3)xGzyy-*jYWz^!1MV|=saXPZ6z{q8vK!&m_)$0A2&Yd!tINz8Un$jP
zc}8zJ$qjw}SzVHN_zn-dOU(!8D7h1iUg}(dX1Ka<hT-WpeKVdu-L9sl1~o=+5h>nt
zVp{}wmo3~0kNw|3rO?C%T88&=n(6$Mm|$FH=4Gf=S!g?2j%J_{h=WhV{Tf`c3^!+I
zs88eX;g)4CFnVKKGc?-`xT24SN4~x6&P+p*-{_?~GfPR0HJHE1R2!O%Ug~&<Zs#{-
z&OLtJn&yoaGhvr|RohUbcP=TA<LD`ZX&Iz8g73Uuc2m8+6b{f$b=o%TalO**bXrXH
zeT!+QX!KGSJZI4zoqBj^F-R@!oK~YYBV3JiSDjX49o}O0c;G7RW_lg2M!K0!tFf-k
zoSCO$U!A>EnQE*nX=z*G4m1aY%}|YWlbSxYu1h|(?xow*G`n?uvzu-7(p_u1c~%$O
zJln+?z0}9fxzw9M9p1Gt-~Uqao3G|(iRNDwwWf1Qo~q)WK7n>H`i#ELTv@0_1{=L}
zbDNf19q#0GS37n<Tw?T6zpF;QSvpG@XI6Y&l9{>D=%w4(#sX3?b>{AU&TMm6kvg}+
z=p9XNK9)k!QARJ_v|bg9`bClIh8+~TaZPOq>daxqYB}U_1UYpjjVYMVDQXk$({%Hi
z_UT&Er{^Zh6tc{2W7p!kA4Za)g<0FTFi#(0^ins+=d2+Ys!iCC;OpV?`hqk8YUMzi
zKn?ES0leWytsLmx)!-&T?HXtks3|k=J)n>#K&=~Sm#8U83_;KYsAUpu0yRt%pteag
z*EM}}4Nbs9?us^nnphKX2)ivOSTBVIuGsE)415UQD&Ht)=+2Y09qLo+bme9xTWqrb
z!Y&G%ZGX2-;(y0iS%1qH!xqPfwp~J<@C0n!-zFX{J}9klSRKpYLzHLB1Ldcc<*KNj
zpqbVe`PXchORBgD+!QX5{@{qpWzN&I3)H`<OO)R$mEuwMU)%G9Q*HZT+vH*1Wxc}s
z7<^q)|H5{O5D?C?SKIFsYsFtmCrW>Gtag0k{F&^P|E{c69#Xez*IDo8PqSSkc8d!g
zcRPkjSHZ`bk@I0~6MSuElyaqF6D#cJ3ZDzd*`Bry<!|6~tiJ(&4!7{{*tQFm!bA2Y
z_JiVB@g8s)^`+wsXO;6_dA|IpvPiY4ExPuS^%<LFJ0QO8Yz8xhM(HB?JZG==nbxk}
zrh1g!@*y$HuEX~-7uoK&4d#Ew3)cO7kblm$%JzbgE!=6JZhucaQyL&mlRk1h;LLH}
zB2SX<Ql=<9>gn3!{8U@MFi!lZ^BBjqjvDD4d6)A;ty?=*{k1wsIZHku>Q4Js;a|dR
z+g-MS{DszUtZ(rr^G||9tFHxFxY<6@{)V_iDv>5g?>hE7M>ubgM=LUX4(9{)5$!>K
zoo$0KTzp@=!|_{(Px`rhiSrA2skTP#RKv<;^4DNUce>CcEVn&s^Mbbv#d<A2f`7#}
z+7=Otgx}le**_MK)y2=?3k07y3}><Pck&GRer2}uxq7blXKR-YHXOv4oO2vkILf7+
z@^<Gt+WXo<^=h?RIaS^#^7i$@tHKm;xKYNRZT-~x5B?-uhHa_skg!&`-ag9yH?c#?
zm3}3??s&@?bUr7qQUc2L%D>c)wR`yEZ8r*6N_KILLx09GQ`+lv$@$KcwKLVfsPo`k
zs70dRel<)~w%Oja&EW6l>#dhsAK;JSdu`_lLxg9+IY_5COEjgG4hOi!{?vJ)JXn4~
zISyPnXQ>C(U#O+Z%gQ!oxcsK7+rNSjpPpd%2rmm)3gcjUcB5^BEuVi4zH>0u+GV|4
zhmHJa_;rvY3BJg2jqP&V0dT8%nXub#u@AC`?H7ZWlBdL*#OtIGc!hpm`jcafW256A
zPQkg(dA##US(01jYm_12pXFKQ3FTFFqWT_uEa?vMap!o)`HoC!i@d@4iuO<KXz=`!
zr)*Z=(3~2tex;3tk0|-ICQYx^D&Pqb*=EX&8e}Ucx*ZcOx)T$7^fXLRbO(`bYr!Nl
zdMQECOE9r-I}Q`Htqqfm=oy%((OsB`(bF-}wvp|*jOYd`TTf*t3OW`>*I{UnuEhjJ
zO-fc{k{Mlvi4Z*j6EXS=Otk3FF|kK~Mh<RUi3y6{ib-bl7EFZb&6s3tBd4p|$mto;
zEAT-zdO3-*Eh1Rqg@BCc5_)toCSvp$Otk1COzhExl-!O9iq6L*Gdd3wAvzZmHF_r|
zV)PD7wCHa!LEAbou}2>xDEbH{nbALDB19j?MB8=>5FJYIWDGN+zr#e_rc*Ql6E!-X
z9E^^`M2n8a#2y_((c_q)=qOAwqa!g9q9ZWLi2ex^HTonbV)O}uw#Dl8RgCP>e`2De
z=-)BTjQ$N1A^KNL(6-$KZ95;6jBTV{WJJmSuo@kL4~o$yOtfetCiduHdhj(&P_zM)
z%xFC(LbMJO`?iZP$%v9YNHzL8Mw-6uVocTOAxy+5*{{{2WWUxPCHu7~O7?3rqh!BU
zh?4zUbsK4c;x^I(Gopnw6|%7`M#%=H7R|#4?a^FJGNNQ>7)8nca%MCO9~7c`CZQdI
z@G`qeNzT|t8e&F=ijmr(U?O(Nn1EX}Oza&FOi+i2NoI%LZb@u^W<;&{pc*9`x?<FV
zkrw4Ju}8kK4<a!KVu&JNVUigkJHkTb3xYaIF%ddS>?fF4ovY;Q86DO5h}tm#6S1QT
z6Ro2X6MIJmCa9y#esMAjk&o~}HS!@QV&nr%w8;CI*dzPxk0fHE$b0x;X5?K=gb3M6
zMjc*qu){+R@*QsbSMi*L@gcP%go)S@#6;@|U}Ep^ix(sk&WOB1Vn$vjF(WULn2{Gr
z%*YFv2py!Yqsa3ZWk#MO2P4mtC>=**f;uJ<S;s_jP~S?Lx7IO*2)B~vow@aKjD)SE
z%Vl&-$4Kp%hKblQRlF{dr_7F}Bxc7F@$tTuu5En^%j_M?F+u+iZ|?!##If}cORKh$
zwn#R@wk#V{LdUo_nsLB5RMVR=7-LF8FTv7^h$VDLLP^+ELK;a(BUR~v^d3mN>6et7
z<mM)XB)E|JojFIg2bufk{XgIL|IEW2{bpuoXU?42-I+Oaj#lmL9iPQhU-=kIRO%mP
zM68c8qSimch@<{tL|P3aLOnhdy!8(-WUs%U5sx;H5k;$IMAYUw*BVE!meV7O7NnSZ
zMpSJrBM$9iMg(m&BVKJ4BX(`2^R;&M3Zg74K@ZC!231DXAWE+zh|=rPLM&1UqV#%$
zD82Te6U($}TV39k{@ul*6b;9}s9lalX_qnL&~`E+Xxka_YTI08?P^kw60Fq!%Cd;{
zXBbiIn;CJ`H@Q}|c7;&ifTh&qNVnJj!jKTr4q&WyBO`Wgzw3(DE9}8eEK=2OVZ@=`
z?E0kr?f=cvlzNnDu^wewtw))5)c=d6iQ27<2=!kw;;sLJ5qtgTuAkVAA~;Ar+Cdhp
zXt#m(7sO(uSHu3bYY(}H$KO}f9%mP*8j6QQL-7zalnZY#gQa=2C#lRQ+zaC`_td|I
zY4vYL7!~W^a36@zBLq>Ny}{8ei#<pKKtq}JYB(zF+N<tYTkET6IGjWchm)$|EgagL
z>~cqNocn{;oF46M$w~KPHs)gO^#liDrGf*oPQd|;sKFAtzE~=0y<Q07Q@|T6U}^SX
zJ|lvLob_t>(6?(Rq<O6uC>nN*sA0#b8g`6B`wCymYOqpT*_zd(eJkA(&kIkm2fGEB
zvSCCF;-gdz;xp0_>?+;gdbtqnEPc_6L=7Las)j=9&`?MP4W-koH9=vp@~Sn;JzKBv
z1dr04j?kT+VMGl+&4?rT6sBo^Fd_t>V8k0lNw5bWlLxh{w)UsIrnP7#j4vWFjAK^~
z<Jev52;<-t!Z>QZVTl!L54+`8+Lac(3vVAh#E2NYlMyv|2P2N)?TmQBiHr!r+Zgc%
zQS$9U96$DOXGO)QPft&{7fV;dJsA<h$Xqpy%yop3xk9+BG9vbb2wsV~gL^S|a1SGD
za5p24;4WoFYYT-SK0Ulae0tb}`1EjuQILdiu@Y&`X%81FZ7(k|jFP8@2P&VpYxVfx
z2D-gYw_i`U$ARMrvJWe02!09)!7xMKpvH(j7*ZPBl@=bNYQ{~He~wXlt!#~Wf(x;L
z-~vX(;Cx2ZU>zfl;5>DIYmJ5ATo&mK;?v$9oWqb19;e>jn#CR-qkh`{j+0qVB|M1{
zF+7nGH9Ub4$9duLF!&T4f*7z^PZ0AcLChlt$3L=MHhUb>dUJ2v7bZhoFMkj{xgNCd
zjDijFqsD;^a$fZ0203CW^|8zCss)Mi6CvzXyPC$3MZS+BI}pKlgGIiMkYL=iSzb8S
zgh=_52o4~-@*5!>Kz0S0W>;_=*%da9K;f*BNCOdi%ByChc8lC|sB)5GzbEn?5qx&r
zm2U}6A@Vhme-VL41S|WC=<8eLSA+--61z%+M5T9{>cl*%NW?+JPQ*sUibVN~2##O7
zg6}H3@(V@&Oym@iABp@x<Ud5dp|X`Pjnp0T?R{{d*ugI?a$RA>A>KnMkq8cTyXrB1
z*a3Qy9Vs$_a_%64?^cJnjnYzxBoj%ZEI~qkLTd@(!_TgEA(TO+6OnWz%1-GGldny<
zjC(GV<$N6acC{zv#G!9jyAtY5BtRq;i4u~xn~ctt=A}4fjIzt*ilnpk{8&B<%(y=@
zN;gRbm@WG8WpXdUbISgb<X-8%#Jvy9n>_A*G3wtX_ccdH@0PDK8|ofeihi?49%U7k
zFKrg5pnPGJ81e<8@-IYR89NL)AS&M=`r5e9kTV43TjRJP_emXRvSRf282$&t?=bwg
zk#x1(rBXSG2z$^1YaFbOwm-xzCaHxZnEnffKV$e4hNmz@0kGImDlE32#Al50Cpz{r
z*27aH`pDJtC<mKHylDB(a2$}23YPDp#}3GI%*NrHWP3F0X8Cb5%8ErfZTxhL{7_#S
z9Tpln78*Gg8aWmcM2mYQ)=~M@IDV^qESH9yMLy1Ats*|*ETl+kk>94QD9;uesutxB
z<K5fjE~PkrE%LjVMKvRlw;*vpL*!{n6Obsc5W+EHQ7uNnLAk%6G#CpG$}`e%09oWc
zm`DDQ5v!Eqn2b+7<FkYET8E>aK-KMXC*xW8yp3LSySy;jVb3&uVe4x$o<1gbj`ljj
zcB+4VRz9-tIr#zjzdHKBb8=X)I?_$wv7N846Kobya0VQAwDpkD`z84j!SR7HJ}h-K
zj=Ur%`yHp+lGz3JY7A$I;6Vg3WiaF(BX*C=H34&t7l*aw5=F5pE>}6`8ZPc>%jKpk
z2V%+q3`;O97N5mjIf(Kw%*Bvmvc-?$O3%d9equ9M`edgkE>{=K)!CVexkfT1dYz?l
zxjH(lO$jZ6OqAtxPsebYbGZq8y0YK4uQB|W^B|UIY<)#e7hD?&JpGFNqTsq2fgkhz
z<a(&(N^nEQuK(Hfc3Zl8rt7QLbQmsBw^MG#Fk5WkX_ujVcaE{^b-A<e5BIQ^jBe~A
z+n?^aTtPMN)vf9C*rj%}`&PVEoron3W}$7G`(3K)lds9if@CG|J%TQ6#o6Xbd9B4Q
zz$@#d379S+S^!_8z>(;**X27c5#<x}`<62v>2k-t(sE^k5_a4nO>o>S<vFgGIy&~b
zn;pB{A1T$!G^IqzbF6ef=~(RE@0jmi@0jDB>zLsl=9uK}u5?s9j<IghQQ`W|QRaHx
zG0=6dqrkPxQ7`}Onj?SZNOsL|B)BFyBv*mM?n-u;oWI(Cb$%k>8<Fp@pLRZNKj}PR
z|JJ#|{)Ka%{S#-oBVFDuFP7)qpLX`NKk9VZ9}vH{-z~mrKPVoy9}xG*6>^#VT5+}g
zN^y$)a<Rz1RrK38IDWT3FL#sevdMn2>vy-}?rUETkCKk=DRz&0wSAs@kL@G(t?t9_
zH*L-C6VMCayCZ)}0sCmFL@Ebc&hw;;VGH*{X@fLc%9K3PmC`}?&#<lgfcstPdFg5J
z3-SdVdcN8na#z8saEA1WTX22ldQmzpORhWQWVyF%J1n=3m1oE+<x5;+U0JRK=V|Br
z@-FA2V1X(u-z;D6tcI1=*PW&EMtP3>qI@Lc?BcYFUyCn`hs2%oKyj&9DdvDp>JP*Y
z^7nGHqft(meg(JfR_T2uAU!HwD}|+MB~vPux=2=~r&8+v8l1e3cE7BYD_y|t`*Qao
z_f9Z5UFptocaZ;dHM%}<J+55nx*puYU+%iZwOD=|9K=5$KMpIZ-CTBO<Xh*f@;>L?
z&dZ(4mAjo2l;@SFoq2M-JV|+9Ip*vrHiMVUC&m5nsg(r=rH6^#m0v|sIju^L@8ksO
zq-t0D+A|%mJCBK*)w?Wb>;dUptI6uKmRn1$CDuh?6aPNzoz`2dA6VbE3D)0XjlCND
zh)uAKww2pTZ9hkB-@{|;Yx^|Y3Ht=Q%YLEV>N@3k(d~B}aThrrcQ152<lgLlR&v3v
z`rXp2%0b(+_Hr;nU1HCJ-H|T#FnDD=W`EU@1=g#(Ikr1CDhHHn9hW%10*9U-INpX~
zm>~`ptHh9awfKnmuK2Ul<IIFr;YY!O_Jz)^&d5RM^Ug1v4>+%MUhF*SoaQn)OI(sG
z-PK!pRXOPlfZ4Va;<Mtdu7To0*oNurst^^|e8(wQy=$dwqw=lth3#G2o3@v2Pud=_
z9fo!8TW$N*rLKLhn_UmNj)0Bt&umx2f%=`c&9;cG-nPPap{>}KW9wt<W=pemw5g-O
zK=v=z@2&r`ex^R9cCx+-yEIS2F3>gBJ=PttTz;{2nYtQwY-YfY&}eIxwU@OE><-CR
zyPDkgkG+X(;=9JicjPX0_|;}JJ%o{_1Mom(qh7fcz7c>>v<p8z!Iv9FK1>B%kHmI0
zk;O!YSQk<OkK*-F3?DHLyaWEA=<3H<Myu;1Bw_<aK5iU`96swYy7(!)>`4rtFy2@u
zr50I#Mf41Y^cHsE$EC&f8Y{};#E*B2_$|l@tNKw4j~JEj$wkJY59Hp)R`%=n_uz99
zlD}ZzD&~(c{1C$r*ah-TyzEU3U&ruO3}0cPT!Y~}jCmWwV;D0TLww;WcVYau7{Uh_
z+-nMk_&Q-9XktWAzQQQ@c7sAM#NTgW_y&frVf-}weH?#}!|(!(`8Nxtn=!l|!+jX;
z!f-o=mta_r;Yth_V>q9M5or#BJ6Nc|cOZoD9SGrf7(W)n3Jl9I#Fw~KfWLcV*bT#U
z43jZTzz|;=(j@j<!Pg-BnuOm!u+WX2=#HF5fC+A7lpDGOlHbP=S?Ycje?O1m(-=O=
zLWv{<OHlAVs=#L_Tze410~lV5;guL(j^PFtD$v~!eh@)|H&fol-wQEp#;^&)MhqJ;
zw6Rdd7RywLTQL3%h61K`VWIpm3#A({9^0y5b=3?^eE?GpTZGl(H;np=g=#1KeLp7e
zW})&s#{9`b6`3p_#?&2{`Uj?B9%U!~z86!eVR)5{<*NZqy$4f+EL7l*ApbJfPEEz+
zyD@nc3stPIj4f0Bn2Pc&Ex}YX#vq^66#RXNg%W-^sK^N!`KKmh>YbR1qeiu0%+C-;
z1Qmrvz7>;EwpBYOqsXWp{CyLqqRgufj6oq%75u#)Q_p9iDq;)@vMS?m>;h>JraCbO
z1zbh(jL6rsD5(&WU6_o6N(tfbYcaJCrn)f(g;Z7X_cfS$9;SLR21mJ?h`+DKRP0c-
z1IFOESAF=~z|;t`PEEro_COHS&iH#DCSySownIX$s9iDj1m^6HA>Lm8C;sk%sk>O{
zhF*6HGIB-!1b+|1)XOjx#2HeDqnOAaAt=Y>?U)SAhvX3$^CAAOz~9?2l{oYc#(aR`
zC=9n^>X-O?G=?;?-oxLUG4&t#dn|_Uk^EECCQLq#3F9%u0Vz+y-y1RYH5MvRArM=-
z{Z#yYDW<-FsUKs^+ZfKk5J$ZG8T>s9L%K^f$-mB`+>fzP0Y*X5uVXj|!!Qfox8v_x
z3}3-;K88USx=}pk1sL-p3zbjt_r;ic9sXW~Ayx4+{JjRkh~T~o!D0-b$8ZUTt6Av2
z0)H>X@L3F(VYrfoZfv)_9Al1RxC+A+n7R&suf^~Ph9uPW?6-mv6OlDcAm&_xzwt5!
zMNB67cnagUV7Q)z$^#fWFlGmakF!v^4?}ze$vfF^#g3_$V~9MK?!@2Ju*e?>c4J5v
zqZ~-s-|`-eKaJsD3=gtUnu#Ix?v)t-3x>qY+c0%9#t`$r!`}xmyb)8gG0dX&-HZue
zVR#3I)Ze$@@6R!O2*U?iD8cRqqDK&!@plwM66GiH_Y*91e~KZ=)zcXNCWbFz7<mqp
zu~;`URel*0-oOy$U49kw+=JoW7>|X@ALH+17`}z6+c3moD1U+RC~B&e{Z^1i%Fp<l
z8g-J||0Ro3ZFs>?7@oqIj`+I~!v+<0bg12GFHG%;VG;`!3x;Mjp(T$ZVvJSo&SLP3
z&^;c%&fJx1PHQfU6PA*Xck`5}>>=YmA3p`%W$OLL{iU5VQ?QI1)aTnK?o>p9;Vt$K
zjJTYynHPhOl;ttY1JX0n7HOR26Q&>ns!DdtU$IZ#4)_5KpTpLL@Hu<{K9K1{`CjV}
zpmF43iX_(GY$f23ZWj2T8E31oZLzI~?{TJFaus}|zhP^#odPweFF-fR4>~D>K>w*f
zD9tReM|Rt{+b@Ng#1r<1K)2=}FrRqEA)+QqH&A-%2r4^c9V<Ycr54m<u5&!?h&m2C
zegyp^H)!MhAr2JtL3`<b=_)BG&60+Sv&CtkCbJ8C@PPgbOq@Oy-xtq-64ie|FQ+$X
zEKLHPrE*ZX+T^^%d6V;6@#Ws4CiZZA<haaH3VK5a?bE@x&NHAda~{l@c3204zRa!a
z`=B+pQYzUSINa^359E#!P`LRKCLf=Jp4U5|NA?1!WJN)9>Q2xTx=y*$`G|9;a}j9H
zDBu_9sA!0*K@ls%(Fj^KcRDtMVpcJz`Fs!leQva`fmv5iP|*1pRG}^h?W&=mS9IEX
z9Mris!knWJ)R(@q9I@O0+EZ^ipOS8oE|)F>HLh8?%4N!CC8E?TE0hbBTBS;vtc(RU
zoKmo<oTKznx+!U}CZK|nn%Q}ub1o<yJuWT*&8XKM5zq?y7pVG-0#BOv!)!1KrabFF
zG3`ssKJ{hLFq<d!-MjB_?+8rG*247bEpY?r$9)bOK_fub>>m3Zdm<=S1wkk5pD;rj
z4jNE*sh`5Uc)e61FMuiabkL+41*%$uU?R@+gF1snsYFoTvPpkRP2iO6-_jS-$I`pt
z%IQVWl9~x#l!`z#??G`sOzsjuX{p}&HHg+|%k;l252#<cz5_ctpMYxJo1nXQ1hn8D
z0A;mXK{ab1s2Oc_>8=o{B`pSRsA`zskAY6U4LaWn0&<}v4aDeDdjUw?^&pJ`Oz9R{
zQ!Q^gpE9Owko!dTI?F+YY`-`jRHY7sWOcN^0utCCRIjcAEx_MEjjje1>RwXM(5OoZ
z<Csbgm$8wP6duZmKU~6yH$0X|5hKarJVt!=&k=c?2(HEZRv%#~CEPE<XmYqOBT3;t
zjQGR2jP9$)g-u^QZk;BF(^;A?h-;s|dfWo>)#Ijxul`e(mJ-IL`Q$Jz=_iG8=fxk!
zJpf-27tVb_T<1>?<GzG1I06-*d_i2u^#!x(7Pt(b62_I-<S;JQCWY~t<JZnmmMS8X
z7)jP}x55{^lp-%CvXaOmMp87K=O$}7uT0Xg+J5az+-vm(Z=|eOF_NrdV|>BaDe_q&
zI5YMI?`9}Pd!KT?$4HX)E+c;J4Mu#yFNh%XlC_r*g=8YQoa_tY=8!MQmeV6p8umr9
zhU?Ht8qR?IT9mG!t_a~aN3wQ5MOG3SK?M8W7eeNxXopy2vUVpUN!lHZ__doT=X@fw
z7)jP}hb!U>?WWjmM8ZT?F_NNP$w;!cmysk57rg!24$6YJ@P+nMmQ56iEb)bic_D0)
zFZ2jYOVKW&oa-1#((p$9h_;3<#18U>kbBA6GK|!4%g3kTZjw(!f$)V;1X8qxRN4Y6
z4V&iIX47^3h~Q>avNoO2G$P}Olo5#__foV83?^&i8A;NR!G7%m%CnS69c97s=hLpG
zNMfG0k&wnniZ+OH4rC-r8^DNPqtU1xX2_@APFXS|1m7X@B9W&UN!5BWlA_^oNY;8V
zl%#cM#IJQ?#Han6$R~^>Ybl7r4vPGX$j^+VYB)Aiv;>BdH7_Gcng_?9UvpyCa2k;g
zl*dA-lt?a--i)MbI4Dy>zcZ8^`i+sK(65a6L%%TM3r`_}JWLM#z))(4#$SDm9LMpO
zRR07e;;2js{fnXG&{vEkg<y=bLa~KO!9<L#|AVsNFiZ+g#>n6hBFMGW5Dv<e&|8%A
zO-u{n5cP+U%}GJlX%QhQcp>G%VVD$r4zmXDA+nE=)DRBJl+a_8^HECsh!KAXdo(Fz
zqsUW~1&3j32*+P)2zxszRDoGSIYd$!S(X|)$Y@Fk$7pis03}v4;tyR-XgiVBj3kHl
zFyaf(rbv8HB!zBdC^d8$BPpSsj3kF}q$Y>wFys$is(!`U9ih$sl<;+!HH`9{6uyQb
zUl{M}596J@;a!vk3-yJu(3J2dibTmz3SUasZD7P74m08nhbYU%l!gO6C5%HmIgEoU
zDH2{niHjNWhvzfm4bNjFHKY;2ftMP>ftwmCrpT^Dx)70&1X1)-gP#+6jmWD+9wLH|
ztJL5Pgd*6O)Zhw&_=rdimJ`Y%;wNH7QvWlN4~RU=h(Cml@Q0=n8cL)O5gbka;Gc+s
zIAHz3cL+ThA&Mg44_-lN9g$ihV~G?I!S?!t*j|5qBSzMLMFbn_ug8X_gplhgA?*8<
z&`6dgC6q@52YO1#fx|x~h;2#<;uuQ_zJPgx_Ypx!NC|Exgx!=9#D=B>v7sqJY-mc*
zhgs_XBJu+fY-mdTQw$}Cuw}_1l!WBa0v!IyAr$1~(0IxddteM8luP71A^{=_5j&D#
zGm)Q&d`aYEB5x3Rp2#Ca?j^!TT0}?=8U#t6gKG(`B61OtSwyA~!C{;nEG3jfq&E?&
zVGuh#IY>3E$G%Ul{~oi{e?|nK9+Bkww+T`e>z^b<Ra||Pp_K4+j0{g>Bq>Z%7OsR(
z!Z<CN<nTyX<!8EjvguLqU%bugj5-fGuM(fJodT~XbDR~<OxqJqn=@HBW4q3_-n6aE
zyv=-(xwkpR^t7@}_*VFbu-hFK!a|iWOz3THFn?u!6Z~qvYFlPo2Bn(JubW?IwB?Us
zwol!Oo&8yar(WpnPaiz{<F73&%FU_E&98&YVcG}>&|-EXI~hy;N(!@U>o9h7QL@-U
zL*7heU;iNeG?|H{qd$EGV|`yGtG{1AeG%S=j-mBE`xx2~{q%*HN~f&)+Kt`)m7EgW
zGB_tj2G;11P+xXPsE8dBA_Hr5NT@G6Bt$0F=#Ws~bfdU0of9L&YII1bZ=khZa7c*E
zrO_dwzT6=pvYJMRg!;xG5`xozWI&Bh|MkVwe{fQgOr@>G(@uRo3s<jRzN)0Z@!>5U
zGr>aaX)>4=t1LSLMrH$J5#q)b`sw+2c5K^3ETNAt3TNeNg;}=UCT~lhA%$xfBBSWq
zJ^}YdEhly1R2JFIq^kFcuR8FE>|7F$dZ!ypx+~ohHjUIz&%&GUu;I;n8{<3s2StZ;
zS9AeRk&!J*YFTgN_$?g^z&rG5-h^gv^rC#4jBZjt^`?G;b9!^Jwy|@Ifvow(#d!s_
zc}2kgIhaEH@6GX_Y-Lg-ddD{c_+L#2>Zk*HV+TNmW^!EV%~(vfFo{jQ@hB}>!Q4z{
zP<tD@rzXB=oVc~4-8i;M5sld|dR@`mdn*ZMmwtK`GGzNyIOM048Uwp4USn5hB_o>G
zR~aNgI$2cR>@*a=GR!!fE-g3u_g9YZo72H61x)))^1HA}e2cu=5KEP=?rVgguuv!#
zoaP^l!KKO!kKT}kH`qjt$co-ks+61i=nWmQ6?7Ok%R8}b*_u_W>T2fIE$yo}kp0S0
z*hg7LN|}-YgSVjrUO|JmKOM%+&dn{(&B?E=mGy>1jxGJ+;9f%lMi6)V$8&dErrtna
z&G(GK`}FrkGsY_itZ>$}flOBtLo;E-HIR8flBP^!$p{5(Nj8uLOX}~;036B8$;++H
zE`aN0t}2;eUa)~oR+0c@wh2H38Lgx$X2w_1t2dAhOJZFn8JAq7H#mW#R<n8A`Nr?(
zDMO-@E0k_Rh29|IU1OO&OP4JL1F#Kb)-u)<5S9kAXBmqSFU{8*Y}i4YXCfOiqen+7
zcY;;Q1}hdfgklXc^4mbBDq~msm+KAWe_S6=*#zUY3T19in%+Q$D*I8icVf+wMJqGf
z`nXVUfQK#Ett6|VnRcVMTS2R#5saoz?nj->arQKC#Ihedok>P4iG%&(Ik>ThewsXV
zZ>4th^F_y2C@F$X2GcD*!&a$u6+r=Eta}h>!(>$|^&qd^um;rES?R{8@$lr>1}#lT
zHtnUBX0e0sCDESal|xqOr!-8{$yRBW2TZOiQxZ02=?!#JdTYx?V6OGnD3}gj&lsG-
zF*wWEeR)#H$m+UPtD%qR7&&n{t5Zk4flh~$sAUCOr5+@U&VrL<WpR>~frS%avf}vy
zHKw!SBrI96Crd*f9S4uym`Mwr|Bgk75W$<M&GM^D%)6uTa=py#DbO4G;XP+#pXb19
zP3>rSmMR_C*zJo+)UDant$A66bvd=g^T3jR1Al-&n~mMxT=lc#tG^|rH}pb|Ur~oQ
z%l1VFFHpX>2<ma;L?<DmEJ1Ie1O4=j&SGb-nOW}!I?&%1o0SXavm59fKNnk=YaE{~
zWksCH<XrE+`ECENuJr!DaM$K^M_S#ble6?!|5xtP$yxf{{|k5N;4B@S@m=>{y`@L~
z@48E8&eDg1)Aax9Ej`leE*+hv3se99a>p0*Y#(WLZSQ&ko!gUVdvecr6ujGW4*FWY
zU8Gh&MP(Z2GNw%9T*j1XoXeOpjdL?org1J~$|4%)Gp0=Ae8!Y%oX?mtZ61HuS{`sN
zW6HD|K85oiQ>JnLW6HEv|1sc;tW4t^$dqZE1DT;3=Rjtt*6KiJP2Et9^B*%*<NU{z
zYMjfMQjK#NQ>t+;V@fr0GZVqlU8+rJt9Pk3o(GjY7{`OLJQ%}+(L5N%gONPAfb&IG
zs#WkwBY05W28L+Ec`%Fz=kuVf4Gh+X@}QIlks&-9%!5HZ7|4SGJSgEoF%OD(P{@OV
zRuHKhtmU^N0C_yf<v|V)vfIEQEsF>Jd63D2er;f&)|UYKA{(gn;gfpvpcfB%@}LI~
zy7S;X9(3bDR~~@MVyiE*fm&xiDT4={c#zJ6G#&)nzyK|k2Yw!;@E|$ThDx-KJn-?L
z0}qmTkiY{k4?H|jd7!j`NQox5p%P8vftv>|9yoa*^1#6ZdmAX$Y&@{W0P~hqtXcRZ
zp$!yiCJu!D;=!LB(99eN{mz5mc<?I^&M*-3mQ)mK=98Lu(8z-Z9-QXEFFg2}2S4%P
zR2wJ^{m6MsDh!?ElYZdA_idmc^dBDln+M<W;2R!%$Af=ypl|3a4u!tt!52LET-^a@
zO|rx{IEk&$ZfVO>q20`bn|N@52RHIye;XK~-N1wEd2n4Dh>Xy#ZA0bSH9WYQ2L=!J
z@!(1x?B&589_;49t{7kvTdrNfCtc2i%XqMp2RnGMod?@^u(b^g*S7FrGXpV+9j<NS
zlQy=2VcMlU*uVpw2kUuo2@lrsAj|`elh|Qeh))Xgpq>Y7d2lfg*6?684_5JDWg9p@
zqOIVNwwwpcc(Ak$6ogLj;GaDBj0d0c;1eEv+ydZ>sUY-G3u55IHjp3sfCvBJ!TUUT
zuMOmd-sQnNJb0T2#}UvMQ(ovTKIu&!yupLldGHz!Ugg0nJb0N0FY(|-?u#ie^a7vs
zJP)301G%ARd2o~mM|ki|8^{Sg&4Z_S5P6bEPw?O|9z4o}C=VXt!NWXwhzAey;DJ^U
zsmlr7---Yn=D~eDxR(d_w1Mo<-8{I92ZwlYXB)^0-9aE{6+D2lLbvlt2YGNC4{n7?
z%Nn*gzQQIeHEcm-j?&F>LVZ<zOx+&Mnxm|TWzmN7aV|avzs2*6XXYxM{hJr+4MT7S
ze%Vlr&uuk(b!09q9!6FxxfZsPM#i>i{UC>}q>*_oT3yL8md;nY!(tJc*rMf)oIvZs
z04#458%IYdV5qKvEM?JpMo#>K0IX+_;VfFu$ielDtpoLj0<7b%MOeoiatBquKxqWe
zSPkU*O<zK39;0TVvK*G%8_1$otjcT+giLA0BE*gB^oATPcH2dCY4oRyl;!AFj-99S
zPShL7Mxss&3OQt}@bFTlUuV4`3z-=!%pcYp`eRvoOBMfIsw{^UP_m9lZlQ9{atj5E
zDP`PZN-i#@Os)ezg~de$MMY3w-eg)XTTChC7E^NLc?ZiMWGF3GTeMA<C5tbb0)}n5
z(zT<s#qx|Z$7vCdNfqw@xbJpv01sT(8-tfCV{`QeTH2=e6fkblnszKg+z4%{#ujd+
z#h(Il9=LdgvdRpLZDesy_aZ0r$nu-8O38u#8IG52Ad`A|u(G&X31vZR$nGCWLVkQ}
zK*Gp)A4yoA@#89`2i%9ezg<2&b{}T7(s*sI;$xCJ91PkujG}IE$1>>ool}h;*Wx-a
zZyqoYHvk$YAxDX0dBibTr6VhWB*uAx)-C}tCIf)9N|(p2(v9VMCNI7%z=JXN(QK8J
z#5%8KnU2i<5sUK}&&l3jEJAeGx9pSj*Bhqe9ccZrz&KH_bY;tN(=e8LBp)THQ$cQa
zE%?%4Uc(xATZ{PtwvJh044$IgZ+QBt$;Q*SD{3?&q)Y?HhF~?77CyS`4YRP&A;zwy
zux-Zt6^_#zXiFs~4Sp!P95cnL>QB)d$V4DXdfr)*K3#8^Nxee51O>+Lnlc9ZiuOBb
z#1wdq8J8)UiJMpJ4dg-bvgz1|`M#*MQ<-lmU=AFUP3uhRrS6yA54!idHFu4>FBmhk
zxqfsUciitd01A@>9D@BYs2I+&MyyM%vn-z)1?!ayTzW$gYj9Z)BV)BP#84LnT*lyk
zxE;o<ElP*z59^hmz_VOKJynxxR79TT4(Li(W5|2%qJDbATCUMWtixzSj<`@HUJ5N;
zgGFrVYK#ji4;qJWR}^E&pOV{H{=PfU*s)1@2Oh+<9k&ddS42;hEt{1Tc&e=8Z{Q!R
zH>{)@#qMAn-K>;BJ!x}}OlB5&4d(`>rzb~mpe?$ov2sUkQMxl3S%zhjj1<z6?fmTQ
zy4<2#X1%guDR;|4_LQN$Q5u(p@v^)bdU`R|X(x4Np)Y!Lz2dfvf#(nHmeOb{z|oWk
zv9wFd#pc8QVgv2q#srGJP-u^khI@fAa0k9nXm^lCVnLu)v|%LH8TZe}7Yc3bQFROA
zs|!PqHV|p#72wF*0!!TF9q)2tVS!O|D!nAyVW+a3Jwj@T=e5Yk0+NEmb~ph2%oR%6
zT#&-^OcPD&IyFtXUKuDqEKipHA;HHl9P;b|8k-ZHzc|-9)5KfFVc<^mLi^{iHmlg~
zwOwHSw^g@xwj8pIgstzj<|eaY?q_-fimD&Y43bZWf@3~!zF*=gh&R@r2e$DGi*vHU
zSwx&ak=B&aLiMOP)8_HU;~{TeQC@Lz_PI&{e+}8i#iN9UBUve&#s3$VdfHk1hmvx$
z3cv%;xk{pxkwWzae^;M^OfY;8j^xf+N>O1>VeSROB^9icx;FmoTILzpjz8e^r!cpe
zIeUrcPfJRLP(9-B>yrz<hzifapMuPy{DQ2)>=D9>a#l*42MHtHtn@!eeX_IjiV9ne
z$me8d<Ybp*WtZd?WKv4GP(A$b>I3HPb8@n?!P#E>R)Jfa?A)T^!kS^M6lN8=&1X_>
zyZYp3=I23gouj{6QiciD=l^|upixBy=V%o;5z5KQE6O@wm|w<9;XE|FEGXUD)h92r
zIIk$@Ts_~CQYKUn{k!^rN1ptwY-ZR$o<I4SS$X;3PiCl4Tgpn|JfiHfDD6C=<mF}N
z<`?G|7q%~{C8boT9`bkf$;~V-Vh*LwRZ3nixK1h<BCHt9O5x-OeOxWJD#`7blnX+g
zS5S10?r%vMEL0DQt5m#)hCFcfla-YZek$5ADHk3p;OwVxkf7TKvSQYpB}GX_sZHs3
zj#`00=I5V72y!ziWuQ<!Ag)&J9z{8sMIgY1x#y}?4luExcz{q}!b;&Djb6Lb{?V8N
z4wVWE^3EXyEh!~Jb@AWV2Wpa&bB<Pl+aPeY1&?20Z4oPFY8#WljYWPt{$zs?WWmF+
zeal)>iiGOIxcXGa3vhO3K~_HKG_@}!2b{%#W3uc*VRZp3g&8qAmouAsrHfHIT(+L0
zf_eExMOo))YIY{26bRM%aTRRWf#3`yr<l2AX(v|M@T`GHcYeOGGLMxqrnQ3P&y9Vt
zpUcfoUREafTr12uhorWo<O$Wee^)VZ8I+$3-gMemEGx4Z#I~>?SI}};DYM%uw$!N<
zw_{XRW=?T&@wp!2ttmov_TSVew-`L6fIqEs)+e_xk9kcKR%EeKxQD_hSNoR=lvJ1n
z649PNttnYTb^pJwPi}TWUT*vPu$nTd$muVHGg&E|tF3gmQWDP}$PaIztlah^uQer8
zsO}e6pZMofZc!$TUhwYIuD_rZc*(&FxgU6t>C1}YJjndvR?6B{s0btvz5&{QPrywm
zrLR!kC$2*Ak_~yYi@}pl`^PS%6lB9QtEi6<>CH-6&?Z1opLAnPcO|vr93E|0k=c1U
z`R$(xttq{Q>Rwo}wjwLX$$@s<D$L9WZ;8zRZrl?C{3udNFF`l;WJN7%E9wPVDOq@~
zioq9QR!(8@Il8bVrKcdf!eGein8|d?bWD9vy+)m<PE-fEo_6hbU8Wv)4R`f)e&u|}
zSz~|DezSeI?L{MNmvR#<_K+SVeVZ4Z<J+7xBI(<_2*1s@4b&S|{QllUv#=8KOfhq}
zvIG=#8Wl|2unxb?OFTx}9;Mb8xKEjqt2gr6S|u<$Yb0$gnq!oRn|kSuZoGW^`E)rg
zVXQP1@baoRy6CfijImRLdGC?i)7-|cYm{LbdZUw@B9-_{^+wXrS`{nB8%gM3h}SBe
z`{|9OrbV;hlCx&PP(f1JqG@f3-KgBHbf2ug)=pirku<ib-o-E_Yb0$g;$v|<AGe0|
zM$+EeU57O)_C+t)tt_^JkL5;E-=fJ^5lqRlvtaVoNIF}wNhO<nk+v31zKV?1H!9sn
z=nbT!MU$_hK<k_lCSPG>2rYvYwJd{xtbyKbAHC7WO*o5j!r5c~{Gx)o?5w%@GKf&B
z>8QzkjXB6k(sQm`TzgDMjgAMD3}f&C<x-fqHj>T~O<V_HIg#R;nu7WBisrJ9%d@pi
zJL-+3Yee-O7--E3?d`>N;6TvhYb2#2YQVsj1^}Z;t%w*sFrLv~eMTc`7?H#dM2Ur~
zyjVP4Rnq>dMp8qhi%Lk$3-!kHNX%zrpABSUKHM04sDsA{9a55`{cctUTRnOsIU3P(
zW4Tt`(_vC3w1^bRs0Rl!Stk!8u?TTflHS;vWWAHIW21633X46*Kv}IZ1M4~@Rvgm?
z?5sDE5?SnG|2(~sbmU@sa087G?^LGs(;L(9S`zMoX9@REy^&PT)=<HA<0si4z?KYy
z%K16|4`2dKDs#lK0r4E$x<+pVYfZ3TwtFTPH^65MIMktQD`WavLD{P@2@56BE@7(;
zMWC|TNb0E6loAl_M$$ng(Jo0hwB1U#G7uJ0LM34-3AD;5$OfsKl5CW;$OaTdx@}a@
zK;z^4lpb9oCe>77vM+U8;K=6N_93p_uGP+aoi~VoIZ_=i`x)C7quXJnJ3L&-x5Slo
zhIh9zGP?h;@*mc@#n{RXQ?ZqUjcXoO4l==~wPh0gK}_(IlC$6|D{o%yd}tx5;Ke%2
zxa1Kf3|&LZ>J&Mc$pfvU$0Ec_XX}l$hQ6i0@ytG0nacW8>SNd*Rep!c(F*#8uEyeP
zlx{}<$CPDV^hSR9e6U}K9?qrO(qnJ1apW=OVT<0FWAwdNN%8d68?&)PM#UO))8k5)
ziE)Dz>eZhUg+WXdXoZ|aVNkp%Y^&EB$(_(%(l8z5i|#zEd}mFUZ3|2R^II0@G3R0D
z)y^%>C2**=hwV6=`u$$oWOO{DbP=V+wguwH;>S$0af{hIQg0lKP0(#v$5L9_`ScB?
zr?g?E-bhQwn<g8790Ue^@~rY0bkRt<BCX|$oDTWMN6#rfNUESD+BhjSZrYugVkAGW
zoIgWv9D%JIKo^}gQu=0;X4S8(S-YyPHeGL|RaEkYRB9hyUst<kb<Nzxbs3A6W(*xR
z(FS5io^VL)N{xq~XX|2(v~Eq(TN<dDTbDf_&KMMf^iD9cZc=;^y^$8NiLa&ceD&##
zl~~1CyOL^GE?T{)wq`N(&={_VN|`8)<|9Pg_3b;Amhws1N;|<N3H(ZSsbBm<{Mb0~
zkeb#D#w{&M)3_~V<2I*ovrTU#-!VHh<k=8kwE1<VNr;Glw7(mzG}GON1f1WrEM0>z
z(H0jqdPsbup<eu!%3$_%D8;rBcL%5E=GD|NU#$HKvT}?2<z>w`X1t<w0A>!sY{c)u
zfh=w`(w<9foUvC6?Ud2uV{psk1FA+FW>mGo@l{LI8)@$>1)D!O=E%il683}9ysmT1
zR}1XHK*tE^!7v2hh^ei8zj=h-I1VLpXCx-9$L~%XV0`v=f-~xR1DJW9J<B8u-<lk^
zJ4QR!*}t~CZ6|H}9X{I{;amHA_UG-l+V|Tx8Qo7P55u0JSr!t&BT^%+hQ>T1mC+~D
z*RLvXnmy;~jdPGMgYbT3Y$dy6hh=M*j@BD#uSj>sQgCei_^r~tJVkG${RMiBl$|v=
z;8jE$4f%APeN4^bMYW6INI}Nfnk9AfGAb7>uXA)at!8_j%O?O=`PJVt&y<>#n0eK*
zH7jfDRzZi;>MwOq853qY+!2cqfu}RE3B=Q(jHk(g`GtA&iVA8VH@^v1=65VMb!T_(
zQVw^f4H@dsq4E9cxV*jC@~1n72Gn9x%I=}Q#4F$~<SA>v8yh{;7hV1>cr&rWC(cXk
zZqG5V?E_WQ$0o6_nCSS$@v-A5_+{4|b%MqGrTK01E#_tB3P^s{w9Q;(?qTj|wwX>N
ze#~@-$uJqLlq|s<Hg+9z`;GfMspGth^v2cn_@Zy&VaE3-lvxFOBke$t0{k%Ew^~NO
zjEQR(ty)#PY)O{hNQZ~$=+7`C^10HD$tUeg5HHWi7uV>#;<<HMbF;IcnY2AYtUsSU
z`e|o^Sa^Os3%AeG8|ehsRk0kt=+chrI2(KS(;fvqL(14QgzYIbF2=5m^(`CSv>`#G
zyDZ(<^(`K-YNQ<r8qH;Jz$ez<FnDPbf(CCHH+X3ug6dHgUsHIP&c{2`!?djRVS2?l
zy|E6te4|PN?bD3f^$CU1wcje+91htw!lau0QHMuOG$(GEs5e<L_Z8Hz;XVVj;RD7H
zv*LQBr+TABR@Hk4>5a7Mw8XgaIhdy;`_xXr5IO-yO&{i0?=_CDQqo}p&_q)QDsUKZ
zDu;DNlfZFm7;vhI<_W~9Va9%+3I}7F;CmiE!iZ190$D9x34Efd0r6=V$ES681@UQE
zJfFOJBTXE9$c$n5CA_1P-l$=#_t9%`7;{&)Z1G~_jn|bNHb-(t*RyVi7jB3owjW(?
z{4-UZ0JEwf-xfB+>-h+A^HjZYEnaw8tR?IjcB=uWH(bWyZ`?{WBTfBWkX66QXMRUe
zPpDnMgp8P>b~AD^)Fg}E)G0bTL)~ibr8m(;kcuhyj;dL?l$~^1)m?9*spb%@Svfmo
z<4@d{t2fcHkv&r}euOW2eYtuYo0m1w2QYO@Idn^Q5jX^FO6F=_&bo!Zaj9F%4SNq2
zUj9w=i5sg$AbWmJ(cGfig4zyxQwQUp-zdJ3dQ&3T59RUw;M1Gv8<*s@yj5PeLJFOw
z+C^Pkj+zz*Xj*h=k-`T+<)X<$9kG_0>oG3ssjdN)izbz?KXgTt!bgak2Ix&PUb>xp
z_m#7*_`vvVos<@>>8CzvE)wCXXMzju+=asf5aH$`%Ke#olM5rpQ56KEu&3HNm0b)g
zq3o}(-bAzXQL#ROV=V0SSrg6B=@~T~-=T%AEDY#PG<hWn9v;s*+4h(z-E@PXKBC?x
z%z~40YL^5H9MQG?Y<o_*U436TqwEuQ8fB&GERWtqU-ug|tiVWoa~f4c)txGc6jpu~
zrc@YBL)G38nU0Y(hp#ZQ%G7?WzBK8g`i{W*`s;G$&w~?*b#;sMrXuPJdWw%E#f!sb
z>PYA%`ry|cbbrCPVU{{5Y2#wOiQIc`qcSf*jUQw8P}LuuFiR~J{L0RjFDkfwE><d*
z6>mQhwvOjzvz<TamK;o`=gtN2OmCt|0P*jFc>aMz_rnWFqAQHtauu{XntEU(_Rfs)
z1N~6mQm!7h0#~}@1;oS(`eGk+DA8+d9i=9g>rFI$pbAu=Qb!X_F=%X6(95Bt-bB+T
z8Z{MxRu;mj>1}-OQ+;#wCR!$-x>v;49T-Zh2K4l*z^4~*fIs6^!DPN0$C3(hBglML
zY~I!dMs+}aC@PIncbJFjP5caPq`#})L^CdW^^UYp9dkj(@Qdq~uFjaaX6`EZK3~3i
z(XyrRsG*tu5aX{7Dye65)|)!>_w=vRn=(i&E{bu~KTcg`PTf5;2@b+G(M+9KHiGpT
zEwoU(N5r=q?wF6I)5C3~cha&Y8I$W4uU=KVa8X9j(%RWWD<{ofv$C!iQ_x5;Z!@Vs
zs-LO1fZd~yr6<68(>7_6biUNjX$OnL?{yFlip#(N(I`iW!(&@$n`$e!{%jOgs;@&=
z)1-l9Z4}CyoKsYoSCd_nn{B;DxRQOxbT+1rSMxw-CSnUOBX*58c0b}PiM}^pO@|%)
zrU}$~(ncC>9O)npG=@x8MR+39w1^r%nspb=gJKclrO*%b6}`C-c{iHIE$BI=7^PFx
z<511996Ltifl9cDpEZs4Z!qgkq^fi&O_xUtM)m~tD&v=_>g;}c(<m&0&Xtco`&>EH
zaU`ZrkKI2q4aNwJ#P-}7)5;xaM+II)?HI*+mFA$-tE1w3b#oWJiF|+V%*XqT@<rbm
zuXeD&*HsfuGiU&fWCMsDUvJ{4T_f4ci6&b#lt-o;Q)a2m$7NF)R)hxH$Uy7E0tOmQ
zw&>L|vhAy(iDp++(~<Etg>gr7EE;zsaolZ!7r-Fw<n3dy`XlM9!I;|FUl<)SORWQS
zo+g@d(Zaz<kFlaw?arpj{h={5+ahj_WMWXlv2Ua(o2SCpKo7G$XrHcrtG)?K-doj`
z?g?Pvy0f{5>v`90&flH?aUOBxI66B#_RB$=<1_Qq=7Z*)=BaLv*=v-}QI8Aesm87h
zFFQBcL=y=T?J+3YQa)@_)z%c`=eXS-WBvWoerfA0y=f7)YIh&w_bPQrv}~@LY#pLE
z(INnGX!JQaMC$>>q0z{pOZ29NGzyj&_smxN886OPM}ch7mn=1WENeJ@y2c{JO-{Xu
zK3TV0kg;RAuceQoO3$c&p?W(kBsS5^ixxk|vZ<fXIGmGU?+QioldiFTy_?=d>NXo_
zu#Ppri|Ex^dQ%PZycgZayJ+pA#fvYht6RRdW_9ht3cYC#)!$6%cEh#AQ!*KzF=sFQ
z!u_hbz8k|tpJtfEt}*fK+M232RbkP)XaJ7!MF-4PWwxl;M6*E>{n1SHnWN?=e(E-w
zi9SvKNc2ai8-I;gnWN?=QpY3FA022Nogn&CjL%1@9U?Bd%Jh=})9`U}nVb)%;!<Tr
zHcO|aZ={dFJlqlKLFu4$jkNRs()q|pW$Zv?>v>2#4SCebpNBl_G^EqrdUW+wkq)o!
z11p1Jc!<vxCyN#005MbSEOrnbj$a)=I8K1IzZV^kIsVJh)riC6u-F^z|F(Z(e+x_j
zK5W0k{&#0r+m5cTvn{vP+O~tG#S3f$ZT)RsY(6k#{+sor^>gdH)|af0TkioIjeD(|
zt&6R*trM(4@C;jI?PE>1daYJV6BreYd}=vndCu~P<xb1>mMbh9ENd)(dv-Pc=&JgQ
z`nCEYysw^7A5d>ouU2=c@u!NN%I{z)@ryNeRpBjdYT8xd?cAxFsxWu5qbkgu?5GOU
z$qx1v%l`NhxFaN0VeSY?{Ehf)xcfxTc_SQORblQ3NmZCTLQ)mxj*wJ^&uRmAo}?<w
zohPXZbLUB_!dk38>{Lxvm^)8W6%Mvlb!M15Pck#iohO+Y=FXGM40Gp6W`wyTBs0R?
z5t12U?gYt<FdjRJovN7;=8lle2y;hBW`vit)n`U{F%K@{!G%0n#Dj%ASipn%+^L!w
z;W|EP9uI2U!1VB39@Ow)4i9Fxfob7cJgDM8Bs`Nt;c6aC=fN}{Oy$889!%!JBpyuU
z!Gsn7r)s8!$G0E`DtR!D2V;3KrVUIDkLJNB9*pF{1#MtTcm#q7iu#mrIiEC~2NgUx
zp9f_;7|MfE9t`2ZU>*$OPSs2a59E^u@SubT#XKnDL17!194_ENJ`eJE5Xo&rlfv0N
z$l^hN9^~+#9}oKSpbrmv^PpENh}2CA_iRM~dhnn-56<I3Hy(85K^Go$ZUYm;89eAj
z0M8*$45#x+X>DLaIF$!}9;EOfz=I?nbmW1L2OR)_3uKhQ3E@OODS-!G9(Z`5@<8E%
z%maxB?lv$!?Bbr?<HJrqN#uc}4OE8hJh1V=$^#1z1Rj{%K%_EkYD1OUUp)Ae2Y>M3
zcOLx4gI{@Yh6l|&Xo>;${;AX&+mgm<4Lmr_gI{>?a~l||{ltS)Jou3ZCwcHa1F`qd
zSnWT2(sw-gHxIt$!8bhkng{>l!B;%^k_TUK@1L>S=X}zMHZVr}Cl5a3!KXa<qz#PL
zKIXwkJou0U5$yvGY47vkJs!NvgLioFHV=;T;200y;=!9O0Ny{NwKrN21F!SoH6Fa$
z21aSG@Ze=0yu^bS+rUWe1s*()fZjhNwdeSxXL)dh2hZ@}X&yYqgC}|L1P>nP!DHO}
zXQcKhpA_Z6BRqJR2M@J@3$zD$@Bk0)=fUANP@zTc<I%l5xQ7RK^WYE<?&QH8Jh+_)
z2YGOt+R?ljKc%DH=a|=-xu;-t_&{6E>hO&`*w2F-;Ci;cMSpzCbv(G12iNf6>NXIm
z4jXN#I=qhuSMlIV9_;189v<xG!7d(L(FSIPFOLEC6r2^lj8EFhgB`4)9W5W4)Nj<6
z)ce${)H&)nwb*?OoS5C{UhW?6&U3x*dcoC8oF$GH2RN>=oV0uhcJyzu?6O=8T7tKk
zt~6b0T4}1mg}^t|htyltJ*uuQSC=FEY$lUhY>BSe<Mmn0wQNyub`P)KOuJ3AhEa)Y
z7+YZNF@iJo%V~?bl1_f!6jo<j5_Q-Lxdc-;&`iJ5V@zMCUcuI?Xdj9eH7eOE2W>pX
zBE(Ba=uNcgw3&uvW$P-3!+6yvdvAYkl?ulin`p;r1I_3wX?6YU)#_TXA=$+5J5~B;
z=uNTHW3;hdY3L)Q^NjR$YR}RXy=g5jQN)tY+Vh6h2-?u2b&yK?gu11)*S(7AgTUI+
z8pAPO?J}mgARo>;%&mca>891(ipMy%;z8TC#D{V5D;}HY=}mNyEVf)a&KJEVtWLqj
zKH9UT6_2rO#Unc#Zou!=j%6zzv{y?j9%IuDeJ(BbEyaouf5rw{m$YETgEnJnv2QH5
z*hhP^RMWBXHH8f*+MK1Wsj;nFQ?lh&Q#au?6F7Gp4^G~?gZ^pR6nQ9^+V|Lhm)-<d
z2+O6}ZjbX8sjrkOjdaX`^H^WGUw1#?=;PkuzTWzl^*;OCum-TyGC}yux=nb^nqWC&
z`PTBH<zdUM>>mwm_A3ekStGcz^k!PxpJ=?XT20wE!|U~q)0=56U#I=tNlfYI{62a!
zt;u)AkGo0yu6d5$Ol$K~Db4tJS7LXo^;*+JCimlDX|Op1Sx8HR6LD!UQdnF!e|}Bj
zyt<Bhvz6m;Wq=ccX4=|~$uy{*G}EpwvAnX4<;}FY8yh6?ESL3We#c^x-+q+&oleXR
z=*_evMHfztzwqV~y_xLgJx_a96MfNjrHO~kMzxUYwC45CDl~3Nl)Ci>Tdtk$U$$Ge
zYo<*ws{h1*Gzb+U7)NMpk2o?OIg(O1KYwn~{KA6y*?Kc+6Ot%SFlr)+=Ot_$tT%VS
zXTjDb^o5OT!$xR+B4`rTBz|C)HZ0VeY2R|wP}o;j53xhAPUFRSiT8Q*X3{y<XU8ty
z{cm@oadlndv|)NP?T%12C%|5NGwq+yh?#)<OIgrQw4+NSVM3s_zR)d6#&}Hym8@pk
zxFvQ@h-YV_-t5D!PN6!)RDhs+XtOp}0eF}-dof=uLX`gE-c0ZurM+Kzj!uY~k8D=#
z0k)SPy9O-YHp^JZl30U1^AmIW>dmx`O^>MwXFaC+>CLnSJ0^C;()o#<C#zfAcPnj@
z)1Ah{v#FW(VX4{U<C}eHSZ{V<&uv+RC6D(-kJlugG=tTFW_}mA5}rcMHmo#teWmfs
zl*IFxnoK<#ORJfh3~UyTFj-Q-txS_J)>H+chp<hk7ZwOiQNQI+Fm@kvr*#Hi^}+Ip
zSCjCab2HSZH`eEcMMg~+*5EgmCLS~=X23FbGZ`z4En`nI29+fmnNUsI7o-+XVja|j
z>!3;EHFNdm?pWl5`G$EFNuG;YUsa6AOxYiO^8CcV+#)-G-Rvwf?UfGuJ>aEft#gdJ
zUp3TS>Na)5RWHlk1*LKCq{Dq(ZEjEYZazG$H#jZ14?KZv0{1R6o#p?N8<M?W94<~w
zmy*B<$tBK7;A_+=fv+$3X=CIqvftPx$lWvDvfJ+Z%hl}q$@!FXFZgpA@;|vFF)B95
z#dhZSWv<g0x=G4sdShT_8GXBV3ZtF)^e~!14}@=ECZ$uu%oMhe7QUR3K=?97I)%3}
zk{;elky{u^4R2>8EnH8LXe_%^7>#A8hgVW0*-{U$rkryrvWAgPkuX})P7ha6>`aUe
zk06pwB$Wu-&hDh0LZqR!>`oe5$?l|~dF)Oa+9vO$ZJ;b@o4k{TM!Gv`Xq&u~)|b*c
z5{a0QhR_Oorw|$^?-Y89B5xzIiwN4T?-ZIxXe^N;BAto2kpvrwoFMWFkq3!fPXxKv
zDYzWXy>|*yvxCDau|JU%A{Hd|XwAG+{XYny9q{yUIYa5;EFx%^K0Rzhr2R<bLn6-+
zxrc~BL`QS)=^7d}PuI|GLb`@#%+obA;-0Rd5%=^E8gWk#eTx@{&_sE92yK(6hi;`v
zG*+J;3KFU%GKNSYkqja(B*6wW_nsd7C&8DAJV4|+A|!LcWrSuB8Ac?NNHP%tNj-{3
zdj0!^jxdrI9!;cx2-YGk%xV!4(ln?B<k7GeX&QD{nugt#rr~f%(@@saG!*1C4SOq1
z!`@2MkojpE3Tc{#%ufp;^V32fV9}vxiQG-(N+Q_xk+jevf)j}hBGQA12TAZ(BL5=t
z7LiAZ+)M<yo)%m~Xf~0NM9{{6S}>iEh@}1ml1Tk01Yaa_7|CjsmOywELxC_hG!V`w
z)SpNvA}FMRu#=D#iFTUENg`<8KA<5l0vh&mKtq-Uv<UWgKtt99G#niPZ695@naFw~
z%ZXe_1SKJ$O(KK>5zvMZq8e(w3E`*+XdMVq4MTq-3Z2AG2!y^Nh=VH-I!*}3SRnKS
zp}UCOLS!$I%ZXe<q@Kt^B6EpMAc7JY2n{5Jf*1&O$MF{k5idh3B@!=#XAlL6m%*<H
z5if&p5_*Y9l*s)=ZX$9mk*!3iYQfcnmJ+GP@fQeACwKvo^NHjV=|?1uND>hT5i^qd
zABp^v$j3z9Bk}@~XNcT~WHt7EY8Y;Bu7o#81&d7$=MV`Hu^`d#sh6r@p{W{{ma1Vf
zsoFJ^<x(O`h(w2Gbh^$QJ@QPT)N_sy-hA`rgGW@4@vI^&jAekxY3jjKswdjz0m*J*
zug6~{o69PhJ~3<_PqtCy@$@z3v*1b=JnQlFG){Rui@Ug8*7>fL)+(#n(r6uT`H!{S
zQf?VwIbq2HFLmd+GcA5&r`Pj=amwonMCT=V_JSdCV`yD!_3dyEvvDNJV~<uPdv0|^
z?|&vR?pziAZw>iBjfeaF<UW|?&3G{3$O4fy@fyd$IbIJ3Mew#~y4tykecNOhJ=c4$
zH{M?FU2V+Oz1@uEy0;?>Iz%_?-r-`zc>>)^Fs6$#>q#K9oF}=+87>Qlrcsuuu4FE9
zGDS{u_2VLOz=-mAR~Z*Mj&hE5O{K_QctadiqCCpAINtGvDA&5~!mP%s?cO4X>k|SG
zZ1?tdxPL<s{c^iE)oeU_wVW1B-Rb?>VwG-zPO<Is-W0uim$%ex{Ja}lUb)BH#hA0l
zn{amEiLTt^onsSwvYJ`J`1VJJcbU1nG4g6}YDXL(R@KhZZ1NvS)HFl8+S|+A!MKf)
zMB^>Usfu{H{4<r3V4Q)-VtfKvWgJ*m6<-2Y8OOC%!cl6KaL`y)_6`%Q@(*;mVvM=Q
z+pCXEk@)ViO87>xO8Dfls%}dA4_zP`H(djjP$}{|iu4+<UE@6+NhaiD#3nC7qT=J;
zrq~E|qqIknNcd>9srbCLDFS8bLRlWBELbI*itkFBVxlbgI=0CVP!@wC0}4|4FM^$n
z(bsvqj7X<Qd`sD+9hBCYB7Y~;mC(INqzFZxN0Gk~>R~*5o%duwo)a%MHnkVaVO5ii
zXRi0&B*<4AN3WLCjrBKplhfsg+GV$+;M?r8<nN8~Cpz|08LPl;A`-A<&qbC~<Zz{m
ziX67zn;cM9kTkRWw%aj>?VxfciE90RZy=!D$>q=}M@WIwAutUw4)6C4FyF+cRW}$%
z4#~FY<u`g)d6<4}nyK0ZI?^wz_o_j4p*lgDA(cqI+`k$fPI=F(tTu&B><l~mvkf5H
z8p2eNG}~w@I5mDMxHUs>z5wS*yRvaAI29D&Q>Bj4^^Sz!*;-XI>A2C%dkUL*7lL+9
zGby^!^lJ*6C6;ru#3|{<XANGanAS{cZ8Srl0)8IyvO#-0yAWpRq{&7LCsVkE6H;ZP
z>Q0HTE=(VXa?{5tIDOoluQ!)s8+OjbHcW{rrd_`%F?Zi5K4<jt2JbhZoYqWc_w+)_
zW!&HFo!U=tCRMjsTi8@`5I2>aB3{~EZyt!nZysdqn3{OZu>I;irs~b4&$c917%pEl
z{p#)1S#RbQ+ot$6y_wXKb<)6|Vif-7T?T6|bbydnu%_@USkNHSR3&ZYDaP^NyuH{e
zO##-7R%s^VD$STyo<hY*X_Q(rnJoj5dMhz=ay&CPt<sz6eBlmSDVywz9%}IZOJLnj
zO2*XflUTR2lb+4l9A_r6ZqLF9S{#^^Zrod%h}}-=z|`%N0<BAH(Cws)Ox-?->vmEV
zrkYNQuc>T%8rD3nHQDy6PpWsR8IsF=#{I4PA$tY5c2&XQ>!-GA+v~Op$a23)Jz#p)
zbdhO>=>k&`9FO*}5moKq)=O_DJ7IfBZ+m8|)x|efNWG#P?~*RE_JD@dGA}iJ1~eSh
z(V(3xxpvM-H-7gebo2Dkn|X!28OC3!si_eddYs!P;2A9wQ>V-ThZN1U`b*525tv_4
zR9I6puQnH$LkqsdoEaQ*XvLS9Gb5fkKD~Jf)(+Qilj>%)F5qropf{7@u&ag`qpwOF
z68+4V(8UI#OAEqulxT*brY4-1t2fgsaIB(i94z8`dxp3f1|O+6?o33PpJC{k%9GKq
zfrOFZ?524EjuCyGao;*Pl({QCVF5f_cumI{aE!mX4$CA3-5Ewwr-ZywZ0jQ#x=wvd
zJ)o{ur>Y66S=ldLC`|{WiB<LnP+WTw&dF`JPX>3snP#hc!t{&jdAMMi>3Y)+Q^>T)
zG!0grps(*`ecjCh84T}Xv8NYCF6l)Mp$glL()pegHjw6GHE1AB$AOgB+7Zxl(vl=r
zOb={7Pj8-$t-Epn7Bsz8c364QCSO7m(`0NWrAU&UX*g)Wrerf|Mp9wZ*r2Jxo713~
zmTv5JB;cSSJxG#^X>jxhEGgB^%V*C@Qhg-3n8wKk={}NNOgo2MOvM|~y8g6QvDgZ0
zV^gp>yYsO*(_%-YjNz%0%AWix9F%S*i-4CB>!ukux)VMIAt9~TSYw!wOvHP{BE*gT
z^=8rp-%7_srr|D6biAAp0fP_C<4H*R8<9E?k~z7sa24t5ErPwBW?m_Lnt!O?JPu1<
zLsb-v4;%@3nJIcRse;pb>9n)fOMB|gq!Laee45=@;Ydhj-8~wMqVAr`x;rV-!d|%Z
zD6R=p*<*7KMi5`8$MaQo_A@0|7YMMTXQ*4nU&L3$InKeN$$A=8@ZYd5a1C^>aE^C%
zbGe-FseRR`y3Dy*tyZhqJ6Y|^LiQK!HOJi9nxKpN88h-EW~{TySg|^gZ5#?qqk&zt
z*R~^KoG43t$jIm<bvH`;shy3|OQa4_^%ChPv$slbUPnyrg`BFQ9kUl!N&~%hdNXag
z=_I#R2HMRSyFwZc9UQ_|QvX(YjiEwn3V5PvraiXVvBF+oA%TzP&Fz<*`Q5!Lzw_mQ
zeulP9h;3EzZ1d`8X!FEJCF85x`EvV$Y1@tjY9{NAi|KVr<<5*R7g*Z1Nt~^pp_OkM
zTvh4Dw!5Tm!#e6`9N1VITvdU(+S=^G9I$QJK|e$5+cdbUS_ap)i}W)BvUTr>7$@+A
z%*?x_+pJbKYN}$7nrTe7>ak>!t(o{Jakmz){)pP>Al_$atCgBn#Rg6UuZu;9#*Y!$
zHnCPF{I2e<w8Aq1j!*RJAo-&^DieNF44BH^#TMH$Ew-5^+f3VH+XmYR%Nv%%7LWCm
z@U`_R>)qDttlL5Vc8+zNwVyR$b+dm_sN_R}#X8s=)lYf5nFaG&7B$*D6l%n88dSk1
z%Ng1OqQ_SidwdmST^ZERkO7xFYmpDLS|5G87kT<cAH6EE&=s3#x1YqqytG8hl*N-K
zNrW>hC&0J(ICZ^Rt30PXplo#>a9-iOMBL^a1txMkJ3ZoG;z{u&tKUq~Tce*L=Vvi9
z9MuLh!y%|o8#nb&oDF<Gqi}qmg?t~Boj)%pt0pH4Og5aMjUQrfHSqfk?exSV#BH_u
z8QQ(tTZj#-ZrzTiBZ{piL=&TT1{43VIQ28M%QM9I>{l<H0_v)t;Wvt^{d%f?hEDTs
zAU*eL!LaU2ybPXOXFOP6dTv#p_1r4a&#0J4--p%U))07G22Y82wfi$NCp5EQaGast
zBN`jC;>X7S!8!zVRkp$;tY?CF5qv|b9&j^1Rz4|*WWRKiG}QfqyUx`J{?L0lUvZ8W
zzZWlJ9W_MsM5^O#GNEO?>lekFugodQ1#^yt1<a1p*;bUelxm@R7TRMn%){jl#>{cD
z_iRH^m^UBJ9)n@0bCgnCSeT!iJ4?{2SSg&Pu_wyqI7?$WB{_weu<@Q#(7vSBlq#Wm
z=HJvOryvt7#uc_R&xqy2(ckRC?3uzvGgv7@phsioBJ<{Zdc_;k%Fh8CYG9nPy@|Ni
zlo>+x^#8Fw*(Hz{zSY6DR2+XW1x&OR7v)bEmP})%oZnU-^8!zwcJ;~5EGjO{JBMMf
z{FanyLiN<Ys}C5agSr%-qds7nub{XnyJ)Hqn!-w%)mEQl3p_>Vs1I1+0vloNTb2zr
z<5<cRp?dP))d%d+<>r8e$8(jE3rF9I@+S*xC$UmEn}c^R^t7`%m=E^x@`}%86|6O7
zl2ASI@9P7$+=`0gr4agy)f8;=<xdn=PGF^sY2yzLvUL}FQsSAE2j=Rs^U+3NoT;+b
zlnFxh_`j(X<jnz7g69xLR!VU;Sgac_%&BCh^lGbA{|jWFF>bNPd5%iuWas7=#gBY2
z%nCQcluDs`TwJBf;~M~m;PSx&V|z}qQox*AVeU9Vm&f{{R=T;ZT7NF~jBHmUFii(N
zcMf}ec`Yeph3YYJH3BQ6{j#(BwV9PI0;`b4#pkdK$4Y@wm{&YTIO`z{kJ%M!vTXg*
zBw80+Y^ByGY#DH%<|gZ6>)X~J*&}t5)dOEKqy<7>G1W%+%0#dYa3&2O{`3t~9cX>o
zCF*BL5rVWBs#~=f&hXkE)o@VPB*B0DgSS2Dz|h;in!WAwav=#mh)DT@K8UJYK8ONP
zDN+KVcTIKtyXL9^`Wdnybtv{4BXtmX6Levp2^Fq`r<DKQnm90Ny>jqKVr)6P{ddLx
zn;0m3y7l1U4rdk4A|34QH=&34xk-ITJqRmp!&FuIRJmPQsgx@z@(=P+`AT`AJU~{Y
z&!vZ?EwBpL&)w{P&b`|`)7{<mtLqKdO|CVr3Rl4Sqw`tkRnCRZ0Zv8yoOS9B(b9W=
zFC+VogbZW(T?vx8C;Qz;*x!TE&PL>p1edVCJApa3F>oG%D<1Cvpc?}j#*xQm7ZlW$
zQ004)TiD;l7;<MqA2_3nIZhn(LR<!m%P>y8lIXPb+TV##);$Ssb2?@79D+KeQT*}}
zuhWvVKVYQZ#cuJeJHe8>Kh?P8P(r@j?>3puqFEHPQ;k!H5;__g_a=DFDU|h;<VzIx
zCo_;|PBOCZZfRUc`hDsSFRQIDhMrG^nsp#B`?drCiLq<$gUTeZ-+kc}ClKJr-B4GL
z;kgHjtbCerK&6DzgN!!{rNr7NGt|c{QI7SWcW|5Clz}x(&e`v3ZAE9}^ShuGu|_(L
zSMN#4H;eo3O~`gT;xke6?8bt7p?Nl=^1hblS=sN-#`3okp(+*v(1A{F^M#3$rChk-
zDu-`Wskl(g6D^K69oIURInH+^+kdbhwePcEXdi4(uzhWN+;;i@)83uOMpeWC9Dg&r
z6w*Z~Ws4wSi56^uQf)b+Au4i2AP^2gLKPZlvE^vF@3M#(6%@+l<LHDd++abi<pu>o
zD?;R`2WO#`%ZeN-Y7xG_okBw5AN+%V^^ec~W_I42>rJ=Y?c{BReidT9H@*A3S>8l%
zoL74axMg{!r>iH5JvI5cvm<<(iPW|!yF8R+8Y@S_-GyNSHWyqNW|G@=i@$98Or|Xf
zE)O%&me}bt6Ksy<5vt92d)&}`pHG`{w!|(FGuEAUmip}6nK5ojp}%QmGy2}N)piSW
z><S6fW|TdcIrOWMl1|WOguA53A1UiU)DvTd+Z>C8mWGvO_Ewjop*D9rh4m9-GRjWN
z37(cNxq5EaejmLZVl#0oS;5g}u$!Gn{aFX3Xpk*py-3kOTf~SdO0$`;d0u`xOsX8%
zP@6a014aHAZ3eirim4?y%y^UHHY%3BC%Z|-{y1&=OKH3|{p?Xm&8mgxWmk$wu4pg*
zgS;^DT2nV9&pSDyH1a?GrTHK=JiKG*TS#a?`Pe=fjq#X(!*~n(!LDvK5##VSj)4z7
z)hKMl%iKV#1~CWxH$we@BUl1?el_}II6eYjIIq6JA#k@-^_>%N)KL;&As=s2A%Ed3
zHZrR&q}j^Mrb|ax0{0!!?BP;t@iF+O0M#7qJX1aK3b>!HT7?1l31cx3={SYS7>ssU
ziC7s8w*XTa*o5g=hLczU_N{7uk*dW+KI+v~Ne{v>()_`u!$}_`@(mw40yW9Y@eN3O
zh(m~v635_uEX6dQ3nPw3-~<oHk%=jAu>tR42M5+7eu8%~2|w~&ZQ?9^P5Lq7xBM>u
zhu9Wtcup?qdLn!G)MX@t&rH?#U>23Za=hv|0hL4|6?r(rNfn7BAXCp9E7givo%kDe
zVm4aiOYoVyI*&s9j$-_Qvnaw%oW|cM!9JAY7WN`hu73fEOPGt>*n*b$9M9qc9ni$y
zj8ZE4728S6v0JejxscI@KnCzBvayikq!aTnAA2CP^C4bD{QwVNU?yf@5q4t^C;mlj
zLE|J<FMNQ$XoGE72brOl@H(>a2+rYW{DLcZ2Ul?oX?Our_jLqr@bD+5Lat#qTKkvi
zfkalm+J)!P0qxNdDUi$ZB;pZ+1*nNm=!}c#j!^W#Gw6fQ&=7HQ{i8^{hUd|Y#!HC_
zsDj350$KI4Vp;Jj9E~82$D#(J@f4)-I;e}s5s7+`4$2HZfx8`+&P2)emtNA7;0PpL
z9}Vb;tO@C@R4ffJLPr*wG%mfD#-(#|Zc{uBsZ<)10dTI=Ap>&GlV@<jK{8n93QBNV
iM#XeEmn9=l-uDjv;l22l*IYgW<umaA&j4?FR;WABM#l;O


From 243e97f761ca74cd6dbfd95c884bdc6b4710ddd9 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 7 Jan 2020 15:19:33 -0500
Subject: [PATCH 043/188] so scripts - elastalert dev

---
 salt/common/tools/sbin/so-elastalert-create | 1000 +++++++++++++++++++
 salt/common/tools/sbin/so-elastalert-test   |  142 +++
 2 files changed, 1142 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elastalert-create
 create mode 100644 salt/common/tools/sbin/so-elastalert-test

diff --git a/salt/common/tools/sbin/so-elastalert-create b/salt/common/tools/sbin/so-elastalert-create
new file mode 100644
index 000000000..2134bc8f9
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastalert-create
@@ -0,0 +1,1000 @@
+#!/bin/bash
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Original written by Bryant Treacle
+# https://raw.githubusercontent.com/bryant-treacle/Elastalert-Rule-Generator/master/so-elastalert-create
+# Modified by Doug Burks
+#
+# Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
+
+######################################################
+#               Universal Rule Options               #
+######################################################
+
+#################################
+#    Function for Main Menu     #
+#################################
+
+main_menu()
+{
+while true; do
+
+rule_type_select_prompt
+    read rule_type
+
+    if [ $rule_type = "1" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        cardinality_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+    elif [ $rule_type = "2" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        blacklist_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+    elif [ $rule_type = "3" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        whitelist_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+     elif [ $rule_type = "4" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        frequency_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+     elif [ $rule_type = "5" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        change_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+     elif [ $rule_type = "6" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        spike_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+     elif [ $rule_type = "7" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        new_term_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+     elif [ $rule_type = "8" ] ; then
+        rule_name_prompt
+        index_name_prompt
+        flatline_rule_prompt
+        realert_prompt
+        filter_options_prompt
+        alert_options_prompt
+        final_prompt
+     elif [ $rule_type = "9" ] ; then
+        exit
+    fi
+done
+}
+
+#############################
+#        Rule Type         #
+#############################
+rule_type_select_prompt()
+{
+cat <<  EOF
+
+This script will help automate the creation of Elastalert Rules.
+Please choose the rule you would like to build.
+
+For Cardinality rules:  Press 1
+For Blacklist rules:  Press 2
+For Whitelist rules:  Press 3
+For Frequency rules:  Press 4
+For Change rules:  Press 5
+For Spike rules:  Press 6
+For New Term rules:  Press 7
+For Flatline rules:  Press 8
+To Exit:  Press 9
+
+EOF
+
+}
+
+#############################
+#        Rule Name          #
+#############################
+rule_name_prompt()
+{
+
+cat << EOF
+The rule name will appear in the subject of the alerts and be the name of the yaml rule file.
+
+What do you want to name the rule?
+
+EOF
+
+   read raw_rulename
+   rulename=$(echo ${raw_rulename,,} | sed 's/ /_/g')
+
+cat << EOF >> "$rulename.yaml"
+# Elasticsearch Host
+es_host: elasticsearch
+es_port: 9200
+
+# (Required)
+# Rule name, must be unique
+name: $raw_rulename
+
+EOF
+}
+
+#############################
+#        Index Name         #
+#############################
+index_name_prompt()
+{
+cat << EOF
+
+What elasticsearch index do you want to use?
+Below are the default Index Patterns used in Security Onion:
+
+*:logstash-*
+*:logstash-beats-*
+*:elastalert_status*
+
+EOF
+    read indexname
+cat << EOF >> "$rulename.yaml"
+
+# (Required)
+# Index to search, wildcard supported
+index: "$indexname"
+
+EOF
+}
+
+#############################
+#       Alert Options       #
+#############################
+alert_options_prompt()
+{
+cat << EOF
+
+By default, all matches will be written back to the elastalert index.
+Please choose from the below options.
+
+   - For Email: Press 1
+   - For Slack: Press 2
+   - For the default (debug): Press 3
+EOF
+
+read alertoption
+
+    if [ $alertoption = "1" ] ; then
+        echo "Please enter the email address you want to send the alerts to.  Note: Ensure the Master Server is configured for SMTP."
+            read emailaddress
+    cat << EOF >> "$rulename.yaml"
+# (Required)
+# The alert is use when a match is found
+alert:
+- email
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+ - $emailaddress
+EOF
+
+    elif [ $alertoption = "2" ] ; then
+
+	echo "The webhook URL that includes your auth data and the ID of the channel (room) you want to post to."
+	echo "Go to the Incoming Webhooks section in your Slack account https://XXXXX.slack.com/services/new/incoming-webhook,"
+	echo "choose the channel, click ‘Add Incoming Webhooks Integration’ and copy the resulting URL. You can use a list of URLs to send to multipe channels."
+	echo ""
+	echo "Please enter the webhook URL below:"
+	echo ""
+            read webhookurl
+
+	cat << EOF >> "$rulename.yaml"
+# (Required)
+# The alert is use when a match is found
+alert:
+- slack
+
+# (required,Slack specific)
+# Enter the webhook URL below
+slack:
+ - $webhookurl
+
+EOF
+
+    else
+        echo "Using default alert type of debug.  Alerts will only be written to the *:elastalert_status* index."
+   cat << EOF >> "$rulename.yaml"
+# (Required)
+# The alert is use when a match is found
+alert:
+- debug
+
+EOF
+
+    fi
+}
+
+#############################
+#      Filter Options       #
+#############################
+filter_options_prompt()
+{
+cat << EOF
+
+By default this script will use a wildcard search that will include all logs for the index chosen above.
+Would you like to use a specific filter? (Y/N)
+
+EOF
+
+    read filteroption
+    if [ ${filteroption,,} = "y" ] ; then
+        echo "This script will allow you to generate basic filters.  For complex filters visit https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html"
+        echo ""
+        echo "Term: Allows you to match a value in a field.  For example you can select the field source_ip and the value 192.168.1.1"
+        echo "or choose a specific log type you want the rule to apply to ie. field_type: event_type and the field_value bro_http"
+        echo ""
+        echo "Wildcard: Allows you to use the wildcard * in the field_value.  For example field_type: useragent and field_value: *Mozilla* "
+        echo ""
+        echo "Please choose from the following filter types."
+        echo ""
+        echo "term or wildcard"
+            read filter_type
+            if [ ${filter_type,,} = "term" ] ; then
+                echo "What field do you want to filter on?"
+                    read field_name
+                echo "What is the value for the $field_name field."
+                    read field_value
+
+		cat << EOF >> "$rulename.yaml"
+#(Required)
+# A list of Elasticsearch filters used for find events
+# These filters are joined with AND and nested in a filtered query
+# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
+filter:
+
+- term:
+    $field_name: "$field_value"
+
+EOF
+            elif [ ${filter_type,,} = "wildcard" ] ; then
+                echo "What field do you want to use?"
+                    read field_name
+                echo "What is the value for the $field_name field."
+                    read field_value
+		cat << EOF >> "$rulename.yaml"
+#(Required)
+# A list of Elasticsearch filters used for find events
+# These filters are joined with AND and nested in a filtered query
+# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
+filter:
+
+- wildcard:
+    $field_name: "$field_value"
+
+EOF
+	    fi
+    else
+
+    cat << EOF >> "$rulename.yaml"
+#(Required)
+# A list of Elasticsearch filters used for find events
+# These filters are joined with AND and nested in a filtered query
+# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
+filter:
+
+- wildcard:
+    event_type: "*"
+
+EOF
+    fi
+
+}
+
+############################
+#     Re-alert Options     #
+############################
+realert_prompt()
+{
+echo "The realert option allows you to ignore repeating alerts for a given period of time."
+echo "Would you like to set a realert timeframe? (Y/N)"
+    read realert_option
+
+    if [ ${realert_option,,} = "y" ] ; then
+	echo "Please choose from the following units of measure:"
+	echo ""
+	echo " - weeks, days, hours, minutes, or seconds"
+	read realert_unit_of_measure
+	echo "Please enter the number of $realert_unit_of_measure you want to use."
+        read realert_timeframe
+
+     cat << EOF >> "$rulename.yaml"
+# This option allows you to ignore repeating alerts for a period of time.
+realert:
+  $realert_unit_of_measure: $realert_timeframe
+
+EOF
+    fi
+}
+
+#######################
+#    Final prompt     #
+#######################
+final_prompt()
+{
+current_directory=$(pwd)
+sleep 1
+echo "Writing rule to the following location:"
+echo ""
+echo "    $current_directory/$rulename.yaml"
+echo ""
+sleep 1
+echo "Complete!"
+sleep 1
+}
+
+
+###################################
+# Functions for Cardinality Rules #
+###################################
+cardinality_rule_prompt()
+{
+    echo "The Cardinality rule will be alert when the maximum or minimum number of unique values for a given field reach a threshold."
+    echo "What field do you want to be the Cardinality Field?"
+    echo ""
+        read cardinality_field
+	cat  << EOF >> "$rulename.yaml"
+
+# (Required)
+# Type of alert.
+# The Cardinality rule matches when the total number of unique values for a certain field , within a given timeframe is higher or lower than a threshold.
+type: cardinality
+
+# (Required, cardinality specific)
+# Count the number of unique value for this field
+cardinality_field: $cardinality_field
+
+EOF
+    echo ""
+    echo "To alert on values LESS than X unique values in the cardinality field: Press 1"
+    echo "To alert on values GREATER than X unique values in the cardinality field: Press 2"
+    echo ""
+        read cardinality_max_min
+    if [ $cardinality_max_min = "1" ] ; then
+        echo "The Minimum Cardinality value will alert you when there is less than X unique values in that field."
+        echo "What is the minimum Cardinality value?"
+        echo ""
+            read cardinality_min
+
+	cat << EOF >> "$rulename.yaml"
+# (Required, frequency specific)
+# Alert when there is less than X unique values
+min_cardinality: $cardinality_min
+
+EOF
+
+    elif [ $cardinality_max_min = "2" ] ; then
+        echo "The Maximum Cardinality value will alert you when there is more than X unique values."
+        echo "What is the maximum Cardinality value?"
+        echo ""
+            read cardinality_max
+
+	cat << EOF >> "$rulename.yaml"
+# (Required, frequency specific)
+# Alert when there is more than X unique values
+max_cardinality: $cardinality_max
+
+EOF
+
+    fi
+    echo ""
+    echo "The Cardinality Timeframe is defined as the number of unique values in the most recent X hours."
+    echo ""
+    echo "Below are the available units of measure for the timeframe field:"
+    echo " - weeks, days, hours, minutes, or seconds"
+    echo "What unit of measure do you want to use?"
+        read timeframe_units
+    echo "Please enter the number of $timeframe_units you want to use."
+        read timeframe
+
+    cat << EOF >> "$rulename.yaml"
+# (Required, frequency specific)
+# The cardinality is defined as the number of unique values for the most recent 4 hours
+
+timeframe:
+  $timeframe_units: $timeframe
+
+EOF
+
+echo "The query_key counts by this field. For each unique value of the query_key field, cardinality will be counted separately."
+echo "Would you like to set the query_key parameter? (Y/N)"
+	read cardinality_rule_options
+	if [ ${cardinality_rule_options,,} = "y" ] ; then
+	    echo "What field do you want the query_key to be?"
+	    read query_key
+	cat << EOF >> "$rulename.yaml"
+# (Optional, frequency specific)
+# query_key: Group cardinality counts by this field. For each unique value of the query_key field, cardinality will be counted separately.
+query_key: $query_key
+
+EOF
+	fi
+
+}
+
+#################################
+# Functions for Blacklist Rules #
+#################################
+blacklist_rule_prompt()
+{
+    echo "The blacklist rule will compare the values contained in a text file against the compare_key and alert if there is a match."
+    echo "What field do you want to compare to the blacklist?"
+    echo ""
+        read compare_key
+    echo "The blacklist file should be a text file with a single value per line."
+    echo ""
+    echo "The file needs to be accessible by the so-elastalert container."
+    echo ""
+    echo "Please enter the full path and filename of the blacklist."
+    echo ""
+        read -e blacklist_file_location
+
+    cat << EOF >> "$rulename.yaml"
+# (Required)
+# Type of alert.
+# The Blacklist rule will check  a certain field against a blacklist and match if it is in the blacklist
+type: blacklist
+
+# (Required, blacklist)
+# The name of the field to use to compare to the blacklist. If the field is null, those events will be ignored.
+compare_key: $compare_key
+
+# (Required, blacklist)
+# A list of blacklisted values, and/or a list of paths to flat files which contain the blacklisted values
+blacklist:
+    - "!file $blacklist_file_location"
+
+EOF
+
+}
+
+###################################
+#  Functions for Whitelist Rules  #
+###################################
+whitelist_rule_prompt()
+{
+    echo "The whitelist rule will compare the values contained in a text file against the compare_key and alert if there is a match."
+    echo "What field do you want to compare to the whitelist?"
+    echo ""
+        read compare_key
+
+    echo "The whitelist file should be a text file with a single value per line."
+    echo ""
+    echo "The file needs to be accessible by the so-elastalert container."
+    echo ""
+    echo "Please enter the full path and filename of the whitelist."
+    echo ""
+        read -e whitelist_file_location
+    echo "The ignore_null parameter If true, events without a compare_key field will not match."
+    echo ""
+    echo "Please enter true or false for the ignore_null parameter."
+	read ignore_null
+
+    cat << EOF >> "$rulename.yaml"
+# (Required)
+# Type of alert.
+# the whitelist rule will check a certain field against a whitelist and match if it is in the whitelist
+type: whitelist
+
+# (Required, whitelist)
+# The name of the field to use to compare to the whitelist. If the field is null, those events will be ignored.
+compare_key: $compare_key
+
+# (Required, whitelist)
+# ignore_null: If true, events without a compare_key field will not match.
+ignore_null: $ignore_null
+
+# (Required, whitelist)
+# A list of whitelisted values, and/or a list of paths to flat files which contain the whitelisted values
+whitelist:
+    - "!file $whitelist_file_location"
+
+EOF
+}
+
+###################################
+#  Functions for Frequency Rules  #
+###################################
+frequency_rule_prompt()
+{
+echo "The Frequency rule matches when there are at least a certain number of events in a given timeframe."
+echo ""
+echo "Enter the number of events you want to alert on:"
+    read num_events
+echo ""
+echo "Below are the available units of measure for the timeframe field:"
+echo " - weeks, days, hours, minutes, or seconds"
+echo "What unit of measure do you want to use?"
+    read timeframe_units
+echo "Please enter the number of $timeframe_units you want to use."
+    read timeframe
+
+cat << EOF >> "$rulename.yaml"
+
+# (Required)
+# Type of alert.
+# the frequency rule type alerts when num_events events occur with timeframe time
+type: frequency
+
+# (Required, frequency specific)
+# Alert when this many documents matching the query occur within a timeframe
+num_events: $num_events
+
+# (Required, frequency specific)
+# num_events must occur within this amount of time to trigger an alert
+timeframe:
+  $timeframe_units: $timeframe
+
+EOF
+
+cat << EOF 
+The frequency rule has the below optional fields:
+    - use_count_query: if true, ElastALert will poll Elasticsearch using the count api and not download all the matching
+    documents.  This is useful if you only care about the numbers and not the actual data.
+    - use_terms_query: If true, ElastAlert will make an aggregation query against Elasticsearch to get counts of documents matching 
+    each unique value of the query_key.  This will only return the Maximum of terms_size, default 50 unique terms.
+
+
+Would you like to set the optional settings? (Y/N)
+
+EOF
+    read frequency_rule_options
+
+    if [ ${frequency_rule_options,,} = "y" ] ; then
+	echo "To set the use_count_query to true: press 1"
+	echo "To set the use_terms_query to true: press 2"
+	    read frequency_query_type
+	if [ $frequency_query_type = "1" ] ; then
+
+            cat << EOF >> "$rulename.yaml"
+
+# Only count number of records, instead of bringing all data back
+use_count_query: true
+doc_type: 'doc'
+
+EOF
+	elif [ $frequency_query_type = "2" ] ; then
+	    echo "Please enter the query_key:"
+		read query_key
+	    echo "Please enter the terms size:"
+		read term_size
+
+	    cat << EOF >> "$rulename.yaml"
+# Only count number of records, instead of bringing all data back
+use_terms_query: true
+doc_type: 'doc'
+
+# Query_key count of documents will be stored independently for each value of query_key
+query_key: $query_key
+
+# Term_size is the maximum number of terms returned per query.  Default is 50.
+terms_size: $term_size
+
+EOF
+	fi 
+    fi
+
+}
+
+################################
+#  Functions for Change Rules  #
+################################
+change_rule_prompt()
+{
+echo "The change rule will monitor a certain field and match if that field changes."
+echo ""
+echo "The field must change with respect to the last event with the same query_key."
+echo "Below is an example with a query_key of bob and a compare_key of source_ip:"
+echo ""
+echo "    -username bob AND source_ip: 192.168.1.2"
+echo "    -username bob AND source_ip: 192.168.1.3"
+echo ""
+echo "The compare_key parameter names of the field to monitor for changes." 
+echo "Since this is a list of strings, we can have multiple keys. An alert will trigger if any of the fields change."
+echo ""
+echo "What field do you want to monitor for changes?"
+    read compare_key
+echo ""
+echo "The query_key parameter names the field that must be present in all of the events that are checked."
+echo "What field do you want be the query_key?"
+    read query_key
+echo ""
+echo "The value of compare_key must change in two events that are less than the timeframe apart to trigger an alert."
+echo ""
+echo "Below are the available units of measure for the timeframe field:"
+echo " - weeks, days, hours, minutes, or seconds"
+echo "What unit of measure do you want to use?"
+    read timeframe_units
+echo "Please enter the number of $timeframe_units you want to use."
+    read timeframe
+    cat << EOF >> "$rulename.yaml"
+# (Required)
+# Type of alert.
+# This rule will monitor a certain field and match if that field changes.
+type: change
+
+# (Required, change specific)
+# The field to look for changes in
+compare_key: $compare_key
+
+# (Required, change specific)
+# Ignore documents without the compare_key (source_ip) field
+ignore_null: true
+
+# (Required, change specific)
+# The change must occur in two documents with the same query_key
+query_key: $query_key
+
+# (Required, change specific)
+# The value of compare_key must change in two events that are less than timeframe apart to t$
+timeframe:
+  $timeframe_units: $timeframe
+
+EOF
+
+}
+
+################################
+#  Functions for Spike Rules   #
+################################
+spike_rule_prompt()
+{
+echo "The spike rule matches when the volume of events during a given time period is spike_height times larger or smaller than during the previous time period."
+echo ""
+echo "Example to detect syn flood attack to public facing webserver:"
+echo "Alert when the number of <Connection attempt seen, no reply>  connection states to my web server per hour is twice as many as the previous hour." 
+echo ""
+echo "The spike_height parameter is the ratio of number of events in the last timeframe to the previous timeframe that when hit will trigger an alert."
+echo "Note: This value is a multiple!!  2 = 2x as many; 5 = 5x as many"
+echo "What do you want the spike_height to be?"
+    read spike_height
+echo ""
+echo "What do you want the spike_type parameter to be?" 
+echo "   - up: more than previous timeframe" 
+echo "   - down: less than previous timeframe"
+echo "   - both: up or down"
+    read spike_type
+echo "Below are the available units of measure for the timeframe field:"
+echo " - weeks, days, hours, minutes, or seconds"
+echo "What unit of measure do you want to use?"
+    read timeframe_units
+echo "Please enter the number of $timeframe_units you want to use."
+    read timeframe
+    cat << EOF >> "$rulename.yaml"
+# (Required)
+# Type of alert.
+# This rule matches when the volume of events during a given time period is spike_height times larger or smaller than during the previous time period.
+type: spike
+
+# (Required, spike specific)
+# The ratio of number of events in the last timeframe to the previous timeframe.
+spike_height: $spike_height
+
+# (Required, spike specific)
+# The spike being up, down or both
+spike_type: $spike_type
+
+# (Required, spike specific)
+# The value of average out the rate of events over this time period.
+timeframe:
+  $timeframe_units: $timeframe
+
+EOF
+
+echo "The spike rule has the following optional parameters:"
+echo "     - field_value: When set, uses the value of the field in the document and not the number of matching documents. Note the value must be a number"
+echo "     - threshold_ref: The minimum number of events that must exist in the reference window for an alert to trigger." 
+echo "       For example, if spike_height: 3 and threshold_ref: 10, then the ‘reference’ window must contain at least 10 events and the ‘current’ window at least three times that for an alert to be triggered."
+echo "     - threshold_cur: The minimum number of events that must exist in the current window for an alert to trigger."
+echo "       For example, if spike_height: 3 and threshold_cur: 60, then an alert will occur if the current window has more than 60 events and the reference window has less than a third as many."
+echo ""
+echo "Would you like to set one of these parameters? (Y/N)"
+    read spike_additional_options
+    if [ ${spike_additional_options,,} = "y" ] ; then 
+	counter=0
+	while [ $counter -eq 0 ]; do
+	counter=$(( $counter + 1 ))
+	echo "Please choose from the following options:"
+	echo "For field_value: Press 1"
+	echo "For threshold_ref: Press 2"
+	echo "For threshold_cur: Press 3"
+	echo "To continue: Press 4"
+            read spike_options_select
+                if [ $spike_options_select = "1" ] ; then
+	            echo "What field would you like to use?"
+			read field_value_field
+			cat << EOF >> "$rulename.yaml"
+#(Optional, spike specific)
+# field_value: When set, uses the value of the field in the document and not the number of matching documents.
+field_value: $spike_options_select
+
+EOF
+# reset the counter for the while loop
+	counter=0
+		elif [ $spike_options_select = "2" ] ; then
+	            echo "What would you like the threshold_ref to be?"
+		    read threshold_ref_field
+		    cat << EOF >> "$rulename.yaml"
+#(Optional, spike specific)
+# The minimum number of events that must exist in the reference window for an alert to trigger. 
+threshold_ref: $threshold_ref_field
+
+EOF
+#Reset the counter for the while loop
+	counter=0
+		elif [ $spike_options_select = "3" ] ; then
+		    echo "What would you like the threshold_cur to be?"
+		    read threshold_cur_field
+		    cat << EOF >> "$rulename.yaml"
+#(Optional, spike specific
+# The minimum number of events that must exist in the current window for an alert to trigger.
+threshold_cur: $threshold_cur_field
+
+EOF
+#Reset the counter for the while loop
+	counter=0
+		elif [ $spike_options_select = "4" ] ; then
+   		counter=1   
+		fi
+        done
+    fi
+}
+
+###################################
+#  Functions for new term Rules   #
+###################################
+new_term_rule_prompt()
+{
+echo "This rule matches when a new value appears in a field that has never been seen before."
+echo "When ElastAlert starts, it will use an aggregation query to gather all known terms for a list of fields."
+echo ""
+echo "What field(s) do you want to monitor for new terms?"
+    read new_term_field
+cat << EOF >> "$rulename.yaml"
+# (Required)
+# Type of alert.
+# This rule matches when a new value appears in a field that has never been seen before.
+type: new_term
+
+# (Required, new_term specific)
+# Monitor the field ip_address
+fields:
+ - "$new_term_field"
+
+EOF
+
+echo "The New Term rule has the following additional options:"
+echo "    - terms_window_size: The amount of time used for the initial query to find existing terms. No term that has occurred within this time frame will trigger an alert. The default is 30 days."
+echo "    - window_step_size: When querying for existing terms, split up the time range into steps of this size. This is usefull when covering large timeframes"
+echo "    - alert_on_missing_field: Whether or not to alert when a field is missing from a document. The default is false."
+echo "Would you like to set any of these options? (Y/N)"
+    read new_term_options
+    if [ ${new_term_options,,} = "y" ] ; then
+	counter=0
+	while [ $counter -eq 0 ]; do
+	counter=$(( $counter + 1 ))
+	echo "Please choose from the following options:"
+	echo ""
+	echo "For terms_window_size: Press 1"
+	echo "For window_step_size: Press 2"
+	echo "For alert_on_missing_field: Press 3"
+	echo "To continue: Press 4"
+	    read new_term_loop_option
+	if [ $new_term_loop_option = "1" ] ; then
+	    echo "Below are the available units of measure for the terms_window_size field:"
+	    echo " - weeks, days, hours, minutes, or seconds"
+	    echo "What unit of measure do you want to use?"
+   	    read timeframe_units
+	    echo "Please enter the number of $timeframe_units you want to use."
+    	    read timeframe
+            cat << EOF >> "$rulename.yaml"
+
+# (Optional, new_term specific)
+# This means that we will query 90 days worth of data when ElastAlert starts to find which values of ip_address already exist
+# If they existed in the last 90 days, no alerts will be triggered for them when they appear
+terms_window_size:
+  $timeframe_units: $timeframe
+
+EOF
+#Reset the while loop counter
+	    counter=0
+	elif [ $new_term_loop_option = "2" ] ; then
+	    echo "Below are the available units of measure for the window_step_size field:"
+            echo " - weeks, days, hours, minutes, or seconds"
+            echo "What unit of measure do you want to use?"
+            read timeframe_units
+            echo "Please enter the number of $timeframe_units you want to use."
+            read timeframe
+            cat << EOF >> "$rulename.yaml"
+
+# (Optional, new_term specific)
+# This means that we will query 90 days worth of data when ElastAlert starts to find which values of ip_address alr$
+# If they existed in the last 90 days, no alerts will be triggered for them when they appear
+window_step_size:
+  $timeframe_units: $timeframe
+
+EOF
+#Reset the while loop counter
+	    counter=0
+	elif [ $new_term_loop_option = "3" ] ; then
+	    echo "Please enter either true or false for the alert_on_missing_field."
+		read alert_on_missing_field_option
+	    cat << EOF >> "$rulename.yaml"
+# (Optional, new_term specific)
+# Whether or not to alert when a field is missing from a document. The default is false.
+alert_on_missing_field: $alert_on_missing_field_option
+
+EOF
+#reset the while loop counter
+	    counter=0
+	elif [ $new_term_loop_options = "4" ] ; then
+	    counter=1
+	fi
+        done
+    fi
+}
+
+###################################
+#  Functions for Flat line Rules  #
+###################################
+flatline_rule_prompt()
+{
+echo "flatline: This rule matches when the total number of events is under a given threshold for a time period."
+echo ""
+echo "Please enter the minimum threshold of events."
+    read threshold
+echo "Below are the available units of measure for the timeframe field:"
+echo " - weeks, days, hours, minutes, or seconds"
+echo "What unit of measure do you want to use?"
+    read timeframe_units
+echo "Please enter the number of $timeframe_units you want to use."
+    read timeframe
+echo ""
+    cat << EOF >> "$rulename.yaml"
+# (Required)
+# Type of alert.
+# flatline: This rule matches when the total number of events is under a given threshold for a time period.
+type: flatline
+
+# (Required, spike specific)
+# threshold: The minimum number of events for an alert not to be triggered.
+threshold: $threshold
+
+# (Required, spike specific)
+# The value of average out the rate of events over this time period.
+timeframe:
+  $timeframe_units: $timeframe
+
+EOF
+
+echo "The flatline rule has the following additional options:"
+echo ""
+echo "    - use_count_query: If true, ElastAlert will poll Elasticsearch using the count api, and not download all of the matching documents."
+echo "    - use_terms_query: If true, ElastAlert will make an aggregation query against Elasticsearch to get counts of documents matching each unique value of query_key. "
+echo "    - terms_size: When used with use_terms_query, this is the maximum number of terms returned per query. Default is 50."
+echo "    - query_key: With flatline rule, query_key means that an alert will be triggered if any value of query_key has been seen at least once and then falls below the threshold."
+echo "    - forget_keys: Only valid when used with query_key. If this is set to true, ElastAlert will “forget” about the query_key value that triggers an alert, therefore preventing any more alerts for it until it’s seen again."
+echo ""
+echo "Would you like to set any of theses options? (Y/N)"
+    read flatline_option
+    if [ ${flatline_option,,} = "y" ] ; then
+        counter=0
+	while [ $counter -eq 0 ]; do
+            counter=$(( $counter + 1 ))
+	echo "Please choose from the following options:"
+	echo ""
+	echo "For use_count_query: Press 1"
+	echo "For use_term_query: Press 2"
+	echo "For terms_size: Press 3"
+	echo "To continue: Press 4"
+	echo ""
+	    read flatline_option_select
+
+	    if [ $flatline_option_select = "1" ] ; then
+		echo "Please enter true or false for the use_count_query field."
+		    read use_count_query
+		cat  << EOF >> "$rulename.yaml"
+
+# (Optional, flatline specific)
+# use_count_query: If true, ElastAlert will poll Elasticsearch using the count api, and not download all of the matching documents.
+use_count_query: $use_count_query
+doc_type: 'doc'
+
+EOF
+#Reset counter for while loop
+		counter=0
+
+	    elif [ $flatline_option_select = "2" ] ; then
+		echo "Please enter true or false for the use_terms_query." 
+		    read use_terms_query
+		echo "Please enter the query_key field."
+		    read query_key
+		echo "The forget_keys when set to true will, elastalert will forget about the query_key value, preventing any more alerts for it until it is seen again"
+		echo ""
+		echo "Please enter true of false for the forget_keys field."
+		    read forget_keys 
+		cat << EOF >> "$rulename.yaml"
+
+# (Optional, flatline specific)
+# Use_terms_query: If true, ElastAlert will make an aggregation query against Elasticsearch to get counts of documents matching each unique value of query_key."
+use_terms_query: $use_terms_query
+
+# (Optional, flatline specific)
+# Query_key means that an alert will be triggered if any value of query_key has been seen at least once and then falls below the threshold."
+query_key: $query_key
+
+# (Optional, flatline specific)
+# If this is set to true, ElastAlert will “forget” about the query_key value that triggers an alert, therefore preventing any more alerts for it until it’s seen again.
+forget_keys: $forget_keys 
+
+EOF
+#Reset counters for while loop
+		counter=0
+	    elif [ $flatline_option_select = "3" ] ; then
+		echo "Please enter the maximum number of terms returned per query,  Default is 50"
+		    read terms_size
+		cat << EOF >> "$rulename.yaml"
+
+# (Optional, flatline specific)
+# When used with use_terms_query, this is the maximum number of terms returned per query. Default is 50.
+terms_size: $terms_size
+
+EOF
+#Reset counters for while loop
+		counter=0
+
+	    elif [ $flatline_option_select = "4" ] ; then
+		counter=1
+	    fi
+	done
+fi
+}
+
+##########################
+#     Start Function     #
+##########################
+main_menu
diff --git a/salt/common/tools/sbin/so-elastalert-test b/salt/common/tools/sbin/so-elastalert-test
new file mode 100644
index 000000000..575865bd0
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastalert-test
@@ -0,0 +1,142 @@
+#!/bin/bash
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Originally written by Bryant Treacle
+# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
+# Modified by Doug Burks and Wes Lambert
+#
+# Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
+
+. /usr/sbin/so-elastic-common
+
+OPTIONS=""
+SKIP=0
+RESULTS_TO_LOG="n"
+RULE_NAME=""
+FILE_SAVE_LOCATION=""
+
+usage()
+{
+cat <<EOF
+
+Test Elastalert Rule
+  Options:
+  -h         		This message
+  -a         		Trigger real alerts instead of the debug alert
+  -l <path_to_file>     Write results to specified log file
+  -o '<options>'	Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
+  -r <rule_name>        Specify path/name of rule to test
+
+EOF
+}
+
+while getopts "hal:o:r:" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                a)
+                        OPTIONS="--alert"
+                        ;;
+                l)
+                        RESULTS_TO_LOG="y"
+                        FILE_SAVE_LOCATION=$OPTARG
+                        ;;
+                
+                o)
+			OPTIONS=$OPTARG
+                        ;;  
+                
+                r)
+                        RULE_NAME=$OPTARG
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+
+docker_exec(){
+	if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
+	else
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
+	fi	
+}
+
+rule_prompt(){
+	CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
+        echo
+        echo "This script will allow you to test an Elastalert rule."
+        echo
+        echo "Below is a list of active Elastalert rules:"
+        echo
+	echo "-----------------------------------"
+        echo
+        echo "$CURRENT_RULES"
+        echo
+	echo "-----------------------------------"
+	echo 
+        echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
+        echo
+        echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
+        echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
+        echo
+        while [ -z $RULE_NAME ]; do
+		echo "Please enter the file path and rule name you want to test."
+		read -e RULE_NAME
+	done
+}
+
+log_save_prompt(){
+	RESULTS_TO_LOG=""
+        while [ -z $RESULTS_TO_LOG ]; do
+		echo "The results can be rather long.  Would you like to write the results to a file? (Y/N)"
+		read RESULTS_TO_LOG
+	done
+}
+
+log_path_prompt(){
+        while [ -z $FILE_SAVE_LOCATION ]; do
+		echo "Please enter the file path and file name."
+		read -e FILE_SAVE_LOCATION
+        done
+		echo "Depending on the rule this may take a while."
+}
+
+if [ $SKIP -eq 0 ]; then
+	rule_prompt
+	log_save_prompt
+        if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	log_path_prompt
+        fi
+fi
+
+docker_exec
+
+if [ $? -eq 0 ]; then
+	echo "Test completed successfully!"
+else
+	echo "Something went wrong..."
+fi
+
+echo
+
+
+

From 79ef0b6e1f7f4ee7a9b4f3f72d07b4c0f0117bdd Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 8 Jan 2020 14:27:50 +0000
Subject: [PATCH 044/188] remove cyberchef from proxy conf

---
 salt/common/nginx/nginx.conf.so-eval   | 12 ------------
 salt/common/nginx/nginx.conf.so-master | 12 ------------
 2 files changed, 24 deletions(-)

diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval
index b5cf6ef5a..23257b807 100644
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -186,18 +186,6 @@ http {
 
         }
         
-        location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-	
         location /soctopus/ {
           proxy_pass http://{{ masterip }}:7000/;
           proxy_read_timeout    90;
diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master
index 265413fa2..0a0c31d6a 100644
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -188,18 +188,6 @@ http {
 
         }
 
-        location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-	
         location /soctopus/ {
           proxy_pass http://{{ masterip }}:7000/;
           proxy_read_timeout    90;

From 209f60d99e1af70a25ba47a720da70e8176c5dcb Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Wed, 8 Jan 2020 16:13:10 -0500
Subject: [PATCH 045/188] soscripts - so-elastic-diagnose

---
 salt/common/tools/sbin/so-elastic-diagnose | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elastic-diagnose

diff --git a/salt/common/tools/sbin/so-elastic-diagnose b/salt/common/tools/sbin/so-elastic-diagnose
new file mode 100644
index 000000000..0a8acc0ae
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-diagnose
@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Source common settings
+. /usr/sbin/so-common
+
+# Check for log files
+for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
+
+# If file exists, then look for errors or warnings 
+if [ -f $FILE ]; then
+	MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE` 
+	if [ ! -z "$MESSAGE" ]; then
+		header $FILE
+		echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
+		echo
+	fi
+fi
+done

From 1bfb8bbea280a4e7067cdba81c1b81c0872a1bd2 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 9 Jan 2020 12:20:25 -0500
Subject: [PATCH 046/188] Update SO-Auth version

---
 salt/auth/init.sls | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index 0d82f6cb9..bed7d18d5 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -7,17 +7,17 @@ so-auth-api-dir:
 
 so-auth-api-image:
     cmd.run:
-        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3
+        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4
 
 so-auth-ui-image:
     cmd.run:
-        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.3
+        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4
 
 so-auth-api:
     docker_container.running:
         - require:
             - so-auth-api-image
-        - image: docker.io/soshybridhunter/so-auth-api:HH1.1.3
+        - image: docker.io/soshybridhunter/so-auth-api:HH1.1.4
         - hostname: so-auth-api
         - name: so-auth-api
         - environment:
@@ -31,7 +31,7 @@ so-auth-ui:
     docker_container.running:
         - require:
             - so-auth-ui-image
-        - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.3
+        - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4
         - hostname: so-auth-ui
         - name: so-auth-ui
         - port_bindings:

From 140feb5515a5f7952b82266bab8c4b792378e9ae Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Fri, 10 Jan 2020 08:58:50 -0500
Subject: [PATCH 047/188] Fix git merge leftovers

---
 salt/common/nginx/nginx.conf.so-eval | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval
index 5c49c0100..d3e377881 100644
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -184,21 +184,6 @@ http {
 
         }
         
-<<<<<<< HEAD
-        location /cyberchef/ {
-          proxy_pass            http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version    1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-  
-=======
->>>>>>> origin/dev
         location /soctopus/ {
           proxy_pass            http://{{ masterip }}:7000/;
           proxy_read_timeout    90;

From 686282da62c5b29deaff645f8d5622f77de1fd0e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 10 Jan 2020 14:34:00 -0500
Subject: [PATCH 048/188] Registry Update - Update Script for image pull

---
 salt/common/tools/sbin/so-elastic-download | 3 +--
 updatemaster.sh                            | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download
index 8155af414..d6a1a51be 100644
--- a/salt/common/tools/sbin/so-elastic-download
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -7,8 +7,7 @@ TRUSTED_CONTAINERS=( \
 "so-bro:$VERSION" \
 "so-core:$VERSION" \
 "so-cortex:$VERSION" \
-"so-curator:VERSION" \
-"so-cyberchef:VERSION" \
+"so-curator:$VERSION" \
 "so-elastalert:$VERSION" \
 "so-elasticsearch:$VERSION" \
 "so-filebeat:$VERSION" \
diff --git a/updatemaster.sh b/updatemaster.sh
index 1bf22f07c..c66c01d86 100644
--- a/updatemaster.sh
+++ b/updatemaster.sh
@@ -11,4 +11,5 @@ chown -R socore:socore /opt/so/saltstack/salt
 chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
 cd ~
 rm -rf /tmp/sogh
+# Run so-elastic-download here and call this soup with some magic
 salt-call state.highstate

From 7e1870e9d0961642bfe562587ec5bab36962c568 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 13:52:30 +0000
Subject: [PATCH 049/188] update image versions

---
 salt/common/init.sls        | 4 ++--
 salt/elasticsearch/init.sls | 4 ++--
 salt/filebeat/init.sls      | 4 ++--
 salt/hive/init.sls          | 4 ++--
 salt/kibana/init.sls        | 4 ++--
 salt/logstash/init.sls      | 4 ++--
 salt/wazuh/init.sls         | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/salt/common/init.sls b/salt/common/init.sls
index e34431a46..12f229d4e 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -117,13 +117,13 @@ nginxtmp:
 # Start the core docker
 so-coreimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.4
 
 so-core:
   docker_container.running:
     - require:
       - so-coreimage
-    - image: docker.io/soshybridhunter/so-core:HH1.1.3
+    - image: docker.io/soshybridhunter/so-core:HH1.1.4
     - hostname: so-core
     - user: socore
     - binds:
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 4c5d3e644..b3f2e0ce5 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -100,13 +100,13 @@ eslogdir:
 
 so-elasticsearchimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elasticsearch:HH1.1.0
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elasticsearch:HH1.1.4
 
 so-elasticsearch:
   docker_container.running:
     - require:
       - so-elasticsearchimage
-    - image: docker.io/soshybridhunter/so-elasticsearch:HH1.1.0
+    - image: docker.io/soshybridhunter/so-elasticsearch:HH1.1.4
     - hostname: elasticsearch
     - name: so-elasticsearch
     - user: elasticsearch
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index fce1c6b38..1eaa1ae5b 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -58,13 +58,13 @@ filebeatconfsync:
 
 so-filebeatimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-filebeat:HH1.1.1
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-filebeat:HH1.1.4
 
 so-filebeat:
   docker_container.running:
     - require:
       - so-filebeatimage
-    - image: docker.io/soshybridhunter/so-filebeat:HH1.1.1
+    - image: docker.io/soshybridhunter/so-filebeat:HH1.1.4
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index 73b29b501..c08a74634 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -55,13 +55,13 @@ hiveesdata:
 
 so-thehive-esimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-es:HH1.1.1
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-es:HH1.1.4
 
 so-thehive-es:
   docker_container.running:
     - require:
       - so-thehive-esimage
-    - image: docker.io/soshybridhunter/so-thehive-es:HH1.1.1
+    - image: docker.io/soshybridhunter/so-thehive-es:HH1.1.4
     - hostname: so-thehive-es
     - name: so-thehive-es
     - user: 939
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 0d6262600..686564f34 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -56,14 +56,14 @@ synckibanacustom:
 
 so-kibanaimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-kibana:HH1.1.1
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-kibana:HH1.1.4
 
 # Start the kibana docker
 so-kibana:
   docker_container.running:
     - require:
       - so-kibanaimage
-    - image: docker.io/soshybridhunter/so-kibana:HH1.1.1
+    - image: docker.io/soshybridhunter/so-kibana:HH1.1.4
     - hostname: kibana
     - user: kibana
     - environment:
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index c2b80346f..6d9755c42 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -155,13 +155,13 @@ lslogdir:
 # Add the container
 so-logstashimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.1
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.4
 
 so-logstash:
   docker_container.running:
     - require:
       - so-logstashimage
-    - image: docker.io/soshybridhunter/so-logstash:HH1.1.1
+    - image: docker.io/soshybridhunter/so-logstash:HH1.1.4
     - hostname: so-logstash
     - name: so-logstash
     - user: logstash
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index a59a1d215..5825ed7d5 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -64,13 +64,13 @@ wazuhagentregister:
 
 so-wazuhimage:
  cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.3
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.4
 
 so-wazuh:
   docker_container.running:
     - require:
       - so-wazuhimage
-    - image: docker.io/soshybridhunter/so-wazuh:HH1.1.3
+    - image: docker.io/soshybridhunter/so-wazuh:HH1.1.4
     - hostname: {{HOSTNAME}}-wazuh-manager
     - name: so-wazuh
     - detach: True

From c4626020a451cc8e00c1538f939c1b7e6a26e39a Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 20:07:54 +0000
Subject: [PATCH 050/188] update so-allow to allow arguments

---
 salt/common/tools/sbin/so-allow | 118 +++++++++++++++++++++++++-------
 1 file changed, 94 insertions(+), 24 deletions(-)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 1685e386a..ff5a8c893 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,4 +1,23 @@
 #!/bin/bash
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SKIP=0
+
 got_root() {
 
   # Make sure you are root
@@ -11,32 +30,83 @@ got_root() {
 
 got_root
 
-echo "This program allows you to add a firewall rule to allow connections from a new IP address."
-echo ""
-echo "Choose the role for the IP or Range you would like to add"
-echo ""
-echo "[a] - Analyst - ports 80/tcp and 443/tcp"
-echo "[b] - Logstash Beat - port 5044/tcp"
-echo "[o] - Osquery endpoint - port 8080/tcp"
-echo "[w] - Wazuh endpoint - port 1514"
-echo ""
-echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
-read ROLE
-echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
-read IP
+while getopts "abowi:" OPTION
+do
+    case $OPTION in
+
+        h)
+            usage
+            exit 0
+            ;;
+        a)
+            FULLROLE="analyst"
+            SKIP=1
+            ;;
+        b)
+            FULLROLE=beats_endpoint
+            SKIP=1
+            ;;
+        i)  IP=$OPTARG
+            ;;
+        o)
+            FULLROLE=osquery_endpoint
+            SKIP=1
+            ;;
+        w)
+            FULLROLE=wazuh_endpoint
+            SKIP=1
+            ;;
+    esac
+done
+
+if [ "$SKIP" -eq 0 ]; then
+
+    echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+    echo ""
+    echo "Choose the role for the IP or Range you would like to add"
+    echo ""
+    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+    echo "[b] - Logstash Beat - port 5044/tcp"
+    echo "[o] - Osquery endpoint - port 8080/tcp"
+    echo "[w] - Wazuh endpoint - port 1514"
+    echo ""
+    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+    read ROLE
+    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+    read IP
+
+    if [ "$ROLE" == "a" ]; then
+        FULLROLE=analyst
+    elif [ "$ROLE" == "b" ]; then
+        FULLROLE=beats_endpoint
+    elif [ "$ROLE" == "o" ]; then
+        FULLROLE=osquery_endpoint
+    elif [ "$ROLE" == "w" ]; then
+        FULLROLE=wazuh_endpoint
+    else
+        echo "I don't recognize that role"
+        exit 1
+    fi
 
-if [ "$ROLE" == "a" ]; then
-  FULLROLE=analyst
-elif [ "$ROLE" == "b" ]; then
-  FULLROLE=beats_endpoint
-elif [ "$ROLE" == "o" ]; then
-  FULLROLE=osquery_endpoint
-elif [ "$ROLE" == "w" ]; then
-  FULLROLE=wazuh_endpoint
-else
-  echo "I don't recognize that role"
-  exit 1
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+                  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi

From 8c36b3b6953110157becc89b56ff86672b22ed33 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 20:17:38 +0000
Subject: [PATCH 051/188] add quotes

---
 salt/common/tools/sbin/so-allow | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index ff5a8c893..d76ddc83e 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -43,17 +43,17 @@ do
             SKIP=1
             ;;
         b)
-            FULLROLE=beats_endpoint
+            FULLROLE="beats_endpoint"
             SKIP=1
             ;;
         i)  IP=$OPTARG
             ;;
         o)
-            FULLROLE=osquery_endpoint
+            FULLROLE="osquery_endpoint"
             SKIP=1
             ;;
         w)
-            FULLROLE=wazuh_endpoint
+            FULLROLE="wazuh_endpoint"
             SKIP=1
             ;;
     esac

From 4d00f26c35875e89894b352630b9335aa818debb Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 15:51:38 -0500
Subject: [PATCH 052/188] Switch to Zeek and download registry

---
 salt/common/tools/sbin/so-elastic-download    |   15 +-
 salt/zeek/cron/packetloss.sh                  |    2 +
 salt/zeek/files/local.zeek                    |  120 +
 salt/zeek/files/node.cfg                      |   47 +
 salt/zeek/init.sls                            |  118 +
 salt/zeek/policy/intel/__load__.zeek          |    1 +
 .../securityonion/add-interface-to-logs.bro   |   20 +
 .../policy/securityonion/apt1/__load__.zeek   |    9 +
 .../policy/securityonion/apt1/apt1-certs.dat  |   26 +
 .../policy/securityonion/apt1/apt1-fqdn.dat   | 2049 +++++++++++++++++
 .../policy/securityonion/apt1/apt1-md5.dat    | 1012 ++++++++
 .../securityonion/conn-add-sensorname.bro     |   10 +
 .../file-extraction/__load__.zeek             |    1 +
 .../file-extraction/extract.zeek              |   21 +
 .../securityonion/json-logs/__load__.bro      |    3 +
 setup/functions.sh                            |   55 +-
 16 files changed, 3504 insertions(+), 5 deletions(-)
 create mode 100644 salt/zeek/cron/packetloss.sh
 create mode 100644 salt/zeek/files/local.zeek
 create mode 100644 salt/zeek/files/node.cfg
 create mode 100644 salt/zeek/init.sls
 create mode 100644 salt/zeek/policy/intel/__load__.zeek
 create mode 100644 salt/zeek/policy/securityonion/add-interface-to-logs.bro
 create mode 100644 salt/zeek/policy/securityonion/apt1/__load__.zeek
 create mode 100644 salt/zeek/policy/securityonion/apt1/apt1-certs.dat
 create mode 100644 salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
 create mode 100644 salt/zeek/policy/securityonion/apt1/apt1-md5.dat
 create mode 100644 salt/zeek/policy/securityonion/conn-add-sensorname.bro
 create mode 100644 salt/zeek/policy/securityonion/file-extraction/__load__.zeek
 create mode 100644 salt/zeek/policy/securityonion/file-extraction/extract.zeek
 create mode 100644 salt/zeek/policy/securityonion/json-logs/__load__.bro

diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download
index d6a1a51be..020a42f79 100644
--- a/salt/common/tools/sbin/so-elastic-download
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -1,21 +1,24 @@
 #!/bin/bash
-MASTER={{ MASTER }}
+MASTER=MASTER
 VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
 "so-auth-api:$VERSION" \
 "so-auth-ui:$VERSION" \
-"so-bro:$VERSION" \
 "so-core:$VERSION" \
-"so-cortex:$VERSION" \
+"so-thehive-cortex:$VERSION" \
 "so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
 "so-elastalert:$VERSION" \
 "so-elasticsearch:$VERSION" \
 "so-filebeat:$VERSION" \
 "so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
 "so-grafana:$VERSION" \
 "so-idstools:$VERSION" \
 "so-influxdb:$VERSION" \
 "so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
 "so-mysql:$VERSION" \
 "so-navigator:$VERSION" \
 "so-playbook:$VERSION" \
@@ -23,17 +26,21 @@ TRUSTED_CONTAINERS=( \
 "so-sensoroni:$VERSION" \
 "so-soctopus:$VERSION" \
 "so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
 "so-suricata:$VERSION" \
 "so-telegraf:$VERSION" \
 "so-thehive:$VERSION" \
 "so-thehive-es:$VERSION" \
-"so-wazuh:$VERSION" )
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
 
 for i in "${TRUSTED_CONTAINERS[@]}"
 do
   # Pull down the trusted docker image
+  echo "Downloading $i"
   docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
   # Tag it with the new registry destination
   docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
   docker push $MASTER:5000/soshybridhunter/$i
+  docker rmi soshybridhunter/$i
 done
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh
new file mode 100644
index 000000000..51812edf5
--- /dev/null
+++ b/salt/zeek/cron/packetloss.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log
diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
new file mode 100644
index 000000000..aed6bb59b
--- /dev/null
+++ b/salt/zeek/files/local.zeek
@@ -0,0 +1,120 @@
+##! Local site policy. Customize as appropriate.
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Estimate and log capture loss.
+@load misc/capture-loss
+
+# Enable logging of memory, packet and lag statistics.
+@load misc/stats
+
+# Load the scan detection script.  It's disabled by default because
+# it often causes performance issues.
+#@load misc/scan
+
+# Detect traceroute being run on the network. This could possibly cause
+# performance trouble when there are a lot of traceroutes on your network.
+# Enable cautiously.
+#@load misc/detect-traceroute
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local".  Refer to the software framework's documentation for more
+# information.
+@load frameworks/software/vulnerable
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+@load-sigs frameworks/signatures/detect-windows-shells
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when
+# running on live traffic.  Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets
+# where the name is not part of your local DNS zone and is being hosted
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
+# Uncomment the following line to check each SSL certificate hash against the ICSI
+# certificate notary service; see http://notary.icsi.berkeley.edu .
+# @load protocols/ssl/notary
+
+# If you have GeoIP support built in, do some geographic detections and
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
+
+#### Network File Handling ####
+
+# Enable MD5 and SHA1 hashing for all files.
+@load frameworks/files/hash-all-files
+
+# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
+@load frameworks/files/detect-MHR
+
+# Extend email alerting to include hostnames
+@load policy/frameworks/notice/extend-email/hostnames
+
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file.
+# @load policy/protocols/conn/vlan-logging
+
+# Uncomment the following line to enable logging of link-layer addresses. Enabling
+# this adds the link-layer address for each connection endpoint to the conn.log file.
+# @load policy/protocols/conn/mac-logging
+
+# JA3 - SSL Detection Goodness
+@load policy/ja3
+
+# HASSH
+@load policy/hassh
+
+# You can load your own intel into:
+# /opt/so/saltstack/bro/policy/intel/ on the master
+@load intel
+
+# Load a custom Bro policy
+# /opt/so/saltstack/bro/policy/custom/ on the master
+#@load custom/somebropolicy.bro
+
+# Write logs in JSON
+redef LogAscii::use_json = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
diff --git a/salt/zeek/files/node.cfg b/salt/zeek/files/node.cfg
new file mode 100644
index 000000000..6f9608113
--- /dev/null
+++ b/salt/zeek/files/node.cfg
@@ -0,0 +1,47 @@
+{%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+
+{%- if salt['pillar.get']('sensor:bro_pins') or salt['pillar.get']('sensor:bro_lbprocs') %}
+{%- if salt['pillar.get']('sensor:bro_proxies') %}
+  {%- set proxies =  salt['pillar.get']('sensor:bro_proxies', '1') %}
+{%- else %}
+  {%- if salt['pillar.get']('sensor:bro_pins') %}
+    {%- set proxies = (salt['pillar.get']('sensor:bro_pins')|length/10)|round(0, 'ceil')|int %}
+  {%- else %}
+    {%- set proxies = (salt['pillar.get']('sensor:bro_lbprocs')/10)|round(0, 'ceil')|int %}
+  {%- endif %}
+{%- endif %}
+[manager]
+type=manager
+host=localhost
+
+[logger]
+type=logger
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[worker-1]
+type=worker
+host=localhost
+interface=af_packet::{{ interface }}
+lb_method=custom
+
+{%- if salt['pillar.get']('sensor:bro_lbprocs') %}
+lb_procs={{ salt['pillar.get']('sensor:bro_lbprocs', '1') }}
+{%- else %}
+lb_procs={{ salt['pillar.get']('sensor:bro_pins')|length }}
+{%- endif %}
+{%- if salt['pillar.get']('sensor:bro_pins') %}
+pin_cpus={{ salt['pillar.get']('sensor:bro_pins')|join(", ") }}
+{%- endif %}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size=128*1024*1024
+{%- else %}
+[brosa]
+type=standalone
+host=localhost
+interface={{ interface }}
+{%- endif %}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
new file mode 100644
index 000000000..f46d5dbc1
--- /dev/null
+++ b/salt/zeek/init.sls
@@ -0,0 +1,118 @@
+{%- set VERSION = salt['pillar.get']('static:soversion', '1.1.4') -%}
+{%- set MASTER = salt['grains.get']('master') -%}
+# Zeek Salt State
+# Add Zeek group
+zeekgroup:
+  group.present:
+    - name: zeek
+    - gid: 937
+
+# Add Zeek User
+zeek:
+  user.present:
+    - uid: 937
+    - gid: 937
+    - home: /home/zeek
+
+# Create some directories
+zeekpolicydir:
+  file.directory:
+    - name: /opt/so/conf/zeek/policy
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+# Zeek Log Directory
+zeeklogdir:
+  file.directory:
+    - name: /nsm/zeek/logs
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+# Zeek Spool Directory
+zeekspooldir:
+  file.directory:
+    - name: /nsm/zeek/spool/manager
+    - user: 937
+    - makedirs: true
+
+# Zeek extracted
+zeekextractdir:
+  file.directory:
+    - name: /nsm/zeek/extracted
+    - user: 937
+    - group: 939
+    - makedirs: True
+
+zeeksfafincompletedir:
+  file.directory:
+    - name: /nsm/faf/files/incomplete
+    - user: 937
+    - makedirs: true
+
+zeeksfafcompletedir:
+  file.directory:
+    - name: /nsm/faf/files/complete
+    - user: 937
+    - makedirs: true
+
+# Sync the policies
+zeekpolicysync:
+  file.recurse:
+    - name: /opt/so/conf/zeek/policy
+    - source: salt://zeek/policy
+    - user: 937
+    - group: 939
+    - template: jinja
+
+# Sync node.cfg
+nodecfgsync:
+  file.managed:
+    - name: /opt/so/conf/zeek/node.cfg
+    - source: salt://zeek/files/node.cfg
+    - user: 937
+    - group: 939
+    - template: jinja
+
+plcronscript:
+  file.managed:
+    - name: /usr/local/bin/packetloss.sh
+    - source: salt://zeek/cron/packetloss.sh
+    - mode: 755
+
+/usr/local/bin/packetloss.sh:
+  cron.present:
+    - user: root
+    - minute: '*/10'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+localzeeksync:
+  file.managed:
+    - name: /opt/so/conf/zeek/local.zeek
+    - source: salt://zeek/files/local.zeek
+    - user: 937
+    - group: 939
+    - template: jinja
+
+so-zeek:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:HH{{ VERSION }}
+    - privileged: True
+    - binds:
+      - /nsm/zeek/logs:/nsm/zeek/logs:rw
+      - /nsm/zeek/spool:/nsm/zeek/spool:rw
+      - /nsm/zeek/extracted:/nsm/zeek/extracted:rw
+      - /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
+      - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
+      - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
+      - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
+      - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
+    - network_mode: host
+    - watch:
+      - file: /opt/so/conf/zeek/local.zeek
+      - file: /opt/so/conf/zeek/node.cfg
+      - file: /opt/so/conf/zeek/policy
diff --git a/salt/zeek/policy/intel/__load__.zeek b/salt/zeek/policy/intel/__load__.zeek
new file mode 100644
index 000000000..4a4d603a7
--- /dev/null
+++ b/salt/zeek/policy/intel/__load__.zeek
@@ -0,0 +1 @@
+#Intel
diff --git a/salt/zeek/policy/securityonion/add-interface-to-logs.bro b/salt/zeek/policy/securityonion/add-interface-to-logs.bro
new file mode 100644
index 000000000..674b9272a
--- /dev/null
+++ b/salt/zeek/policy/securityonion/add-interface-to-logs.bro
@@ -0,0 +1,20 @@
+{%- set interface = salt['pillar.get']('sensor:interface', '0') %}
+global interface = "{{ interface }}";
+
+event bro_init()
+	{
+	if ( ! reading_live_traffic() )
+		return;
+
+	Log::remove_default_filter(HTTP::LOG);
+	Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
+	                            $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
+	                            	{
+	                            	local peer = get_event_peer()$descr;
+	                            	if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
+	                            		return cat("http_", Cluster::nodes[peer]$interface);
+	                            	else
+	                            		return "http";
+	                            	}
+	                            ]);
+	}
diff --git a/salt/zeek/policy/securityonion/apt1/__load__.zeek b/salt/zeek/policy/securityonion/apt1/__load__.zeek
new file mode 100644
index 000000000..de931eaac
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/__load__.zeek
@@ -0,0 +1,9 @@
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+
+redef Intel::read_files += {
+  fmt("%s/apt1-fqdn.dat", @DIR),
+  fmt("%s/apt1-md5.dat", @DIR),
+  fmt("%s/apt1-certs.dat", @DIR)
+};
diff --git a/salt/zeek/policy/securityonion/apt1/apt1-certs.dat b/salt/zeek/policy/securityonion/apt1/apt1-certs.dat
new file mode 100644
index 000000000..3f5e643ac
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/apt1-certs.dat
@@ -0,0 +1,26 @@
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
+b054e26ef827fbbf5829f84a9bdbb697a5b042fc	Intel::CERT_HASH	Mandiant APT1 Report	ALPHA	T
+7bc0cc2cf7c3a996c32dbe7e938993f7087105b4	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+7855c132af1390413d4e4ff4ead321f8802d8243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+f3e3c590d7126bd227733e9d8313d2575c421243	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d4d4e896ce7d73b573f0a0006080a246aec61fe7	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bcdf4809c1886ac95478bbafde246d0603934298	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+6b4855df8afc8d57a671fe5ed628f6d88852a922	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+d50fdc82c328319ac60f256d3119b8708cd5717b	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+70b48d5177eebe9c762e9a37ecabebfd10e1b7e9	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+3a6a299b764500ce1b6e58a32a257139d61a3543	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+bf4f90e0029b2263af1141963ddf2a0c71a6b5fb	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+b21139583dec0dae344cca530690ec1f344acc79	Intel::CERT_HASH	Mandiant APT1 Report	AOL	T
+21971ffef58baf6f638df2f7e2cceb4c58b173c8	Intel::CERT_HASH	Mandiant APT1 Report	EMAIL	T
+04ecff66973c92a1c348666d5a4738557cce0cfc	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+f97d1a703aec44d0f53a3a294e33acda43a49de1	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe	Intel::CERT_HASH	Mandiant APT1 Report	IBM	T
+1b27a897cda019da2c3a6dc838761871e8bf5b5d	Intel::CERT_HASH	Mandiant APT1 Report	LAME	T
+d515996e8696612dc78fc6db39006466fc6550df	Intel::CERT_HASH	Mandiant APT1 Report	MOON-NIGHT	T
+8f79315659e59c79f1301ef4aee67b18ae2d9f1c	Intel::CERT_HASH	Mandiant APT1 Report	NONAME	T
+a57a84975e31e376e3512da7b05ad06ef6441f53	Intel::CERT_HASH	Mandiant APT1 Report	NS	T
+b3db37a0edde97b3c3c15da5f2d81d27af82f583	Intel::CERT_HASH	Mandiant APT1 Report	SERVER (PEM)	T
+6d8f1454f6392361fb2464b744d4fc09eee5fcfd	Intel::CERT_HASH	Mandiant APT1 Report	SUR	T
+b66e230f404b2cc1c033ccacda5d0a14b74a2752	Intel::CERT_HASH	Mandiant APT1 Report	VIRTUALLYTHERE	T
+4acbadb86a91834493dde276736cdf8f7ef5d497	Intel::CERT_HASH	Mandiant APT1 Report	WEBMAIL	T
+86a48093d9b577955c4c9bd19e30536aae5543d4	Intel::CERT_HASH	Mandiant APT1 Report	YAHOO	T
\ No newline at end of file
diff --git a/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat b/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
new file mode 100644
index 000000000..f0a57f8c3
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/apt1-fqdn.dat
@@ -0,0 +1,2049 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# The following line is for testing only.  Please keep it commented out when running in production.
+#time.windows.com	Intel::DOMAIN	Test FQDN	T
+advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+aolon1ine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+attnpower.com	Intel::DOMAIN	Mandiant APT1 Report	T
+aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+avvmail.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bluecoate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cometoway.org	Intel::DOMAIN	Mandiant APT1 Report	T
+companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+competrip.com	Intel::DOMAIN	Mandiant APT1 Report	T
+comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+conferencesinfo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+copporationnews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cslisten.com	Intel::DOMAIN	Mandiant APT1 Report	T
+defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+giftnews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hkcastte.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+hvmetal.com	Intel::DOMAIN	Mandiant APT1 Report	T
+idirectech.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+maltempata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mediaxsds.net	Intel::DOMAIN	Mandiant APT1 Report	T
+microsoft-update-info.com	Intel::DOMAIN	Mandiant APT1 Report	T
+micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+myyahoonews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+newsesport.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nirvanaol.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ns06.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+olmusic100.com	Intel::DOMAIN	Mandiant APT1 Report	T
+onefastgame.net	Intel::DOMAIN	Mandiant APT1 Report	T
+oplaymagzine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pcclubddk.net	Intel::DOMAIN	Mandiant APT1 Report	T
+phoenixtvus.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+progammerli.com	Intel::DOMAIN	Mandiant APT1 Report	T
+purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+regicsgf.net	Intel::DOMAIN	Mandiant APT1 Report	T
+reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+shepmas.com	Intel::DOMAIN	Mandiant APT1 Report	T
+skyswim.net	Intel::DOMAIN	Mandiant APT1 Report	T
+softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+syscation.com	Intel::DOMAIN	Mandiant APT1 Report	T
+syscation.net	Intel::DOMAIN	Mandiant APT1 Report	T
+tfxdccssl.net	Intel::DOMAIN	Mandiant APT1 Report	T
+thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+tibethome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ushongkong.org	Intel::DOMAIN	Mandiant APT1 Report	T
+usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+usnftc.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ustvb.com	Intel::DOMAIN	Mandiant APT1 Report	T
+uszzcs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webservicesupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+youipcam.com	Intel::DOMAIN	Mandiant APT1 Report	T
+08elec.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+09back.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+3ml.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+3pma.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+4cback.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+7cback.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+911.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ad.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-af.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aam.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aar.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aarco.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-bne.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+abs.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+acer.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+acli-mail.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-co.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+acu.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+adb.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+add.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+addr.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+adi002.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+a-dl.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+admin.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+admin.datastorage01.org	Intel::DOMAIN	Mandiant APT1 Report	T
+admin.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+admin.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+adobe.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ads.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+adt.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+adt001.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+adt002.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+adtk.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+adtkl.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+adtkl.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+adtlk.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ae.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ec.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ep.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aero.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aes.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ex.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+af.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+afda.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-fj.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+africa.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+africa.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+africa.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+africadb.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+afw.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ga.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+agl.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ago.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-gon.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-he.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-he.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-if.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-iho.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aiic.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aip.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+airline.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+airplane.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ait.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ja.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-jsm.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-jsm.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ak47.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ak47.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+alarm.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+alarm.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+alcan.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+alion.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+alone.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+amanda.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+amne.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ams.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+amusement.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+analysis.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+anglo.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+anti.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+aol.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ol.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aol.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+aol.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+aon.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ov.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+apa.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+apa.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+apa.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+apejack.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+apekl.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-pep.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+app.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+app.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+apple.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+apple.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+apple.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+apple.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+aps.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+apss.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+apss.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ara.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ara.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ara2.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ara2.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+arainfo.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+arainfo.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-rdr.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ares.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+argsafhq.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-ri.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+armi.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+army.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+army.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ascn.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+asiv.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+asp.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+asp.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+asp.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+asp.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ass.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+astone.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+atm.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+atom.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+a-uac.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-un.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ausi.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+auto.myyahoonews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+avast.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+avph.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+a-za.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-za.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+a-zx.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+b.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bab.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+back.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+back.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+back.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+back.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+backsun.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+backup.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+backup.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+backup.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+backupsw.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+banner.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+barity.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+basketball.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bass.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bat.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bat.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bat.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bat.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bbb.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bbh.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bbs.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bbs.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bbsfu.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bcc.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bcc.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bcc.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bee.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bee.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bee.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bg-g.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bhbt.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bhbt.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bing.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bitdefender.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bkav.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bkav2007.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bksy.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+black.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+black.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+blackfish.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bll.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+blog.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+blog.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+blog.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+blog.regicsgf.net	Intel::DOMAIN	Mandiant APT1 Report	T
+blow.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+blue.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bluefin.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bmi.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bob.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+bobo.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bobo.oplaymagzine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+book.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+book.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+book.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bot.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bourne.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+bphb.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bring.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+brog.regicsgf.net	Intel::DOMAIN	Mandiant APT1 Report	T
+bswt.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+built.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+business.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+business.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+business.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+business.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+business.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+business.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+buy.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+buy.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+buycow.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+buyer.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+buz.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+c.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+caaid.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cac.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cac.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cache.aolon1ine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cacq.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cadfait.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cais.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cais.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+can.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+canada.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+canary.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cappuccino.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+car1.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+care.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+care.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cars.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+carvin.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+catalog.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ccsukl.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cdc01.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+cdcd.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cdd.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cdrnkl.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cecilia.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ce-ip.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+center.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+center.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+center.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ceros.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cetv.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+chat.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+chat.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+check.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+check.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+chicken.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+chicken.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+chivas.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+chq.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+christitannahill.appspot.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cib.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cibuc.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+citrix.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+citt.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+city.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+class.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+client.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+climate.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+climate.oplaymagzine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+clin.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+cman.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cmp.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cobh.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+coco.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+code.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+code.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+coe.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+coe.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+coer.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cok.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+com.conferencesinfo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+comfile.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+commpany.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+company.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+compfile.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+compu.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+compute.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+conn.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+contact.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+contact.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+contact.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+contact.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+contact.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+contact.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+content.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+control.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+control.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cook.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cool.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+cool.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+corn.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+corp.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+corp.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cost.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+count.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+country.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cow.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cowboy.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cowboy.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+crab.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+crab.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+crab.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+crackling123.appspot.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cross.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+crz.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+cs.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+csch.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+csupp.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ctcn.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ctcs.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ctcs.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ctimoon.marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ctisk.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cubbh.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+cubh.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+culture.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cure.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+current.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cw.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cw.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cw.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cw.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cw.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+cwe.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cwe80.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cwel.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+cws.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+d.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+da.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+daa.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+daily.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+data.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+date.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+date.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+date.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+date.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+datehelp.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dating.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+db.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+default.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+defense.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+del.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+demo.myyahoonews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+den.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+denel.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+densun.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+des.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+des.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+develop.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dhfx.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dias.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+digi.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dith.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dl.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dlkl.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dnn.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dns.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dns.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+dns.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dns.progammerli.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dns.webservicesupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dns1.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dnsg.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+do.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+doa.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+docu.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+documents.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dod.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+doekl.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+domain.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+domain.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+domain.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dorkia.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dot.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+dotnet.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dove.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+down.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+down.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+down.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+download.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+download.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+download.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+download.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+download.idirectech.com	Intel::DOMAIN	Mandiant APT1 Report	T
+download.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+download.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+downloads.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+downupdate.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dp.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dq.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+drb.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+drinkwater.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+drop.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dsh.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dsw.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dvid.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dvid.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+dvn.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dyn.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+dyn.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+dyns.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.microsoft-update-info.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+e.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+e.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+e.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+e.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+e.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+eaof.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+east.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+eatbeef.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ecli-cow.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+edit.aolon1ine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+edu.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+education.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+education.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+eeaa.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+eee.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+egcc.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+email.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+email.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+email.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+email.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+email.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+email.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+email.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+email.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+email.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+emam.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+en.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+energy.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+energy.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+energy.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+energy.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+energy.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+energy.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+engine.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+engineering.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+environment.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+eoaf.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+epod.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+eu.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+eum.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+europa.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+europe.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ever.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+everest.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+eye.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+f3tel.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+face.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+facebook.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+faq.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fashion.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fax.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fcn.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+fed.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ffej.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ffej.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fher.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fher.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fhh.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+file.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+file.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+files.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+files.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+fileshare.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+fileyp.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+film.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+fim.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+fim.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finance.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+financial.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fine.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fineca.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fineca.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+finekl.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+finekl.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+finekl.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fiona.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fire.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fire1.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+first.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fjod.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fkfc.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flash.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+flucare.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fly.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fme.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+f-mi.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fmp.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fmp.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fnem.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fni.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fni.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fni.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fnpc.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fnrn.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fntel.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fok.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+follow.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+food.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+food.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+football.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+forum.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+free.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+friends.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+froum.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+fs.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fs.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fstl.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fstl.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fstl.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.ustvb.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftp.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftph.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ftrj.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fuck.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fun.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+function.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+function.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+funny.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+funny.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fwb.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fwb.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fwmo.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fwmo.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+fy.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+fza.marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gaca.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+gaca.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+game.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+game.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+games.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gannett.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gatu.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gayi.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gee.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gege.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gege.oplaymagzine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+geneticmedicine.conferencesinfo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+geo.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+geology.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+geology.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gg.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gg.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ghma.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+gjjr.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gjmy.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gl.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+glj.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+global.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+global.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+globalization.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+glx.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gmail.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+gmail.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gmail.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+google.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+goverment.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+green.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ground.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ground.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ground.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+gsti.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+gsup.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+half.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+half.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+happy.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+happy.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+happy.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+happy.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+happyfish.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hav.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+health.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hello.mediaxsds.net	Intel::DOMAIN	Mandiant APT1 Report	T
+help.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+help.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+help.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+help.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+help.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+help.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+help.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hi.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hill.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hill.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hill.businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hill.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+hm.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+home.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+home.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+home.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+home.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+home.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hon.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+host.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+host.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+host.regicsgf.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hostname.regicsgf.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hot.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hotel.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+house.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+house.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+house.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+housew.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hpd.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hq.lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+hrsy.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+https.lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+https.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+https.progammerli.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hu.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hun.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hy.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+hy.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+iabk.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+iabk.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+iai.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+iamge.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+idtheft.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+iea.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+iexchangefxn.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ifc.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+image.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+image.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+image.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+image.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+image.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+images.spmiller.org	Intel::DOMAIN	Mandiant APT1 Report	T
+important.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+index.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+india.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+indian.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+indian.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+indonesia.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.idirectech.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+info.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+info.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+info.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+info.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.theagenews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+info.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+info.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+information.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+information.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+information.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+information.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+information.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ins.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+insat.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+int.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+int.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+intel.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+intel.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+intel.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+inter.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+international.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+invest.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ips.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+iri.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+iri.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+irl.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+irs.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+irs.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+irsauctions.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+irssales.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+iscu.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+iswb.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+it.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+it.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+itau.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+itinfo.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+japan.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+java.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+jbei.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jeff.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jeph.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+jf.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jfn.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jfs.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+jhd.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+jhd.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jhsfkjlhjsf.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+job.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+job.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+job.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jobs.mediaxsds.net	Intel::DOMAIN	Mandiant APT1 Report	T
+johnford985.appspot.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jr.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+juda.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+jwss.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+kf.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+khoda.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+king-kl.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kit.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+kit.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klape.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klati.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klbakerm.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klbar.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klbis.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klbis.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klbis.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-care.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klcirf.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klcocon.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+klecca.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klecca.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klenvi.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-hqun.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-hqun.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kliee.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-knab.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kllhd.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kllhd.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-mfa.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klmfat.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klnrdc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+klnrdc.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klotp.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klpiec.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-rfc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-rio.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kluscc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+kl-vfw.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+klwest.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+knab.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+knews.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+koa.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.petrotdl.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ks.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ksaa.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ksap.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+kshan.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+kusw.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lab.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+lan.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+launch.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+law.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+law.myyahoonews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lawste.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lawste2.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lcan.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+leets.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+leon.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lhd.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lib.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+life.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+link.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+linkup.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+linux.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lion.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+listen.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+live.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+living.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ln.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lnz.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+loading.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+local.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+log.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+log.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+log.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+log.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+log.sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+login.aolon1ine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+login.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+login.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+login.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+login.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+login.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+logo.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+logo.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+logo.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+logon.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+logs.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+logs.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+logs.pcclubddk.net	Intel::DOMAIN	Mandiant APT1 Report	T
+logs.sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lone.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+loper.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lost.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+lost.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+love.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+love.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+love.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+lovecocon.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+loveit.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lrl.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lucie.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+lucy.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lucy.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lucy.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lucy.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lucy2.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lucy2.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lw.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+lw.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+lw.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+lw.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+lwave.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+m.cslisten.com	Intel::DOMAIN	Mandiant APT1 Report	T
+m.ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+macfee.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+magazine.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+magazine.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+magic.tfxdccssl.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.oplaymagzine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.ustvb.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mail2.syscation.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mailbbs.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mails.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mailsrv.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+main.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+man001.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+man001.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+map.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+maria.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+marines.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+max.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mc.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mcsc.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+me.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+media.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+medicine.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+medicine.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+meg.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+meily.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+memberd.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+message.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+messenger.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+method.ns06.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mfa.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mfc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+micro.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+microsoft.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+milk.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mini.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+mint.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mko.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mlls.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mobile.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+money.sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+moon.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+moon.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mor.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+more.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mos.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+moto.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+moto.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+moto.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+moto1.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+moto2.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+motoa.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+motor.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+movie.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+movies.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mpe.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+msn.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+music.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+music.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+music.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+music.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+mx.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+my.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+my550.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+myfamily.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mynet.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+myoil.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+mysql.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+na.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+na.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nat.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nature.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nav.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+navi.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+navi.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nci.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nci.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nci.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ncih.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ncsc.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ne.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nes.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+net.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+net.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+new.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+new.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+new.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+new.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newport.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+newport.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newport.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.aolon1ine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+news.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.mediaxsds.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.myyahoonews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.pcclubddk.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+news.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+news.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.yahoo.com.conferencesinfo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+news.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newstar.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+newstar.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newstime.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+newyork.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ngc.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ngng.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nh.microsoft-update-info.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nhc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nhs.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nhs1.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nhs1.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nhsl.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nic.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nicenews.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+night.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nis.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nl.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nod.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+nol.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+norin.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+notebook.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nousage.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nrfn.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ns.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+nt.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nucor001.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+nukor001.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+nullmx.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+num.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+o.ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+object.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+office.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+okie.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+old.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+oliver.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+once.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+onk.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+online.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+online.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+online.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+online.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+online.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ope.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+opp.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+oppa.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+opts.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+orca.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ord.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+orient.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+otp.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+otps.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou1.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ou1.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou2.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ou2.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou3.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou4.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou5.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou6.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ou7.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+outlook.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+outlooks.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+owa.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+owa.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+owa.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+owa.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pacific.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pacific.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pack.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pact.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+paekl.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+papper.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+papper.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pars.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+part.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+part.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+parth.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pay.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pay.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+payse.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pcie.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pda.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pda.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pda.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pda.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pda.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pdoc.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pear.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pear.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pear.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+people.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+phb.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+phe.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+philippines.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pic.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+picture.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pink.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+plane.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+planning.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+play.conferencesinfo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+play.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pme.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+png.sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop2.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop2.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop3.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop3.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop4.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop5.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+pop6.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pop9.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+popw.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+popwk.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+portbab.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+portpop.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ppt.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+prc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+prefix.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+prefix.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pro.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+proc.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+proc.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+product.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+program.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+progress.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+protoc.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+psp.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+psp.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+psu.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+psu.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+psu.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ptp.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+pz.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+qedh.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+qhun-mons.businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao1.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao1.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao2.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao3.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao4.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao5.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao6.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao7.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qiao8.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qua.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+qual.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+quick.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+quiet.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+qusc12.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+rank.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+rcs.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+reas.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+record.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+records.marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+red.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+red.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+reg.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+release.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+release.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+release.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+report.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+report.regicsgf.net	Intel::DOMAIN	Mandiant APT1 Report	T
+reports.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+research.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+research.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+rice.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+rj.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+rj.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+rnew.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+roger.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+root.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+root.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+rou.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+rsut.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+s.ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+s.microsoft-update-info.com	Intel::DOMAIN	Mandiant APT1 Report	T
+saf.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+saf.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+safbejn.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+safe.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+safe.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+safety.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+safety.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+safety.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+safr.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sale.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sale.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sales.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sam.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sam.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sam.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+satellite.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sauu.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sav.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sb.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sbh.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+scc.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+scc.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+science.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+scorpion.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+scpkl.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sea.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sea001.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+search.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+search.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+search.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+security.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+security.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+security.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+security.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+self.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sells.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sells.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+send.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+serv.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+serve.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+server.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+service.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+service.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+service.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+service.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+service.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+services.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+services.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+servmail.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+servmailb.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+servmails.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+set.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sfn.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sh.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+share.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+share.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+share.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+share.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+share.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+shit.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+shop.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+shop.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+shop.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+shop.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+shop.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+shot.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+shot.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+shot.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sifcc.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+signal.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sinbg.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sisc.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sites.progammerli.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sk2.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+skills.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+skills.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sklcenter.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sky.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sky.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sky.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+sky.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+slnoa.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+slnoa.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+slrfc.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+slrj.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+slrou.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+slrouji.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sls.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+slutc.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sma.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smile.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smlk.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smooth.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+smtp.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+snoopy.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+snoot.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sns.syscation.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sns.syscation.net	Intel::DOMAIN	Mandiant APT1 Report	T
+soft.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+soft.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+soft.cnnnewsdaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+soft.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+soft.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+soft.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+software.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+software.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+solar.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+solar.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+solar.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+soler.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sona.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sonah.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+songhong.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sope.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sos.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sotp.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+source.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sp.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sp.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+space.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+spah.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+spahi.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+spckl.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+spcmon.businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+special.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sports3.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sprts.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+spte.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+squick.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sremx.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+srs.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+srs.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+srs.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+srvmail.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sslsrv1.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sslsrv2.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sslsrv5.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sslsrv5.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sslsrv6.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ssun.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+star.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+star.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+star.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+stars.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+stars.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+static.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+stell.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+step.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+stk.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+stk.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+stock.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+stock.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+stone.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+stone.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+stulaw.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+stuwal.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+stuwal.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+submarine.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+submarine.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+suffering.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+suffering.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+suffering.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+suffering.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+suffering.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sun.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sun.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sun.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+support.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+support.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+support.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+support.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+support.webservicesupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sute.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sw.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+swiss.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sword.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sword.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+syn.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sync.ns06.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sys.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+sys.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+sys.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sysj.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+system.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+sysy.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tag.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tape.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+tape.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+tape.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tclient.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+tclient.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+teach.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+tech.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tech.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tech.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+tech.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tele.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+telnet.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+test.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+test.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+test.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+test.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+test.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+test.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+thanhnien.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+thec.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+think.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+think.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tia.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+time.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+time.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+time.mediaxsds.net	Intel::DOMAIN	Mandiant APT1 Report	T
+time.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+time1.mediaxsds.net	Intel::DOMAIN	Mandiant APT1 Report	T
+times.nytimesnews.net	Intel::DOMAIN	Mandiant APT1 Report	T
+tk.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tnjs.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tod.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+top.ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+topmoney.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+train.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+train.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+travel.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+travel.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+travel.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+travel.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+trb.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+trip.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+trip.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+triu.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ts.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+tt.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+ttl.tfxdccssl.net	Intel::DOMAIN	Mandiant APT1 Report	T
+tx.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-aa.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-aaon.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-aeai.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-ag.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-asg.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-ati.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-bdai.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-bdai.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-bdfa.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-bpd.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-cccc.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-ccr.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-chsaw.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-co.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-cti.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-dfait.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-enrc.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-ga.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-hst.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-hst.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-irpf.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-kfc.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-man.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-mbi.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-nema.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-opm.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-piec.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-pmet.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-pnl.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-rev.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-rj.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-rj.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-sbig.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-tree.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-tta.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-volpe.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ug-west.hugesoft.org	Intel::DOMAIN	Mandiant APT1 Report	T
+unifh.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+up.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+up.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+upback.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.dnsweb.org	Intel::DOMAIN	Mandiant APT1 Report	T
+update.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+update.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.idirectech.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+update.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.progammerli.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.safalife.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.tfxdccssl.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+update.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+update.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+update.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update7.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+update8.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+updater.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+updatevn.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+upload.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+u-rfc.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+url.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+url.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+us.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+us.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+us.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+utex.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+value.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vedio.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+velp.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+via.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+via.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+via.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+video.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+vip.issnbgkit.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vip.pcclubddk.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vip.sportreadok.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vis.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+visual.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+vockl.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vol.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+vop.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+vope.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+vopm.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+vpn.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vpn.businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+vpn.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+vpn.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vsec.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+vseh.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+walk.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+walste.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wangye.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wangye.reutersnewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wapi.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+was.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+water.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wave.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wcasekl.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wcov.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wdeh.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+weather.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+weather.chileexe77.com	Intel::DOMAIN	Mandiant APT1 Report	T
+weather.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+weather.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+weather.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+weather.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+web.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+web.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+web.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+web.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+web.thehealthmood.net	Intel::DOMAIN	Mandiant APT1 Report	T
+web.webservicesupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webdata.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webjbs.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+weblog.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+weblog.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.usnewssite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.ustvb.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+webmail.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmailh.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmails.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webmailw.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+webs.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wed5.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wed5.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+week.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+week.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+weg.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wehmail.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+west.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+west.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+west1.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+westjoe.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+westking.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+westking.comrepair.net	Intel::DOMAIN	Mandiant APT1 Report	T
+westkl.blackberrycluter.com	Intel::DOMAIN	Mandiant APT1 Report	T
+westkl.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+westnew.marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wfcx.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wff.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wgl.infobusinessus.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wgw.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wh1.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+what.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+whi.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+windows.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wins.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wish.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wk.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wmp.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wnam.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wnara.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wned.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wnew.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+woil.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+women.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wopec.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wopm.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+work.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+work.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+work.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+work.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+work.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+work.yahoodaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+workstation.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+world.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+world.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wow.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wow.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wpcs.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wpot.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wpot.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wptex.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wpvn.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wpvn.softsolutionbox.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wrim.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wsyggfw.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wtom.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wwab.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wwebmails.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+wwt.blackcake.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.advanbusiness.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.aolon1ine.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.applesoftupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.attnpower.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.aunewsonline.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.avvmail.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.bigish.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.bluecoate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.bpyoyo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.busketball.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.canadatvsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.cnndaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.cnndaily.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.cometoway.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.competrip.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.comtoway.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.conferencesinfo.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.copporationnews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.defenceonline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.doemarkennel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.downloadsite.me	Intel::DOMAIN	Mandiant APT1 Report	T
+www.e-cardsshop.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.freshreaders.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.giftnews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.globalowa.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.gmailboxes.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.hkcastte.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.hvmetal.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.idirectech.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.ifexcel.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.jjpopp.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.jobsadvanced.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.livemymsn.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.maltempata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.microsoft-update-info.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.micyuisyahooapis.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.myyahoonews.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.nationtour.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.newsesport.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.newsonlinesite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.nirvanaol.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.olmusic100.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.online.mcafeepaying.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.phoenixtvus.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.pop-musicsite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.rssadvanced.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.safety-update.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.satellitebbs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.shepmas.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.skyswim.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.staycools.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.symanteconline.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.syscation.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.syscation.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.tibethome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.ueopen.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.usabbs.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.usapappers.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.ushongkong.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www.ustvb.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.uszzcs.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.voiceofman.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.webservicesupdate.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.widewebsense.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www.worthhummer.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www.youipcam.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www-01.marsbrother.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www-049.businessformars.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www1.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www1.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www1.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+www1.saltlakenews.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www2.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+www3.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wwwcb.newspappers.org	Intel::DOMAIN	Mandiant APT1 Report	T
+www-ctr.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+wwwi.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+wwwt.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+x-admin.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+xawh.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+x-book.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+x-fmgg.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+xinge3344.cccpan.com	Intel::DOMAIN	Mandiant APT1 Report	T
+xinge3344.ys168.com	Intel::DOMAIN	Mandiant APT1 Report	T
+xmer.businessconsults.net	Intel::DOMAIN	Mandiant APT1 Report	T
+x-stone.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+xtap.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+xwclient.arrowservice.net	Intel::DOMAIN	Mandiant APT1 Report	T
+xwclient.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+xwclient.newsonet.net	Intel::DOMAIN	Mandiant APT1 Report	T
+yang.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+yang.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+yang1.bigdepression.net	Intel::DOMAIN	Mandiant APT1 Report	T
+yang1.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+yang2.infosupports.com	Intel::DOMAIN	Mandiant APT1 Report	T
+yard.earthsolution.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ysb.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ysb.purpledaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+z0.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+z4.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+za.booksonlineclub.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zapts.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zc.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zero.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zh.lksoftvc.net	Intel::DOMAIN	Mandiant APT1 Report	T
+zone.aoldaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zone.canoedaily.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zone.companyinfosite.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zone.msnhome.org	Intel::DOMAIN	Mandiant APT1 Report	T
+zone.searchforca.com	Intel::DOMAIN	Mandiant APT1 Report	T
+zone.todayusa.org	Intel::DOMAIN	Mandiant APT1 Report	T
+ztl.firefoxupdata.com	Intel::DOMAIN	Mandiant APT1 Report	T
diff --git a/salt/zeek/policy/securityonion/apt1/apt1-md5.dat b/salt/zeek/policy/securityonion/apt1/apt1-md5.dat
new file mode 100644
index 000000000..421549121
--- /dev/null
+++ b/salt/zeek/policy/securityonion/apt1/apt1-md5.dat
@@ -0,0 +1,1012 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# The following lines are for testing purposes only.  Please keep them commented out when running in production.
+#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T
+#9593fcbd91fdb1a41d0304bf684d29fd	Intel::FILE_HASH	Test MD5	T
+#e2c33fa7a3802289d46a7c3e4e1df342	Intel::FILE_HASH	Test MD5	T
+001dd76872d80801692ff942308c64e6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+002325a0a67fded0381b5648d7fe9b8e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+00dbb9e1c09dbdafb360f3163ba5a3de	Intel::FILE_HASH	Mandiant Apt1 Report	T
+00f24328b282b28bc39960d55603e380	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0115338e11f85d7a2226933712acaae8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0141955eb5b90ce25b506757ce151275	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0149b7bd7218aab4e257d28469fddb0d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+016da6ee744b16656a2ba3107c7a4a29	Intel::FILE_HASH	Mandiant Apt1 Report	T
+01e0dc079d4e33d8edd050c4900818da	Intel::FILE_HASH	Mandiant Apt1 Report	T
+024fd07dbdacc7da227bede3449c2b6a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0285bd1fbdd70fd5165260a490564ac8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+02a2d148faba3b6310e7ba81eb62739d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+02c65973b6018f5d473d701b3e7508b2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+034374db2d35cf9da6558f54cec8a455	Intel::FILE_HASH	Mandiant Apt1 Report	T
+03ae71eba61af2d497e226da3954f3af	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0469a42d71b4a55118b9579c8c772bb6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0496e3b17cf40c45f495188a368c203a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+04a7b7dab5ff8ba1486df9dbe68c748c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+04e83832146034f9797d2e8145413daa	Intel::FILE_HASH	Mandiant Apt1 Report	T
+04f481d6710ac5d68d0eacac2600a041	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0501bb10d646b29cab7d17a8407010d9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0522e955aaee70b102e843f14c13a92c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+052ec04866e4a67f31845d656531830d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0545a524a6bb0b042f4b00da53fec948	Intel::FILE_HASH	Mandiant Apt1 Report	T
+05552a77620933dd80f1e176736f8fe7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0583f58ac3d804d28cd433d369b096b8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0588ffa0a244a2c4431c5c4faac60b1f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+05bc8309b93676087d5fb0b58ad5e9d8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+05cc052686fbdf25fb610c1fe120195f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+06598b0490133815541c5ac023623e82	Intel::FILE_HASH	Mandiant Apt1 Report	T
+065e63afdfa539727f63af7530b22d2f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+078f1e2c528f2318b073e871f73efc21	Intel::FILE_HASH	Mandiant Apt1 Report	T
+079028d315d039da0ffec2728b2c9ef6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+07ae235391f7b290ea3a35067239a290	Intel::FILE_HASH	Mandiant Apt1 Report	T
+07c4032f24ae44614676fbdfe539afe0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+07fe9f901fb4f14e16fb5d114a92b0fc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+08084604344b5ed11c2612795b2d3608	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0829207a8400e2814990f79fbdfe7f4d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+082cc969b3eb6786e3e951b450b8de0d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+089c9e5407ddb464dfeca2e528536395	Intel::FILE_HASH	Mandiant Apt1 Report	T
+08d7679a9c806a2f7d2be26fe9b425ee	Intel::FILE_HASH	Mandiant Apt1 Report	T
+08e0d0f5cdfe1bc2e5fc1b992fe1e073	Intel::FILE_HASH	Mandiant Apt1 Report	T
+08f21a020f41f0bcacdc9427f84987da	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0908d8b3e459551039bade50930e4c1b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+09531f851ef74a7238685fd287a395bd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+097b5abb53a3d84fa9eabda02fef9e91	Intel::FILE_HASH	Mandiant Apt1 Report	T
+09d372e4259980ac95fdadf1846578d9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0b506c6dde8d07f9eeb82fd01a6f97d4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0b680e7bd5c0501d5dd73164122a7faf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0c28ad34f90950bc784339ec9f50d288	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0c5858f293aed44ea00eb9e0019609df	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0c5e9f564115bfcbee66377a829de55f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0ca6e2ad69826c8e3287fc8576112814	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0cad42671e5771574df44a23b3634f32	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0ccfaeb11defb100b5ddb40057e8fce4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0cf8259502d178a099ab2852e2bddbe1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0cf9e999c574ec89595263446978dc9f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0d0240672a314a7547d328f824642da8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0d678350f05b274844da5d79fee75324	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0dd3677594632ce270bcf8af94819caf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0df42947e167cd006b176d305c08d57e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0e84132e5ad04351b644b8d8743fc4d3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0ec0fcd649f3d5aa2e19f110c0089164	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0f23d5b93c30681655d8a4258b8de129	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0fbdc6e3f79063a4773d4872fa1f15d1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0fed203f3df6a82c9124f24aa3d9d75d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0ff20d023d6b54661d66fb3ce09afe3c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+0ff48a336655869a74611236e6e2d249	Intel::FILE_HASH	Mandiant Apt1 Report	T
+106338ad223b84fbc2528a55e3e22302	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1097ca5269dea866d5c9f2b0cc50af6d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+10a38dd9598cc31efe664cfaa8f37bf1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+10a68e08c514d3b69296b0eb557d822c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+10bb5a8ae053e335fe047cf38db95452	Intel::FILE_HASH	Mandiant Apt1 Report	T
+11504971bb85cdacb8ef7d45e6e2aeb7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+11ccf3f93b00b01887e50283742cd1e6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+11d350127ff1e9ecd665c34326475584	Intel::FILE_HASH	Mandiant Apt1 Report	T
+11dbecc954bf8a89d59407a992889cfd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+11de4b1ab84bcb8dd28ef0ea4641f6d0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+120c2e085992ff59a21ba401ec29fec9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1224527e295380dce1ac9953c850ce97	Intel::FILE_HASH	Mandiant Apt1 Report	T
+123505024f9e5ff74cb6aa67d7fcc392	Intel::FILE_HASH	Mandiant Apt1 Report	T
+125ebbc6f0c957ee994fcef1431a93f4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+129c6cd9d2aa895cf6fa137fa1d3a188	Intel::FILE_HASH	Mandiant Apt1 Report	T
+12a410d82a1fc9a8c18b350872e0d465	Intel::FILE_HASH	Mandiant Apt1 Report	T
+12f25ce81596aeb19e75cc7ef08f3a38	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1328eaceb140a3863951d18661b097af	Intel::FILE_HASH	Mandiant Apt1 Report	T
+13835f0d5aafbeda50560afc92c8b7b7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+13f0b56c28995e4efc8da784ad862853	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1415eb8519d13328091cc5c76a624e3d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1486f48948db4f9afaebd69c7c52f899	Intel::FILE_HASH	Mandiant Apt1 Report	T
+150c4c1f589c4baa794160276a3d4aba	Intel::FILE_HASH	Mandiant Apt1 Report	T
+150c95865766c2dd0562e7bedb6db104	Intel::FILE_HASH	Mandiant Apt1 Report	T
+15137b710414e4e8508ac5ab27e2cbaa	Intel::FILE_HASH	Mandiant Apt1 Report	T
+15244d2321faa3a271ff0b1e5a23148f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+15901ddbccc5e9e0579fc5b42f754fe8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+15d1330be5e27f6f51d011b0575ffa05	Intel::FILE_HASH	Mandiant Apt1 Report	T
+165ef79e7caa806f13f82cc2bbf3dedd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+16e53c619803d0068611bb6d448d1d49	Intel::FILE_HASH	Mandiant Apt1 Report	T
+17199ddac616938f383a0339f416c890	Intel::FILE_HASH	Mandiant Apt1 Report	T
+173cd315008897e56fa812f2b2843f83	Intel::FILE_HASH	Mandiant Apt1 Report	T
+177e0270f25a901c216ffb2e7a36e5b1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+17f5a2e0997b59449ca2120b20b5b7ce	Intel::FILE_HASH	Mandiant Apt1 Report	T
+17f6602f1c507b006b9d09eedcde0096	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1809c3cc93332d7bc0799238519a2938	Intel::FILE_HASH	Mandiant Apt1 Report	T
+18316e6ebb356a66c8ff51e73c1bcc8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+18e5ef23b634344321b2b3f5fa80a598	Intel::FILE_HASH	Mandiant Apt1 Report	T
+19fc27aeb48b3ce8d00eb2e76dfe2837	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1a0c7e61bcc50d57b7bcf9d9af691de5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1ae2dadd85cd97452bb26b2c901d0890	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1aea4d24f3bd2c51288ad643fc66e0d2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1b36190794516da078decaff881d9864	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1b7eed9d2438b494197e95fe57114f9b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1ba6fee7d4e73752b39a09b1396b69f0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1baa7f5813e259c6346d1b02a1370d75	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1c16bd1488163c03cd506c2f71486a0f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1c7538951b21d93ef7ecf3fa94ae5c5e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1ca3ca9ec20474d07fc798f2b41e2625	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1ce4605e771a04e375e0d1083f183e8e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1e314c972075b8058099fd8759c11ce8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1e48f6ba839d2c4794e23c10e5c4c138	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1e5ec6c06e4f6bb958dcbb9fc636009d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1ea61a0945bde3c6f41e12bc01928d37	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1ede2c69d50e0efbe23f758d902216e0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1f2eb7b090018d975e6d9b40868c94ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1f92ff8711716ca795fbd81c477e45f5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1f9b32bac55ba4c015181ebf55767752	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1fad25d4fef631f8ec3115e0944e4621	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1fb4ce2e56ced51ddf1edff8ed15c21b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+1fff3f96f53c5bbdd39eb2351f12549d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+201fb83679a1fe05007fc6b8d6d96680	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2080f463388aebe6deb7edf11c01f7ff	Intel::FILE_HASH	Mandiant Apt1 Report	T
+20e2c8c7a98ddd4c16f6e878194c1e78	Intel::FILE_HASH	Mandiant Apt1 Report	T
+212c724346400853d05a4440cabd716c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2156942db0293565c9420c1e254a2c32	Intel::FILE_HASH	Mandiant Apt1 Report	T
+215df0c319b98dad4f202849b097f8b2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2198fea94bb79b001fcfd3e03b269001	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2244c60f4c1dc285c259f3ac5bf88ff8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+225e33508861984dd2a774760bfdfc52	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2272791cadf422ce02a117a3a857f84e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+22aa55134d621672e93c6de928c8b122	Intel::FILE_HASH	Mandiant Apt1 Report	T
+22d9466d6aab8410bea006b5d3df8bd0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+23059de2797774bbdd9b21f979aaec51	Intel::FILE_HASH	Mandiant Apt1 Report	T
+23e371b816bab10cd9cfc4a46154022c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+24259ae8b0018b0ce9992fb1d9b69e2a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2479a9a50308cb72fcd5e4e18ef06468	Intel::FILE_HASH	Mandiant Apt1 Report	T
+24c4ed0a6cc4e9671b72c104977fa215	Intel::FILE_HASH	Mandiant Apt1 Report	T
+24f1b8266f4faf550999581bf0edac83	Intel::FILE_HASH	Mandiant Apt1 Report	T
+24fefb8b9338e2300308260be19bbaab	Intel::FILE_HASH	Mandiant Apt1 Report	T
+251c817f4144264c3e7a9dac03071daf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+255cd53f9bdb6f3755e621885cb34382	Intel::FILE_HASH	Mandiant Apt1 Report	T
+257258344edad17f689b1c6d14833cbc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+25f240aed433c4ea52ccdb898e43756f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2640cb47de607a8276c26e8a27f1150b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+268988aa1df82ab073f527b5b6c8bff7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+268eef019bf65b2987e945afaf29643f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+270d42f292105951ee81e4085ea45054	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2762fb36161086f7ef3f33232aa790dc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+277964807a66aeeb6bd81dbfcaa3e4e6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+277f95bff2e0fe317f86b5010bd83a18	Intel::FILE_HASH	Mandiant Apt1 Report	T
+286f48dda20e2ccc3250a6e09a130db1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+28dbd86bd86eb9153ecb20d883c41ae0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+28e64dfeab48030bc532ae4ace2c9e4c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2976a62c2a829a153a9b0b5f433bdc77	Intel::FILE_HASH	Mandiant Apt1 Report	T
+29c691978af80dc23c4df96b5f6076bb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2a214ce037f5f6bb01ddc453f0265d92	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2a4604fcae876dee445de5ad74fd7835	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2a84b88c4a2ce0fb6227f7990f465737	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2acfc925e66e1b820a67c4d0f3e6ae8c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2af105519133baaee57c9ade00543de2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2b379d5346ffd386c28038630a9b0292	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2b659d71ae168e774faaf38db30f4a84	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2b732257d8d9f09560fdcb7d84d430ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2ba0d0083976a5c1e3315413cdcffcd2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2bd02b41817d227058522cca40acd390	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2bdc196cdac4478ae325c94bab433732	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2c49f47c98203b110799ab622265f4ef	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2c78d8bb5912d8174042f81197d9b449	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2c9c691e15a48b20dbead0a6d6bf0300	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2ca8ba14ff07ef8616372c53ee84d20e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2cdbeebcf4e0b6dbd24b8c7b4cd6d862	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2d08595e73de31a36c1187fcaac73bf0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2d57aa4e7f2f4088f1b96313b24c7602	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2daa4a4574ba06aa3203ae0e0b45b3b8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2dd892986b2249b5214639ecc8ac0223	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2e8484f59899046452392c236460ebb6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2ef062fa86537db34f5907a9775664a1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2f5979eaa728550a352c1ffee0b31236	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2f930d92dc5ebc9d53ad2a2b451ebf65	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2fae9efa753d3d821e1efdbc1335b966	Intel::FILE_HASH	Mandiant Apt1 Report	T
+2fccaa39533de02490b1c6395878dd79	Intel::FILE_HASH	Mandiant Apt1 Report	T
+30a7aa13b1f8d272cb36576952e8b6c0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+30b3b17eab05ecffaa055b5091aa66f9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+30e78d186b27d2023a2a7319bb679c3f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3107de21e480ab1f2d67725f419b28d0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3120fc8630c5252002f26f6e11b09eca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3122fbb558e1a5f32c90eba31f674add	Intel::FILE_HASH	Mandiant Apt1 Report	T
+31b1d316b46c967c80fe7398a9e4cf41	Intel::FILE_HASH	Mandiant Apt1 Report	T
+31e5e58dbdfad05175613e795298ebb5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+321d75c9990408db812e5a248a74f8c8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+328c3ebb2fd2e170483e8d51ccc6c505	Intel::FILE_HASH	Mandiant Apt1 Report	T
+32c32e936cffa8ab370c7f3f2dd43d65	Intel::FILE_HASH	Mandiant Apt1 Report	T
+335df3ffb8cee61c20ab91a401204df4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3364813bcbd111fc5ec1e4265c533506	Intel::FILE_HASH	Mandiant Apt1 Report	T
+338782d2df367156a2c7e12e9526c600	Intel::FILE_HASH	Mandiant Apt1 Report	T
+33d974011c4b047bf9874a71ba261a11	Intel::FILE_HASH	Mandiant Apt1 Report	T
+33de5067a433a6ec5c328067dc18ec37	Intel::FILE_HASH	Mandiant Apt1 Report	T
+33e9ccd45ef133b2c100d5a4f50635d5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+341f5e7215826d07ada1ed2b96264c0d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+342939e5fe4770c545659a6bf1e50df4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3441cbdf8de9472c19b021b241429b22	Intel::FILE_HASH	Mandiant Apt1 Report	T
+349f6cfb77bb360063c477e9b6ca24d6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+34ca3fbcaac48498aeff6035b172bf69	Intel::FILE_HASH	Mandiant Apt1 Report	T
+34cebbb4d35a66a7a7fb1ce857c195c9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+35008d12dfa47447112495f430e4aefe	Intel::FILE_HASH	Mandiant Apt1 Report	T
+351afebaf03ef12e6ad1b412612d0c53	Intel::FILE_HASH	Mandiant Apt1 Report	T
+35b9f05cf70017cc485af87660109dc8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+35f32431a069398d25efda2dafa32d93	Intel::FILE_HASH	Mandiant Apt1 Report	T
+36a7c3a6460c98e161e1005c925da0b2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+36c0d3f109aede4d76b05431f8a64f9e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+36cd49ad631e99125a3bb2786e405cea	Intel::FILE_HASH	Mandiant Apt1 Report	T
+36d5c8fc4b14559f73b6136d85b94198	Intel::FILE_HASH	Mandiant Apt1 Report	T
+370c50aea66cc338b37801e1bd1c244f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+37cf3f25895c27ca5e647bbfdc1d5b2d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+37ddd3d72ead03c7518f5d47650c8572	Intel::FILE_HASH	Mandiant Apt1 Report	T
+37df1896ba54e85ef549ccc1a88d34ab	Intel::FILE_HASH	Mandiant Apt1 Report	T
+37e7dc80c1eb618b3cd1b442858afa60	Intel::FILE_HASH	Mandiant Apt1 Report	T
+37eee514b04167f8e17e2caa3bfd3049	Intel::FILE_HASH	Mandiant Apt1 Report	T
+389f43a8af199da8da6b7c75b2c69595	Intel::FILE_HASH	Mandiant Apt1 Report	T
+390d1f2a620912104f53c034c8aef14b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+39e28f48c138dc156d1436fd02222e45	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3a3e4bca1197e4abab03340ea97d718d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3a45d4bfd1f919f167ce4a5e5ba00e15	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3a4cda1973cacd78740ff30774d6375e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3abe9c84fc13d0a82c1c3e0dced5825d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3b0829e2e966dae17d4c235893a3ae8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3b1b190407b868406c5c155a79f3d146	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3b320b90e024bfa48bda72aa7a82322c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3c1b2fabb7d74bc5be0820eae4107f8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3c4066b252722c873348d43b4c3ec0e5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3cda17269c246a2e3bfcda6fa02fceb8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3d0c1dc5ac55f6d0e6b7fabfeb5158f5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3d328395d0cefc67e2909774125196b1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3d573866620eae070a220be89e113f69	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3d61d23c2be95177937aa50769c0c512	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3d6fe3928f2f5ce41622f3f958b894a0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3de1bd0f2107198931177b2b23877df4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3de60420845a582b0e44081b1138a7e4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e12ffa5ad676a41754e2cc59e980e57	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e32ab6a2eac5bd1cddd3146d1a1348b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e3e6fe1a8c6ffc00a9c644997a4f7a1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e69945e5865ccc861f69b24bc1166b6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e6ed3ee47bce9946e2541332cb34c69	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e72fd40e47e232496b303734f1b2b11	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3e87051b1dc3463f378c7e1fe398dc7d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3ea7bf3b469499f0f6d4a78af865138f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3f19992be3606c136b15041207daf6e4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3f243b304358041fb163007e0c066d4a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3f33c0dab564c35485fd227d97b98443	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3f34e41d8ea034e6246ef6426bc91336	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3f8682ab074a097ebbaadbf26dfff560	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3fb8f4cdcb4d1d48be2e473fd8727239	Intel::FILE_HASH	Mandiant Apt1 Report	T
+3fc26910f9c31bd9ba3ccb09132d9ca3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+40831b3799c94b609a91d517d14bea21	Intel::FILE_HASH	Mandiant Apt1 Report	T
+40b1e9cf468f499d749c0863cfa6c8c1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+40ee45b1343406b6f7ad6204f1af7693	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4111fbc14558385c10091543c439264a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+411d770b2939e968c692dbdd3116e179	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4192479b055b2b21cb7e6c803b765d34	Intel::FILE_HASH	Mandiant Apt1 Report	T
+41a5d40ecc735172b18b61e01a30a178	Intel::FILE_HASH	Mandiant Apt1 Report	T
+41bb847963a8fce70ad21e70dd786107	Intel::FILE_HASH	Mandiant Apt1 Report	T
+41d623c1de3b0d182c51e56b2a3f3fba	Intel::FILE_HASH	Mandiant Apt1 Report	T
+420deefd91db5e177b46e4134441a35e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4227f2872817cfc74d134ee9f3d06d14	Intel::FILE_HASH	Mandiant Apt1 Report	T
+42462d31a2e5b1e4602a1a4d39abeca9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+435991e0c67f0c0b4504355b6d4493f0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+438401c9ae36e9ed1bf4f410ae116484	Intel::FILE_HASH	Mandiant Apt1 Report	T
+438983192903f3fecf77500a39459ee6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+43b844c35e1a933e9214588be81ce772	Intel::FILE_HASH	Mandiant Apt1 Report	T
+44066f29aab6a9379f8dd30f6bec257d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+456d298649a7ec31a7250ed9312ebbaf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+45aa4177bb42eb3ded5edf397a4aaded	Intel::FILE_HASH	Mandiant Apt1 Report	T
+465b085d3ddd22f63d8f7721ce5736d7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+46817cabd6618d2126067430a78f06a3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+468ff2c12cffc7e5b2fe0ee6bb3b239e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+46a86e3c12d5025aa78c7ddf46717c38	Intel::FILE_HASH	Mandiant Apt1 Report	T
+46acae84a04e41730d0502d9080bbb4a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+46c36c11238100e155f6d418332869ea	Intel::FILE_HASH	Mandiant Apt1 Report	T
+471005f73280264c48f769e1c21fbcc1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4749f6336eb86b5fa7029661f88ded20	Intel::FILE_HASH	Mandiant Apt1 Report	T
+476fea8761a03bef16e322996c2f6666	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4788960e489197f2633f581607eb0d26	Intel::FILE_HASH	Mandiant Apt1 Report	T
+47e7f92419eb4b98ff4124c3ca11b738	Intel::FILE_HASH	Mandiant Apt1 Report	T
+494637c4ac6d04bb50a681e87b81043f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+494fca685834f3158d133f6b09cbb507	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4962cb3f255b2eaf48847c754d2a553d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+496f04719a365f9718919002eff5748b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+497f07f54a4c29fe3be1a15f4516e32d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+49bacedcd18f6d8929d43a10dae8645f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4a2320b41a5216c741bf63fce562961a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4a54d7878d4170c3d4e3c3606365c42c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4aadab80ce16c588b8719f15e84aba82	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4ab62c8e525bee410cd4b6cfeea7d221	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4ad4258b73430fc3e843a2e59d8ee70a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4b19a2a6d40a5825e868c6ef25ae445e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4c6bddcca2695d6202df38708e14fc7e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4c858a80df0d6de5d69824c9502b65cf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4c9c9dbf388a8d81d8cfb4d3fc05f8e4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4cabfaef26fd8e5aec01d0c4b90a32f3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4cd3bed14aaffcf61f4d2948484c4c90	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4d21cc82e4031e1d6bb15541827b9e67	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4e1a92036a577a87a6fa36168d192c4b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4e3ddb5c27e45ee0e6dcc02e87b0abb5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4e551abcd14506092a0f8d54a45f3569	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4f65bc571cdd9c9cd11e771e1db35a4c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+4f763b07a7b8a80f1f9408e590f79532	Intel::FILE_HASH	Mandiant Apt1 Report	T
+50361f8793258b6e883b31269e053ed2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+50a3aaaebae6cee7ecb150ac395276b9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+50f35b7c86aede891a72fcb85f06b0b7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5100f0a34695c4c9dc7e915177041cad	Intel::FILE_HASH	Mandiant Apt1 Report	T
+51326bf40da5a5357a143dd9a6e6a11c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+51ce169debea41314f591290839fd55f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+522d32a505f78f09303e689999a3e461	Intel::FILE_HASH	Mandiant Apt1 Report	T
+523cf1c9741f5f9d11388a58de6a83a4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+523f56515221161579ee6090c962e5b1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+52509abd1cc7b7fb391b19929e0d99c0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+52bd3ceef33900d53315f89538128026	Intel::FILE_HASH	Mandiant Apt1 Report	T
+52cb7fed85bd7ff6797fbc70105a09fe	Intel::FILE_HASH	Mandiant Apt1 Report	T
+531a3b0acd95f55c3a7418d31f741357	Intel::FILE_HASH	Mandiant Apt1 Report	T
+53600687ec97c297f03b4f0f4710d0c5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+53b263dd41838aa178a5ced338a207f3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+543c283d691939d99667e22bcb7be610	Intel::FILE_HASH	Mandiant Apt1 Report	T
+543e03cc5872e9ed870b2d64363f518b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+54d5d171a482278cc8eacf08d9175fd7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5537bdce991797198a9ff97ff1492f90	Intel::FILE_HASH	Mandiant Apt1 Report	T
+55886d571c2a57984ea9659b57e1c63a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+55bd26326db3d512b6bd9f75d6671819	Intel::FILE_HASH	Mandiant Apt1 Report	T
+55f60194833efcbc8ac16bd0a1cced1a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+55fb1409170c91740359d1d96364f17b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5613e6d7111b327307c02bec1701ac3f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+565b6fedccab184c92e40483ea49a25f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+567395a3c720fcd09eb75b6c188b8687	Intel::FILE_HASH	Mandiant Apt1 Report	T
+56892b0befe8b7a188fdb7e72a07e60f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+56a5d0575c0c712deb16f465ac888a65	Intel::FILE_HASH	Mandiant Apt1 Report	T
+56c26b175ae23d90244805a6ec347e42	Intel::FILE_HASH	Mandiant Apt1 Report	T
+56c8ff5c6832f1e31a59e0717c3ab79c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+56de2854ef64d869b5df7af5e4effe3e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+56dff5cdfee293100b59096326fb0daf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+57326cd78a56d26e349bbd4bcc5b9fa2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+575836ebb1b8849f04e994e9160370e4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5790c7c09735cf1ccf10625c7cd87f5e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+57cbf78c226265cc1e61ad86779bf906	Intel::FILE_HASH	Mandiant Apt1 Report	T
+57cfef3e32e60df11b8d2c5375f3185c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+57e79f7df13c0cb01910d0c688fcd296	Intel::FILE_HASH	Mandiant Apt1 Report	T
+57f98d16ac439a11012860f88db21831	Intel::FILE_HASH	Mandiant Apt1 Report	T
+580a4c05982accc678a72c366b45815d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+585691777080b419b523938edd3ba2d6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+588c40520a3cea27d2b35cd1fa05e23f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+58b020fd3bc0d34e8c4eaf0a3f3135af	Intel::FILE_HASH	Mandiant Apt1 Report	T
+592a33f691daa01ccbfc8078ad961b43	Intel::FILE_HASH	Mandiant Apt1 Report	T
+59620925bf1c4f760c4bf225c7efd6c0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5a032c13942a46c5ae015f53d9ce138a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5a3abb8053c271c58e879b3b9cf8c8f5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5a728cb9ce56763dccb32b5298d0f050	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5aeaa53340a281074fcb539967438e3f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5bac505fdc202e1c6507ef381a881ed1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5bcaa2f4bc7567f6ffd5507a161e221a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5bd5a22d42c04db7ac1343a2a9f471fe	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5c4806b5859b35a3df03763e9c7ecbf6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5c6f30cc369cd164d44941d381e282cc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5ccb52a8e3c31dde2ddbc486a2215e85	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5cd578614afb50b925008b68b3accdb9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5cd7526fc7d849cbbf8c9d1ffe97a991	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5cf0959687427850a92d7f69edd41b86	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5d8129be965fab8115eca34fc84bd7f0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5dea347d29a3e9c21c52385a10224b65	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5e17055c51724b0b89ff036d02f5208a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5e1d81618eaf005b8e0cd63fbc9a4937	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5e33a9835bced338cb1959c347ac6798	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5e42780f52763c77d592044e535e4b01	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5e686bd284022e35559a9c6118df8f1e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5f837bbfd3b458321070e2aebca4ec46	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5fa50476240c9c59cb72b345751434ce	Intel::FILE_HASH	Mandiant Apt1 Report	T
+5ff3269faca4a67d1a4c537154aaad4b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6040dd5b603483f738be6a02a63538f2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+605c1dc91a5c85024160ce78dfac842d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+609d917a7f0c526b0d8091c8191da376	Intel::FILE_HASH	Mandiant Apt1 Report	T
+611b1577ba976f76fc01368545bc395c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+611c8f862864af818202865b78ad7ca8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+61daab56e07dfa3a236d8aec9eb80545	Intel::FILE_HASH	Mandiant Apt1 Report	T
+61e0da42d5d084af24d31fbcef4ff409	Intel::FILE_HASH	Mandiant Apt1 Report	T
+620c6a6cff832e35090487680123f52b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+62a35021454e17f4a913e577d7ecd22f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+62bee50b480f6a6aa427a00464baf376	Intel::FILE_HASH	Mandiant Apt1 Report	T
+62c72767508e461cfe94b0c706e6d446	Intel::FILE_HASH	Mandiant Apt1 Report	T
+62d60a1cd1e7ba73aebc98812e5ac266	Intel::FILE_HASH	Mandiant Apt1 Report	T
+62ea10608f0d54cd284e8d7be32f206e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+633cb95904ab9dc0a3de4ddd443494e8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6377ec0c87f4ec1e7897751dd85d73d4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+63db2f4fd717723f0e6f94e0a6a62c7b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6461ea41f179e660c40ed65aee1a4a2d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+648ce1c45927b24563dd8361a1b74311	Intel::FILE_HASH	Mandiant Apt1 Report	T
+649d54bc9eef5a60a4b9d8b889fee139	Intel::FILE_HASH	Mandiant Apt1 Report	T
+64fa1239f5aa9a9031e61533283f8c22	Intel::FILE_HASH	Mandiant Apt1 Report	T
+65018cd542145a3792ba09985734c12a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+650a6fca433ee243391e4b4c11f09438	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6510cee34da30c7ef5e5e39980402257	Intel::FILE_HASH	Mandiant Apt1 Report	T
+651d83c1b85acb204abd5bf7990a1298	Intel::FILE_HASH	Mandiant Apt1 Report	T
+656baf38fa5ee776e2576cead664d004	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6570163cd34454b3d1476c134d44b9d9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6576c196385407b0f7f4b1b537d88983	Intel::FILE_HASH	Mandiant Apt1 Report	T
+668b92feb7cbcc7ac75ff97dcec28d10	Intel::FILE_HASH	Mandiant Apt1 Report	T
+66c287675cd4c7172590f71181e723a8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+67504a0c2c2bf47efccdab5ca981ad7d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6767eeb485232436de9553988765fb89	Intel::FILE_HASH	Mandiant Apt1 Report	T
+67f62f5accfeacf5e828c3b3905248fe	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6808ec6dbb23f0fa7637c108f44c5c80	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6846ad52c9208830ceaf4cfd81402015	Intel::FILE_HASH	Mandiant Apt1 Report	T
+687a58dcbc076b04bef4ec6050310fb5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+689dcd40d5eae8c0d315265f3d90ffae	Intel::FILE_HASH	Mandiant Apt1 Report	T
+68af7be698e8a7408451c158c04a9712	Intel::FILE_HASH	Mandiant Apt1 Report	T
+68c67a6e26855ebc2569d67689c69a6e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+68d2fd5049e70942d164e4e25d13dd8e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+68e5bff12ac33ecb98977afed51ebad0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+693f711d8fab66a3efca98a19a733d56	Intel::FILE_HASH	Mandiant Apt1 Report	T
+698fbe7ed1ddd7f5c76b86fad3f7a485	Intel::FILE_HASH	Mandiant Apt1 Report	T
+69dc1e1ee273e531e91c60eb86396cc8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6a4fbcfb44717eae2145c761c1c99b6a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6a88f170ab6cb0f9b3252adc61b4f487	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6ab7fa8e5fb63b8d0723387d0a1ffe6d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6b3d19cc86d82b06f5db3ae9d5ba8a5f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6b4ac249f918be9f7bc64ae7fdda947e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6b6c4c0e2959df248be90d89899953a9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6bf8f1f99ac5bba0db1b66518df378a4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6bf9083f1567edce004bd1f7c456659d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6c5c5e4049265fffc87973f3e4978b26	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6c65c697bcff935484a5cd2e7dd2e7d2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6c9c9e40683467f60b910d5bad5285ae	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6ca59c9c4165796e08ba6ca3eeffdee6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6d2320af561b2315c1241e3efd86067f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6db47757ba324bb61ce3cbcabbec52d4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6deae79fc82df523ba99852266a33f9e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6e442c5ef460bee4c9457c6bf7a132d6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6e8f302794cfaae731840e345063e652	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6e9bedcf80f21171adb951a0d85d2adb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6eb99bed5b5fcb3fdb26f37aff2c9adb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6ebbfa603aa4e90148ad0b726806c359	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6ebd05a02459d3b22a9d4a79b8626bf1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6eebee2aebd5194db62cb8230502378c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6f4182baa5a57b717cb9d850dfadb60a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6f551594fdf3539c62389c0cf0d2e16a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6f6abd53e10567d1534514fc36fca2e9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6f9992c486195edcf0bf2f6ee6c3ec74	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6faa4740f99408d4d2dddd0b09bbdefd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6fbf667e82c1477c4ce635b57b83bfa0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+6fdec862951e8b128cd7a07b2031eef6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+70a55fdc712c6e31e013e6b5d412b0d6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+70bb674fc97d7bf4d8dbbe3636f65c4a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+70c10f8b4dcd01b07be6cfb4df0d3348	Intel::FILE_HASH	Mandiant Apt1 Report	T
+70e2827ab4af1a38dc09a02fa95b82fe	Intel::FILE_HASH	Mandiant Apt1 Report	T
+71173ad2bc7b39342b1bdaadeaaa0d8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7127241c033c403b18bd281d0dfc4e31	Intel::FILE_HASH	Mandiant Apt1 Report	T
+71536d2e95420c55412c12dffea1a0a6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7253de652a025b2b4fa7b02e97a1ee6b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+727a6800991eead454e53e8af164a99c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7388d67561d0a7989202ad4d37eff24f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+73a63c21a08b0ad2c69999e448f8e6a1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+73d125f84503bd87f8142cf2ba8ab05e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+74b3ee9f3f6c52413db6e5c9ace34893	Intel::FILE_HASH	Mandiant Apt1 Report	T
+75372eb37415140fa5464f1ebb8a0e74	Intel::FILE_HASH	Mandiant Apt1 Report	T
+753ec12f61c2f7c9a5763c9063a16106	Intel::FILE_HASH	Mandiant Apt1 Report	T
+759b320aca72ba446e7e156407ebc10d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+75dad1ccabae8adeb5bae899d0c630f8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+75f37a69664362462ad491741a34f195	Intel::FILE_HASH	Mandiant Apt1 Report	T
+75ff4bd6b209b6f10472c4cd22e3f9e6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+760339e927e391e289bd91bad4cd59c3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+769aeae232c6162cedcb6c7255640c4c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+76ba06bac23a2c445cb982bf38b82199	Intel::FILE_HASH	Mandiant Apt1 Report	T
+76bf44d7734ec8581e846a9f3005aed4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+76c1b246703a10cb6e71a3e5b7b55b24	Intel::FILE_HASH	Mandiant Apt1 Report	T
+76f6c7301dbf0219eae991d65804292a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7704ad9e8e0e3d75075e4c294f698d53	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7712d05c8b499fc7a1f4a6a6b6dee825	Intel::FILE_HASH	Mandiant Apt1 Report	T
+772c771e13e599cbf25bf9e0199681f7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+77382bb7fd431211b32d84d4de74b043	Intel::FILE_HASH	Mandiant Apt1 Report	T
+775459afc5415984dfa2a0f533011763	Intel::FILE_HASH	Mandiant Apt1 Report	T
+77afced93e20b1bb906796197fa1dd1d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+77dc072fdd632c12bacc09ceb8e6ee39	Intel::FILE_HASH	Mandiant Apt1 Report	T
+77fbfed235d6062212a3e43211a5706e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+785003a405bc7a4ebcbb21ddb757bf3f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+78524ba7f66c0ec4a3755e51709db1aa	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7852b941a46e37fe9b332b1be77a6960	Intel::FILE_HASH	Mandiant Apt1 Report	T
+79841c13f645118a600d19def3642d1a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+79f3bac2826f8511c96240758af116b4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7a2692cafec377c444bc3147fc43e57f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7a2eba5ca6f9b2cec61c5cc55dfca762	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7a660a9e48f6065333f388f2c0a67bd8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7a670d13d4d014169c4080328b8feb86	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7a7a46e8fbc25a624d58e897dee04ffa	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7ab86c938b960dfc0c4ffbadd4163666	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7acb0d1df51706536f33bbdb990041d3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7aecb34616245eb6b2906358151be55b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7aef47f9fd84669976c4b152910a6328	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7af399ff99109a9501da73337c0bdf4b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7b3ce6c2af1acd119a25831fac670bab	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7b42b35832855ab4ff37ae9b8fa9e571	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7b451bbbdc840378b785bed6b9e30e0f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7be6c90facbfe9ecf470fb27e6673fbc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7bfeb0eaa1c51513e60bc0abafb1be9f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7c82cd17b0fa420f09f97e060621ed7b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7cb055ac3acbf53e07e20b65ec9126a1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7ce16b35201d8d35965ec7aeebdc80ff	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7d0efb2480834a6a80210b7342d51154	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7d25a80fe2c42368adaea5fcbab866b6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7d3140bd028f70f1fa865364b69c5999	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7deed54a40efc12ea03e3f1859522862	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7e56369d466dd3d85a9b31f65ee8e551	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7e64b28b0050d23970478c81e8037470	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7e8d1f26679a88268e273ab498e597f4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7eedcd6d00b4f08b825b4c134b6d8f1a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7f1a4bc267ace340a5aa7a0b79cbf349	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7f26403f8e59a5f2728af2d3e0efaabb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7f398b00546c3a0946cd6142c308a556	Intel::FILE_HASH	Mandiant Apt1 Report	T
+7fc52a32337386d867a952a2c8644353	Intel::FILE_HASH	Mandiant Apt1 Report	T
+80856bd8ef7d5dbc3dc774f581855549	Intel::FILE_HASH	Mandiant Apt1 Report	T
+80bca9f272152280a462f84f1588c0cc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8153b612499dbf432e2d9805b20ae783	Intel::FILE_HASH	Mandiant Apt1 Report	T
+815a89041dea3e56348f8f5c8b7d1457	Intel::FILE_HASH	Mandiant Apt1 Report	T
+81602ce95a4b7f3d3cd1953a2456cd92	Intel::FILE_HASH	Mandiant Apt1 Report	T
+81b03cbcfc4b9d090cd8f5e5da816895	Intel::FILE_HASH	Mandiant Apt1 Report	T
+81ce61ed2dc567ce70589386563890ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+82390e18379710df84d48881a1c1d0ed	Intel::FILE_HASH	Mandiant Apt1 Report	T
+827040a5f5ae8de281a63899224b2f3a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+82b065518f085c6ceb0a9135ab51df41	Intel::FILE_HASH	Mandiant Apt1 Report	T
+830a748959bdd1ad3b6a1f72aab6f063	Intel::FILE_HASH	Mandiant Apt1 Report	T
+830e5cd6d590aa65dd3e2c1a01b42259	Intel::FILE_HASH	Mandiant Apt1 Report	T
+831a67dc75e2d4505180888747bc8ea9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8387adb5325035baa3fe3a2b0cb4921a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+839c8c06c4d81f523078b0d45d8250ff	Intel::FILE_HASH	Mandiant Apt1 Report	T
+83b3711c32d28a87b173e7e5aba5f826	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8412a3e37499f8289faf54546824ab61	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8442ae37b91f279a9f06de4c60b286a3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8454918f639a1b0719e00627f211d2ed	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8462a62f13f92c34e4b89a7d13a185ad	Intel::FILE_HASH	Mandiant Apt1 Report	T
+855ca1b45a247754ad91d50827a2e16c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+85c4081a97255ac7ca7d0d5554e86ec1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+85c828f5ea5d99e0c98017f6d6be243f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+86a906db5686bbf487689937d15bf71a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+86b1f3874bf741a3f9c0d74625af5f8d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+86b68ad2e9c33eadf134285ea142ccc2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+86dd715a8d28788e68a575207d66df34	Intel::FILE_HASH	Mandiant Apt1 Report	T
+871cc547feb9dbec0285321068e392b8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8725870a43192cb0176c82012996910a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+874bb818208655b59a8c4c1ae2aef379	Intel::FILE_HASH	Mandiant Apt1 Report	T
+876ee736ebad6917a259456fc3a2f11b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+87efe3671ef8f1eca57f2d8f7e4711d9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8845cb5b4e450cb10a3b6ca41a9b4319	Intel::FILE_HASH	Mandiant Apt1 Report	T
+88b5f635ac9031bcdeda1f751952f966	Intel::FILE_HASH	Mandiant Apt1 Report	T
+88c7c50cd4130561d57a1d3b82c5b953	Intel::FILE_HASH	Mandiant Apt1 Report	T
+88dbcc682635b4013bcba5ad28bb976b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8913ac72cdb8afd98bd8446896e1595a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+89164a973ae081991a973aa9d5cdee7c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8934aeed5d213fe29e858eee616a6ec7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+898a8a43c8708961094944fb42c278ab	Intel::FILE_HASH	Mandiant Apt1 Report	T
+89a2802e2f2356ce6a757f833c3ba3ef	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8a7764ded8467bd0fd0c30adc2acc1d4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8a86df3d382bfd1e4c4165f4cacfdff8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8b75bcbff174c25a0161f30758509a44	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8bf9698c18b2aa23f71444af2571a6ad	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8c57b287a1d2140ccedd6cd097d62ded	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8c6ece2ade2bfad3171c925baa64af50	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8c9871a9eb88ffc43507f988b222dc52	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8cb321a7871706fb6246489cb7c4da03	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8cda4e0ee20ddd00003caf7947af7fe4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8d251ef81b1e2251601a7b2b0c03ec05	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8d81eeaeb0bd74a1faab257079452078	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8dc3561ca52bfe40089f3ee0af7fdd9d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8dfbf8a46d3a302fd420305918e9414d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8e1ec7e556b8c6612b6c34e310c50b66	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8e8622c393d7e832d39e620ead5d3b49	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8f3d20c983f9d82a8ff17466f45ee757	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8f4863b4dfb52d8362c031d3720a6d97	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8fc5fb519a222ab919f28d21545774c6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+8fdb15f3d5480de78c61ccef23722683	Intel::FILE_HASH	Mandiant Apt1 Report	T
+91dc97c4b66e3282e1aa831e0bb0bb14	Intel::FILE_HASH	Mandiant Apt1 Report	T
+91deceb64c795927c6ea07f695f67334	Intel::FILE_HASH	Mandiant Apt1 Report	T
+91f538c08b9dee1bb0c6b6c82f727c5d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9206ae65b685dc7ea1cf1ec02606de6c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+929802a27737cebc59d19da724fdf30a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+933b11bc4799f8d9f65466fb2e3ea659	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9371fcd92ef86ccf450af903bc74ec01	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9400fb97c145587b17fb456fac636771	Intel::FILE_HASH	Mandiant Apt1 Report	T
+94a59ce0fadf84f6efa10fe7d5ee3a03	Intel::FILE_HASH	Mandiant Apt1 Report	T
+950234183528ce107d65b700be1bbbd3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9548e5ed4fbacd0ed4a9d6a27f5d8fec	Intel::FILE_HASH	Mandiant Apt1 Report	T
+959c680c26f26e7f1dd61607942dc96a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+95d85aa629a786bb67439a064c4349ec	Intel::FILE_HASH	Mandiant Apt1 Report	T
+95f25d3afc5370f5d9fd8e65c17d3599	Intel::FILE_HASH	Mandiant Apt1 Report	T
+966db6a32ccf7e57394706abc3999189	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9675827a495f4ba6a4efd4dd70932b7c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+973f4a238d6d19bdc7b42977b07b9cef	Intel::FILE_HASH	Mandiant Apt1 Report	T
+97c83d85bd76a38b13cea960a1a97f70	Intel::FILE_HASH	Mandiant Apt1 Report	T
+98409dbf432419024dbf028c004344c1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+989b797c2a63fbfc8e1c6e8a8ccd6204	Intel::FILE_HASH	Mandiant Apt1 Report	T
+98bddd6c789a883afa1de3524bb8ea8e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+98cf219830733fb98fd2a957b7c4b163	Intel::FILE_HASH	Mandiant Apt1 Report	T
+98d257a13d176940910d6441a854d7a4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+99882234b814b860a22b4d441b92fd82	Intel::FILE_HASH	Mandiant Apt1 Report	T
+99a29ccea951a950040f3944abafed40	Intel::FILE_HASH	Mandiant Apt1 Report	T
+99a39866a657a10949fcb6d634bb30d5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+99a7e4a01b813b9b26ba76bf0b484742	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9a58cc73e103fd5a14ef3564e35c03df	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9a66fa24268d158341d497feecbed889	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9ad292de00b2175a80b5909fa173cdcd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9c03ab63a45d29aee90b72ae89f2f613	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9c36333385d351e59d6c4372d757479e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9cb07b71dcd1ac9dfdbf9f4cdfd4f273	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d1d58e370bea4b5e79a1f914516cbc0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d5aabcda9106132d1e1b6cf6cae28aa	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d7499c3a01daba5c9b5090b079808ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d75897d9c0a5da7e95082ea5ae1f648	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d85a2ae1e7971a49cb417d97797ac8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d8a7970be7826d29732817c0cc84bde	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9d93fc89fb6e0a8142e837b2de045fdd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9dab4da07ed669b44f409eb60f3b0e50	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9df30198f52b16925db1e3da61cfc754	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9e30b1665077b7e65bc8ff1e7c752306	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9e511dc5ad8a884f4416e68c54f742e1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9e860622fee66074dfe81dcfcc40c4e2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9ea3c16194ce354c244c1b74c46cd92e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9ecf9d5d8872fe55ab120265c3749ffc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9f11bc08af048c5c3a110e567082fe0b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9f3fbec4341f246aa6131ab01d6e4234	Intel::FILE_HASH	Mandiant Apt1 Report	T
+9fc3ed6c9b8056fbf155f79569ca7cb1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a039a61e4c274811b0388aa517d29fbb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a1468ce16f2d17979cc1a61878c1c8c6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a14e8df8bc55f7459d24fe526f51a16d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a17bb80ae02c8b003cf69222fa13f506	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a1b8aa19c92c257cbace54337f6672d3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a1b924b8c8fa157ae8775fd86f692053	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a1cb8a9f2b8926afeb254a64f1d78ee3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a24112e4b875038331d2672b6427763c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a241eec892637dec971bd925a40d3efb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a2534e9b7e4146368ea3245381830eb0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a28ee614e3d783a7561cf8a5a469959f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a2cd1189860b9ba214421aab86ecbc8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a2feee5e0ac3f825d4b7de7e0b95bb1f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a311516cdf06d3db4f49e67da5213ebe	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a316d5aeca269ca865077e7fff356e7d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a34234a27157851300d9b698f6c56d9a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a354e3c566645100e757f3e43c9b007d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a360b16c19ab9dea6763f777257c5f38	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a38a367d6696ba90b2e778a5a4bf98fd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a40e20ff8b991308f508239625f275d8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a4143ade719c2222d8602819a3e212ae	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a44312eb63de002383a57b5a93271cdc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a4903f7c293993069f865468bd7cec78	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a4ad7335aa391519cc5fc9140f2562f2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a510d0c9b7930abaa7aa6b0ac294e675	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a517ca12e2648b0590a5af565f8346b3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a565682d8a13a5719977223e0d9c7aa4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a5b581c0600815b1112ca2fed578928b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a5d4ebc0285f0213e0c29d23bc410889	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a6117891e42ee7db36253b57839c8b8f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a639f598d4c0b9aa7a4691d05f27d977	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a6725f263daf3e94adc3668751b909d0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a6a583aeaf4952787e15f30d289ca138	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a6b99080565aa7933d946b8b9d9d7476	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a70aaf335f7f1a04c7fe194602b11c14	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a7117612ea6b6fa3307943f5ed21fbb4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a7f17c75519fb8a39d37c47617202b05	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a807ad465b2fe5859c85626e97eaf907	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a810ab506857c933df2bea40ae0eb548	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a8b183fe32ad8d426e20227f3c8b7592	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a8b2ac446c614fd5d4880d95369deb3b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a8f259bb36e00d124963cfa9b86f502e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a96a6c91e71e243f00a64f53e2fd6415	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a9993969be3ea340d420eea5868c0d1d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+a99e06e2f90db4e506ef1347a8774dd5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+aa4f1ecc4d25b33395196b5d51a06790	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ab00b38179851c8aa3f9bc80ed7baa23	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ab208f0b517ba9850f1551c9555b5313	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ab445da3ee4e81a84d644476f669d35c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+abcaf816de63c632ec23d6bda3f02bb5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+abe6ab89f957f6edf8f41b5ad198e5e6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+abff707cb54a6e5a9fcbb3fef74dbddc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ac87816b9a371e72512d8fd82f61c737	Intel::FILE_HASH	Mandiant Apt1 Report	T
+acb99e5318f7001298df1aef51a9463e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ace798670a64b38aa7d065c776b49f17	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ad3cccbe9ddff04b670d353b938f5da9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ad7bdadde9a4da73ffc776c606dbb75e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ad8cde8841208ff226e04e8514dc699c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+adb2fc194b960e694aa450161f1df6fc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+adb62105427567ddc11124fc27921c40	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ae1dda87cc5998de79ecb68527bbd191	Intel::FILE_HASH	Mandiant Apt1 Report	T
+af2745e8888f2ba17a9cf2e0779d3874	Intel::FILE_HASH	Mandiant Apt1 Report	T
+af2f7b070245c90bd2a0a0845314173a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+af719814507fdca4b96184f33b6b92ea	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b0538781d47dde1e9a46a2610155c2d3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b07322743778b5868475dbe66eedac4f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b0d4fbcc0c65c7d5ef7e1c4309c719cb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b145e4d19f5ecfaad45c795aee69c8dc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b1838a6c341260fbdaf288795cc63900	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b1912db011633d98bc40ac568a4167a7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b1ee00cec6c2318fa86f320dd7fc99a8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b1ff1ef983a1aee3a395788ec441d006	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b2599b3078c28a278a3e7cd8b46304da	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b305b543da332a2fcf6e1ce55ed2ea79	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b36168ea438520875c621f5603db003f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b3848edbabfbce246a9faf5466e743bf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b3af1381f69e36b72e5b272f06aa1fa2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b3bc979d8de3be09728c5de1a0297c4b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b3defdbd173738d44137f88a571647e1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b43266a047b2895399f4883cfe37c089	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b47e5d095be9fd61016817359f6c2887	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b54f58c484f56c704858ccfffbb9d535	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b5a430a0696b5b25ae6b4fa5cbfe3333	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b5e9ce72771217680efaeecfafe3da3f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b631a3d832f7c22c26554711188f59c3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b63452ecd2da62f30923a124bcd41b45	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b661f78279ca0b2e0ae611013eb00f20	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b6f2f483e03b9399f055a1ba5e0713a4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b74022a7b9b63fdc541ae0848b28a962	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b743f6af7e307221ba425d6023ebe42c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b7dba6184f07b1e824362a2307d91ae2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b8277cce81e0a372bc35d33a0c9483c2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b86e89a42a1c1bc6ea15096c68e38ba4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b883f8e5a1420d1f511266b9253c11c4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b8dfe540bef505cd1adbd5f8ff31d028	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b8f61242e28f2edf6cb1be8781438491	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b92db06d17d3bf906c47a0384e771076	Intel::FILE_HASH	Mandiant Apt1 Report	T
+b9b3673a721578b230490f7dfc6df21e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ba0c4d3dbf07d407211b5828405a9b91	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ba10b9486043f76bb9e9a160bc1d2576	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ba56035e10b423734e0ce01bb7bb8b6d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ba773e1608198cf8337c5902d7930710	Intel::FILE_HASH	Mandiant Apt1 Report	T
+baabd9b76bff84ed27fd432cfc6df241	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bac2e89bd92ce23e1e93a63d26dea01a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bb286e9969ca197b461286b679c0886e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bc7092008ca37adf497b75eb98e2e175	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bc723e4f93a3bf85f4d1e1910393d1a3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bc756bb6bf4e7b2058e8dce6ba8b1a79	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bca9bd0abbb31a422458abf521a6a2fb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bcb087f69792b69494a3edad51a842bb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bcbdef1678049378be04719ed29078d2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bcdf8cb0868daaec3ba6176e3e7d3cfc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bce4b77a4e4acc70a3f6f52ec0a2f033	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bd15714360c12ffca4c3c1e86fc69d0e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bd402e910e03b70f00685d8b8be5093c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bd8b082b7711bc980252f988bb0ca936	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bdc5e16aec2c3796fb879a5c260d6ca9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bdd2ad4c0e1e5667d117810ae9e36c4b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+be58ff564c854be419a19a030af25c86	Intel::FILE_HASH	Mandiant Apt1 Report	T
+be74bf5afd4ba64cc8ce237307e9254d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bebbbc50a561681f48d174d6b7c2824e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bee9b7835a02973678e9ead683da1ac4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bf0d5aff9c1f33e089c9c85f03c6ba8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bf0ee4367ea32f8e3b911c304258e439	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bf80dbf969b73790253f683cd723fd71	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bf9aeefc53d97bb23d35d47986504cef	Intel::FILE_HASH	Mandiant Apt1 Report	T
+bfcae0468de0c7bcf92e9989589082f1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c0134285a276ab933e2a2b9b33b103cd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c044715c2626ab515f6c85a21c47c7dd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c04c796ef126ad7429be7d55720fe392	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c0a33a1b472a8c16123fd696a5ce5ebb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c0a494e643c42a89d5bf718ea274df04	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c110f08399c5dca64d7dc4539eb82083	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c116f5f89e24c7de3ea9cae83b7fc829	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c1bd23ece59e36143d80f7eec0e38c52	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c21591aa72ac72872f5bd05bbca5e4da	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c2a79bb15a31fd6584d9bf0891673d14	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c2e06531a2e6de3c1b7d18b14af53fdf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c2fa9f567fd34fb14fee6a38b6644ff9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c307bad133cc160a0129fda4c57e0f52	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c30c7fa2eb06fc8c9ebbe955abe26edd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c39bc83c16f9db8a7c43a966048bca7b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c39e272e9ea15d61e0c8e6b749a1ad46	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c3af09a9fc487314eb4c9fe92a01845a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c3dbd79adfa21706f5451cc68331d31e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c3de028cbc5aa0934008d95689d5f334	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c3e5603a38e700274d1ab30ce93d08b9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c4188c3bb6982d41aa783c499113a8e3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c41e44045cebebfba234063de8fd7c4d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c425b8782075da33cba5aae5ad612582	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c4c638750526e28f68d6d71fd1266bdf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c4f144febf16ff8f36df15353d5347ce	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c53332a5bf112f03ed22b06d85140626	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c65617a4eedb8e0369ef8fe58ce20a02	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c69a708a2a8e4581dd95f90da3833840	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c6a29993234488fcbdcf45668eac9c47	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c6a4bb1a4e4f69ec71855d70d6960859	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c72edb12880a9af12b439a7a2d0584c1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c763e041c8e85c195ade90e120338be7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c799e1d25839e1efb2b3d42d6d6efd26	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c7b48b6965642b504f6f36933762df8a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c8d2b7f92fff545b3b19e9b1e1057071	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c9172b3e83c782bc930c06b628f31fa5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c91eacab7655870764d13ba741aa9a73	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c99fa835350aa9e2427ce69323b061a9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+c9f77569aa98f71cc42644d66d9f371c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ca27a87928443e21dc279008008018ba	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ca327bc83fbe38b3689cd1a5505dfc33	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ca68ccc887cfe5d2194f6a4d3101ae66	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ca6fe7a1315af5afeac2961460a80569	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ca899eda2c32e7d305272dd48bc8e1e1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ca9c1f8d709ed34d388dc7cba2bd7602	Intel::FILE_HASH	Mandiant Apt1 Report	T
+caf33d1e15953c0e782846e1709498f6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cb15768a3e5c86d22289dcefec56d8a2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cb3a9d7505be48019e242fbccc7e5f6b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cb3c5c3f53ecb2cb656fb0f4b8de03f6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cc0b9bf4ea738d63f06bfe411460412b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cc17fe9f2d254ad28d050bf5c1df983d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cc3a9a7b026bfe0e55ff219fd6aa7d94	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cc7c8aba24c66373502ba5934696b7b6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cca290cd2abe96392378b71e9835ce06	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ccfb7a84bb87cc8f86ddd260ad38ed5b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cd2102c5db1ed828a9c196448c40af3e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cd4674e2b7be30121a46a053205472a8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cd677f9ede43b4b86b421db249c0e020	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cd6c1dbf08d8864b382678284ef13358	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ce003a75c85627cbc7e6eb39beff0722	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cf038194f0fe222f31ec24cb80941bb1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cf9c2d5a8fbdd1c5adc20cfc5e663c21	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cfc6112254a69030521d0d2bba152d4d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cfce9478c880934b3548c3022a956e14	Intel::FILE_HASH	Mandiant Apt1 Report	T
+cfe738fcc07b9ece6a11c3390d43b5df	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d0d5a20c5a6c4fddab4d43b85632b6a9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d0fb18b1e1f642f595a4746826350c21	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d16947b200afa74a917f055597b772c0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d197c388184fef263b7944a7186bc6db	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d1a18c7de189170c588e7128ec3f8453	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d20f0fbd001fd30610c3317fd3c6f7c0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d22863c5e6f098a4b52688b021beef0a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d25be76b6d871a26eec08ad1bee0273d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d262cb8267beb0e218f6d11d6af9052e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d263fed2e1c18f2cb439afcef0cd1b45	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d271ae0f4e9230af3b61eafe7f671fde	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d2c616bf238fc18f9ea0a1643bd2d4bc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d2f1be7e10ed39aa8bc0f7f671d824d2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d3358ed4001ec0366fa23fe82759df2a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d34e357461c55d90c52309c1ff952b4c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d3f9d4bc51db1e602093e3003fc789d9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d41c6005a75a6d28480d63f540d36c70	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d47b04327157fb188c0e81886e346c48	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d4ba6430996fb4021241efc97c607504	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d4c1bfc5cd3e33643a562696d5d29bf2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d4c7f1f80883412f9796f1270accff50	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d5e56f7da9d2a78e49d3d0685e9613ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d5fd1ce9189cd54f157d691e317c0821	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d60ee4a39667a733c075bb7f7b36285a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d62cd4ad2a919b6acfa6d49d446dffdb	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d6a01b61f490488d61dfb9376186d844	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d74b169e98dd16d0f3af0dc770dffac0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d751c7f7d2eab52c43ab31312e229307	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d76ea982d614c66c5faa36ab5fdd8b41	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d776379bda9fdf695d6a54db8a5b4c72	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d7796209412da17b2ee2ccf2309b4abf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d7aa32b7465f55c368230bb52d52d885	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d802a0c3e0c3dcac43877bd488f2b042	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d8238e950608e5aba3d3e9e83e9ee2cc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d8315c114107b7418c32f85e263766b7	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d8b7b276710127d233abcdb7313aac36	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d8fdd9cfca25315635378dd2564094ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d915f1c6792eed61dddb30e512e6c202	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d9b1c95fb4424cf69a0ac8e40b3ab39b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d9c4ebd61c1aee52b3597aae048a592f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d9fb6620e4402764bbf2088de02898ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+d9fbf759f527af373e34673dc3aca462	Intel::FILE_HASH	Mandiant Apt1 Report	T
+da383cc098a5ea8fbb87643611e4bfb6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+da52e6701c9eba92459c6be28efdba74	Intel::FILE_HASH	Mandiant Apt1 Report	T
+da5ff7927d608d7ccc7495939d457bd3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+da60673b4f2a4660d2734a16a832282f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+da6b0ee7ec735029d1ff4fa863a71de8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+db05df0498b59b42a8e493cf3c10c578	Intel::FILE_HASH	Mandiant Apt1 Report	T
+db2580f5675f04716481b24bb7af468e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+db50416d9e67f4982e89e0ffb0ade6f3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+db5805604f84b7303fa04feb18ce8271	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dba356a4726b94731e6ea97aa73cfc3f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dbdd2a9c86e71ba0c9953ff4f89cc25b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dc059121677ec7a038589cda28cbcc49	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dc1cff84900afc9d292b305f9b9aae34	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dc373f011e86d5528ca4824bb287c406	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dc78fd49b7f39fa3bb06b927e8413dd0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dcb90efe7e09d6900242af25aeca7b73	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dd1222f96024ac28179c7508e4193285	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dd1bede0e42d26fd2439a6e48547023c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dd21d1ea2146861a4219b1cbdaefe59b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ddf3db31f9fa21cd43ff19dde393aba8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+de016572ade175d37cfbfabe8174391a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+df4da15796910690b05e393561b86fa1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+df5c89d49ef8997c9b5abd8f808298c8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dff4d874b2bfc64a4d1805959c379074	Intel::FILE_HASH	Mandiant Apt1 Report	T
+dffd04ea26c03d3f6c67e10405abc5ad	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e06145fccac413d8c753bc822619945c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e0c4cbf3ed293e8a8df3f3987b42caac	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e0fc0fae758d7c6091cdb11d5ef98e0e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e1b6940985a23e5639450f8391820655	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e22f2e9ee73ab8b12ee5069f7e39a615	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e24e889e826df04f552e0d133548b693	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e43040ede0645a38ea5a35c26192126f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e476e4a24f8b4ff4c8a0b260aa35fc9f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e480c8839e819eaa9b19d53acfa95052	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e4a9b8993e55e3d0ba355b13d1f27a2e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e4be1e46775081b1d5405b3dd7dd1c64	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e50af782414228e52e59bcbe518b1966	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e5237615fde0977c0ea3626fba609ab8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e54ce5f0112c9fdfe86db17e85a5e2c5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e55f7d80d99b6aacb0c8d9ed46856d25	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e56e4b20ef6dc09d29be49481bd29561	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e649f31f7f3a7b15ce1290e8d096c058	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e64d657ce32118b415fa91dc05037c4c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e65c0b3f4dd2f3c9f728077ed1e48f7e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e65db662e449cab03a6c1ac51af41360	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e689b1fb0610b752f42adafc403fa49f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e6c25f9994b723d39c785ddfd38a31b8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e6ff0431a9a9028808efc582405ea7df	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e7f728e3bce0e59c3ba973545a3b3a92	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e83f60fb0e0396ea309faf0aed64e53f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+e9df2f69ed3d9c895ad9d399eaff1bc8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea1b44094ae4d8e2b63a1771a3e61fd5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea3155748f9788b741b6799691250579	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea34b72cbeb07aaac2398704c3ca6b0f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea47431d832faff7802710dae0abb0d3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea502cd3504e74bac454835bd23e019b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea7309fa59e9347a0715f164edf6b200	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea7aeea782173eb19ef880c6a54456f2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ea8b6c2c083d6b7b2b6ebc015b0488ca	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eb0c8b05ee6a4334f45968cf45656597	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eb50c166074ae4f13cfea362dc7b668a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eb61cedc9793226a66e4611e6ea25d7f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ebf8eebe3aa218dea5e3f0b2222267b0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ec09d3b72b282872db4afb0cc9ba7d9d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ec3a2197ca6b63ee1454d99a6ae145ab	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ec63f49236858c85168da81c1ac7802a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ec82a53f44511ac09e916bde02cddef0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ec8aa67b05407c01094184c33d2b5a44	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ec8c89aa5e521572c74e2dd02a4daf78	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eca18e3872fd32f17410167871fbd1d2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ecf18654e4a2668fb8b2e3db144809af	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ecf900c9d743631b59442240ac4ce9da	Intel::FILE_HASH	Mandiant Apt1 Report	T
+edb4faeee6542572aff2ec1b6affbd28	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eef298d0bc5b8c89f582e48556d77b6a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eef80511aa490b2168ed4c9fa5eafef0	Intel::FILE_HASH	Mandiant Apt1 Report	T
+eefa8d6c9a26dcc13604b11bbe5635c1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ef0a6c79f99a537f932a5e64999972b3	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ef29229f7b633f634db3a5c49a3f4a1c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ef349196b0ffef5a02d30413c8dffc7c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ef6c375e3e6930e2b50e1e97fe6fbcc9	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ef8e0fb20e7228c7492ccdc59d87c690	Intel::FILE_HASH	Mandiant Apt1 Report	T
+efc2025431e7ec8f8784fe81389c77cf	Intel::FILE_HASH	Mandiant Apt1 Report	T
+effa99ea879e5be518f242d5820be070	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f02abd537e481109142b6170933d1b3d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f07ac0b4301fccbae233a44e07a2a634	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f0bab119faa296c680a10ba81693915e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f0d2ad2002557a86ecc780bf938b6dfd	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f113e1c754679164b0e137449b7631cc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f172ff6b65140f342e6ee51966ea3c4c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f1ad5daacace5d4a7b18a03132ec2716	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f1db65d3c48ad5a9d1576aefdca036d1	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f1e5d9bf7705b4dc5be0b8a90b73a863	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f1eea61e49a3f86e95836d1c9f67e074	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f2009007bd6718582ad62ad29b742f6b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f2693de8b687c20aca98bfc1c5aa5b38	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f3611c5c793f521f7ff2a69c22d4174e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f38e76417c0f87322d55062428283e58	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f3b54c188185ee0921848b3a6ad4751e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f3f2881a1cf3f81f1ecd952ccb616504	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f445b22897a27ac5852ee19589bea8c2	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f4bea18e9d38ab9fa7c1cf6eea2bdc79	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f4ed3b7a8a58453052db4b5be3707342	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f4f8067d501bfef385274912d2a833b5	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f627990bbe2ec5c48c180f724490c332	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f6549d4a4097bac446acf8b31d250d2e	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f65eee78ac150924cd37c7f1f3c96518	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f6655e39465c2ff5b016980d918ea028	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f67357d9fa1c3014050f2feefd39c784	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f7c63592ffb87b81ce45c89d207e9403	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f7f85d7f628ce62d1d8f7b39d8940472	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f802b6e448c054c9c16b97ff85646825	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f81991fab3b7d58d66629e26d21176ed	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f8437e44748d2c3fcf84019766f4e6dc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f8892c6dacbf7ac756abb361e48bbc82	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f904ea9bc8e2d7ce13a6007183da5957	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f9a46d5024c05a827912a89ca270c553	Intel::FILE_HASH	Mandiant Apt1 Report	T
+f9ed623f13481da16a97aeacdca646dc	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fa11cb78f53db2d2718d536d4bd20b85	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fa66312d7e2ed95814f30871cae61d7c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fab6b0b33d59f393e142000f128a9652	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fab7c555a511f4d4e318817455bbb75a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fad92f849e3bbfab211af339eb6a8d66	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fade2270a6c7cb47893ac600a9a0509f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fae6eaf695af058af4b8dfee0709bf51	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fb671e6de6e301c892d2fdaa58f9cd9a	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fbde5068f85ce0aac2e9ff387b5f8c06	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fc1937c1aa536b3744ebdfb1716fd54d	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fc50743af221ccbff7b7c7ec378117f4	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fc89424a2d33ea5af3f49b02e743773b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fc9d20d555a88fc827f3a2bfec4dfa36	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fcdaa67e33357f64bc4ce7b57491fc53	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fd37fa026747059559197461aa7c63e6	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fdef1329ae626656c8389f82c4f9ad38	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fe5ba680a96757ff232d4bad9c0db2b8	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fe8ff84a23feb673a59d8571575fee0b	Intel::FILE_HASH	Mandiant Apt1 Report	T
+feb406ff01d9fd5abc5ea079e0543e31	Intel::FILE_HASH	Mandiant Apt1 Report	T
+fefa3638e4d6f2e00b5194ae3fa0c931	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ff085d421518772ce2df75282363279f	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ff9aa093a37819af65a06046ea0c830c	Intel::FILE_HASH	Mandiant Apt1 Report	T
+ffcc7271e951055f12b61f520ce1e4c7	Intel::FILE_HASH	Mandiant Apt1 Report	T
diff --git a/salt/zeek/policy/securityonion/conn-add-sensorname.bro b/salt/zeek/policy/securityonion/conn-add-sensorname.bro
new file mode 100644
index 000000000..0fbe50297
--- /dev/null
+++ b/salt/zeek/policy/securityonion/conn-add-sensorname.bro
@@ -0,0 +1,10 @@
+global sensorname = "{{ grains.host }}";
+
+redef record Conn::Info += {
+	sensorname: string &log &optional;
+};
+
+event connection_state_remove(c: connection)
+	{
+	c$conn$sensorname = sensorname;
+	}
diff --git a/salt/zeek/policy/securityonion/file-extraction/__load__.zeek b/salt/zeek/policy/securityonion/file-extraction/__load__.zeek
new file mode 100644
index 000000000..b2707c803
--- /dev/null
+++ b/salt/zeek/policy/securityonion/file-extraction/__load__.zeek
@@ -0,0 +1 @@
+@load ./extract
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
new file mode 100644
index 000000000..7f0f1c902
--- /dev/null
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -0,0 +1,21 @@
+global ext_map: table[string] of string = {
+    ["application/x-dosexec"] = "exe",
+    ["text/plain"] = "txt",
+    ["image/jpeg"] = "jpg",
+    ["image/png"] = "png",
+    ["text/html"] = "html",
+} &default ="";
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+    {
+    if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
+        return;
+
+    local ext = "";
+
+    if ( meta?$mime_type )
+        ext = ext_map[meta$mime_type];
+
+    local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+    }
diff --git a/salt/zeek/policy/securityonion/json-logs/__load__.bro b/salt/zeek/policy/securityonion/json-logs/__load__.bro
new file mode 100644
index 000000000..780208248
--- /dev/null
+++ b/salt/zeek/policy/securityonion/json-logs/__load__.bro
@@ -0,0 +1,3 @@
+@load tuning/json-logs
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+redef LogAscii::use_json = T;
diff --git a/setup/functions.sh b/setup/functions.sh
index 98e2a1d81..e0fb60b0f 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -424,7 +424,9 @@ docker_install() {
 #      if [ $INSTALLTYPE != 'EVALMODE'  ]; then
 #        docker_registry >> $SETUPLOG 2>&1
 #      fi
-      docker_registry
+      docker_registry >> $SETUPLOG 2>&1
+      echo "Seeding the registry. This can take a bit" >> $SETUPLOG 2>&1
+      docker_seed_registry >> $SETUPLOG 2>&1
       echo "Restarting Docker" >> $SETUPLOG 2>&1
       systemctl restart docker >> $SETUPLOG 2>&1
     else
@@ -433,6 +435,8 @@ docker_install() {
       apt-get update >> $SETUPLOG 2>&1
       apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
       docker_registry >> $SETUPLOG 2>&1
+      echo "Seeding the registry. This can take a bit" >> $SETUPLOG 2>&1
+      docker_seed_registry >> $SETUPLOG 2>&1
       echo "Restarting Docker" >> $SETUPLOG 2>&1
       systemctl restart docker >> $SETUPLOG 2>&1
     fi
@@ -452,6 +456,54 @@ docker_registry() {
 
 }
 
+docker_seed_registry() {
+  VERSION="HH1.1.4"
+  TRUSTED_CONTAINERS=( \
+  "so-auth-api:$VERSION" \
+  "so-auth-ui:$VERSION" \
+  "so-core:$VERSION" \
+  "so-thehive-cortex:$VERSION" \
+  "so-curator:$VERSION" \
+  "so-domainstats:$VERSION" \
+  "so-elastalert:$VERSION" \
+  "so-elasticsearch:$VERSION" \
+  "so-filebeat:$VERSION" \
+  "so-fleet:$VERSION" \
+  "so-fleet-launcher:$VERSION" \
+  "so-freqserver:$VERSION" \
+  "so-grafana:$VERSION" \
+  "so-idstools:$VERSION" \
+  "so-influxdb:$VERSION" \
+  "so-kibana:$VERSION" \
+  "so-logstash:$VERSION" \
+  "so-mysql:$VERSION" \
+  "so-navigator:$VERSION" \
+  "so-playbook:$VERSION" \
+  "so-redis:$VERSION" \
+  "so-sensoroni:$VERSION" \
+  "so-soctopus:$VERSION" \
+  "so-steno:$VERSION" \
+  #"so-strelka:$VERSION" \
+  "so-suricata:$VERSION" \
+  "so-telegraf:$VERSION" \
+  "so-thehive:$VERSION" \
+  "so-thehive-es:$VERSION" \
+  "so-wazuh:$VERSION" \
+  "so-zeek:$VERSION" )
+
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $MSRV:5000/soshybridhunter/$i
+    docker push $MSRV:5000/soshybridhunter/$i
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+  done
+}
+
 es_heapsize() {
 
   # Determine ES Heap Size
@@ -646,6 +698,7 @@ master_static() {
   touch /opt/so/saltstack/pillar/static.sls
 
   echo "static:" > /opt/so/saltstack/pillar/static.sls
+  echo "  soversion: 1.1.4" >> /opt/so/saltstack/pillar/static.sls
   echo "  hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
   echo "  ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
   echo "  proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls

From 385644757c85fd97c64b370b9d8a7b1c9c128b5e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 15:52:58 -0500
Subject: [PATCH 053/188] Switch to Zeek and download registry

---
 salt/zeek/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index f46d5dbc1..90c07c7ea 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,5 +1,5 @@
-{%- set VERSION = salt['pillar.get']('static:soversion', '1.1.4') -%}
-{%- set MASTER = salt['grains.get']('master') -%}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # Zeek Salt State
 # Add Zeek group
 zeekgroup:

From 8e7b2bc888c443da47e26bb480b16da08d412f82 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 20:57:03 +0000
Subject: [PATCH 054/188] remove double bash declaration

---
 salt/common/tools/sbin/so-allow | 1 -
 1 file changed, 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index d76ddc83e..d24350611 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,5 +1,4 @@
 #!/bin/bash
-#!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #

From 28905a43191cdc13911d5b83e7ce320c45ae3e52 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:07:08 -0500
Subject: [PATCH 055/188] Fix docker seed

---
 setup/functions.sh | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index e0fb60b0f..dd476bd9e 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -409,21 +409,24 @@ docker_install() {
     yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
     yum -y update
     yum -y install docker-ce python36-docker
-#    if [ $INSTALLTYPE != 'EVALMODE' ]; then
-#      docker_registry
-#    fi
-    docker_registry
-    echo "Restarting Docker" >> $SETUPLOG 2>&1
-    systemctl restart docker
-    systemctl enable docker
+    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+      docker_registry
+      echo "Restarting Docker" >> $SETUPLOG 2>&1
+      systemctl restart docker
+      systemctl enable docker
+      docker_seed_registry >> $SETUPLOG 2>&1
+    else
+      docker_registry
+      echo "Restarting Docker" >> $SETUPLOG 2>&1
+      systemctl restart docker
+      systemctl enable docker
+    fi
 
   else
+
     if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
       apt-get update >> $SETUPLOG 2>&1
       apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
-#      if [ $INSTALLTYPE != 'EVALMODE'  ]; then
-#        docker_registry >> $SETUPLOG 2>&1
-#      fi
       docker_registry >> $SETUPLOG 2>&1
       echo "Seeding the registry. This can take a bit" >> $SETUPLOG 2>&1
       docker_seed_registry >> $SETUPLOG 2>&1

From 1338f7125fcbf25eefb9bf794b8ec775110c968b Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 21:12:33 +0000
Subject: [PATCH 056/188] update Wazuh init for whitelist

---
 salt/wazuh/init.sls | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 5825ed7d5..76d3fb1b4 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -62,6 +62,15 @@ wazuhagentregister:
     - mode: 755
     - template: jinja
 
+wazuhmgrwhitelist:
+   file.managed:
+    - name: /usr/sbin/wazuh-manager-whitelist
+    - source: salt://wazuh/files/wazuh-manager-whitelist
+    - user: 0
+    - group: 0
+    - mode: 755
+    - template: jinja
+
 so-wazuhimage:
  cmd.run:
    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.4
@@ -87,3 +96,9 @@ registertheagent:
     - name: /usr/sbin/wazuh-register-agent
     - cwd: /
     #- stateful: True
+
+# Whitelist manager IP
+whitelistmanager:
+  cmd.run:
+    - name: /usr/sbin/wazuh-manager-whitelist
+    - cwd: /

From a960083d6e558361fc5eb57521acd7da37478f51 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 21:13:28 +0000
Subject: [PATCH 057/188] add Wazuh manager whitelist script

---
 salt/wazuh/files/wazuh-manager-whitelist | 33 ++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 salt/wazuh/files/wazuh-manager-whitelist

diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
new file mode 100644
index 000000000..0cf675f5c
--- /dev/null
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -0,0 +1,33 @@
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+      WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+      if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
+              DATE=`date`
+              sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+              sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+              echo -e "<!--Address {{ MASTERIP }} added by setup on "$DATE"-->\n  <global>\n    <white_list>{{ MASTERIP }}</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+              echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG."
+              echo
+              echo "Restarting OSSEC Server..."
+              /usr/sbin/so-wazuh-restart
+      fi
+fi
+

From 4d2822477451637110de4e59147e3b30569a0b5a Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:14:53 -0500
Subject: [PATCH 058/188] Fix Variable for registry

---
 setup/functions.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index dd476bd9e..4f712f977 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -500,8 +500,8 @@ docker_seed_registry() {
     echo "Downloading $i"
     docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
     # Tag it with the new registry destination
-    docker tag soshybridhunter/$i $MSRV:5000/soshybridhunter/$i
-    docker push $MSRV:5000/soshybridhunter/$i
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
     echo "Removing $i locally"
     docker rmi soshybridhunter/$i
   done

From ed3c2b1bac6246a99a0af63cd3e037de40d2ffe1 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:33:20 -0500
Subject: [PATCH 059/188] Break out registry

---
 .../registry => registry/etc}/config.yml      |  1 -
 salt/registry/init.sls                        | 40 +++++++++++++++++++
 salt/top.sls                                  |  4 +-
 setup/so-setup.sh                             |  2 +
 4 files changed, 45 insertions(+), 2 deletions(-)
 rename salt/{master/files/registry => registry/etc}/config.yml (99%)
 create mode 100644 salt/registry/init.sls

diff --git a/salt/master/files/registry/config.yml b/salt/registry/etc/config.yml
similarity index 99%
rename from salt/master/files/registry/config.yml
rename to salt/registry/etc/config.yml
index db9f9c32b..d25a034b0 100644
--- a/salt/master/files/registry/config.yml
+++ b/salt/registry/etc/config.yml
@@ -21,4 +21,3 @@ health:
     threshold: 3
 proxy:
   remoteurl: https://registry-1.docker.io
-
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
new file mode 100644
index 000000000..f6f5a0a1c
--- /dev/null
+++ b/salt/registry/init.sls
@@ -0,0 +1,40 @@
+# Create the config directory for the docker registry
+dockerregistryconfdir:
+  file.directory:
+    - name: /opt/so/conf/docker-registry/etc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+dockerregistrydir:
+  file.directory:
+    - name: /nsm/docker/registry
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+dockerregistrylogdir:
+  file.directory:
+    - name: /opt/so/log/docker-registry
+    - user: 939
+    - group: 939
+    - makedirs: true
+
+# Copy the config
+dockerregistryconf:
+  file.managed:
+    - name: /opt/so/conf/docker-registry/etc/config.yml
+    - source: salt://master/files/registry/config.yml
+
+# Install the registry container
+so-dockerregistry:
+  docker_container.running:
+    - image: registry:2
+    - hostname: so-registry
+    - port_bindings:
+      - 0.0.0.0:5000:5000
+    - binds:
+      - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
+      - /opt/so/conf/docker-registry:/var/lib/registry:rw
+      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
+      - /etc/pki/registry.key:/etc/pki/registry.key:ro
diff --git a/salt/top.sls b/salt/top.sls
index 265214216..a632104e7 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -43,10 +43,11 @@ base:
   'G@role:so-eval':
     - ca
     - ssl
+    - registry
+    - master
     - common
     - sensoroni
     - firewall
-    - master
     - idstools
     {%- if OSQUERY != 0 %}
     - mysql
@@ -84,6 +85,7 @@ base:
   'G@role:so-master':
     - ca
     - ssl
+    - registry
     - common
     - cyberchef
     - sensoroni
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 671eb2eb7..9947e983e 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -364,6 +364,7 @@ if (whiptail_you_sure) ; then
       salt_checkin >> $SETUPLOG 2>&1
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply registry >> $SETUPLOG 2>&1
       echo -e "XXX\n43\nInstalling Common Components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1
       echo -e "XXX\n45\nApplying firewall rules... \nXXX"
@@ -603,6 +604,7 @@ if (whiptail_you_sure) ; then
       salt_checkin >> $SETUPLOG 2>&1
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply registry >> $SETUPLOG 2>&1
       salt-call state.apply master >> $SETUPLOG 2>&1
       echo -e "XXX\n15\nInstalling core components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1

From b69249b2c07d3a342f8ec399ad1505875711bbef Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:35:37 -0500
Subject: [PATCH 060/188] Break out registry

---
 setup/so-setup.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 9947e983e..ee44651bd 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -365,6 +365,8 @@ if (whiptail_you_sure) ; then
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
       salt-call state.apply registry >> $SETUPLOG 2>&1
+      echo "Seeding Repo"
+      docker_seed_registry >> $SETUPLOG 2>&1
       echo -e "XXX\n43\nInstalling Common Components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1
       echo -e "XXX\n45\nApplying firewall rules... \nXXX"
@@ -605,6 +607,8 @@ if (whiptail_you_sure) ; then
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
       salt-call state.apply registry >> $SETUPLOG 2>&1
+      echo "Seeding Repo"
+      docker_seed_registry >> $SETUPLOG 2>&1
       salt-call state.apply master >> $SETUPLOG 2>&1
       echo -e "XXX\n15\nInstalling core components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1

From e92fcdc67ca50744b96cc3d284a3b40323606036 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:42:35 -0500
Subject: [PATCH 061/188] Need Firewalls

---
 setup/so-setup.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index ee44651bd..6eb6df55a 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -364,6 +364,7 @@ if (whiptail_you_sure) ; then
       salt_checkin >> $SETUPLOG 2>&1
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
       salt-call state.apply registry >> $SETUPLOG 2>&1
       echo "Seeding Repo"
       docker_seed_registry >> $SETUPLOG 2>&1
@@ -606,6 +607,7 @@ if (whiptail_you_sure) ; then
       salt_checkin >> $SETUPLOG 2>&1
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
       salt-call state.apply registry >> $SETUPLOG 2>&1
       echo "Seeding Repo"
       docker_seed_registry >> $SETUPLOG 2>&1

From a5421982898e39f37a60734b2b91132e2a16e33c Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:48:28 -0500
Subject: [PATCH 062/188] Need Firewalls

---
 setup/functions.sh | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 4f712f977..ff33db020 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -428,8 +428,6 @@ docker_install() {
       apt-get update >> $SETUPLOG 2>&1
       apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
       docker_registry >> $SETUPLOG 2>&1
-      echo "Seeding the registry. This can take a bit" >> $SETUPLOG 2>&1
-      docker_seed_registry >> $SETUPLOG 2>&1
       echo "Restarting Docker" >> $SETUPLOG 2>&1
       systemctl restart docker >> $SETUPLOG 2>&1
     else
@@ -438,8 +436,6 @@ docker_install() {
       apt-get update >> $SETUPLOG 2>&1
       apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
       docker_registry >> $SETUPLOG 2>&1
-      echo "Seeding the registry. This can take a bit" >> $SETUPLOG 2>&1
-      docker_seed_registry >> $SETUPLOG 2>&1
       echo "Restarting Docker" >> $SETUPLOG 2>&1
       systemctl restart docker >> $SETUPLOG 2>&1
     fi

From d73c3159e71d19e922cf9aa31ad2fc75bbfae673 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 16:55:19 -0500
Subject: [PATCH 063/188] Need Firewalls

---
 setup/functions.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index ff33db020..39d788637 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -414,7 +414,6 @@ docker_install() {
       echo "Restarting Docker" >> $SETUPLOG 2>&1
       systemctl restart docker
       systemctl enable docker
-      docker_seed_registry >> $SETUPLOG 2>&1
     else
       docker_registry
       echo "Restarting Docker" >> $SETUPLOG 2>&1

From bfed2a9638d6e1172e361576e308fac08a9098b1 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 13 Jan 2020 17:02:39 -0500
Subject: [PATCH 064/188] Need Firewalls

---
 salt/registry/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index f6f5a0a1c..611f4cb5f 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -24,7 +24,7 @@ dockerregistrylogdir:
 dockerregistryconf:
   file.managed:
     - name: /opt/so/conf/docker-registry/etc/config.yml
-    - source: salt://master/files/registry/config.yml
+    - source: salt://registry/etc/config.yml
 
 # Install the registry container
 so-dockerregistry:

From 4917a7284db6980cb28ae6d2d0e0e1409d2973a4 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 13 Jan 2020 22:19:15 +0000
Subject: [PATCH 065/188] add initial replay wrappers

---
 salt/common/tools/sbin/so-tcpreplay         | 28 +++++++++++++++++++++
 salt/common/tools/sbin/so-tcpreplay-restart | 21 ++++++++++++++++
 salt/common/tools/sbin/so-tcpreplay-start   | 20 +++++++++++++++
 salt/common/tools/sbin/so-tcpreplay-stop    | 21 ++++++++++++++++
 4 files changed, 90 insertions(+)
 create mode 100755 salt/common/tools/sbin/so-tcpreplay
 create mode 100755 salt/common/tools/sbin/so-tcpreplay-restart
 create mode 100755 salt/common/tools/sbin/so-tcpreplay-start
 create mode 100755 salt/common/tools/sbin/so-tcpreplay-stop

diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay
new file mode 100755
index 000000000..69cee2f68
--- /dev/null
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
+REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
+
+if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
+   docker cp so-tcpreplay:/opt/samples /opt/samples
+   docker exec -it so-tcpreplay /usr/bin/tcpreplay -i bond0 -M10 $1
+else
+  echo "Replay functionality not enabled!  To enable, run `so-tcpreplay-start`"
+  echo
+  echo "Note that you will need internet access to download the appropiriate components"
+fi
diff --git a/salt/common/tools/sbin/so-tcpreplay-restart b/salt/common/tools/sbin/so-tcpreplay-restart
new file mode 100755
index 000000000..61e9016d0
--- /dev/null
+++ b/salt/common/tools/sbin/so-tcpreplay-restart
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart tcreplay $1
+
diff --git a/salt/common/tools/sbin/so-tcpreplay-start b/salt/common/tools/sbin/so-tcpreplay-start
new file mode 100755
index 000000000..e6886b80c
--- /dev/null
+++ b/salt/common/tools/sbin/so-tcpreplay-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start tcpreplay $1
diff --git a/salt/common/tools/sbin/so-tcpreplay-stop b/salt/common/tools/sbin/so-tcpreplay-stop
new file mode 100755
index 000000000..d12014260
--- /dev/null
+++ b/salt/common/tools/sbin/so-tcpreplay-stop
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop tcpreplay $1
+

From 348dbb752a6a683091b2c018bf88101fc7454e50 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 14 Jan 2020 13:48:57 +0000
Subject: [PATCH 066/188] source so-common

---
 salt/common/tools/sbin/so-allow | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index d24350611..c6b756cd1 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -15,20 +15,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+. /usr/sbin/so-common
+
 SKIP=0
 
-got_root() {
-
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
-
-}
-
-got_root
-
 while getopts "abowi:" OPTION
 do
     case $OPTION in

From 2055350cec113280544443474482057960572404 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 09:02:45 -0500
Subject: [PATCH 067/188] Fix saltid conflict

---
 salt/master/init.sls | 37 +------------------------------------
 1 file changed, 1 insertion(+), 36 deletions(-)

diff --git a/salt/master/init.sls b/salt/master/init.sls
index c6e11279d..8bd4d3d3c 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -24,7 +24,7 @@ socore_own_saltstack:
     - group: socore
     - recurse:
       - user
-      - group	
+      - group
 
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
@@ -73,39 +73,4 @@ so-aptcacherng:
       - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
       - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
 
-
-# Create the config directory for the docker registry
-dockerregistryconfdir:
-  file.directory:
-    - name: /opt/so/conf/docker-registry/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-dockerregistrylogdir:
-  file.directory:
-    - name: /opt/so/log/docker-registry
-    - user: 939
-    - group: 939
-    - makedirs: true
-
-# Copy the config
-dockerregistryconf:
-  file.managed:
-    - name: /opt/so/conf/docker-registry/etc/config.yml
-    - source: salt://master/files/registry/config.yml
-
-# Install the registry container
-so-dockerregistry:
-  docker_container.running:
-    - image: registry:2
-    - hostname: so-registry
-    - port_bindings:
-      - 0.0.0.0:5000:5000
-    - binds:
-      - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
-      - /opt/so/conf/docker-registry:/var/lib/registry:rw
-      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
-      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-
 {% endif %}

From ae55b590481b1ca42eabda409b5873259bf9066d Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 10:11:26 -0500
Subject: [PATCH 068/188] Switch to using images in registry

---
 salt/common/init.sls                |   34 +-
 salt/curator/init.sls               |   10 +-
 salt/elastalert/init.sls            |   11 +-
 salt/elasticsearch/init.sls         |   98 +-
 salt/filebeat/init.sls              |   21 +-
 salt/fleet/init.sls                 |   10 +-
 salt/hive/init.sls                  |   10 +-
 salt/idstools/init.sls              |   11 +-
 salt/kibana/init.sls                |   25 +-
 salt/logstash/init.sls              |   12 +-
 salt/master/init.sls                |   11 +-
 salt/mysql/init.sls                 |   10 +-
 salt/pcap/init.sls                  |   13 +-
 salt/playbook/init.sls              |   18 +-
 salt/redis/init.sls                 |   12 +-
 salt/sensoroni/init.sls             |   11 +-
 salt/soctopus/init.sls              |   11 +-
 salt/suricata/init.sls              |   12 +-
 salt/syslog-ng/files/patterndb.xml  | 2333 ---------------------------
 salt/syslog-ng/files/syslog-ng.conf |  243 ---
 salt/syslog-ng/init.sls             |   18 -
 salt/tcpreplay/init.sls             |   12 +-
 salt/top.sls                        |    6 +-
 salt/wazuh/init.sls                 |   11 +-
 setup/so-setup.sh                   |    4 +-
 25 files changed, 76 insertions(+), 2891 deletions(-)
 delete mode 100644 salt/syslog-ng/files/patterndb.xml
 delete mode 100644 salt/syslog-ng/files/syslog-ng.conf
 delete mode 100644 salt/syslog-ng/init.sls

diff --git a/salt/common/init.sls b/salt/common/init.sls
index 74256dabb..3ba2f1b11 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
@@ -114,16 +116,9 @@ nginxtmp:
     - group: 939
     - makedirs: True
 
-# Start the core docker
-so-coreimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
-
 so-core:
   docker_container.running:
-    - require:
-      - so-coreimage
-    - image: docker.io/soshybridhunter/so-core:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }}
     - hostname: so-core
     - user: socore
     - binds:
@@ -175,15 +170,9 @@ tgrafconf:
     - template: jinja
     - source: salt://common/telegraf/etc/telegraf.conf
 
-so-telegrafimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
 so-telegraf:
   docker_container.running:
-    - require:
-      - so-telegrafimage
-    - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
+    - image: {{ MASTER }}/soshybridhunter/so-telegraf:HH{{ VERSION }}
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc
@@ -236,15 +225,9 @@ influxdbconf:
     - template: jinja
     - source: salt://common/influxdb/etc/influxdb.conf
 
-so-influximage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
 so-influxdb:
   docker_container.running:
-    - require:
-      - so-influximage
-    - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
+    - image: {{ MASTER }}/soshybridhunter/so-influxdb:HH{{ VERSION }}
     - hostname: influxdb
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -400,14 +383,9 @@ dashboard-{{ SN }}:
 {% endfor %}
 {% endif %}
 
-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
 so-grafana:
   docker_container.running:
-    - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }}
     - hostname: grafana
     - user: socore
     - binds:
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 74dd47a99..f846ff8ae 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
 # Curator
 # Create the group
@@ -112,15 +114,9 @@ curdel:
    - month: '*'
    - dayweek: '*'
 
-so-curatorimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-curator:HH1.1.0
-
 so-curator:
   docker_container.running:
-    - require:
-      - so-curatorimage
-    - image: docker.io/soshybridhunter/so-curator:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }}
     - hostname: curator
     - name: so-curator
     - user: curator
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 999bbbd91..c5ba0d21b 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}
 
 {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
@@ -109,15 +110,9 @@ elastaconf:
     - group: 939
     - template: jinja
 
-so-elastalertimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elastalert:HH1.1.1
-
 so-elastalert:
   docker_container.running:
-    - require:
-      - so-elastalertimage
-    - image: docker.io/soshybridhunter/so-elastalert:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }}
     - hostname: elastalert
     - name: so-elastalert
     - user: elastalert
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 6036d5da8..aba6fd384 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -12,6 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}
 
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
@@ -104,15 +106,9 @@ eslogdir:
     - group: 939
     - makedirs: True
 
-so-elasticsearchimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elasticsearch:HH1.1.0
-
 so-elasticsearch:
   docker_container.running:
-    - require:
-      - so-elasticsearchimage
-    - image: docker.io/soshybridhunter/so-elasticsearch:HH1.1.0
+    - image: {{ MASTER }}/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
     - hostname: elasticsearch
     - name: so-elasticsearch
     - user: elasticsearch
@@ -146,91 +142,3 @@ so-elasticsearch-pipelines-file:
 so-elasticsearch-pipelines:
  cmd.run:
    - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
-
-# Tell the main cluster I am here
-#curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
-
-# See if Freqserver is enabled
-{% if freq == 1 %}
-
-# Create the user
-fservergroup:
-  group.present:
-    - name: freqserver
-    - gid: 935
-
-# Add ES user
-freqserver:
-  user.present:
-    - uid: 935
-    - gid: 935
-    - home: /opt/so/conf/freqserver
-    - createhome: False
-
-# Create the log directory
-freqlogdir:
-  file.directory:
-    - name: /opt/so/log/freq_server
-    - user: 935
-    - group: 935
-    - makedirs: True
-
-so-freqimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
-
-so-freq:
-  docker_container.running:
-    - require:
-      - so-freqimage
-    - image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
-    - hostname: freqserver
-    - name: so-freqserver
-    - user: freqserver
-    - binds:
-      - /opt/so/log/freq_server:/var/log/freq_server:rw
-
-
-{% endif %}
-
-{% if dstats == 1 %}
-
-# Create the group
-dstatsgroup:
-  group.present:
-    - name: domainstats
-    - gid: 936
-
-# Add user
-domainstats:
-  user.present:
-    - uid: 936
-    - gid: 936
-    - home: /opt/so/conf/domainstats
-    - createhome: False
-
-# Create the log directory
-dstatslogdir:
-  file.directory:
-    - name: /opt/so/log/domainstats
-    - user: 936
-    - group: 939
-    - makedirs: True
-
-so-domainstatsimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
-
-so-domainstats:
-  docker_container.running:
-    - require:
-      - so-domainstatsimage
-    - image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
-    - hostname: domainstats
-    - name: so-domainstats
-    - user: domainstats
-    - binds:
-      - /opt/so/log/domainstats:/var/log/domain_stats
-
-
-{% endif %}
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index fce1c6b38..e4b11ef3c 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set MASTER = grains['master'] %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 
 # Filebeat Setup
@@ -46,25 +47,9 @@ filebeatconfsync:
     - group: 0
     - template: jinja
 
-#filebeatcrt:
-#  file.managed:
-#    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-#    - source: salt://filebeat/files/filebeat.crt
-
-#filebeatkey:
-#  file.managed:
-#    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-#    - source: salt://filebeat/files/filebeat.key
-
-so-filebeatimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-filebeat:HH1.1.1
-
 so-filebeat:
   docker_container.running:
-    - require:
-      - so-filebeatimage
-    - image: docker.io/soshybridhunter/so-filebeat:HH1.1.1
+    - image: {{ MASTER }}/soshybridhunter/so-filebeat:HH{{ VERSION }}
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 917ee541e..1cf42a9a6 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -1,6 +1,8 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 
 # Fleet Setup
 fleetcdir:
@@ -59,15 +61,9 @@ fleetdbpriv:
     - user: fleetdbuser
     - host: 172.17.0.0/255.255.0.0
 
-so-fleetimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-fleet:HH1.1.3
-
 so-fleet:
   docker_container.running:
-    - require:
-      - so-fleetimage
-    - image: docker.io/soshybridhunter/so-fleet:HH1.1.3
+    - image: {{ MASTER }}/soshybridhunter/so-fleet:HH{{ VERSION }}
     - hostname: so-fleet
     - port_bindings:
       - 0.0.0.0:8080:8080
diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index 73b29b501..9bde4065f 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -1,4 +1,6 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 hiveconfdir:
   file.directory:
     - name: /opt/so/conf/hive/etc
@@ -53,15 +55,9 @@ hiveesdata:
     - user: 939
     - group: 939
 
-so-thehive-esimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-es:HH1.1.1
-
 so-thehive-es:
   docker_container.running:
-    - require:
-      - so-thehive-esimage
-    - image: docker.io/soshybridhunter/so-thehive-es:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }}
     - hostname: so-thehive-es
     - name: so-thehive-es
     - user: 939
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 9ec6f53f7..bba867c83 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # IDSTools Setup
 idstoolsdir:
   file.directory:
@@ -61,15 +62,9 @@ ruleslink:
     - name: /opt/so/saltstack/salt/suricata/rules
     - target: /opt/so/rules/nids
 
-so-idstoolsimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-idstools:HH1.1.0
-
 so-idstools:
   docker_container.running:
-    - require:
-      - so-idstoolsimage
-    - image: docker.io/soshybridhunter/so-idstools:HH1.1.0
+    - image: {{ MASTER }}/soshybridhunter/so-idstools:HH{{ VERSION }}
     - hostname: so-idstools
     - user: socore
     - binds:
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 0d6262600..840986ff3 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,4 +1,5 @@
-{% set master = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 
 # Add ES Group
 kibanasearchgroup:
@@ -52,25 +53,17 @@ synckibanacustom:
     - user: 932
     - group: 939
 
-# File.Recurse for custom saved dashboards
-
-so-kibanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-kibana:HH1.1.1
-
 # Start the kibana docker
 so-kibana:
   docker_container.running:
-    - require:
-      - so-kibanaimage
-    - image: docker.io/soshybridhunter/so-kibana:HH1.1.1
+    - image: {{ MASTER }}/soshybridhunter/so-kibana:HH{{ VERSION }}
     - hostname: kibana
     - user: kibana
     - environment:
       - KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
-      - ELASTICSEARCH_HOST={{ master }}
+      - ELASTICSEARCH_HOST={{ MASTER }}
       - ELASTICSEARCH_PORT=9200
-      - MASTER={{ master }}
+      - MASTER={{ MASTER }}
     - binds:
       - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
       - /opt/so/log/kibana:/var/log/kibana:rw
@@ -78,11 +71,3 @@ so-kibana:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
     - port_bindings:
       - 0.0.0.0:5601:5601
-
-# Keep the setting correct
-#KibanaHappy:
-#  cmd.script:
-#    - shell: /bin/bash
-#    - runas: socore
-#    - source: salt://kibana/bin/keepkibanahappy.sh
-#    - template: jinja
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index c2b80346f..88aac08d6 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # Logstash Section - Decide which pillar to use
 {% if grains['role'] == 'so-sensor' %}
 
@@ -152,16 +153,9 @@ lslogdir:
     - group: 939
     - makedirs: True
 
-# Add the container
-so-logstashimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.1
-
 so-logstash:
   docker_container.running:
-    - require:
-      - so-logstashimage
-    - image: docker.io/soshybridhunter/so-logstash:HH1.1.1
+    - image: {{ MASTER }}/soshybridhunter/so-logstash:HH{{ VERSION }}
     - hostname: so-logstash
     - name: so-logstash
     - user: logstash
diff --git a/salt/master/init.sls b/salt/master/init.sls
index 8bd4d3d3c..f6ad5d70a 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
 
 {% if masterproxy == 1 %}
@@ -55,16 +56,10 @@ acngcopyconf:
     - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
     - source: salt://master/files/acng/acng.conf
 
-so-acngimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-acng:HH1.1.0
-
 # Install the apt-cacher-ng container
 so-aptcacherng:
   docker_container.running:
-    - require:
-      - so-acngimage
-    - image: docker.io/soshybridhunter/so-acng:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }}
     - hostname: so-acng
     - port_bindings:
       - 0.0.0.0:3142:3142
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index a0136ae9b..b964d7d37 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,6 +1,8 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # MySQL Setup
 mysqlpkgs:
   pkg.installed:
@@ -48,15 +50,9 @@ mysqldatadir:
     - group: 939
     - makedirs: True
 
-so-mysqlimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-mysql:HH1.1.0
-
 so-mysql:
   docker_container.running:
-    - require:
-      - so-mysqlimage
-    - image: docker.io/soshybridhunter/so-mysql:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }}
     - hostname: so-mysql
     - user: socore
     - port_bindings:
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index a49dc00e3..f5a4e4924 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -12,7 +12,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # PCAP Section
 
 # Create the logstash group
@@ -94,15 +95,9 @@ stenolog:
     - group: 941
     - makedirs: True
 
-so-stenoimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-steno:HH1.1.3
-
 so-steno:
   docker_container.running:
-    - require:
-      - so-stenoimage
-    - image: docker.io/soshybridhunter/so-steno:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
     - network_mode: host
     - privileged: True
     - port_bindings:
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 770316ab9..6a129f84b 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -24,15 +24,9 @@ navigatorconfig:
     - makedirs: True
     - template: jinja
 
-so-playbookimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-playbook:HH1.1.3
-
 so-playbook:
   docker_container.running:
-    - require:
-      - so-playbookimage
-    - image: docker.io/soshybridhunter/so-playbook:HH1.1.3
+    - image: {{ MASTER }}/soshybridhunter/so-playbook:HH{{ VERSION }}
     - hostname: playbook
     - name: so-playbook
     - binds:
@@ -40,15 +34,9 @@ so-playbook:
     - port_bindings:
       - 0.0.0.0:3200:3000
 
-so-navigatorimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-navigator:HH1.1.1
-
 so-navigator:
   docker_container.running:
-    - require:
-      - so-navigatorimage
-    - image: docker.io/soshybridhunter/so-navigator:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }}
     - hostname: navigator
     - name: so-navigator
     - binds:
@@ -56,7 +44,7 @@ so-navigator:
       - /opt/so/conf/playbook/nav_layer_playbook.json:/nav-app/src/assets/playbook.json:ro
     - port_bindings:
       - 0.0.0.0:4200:4200
-        
+
 /usr/sbin/so-playbook-sync:
   cron.present:
     - identifier: so-playbook-sync
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 18178ce3b..690f2a7c9 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -13,6 +13,8 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 
 # Redis Setup
 redisconfdir:
@@ -44,15 +46,9 @@ redisconfsync:
     - group: 939
     - template: jinja
 
-so-redisimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-redis:HH1.1.0
-
 so-redis:
   docker_container.running:
-    - require:
-      - so-redisimage
-    - image: docker.io/soshybridhunter/so-redis:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }}
     - hostname: so-redis
     - user: socore
     - port_bindings:
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index 19fcd8b4a..8339c3ba2 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
 sensoronidir:
   file.directory:
     - name: /opt/so/conf/sensoroni
@@ -27,15 +30,9 @@ sensoronisync:
     - group: 939
     - template: jinja
 
-so-sensoroniimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-sensoroni:HH1.1.3
-
 so-sensoroni:
   docker_container.running:
-    - require:
-      - so-sensoroniimage
-    - image: docker.io/soshybridhunter/so-sensoroni:HH1.1.3
+    - image: {{ MASTER }}/soshybridhunter/so-sensoroni:HH{{ VERSION }}
     - hostname: sensoroni
     - name: so-sensoroni
     - binds:
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 578789a76..d03ed9f04 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
 soctopusdir:
   file.directory:
     - name: /opt/so/conf/soctopus
@@ -44,15 +47,9 @@ navigatordefaultlayer:
     - replace: False
     - template: jinja
 
-so-soctopusimage:
-  cmd.run:
-    - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-soctopus:HH1.1.3
-
 so-soctopus:
   docker_container.running:
-    - require:
-      - so-soctopusimage
-    - image: docker.io/soshybridhunter/so-soctopus:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }}
     - hostname: soctopus
     - name: so-soctopus
     - binds:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a30010d5e..cf821ac47 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -14,7 +14,9 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set BROVER = salt['pillar.get']('static:broversion', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 
 # Suricata
 
@@ -70,15 +72,9 @@ suriconfigsync:
     - group: 940
     - template: jinja
 
-so-suricataimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
-
 so-suricata:
   docker_container.running:
-    - require:
-      - so-suricataimage
-    - image: docker.io/soshybridhunter/so-suricata:HH1.1.1
+    - image: {{ MASTER }}/soshybridhunter/so-suricata:HH{{ VERSION }}
     - privileged: True
     - environment:
       - INTERFACE={{ interface }}
diff --git a/salt/syslog-ng/files/patterndb.xml b/salt/syslog-ng/files/patterndb.xml
deleted file mode 100644
index a1b3cdad4..000000000
--- a/salt/syslog-ng/files/patterndb.xml
+++ /dev/null
@@ -1,2333 +0,0 @@
-<patterndb version='3' pub_date='2009-11-04'>
-	<ruleset name="FWSM" id='2'>
-		<pattern>%FWSM</pattern>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
-					<pattern>Deny @ESTRING:: @@ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@</pattern>
-					<pattern>Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%FWSM-3-106010">Deny inbound tcp src OUTSIDE:2.116.180.66/3116 dst INSIDE:10.0.0.0/445</test_message>
-						<test_values>
-							<test_value name="i0">tcp</test_value>
-							<test_value name="s0">OUTSIDE</test_value>
-							<test_value name="i1">2.116.180.66</test_value>
-							<test_value name="i2">3116</test_value>
-							<test_value name="s1">INSIDE</test_value>
-							<test_value name="i3">10.0.0.0</test_value>
-							<test_value name="i4">445</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='3' id='3'>
-				<patterns>
-					<pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
-				</patterns>
-			</rule>
-			<rule provider="ELSA" class='7' id='7'>
-				<patterns>
-					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@</pattern>
-					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@</pattern>
-					<pattern>Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface </pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%FWSM-5-304001">192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_message>
-						<test_values>
-							<test_value name="i0">192.168.1.1</test_value>
-							<test_value name="i1">10.0.0.0</test_value>
-							<test_value name="s1">www.example.com</test_value>
-							<test_value name="s2">wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="%FWSM-5-304002">Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside</test_message>
-							<test_values>
-								<test_value name="s1">www.example.com</test_value>
-								<test_value name="s2">feedout/content</test_value>
-								<test_value name="i0">192.168.1.1</test_value>
-								<test_value name="i1">72.246.55.49</test_value>
-							</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='36' id='36'>
-				<patterns>
-					<pattern>Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%FWSM-4-113019">Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service</test_message>
-						<test_value name="i0">10.245.102.86</test_value>
-						<test_value name="s0">Produccion</test_value>
-						<test_value name="s1">pepe</test_value>
-					</example>
-					<example>
-						<test_message program="%FWSM-4-113019">Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested</test_message>
-						<test_value name="i0">10.229.201.171</test_value>
-						<test_value name="s0">Acceso</test_value>
-						<test_value name="s1">juan</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="ASA" id='2_ASA'>
-		<pattern>%ASA</pattern>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>Inbound @ESTRING:i0: @connection denied from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@</pattern>
-					<pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
-					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @</pattern>
-					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@ESTRING::/@@NUMBER:i4:@ by access-group @ESTRING:s2: @</pattern>
-					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@ESTRING::/@@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @</pattern>
-					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@ dst @ESTRING:s1::@@IPv4:i3:@ (type @NUMBER::@, code @NUMBER::@) by access-group @ESTRING:s2: @</pattern>
-					<pattern>Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@</pattern>
-					<pattern>Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:s0:-@@ESTRING:i1:-@@ESTRING::/@@ESTRING:i2: @to @ESTRING:s1:-@@ESTRING:i3:-@@ESTRING::/@@ESTRING:i4: @</pattern>
-					<pattern>Deny inbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
-					<pattern>Deny outbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
-					<pattern>Deny IP spoof @ESTRING::to @@ESTRING:i3: @on interface @ANYSTRING:s0:@</pattern>
-					<pattern>Deny inbound @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @</pattern>
-					<pattern>Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@</pattern>
-					<pattern>Deny IP from @ESTRING:i1: @to @ESTRING:i3: @</pattern>
-					<pattern>@ESTRING:i0: @access discarded from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@</pattern>
-				</patterns>
-			</rule>
-			<rule provider="ELSA" class='3' id='3'>
-				<patterns>
-					<pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
-					<pattern>access-list @ESTRING:: @permitted @ESTRING:i0: @@ESTRING:s0:/@@ESTRING:i1:(@@NUMBER:i2:@) -&gt; @ESTRING:s1:/@@ESTRING:i3:(@@NUMBER:i4:@) hit-cnt @NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:i0: @access permitted from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%ASA-7-106100">access-list access_out permitted tcp INSIDE/10.221.221.21(52427) -&gt; OUTSIDE/10.222.222.22(80) hit-cnt 1 first hit [0x487d4278, 0x0]</test_message>
-						<test_value name="i0">tcp</test_value>
-						<test_value name="i1">10.221.221.21</test_value>
-						<test_value name="i2">52427</test_value>
-						<test_value name="i3">10.222.222.22</test_value>
-						<test_value name="i4">80</test_value>
-						<test_value name="i5">1</test_value>
-						<test_value name="s0">INSIDE</test_value>
-						<test_value name="s1">OUTSIDE</test_value>
-					</example>
-					<example>
-						<test_message program="%ASA-6-302013">Built inbound TCP connection 740617324 for inside:10.21.21.221/4087 (10.21.21.221/4087) to CWWAN:172.17.6.80/8192 (172.17.6.80/8192)</test_message>
-						<test_value name="i0">tcp</test_value>
-						<test_value name="i1">10.221.221.21</test_value>
-						<test_value name="i2">4087</test_value>
-						<test_value name="i3">172.17.6.80</test_value>
-						<test_value name="i4">8192</test_value>
-						<test_value name="s0">INSIDE</test_value>
-						<test_value name="s1">OUTSIDE</test_value>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='7' id='7'>
-				<patterns>
-					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@</pattern>
-					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@</pattern>
-					<pattern>Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface </pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%ASA-5-304001">192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_message>
-						<test_values>
-							<test_value name="i0">192.168.1.1</test_value>
-							<test_value name="i1">10.0.0.0</test_value>
-							<test_value name="s1">www.example.com</test_value>
-							<test_value name="s2">wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="%ASA-5-304002">Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside</test_message>
-							<test_values>
-								<test_value name="s1">www.example.com</test_value>
-								<test_value name="s2">feedout/content</test_value>
-								<test_value name="i0">192.168.1.1</test_value>
-								<test_value name="i1">72.246.55.49</test_value>
-							</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='36' id='36'>
-				<patterns>
-					<pattern>Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%ASA-4-113019">Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service</test_message>
-						<test_value name="i0">10.245.102.86</test_value>
-						<test_value name="s0">Produccion</test_value>
-						<test_value name="s1">pepe</test_value>
-					</example>
-					<example>
-						<test_message program="%ASA-4-113019">Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested</test_message>
-						<test_value name="i0">10.229.201.171</test_value>
-						<test_value name="s0">Acceso</test_value>
-						<test_value name="s1">juan</test_value>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='38' id='38'>
-				<patterns>
-					<pattern>FTP connection from @ESTRING:s0::@@ESTRING:i0:/@@NUMBER:i1:@ to @ESTRING:s1::@@ESTRING:i2:/@@NUMBER:i3:@, user @ESTRING:s2: @@ESTRING:s3: @@ANYSTRING:s4:@</pattern>
-				</patterns>
-			</rule>
-			<rule provider="ELSA" class='39' id='39'>
-				<patterns>
-					<pattern>Cleared @ESTRING:i0: @urgent flag from @ESTRING:s0::@@ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s1::@@ESTRING:i3:/@@NUMBER:i4:@</pattern>
-					<pattern>regular translation creation failed for @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @(type @NUMBER:i2:@, code @NUMBER:i4:@</pattern>
-				</patterns>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="PIX" id='2_PIX'>
-		<pattern>%PIX</pattern>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
-					<pattern>Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@</pattern>
-				</patterns>
-			</rule>
-			<rule provider="ELSA" class='3' id='3'>
-				<patterns>
-					<pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%PIX-6-302014">Teardown TCP connection 2050472353 for outside:10.65.200.34/1252 to inside:10.0.0.0/135 duration 0:00:00 bytes 1476 TCP FINs</test_message>
-						<test_values>
-							<test_value name="i0">TCP</test_value>
-							<test_value name="s0">outside</test_value>
-							<test_value name="i1">10.65.200.34</test_value>
-							<test_value name="i2">1252</test_value>
-							<test_value name="s1">inside</test_value>
-							<test_value name="i3">10.0.0.0</test_value>
-							<test_value name="i4">135</test_value>
-							<test_value name="s2">0:00:00</test_value>
-							<test_value name="i5">1476</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='36' id='36'>
-				<patterns>
-					<pattern>Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%PIX-4-113019">Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service</test_message>
-						<test_value name="i0">10.245.102.86</test_value>
-						<test_value name="s0">Produccion</test_value>
-						<test_value name="s1">pepe</test_value>
-					</example>
-					<example>
-						<test_message program="%PIX-4-113019">Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested</test_message>
-						<test_value name="i0">10.229.201.171</test_value>
-						<test_value name="s0">Acceso</test_value>
-						<test_value name="s1">juan</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Cisco IOS XE Translations" id='3'>
-		<pattern>%IOSXE-6-PLATFORM</pattern>
-		<rules>
-			<rule provider="ELSA" class='3' id='3'>
-				<patterns>
-					<pattern>@ESTRING::%NAT-6-LOG_TRANSLATION: Created Translation @@ESTRING:i0: @@IPv4:i1:@:@NUMBER:i2:@ @IPv4::@:@NUMBER::@ @IPv4::@:@NUMBER::@ @IPv4:i3:@:@NUMBER:i4:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%IOSXE-6-PLATFORM">F0: cpp_cp: QFP:0.0 Thread:031 TS:00000428205839105179 %NAT-6-LOG_TRANSLATION: Created Translation TCP 1.1.1.1:4227 1.1.1.1:1043 2.2.2.2:80 2.2.2.2:80 0</test_message>
-						<test_values>
-							<test_value name="i0">TCP</test_value>
-							<test_value name="i1">1.1.1.1</test_value>
-							<test_value name="i2">4227</test_value>
-							<test_value name="i3">2.2.2.2</test_value>
-							<test_value name="i4">80</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Cisco IOS XE Denies" id='2'>
-		<pattern>%SEC-6-IPACCESSLOGS</pattern>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>list @ESTRING::denied @@IPv4:i3:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%SEC-6-IPACCESSLOGS">list REMOTE-MGMT denied 1.1.1.1 1 packet [0x7EAD30FB]</test_message>
-						<test_values>
-							<test_value name="i3">1.1.1.1</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Cisco IOS XE Denies" id='2'>
-		<pattern>%FMANFP-6-IPACCESSLOGP</pattern>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>F@ESTRING::denied @@ESTRING:i0: @@IPv4:i1:@(@NUMBER:i2:@) -&gt; @IPv4:i3:@(@NUMBER:i4:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%FMANFP-6-IPACCESSLOGP">F0: fman_fp_image: list IPV4-INTERNET-OUTBOUND denied udp 1.1.1.1(49610) -&gt; 2.2.2.2(53), 1 packet</test_message>
-						<test_values>
-							<test_value name="i0">udp</test_value>
-							<test_value name="i1">1.1.1.1</test_value>
-							<test_value name="i2">49610</test_value>
-							<test_value name="i3">2.2.2.2</test_value>
-							<test_value name="i4">53</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Cisco IOS XE Denies" id='2'>
-		<pattern>%FMANFP-6-IPV6ACCESSLOGP</pattern>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>F@ESTRING::denied @@ESTRING:i0: @@ESTRING:s0:(@@NUMBER:i2:@) -&gt; @ESTRING:s1:(@@NUMBER:i4:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="%FMANFP-6-IPV6ACCESSLOGP">F0: fman_fp_image: list IPV6-INTERNET-INBOUND denied udp ffe:4e0::(38346) -&gt; ffe:4e0::(40322), 1 packet</test_message>
-						<test_values>
-							<test_value name="i0">udp</test_value>
-							<test_value name="s0">ffe:4e0::</test_value>
-							<test_value name="i2">38346</test_value>
-							<test_value name="s1">ffe:4e0::</test_value>
-							<test_value name="i4">40322</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Windows_Snare" id='4'>
-		<pattern>MSWinEventLog</pattern>
-		<pattern>Application</pattern>
-		<pattern>Security</pattern>
-		<pattern>System</pattern>
-		<rules>
-			<rule provider="ELSA" class='4' id='4'>
-				<patterns>
-					<pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING::Account Name@:  @ESTRING:s1: @@ESTRING::Account Domain@:  @ESTRING:s2: @</pattern>
-					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@	@ESTRING:i0:	@@ESTRING:s0:	@@ESTRING:s1:	@@ESTRING:s2:	@@ESTRING:s3:	@@ESTRING:s4:	@@ESTRING:s5:	@@ESTRING::	@@ESTRING::	@</pattern>
-					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@|Logon Failure:@ESTRING::	@Reason:		@ESTRING:s2:	@User Name:	@ESTRING:s1: @</pattern>
-					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@</pattern>
-					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING@</pattern>
-				</patterns>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Windows_evtsys" id='4'>
-		<pattern>Application</pattern>
-		<pattern>Security</pattern>
-		<pattern>System</pattern>
-		<rules>
-			<rule provider="ELSA" class='4' id='4'>
-				<patterns>
-					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@ </pattern>
-					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@</pattern>
-					<pattern>@NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access</pattern>
-					<pattern>@NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@</pattern>
-					<pattern>@NUMBER:i0:@: @ESTRING:s0::@</pattern>
-					<pattern>@NUMBER:i0:@: @ANYSTRING::@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="Service_Control_Manager">7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
-						<test_values>
-							<test_value name="i0">7035</test_value>
-							<test_value name="s0">NT AUTHORITYSYSTEM</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
-						<test_value name="i0">1202</test_value>
-						<test_value name="s0">Security policies were propagated with warning. 0x4b8 </test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Windows_evtsys" id='4'>
-		<!-- no program pattern -->
-		<rules>
-			<rule provider="ELSA" class='4' id='4'>
-				<patterns>
-					<pattern>@NUMBER:i0:@: @ESTRING::Account Name@@ESTRING::Account Name@:  @ESTRING:s1: @@ESTRING::Account Domain@:  @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@</pattern>
-					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@ </pattern>
-					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@</pattern>
-					<pattern>@NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access</pattern>
-					<pattern>@NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@</pattern>
-					<pattern>@NUMBER:i0:@: @ESTRING:s0::@</pattern>
-					<pattern>@NUMBER:i0:@: @ANYSTRING::@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="security-auditing">4624: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  MYDOMAIN-DC-1$  Account Domain:  MYDOMAIN  Logon ID:  0x3e7  Logon Type:   3  New Logon:  Security ID:  S-1-5-21-3113823999-9998615402-9997257512-9966  Account Name:  myuser  Account Domain:  MYDOMAIN  Logon ID:  0x2339f787  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1e8  Process Name:  C:\\Windows\\System32\\lsass.exe  Network Information:  Workstation Name: MYDOMAIN-DC-1  Source Network Address: 172.24.248.117  Source Port:  54265  Detailed Authentication Information:  Logon Process:  Advapi    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.</test_message>
-						<test_values>
-							<test_value name="i0">4624</test_value>
-							<test_value name="s1">myuser</test_value>
-							<test_value name="s2">MYDOMAIN</test_value>
-							<test_value name="i1">172.24.248.117</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="Service_Control_Manager">7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
-						<test_values>
-							<test_value name="i0">7035</test_value>
-							<test_value name="s0">NT AUTHORITYSYSTEM</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
-						<test_value name="i0">1202</test_value>
-						<test_value name="s0">Security policies were propagated with warning. 0x4b8 </test_value>
-					</example>
-					<example>
-						<test_message program="security-auditing">5140: A network share object was accessed. Subject: Security ID: S-1-5-18 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x3e7 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 49206 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)</test_message>
-						<test_value name="i0">5140</test_value>
-						<test_value name="s1">MYUSER</test_value>
-						<test_value name="s2">MYDOMAIN</test_value>
-						<test_value name="i1">192.168.148.5</test_value>
-						<test_value name="s3">\\*\ADMIN$</test_value>
-						<test_value name="s4">\??\C:\Windows</test_value>
-					</example>
-					<example>
-						<test_message program="security-auditing">5140: A network share object was accessed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1e05bb9b Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 65518 Share Information: Share Name: \\\\*\\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)</test_message>
-						<test_value name="i0">5140</test_value>
-						<test_value name="s1">ANONYMOUS LOGON</test_value>
-						<test_value name="s2">NT AUTHORITY</test_value>
-						<test_value name="i1">192.168.148.5</test_value>
-						<test_value name="s3">\\\\*\\IPC$</test_value>
-					</example>
-					<example>
-						<test_message program="security-auditing">5145: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-518783779-1162290680-929701000-2097 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x19789189 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 4235 Share Information: Share Name: \\*\SHARE_NAME Share Path: \??\C:\SHARE_PATH Relative Target Name: MYFILE Access Request Information: Access Mask: 0x80 Accesses: ReadAttributes Access Check Results: ReadAttributes: Granted by D:(A;;FA;;;WD)</test_message>
-						<test_value name="i0">5145</test_value>
-						<test_value name="s1">MYUSER</test_value>
-						<test_value name="s2">MYDOMAIN</test_value>
-						<test_value name="i1">192.168.148.5</test_value>
-						<test_value name="s3">\\*\SHARE_NAME</test_value>
-						<test_value name="s4">\??\C:\SHARE_PATH</test_value>
-						<test_value name="s5">MYFILE</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Windows_dhcp" id='4_dhcp'>
-		<pattern>GenericLog</pattern>
-		<rules>
-			<rule provider="ELSA" class='4' id='4'>
-				<patterns>
-					<pattern>@NUMBER::@,@ANYSTRING::@</pattern>
-					<values>
-						<value name="i0">0</value>
-						<value name="s0">dhcplog</value>
-						<value name="PROGRAM">dhcplog</value>
-					</values>
-					<!--<pattern>@NUMBER:i0:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:,@</pattern>
-					<pattern>@NUMBER:i0:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:,@@ESTRING:s5:,@</pattern>-->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="GenericLog">30,11/16/10,12:25:04,DNS Update Request,x.x.x.x,hostname,,</test_message>
-						<test_value name="i0">0</test_value>
-						<test_value name="s0">dhcplog</test_value>
-						<test_value name="PROGRAM">dhcplog</test_value>
-					</example>
-					<example>
-						<test_message program="GenericLog">11,11/16/10,12:25:04,Renew,x.x.x.x,hostname,macaddr,</test_message>
-						<test_value name="i0">0</test_value>
-						<test_value name="s0">dhcplog</test_value>
-						<test_value name="PROGRAM">dhcplog</test_value>
-					</example>
-				</examples>
-				<tags>
-					<tag>4</tag>
-				</tags>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Adiscon" id="4_adiscon">
-		<rules>
-			<rule provider="ELSA" class='4' id='4'>
-				<pattern>@ESTRING::Event ID@: @NUMBER:i0:@ &lt;Data Name='TargetUserName'&gt;@ESTRING:s0:&lt;@</pattern>
-				<pattern>@ESTRING::Event ID@: @NUMBER:i0:@</pattern>
-				<examples>
-					<example>
-						<test_message program="">Mar  9 22:35:10 IU-MSSG-ADSDC01.domain Event ID: 5157 &lt;Data Name='ProcessID'&gt;180&lt;/Data&gt;&lt;Data Name='Application'&gt;\device\harddiskvolume2\windows\system32\svchost.exe&lt;/Data&gt;&lt;Data Name='Direction'&gt;%14592&lt;/Data&gt;&lt;Data Name='SourceAddress'&gt;10.68.239.128&lt;/Data&gt;&lt;Data Name='SourcePort'&gt;500&lt;/Data&gt;&lt;Data Name='DestAddress'&gt;10.166.175.52&lt;/Data&gt;&lt;Data Name='DestPort'&gt;500&lt;/Data&gt;&lt;Data Name='Protocol'&gt;17&lt;/Data&gt;&lt;Data Name='FilterRTID'&gt;73486&lt;/Data&gt;&lt;Data Name='LayerName'&gt;%14610&lt;/Data&gt;&lt;Data Name='LayerRTID'&gt;44&lt;/Data&gt;&lt;Data Name='RemoteUserID'&gt;S-1-0-0&lt;/Data&gt;&lt;Data Name='RemoteMachineID'&gt;S-1-0-0&lt;/Data&gt;</test_message>
-						<test_value name="i0">5157</test_value>
-					</example>
-					<example>
-						<test_message program="">Mar  9 22:35:10 IU-MSSG-ADSDC04.domain Event ID: 4769 &lt;Data Name='TargetUserName'&gt;user@domain&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;domain&lt;/Data&gt;&lt;Data Name='ServiceName'&gt;IU-MSSG-ADSDC04$&lt;/Data&gt;&lt;Data Name='ServiceSid'&gt;S-1-5-21-1085031214-1292428093-527237240-496356&lt;/Data&gt;&lt;Data Name='TicketOptions'&gt;0x40810000&lt;/Data&gt;&lt;Data Name='TicketEncryptionType'&gt;0x12&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;::ffff:10.160.118.87&lt;/Data&gt;&lt;Data Name='IpPort'&gt;54144&lt;/Data&gt;&lt;Data Name='Status'&gt;0x0&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{CD66EF59-4404-F056-C1CC-5E12BE6B978E}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;-&lt;/Data&gt;</test_message>
-						<test_value name="i0">4769</test_value>
-						<test_value name="s0">user@domain</test_value>
-					</example>
-						
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="url" id='7'>
-		<pattern>url</pattern>
-		<rules>
-			<rule provider="ELSA" class='7' id='7'>
-				<patterns>
-					<!--<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s5:,@@ESTRING:s2:,@@ESTRING:s3:,@@STRING:s4: :/;,.-()@</pattern>-->
-					<!--<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@STRING:s5:,.-@</pattern>-->
-					<!-- httpry_logger.pl -->
-					<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@</pattern>
-					<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@</pattern>
-					<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@</pattern>
-					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@NUMBER:i5@</pattern>
-					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@</pattern>
-					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@</pattern>
-					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|</pattern>
-					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@</pattern>
-					<!-- suricata -->
-					<pattern>@ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@IPv4:i0:@:@NUMBER:i1:@ -> @IPv4:i2:@:@NUMBER:i3:@</pattern>
-					<!-- suricata extended -->
-					<pattern>@ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@ESTRING:s3: [**] @@ESTRING:s0: [**] @@ESTRING:: [**] @@ESTRING:i2: [**] @@NUMBER:i3:@ bytes [**] @IPv4:i0:@:@NUMBER:i4:@ -> @IPv4:i1:@:@NUMBER:i5:@</pattern>
-					<!--Common Log Format-->
-					<pattern>@IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@</pattern>
-					<!--%{HOST} + Common Log Format-->
-					<pattern>@ESTRING:s1: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="url">192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200|46142|8583</test_message>
-						<test_values>
-							<test_value name="i0">192.168.1.1</test_value>
-							<test_value name="i1">10.0.0.0</test_value>
-							<test_value name="s0">GET</test_value>
-							<test_value name="s1">ajax.googleapis.com</test_value>
-							<test_value name="s2">/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js</test_value>
-							<test_value name="s3">http://slickdeals.net/</test_value>
-							<test_value name="s4">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</test_value>
-							<test_value name="s5">,com,googleapis.com,ajax.googleapis.com</test_value>
-							<test_value name="i2">200</test_value>
-							<test_value name="i3">46142</test_value>
-							<test_value name="i4">8583</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="url">192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||8583</test_message>
-						<test_values>
-							<test_value name="i0">192.168.1.1</test_value>
-							<test_value name="i1">10.0.0.0</test_value>
-							<test_value name="s0">GET</test_value>
-							<test_value name="s1">ajax.googleapis.com</test_value>
-							<test_value name="s2">/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js</test_value>
-							<test_value name="s3">http://slickdeals.net/</test_value>
-							<test_value name="s4">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</test_value>
-							<test_value name="s5">,com,googleapis.com,ajax.googleapis.com</test_value>
-							<test_value name="i2">200</test_value>
-							<test_value name="i3"></test_value>
-							<test_value name="i4">8583</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="url">192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||</test_message>
-						<test_values>
-							<test_value name="i0">192.168.1.1</test_value>
-							<test_value name="i1">10.0.0.0</test_value>
-							<test_value name="s0">GET</test_value>
-							<test_value name="s1">ajax.googleapis.com</test_value>
-							<test_value name="s2">/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js</test_value>
-							<test_value name="s3">http://slickdeals.net/</test_value>
-							<test_value name="s4">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</test_value>
-							<test_value name="s5">,com,googleapis.com,ajax.googleapis.com</test_value>
-							<test_value name="i2">200</test_value>
-							<test_value name="i3"></test_value>
-							<test_value name="i4"></test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="url">127.0.0.1 - - [09/Dec/2012:23:20:27 -0600] "HEAD / HTTP/1.1" 200 334 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11"</test_message>
-						<test_values>
-							<test_value name="i0">127.0.0.1</test_value>
-							<test_value name="s0">HEAD</test_value>
-							<test_value name="s2">/</test_value>
-							<test_value name="s3">-</test_value>
-							<test_value name="s4">Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11</test_value>
-							<test_value name="s5">-</test_value>
-							<test_value name="i2">200</test_value>
-							<test_value name="i3">334</test_value>
-						</test_values>
-					</example>
-					</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="snort" id='8'>
-		<pattern>snort</pattern>
-		<rules>
-			<rule provider="ELSA" class='8' id='8'>
-				<patterns>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<!--<pattern>@QSTRING:s0:[]@@QSTRING:s1: @[Classification:@QSTRING:s2: ]@ [Priority@QSTRING:i0: ]@: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>-->
-				</patterns>
-				<example>
-					<test_message program="snort">[1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.0.0.0</test_message>
-					<test_value name="s0">1:485:5</test_value>
-					<test_value name="s1">ICMP Destination Unreachable Communication Administratively Prohibited </test_value>
-					<test_value name="s2">Misc activity</test_value>
-					<test_value name="i0">3</test_value>
-					<test_value name="i1">ICMP</test_value>
-					<test_value name="i2">192.168.1.1</test_value>
-					<test_value name="i4">10.0.0.0</test_value>
-				</example>
-			</rule>
-			<rule provider="Laurel" class='8' id='8'>
-				<!-- Rules for logs with interface included -->
-				<patterns>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1: [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
-					<pattern>@QSTRING:s0:[]@@QSTRING:s1: @[Classification:@QSTRING:s2: ]@ [Priority@QSTRING:i0: ]@: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-				</patterns>
-				<example>
-					<test_message program="snort">[1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [Classification: Potentially Bad Traffic] [Priority: 2]: &lt;eth1&gt; {TCP} 192.168.193.245:38472 -> 192.168.193.1:5432</test_message>
-					<test_value name="s0">1:2010939:2</test_value>
-					<test_value name="s1">ET POLICY Suspicious inbound to PostgreSQL port 5432 </test_value>
-					<test_value name="s2">Potentially Bad Traffic</test_value>
-					<test_value name="s3">eth1</test_value>
-					<test_value name="i0">2</test_value>
-					<test_value name="i1">TCP</test_value>
-					<test_value name="i2">192.168.193.245</test_value>
-					<test_value name="i3">38472</test_value>
-					<test_value name="i4">192.168.193.1</test_value>
-					<test_value name="i5">5432</test_value>
-				</example>
-			</rule>
-			<rule provider="A Ratcliffe" class='8' id='8'>
-				<patterns>
-					<!-- via Sagan which has an extra colon in it-->
-					<pattern>@QSTRING:s0:[]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<!-- via Sagan with extra text -->
-					<pattern>@QSTRING:s0:[]@ [@ESTRING::]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-				</patterns>
-			</rule>
-			<rule class='8' id='8'>
-				<!--via barnyard2 using config to include year with date extracted-->
-				<patterns>
-					<pattern>@NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
-				</patterns>	
-				<values>
-					<value name="pdb_extracted_timestamp">20$pdb_extracted_shortyear-$pdb_extracted_month-$pdb_extracted_day $pdb_extracted_hour:$pdb_extracted_minute:$pdb_extracted_second</value>
-				</values>
-			</rule>
-			<rule provider="C Martinez" class='8' id='8'>
-				<!-- Patterns for forwarded messages from fast.log which contain [**]-->
-				<patterns>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt;@IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -&gt;@IPv4:i4:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt;@IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -&gt;@IPv4:i4:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@-&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
-					<pattern>@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
-					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] {@@ESTRING:i1:}@@IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
-				</patterns>
-			</rule>
-		</rules>
-	</ruleset>
-	<!--<ruleset>
-		<rules>
-			<rule class="10" id="10" context-id="ironport-icid" context-timeout="10" context-scope="program">
-				<patterns>
-					<pattern>Info: New SMTP ICID @NUMBER:icid:@ interface @ESTRING:interface_name: @(@IPv4:interface_ip:@) address @IPv4:sender_ip:@ reverse dns host @ESTRING:sender_dns: @verified yes</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="ironport_mail_logs">Info: New SMTP ICID 696117306 interface InternalNet (192.168.1.1) address 192.168.1.1 reverse dns host hostname verified yes</test_message>
-						<test_value name="icid">696117306</test_value>
-						<test_value name="interface_name">InternalNet</test_value>
-						<test_value name="interface_ip">192.168.1.1</test_value>
-						<test_value name="sender_ip">192.168.1.1</test_value>
-						<test_value name="sender_dns">hostname</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>-->
-	<ruleset name="ssh">
-		<pattern>sshd</pattern>
-		<rules>
-			<rule class="11" id="11">
-				<patterns>
-					<!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
-					<pattern>Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
-				</patterns>
-			</rule>
-			<rule class="12" id="12">
-				<patterns>
-					<!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
-					<pattern>Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
-					<pattern>Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
-					<pattern>Failed @ESTRING:s0: @for illegal user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
-				</patterns>
-			</rule>
-			<rule class="13" id="13">
-				<patterns>
-					<!-- s0=usracct.username -->
-					<pattern>pam_unix(sshd:session): session closed for user @ANYSTRING:s0:@</pattern>
-					<pattern>session closed for user @ANYSTRING:s0:@</pattern>
-				</patterns>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_dns</pattern>
-		<rules>
-			<rule class="14" id="14">
-				<patterns>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_dns">1318443095.831281|0L5Ro2iPit1|10.0.0.0|23657|69.22.154.225|53|udp|31608|e2932.c.akamaiedge.net|1|C_INTERNET|1|A|0|NOERROR|F|T|F|F|F|1|20.000000|23.0.124.9</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.0.0.0</test_value>
-						<!-- srcport -->
-						<test_value name="i1">23657</test_value>
-						<!-- dstip -->
-						<test_value name="i2">69.22.154.225</test_value>
-						<!-- dstport -->
-						<test_value name="i3">53</test_value>
-						<!-- proto -->
-						<test_value name="i4">udp</test_value>
-						<!-- hostname -->
-						<test_value name="s0">e2932.c.akamaiedge.net</test_value>
-						<!-- answer -->
-						<test_value name="s1">23.0.124.9</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_notice</pattern>
-		<rules>
-			<rule class="41" id="Bro file transfer via bro_notice">
-				<patterns>
-					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING::|@@IPv4::@|@IPv4::@|@NUMBER::@|@ANYSTRING::@</pattern>
-					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@</pattern>
-				</patterns>
-				<values>
-					<value name="s2">/$s2</value>
-				</values>
-			</rule>
-			<rule class='15' id='15'>
-				<patterns>
-					<pattern description="bro-2.2">@ESTRING::|@@ESTRING::|@@IPv4:i0@|@NUMBER:i1@|@IPv4:i2@|@NUMBER:i3@|@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:@|@IPv4:@|@NUMBER:@|@ANYSTRING::@</pattern>
-					<pattern description="bro-2.2">@ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@-|-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|@NUMBER:i3@|@ANYSTRING::@</pattern>
-					<pattern description="bro-2.2">@ESTRING::|@-|-|@ESTRING:i1:|@-|@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|@IPv4:i2@|-|-|@ANYSTRING::@</pattern>
-					<pattern description="bro-2.2">@ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|-|-|@ANYSTRING::@</pattern>
-					<pattern description="bro-2.2">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@-|-|-|-|@ANYSTRING::@</pattern>
-					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@</pattern>
-					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@udp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@</pattern>
-					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@icmp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@</pattern>
-					<pattern description="bro-2.1">@ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|-|-|-|-@ANYSTRING::@</pattern>
-					<pattern description="bro-2.1">@ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|@IPv4:i0:@|@ANYSTRING::@</pattern>
-				</patterns>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern description='bro-2.2'>bro_files</pattern>
-		<rules>
-			<rule class='54' id='54'>
-				<patterns>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@</pattern>
-				</patterns>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_smtp</pattern>
-		<rules>
-			<rule class="16" id="16">
-				<patterns>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_smtp">1320612601.697404|SFiDYDwOSl8|10.0.0.0|45765|66.94.25.228|25|@woMgeVXDE|server.example.com|&lt;prvs=284e51a33=user@domain.com&gt;|&lt;user@example.com&gt;|Sun, 6 Nov 2011 14:50:00 -0600|"user" &lt;user@domain.com&gt;|"'user@example.com'" &lt;user@example.com&gt;|-|&lt;F3AC33A1A5033546890246040DCA32E303CDF29D5FE6@mailserver.domain.com&gt;|&lt;user@example.com&gt;|RE: some subject|-|from mailserver.domain.com ([10.0.0.0]) with mapi; Sun, 6 Nov 2011 14:50:01 -0600|from mailserver.domain.com ([10.0.0.0]) by mailserver.domain.com with ESMTP/TLS/RC4-MD5; 06 Nov 2011 14:50:01 -0600|250 2.0.0 10wk4g5v6k-1 Message accepted for delivery|192.168.1.1,10.0.0.0|-|F</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.0.0.0</test_value>
-						<!-- srcport -->
-						<test_value name="i1">45765</test_value>
-						<!-- dstip -->
-						<test_value name="i2">66.94.25.228</test_value>
-						<!-- dstport -->
-						<test_value name="i3">25</test_value>
-						<!-- server -->
-						<test_value name="s0">server.example.com</test_value>
-						<!-- from -->
-						<test_value name="s1">"user" &lt;user@domain.com&gt;</test_value>
-						<!-- to -->
-						<test_value name="s2">"'user@example.com'" &lt;user@example.com&gt;</test_value>
-						<!-- subject -->
-						<test_value name="s3">RE: some subject</test_value>
-						<!-- last_reply -->
-						<test_value name="s4">250 2.0.0 10wk4g5v6k-1 Message accepted for delivery</test_value>
-						<!-- path -->
-						<test_value name="s5">192.168.1.1,10.0.0.0</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_smtp_entities</pattern>
-		<rules>
-			<rule class="17" id="17">
-				<patterns>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_smtp_entities">1320613389.303478|zQQiHb1x3fj|216.33.127.82|37295|10.0.0.0|25|@VqmVdbY2Mm3|CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf|54399|application/pdf|-|-|-</test_message>
-						<!-- srcip -->
-						<test_value name="i0">216.33.127.82</test_value>
-						<!-- srcport -->
-						<test_value name="i1">37295</test_value>
-						<!-- dstip -->
-						<test_value name="i2">10.0.0.0</test_value>
-						<!-- dstport -->
-						<test_value name="i3">25</test_value>
-						<!-- filename -->
-						<test_value name="s0">CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf</test_value>
-						<!-- content_len -->
-						<test_value name="i4">54399</test_value>
-						<!-- mime_type -->
-						<test_value name="s1">application/pdf</test_value>
-						<!-- md5 -->
-						<test_value name="s2">-</test_value>
-						<!-- extraction_file -->
-						<test_value name="s3">-</test_value>
-						<!-- excerpt -->
-						<test_value name="s4">-</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_ssl</pattern>
-		<rules>
-			<rule class="18" id="18">
-				<patterns>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING::|@@ESTRING:i4:|@@ANYSTRING::@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_ssl">1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|443|TLSv10|TLS_RSA_WITH_RC4_128_MD5|-|48eacd8fda1a4f48188288ce09ba84d93b8b40aaafdeafd8bace5a1ba9f7c3ce|CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US|1286341200.000000|1381035599.000000|04918ecb442ca62e6e8f29272b9cff42|ok</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.0.0.0</test_value>
-						<!-- srcport -->
-						<test_value name="i1">19427</test_value>
-						<!-- dstip -->
-						<test_value name="i2">80.175.58.76</test_value>
-						<!-- dstport -->
-						<test_value name="i3">443</test_value>
-						<!-- hostname -->
-						<test_value name="s0">-</test_value>
-						<!-- subject -->
-						<test_value name="s1">CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US</test_value>
-						<!-- expiration -->
-						<test_value name="i4">1381035599.000000</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_http</pattern>
-		<rules>
-			<rule class="19" id="19">
-				<patterns>
-					<!--ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       trans_depth     method  
-					  host    uri     referrer        user_agent      request_body_len        response_body_len       status_code     
-					  status_msg      info_code       info_msg        filename        tags    username        password        
-					  proxied mime_type       md5     extraction_file-->
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING:i5:|@@ESTRING:i4:|@</pattern>
-					<!--ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       method  
-					host    uri     referrer        user_agent      request_body_len       
-					 request_body_interrupted        response_body_len       response_body_interrupted       status_code     
-					 status_msg      filename        tags    username        password        proxied mime_type
-       md5     extraction_file-->
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:i5:|@@ESTRING::|@@ESTRING:i4:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_http">1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|GET|www.google.com|/|http://example.com|myagent|-|-|1000|0|200|</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.0.0.0</test_value>
-						<!-- srcport -->
-						<test_value name="i1">19427</test_value>
-						<!-- dstip -->
-						<test_value name="i2">80.175.58.76</test_value>
-						<!-- dstport -->
-						<test_value name="i3">80</test_value>
-						<!-- method -->
-						<test_value name="s0">GET</test_value>
-						<!-- host -->
-						<test_value name="s1">www.google.com</test_value>
-						<!-- uri -->
-						<test_value name="s2">/</test_value>
-						<!-- referer -->
-						<test_value name="s3">http://example.com</test_value>
-						<!-- user_agent -->
-						<test_value name="s4">myagent</test_value>
-						<!-- status_code -->
-						<test_value name="i4">200</test_value>
-						<!-- content_length -->
-						<test_value name="i5">1000</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_conn</pattern>
-		<rules>
-			<rule class="20" id="20">
-				<patterns>
-					<!--ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	
-					conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes-->
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:i5:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING:s4:|@</pattern>
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_conn">1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|tcp|...</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.0.0.0</test_value>
-						<!-- srcport -->
-						<test_value name="i1">19427</test_value>
-						<!-- dstip -->
-						<test_value name="i2">80.175.58.76</test_value>
-						<!-- dstport -->
-						<test_value name="i3">80</test_value>
-						<!-- proto -->
-						<test_value name="i4">tcp</test_value>
-					</example>
-					<example>
-						<test_message program="bro_conn">1355091922.994655|fOFtbJ91cG7|192.168.1.103|52949|206.12.19.9|80|tcp|http|3.970039|2829|574725|SF|-|3706|ShADadFf|200|14697|403|591995</test_message>
-						<!-- srcip -->
-						<test_value name="i0">192.168.1.103</test_value>
-						<!-- srcport -->
-						<test_value name="i1">52949</test_value>
-						<!-- dstip -->
-						<test_value name="i2">206.12.19.9</test_value>
-						<!-- dstport -->
-						<test_value name="i3">80</test_value>
-						<!-- proto -->
-						<test_value name="i4">tcp</test_value>
-						<!-- service -->
-						<test_value name="s0">http</test_value>
-						<!-- duration -->
-						<test_value name="s1">3.970039</test_value>
-						<!-- orig_bytes -->
-						<test_value name="s2">2829</test_value>
-						<!-- resp_bytes -->
-						<test_value name="i5">574725</test_value>
-						<!-- orig_pkts -->
-						<test_value name="s3">200</test_value>
-						<!-- resp_pkts -->
-						<test_value name="s4">403</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="fortinet_url" id='21'>
-		<pattern>kernel</pattern>
-		<rules>
-			<rule provider="ELSA" class='21' id='21'>
-				<patterns>
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=webfilter pri=@ESTRING:: @vd=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @serial=@ESTRING:: @user=@ESTRING:s0: @group=@ESTRING:s1: @src=@IPv4:i0:@ sport=@ESTRING:i1: @src_port=@ESTRING:: @src_int=@ESTRING:: @dst=@IPv4:i2:@ dport=@ESTRING:i3: @dst_port=@ESTRING:: @dst_int=@ESTRING:: @service=@ESTRING:s2: @hostname=@ESTRING:s3: @profiletype=@ESTRING:: @profile=@ESTRING:: @status=@ESTRING:s4: @req_type=@ESTRING:: @url=@ESTRING:s5: @method=@ESTRING:: @class=@ESTRING:: @cat=@ESTRING:i4: @cat_desc=@QSTRING::""@ carrier_ep=@ESTRING:: @msg=@QSTRING::""@ class_desc=@ESTRING:: @profilegroup=</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="kernel">date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FG100C999999999 log_id=13312 subtype=ftgd_allow type=webfilter pri=notice vd=VDOM policyid=44 identidx=1 serial=369298248 user=USER group=AD/GROUP src=10.1.2.3 sport=2163 src_port=2163 src_int=INT dst=4.3.2.1 dport=80 dst_port=80 dst_int=WAN service=http hostname=col.stb.s-msn.com profiletype=Webfilter_Profile profile=PROFILE status=passthrough req_type=referral url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg method=domain class=0 cat=41 cat_desc="Search Engines and Portals" carrier_ep=N/A msg="URL belongs to an allowed category in policy" class_desc=N/A profilegroup=N/A</test_message>
-						<test_values>
-							<test_value name="i0">10.1.2.3</test_value>
-							<test_value name="i1">2163</test_value>
-							<test_value name="i2">4.3.2.1</test_value>
-							<test_value name="i3">80</test_value>
-							<test_value name="s0">USER</test_value>
-							<test_value name="s1">AD/GROUP</test_value>
-							<test_value name="s2">http</test_value>
-							<test_value name="s3">col.stb.s-msn.com</test_value>
-							<test_value name="s4">passthrough</test_value>
-							<test_value name="s5">/i/79/65F987C952BDA0E84AE52464ADD59.jpg</test_value>
-							<test_value name="i4">41</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="fortinet_traffic" id='22'>
-		<pattern>kernel</pattern>
-		<rules>
-			<rule provider="ELSA" class='22' id='22'>
-				<patterns>
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=traffic pri=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4@ app_type=@ESTRING:: @duration=@NUMBER:i5@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @src_int=@ESTRING:: @dst_int=@ESTRING:: @SN=@ESTRING:: @app=@ESTRING:: @app_cat=@ESTRING:: @carrier_ep=@ESTRING:: @vpn=@ESTRING:: @status=@ESTRING:: @user=@ESTRING:: @group=@ESTRING:: @shaper_sent_name=@ESTRING:: @shaper_rcvd_name=@ESTRING:: @perip_name</pattern>
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @transip=@ESTRING:: @transport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ src_port=@NUMBER:i1:@ src_int=@QSTRING::""@ dst=@IPv4:i2:@ dst_port=@NUMBER:i3:@ dst_int=@QSTRING::""@ SN=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dst_country=@QSTRING::""@ src_country=@QSTRING::""@ service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sent=@ESTRING:: @rcvd=@ESTRING:: @msg</pattern>
-					<!-- Complete pattern, not used now because we aren't capturing later strings 
-						<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @shaper_sent_name=@QSTRING::""@ shaper_rcvd_name=@QSTRING::""@ perip_name=@QSTRING::""@ sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @vpn=@QSTRING::""@ src_int=@QSTRING::""@ dst_int=@QSTRING::""@ SN=@ESTRING:: @app=@QSTRING::""@ app_cat=@QSTRING::""@ user=@QSTRING::""@ group=@QSTRING::""@ carrier_ep=@QSTRING::""@</pattern>
-					-->
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@</pattern>
-					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="kernel">date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FGT80C9999999999 log_id=2 subtype=allowed type=traffic pri=notice vd=VDOM dir_disp=org tran_disp=snat src=10.1.2.3 srcname=10.1.2.3 src_port=53624 dst=4.3.2.2 dstname=4.3.2.2 dst_port=80 tran_ip=5.4.3.2 tran_port=49648 service=80/tcp proto=6 app_type=N/A duration=120 rule=49 policyid=49 identidx=0 sent=1221 rcvd=2062 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 sent_pkt=7 rcvd_pkt=6 src_int=INT dst_int=WAN SN=16349534 app=N/A app_cat=N/A carrier_ep=N/A vpn=N/A status=accept user=N/A group=N/A shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A</test_message>
-						<test_values>
-							<test_value name="i0">10.1.2.3</test_value>
-							<test_value name="i1">53624</test_value>
-							<test_value name="i2">4.3.2.2</test_value>
-							<test_value name="i3">80</test_value>
-							<test_value name="i4">6</test_value>
-							<test_value name="i5">120</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="checkpoint_deny" id='23'>
-		<rules>
-			<rule provider="ELSA" class='23' id='23'>
-				<patterns>
-					<pattern>@QSTRING:i0:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING:s0:""@ @QSTRING:s1:""@ @QSTRING:s2:""@ @QSTRING:s3:""@ @QSTRING:s4:""@ @QSTRING::""@ @QSTRING:i1:""@ @QSTRING:i2:""@ @QSTRING:i3:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ "message_info: @ESTRING:s5:"@ @QSTRING::""@ @QSTRING::""@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="">"1" "12Feb2012" "23:59:04" "bond0.30" "FW-INT-CHCKPNT1" "Log" "Drop" "ntp-udp" "ntp-udp" "192.168.1.210" "10.133.3.10" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""</test_message>
-						<test_values>
-							<test_value name="i0">1</test_value>
-							<test_value name="s0">bond0.30</test_value>
-							<test_value name="s1">FW-INT-CHCKPNT1</test_value>
-							<test_value name="s2">Log</test_value>
-							<test_value name="s3">Drop</test_value>
-							<test_value name="s4">ntp-udp</test_value>
-							<test_value name="i1">192.168.1.210</test_value>
-							<test_value name="i2">10.133.3.10</test_value>
-							<test_value name="i3">udp</test_value>
-							<test_value name="s5">Address spoofing</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="palo_alto_url" id='24'>
-		<rules>
-			<rule provider="ELSA" class='24' id='24'>
-				<patterns>
-					<pattern>@NUMBER::@:@NUMBER::@,@NUMBER::@,@ESTRING::,@url,@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING::,@@ESTRING:s2:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@1@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@"@ESTRING:s3:/@@ESTRING:s4:"@,(@NUMBER::@),@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s5:,@</pattern>
-					<!-- Alternative pattern for PAN with columns listed -->
-					<pattern>@ESTRING::,@ TYPE: THREAT, SUBTYPE: url, THREAT_ID: (@NUMBER::@), ACTION: @ESTRING::,@ RULE: @ESTRING::,@ MISC: "@ESTRING:s3:/@@ESTRING:s4:"@</pattern>
-					<values>
-						<value name="s4">/$s4</value>
-					</values>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="">46:31,002501000259,THREAT,url,0,2012/02/21 09:46:31,192.168.1.1,208.71.123.129,0.0.0.0,0.0.0.0,USERS-Network-AllowAll-to-EXT,domain\joeschmo,,web-browsing,vsys1,Users,External,ethernet1/3,ethernet1/5,forward-syslog-to-elsa,2012/02/2109:46:30,156730,1,50836,80,0,0,0x8000,tcp,alert,"network.realmedia.com/RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75",(9999),All,informational,client-to-server,19630699,0x0,United States,United States,0,text/xml</test_message>
-						<test_values>
-							<test_value name="i0">192.168.1.1</test_value>
-							<test_value name="i1">208.71.123.129</test_value>
-							<test_value name="s0">USERS-Network-AllowAll-to-EXT</test_value>
-							<test_value name="s1">domain\joeschmo</test_value>
-							<test_value name="s2">web-browsing</test_value>
-							<test_value name="i2">156730</test_value>
-							<test_value name="s3">network.realmedia.com</test_value>
-							<test_value name="s4">/RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75</test_value>
-							<test_value name="s5">United States</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="palo_alto_traffic" id='25'>
-		<rules>
-			<rule provider="ELSA" class='25' id='25'>
-				<patterns>
-					<pattern>@NUMBER::@:@NUMBER::@,@ESTRING::TRAFFIC,@@ESTRING:s5:,@@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@@ESTRING:i3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i4:,@@ESTRING::,@@ESTRING:i5:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@</pattern>
-					<!-- Alternative pattern for PAN with columns listed -->
-					<pattern>@ESTRING::,@ TYPE: TRAFFIC, SUBTYPE: @ESTRING:s5:,@ RULE: @ESTRING::,@ ACTION: @ESTRING::,@ INBOUND_INTERFACE: @ESTRING:s2:,@ FROM_ZONE: @ESTRING:s0:,@ SOURCE_USER: @ESTRING::,@ SOURCE_IP: @ESTRING:i0:,@ NAT_SOURCE_IP: @ESTRING::,@ SOURCE_PORT: @ESTRING:i2:,@ OUTBOUND_INTERFACE: @ESTRING:s3:,@ TO_ZONE: @ESTRING:s1:,@ DESTINATION_USER: @ESTRING::,@ DESTINATION_IP: @ESTRING:i1:,@ DESTINATION_PORT: @ESTRING:i3:,@ DESTINATION_LOCATION: @ESTRING:s4:,@ CATEGORY: @ESTRING:s5:,@ PROTOCOL: @ESTRING:i4:,@ APPLICATION: @ESTRING::,@ ELAPSED_TIME: @ESTRING::,@ BYTES: @ESTRING:i5:,@ BYTES_RECEIVED: @ESTRING::,@ BYTES_SENT: @ESTRING::,@ TOTAL_PACKETS: @ESTRING::,@ PACKETS_RECEIVED: @ESTRING::,@ PACKETS_SENT: @ESTRING::,@ REPEAT_COUNT_5sec: </pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="">46:31,002501000259,TRAFFIC,end,0,2012/02/21 09:46:31,10.10.10.10,192.168.1.1,0.0.0.0,0.0.0.0,ALL-http-https-to-BASTION,,,web-browsing,vsys1,External,Bastion,ethernet1/5,ethernet1/2,forward-syslog-to-elsa,2012/02/21 09:46:30,632179,1,4074,80,0,0,0x0,tcp,allow,2986,1493,1493,19,2012/02/21 09:45:57,31,not-resolved,0,453403179,0x0,United States,United States,0,10,9</test_message>
-						<test_values>
-							<test_value name="i0">10.10.10.10</test_value>
-							<test_value name="i1">192.168.1.1</test_value>
-							<test_value name="s0">External</test_value>
-							<test_value name="s1">Bastion</test_value>
-							<test_value name="s2">ethernet1/5</test_value>
-							<test_value name="s3">ethernet1/2</test_value>
-							<test_value name="i2">4074</test_value>
-							<test_value name="i3">80</test_value>
-							<test_value name="i4">tcp</test_value>
-							<test_value name="i5">2986</test_value>
-							<test_value name="s4">United States</test_value>
-							<test_value name="s5">end</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="ossec" id='26'>
-		<rules>
-			<rule provider="ELSA" class="4" id="26">
-				<patterns>
-					<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@@ESTRING::Account Name@@ESTRING::Account Name@:  @ESTRING:s1: @@ESTRING::Account Domain@:  @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@</pattern>
-					<values>
-						<value name="PROGRAM">$pdb_extracted_program</value>
-					</values>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="">2013 Jan 18 20:25:08 (host.example.com) 172.20.0.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: myuser: MYDOMAIN: MYDOMAIN-DC-1.example.com: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  MYDOMAIN-DC-1$  Account Domain:  MYDOMAIN  Logon ID:  0x3e7  Logon Type:   3  New Logon:  Security ID:  S-1-5-21-3113823999-9998615402-9997257512-9966  Account Name:  myuser  Account Domain:  MYDOMAIN  Logon ID:  0x2339f787  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1e8  Process Name:  C:\\Windows\\System32\\lsass.exe  Network Information:  Workstation Name: MYDOMAIN-DC-1  Source Network Address: 172.24.248.117  Source Port:  54265  Detailed Authentication Information:  Logon Process:  Advapi    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.</test_message>
-						<test_values>
-							<test_value name="i0">4624</test_value>
-							<test_value name="s1">myuser</test_value>
-							<test_value name="s2">MYDOMAIN</test_value>
-							<test_value name="i1">172.24.248.117</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='4' id='26'>
-				<patterns>
-					<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@</pattern>
-					<values>
-						<value name="PROGRAM">$pdb_extracted_program</value>
-					</values>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="">2012 Feb 20 09:04:41 (serverb) 123.123.40.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: bgreen@DOM1.A.COM: DOM1.A.COM: serverb.dom1.a.com: A Kerberos service ticket was requested. Account Information:  Account Name: bgreen@DOM1.A.COM  Account Domain:  DOM1.A.COM  Logon GUID: {CBB22EBF-4367-CB43-E5AC-2A8C13FD9641}  Service Information:  Service Name:  SERVERC$  Service ID: S-1-5-21-117536760-2556423787-3220343774-160533  Network Information:Client Address:  ::ffff:123.123.39.33  Client Port:  62513  Additional Information:  Ticket Options:  0x40810000  Ticket Encryption Type: 0x12  Failure Code:  0x0  Transited Services: -  This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.</test_message>
-						<test_values>
-							<test_value name="i0">4769</test_value>
-							<test_value name="PROGRAM">Security</test_value>
-							<test_value name="pdb_extracted_sourceip">123.123.40.23</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="barracuda" id='27'>
-		<pattern>from</pattern>
-		<rules>
-			<rule provider="ELSA" class='27' id='27'>
-				<patterns>
-					<pattern>@IPv4:pdb_extracted_sourceip:@: scan[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="from">192.168.1.10: scan[8077]: UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM</test_message>
-						<test_values>
-							<test_value name="i0">10.37.80.102</test_value>
-							<test_value name="s0">sender@example.com</test_value>
-							<test_value name="s1">recipient@example.com</test_value>
-							<test_value name="i1">0</test_value>
-							<test_value name="i2">0</test_value>
-							<test_value name="s2">-</test_value>
-							<test_value name="s3">Service - Flow Capture (inside)|status.example.com|PROBLEM</test_value>
-							<test_value name="pdb_extracted_sourceip">192.168.1.10</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='28' id='28'>
-				<patterns>
-					<pattern>@IPv4:pdb_extracted_sourceip:@: inbound/pass@NUMBER::@[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="from">192.168.1.10: inbound/pass1[22443]: host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13</test_message>
-						<test_values>
-							<test_value name="i0">8.7.24.13</test_value>
-							<test_value name="s0">test@test.com</test_value>
-							<test_value name="s1">test1@test.ca</test_value>
-							<test_value name="i1">2</test_value>
-							<test_value name="i2">62</test_value>
-							<test_value name="s2">8.7.24.13</test_value>
-							<test_value name="pdb_extracted_sourceip">192.168.1.10</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class='29' id='29'>
-				<patterns>
-					<pattern>@IPv4:pdb_extracted_sourceip:@: outbound/smtp[@NUMBER::@]: @IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="from">192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 &lt;0be658c5d60e4a0ea51a0a4745d6115e@mail.ca&gt; Queued mail for delivery</test_message>
-						<test_values>
-							<test_value name="i0">127.0.0.1</test_value>
-							<test_value name="s0">Queued mail for delivery</test_value>
-							<test_value name="i1">1</test_value>
-							<test_value name="pdb_extracted_sourceip">192.168.1.10</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="barracuda_scan" id='27_scan'>
-		<pattern>scan</pattern>
-		<rules>
-			<rule provider="ELSA" class='27' id='27'>
-				<patterns>
-					<pattern>@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="scan">UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM</test_message>
-						<test_values>
-							<test_value name="i0">10.37.80.102</test_value>
-							<test_value name="s0">sender@example.com</test_value>
-							<test_value name="s1">recipient@example.com</test_value>
-							<test_value name="i1">0</test_value>
-							<test_value name="i2">0</test_value>
-							<test_value name="s2">-</test_value>
-							<test_value name="s3">Service - Flow Capture (inside)|status.example.com|PROBLEM</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>		
-	<ruleset name="barracuda_inbound" id='27_inbound'>
-		<pattern>inbound</pattern>
-		<rules>
-			<rule provider="ELSA" class='28' id='28'>
-				<patterns>
-					<pattern>@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="inbound/pass1">host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13</test_message>
-						<test_values>
-							<test_value name="i0">8.7.24.13</test_value>
-							<test_value name="s0">test@test.com</test_value>
-							<test_value name="s1">test1@test.ca</test_value>
-							<test_value name="i1">2</test_value>
-							<test_value name="i2">62</test_value>
-							<test_value name="s2">8.7.24.13</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>		
-	<ruleset name="barracuda_outbound" id='27_outbound'>
-		<pattern>outbound</pattern>
-		<rules>
-			<rule provider="ELSA" class='29' id='29'>
-				<patterns>
-					<pattern>@IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="outbound/smtp">192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 &lt;0be658c5d60e4a0ea51a0a4745d6115e@mail.ca&gt; Queued mail for delivery</test_message>
-						<test_values>
-							<test_value name="i0">127.0.0.1</test_value>
-							<test_value name="s0">Queued mail for delivery</test_value>
-							<test_value name="i1">1</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name='Microsoft Exchange via Epilog' id='30'>
-		<patterns>exchmtlog</patterns>
-		<rules>
-			<rule provider='ELSA' class='30' id='30'>
-				<patterns>
-					<pattern>@ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING::,@@ESTRING:s1:,@@ESTRING::,@@ESTRING::,@STOREDRIVER,DELIVER,@NUMBER::@,@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="exchmtlog">2012-03-16T17:13:16.475Z,,servername,,casservername,,,STOREDRIVER,DELIVER,23065261,sender@some.org,recipient@other.org,,156558,1,,,TEST MESSAGE SUBJECT,sender@some.org,sender@some.org,2012-03-16T17:13:16.147Z</test_message>
-						<test_value name="s0">servername</test_value>
-						<test_value name="s1">casservername</test_value>
-						<test_value name="s2">sender@some.org</test_value>
-						<test_value name="s3">recipient@other.org</test_value>
-						<test_value name="s4">TEST MESSAGE SUBJECT</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name='URL via Novell forwarder script' id='31'>
-		<patterns>novell_logs_</patterns>
-		<rules>
-			<rule provider='ELSA' class='7' id='7'>
-				<patterns>
-					<!-- date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem cs-uri-query c-version sc-status x-cache-info sc-header-size sc(Content-Length) sc-completed sc-bytes
-	 cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) cs(X-Forwarded-For) cached x-fill-proxy-ip x-origin-ip rs-bytes sc(ETag) cs(If-Range) cs(Range) sc(Content-Range) cs(Pragma
-	) sc(Pragma)-->
-					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:username:|@@ESTRING:i1:|@@ESTRING:s1:|@@ESTRING:s0:|@@ESTRING::|@"@ESTRING:s2:"@|"@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i3:|@@ESTRING:i5:|@"@ESTRING:s4:"@|@ESTRING::|@"@ESTRING:s3:"@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="novell_logs_test">2012-04-06|15:57:49|10.124.19.11|-|10.0.59.189|dev.mail.example.com|GET|"https://dev.mail.example.com:443/owa/auth/preload.htm"|"/owa/auth/preload.htm"|""|HTTP/1.1|200|"In Cache, Fresh"|550|"1527"|Success|2077|916|0.000|"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)"|"ASPSESSIONIDSSDSDRTA=JPNHAEECMAIOIDMIHNPJGOKE; ASPSESSIONIDSQDSCQSA=FGPFCJECCJAGBFBHLPHPKMPD"|"https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&amp;reason=0&amp;replaceCurrent=1"|""|1|-|-|""|""|""|""|""|""</test_message>
-						<test_value name="i0">10.124.19.11</test_value>
-						<test_value name="i1">10.0.59.189</test_value>
-						<test_value name="s0">GET</test_value>
-						<test_value name="s1">dev.mail.example.com</test_value>
-						<test_value name="s2">/owa/auth/preload.htm</test_value>
-						<test_value name="s3">https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&amp;reason=0&amp;replaceCurrent=1</test_value>
-						<test_value name="s4">Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)</test_value>
-						<test_value name="i2">200</test_value>
-						<test_value name="i3">916</test_value>
-						<test_value name="i5">0.000</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Windows Event log Firewall Filtering" id='32'>
-		<pattern>Security-Auditing</pattern>
-		<rules>
-			<rule provider="M Smith" class='3' id='1000'>
-				<patterns>
-					<pattern>@ESTRING:: @The Windows Filtering Platform has @ESTRING:: @a connection. Application Information: Process ID: @ESTRING:: @Application Name: @ESTRING:: @Network Information: Direction: @ESTRING:: @Source Address: @IPv4:i1@ Source Port: @NUMBER:i2:@ Destination Address: @IPv4:i3:@ Destination Port: @NUMBER:i4:@ Protocol: @NUMBER:i0:@ Filter Information: Filter Run-Time ID: @ESTRING:: @Layer Name: @ESTRING:: @Layer Run-Time ID: @NUMBER::@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="Security-Auditing">5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1924 Application Name: \device\harddiskvolume1\users\admin\appdata\local\dude\win.exe Network Information: Direction: Outbound Source Address: 1.1.1.1 Source Port: 1234 Destination Address: 2.2.2.2 Destination Port: 4567 Protocol: 17 Filter Information: Filter Run-Time ID: 70078 Layer Name: Connect Layer Run-Time ID: 48</test_message>
-							<!-- srcip -->
-							<test_value name="i1">1.1.1.1</test_value>
-							<!-- srcport -->
-							<test_value name="i2">1234</test_value>
-							<!-- dstip -->
-							<test_value name="i3">2.2.2.2</test_value>
-							<!-- dstport -->
-							<test_value name="i4">4567</test_value>
-							<!-- proto -->
-							<test_value name="i0">17</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="TMG-Gateway-W3C-Logs-via-Epilog" id='10099'>
-            <rules>
-                    <rule provider="bgreen" class='3' id='10099'>
-                            <patterns>
-                                    <pattern>@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:::@@ESTRING:i2:|@@ESTRING:i3::@@ESTRING:i4:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@</pattern>
-                            </patterns>
-                            <examples>
-                                    <example>
-                                            <test_message program="ISAFWSLOG">BOB|2012-07-05|15:05:11|TCP|123.123.123.222:40521|123.123.123.111:443|123.123.111.111|Local Host|Internal|Establish|0x0|-|HTTPS|0|0|0|0|-|-|-|-|4|1874698|-|-|::|-|1048575|-</test_message>
-                                            <!-- proto -->
-                                            <test_value name="i0">TCP</test_value>
-                                            <!-- srcip -->
-                                            <test_value name="i1">123.123.111.111</test_value>
-                                            <!-- srcport -->
-                                            <test_value name="i2">40521</test_value>
-                                            <!-- dstip -->
-                                            <test_value name="i3">123.123.123.111</test_value>
-                                            <!-- dstport -->
-                                            <test_value name="i4">443</test_value>
-											<!-- inside interface -->
-											<test_value name="s0">Local Host</test_value>
-											<!-- outside interface -->
-											<test_value name="s1">Internal</test_value>
-                                    </example>
-                            </examples>
-                    </rule>
-            </rules>
-    </ruleset>
-    <ruleset name="ISAFWSLog-via-Epilog">
-    		<patterns>
-    			<pattern>ISAFWSLog</pattern>
-    		</patterns>
-            <rules>
-                    <rule provider="ELSA" class='7' id='7'>
-                            <patterns>
-                                    <pattern>@ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING:i2:|@</pattern>
-                                    <pattern>@ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@</pattern>
-                            </patterns>
-                            <examples>
-                                    <example>
-                                    		<test_message program="ISAFWSLog">1.1.1.1|domainname\username|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)|2012-08-27|18:59:49|MAD00GS6|2.2.2.2|2.2.2.2|80|http|GET|http://search.twitter.com/search.json?q=hp%2520dell%2520problems&amp;since_id=240160211699122180&amp;callback=twitter._queue_callback&amp;result_type=mixed|200|Internet Access to Users|Req ID: 1f449904 |Internal|External|0x480|Allowed|-</test_message>
-                                            <test_value name="i0">1.1.1.1</test_value>
-											<test_value name="i1">2.2.2.2</test_value>
-											<test_value name="s0">GET</test_value>
-											<test_value name="s1">search.twitter.com</test_value>
-											<test_value name="s2">search.json?q=hp%2520dell%2520problems&amp;since_id=240160211699122180&amp;callback=twitter._queue_callback&amp;result_type=mixed</test_value>
-											<test_value name="s3"></test_value>
-											<test_value name="s4">Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)</test_value>
-											<test_value name="s5"></test_value>
-											<test_value name="i2">200</test_value>
-											<test_value name="i3"></test_value>
-											<test_value name="i4"></test_value>
-                                    </example>
-                            </examples>
-                    </rule>
-            </rules>
-    </ruleset>
-    <ruleset name="Cisco SEC">
-    	<pattern>%SEC-</pattern>
-    	<rules>
-    		<rule provider="ELSA" class="2" id="2">
-    			<pattern>list @ESTRING:s2: @denied @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@</pattern>
-    			<examples>
-	    			<example>
-	    				<test_message program="%SEC-6-IPACCESSLOGP">list FILTER-INTERNET-IN denied tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet</test_message>
-	    				<test_value name="s2">FILTER-INTERNET-IN</test_value>
-	    				<test_value name="i0">tcp</test_value>
-	    				<test_value name="i1">1.2.3.4</test_value>
-	    				<test_value name="i2">53420</test_value>
-	    				<test_value name="i3">5.6.7.8</test_value>
-	    				<test_value name="i4">23</test_value>
-	    			</example>
-	    		</examples>
-	    	</rule>
-    	</rules>
-    	<rules>
-    		<rule provider="ELSA" class="3" id="3">
-    			<pattern>list @ESTRING:s2: @permitted @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@</pattern>
-    			<examples>
-	    			<example>
-	    				<test_message program="%SEC-6-IPACCESSLOGP">list FILTER-INTERNET-IN permitted tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet</test_message>
-	    				<test_value name="s2">FILTER-INTERNET-IN</test_value>
-	    				<test_value name="i0">tcp</test_value>
-	    				<test_value name="i1">1.2.3.4</test_value>
-	    				<test_value name="i2">53420</test_value>
-	    				<test_value name="i3">5.6.7.8</test_value>
-	    				<test_value name="i4">23</test_value>
-	    			</example>
-	    		</examples>
-	    	</rule>
-    	</rules>
-    </ruleset>
-    <ruleset name="CEF">
-    	<rules>
-    		<rule provider="ELSA" class="32" id="32">
-    			<pattern>CEF:@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@NUMBER:i0:@|@ANYSTRING:s5:@</pattern>
-    			<examples>
-	    			<example>
-	    				<test_message program="">CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232</test_message>
-	    				<test_value name="i0">10</test_value>
-	    				<test_value name="s0">security</test_value>
-	    				<test_value name="s1">threatmanager</test_value>
-	    				<test_value name="s2">1.0</test_value>
-	    				<test_value name="s3">100</test_value>
-	    				<test_value name="s4">worm successfully stopped</test_value>
-	    				<test_value name="s5">src=10.0.0.1 dst=2.1.2.2 spt=1232</test_value>
-	    			</example>
-	    		</examples>
-	    	</rule>
-    	</rules>
-	</ruleset>
-	<ruleset name="Watchguard Firewall">
-		<pattern>firewall</pattern>
-		<rules>
-			<rule provider="ELSA" class="2" id="2">
-				<pattern>Deny @ESTRING:s0: @@ESTRING:s1: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @</pattern>
-				<examples>
-					<example>
-						<test_message program="firewall">Deny 0-External Firebox 1340 tcp 20 56 74.125.225.143 10.0.1.1 443 3449 offset 5 A 451109382 win 257 (Unhandled External Packet-00)</test_message>
-						<test_value name="i0">tcp</test_value>
-						<test_value name="i1">74.125.225.143</test_value>
-						<test_value name="i2">443</test_value>
-						<test_value name="i3">10.0.1.1</test_value>
-						<test_value name="i4">3449</test_value>
-						<test_value name="s0">0-External</test_value>
-						<test_value name="s1">Firebox</test_value>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class="3" id="3">
-				<pattern>Allow @ESTRING:s1: @@ESTRING:s0: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @</pattern>
-				<examples>
-					<example>
-						<test_message program="firewall">Allow 1-Trusted 0-External 52 tcp 20 127 192.168.1.31 96.60.118.121 55185 8005 offset 8 S 1125590318 win 32 (ATSBDR-00)</test_message>
-						<test_value name="i0">tcp</test_value>
-						<test_value name="i1">192.168.1.31</test_value>
-						<test_value name="i2">55185</test_value>
-						<test_value name="i3">96.60.118.121</test_value>
-						<test_value name="i4">8005</test_value>
-						<test_value name="s0">0-External</test_value>
-						<test_value name="s1">1-Trusted</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Watchguard URL">
-		<pattern>http-proxy</pattern>
-		<rules>
-			<rule provider="ELSA" class="7" id="7">
-				<pattern>Deny @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@</pattern>
-				<examples>
-					<example>
-						<test_message program="http-proxy">Deny 1-Trusted 0-External tcp 192.168.1.17 23.21.13.155 62115 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="" dstname="23.21.13.155" arg="" sent_bytes="1" rcvd_bytes="0" (HTTP-proxy-ExceptLunch-00)</test_message>
-						<test_value name="i0">192.168.1.17</test_value>
-						<test_value name="i1">23.21.13.155</test_value>
-						<test_value name="i3">0</test_value>
-						<test_value name="s0"></test_value>
-						<test_value name="s1">23.21.13.155</test_value>
-						<test_value name="s2"></test_value>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class="7" id="7">
-				<pattern>Allow @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@</pattern>
-				<examples>
-					<example>
-						<test_message program="http-proxy">Allow 1-Trusted 0-External tcp 192.168.1.22 74.125.142.95 2597 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="GET" dstname="ajax.googleapis.com" arg="/ajax/libs/jquery/1.5/jquery.min.js" sent_bytes="363" rcvd_bytes="30368" (HTTP-proxy-ExceptLunch-00)</test_message>
-						<test_value name="i0">192.168.1.22</test_value>
-						<test_value name="i1">74.125.142.95</test_value>
-						<test_value name="i3">30368</test_value>
-						<test_value name="s0">GET</test_value>
-						<test_value name="s1">ajax.googleapis.com</test_value>
-						<test_value name="s2">/ajax/libs/jquery/1.5/jquery.min.js</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Sidewinder Firewall">
-		<pattern>auditd</pattern>
-		<rules>
-			<rule provider="ELSA" class="2" id="2">
-				<pattern>date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@</pattern>
-				<pattern>date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@</pattern>
-				<pattern>date@ESTRING::type=@t_attack@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@@ESTRING::protocol=@@NUMBER:i0:@@ESTRING::dstip=@@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@</pattern>
-				<pattern>date@ESTRING::type=@t_netprobe@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,protocol=@NUMBER:i0:@,interface=@ESTRING:s0:,@</pattern>
-				<examples>
-					<example>
-						<test_message program="auditd">date="Oct 1 16:24:57 2012 UTC",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=localhost,event=IP Filter session open,rule_name=myrule-out,srcip=1.1.1.1,srcport=1,srcburb=internal2,dstip=2.2.2.2,dstport=2,dstburb=external1,protocol=6,netsessid=5069c3d9000c7831</test_message>
-						<test_value name="i0">6</test_value>
-						<test_value name="i1">1.1.1.1</test_value>
-						<test_value name="i2">1</test_value>
-						<test_value name="i3">2.2.2.2</test_value>
-						<test_value name="i4">2</test_value>
-						<test_value name="s0">external1</test_value>
-						<test_value name="s1">internal2</test_value>
-					</example>
-				</examples>
-			</rule>
-			<rule provider="ELSA" class="3" id="3">
-				<pattern>date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@</pattern>
-				<pattern>date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@</pattern>
-				<pattern>date@ESTRING::event=@IP Filter session close@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@</pattern>
-				<pattern>date@ESTRING::event=@IP Filter session timeout@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@</pattern>
-				<examples>
-					<example>
-						<test_message program="auditd">date="Oct 1 16:24:57 2012 UTC",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=28529,ruid=0,euid=0,pgid=28529,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=localhost,event=proxy traffic end,service_name=http,netsessid=5069c3d9000ab8ce,srcip=1.1.1.1,srcport=1,srcburb=internal2,protocol=6,dstip=2.2.2.2,dstport=2,dstburb=external1,bytes_written_to_client=1297,bytes_written_to_server=421,rule_name=www.isa.webproxy,cache_hit=0,request_status=0,start_time="Mon Oct 1 11:24:57 2012"</test_message>
-						<test_value name="i0">6</test_value>
-						<test_value name="i1">1.1.1.1</test_value>
-						<test_value name="i2">1</test_value>
-						<test_value name="i3">2.2.2.2</test_value>
-						<test_value name="i4">2</test_value>
-						<test_value name="s0">external1</test_value>
-						<test_value name="s1">internal2</test_value>
-						<test_value name="i5">1297</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Websense">
-		<pattern></pattern>
-		<rules>
-			<rule provider="ELSA" class="33" id="33">
-				<pattern>vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @@ESTRING:://@@ESTRING::/@@ANYSTRING:s2:@</pattern>
-				<pattern>vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @</pattern>
-				<values>
-					<value name="s2">/$s2</value>
-				</values>
-				<examples>
-					<example>
-						<test_message program="">vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com/index.html</test_message>
-						<test_value name="i0">10.64.134.74</test_value>
-						<test_value name="i1">74.125.224.53</test_value>
-						<test_value name="i2">200</test_value>
-						<test_value name="s0">-</test_value>
-						<test_value name="s1">mail.google.com</test_value>
-						<test_value name="s2">/index.html</test_value>
-						<test_value name="s3">1034</test_value>
-						<test_value name="s4">Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23</test_value>
-						<test_value name="s5">permitted</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="McAfee SmartFilter">
-		<pattern></pattern>
-		<rules>
-			<rule provider="ELSA" class="33" id="33">
-				<pattern>@IPv4:i0@ - @ESTRING:s0: @@ESTRING::"@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:"@ @NUMBER:i2:@ @ESTRING:s5: @@QSTRING:s3:"@</pattern>
-				<values>
-					<value name="s2">/$s2</value>
-				</values>
-				<examples>
-					<example>
-						<test_message program="McAfee SmartFilter">1.1.1.1 - username [03/Oct/2012:06:52:51 +0100]  "GET http://a.nice.url/some/uri?parameters=go&amp;in=here" 200 ALLOW "Blogs/Wiki, Entertainment"</test_message>
-						<test_value name="i0">1.1.1.1</test_value>
-						<test_value name="i2">200</test_value>
-						<test_value name="s0">username</test_value>
-						<test_value name="s1">a.nice.url</test_value>
-						<test_value name="s2">/some/uri?parameters=go&amp;in=here</test_value>
-						<test_value name="s3">Blogs/Wiki, Entertainment</test_value>
-						<test_value name="s5">ALLOW</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="Netflow" id='Netflow'>
-		<pattern>netflow_syslog</pattern>
-		<rules>
-			<rule provider="ELSA" class='34' id='34'>
-				<patterns>
-					<pattern>@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ANYSTRING:s5:@</pattern>
-					<pattern>@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@</pattern>
-					<pattern>@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="netflow_syslog">tcp|192.85.128.47|35843|1.1.1.1|443|30486|2173|US|Palo Alto, CA|37.376202|-122.182602|HPES - Hewlett-Packard Company</test_message>
-						<test_values>
-							<test_value name="i0">tcp</test_value>
-							<test_value name="i1">192.85.128.47</test_value>
-							<test_value name="i2">35843</test_value>
-							<test_value name="i3">1.1.1.1</test_value>
-							<test_value name="i4">443</test_value>
-							<test_value name="i5">30486</test_value>
-							<test_value name="s0">2173</test_value>
-							<test_value name="s1">US</test_value>
-							<test_value name="s2">Palo Alto, CA</test_value>
-							<test_value name="s3">37.376202</test_value>
-							<test_value name="s4">-122.182602</test_value>
-							<test_value name="s5">HPES - Hewlett-Packard Company</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="BIND">
-		<pattern>BIND</pattern>
-		<rules>
-			<rule provider="ELSA" class='35' id='35'>
-				<patterns>
-					<pattern>@ESTRING::client @@ESTRING:i0:#@@NUMBER::@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@</pattern>
-					<pattern>@ESTRING::client @@ESTRING:i0:#@@NUMBER::@ (@ESTRING::)@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="BIND-DNS">02-Nov-2012 15:49:58.516 queries: info: client 198.211.94.24#55557: query: 174.2.219.178.in-addr.arpa IN PTR + (198.211.94.23)</test_message>
-						<test_values>
-							<test_value name="i0">198.211.94.24</test_value>
-							<test_value name="s0">174.2.219.178.in-addr.arpa</test_value>
-							<test_value name="s1">PTR</test_value>
-							<test_value name="s2">198.211.94.23</test_value>
-						</test_values>
-					</example>
-					<example>
-						<test_message program="BIND-DNS">02-Nov-2012 16:01:27.731 client 10.10.10.185#49999 (10.10.10.185): query: p.twitter.com IN A + (10.10.210.210)</test_message>
-						<test_values>
-							<test_value name="i0">10.10.10.185</test_value>
-							<test_value name="s0">p.twitter.com</test_value>
-							<test_value name="s1">A</test_value>
-							<test_value name="s2">10.10.210.210</test_value>
-						</test_values>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="IISWebLog">
-		<pattern>IISWebLog</pattern>
-		<rule provider="ELSA" class="7" id="IIS_7">
-			<pattern>@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i1:@ @ESTRING:s0: @@ESTRING:s2: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s4: @@ESTRING:: @@ESTRING:s3: @@ESTRING:s1: @@NUMBER:i2:@ @NUMBER::@ @NUMBER::@ @NUMBER:i3:@ @NUMBER::@ @NUMBER:i5:@</pattern>
-			<examples>
-				<example>
-					<test_message program="IISWebLog">2012-12-13 13:39:16 W3SVC1 MYSERVERNAME 1.1.1.1 GET / - 80 - 2.2.2.2 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11 - - www.fqdn.of.website.from.host.header.com 301 0 0 401 408 453</test_message>
-					<test_values>
-						<test_value name="i0">2.2.2.2</test_value>
-						<test_value name="i1">1.1.1.1</test_value>
-						<test_value name="i2">301</test_value>
-						<test_value name="i3">401</test_value>
-						<test_value name="i5">453</test_value>
-						<test_value name="s0">GET</test_value>
-						<test_value name="s1">www.fqdn.of.website.from.host.header.com</test_value>
-						<test_value name="s2">/</test_value>
-						<test_value name="s3">-</test_value>
-						<test_value name="s4">Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11</test_value>
-					</test_values>
-				</example>
-			</examples>
-		</rule>
-	</ruleset>
-	<ruleset name="Vyatta FW">
-		<!-- Note: Vyatta bug id:7640 https://bugzilla.vyatta.com/show_bug.cgi?id=7640 Trailing space missing from default log prefix "-R]IN" should be "-R] "-->
-		<pattern>kernel-</pattern>
-		<rules>
-			<rule provider="ELSA" class="2" id="2">
-				<patterns>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="kernel">[100100.226323] [WEB_IN-default-R]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.105 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=16822 PROTO=TCP SPT=51425 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0</test_message>
-						<test_value name="s0">eth1</test_value>
-						<test_value name="s1">eth0</test_value>
-						<test_value name="s2">WEB_IN-default</test_value>
-						<test_value name="i0">TCP</test_value>
-						<test_value name="i1">172.31.254.28</test_value>
-						<test_value name="i2">51425</test_value>
-						<test_value name="i3">172.31.253.105</test_value>
-						<test_value name="i4">23</test_value>
-					</example>
-					<example>
-						<test_message program="kernel">[382188.344294] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.109 LEN=44 TOS=0x00 PREC=0x00 TTL=45 ID=55452 PROTO=TCP SPT=51809 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0</test_message>
-						<test_value name="s0">eth1</test_value>
-						<test_value name="s1">eth0</test_value>
-						<test_value name="s2">WEB_IN-default</test_value>
-						<test_value name="i0">TCP</test_value>
-						<test_value name="i1">172.31.254.28</test_value>
-						<test_value name="i2">51809</test_value>
-						<test_value name="i3">172.31.253.109</test_value>
-						<test_value name="i4">80</test_value>
-					</example>
-					<example>
-						<test_message program="kernel">[387123.927635] [WEB_IN-8-D] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.103 LEN=28 TOS=0x00 PREC=0x00 TTL=47 ID=49372 PROTO=ICMP TYPE=8 CODE=0 ID=5799 SEQ=0</test_message>
-						<test_value name="s0">eth1</test_value>
-						<test_value name="s1">eth0</test_value>
-						<test_value name="s2">WEB_IN-8</test_value>
-						<test_value name="i0">ICMP</test_value>
-						<test_value name="i1">172.31.254.28</test_value>
-						<test_value name="i2"></test_value>
-						<test_value name="i3">172.31.253.103</test_value>
-						<test_value name="i4"></test_value>
-					</example>
-					<example>
-						<test_message program="kernel">[466981.095849] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.106 LEN=20 TOS=0x00 PREC=0x00 TTL=44 ID=39983 PROTO=135</test_message>
-						<test_value name="s0">eth1</test_value>
-						<test_value name="s1">eth0</test_value>
-						<test_value name="s2">WEB_IN-default</test_value>
-						<test_value name="i0">135</test_value>
-						<test_value name="i1">172.31.254.28</test_value>
-						<test_value name="i2"></test_value>
-						<test_value name="i3">172.31.253.106</test_value>
-						<test_value name="i4"></test_value>
-					</example>
-					<example>
-						<test_message program="kernel">[451134.428328] [WEB_IN-9-R] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.107 LEN=20 TOS=0x00 PREC=0x00 TTL=37 ID=12252 PROTO=ESP INCOMPLETE [0 bytes]</test_message>
-						<test_value name="s0">eth1</test_value>
-						<test_value name="s1">eth0</test_value>
-						<test_value name="s2">WEB_IN-9</test_value>
-						<test_value name="i0">ESP</test_value>
-						<test_value name="i1">172.31.254.28</test_value>
-						<test_value name="i2"></test_value>
-						<test_value name="i3">172.31.253.107</test_value>
-						<test_value name="i4"></test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-		<rules>
-			<rule provider="ELSA" class="3" id="3">
-				<patterns>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
-					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="kernel">[88829.069484] [WEB_IN-7-A] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.102 LEN=44 TOS=0x00 PREC=0x00 TTL=46 ID=22533 PROTO=TCP SPT=59995 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0</test_message>
-						<test_value name="s0">eth1</test_value>
-						<test_value name="s1">eth0</test_value>
-						<test_value name="s2">WEB_IN-7</test_value>
-						<test_value name="i0">TCP</test_value>
-						<test_value name="i1">172.31.254.28</test_value>
-						<test_value name="i2">59995</test_value>
-						<test_value name="i3">172.31.253.102</test_value>
-						<test_value name="i4">3306</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="OSSEC_ALERTS">
-		<pattern>ossec</pattern>
-		<rules>
-			<rule provider="shadejinx" class='35' id='35'>
-				<pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ Location: @ESTRING:s1:-@@ESTRING::;@ user: @ESTRING:s2:;@</pattern>
-				<examples>
-					<example>
-						<test_message program="ossec">Alert Level: 4; Rule: 18105 - Windows audit failure event.; Location: %SERVER.DOMAIN.LOCAL%->/var/log/ossec_in; user: %USERNAME%; Jan 12 13:51:34 %SERVER.DOMAIN.LOCAL% MSWinEventLog|1|Security|3151378|Sat Jan 12 13:51:32 2013|4776|Microsoft-Windows-Security-Auditing|%USERNAME%|N/A|Failure Audit|%SERVER.DOMAIN.LOCAL%|None||The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: %USERNAME% Source Workstation: %WORKSTATION_NAME% Error Code: 0xc0000064|3147595</test_message>
-						<test_value name="i0">4</test_value>
-						<test_value name="i1">18105</test_value>
-						<test_value name="s0">Windows audit failure event.</test_value>
-						<test_value name="s1">%SERVER.DOMAIN.LOCAL%</test_value>
-						<test_value name="s2">%USERNAME%</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="NetScreen" id='1001'>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:s2: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Deny sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="fwgate-1">NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied</test_message>
-						<test_value name="i0">6</test_value>
-						<test_value name="s0">IN</test_value>
-						<test_value name="i1">192.168.0.1</test_value>
-						<test_value name="s1">OUT</test_value>
-						<test_value name="i2">51271</test_value>
-						<test_value name="i3">192.168.1.1</test_value>
-						<test_value name="i4">80</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-		<rules>
-			<rule provider="ELSA" class='3' id='3'>
-				<patterns>
-					<pattern>NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:s2: @policy_id=@ESTRING:: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Permit sent=@ESTRING:: @rcvd=@ESTRING:i5: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @</pattern>
-				</patterns>
-				<examples>
-					<example>
-					    <test_message program="fwgate-1">NetScreen device_id=fwgate-1 [Root]system-notification-00257(traffic): start_time="2013-02-14 15:37:46" duration=2 policy_id=8 service=tcp/port:10050 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=379 rcvd=377 src=192.168.1.XX dst=192.168.XXX.XXX src_port=36033 dst_port=10050 src-xlated ip=192.168.XX.XX port=36033 dst-xlated ip=192.168.XXX.XXX port=10050 session_id=253315 reason=Close - TCP FIN</test_message>
-						<test_value name="i0">6</test_value>
-						<test_value name="i1">192.168.1.XX</test_value>
-						<test_value name="i2">36033</test_value>
-						<test_value name="i3">192.168.XXX.XXX</test_value>
-						<test_value name="i4">10050</test_value>
-						<test_value name="i5">377</test_value>
-						<test_value name="s0">DMZ</test_value>
-						<test_value name="s1">Trust</test_value>
-						<test_value name="s2">2</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="ATT Uverse" id='1001'>
-		<rules>
-			<rule provider="ELSA" class='2' id='2'>
-				<patterns>
-					<pattern>src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @sport=@ESTRING:i2: @dport=@ESTRING:i4: @</pattern>
-					<pattern>src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="fw,fwmon">src=192.168.1.65 dst=192.168.2.8 ipprot=17 sport=7547 dport=3478 Drop traffic to 192.168.0.0/16</test_message>
-						<test_value name="i0">17</test_value>
-						<test_value name="i1">192.168.1.65</test_value>
-						<test_value name="i2">7547</test_value>
-						<test_value name="i3">192.168.2.8</test_value>
-						<test_value name="i4">3478</test_value>
-					</example>
-					<example>
-						<test_message program="fw,fwmon">src=192.168.2.8 dst=192.168.1.72 ipprot=17 (layer 4 info unknown) Unknown inbound session stopped</test_message>
-						<test_value name="i0">17</test_value>
-						<test_value name="i1">192.168.2.8</test_value>
-						<test_value name="i3">192.168.1.72</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<!-- Bluecoat requires using a separate TCP destination in syslog-ng with the no-parse flag set and program_override("url")-->
-	<ruleset name='bluecoat'>
-		<pattern>url</pattern>
-		<rules>
-			<rule class='7' id='7'>
-				<patterns>
-					<pattern>@ESTRING:: @@ESTRING:: @@NUMBER:i5:@ @IPv4:i0:@ @NUMBER:i2:@ @ESTRING:: @@NUMBER::@ @NUMBER:i3:@ @ESTRING:s0: @@ESTRING:: @@ESTRING:s1: @@ESTRING:: @@ESTRING:s2_a: @@ESTRING:s2_b: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s4: @@ESTRING:s5: @</pattern>
-					<pattern>20@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:i0: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s1: @</pattern>
-				</patterns>
-				<values>
-					<value name="s2">$s2_a$s2_b</value>
-				</values>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="infoblox_dhcp" id='40'>
-		<pattern>dhcpd</pattern>
-		<rules>
-			<rule provider="ELSA" class='40' id='40'>
-				<!-- i0 = srcip, s0=MAC address, s1=domain, s2=hostname -->
-				<patterns>
-					<pattern>DHCPDISCOVER from @ESTRING:s0: @via @ESTRING:i0::@</pattern>
-					<pattern>bind update on @ESTRING:i0: @from @ESTRING:s1:(@@NUMBER::@)</pattern>
-					<pattern>Forward map from @ESTRING:s2: @to @ESTRING:i0: @</pattern>
-					<pattern>Abandoning IP address @ESTRING:i0::@</pattern>
-					<pattern>Reclaiming abandoned lease @IPvANY:i0:@</pattern>
-					<pattern>client @ESTRING:i0:#@@NUMBER::@: update forwarding '@ESTRING:s1:/@</pattern>
-					<pattern>DNS format error from @ESTRING:i1:#@@NUMBER:i2:@ resolving </pattern>
-					<pattern>DHCPACK on @ESTRING:i0: @to @ESTRING:s0: @(@ESTRING:s2:)@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="dhcpd">DHCPDISCOVER from aa:aa:aa:aa:aa:aa via 10.1.52.31: peer holds all free leases</test_message>
-						<test_value name="s0">aa:aa:aa:aa:aa:aa</test_value>
-						<test_value name="i0">10.1.52.31</test_value>
-					</example>
-					<example>
-						<test_message program="dhcpd">bind update on 1.1.1.1 from corp-test(1368109376) rejected: incoming update is less critical than outgoing update</test_message>
-						<test_value name="i0">1.1.1.1</test_value>
-						<test_value name="s1">corp-test</test_value>
-					</example>
-					<example>
-						<test_message program="dhcpd">Forward map from host.test.com to 1.1.1.1 FAILED: Has an address record but no DHCID, not mine.</test_message>
-						<test_value name="i0">1.1.1.1</test_value>
-						<test_value name="s2">host.test.com</test_value>
-					</example>
-					<example>
-						<test_message program="dhcpd">Abandoning IP address 1.1.1.1: pinged before offer</test_message>
-						<test_value name="i0">1.1.1.1</test_value>
-					</example>
-					<example>
-						<test_message program="dhcpd">Reclaiming abandoned lease 10.1.52.207.</test_message>
-						<test_value name="i0">10.1.52.207</test_value>
-					</example>
-					<example>
-						<test_message program="dhcpd">client 1.1.1.1#64919: update forwarding 'test.com/IN' denied</test_message>
-						<test_value name="i0">1.1.1.1</test_value>
-						<test_value name="s1">test.com</test_value>
-					</example>
-					<example>
-						<test_message program="dhcpd">DHCPACK on 192.168.208.64 to aa:aa:aa:aa:aa:aa (JT-Mac) via 192.168.208.8</test_message>
-						<test_value name="i0">192.168.208.64</test_value>
-						<test_value name="s0">aa:aa:aa:aa:aa:aa</test_value>
-						<test_value name="s2">JT-Mac</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset name="FIREEYE" id='10003'>
-        <pattern>fenotify</pattern>
-		<rules>
-			<rule provider="ELSA" class='42' id='42'>
-				<patterns>
-					<pattern>@ESTRING::cnchost=@@ESTRING:i0:,@alertType=@ESTRING:s0:,@shost=@ESTRING:s1:,@dst=@ESTRING:i1:,@@ESTRING::sname=@@ESTRING:s2:,@fileHash=@ESTRING:s3:,@@ESTRING::occurred=@@ESTRING:i2:,@@ESTRING::cncport=@@ESTRING:i3:,@src=@ESTRING:i4:,@dpt=@ESTRING:i5:,@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="fenotify">CSV:0:FireEye:Web MPS:7.0.0.138133:IM:infection-match,osinfo=,sev=minr,malware_type=,alertid=16232,app=,spt=2791,locations=,smac=c4:7d:4f:ef:e0:03,header=,cnchost=127.0.0.1,alertType=infection-match,shost=thegibson.domain.com,dst=127.0.0.1,original_name=,application=,sid=504606,malware-note=,objurl=,mwurl=,profile=,dmac=00:0a:42:f4:94:00,product=Web MPS,sname=Local.Infection,fileHash=351f1dc4e958975661f02c86a485431e,dvchost=,occurred=2013-01-14T16:58:18Z,release=7.0.0.138133,link=,cncport=80,src=10.10.10.10,dpt=80,anomaly=,dvc=,channel=,action=notified,os=,stype=bot-command,</test_message>
-						<test_value name="s0">infection-match</test_value>
-						<test_value name="s1">thegibson.domain.com</test_value>
-						<test_value name="s2">Local.Infection</test_value>
-						<test_value name="s3">351f1dc4e958975661f02c86a485431e</test_value>
-						<test_value name="s4">bot-command</test_value>
-						<test_value name="i0">127.0.0.1</test_value>
-						<test_value name="i1">127.0.0.1</test_value>
-						<test_value name="i2">2013-01-14T16:58:18Z</test_value>
-						<test_value name="i3">80</test_value>
-						<test_value name="i4">10.10.10.10</test_value>
-						<test_value name="i5">80</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_ftp</pattern>
-		<rules>
-			<rule class="43" id="43">
-				<patterns>
-				  <!-- start securityonion -->
-                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s0:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@</pattern>
-                  <!-- end securityonion -->
-				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
-				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_ftp">1360158824.989266|B6a0lYqUPm4|10.1.10.64|2504|10.2.20.40|21|redcell|hidden|RETR|ftp://10.2.20.40/./bandook.exe|-|-|-|-|-|-|-</test_message>
-						<!-- eventid -->
-						<test_value name="s0">B6a0lYqUPm4</test_value>
-						<!-- srcip -->
-						<test_value name="i0">10.1.10.64</test_value>
-						<!-- srcport -->
-						<test_value name="i1">2504</test_value>
-						<!-- dstip -->
-						<test_value name="i2">10.2.20.40</test_value>
-						<!-- dstport -->
-						<test_value name="i3">21</test_value>
-						<!-- username -->
-						<test_value name="s1">redcell</test_value>
-						<!-- password -->
-						<test_value name="s2">hidden</test_value>
-						<!-- command -->
-						<test_value name="s3">RETR</test_value>
-						<!-- arg -->
-						<test_value name="s4">ftp://10.2.20.40/./bandook.exe</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_weird</pattern>
-		<rules>
-			<rule class="44" id="44">
-				<patterns>
-                <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s3:|@</pattern>  
-                </patterns>
-				<examples>
-					<example>
-						<test_message program="bro_weird">1351197195.607686|mHKKLqyI4mf|192.168.1.12|137|192.168.1.13|137|DNS_label_len_gt_pkt|-|F|bro</test_message>
-						<!-- eventid -->
-						<test_value name="s0">mHKKLqyI4mf</test_value>
-						<!-- srcip -->
-						<test_value name="i0">192.168.1.12</test_value>
-						<!-- srcport -->
-						<test_value name="i1">137</test_value>
-						<!-- dstip -->
-						<test_value name="i2">192.168.1.13</test_value>
-						<!-- dstport -->
-						<test_value name="i3">137</test_value>
-						<!-- name -->
-						<test_value name="s3">DNS_label_len_gt_pkt</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_tunnel</pattern>
-		<rules>
-			<rule class="45" id="45">
-				<patterns>
-                  <!-- start securityonion -->
-                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:@</pattern>
-                  <!-- end securityonion -->
-				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
-				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_tunnel">1360153388.439863|FIRbnuXCRqh|70.55.213.211|0|192.88.99.1|0|Tunnel::IP|Tunnel::DISCOVER</test_message>
-						<!-- eventid -->
-						<test_value name="s0">FIRbnuXCRqh</test_value>
-						<!-- srcip -->
-						<test_value name="i0">70.55.213.211</test_value>
-						<!-- srcport -->
-						<test_value name="i1">0</test_value>
-						<!-- dstip -->
-						<test_value name="i2">192.88.99.1</test_value>
-						<!-- dstport -->
-						<test_value name="i3">0</test_value>
-						<!-- name -->
-						<test_value name="s1">Tunnel::IP</test_value>
-						<!-- desc -->
-						<test_value name="s2">Tunnel::DISCOVER</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_software</pattern>
-		<rules>
-			<rule class="46" id="46">
-				<patterns>
-                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s2:@</pattern>
-                  </patterns>
-				<examples>
-					<example>
-						<test_message program="bro_software">1360157307.572112|10.1.50.5|-|HTTP::BROWSER|MSIE|5|1|-|-|Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.1.50.5</test_value>
-						<!-- srcport -->
-						<test_value name="i1">-</test_value>
-						<!-- type -->
-						<test_value name="s0">HTTP::BROWSER</test_value>
-						<!-- name -->
-						<test_value name="s1">MSIE</test_value>
-						<!-- version_major -->
-						<test_value name="i2">5</test_value>
-						<!-- version_minor -->
-						<test_value name="i3">1</test_value>
-						<!-- product -->
-						<test_value name="s2">Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_ssh</pattern>
-		<rules>
-			<rule class="47" id="47">
-				<patterns>
-                  <!-- start securityonion -->
-                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:i4:|@</pattern>
-                  <!-- end securityonion -->
-				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
-				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_ssh">1360157311.364242|YDPUHZNdL05|10.2.199.248|41392|10.1.40.1|22|failure|OUTBOUND|-|SSH-2.0-Cisco-1.25|1119|-|-|-|-|-</test_message>
-						<!-- eventid -->
-						<test_value name="s0">YDPUHZNdL05</test_value>
-						<!-- srcip -->
-						<test_value name="i0">10.2.199.248</test_value>
-						<!-- srcport -->
-						<test_value name="i1">41392</test_value>
-						<!-- dstip -->
-						<test_value name="i2">10.1.40.1</test_value>
-						<!-- dstport -->
-						<test_value name="i3">22</test_value>
-						<!-- status -->
-						<test_value name="s1">failure</test_value>
-						<!-- direction -->
-						<test_value name="s2">OUTBOUND</test_value>
-						<!-- client -->
-						<test_value name="s3">-</test_value>
-						<!-- server -->
-						<test_value name="s4">SSH-2.0-Cisco-1.25</test_value>
-						<!-- conn_bytes -->
-						<test_value name="i4">1119</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_syslog</pattern>
-		<rules>
-			<rule class="48" id="48">
-				<patterns>
-                  <!-- start securityonion -->
-                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ANYSTRING:s3:@</pattern>
-                  <!-- end securityonion -->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_syslog">1375571619.507641|QMOWsHjZqde|192.168.1.1|514|192.168.1.116|514|udp|LOCAL0|INFO|Aug  3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55)   192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)</test_message>
-						<!-- eventid -->
-						<test_value name="s0">QMOWsHjZqde</test_value>
-						<!-- srcip -->
-						<test_value name="i0">192.168.1.1</test_value>
-						<!-- srcport -->
-						<test_value name="i1">514</test_value>
-						<!-- dstip -->
-						<test_value name="i2">192.168.1.116</test_value>
-						<!-- dstport -->
-						<test_value name="i3">514</test_value>
-						<!-- proto -->
-						<test_value name="i4">udp</test_value>
-						<!-- bro_syslog_facility -->
-						<test_value name="s1">LOCAL0</test_value>
-						<!-- bro_syslog_severity -->
-						<test_value name="s2">INFO</test_value>
-						<!-- bro_syslog_message -->
-						<test_value name="s3">Aug  3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55)   192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_irc</pattern>
-		<rules>
-			<rule class="49" id="49">
-				<patterns>
-                  <!-- start securityonion -->      
-                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ANYSTRING:s1:@</pattern>
-                  <!-- end securityonion -->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_irc">1352413490.163439|FB2AqwMeEy4|192.168.1.12|1045|212.48.121.249|5050|NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-</test_message>
-						<!-- eventid -->
-						<test_value name="s0">FB2AqwMeEy4</test_value>
-						<!-- srcip -->
-						<test_value name="i0">192.168.1.12</test_value>
-						<!-- srcport -->
-						<test_value name="i1">1045</test_value>
-						<!-- dstip -->
-						<test_value name="i2">212.48.121.249</test_value>
-						<!-- dstport -->
-						<test_value name="i3">5050</test_value>
-						<!-- bro_syslog_facility -->
-						<test_value name="s1">NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_known_cert</pattern>
-		<rules>
-			<rule class="50" id="50">
-				<patterns>
-                  <!-- start securityonion -->      
-                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@@ESTRING::emailAddress=@@ESTRING:s3:,@</pattern>
-                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@</pattern>
-                  <!-- end securityonion -->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_known_cert">1360154644.236015|10.2.20.60|443|emailAddress=webmaster@dox.site,CN=dox.site,OU=web server,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|emailAddress=webmaster@dox.site,CN=dox.site,OU=CA,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|02</test_message>
-						<!-- srcip -->
-						<test_value name="i0">10.2.20.60</test_value>
-						<!-- srcport -->
-						<test_value name="i1">443</test_value>
-						<!-- common_name -->
-						<test_value name="s0">dox.site</test_value>
-						<!-- organizational unit -->
-						<test_value name="s1">web server</test_value>
-						<!-- organization -->
-						<test_value name="s2">SuSE Linux Web Server</test_value>
-						<!-- email_address -->
-						<test_value name="s3">webmaster@dox.site</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_known_hosts</pattern>
-		<rules>
-			<rule class="51" id="51">
-				<patterns>
-                  <!-- start securityonion -->      
-                  <pattern>@ESTRING::|@@ESTRING:i0:@</pattern>
-                  <!-- end securityonion -->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_known_hosts">1360154565.568704|192.168.3.35</test_message>
-						<!-- srcip -->
-						<test_value name="i0">192.168.3.35</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_known_services</pattern>
-		<rules>
-			<rule class="52" id="52">
-				<patterns>
-                  <!-- start securityonion -->      
-                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:s0:@</pattern>
-                  <!-- end securityonion -->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_known_services">1360154567.821951|192.168.10.100|2869|tcp|HTTP</test_message>
-						<!-- srcip -->
-						<test_value name="i0">192.168.10.100</test_value>
-						<!-- srcport -->
-						<test_value name="i1">2869</test_value>
-						<!-- proto -->
-						<test_value name="i2">tcp</test_value>
-						<!-- service -->
-						<test_value name="s0">HTTP</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-	<ruleset>
-		<pattern>bro_capture_loss</pattern>
-		<rules>
-			<rule class="53" id="53">
-				<patterns>
-                  <!-- start securityonion -->      
-                  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s1:@</pattern>
-                  <!-- end securityonion -->
-				</patterns>
-				<examples>
-					<example>
-						<test_message program="bro_capture_loss">1377263179.538810|900.000092|so12-eth1-1|0|3991|0.000%</test_message>
-						<!-- interface -->
-						<test_value name="s0">so12-eth1-1</test_value>
-						<!-- gaps -->
-						<test_value name="i0">0</test_value>
-						<!-- acks -->
-						<test_value name="i1">3991</test_value>
-						<!-- percent_loss -->
-						<test_value name="s1">0.000%</test_value>
-					</example>
-				</examples>
-			</rule>
-		</rules>
-	</ruleset>
-</patterndb>
diff --git a/salt/syslog-ng/files/syslog-ng.conf b/salt/syslog-ng/files/syslog-ng.conf
deleted file mode 100644
index 7b1601f02..000000000
--- a/salt/syslog-ng/files/syslog-ng.conf
+++ /dev/null
@@ -1,243 +0,0 @@
-@version: 3.5
-source s_syslog { unix-dgram("/dev/log"); };
-
-source s_network {
-	tcp();
-	udp();
-};
-
-parser p_db {
-	db-parser(file("/opt/so/conf/syslog-ng/patterndb.xml"));
-};
-
-filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_snort { match('snort:' value("MSGHDR")); };
-filter f_bro_headers { message("^#") };
-
-rewrite r_cisco_program {
-        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
-        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
-};
-
-rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
-rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global) condition(program("bro_*" type(glob)))); };
-rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
-rewrite r_host { set("$SOURCEIP", value("HOST")); };
-rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };
-
-template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };
-
-source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
-source s_bro_http {
-	file("/nsm/bro/logs/current/http_eth1.log" flags(no-parse) program_override("bro_http"));
-
-};
-source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
-source s_bro_files { file("/nsm/bro/logs/current/files.log" flags(no-parse) program_override("bro_files")); };
-source s_bro_dhcp { file("/nsm/bro/logs/current/dhcp.log" flags(no-parse) program_override("bro_dhcp")); };
-source s_bro_weird { file("/nsm/bro/logs/current/weird.log" flags(no-parse) program_override("bro_weird")); };
-source s_bro_tunnels { file("/nsm/bro/logs/current/tunnel.log" flags(no-parse) program_override("bro_tunnels")); };
-source s_bro_syslog { file("/nsm/bro/logs/current/syslog.log" flags(no-parse) program_override("bro_syslog")); };
-source s_bro_ftp { file("/nsm/bro/logs/current/ftp.log" flags(no-parse) program_override("bro_ftp")); };
-source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
-source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
-source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
-source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
-source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
-source s_bro_software { file("/nsm/bro/logs/current/software.log" flags(no-parse) program_override("bro_software")); };
-source s_bro_irc { file("/nsm/bro/logs/current/irc.log" flags(no-parse) program_override("bro_irc")); };
-source s_bro_ssh { file("/nsm/bro/logs/current/ssh.log" flags(no-parse) program_override("bro_ssh")); };
-source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) program_override("bro_intel")); };
-source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
-source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
-source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
-source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
-source s_bro_kerberos { file("/nsm/bro/logs/current/kerberos.log" flags(no-parse) program_override("bro_kerberos")); };
-source s_bro_rdp { file("/nsm/bro/logs/current/rdp.log" flags(no-parse) program_override("bro_rdp")); };
-source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_override("bro_pe")); };
-source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
-source s_bro_smb_mapping { file("/nsm/bro/logs/current/smb_mapping.log" flags(no-parse) program_override("bro_smb_mapping")); };
-source s_bro_smb_files { file("/nsm/bro/logs/current/smb_files.log" flags(no-parse) program_override("bro_smb_files")); };
-source s_bro_ntlm { file("/nsm/bro/logs/current/ntlm.log" flags(no-parse) program_override("bro_ntlm")); };
-source s_bro_dce_rpc { file("/nsm/bro/logs/current/dce_rpc.log" flags(no-parse) program_override("bro_dce_rpc")); };
-source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
-source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
-source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
-
-destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
-destination d_logstash { tcp("logstash" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };
-
-log {
-	source(s_bro_conn);
-	source(s_bro_http);
-	source(s_bro_dns);
-	source(s_bro_weird);
-  	source(s_bro_tunnels);
-	source(s_bro_syslog);
-	source(s_bro_ftp);
-	source(s_bro_files);
-	source(s_bro_dhcp);
-	source(s_bro_notice);
-	source(s_bro_smtp);
-	source(s_bro_smtp_entities);
-	source(s_bro_ssl);
-   	source(s_bro_irc);
-	source(s_bro_software);
-  	source(s_bro_ssh);
-	source(s_bro_smb_mapping);
-	source(s_bro_smb_files);
-	source(s_bro_ntlm);
-	source(s_bro_dce_rpc);
-  	source(s_bro_intel);
-  	source(s_bro_x509);
-  	source(s_bro_snmp);
-  	source(s_bro_radius);
-  	source(s_bro_mysql);
-  	source(s_bro_kerberos);
-  	source(s_bro_rdp);
-  	source(s_bro_pe);
-  	source(s_bro_sip);
-  	source(s_bro_modbus);
-  	source(s_bro_dnp3);
-  	source(s_bro_rfb);
-	source(s_ossec);
-	source(s_network);
-	source(s_syslog);
-	log { filter(f_bro_headers); flags(final); };
-	log { destination(d_logstash); };
-};
-# Bring it all back
-#source s_src {
-#       system();
-#       internal();
-#};
-########################
-# Destinations
-########################
-# First some standard logfile
-#
-destination d_auth { file("/var/log/auth.log"); };
-destination d_cron { file("/var/log/cron.log"); };
-destination d_daemon { file("/var/log/daemon.log"); };
-destination d_kern { file("/var/log/kern.log"); };
-destination d_lpr { file("/var/log/lpr.log"); };
-destination d_mail { file("/var/log/mail.log"); };
-destination d_syslog { file("/var/log/syslog"); };
-destination d_user { file("/var/log/user.log"); };
-destination d_uucp { file("/var/log/uucp.log"); };
-
-# This files are the log come from the mail subsystem.
-#
-destination d_mailinfo { file("/var/log/mail/mail.info"); };
-destination d_mailwarn { file("/var/log/mail/mail.warn"); };
-destination d_mailerr { file("/var/log/mail/mail.err"); };
-
-# Logging for INN news system
-#
-destination d_newscrit { file("/var/log/news/news.crit"); };
-destination d_newserr { file("/var/log/news/news.err"); };
-destination d_newsnotice { file("/var/log/news/news.notice"); };
-
-# Some `catch-all' logfiles.
-#
-destination d_debug { file("/var/log/debug"); };
-destination d_error { file("/var/log/error"); };
-destination d_messages { file("/var/log/messages"); };
-
-# The root's console.
-#
-destination d_console { usertty("root"); };
-
-# Virtual console.
-#
-destination d_console_all { file("/dev/tty10"); };
-
-# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
-# you must invoke nsole' with the -file' option:
-#
-#    $ xconsole -file /dev/xconsole [...]
-#
-destination d_xconsole { pipe("/dev/xconsole"); };
-
-# Send the messages to an other host
-#
-#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
-
-# Debian only
-destination d_ppp { file("/var/log/ppp.log"); };
-
-########################
-# Filters
-########################
-# Here's come the filter options. With this rules, we can set which
-# message go where.
-
-filter f_dbg { level(debug); };
-filter f_info { level(info); };
-filter f_notice { level(notice); };
-filter f_warn { level(warn); };
-filter f_err { level(err); };
-filter f_crit { level(crit .. emerg); };
-
-filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
-filter f_error { level(err .. emerg) and not filter(f_snort); };
-filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
-filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
-filter f_cron { facility(cron) and not filter(f_debug); };
-filter f_daemon { facility(daemon) and not filter(f_debug); };
-filter f_kern { facility(kern) and not filter(f_debug); };
-filter f_lpr { facility(lpr) and not filter(f_debug); };
-filter f_local { facility(local0, local1, local3, local4, local5, local6, local7) and not filter(f_debug); };
-filter f_mail { facility(mail) and not filter(f_debug); };
-filter f_news { facility(news) and not filter(f_debug); };
-filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_snort); };
-filter f_user { facility(user) and not filter(f_debug); };
-filter f_uucp { facility(uucp) and not filter(f_debug); };
-
-filter f_cnews { level(notice, err, crit) and facility(news); };
-filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
-
-filter f_ppp { facility(local2) and not filter(f_debug); };
-filter f_console { level(warn .. emerg); };
-
-########################
-# Log paths
-########################
-log { source(s_syslog); filter(f_auth); destination(d_auth); };
-log { source(s_syslog); filter(f_cron); destination(d_cron); };
-log { source(s_syslog); filter(f_daemon); destination(d_daemon); };
-log { source(s_syslog); filter(f_kern); destination(d_kern); };
-log { source(s_syslog); filter(f_lpr); destination(d_lpr); };
-log { source(s_syslog); filter(f_syslog3); destination(d_syslog); };
-log { source(s_syslog); filter(f_user); destination(d_user); };
-log { source(s_syslog); filter(f_uucp); destination(d_uucp); };
-
-log { source(s_syslog); filter(f_mail); destination(d_mail); };
-#log { source(s_syslog); filter(f_mail); filter(f_info); destination(d_mailinfo); };
-#log { source(s_syslog); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
-#log { source(s_syslog); filter(f_mail); filter(f_err); destination(d_mailerr); };
-
-log { source(s_syslog); filter(f_news); filter(f_crit); destination(d_newscrit); };
-log { source(s_syslog); filter(f_news); filter(f_err); destination(d_newserr); };
-log { source(s_syslog); filter(f_news); filter(f_notice); destination(d_newsnotice); };
-#log { source(s_syslog); filter(f_cnews); destination(d_console_all); };
-#log { source(s_syslog); filter(f_cother); destination(d_console_all); };
-
-#log { source(s_syslog); filter(f_ppp); destination(d_ppp); };
-
-log { source(s_syslog); filter(f_debug); destination(d_debug); };
-log { source(s_syslog); filter(f_error); destination(d_error); };
-log { source(s_syslog); filter(f_messages); destination(d_messages); };
-
-log { source(s_syslog); filter(f_console); destination(d_console_all); destination(d_xconsole); };
-log { source(s_syslog); filter(f_crit); destination(d_console); };
-
-# All messages send to a remote site
-#
-#log { source(s_syslog); destination(d_net); };
-
-###
-# Include all config files in /etc/syslog-ng/conf.d/
-###
diff --git a/salt/syslog-ng/init.sls b/salt/syslog-ng/init.sls
deleted file mode 100644
index bcc86d238..000000000
--- a/salt/syslog-ng/init.sls
+++ /dev/null
@@ -1,18 +0,0 @@
-# Sync the Files
-file.directory:
-  - name: /opt/so/conf/syslog-ng
-  - user: 939
-  - group: 939
-
-# Syslog-ng Docker
-
-so-syslog-ng:
-  dockerng.running:
-    - image: pillaritem/so-logstash
-    - hostname: syslog-ng
-    - priviledged: true
-    - ports:
-      - 514/tcp
-      - 514/udp
-      - 601
-    - network_mode: so-elastic-net
diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls
index a6cc62c32..fa320836e 100644
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -1,18 +1,14 @@
 {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-
-so-tcpreplayimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 
 so-tcpreplay:
   docker_container.running:
-    - require:
-      - so-tcpreplay
     - network_mode: "host"
-    - image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+    - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}
     - name: so-tcpreplay
     - user: root
     - interactive: True
     - tty: True
-    
+
 {% endif %}
diff --git a/salt/top.sls b/salt/top.sls
index a632104e7..411679fcd 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -17,7 +17,7 @@ base:
     - idstools
     - pcap
     - suricata
-    - bro
+    - zeek
     - redis
     - logstash
     - filebeat
@@ -31,7 +31,7 @@ base:
     - pcap
     - suricata
     {%- if BROVER != 'SURICATA' %}
-    - bro
+    - zeek
     {%- endif %}
     - wazuh
     - filebeat
@@ -57,7 +57,7 @@ base:
     - kibana
     - pcap
     - suricata
-    - bro
+    - zeek
     - curator
     - cyberchef
     - elastalert
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index a59a1d215..cb1f79b56 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,5 +1,6 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 # Add ossec group
 ossecgroup:
   group.present:
@@ -62,15 +63,9 @@ wazuhagentregister:
     - mode: 755
     - template: jinja
 
-so-wazuhimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.3
-
 so-wazuh:
   docker_container.running:
-    - require:
-      - so-wazuhimage
-    - image: docker.io/soshybridhunter/so-wazuh:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
     - hostname: {{HOSTNAME}}-wazuh-manager
     - name: so-wazuh
     - detach: True
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 6eb6df55a..53e5ad0bd 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -366,7 +366,7 @@ if (whiptail_you_sure) ; then
       salt-call state.apply ssl >> $SETUPLOG 2>&1
       salt-call state.apply firewall >> $SETUPLOG 2>&1
       salt-call state.apply registry >> $SETUPLOG 2>&1
-      echo "Seeding Repo"
+      echo -e "XXX\n42\nDownloading Containers from the Internet... \nXXX"
       docker_seed_registry >> $SETUPLOG 2>&1
       echo -e "XXX\n43\nInstalling Common Components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1
@@ -609,7 +609,7 @@ if (whiptail_you_sure) ; then
       salt-call state.apply ssl >> $SETUPLOG 2>&1
       salt-call state.apply firewall >> $SETUPLOG 2>&1
       salt-call state.apply registry >> $SETUPLOG 2>&1
-      echo "Seeding Repo"
+      echo -e "XXX\n14\nDownloading Containers from the Internet... \nXXX"
       docker_seed_registry >> $SETUPLOG 2>&1
       salt-call state.apply master >> $SETUPLOG 2>&1
       echo -e "XXX\n15\nInstalling core components... \nXXX"

From 941106934bc15c9b7e847bb65806df034224f06c Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 10:13:31 -0500
Subject: [PATCH 069/188] Remove Cyberchef

---
 salt/top.sls | 2 --
 1 file changed, 2 deletions(-)

diff --git a/salt/top.sls b/salt/top.sls
index 411679fcd..78a39f328 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -59,7 +59,6 @@ base:
     - suricata
     - zeek
     - curator
-    - cyberchef
     - elastalert
     {%- if OSQUERY != 0 %}
     - fleet
@@ -87,7 +86,6 @@ base:
     - ssl
     - registry
     - common
-    - cyberchef
     - sensoroni
     - firewall
     - master

From aa3016d1b8df5bd77470feee0559da227e8f6484 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 10:56:24 -0500
Subject: [PATCH 070/188] Speed up Downloads of Containers

---
 setup/functions.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/setup/functions.sh b/setup/functions.sh
index 39d788637..9db6f4a9f 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -497,9 +497,14 @@ docker_seed_registry() {
     # Tag it with the new registry destination
     docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
     docker push $HOSTNAME:5000/soshybridhunter/$i
+  done
+
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
     echo "Removing $i locally"
     docker rmi soshybridhunter/$i
   done
+  
 }
 
 es_heapsize() {

From e1414432383b22b49a20bb74355b786c3b197fd9 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 11:05:36 -0500
Subject: [PATCH 071/188] Fix some contianer links

---
 salt/common/init.sls        | 2 +-
 salt/elasticsearch/init.sls | 2 +-
 salt/filebeat/init.sls      | 2 +-
 salt/fleet/init.sls         | 2 +-
 salt/idstools/init.sls      | 2 +-
 salt/kibana/init.sls        | 2 +-
 salt/logstash/init.sls      | 2 +-
 salt/playbook/init.sls      | 4 +++-
 salt/sensoroni/init.sls     | 2 +-
 salt/suricata/init.sls      | 2 +-
 10 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/salt/common/init.sls b/salt/common/init.sls
index 3ba2f1b11..e2c18688b 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -172,7 +172,7 @@ tgrafconf:
 
 so-telegraf:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-telegraf:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:HH{{ VERSION }}
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index aba6fd384..e9d4b863f 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -108,7 +108,7 @@ eslogdir:
 
 so-elasticsearch:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
     - hostname: elasticsearch
     - name: so-elasticsearch
     - user: elasticsearch
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index e4b11ef3c..46d6bd780 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -49,7 +49,7 @@ filebeatconfsync:
 
 so-filebeat:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-filebeat:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 1cf42a9a6..85370d20d 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -63,7 +63,7 @@ fleetdbpriv:
 
 so-fleet:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-fleet:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:HH{{ VERSION }}
     - hostname: so-fleet
     - port_bindings:
       - 0.0.0.0:8080:8080
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index bba867c83..c18814243 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -64,7 +64,7 @@ ruleslink:
 
 so-idstools:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-idstools:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:HH{{ VERSION }}
     - hostname: so-idstools
     - user: socore
     - binds:
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 840986ff3..58eb6a32d 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -56,7 +56,7 @@ synckibanacustom:
 # Start the kibana docker
 so-kibana:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-kibana:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:HH{{ VERSION }}
     - hostname: kibana
     - user: kibana
     - environment:
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 88aac08d6..61ad8826c 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -155,7 +155,7 @@ lslogdir:
 
 so-logstash:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-logstash:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }}
     - hostname: so-logstash
     - name: so-logstash
     - user: logstash
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 6a129f84b..907e4825c 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -1,4 +1,6 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
 
 playbookdb:
   file.managed:
@@ -26,7 +28,7 @@ navigatorconfig:
 
 so-playbook:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-playbook:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:HH{{ VERSION }}
     - hostname: playbook
     - name: so-playbook
     - binds:
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index 8339c3ba2..44f29ef4f 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -32,7 +32,7 @@ sensoronisync:
 
 so-sensoroni:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-sensoroni:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:HH{{ VERSION }}
     - hostname: sensoroni
     - name: so-sensoroni
     - binds:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index cf821ac47..fee02d760 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -74,7 +74,7 @@ suriconfigsync:
 
 so-suricata:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-suricata:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }}
     - privileged: True
     - environment:
       - INTERFACE={{ interface }}

From cdabaabd052d967a182e532622eba4a93596463e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 11:51:40 -0500
Subject: [PATCH 072/188] Fix common state

---
 salt/common/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/init.sls b/salt/common/init.sls
index e2c18688b..de7048c51 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -227,7 +227,7 @@ influxdbconf:
 
 so-influxdb:
   docker_container.running:
-    - image: {{ MASTER }}/soshybridhunter/so-influxdb:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:HH{{ VERSION }}
     - hostname: influxdb
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false

From 916f77f0f2d3877ede4f07017ccb68a5027d8172 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 14 Jan 2020 11:55:07 -0500
Subject: [PATCH 073/188] Change registry path to /nsm

---
 salt/registry/init.sls | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index 611f4cb5f..ac6cc1795 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -8,7 +8,7 @@ dockerregistryconfdir:
 
 dockerregistrydir:
   file.directory:
-    - name: /nsm/docker/registry
+    - name: /nsm/docker-registry/docker
     - user: 939
     - group: 939
     - makedirs: True
@@ -36,5 +36,6 @@ so-dockerregistry:
     - binds:
       - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
       - /opt/so/conf/docker-registry:/var/lib/registry:rw
+      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
       - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
       - /etc/pki/registry.key:/etc/pki/registry.key:ro

From 593c8a9ea5f8357de96e5aba5b0ba13939de08a8 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 16 Jan 2020 11:24:17 -0500
Subject: [PATCH 074/188] If contains localhost don't allow to move forward

---
 setup/whiptail.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/whiptail.sh b/setup/whiptail.sh
index a3bee17ea..4e3134eb0 100644
--- a/setup/whiptail.sh
+++ b/setup/whiptail.sh
@@ -672,7 +672,7 @@ whiptail_set_hostname() {
   local exitstatus=$?
   whiptail_check_exitstatus $exitstatus
 
-  while [[ "$HOSTNAME" == 'localhost' ]] ; do
+  while [[ "$HOSTNAME" == *'localhost'* ]] ; do
     whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that isn't localhost." 8 75
     HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
     "Enter the Hostname you would like to set." 10 75 $HOSTNAME 3>&1 1>&2 2>&3)

From c19ce2d52736460f62d04107028c6360b37f00fc Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 16 Jan 2020 11:32:14 -0500
Subject: [PATCH 075/188] Update Error message if localhsot is in there

---
 setup/whiptail.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/whiptail.sh b/setup/whiptail.sh
index 4e3134eb0..171f180d2 100644
--- a/setup/whiptail.sh
+++ b/setup/whiptail.sh
@@ -673,7 +673,7 @@ whiptail_set_hostname() {
   whiptail_check_exitstatus $exitstatus
 
   while [[ "$HOSTNAME" == *'localhost'* ]] ; do
-    whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that isn't localhost." 8 75
+    whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that doesn't contain localhost." 8 75
     HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
     "Enter the Hostname you would like to set." 10 75 $HOSTNAME 3>&1 1>&2 2>&3)
     local exitstatus=$?

From 0b45d6f63841aa3f9f3f7796d34b2ed4aa3947c9 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 20 Jan 2020 14:08:02 +0000
Subject: [PATCH 076/188] increase free disk percentage

---
 salt/pcap/files/config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/pcap/files/config b/salt/pcap/files/config
index 422c46bde..12c68cb0a 100644
--- a/salt/pcap/files/config
+++ b/salt/pcap/files/config
@@ -4,7 +4,7 @@
     { "PacketsDirectory": "/nsm/pcap"
     , "IndexDirectory": "/nsm/pcapindex"
     , "MaxDirectoryFiles": 30000
-    , "DiskFreePercentage": 5
+    , "DiskFreePercentage": 10
     }
   ]
   , "StenotypePath": "/usr/bin/stenotype"

From a39edad3f680a210dc3a4b5092d5f006d7897e91 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 21 Jan 2020 16:39:42 -0500
Subject: [PATCH 077/188] changes for multipipelines / mastersearch node -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/124

---
 pillar/logstash/mastersearch.sls              |   6 +
 pillar/top.sls                                |   6 +-
 salt/common/nginx/nginx.conf.so-mastersearch  | 262 ++++++++++++++++
 salt/elastalert/init.sls                      |   2 +-
 salt/elasticsearch/init.sls                   |   3 +-
 salt/firewall/init.sls                        |   4 +-
 .../conf/conf.enabled.txt.so-mastersearch     |  18 ++
 salt/logstash/conf/pipelines/6000_bro.conf    | 228 ++++++++++++++
 .../conf/pipelines/6001_bro_import.conf       |  16 +
 .../8000_postprocess_bro_cleanup.conf         |  17 ++
 .../conf/pipelines/8006_postprocess_dns.conf  |  47 +++
 .../pipelines/helix}/0010_input_hhbeats.conf  |   0
 .../helix/1033_preprocess_snort.conf          | 181 +++++++++++
 .../helix/1100_preprocess_bro_conn.conf       |  77 +++++
 .../helix/1101_preprocess_bro_dhcp.conf       |  56 ++++
 .../helix/1102_preprocess_bro_dns.conf        |  74 +++++
 .../helix/1103_preprocess_bro_dpd.conf        |  42 +++
 .../helix/1104_preprocess_bro_files.conf      |  64 ++++
 .../helix/1105_preprocess_bro_ftp.conf        |  56 ++++
 .../helix/1106_preprocess_bro_http.conf       |  77 +++++
 .../helix/1107_preprocess_bro_irc.conf        |  46 +++
 .../helix/1108_preprocess_bro_kerberos.conf   |  56 ++++
 .../helix/1109_preprocess_bro_notice.conf     |  56 ++++
 .../helix/1110_preprocess_bro_rdp.conf        |  52 ++++
 .../helix/1111_preprocess_bro_signatures.conf |  43 +++
 .../helix/1112_preprocess_bro_smtp.conf       |  65 ++++
 .../helix/1113_preprocess_bro_snmp.conf       |  47 +++
 .../helix/1114_preprocess_bro_software.conf   |  49 +++
 .../helix/1115_preprocess_bro_ssh.conf        |  66 ++++
 .../helix/1116_preprocess_bro_ssl.conf        | 186 ++++++++++++
 .../helix/1117_preprocess_bro_syslog.conf     |  41 +++
 .../helix/1118_preprocess_bro_tunnel.conf     |  40 +++
 .../helix/1119_preprocess_bro_weird.conf      |  42 +++
 .../helix/1121_preprocess_bro_mysql.conf      |  57 ++++
 .../helix/1122_preprocess_bro_socks.conf      |  62 ++++
 .../helix/1123_preprocess_bro_x509.conf       | 154 ++++++++++
 .../helix/1124_preprocess_bro_intel.conf      |  46 +++
 .../helix/1125_preprocess_bro_modbus.conf     |  49 +++
 .../helix/1126_preprocess_bro_sip.conf        |  66 ++++
 .../helix/1127_preprocess_bro_radius.conf     |  73 +++++
 .../helix/1128_preprocess_bro_pe.conf         |  46 +++
 .../helix/1129_preprocess_bro_rfb.conf        |  65 ++++
 .../helix/1130_preprocess_bro_dnp3.conf       |  51 ++++
 .../helix/1131_preprocess_bro_smb_files.conf  |  46 +++
 .../1132_preprocess_bro_smb_mapping.conf      |  40 +++
 .../helix/1133_preprocess_bro_ntlm.conf       |  50 ++++
 .../helix/1134_preprocess_bro_dce_rpc.conf    |  54 ++++
 ...01_postprocess_common_ip_augmentation.conf |  58 ++++
 .../pipelines/helix/9997_output_helix.conf    | 142 +++++++++
 .../pipelines/master/0010_input_hhbeats.conf  |  40 +++
 .../master/templates}/9999_output_redis.conf  |   0
 .../search/1000_preprocess_log_elapsed.conf   |  13 +
 .../search/1001_preprocess_syslogng.conf      |  33 ++
 .../search/1002_preprocess_json.conf          |  18 ++
 .../search/1004_preprocess_syslog_types.conf  |  19 ++
 .../search/1026_preprocess_dhcp.conf          | 140 +++++++++
 .../search/1029_preprocess_esxi.conf          |  31 ++
 .../search/1030_preprocess_greensql.conf      |  21 ++
 .../pipelines/search/1031_preprocess_iis.conf |  21 ++
 .../search/1032_preprocess_mcafee.conf        |  26 ++
 .../search/1033_preprocess_snort.conf         | 181 +++++++++++
 .../search/1034_preprocess_syslog.conf        |  16 +
 .../pipelines/search/2000_network_flow.conf   |  59 ++++
 .../conf/pipelines/search/6002_syslog.conf    |  11 +
 .../pipelines/search/6101_switch_brocade.conf |  33 ++
 .../search/6200_firewall_fortinet.conf        | 281 ++++++++++++++++++
 .../search/6201_firewall_pfsense.conf         |  56 ++++
 .../conf/pipelines/search/6300_windows.conf   | 161 ++++++++++
 .../pipelines/search/6301_dns_windows.conf    |  49 +++
 .../conf/pipelines/search/6400_suricata.conf  |  92 ++++++
 .../conf/pipelines/search/6500_ossec.conf     | 160 ++++++++++
 .../pipelines/search/6501_ossec_sysmon.conf   | 118 ++++++++
 .../pipelines/search/6502_ossec_autoruns.conf |  43 +++
 .../search/6600_winlogbeat_sysmon.conf        |  23 ++
 .../pipelines/search/6700_winlogbeat.conf     |  17 ++
 .../pipelines/search/7100_osquery_wel.conf    |  23 ++
 ...01_postprocess_common_ip_augmentation.conf |  58 ++++
 .../search/8007_postprocess_http.conf         |  27 ++
 .../search/8200_postprocess_tagging.conf      |  63 ++++
 .../search/8998_postprocess_log_elapsed.conf  |  19 ++
 .../search/8999_postprocess_rename_type.conf  |   8 +
 .../search/templates}/0900_input_redis.conf   |   0
 .../search/templates/9000_output_bro.conf     |  31 ++
 .../search/templates/9001_output_switch.conf  |  27 ++
 .../search/templates/9002_output_import.conf  |  27 ++
 .../search/templates/9004_output_flow.conf    |  27 ++
 .../search/templates/9026_output_dhcp.conf    |  26 ++
 .../search/templates/9029_output_esxi.conf    |  25 ++
 .../templates/9030_output_greensql.conf       |  25 ++
 .../search/templates/9031_output_iis.conf     |  26 ++
 .../search/templates/9032_output_mcafee.conf  |  26 ++
 .../search/templates/9033_output_snort.conf   |  29 ++
 .../search/templates/9034_output_syslog.conf  |  28 ++
 .../search/templates/9100_output_osquery.conf |  19 ++
 .../templates/9200_output_firewall.conf       |  29 ++
 .../search/templates/9300_output_windows.conf |  27 ++
 .../templates/9301_output_dns_windows.conf    |  27 ++
 .../templates/9400_output_suricata.conf       |  27 ++
 .../search/templates/9500_output_beats.conf   |  25 ++
 .../search/templates/9600_output_ossec.conf   |  29 ++
 salt/logstash/defaults.yml                    |   6 +
 salt/logstash/etc/logstash.yml                |   4 +
 salt/logstash/etc/pipelines.yml.jinja         |   4 +
 salt/logstash/init.sls                        |  62 +++-
 salt/master/init.sls                          |   6 +-
 salt/ssl/init.sls                             |   4 +-
 salt/top.sls                                  |  41 +++
 salt/utility/bin/crossthestreams.sh           |   6 +-
 salt/utility/init.sls                         |   4 +-
 salt/wazuh/files/agent/ossec.conf             |   4 +-
 salt/wazuh/files/agent/wazuh-register-agent   |  12 +-
 setup/functions.sh                            |  37 ++-
 setup/so-setup.sh                             |  71 +++--
 113 files changed, 5613 insertions(+), 72 deletions(-)
 create mode 100644 pillar/logstash/mastersearch.sls
 create mode 100644 salt/common/nginx/nginx.conf.so-mastersearch
 create mode 100644 salt/logstash/conf/conf.enabled.txt.so-mastersearch
 create mode 100644 salt/logstash/conf/pipelines/6000_bro.conf
 create mode 100644 salt/logstash/conf/pipelines/6001_bro_import.conf
 create mode 100644 salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf
 create mode 100644 salt/logstash/conf/pipelines/8006_postprocess_dns.conf
 rename salt/logstash/{files/dynamic => conf/pipelines/helix}/0010_input_hhbeats.conf (100%)
 create mode 100644 salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
 create mode 100644 salt/logstash/conf/pipelines/helix/9997_output_helix.conf
 create mode 100644 salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
 rename salt/logstash/{files/dynamic => conf/pipelines/master/templates}/9999_output_redis.conf (100%)
 create mode 100644 salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/search/2000_network_flow.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6002_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6300_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6301_dns_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6400_suricata.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6500_ossec.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
 create mode 100644 salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
 create mode 100644 salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
 create mode 100644 salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
 create mode 100644 salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
 create mode 100644 salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
 create mode 100644 salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
 create mode 100644 salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
 rename salt/logstash/{files/dynamic => conf/pipelines/search/templates}/0900_input_redis.conf (100%)
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
 create mode 100644 salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
 create mode 100644 salt/logstash/defaults.yml
 create mode 100644 salt/logstash/etc/pipelines.yml.jinja

diff --git a/pillar/logstash/mastersearch.sls b/pillar/logstash/mastersearch.sls
new file mode 100644
index 000000000..2fbc5be5f
--- /dev/null
+++ b/pillar/logstash/mastersearch.sls
@@ -0,0 +1,6 @@
+logstash:
+  pipelines:
+    master:
+      config: "/usr/share/logstash/pipelines/master/*.conf"
+    search:
+      config: "/usr/share/logstash/pipelines/search/*.conf"
diff --git a/pillar/top.sls b/pillar/top.sls
index d8c519eac..3a37fa861 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -8,7 +8,11 @@ base:
     - firewall.*
     - brologs
 
-  'G@role:so-master':
+  'G@role:so-mastersearch':
+    - logstash.mastersearch
+
+  'G@role:so-master or G@role:so-mastersearch':
+    - match: compound
     - minions.{{ grains.id }}
     - static
     - firewall.*
diff --git a/salt/common/nginx/nginx.conf.so-mastersearch b/salt/common/nginx/nginx.conf.so-mastersearch
new file mode 100644
index 000000000..265413fa2
--- /dev/null
+++ b/salt/common/nginx/nginx.conf.so-mastersearch
@@ -0,0 +1,262 @@
+{%- set masterip = salt['pillar.get']('master:mainip', '') %}
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    #server {
+    #    listen       80 default_server;
+    #    listen       [::]:80 default_server;
+    #    server_name  _;
+    #    root         /opt/socore/html;
+    #    index        index.html;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+    #    location / {
+    #    }
+
+    #    error_page 404 /404.html;
+    #        location = /40x.html {
+    #    }
+
+    #    error_page 500 502 503 504 /50x.html;
+    #        location = /50x.html {
+    #    }
+    #}
+    server {
+	      listen 80 default_server;
+	      server_name _;
+	      return 301 https://$host$request_uri;
+    }
+
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        #listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+        #location / {
+    #      try_files $uri $uri.html /index.html;
+    #    }
+
+        location /grafana/ {
+	  rewrite /grafana/(.*) /$1 break;
+          proxy_pass http://{{ masterip }}:3000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/ {
+          auth_basic            "Security Onion";
+          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+	  rewrite /kibana/(.*) /$1 break;
+          proxy_pass http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+       location /playbook/ {
+          proxy_pass http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /navigator/ {
+          auth_basic            "Security Onion";
+          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          proxy_pass http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /api/ {
+          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /fleet/ {
+	  rewrite /fleet/(.*) /$1 break;
+          auth_basic            "Security Onion";
+          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          proxy_pass https://{{ masterip }}:8080/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /thehive/ {
+          proxy_pass http://{{ masterip }}:9000/thehive/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cortex/ {
+          proxy_pass http://{{ masterip }}:9001/cortex/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cyberchef/ {
+          proxy_pass http://{{ masterip }}:9080/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+	
+        location /soctopus/ {
+          proxy_pass http://{{ masterip }}:7000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /sensoroni/ {
+          auth_basic            "Security Onion";
+          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          proxy_pass http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+
+        }
+
+        location /kibana/app/sensoroni/ {
+          rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
+        }
+
+        location /kibana/app/fleet/ {
+          rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
+        }
+
+        location /kibana/app/soctopus/ {
+          rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
+        }
+
+
+        location /sensoroniagents/ {
+          proxy_pass http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+}
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 999bbbd91..7f5819a15 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -20,7 +20,7 @@
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 
 
-{% elif grains['role'] == 'so-eval' %}
+{% elif grains['role'] in ['so-eval','so-mastersearch'] %}
 
 {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
 {% set esip = salt['pillar.get']('master:mainip', '') %}
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 4c5d3e644..cde242a85 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -17,7 +17,7 @@
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
 
-{% elif grains['role'] == 'so-eval' %}
+{% elif grains['role'] in ['so-eval','so-mastersearch'] %}
 
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
@@ -143,4 +143,3 @@ so-elasticsearch-pipelines:
 
 # Tell the main cluster I am here
 #curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
-
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index f70632c9f..a016a9767 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,5 +1,5 @@
 # Firewall Magic for the grid
-{%- if grains['role'] in ['so-eval','so-master','so-helix'] %}
+{%- if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch'] %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
 {%- elif grains['role'] == 'so-node' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
@@ -131,7 +131,7 @@ enable_wazuh_manager_1514_udp_{{ip}}:
     - save: True
 
 # Rules if you are a Master
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix'%}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %}
 #This should be more granular
 iptables_allow_master_docker:
   iptables.insert:
diff --git a/salt/logstash/conf/conf.enabled.txt.so-mastersearch b/salt/logstash/conf/conf.enabled.txt.so-mastersearch
new file mode 100644
index 000000000..6464496fa
--- /dev/null
+++ b/salt/logstash/conf/conf.enabled.txt.so-mastersearch
@@ -0,0 +1,18 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/pipelines/6000_bro.conf b/salt/logstash/conf/pipelines/6000_bro.conf
new file mode 100644
index 000000000..4ba3d3989
--- /dev/null
+++ b/salt/logstash/conf/pipelines/6000_bro.conf
@@ -0,0 +1,228 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/10/2018
+#
+filter {
+  if "bro" in [tags] {
+
+	# Bro logs have a high quality timestamp, so let's copy that to @timestamp.
+	# Before we do, let's copy the existing logstash @timestamp to timestamp.
+	mutate {
+		add_field => { "logstash_timestamp" => "%{@timestamp}" }
+	}
+	mutate {
+		convert => { "logstash_timestamp" => "string" }
+	}
+	mutate {
+		convert => { "timestamp" => "string" }
+	}
+	# New Bro JSON logs use ISO8601 timestamps.
+	# Old Bro TSV logs use UNIX timestamps.
+	date {
+		match => [ "timestamp", "ISO8601", "UNIX" ]
+	}
+	mutate {
+		rename => { "logstash_timestamp" => "timestamp" }
+	}
+
+    if [duration] == "-" {
+      mutate {
+        replace => [ "duration", "0" ]
+      }
+    }
+    if [original_bytes] == "-" {
+      mutate {
+        replace => [ "original_bytes", "0" ]
+      }
+    }
+    # If MissedBytes is unspecified set it to zero so it is an integer
+    if [missed_bytes] == "-" {
+      mutate {
+        replace => [ "missed_bytes", "0" ]
+      }
+    }
+    # If OriginalIPBytes is unspecified set it to zero so it is an integer
+    if [original_ip_bytes] == "-" {
+      mutate {
+        replace => [ "original_ip_bytes", "0" ]
+      }
+    }
+    # If RespondBytes is unspecified set it to zero so it is an integer
+    if [respond_bytes] == "-" {
+      mutate {
+        replace => [ "respond_bytes", "0" ]
+      }
+    }
+    # If RespondIPBytes is unspecified set it to zero so it is an integer
+    if [respond_ip_bytes] == "-" {
+      mutate {
+        replace => [ "respond_ip_bytes", "0" ]
+      }
+    }
+    if [request_body_length] == "-" {
+      mutate {
+        replace => [ "request_body_length", "0" ]
+      }
+    }
+    if [response_body_length] == "-" {
+      mutate {
+        replace => [ "response_body_length", "0" ]
+      }
+    }
+    if [source_port] == "-" {
+      mutate {
+        remove_field => ["source_port"]
+      }
+    }
+    if [destination_port] == "-" {
+      mutate {
+        remove_field => ["destination_port"]
+      }
+    }
+    if [virtual_host] == "-" {
+      mutate {
+        remove_field => ["virtual_host"]
+      }
+    }
+    if [x_originating_ip] == "-" {
+      mutate {
+        remove_field => ["x_originating_ip"]
+      }
+    }
+    if [basic_constraints_path_length] == "-" {
+      mutate {
+        remove_field => ["basic_constraints_path_length"]
+      }
+    }
+    if [data_channel_source_ip] == "-" {
+      mutate {
+        remove_field => ["data_channel_source_ip"]
+      }
+    }
+    if [data_channel_destination_ip] == "-" {
+      mutate {
+        remove_field => ["data_channel_destination_ip"]
+      }
+    }
+    if [desktop_width] == "-" {
+      mutate {
+        remove_field => ["desktop_width"]
+      }
+    }
+    if [desktop_height] == "-" {
+      mutate {
+        remove_field => ["desktop_height"]
+      }
+    }
+    if [height] == "-" {
+      mutate {
+        remove_field => ["height"]
+      }
+    }
+ 
+
+    # I renamed conn_uids to uid so that it is easy to pivot to all things tied to a connection
+    mutate {
+       rename => [ "connection_uids", "uid" ]
+    }
+    # If total_bytes is set to "-" change it to 0 so it is an integer
+    if [total_bytes] == "-" {
+      mutate {
+        replace => [ "total_bytes", "0" ]
+      }
+    }
+    # If seen_bytes is set to "-" change it to 0 so it is an integer
+    if [seen_bytes] == "-" {
+      mutate {
+        replace => [ "seen_bytes", "0" ]
+      }
+    }
+    # If missing_bytes is set to "-" change it to 0 so it is an integer
+    if [missing_bytes] == "-" {
+      mutate {
+        replace => [ "missing_bytes", "0" ]
+      }
+    }
+    # If overflow_bytes is set to "-" change it to 0 so it is an integer
+    if [overflow_bytes] == "-" {
+      mutate {
+        replace => [ "overflow_bytes", "0" ]
+      }
+    }
+    if [dcc_file_size] == "-" {
+      mutate {
+        replace => [ "dcc_file_size", "0" ]
+      }
+    }
+    if [authentication_attempts] == "-" {
+      mutate {
+        replace => [ "authentication_attempts", "0" ]
+      }
+    }
+    if [file_size] == "-" {
+      mutate {
+        replace => [ "file_size", "0" ]
+      }
+    }
+    if [original_ip_bytes] == "-" {
+      mutate {
+        replace => [ "original_ip_bytes", "0" ]
+      }
+    }
+    
+    # I recommend changing the field types below to integer or floats so searches can do greater than or less than
+    # and also so math functions can be ran against them
+    mutate {
+      convert => [ "bound_port", "integer" ]
+      convert => [ "data_channel_destination_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "depth", "integer" ]
+      #convert => [ "duration", "float" ]
+      convert => [ "info_code", "integer" ]
+      convert => [ "missed_bytes", "integer" ]
+      convert => [ "missing_bytes", "integer" ]
+      convert => [ "n", "integer" ]
+      convert => [ "original_bytes", "integer" ]
+      convert => [ "original_packets", "integer" ]
+      convert => [ "original_ip_bytes", "integer" ]
+      convert => [ "overflow_bytes", "integer" ]
+      convert => [ "p", "integer" ]
+      convert => [ "query_class", "integer" ]
+      convert => [ "query_type", "integer" ]
+      convert => [ "rcode", "integer" ]
+      convert => [ "request_body_length", "integer" ]
+      convert => [ "request_port", "integer" ]
+      convert => [ "respond_bytes", "integer" ]
+      convert => [ "respond_packets", "integer" ]
+      convert => [ "respond_ip_bytes", "integer" ]
+      convert => [ "response_body_length", "integer" ]
+      convert => [ "seen_bytes", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "status_code", "integer" ]
+      #convert => [ "suppress_for", "float" ]
+      convert => [ "total_bytes", "integer" ]
+      convert => [ "trans_depth", "integer" ]
+      convert => [ "transaction_id", "integer" ]
+      # convert the following boolean to text for now
+      convert => [ "local_respond", "string" ]
+      convert => [ "tc", "string" ]
+      convert => [ "is_orig", "string" ]
+      convert => [ "local_orig", "string" ]
+      lowercase => [ "query" ]
+      #remove_field => [ "timestamp" ]
+    }
+
+    # Combine OriginalBytes and RespondBytes and save the value to total_bytes
+    if [original_bytes] {
+      if [respond_bytes] {
+        ruby {
+          code => "event.set('total_bytes', event.get('original_bytes') + event.get('respond_bytes'))"
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6000"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/6001_bro_import.conf b/salt/logstash/conf/pipelines/6001_bro_import.conf
new file mode 100644
index 000000000..34c43f6ae
--- /dev/null
+++ b/salt/logstash/conf/pipelines/6001_bro_import.conf
@@ -0,0 +1,16 @@
+# Updated by: Doug Burks
+# Last Update: 2/10/2018
+#
+filter {
+  if "import" in [tags] and "bro" in [tags] {
+
+	# we're setting timestamp in 6000 now
+	#date {
+        #	match => [ "timestamp", "UNIX" ]
+	#}
+
+	mutate {
+	  #add_tag => [ "conf_file_6001"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf b/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf
new file mode 100644
index 000000000..3998df8a4
--- /dev/null
+++ b/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf
@@ -0,0 +1,17 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "bro" in [tags] {
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+      #mutate {
+      #  remove_field => [ "message" ]
+      #}
+    }
+	mutate {
+		#add_tag => [ "conf_file_8000"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/8006_postprocess_dns.conf b/salt/logstash/conf/pipelines/8006_postprocess_dns.conf
new file mode 100644
index 000000000..a1520e6dc
--- /dev/null
+++ b/salt/logstash/conf/pipelines/8006_postprocess_dns.conf
@@ -0,0 +1,47 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_dns" or "dns" in [tags] {
+    # Used for whois lookups - can create log loop
+    if [query] =~ "^whois\." {
+      drop { }
+    }
+    # REPLACE test.int with your internal domain
+    if [query] and [query] !~ "\.test\.int$" {
+      mutate {
+        lowercase => [ "query" ]
+      }
+      if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
+        tld {
+          source => "query"
+        }
+        ruby {
+          code => "event.set('query_length', event.get('query').length)"
+        }
+        mutate {
+          rename => { "[SubLog][sessionid]" => "sub_session_id" }
+          rename => { "[tld][domain]" => "highest_registered_domain" }
+          rename => { "[tld][trd]" => "subdomain" }
+          rename => { "[tld][tld]" => "top_level_domain" }
+          rename => { "[tld][sld]" => "parent_domain" }
+        }
+        if [parent_domain] {
+          ruby {
+            code => "event.set('parent_domain_length', event.get('parent_domain').length)"
+          }
+        }
+        if [subdomain] {
+          ruby {
+            code => "event.set('subdomain_length', event.get('subdomain').length)"
+          }
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_8006"]
+	}
+  }
+}
diff --git a/salt/logstash/files/dynamic/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf
similarity index 100%
rename from salt/logstash/files/dynamic/0010_input_hhbeats.conf
rename to salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf
diff --git a/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+  if [type] == "ids" {
+    # This is the initial parsing of the log
+    if [engine] == "suricata" {
+        json {
+            source => "message"
+        }
+        mutate {
+	    rename => { "alert" => "orig_alert" } 
+            rename => { "[orig_alert][gid]" => "gid" }
+            rename => { "[orig_alert][signature_id]" => "sid" }
+            rename => { "[orig_alert][rev]" => "rev" }
+            rename => { "[orig_alert][signature]" => "alert" }
+            rename => { "[orig_alert][category]" => "classification" }
+            rename => { "[orig_alert][severity]" => "priority" }
+	    rename => { "[orig_alert][rule]" => "rule_signature" }
+            rename => { "app_proto" => "application_protocol" }
+            rename => { "dest_ip" => "destination_ip" }
+            rename => { "dest_port" => "destination_port" }
+            rename => { "in_iface" => "interface" }
+            rename => { "proto" => "protocol" }
+            rename => { "src_ip" => "source_ip" }
+            rename => { "src_port" => "source_port" }
+	    #rename => { "[fileinfo][filename]" => "filename" }
+            #rename => { "[fileinfo][gaps]" => "gaps" }
+            #rename => { "[fileinfo][size]" => "size" }
+            #rename => { "[fileinfo][state]" => "state" }
+            #rename => { "[fileinfo][stored]" => "stored" }
+            #rename => { "[fileinfo][tx_id]" => "tx_id" }
+            #rename => { "[flow][age]" => "duration" }
+            #rename => { "[flow][alerted]" => "flow_alerted" }
+            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+            #rename => { "[flow][end]" => "flow_end" }
+            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+            #rename => { "[flow][reason]" => "reason" }
+            #rename => { "[flow][start]" => "flow_start" }
+            #rename => { "[flow][state]" => "state" }
+            #rename => { "[netflow][age]" => "duration" }
+            #rename => { "[netflow][bytes]" => "bytes" }
+            #rename => { "[netflow][end]" => "netflow_end" }
+            #rename => { "[netflow][start]" => "netflow_start" }
+            #rename => { "[netflow][pkts]" => "packets" }
+            rename => { "[alert][action]" => "action" }
+            rename => { "[alert][category]" => "category" }
+            rename => { "[alert][gid]" => "gid" }
+            rename => { "[alert][rev]" => "rev" }
+            rename => { "[alert][severity]" => "severity" }
+            rename => { "[alert][signature]" => "signature" }
+            rename => { "[alert][signature_id]" => "sid" }
+	    #rename => { "[dns][aa]" => "aa" }
+            #rename => { "[dns][flags]" => "flags" }
+	    #rename => { "[dns][id]" => "id" }
+	    #rename => { "[dns][qr]" => "qr" }
+            #rename => { "[dns][rcode]" => "rcode_name" }
+	    #rename => { "[dns][rrname]" => "rrname" }
+	    #rename => { "[dns][rrtype]" => "rrtype" }
+            #rename => { "[dns][tx_id]" => "tx_id" }
+	    #rename => { "[dns][type]" => "record_type" }
+	    #rename => { "[dns][version]" => "version" }
+            rename => { "[http][hostname]" => "virtual_host" }
+            rename => { "[http][http_content_type]" => "content_type" }
+            rename => { "[http][http_port]" => "http_port" }
+            rename => { "[http][http_method]" => "method" }
+	    rename => { "[http][http_user_agent]" => "useragent" }
+            #rename => { "[http][length]" => "payload_length" }
+            #rename => { "[http][protocol]" => "http_version" }
+            rename => { "[http][status]" => "status_message" }
+            rename => { "[http][url]" => "url" }
+            #rename => { "[metadata][flowbits]" => "flowbits" }
+            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+            rename => { "[tls][subject]" => "certificate_common_name" }
+            rename => { "[tls][version]" => "tls_version" }
+	    rename => { "event_type" => "ids_event_type" }
+	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+	    remove_tag => [ "beats_input_codec_plain_applied" ]
+	    add_tag => [ "eve" ]
+             
+	}
+    } else {
+        grok {
+          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+                "message", "%{GREEDYDATA:alert}"]
+        }
+    }
+    if [timestamp] {
+        mutate {
+                add_field => { "logstash_timestamp" => "%{@timestamp}" }
+        }
+        mutate {
+                convert => { "logstash_timestamp" => "string" }
+        }
+        date {
+                match => [ "timestamp", "ISO8601" ]
+        }
+        mutate {
+                rename => { "logstash_timestamp" => "timestamp" }
+        }
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf b/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf
new file mode 100644
index 000000000..b64b56bbe
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf
@@ -0,0 +1,77 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for conn.log from Bro systems
+filter {
+  if [type] == "bro_conn" {
+	# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+		json {
+			source => "message"
+		}
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+			#uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+                        rename => { "proto" => "protocol" }
+			#service
+			#duration
+                        rename => { "orig_bytes" => "original_bytes" }
+                        rename => { "resp_bytes" => "respond_bytes" }
+                        rename => { "conn_state" => "connection_state" }
+			#local_orig
+                        rename => { "local_resp" => "local_respond" }
+			#missed_bytes
+			#history
+                        rename => { "orig_pkts" => "original_packets" }
+                        rename => { "orig_ip_bytes" => "original_ip_bytes" }
+                        rename => { "resp_pkts" => "respond_packets" }
+                        rename => { "resp_ip_bytes" => "respond_ip_bytes" }
+			#tunnel_parents
+                        rename => { "orig_cc" => "original_country_code" }
+                        rename => { "resp_cc" => "respond_country_code" }
+                        rename => { "sensorname" => "sensor_name" }
+                }
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","service","duration","original_bytes","respond_bytes","connection_state","local_orig","local_respond","missed_bytes","history","original_packets","original_ip_bytes","respond_packets","respond_ip_bytes","tunnel_parents","sensor_name"]
+
+	    # If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
+	      separator => "	"
+	    }
+	}
+
+    translate {
+      field => "connection_state"
+
+      destination => "connection_state_description"
+
+      dictionary => [
+                    "S0", "Connection attempt seen, no reply",
+                    "S1", "Connection established, not terminated",
+                    "S2", "Connection established and close attempt by originator seen (but no reply from responder)",
+                    "S3", "Connection established and close attempt by responder seen (but no reply from originator)",
+                    "SF", "Normal SYN/FIN completion",
+                    "REJ", "Connection attempt rejected",
+                    "RSTO", "Connection established, originator aborted (sent a RST)",
+                    "RSTR", "Established, responder aborted",
+                    "RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
+                    "RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
+                    "SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
+		    "SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
+                    "OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
+                    ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1100"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf b/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf
new file mode 100644
index 000000000..e7e7f12c0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf
@@ -0,0 +1,56 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 1/3/2019
+#
+# This conf file is based on accepting logs for dhcp.log from Bro systems
+filter {
+  if [type] == "bro_dhcp" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+            json {
+                  source => "message"
+            }
+
+            mutate {
+                  rename => { "ts" => "timestamp" }
+		  #uid
+                  rename => { "id.orig_h" => "source_ip" }
+                  rename => { "id.orig_p" => "source_port" }
+                  rename => { "id.resp_h" => "destination_ip" }
+                  rename => { "id.resp_p" => "destination_port" }
+		  #mac
+		  #assigned_ip
+		  #lease_time
+                  rename => { "trans_id" => "transaction_id" }
+                  # new dhcp log format
+                  rename => { "assigned_addr" => "assigned_ip" }
+                  rename => { "client_addr" => "source_ip" }
+                  rename => { "server_addr" => "destination_ip" }
+                  rename => { "requested_addr" => "requested_ip" }
+                  rename => { "domain" => "domain_name" }
+		  rename => { "host_name" => "hostname" }
+                  rename => { "msg_types" => "message_types" }
+                  rename => { "uids" => "uid" }
+            }
+        } else {
+	    mutate {
+              gsub => [ "message", "[\"']", "" ]
+            }  
+            # Bro logs in TSV format
+	    csv {
+              columns => [ "timestamp", "uid", "source_ip", "destination_ip", "mac", "hostname", "client_fqdn", "domain_name", "requested_ip", "assigned_ip", "lease_time","client_message", "server_message", "message_types", "duration" ]
+              separator => "	"
+	    }
+	    # Remove fields with empty values (-) to prevent field data type conflict
+            ruby {
+              code =>"
+	    	hash = event.to_hash.each do |key,value|
+                if value == '-'
+                  event.remove(key)
+                end
+             end"
+          }  
+      }	
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf b/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf
new file mode 100644
index 000000000..340cdafbc
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf
@@ -0,0 +1,74 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dns.log from Bro systems
+filter {
+  if [type] == "bro_dns" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+            json {
+                  source => "message"
+            }
+
+	    mutate {
+        	  rename => { "ts" => "timestamp" }
+		  #uid
+	          rename => { "id.orig_h" => "source_ip" }
+        	  rename => { "id.orig_p" => "source_port" }
+	          rename => { "id.resp_h" => "destination_ip" }
+        	  rename => { "id.resp_p" => "destination_port" }
+	          rename => { "proto" => "protocol" }
+		  rename => { "trans_id" => "transaction_id" }
+		  #rtt field
+		  #query field
+        	  rename => { "qclass" => "query_class" }
+	          rename => { "qclass_name" => "query_class_name" }
+        	  rename => { "qtype" => "query_type" }
+	          rename => { "qtype_name" => "query_type_name" }
+		  #rcode
+		  #rcode_name
+        	  rename => { "AA" => "aa" }
+	          rename => { "TC" => "tc" }
+        	  rename => { "RD" => "rd" }
+	          rename => { "RA" => "ra" }
+        	  rename => { "Z" => "z" }
+		  #answers
+        	  rename => { "TTLs" => "ttls" }
+		  #rejected
+            }
+        } else {
+
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","transaction_id","rtt","query","query_class","query_class_name","query_type","query_type_name","rcode","rcode_name","aa","tc","rd","ra","z","answers","ttls","rejected"]
+
+	      #If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		add_tag => [ "dns" ]
+	}
+    if [ttls] == "-" {
+      mutate {
+        remove_field => [ "ttls" ]
+      }
+    }
+    if [rtt] == "-" {
+      mutate {
+        remove_field => [ "rtt" ]
+      }
+    }
+    #mutate {
+      #convert => [ "rtt", "float" ]  
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1102"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf b/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf
new file mode 100644
index 000000000..cc3b6ad39
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf
@@ -0,0 +1,42 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dpd.log from Bro systems
+filter {
+  if [type] == "bro_dpd" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+            json {
+                  source => "message"
+            }
+
+            mutate {
+                  rename => { "ts" => "timestamp" }
+                  #uid
+                  rename => { "id.orig_h" => "source_ip" }
+                  rename => { "id.orig_p" => "source_port" }
+                  rename => { "id.resp_h" => "destination_ip" }
+                  rename => { "id.resp_p" => "destination_port" }
+                  rename => { "proto" => "protocol" }
+                  #analyzer
+                  #failure_reason
+            }
+        } else {
+
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","analyzer","failure_reason"]
+	      separator => "	"
+	    }
+	}	
+
+	mutate {
+		#add_tag => [ "conf_file_1103"]
+	}
+
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf b/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf
new file mode 100644
index 000000000..88c524ea5
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf
@@ -0,0 +1,64 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for files.log from Bro systems
+filter {
+  if [type] == "bro_files" {
+	# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+	if [message] =~ /^{.*}$/ {
+		json {
+			source => "message"
+		}
+
+		mutate {
+			rename => { "ts" => "timestamp" }
+			#fuid
+			rename => { "tx_hosts" => "file_ip" }
+			rename => { "rx_hosts" => "destination_ip" }
+			rename => { "conn_uids" => "connection_uids" }
+			#source field
+			#depth field
+			rename => { "analyzers" => "analyzer" }
+			rename => { "mime_type" => "mimetype" }
+			rename => { "filename" => "file_name" }
+			#duration
+			#local_orig
+			#is_orig
+			#seen_bytes
+			#total_bytes
+			#missing_bytes
+			#overflow_bytes
+			rename => { "timedout" => "timed_out" }
+			#parent_fuid
+			#md5
+			#sha1
+			#sha256
+			#extracted
+			#extracted_cutoff
+			#extracted_size
+		}
+	} else {
+
+	    csv {
+	      columns => ["timestamp","fuid","file_ip","destination_ip","connection_uids","source","depth","analyzer","mimetype","file_name","duration","local_orig","is_orig","seen_bytes","total_bytes","missing_bytes","overflow_bytes","timed_out","parent_fuid","md5","sha1","sha256","extracted","extracted_cutoff","extracted_size"]
+	      separator => "	"
+	    }
+            if [destination_ip] =~ /,/ {
+              mutate {
+                split => { "destination_ip" => "," }
+              }
+            }
+            if [file_ip] =~ /,/ {
+              mutate {
+                split => { "file_ip" => "," }
+              }
+            }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1104"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf b/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf
new file mode 100644
index 000000000..c37ac71a0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf
@@ -0,0 +1,56 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for ftp.log from Bro systems
+filter {
+  if [type] == "bro_ftp" {
+	# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+	if [message] =~ /^{.*}$/ {
+		json {
+			source => "message"
+		}
+
+		mutate {
+			rename => { "ts" => "timestamp" }
+			#uid
+			rename => { "id.orig_h" => "source_ip" }
+			rename => { "id.orig_p" => "source_port" }
+			rename => { "id.resp_h" => "destination_ip" }
+			rename => { "id.resp_p" => "destination_port" }
+			rename => { "user" => "username" }
+			#password
+			rename => { "command" => "ftp_command" }
+			rename => { "arg" => "ftp_argument" }
+			rename => { "mime_type" => "mimetype" }
+			#file_size
+			#reply_code
+			rename => { "reply_msg" => "reply_message" }
+			rename => { "data_channel.passive" => "data_channel_passive" }
+			rename => { "data_channel.orig_h" => "data_channel_source_ip" }
+			rename => { "data_channel.resp_h" => "data_channel_destination_ip" }
+			rename => { "data_channel.resp_p" => "data_channel_destination_port" }
+			#fuid
+		}
+
+		mutate {
+			convert => { "reply" => "string" }
+		}
+
+        } else {
+
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","username","password","ftp_command","ftp_argument","mimetype","file_size","reply_code","reply_message","data_channel_passive","data_channel_source_ip","data_channel_destination_ip","data_channel_destination_port","fuid"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1105"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf b/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf
new file mode 100644
index 000000000..3cff8faa7
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf
@@ -0,0 +1,77 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for http.log from Bro systems
+filter {
+  if [type] == "bro_http" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+		
+		# Rename logstash tags field to avoid being overwritten by Bro's http tags field
+                mutate {
+                        rename => { "tags" => "tags-orig" }
+		}
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#trans_depth
+			#method
+			rename => { "host" => "virtual_host" }
+			#uri
+			#referrer
+			#version
+			#convert => { "version" => "string" }
+			rename => { "user_agent" => "useragent" }
+			#origin
+			rename => { "request_body_len" => "request_body_length" }
+			rename => { "response_body_len" => "response_body_length" }
+			#status_code
+			#status_message
+			rename => { "status_msg" => "status_message" }
+			#info_code
+			rename => { "info_msg" => "info_message" }
+			#tags
+			# Rename http tags field to http-tags
+                        rename => { "tags" => "http-tags" }
+			# Rename logstash tags field to tags
+                        rename => { "tags-orig" => "tags" }
+			#username
+			#password
+			#proxied
+			#orig_fuids
+			#orig_filenames
+			#orig_mime_types
+			#resp_fuids
+			#resp_filenames
+			#resp_mime_types
+		}
+		if [http-tags] {
+                	mutate {
+				remove_field => [ "http-tags" ]
+			}
+		}
+	} else {
+	    grok {
+	      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<virtual_host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<version>(.*?))\t(?<useragent>(.*?))\t(?<origin>(.*?))\t(?<request_body_length>(.*?))\t(?<response_body_length>(.*?))\t(?<status_code>(.*?))\t(?<status_message>(.*?))\t(?<info_code>(.*?))\t(?<info_message>(.*?))\t(?<tags>(.*))\t(?<username>(.*))\t(?<password>(.*))\t(?<proxied>(.*))\t(?<orig_fuids>(.*))\t(?<orig_filenames>(.*?))\t(?<orig_mime_types>(.*))\t(?<resp_fuids>(.*))\t(?<resp_filenames>(.*?))\t(?<resp_mime_types>(.*))" ]
+	    }
+	}
+
+    if [useragent] == "-" {
+      mutate {
+        remove_field => [ "useragent" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1106"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf b/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf
new file mode 100644
index 000000000..841c4aa44
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf
@@ -0,0 +1,46 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for irc.log from Bro systems
+filter {
+  if [type] == "bro_irc" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#nick
+			rename => { "user" => "irc_username" }
+			rename => { "command" => "irc_command" }
+			#value
+			rename => { "addl" => "additional_info" }
+			#dcc_file_name
+			#dcc_file_size
+			#dcc_mime_type
+			#fuid
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","nick","irc_username","irc_command","value","additional_info","dcc_file_name","dcc_file_size","dcc_mime_type","fuid"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1107"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf b/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf
new file mode 100644
index 000000000..89754126a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf
@@ -0,0 +1,56 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for kerberos.log from Bro systems
+filter {
+  if [type] == "bro_kerberos" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#request_type
+			#client
+			#service
+			rename => { "success" => "kerberos_success" }
+			rename => { "error_msg" => "error_message" }
+			rename => { "from" => "valid_from" }
+			rename => { "till" => "valid_till" }
+			#cipher
+			#forwardable
+			#renewable
+			rename => { "client_cert_subject" => "client_certificate_subject" }
+			rename => { "client_cert_fuid" => "client_certificate_fuid" }
+			rename => { "server_cert_subject" => "server_certificate_subject" }
+			rename => { "server_cert_fuid" => "server_certificate_fuid" }
+		}
+		
+		mutate {
+			convert => { "kerberos_success" => "string" }
+			convert => { "renewable" => "string" }
+		}
+
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","request_type","client","service","kerberos_success","error_message","valid_from","valid_till","cipher","forwardable","renewable","client_certificate_subject","client_certificate_fuid","server_certificate_subject","server_certificate_fuid"]
+	      separator => "	"
+	    }
+	}
+	mutate {
+		#add_tag => [ "conf_file_1108"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf b/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf
new file mode 100644
index 000000000..2c22896d8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf
@@ -0,0 +1,56 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for notice.log from Bro systems
+filter {
+  if [type] == "bro_notice" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#fuid
+			rename => { "mime" => "file_mime_type" }
+			rename => { "desc" => "file_description" }
+			rename => { "proto" => "protocol" }
+			rename => { "note" => "note" }
+			rename => { "msg" => "msg" }
+			rename => { "sub" => "sub_msg" }
+			rename => { "src" => "source_ip" }
+			rename => { "dst" => "destination_ip" }
+			#p
+			#n
+			rename => { "peer_descr" => "peer_description" }
+			rename => { "actions" => "action" }
+			#suppress_for
+			#destination_country_code
+			#destination_region
+			#destination_city
+			#destination_latitude
+			#destination_longitude
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","file_mime_type","file_description","protocol","note","msg","sub_msg","source_ip","destination_ip","p","n","peer_description","action","suppress_for","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1109"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf b/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf
new file mode 100644
index 000000000..435a2ca3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf
@@ -0,0 +1,52 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for rdp.log from Bro systems
+filter {
+  if [type] == "bro_rdp" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#cookie
+			#result
+			#security_protocol
+			#client_channels
+			#keyboard_layout
+			#client_build
+			#client_name
+			rename => { "client_dig_product_id" => "client_digital_product_id" }
+			#desktop_width
+			#desktop_height
+			#requested_color_depth
+			rename => { "cert_type" => "certificate_type" }
+			rename => { "cert_count" => "certificate_count" }
+			rename => { "cert_permanent" => "certificate_permanent" }
+			#encryption_level
+			#encryption_method
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","client_channels","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1110"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf b/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf
new file mode 100644
index 000000000..0d3c1dc57
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf
@@ -0,0 +1,43 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for signatures.log from Bro systems
+filter {
+  if [type] == "bro_signatures" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#note
+			rename => { "sig_id" => "signature_id" }
+			rename => { "event_msg" => "event_message" }
+			rename => { "sub_msg" => "sub_message" }
+			rename => { "sig_count" => "signature_count" }
+			#host_count
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","note","signature_id","event_message","sub_message","signature_count","host_count"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1111"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf b/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf
new file mode 100644
index 000000000..743bd5716
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf
@@ -0,0 +1,65 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for smtp.log from Bro systems
+filter {
+  if [type] == "bro_smtp" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#trans_depth
+			#helo
+			rename => { "mailfrom" => "mail_from" }
+			rename => { "rcptto" => "recipient_to" }
+			rename => { "date" => "mail_date" }
+			#from
+			#to
+			#cc
+			#reply_to
+			rename => { "msg_id" => "message_id" }
+			#in_reply_to
+			#subject
+			#x_originating_ip
+			#first_received
+			#second_received
+			#last_reply
+			#path
+			rename => { "user_agent" => "useragent" }
+			#tls
+			#fuids
+			#is_webmail
+		}
+
+		mutate {
+			convert => { "tls" => "string" }
+			convert => { "is_webmail" => "string" }
+		}
+			
+	} else {
+	    grok {
+	      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<helo>(.*?))\t(?<mail_from>(.*?))\t(?<recipient_to>(.*?))\t(?<mail_date>(.*?))\t(?<from>(.*?))\t(?<to>(.*?))\t(?<cc>(.*?))\t(?<reply_to>(.*?))\t(?<message_id>(.*?))\t(?<in_reply_to>(.*?))\t(?<subject>(.*?))\t(?<x_originating_ip>(.*?))\t(?<first_received>(.*))\t(?<second_received>(.*))\t(?<last_reply>(.*))\t(?<path>(.*))\t(?<useragent>(.*))\t(?<tls>(.*))\t(?<fuids>(.*))\t(?<is_webmail>(.*))" ]
+	    }
+	}
+
+    if [useragent] == "-" {
+      mutate {
+        remove_field => [ "useragent" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1112"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf b/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf
new file mode 100644
index 000000000..6a00a5244
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf
@@ -0,0 +1,47 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for snmp.log from Bro systems
+filter {
+  if [type] == "bro_snmp" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#duration
+			#version
+			#convert => { "version" => "string" }
+			#community
+			#get_requests
+			#get_bulk_requests
+			#get_responses
+			#set_requests
+			#display_string
+			#up_since
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","duration","version","community","get_requests","get_bulk_requests","get_responses","set_requests","display_string","up_since"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1113"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf b/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf
new file mode 100644
index 000000000..ef7eded01
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for software.log from Bro systems
+filter {
+  if [type] == "bro_software" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "host" => "source_ip" }
+                        rename => { "host_p" => "source_port" }
+			#software_type
+			#name
+			rename => { "version.major" => "version_major" }
+			rename => { "version.minor" => "version_minor" }
+			rename => { "version.minor2" => "version_minor2" }
+			rename => { "version.minor3" => "version_minor3" }
+			rename => { "version.addl" => "version_additional_info" }
+			#unparsed_version
+		}
+
+		mutate {
+			convert => { "version_major" => "string" }
+			convert => { "version_minor" => "string" }
+		}
+
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","source_ip","source_port","software_type","name","version_major","version_minor","version_minor2","version_minor3","version_additional_info","unparsed_version"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1114"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf b/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf
new file mode 100644
index 000000000..a08d11e66
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf
@@ -0,0 +1,66 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+#
+# This conf file is based on accepting logs for ssh.log from Bro systems
+filter {
+  if [type] == "bro_ssh" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#version
+			#convert => { "version" => "string" }
+			rename => { "auth_success" => "authentication_success" }
+			rename => { "auth_attempts" => "authentication_attempts" }
+			#direction
+			#client
+			#server
+			rename => { "cipher_alg" => "cipher_algorithm" }
+			rename => { "compression_alg" => "compression_algorithm" }
+			rename => { "cshka" => "client_host_key_algorithms" }
+			rename => { "host_key_alg" => "host_key_algorithm" }
+			rename => { "hasshAlgorithms" => "hassh_algorithms" }
+                        rename => { "hasshServer" => "hassh_server" }
+                        rename => { "hasshServerAlgorithms" => "hassh_server_algorithms" }
+                        rename => { "hasshVersion" => "hassh_version" }
+			rename => { "kex_alg" => "kex_algorithm" }
+			rename => { "mac_alg" => "mac_algorithm" }
+			rename => { "sshka" => "server_host_key_algorithms" }
+			#host_key
+			#destination_country_code
+			#destination_region
+			#destination_city
+			#destination_latitude
+			#destination_longitude
+		}
+
+		mutate {
+			convert => { "authentication_success" => "string" }
+		}
+
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude","hassh_version","hassh","hassh_server","client_host_key_algorithms","hassh_algorithms","server_host_key_algorithms","hassh_server_algorithms"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1115"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf b/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf
new file mode 100644
index 000000000..930a670e9
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf
@@ -0,0 +1,186 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 10/30/2018
+#
+# This conf file is based on accepting logs for ssl.log from Bro systems
+filter {
+  if [type] == "bro_ssl" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#version
+			#convert => { "version" => "string" }
+			#cipher
+			#curve
+			#server_name
+			#resumed
+			#last_alert
+			#next_protocol
+			#established
+			rename => { "cert_chain_fuids" => "certificate_chain_fuids" }
+			rename => { "client_cert_chain_fuids" => "client_certificate_chain_fuids" }
+			rename => { "subject" => "certificate_subject" }
+			rename => { "issuer" => "certificate_issuer" }
+			#client_subject
+			#client_issuer
+			#validation_status
+			#ja3
+		}
+	} else {
+	   mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    } 
+	   csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3","ja3s"]
+	      separator => "	"
+	    }
+	}
+
+    mutate {
+      gsub => [ "subject", "\\\\,", "|" ]
+    }
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_issuer"
+    }
+    mutate {
+      rename => { "CN" => "issuer_common_name"}
+      rename => { "C" => "issuer_country_code"}
+      rename => { "O" => "issuer_organization"}
+      rename => { "OU" => "issuer_organization_unit"}
+      rename => { "ST" => "issuer_state"}
+      rename => { "SN" => "issuer_surname"}
+      rename => { "L" => "issuer_locality"}
+      rename => { "DC" => "issuer_distinguished_name"}
+      rename => { "GN" => "issuer_given_name"}
+      rename => { "pseudonym" => "issuer_pseudonym"}
+      rename => { "serialNumber" => "issuer_serial_number"}
+      rename => { "title" => "issuer_title"}
+      rename => { "initials" => "issuer_initials"}
+    }
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_subject"
+    }
+    mutate {
+      rename => { "CN" => "certificate_common_name"}
+      rename => { "C" => "certificate_country_code"}
+      rename => { "O" => "certificate_organization"}
+      rename => { "OU" => "certificate_organization_unit"}
+      rename => { "ST" => "certificate_state"}
+      rename => { "SN" => "certificate_surname"}
+      rename => { "L" => "certificate_locality"}
+      rename => { "GN" => "certificate_given_name"}
+      rename => { "pseudonym" => "certificate_pseudonym"}
+      rename => { "serialNumber" => "certificate_serial_number"}
+      rename => { "title" => "certificate_title"}
+      rename => { "initials" => "certificate_initials"}
+    }
+    if [certificate_subject] == "-" {
+      mutate {
+        remove_field => [ "certificate_subject" ]
+      }
+    }
+    if [certificate_issuer] == "-" {
+      mutate {
+        remove_field => [ "certificate_issuer" ]
+      }
+    }
+    if [certificate_common_name] {
+      ruby {
+        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
+      }
+    }
+    if [issuer_common_name] {
+      ruby {
+        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
+      }
+    }
+    if [server_name] {
+	    if [server_name] == "-" {
+	      mutate {
+        	remove_field => [ "server_name" ]
+	      }
+	    } else {
+	      ruby {
+        	code => "event.set('server_name_length', event.get('server_name').length)"
+	      }
+    	    }
+    }
+    if [certificate_chain_fuids] {
+    	if [certificate_chain_fuids] == "-" {
+	      mutate {
+        	remove_field => [ "certificate_chain_fuids" ]
+	      }
+	    } else {
+	      ruby {
+        	code => "event.set('certificate_chain_count', event.get('certificate_chain_fuids').count(',') + 1)"
+	      }
+	      mutate {
+        	convert => [ "certificate_chain_length", "integer" ]
+	      }
+	    }
+    }
+    if [client_certificate_chain_fuids] == "-" {
+      mutate {
+        remove_field => [ "client_certificate_chain_fuids" ]
+      }
+    }
+    if [client_issuer] == "-" {
+      mutate {
+        remove_field => [ "client_issuer" ]
+      }
+    }
+    if [client_subject] == "-" {
+      mutate {
+        remove_field => [ "client_subject" ]
+      }
+    }
+    if [curve] == "-" {
+      mutate {
+        remove_field => [ "curve" ]
+      }
+    }
+    if [issuer] == "-" {
+      mutate {
+        remove_field => [ "issuer" ]
+      }
+    }
+    if [query] == "-" {
+      mutate {
+        remove_field => [ "query" ]
+      }
+    }
+    if [subject] == "-" {
+      mutate {
+        remove_field => [ "subject" ]
+      }
+    }
+    if [validation_status] == "-" {
+      mutate {
+        remove_field => [ "validation_status" ]
+      }
+    }
+    if [ja3] == "-" {
+      mutate {
+        remove_field => [ "ja3" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1116"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf b/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf
new file mode 100644
index 000000000..c9e52df0f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf
@@ -0,0 +1,41 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for syslog.log from Bro systems
+filter {
+  if [type] == "bro_syslog" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			rename => { "proto" => "protocol" }
+			#facility
+			#severity
+			#message
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","facility","severity","message"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1117"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf b/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf
new file mode 100644
index 000000000..5ae07508c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf
@@ -0,0 +1,40 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for tunnel.log from Bro systems
+# Security Onion syslog-ng.conf sets type to "bro_tunnels"
+filter {
+  if [type] == "bro_tunnels" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#tunnel_type
+			#action
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","tunnel_type","action"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1118"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf b/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf
new file mode 100644
index 000000000..156a25786
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf
@@ -0,0 +1,42 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for weird.log from Bro systems
+filter {
+  if [type] == "bro_weird" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#name
+			rename => { "addl" => "additional_info" }
+			#notice
+			#peer
+		}
+
+		mutate {
+			convert => { "notice" => "string" }
+		}
+
+	} else {
+	    grok {
+	      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<name>(.*?))\t(?<additional_info>(.*?))\t(?<notice>(.*?))\t(?<peer>(.*))" ]
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1119"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf b/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf
new file mode 100644
index 000000000..97f0d6e28
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf
@@ -0,0 +1,57 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for mysql.log from Bro systems
+#
+# Parse using grok
+filter {
+  if [type] == "bro_mysql" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			rename => { "cmd" => "mysql_command" }
+			rename => { "arg" => "mysql_argument" }
+			rename => { "success" => "mysql_success" }
+			#rows
+			#response
+		}
+
+		mutate {
+			convert => { "mysql_success" => "string" }
+		}
+
+	} else {
+	    grok {
+	      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mysql_command>(.*?))\t(?<mysql_argument>(.*?))\t(?<mysql_success>(.*?))\t(?<rows>(.*?))\t(?<response>(.*))" ]
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1121"]
+	}
+  }
+}
+
+# Reverting to grok for now, due to double-quoted values in log file
+# Parse using csv filter
+#filter {
+#  if [type] == "bro_mysql" {
+#    csv {
+#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
+#    separator => "	"
+#    quote_char=
+#    }
+#  }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf b/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf
new file mode 100644
index 000000000..1b2876eb4
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf
@@ -0,0 +1,62 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for socks.log from Bro systems
+
+# Parse using csv
+filter {
+  if [type] == "bro_socks" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#version
+			#convert => { "version" => "string" }
+			rename => { "user" => "username" }
+			#password
+			rename => { "status" => "server_status" }
+			rename => { "request.host" => "request_host" }
+			rename => { "request.name" => "request_name" }
+			rename => { "request_p" => "request_port" }
+			rename => { "bound.host" => "bound_host" }
+			rename => { "bound.name" => "bound_name" }
+			rename => { "bound_p" => "bound_port" }
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","username","password","server_status","request_host","request_name","request_port","bound_host","bound_name","bound_port"]
+	      separator => "	"
+	    }
+	}
+
+        mutate {
+                #add_tag => [ "conf_file_1122"]
+        }
+  }
+}
+# Parse using grok
+#filter {
+#  if [type] == "bro_socks" {
+#    # This is the initial parsing of the log
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<version>(.*?))\t(?<user>(.*?))\t(?<password>(.*?))\t(?<status>(.*))\t(?<request_host>(.*))\t(?<request_name>(.*))\t(?<request_port>(.*))\t(?<bound_host>(.*))\t(?<bound_name>(.*))\t(?<bound_port>(.*))" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1122"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf b/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf
new file mode 100644
index 000000000..37d4393e7
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf
@@ -0,0 +1,154 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for x509.log from Bro systems
+
+filter {
+  if [type] == "bro_x509" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #id
+                        rename => { "certificate.version" => "certificate_version" }
+                        rename => { "certificate.serial" => "certificate_serial" }
+                        rename => { "certificate.subject" => "certificate_subject" }
+                        rename => { "certificate.issuer" => "certificate_issuer" }
+                        rename => { "certificate.not_valid_before" => "certificate_not_valid_before" }
+                        rename => { "certificate.not_valid_after" => "certificate_not_valid_after" }
+                        rename => { "certificate.key_alg" => "certificate_key_algorithm" }
+                        rename => { "certificate.sig_alg" => "certificate_signing_algorithm" }
+                        rename => { "certificate.key_type" => "certificate_key_type" }
+                        rename => { "certificate.key_length" => "certificate_key_length" }
+                        rename => { "certificate.exponent" => "certificate_exponent" }
+                        rename => { "certificate.curve" => "certificate_curve" }
+                        rename => { "id" => "fuid" }
+                        rename => { "san.dns" => "san_dns" }
+                        rename => { "san.uri" => "san_uri" }
+                        rename => { "san.email" => "san_email" }
+                        rename => { "san.ip" => "san_ip" }
+                        rename => { "basic_constraints.ca" => "basic_constraints_ca" }
+                        rename => { "basic_constraints.path_length" => "basic_constraints_path_length" }
+		}
+	} else {
+	    grok {
+	      match => [ "message", "(?<timestamp>(.*?))\t(?<fuid>(.*?))\t(?<certificate_version>(.*?))\t(?<certificate_serial>(.*?))\t(?<certificate_subject>(.*?))\t(?<certificate_issuer>(.*?))\t(?<certificate_not_valid_before>(.*?))\t(?<certificate_not_valid_after>(.*?))\t(?<certificate_key_algorithm>(.*?))\t(?<certificate_signing_algorithm>(.*))\t(?<certificate_key_type>(.*))\t(?<certificate_key_length>(.*))\t(?<certificate_exponent>(.*))\t(?<certificate_curve>(.*))\t(?<san_dns>(.*))\t(?<san_uri>(.*))\t(?<san_email>(.*))\t(?<san_ip>(.*))\t(?<basic_constraints_ca>(.*))\t(?<basic_constraints_path_length>(.*))" ]
+	    }
+	}
+
+    mutate {
+      gsub => [ "certificate_issuer", "\\\\,", "|" ]
+      gsub => [ "certificate_subject", "\\\\,", "|" ]
+    }
+	
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_issuer"
+    }
+    mutate {
+      rename => { "CN" => "issuer_common_name"}
+      rename => { "C" => "issuer_country_code"}
+      rename => { "O" => "issuer_organization"}
+      rename => { "OU" => "issuer_organization_unit"}
+      rename => { "ST" => "issuer_state"}
+      rename => { "SN" => "issuer_surname"}
+      rename => { "L" => "issuer_locality"}
+      rename => { "DC" => "issuer_distinguished_name"}
+      rename => { "GN" => "issuer_given_name"}
+      rename => { "pseudonym" => "issuer_pseudonym"}
+      rename => { "serialNumber" => "issuer_serial_number"}
+      rename => { "title" => "issuer_title"}
+      rename => { "initials" => "issuer_initials"}
+    }
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_subject"
+    }
+    mutate {
+      rename => { "CN" => "certificate_common_name"}
+      rename => { "C" => "certificate_country_code"}
+      rename => { "O" => "certificate_organization"}
+      rename => { "OU" => "certificate_organization_unit"}
+      rename => { "ST" => "certificate_state"}
+      rename => { "SN" => "certificate_surname"}
+      rename => { "L" => "certificate_locality"}
+      rename => { "GN" => "certificate_given_name"}
+      rename => { "pseudonym" => "certificate_pseudonym"}
+      rename => { "serialNumber" => "certificate_serial_number"}
+      rename => { "title" => "certificate_title"}
+      rename => { "initials" => "certificate_initials"}
+      convert => [ "certificate_key_length", "integer" ]
+      convert => [ "certificate_not_valid_after", "integer" ]
+      convert => [ "certificate_not_valid_before", "integer" ]
+    }
+    if [query] == "-" {
+      mutate {
+        remove_field => [ "query" ]
+      }
+    }
+    if [san_dns] == "-" {
+      mutate {
+        remove_field => [ "san_dns" ]
+      }
+    }
+    if [san_email] == "-" {
+      mutate {
+        remove_field => [ "san_email" ]
+      }
+    }
+    if [san_uri] == "-" {
+      mutate {
+        remove_field => [ "san_uri" ]
+      }
+    }
+    if [san_ip] == "-" {
+      mutate {
+        remove_field => [ "san_ip" ]
+      }
+    }
+    if [certificate_common_name] {
+      ruby {
+        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
+      }
+    }
+    if [issuer_common_name] {
+      ruby {
+        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
+      }
+    }
+    if [certificate_not_valid_after] == "-" {
+      mutate {
+        remove_field => [ "certificate_not_valid_after" ]
+      }
+    }
+    if [certificate_not_valid_before] == "-" {
+      mutate {
+        remove_field => [ "certificate_not_valid_before" ]
+      }
+    }
+    if [certificate_not_valid_after] and [certificate_not_valid_before] {
+      ruby {
+        code => "event.set('certificate_number_days_valid', ((event.get('certificate_not_valid_after') - event.get('certificate_not_valid_before')) / 86400).ceil)"
+      }
+      date {
+        match => [ "certificate_not_valid_after", "UNIX" ]
+        target => "certificate_not_valid_after"
+      }
+      date {
+        match => [ "certificate_not_valid_before", "UNIX" ]
+        target => "certificate_not_valid_before"
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1123"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf b/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf
new file mode 100644
index 000000000..0f1c53134
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf
@@ -0,0 +1,46 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for intel.log from Bro systems
+filter {
+  if [type] == "bro_intel" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			rename => { "seen.indicator" => "indicator" }
+			rename => { "seen.indicator_type" => "indicator_type" }
+			rename => { "seen.where" => "seen_where" }
+			rename => { "seen.node" => "seen_node" }
+			#matched
+			#sources
+			#fuid
+			rename => { "file_mime_type" => "mimetype" }
+			rename => { "file_desc" => "file_description" }
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","indicator","indicator_type","seen_where","seen_node","matched","sources","fuid","mimetype","file_description"]
+	      separator => "	"
+	    }
+	}
+
+	mutate {
+		#add_tag => [ "conf_file_1124"]
+	}
+  }	
+}
diff --git a/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf b/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf
new file mode 100644
index 000000000..6d6d48ad2
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf
@@ -0,0 +1,49 @@
+# Author: Wes Lambert
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for modbus.log from Bro systems
+#
+filter {
+  if [type] == "bro_modbus" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			rename => { "func" => "function" }
+			#exception
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","function","exception"]
+	    separator => "	"
+	    }
+	}
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_modbus" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<func>(.*?))\t(?<exception>(.*?))$" ]
+#    }
+	#mutate {
+		#add_tag => [ "conf_file_1125"]
+	#}
+#   }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf b/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf
new file mode 100644
index 000000000..0f1cf4c46
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf
@@ -0,0 +1,66 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for sip.log from Bro systems
+#
+filter {
+  if [type] == "bro_sip" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#trans_depth
+			#method
+			#uri
+			#date
+			#request_from
+			#request_to
+			#response_from
+			#response_to
+			#reply_to
+			#call_id
+			#seq
+			#subject
+			#request_path
+			#response_path
+			#user_agent
+			#status_code
+			#status_msg
+			#warning
+			rename => { "request_body_len" => "request_body_length" }
+			rename => { "response_body_len" => "response_body_length" }
+			#content_type
+		}
+	} else {
+	    grok {
+	      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<uri>(.*?))\t(?<date>(.*?))\t(?<request_from>(.*?))\t(?<request_to>(.*?))\t(?<response_from>(.*?))\t(?<response_to>(.*?))\t(?<reply_to>(.*?))\t(?<call_id>(.*?))\t(?<seq>(.*?))\t(?<subject>(.*?))\t(?<request_path>(.*?))\t(?<response_path>(.*?))\t(?<user_agent>(.*?))\t(?<status_code>(.*?))\t(?<status_msg>(.*?))\t(?<warning>(.*?))\t(?<request_body_length>(.*?))\t(?<response_body_length>(.*?))\t(?<content_type>(.*?))$" ]
+	    }
+	}
+
+	mutate {
+		add_tag => [ "conf_file_1126"]
+	}
+  }
+}
+# Parse using csv filter
+#filter {
+#  if [type] == "bro_sip" {
+#    csv {
+#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","trans_depth","method","uri","date","request_from","request_to","response_from","response_to","reply_to","call_id","seq","subject","request_path","response_path","user_agent","status_code","status_msg","warning","request_body_len","response_body_len","content_type"]
+#    separator => "	"
+#    }
+#  }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf b/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf
new file mode 100644
index 000000000..732efb23c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf
@@ -0,0 +1,73 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for radius.log from Bro systems
+#
+filter {
+  if [type] == "bro_radius" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#username
+			#mac
+			#framed_addr
+			#tunnel_client
+			#connect_info
+                        rename => { "reply_msg" => "reply_message" }
+			#result
+			#ttl
+			#logged
+		}
+	} else {
+	   mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	   } 
+	   csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","username","mac","framed_addr","tunnel_client","connect_info","reply_message","result","ttl","logged"]
+	    separator => "	"
+	   }
+	   if [tunnel_client] == "-" {
+             mutate {
+               remove_field => [ "tunnel_client" ]
+             }
+           }
+
+	}
+	# Remove the ttl and framed_addr fields
+	if [ttl] {
+                mutate {
+			remove_field => [ "ttl" ]
+		}
+	}
+	if [framed_addr] {
+                mutate {
+			remove_field => [ "framed_addr" ]
+		}
+	}
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_radius" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<username>(.*?))\t(?<mac>(.*?))\t(?<tunnel_client>(.*?))\t(?<logged>(.*?))\t(?<connect_info>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1127"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf b/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf
new file mode 100644
index 000000000..7770de12d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf
@@ -0,0 +1,46 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+#
+# This conf file is based on accepting logs for pe.log from Bro systems
+#
+filter {
+  if [type] == "bro_pe" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        rename => { "id" => "fuid" }
+			#machine
+			#compile_ts
+			#os
+			#subsystem
+			#is_exe
+			#is_64bit
+			#uses_aslr
+			#uses_dep
+			#uses_code_integrity
+			#uses_seh
+			#has_import_table
+			#has_export_table
+			#has_cert_table
+			#has_debug_data
+			#section_names
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","fuid","machine","compile_ts","os","subsystem","is_exe","is_64bit","uses_aslr","uses_dep","uses_code_integrity","uses_seh","has_import_table","has_export_table","has_cert_table","has_debug_data","section_names"]
+	    separator => "	"
+	    }
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf b/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf
new file mode 100644
index 000000000..21ecac78f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf
@@ -0,0 +1,65 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for rfb.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_rfb" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#client_major_version
+			#client_minor_version
+			#server_major_version
+			#server_minor_version
+			#authentication_method
+			#auth
+			#share_flag
+			#desktop_name
+			#width
+			#height
+		}
+
+		mutate {
+			convert => { "auth" => "string" }
+			convert => { "share_flag" => "string" }
+		}
+
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","client_major_version","client_minor_version","server_major_version","server_minor_version","authentication_method","auth","share_flag","desktop_name","width","height"]
+	    separator => "	"
+	    }
+	}
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_rfb" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<client_major_version>(.*?))\t(?<client_minor_version>(.*?))\t(?<server_major_version>(.*?))\t(?<server_minor_version>(.*?))\t(?<authentication_method>(.*?))\t(?<auth>(.*?))\t(?<share_flag>(.*?))\t(?<desktop_name>(.*?))\t(?<width>(.*?))\t(?<height>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1129"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf b/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf
new file mode 100644
index 000000000..a2c10babf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf
@@ -0,0 +1,51 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dnp3.log from Bro systems
+#
+filter {
+  if [type] == "bro_dnp3" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#fc_request
+			#fc_reply
+			#iin
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fc_request","fc_reply","iin"]
+	    separator => "	"
+	    }
+	}
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_dnp3" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<fc_request>(.*?))\t(?<fc_reply>(.*?))\t(?<iin>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1130"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf b/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf
new file mode 100644
index 000000000..ca6cfe8db
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf
@@ -0,0 +1,46 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for smb_files.log from Bro systems
+#
+filter {
+  if [type] == "bro_smb_files" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#fuid
+			#action
+			#path
+			#name
+			#size
+			#prev_name
+                        rename => { "times.modified" => "times_modified" }
+                        rename => { "times.accessed" => "times_accessed" }
+                        rename => { "times.created" => "times_created" }
+                        rename => { "times.changed" => "times_changed" }
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","action","path","name","size","prev_name","times_modified","times_accessed","times_created","times_changed"]
+	    separator => "	"
+	    }
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf b/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf
new file mode 100644
index 000000000..84256ed0e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf
@@ -0,0 +1,40 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for smb_mapping.log from Bro systems
+#
+filter {
+  if [type] == "bro_smb_mapping" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#path
+			#service
+			#native_file_system
+			#share_type
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","path","service","native_file_system","share_type"]
+	    separator => "	"
+	    }
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf b/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf
new file mode 100644
index 000000000..3b5fd6384
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf
@@ -0,0 +1,50 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 1/2/2019
+#
+# This conf file is based on accepting logs for ntlm.log from Bro systems
+#
+filter {
+  if [type] == "bro_ntlm" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#hostname
+                        rename => { "domainname" => "domain_name" }
+                        rename => { "success" => "ntlm_success" }
+			#status
+		}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => [ "timestamp", "uid", "source_ip", "source_port", "destination_ip", "destination_port", "username", "hostname", "domain_name", "server_nb_computer_name", "server_dns_computer_name", "server_tree_name", "ntlm_success"]
+	      separator => "	"
+            }
+            ruby {
+              code =>"
+                hash = event.to_hash.each do |key,value|
+                if value == '-'
+                  event.remove(key)
+                end
+              end"
+           }
+
+            
+        }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf b/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf
new file mode 100644
index 000000000..1b0e56a67
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf
@@ -0,0 +1,54 @@
+# Author: Wes Lambert
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Updated by: Doug Burks
+# Last Update: 2/7/2018
+#
+# This conf file is based on accepting logs for dce_rpc.log from Bro systems
+#
+filter {
+  if [type] == "bro_dce_rpc" {
+        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+
+                mutate {
+                        rename => { "ts" => "timestamp" }
+                        #uid
+                        rename => { "id.orig_h" => "source_ip" }
+                        rename => { "id.orig_p" => "source_port" }
+                        rename => { "id.resp_h" => "destination_ip" }
+                        rename => { "id.resp_p" => "destination_port" }
+			#rtt
+			#named_pipe
+			#endpoint
+			#operation
+		}
+
+		#mutate {
+			#convert => { "rtt" => "float" }
+		#}
+	} else {
+	    mutate {
+	      gsub => [ "message", "[\"']", "" ]
+	    }
+	    csv {
+	      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","rtt","named_pipe","endpoint","operation"]
+	    separator => "	"
+	    }
+
+	    if [rtt] == "-" {
+              mutate {
+                remove_field => [ "rtt" ]
+              }
+            }
+
+	    #mutate {
+	      #convert => [ "rtt", "float" ]
+            #}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/conf/pipelines/helix/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/9997_output_helix.conf
new file mode 100644
index 000000000..5dd0036fe
--- /dev/null
+++ b/salt/logstash/conf/pipelines/helix/9997_output_helix.conf
@@ -0,0 +1,142 @@
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+
+filter {
+  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+    grok {
+      match => [
+        "source_ip", "^%{IPV4:srcipv4}$",
+        "source_ip",  "(?<srcipv6>^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)"
+        ]
+    }
+    grok {
+      match => [
+        "destination_ip",  "(?<dstipv6>^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)",
+        "destination_ip", "^%{IPV4:dstipv4}$"
+       ]
+    }
+
+    geoip {
+      source => "[source_ip]"
+      target => "source_geo"
+    }
+    geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+    }
+    mutate {
+      #rename => { "%{[source_geo][country_code]}" => "srccountrycode" }
+      #rename => { "%{[destination_geo][country_code]}" => "dstcountrycode" }
+      rename => { "[beat_host][name]" => "sensor" }
+      copy => { "sensor" => "rawmsghostname" }
+      rename => { "message" => "rawmsg" }
+      #rename => { "event_type" => "program" }
+      copy => { "type" => "class" }
+      copy => { "class" => "program"}
+      rename => { "source_port" => "srcport" }
+      rename => { "destination_port" => "dstport" }
+      remove_field => ["source_ip", "destination_ip"]
+      remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
+      remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
+    }
+    if "bro_conn" in [class] {
+      mutate {
+        #add_field => { "metaclass" => "connection" }
+        rename => { "original_bytes" => "sentbytes" }
+        rename => { "respond_bytes" => "rcvdbytes" }
+        rename => { "connection_state" => "connstate" }
+        rename => { "uid" => "connectionid" }
+        rename => { "respond_packets" => "rcvdpackets" }
+        rename => { "original_packets" => "sentpackets" }
+        rename => { "respond_ip_bytes" => "rcvdipbytes" }
+        rename => { "original_ip_bytes" => "sentipbytes" }
+        rename => { "local_respond" => "local_resp" }
+        rename => { "local_orig" => "localorig" }
+        rename => { "missed_bytes" => "missingbytes" }
+      }
+    }
+    if "bro_dns" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "answers" => "answer" }
+        rename => { "query" => "domain" }
+        rename => { "query_class" => "queryclass" }
+        rename => { "query_class_name" => "queryclassname" }
+        rename => { "query_type" => "querytype" }
+        rename => { "query_type_name" => "querytypename" }
+        rename => { "ra" => "recursionavailable" }
+        rename => { "rd" => "recursiondesired" }
+      }
+    }
+    if "bro_dhcp" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dhcp"}
+        rename => { "message_types" => "direction" }
+				rename => { "lease_time" => "duration" }
+      }
+    }
+    if "bro_files" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "missing_bytes" => "missingbytes" }
+        rename => { "fuid" => "fileid" }
+        rename => { "uid" => "connectionid" }
+      }
+    }
+    if "bro_http" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "virtual_host" => "hostname" }
+        rename => { "status_code" => "statuscode" }
+        rename => { "status_message" => "statusmsg" }
+        rename => { "resp_mime_types" => "rcvdmimetype" }
+        rename => { "resp_fuids" => "rcvdfileid" }
+        rename => { "response_body_len" => "rcvdbodybytes" }
+        rename => { "request_body_len" => "sentbodybytes" }
+        rename => { "uid" => "connectionid" }
+        rename => { "ts"=> "eventtime" }
+	      rename => { "@timestamp"=> "eventtime" }
+      }
+    }
+    if "bro_ssl" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "status_code" => "statuscode" }
+        rename => { "status_message" => "statusmsg" }
+        rename => { "resp_mime_types" => "rcvdmimetype" }
+        rename => { "resp_fuids" => "rcvdfileid" }
+        rename => { "response_body_len" => "rcvdbodybytes" }
+        rename => { "request_body_len" => "sentbodybytes" }
+      }
+    }
+		if "bro_weird" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+        rename => { "name" => "eventname" }
+      }
+    }
+		if "bro_x509" in [class] {
+      mutate{
+        #add_field = { "metaclass" => "dns"}
+				rename => { "certificate_common_name" => "certname" }
+        rename => { "certificate_subject" => "certsubject" }
+				rename => { "issuer_common_name" => "issuer" }
+				rename => { "certificate_issuer" => "issuersubject" }
+				rename => { "certificate_not_valid_before" => "issuetime" }
+				rename => { "certificate_key_type" => "cert_type" }
+      }
+    }
+  }
+}
+
+output {
+  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+    http {
+      url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
+      http_method => post
+      http_compression => true
+      socket_timeout => 60
+      headers => ["Authorization","{{ HELIX_API_KEY }}"]
+      format => json_batch
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
new file mode 100644
index 000000000..6b7667f5c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
@@ -0,0 +1,40 @@
+input {
+  beats {
+    port => "5644"
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+  if [type] == "ids" or [type] =~ "bro" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "sensor_name" => "%{[beat][name]}" }
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] =~ "ossec" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+   }
+    if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+        	}
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
diff --git a/salt/logstash/files/dynamic/9999_output_redis.conf b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
similarity index 100%
rename from salt/logstash/files/dynamic/9999_output_redis.conf
rename to salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
diff --git a/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_start', Time.now.to_f)"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+		rename => { "MESSAGE" => "message" }
+		rename => { "PROGRAM" => "type" }
+		rename => { "FACILITY" => "syslog-facility" }
+		rename => { "FILE_NAME" => "syslog-file_name" }
+		rename => { "HOST" => "syslog-host" }
+		rename => { "HOST_FROM" => "syslog-host_from" }
+		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+		rename => { "PID" => "syslog-pid" }
+		rename => { "PRIORITY" => "syslog-priority" }
+		rename => { "SOURCEIP" => "syslog-sourceip" }
+		rename => { "TAGS" => "syslog-tags" }
+		lowercase => [ "syslog-host_from" ]
+		remove_field => [ "ISODATE" ]
+		remove_field => [ "SEQNUM" ]
+          	#add_tag => [ "conf_file_1001"]
+	}
+	if "bro_" in [type] {
+		mutate {
+			add_tag => [ "bro" ]
+		}
+	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+		mutate {
+			add_tag => [ "syslog" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "json" in [tags]{
+    json {
+      source => "message"
+    }
+    mutate {
+      remove_tag => [ "json" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+  if "syslog" in [tags] {
+    if [host] == "172.16.1.1" {
+      mutate {
+        add_field => { "type" => "fortinet" }
+        add_tag => [ "firewall" ]
+      }
+    }
+    if [host] == "10.0.0.101" {
+      mutate {
+        add_field => { "type" => "brocade" }
+        add_tag => [ "switch" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1004"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
+filter {
+  if [type] == "dhcp" {
+    mutate {
+      add_field => { "Hostname" => "%{host}" }
+    }
+    mutate {
+      strip => "message"
+    }
+	  # This is the initial parsing of the log
+      grok {
+        # Server 2008+
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+        # Server 2003
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+      }
+	  # This section below translates the message ID into something humans can understand.
+      if [id] == "00" {
+        mutate {
+          add_field => [ "event", "The log was started"]
+        }
+      }
+      if [id] == "01" {
+        mutate {
+          add_field => [ "event", "The log was stopped"]
+        }
+      }
+      if [id] == "02" {
+        mutate {
+          add_field => [ "event", "The log was temporarily paused due to low disk space"]
+        }
+      }
+      if [id] == "10" {
+        mutate {
+          add_field => [ "event", "A new IP address was leased to a client"]
+        }
+      }
+      if [id] == "11" {
+        mutate {
+          add_field => [ "event", "A lease was renewed by a client"]
+        }
+      }
+      if [id] == "12" {
+        mutate {
+          add_field => [ "event", "A lease was released by a client"]
+        }
+      }
+      if [id] == "13" {
+        mutate {
+          add_field => [ "event", "An IP address was found to be in use on the network"]
+        }
+      }
+      if [id] == "14" {
+        mutate {
+          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+        }
+      }
+      if [id] == "15" {
+        mutate {
+          add_field => [ "event", "A lease was denied"]
+        }
+      }
+      if [id] == "16" {
+        mutate {
+          add_field => [ "event", "A lease was deleted"]
+        }
+      }
+      if [id] == "17" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+        }
+      }
+      if [id] == "18" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records were deleted"]
+        }
+      }
+      if [id] == "20" {
+        mutate {
+          add_field => [ "event", "A BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "21" {
+        mutate {
+          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "22" {
+        mutate {
+          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+        }
+      }
+      if [id] == "23" {
+        mutate {
+          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+        }
+      }
+      if [id] == "24" {
+        mutate {
+          add_field => [ "event", "IP address cleanup operation has began"]
+        }
+      }
+      if [id] == "25" {
+        mutate {
+          add_field => [ "event", "IP address cleanup statistics"]
+        }
+      }
+      if [id] == "30" {
+        mutate {
+          add_field => [ "event", "DNS update request to the named DNS server"]
+        }
+      }
+      if [id] == "31" {
+        mutate {
+          add_field => [ "event", "DNS update failed"]
+        }
+      }
+      if [id] == "32" {
+        mutate {
+          add_field => [ "event", "DNS update successful"]
+        }
+      }
+      if [id] == "33" {
+        mutate {
+          add_field => [ "event", "Packet dropped due to NAP policy"]
+        }
+      }
+	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
+      #if "_grokparsefailure" not in [tags] { 
+      #  mutate {
+      #    remove_field => [ "message"]
+      #  }
+      #}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
+filter {
+  # This is an example of using an IP address range to classify a syslog message to a specific type of log
+  # This is helpful as so many devices only send logs via syslog
+  if [host] =~ "10\.[0-1]\.9\." {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [host] =~ "\.234$" {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [type] == "esxi" {
+     grok {
+          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+    }
+	mutate {
+		#add_tag => [ "conf_file_1029"]
+	}
+  }
+}
+
diff --git a/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "greensql" {
+    # This section is parsing out the fields for GreenSQL syslog data
+    grok {
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+    }
+	# Remove the message field as it is unnecessary
+    #mutate {
+    #  remove_field => [ "message"]
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1030"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "iis" {
+    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
+    json {
+      source => "message"
+    }
+    # This removes the message field as it is unneccesary and tags the packet as web
+    mutate {
+    #  remove_field => [ "message"]
+      add_tag => [ "web" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1031"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+  if [type] == "mcafee" {
+    # NXLog should be sending the logs in JSON format so they auto parse
+    json {
+      source => "message"
+    }
+	# This section converts the UTC fields to the proper time format
+    date {
+      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "ReceivedUTC" ]
+    }
+    date {
+      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "DetectedUTC" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1032"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+  if [type] == "ids" {
+    # This is the initial parsing of the log
+    if [engine] == "suricata" {
+        json {
+            source => "message"
+        }
+        mutate {
+	    rename => { "alert" => "orig_alert" } 
+            rename => { "[orig_alert][gid]" => "gid" }
+            rename => { "[orig_alert][signature_id]" => "sid" }
+            rename => { "[orig_alert][rev]" => "rev" }
+            rename => { "[orig_alert][signature]" => "alert" }
+            rename => { "[orig_alert][category]" => "classification" }
+            rename => { "[orig_alert][severity]" => "priority" }
+	    rename => { "[orig_alert][rule]" => "rule_signature" }
+            rename => { "app_proto" => "application_protocol" }
+            rename => { "dest_ip" => "destination_ip" }
+            rename => { "dest_port" => "destination_port" }
+            rename => { "in_iface" => "interface" }
+            rename => { "proto" => "protocol" }
+            rename => { "src_ip" => "source_ip" }
+            rename => { "src_port" => "source_port" }
+	    #rename => { "[fileinfo][filename]" => "filename" }
+            #rename => { "[fileinfo][gaps]" => "gaps" }
+            #rename => { "[fileinfo][size]" => "size" }
+            #rename => { "[fileinfo][state]" => "state" }
+            #rename => { "[fileinfo][stored]" => "stored" }
+            #rename => { "[fileinfo][tx_id]" => "tx_id" }
+            #rename => { "[flow][age]" => "duration" }
+            #rename => { "[flow][alerted]" => "flow_alerted" }
+            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+            #rename => { "[flow][end]" => "flow_end" }
+            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+            #rename => { "[flow][reason]" => "reason" }
+            #rename => { "[flow][start]" => "flow_start" }
+            #rename => { "[flow][state]" => "state" }
+            #rename => { "[netflow][age]" => "duration" }
+            #rename => { "[netflow][bytes]" => "bytes" }
+            #rename => { "[netflow][end]" => "netflow_end" }
+            #rename => { "[netflow][start]" => "netflow_start" }
+            #rename => { "[netflow][pkts]" => "packets" }
+            rename => { "[alert][action]" => "action" }
+            rename => { "[alert][category]" => "category" }
+            rename => { "[alert][gid]" => "gid" }
+            rename => { "[alert][rev]" => "rev" }
+            rename => { "[alert][severity]" => "severity" }
+            rename => { "[alert][signature]" => "signature" }
+            rename => { "[alert][signature_id]" => "sid" }
+	    #rename => { "[dns][aa]" => "aa" }
+            #rename => { "[dns][flags]" => "flags" }
+	    #rename => { "[dns][id]" => "id" }
+	    #rename => { "[dns][qr]" => "qr" }
+            #rename => { "[dns][rcode]" => "rcode_name" }
+	    #rename => { "[dns][rrname]" => "rrname" }
+	    #rename => { "[dns][rrtype]" => "rrtype" }
+            #rename => { "[dns][tx_id]" => "tx_id" }
+	    #rename => { "[dns][type]" => "record_type" }
+	    #rename => { "[dns][version]" => "version" }
+            rename => { "[http][hostname]" => "virtual_host" }
+            rename => { "[http][http_content_type]" => "content_type" }
+            rename => { "[http][http_port]" => "http_port" }
+            rename => { "[http][http_method]" => "method" }
+	    rename => { "[http][http_user_agent]" => "useragent" }
+            #rename => { "[http][length]" => "payload_length" }
+            #rename => { "[http][protocol]" => "http_version" }
+            rename => { "[http][status]" => "status_message" }
+            rename => { "[http][url]" => "url" }
+            #rename => { "[metadata][flowbits]" => "flowbits" }
+            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+            rename => { "[tls][subject]" => "certificate_common_name" }
+            rename => { "[tls][version]" => "tls_version" }
+	    rename => { "event_type" => "ids_event_type" }
+	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+	    remove_tag => [ "beats_input_codec_plain_applied" ]
+	    add_tag => [ "eve" ]
+             
+	}
+    } else {
+        grok {
+          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+                "message", "%{GREEDYDATA:alert}"]
+        }
+    }
+    if [timestamp] {
+        mutate {
+                add_field => { "logstash_timestamp" => "%{@timestamp}" }
+        }
+        mutate {
+                convert => { "logstash_timestamp" => "string" }
+        }
+        date {
+                match => [ "timestamp", "ISO8601" ]
+        }
+        mutate {
+                rename => { "logstash_timestamp" => "timestamp" }
+        }
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+  if [type] == "syslog" { 
+    # This drops syslog messages regarding license messages.  You may want to comment it out.
+    #if [message] =~ "license" {
+    #  drop { }
+    #}
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	}
+  }  
+}
diff --git a/salt/logstash/conf/pipelines/search/2000_network_flow.conf b/salt/logstash/conf/pipelines/search/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "sflow" {
+    if [message] =~ /CNTR/ {
+      drop { }
+    }
+
+    grok {
+      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+    }
+
+    if "_grokparsefailure" in [tags] {
+      drop { }
+    }
+
+    mutate {
+      add_field => {
+        "[source_hostname]" => "%{source_ip}"
+        "[destination_hostname]" => "%{destination_ip}"
+        "[sflow_source_hostname]" => "%{sflow_source_ip}"
+      }
+    }
+
+    translate {
+      field => "[source_port]"
+      destination => "[source_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[destination_port]"
+      destination => "[destination_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[protocol]"
+      destination => "[protocol_name]"
+      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+    }
+
+    translate {
+      field => "[tcp_flags]"
+      destination => "[tcp_flag]"
+      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+    }
+
+    mutate {
+      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+    }
+	mutate {
+		#add_tag => [ "conf_file_2000"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6002_syslog.conf b/salt/logstash/conf/pipelines/search/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+  if "syslog" in [tags] {
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	  #add_tag => [ "conf_file_6002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "brocade" {
+    grok {
+      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+    }
+    grok {
+      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+    }
+    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+      grok {
+        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+      }
+      mutate {
+        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+      }
+    }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+      timezone => "America/Chicago"
+      remove_field => "syslog_timestamp"
+      remove_field => "received_at"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6101"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "fortinet" {
+    mutate {
+      gsub => [ "message", "= ", "=NA " ]
+    }
+
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+       tag_on_failure => []
+    }
+    grok {
+       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+       tag_on_failure => []
+    }
+    kv {
+      source => "kv"
+      exclude_keys => [ "type" ]
+    }
+    mutate {
+      gsub => [ "log", "= ", "=NA " ]
+    }
+    kv {
+      source => "log"
+      target => "SubLog"
+    }
+    grok {
+       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+       tag_on_failure => [ "" ]
+    }
+    mutate {
+      rename => {  "action" => "action" }
+      rename => {  "addr" => "addr_ip" }
+      rename => {  "age" => "age" }
+      rename => {  "assigned" => "assigned_ip" }
+      rename => {  "assignip" => "assign_ip" }
+      rename => {  "ap" => "access_point" }
+      rename => {  "app" => "application" }
+      rename => {  "appcat" => "application_category" }
+      rename => {  "applist" => "application_list" }
+      rename => {  "apprisk" => "application_risk" }
+      rename => {  "approfile" => "accessPoint_profile" }
+      rename => {  "apscan" => "access_point_scan" }
+      rename => {  "apstatus" => "acces_point_status" }
+      rename => {  "aptype" => "access_point_type" }
+      rename => {  "authproto" => "authentication_protocol" }
+      rename => {  "bandwidth" => "bandwidth" }
+      rename => {  "banned_src" => "banned_source" }
+      rename => {  "cat" => "category" }
+      rename => {  "catdesc" => "category_description" }
+      rename => {  "cfgattr" => "configuration_attribute" }
+      rename => {  "cfgobj" => "configuration_object" }
+      rename => {  "cfgpath" => "configuration_path" }
+      rename => {  "cfgtid" => "configuration_transaction_id" }
+      rename => {  "channel" => "channel" }
+      rename => {  "community" => "community" }
+      rename => {  "cookies" => "cookies" }
+      rename => {  "craction" => "cr_action" }
+      rename => {  "crlevel" => "cr_level" }
+      rename => {  "crscore" => "cr_score" }
+      rename => {  "datarange" => "data_range" }
+      rename => {  "desc" => "description" }
+      rename => {  "detectionmethod" => "detection_method" }
+      rename => {  "devid" => "device_id" }
+      rename => {  "devname" => "device_name" }
+      rename => {  "devtype" => "device_type" }
+      rename => {  "dhcp_msg" => "dhcp_message" }
+      rename => {  "disklograte" => "disk_lograte" }
+      rename => {  "dstcountry" => "destination_country" }
+      rename => {  "dstintf" => "destination_interface" }
+      rename => {  "dstip" => "destination_ip" }
+      rename => {  "dstport" => "destination_port" }
+      rename => {  "duration" => "elapsed_time" }
+      rename => {  "error_num" => "error_number" }
+      rename => {  "espauth" => "esp_authentication" }
+      rename => {  "esptransform" => "esp_transform" }
+      rename => {  "eventid" => "event_id" }
+      rename => {  "eventtype" => "event_type" }
+      rename => {  "fazlograte" => "faz_lograte" }
+      rename => {  "filename" => "file_name" }
+      rename => {  "filesize" => "file_size" }
+      rename => {  "filetype" => "file_type" }
+      rename => {  "hostname" => "hostname" }
+      rename => {  "ip" => "source_ip" }
+      rename => {  "localip" => "source_ip" }
+      rename => {  "locip" => "local_ip" }
+      rename => {  "locport" => "source_port" }
+      rename => {  "logid" => "log_id" }
+      rename => {  "logver" => "log_version" }
+      rename => {  "manuf" => "manufacturer" }
+      rename => {  "mem" => "memory" }
+      rename => {  "meshmode" => "mesh_mode" }
+      rename => {  "msg" => "message" }
+      rename => {  "nextstat" => "next_stat" }
+      rename => {  "onwire" => "on_wire" }
+      rename => {  "osname" => "os_name" }
+      rename => {  "osversion" => "unauthenticated_user" }
+      rename => {  "outintf" => "outbound_interface" }
+      rename => {  "peer_notif" => "peer_notification" }
+      rename => {  "phase2_name" => "phase2_name" }
+      rename => {  "policyid" => "policy_id" }
+      rename => {  "policytype" => "policy_type" }
+      rename => {  "port" => "port" }
+      rename => {  "probeproto" => "probe_protocol" }
+      rename => {  "proto" => "protocol_number" }
+      rename => {  "radioband" => "radio_band" }
+      rename => {  "radioidclosest" => "radio_id_closest" }
+      rename => {  "radioiddetected" => "radio_id_detected" }
+      rename => {  "rcvd" => "bytes_received" }
+      rename => {  "rcvdbyte" => "bytes_received" }
+      rename => {  "rcvdpkt" => "packets_received" }
+      rename => {  "remip" => "destination_ip" }
+      rename => {  "remport" => "remote_port" }
+      rename => {  "reqtype" => "request_type" }
+      rename => {  "scantime" => "scan_time" }
+      rename => {  "securitymode" => "security_mode" }
+      rename => {  "sent" => "bytes_sent" }
+      rename => {  "sentbyte" => "bytes_sent" }
+      rename => {  "sentpkt" => "packets_sent" }
+      rename => {  "session_id" => "session_id" }
+      rename => {  "setuprate" => "setup_rate" }
+      rename => {  "sn" => "serial" }
+      rename => {  "snclosest" => "serial_closest_access_point" }
+      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+      rename => {  "snmeshparent" => "serial_mesh_parent" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "stacount" => "station_count" }
+      rename => {  "stamac" => "static_mac" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "sn" => "serial" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "total" => "total_bytes" }
+      rename => {  "totalsession" => "total_sessions" }
+      rename => {  "trandisp" => "nat_translation_type" }
+      rename => {  "tranip" => "nat_destination_ip" }
+      rename => {  "tranport" => "nat_destination_port" }
+      rename => {  "transip" => "nat_source_ip" }
+      rename => {  "transport" => "nat_source_port" }
+      rename => {  "tunnelid" => "tunnel_id" }
+      rename => {  "tunnelip" => "tunnel_ip" }
+      rename => {  "tunneltype" => "tunnel_type" }
+      rename => {  "unauthuser" => "unauthenticated_user_source" }
+      rename => {  "unauthusersource" => "os_version" }
+      rename => {  "vendorurl" => "vendor_url" }
+      rename => {  "vpntunnel" => "vpn_tunnel" }
+      rename => {  "vulncat" => "vulnerability_category" }
+      rename => {  "vulncmt" => "vulnerability_count" }
+      rename => {  "vulnid" => "vulnerability_id" }
+      rename => {  "vulnname" => "vulnerability_name" }
+      rename => {  "vulnref" => "vulnerability_reference" }
+      rename => {  "vulnscore" => "vulnerability_score" }
+      rename => {  "xauthgroup" => "x_authentication_group" }
+      rename => {  "xauthuser" => "x_authentication_user" }
+      rename => {  "[SubLog][appid]" => "sub_application_id" }
+      rename => {  "[SubLog][devid]" => "sub_device_id" }
+      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
+      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
+      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
+      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
+      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
+      rename => {  "[SubLog][date]" => "sub_date" }
+      rename => {  "[SubLog][time]" => "sub_time" }
+      rename => {  "[SubLog][srcport]" => "sub_source_port" }
+      rename => {  "[SubLog][subtype]" => "sub_subtype" }
+      rename => {  "[SubLog][devname]" => "sub_device_name" }
+      rename => {  "[SubLog][itime]" => "sub_itime" }
+      rename => {  "[SubLog][level]" => "sub_level" }
+      rename => {  "[SubLog][logid]" => "sub_log_id" }
+      rename => {  "[SubLog][logver]" => "sub_log_version" }
+      rename => {  "[SubLog][type]" => "sub_event_type" }
+      rename => {  "[SubLog][vd]" => "sub_vd" }
+      rename => {  "[SubLog][action]" => "sub_action" }
+      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
+      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
+      rename => {  "[SubLog][reason]" => "sub_reason" }
+      rename => {  "[SubLog][service]" => "sub_service" }
+      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
+      rename => {  "[SubLog][src]" => "sub_source_ip" }
+      rename => {  "[SubLog][status]" => "sub_status" }
+      rename => {  "[SubLog][ui]" => "sub_ui" }
+      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+      strip => [ "bytes_sent", "bytes_received" ]
+      convert => [ "bytes_sent", "integer" ]
+      convert => [ "bytes_received", "integer" ]
+      convert => [ "cr_score", "integer" ]
+      convert => [ "cr_action", "integer" ]
+      convert => [ "elapsed_time", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "local_port", "integer" ]
+      convert => [ "remote_port", "integer" ]
+      convert => [ "packets_sent", "integer" ]
+      convert => [ "packets_received", "integer" ]
+      convert => [ "port", "integer" ]
+      convert => [ "ProtocolNumber", "integer" ]
+      convert => [ "XAuthUser", "string" ]
+      remove_field => [ "kv", "log" ]
+    }
+    if [tunnel_ip] == "N/A" {
+      mutate {
+        remove_field => [ "tunnel_ip" ]
+      }
+    }
+    if [nat_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+      }
+    }
+    if [sub_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+      }
+    }
+    if [nat_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+      }
+    }
+    if [sub_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+      }
+    }
+    if [addr_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{addr_ip}" ] }
+      }
+    }
+    if [assign_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assign_ip}" ] }
+      }
+    }
+    if [assigned_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assigned_ip}" ] }
+      }
+    }
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+    }
+    if [date] and [time] {
+      mutate {
+        add_field => { "receive_time" => "%{date} %{time}" }
+        remove_field => [ "date", "time" ]
+      }
+      date {
+        timezone => "America/Chicago"
+        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+        target => "receive_time"
+      }
+      mutate {
+        rename => { "receive_time" => "@timestamp" }
+      }
+    } else {
+      mutate {
+        add_tag => [ "missing_date" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6200"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+  if [type] == "filterlog" {
+    dissect {
+      mapping => {
+        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+      }
+    }
+    if [ip_version] == "4" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [ip_version] == "6" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [protocol] == "tcp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+      	}
+      }
+    }
+    if [protocol] == "udp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+      	}
+      }
+    }
+    if [protocol] == "Options" {
+      mutate {
+	  copy => { "ip_sub_msg" => "options" }
+        }
+      mutate {
+          split => { "options" => "," }
+        }
+    }
+    mutate {
+      convert 		=> [ "destination_port", "integer" ]
+      convert 		=> [ "source_port", "integer" ]    
+      convert 		=> [ "ip_version", "integer" ]
+      replace 		=> { "type" => "firewall" }
+      add_tag		=> [ "pfsense","firewall" ]
+      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6300_windows.conf b/salt/logstash/conf/pipelines/search/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "windows" {
+#    json {
+#      source => "message"
+#    }
+    date {
+      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+      remove_field => [ "EventTime" ]
+    }
+    if [EventID] == 4634 {
+      mutate {
+        add_tag => [ "logoff" ]
+      }
+    }
+    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+      mutate {
+        add_tag => [ "logon" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+      mutate {
+        add_tag => [ "logon_failure" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+      mutate {
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 5152 { drop {} }
+    if [EventID] == 4688 { drop {} }
+    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+    # Whitelist/Blacklist check
+    if [EventID] == 7045 {
+      translate {
+        field => "ServiceName"
+        destination => "ServiceCheck"
+        dictionary_path => "/lib/dictionaries/services.yaml"
+      }
+    }
+    if [EventID] == 7045 and !([ServiceCheck]) {
+      mutate {
+        add_tag => [ "alert_data","new_service" ] 
+      }
+    }
+    if [ServiceCheck] == 'whitelist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "whitelist" ]
+      }
+    }
+    if [ServiceCheck] == 'blacklist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "blacklist" ]
+      }
+    }
+    if [EventID] == 5158 {
+      if [Application] == "System" { drop {} }
+      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+      if [Application] =~ "mcafee" { drop {} }
+      if [Application] =~ "carestream" { drop {} }
+      if [Application] =~ "Softdent" { drop {} }
+    }
+    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+    if [EventID] == 4690 { drop {} }
+    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+    if [EventID] == 5447 { drop {} }
+
+    mutate {
+      rename => [ "AccountName", "user" ]
+      rename => [ "AccountType", "account_type" ]
+      rename => [ "ActivityID", "activity_id" ]
+      rename => [ "Category", "category" ]
+      rename => [ "ClientAddress", "client_ip" ]
+      rename => [ "Channel", "channel" ]
+      rename => [ "DCIPAddress", "domain_controller_ip" ]
+      rename => [ "DCName", "domain_controller_name" ]
+      rename => [ "EventID", "event_id" ]
+      rename => [ "EventReceivedTime", "event_received_time" ]
+      rename => [ "EventType", "event_type" ]
+      rename => [ "GatewayIPAddress", "gateway_ip" ]
+      rename => [ "IPAddress", "client_ip" ]
+      rename => [ "Ipaddress", "client_ip" ]
+      rename => [ "IpAddress", "client_ip" ]
+      rename => [ "IPPort", "source_port" ]
+      rename => [ "OpcodeValue", "opcode_value" ]
+      rename => [ "PreAuthType", "preauthentication_type" ]
+      rename => [ "PrincipleSAMName", "user" ]
+      rename => [ "ProcessID", "process_id" ]
+      rename => [ "ProviderGUID", "providerguid" ]
+      rename => [ "RecordNumber", "record_number" ]
+      rename => [ "RemoteAddress", "destination_ip" ]
+      rename => [ "ServiceName", "service_name" ]
+      rename => [ "ServiceID", "service_id" ]
+      rename => [ "SeverityValue", "severity_value" ]
+      rename => [ "SourceAddress", "client_ip" ]
+      rename => [ "SourceModuleName", "source_module_name" ]
+      rename => [ "SourceModuleType", "source_module_type" ]
+      rename => [ "SourceName", "source_name" ]
+      rename => [ "SubjectUserName", "user" ]
+      rename => [ "TaskName", "task_name" ]
+      rename => [ "TargetDomainName", "target_domain_name" ]
+      rename => [ "TargetUserName", "user" ]
+      rename => [ "ThreadID", "thread_id" ]
+      rename => [ "User_ID", "user" ]
+      rename => [ "UserID", "user" ]
+      rename => [ "username", "user" ]
+    }
+    # For any accounts that are service accounts or special accounts add the tag of service_account
+    # This example applies the tag to any username that starts with SVC_.  If you use a different
+    # standard change this.
+    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+      mutate {
+        add_tag => [ "service_account" ]
+      }
+    }
+    # This looks for events that are typically noisy but may be of use for deep dive investigations
+    # A tag of noise is added to quickly filter out noise
+    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+      mutate {
+        add_tag => [ "noise" ]
+      }
+    }
+    #Identify machine accounts
+    if [user] =~ /\$/ {
+      mutate {
+        add_tag => [ "machine", "noise" ]
+      }
+    }
+    # Lower case all field names
+    ruby {
+      code => "
+        event_hash = event.to_hash
+        new_event = {}
+        event_hash.keys.each do |key|
+        new_event[key.downcase] = event[key]
+        end
+        event.instance_variable_set(:@data, new_event)"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6300"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6301_dns_windows.conf b/salt/logstash/conf/pipelines/search/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "dns" and "bro" not in [tags] {
+    json {
+      source => "message"
+    }
+    # strip whitespace from message field
+    mutate {
+      strip => "message"
+    }
+    # If the message is blank, drop the log
+    if [Message] =~ /^$/ {
+      drop {  }
+    } else {
+      if [type] == "dns" {
+  	  # This section is lookup for a match against the log and parsing out the fields
+        grok {
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          remove_field => [ "Message" ]
+        }
+  	  # This section attempts to convert the dns_domain into the traditional domain.com format
+        mutate {
+          gsub => [ "dns_domain", "(\(\d+\))", "." ]
+        }
+        grok {
+          match => { "dns_domain" => "\.%{DATA:query}\.$" }
+          remove_field => [ "dns_domain" ]
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6301"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6400_suricata.conf b/salt/logstash/conf/pipelines/search/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+  if [type] == "suricata" {
+    if "test_data" not in [tags] {
+      date {
+        match => [ "timestamp", "ISO8601" ]
+      }
+    } else {
+      mutate {
+        remove_field => [ "netflow.start","netflow.end","timestamp" ]
+      }
+    }
+    if [event_type] == "fileinfo" {
+      ruby {
+        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
+      }
+    }
+	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
+    mutate {
+      rename => [ "src_ip", "source_ip" ]
+      rename => [ "dest_ip", "destination_ip" ]
+      rename => [ "src_port", "source_port" ]
+      rename => [ "dest_port", "destination_port" ]
+    }
+	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
+    if [event_type] == "alert" {
+      if [alert][severity] == 1 {
+        mutate {
+          add_field => { "severity" => "High" }
+        }
+      }
+      if [alert][severity] == 2 {
+        mutate {
+          add_field => { "severity" => "Medium" }
+        }
+      }
+      if [alert][severity] == 3 {
+        mutate {
+          add_field => { "severity" => "Low" }
+        }
+      }
+	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "GPL " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Snort GPL" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "ET " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Emerging Threats" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # This section adds URLs to lookup information about a rule online
+      if [rule_type] == "Snort GPL" {
+        mutate {
+          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+        }
+      }
+      if [rule_type] == "Emerging Threats" {
+        mutate {
+          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+        }
+      }
+    }
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+    #  mutate {
+    #    remove_field => [ "message" ]
+    #  }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6400"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6500_ossec.conf b/salt/logstash/conf/pipelines/search/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+  # OSSEC Alerts
+  if [type] == "ossec" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+        if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate {
+                replace => { "type" => "sysmon" }
+                add_tag => [ "ossec" ]
+            }
+        }
+        if [message] =~ "AR-LOG" {
+            mutate {
+                replace => { "type" => "autoruns" }
+                add_tag => [ "ossec" ]
+            }
+        }
+		
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+			rename => { "rule" => "wazuh-rule" }
+			rename => { "[wazuh-rule][level]" => "alert_level" }
+			rename => { "[wazuh-rule][description]" => "description" }
+			rename => { "[data][srcuser]" => "username" }
+			rename => { "[data][dstuser]" => "escalated_user" }
+			rename => { "[data][command]" => "command" }
+			rename => { "[predecoder][program_name]" => "process" }
+			
+                }
+                # Wazuh 3.8.2
+                if [data][EventChannel] {
+        		mutate {
+				rename => { "[data][EventChannel][EventData][User]" => "username" }
+        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+			}
+		}
+                # Wazuh 3.9.2
+		if [data][win] {
+                        mutate {
+				rename => { "[data][win][eventdata][user]" => "username" }
+                        	rename => { "[data][win][system][eventID]" => "event_id" }
+                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
+                        }
+		}
+	} else {
+		grok {
+			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+		}
+	}
+	
+	# Add tag for OSSEC alerts
+	if [alert_level] {
+            mutate {
+		add_tag => [ "alert" ]
+	    }
+        }
+
+	translate {
+		field => "alert_level"
+
+		destination => "classification"
+
+		dictionary => [
+               	    "1", "None",
+		    "2", "System low priority notification",
+		    "3", "Successful/authorized event",
+		    "4", "System low priority error",
+		    "5", "User generated error",
+		    "6", "Low relevance attack",
+		    "7", '"Bad word" matching',
+		    "8", "First time seen",
+		    "9", "Error from invalid source",
+		    "10", "Multiple user generated errors",
+		    "11", "Integrity checking warning",
+		    "12", "High importance event",
+		    "13", "Unusal error (high importance)",
+		    "14", "High importance security event",
+		    "15", "Severe attack"
+               	]
+	}
+  }
+
+  # OSSEC Archive Logs
+  if [type] == "ossec_archive" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+	if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate { 
+                replace => { "type" => "sysmon" } 
+                add_tag => [ "ossec" ] 
+	    }
+        }
+	if [message] =~ "AR-LOG" {
+            mutate { 
+                replace => { "type" => "autoruns" } 
+                add_tag => [ "ossec" ]
+            }
+        }
+
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+                        rename => [ "rule", "wazuh-rule" ]
+                        rename => [ "[wazuh-rule][level]", "alert_level" ]
+                        rename => [ "[wazuh-rule][description]", "description" ]
+                        rename => [ "[data][srcuser]", "username" ]
+                        rename => [ "[data][dstuser]", "escalated_user" ]
+                        rename => [ "[data][command]", "command" ]
+                        rename => [ "[predecoder][program_name]", "process" ]
+                }
+	} else {
+		grok {
+			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+			remove_field => [ "ossec_timestamp" ]
+		}
+		mutate {
+			convert => [ "status_code", "integer" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "sysmon" or "sysmon" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      #mutate { replace => { "type" => "sysmon" } }
+      grok {
+      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+      }
+      mutate {
+        convert => ["event_id", "integer"]
+        remove_field => ["timestamp"]
+        remove_field => ["year"]
+      }
+      if [event_id] == 1 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_creation"]
+        }
+      }
+      if [event_id] == 3 {
+        mutate {
+          remove_field => ["source_ip"]
+        }
+        grok {
+        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          convert => ["source_port", "integer"]
+          convert => ["destination_port", "integer"]
+          add_tag => ["network_connection"]
+        }
+      }
+      if [event_id] == 5 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_termination"]
+        }
+      }
+      if [event_id] == 11 {
+        grok {
+          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["file_created"]
+        }
+      }
+      mutate {
+        remove_field => ["rest_of_msg"]
+      }
+    } else {
+      mutate {
+	rename => { "[data][srcuser]" => "username" }
+        rename => { "[data][id]" => "event_id" }
+        rename => { "[data][dstport]" => "destination_port" }
+        rename => { "[data][dstip]" => "destination_ip" }
+        rename => { "[data][srcip]" => "source_ip" }
+        rename => { "[data][sysmon][image]" => "image_path" }
+        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+      }
+      # Wazuh 3.8.2  
+      if [data][EventChannel] {
+        mutate {
+           rename => { "[data][EventChannel][EventData][User]" => "username" }
+           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+	}
+      }
+      # Wazuh 3.9.2
+      if [data][win] {
+        mutate {
+          rename => { "[data][win][eventdata][user]" => "username" }
+          rename => { "[data][win][system][eventID]" => "event_id" }
+          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+          rename => { "[data][win][eventdata][image]" => "image_path" }
+          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+        }
+      }    
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+  if [type] == "autoruns" or "autoruns" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      grok {
+        match => [
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+    #csv {
+#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+#      separator => "|"
+#      }
+      mutate {
+        remove_field => [ "year" ]
+        remove_field => [ "timestamp" ]
+      }
+    } else {
+        grok {
+        match => [
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+      mutate {
+        # Rename fields
+      }
+    }
+    date {
+      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+      target => "image_timestamp"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+      mutate {
+        replace => { "type" => "sysmon" }
+        rename => { "[event_data][User]" => "username" }
+        rename => { "[event_data][DestinationPort]" => "destination_port" }
+        rename => { "[event_data][DestinationIp]" => "destination_ip" }
+        rename => { "[event_data][SourceIp]" => "source_ip" }
+        rename => { "[event_data][Image]" => "image_path" }
+        rename => { "[event_data][ParentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[event_data][SourceHostname]" => "source_hostname" }
+        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+	rename => { "[event_data][TargetFilename]" => "target_filename" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+  if "beat" in [tags] {
+      mutate {
+	# As of beats 6.3.0, host is now an object:
+	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+	# This creates a conflict with our existing host string.
+	# So let's rename the host object to beat_host.
+        rename => { "host" => "beat_host" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_http" {
+    if [uri] {
+      ruby {
+        code => "event.set('uri_length', event.get('uri').length)"
+      }
+    }
+    if [virtual_host] {
+      ruby {
+        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+      }
+    }
+    if [useragent] {
+      ruby {
+        code => "event.set('useragent_length', event.get('useragent').length)"
+      }
+    }
+	mutate {
+	  ##add_tag => [ "conf_file_8007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [destination_ip] {
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_destination" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_destination" ]
+      }
+    }
+    if "internal_destination" not in [tags] {
+      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+  }
+  if [source_ip] {
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_source" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_source" ]
+      }
+    }
+    if "internal_source" not in [tags] {
+      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+	mutate {
+		##add_tag => [ "conf_file_8200"]
+	}
+  }
+  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+      mutate {
+          remove_tag => [ "syslog" ]
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_end', Time.now.to_f)"
+  }
+  ruby {
+    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/salt/logstash/files/dynamic/0900_input_redis.conf b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
similarity index 100%
rename from salt/logstash/files/dynamic/0900_input_redis.conf
rename to salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
diff --git a/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
new file mode 100644
index 000000000..553500281
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      pipeline => "%{event_type}"
+      hosts => "{{ ES }}"
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "ids" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "ids" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
new file mode 100644
index 000000000..e95119562
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
new file mode 100644
index 000000000..4bffd7f0a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9500"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+  if [event_type] =~ "ossec" {
+    mutate {
+          ##add_tag => [ "conf_file_9600"]
+        }
+  }
+}
+
+output {
+  if [event_type] =~ "ossec" or "ossec" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ossec-%{+YYYY.MM.dd}"
+      template_name => "logstash-ossec"
+      template => "/logstash-ossec-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/defaults.yml b/salt/logstash/defaults.yml
new file mode 100644
index 000000000..ba6d19534
--- /dev/null
+++ b/salt/logstash/defaults.yml
@@ -0,0 +1,6 @@
+logstash:
+  pipelines:
+    master: 
+      config: "/usr/share/logstash/pipelines/master/*.conf"
+    search: 
+      config: "/usr/share/logstash/pipelines/search/*.conf"
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index a783a3f91..e5bb76b5b 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,11 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
+{% if grains.role != 'so-mastersearch' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
+{% else %} 
+#path.config: /usr/share/logstash/pipeline.enabled/*.conf
+{% endif %}
 
 # Special Docker path
 # path.config: /usr/share/logstash/pipeline
diff --git a/salt/logstash/etc/pipelines.yml.jinja b/salt/logstash/etc/pipelines.yml.jinja
new file mode 100644
index 000000000..07eeacfaf
--- /dev/null
+++ b/salt/logstash/etc/pipelines.yml.jinja
@@ -0,0 +1,4 @@
+{%- for pl in pipelines %}
+- pipeline.id: {{ pl }}
+  path.config: "{{ pipelines[pl].config }}"
+{% endfor -%}
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index c2b80346f..a35f77589 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -37,7 +37,7 @@
 {% set dstats = salt['pillar.get']('master:domainstats', '0') %}
 {% set nodetype = salt['grains.get']('role', '')  %}
 
-{% elif grains['role'] == 'so-eval' %}
+{% elif grains['role'] in ['so-eval','so-mastersearch'] %}
 
 {% set lsheap = salt['pillar.get']('master:lsheap', '') %}
 {% set freq = salt['pillar.get']('master:freq', '0') %}
@@ -46,6 +46,8 @@
 
 {% endif %}
 
+{% set pipelines = salt['pillar.get']('logstash:pipelines', {}) %}
+
 # Create the logstash group
 logstashgroup:
   group.present:
@@ -95,6 +97,34 @@ lscusttemplatedir:
     - group: 939
     - makedirs: True
 
+{% for pl in pipelines %}
+
+ls_pipeline_{{pl}}:
+  file.recurse:
+    - name: /opt/so/conf/logstash/pipelines/{{pl}}
+    - source: salt://logstash/conf/pipelines/{{pl}}
+    - user: 931
+    - group: 939
+    - maxdepth: 0
+
+ls_pipeline_{{pl}}_jinja:
+  file.recurse:
+    - name: /opt/so/conf/logstash/pipelines/{{pl}}
+    - source: salt://logstash/conf/pipelines/{{pl}}/templates
+    - user: 931
+    - group: 939
+    - template: jinja
+
+{% endfor %}
+
+lspipelinesyml:
+  file.managed:
+    - name: /opt/so/conf/logstash/etc/pipelines.yml
+    - source: salt://logstash/etc/pipelines.yml.jinja
+    - template: jinja
+    - defaults: 
+        pipelines: {{ pipelines }}
+
 # Copy down all the configs including custom - TODO add watch restart
 lsetcsync:
   file.recurse:
@@ -103,6 +133,7 @@ lsetcsync:
     - user: 931
     - group: 939
     - template: jinja
+    - exclude_pat: pipelines*
 
 lssync:
   file.recurse:
@@ -123,11 +154,25 @@ lscustsync:
 lsconfsync:
   file.managed:
     - name: /opt/so/conf/logstash/conf.enabled.txt
+{% if grains.role == 'so-mastersearch' %}
+    - source: salt://logstash/conf/conf.enabled.txt.so-master
+{% else %}
     - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}
+{% endif %} 
     - user: 931
     - group: 939
     - template: jinja
 
+{% if grains.role == 'so-mastersearch' %}
+lssearchsync:
+  file.managed:
+    - name: /opt/so/conf/logstash/conf.enabled.txt.search
+    - source: salt://logstash/conf/conf.enabled.txt.search
+    - user: 931
+    - group: 939
+    - template: jinja
+{% endif %}
+
 # Create the import directory
 importdir:
   file.directory:
@@ -152,16 +197,9 @@ lslogdir:
     - group: 939
     - makedirs: True
 
-# Add the container
-so-logstashimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.1
-
 so-logstash:
   docker_container.running:
-    - require:
-      - so-logstashimage
-    - image: docker.io/soshybridhunter/so-logstash:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }}
     - hostname: so-logstash
     - name: so-logstash
     - user: logstash
@@ -182,10 +220,8 @@ so-logstash:
       - /opt/so/conf/logstash/etc/logstash-template.json:/logstash-template.json:ro
       - /opt/so/conf/logstash/etc/logstash-ossec-template.json:/logstash-ossec-template.json:ro
       - /opt/so/conf/logstash/etc/beats-template.json:/beats-template.json:ro
-      - /opt/so/conf/logstash/custom:/usr/share/logstash/pipeline.custom:ro
-      - /opt/so/conf/logstash/rulesets:/usr/share/logstash/rulesets:ro
-      - /opt/so/conf/logstash/dynamic:/usr/share/logstash/pipeline.dynamic
-      - /opt/so/conf/logstash/conf.enabled.txt:/usr/share/logstash/conf.enabled.txt:ro
+      - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
+      - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
       - /opt/so/rules:/etc/nsm/rules:ro
       - /nsm/import:/nsm/import:ro
       - /nsm/logstash:/usr/share/logstash/data:rw
diff --git a/salt/master/init.sls b/salt/master/init.sls
index c6e11279d..fb21f2388 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -15,8 +15,6 @@
 
 {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
 
-{% if masterproxy == 1 %}
-
 socore_own_saltstack:
   file.directory:
     - name: /opt/so/saltstack
@@ -24,7 +22,9 @@ socore_own_saltstack:
     - group: socore
     - recurse:
       - user
-      - group	
+      - group
+
+{% if masterproxy == 1 %}
 
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 0dff9b855..f3e815174 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -41,7 +41,7 @@ m2cryptopkgs:
         bits: 4096
         backup: True
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
 
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
@@ -129,7 +129,7 @@ fbcrtlink:
         backup: True
 
 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
 
 fbcertdir:
   file.directory:
diff --git a/salt/top.sls b/salt/top.sls
index b6bd14bd7..cbe109d10 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -189,3 +189,44 @@ base:
     - launcher
     {%- endif %}
     - schedule
+
+  'G@role:so-mastersearch':
+    - ca
+    - ssl
+    - common
+    - sensoroni
+    - firewall
+    - master
+    - idstools
+    - redis
+    {%- if OSQUERY != 0 %}
+    - mysql
+    {%- endif %}
+    - logstash
+    - elasticsearch
+    - curator
+    - kibana
+    - elastalert
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    - filebeat
+    - utility
+    - schedule
+    {%- if OSQUERY != 0 %}
+    - fleet
+    - launcher
+    {%- endif %}
+    - soctopus
+    {%- if THEHIVE != 0 %}
+    - hive
+    {%- endif %}
+    {%- if PLAYBOOK != 0 %}
+    - playbook
+    {%- endif %}
+    {%- if FREQSERVER != 0 %}
+    - freqserver
+    {%- endif %}
+    {%- if DOMAINSTATS != 0 %}
+    - domainstats
+    {%- endif %}
diff --git a/salt/utility/bin/crossthestreams.sh b/salt/utility/bin/crossthestreams.sh
index 23279ff13..197573bcf 100644
--- a/salt/utility/bin/crossthestreams.sh
+++ b/salt/utility/bin/crossthestreams.sh
@@ -31,6 +31,8 @@ echo "Applying cross cluster search config..."
 
 # Add all the search nodes to cross cluster searching.
 
-{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
+{%- if salt['pillar.get']('nodestab', {}) %}
+  {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 curl -XPUT http://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SNDATA.ip }}:9300"]}}}}}'
-{%- endfor %}
+  {%- endfor %}
+{%- endif %}
diff --git a/salt/utility/init.sls b/salt/utility/init.sls
index d4ff00b3b..ca8a8ef72 100644
--- a/salt/utility/init.sls
+++ b/salt/utility/init.sls
@@ -1,6 +1,5 @@
 # This state is for checking things
-{% if grains['role'] == 'so-master' %}
-{% if salt['pillar.get']('nodestab','') %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-mastersearch' %}
 # Make sure Cross Cluster is good. Will need some logic once we have hot/warm
 crossclusterson:
   cmd.script:
@@ -10,7 +9,6 @@ crossclusterson:
     - source: salt://utility/bin/crossthestreams.sh
     - template: jinja
 
-{% endif %}
 {% endif %}
 {% if grains['role'] == 'so-eval' %}
 fixsearch:
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 2a7fe6d6b..8f54e6a08 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,10 +1,10 @@
-{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
 {%- elif grains['role'] == 'so-node' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
-{%- endif %} 
+{%- endif %}
 <!--
   Wazuh - Agent - Default configuration for ubuntu 16.04
   More info at: https://documentation.wazuh.com
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index 12ab7dc8a..dbf4a4968 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,6 +1,6 @@
-{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %} 
+{%- elif grains['role'] == 'so-node' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
@@ -43,7 +43,7 @@ cat <<HELP_USAGE
                   The agent will be re-regitered with a new ID
    -s|--silent    Surpress the output while removing the agent
    agent          Agent name (if missing we will use the output
-                  of the hostname command) 
+                  of the hostname command)
 HELP_USAGE
 }
 
@@ -59,7 +59,7 @@ register_agent() {
     echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
     exit 0
   fi
-  # Get agent id and agent key 
+  # Get agent id and agent key
   AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
   AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
 
@@ -117,7 +117,7 @@ done
 # reset $1, $2 .... as normal argument after the flag
 shift $(($OPTIND - 1))
 
-# if no arguments are passed in after the flags, we assign the hostname value to the AGENT_NAME 
+# if no arguments are passed in after the flags, we assign the hostname value to the AGENT_NAME
 #AGENT_NAME=${1:-$(hostname)}
 
 #get_agent_id
@@ -137,7 +137,7 @@ shift $(($OPTIND - 1))
 # Default action -> try to register the agent
 sleep 10s
 STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
-if [[ $STATUS == "Active" ]]; then 
+if [[ $STATUS == "Active" ]]; then
   echo "Agent $AGENT_ID already registered!"
 else
   register_agent
diff --git a/setup/functions.sh b/setup/functions.sh
index b102b531d..52f496ecc 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -224,7 +224,7 @@ configure_minion() {
   echo "Configuring minion type as $TYPE" >> $SETUPLOG 2>&1
   touch /etc/salt/grains
   echo "role: so-$TYPE" > /etc/salt/grains
-  if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
+  if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ] || [ $TYPE == 'mastersearch' ]; then
     echo "master: $HOSTNAME" > /etc/salt/minion
     echo "id: $MINION_ID" >> /etc/salt/minion
     echo "mysql.host: '$MAINIP'" >> /etc/salt/minion
@@ -268,7 +268,7 @@ copy_master_config() {
 
 copy_minion_tmp_files() {
 
-  if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
+  if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
     echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
     cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
     if [ -d $TMP/salt ] ; then
@@ -546,7 +546,7 @@ got_root() {
 install_cleanup() {
 
   echo "install_cleanup removing the following files:"
-  ls -lR $TMP 
+  ls -lR $TMP
 
   # Clean up after ourselves
   rm -rf /root/installtmp
@@ -576,7 +576,7 @@ install_master() {
     #wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
 
   else
-    apt-get install -y salt-common=2019.2.2+ds-1 salt-master=2019.2.2+ds-1 salt-minion=2019.2.2+ds-1 libssl-dev python-m2crypto
+    apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto
     apt-mark hold salt-common salt-master salt-minion
   fi
 
@@ -606,7 +606,7 @@ master_pillar() {
   echo "  mainint: $MAININT" >> $PILLARFILE
   echo "  esheap: $ES_HEAP_SIZE" >> $PILLARFILE
   echo "  esclustername: {{ grains.host }}" >> $PILLARFILE
-  if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
+  if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
     echo "  freq: 0" >> $PILLARFILE
     echo "  domainstats: 0" >> $PILLARFILE
     echo "  ls_pipeline_batch_size: 125" >> $PILLARFILE
@@ -956,15 +956,15 @@ EOF
     fi
 
     yum clean expire-cache
-    yum -y install epel-release salt-minion-2019.2.2 yum-utils device-mapper-persistent-data lvm2 openssl
+    yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl
     yum -y update exclude=salt*
     systemctl enable salt-minion
 
     if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
-      yum -y install salt-master-2019.2.2 python3 python36-m2crypto salt-minion-2019.2.2 python36-dateutil python36-mysql python36-docker
+      yum -y install salt-master-2019.2.3 python3 python36-m2crypto salt-minion-2019.2.3 python36-dateutil python36-mysql python36-docker
       systemctl enable salt-master
     else
-      yum -y install salt-minion-2019.2.2 python3 python36-m2crypto python36-dateutil python36-docker
+      yum -y install salt-minion-2019.2.3 python3 python36-m2crypto python36-dateutil python36-docker
     fi
     echo "exclude=salt*" >> /etc/yum.conf
 
@@ -1006,7 +1006,7 @@ EOF
       # Initialize the new repos
       apt-get update >> $SETUPLOG 2>&1
       # Need to add python packages here
-      apt-get -y install salt-minion=2019.2.2+ds-1 salt-common=2019.2.2+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
+      apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
       apt-mark hold salt-minion salt-common
 
     else
@@ -1022,7 +1022,7 @@ EOF
       echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
       # Initialize the new repos
       apt-get update >> $SETUPLOG 2>&1
-      apt-get -y install salt-minion=2019.2.2+ds-1 salt-common=2019.2.2+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
+      apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
       apt-mark hold salt-minion salt-common
 
     fi
@@ -1033,7 +1033,7 @@ EOF
 
 salt_checkin() {
   # Master State to Fix Mine Usage
-  if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
+  if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
   echo "Building Certificate Authority"
   salt-call state.apply ca >> $SETUPLOG 2>&1
   echo " *** Restarting Salt to fix any SSL errors. ***"
@@ -1149,13 +1149,16 @@ set_environment_var() {
 
 set_hostname() {
 
+  echo 'set_hostname called' >> $SETUPLOG 2>&1
+  echo $TESTHOST >> $SETUPLOG 2>&1
+  echo $INSTALLTYPE >> $SETUPLOG 2>&1
   hostnamectl set-hostname --static $HOSTNAME
   echo "127.0.0.1   $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
   echo "::1   localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
   echo $HOSTNAME > /etc/hostname
   HOSTNAME=$(cat /etc/hostname)
   MINION_ID=$(echo $HOSTNAME | awk -F. {'print $1'})
-  if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
+  if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
     if [[ $TESTHOST = *"not found"* ]] || [[ $TESTHOST = *"connection timed out"* ]]; then
       if ! grep -q $MSRVIP /etc/hosts; then
         echo "$MSRVIP   $MSRV" >> /etc/hosts
@@ -1183,12 +1186,16 @@ set_initial_firewall_policy() {
     /opt/so/saltstack/pillar/data/addtotab.sh mastertab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
-  if [ $INSTALLTYPE == 'EVALMODE' ]; then
+  if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls
     printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/search_nodes.sls
-    /opt/so/saltstack/pillar/data/addtotab.sh evaltab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+      if [ $INSTALLTYPE == 'EVALMODE' ]; then
+        /opt/so/saltstack/pillar/data/addtotab.sh evaltab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+      elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
+        /opt/so/saltstack/pillar/data/addtotab.sh mastersearchtab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+      fi
   fi
 
   if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
@@ -1242,7 +1249,7 @@ set_management_interface() {
 set_node_type() {
 
   # Determine the node type based on whiplash choice
-  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
     NODETYPE='search'
   fi
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 6c26783ae..1ae13d893 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -464,7 +464,6 @@ if (whiptail_you_sure) ; then
       sleep 0.5
       echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
       set_initial_firewall_policy >> $SETUPLOG 2>&1
-      echo -e "XXX\n1\nInstalling pip3... \nXXX"
       echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
       create_sensor_bond >> $SETUPLOG 2>&1
       echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
@@ -511,20 +510,25 @@ if (whiptail_you_sure) ; then
     fi
   fi
 
-  #######################
-  ##     Eval Mode     ##
-  #######################
+  #######################################
+  ##     Eval Mode  or Master Search   ##
+  #######################################
 
-  if [ $INSTALLTYPE == 'EVALMODE' ]; then
+  if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
 
     # Filter out the management NIC
     filter_unused_nics
 
-    # Select which NICs are in the bond
-    whiptail_bond_nics
+    if [ $INSTALLTYPE == 'EVALMODE' ]; then
+      TYPE='eval'
+      # Select which NICs are in the bond
+      whiptail_bond_nics
+      # Snag the HOME_NET
+      whiptail_homenet_master
+    elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
+      TYPE='mastersearch'
+    fi
 
-    # Snag the HOME_NET
-    whiptail_homenet_master
     whiptail_eval_adv_warning
     whiptail_enable_components
 
@@ -543,6 +547,18 @@ if (whiptail_you_sure) ; then
     BROVERSION=ZEEK
     CURCLOSEDAYS=30
     process_components
+    if [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
+      # Find out how to handle updates
+      whiptail_master_updates
+      # Get a password for the socore user
+      whiptail_create_socore_user
+      SCMATCH=no
+      while [ $SCMATCH != yes ]; do
+        whiptail_create_socore_user_password1
+        whiptail_create_socore_user_password2
+        check_socore_pass
+      done
+    fi
     whiptail_make_changes
     set_hostname
     generate_passwords
@@ -557,12 +573,15 @@ if (whiptail_you_sure) ; then
       add_admin_user
       disable_onion_user
     fi
+
     # Add the user so we can sit back and relax
     add_socore_user_master
     {
       sleep 0.5
-      echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
-      create_sensor_bond >> $SETUPLOG 2>&1
+      if [ $INSTALLTYPE == 'EVALMODE' ]; then
+        echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
+        create_sensor_bond >> $SETUPLOG 2>&1
+      fi
       echo -e "XXX\n1\nInstalling Python 3... \nXXX"
       echo -e "XXX\n2\nInstalling saltstack... \nXXX"
       saltify >> $SETUPLOG 2>&1
@@ -585,10 +604,14 @@ if (whiptail_you_sure) ; then
       master_pillar >> $SETUPLOG 2>&1
       echo "** Generating the patch pillar **" >> $SETUPLOG
       patch_pillar >> $SETUPLOG 2>&1
+
+
       echo -e "XXX\n7\nConfiguring minion... \nXXX"
-      configure_minion eval >> $SETUPLOG 2>&1
-      echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
+      configure_minion $TYPE >> $SETUPLOG 2>&1
+      echo -e "XXX\n7\nSetting the node type to $TYPE... \nXXX"
       set_node_type >> $SETUPLOG 2>&1
+
+
       echo -e "XXX\n7\nSearch node pillar... \nXXX"
       node_pillar >> $SETUPLOG 2>&1
       echo -e "XXX\n8\nCreating firewall policies... \nXXX"
@@ -609,7 +632,11 @@ if (whiptail_you_sure) ; then
       salt-call state.apply firewall >> $SETUPLOG 2>&1
       echo -e "XXX\n25\nInstalling master components... \nXXX"
       salt-call state.apply master >> $SETUPLOG 2>&1
-      salt-call state.apply idstools >> $SETUPLOG 2>&1
+
+      if [ $INSTALLTYPE == 'EVALMODE' ]; then
+        salt-call state.apply idstools >> $SETUPLOG 2>&1
+      fi
+
       if [[ $OSQUERY == '1' ]]; then
         salt-call state.apply mysql >> $SETUPLOG 2>&1
       fi
@@ -619,12 +646,16 @@ if (whiptail_you_sure) ; then
       salt-call state.apply logstash >> $SETUPLOG 2>&1
       echo -e "XXX\n45\nInstalling Kibana... \nXXX"
       salt-call state.apply kibana >> $SETUPLOG 2>&1
-      echo -e "XXX\n50\nInstalling pcap... \nXXX"
-      salt-call state.apply pcap >> $SETUPLOG 2>&1
-      echo -e "XXX\n52\nInstalling Suricata... \nXXX"
-      salt-call state.apply suricata >> $SETUPLOG 2>&1
-      echo -e "XXX\n54\nInstalling Zeek... \nXXX"
-      salt-call state.apply bro >> $SETUPLOG 2>&1
+
+      if [ $INSTALLTYPE == 'EVALMODE' ]; then
+        echo -e "XXX\n50\nInstalling pcap... \nXXX"
+        salt-call state.apply pcap >> $SETUPLOG 2>&1
+        echo -e "XXX\n52\nInstalling Suricata... \nXXX"
+        salt-call state.apply suricata >> $SETUPLOG 2>&1
+        echo -e "XXX\n54\nInstalling Zeek... \nXXX"
+       salt-call state.apply bro >> $SETUPLOG 2>&1
+      fi
+
       echo -e "XXX\n56\nInstalling curator... \nXXX"
       salt-call state.apply curator >> $SETUPLOG 2>&1
       echo -e "XXX\n58\nInstalling elastalert... \nXXX"

From b275f81da30436e36c2cc6046e761a1e5b562419 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 22 Jan 2020 14:28:27 -0500
Subject: [PATCH 078/188] fix master state -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/241

---
 salt/master/init.sls | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/master/init.sls b/salt/master/init.sls
index 54523d5f1..e01d19b58 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -25,6 +25,8 @@ socore_own_saltstack:
       - user
       - group
 
+{% if masterproxy == 1 %}
+
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
   file.directory:

From 71edddd846365ca2b26da258167f4315e829855e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 10:13:20 -0500
Subject: [PATCH 079/188] Update Registry to unpack new repo

---
 salt/registry/bin/so-buildregistry.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 salt/registry/bin/so-buildregistry.sh

diff --git a/salt/registry/bin/so-buildregistry.sh b/salt/registry/bin/so-buildregistry.sh
new file mode 100644
index 000000000..41e9a035d
--- /dev/null
+++ b/salt/registry/bin/so-buildregistry.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+VERSION=1.1.4
+TARBALL=/nsm/docker-registry/docker/so-dockers-$VERSION.tar
+
+# See if the tarball is there. If so do soemthing otherwise peace out.
+if [ -f "$TARBALL" ]; then
+  cd /nsm/docker-registry/docker
+  tar xvf so-dockers-$VERSION.tar
+  rm $TARBALL
+else
+  exit
+fi

From 2c619db6ad81f10ad0ed32902fdc3eb4f2fb9dae Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 10:45:08 -0500
Subject: [PATCH 080/188] Update Registry to unpack new repo

---
 .../{so-buildregistry.sh => so-buildregistry} |  1 -
 salt/registry/init.sls                        | 10 +++++
 setup/functions.sh                            | 37 +++++++++++--------
 3 files changed, 32 insertions(+), 16 deletions(-)
 rename salt/registry/bin/{so-buildregistry.sh => so-buildregistry} (95%)

diff --git a/salt/registry/bin/so-buildregistry.sh b/salt/registry/bin/so-buildregistry
similarity index 95%
rename from salt/registry/bin/so-buildregistry.sh
rename to salt/registry/bin/so-buildregistry
index 41e9a035d..9231de1df 100644
--- a/salt/registry/bin/so-buildregistry.sh
+++ b/salt/registry/bin/so-buildregistry
@@ -7,7 +7,6 @@ TARBALL=/nsm/docker-registry/docker/so-dockers-$VERSION.tar
 if [ -f "$TARBALL" ]; then
   cd /nsm/docker-registry/docker
   tar xvf so-dockers-$VERSION.tar
-  rm $TARBALL
 else
   exit
 fi
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index ac6cc1795..099219d41 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -26,6 +26,16 @@ dockerregistryconf:
     - name: /opt/so/conf/docker-registry/etc/config.yml
     - source: salt://registry/etc/config.yml
 
+# Copy the registry script
+dockerregistrybuild:
+  file.managed:
+    - name: /opt/so/conf/docker-registry/so-buildregistry
+    - source: salt://registry/bin/so-buildregistry
+
+dockerexpandregistry:
+ cmd.run:
+   - name: /opt/so/conf/docker-registry/so-buildregistry
+
 # Install the registry container
 so-dockerregistry:
   docker_container.running:
diff --git a/setup/functions.sh b/setup/functions.sh
index 225bc64b9..bfe626fed 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -457,6 +457,7 @@ docker_registry() {
 docker_seed_registry() {
   VERSION="HH1.1.4"
   TRUSTED_CONTAINERS=( \
+  "so-acng:$VERSION" \
   "so-auth-api:$VERSION" \
   "so-auth-ui:$VERSION" \
   "so-core:$VERSION" \
@@ -489,22 +490,28 @@ docker_seed_registry() {
   "so-wazuh:$VERSION" \
   "so-zeek:$VERSION" )
 
-  for i in "${TRUSTED_CONTAINERS[@]}"
-  do
-    # Pull down the trusted docker image
-    echo "Downloading $i"
-    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
-    # Tag it with the new registry destination
-    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
-    docker push $HOSTNAME:5000/soshybridhunter/$i
-  done
+  if [ ! -f /nsm/docker-registry/docker/so-dockers-1.1.4.tar ]; then
+    # Download the container from the interwebs
+    for i in "${TRUSTED_CONTAINERS[@]}"
+    do
+      # Pull down the trusted docker image
+      echo "Downloading $i"
+      docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+      # Tag it with the new registry destination
+      docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+      docker push $HOSTNAME:5000/soshybridhunter/$i
+    done
+
+    for i in "${TRUSTED_CONTAINERS[@]}"
+    do
+      echo "Removing $i locally"
+      docker rmi soshybridhunter/$i
+    done
+  else
+    # We already have the goods son
+    rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar
+  fi
 
-  for i in "${TRUSTED_CONTAINERS[@]}"
-  do
-    echo "Removing $i locally"
-    docker rmi soshybridhunter/$i
-  done
-  
 }
 
 es_heapsize() {

From bf6c309f1682863343b28e74fc8af88b3324ce3e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 11:09:55 -0500
Subject: [PATCH 081/188] Update Registry to unpack new repo

---
 salt/registry/bin/so-buildregistry | 2 +-
 salt/registry/init.sls             | 1 +
 setup/functions.sh                 | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/registry/bin/so-buildregistry b/salt/registry/bin/so-buildregistry
index 9231de1df..da50f44f7 100644
--- a/salt/registry/bin/so-buildregistry
+++ b/salt/registry/bin/so-buildregistry
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-VERSION=1.1.4
+VERSION=HH1.1.4
 TARBALL=/nsm/docker-registry/docker/so-dockers-$VERSION.tar
 
 # See if the tarball is there. If so do soemthing otherwise peace out.
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index 099219d41..c0b4bf038 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -31,6 +31,7 @@ dockerregistrybuild:
   file.managed:
     - name: /opt/so/conf/docker-registry/so-buildregistry
     - source: salt://registry/bin/so-buildregistry
+    - mode: 755
 
 dockerexpandregistry:
  cmd.run:
diff --git a/setup/functions.sh b/setup/functions.sh
index bfe626fed..3629cda64 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -490,7 +490,7 @@ docker_seed_registry() {
   "so-wazuh:$VERSION" \
   "so-zeek:$VERSION" )
 
-  if [ ! -f /nsm/docker-registry/docker/so-dockers-1.1.4.tar ]; then
+  if [ ! -f /nsm/docker-registry/docker/so-dockers-$VERSION.tar ]; then
     # Download the container from the interwebs
     for i in "${TRUSTED_CONTAINERS[@]}"
     do

From d2c9689b44ecaad4af9f750cad890a07a076b96d Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 23 Jan 2020 18:35:04 +0000
Subject: [PATCH 082/188] update TheHive init

---
 salt/hive/init.sls | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index 9bde4065f..fca060528 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -83,16 +83,11 @@ so-thehive-es:
       - 0.0.0.0:9500:9500
 
 # Install Cortex
-
-so-corteximage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-cortex:HH1.1.3
-
 so-cortex:
   docker_container.running:
     - require:
       - so-corteximage
-    - image: docker.io/soshybridhunter/so-thehive-cortex:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:HH{{ VERSION }}
     - hostname: so-cortex
     - name: so-cortex
     - user: 939
@@ -107,15 +102,11 @@ cortexscript:
     - cwd: /opt/so
     - template: jinja
 
-so-thehiveimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive:HH1.1.1
-
 so-thehive:
   docker_container.running:
     - require:
       - so-thehiveimage
-    - image: docker.io/soshybridhunter/so-thehive:HH1.1.1
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:HH{{ VERSION }}
     - environment:
       - ELASTICSEARCH_HOST={{ MASTERIP }}
     - hostname: so-thehive

From e687def4dcd36ab1bb42f0609c7ae0faa67c7254 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 23 Jan 2020 18:44:34 +0000
Subject: [PATCH 083/188] remove Cyberchef

---
 salt/cyberchef/init.sls | 56 -----------------------------------------
 1 file changed, 56 deletions(-)
 delete mode 100644 salt/cyberchef/init.sls

diff --git a/salt/cyberchef/init.sls b/salt/cyberchef/init.sls
deleted file mode 100644
index ff258c293..000000000
--- a/salt/cyberchef/init.sls
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Create the cyberchef group
-cyberchefgroup:
-  group.present:
-    - name: cyberchef
-    - gid: 946
-
-# Add the cyberchef user
-cyberchef:
-  user.present:
-    - uid: 946
-    - gid: 946
-    - home: /opt/so/conf/cyberchef
-
-cyberchefconfdir:
-  file.directory:
-    - name: /opt/so/conf/cyberchef
-    - user: 946
-    - group: 939
-    - makedirs: True
-
-cybercheflog:
-  file.directory:
-    - name: /opt/so/log/cyberchef
-    - user: 946
-    - group: 946
-    - makedirs: True
-
-so-cyberchefimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
-
-so-cyberchef:
-  docker_container.running:
-    - require:
-      - so-cyberchefimage
-    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
-    - interactive: True
-    - binds:
-      - /opt/so/saltstack/salt/cyberchef/build:/prod:rw
-    - port_bindings:
-      - 0.0.0.0:9080:8080

From d2a7ef1e64db316c286c258010053029ed912919 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 14:10:01 -0500
Subject: [PATCH 084/188] [fix] Misc script convention changes

* Remove sudo from scripts that are already running as sudo
* Also remove sudo from several so scripts and add sudo check
* Remove .sh extension from user facing scripts
* Remove superfluous # characters from so scripts
* Rename scripts to follow so-{subject}-{verb} naming convention
* Add shebangs where missing
---
 salt/auth/init.sls                            | 15 +++++--------
 salt/bro/cron/zeek_clean                      |  1 +
 salt/common/tools/sbin/so-allow               |  2 +-
 salt/common/tools/sbin/so-bro-restart         |  7 +++++--
 salt/common/tools/sbin/so-bro-start           |  5 ++++-
 salt/common/tools/sbin/so-bro-stop            |  5 ++++-
 salt/common/tools/sbin/so-checkin             | 21 ++++++++++++++++++-
 salt/common/tools/sbin/so-cortex-restart      |  2 +-
 salt/common/tools/sbin/so-cortex-start        |  2 +-
 salt/common/tools/sbin/so-cortex-stop         |  2 +-
 salt/common/tools/sbin/so-curator-restart     |  2 +-
 salt/common/tools/sbin/so-curator-start       |  2 +-
 salt/common/tools/sbin/so-curator-stop        |  2 +-
 salt/common/tools/sbin/so-elastalert-create   |  2 +-
 salt/common/tools/sbin/so-elastalert-restart  |  2 +-
 salt/common/tools/sbin/so-elastalert-start    |  2 +-
 salt/common/tools/sbin/so-elastalert-stop     |  2 +-
 salt/common/tools/sbin/so-elastalert-test     |  2 +-
 salt/common/tools/sbin/so-elastic-diagnose    |  2 +-
 .../tools/sbin/so-elasticsearch-restart       |  2 +-
 salt/common/tools/sbin/so-elasticsearch-start |  2 +-
 salt/common/tools/sbin/so-elasticsearch-stop  |  2 +-
 salt/common/tools/sbin/so-filebeat-restart    |  2 +-
 salt/common/tools/sbin/so-filebeat-start      |  2 +-
 salt/common/tools/sbin/so-filebeat-stop       |  2 +-
 salt/common/tools/sbin/so-fleet-restart       |  2 +-
 salt/common/tools/sbin/so-fleet-start         |  2 +-
 salt/common/tools/sbin/so-fleet-stop          |  2 +-
 salt/common/tools/sbin/so-get-parsed          |  1 -
 salt/common/tools/sbin/so-get-unparsed        |  1 -
 salt/common/tools/sbin/so-grafana-restart     |  2 +-
 salt/common/tools/sbin/so-grafana-start       |  2 +-
 salt/common/tools/sbin/so-grafana-stop        |  2 +-
 salt/common/tools/sbin/so-index-list          | 18 ++++++++++++++++
 salt/common/tools/sbin/so-kibana-restart      |  2 +-
 salt/common/tools/sbin/so-kibana-start        |  2 +-
 salt/common/tools/sbin/so-kibana-stop         |  2 +-
 salt/common/tools/sbin/so-list-index          |  1 -
 salt/common/tools/sbin/so-logstash-get-parsed | 20 ++++++++++++++++++
 .../tools/sbin/so-logstash-get-unparsed       | 20 ++++++++++++++++++
 salt/common/tools/sbin/so-logstash-start      |  2 +-
 salt/common/tools/sbin/so-logstash-stop       |  2 +-
 salt/common/tools/sbin/so-mysql-restart       |  2 +-
 salt/common/tools/sbin/so-mysql-start         |  2 +-
 salt/common/tools/sbin/so-mysql-stop          |  2 +-
 salt/common/tools/sbin/so-playbook-restart    |  2 +-
 salt/common/tools/sbin/so-playbook-ruleupdate | 21 ++++++++++++++++++-
 salt/common/tools/sbin/so-playbook-start      |  2 +-
 salt/common/tools/sbin/so-playbook-stop       |  2 +-
 salt/common/tools/sbin/so-playbook-sync       | 21 ++++++++++++++++++-
 salt/common/tools/sbin/so-redis-count         | 21 ++++++++++++++++++-
 salt/common/tools/sbin/so-redis-restart       |  2 +-
 salt/common/tools/sbin/so-redis-start         |  2 +-
 salt/common/tools/sbin/so-redis-stop          |  2 +-
 salt/common/tools/sbin/so-restart             |  2 +-
 salt/common/tools/sbin/so-soctopus-restart    |  2 +-
 salt/common/tools/sbin/so-soctopus-start      |  2 +-
 salt/common/tools/sbin/so-soctopus-stop       |  2 +-
 salt/common/tools/sbin/so-start               |  2 +-
 salt/common/tools/sbin/so-stop                |  2 +-
 salt/common/tools/sbin/so-tcpreplay           |  2 +-
 salt/common/tools/sbin/so-tcpreplay-restart   |  2 +-
 salt/common/tools/sbin/so-tcpreplay-start     |  2 +-
 salt/common/tools/sbin/so-thehive-restart     |  2 +-
 salt/common/tools/sbin/so-thehive-start       |  2 +-
 salt/common/tools/sbin/so-thehive-stop        |  2 +-
 salt/common/tools/sbin/so-zeek-restart        |  2 +-
 salt/common/tools/sbin/so-zeek-start          |  2 +-
 salt/common/tools/sbin/so-zeek-stop           |  2 +-
 salt/fleet/so-fleet-setup.sh                  |  4 +++-
 ...-docker-download.sh => so-docker-download} |  2 +-
 salt/utility/bin/crossthestreams.sh           |  2 +-
 salt/utility/bin/eval.sh                      |  2 +-
 ...load.sh => 00-so-checksum-offload-disable} |  0
 setup/{functions.sh => so-functions}          | 18 ++++++++--------
 setup/{so-setup.sh => so-setup}               |  4 ++--
 setup/{whiptail.sh => so-whiptail}            |  0
 so-setup-network.sh => so-setup-network       |  4 +++-
 updatemaster.sh => updatemaster               |  0
 79 files changed, 231 insertions(+), 91 deletions(-)
 delete mode 100644 salt/common/tools/sbin/so-get-parsed
 delete mode 100644 salt/common/tools/sbin/so-get-unparsed
 create mode 100644 salt/common/tools/sbin/so-index-list
 delete mode 100644 salt/common/tools/sbin/so-list-index
 create mode 100644 salt/common/tools/sbin/so-logstash-get-parsed
 create mode 100644 salt/common/tools/sbin/so-logstash-get-unparsed
 rename salt/master/files/registry/scripts/{so-docker-download.sh => so-docker-download} (98%)
 rename setup/install_scripts/{disable-checksum-offload.sh => 00-so-checksum-offload-disable} (100%)
 rename setup/{functions.sh => so-functions} (98%)
 rename setup/{so-setup.sh => so-setup} (99%)
 rename setup/{whiptail.sh => so-whiptail} (100%)
 rename so-setup-network.sh => so-setup-network (95%)
 rename updatemaster.sh => updatemaster (100%)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index bed7d18d5..9718d9bb3 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
 so-auth-api-dir:
   file.directory:
     - name: /opt/so/conf/auth/api
@@ -5,19 +8,11 @@ so-auth-api-dir:
     - group: 939
     - makedirs: True
 
-so-auth-api-image:
-    cmd.run:
-        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4
-
-so-auth-ui-image:
-    cmd.run:
-        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4
-
 so-auth-api:
     docker_container.running:
         - require:
             - so-auth-api-image
-        - image: docker.io/soshybridhunter/so-auth-api:HH1.1.4
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:HH{{ VERSION }}
         - hostname: so-auth-api
         - name: so-auth-api
         - environment:
@@ -31,7 +26,7 @@ so-auth-ui:
     docker_container.running:
         - require:
             - so-auth-ui-image
-        - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:HH{{ VERSION }}
         - hostname: so-auth-ui
         - name: so-auth-ui
         - port_bindings:
diff --git a/salt/bro/cron/zeek_clean b/salt/bro/cron/zeek_clean
index af47611bc..24bbc218c 100644
--- a/salt/bro/cron/zeek_clean
+++ b/salt/bro/cron/zeek_clean
@@ -1,4 +1,5 @@
 #!/bin/bash
+
 # Delete Zeek Logs based on defined CRIT_DISK_USAGE value
 
 # Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index c6b756cd1..68f3f37ce 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-bro-restart b/salt/common/tools/sbin/so-bro-restart
index 8161b7cb3..f71de5b91 100644
--- a/salt/common/tools/sbin/so-bro-restart
+++ b/salt/common/tools/sbin/so-bro-restart
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-bro && sudo docker rm so-bro && salt-call state.apply bro
+
+. /usr/sbin/so-common
+
+docker stop so-bro && docker rm so-bro && salt-call state.apply bro
diff --git a/salt/common/tools/sbin/so-bro-start b/salt/common/tools/sbin/so-bro-start
index 87a47febe..3240b86e9 100644
--- a/salt/common/tools/sbin/so-bro-start
+++ b/salt/common/tools/sbin/so-bro-start
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
 docker rm so-bro && salt-call state.apply bro
diff --git a/salt/common/tools/sbin/so-bro-stop b/salt/common/tools/sbin/so-bro-stop
index 62bc2e1b1..8cfdddc3c 100644
--- a/salt/common/tools/sbin/so-bro-stop
+++ b/salt/common/tools/sbin/so-bro-stop
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
 docker stop so-bro 
diff --git a/salt/common/tools/sbin/so-checkin b/salt/common/tools/sbin/so-checkin
index 8ad0326db..419d0a203 100644
--- a/salt/common/tools/sbin/so-checkin
+++ b/salt/common/tools/sbin/so-checkin
@@ -1 +1,20 @@
-sudo salt-call state.highstate
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+salt-call state.highstate
diff --git a/salt/common/tools/sbin/so-cortex-restart b/salt/common/tools/sbin/so-cortex-restart
index aab452475..ef0e3e4fe 100644
--- a/salt/common/tools/sbin/so-cortex-restart
+++ b/salt/common/tools/sbin/so-cortex-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-cortex-start b/salt/common/tools/sbin/so-cortex-start
index db383e2e8..a08969cab 100644
--- a/salt/common/tools/sbin/so-cortex-start
+++ b/salt/common/tools/sbin/so-cortex-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-cortex-stop b/salt/common/tools/sbin/so-cortex-stop
index 727b2c7fa..a13d1e2e3 100644
--- a/salt/common/tools/sbin/so-cortex-stop
+++ b/salt/common/tools/sbin/so-cortex-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-curator-restart b/salt/common/tools/sbin/so-curator-restart
index 043f04b7d..6babd0bba 100644
--- a/salt/common/tools/sbin/so-curator-restart
+++ b/salt/common/tools/sbin/so-curator-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-curator-start b/salt/common/tools/sbin/so-curator-start
index 676da0d2e..308171f66 100644
--- a/salt/common/tools/sbin/so-curator-start
+++ b/salt/common/tools/sbin/so-curator-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-curator-stop b/salt/common/tools/sbin/so-curator-stop
index 9aab50c8c..f815868ee 100644
--- a/salt/common/tools/sbin/so-curator-stop
+++ b/salt/common/tools/sbin/so-curator-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elastalert-create b/salt/common/tools/sbin/so-elastalert-create
index 2134bc8f9..fbe9527a7 100644
--- a/salt/common/tools/sbin/so-elastalert-create
+++ b/salt/common/tools/sbin/so-elastalert-create
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
diff --git a/salt/common/tools/sbin/so-elastalert-restart b/salt/common/tools/sbin/so-elastalert-restart
index 46e66ec40..861820037 100644
--- a/salt/common/tools/sbin/so-elastalert-restart
+++ b/salt/common/tools/sbin/so-elastalert-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elastalert-start b/salt/common/tools/sbin/so-elastalert-start
index 7101eec15..b731fcf6f 100644
--- a/salt/common/tools/sbin/so-elastalert-start
+++ b/salt/common/tools/sbin/so-elastalert-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elastalert-stop b/salt/common/tools/sbin/so-elastalert-stop
index 731312e8c..900c8ec26 100644
--- a/salt/common/tools/sbin/so-elastalert-stop
+++ b/salt/common/tools/sbin/so-elastalert-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elastalert-test b/salt/common/tools/sbin/so-elastalert-test
index 575865bd0..e72d928ed 100644
--- a/salt/common/tools/sbin/so-elastalert-test
+++ b/salt/common/tools/sbin/so-elastalert-test
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
diff --git a/salt/common/tools/sbin/so-elastic-diagnose b/salt/common/tools/sbin/so-elastic-diagnose
index 0a8acc0ae..367a145db 100644
--- a/salt/common/tools/sbin/so-elastic-diagnose
+++ b/salt/common/tools/sbin/so-elastic-diagnose
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elasticsearch-restart b/salt/common/tools/sbin/so-elasticsearch-restart
index e13a89ba8..42cf8ec40 100644
--- a/salt/common/tools/sbin/so-elasticsearch-restart
+++ b/salt/common/tools/sbin/so-elasticsearch-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elasticsearch-start b/salt/common/tools/sbin/so-elasticsearch-start
index 76a3baac6..7373c354c 100644
--- a/salt/common/tools/sbin/so-elasticsearch-start
+++ b/salt/common/tools/sbin/so-elasticsearch-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-elasticsearch-stop b/salt/common/tools/sbin/so-elasticsearch-stop
index 9d03a64ae..6ec2acb13 100644
--- a/salt/common/tools/sbin/so-elasticsearch-stop
+++ b/salt/common/tools/sbin/so-elasticsearch-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-filebeat-restart b/salt/common/tools/sbin/so-filebeat-restart
index d9cdeeec8..04f0a3bea 100644
--- a/salt/common/tools/sbin/so-filebeat-restart
+++ b/salt/common/tools/sbin/so-filebeat-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-filebeat-start b/salt/common/tools/sbin/so-filebeat-start
index e15c2e5e9..e9f36fcf0 100644
--- a/salt/common/tools/sbin/so-filebeat-start
+++ b/salt/common/tools/sbin/so-filebeat-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-filebeat-stop b/salt/common/tools/sbin/so-filebeat-stop
index 7a5e2f28e..4b7df4e41 100644
--- a/salt/common/tools/sbin/so-filebeat-stop
+++ b/salt/common/tools/sbin/so-filebeat-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-fleet-restart b/salt/common/tools/sbin/so-fleet-restart
index 264e9f8a7..2dfbdc3dd 100644
--- a/salt/common/tools/sbin/so-fleet-restart
+++ b/salt/common/tools/sbin/so-fleet-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-fleet-start b/salt/common/tools/sbin/so-fleet-start
index 06133ef58..d26d01cc9 100644
--- a/salt/common/tools/sbin/so-fleet-start
+++ b/salt/common/tools/sbin/so-fleet-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-fleet-stop b/salt/common/tools/sbin/so-fleet-stop
index d22df4704..94634633b 100644
--- a/salt/common/tools/sbin/so-fleet-stop
+++ b/salt/common/tools/sbin/so-fleet-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-get-parsed b/salt/common/tools/sbin/so-get-parsed
deleted file mode 100644
index 5b299e494..000000000
--- a/salt/common/tools/sbin/so-get-parsed
+++ /dev/null
@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
diff --git a/salt/common/tools/sbin/so-get-unparsed b/salt/common/tools/sbin/so-get-unparsed
deleted file mode 100644
index 5b299e494..000000000
--- a/salt/common/tools/sbin/so-get-unparsed
+++ /dev/null
@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart
index 52ebbacda..b0af550a4 100644
--- a/salt/common/tools/sbin/so-grafana-restart
+++ b/salt/common/tools/sbin/so-grafana-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start
index 660d1d31b..64b9cb3bf 100644
--- a/salt/common/tools/sbin/so-grafana-start
+++ b/salt/common/tools/sbin/so-grafana-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop
index bb0a19545..0f1a70f08 100644
--- a/salt/common/tools/sbin/so-grafana-stop
+++ b/salt/common/tools/sbin/so-grafana-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list
new file mode 100644
index 000000000..d241d444d
--- /dev/null
+++ b/salt/common/tools/sbin/so-index-list
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+curl -X GET "localhost:9200/_cat/indices?v"
diff --git a/salt/common/tools/sbin/so-kibana-restart b/salt/common/tools/sbin/so-kibana-restart
index 0349348cb..d2c5dbaf9 100644
--- a/salt/common/tools/sbin/so-kibana-restart
+++ b/salt/common/tools/sbin/so-kibana-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-kibana-start b/salt/common/tools/sbin/so-kibana-start
index edf7ec61f..032b18901 100644
--- a/salt/common/tools/sbin/so-kibana-start
+++ b/salt/common/tools/sbin/so-kibana-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-kibana-stop b/salt/common/tools/sbin/so-kibana-stop
index 007ee54d4..31a64f3b2 100644
--- a/salt/common/tools/sbin/so-kibana-stop
+++ b/salt/common/tools/sbin/so-kibana-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-list-index b/salt/common/tools/sbin/so-list-index
deleted file mode 100644
index fda5eeb2e..000000000
--- a/salt/common/tools/sbin/so-list-index
+++ /dev/null
@@ -1 +0,0 @@
-curl -X GET "localhost:9200/_cat/indices?v"
diff --git a/salt/common/tools/sbin/so-logstash-get-parsed b/salt/common/tools/sbin/so-logstash-get-parsed
new file mode 100644
index 000000000..5560539c8
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-get-parsed
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed
diff --git a/salt/common/tools/sbin/so-logstash-get-unparsed b/salt/common/tools/sbin/so-logstash-get-unparsed
new file mode 100644
index 000000000..5560539c8
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-get-unparsed
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed
diff --git a/salt/common/tools/sbin/so-logstash-start b/salt/common/tools/sbin/so-logstash-start
index cd2e168f4..82331196f 100644
--- a/salt/common/tools/sbin/so-logstash-start
+++ b/salt/common/tools/sbin/so-logstash-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-logstash-stop b/salt/common/tools/sbin/so-logstash-stop
index 528216ca3..e95083b01 100644
--- a/salt/common/tools/sbin/so-logstash-stop
+++ b/salt/common/tools/sbin/so-logstash-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-mysql-restart b/salt/common/tools/sbin/so-mysql-restart
index 1fcb885a4..b29a2e0ae 100644
--- a/salt/common/tools/sbin/so-mysql-restart
+++ b/salt/common/tools/sbin/so-mysql-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-mysql-start b/salt/common/tools/sbin/so-mysql-start
index 1a02b7658..e056f7a37 100644
--- a/salt/common/tools/sbin/so-mysql-start
+++ b/salt/common/tools/sbin/so-mysql-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-mysql-stop b/salt/common/tools/sbin/so-mysql-stop
index 998a48ac0..7393a00a1 100644
--- a/salt/common/tools/sbin/so-mysql-stop
+++ b/salt/common/tools/sbin/so-mysql-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-playbook-restart b/salt/common/tools/sbin/so-playbook-restart
index f05222eae..8a246c0db 100644
--- a/salt/common/tools/sbin/so-playbook-restart
+++ b/salt/common/tools/sbin/so-playbook-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-playbook-ruleupdate b/salt/common/tools/sbin/so-playbook-ruleupdate
index 6e2d16f5d..b29b63cf5 100644
--- a/salt/common/tools/sbin/so-playbook-ruleupdate
+++ b/salt/common/tools/sbin/so-playbook-ruleupdate
@@ -1 +1,20 @@
-sudo docker exec so-soctopus python3 playbook_bulk-update.py
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_bulk-update.py
diff --git a/salt/common/tools/sbin/so-playbook-start b/salt/common/tools/sbin/so-playbook-start
index 34ddf18aa..fb5df55f1 100644
--- a/salt/common/tools/sbin/so-playbook-start
+++ b/salt/common/tools/sbin/so-playbook-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-playbook-stop b/salt/common/tools/sbin/so-playbook-stop
index a1ebd7503..d0a84bab1 100644
--- a/salt/common/tools/sbin/so-playbook-stop
+++ b/salt/common/tools/sbin/so-playbook-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index 3fc13c199..f4c2c456e 100644
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -1 +1,20 @@
-sudo docker exec so-soctopus python3 playbook_play-sync.py
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_play-sync.py
diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index 5b299e494..5560539c8 100644
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -1 +1,20 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed
diff --git a/salt/common/tools/sbin/so-redis-restart b/salt/common/tools/sbin/so-redis-restart
index b1e1293b8..e2ec4c2d2 100644
--- a/salt/common/tools/sbin/so-redis-restart
+++ b/salt/common/tools/sbin/so-redis-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-redis-start b/salt/common/tools/sbin/so-redis-start
index 3ef2d3c01..f64600b05 100644
--- a/salt/common/tools/sbin/so-redis-start
+++ b/salt/common/tools/sbin/so-redis-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-redis-stop b/salt/common/tools/sbin/so-redis-stop
index 34577814c..ac3d2d106 100644
--- a/salt/common/tools/sbin/so-redis-stop
+++ b/salt/common/tools/sbin/so-redis-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index 968b7233a..94137ddb4 100644
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-soctopus-restart b/salt/common/tools/sbin/so-soctopus-restart
index 144ddbf3e..3d8f67893 100644
--- a/salt/common/tools/sbin/so-soctopus-restart
+++ b/salt/common/tools/sbin/so-soctopus-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-soctopus-start b/salt/common/tools/sbin/so-soctopus-start
index e0d2a2a35..db0a33302 100644
--- a/salt/common/tools/sbin/so-soctopus-start
+++ b/salt/common/tools/sbin/so-soctopus-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-soctopus-stop b/salt/common/tools/sbin/so-soctopus-stop
index f38eecc08..3747d6e34 100644
--- a/salt/common/tools/sbin/so-soctopus-stop
+++ b/salt/common/tools/sbin/so-soctopus-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
index 70b8d6aed..f5e861818 100644
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop
index 108424bb9..64d0a4298 100644
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay
index 69cee2f68..4b861890a 100755
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 #    This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-tcpreplay-restart b/salt/common/tools/sbin/so-tcpreplay-restart
index 61e9016d0..1a1ac971b 100755
--- a/salt/common/tools/sbin/so-tcpreplay-restart
+++ b/salt/common/tools/sbin/so-tcpreplay-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-tcpreplay-start b/salt/common/tools/sbin/so-tcpreplay-start
index e6886b80c..287404b96 100755
--- a/salt/common/tools/sbin/so-tcpreplay-start
+++ b/salt/common/tools/sbin/so-tcpreplay-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 #    This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-thehive-restart b/salt/common/tools/sbin/so-thehive-restart
index 4b28c0030..08cd8318e 100644
--- a/salt/common/tools/sbin/so-thehive-restart
+++ b/salt/common/tools/sbin/so-thehive-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-thehive-start b/salt/common/tools/sbin/so-thehive-start
index 17ec7bfaa..92fe88bb5 100644
--- a/salt/common/tools/sbin/so-thehive-start
+++ b/salt/common/tools/sbin/so-thehive-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-thehive-stop b/salt/common/tools/sbin/so-thehive-stop
index 6c56e0473..b326f699c 100644
--- a/salt/common/tools/sbin/so-thehive-stop
+++ b/salt/common/tools/sbin/so-thehive-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart
index 29c50f27a..fae36d8f9 100644
--- a/salt/common/tools/sbin/so-zeek-restart
+++ b/salt/common/tools/sbin/so-zeek-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start
index ccd475bb6..595fdb24b 100644
--- a/salt/common/tools/sbin/so-zeek-start
+++ b/salt/common/tools/sbin/so-zeek-start
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop
index 1e39a2c49..1b995e854 100644
--- a/salt/common/tools/sbin/so-zeek-stop
+++ b/salt/common/tools/sbin/so-zeek-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh
index 32bbddbe7..cd082ff03 100644
--- a/salt/fleet/so-fleet-setup.sh
+++ b/salt/fleet/so-fleet-setup.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 #so-fleet-setup.sh $MasterIP $FleetEmail
 
 if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
@@ -16,7 +18,7 @@ docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/o
 docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
 docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
 
-esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
+esecret=$(docker exec so-fleet fleetctl get enroll-secret)
 
 #Concat fleet.crt & ca.crt  - this is required for launcher connectivity
 cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
diff --git a/salt/master/files/registry/scripts/so-docker-download.sh b/salt/master/files/registry/scripts/so-docker-download
similarity index 98%
rename from salt/master/files/registry/scripts/so-docker-download.sh
rename to salt/master/files/registry/scripts/so-docker-download
index 33b5065ae..a6c2aa7c5 100644
--- a/salt/master/files/registry/scripts/so-docker-download.sh
+++ b/salt/master/files/registry/scripts/so-docker-download
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 MASTER={{ MASTER }}
-VERSION="HH1.1.3"
+VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
 "so-core:$VERSION" \
 "so-cyberchef:$VERSION" \
diff --git a/salt/utility/bin/crossthestreams.sh b/salt/utility/bin/crossthestreams.sh
index 197573bcf..f838d041c 100644
--- a/salt/utility/bin/crossthestreams.sh
+++ b/salt/utility/bin/crossthestreams.sh
@@ -18,7 +18,7 @@ while [[ "$COUNT" -le 30 ]]; do
 done
 if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
   echo
-  echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+  echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'docker ps' \n  -running 'sudo so-elastic-restart'"
   echo
 
   exit
diff --git a/salt/utility/bin/eval.sh b/salt/utility/bin/eval.sh
index 03eceef56..636cc23ae 100644
--- a/salt/utility/bin/eval.sh
+++ b/salt/utility/bin/eval.sh
@@ -17,7 +17,7 @@ while [[ "$COUNT" -le 30 ]]; do
 done
 if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
   echo
-  echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+  echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'docker ps' \n  -running 'sudo so-elastic-restart'"
   echo
 
   exit
diff --git a/setup/install_scripts/disable-checksum-offload.sh b/setup/install_scripts/00-so-checksum-offload-disable
similarity index 100%
rename from setup/install_scripts/disable-checksum-offload.sh
rename to setup/install_scripts/00-so-checksum-offload-disable
diff --git a/setup/functions.sh b/setup/so-functions
similarity index 98%
rename from setup/functions.sh
rename to setup/so-functions
index 3629cda64..abdc869a5 100644
--- a/setup/functions.sh
+++ b/setup/so-functions
@@ -16,7 +16,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 SCRIPTDIR=$(dirname "$0")
-source $SCRIPTDIR/whiptail.sh
+source $SCRIPTDIR/so-whiptail
 
 accept_salt_key_local() {
   echo "Accept the key locally on the master" >> $SETUPLOG 2>&1
@@ -757,11 +757,11 @@ network_setup() {
   echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1
   nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1
 
-  echo "... Copying disable-checksum-offload.sh" >> $SETUPLOG 2>&1
-  cp $SCRIPTDIR/install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh  >> $SETUPLOG 2>&1
+  echo "... Copying 00-so-checksum-offload-disable" >> $SETUPLOG 2>&1
+  cp $SCRIPTDIR/install_scripts/00-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/00-so-checksum-offload-disable  >> $SETUPLOG 2>&1
 
-  echo "... Modifying disable-checksum-offload.sh" >> $SETUPLOG 2>&1
-  sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
+  echo "... Modifying 00-so-checksum-offload-disable" >> $SETUPLOG 2>&1
+  sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/00-so-checksum-offload-disable >> $SETUPLOG 2>&1
 }
 
 node_pillar() {
@@ -1107,7 +1107,7 @@ salt_checkin() {
   service salt-minion restart >> $SETUPLOG 2>&1
   sleep 15
   echo " Applyng a mine hack "
-  sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1
+  salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1
   echo " Applying SSL state "
   salt-call state.apply ssl >> $SETUPLOG 2>&1
   echo "Still Working... Hang in there"
@@ -1351,9 +1351,9 @@ update_sudoers() {
 
   if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
     # Update Sudoers so that socore can accept keys without a password
-    echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers
-    echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | sudo tee -a /etc/sudoers
-    echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | sudo tee -a /etc/sudoers
+    echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
+    echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
+    echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
   else
     echo "User socore already granted sudo privileges"
   fi
diff --git a/setup/so-setup.sh b/setup/so-setup
similarity index 99%
rename from setup/so-setup.sh
rename to setup/so-setup
index 5e5331d64..be34999b3 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup
@@ -17,8 +17,8 @@
 
 # Source the other pieces of the setup
 SCRIPTDIR=$(dirname "$0")
-source $SCRIPTDIR/functions.sh
-source $SCRIPTDIR/whiptail.sh
+source $SCRIPTDIR/so-functions
+source $SCRIPTDIR/so-whiptail
 
 # See if this is an ISO install
 OPTIONS=$1
diff --git a/setup/whiptail.sh b/setup/so-whiptail
similarity index 100%
rename from setup/whiptail.sh
rename to setup/so-whiptail
diff --git a/so-setup-network.sh b/so-setup-network
similarity index 95%
rename from so-setup-network.sh
rename to so-setup-network
index d12ad6181..a24fc76f5 100644
--- a/so-setup-network.sh
+++ b/so-setup-network
@@ -15,4 +15,6 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-cd setup && bash so-setup.sh network
+cd setup
+
+./so-setup network
diff --git a/updatemaster.sh b/updatemaster
similarity index 100%
rename from updatemaster.sh
rename to updatemaster

From 5603afd2bd1eac58e13fb832b94e533d13894928 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 15:36:26 -0500
Subject: [PATCH 085/188] quick fix for missing master search items in setup

---
 setup/functions.sh | 6 +++---
 setup/so-setup.sh  | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 3629cda64..f23da15ba 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -864,7 +864,7 @@ saltify() {
   if [ $OS == 'centos' ]; then
     ADDUSER=adduser
 
-    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
+    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
       reserve_group_ids
       yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
       cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo
@@ -1025,7 +1025,7 @@ EOF
     yum -y update exclude=salt*
     systemctl enable salt-minion
 
-    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
+    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
       yum -y install salt-master-2019.2.3 python3 python36-m2crypto salt-minion-2019.2.3 python36-dateutil python36-mysql python36-docker
       systemctl enable salt-master
     else
@@ -1045,7 +1045,7 @@ EOF
     UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
 
     # Nasty hack but required for now
-    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
 
       # Install the repo for salt
       wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 5e5331d64..a2501dfb9 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -527,12 +527,13 @@ if (whiptail_you_sure) ; then
       TYPE='eval'
       # Select which NICs are in the bond
       whiptail_bond_nics
-      # Snag the HOME_NET
-      whiptail_homenet_master
     elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
       TYPE='mastersearch'
     fi
 
+    # Snag the HOME_NET
+    whiptail_homenet_master
+
     whiptail_eval_adv_warning
     whiptail_enable_components
 

From d4d5891c702097c82130bd8a95a1310ec77af088 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 16:58:26 -0500
Subject: [PATCH 086/188] [fix] Remove require from hive init.sls

---
 salt/hive/init.sls | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index fca060528..c5cf72d39 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -85,8 +85,6 @@ so-thehive-es:
 # Install Cortex
 so-cortex:
   docker_container.running:
-    - require:
-      - so-corteximage
     - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:HH{{ VERSION }}
     - hostname: so-cortex
     - name: so-cortex
@@ -104,8 +102,6 @@ cortexscript:
 
 so-thehive:
   docker_container.running:
-    - require:
-      - so-thehiveimage
     - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:HH{{ VERSION }}
     - environment:
       - ELASTICSEARCH_HOST={{ MASTERIP }}

From 4a288a0d63f74e26a43e644fcf7ec7f6245d01f6 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 23 Jan 2020 15:06:40 -0500
Subject: [PATCH 087/188] [fix] Further .sh extension removal

* Remove more .sh extensions
* Edit jinja markup to prevent whitespace trimming
---
 salt/auth/init.sls                                        | 4 ----
 salt/hive/init.sls                                        | 4 ++--
 salt/hive/thehive/scripts/{cortex_init.sh => cortex_init} | 2 +-
 salt/hive/thehive/scripts/{hive_init.sh => hive_init}     | 2 +-
 salt/utility/bin/{crossthestreams.sh => crossthestream}   | 4 +++-
 salt/utility/bin/{eval.sh => eval}                        | 4 +++-
 salt/utility/init.sls                                     | 4 ++--
 7 files changed, 12 insertions(+), 12 deletions(-)
 rename salt/hive/thehive/scripts/{cortex_init.sh => cortex_init} (98%)
 rename salt/hive/thehive/scripts/{hive_init.sh => hive_init} (97%)
 rename salt/utility/bin/{crossthestreams.sh => crossthestream} (95%)
 rename salt/utility/bin/{eval.sh => eval} (93%)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index 9718d9bb3..c59a70ba0 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -10,8 +10,6 @@ so-auth-api-dir:
 
 so-auth-api:
     docker_container.running:
-        - require:
-            - so-auth-api-image
         - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:HH{{ VERSION }}
         - hostname: so-auth-api
         - name: so-auth-api
@@ -24,8 +22,6 @@ so-auth-api:
 
 so-auth-ui:
     docker_container.running:
-        - require:
-            - so-auth-ui-image
         - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:HH{{ VERSION }}
         - hostname: so-auth-ui
         - name: so-auth-ui
diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index fca060528..fdabcbb34 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -98,7 +98,7 @@ so-cortex:
 
 cortexscript:
   cmd.script:
-    - source: salt://hive/thehive/scripts/cortex_init.sh
+    - source: salt://hive/thehive/scripts/cortex_init
     - cwd: /opt/so
     - template: jinja
 
@@ -119,6 +119,6 @@ so-thehive:
 
 hivescript:
   cmd.script:
-    - source: salt://hive/thehive/scripts/hive_init.sh
+    - source: salt://hive/thehive/scripts/hive_init
     - cwd: /opt/so
     - template: jinja
diff --git a/salt/hive/thehive/scripts/cortex_init.sh b/salt/hive/thehive/scripts/cortex_init
similarity index 98%
rename from salt/hive/thehive/scripts/cortex_init.sh
rename to salt/hive/thehive/scripts/cortex_init
index 506b14be5..786039bf1 100644
--- a/salt/hive/thehive/scripts/cortex_init.sh
+++ b/salt/hive/thehive/scripts/cortex_init
@@ -1,5 +1,5 @@
 #!/bin/bash
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %}
 {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init
similarity index 97%
rename from salt/hive/thehive/scripts/hive_init.sh
rename to salt/hive/thehive/scripts/hive_init
index 6c5168a66..03b43e74f 100755
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init
@@ -1,5 +1,5 @@
 #!/bin/bash
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
 {%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
diff --git a/salt/utility/bin/crossthestreams.sh b/salt/utility/bin/crossthestream
similarity index 95%
rename from salt/utility/bin/crossthestreams.sh
rename to salt/utility/bin/crossthestream
index f838d041c..c8768230e 100644
--- a/salt/utility/bin/crossthestreams.sh
+++ b/salt/utility/bin/crossthestream
@@ -1,5 +1,7 @@
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+#!/bin/bash
+{% set ES = salt['pillar.get']('master:mainip', '') %}
 {%- set MASTER = grains['master'] %}
+
 # Wait for ElasticSearch to come up, so that we can query for version infromation
 echo -n "Waiting for ElasticSearch..."
 COUNT=0
diff --git a/salt/utility/bin/eval.sh b/salt/utility/bin/eval
similarity index 93%
rename from salt/utility/bin/eval.sh
rename to salt/utility/bin/eval
index 636cc23ae..853693044 100644
--- a/salt/utility/bin/eval.sh
+++ b/salt/utility/bin/eval
@@ -1,4 +1,6 @@
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+#!/bin/bash
+{% set ES = salt['pillar.get']('master:mainip', '') %}
+
 # Wait for ElasticSearch to come up, so that we can query for version infromation
 echo -n "Waiting for ElasticSearch..."
 COUNT=0
diff --git a/salt/utility/init.sls b/salt/utility/init.sls
index ca8a8ef72..adbc9e73b 100644
--- a/salt/utility/init.sls
+++ b/salt/utility/init.sls
@@ -6,7 +6,7 @@ crossclusterson:
     - shell: /bin/bash
     - cwd: /opt/so
     - runas: socore
-    - source: salt://utility/bin/crossthestreams.sh
+    - source: salt://utility/bin/crossthestreams
     - template: jinja
 
 {% endif %}
@@ -16,6 +16,6 @@ fixsearch:
     - shell: /bin/bash
     - cwd: /opt/so
     - runas: socore
-    - source: salt://utility/bin/eval.sh
+    - source: salt://utility/bin/eval
     - template: jinja
 {% endif %}

From 78527ab87c0eb2de6632d03a451e58de549f816b Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 24 Jan 2020 04:20:49 -0500
Subject: [PATCH 088/188] Steno - BPF Config

---
 salt/pcap/files/compile_bpf.sh | 37 ++++++++++++++++++++++++++++++++++
 salt/pcap/files/config         |  4 ++--
 salt/pcap/init.sls             | 36 ++++++++++++++++++++++++++++++++-
 3 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100644 salt/pcap/files/compile_bpf.sh

diff --git a/salt/pcap/files/compile_bpf.sh b/salt/pcap/files/compile_bpf.sh
new file mode 100644
index 000000000..44c5b8249
--- /dev/null
+++ b/salt/pcap/files/compile_bpf.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""
diff --git a/salt/pcap/files/config b/salt/pcap/files/config
index 12c68cb0a..a41645e88 100644
--- a/salt/pcap/files/config
+++ b/salt/pcap/files/config
@@ -4,13 +4,13 @@
     { "PacketsDirectory": "/nsm/pcap"
     , "IndexDirectory": "/nsm/pcapindex"
     , "MaxDirectoryFiles": 30000
-    , "DiskFreePercentage": 10
+    , "DiskFreePercentage": 5
     }
   ]
   , "StenotypePath": "/usr/bin/stenotype"
   , "Interface": "{{ interface }}"
   , "Port": 1234
   , "Host": "127.0.0.1"
-  , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"]
+  , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ bpf_compiled }}]
   , "CertPath": "/etc/stenographer/certs"
 }
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index f5a4e4924..a91f6bfce 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -36,6 +36,33 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
+{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set bpf_global = salt['pillar.get']('static:steno:bpf', None) %}
+{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %}
+
+{% if bpf_steno != None or bpf_global != None %}
+   {% if bpf_steno != None %}
+      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %}
+   {% else %}
+      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_global) %}
+   {% endif %}
+   {% if bpf_calc['stderr'] == "" %}
+      {% set bpf_compiled = bpf_calc['stdout'] %}
+   {% else  %}
+         {% set bpf_compiled = None %}
+
+bpfcompilationfailure:
+  test.configurable_test_state:
+   - name: foo
+   - changes: False
+   - result: False
+   - comment: "BPF Compilation Failed - Discarding specified BPF"
+
+   {% endif %}
+{% else  %}
+   {% set bpf_compiled = None %}
+{% endif %}
+
 stenoconf:
   file.managed:
     - name: /opt/so/conf/steno/config
@@ -44,6 +71,12 @@ stenoconf:
     - group: root
     - mode: 644
     - template: jinja
+    - defaults:
+        bpf_compiled: ""
+{% if bpf_compiled != None %}
+    - context:
+        bpf_compiled: ',"--filter={{ bpf_compiled }}"'
+{% endif %}
 
 sensoroniagentconf:
   file.managed:
@@ -113,4 +146,5 @@ so-steno:
       - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
       - /opt/so/log/stenographer:/opt/sensoroni/logs:rw
     - watch:
-      - /opt/so/conf/steno/sensoroni.json
+      - file: /opt/so/conf/steno/config
+      - file: /opt/so/conf/steno/sensoroni.json

From 7dd30ef07eff49a6d4d449b77ac9b41763e91b93 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 24 Jan 2020 04:22:47 -0500
Subject: [PATCH 089/188] Steno - fix disk percentage

---
 salt/pcap/files/config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/pcap/files/config b/salt/pcap/files/config
index a41645e88..0f06d1c7e 100644
--- a/salt/pcap/files/config
+++ b/salt/pcap/files/config
@@ -4,7 +4,7 @@
     { "PacketsDirectory": "/nsm/pcap"
     , "IndexDirectory": "/nsm/pcapindex"
     , "MaxDirectoryFiles": 30000
-    , "DiskFreePercentage": 5
+    , "DiskFreePercentage": 10
     }
   ]
   , "StenotypePath": "/usr/bin/stenotype"

From 3262854f4e37b28fa80aa562cfa22ceeb0504930 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 24 Jan 2020 04:30:06 -0500
Subject: [PATCH 090/188] Steno - fix error name

---
 salt/pcap/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index a91f6bfce..16d002250 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -53,7 +53,7 @@ stenoconfdir:
 
 bpfcompilationfailure:
   test.configurable_test_state:
-   - name: foo
+   - name: bpfcompfailure
    - changes: False
    - result: False
    - comment: "BPF Compilation Failed - Discarding specified BPF"

From dcf1dc6e092879abffbaab3b7ed7591b62c1e3b5 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 24 Jan 2020 12:33:15 -0500
Subject: [PATCH 091/188] reorder pillar top -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/249

---
 pillar/top.sls | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/pillar/top.sls b/pillar/top.sls
index 3a37fa861..99fe26556 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -2,40 +2,40 @@ base:
   '*':
     - patch.needs_restarting
 
-  'G@role:so-sensor':
-    - minions.{{ grains.id }}
-    - static
-    - firewall.*
-    - brologs
-
   'G@role:so-mastersearch':
     - logstash.mastersearch
 
+  'G@role:so-sensor':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
+
   'G@role:so-master or G@role:so-mastersearch':
     - match: compound
-    - minions.{{ grains.id }}
     - static
     - firewall.*
     - data.*
     - auth
+    - minions.{{ grains.id }}
 
   'G@role:so-eval':
-    - minions.{{ grains.id }}
     - static
     - firewall.*
     - data.*
     - brologs
     - auth
+    - minions.{{ grains.id }}
 
   'G@role:so-node':
-    - minions.{{ grains.id }}
     - static
     - firewall.*
+    - minions.{{ grains.id }}
 
   'G@role:so-helix':
-    - minions.{{ grains.id }}
     - static
     - firewall.*
     - fireeye
     - static
     - brologs
+    - minions.{{ grains.id }}

From d54a41a1f012001681ed065b5f5487bc98785196 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 24 Jan 2020 15:08:09 -0500
Subject: [PATCH 092/188] fix so-buildregistry from returning error

---
 salt/registry/bin/so-buildregistry | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/registry/bin/so-buildregistry b/salt/registry/bin/so-buildregistry
index da50f44f7..01756fc67 100644
--- a/salt/registry/bin/so-buildregistry
+++ b/salt/registry/bin/so-buildregistry
@@ -7,6 +7,6 @@ TARBALL=/nsm/docker-registry/docker/so-dockers-$VERSION.tar
 if [ -f "$TARBALL" ]; then
   cd /nsm/docker-registry/docker
   tar xvf so-dockers-$VERSION.tar
-else
-  exit
 fi
+
+exit 0

From 7875436efdf279f5b248b63cd4a3062a96df2af6 Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Sat, 25 Jan 2020 11:27:10 -0500
Subject: [PATCH 093/188] Steno BPF - cleanup & simplify

---
 salt/pcap/init.sls | 33 ++++++++++-----------------------
 1 file changed, 10 insertions(+), 23 deletions(-)

diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 16d002250..6b5647d8e 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -14,6 +14,10 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %}
+{% set bpf_compiled = "" %}
+
 # PCAP Section
 
 # Create the logstash group
@@ -36,31 +40,18 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set bpf_global = salt['pillar.get']('static:steno:bpf', None) %}
-{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %}
-
-{% if bpf_steno != None or bpf_global != None %}
-   {% if bpf_steno != None %}
-      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %}
-   {% else %}
-      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_global) %}
-   {% endif %}
+# BPF compilation and configuration
+{% if bpf_steno %}
+   {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %}
    {% if bpf_calc['stderr'] == "" %}
-      {% set bpf_compiled = bpf_calc['stdout'] %}
+      {% set bpf_compiled =  ",\\\"--filter=" + bpf_calc['stdout'] + "\\\""  %}
    {% else  %}
-         {% set bpf_compiled = None %}
-
 bpfcompilationfailure:
   test.configurable_test_state:
-   - name: bpfcompfailure
    - changes: False
    - result: False
-   - comment: "BPF Compilation Failed - Discarding specified BPF"
-
+   - comment: "BPF Compilation Failed - Discarding Specified BPF"
    {% endif %}
-{% else  %}
-   {% set bpf_compiled = None %}
 {% endif %}
 
 stenoconf:
@@ -72,11 +63,7 @@ stenoconf:
     - mode: 644
     - template: jinja
     - defaults:
-        bpf_compiled: ""
-{% if bpf_compiled != None %}
-    - context:
-        bpf_compiled: ',"--filter={{ bpf_compiled }}"'
-{% endif %}
+        bpf_compiled: "{{ bpf_compiled }}"
 
 sensoroniagentconf:
   file.managed:

From f22e5eb649eda4b7992a2e37f9239cb94fdf3ad7 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 27 Jan 2020 15:18:26 -0500
Subject: [PATCH 094/188] Fix for install error

---
 salt/wazuh/files/wazuh-manager-whitelist | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
index 0cf675f5c..b8612f820 100644
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -1,6 +1,6 @@
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 #!/bin/bash
-#
+
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
@@ -27,7 +27,7 @@ if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
               echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG."
               echo
               echo "Restarting OSSEC Server..."
-              /usr/sbin/so-wazuh-restart
+            #   /usr/sbin/so-wazuh-restart
       fi
 fi
 

From 47f02389fc4c1f69691bde0707053e6ed60efc9d Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 27 Jan 2020 15:23:35 -0500
Subject: [PATCH 095/188] Add so-auth to master and master/search

---
 salt/common/nginx/nginx.conf.so-master       | 38 ++++++++++++++------
 salt/common/nginx/nginx.conf.so-mastersearch | 38 ++++++++++++++------
 2 files changed, 54 insertions(+), 22 deletions(-)

diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master
index 0a0c31d6a..3cac44155 100644
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -88,7 +88,7 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
+          rewrite /grafana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-	  rewrite /kibana/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
+	        rewrite /kibana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
         }
 
         location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
           proxy_pass http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
         }
 
         location /fleet/ {
-	  rewrite /fleet/(.*) /$1 break;
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+	        rewrite /fleet/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
           proxy_pass https://{{ masterip }}:8080/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -200,8 +197,7 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
           proxy_pass http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -238,6 +234,26 @@ http {
 
         }
 
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }
diff --git a/salt/common/nginx/nginx.conf.so-mastersearch b/salt/common/nginx/nginx.conf.so-mastersearch
index 265413fa2..6fa080f5b 100644
--- a/salt/common/nginx/nginx.conf.so-mastersearch
+++ b/salt/common/nginx/nginx.conf.so-mastersearch
@@ -88,7 +88,7 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
+	        rewrite /grafana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-	  rewrite /kibana/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
+	        rewrite /kibana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
         }
 
         location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
           proxy_pass http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
         }
 
         location /fleet/ {
-	  rewrite /fleet/(.*) /$1 break;
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+	        rewrite /fleet/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
           proxy_pass https://{{ masterip }}:8080/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -212,8 +209,7 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
           proxy_pass http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -250,6 +246,26 @@ http {
 
         }
 
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

From c38569d8a6abbf57d1e56fe7595da2e76d666d3a Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 13:07:37 +0000
Subject: [PATCH 096/188] Add script for CVE-2020-0601

---
 salt/zeek/files/local.zeek | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index aed6bb59b..92104dbf0 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -118,3 +118,6 @@
 # Write logs in JSON
 redef LogAscii::use_json = T;
 redef LogAscii::json_timestamps = JSON::TS_ISO8601;
+
+# CVE-2020-0601
+@load cve-2020-0601

From b754c88ab145b28de933c4642d38a17713b55620 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 13:08:10 +0000
Subject: [PATCH 097/188] Add script for CVE-2020-0601

---
 salt/zeek/policy/cve-2020-0601/COPYING        | 27 ++++++++++++
 salt/zeek/policy/cve-2020-0601/__load__.zeek  |  1 +
 .../policy/cve-2020-0601/cve-2020-0601.zeek   | 41 +++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 salt/zeek/policy/cve-2020-0601/COPYING
 create mode 100644 salt/zeek/policy/cve-2020-0601/__load__.zeek
 create mode 100644 salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek

diff --git a/salt/zeek/policy/cve-2020-0601/COPYING b/salt/zeek/policy/cve-2020-0601/COPYING
new file mode 100644
index 000000000..ab2a4ef38
--- /dev/null
+++ b/salt/zeek/policy/cve-2020-0601/COPYING
@@ -0,0 +1,27 @@
+Copyright (c) 2019, Johanna Amann. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Note that some files in the distribution may carry their own copyright
+notices.
+
diff --git a/salt/zeek/policy/cve-2020-0601/__load__.zeek b/salt/zeek/policy/cve-2020-0601/__load__.zeek
new file mode 100644
index 000000000..911b1404a
--- /dev/null
+++ b/salt/zeek/policy/cve-2020-0601/__load__.zeek
@@ -0,0 +1 @@
+@load ./cve-2020-0601
diff --git a/salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek b/salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek
new file mode 100644
index 000000000..32fa67739
--- /dev/null
+++ b/salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek
@@ -0,0 +1,41 @@
+module CVE_2020_0601;
+
+export {
+        ## set to yes, to log suspicious certificates.
+        option log_certs = F;
+
+        ## The logging stream identifier.
+        redef enum Log::ID += { LOG };
+
+        ## The record type which contains column fields of the certificate log.
+        type Info: record {
+                ## Timestamp when this record is written.
+                ts:          time   &log;
+                ## File-id of the cerfificate
+                fuid:        string &log;
+                ## Certificate encoded as base64
+                certificate: string &log;
+        };
+
+        redef enum Notice::Type += {
+                ## An ECC certificate with an unknown curve was encountered
+                Unknown_X509_Curve
+        };
+}
+
+event zeek_init()
+        {
+        Log::create_stream(CVE_2020_0601::LOG, [$columns=Info, $path="cve-2020-0601-certs"]);
+        }
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+        {
+        if ( cert?$key_alg && cert$key_alg == "id-ecPublicKey" && ! cert?$curve )
+                {
+                NOTICE([$note=Unknown_X509_Curve, $f=f, $msg="ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt"]);
+
+                if ( log_certs )
+                        Log::write(CVE_2020_0601::LOG, Info($ts=network_time(), $fuid=f$id, $certificate=encode_base64(x509_get_certificate_string(cert_ref, F))));
+                }
+        }
+

From a9ccd17d89034791fbf0de55352f889eb03b2fcb Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 14:34:19 +0000
Subject: [PATCH 098/188] Update Wazuh scripts

---
 salt/common/tools/sbin/so-wazuh-restart | 6 ++++--
 salt/common/tools/sbin/so-wazuh-start   | 7 +++++--
 salt/common/tools/sbin/so-wazuh-stop    | 7 +++++--
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/salt/common/tools/sbin/so-wazuh-restart b/salt/common/tools/sbin/so-wazuh-restart
index 3183479c4..34e2eee9a 100644
--- a/salt/common/tools/sbin/so-wazuh-restart
+++ b/salt/common/tools/sbin/so-wazuh-restart
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,6 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-wazuh && sudo docker rm so-wazuh && salt-call state.apply wazuh
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart wazuh $1
diff --git a/salt/common/tools/sbin/so-wazuh-start b/salt/common/tools/sbin/so-wazuh-start
index dd64354c7..607f59ae7 100644
--- a/salt/common/tools/sbin/so-wazuh-start
+++ b/salt/common/tools/sbin/so-wazuh-start
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-wazuh
+. /usr/sbin/so-common
+
+/usr/sbin/so-start wazuh $1
+
diff --git a/salt/common/tools/sbin/so-wazuh-stop b/salt/common/tools/sbin/so-wazuh-stop
index dd64354c7..399d14567 100644
--- a/salt/common/tools/sbin/so-wazuh-stop
+++ b/salt/common/tools/sbin/so-wazuh-stop
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@@ -14,4 +14,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-wazuh
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop wazuh $1
+

From 1de8902eef5c83a8ced2f7b77e5e2c9d33fa83b9 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 14:45:29 +0000
Subject: [PATCH 099/188] Add default to setup

---
 setup/functions.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index f23da15ba..5e1ef125b 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -714,7 +714,7 @@ master_static() {
   touch /opt/so/saltstack/pillar/static.sls
 
   echo "static:" > /opt/so/saltstack/pillar/static.sls
-  echo "  soversion: 1.1.4" >> /opt/so/saltstack/pillar/static.sls
+  echo "  soversion: HH1.1.4" >> /opt/so/saltstack/pillar/static.sls
   echo "  hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls
   echo "  ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls
   echo "  proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls
@@ -732,6 +732,8 @@ master_static() {
   echo "  cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls
   echo "  fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
   echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
+  echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
+  echo "  features: False" >> /opt/so/saltstack/pillar/static.sls
   if [[ $MASTERUPDATES == 'MASTER' ]]; then
     echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
   else

From fbb9f099f9c42153db47133cf7409019bb628ca1 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 14:49:58 +0000
Subject: [PATCH 100/188] Update Elastic state files

---
 salt/elasticsearch/init.sls | 13 ++++++++++---
 salt/filebeat/init.sls      | 10 ++++++++--
 salt/kibana/init.sls        | 10 ++++++++--
 salt/logstash/init.sls      | 11 +++++++++--
 4 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 3d60f2925..a2493091a 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -12,8 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
+
 {% if grains['role'] == 'so-master' %}
 
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
@@ -102,7 +109,7 @@ eslogdir:
 
 so-elasticsearch:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }}
     - hostname: elasticsearch
     - name: so-elasticsearch
     - user: elasticsearch
@@ -135,4 +142,4 @@ so-elasticsearch-pipelines-file:
 
 so-elasticsearch-pipelines:
  cmd.run:
-   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
\ No newline at end of file
+   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 1a59446b3..44cc7c65c 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -12,9 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
 
 # Filebeat Setup
 filebeatetcdir:
@@ -49,7 +55,7 @@ filebeatconfsync:
 
 so-filebeat:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 58eb6a32d..d2cf30c1a 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,5 +1,11 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
 
 # Add ES Group
 kibanasearchgroup:
@@ -56,7 +62,7 @@ synckibanacustom:
 # Start the kibana docker
 so-kibana:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }}
     - hostname: kibana
     - user: kibana
     - environment:
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 388019abf..2d94c5354 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -12,8 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
+{% endif %}
+
 # Logstash Section - Decide which pillar to use
 {% if grains['role'] == 'so-sensor' %}
 
@@ -200,7 +207,7 @@ lslogdir:
 
 so-logstash:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }}
     - hostname: so-logstash
     - name: so-logstash
     - user: logstash

From b995b09d52ec96648a5833fdfdd229c3195b99f7 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 14:59:53 +0000
Subject: [PATCH 101/188] Update version in all state files

---
 salt/common/init.sls     | 10 +++++-----
 salt/curator/init.sls    |  4 ++--
 salt/elastalert/init.sls |  4 ++--
 salt/fleet/init.sls      |  4 ++--
 salt/hive/init.sls       |  8 ++++----
 salt/idstools/init.sls   |  4 ++--
 salt/master/init.sls     |  4 ++--
 salt/mysql/init.sls      |  4 ++--
 salt/pcap/init.sls       |  4 ++--
 salt/playbook/init.sls   |  6 +++---
 salt/redis/init.sls      |  4 ++--
 salt/sensoroni/init.sls  |  4 ++--
 salt/soctopus/init.sls   |  4 ++--
 salt/suricata/init.sls   |  4 ++--
 salt/tcpreplay/init.sls  |  4 ++--
 salt/wazuh/init.sls      |  4 ++--
 salt/zeek/init.sls       |  4 ++--
 17 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/salt/common/init.sls b/salt/common/init.sls
index de7048c51..7ed59efa1 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
@@ -118,7 +118,7 @@ nginxtmp:
 
 so-core:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
     - hostname: so-core
     - user: socore
     - binds:
@@ -172,7 +172,7 @@ tgrafconf:
 
 so-telegraf:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc
@@ -227,7 +227,7 @@ influxdbconf:
 
 so-influxdb:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
     - hostname: influxdb
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -385,7 +385,7 @@ dashboard-{{ SN }}:
 
 so-grafana:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
     - hostname: grafana
     - user: socore
     - binds:
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index f846ff8ae..e1cd4829a 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
 # Curator
@@ -116,7 +116,7 @@ curdel:
 
 so-curator:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-curator:{{ VERSION }}
     - hostname: curator
     - name: so-curator
     - user: curator
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 0e93ed885..599043d58 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}
 
@@ -112,7 +112,7 @@ elastaconf:
 
 so-elastalert:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }}
     - hostname: elastalert
     - name: so-elastalert
     - user: elastalert
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 85370d20d..a27ad9eb6 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -1,7 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 # Fleet Setup
@@ -63,7 +63,7 @@ fleetdbpriv:
 
 so-fleet:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:{{ VERSION }}
     - hostname: so-fleet
     - port_bindings:
       - 0.0.0.0:8080:8080
diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index c5cf72d39..01484e365 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -1,5 +1,5 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 hiveconfdir:
   file.directory:
@@ -57,7 +57,7 @@ hiveesdata:
 
 so-thehive-es:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }}
     - hostname: so-thehive-es
     - name: so-thehive-es
     - user: 939
@@ -85,7 +85,7 @@ so-thehive-es:
 # Install Cortex
 so-cortex:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }}
     - hostname: so-cortex
     - name: so-cortex
     - user: 939
@@ -102,7 +102,7 @@ cortexscript:
 
 so-thehive:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:{{ VERSION }}
     - environment:
       - ELASTICSEARCH_HOST={{ MASTERIP }}
     - hostname: so-thehive
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index c18814243..969215559 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # IDSTools Setup
 idstoolsdir:
@@ -64,7 +64,7 @@ ruleslink:
 
 so-idstools:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:{{ VERSION }}
     - hostname: so-idstools
     - user: socore
     - binds:
diff --git a/salt/master/init.sls b/salt/master/init.sls
index e01d19b58..44ae2d75f 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
 
@@ -59,7 +59,7 @@ acngcopyconf:
 # Install the apt-cacher-ng container
 so-aptcacherng:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
     - hostname: so-acng
     - port_bindings:
       - 0.0.0.0:3142:3142
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index b964d7d37..ac49953f1 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,7 +1,7 @@
 {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
 {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # MySQL Setup
 mysqlpkgs:
@@ -52,7 +52,7 @@ mysqldatadir:
 
 so-mysql:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:{{ VERSION }}
     - hostname: so-mysql
     - user: socore
     - port_bindings:
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 16d002250..33d660c3c 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -12,7 +12,7 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # PCAP Section
 
@@ -130,7 +130,7 @@ stenolog:
 
 so-steno:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
     - network_mode: host
     - privileged: True
     - port_bindings:
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 907e4825c..049c5fab9 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -1,5 +1,5 @@
 {% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 playbookdb:
@@ -28,7 +28,7 @@ navigatorconfig:
 
 so-playbook:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:{{ VERSION }}
     - hostname: playbook
     - name: so-playbook
     - binds:
@@ -38,7 +38,7 @@ so-playbook:
 
 so-navigator:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:{{ VERSION }}
     - hostname: navigator
     - name: so-navigator
     - binds:
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 690f2a7c9..2e6bd030c 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -13,7 +13,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 # Redis Setup
@@ -48,7 +48,7 @@ redisconfsync:
 
 so-redis:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }}
     - hostname: so-redis
     - user: socore
     - port_bindings:
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index 44f29ef4f..b8d0b4e06 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 sensoronidir:
@@ -32,7 +32,7 @@ sensoronisync:
 
 so-sensoroni:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:{{ VERSION }}
     - hostname: sensoroni
     - name: so-sensoroni
     - binds:
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index d03ed9f04..8a9506ba5 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 soctopusdir:
@@ -49,7 +49,7 @@ navigatordefaultlayer:
 
 so-soctopus:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }}
     - hostname: soctopus
     - name: so-soctopus
     - binds:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 6f08c2704..a8f15d268 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -15,7 +15,7 @@
 
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BROVER = salt['pillar.get']('static:broversion', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 # Suricata
@@ -82,7 +82,7 @@ surithresholding:
     
 so-suricata:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }}
     - privileged: True
     - environment:
       - INTERFACE={{ interface }}
diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls
index fa320836e..bf80d9a10 100644
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -1,11 +1,11 @@
 {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 so-tcpreplay:
   docker_container.running:
     - network_mode: "host"
-    - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }}
     - name: so-tcpreplay
     - user: root
     - interactive: True
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 9623c29ac..42cf3f4b7 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,5 +1,5 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # Add ossec group
 ossecgroup:
@@ -74,7 +74,7 @@ wazuhmgrwhitelist:
 
 so-wazuh:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }}
     - hostname: {{HOSTNAME}}-wazuh-manager
     - name: so-wazuh
     - detach: True
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 90c07c7ea..e0f1f8c9b 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 # Zeek Salt State
 # Add Zeek group
@@ -100,7 +100,7 @@ localzeeksync:
 
 so-zeek:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }}
     - privileged: True
     - binds:
       - /nsm/zeek/logs:/nsm/zeek/logs:rw

From 38f42eafa57f6b2a9cb211e2d9ffeb2c924f126b Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 15:02:50 +0000
Subject: [PATCH 102/188] Add Features enable script

---
 salt/common/tools/sbin/so-features-enable | 42 +++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-features-enable

diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
new file mode 100644
index 000000000..a37743960
--- /dev/null
+++ b/salt/common/tools/sbin/so-features-enable
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+  "so-elasticsearch:$VERSION$SUFFIX" \
+  "so-filebeat:$VERSION$SUFFIX" \
+  "so-kibana:$VERSION$SUFFIX" \
+  "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+done

From c22753a8fb9847c52cb8a5166bd9b11e84e27668 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 19:42:59 +0000
Subject: [PATCH 103/188] Don't restart when running whitelist script

---
 salt/wazuh/files/wazuh-manager-whitelist | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
index 0cf675f5c..2a8450edb 100644
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -27,7 +27,7 @@ if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
               echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG."
               echo
               echo "Restarting OSSEC Server..."
-              /usr/sbin/so-wazuh-restart
+              #/usr/sbin/so-wazuh-restart
       fi
 fi
 

From b92cceb9866ff1d08f94ca33a9143fe2f301a1ad Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 19:44:56 +0000
Subject: [PATCH 104/188] Fix order of static add

---
 setup/functions.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 5e1ef125b..34de4a0e7 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -732,13 +732,13 @@ master_static() {
   echo "  cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls
   echo "  fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
   echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
-  echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
-  echo "  features: False" >> /opt/so/saltstack/pillar/static.sls
   if [[ $MASTERUPDATES == 'MASTER' ]]; then
     echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
   else
     echo "  masterupdate: 0" >> /opt/so/saltstack/pillar/static.sls
   fi
+  echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
+  echo "  features: False" >> /opt/so/saltstack/pillar/static.sls
 }
 
 minio_generate_keys() {

From 5403dab027f47a9e00f54766dff52dcf801f3e9f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 15:48:40 -0500
Subject: [PATCH 105/188] Suricata - Initial bpf support

---
 salt/common/tools/sbin/so-bpf-compile | 37 +++++++++++++++++++++++++++
 salt/suricata/init.sls                | 29 +++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-bpf-compile

diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile
new file mode 100644
index 000000000..44c5b8249
--- /dev/null
+++ b/salt/common/tools/sbin/so-bpf-compile
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a8f15d268..81df5b150 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -17,6 +17,9 @@
 {% set BROVER = salt['pillar.get']('static:broversion', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
+{% set BPF_STATUS = 0  %}
+
 
 # Suricata
 
@@ -79,6 +82,32 @@ surithresholding:
     - user: 940
     - group: 940
     - template: jinja
+
+# BPF compilation and configuration
+{% if BPF_NIDS %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+      {% set BPF_STATUS = 1  %}
+   {% else  %}
+suribpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+suribpf:
+  file.managed:
+    - name: /opt/so/conf/suricata/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents_pillar: nids:bpf
+   {% else %}
+    - contents:
+      - ""
+   {% endif %}
     
 so-suricata:
   docker_container.running:

From 8204ffdd0595e0b3abc9e880434590759c623c25 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 15:51:13 -0500
Subject: [PATCH 106/188] Suricata bpf - docker bind bpf file

---
 salt/suricata/init.sls | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 81df5b150..5802e2b38 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -120,8 +120,10 @@ so-suricata:
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
+      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
     - network_mode: host
     - watch:
       - file: /opt/so/conf/suricata/suricata.yaml
       - file: surithresholding
       - file: /opt/so/conf/suricata/rules/
+      - file: /opt/so/conf/suricata/bpf

From f536e89064984b94bc3f8cea358fe02d567b7ca9 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 16:12:46 -0500
Subject: [PATCH 107/188] Suricata bpf cleanup

---
 salt/suricata/init.sls | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 5802e2b38..65b80c9ae 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -18,7 +18,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
-{% set BPF_STATUS = 0  %}
 
 
 # Suricata
@@ -86,9 +85,7 @@ surithresholding:
 # BPF compilation and configuration
 {% if BPF_NIDS %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
-   {% if BPF_CALC['stderr'] == "" %}
-      {% set BPF_STATUS = 1  %}
-   {% else  %}
+   {% if BPF_CALC['stderr'] != "" %}
 suribpfcompilationfailure:
   test.configurable_test_state:
    - changes: False
@@ -102,7 +99,7 @@ suribpf:
     - name: /opt/so/conf/suricata/bpf
     - user: 940
     - group: 940
-   {% if BPF_STATUS %}
+   {% if BPF_CALC['stderr'] == "" %}
     - contents_pillar: nids:bpf
    {% else %}
     - contents:

From ae087c55525e19553343a0084e9e695292cbbf4a Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 16:53:19 -0500
Subject: [PATCH 108/188] Steno BPF tweaks

---
 salt/pcap/files/compile_bpf.sh | 37 ----------------------------------
 salt/pcap/files/config         |  2 +-
 salt/pcap/init.sls             | 34 ++++++++++---------------------
 3 files changed, 12 insertions(+), 61 deletions(-)
 delete mode 100644 salt/pcap/files/compile_bpf.sh

diff --git a/salt/pcap/files/compile_bpf.sh b/salt/pcap/files/compile_bpf.sh
deleted file mode 100644
index 44c5b8249..000000000
--- a/salt/pcap/files/compile_bpf.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ "$#" -lt 2 ]; then
-  cat 1>&2 <<EOF
-$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
-Its first argument is the interface (link type is required) and all other arguments
-are passed to TCPDump.
-
-Examples:
- $0 eth0 dst port 80
- $0 eth0 udp port 53
-EOF
-  exit 1
-fi
-
-interface="$1"
-shift
-sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
-while read line; do
-  cols=( $line )
-  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
-done
-echo ""
diff --git a/salt/pcap/files/config b/salt/pcap/files/config
index 0f06d1c7e..4a612fbf1 100644
--- a/salt/pcap/files/config
+++ b/salt/pcap/files/config
@@ -11,6 +11,6 @@
   , "Interface": "{{ interface }}"
   , "Port": 1234
   , "Host": "127.0.0.1"
-  , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ bpf_compiled }}]
+  , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}]
   , "CertPath": "/etc/stenographer/certs"
 }
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 16d002250..97cc6f3db 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -12,8 +12,12 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
+{% set BPF_COMPILED = "" %}
+
 # PCAP Section
 
 # Create the logstash group
@@ -36,31 +40,19 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set bpf_global = salt['pillar.get']('static:steno:bpf', None) %}
-{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %}
-
-{% if bpf_steno != None or bpf_global != None %}
-   {% if bpf_steno != None %}
-      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %}
-   {% else %}
-      {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_global) %}
-   {% endif %}
-   {% if bpf_calc['stderr'] == "" %}
-      {% set bpf_compiled = bpf_calc['stdout'] %}
+{% if BPF_STENO %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+      {% set BPF_COMPILED =  ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""  %}
    {% else  %}
-         {% set bpf_compiled = None %}
 
 bpfcompilationfailure:
   test.configurable_test_state:
-   - name: bpfcompfailure
    - changes: False
    - result: False
    - comment: "BPF Compilation Failed - Discarding specified BPF"
 
    {% endif %}
-{% else  %}
-   {% set bpf_compiled = None %}
 {% endif %}
 
 stenoconf:
@@ -72,11 +64,7 @@ stenoconf:
     - mode: 644
     - template: jinja
     - defaults:
-        bpf_compiled: ""
-{% if bpf_compiled != None %}
-    - context:
-        bpf_compiled: ',"--filter={{ bpf_compiled }}"'
-{% endif %}
+        BPF_COMPILED: "{{ BPF_COMPILED }}"
 
 sensoroniagentconf:
   file.managed:
@@ -130,7 +118,7 @@ stenolog:
 
 so-steno:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
     - network_mode: host
     - privileged: True
     - port_bindings:

From 8b415b9db44b2143175ed448eec03abe500d70a4 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 28 Jan 2020 23:55:06 +0000
Subject: [PATCH 109/188] Update config.yaml for Elastalert shard/replica
 changes

---
 salt/elastalert/files/elastalert_config.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml
index 735ccb190..e71f41bf8 100644
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -82,3 +82,7 @@ writeback_index: elastalert_status
 # sending the alert until this time period has elapsed
 alert_time_limit:
   days: 2
+
+index_settings:
+  shards: 1
+  replicas: 0

From 7150564c70aaf903d22162870f0268a663fd4883 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 28 Jan 2020 18:58:26 -0500
Subject: [PATCH 110/188] heavynode

---
 pillar/top.sls                                |   9 +-
 salt/common/init.sls                          |   4 +-
 salt/common/nginx/nginx.conf.so-heavynode     |  89 +++++++++++++
 salt/elasticsearch/init.sls                   |   4 +-
 salt/filebeat/etc/filebeat.yml                |  10 +-
 salt/filebeat/init.sls                        |   2 +-
 salt/firewall/init.sls                        |  40 +++++-
 .../master/templates/9999_output_redis.conf   |   5 +
 .../search/templates/0900_input_redis.conf    |   6 +-
 salt/logstash/etc/logstash.yml                |   2 +-
 salt/logstash/init.sls                        |   2 +-
 salt/ssl/init.sls                             |  18 ++-
 salt/top.sls                                  |  28 ++++
 salt/wazuh/files/agent/ossec.conf             |   2 +-
 salt/wazuh/files/agent/wazuh-register-agent   |   2 +-
 setup/functions.sh                            |  10 +-
 setup/so-setup.sh                             | 126 ++++++++++++++++++
 setup/whiptail.sh                             |   1 +
 18 files changed, 339 insertions(+), 21 deletions(-)
 create mode 100644 salt/common/nginx/nginx.conf.so-heavynode

diff --git a/pillar/top.sls b/pillar/top.sls
index 99fe26556..852efe27c 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -2,7 +2,8 @@ base:
   '*':
     - patch.needs_restarting
 
-  'G@role:so-mastersearch':
+  'G@role:so-mastersearch or G@role:so-heavynode':
+    - match: compound
     - logstash.mastersearch
 
   'G@role:so-sensor':
@@ -32,6 +33,12 @@ base:
     - firewall.*
     - minions.{{ grains.id }}
 
+  'G@role:so-heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
+
   'G@role:so-helix':
     - static
     - firewall.*
diff --git a/salt/common/init.sls b/salt/common/init.sls
index de7048c51..3098cdb50 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,6 +1,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -343,7 +343,7 @@ dashboard-{{ SN }}:
 
 {% if salt['pillar.get']('nodestab', False) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
+dashboardsearch-{{ SN }}:
   file.managed:
     - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
     - user: 939
diff --git a/salt/common/nginx/nginx.conf.so-heavynode b/salt/common/nginx/nginx.conf.so-heavynode
new file mode 100644
index 000000000..39688f3df
--- /dev/null
+++ b/salt/common/nginx/nginx.conf.so-heavynode
@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 3d60f2925..79421003f 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -24,7 +24,7 @@
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
 
-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 
 {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
 {% set esheap = salt['pillar.get']('node:esheap', '') %}
@@ -135,4 +135,4 @@ so-elasticsearch-pipelines-file:
 
 so-elasticsearch-pipelines:
  cmd.run:
-   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
\ No newline at end of file
+   - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 4706e4c5a..45936c180 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -1,4 +1,10 @@
+{%- if grains.role == 'so-heavynode' %}
+{%- set MASTER = grains.host %}
+{%- else %}
 {%- set MASTER = grains['master'] %}
+{%- endif %}
+
+
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
@@ -67,12 +73,12 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
     paths:
-      - /nsm/bro/logs/current/{{ LOGNAME }}.log
+      - /nsm/zeek/logs/current/{{ LOGNAME }}.log
     fields:
       type: bro_{{ LOGNAME }}
     fields_under_root: true
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 1a59446b3..8f4985024 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -61,7 +61,7 @@ so-filebeat:
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
-{%- if grains['role'] == 'so-master' %}
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-heavynode' %}
       - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
 {%- else %}
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index a016a9767..a26993cc0 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,7 +1,7 @@
 # Firewall Magic for the grid
 {%- if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch'] %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
@@ -584,7 +584,7 @@ enable_standard_analyst_443_{{ip}}:
 {% endif %}
 
 # Rules if you are a Node
-{% if grains['role'] == 'so-node' %}
+{% if 'node' in grains['role'] %}
 
 #This should be more granular
 iptables_allow_docker:
@@ -655,3 +655,39 @@ iptables_drop_all_the_things:
     - chain: LOGGING
     - jump: DROP
     - save: True
+
+{% if grains['role'] == 'so-heavynode' %}
+# Allow Redis
+enable_heavynode_redis_6379_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 6379
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5044_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5044
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5644_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5644
+    - position: 1
+    - save: True
+{% endif %}
diff --git a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
index fa650b538..f176e0b94 100644
--- a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
+++ b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
@@ -1,10 +1,15 @@
 {%- if salt['grains.get']('role') == 'so-master' %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
 {%- else %}
 {%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- endif %}
+
+
 output {
 	redis {
 		host => '{{ master }}'
diff --git a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
index 660d2e741..ede940367 100644
--- a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
+++ b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
@@ -1,4 +1,8 @@
-{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-heavynode' %}
+{%- set master = salt['pillar.get']('node:mainip', '') %}
+{%- else %}
+{%- set master = salt['pillar.get']('static:masterip', '') %}
+{% endif -%}
 input {
 	redis {
 		host => '{{ master }}'
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index e5bb76b5b..6b07199d1 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,7 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' %}
+{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
 {% else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 388019abf..8d84bf962 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -20,7 +20,7 @@
 {% set lsheap = salt['pillar.get']('sensor:lsheap', '') %}
 {% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %}
 
-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {% set lsheap = salt['pillar.get']('node:lsheap', '') %}
 {% set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index f3e815174..57579f6ca 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -2,7 +2,7 @@
 {% set master_minion_id = master.split(".")[0] %}
 {%- set masterip = salt['pillar.get']('static:masterip', '') -%}
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval'  or grains['role'] == 'so-heavynode' %}
     {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
     {% set ca_server = grains.id %}
 {% else %}
@@ -41,7 +41,7 @@ m2cryptopkgs:
         bits: 4096
         backup: True
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
 
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
@@ -49,7 +49,11 @@ m2cryptopkgs:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -129,7 +133,7 @@ fbcrtlink:
         backup: True
 
 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
 
 fbcertdir:
   file.directory:
@@ -142,7 +146,11 @@ fbcertdir:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
diff --git a/salt/top.sls b/salt/top.sls
index 14556b67e..1608b93d6 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -233,3 +233,31 @@ base:
     {%- if DOMAINSTATS != 0 %}
     - domainstats
     {%- endif %}
+
+  'G@role:so-heavynode':
+    - ca
+    - ssl
+    - common
+    - firewall
+    - redis
+    - logstash
+    - elasticsearch
+    - curator
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - pcap
+    - suricata
+    {%- if BROVER != 'SURICATA' %}
+    - zeek
+    {%- endif %}
+    - wazuh
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - schedule
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 8f54e6a08..c5a61e8ad 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index dbf4a4968..8a8c2ab7f 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
diff --git a/setup/functions.sh b/setup/functions.sh
index f23da15ba..95b992107 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -1281,6 +1281,14 @@ set_initial_firewall_policy() {
     ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
+  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+  fi
+
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
     echo "blah"
   fi
@@ -1314,7 +1322,7 @@ set_management_interface() {
 set_node_type() {
 
   # Determine the node type based on whiplash choice
-  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
+  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ; then
     NODETYPE='search'
   fi
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index a2501dfb9..8ee35a126 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -803,6 +803,132 @@ if (whiptail_you_sure) ; then
 
   fi
 
+  ########################
+  ##     Heavy Node     ##
+  ########################
+
+  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
+
+    filter_unused_nics
+    whiptail_bond_nics
+    whiptail_management_server
+    whiptail_master_updates
+    set_updates
+    whiptail_homenet_sensor
+    whiptail_sensor_config
+    # Calculate lbprocs so we can call it in the prompts
+    calculate_useable_cores
+    if [ $NSMSETUP == 'ADVANCED' ]; then
+      whiptail_bro_pins
+      whiptail_suricata_pins
+      whiptail_bond_nics_mtu
+    else
+      whiptail_basic_bro
+      whiptail_basic_suri
+    fi
+
+    get_log_size_limit
+    CURCLOSEDAYS=30
+    es_heapsize
+    ls_heapsize
+    whiptail_node_advanced
+    if [ $NODESETUP == 'NODEADVANCED' ]; then
+      whiptail_node_es_heap
+      whiptail_node_ls_heap
+      whiptail_node_ls_pipeline_worker
+      whiptail_node_ls_pipline_batchsize
+      whiptail_node_ls_input_threads
+      whiptail_node_ls_input_batch_count
+      whiptail_cur_close_days
+      whiptail_log_size_limit
+    else
+      NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
+      NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
+      LSPIPELINEWORKERS=$CPUCORES
+      LSPIPELINEBATCH=125
+      LSINPUTTHREADS=1
+      LSINPUTBATCHCOUNT=125
+    fi
+    whiptail_make_changes
+    set_hostname
+    clear_master
+    mkdir -p /nsm
+    get_filesystem_root
+    get_filesystem_nsm
+    if [ $INSTALLMETHOD == iso ]; then
+      add_admin_user
+      disable_onion_user
+    fi
+    copy_ssh_key >> $SETUPLOG 2>&1
+    {
+      sleep 0.5
+      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
+      set_initial_firewall_policy >> $SETUPLOG 2>&1
+
+      echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
+      create_sensor_bond >> $SETUPLOG 2>&1
+      echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
+      sensor_pillar >> $SETUPLOG 2>&1
+      echo "** Generating the patch pillar **" >> $SETUPLOG
+      patch_pillar >> $SETUPLOG 2>&1
+
+
+
+      echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
+      saltify >> $SETUPLOG 2>&1
+      echo -e "XXX\n20\nInstalling Docker... \nXXX"
+      docker_install >> $SETUPLOG 2>&1
+      echo -e "XXX\n30\nInitializing Minion... \nXXX"
+      configure_minion heavynode >> $SETUPLOG 2>&1
+      set_node_type >> $SETUPLOG 2>&1
+      node_pillar >> $SETUPLOG 2>&1
+      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
+      copy_minion_tmp_files >> $SETUPLOG 2>&1
+      echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
+      salt_firstcheckin >> $SETUPLOG 2>&1
+      # Accept the Salt Key
+      accept_salt_key_remote >> $SETUPLOG 2>&1
+      echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
+      salt-call state.apply ca >> $SETUPLOG 2>&1
+      salt-call state.apply ssl >> $SETUPLOG 2>&1
+      echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
+      salt-call state.apply common >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
+      echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
+      salt-call state.apply logstash >> $SETUPLOG 2>&1
+      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
+      salt-call state.apply curator >> $SETUPLOG 2>&1
+      salt-call state.apply filebeat >> $SETUPLOG 2>&1
+      echo -e "XXX\n50\nInstalling PCAP... \nXXX"
+      salt-call state.apply pcap >> $SETUPLOG 2>&1
+      echo -e "XXX\n60\nInstalling IDS components... \nXXX"
+      salt-call state.apply suricata >> $SETUPLOG 2>&1
+
+      checkin_at_boot >> $SETUPLOG 2>&1
+      echo -e "XX\n97\nFinishing touches... \nXXX"
+      filter_unused_nics >> $SETUPLOG 2>&1
+      network_setup >> $SETUPLOG 2>&1
+      echo -e "XXX\n98\nVerifying Setup... \nXXX"
+    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
+    if [[ $GOODSETUP == '0' ]]; then
+      whiptail_setup_complete
+      shutdown -r now
+    else
+      whiptail_setup_failed
+      shutdown -r now
+    fi
+
+  fi
+
+
+
+
+
+
+
+
+
 else
     echo "User not sure. Cancelling setup.">> $SETUPLOG 2>&1
     whiptail_cancel
diff --git a/setup/whiptail.sh b/setup/whiptail.sh
index 171f180d2..3316d6e2c 100644
--- a/setup/whiptail.sh
+++ b/setup/whiptail.sh
@@ -254,6 +254,7 @@ whiptail_install_type() {
   "MASTERONLY" "Start a new grid" OFF \
   "EVALMODE" "Evaluate all the things" OFF \
   "MASTERSEARCH" "Master + Search Node" OFF \
+  "HEAVYNODE" "Sensor + Search Node" OFF \
   "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \
   "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
   "HOTNODE" "TODO Add Hot Node (Search Node without Parsing)" OFF \

From 41e5c6ae90db10d0046512b9087eb9c96fb9dc0d Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 00:57:58 +0000
Subject: [PATCH 111/188] Add data deletion scripts

---
 salt/common/tools/sbin/so-elastic-clear | 79 +++++++++++++++++++++++++
 salt/common/tools/sbin/so-nsm-clear     | 76 ++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-elastic-clear
 create mode 100644 salt/common/tools/sbin/so-nsm-clear

diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear
new file mode 100644
index 000000000..79c7e99ad
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+
diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
new file mode 100644
index 000000000..e45c10511
--- /dev/null
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion NSM Data Deletion
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+delete_pcap() {
+  PCAP_DATA="/nsm/pcap/"
+  [ -f $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+}
+delete_suricata() {
+  SURI_LOG="/opt/so/log/suricata/eve.json"
+  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+}
+delete_zeek() {
+  ZEEK_LOG="/nsm/zeek/logs/"
+  [ -f $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+}
+
+delete_pcap
+delete_suricata
+delete_zeek
+

From 5e0299e7bba58037b62268693cb0b852298d7790 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 01:11:22 +0000
Subject: [PATCH 112/188] Add PCAP stop|start|restart scripts

---
 salt/common/tools/sbin/so-pcap-restart | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-pcap-start   | 20 ++++++++++++++++++++
 salt/common/tools/sbin/so-pcap-stop    | 20 ++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-pcap-restart
 create mode 100644 salt/common/tools/sbin/so-pcap-start
 create mode 100644 salt/common/tools/sbin/so-pcap-stop

diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/common/tools/sbin/so-pcap-restart
new file mode 100644
index 000000000..6095dc357
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1
diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/common/tools/sbin/so-pcap-start
new file mode 100644
index 000000000..595fd54bb
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1
diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/common/tools/sbin/so-pcap-stop
new file mode 100644
index 000000000..d539d2f98
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1

From 48ebc5e2e3b1b06ccf8327873c46c8003777c4d5 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 01:13:40 +0000
Subject: [PATCH 113/188] Fix data checks

---
 salt/common/tools/sbin/so-nsm-clear | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
index e45c10511..95ded5a4b 100644
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -59,7 +59,7 @@ fi
 
 delete_pcap() {
   PCAP_DATA="/nsm/pcap/"
-  [ -f $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
   SURI_LOG="/opt/so/log/suricata/eve.json"
@@ -67,7 +67,7 @@ delete_suricata() {
 }
 delete_zeek() {
   ZEEK_LOG="/nsm/zeek/logs/"
-  [ -f $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+  [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
 }
 
 delete_pcap

From 5bd037e88c45dfcda821dd9e82a563066b630caa Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 28 Jan 2020 21:40:28 -0500
Subject: [PATCH 114/188] Initial so-status script

---
 salt/common/tools/sbin/so-status | 137 +++++++++++++++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-status

diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
new file mode 100644
index 000000000..3d086cccd
--- /dev/null
+++ b/salt/common/tools/sbin/so-status
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if ! [ $(id -u)=0 ]; then
+   echo "This command must be run as root"
+   exit 1
+fi
+
+# Constants
+ERROR_STRING="ERROR"
+SUCCESS_STRING="OK"
+PENDING_STRING="PENDING"
+declare -a BAD_STATUSES=("removing", "paused", "exited", "dead")
+declare -a PENDING_STATUSES=("paused", "created", "restarting")
+declare -a GOOD_STATUSES=("running")
+
+
+declare -a container_name_list=()
+declare -a container_state_list=()
+populate_container_lists() {
+    systemctl is-active --quiet docker
+
+    if [[ $? = 0 ]]; then
+        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
+            | jq -c '.[] | { Name: .Names[0], State: .State }' \
+            | tr -d '/{"}')
+    else
+        exit 1
+    fi
+
+    local container_name=""
+    local container_state=""
+
+    for line in ${docker_raw_list[@]}; do
+        container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
+        container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
+        container_name_list+=( "${container_name}" )
+        container_state_list+=( "${container_state}" )
+    done
+}
+
+parse_status() {
+    local container_state=${1}
+    local found=0
+
+    for state in "${GOOD_STATUSES[@]}"; do
+        [[ $container_state = $state ]] && printf $SUCCESS_STRING && return 0
+    done
+
+    if [[ $found = 0 ]]; then
+        for state in "${PENDING_STATUSES[@]}"; do
+            [[ $container_state = $state ]] && printf $PENDING_STRING && return 0
+        done
+    fi
+
+    # This is technically not needed since the default is error state
+    if [[ $found = 0 ]]; then
+        for state in "${BAD_STATUSES[@]}"; do
+            [[ $container_state = $state ]] && printf $ERROR_STRING && return 1
+        done
+    fi
+
+    printf $ERROR_STRING && return 1
+}
+
+columns=$(tput cols)
+
+print_line() {
+    local service_name=${1}
+    local service_state=$( parse_status ${2} )
+    local PADDING_CONSTANT=14
+    local state_color="\e[0m"
+
+    if [[ $service_state = $ERROR_STRING ]]; then
+        state_color="\e[1;31m"
+    elif [[ $service_state = $SUCCESS_STRING ]]; then
+        state_color="\e[1;32m"
+    elif [[ $service_state = $PENDING_STRING ]]; then
+        state_color="\e[1;33m"
+    else
+        state_color="\e[0m"
+    fi
+
+    printf "    $service_name "
+    for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
+        printf "-"
+    done
+    printf " [ "
+    printf "${state_color}%b\e[0m" "$service_state"
+    printf "%s    \n" " ]"
+}
+
+main() {
+    local focus_color="\e[1;34m"
+    printf "\n"
+    printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
+
+    systemctl is-active --quiet docker
+    if [[ $? = 0 ]]; then
+        print_line "Docker" "running"
+    else
+        print_line "Docker" "exited"
+    fi
+
+    populate_container_lists
+
+    printf "\n"
+
+    printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
+
+
+    local num_containers=${#docker_raw_list[@]}
+    local container_name=""
+    local container_state=""
+
+    for i in $(seq 0 $(($num_containers - 1 ))); do
+        print_line ${container_name_list[$i]} ${container_state_list[$i]}
+    done
+
+    printf "\n"
+}
+
+main
\ No newline at end of file

From aa2fbc2d5324defee09981230468d5b685c4268f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 21:44:42 -0500
Subject: [PATCH 115/188] Zeek - Initial BPF support

---
 salt/bro/files/local.bro                  |   3 +
 salt/bro/init.sls                         |  34 ++++++-
 salt/bro/policy/securityonion/bpfconf.bro | 106 ++++++++++++++++++++++
 3 files changed, 141 insertions(+), 2 deletions(-)
 create mode 100644 salt/bro/policy/securityonion/bpfconf.bro

diff --git a/salt/bro/files/local.bro b/salt/bro/files/local.bro
index 42112f7ee..afe4b94ca 100644
--- a/salt/bro/files/local.bro
+++ b/salt/bro/files/local.bro
@@ -102,6 +102,9 @@
 # is currently considered a preview and therefore not loaded by default.
 @load base/protocols/smb
 
+# BPF Configuration
+@load securityonion/bpfconf
+
 # Add the interface to the log event
 #@load securityonion/add-interface-to-logs.bro
 
diff --git a/salt/bro/init.sls b/salt/bro/init.sls
index 6a972cbe7..8f36be420 100644
--- a/salt/bro/init.sls
+++ b/salt/bro/init.sls
@@ -1,3 +1,7 @@
+{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
+{% set BPF_STATUS = 0  %}
+
 # Bro Salt State
 # Add Bro group
 brogroup:
@@ -103,6 +107,32 @@ zeekcleanscript:
     - month: '*'
     - dayweek: '*'
 
+# BPF compilation and configuration
+{% if BPF_ZEEK %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+       {% set BPF_STATUS = 1  %}
+  {% else  %}
+zeekbpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+zeekbpf:
+  file.managed:
+    - name: /opt/so/conf/bro/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents_pillar: zeek:bpf
+   {% else %}
+    - contents:
+      - "ip or not ip"
+   {% endif %}
+
 # Sync local.bro
 {% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
 localbrosync:
@@ -163,6 +193,7 @@ so-bro:
       - /nsm/bro/extracted:/nsm/bro/extracted:rw
       - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
       - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
+      - /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro
       - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
       - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
       - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
@@ -171,6 +202,5 @@ so-bro:
       - file: /opt/so/conf/bro/local.bro
       - file: /opt/so/conf/bro/node.cfg
       - file: /opt/so/conf/bro/policy
-
-
+      - file: /opt/so/conf/bro/bpf
 {% endif %}
diff --git a/salt/bro/policy/securityonion/bpfconf.bro b/salt/bro/policy/securityonion/bpfconf.bro
new file mode 100644
index 000000000..595aef8f2
--- /dev/null
+++ b/salt/bro/policy/securityonion/bpfconf.bro
@@ -0,0 +1,106 @@
+##! This script is to support the bpf.conf file like other network monitoring tools use.
+##! Please don't try to learn from this script right now, there are a large number of
+##! hacks in it to work around bugs discovered in Bro.
+
+@load base/frameworks/notice
+
+module BPFConf;
+
+export {
+	## The file that is watched on disk for BPF filter changes.
+	## Two templated variables are available; "sensorname" and "interface".
+	## They can be used by surrounding the term by doubled curly braces.
+	const filename = "/opt/bro/share/bro/site/bpf" &redef;
+
+	redef enum Notice::Type += { 
+		## Invalid filter notice.
+		InvalidFilter
+	};
+}
+
+global filter_parts: vector of string = vector();
+global current_filter_filename = "";
+
+type FilterLine: record {
+	s: string;
+};
+
+redef enum PcapFilterID += {
+	BPFConfPcapFilter,
+};
+
+event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	local part = sub(s, /[[:blank:]]*#.*$/, "");
+
+	# We don't want any blank parts.
+	if ( part != "" )
+		filter_parts[|filter_parts|] = part;
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	if ( name == "bpfconf" )
+		{
+		local filter = join_string_vec(filter_parts, " ");
+		capture_filters["bpf.conf"] = filter;
+		if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
+			{
+			PacketFilter::install();
+			}
+		else
+			{
+			NOTICE([$note=InvalidFilter,
+			        $msg=fmt("Compiling packet filter from %s failed", filename),
+			        $sub=filter]);
+			}
+
+		filter_parts=vector();
+		}
+	}
+
+
+function add_filter_file()
+	{
+	local real_filter_filename = BPFConf::filename;
+
+	# Support the interface template value.
+	#if ( SecurityOnion::sensorname != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
+
+	# Support the interface template value.
+	#if ( SecurityOnion::interface != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
+
+	#if ( /\{\{/ in real_filter_filename )
+	#	{
+	#	return;
+	#	}
+	#else
+	#	Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
+
+	if ( real_filter_filename != current_filter_filename )
+		{
+		current_filter_filename = real_filter_filename;
+		Input::add_event([$source=real_filter_filename,
+		                  $name="bpfconf",
+		                  $reader=Input::READER_RAW,
+		                  $mode=Input::REREAD,
+		                  $want_record=F,
+		                  $fields=FilterLine,
+		                  $ev=BPFConf::line]);
+		}
+	}
+
+#event SecurityOnion::found_sensorname(name: string)
+#	{
+#	add_filter_file();
+#	}
+
+event bro_init() &priority=5
+	{
+	if ( BPFConf::filename != "" )
+		add_filter_file();
+	}
+
+

From 3925ed52c7e03693a21015b2baad9030ebd436e0 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 22:02:18 -0500
Subject: [PATCH 116/188] Suricata - BPF hotfix

---
 salt/suricata/init.sls | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 65b80c9ae..dcea927ae 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -18,7 +18,7 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
-
+{% set BPF_STATUS = 0  %}
 
 # Suricata
 
@@ -85,7 +85,9 @@ surithresholding:
 # BPF compilation and configuration
 {% if BPF_NIDS %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
-   {% if BPF_CALC['stderr'] != "" %}
+   {% if BPF_CALC['stderr'] == "" %}
+      {% set BPF_STATUS = 1  %}
+   {% else  %}
 suribpfcompilationfailure:
   test.configurable_test_state:
    - changes: False
@@ -99,7 +101,7 @@ suribpf:
     - name: /opt/so/conf/suricata/bpf
     - user: 940
     - group: 940
-   {% if BPF_CALC['stderr'] == "" %}
+   {% if BPF_STATUS %}
     - contents_pillar: nids:bpf
    {% else %}
     - contents:

From bd395b835602ec81144ab4caaeec1b05f7437bec Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Tue, 28 Jan 2020 22:20:21 -0500
Subject: [PATCH 117/188] Update filebeat.yml

---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 4706e4c5a..a8308a6d9 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -72,7 +72,7 @@ filebeat.prospectors:
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
     paths:
-      - /nsm/bro/logs/current/{{ LOGNAME }}.log
+      - /nsm/zeek/logs/current/{{ LOGNAME }}.log
     fields:
       type: bro_{{ LOGNAME }}
     fields_under_root: true

From 5213c19e44d0cc2db01f408f2540b618f3c440bf Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Wed, 29 Jan 2020 09:30:03 -0500
Subject: [PATCH 118/188] Suricata - logfile fix

---
 salt/suricata/files/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml
index 093612335..05412fa6c 100644
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
@@ -489,7 +489,7 @@ logging:
   - file:
       enabled: yes
       level: info
-      filename: /usr/local/var/log/suricata/suricata.log
+      filename: /var/log/suricata/suricata.log
       # type: json
   - syslog:
       enabled: no

From b45241b42093697e069942db2d4f633d0ec3a675 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 29 Jan 2020 10:05:20 -0500
Subject: [PATCH 119/188] heavynode

---
 pillar/logstash/master.sls     | 4 ++++
 pillar/top.sls                 | 3 +++
 salt/logstash/etc/logstash.yml | 2 +-
 salt/logstash/init.sls         | 2 +-
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 pillar/logstash/master.sls

diff --git a/pillar/logstash/master.sls b/pillar/logstash/master.sls
new file mode 100644
index 000000000..3be98f6b9
--- /dev/null
+++ b/pillar/logstash/master.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    master:
+      config: "/usr/share/logstash/pipelines/master/*.conf"
diff --git a/pillar/top.sls b/pillar/top.sls
index 852efe27c..8e8c22de3 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -20,6 +20,9 @@ base:
     - auth
     - minions.{{ grains.id }}
 
+  'G@role:so-master':
+    - logstash.master
+
   'G@role:so-eval':
     - static
     - firewall.*
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index 6b07199d1..88f3c527e 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,7 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' %}
+{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
 {% else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 8d84bf962..4ac72af33 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -155,7 +155,7 @@ lscustsync:
 lsconfsync:
   file.managed:
     - name: /opt/so/conf/logstash/conf.enabled.txt
-{% if grains.role == 'so-mastersearch' %}
+{% if grains.role == 'so-mastersearch' or grains.role == 'so-heavynode' %}
     - source: salt://logstash/conf/conf.enabled.txt.so-master
 {% else %}
     - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}

From ef83d812d2778976d231489285e9a392bca03492 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 17:41:56 +0000
Subject: [PATCH 120/188] Set IP

---
 salt/common/tools/sbin/so-elastic-clear | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear
index 79c7e99ad..2db400839 100644
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -14,6 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
 . /usr/sbin/so-common
 
 SKIP=0

From 306cc1127b295eb9086504eafd8dce32c18b52ca Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 28 Jan 2020 18:58:26 -0500
Subject: [PATCH 121/188] heavynode

---
 pillar/top.sls                                |   9 +-
 salt/common/init.sls                          |   4 +-
 salt/common/nginx/nginx.conf.so-heavynode     |  89 +++++++++++++
 salt/elasticsearch/init.sls                   |   2 +-
 salt/filebeat/etc/filebeat.yml                |   8 +-
 salt/filebeat/init.sls                        |   2 +-
 salt/firewall/init.sls                        |  40 +++++-
 .../master/templates/9999_output_redis.conf   |   5 +
 .../search/templates/0900_input_redis.conf    |   6 +-
 salt/logstash/etc/logstash.yml                |   2 +-
 salt/logstash/init.sls                        |   2 +-
 salt/ssl/init.sls                             |  18 ++-
 salt/top.sls                                  |  28 ++++
 salt/wazuh/files/agent/ossec.conf             |   2 +-
 salt/wazuh/files/agent/wazuh-register-agent   |   2 +-
 setup/functions.sh                            |  10 +-
 setup/so-setup.sh                             | 126 ++++++++++++++++++
 setup/whiptail.sh                             |   1 +
 18 files changed, 337 insertions(+), 19 deletions(-)
 create mode 100644 salt/common/nginx/nginx.conf.so-heavynode

diff --git a/pillar/top.sls b/pillar/top.sls
index 99fe26556..852efe27c 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -2,7 +2,8 @@ base:
   '*':
     - patch.needs_restarting
 
-  'G@role:so-mastersearch':
+  'G@role:so-mastersearch or G@role:so-heavynode':
+    - match: compound
     - logstash.mastersearch
 
   'G@role:so-sensor':
@@ -32,6 +33,12 @@ base:
     - firewall.*
     - minions.{{ grains.id }}
 
+  'G@role:so-heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
+
   'G@role:so-helix':
     - static
     - firewall.*
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 7ed59efa1..4ae78f57b 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,6 +1,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -343,7 +343,7 @@ dashboard-{{ SN }}:
 
 {% if salt['pillar.get']('nodestab', False) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
+dashboardsearch-{{ SN }}:
   file.managed:
     - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
     - user: 939
diff --git a/salt/common/nginx/nginx.conf.so-heavynode b/salt/common/nginx/nginx.conf.so-heavynode
new file mode 100644
index 000000000..39688f3df
--- /dev/null
+++ b/salt/common/nginx/nginx.conf.so-heavynode
@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index a2493091a..a97a2ae0f 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -31,7 +31,7 @@
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
 
-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 
 {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
 {% set esheap = salt['pillar.get']('node:esheap', '') %}
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index a8308a6d9..45936c180 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -1,4 +1,10 @@
+{%- if grains.role == 'so-heavynode' %}
+{%- set MASTER = grains.host %}
+{%- else %}
 {%- set MASTER = grains['master'] %}
+{%- endif %}
+
+
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
@@ -67,7 +73,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 44cc7c65c..9d175943d 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -67,7 +67,7 @@ so-filebeat:
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
-{%- if grains['role'] == 'so-master' %}
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-heavynode' %}
       - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
 {%- else %}
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index a016a9767..a26993cc0 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,7 +1,7 @@
 # Firewall Magic for the grid
 {%- if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch'] %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
@@ -584,7 +584,7 @@ enable_standard_analyst_443_{{ip}}:
 {% endif %}
 
 # Rules if you are a Node
-{% if grains['role'] == 'so-node' %}
+{% if 'node' in grains['role'] %}
 
 #This should be more granular
 iptables_allow_docker:
@@ -655,3 +655,39 @@ iptables_drop_all_the_things:
     - chain: LOGGING
     - jump: DROP
     - save: True
+
+{% if grains['role'] == 'so-heavynode' %}
+# Allow Redis
+enable_heavynode_redis_6379_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 6379
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5044_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5044
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5644_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5644
+    - position: 1
+    - save: True
+{% endif %}
diff --git a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
index fa650b538..f176e0b94 100644
--- a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
+++ b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
@@ -1,10 +1,15 @@
 {%- if salt['grains.get']('role') == 'so-master' %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
 {%- else %}
 {%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- endif %}
+
+
 output {
 	redis {
 		host => '{{ master }}'
diff --git a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
index 660d2e741..ede940367 100644
--- a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
+++ b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
@@ -1,4 +1,8 @@
-{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-heavynode' %}
+{%- set master = salt['pillar.get']('node:mainip', '') %}
+{%- else %}
+{%- set master = salt['pillar.get']('static:masterip', '') %}
+{% endif -%}
 input {
 	redis {
 		host => '{{ master }}'
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index e5bb76b5b..6b07199d1 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,7 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' %}
+{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
 {% else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 2d94c5354..dacbbbb00 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -27,7 +27,7 @@
 {% set lsheap = salt['pillar.get']('sensor:lsheap', '') %}
 {% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %}
 
-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {% set lsheap = salt['pillar.get']('node:lsheap', '') %}
 {% set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index f3e815174..57579f6ca 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -2,7 +2,7 @@
 {% set master_minion_id = master.split(".")[0] %}
 {%- set masterip = salt['pillar.get']('static:masterip', '') -%}
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval'  or grains['role'] == 'so-heavynode' %}
     {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
     {% set ca_server = grains.id %}
 {% else %}
@@ -41,7 +41,7 @@ m2cryptopkgs:
         bits: 4096
         backup: True
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
 
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
@@ -49,7 +49,11 @@ m2cryptopkgs:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -129,7 +133,7 @@ fbcrtlink:
         backup: True
 
 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
 
 fbcertdir:
   file.directory:
@@ -142,7 +146,11 @@ fbcertdir:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
diff --git a/salt/top.sls b/salt/top.sls
index 14556b67e..1608b93d6 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -233,3 +233,31 @@ base:
     {%- if DOMAINSTATS != 0 %}
     - domainstats
     {%- endif %}
+
+  'G@role:so-heavynode':
+    - ca
+    - ssl
+    - common
+    - firewall
+    - redis
+    - logstash
+    - elasticsearch
+    - curator
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - pcap
+    - suricata
+    {%- if BROVER != 'SURICATA' %}
+    - zeek
+    {%- endif %}
+    - wazuh
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - schedule
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 8f54e6a08..c5a61e8ad 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index dbf4a4968..8a8c2ab7f 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
diff --git a/setup/functions.sh b/setup/functions.sh
index 34de4a0e7..1fa8870ce 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -1283,6 +1283,14 @@ set_initial_firewall_policy() {
     ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
+  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+  fi
+
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
     echo "blah"
   fi
@@ -1316,7 +1324,7 @@ set_management_interface() {
 set_node_type() {
 
   # Determine the node type based on whiplash choice
-  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
+  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ; then
     NODETYPE='search'
   fi
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index a2501dfb9..8ee35a126 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -803,6 +803,132 @@ if (whiptail_you_sure) ; then
 
   fi
 
+  ########################
+  ##     Heavy Node     ##
+  ########################
+
+  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
+
+    filter_unused_nics
+    whiptail_bond_nics
+    whiptail_management_server
+    whiptail_master_updates
+    set_updates
+    whiptail_homenet_sensor
+    whiptail_sensor_config
+    # Calculate lbprocs so we can call it in the prompts
+    calculate_useable_cores
+    if [ $NSMSETUP == 'ADVANCED' ]; then
+      whiptail_bro_pins
+      whiptail_suricata_pins
+      whiptail_bond_nics_mtu
+    else
+      whiptail_basic_bro
+      whiptail_basic_suri
+    fi
+
+    get_log_size_limit
+    CURCLOSEDAYS=30
+    es_heapsize
+    ls_heapsize
+    whiptail_node_advanced
+    if [ $NODESETUP == 'NODEADVANCED' ]; then
+      whiptail_node_es_heap
+      whiptail_node_ls_heap
+      whiptail_node_ls_pipeline_worker
+      whiptail_node_ls_pipline_batchsize
+      whiptail_node_ls_input_threads
+      whiptail_node_ls_input_batch_count
+      whiptail_cur_close_days
+      whiptail_log_size_limit
+    else
+      NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
+      NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
+      LSPIPELINEWORKERS=$CPUCORES
+      LSPIPELINEBATCH=125
+      LSINPUTTHREADS=1
+      LSINPUTBATCHCOUNT=125
+    fi
+    whiptail_make_changes
+    set_hostname
+    clear_master
+    mkdir -p /nsm
+    get_filesystem_root
+    get_filesystem_nsm
+    if [ $INSTALLMETHOD == iso ]; then
+      add_admin_user
+      disable_onion_user
+    fi
+    copy_ssh_key >> $SETUPLOG 2>&1
+    {
+      sleep 0.5
+      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
+      set_initial_firewall_policy >> $SETUPLOG 2>&1
+
+      echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
+      create_sensor_bond >> $SETUPLOG 2>&1
+      echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
+      sensor_pillar >> $SETUPLOG 2>&1
+      echo "** Generating the patch pillar **" >> $SETUPLOG
+      patch_pillar >> $SETUPLOG 2>&1
+
+
+
+      echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
+      saltify >> $SETUPLOG 2>&1
+      echo -e "XXX\n20\nInstalling Docker... \nXXX"
+      docker_install >> $SETUPLOG 2>&1
+      echo -e "XXX\n30\nInitializing Minion... \nXXX"
+      configure_minion heavynode >> $SETUPLOG 2>&1
+      set_node_type >> $SETUPLOG 2>&1
+      node_pillar >> $SETUPLOG 2>&1
+      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
+      copy_minion_tmp_files >> $SETUPLOG 2>&1
+      echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
+      salt_firstcheckin >> $SETUPLOG 2>&1
+      # Accept the Salt Key
+      accept_salt_key_remote >> $SETUPLOG 2>&1
+      echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
+      salt-call state.apply ca >> $SETUPLOG 2>&1
+      salt-call state.apply ssl >> $SETUPLOG 2>&1
+      echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
+      salt-call state.apply common >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
+      echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
+      salt-call state.apply logstash >> $SETUPLOG 2>&1
+      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
+      salt-call state.apply curator >> $SETUPLOG 2>&1
+      salt-call state.apply filebeat >> $SETUPLOG 2>&1
+      echo -e "XXX\n50\nInstalling PCAP... \nXXX"
+      salt-call state.apply pcap >> $SETUPLOG 2>&1
+      echo -e "XXX\n60\nInstalling IDS components... \nXXX"
+      salt-call state.apply suricata >> $SETUPLOG 2>&1
+
+      checkin_at_boot >> $SETUPLOG 2>&1
+      echo -e "XX\n97\nFinishing touches... \nXXX"
+      filter_unused_nics >> $SETUPLOG 2>&1
+      network_setup >> $SETUPLOG 2>&1
+      echo -e "XXX\n98\nVerifying Setup... \nXXX"
+    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
+    if [[ $GOODSETUP == '0' ]]; then
+      whiptail_setup_complete
+      shutdown -r now
+    else
+      whiptail_setup_failed
+      shutdown -r now
+    fi
+
+  fi
+
+
+
+
+
+
+
+
+
 else
     echo "User not sure. Cancelling setup.">> $SETUPLOG 2>&1
     whiptail_cancel
diff --git a/setup/whiptail.sh b/setup/whiptail.sh
index 171f180d2..3316d6e2c 100644
--- a/setup/whiptail.sh
+++ b/setup/whiptail.sh
@@ -254,6 +254,7 @@ whiptail_install_type() {
   "MASTERONLY" "Start a new grid" OFF \
   "EVALMODE" "Evaluate all the things" OFF \
   "MASTERSEARCH" "Master + Search Node" OFF \
+  "HEAVYNODE" "Sensor + Search Node" OFF \
   "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \
   "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
   "HOTNODE" "TODO Add Hot Node (Search Node without Parsing)" OFF \

From bd5b597aed7716082b5dbde8597d71defadb2bcd Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 29 Jan 2020 10:05:20 -0500
Subject: [PATCH 122/188] heavynode

---
 pillar/logstash/master.sls     | 4 ++++
 pillar/top.sls                 | 3 +++
 salt/logstash/etc/logstash.yml | 2 +-
 salt/logstash/init.sls         | 2 +-
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 pillar/logstash/master.sls

diff --git a/pillar/logstash/master.sls b/pillar/logstash/master.sls
new file mode 100644
index 000000000..3be98f6b9
--- /dev/null
+++ b/pillar/logstash/master.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    master:
+      config: "/usr/share/logstash/pipelines/master/*.conf"
diff --git a/pillar/top.sls b/pillar/top.sls
index 852efe27c..8e8c22de3 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -20,6 +20,9 @@ base:
     - auth
     - minions.{{ grains.id }}
 
+  'G@role:so-master':
+    - logstash.master
+
   'G@role:so-eval':
     - static
     - firewall.*
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index 6b07199d1..88f3c527e 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,7 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' %}
+{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
 {% else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index dacbbbb00..f92f047fa 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -162,7 +162,7 @@ lscustsync:
 lsconfsync:
   file.managed:
     - name: /opt/so/conf/logstash/conf.enabled.txt
-{% if grains.role == 'so-mastersearch' %}
+{% if grains.role == 'so-mastersearch' or grains.role == 'so-heavynode' %}
     - source: salt://logstash/conf/conf.enabled.txt.so-master
 {% else %}
     - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}

From f18718050950c4aeaf38c6278f2a98284dc4e50b Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 18:50:09 +0000
Subject: [PATCH 123/188] change bro user to zeek

---
 setup/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 34de4a0e7..5168e865f 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -851,7 +851,7 @@ reserve_group_ids() {
   groupadd -g 932 kibana
   groupadd -g 933 elastalert
   groupadd -g 934 curator
-  groupadd -g 937 bro
+  groupadd -g 937 zeek
   groupadd -g 939 socore
   groupadd -g 940 suricata
   groupadd -g 941 stenographer

From aa3fc725654d3f5d1147929b904814bd64f14ae9 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 18:56:21 +0000
Subject: [PATCH 124/188] Change bro to zeek

---
 salt/common/tools/sbin/so-zeek-restart | 2 +-
 salt/common/tools/sbin/so-zeek-start   | 2 +-
 salt/common/tools/sbin/so-zeek-stop    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart
index 29c50f27a..e9e00aafc 100644
--- a/salt/common/tools/sbin/so-zeek-restart
+++ b/salt/common/tools/sbin/so-zeek-restart
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart bro $1
+/usr/sbin/so-restart zeek $1
diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start
index ccd475bb6..a3d4c86f7 100644
--- a/salt/common/tools/sbin/so-zeek-start
+++ b/salt/common/tools/sbin/so-zeek-start
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-start bro $1
+/usr/sbin/so-start zeek $1
diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop
index 1e39a2c49..d09417c7f 100644
--- a/salt/common/tools/sbin/so-zeek-stop
+++ b/salt/common/tools/sbin/so-zeek-stop
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-stop bro $1
+/usr/sbin/so-stop zeek $1

From 817044a000b152e3b90d639fac935315b45986f3 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 29 Jan 2020 16:26:35 -0500
Subject: [PATCH 125/188] chagne ls heap for eval and mastersearch -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/277

---
 setup/so-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index a2501dfb9..24aee03bb 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -541,7 +541,7 @@ if (whiptail_you_sure) ; then
     es_heapsize
     ls_heapsize
     NODE_ES_HEAP_SIZE="600m"
-    NODE_LS_HEAP_SIZE="500m"
+    NODE_LS_HEAP_SIZE="1000m"
     LSPIPELINEWORKERS=1
     LSPIPELINEBATCH=125
     LSINPUTTHREADS=1

From 0d225020721989f58b126e13c57216bdb84eb8c0 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 29 Jan 2020 16:45:04 -0500
Subject: [PATCH 126/188] changes to filebeat for heavynode

---
 salt/filebeat/init.sls | 21 ++-------------------
 1 file changed, 2 insertions(+), 19 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 9d175943d..95736ca8b 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,5 +1,4 @@
   # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
-
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
@@ -12,16 +11,9 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
-{% if FEATURES %}
-  {% set FEATURES = "-features" %}
-{% else %}
-  {% set FEATURES = '' %}
-{% endif %}
-
 # Filebeat Setup
 filebeatetcdir:
   file.directory:
@@ -29,21 +21,18 @@ filebeatetcdir:
     - user: 939
     - group: 939
     - makedirs: True
-
 filebeatlogdir:
   file.directory:
     - name: /opt/so/log/filebeat
     - user: 939
     - group: 939
     - makedirs: True
-
 filebeatpkidir:
   file.directory:
     - name: /opt/so/conf/filebeat/etc/pki
     - user: 939
     - group: 939
     - makedirs: True
-
 # This needs to be owned by root
 filebeatconfsync:
   file.managed:
@@ -52,10 +41,9 @@ filebeatconfsync:
     - user: 0
     - group: 0
     - template: jinja
-
 so-filebeat:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
@@ -67,13 +55,8 @@ so-filebeat:
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
-{%- if grains['role'] == 'so-master' or grains['role'] == 'so-heavynode' %}
-      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
-      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
-{%- else %}
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
-{%- endif %}
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
     - watch:
       - file: /opt/so/conf/filebeat/etc/filebeat.yml

From 07df8bff7ea76316de9cdf830666798c508dc7f1 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 29 Jan 2020 17:00:39 -0500
Subject: [PATCH 127/188] add filebeat features back

---
 salt/filebeat/init.sls | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 95736ca8b..8528ecc38 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -11,9 +11,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}		
+{% if FEATURES %}		
+  {% set FEATURES = "-features" %}		
+{% else %}		
+  {% set FEATURES = '' %}		
+{% endif %}
 # Filebeat Setup
 filebeatetcdir:
   file.directory:
@@ -43,7 +49,7 @@ filebeatconfsync:
     - template: jinja
 so-filebeat:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }}
+    - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
     - hostname: so-filebeat
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}

From 8b17d3ba6c0a2befea7a33c1d4f3ab56c374b259 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 29 Jan 2020 17:05:11 -0500
Subject: [PATCH 128/188] change ls heap for heavy node - issue 277

---
 setup/so-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 8ee35a126..b4051e32e 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -843,7 +843,7 @@ if (whiptail_you_sure) ; then
       whiptail_log_size_limit
     else
       NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
-      NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
+      NODE_LS_HEAP_SIZE=1000m
       LSPIPELINEWORKERS=$CPUCORES
       LSPIPELINEBATCH=125
       LSINPUTTHREADS=1

From 3277ca185eb742da3abd5df240ed28c812d109a8 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 29 Jan 2020 22:09:32 +0000
Subject: [PATCH 129/188] Update Zeek config

---
 salt/zeek/files/local.zeek | 4 ++--
 salt/zeek/init.sls         | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index 92104dbf0..843b39f2d 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -102,10 +102,10 @@
 # @load policy/protocols/conn/mac-logging
 
 # JA3 - SSL Detection Goodness
-@load policy/ja3
+@load ja3
 
 # HASSH
-@load policy/hassh
+@load hassh
 
 # You can load your own intel into:
 # /opt/so/saltstack/bro/policy/intel/ on the master
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index e0f1f8c9b..471b6bcd1 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -110,6 +110,7 @@ so-zeek:
       - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
       - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
       - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
+      - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
     - network_mode: host
     - watch:

From 3fdc5fbef41495acc719097ce17766da93366e59 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Thu, 30 Jan 2020 09:45:02 -0500
Subject: [PATCH 130/188] Dep Bro and enabled Zeek BPF

---
 .../cron/packetloss.sh                        |   0
 salt/{bro => deprecated-bro}/cron/zeek_clean  |   0
 salt/{bro => deprecated-bro}/files/local.bro  |   0
 .../files/local.bro.community                 |   0
 salt/{bro => deprecated-bro}/files/node.cfg   |   0
 salt/{bro => deprecated-bro}/init.sls         |   0
 .../policy/intel/__load__.bro                 |   0
 .../securityonion/add-interface-to-logs.bro   |   0
 .../policy/securityonion/apt1/__load__.bro    |   0
 .../policy/securityonion/apt1/apt1-certs.dat  |   0
 .../policy/securityonion/apt1/apt1-fqdn.dat   |   0
 .../policy/securityonion/apt1/apt1-md5.dat    |   0
 .../policy/securityonion/bpfconf.bro          |   0
 .../securityonion/conn-add-sensorname.bro     |   0
 .../file-extraction/__load__.bro              |   0
 .../securityonion/file-extraction/extract.bro |   0
 .../securityonion/json-logs/__load__.bro      |   0
 salt/zeek/files/local.zeek                    |   3 +
 salt/zeek/init.sls                            |  28 +++++
 salt/zeek/policy/securityonion/bpfconf.zeek   | 106 ++++++++++++++++++
 20 files changed, 137 insertions(+)
 rename salt/{bro => deprecated-bro}/cron/packetloss.sh (100%)
 rename salt/{bro => deprecated-bro}/cron/zeek_clean (100%)
 rename salt/{bro => deprecated-bro}/files/local.bro (100%)
 rename salt/{bro => deprecated-bro}/files/local.bro.community (100%)
 rename salt/{bro => deprecated-bro}/files/node.cfg (100%)
 rename salt/{bro => deprecated-bro}/init.sls (100%)
 rename salt/{bro => deprecated-bro}/policy/intel/__load__.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/add-interface-to-logs.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/apt1/__load__.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/apt1/apt1-certs.dat (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/apt1/apt1-fqdn.dat (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/apt1/apt1-md5.dat (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/bpfconf.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/conn-add-sensorname.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/file-extraction/__load__.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/file-extraction/extract.bro (100%)
 rename salt/{bro => deprecated-bro}/policy/securityonion/json-logs/__load__.bro (100%)
 create mode 100644 salt/zeek/policy/securityonion/bpfconf.zeek

diff --git a/salt/bro/cron/packetloss.sh b/salt/deprecated-bro/cron/packetloss.sh
similarity index 100%
rename from salt/bro/cron/packetloss.sh
rename to salt/deprecated-bro/cron/packetloss.sh
diff --git a/salt/bro/cron/zeek_clean b/salt/deprecated-bro/cron/zeek_clean
similarity index 100%
rename from salt/bro/cron/zeek_clean
rename to salt/deprecated-bro/cron/zeek_clean
diff --git a/salt/bro/files/local.bro b/salt/deprecated-bro/files/local.bro
similarity index 100%
rename from salt/bro/files/local.bro
rename to salt/deprecated-bro/files/local.bro
diff --git a/salt/bro/files/local.bro.community b/salt/deprecated-bro/files/local.bro.community
similarity index 100%
rename from salt/bro/files/local.bro.community
rename to salt/deprecated-bro/files/local.bro.community
diff --git a/salt/bro/files/node.cfg b/salt/deprecated-bro/files/node.cfg
similarity index 100%
rename from salt/bro/files/node.cfg
rename to salt/deprecated-bro/files/node.cfg
diff --git a/salt/bro/init.sls b/salt/deprecated-bro/init.sls
similarity index 100%
rename from salt/bro/init.sls
rename to salt/deprecated-bro/init.sls
diff --git a/salt/bro/policy/intel/__load__.bro b/salt/deprecated-bro/policy/intel/__load__.bro
similarity index 100%
rename from salt/bro/policy/intel/__load__.bro
rename to salt/deprecated-bro/policy/intel/__load__.bro
diff --git a/salt/bro/policy/securityonion/add-interface-to-logs.bro b/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
similarity index 100%
rename from salt/bro/policy/securityonion/add-interface-to-logs.bro
rename to salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
diff --git a/salt/bro/policy/securityonion/apt1/__load__.bro b/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/__load__.bro
rename to salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
diff --git a/salt/bro/policy/securityonion/apt1/apt1-certs.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/apt1-certs.dat
rename to salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
diff --git a/salt/bro/policy/securityonion/apt1/apt1-fqdn.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/apt1-fqdn.dat
rename to salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
diff --git a/salt/bro/policy/securityonion/apt1/apt1-md5.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/apt1-md5.dat
rename to salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
diff --git a/salt/bro/policy/securityonion/bpfconf.bro b/salt/deprecated-bro/policy/securityonion/bpfconf.bro
similarity index 100%
rename from salt/bro/policy/securityonion/bpfconf.bro
rename to salt/deprecated-bro/policy/securityonion/bpfconf.bro
diff --git a/salt/bro/policy/securityonion/conn-add-sensorname.bro b/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
similarity index 100%
rename from salt/bro/policy/securityonion/conn-add-sensorname.bro
rename to salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
diff --git a/salt/bro/policy/securityonion/file-extraction/__load__.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
similarity index 100%
rename from salt/bro/policy/securityonion/file-extraction/__load__.bro
rename to salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
diff --git a/salt/bro/policy/securityonion/file-extraction/extract.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
similarity index 100%
rename from salt/bro/policy/securityonion/file-extraction/extract.bro
rename to salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
diff --git a/salt/bro/policy/securityonion/json-logs/__load__.bro b/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
similarity index 100%
rename from salt/bro/policy/securityonion/json-logs/__load__.bro
rename to salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index 843b39f2d..b902eee32 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -121,3 +121,6 @@ redef LogAscii::json_timestamps = JSON::TS_ISO8601;
 
 # CVE-2020-0601
 @load cve-2020-0601
+
+# BPF Configuration
+@load securityonion/bpfconf
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 471b6bcd1..f650dec85 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,5 +1,7 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
+{% set BPF_STATUS = 0  %}
 # Zeek Salt State
 # Add Zeek group
 zeekgroup:
@@ -90,6 +92,32 @@ plcronscript:
     - month: '*'
     - dayweek: '*'
 
+# BPF compilation and configuration
+{% if BPF_ZEEK %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+       {% set BPF_STATUS = 1  %}
+  {% else  %}
+zeekbpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+zeekbpf:
+  file.managed:
+    - name: /opt/so/conf/zeek/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents_pillar: zeek:bpf
+   {% else %}
+    - contents:
+      - "ip or not ip"
+   {% endif %}
+
 localzeeksync:
   file.managed:
     - name: /opt/so/conf/zeek/local.zeek
diff --git a/salt/zeek/policy/securityonion/bpfconf.zeek b/salt/zeek/policy/securityonion/bpfconf.zeek
new file mode 100644
index 000000000..bf6431702
--- /dev/null
+++ b/salt/zeek/policy/securityonion/bpfconf.zeek
@@ -0,0 +1,106 @@
+##! This script is to support the bpf.conf file like other network monitoring tools use.
+##! Please don't try to learn from this script right now, there are a large number of
+##! hacks in it to work around bugs discovered in Bro.
+
+@load base/frameworks/notice
+
+module BPFConf;
+
+export {
+	## The file that is watched on disk for BPF filter changes.
+	## Two templated variables are available; "sensorname" and "interface".
+	## They can be used by surrounding the term by doubled curly braces.
+	const filename = "/opt/zeek/share/zeek/site/bpf" &redef;
+
+	redef enum Notice::Type += { 
+		## Invalid filter notice.
+		InvalidFilter
+	};
+}
+
+global filter_parts: vector of string = vector();
+global current_filter_filename = "";
+
+type FilterLine: record {
+	s: string;
+};
+
+redef enum PcapFilterID += {
+	BPFConfPcapFilter,
+};
+
+event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	local part = sub(s, /[[:blank:]]*#.*$/, "");
+
+	# We don't want any blank parts.
+	if ( part != "" )
+		filter_parts[|filter_parts|] = part;
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	if ( name == "bpfconf" )
+		{
+		local filter = join_string_vec(filter_parts, " ");
+		capture_filters["bpf.conf"] = filter;
+		if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
+			{
+			PacketFilter::install();
+			}
+		else
+			{
+			NOTICE([$note=InvalidFilter,
+			        $msg=fmt("Compiling packet filter from %s failed", filename),
+			        $sub=filter]);
+			}
+
+		filter_parts=vector();
+		}
+	}
+
+
+function add_filter_file()
+	{
+	local real_filter_filename = BPFConf::filename;
+
+	# Support the interface template value.
+	#if ( SecurityOnion::sensorname != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
+
+	# Support the interface template value.
+	#if ( SecurityOnion::interface != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
+
+	#if ( /\{\{/ in real_filter_filename )
+	#	{
+	#	return;
+	#	}
+	#else
+	#	Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
+
+	if ( real_filter_filename != current_filter_filename )
+		{
+		current_filter_filename = real_filter_filename;
+		Input::add_event([$source=real_filter_filename,
+		                  $name="bpfconf",
+		                  $reader=Input::READER_RAW,
+		                  $mode=Input::REREAD,
+		                  $want_record=F,
+		                  $fields=FilterLine,
+		                  $ev=BPFConf::line]);
+		}
+	}
+
+#event SecurityOnion::found_sensorname(name: string)
+#	{
+#	add_filter_file();
+#	}
+
+event zeek_init() &priority=5
+	{
+	if ( BPFConf::filename != "" )
+		add_filter_file();
+	}
+
+

From 21e374c82e2616e22620a51338f3594b8b20fe6f Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Thu, 30 Jan 2020 11:10:52 -0500
Subject: [PATCH 131/188] Fix SSL State

---
 salt/ssl/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 57579f6ca..83c7c92e4 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -2,7 +2,7 @@
 {% set master_minion_id = master.split(".")[0] %}
 {%- set masterip = salt['pillar.get']('static:masterip', '') -%}
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval'  or grains['role'] == 'so-heavynode' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
     {% set trusttheca_text =  salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
     {% set ca_server = grains.id %}
 {% else %}
@@ -41,7 +41,7 @@ m2cryptopkgs:
         bits: 4096
         backup: True
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %}
 
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:

From 5dec2b1c87454fd6c38895bda9b17b94f70b06e7 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 12:39:09 -0500
Subject: [PATCH 132/188] Move auth init.sls to docker registry

---
 salt/auth/init.sls | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index bed7d18d5..18850d534 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
 so-auth-api-dir:
   file.directory:
     - name: /opt/so/conf/auth/api
@@ -5,19 +8,9 @@ so-auth-api-dir:
     - group: 939
     - makedirs: True
 
-so-auth-api-image:
-    cmd.run:
-        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4
-
-so-auth-ui-image:
-    cmd.run:
-        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4
-
 so-auth-api:
     docker_container.running:
-        - require:
-            - so-auth-api-image
-        - image: docker.io/soshybridhunter/so-auth-api:HH1.1.4
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
         - hostname: so-auth-api
         - name: so-auth-api
         - environment:
@@ -29,9 +22,7 @@ so-auth-api:
 
 so-auth-ui:
     docker_container.running:
-        - require:
-            - so-auth-ui-image
-        - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
         - hostname: so-auth-ui
         - name: so-auth-ui
         - port_bindings:

From f839f385539de16337208f7c88b79aaf5d9b946a Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 12:40:39 -0500
Subject: [PATCH 133/188] Fix for jinja error

---
 salt/common/tools/sbin/so-status | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 3d086cccd..45b52ae35 100644
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -15,6 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+# {% raw %}
+
 if ! [ $(id -u)=0 ]; then
    echo "This command must be run as root"
    exit 1
@@ -134,4 +136,6 @@ main() {
     printf "\n"
 }
 
-main
\ No newline at end of file
+main
+
+# {% endraw %}
\ No newline at end of file

From 048c77695d63dc05d5df10e481c0335897fdc0f1 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 15:47:51 -0500
Subject: [PATCH 134/188] Fix Filebeat

---
 salt/filebeat/etc/filebeat.yml |  2 +-
 salt/filebeat/init.sls         | 15 +++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 45936c180..2eb2092f4 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -1,5 +1,5 @@
 {%- if grains.role == 'so-heavynode' %}
-{%- set MASTER = grains.host %}
+{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %}
 {%- else %}
 {%- set MASTER = grains['master'] %}
 {%- endif %}
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8528ecc38..b058f1408 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,4 +1,4 @@
-  # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
@@ -13,14 +13,13 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}		
-{% if FEATURES %}		
-  {% set FEATURES = "-features" %}		
-{% else %}		
-  {% set FEATURES = '' %}		
+{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
 {% endif %}
-# Filebeat Setup
 filebeatetcdir:
   file.directory:
     - name: /opt/so/conf/filebeat/etc

From 59d6b7cb8a42e01fbf48adc299e8588e0c5d30e5 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 16:00:57 -0500
Subject: [PATCH 135/188] Add log paths

---
 .../files/dynamic/0008_input_eval.conf        | 187 ++++++++++++++++++
 1 file changed, 187 insertions(+)
 create mode 100644 salt/logstash/files/dynamic/0008_input_eval.conf

diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf
new file mode 100644
index 000000000..b2850a984
--- /dev/null
+++ b/salt/logstash/files/dynamic/0008_input_eval.conf
@@ -0,0 +1,187 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/bro/logs/current/conn*.log"
+		type => "bro_conn"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dce_rpc*.log"
+		type => "bro_dce_rpc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dhcp*.log"
+		type => "bro_dhcp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dnp3*.log"
+		type => "bro_dnp3"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dns*.log"
+		type => "bro_dns"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dpd*.log"
+		type => "bro_dpd"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/files*.log"
+		type => "bro_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ftp*.log"
+		type => "bro_ftp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/http*.log"
+		type => "bro_http"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/intel*.log"
+		type => "bro_intel"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/irc*.log"
+		type => "bro_irc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/kerberos*.log"
+		type => "bro_kerberos"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/modbus*.log"
+		type => "bro_modbus"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/mysql*.log"
+		type => "bro_mysql"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/notice*.log"
+		type => "bro_notice"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ntlm*.log"
+		type => "bro_ntlm"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/pe*.log"
+		type => "bro_pe"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/radius*.log"
+		type => "bro_radius"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/rdp*.log"
+		type => "bro_rdp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/rfb*.log"
+		type => "bro_rfb"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/signatures*.log"
+		type => "bro_signatures"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/sip*.log"
+		type => "bro_sip"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smb_files*.log"
+		type => "bro_smb_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smb_mapping*.log"
+		type => "bro_smb_mapping"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smtp*.log"
+		type => "bro_smtp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/snmp*.log"
+		type => "bro_snmp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/socks*.log"
+		type => "bro_socks"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/software*.log"
+		type => "bro_software"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ssh*.log"
+		type => "bro_ssh"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ssl*.log"
+		type => "bro_ssl"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/syslog*.log"
+		type => "bro_syslog"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/tunnel*.log"
+		type => "bro_tunnels"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/weird*.log"
+		type => "bro_weird"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/x509*.log"
+		type => "bro_x509"
+	    	tags => ["bro"]
+	}
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}

From c32b2726fa23586cac880650defd35094d134bed Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 16:10:59 -0500
Subject: [PATCH 136/188] Fix Eval Event Pickup

---
 salt/logstash/files/dynamic/0008_input_eval.conf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf
index b2850a984..b02f9d516 100644
--- a/salt/logstash/files/dynamic/0008_input_eval.conf
+++ b/salt/logstash/files/dynamic/0008_input_eval.conf
@@ -177,6 +177,22 @@ input {
 		type => "bro_x509"
 	    	tags => ["bro"]
 	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archive.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
 }
 filter {
   if "import" in [tags] {

From 1e0d0d74e1b40e64869818e32e659362fd6b7635 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 16:16:21 -0500
Subject: [PATCH 137/188] Fix Eval Event Pickup x2

---
 salt/logstash/init.sls | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index f92f047fa..c61bee921 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -130,7 +130,7 @@ lspipelinesyml:
     - name: /opt/so/conf/logstash/etc/pipelines.yml
     - source: salt://logstash/etc/pipelines.yml.jinja
     - template: jinja
-    - defaults: 
+    - defaults:
         pipelines: {{ pipelines }}
 
 # Copy down all the configs including custom - TODO add watch restart
@@ -166,7 +166,7 @@ lsconfsync:
     - source: salt://logstash/conf/conf.enabled.txt.so-master
 {% else %}
     - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}
-{% endif %} 
+{% endif %}
     - user: 931
     - group: 939
     - template: jinja
@@ -241,6 +241,10 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/bro:/nsm/bro:ro
       - /opt/so/log/suricata:/suricata:ro
+      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+      - /opt/so/log/fleet/:/osquery/logs:ro
+      - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
     - watch:
       - file: /opt/so/conf/logstash/etc

From d94065fa00d95b244796f607c5d6b653befb0bf2 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 17:09:06 -0500
Subject: [PATCH 138/188] evalfix

---
 salt/filebeat/init.sls                        |  12 +-
 .../pipelines/eval/0010_input_hhbeats.conf    |  40 +++
 .../eval/1000_preprocess_log_elapsed.conf     |  13 +
 .../eval/1001_preprocess_syslogng.conf        |  33 ++
 .../pipelines/eval/1002_preprocess_json.conf  |  18 ++
 .../eval/1004_preprocess_syslog_types.conf    |  19 ++
 .../pipelines/eval/1026_preprocess_dhcp.conf  | 140 +++++++++
 .../pipelines/eval/1029_preprocess_esxi.conf  |  31 ++
 .../eval/1030_preprocess_greensql.conf        |  21 ++
 .../pipelines/eval/1031_preprocess_iis.conf   |  21 ++
 .../eval/1032_preprocess_mcafee.conf          |  26 ++
 .../pipelines/eval/1033_preprocess_snort.conf | 181 +++++++++++
 .../eval/1034_preprocess_syslog.conf          |  16 +
 .../pipelines/eval/2000_network_flow.conf     |  59 ++++
 .../conf/pipelines/eval/6002_syslog.conf      |  11 +
 .../pipelines/eval/6101_switch_brocade.conf   |  33 ++
 .../eval/6200_firewall_fortinet.conf          | 281 ++++++++++++++++++
 .../pipelines/eval/6201_firewall_pfsense.conf |  56 ++++
 .../conf/pipelines/eval/6300_windows.conf     | 161 ++++++++++
 .../conf/pipelines/eval/6301_dns_windows.conf |  49 +++
 .../conf/pipelines/eval/6400_suricata.conf    |  92 ++++++
 .../conf/pipelines/eval/6500_ossec.conf       | 160 ++++++++++
 .../pipelines/eval/6501_ossec_sysmon.conf     | 118 ++++++++
 .../pipelines/eval/6502_ossec_autoruns.conf   |  43 +++
 .../eval/6600_winlogbeat_sysmon.conf          |  23 ++
 .../conf/pipelines/eval/6700_winlogbeat.conf  |  17 ++
 .../conf/pipelines/eval/7100_osquery_wel.conf |  23 ++
 ...01_postprocess_common_ip_augmentation.conf |  58 ++++
 .../pipelines/eval/8007_postprocess_http.conf |  27 ++
 .../eval/8200_postprocess_tagging.conf        |  63 ++++
 .../eval/8998_postprocess_log_elapsed.conf    |  19 ++
 .../eval/8999_postprocess_rename_type.conf    |   8 +
 .../eval/templates/0800_input_eval.conf       | 203 +++++++++++++
 .../eval/templates/9000_output_bro.conf       |  31 ++
 .../eval/templates/9001_output_switch.conf    |  27 ++
 .../eval/templates/9002_output_import.conf    |  27 ++
 .../eval/templates/9004_output_flow.conf      |  27 ++
 .../eval/templates/9026_output_dhcp.conf      |  26 ++
 .../eval/templates/9029_output_esxi.conf      |  25 ++
 .../eval/templates/9030_output_greensql.conf  |  25 ++
 .../eval/templates/9031_output_iis.conf       |  26 ++
 .../eval/templates/9032_output_mcafee.conf    |  26 ++
 .../eval/templates/9033_output_snort.conf     |  29 ++
 .../eval/templates/9034_output_syslog.conf    |  28 ++
 .../eval/templates/9100_output_osquery.conf   |  19 ++
 .../eval/templates/9200_output_firewall.conf  |  29 ++
 .../eval/templates/9300_output_windows.conf   |  27 ++
 .../templates/9301_output_dns_windows.conf    |  27 ++
 .../eval/templates/9400_output_suricata.conf  |  27 ++
 .../eval/templates/9500_output_beats.conf     |  25 ++
 .../eval/templates/9600_output_ossec.conf     |  29 ++
 .../eval/templates/9999_output_redis.conf     |  26 ++
 salt/logstash/etc/logstash.yml                |   6 +-
 salt/logstash/init.sls                        |   4 +
 salt/top.sls                                  |   1 -
 55 files changed, 2582 insertions(+), 10 deletions(-)
 create mode 100644 salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/2000_network_flow.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6002_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6300_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6400_suricata.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6500_ossec.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8528ecc38..7dd59ef01 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,4 +1,4 @@
-  # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
@@ -14,11 +14,11 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}		
-{% if FEATURES %}		
-  {% set FEATURES = "-features" %}		
-{% else %}		
-  {% set FEATURES = '' %}		
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
 {% endif %}
 # Filebeat Setup
 filebeatetcdir:
diff --git a/salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf
new file mode 100644
index 000000000..6b7667f5c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf
@@ -0,0 +1,40 @@
+input {
+  beats {
+    port => "5644"
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+  if [type] == "ids" or [type] =~ "bro" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "sensor_name" => "%{[beat][name]}" }
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] =~ "ossec" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+   }
+    if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+        	}
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_start', Time.now.to_f)"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+		rename => { "MESSAGE" => "message" }
+		rename => { "PROGRAM" => "type" }
+		rename => { "FACILITY" => "syslog-facility" }
+		rename => { "FILE_NAME" => "syslog-file_name" }
+		rename => { "HOST" => "syslog-host" }
+		rename => { "HOST_FROM" => "syslog-host_from" }
+		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+		rename => { "PID" => "syslog-pid" }
+		rename => { "PRIORITY" => "syslog-priority" }
+		rename => { "SOURCEIP" => "syslog-sourceip" }
+		rename => { "TAGS" => "syslog-tags" }
+		lowercase => [ "syslog-host_from" ]
+		remove_field => [ "ISODATE" ]
+		remove_field => [ "SEQNUM" ]
+          	#add_tag => [ "conf_file_1001"]
+	}
+	if "bro_" in [type] {
+		mutate {
+			add_tag => [ "bro" ]
+		}
+	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+		mutate {
+			add_tag => [ "syslog" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "json" in [tags]{
+    json {
+      source => "message"
+    }
+    mutate {
+      remove_tag => [ "json" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+  if "syslog" in [tags] {
+    if [host] == "172.16.1.1" {
+      mutate {
+        add_field => { "type" => "fortinet" }
+        add_tag => [ "firewall" ]
+      }
+    }
+    if [host] == "10.0.0.101" {
+      mutate {
+        add_field => { "type" => "brocade" }
+        add_tag => [ "switch" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1004"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
+filter {
+  if [type] == "dhcp" {
+    mutate {
+      add_field => { "Hostname" => "%{host}" }
+    }
+    mutate {
+      strip => "message"
+    }
+	  # This is the initial parsing of the log
+      grok {
+        # Server 2008+
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+        # Server 2003
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+      }
+	  # This section below translates the message ID into something humans can understand.
+      if [id] == "00" {
+        mutate {
+          add_field => [ "event", "The log was started"]
+        }
+      }
+      if [id] == "01" {
+        mutate {
+          add_field => [ "event", "The log was stopped"]
+        }
+      }
+      if [id] == "02" {
+        mutate {
+          add_field => [ "event", "The log was temporarily paused due to low disk space"]
+        }
+      }
+      if [id] == "10" {
+        mutate {
+          add_field => [ "event", "A new IP address was leased to a client"]
+        }
+      }
+      if [id] == "11" {
+        mutate {
+          add_field => [ "event", "A lease was renewed by a client"]
+        }
+      }
+      if [id] == "12" {
+        mutate {
+          add_field => [ "event", "A lease was released by a client"]
+        }
+      }
+      if [id] == "13" {
+        mutate {
+          add_field => [ "event", "An IP address was found to be in use on the network"]
+        }
+      }
+      if [id] == "14" {
+        mutate {
+          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+        }
+      }
+      if [id] == "15" {
+        mutate {
+          add_field => [ "event", "A lease was denied"]
+        }
+      }
+      if [id] == "16" {
+        mutate {
+          add_field => [ "event", "A lease was deleted"]
+        }
+      }
+      if [id] == "17" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+        }
+      }
+      if [id] == "18" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records were deleted"]
+        }
+      }
+      if [id] == "20" {
+        mutate {
+          add_field => [ "event", "A BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "21" {
+        mutate {
+          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "22" {
+        mutate {
+          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+        }
+      }
+      if [id] == "23" {
+        mutate {
+          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+        }
+      }
+      if [id] == "24" {
+        mutate {
+          add_field => [ "event", "IP address cleanup operation has began"]
+        }
+      }
+      if [id] == "25" {
+        mutate {
+          add_field => [ "event", "IP address cleanup statistics"]
+        }
+      }
+      if [id] == "30" {
+        mutate {
+          add_field => [ "event", "DNS update request to the named DNS server"]
+        }
+      }
+      if [id] == "31" {
+        mutate {
+          add_field => [ "event", "DNS update failed"]
+        }
+      }
+      if [id] == "32" {
+        mutate {
+          add_field => [ "event", "DNS update successful"]
+        }
+      }
+      if [id] == "33" {
+        mutate {
+          add_field => [ "event", "Packet dropped due to NAP policy"]
+        }
+      }
+	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
+      #if "_grokparsefailure" not in [tags] { 
+      #  mutate {
+      #    remove_field => [ "message"]
+      #  }
+      #}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
+filter {
+  # This is an example of using an IP address range to classify a syslog message to a specific type of log
+  # This is helpful as so many devices only send logs via syslog
+  if [host] =~ "10\.[0-1]\.9\." {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [host] =~ "\.234$" {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [type] == "esxi" {
+     grok {
+          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+    }
+	mutate {
+		#add_tag => [ "conf_file_1029"]
+	}
+  }
+}
+
diff --git a/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "greensql" {
+    # This section is parsing out the fields for GreenSQL syslog data
+    grok {
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+    }
+	# Remove the message field as it is unnecessary
+    #mutate {
+    #  remove_field => [ "message"]
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1030"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "iis" {
+    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
+    json {
+      source => "message"
+    }
+    # This removes the message field as it is unneccesary and tags the packet as web
+    mutate {
+    #  remove_field => [ "message"]
+      add_tag => [ "web" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1031"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+  if [type] == "mcafee" {
+    # NXLog should be sending the logs in JSON format so they auto parse
+    json {
+      source => "message"
+    }
+	# This section converts the UTC fields to the proper time format
+    date {
+      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "ReceivedUTC" ]
+    }
+    date {
+      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "DetectedUTC" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1032"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+  if [type] == "ids" {
+    # This is the initial parsing of the log
+    if [engine] == "suricata" {
+        json {
+            source => "message"
+        }
+        mutate {
+	    rename => { "alert" => "orig_alert" } 
+            rename => { "[orig_alert][gid]" => "gid" }
+            rename => { "[orig_alert][signature_id]" => "sid" }
+            rename => { "[orig_alert][rev]" => "rev" }
+            rename => { "[orig_alert][signature]" => "alert" }
+            rename => { "[orig_alert][category]" => "classification" }
+            rename => { "[orig_alert][severity]" => "priority" }
+	    rename => { "[orig_alert][rule]" => "rule_signature" }
+            rename => { "app_proto" => "application_protocol" }
+            rename => { "dest_ip" => "destination_ip" }
+            rename => { "dest_port" => "destination_port" }
+            rename => { "in_iface" => "interface" }
+            rename => { "proto" => "protocol" }
+            rename => { "src_ip" => "source_ip" }
+            rename => { "src_port" => "source_port" }
+	    #rename => { "[fileinfo][filename]" => "filename" }
+            #rename => { "[fileinfo][gaps]" => "gaps" }
+            #rename => { "[fileinfo][size]" => "size" }
+            #rename => { "[fileinfo][state]" => "state" }
+            #rename => { "[fileinfo][stored]" => "stored" }
+            #rename => { "[fileinfo][tx_id]" => "tx_id" }
+            #rename => { "[flow][age]" => "duration" }
+            #rename => { "[flow][alerted]" => "flow_alerted" }
+            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+            #rename => { "[flow][end]" => "flow_end" }
+            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+            #rename => { "[flow][reason]" => "reason" }
+            #rename => { "[flow][start]" => "flow_start" }
+            #rename => { "[flow][state]" => "state" }
+            #rename => { "[netflow][age]" => "duration" }
+            #rename => { "[netflow][bytes]" => "bytes" }
+            #rename => { "[netflow][end]" => "netflow_end" }
+            #rename => { "[netflow][start]" => "netflow_start" }
+            #rename => { "[netflow][pkts]" => "packets" }
+            rename => { "[alert][action]" => "action" }
+            rename => { "[alert][category]" => "category" }
+            rename => { "[alert][gid]" => "gid" }
+            rename => { "[alert][rev]" => "rev" }
+            rename => { "[alert][severity]" => "severity" }
+            rename => { "[alert][signature]" => "signature" }
+            rename => { "[alert][signature_id]" => "sid" }
+	    #rename => { "[dns][aa]" => "aa" }
+            #rename => { "[dns][flags]" => "flags" }
+	    #rename => { "[dns][id]" => "id" }
+	    #rename => { "[dns][qr]" => "qr" }
+            #rename => { "[dns][rcode]" => "rcode_name" }
+	    #rename => { "[dns][rrname]" => "rrname" }
+	    #rename => { "[dns][rrtype]" => "rrtype" }
+            #rename => { "[dns][tx_id]" => "tx_id" }
+	    #rename => { "[dns][type]" => "record_type" }
+	    #rename => { "[dns][version]" => "version" }
+            rename => { "[http][hostname]" => "virtual_host" }
+            rename => { "[http][http_content_type]" => "content_type" }
+            rename => { "[http][http_port]" => "http_port" }
+            rename => { "[http][http_method]" => "method" }
+	    rename => { "[http][http_user_agent]" => "useragent" }
+            #rename => { "[http][length]" => "payload_length" }
+            #rename => { "[http][protocol]" => "http_version" }
+            rename => { "[http][status]" => "status_message" }
+            rename => { "[http][url]" => "url" }
+            #rename => { "[metadata][flowbits]" => "flowbits" }
+            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+            rename => { "[tls][subject]" => "certificate_common_name" }
+            rename => { "[tls][version]" => "tls_version" }
+	    rename => { "event_type" => "ids_event_type" }
+	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+	    remove_tag => [ "beats_input_codec_plain_applied" ]
+	    add_tag => [ "eve" ]
+             
+	}
+    } else {
+        grok {
+          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+                "message", "%{GREEDYDATA:alert}"]
+        }
+    }
+    if [timestamp] {
+        mutate {
+                add_field => { "logstash_timestamp" => "%{@timestamp}" }
+        }
+        mutate {
+                convert => { "logstash_timestamp" => "string" }
+        }
+        date {
+                match => [ "timestamp", "ISO8601" ]
+        }
+        mutate {
+                rename => { "logstash_timestamp" => "timestamp" }
+        }
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+  if [type] == "syslog" { 
+    # This drops syslog messages regarding license messages.  You may want to comment it out.
+    #if [message] =~ "license" {
+    #  drop { }
+    #}
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	}
+  }  
+}
diff --git a/salt/logstash/conf/pipelines/eval/2000_network_flow.conf b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "sflow" {
+    if [message] =~ /CNTR/ {
+      drop { }
+    }
+
+    grok {
+      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+    }
+
+    if "_grokparsefailure" in [tags] {
+      drop { }
+    }
+
+    mutate {
+      add_field => {
+        "[source_hostname]" => "%{source_ip}"
+        "[destination_hostname]" => "%{destination_ip}"
+        "[sflow_source_hostname]" => "%{sflow_source_ip}"
+      }
+    }
+
+    translate {
+      field => "[source_port]"
+      destination => "[source_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[destination_port]"
+      destination => "[destination_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[protocol]"
+      destination => "[protocol_name]"
+      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+    }
+
+    translate {
+      field => "[tcp_flags]"
+      destination => "[tcp_flag]"
+      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+    }
+
+    mutate {
+      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+    }
+	mutate {
+		#add_tag => [ "conf_file_2000"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6002_syslog.conf b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+  if "syslog" in [tags] {
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	  #add_tag => [ "conf_file_6002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "brocade" {
+    grok {
+      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+    }
+    grok {
+      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+    }
+    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+      grok {
+        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+      }
+      mutate {
+        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+      }
+    }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+      timezone => "America/Chicago"
+      remove_field => "syslog_timestamp"
+      remove_field => "received_at"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6101"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "fortinet" {
+    mutate {
+      gsub => [ "message", "= ", "=NA " ]
+    }
+
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+       tag_on_failure => []
+    }
+    grok {
+       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+       tag_on_failure => []
+    }
+    kv {
+      source => "kv"
+      exclude_keys => [ "type" ]
+    }
+    mutate {
+      gsub => [ "log", "= ", "=NA " ]
+    }
+    kv {
+      source => "log"
+      target => "SubLog"
+    }
+    grok {
+       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+       tag_on_failure => [ "" ]
+    }
+    mutate {
+      rename => {  "action" => "action" }
+      rename => {  "addr" => "addr_ip" }
+      rename => {  "age" => "age" }
+      rename => {  "assigned" => "assigned_ip" }
+      rename => {  "assignip" => "assign_ip" }
+      rename => {  "ap" => "access_point" }
+      rename => {  "app" => "application" }
+      rename => {  "appcat" => "application_category" }
+      rename => {  "applist" => "application_list" }
+      rename => {  "apprisk" => "application_risk" }
+      rename => {  "approfile" => "accessPoint_profile" }
+      rename => {  "apscan" => "access_point_scan" }
+      rename => {  "apstatus" => "acces_point_status" }
+      rename => {  "aptype" => "access_point_type" }
+      rename => {  "authproto" => "authentication_protocol" }
+      rename => {  "bandwidth" => "bandwidth" }
+      rename => {  "banned_src" => "banned_source" }
+      rename => {  "cat" => "category" }
+      rename => {  "catdesc" => "category_description" }
+      rename => {  "cfgattr" => "configuration_attribute" }
+      rename => {  "cfgobj" => "configuration_object" }
+      rename => {  "cfgpath" => "configuration_path" }
+      rename => {  "cfgtid" => "configuration_transaction_id" }
+      rename => {  "channel" => "channel" }
+      rename => {  "community" => "community" }
+      rename => {  "cookies" => "cookies" }
+      rename => {  "craction" => "cr_action" }
+      rename => {  "crlevel" => "cr_level" }
+      rename => {  "crscore" => "cr_score" }
+      rename => {  "datarange" => "data_range" }
+      rename => {  "desc" => "description" }
+      rename => {  "detectionmethod" => "detection_method" }
+      rename => {  "devid" => "device_id" }
+      rename => {  "devname" => "device_name" }
+      rename => {  "devtype" => "device_type" }
+      rename => {  "dhcp_msg" => "dhcp_message" }
+      rename => {  "disklograte" => "disk_lograte" }
+      rename => {  "dstcountry" => "destination_country" }
+      rename => {  "dstintf" => "destination_interface" }
+      rename => {  "dstip" => "destination_ip" }
+      rename => {  "dstport" => "destination_port" }
+      rename => {  "duration" => "elapsed_time" }
+      rename => {  "error_num" => "error_number" }
+      rename => {  "espauth" => "esp_authentication" }
+      rename => {  "esptransform" => "esp_transform" }
+      rename => {  "eventid" => "event_id" }
+      rename => {  "eventtype" => "event_type" }
+      rename => {  "fazlograte" => "faz_lograte" }
+      rename => {  "filename" => "file_name" }
+      rename => {  "filesize" => "file_size" }
+      rename => {  "filetype" => "file_type" }
+      rename => {  "hostname" => "hostname" }
+      rename => {  "ip" => "source_ip" }
+      rename => {  "localip" => "source_ip" }
+      rename => {  "locip" => "local_ip" }
+      rename => {  "locport" => "source_port" }
+      rename => {  "logid" => "log_id" }
+      rename => {  "logver" => "log_version" }
+      rename => {  "manuf" => "manufacturer" }
+      rename => {  "mem" => "memory" }
+      rename => {  "meshmode" => "mesh_mode" }
+      rename => {  "msg" => "message" }
+      rename => {  "nextstat" => "next_stat" }
+      rename => {  "onwire" => "on_wire" }
+      rename => {  "osname" => "os_name" }
+      rename => {  "osversion" => "unauthenticated_user" }
+      rename => {  "outintf" => "outbound_interface" }
+      rename => {  "peer_notif" => "peer_notification" }
+      rename => {  "phase2_name" => "phase2_name" }
+      rename => {  "policyid" => "policy_id" }
+      rename => {  "policytype" => "policy_type" }
+      rename => {  "port" => "port" }
+      rename => {  "probeproto" => "probe_protocol" }
+      rename => {  "proto" => "protocol_number" }
+      rename => {  "radioband" => "radio_band" }
+      rename => {  "radioidclosest" => "radio_id_closest" }
+      rename => {  "radioiddetected" => "radio_id_detected" }
+      rename => {  "rcvd" => "bytes_received" }
+      rename => {  "rcvdbyte" => "bytes_received" }
+      rename => {  "rcvdpkt" => "packets_received" }
+      rename => {  "remip" => "destination_ip" }
+      rename => {  "remport" => "remote_port" }
+      rename => {  "reqtype" => "request_type" }
+      rename => {  "scantime" => "scan_time" }
+      rename => {  "securitymode" => "security_mode" }
+      rename => {  "sent" => "bytes_sent" }
+      rename => {  "sentbyte" => "bytes_sent" }
+      rename => {  "sentpkt" => "packets_sent" }
+      rename => {  "session_id" => "session_id" }
+      rename => {  "setuprate" => "setup_rate" }
+      rename => {  "sn" => "serial" }
+      rename => {  "snclosest" => "serial_closest_access_point" }
+      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+      rename => {  "snmeshparent" => "serial_mesh_parent" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "stacount" => "station_count" }
+      rename => {  "stamac" => "static_mac" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "sn" => "serial" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "total" => "total_bytes" }
+      rename => {  "totalsession" => "total_sessions" }
+      rename => {  "trandisp" => "nat_translation_type" }
+      rename => {  "tranip" => "nat_destination_ip" }
+      rename => {  "tranport" => "nat_destination_port" }
+      rename => {  "transip" => "nat_source_ip" }
+      rename => {  "transport" => "nat_source_port" }
+      rename => {  "tunnelid" => "tunnel_id" }
+      rename => {  "tunnelip" => "tunnel_ip" }
+      rename => {  "tunneltype" => "tunnel_type" }
+      rename => {  "unauthuser" => "unauthenticated_user_source" }
+      rename => {  "unauthusersource" => "os_version" }
+      rename => {  "vendorurl" => "vendor_url" }
+      rename => {  "vpntunnel" => "vpn_tunnel" }
+      rename => {  "vulncat" => "vulnerability_category" }
+      rename => {  "vulncmt" => "vulnerability_count" }
+      rename => {  "vulnid" => "vulnerability_id" }
+      rename => {  "vulnname" => "vulnerability_name" }
+      rename => {  "vulnref" => "vulnerability_reference" }
+      rename => {  "vulnscore" => "vulnerability_score" }
+      rename => {  "xauthgroup" => "x_authentication_group" }
+      rename => {  "xauthuser" => "x_authentication_user" }
+      rename => {  "[SubLog][appid]" => "sub_application_id" }
+      rename => {  "[SubLog][devid]" => "sub_device_id" }
+      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
+      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
+      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
+      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
+      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
+      rename => {  "[SubLog][date]" => "sub_date" }
+      rename => {  "[SubLog][time]" => "sub_time" }
+      rename => {  "[SubLog][srcport]" => "sub_source_port" }
+      rename => {  "[SubLog][subtype]" => "sub_subtype" }
+      rename => {  "[SubLog][devname]" => "sub_device_name" }
+      rename => {  "[SubLog][itime]" => "sub_itime" }
+      rename => {  "[SubLog][level]" => "sub_level" }
+      rename => {  "[SubLog][logid]" => "sub_log_id" }
+      rename => {  "[SubLog][logver]" => "sub_log_version" }
+      rename => {  "[SubLog][type]" => "sub_event_type" }
+      rename => {  "[SubLog][vd]" => "sub_vd" }
+      rename => {  "[SubLog][action]" => "sub_action" }
+      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
+      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
+      rename => {  "[SubLog][reason]" => "sub_reason" }
+      rename => {  "[SubLog][service]" => "sub_service" }
+      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
+      rename => {  "[SubLog][src]" => "sub_source_ip" }
+      rename => {  "[SubLog][status]" => "sub_status" }
+      rename => {  "[SubLog][ui]" => "sub_ui" }
+      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+      strip => [ "bytes_sent", "bytes_received" ]
+      convert => [ "bytes_sent", "integer" ]
+      convert => [ "bytes_received", "integer" ]
+      convert => [ "cr_score", "integer" ]
+      convert => [ "cr_action", "integer" ]
+      convert => [ "elapsed_time", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "local_port", "integer" ]
+      convert => [ "remote_port", "integer" ]
+      convert => [ "packets_sent", "integer" ]
+      convert => [ "packets_received", "integer" ]
+      convert => [ "port", "integer" ]
+      convert => [ "ProtocolNumber", "integer" ]
+      convert => [ "XAuthUser", "string" ]
+      remove_field => [ "kv", "log" ]
+    }
+    if [tunnel_ip] == "N/A" {
+      mutate {
+        remove_field => [ "tunnel_ip" ]
+      }
+    }
+    if [nat_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+      }
+    }
+    if [sub_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+      }
+    }
+    if [nat_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+      }
+    }
+    if [sub_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+      }
+    }
+    if [addr_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{addr_ip}" ] }
+      }
+    }
+    if [assign_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assign_ip}" ] }
+      }
+    }
+    if [assigned_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assigned_ip}" ] }
+      }
+    }
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+    }
+    if [date] and [time] {
+      mutate {
+        add_field => { "receive_time" => "%{date} %{time}" }
+        remove_field => [ "date", "time" ]
+      }
+      date {
+        timezone => "America/Chicago"
+        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+        target => "receive_time"
+      }
+      mutate {
+        rename => { "receive_time" => "@timestamp" }
+      }
+    } else {
+      mutate {
+        add_tag => [ "missing_date" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6200"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+  if [type] == "filterlog" {
+    dissect {
+      mapping => {
+        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+      }
+    }
+    if [ip_version] == "4" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [ip_version] == "6" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [protocol] == "tcp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+      	}
+      }
+    }
+    if [protocol] == "udp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+      	}
+      }
+    }
+    if [protocol] == "Options" {
+      mutate {
+	  copy => { "ip_sub_msg" => "options" }
+        }
+      mutate {
+          split => { "options" => "," }
+        }
+    }
+    mutate {
+      convert 		=> [ "destination_port", "integer" ]
+      convert 		=> [ "source_port", "integer" ]    
+      convert 		=> [ "ip_version", "integer" ]
+      replace 		=> { "type" => "firewall" }
+      add_tag		=> [ "pfsense","firewall" ]
+      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6300_windows.conf b/salt/logstash/conf/pipelines/eval/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "windows" {
+#    json {
+#      source => "message"
+#    }
+    date {
+      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+      remove_field => [ "EventTime" ]
+    }
+    if [EventID] == 4634 {
+      mutate {
+        add_tag => [ "logoff" ]
+      }
+    }
+    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+      mutate {
+        add_tag => [ "logon" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+      mutate {
+        add_tag => [ "logon_failure" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+      mutate {
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 5152 { drop {} }
+    if [EventID] == 4688 { drop {} }
+    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+    # Whitelist/Blacklist check
+    if [EventID] == 7045 {
+      translate {
+        field => "ServiceName"
+        destination => "ServiceCheck"
+        dictionary_path => "/lib/dictionaries/services.yaml"
+      }
+    }
+    if [EventID] == 7045 and !([ServiceCheck]) {
+      mutate {
+        add_tag => [ "alert_data","new_service" ] 
+      }
+    }
+    if [ServiceCheck] == 'whitelist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "whitelist" ]
+      }
+    }
+    if [ServiceCheck] == 'blacklist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "blacklist" ]
+      }
+    }
+    if [EventID] == 5158 {
+      if [Application] == "System" { drop {} }
+      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+      if [Application] =~ "mcafee" { drop {} }
+      if [Application] =~ "carestream" { drop {} }
+      if [Application] =~ "Softdent" { drop {} }
+    }
+    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+    if [EventID] == 4690 { drop {} }
+    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+    if [EventID] == 5447 { drop {} }
+
+    mutate {
+      rename => [ "AccountName", "user" ]
+      rename => [ "AccountType", "account_type" ]
+      rename => [ "ActivityID", "activity_id" ]
+      rename => [ "Category", "category" ]
+      rename => [ "ClientAddress", "client_ip" ]
+      rename => [ "Channel", "channel" ]
+      rename => [ "DCIPAddress", "domain_controller_ip" ]
+      rename => [ "DCName", "domain_controller_name" ]
+      rename => [ "EventID", "event_id" ]
+      rename => [ "EventReceivedTime", "event_received_time" ]
+      rename => [ "EventType", "event_type" ]
+      rename => [ "GatewayIPAddress", "gateway_ip" ]
+      rename => [ "IPAddress", "client_ip" ]
+      rename => [ "Ipaddress", "client_ip" ]
+      rename => [ "IpAddress", "client_ip" ]
+      rename => [ "IPPort", "source_port" ]
+      rename => [ "OpcodeValue", "opcode_value" ]
+      rename => [ "PreAuthType", "preauthentication_type" ]
+      rename => [ "PrincipleSAMName", "user" ]
+      rename => [ "ProcessID", "process_id" ]
+      rename => [ "ProviderGUID", "providerguid" ]
+      rename => [ "RecordNumber", "record_number" ]
+      rename => [ "RemoteAddress", "destination_ip" ]
+      rename => [ "ServiceName", "service_name" ]
+      rename => [ "ServiceID", "service_id" ]
+      rename => [ "SeverityValue", "severity_value" ]
+      rename => [ "SourceAddress", "client_ip" ]
+      rename => [ "SourceModuleName", "source_module_name" ]
+      rename => [ "SourceModuleType", "source_module_type" ]
+      rename => [ "SourceName", "source_name" ]
+      rename => [ "SubjectUserName", "user" ]
+      rename => [ "TaskName", "task_name" ]
+      rename => [ "TargetDomainName", "target_domain_name" ]
+      rename => [ "TargetUserName", "user" ]
+      rename => [ "ThreadID", "thread_id" ]
+      rename => [ "User_ID", "user" ]
+      rename => [ "UserID", "user" ]
+      rename => [ "username", "user" ]
+    }
+    # For any accounts that are service accounts or special accounts add the tag of service_account
+    # This example applies the tag to any username that starts with SVC_.  If you use a different
+    # standard change this.
+    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+      mutate {
+        add_tag => [ "service_account" ]
+      }
+    }
+    # This looks for events that are typically noisy but may be of use for deep dive investigations
+    # A tag of noise is added to quickly filter out noise
+    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+      mutate {
+        add_tag => [ "noise" ]
+      }
+    }
+    #Identify machine accounts
+    if [user] =~ /\$/ {
+      mutate {
+        add_tag => [ "machine", "noise" ]
+      }
+    }
+    # Lower case all field names
+    ruby {
+      code => "
+        event_hash = event.to_hash
+        new_event = {}
+        event_hash.keys.each do |key|
+        new_event[key.downcase] = event[key]
+        end
+        event.instance_variable_set(:@data, new_event)"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6300"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "dns" and "bro" not in [tags] {
+    json {
+      source => "message"
+    }
+    # strip whitespace from message field
+    mutate {
+      strip => "message"
+    }
+    # If the message is blank, drop the log
+    if [Message] =~ /^$/ {
+      drop {  }
+    } else {
+      if [type] == "dns" {
+  	  # This section is lookup for a match against the log and parsing out the fields
+        grok {
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          remove_field => [ "Message" ]
+        }
+  	  # This section attempts to convert the dns_domain into the traditional domain.com format
+        mutate {
+          gsub => [ "dns_domain", "(\(\d+\))", "." ]
+        }
+        grok {
+          match => { "dns_domain" => "\.%{DATA:query}\.$" }
+          remove_field => [ "dns_domain" ]
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6301"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6400_suricata.conf b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+  if [type] == "suricata" {
+    if "test_data" not in [tags] {
+      date {
+        match => [ "timestamp", "ISO8601" ]
+      }
+    } else {
+      mutate {
+        remove_field => [ "netflow.start","netflow.end","timestamp" ]
+      }
+    }
+    if [event_type] == "fileinfo" {
+      ruby {
+        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
+      }
+    }
+	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
+    mutate {
+      rename => [ "src_ip", "source_ip" ]
+      rename => [ "dest_ip", "destination_ip" ]
+      rename => [ "src_port", "source_port" ]
+      rename => [ "dest_port", "destination_port" ]
+    }
+	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
+    if [event_type] == "alert" {
+      if [alert][severity] == 1 {
+        mutate {
+          add_field => { "severity" => "High" }
+        }
+      }
+      if [alert][severity] == 2 {
+        mutate {
+          add_field => { "severity" => "Medium" }
+        }
+      }
+      if [alert][severity] == 3 {
+        mutate {
+          add_field => { "severity" => "Low" }
+        }
+      }
+	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "GPL " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Snort GPL" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "ET " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Emerging Threats" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # This section adds URLs to lookup information about a rule online
+      if [rule_type] == "Snort GPL" {
+        mutate {
+          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+        }
+      }
+      if [rule_type] == "Emerging Threats" {
+        mutate {
+          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+        }
+      }
+    }
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+    #  mutate {
+    #    remove_field => [ "message" ]
+    #  }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6400"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6500_ossec.conf b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+  # OSSEC Alerts
+  if [type] == "ossec" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+        if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate {
+                replace => { "type" => "sysmon" }
+                add_tag => [ "ossec" ]
+            }
+        }
+        if [message] =~ "AR-LOG" {
+            mutate {
+                replace => { "type" => "autoruns" }
+                add_tag => [ "ossec" ]
+            }
+        }
+		
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+			rename => { "rule" => "wazuh-rule" }
+			rename => { "[wazuh-rule][level]" => "alert_level" }
+			rename => { "[wazuh-rule][description]" => "description" }
+			rename => { "[data][srcuser]" => "username" }
+			rename => { "[data][dstuser]" => "escalated_user" }
+			rename => { "[data][command]" => "command" }
+			rename => { "[predecoder][program_name]" => "process" }
+			
+                }
+                # Wazuh 3.8.2
+                if [data][EventChannel] {
+        		mutate {
+				rename => { "[data][EventChannel][EventData][User]" => "username" }
+        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+			}
+		}
+                # Wazuh 3.9.2
+		if [data][win] {
+                        mutate {
+				rename => { "[data][win][eventdata][user]" => "username" }
+                        	rename => { "[data][win][system][eventID]" => "event_id" }
+                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
+                        }
+		}
+	} else {
+		grok {
+			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+		}
+	}
+	
+	# Add tag for OSSEC alerts
+	if [alert_level] {
+            mutate {
+		add_tag => [ "alert" ]
+	    }
+        }
+
+	translate {
+		field => "alert_level"
+
+		destination => "classification"
+
+		dictionary => [
+               	    "1", "None",
+		    "2", "System low priority notification",
+		    "3", "Successful/authorized event",
+		    "4", "System low priority error",
+		    "5", "User generated error",
+		    "6", "Low relevance attack",
+		    "7", '"Bad word" matching',
+		    "8", "First time seen",
+		    "9", "Error from invalid source",
+		    "10", "Multiple user generated errors",
+		    "11", "Integrity checking warning",
+		    "12", "High importance event",
+		    "13", "Unusal error (high importance)",
+		    "14", "High importance security event",
+		    "15", "Severe attack"
+               	]
+	}
+  }
+
+  # OSSEC Archive Logs
+  if [type] == "ossec_archive" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+	if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate { 
+                replace => { "type" => "sysmon" } 
+                add_tag => [ "ossec" ] 
+	    }
+        }
+	if [message] =~ "AR-LOG" {
+            mutate { 
+                replace => { "type" => "autoruns" } 
+                add_tag => [ "ossec" ]
+            }
+        }
+
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+                        rename => [ "rule", "wazuh-rule" ]
+                        rename => [ "[wazuh-rule][level]", "alert_level" ]
+                        rename => [ "[wazuh-rule][description]", "description" ]
+                        rename => [ "[data][srcuser]", "username" ]
+                        rename => [ "[data][dstuser]", "escalated_user" ]
+                        rename => [ "[data][command]", "command" ]
+                        rename => [ "[predecoder][program_name]", "process" ]
+                }
+	} else {
+		grok {
+			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+			remove_field => [ "ossec_timestamp" ]
+		}
+		mutate {
+			convert => [ "status_code", "integer" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "sysmon" or "sysmon" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      #mutate { replace => { "type" => "sysmon" } }
+      grok {
+      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+      }
+      mutate {
+        convert => ["event_id", "integer"]
+        remove_field => ["timestamp"]
+        remove_field => ["year"]
+      }
+      if [event_id] == 1 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_creation"]
+        }
+      }
+      if [event_id] == 3 {
+        mutate {
+          remove_field => ["source_ip"]
+        }
+        grok {
+        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          convert => ["source_port", "integer"]
+          convert => ["destination_port", "integer"]
+          add_tag => ["network_connection"]
+        }
+      }
+      if [event_id] == 5 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_termination"]
+        }
+      }
+      if [event_id] == 11 {
+        grok {
+          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["file_created"]
+        }
+      }
+      mutate {
+        remove_field => ["rest_of_msg"]
+      }
+    } else {
+      mutate {
+	rename => { "[data][srcuser]" => "username" }
+        rename => { "[data][id]" => "event_id" }
+        rename => { "[data][dstport]" => "destination_port" }
+        rename => { "[data][dstip]" => "destination_ip" }
+        rename => { "[data][srcip]" => "source_ip" }
+        rename => { "[data][sysmon][image]" => "image_path" }
+        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+      }
+      # Wazuh 3.8.2  
+      if [data][EventChannel] {
+        mutate {
+           rename => { "[data][EventChannel][EventData][User]" => "username" }
+           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+	}
+      }
+      # Wazuh 3.9.2
+      if [data][win] {
+        mutate {
+          rename => { "[data][win][eventdata][user]" => "username" }
+          rename => { "[data][win][system][eventID]" => "event_id" }
+          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+          rename => { "[data][win][eventdata][image]" => "image_path" }
+          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+        }
+      }    
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+  if [type] == "autoruns" or "autoruns" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      grok {
+        match => [
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+    #csv {
+#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+#      separator => "|"
+#      }
+      mutate {
+        remove_field => [ "year" ]
+        remove_field => [ "timestamp" ]
+      }
+    } else {
+        grok {
+        match => [
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+      mutate {
+        # Rename fields
+      }
+    }
+    date {
+      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+      target => "image_timestamp"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+      mutate {
+        replace => { "type" => "sysmon" }
+        rename => { "[event_data][User]" => "username" }
+        rename => { "[event_data][DestinationPort]" => "destination_port" }
+        rename => { "[event_data][DestinationIp]" => "destination_ip" }
+        rename => { "[event_data][SourceIp]" => "source_ip" }
+        rename => { "[event_data][Image]" => "image_path" }
+        rename => { "[event_data][ParentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[event_data][SourceHostname]" => "source_hostname" }
+        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+	rename => { "[event_data][TargetFilename]" => "target_filename" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+  if "beat" in [tags] {
+      mutate {
+	# As of beats 6.3.0, host is now an object:
+	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+	# This creates a conflict with our existing host string.
+	# So let's rename the host object to beat_host.
+        rename => { "host" => "beat_host" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_http" {
+    if [uri] {
+      ruby {
+        code => "event.set('uri_length', event.get('uri').length)"
+      }
+    }
+    if [virtual_host] {
+      ruby {
+        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+      }
+    }
+    if [useragent] {
+      ruby {
+        code => "event.set('useragent_length', event.get('useragent').length)"
+      }
+    }
+	mutate {
+	  ##add_tag => [ "conf_file_8007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [destination_ip] {
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_destination" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_destination" ]
+      }
+    }
+    if "internal_destination" not in [tags] {
+      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+  }
+  if [source_ip] {
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_source" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_source" ]
+      }
+    }
+    if "internal_source" not in [tags] {
+      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+	mutate {
+		##add_tag => [ "conf_file_8200"]
+	}
+  }
+  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+      mutate {
+          remove_tag => [ "syslog" ]
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_end', Time.now.to_f)"
+  }
+  ruby {
+    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
new file mode 100644
index 000000000..08237884f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
@@ -0,0 +1,203 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/zeek/logs/current/conn*.log"
+		type => "zeek_conn"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dce_rpc*.log"
+		type => "zeek_dce_rpc"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dhcp*.log"
+		type => "zeek_dhcp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dnp3*.log"
+		type => "zeek_dnp3"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dns*.log"
+		type => "zeek_dns"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dpd*.log"
+		type => "zeek_dpd"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/files*.log"
+		type => "zeek_files"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ftp*.log"
+		type => "zeek_ftp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/http*.log"
+		type => "zeek_http"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/intel*.log"
+		type => "zeek_intel"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/irc*.log"
+		type => "zeek_irc"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/kerberos*.log"
+		type => "zeek_kerberos"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/modbus*.log"
+		type => "zeek_modbus"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/mysql*.log"
+		type => "zeek_mysql"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/notice*.log"
+		type => "zeek_notice"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ntlm*.log"
+		type => "zeek_ntlm"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/pe*.log"
+		type => "zeek_pe"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/radius*.log"
+		type => "zeek_radius"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rdp*.log"
+		type => "zeek_rdp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rfb*.log"
+		type => "zeek_rfb"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/signatures*.log"
+		type => "zeek_signatures"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/sip*.log"
+		type => "zeek_sip"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_files*.log"
+		type => "zeek_smb_files"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_mapping*.log"
+		type => "zeek_smb_mapping"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smtp*.log"
+		type => "zeek_smtp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/snmp*.log"
+		type => "zeek_snmp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/socks*.log"
+		type => "zeek_socks"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/software*.log"
+		type => "zeek_software"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssh*.log"
+		type => "zeek_ssh"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssl*.log"
+		type => "zeek_ssl"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/syslog*.log"
+		type => "zeek_syslog"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/tunnel*.log"
+		type => "zeek_tunnels"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/weird*.log"
+		type => "zeek_weird"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/x509*.log"
+		type => "zeek_x509"
+	    	tags => ["zeek"]
+	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archive.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
new file mode 100644
index 000000000..553500281
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      pipeline => "%{event_type}"
+      hosts => "{{ ES }}"
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "ids" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "ids" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
new file mode 100644
index 000000000..e95119562
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
new file mode 100644
index 000000000..4bffd7f0a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9500"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+  if [event_type] =~ "ossec" {
+    mutate {
+          ##add_tag => [ "conf_file_9600"]
+        }
+  }
+}
+
+output {
+  if [event_type] =~ "ossec" or "ossec" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ossec-%{+YYYY.MM.dd}"
+      template_name => "logstash-ossec"
+      template => "/logstash-ossec-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
new file mode 100644
index 000000000..f176e0b94
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
@@ -0,0 +1,26 @@
+{%- if salt['grains.get']('role') == 'so-master' %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
+{%- else %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- endif %}
+
+
+output {
+	redis {
+		host => '{{ master }}'
+		data_type => 'list'
+		{%- if nodetype == 'parser' %}
+		key => 'logstash:parsed'
+		{%- else %}
+		key => 'logstash:unparsed'
+		{%- endif %}
+		congestion_interval => 1
+		congestion_threshold => 50000000
+		# batch_events => 500
+	}
+}
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index 88f3c527e..47b487ebe 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,11 +63,11 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' %}
+{%- if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' and grains.role != 'so-eval' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
-{% else %} 
+{%- else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
-{% endif %}
+{%- endif %}
 
 # Special Docker path
 # path.config: /usr/share/logstash/pipeline
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index f92f047fa..4598ae53c 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -241,6 +241,10 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/bro:/nsm/bro:ro
       - /opt/so/log/suricata:/suricata:ro
+      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+      - /opt/so/log/fleet/:/osquery/logs:ro
+      - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
     - watch:
       - file: /opt/so/conf/logstash/etc
diff --git a/salt/top.sls b/salt/top.sls
index 1608b93d6..b1ef40ae6 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -72,7 +72,6 @@ base:
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
-    - filebeat
     - utility
     - schedule
     - soctopus

From 68e7dcfba069e6352d8b5138c4cc0d315a512d39 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 17:38:48 -0500
Subject: [PATCH 139/188] evalfix

---
 .../conf/pipelines/eval/{templates => }/0800_input_eval.conf      | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/logstash/conf/pipelines/eval/{templates => }/0800_input_eval.conf (100%)

diff --git a/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
rename to salt/logstash/conf/pipelines/eval/0800_input_eval.conf

From 6b580eaba9b447f18fec25998a955043bb8ab671 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 17:54:24 -0500
Subject: [PATCH 140/188] evalmode fix

---
 salt/logstash/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index c61bee921..f52413006 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -239,7 +239,7 @@ so-logstash:
       - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
       - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
       {%- if grains['role'] == 'so-eval' %}
-      - /nsm/bro:/nsm/bro:ro
+      - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro

From c96a95e52604f388d457ebc059c6734bc406aa2e Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 31 Jan 2020 12:41:01 -0500
Subject: [PATCH 141/188] SO Scripts - fixes

---
 salt/common/tools/sbin/so-bro-restart      | 17 ------------
 salt/common/tools/sbin/so-bro-start        | 17 ------------
 salt/common/tools/sbin/so-bro-stop         | 17 ------------
 salt/common/tools/sbin/so-restart          |  1 +
 salt/common/tools/sbin/so-salt-start       | 25 +++++++++++++++++
 salt/common/tools/sbin/so-salt-stop        | 25 +++++++++++++++++
 salt/common/tools/sbin/so-start            |  4 +--
 salt/common/tools/sbin/so-suricata-restart | 31 ++++++++++++----------
 salt/common/tools/sbin/so-suricata-start   | 31 ++++++++++++----------
 salt/common/tools/sbin/so-suricata-stop    | 31 ++++++++++++----------
 10 files changed, 104 insertions(+), 95 deletions(-)
 delete mode 100644 salt/common/tools/sbin/so-bro-restart
 delete mode 100644 salt/common/tools/sbin/so-bro-start
 delete mode 100644 salt/common/tools/sbin/so-bro-stop
 create mode 100644 salt/common/tools/sbin/so-salt-start
 create mode 100644 salt/common/tools/sbin/so-salt-stop

diff --git a/salt/common/tools/sbin/so-bro-restart b/salt/common/tools/sbin/so-bro-restart
deleted file mode 100644
index 8161b7cb3..000000000
--- a/salt/common/tools/sbin/so-bro-restart
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-bro && sudo docker rm so-bro && salt-call state.apply bro
diff --git a/salt/common/tools/sbin/so-bro-start b/salt/common/tools/sbin/so-bro-start
deleted file mode 100644
index 87a47febe..000000000
--- a/salt/common/tools/sbin/so-bro-start
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-bro && salt-call state.apply bro
diff --git a/salt/common/tools/sbin/so-bro-stop b/salt/common/tools/sbin/so-bro-stop
deleted file mode 100644
index 62bc2e1b1..000000000
--- a/salt/common/tools/sbin/so-bro-stop
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-bro 
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index 968b7233a..8bd209610 100644
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -31,5 +31,6 @@ fi
 
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
+   "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
    *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac
diff --git a/salt/common/tools/sbin/so-salt-start b/salt/common/tools/sbin/so-salt-start
new file mode 100644
index 000000000..c53a71535
--- /dev/null
+++ b/salt/common/tools/sbin/so-salt-start
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting local Salt Minion...\n"
+echo $banner
+
+service salt-minion start
+service salt-minion status
diff --git a/salt/common/tools/sbin/so-salt-stop b/salt/common/tools/sbin/so-salt-stop
new file mode 100644
index 000000000..fa3394cd6
--- /dev/null
+++ b/salt/common/tools/sbin/so-salt-stop
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping local Salt Minion...\n"
+echo $banner
+
+service salt-minion stop
+service salt-minion status
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
index 70b8d6aed..c73a5ac98 100644
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -29,8 +29,8 @@ then
    salt-call saltutil.kill_all_jobs
 fi
 
-
 case $1 in
    "all") salt-call state.highstate queue=True;;
-   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
+   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac
diff --git a/salt/common/tools/sbin/so-suricata-restart b/salt/common/tools/sbin/so-suricata-restart
index 0fabe198c..151e1a44c 100644
--- a/salt/common/tools/sbin/so-suricata-restart
+++ b/salt/common/tools/sbin/so-suricata-restart
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-suricata && sudo docker rm so-suricata && salt-call state.apply suricata
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart suricata $1
diff --git a/salt/common/tools/sbin/so-suricata-start b/salt/common/tools/sbin/so-suricata-start
index dd9bd8df9..9e04eedfb 100644
--- a/salt/common/tools/sbin/so-suricata-start
+++ b/salt/common/tools/sbin/so-suricata-start
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-suricata && salt-call state.apply suricata
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start suricata $1
diff --git a/salt/common/tools/sbin/so-suricata-stop b/salt/common/tools/sbin/so-suricata-stop
index 8f0383164..7581f9c00 100644
--- a/salt/common/tools/sbin/so-suricata-stop
+++ b/salt/common/tools/sbin/so-suricata-stop
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-suricata
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop suricata $1

From b5bf12f8c8d2d40e0eb02463e866e59cd3fe096c Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 31 Jan 2020 15:06:57 -0500
Subject: [PATCH 142/188] Zeek - bpf fixup

---
 salt/zeek/init.sls                          | 7 +++++--
 salt/zeek/policy/securityonion/bpfconf.zeek | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index f650dec85..5284297a4 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -2,6 +2,7 @@
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
 {% set BPF_STATUS = 0  %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 # Zeek Salt State
 # Add Zeek group
 zeekgroup:
@@ -94,7 +95,7 @@ plcronscript:
 
 # BPF compilation and configuration
 {% if BPF_ZEEK %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" ")  ) %}
    {% if BPF_CALC['stderr'] == "" %}
        {% set BPF_STATUS = 1  %}
   {% else  %}
@@ -140,8 +141,10 @@ so-zeek:
       - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
       - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
-    - network_mode: host
+      - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro 
+   - network_mode: host
     - watch:
       - file: /opt/so/conf/zeek/local.zeek
       - file: /opt/so/conf/zeek/node.cfg
       - file: /opt/so/conf/zeek/policy
+      - file: /opt/so/conf/zeek/bpf
diff --git a/salt/zeek/policy/securityonion/bpfconf.zeek b/salt/zeek/policy/securityonion/bpfconf.zeek
index bf6431702..cf7b17113 100644
--- a/salt/zeek/policy/securityonion/bpfconf.zeek
+++ b/salt/zeek/policy/securityonion/bpfconf.zeek
@@ -10,7 +10,7 @@ export {
 	## The file that is watched on disk for BPF filter changes.
 	## Two templated variables are available; "sensorname" and "interface".
 	## They can be used by surrounding the term by doubled curly braces.
-	const filename = "/opt/zeek/share/zeek/site/bpf" &redef;
+	const filename = "/opt/zeek/etc/bpf" &redef;
 
 	redef enum Notice::Type += { 
 		## Invalid filter notice.

From a6a999af95ff70742b6d67b9c92ac40a9f013e88 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Mon, 3 Feb 2020 09:59:41 -0500
Subject: [PATCH 143/188] tcpreplay fix

---
 salt/common/tools/sbin/so-tcpreplay         | 6 ++++--
 salt/common/tools/sbin/so-tcpreplay-restart | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay
index 69cee2f68..887a49415 100755
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -15,14 +15,16 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+# Usage: so-tcpreplay "/opt/so/samples/*"
+
 REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
 REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
 
 if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
    docker cp so-tcpreplay:/opt/samples /opt/samples
-   docker exec -it so-tcpreplay /usr/bin/tcpreplay -i bond0 -M10 $1
+   docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 $1
 else
   echo "Replay functionality not enabled!  To enable, run `so-tcpreplay-start`"
   echo
-  echo "Note that you will need internet access to download the appropiriate components"
+  echo "Note that you will need internet access to download the appropriate components"
 fi
diff --git a/salt/common/tools/sbin/so-tcpreplay-restart b/salt/common/tools/sbin/so-tcpreplay-restart
index 61e9016d0..ab6de62db 100755
--- a/salt/common/tools/sbin/so-tcpreplay-restart
+++ b/salt/common/tools/sbin/so-tcpreplay-restart
@@ -17,5 +17,5 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart tcreplay $1
+/usr/sbin/so-restart tcpreplay $1
 

From 820462e45a91020b980262da2257ec4720202cf9 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Mon, 3 Feb 2020 11:15:44 -0500
Subject: [PATCH 144/188] fix zeek state

---
 salt/zeek/init.sls | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 5284297a4..e7124727e 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,6 +1,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
+{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0  %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 # Zeek Salt State
@@ -101,9 +101,9 @@ plcronscript:
   {% else  %}
 zeekbpfcompilationfailure:
   test.configurable_test_state:
-   - changes: False
-   - result: False
-   - comment: "BPF Syntax Error - Discarding Specified BPF"
+    - changes: False
+    - result: False
+    - comment: "BPF Syntax Error - Discarding Specified BPF"
    {% endif %}
 {% endif %}
 
@@ -112,12 +112,12 @@ zeekbpf:
     - name: /opt/so/conf/zeek/bpf
     - user: 940
     - group: 940
-   {% if BPF_STATUS %}
+{% if BPF_STATUS %}
     - contents_pillar: zeek:bpf
-   {% else %}
+{% else %}
     - contents:
       - "ip or not ip"
-   {% endif %}
+{% endif %}
 
 localzeeksync:
   file.managed:
@@ -142,7 +142,7 @@ so-zeek:
       - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
       - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro 
-   - network_mode: host
+    - network_mode: host
     - watch:
       - file: /opt/so/conf/zeek/local.zeek
       - file: /opt/so/conf/zeek/node.cfg

From ad651dbea46c7e023036e2a79fd2f6e853e5fd36 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 4 Feb 2020 17:21:13 -0500
Subject: [PATCH 145/188] fix grafana for zeek

---
 salt/common/grafana/grafana_dashboards/eval/eval.json         | 4 ++--
 .../grafana/grafana_dashboards/forward_nodes/sensor.json      | 4 ++--
 salt/common/telegraf/scripts/broloss.sh                       | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json
index 8dd5532d1..069226d3c 100644
--- a/salt/common/grafana/grafana_dashboards/eval/eval.json
+++ b/salt/common/grafana/grafana_dashboards/eval/eval.json
@@ -1395,7 +1395,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
@@ -1913,7 +1913,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
diff --git a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
index 83a1fc9e6..8e35246eb 100644
--- a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
+++ b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
@@ -1396,7 +1396,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
@@ -1901,7 +1901,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
diff --git a/salt/common/telegraf/scripts/broloss.sh b/salt/common/telegraf/scripts/broloss.sh
index a7bec4dc1..9fcf2d527 100644
--- a/salt/common/telegraf/scripts/broloss.sh
+++ b/salt/common/telegraf/scripts/broloss.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
-BROLOG=$(tac /host/nsm/bro/logs/packetloss.log | head -2)
-declare RESULT=($BROLOG)
+ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
+declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
 PASTDROP=${RESULT[9]}
 DROPPED=$(($CURRENTDROP - $PASTDROP))

From c1dd26d97efb0c7d53e32d9427896aef3260c719 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Wed, 5 Feb 2020 08:12:08 -0500
Subject: [PATCH 146/188] Logstash EVAL pipeline fix - osquery

---
 .../conf/pipelines/eval/0800_input_eval.conf  |  1 +
 .../eval/templates/9100_output_osquery.conf   | 21 +++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
index e0f2e132e..d3fd00029 100644
--- a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
+++ b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
@@ -188,6 +188,7 @@ input {
   file {
     path => "/osquery/logs/result.log"
     type => "osquery"
+    tags => ["osquery"]
   }
   file {
     path => "/strelka/strelka.log"
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
index e95119562..132f0eb66 100644
--- a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
+++ b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
@@ -3,11 +3,24 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Josh Brower
-# Last Update: 12/29/2018
-# Output to ES for osquery tagged logs
+# Author: Security Onion Solutions
+# Last Update: 2/3/2020
+# Output to ES for osquery tagged logs - EVAL install
 
 
+filter {
+    if "osquery" in [tags] {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+                }
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
+
 output {
   if "osquery" in [tags] {
     elasticsearch {
@@ -16,4 +29,4 @@ output {
       template => "/logstash-template.json"
     }
   }
-}
\ No newline at end of file
+}

From f042cb074fa30fec08c02fe5c0a28270b7b8b51f Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 5 Feb 2020 11:10:12 -0500
Subject: [PATCH 147/188] add helix pipeline pillar

---
 pillar/logstash/helix.sls | 4 ++++
 pillar/top.sls            | 3 ++-
 setup/so-setup.sh         | 1 -
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 pillar/logstash/helix.sls

diff --git a/pillar/logstash/helix.sls b/pillar/logstash/helix.sls
new file mode 100644
index 000000000..e396a7aad
--- /dev/null
+++ b/pillar/logstash/helix.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    helix:
+      config: "/usr/share/logstash/pipelines/helix/*.conf"
diff --git a/pillar/top.sls b/pillar/top.sls
index 8b604283e..9eb5522fe 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -48,6 +48,7 @@ base:
     - static
     - firewall.*
     - fireeye
-    - static
     - brologs
+    - logstash.helix
+    - static
     - minions.{{ grains.id }}
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 2313d7786..aab749357 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -197,7 +197,6 @@ if (whiptail_you_sure) ; then
       patch_pillar >> $SETUPLOG 2>&1
       echo "** Generating the FireEye pillar **" >> $SETUPLOG
       fireeye_pillar >> $SETUPLOG 2>&1
-      sensor_pillar >> $SETUPLOG 2>&1
       echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
       copy_minion_tmp_files >> $SETUPLOG 2>&1
       # Do a checkin to push the key up

From b69dfd9b25031f067dc8448959f676b697385da0 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Wed, 5 Feb 2020 11:27:19 -0500
Subject: [PATCH 148/188] Helix fix dockers

---
 salt/top.sls       |  1 +
 setup/so-functions | 81 +++++++++++++++++++++++++++-------------------
 setup/so-setup     |  3 ++
 3 files changed, 51 insertions(+), 34 deletions(-)

diff --git a/salt/top.sls b/salt/top.sls
index b1ef40ae6..1a5c30e60 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -15,6 +15,7 @@ base:
   'G@role:so-helix':
     - ca
     - ssl
+    - registry
     - common
     - firewall
     - idstools
diff --git a/setup/so-functions b/setup/so-functions
index 3693ee1e7..83f323b0b 100644
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -453,42 +453,55 @@ docker_registry() {
   echo "Docker Registry Setup - Complete" >> $SETUPLOG 2>&1
 
 }
-
 docker_seed_registry() {
   VERSION="HH1.1.4"
-  TRUSTED_CONTAINERS=( \
-  "so-acng:$VERSION" \
-  "so-auth-api:$VERSION" \
-  "so-auth-ui:$VERSION" \
-  "so-core:$VERSION" \
-  "so-thehive-cortex:$VERSION" \
-  "so-curator:$VERSION" \
-  "so-domainstats:$VERSION" \
-  "so-elastalert:$VERSION" \
-  "so-elasticsearch:$VERSION" \
-  "so-filebeat:$VERSION" \
-  "so-fleet:$VERSION" \
-  "so-fleet-launcher:$VERSION" \
-  "so-freqserver:$VERSION" \
-  "so-grafana:$VERSION" \
-  "so-idstools:$VERSION" \
-  "so-influxdb:$VERSION" \
-  "so-kibana:$VERSION" \
-  "so-logstash:$VERSION" \
-  "so-mysql:$VERSION" \
-  "so-navigator:$VERSION" \
-  "so-playbook:$VERSION" \
-  "so-redis:$VERSION" \
-  "so-sensoroni:$VERSION" \
-  "so-soctopus:$VERSION" \
-  "so-steno:$VERSION" \
-  #"so-strelka:$VERSION" \
-  "so-suricata:$VERSION" \
-  "so-telegraf:$VERSION" \
-  "so-thehive:$VERSION" \
-  "so-thehive-es:$VERSION" \
-  "so-wazuh:$VERSION" \
-  "so-zeek:$VERSION" )
+  if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
+    TRUSTED_CONTAINERS=( \
+    "so-acng:$VERSION" \
+    "so-auth-api:$VERSION" \
+    "so-auth-ui:$VERSION" \
+    "so-core:$VERSION" \
+    "so-thehive-cortex:$VERSION" \
+    "so-curator:$VERSION" \
+    "so-domainstats:$VERSION" \
+    "so-elastalert:$VERSION" \
+    "so-elasticsearch:$VERSION" \
+    "so-filebeat:$VERSION" \
+    "so-fleet:$VERSION" \
+    "so-fleet-launcher:$VERSION" \
+    "so-freqserver:$VERSION" \
+    "so-grafana:$VERSION" \
+    "so-idstools:$VERSION" \
+    "so-influxdb:$VERSION" \
+    "so-kibana:$VERSION" \
+    "so-logstash:$VERSION" \
+    "so-mysql:$VERSION" \
+    "so-navigator:$VERSION" \
+    "so-playbook:$VERSION" \
+    "so-redis:$VERSION" \
+    "so-sensoroni:$VERSION" \
+    "so-soctopus:$VERSION" \
+    "so-steno:$VERSION" \
+    #"so-strelka:$VERSION" \
+    "so-suricata:$VERSION" \
+    "so-telegraf:$VERSION" \
+    "so-thehive:$VERSION" \
+    "so-thehive-es:$VERSION" \
+    "so-wazuh:$VERSION" \
+    "so-zeek:$VERSION" )
+  else
+    TRUSTED_CONTAINERS=( \
+    "so-core:$VERSION" \
+    "so-filebeat:$VERSION" \
+    "so-idstools:$VERSION" \
+    "so-logstash:$VERSION" \
+    "so-redis:$VERSION" \
+    "so-sensoroni:$VERSION" \
+    "so-steno:$VERSION" \
+    "so-suricata:$VERSION" \
+    "so-telegraf:$VERSION" \
+    "so-zeek:$VERSION" )
+  fi
 
   if [ ! -f /nsm/docker-registry/docker/so-dockers-$VERSION.tar ]; then
     # Download the container from the interwebs
diff --git a/setup/so-setup b/setup/so-setup
index 755e21c62..addfbdd3c 100644
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -213,6 +213,9 @@ if (whiptail_you_sure) ; then
       salt_checkin >> $SETUPLOG 2>&1
       salt-call state.apply ca >> $SETUPLOG 2>&1
       salt-call state.apply ssl >> $SETUPLOG 2>&1
+      echo -e "XXX\n42\nDownloading Containers from the Internet... \nXXX"
+      salt-call state.apply registry >> $SETUPLOG 2>&1
+      docker_seed_registry >> $SETUPLOG 2>&1
       echo -e "XXX\n43\nInstalling Common Components... \nXXX"
       salt-call state.apply common >> $SETUPLOG 2>&1
       echo -e "XXX\n45\nApplying firewall rules... \nXXX"

From 981dfa1cb20739f019fae0ea8732567f493d9e1e Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 5 Feb 2020 11:39:37 -0500
Subject: [PATCH 149/188] chmod +x script changes

---
 salt/common/scripts/dockernet.sh                     | 0
 salt/common/tools/sbin/so-allow                      | 0
 salt/common/tools/sbin/so-bpf-compile                | 0
 salt/common/tools/sbin/so-bro-logs                   | 0
 salt/common/tools/sbin/so-checkin                    | 0
 salt/common/tools/sbin/so-common                     | 0
 salt/common/tools/sbin/so-cortex-restart             | 0
 salt/common/tools/sbin/so-cortex-start               | 0
 salt/common/tools/sbin/so-cortex-stop                | 0
 salt/common/tools/sbin/so-curator-restart            | 0
 salt/common/tools/sbin/so-curator-start              | 0
 salt/common/tools/sbin/so-curator-stop               | 0
 salt/common/tools/sbin/so-elastalert-create          | 0
 salt/common/tools/sbin/so-elastalert-restart         | 0
 salt/common/tools/sbin/so-elastalert-start           | 0
 salt/common/tools/sbin/so-elastalert-stop            | 0
 salt/common/tools/sbin/so-elastalert-test            | 0
 salt/common/tools/sbin/so-elastic-clear              | 0
 salt/common/tools/sbin/so-elastic-diagnose           | 0
 salt/common/tools/sbin/so-elastic-download           | 0
 salt/common/tools/sbin/so-elasticsearch-restart      | 0
 salt/common/tools/sbin/so-elasticsearch-start        | 0
 salt/common/tools/sbin/so-elasticsearch-stop         | 0
 salt/common/tools/sbin/so-features-enable            | 0
 salt/common/tools/sbin/so-filebeat-restart           | 0
 salt/common/tools/sbin/so-filebeat-start             | 0
 salt/common/tools/sbin/so-filebeat-stop              | 0
 salt/common/tools/sbin/so-fleet-restart              | 0
 salt/common/tools/sbin/so-fleet-start                | 0
 salt/common/tools/sbin/so-fleet-stop                 | 0
 salt/common/tools/sbin/so-grafana-restart            | 0
 salt/common/tools/sbin/so-grafana-start              | 0
 salt/common/tools/sbin/so-grafana-stop               | 0
 salt/common/tools/sbin/so-helix-apikey               | 0
 salt/common/tools/sbin/so-index-list                 | 0
 salt/common/tools/sbin/so-kibana-restart             | 0
 salt/common/tools/sbin/so-kibana-start               | 0
 salt/common/tools/sbin/so-kibana-stop                | 0
 salt/common/tools/sbin/so-logstash-get-parsed        | 0
 salt/common/tools/sbin/so-logstash-get-unparsed      | 0
 salt/common/tools/sbin/so-logstash-start             | 0
 salt/common/tools/sbin/so-logstash-stop              | 0
 salt/common/tools/sbin/so-mysql-restart              | 0
 salt/common/tools/sbin/so-mysql-start                | 0
 salt/common/tools/sbin/so-mysql-stop                 | 0
 salt/common/tools/sbin/so-nsm-clear                  | 0
 salt/common/tools/sbin/so-pcap-restart               | 0
 salt/common/tools/sbin/so-pcap-start                 | 0
 salt/common/tools/sbin/so-pcap-stop                  | 0
 salt/common/tools/sbin/so-playbook-restart           | 0
 salt/common/tools/sbin/so-playbook-ruleupdate        | 0
 salt/common/tools/sbin/so-playbook-start             | 0
 salt/common/tools/sbin/so-playbook-stop              | 0
 salt/common/tools/sbin/so-playbook-sync              | 0
 salt/common/tools/sbin/so-redis-count                | 0
 salt/common/tools/sbin/so-redis-restart              | 0
 salt/common/tools/sbin/so-redis-start                | 0
 salt/common/tools/sbin/so-redis-stop                 | 0
 salt/common/tools/sbin/so-restart                    | 0
 salt/common/tools/sbin/so-rule-update                | 0
 salt/common/tools/sbin/so-salt-start                 | 0
 salt/common/tools/sbin/so-salt-stop                  | 0
 salt/common/tools/sbin/so-soctopus-restart           | 0
 salt/common/tools/sbin/so-soctopus-start             | 0
 salt/common/tools/sbin/so-soctopus-stop              | 0
 salt/common/tools/sbin/so-start                      | 0
 salt/common/tools/sbin/so-status                     | 0
 salt/common/tools/sbin/so-stop                       | 0
 salt/common/tools/sbin/so-suricata-restart           | 0
 salt/common/tools/sbin/so-suricata-start             | 0
 salt/common/tools/sbin/so-suricata-stop              | 0
 salt/common/tools/sbin/so-thehive-restart            | 0
 salt/common/tools/sbin/so-thehive-start              | 0
 salt/common/tools/sbin/so-thehive-stop               | 0
 salt/common/tools/sbin/so-user-add                   | 0
 salt/common/tools/sbin/so-wazuh-restart              | 0
 salt/common/tools/sbin/so-wazuh-start                | 0
 salt/common/tools/sbin/so-wazuh-stop                 | 0
 salt/common/tools/sbin/so-zeek-restart               | 0
 salt/common/tools/sbin/so-zeek-start                 | 0
 salt/common/tools/sbin/so-zeek-stop                  | 0
 salt/wazuh/files/wazuh-manager-whitelist             | 0
 salt/zeek/cron/packetloss.sh                         | 0
 setup/install_scripts/00-so-checksum-offload-disable | 0
 setup/so-functions                                   | 0
 setup/so-setup                                       | 0
 setup/so-whiptail                                    | 0
 so-setup-network                                     | 0
 88 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 salt/common/scripts/dockernet.sh
 mode change 100644 => 100755 salt/common/tools/sbin/so-allow
 mode change 100644 => 100755 salt/common/tools/sbin/so-bpf-compile
 mode change 100644 => 100755 salt/common/tools/sbin/so-bro-logs
 mode change 100644 => 100755 salt/common/tools/sbin/so-checkin
 mode change 100644 => 100755 salt/common/tools/sbin/so-common
 mode change 100644 => 100755 salt/common/tools/sbin/so-cortex-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-cortex-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-cortex-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-curator-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-curator-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-curator-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastalert-create
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastalert-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastalert-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastalert-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastalert-test
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-clear
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-diagnose
 mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-download
 mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-features-enable
 mode change 100644 => 100755 salt/common/tools/sbin/so-filebeat-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-filebeat-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-filebeat-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-fleet-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-fleet-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-fleet-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-grafana-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-grafana-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-grafana-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-helix-apikey
 mode change 100644 => 100755 salt/common/tools/sbin/so-index-list
 mode change 100644 => 100755 salt/common/tools/sbin/so-kibana-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-kibana-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-kibana-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-logstash-get-parsed
 mode change 100644 => 100755 salt/common/tools/sbin/so-logstash-get-unparsed
 mode change 100644 => 100755 salt/common/tools/sbin/so-logstash-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-logstash-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-mysql-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-mysql-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-mysql-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-nsm-clear
 mode change 100644 => 100755 salt/common/tools/sbin/so-pcap-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-pcap-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-pcap-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-playbook-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-playbook-ruleupdate
 mode change 100644 => 100755 salt/common/tools/sbin/so-playbook-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-playbook-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-playbook-sync
 mode change 100644 => 100755 salt/common/tools/sbin/so-redis-count
 mode change 100644 => 100755 salt/common/tools/sbin/so-redis-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-redis-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-redis-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-rule-update
 mode change 100644 => 100755 salt/common/tools/sbin/so-salt-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-salt-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-soctopus-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-soctopus-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-soctopus-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-status
 mode change 100644 => 100755 salt/common/tools/sbin/so-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-suricata-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-suricata-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-suricata-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-thehive-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-thehive-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-thehive-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-user-add
 mode change 100644 => 100755 salt/common/tools/sbin/so-wazuh-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-wazuh-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-wazuh-stop
 mode change 100644 => 100755 salt/common/tools/sbin/so-zeek-restart
 mode change 100644 => 100755 salt/common/tools/sbin/so-zeek-start
 mode change 100644 => 100755 salt/common/tools/sbin/so-zeek-stop
 mode change 100644 => 100755 salt/wazuh/files/wazuh-manager-whitelist
 mode change 100644 => 100755 salt/zeek/cron/packetloss.sh
 mode change 100644 => 100755 setup/install_scripts/00-so-checksum-offload-disable
 mode change 100644 => 100755 setup/so-functions
 mode change 100644 => 100755 setup/so-setup
 mode change 100644 => 100755 setup/so-whiptail
 mode change 100644 => 100755 so-setup-network

diff --git a/salt/common/scripts/dockernet.sh b/salt/common/scripts/dockernet.sh
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-bro-logs
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-checkin b/salt/common/tools/sbin/so-checkin
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-cortex-restart b/salt/common/tools/sbin/so-cortex-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-cortex-start b/salt/common/tools/sbin/so-cortex-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-cortex-stop b/salt/common/tools/sbin/so-cortex-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-curator-restart b/salt/common/tools/sbin/so-curator-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-curator-start b/salt/common/tools/sbin/so-curator-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-curator-stop b/salt/common/tools/sbin/so-curator-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastalert-create b/salt/common/tools/sbin/so-elastalert-create
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastalert-restart b/salt/common/tools/sbin/so-elastalert-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastalert-start b/salt/common/tools/sbin/so-elastalert-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastalert-stop b/salt/common/tools/sbin/so-elastalert-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastalert-test b/salt/common/tools/sbin/so-elastalert-test
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastic-diagnose b/salt/common/tools/sbin/so-elastic-diagnose
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elastic-download b/salt/common/tools/sbin/so-elastic-download
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elasticsearch-restart b/salt/common/tools/sbin/so-elasticsearch-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elasticsearch-start b/salt/common/tools/sbin/so-elasticsearch-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-elasticsearch-stop b/salt/common/tools/sbin/so-elasticsearch-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-filebeat-restart b/salt/common/tools/sbin/so-filebeat-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-filebeat-start b/salt/common/tools/sbin/so-filebeat-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-filebeat-stop b/salt/common/tools/sbin/so-filebeat-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-fleet-restart b/salt/common/tools/sbin/so-fleet-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-fleet-start b/salt/common/tools/sbin/so-fleet-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-fleet-stop b/salt/common/tools/sbin/so-fleet-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-helix-apikey b/salt/common/tools/sbin/so-helix-apikey
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-kibana-restart b/salt/common/tools/sbin/so-kibana-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-kibana-start b/salt/common/tools/sbin/so-kibana-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-kibana-stop b/salt/common/tools/sbin/so-kibana-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-logstash-get-parsed b/salt/common/tools/sbin/so-logstash-get-parsed
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-logstash-get-unparsed b/salt/common/tools/sbin/so-logstash-get-unparsed
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-logstash-start b/salt/common/tools/sbin/so-logstash-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-logstash-stop b/salt/common/tools/sbin/so-logstash-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-mysql-restart b/salt/common/tools/sbin/so-mysql-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-mysql-start b/salt/common/tools/sbin/so-mysql-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-mysql-stop b/salt/common/tools/sbin/so-mysql-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/common/tools/sbin/so-pcap-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/common/tools/sbin/so-pcap-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/common/tools/sbin/so-pcap-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-playbook-restart b/salt/common/tools/sbin/so-playbook-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-playbook-ruleupdate b/salt/common/tools/sbin/so-playbook-ruleupdate
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-playbook-start b/salt/common/tools/sbin/so-playbook-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-playbook-stop b/salt/common/tools/sbin/so-playbook-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-redis-restart b/salt/common/tools/sbin/so-redis-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-redis-start b/salt/common/tools/sbin/so-redis-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-redis-stop b/salt/common/tools/sbin/so-redis-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-rule-update b/salt/common/tools/sbin/so-rule-update
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-salt-start b/salt/common/tools/sbin/so-salt-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-salt-stop b/salt/common/tools/sbin/so-salt-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-soctopus-restart b/salt/common/tools/sbin/so-soctopus-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-soctopus-start b/salt/common/tools/sbin/so-soctopus-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-soctopus-stop b/salt/common/tools/sbin/so-soctopus-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-suricata-restart b/salt/common/tools/sbin/so-suricata-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-suricata-start b/salt/common/tools/sbin/so-suricata-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-suricata-stop b/salt/common/tools/sbin/so-suricata-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-thehive-restart b/salt/common/tools/sbin/so-thehive-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-thehive-start b/salt/common/tools/sbin/so-thehive-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-thehive-stop b/salt/common/tools/sbin/so-thehive-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-user-add b/salt/common/tools/sbin/so-user-add
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-wazuh-restart b/salt/common/tools/sbin/so-wazuh-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-wazuh-start b/salt/common/tools/sbin/so-wazuh-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-wazuh-stop b/salt/common/tools/sbin/so-wazuh-stop
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop
old mode 100644
new mode 100755
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
old mode 100644
new mode 100755
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh
old mode 100644
new mode 100755
diff --git a/setup/install_scripts/00-so-checksum-offload-disable b/setup/install_scripts/00-so-checksum-offload-disable
old mode 100644
new mode 100755
diff --git a/setup/so-functions b/setup/so-functions
old mode 100644
new mode 100755
diff --git a/setup/so-setup b/setup/so-setup
old mode 100644
new mode 100755
diff --git a/setup/so-whiptail b/setup/so-whiptail
old mode 100644
new mode 100755
diff --git a/so-setup-network b/so-setup-network
old mode 100644
new mode 100755

From 799cf322654671e610825b978cff30b4715ec55b Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 5 Feb 2020 14:45:07 -0500
Subject: [PATCH 150/188] fix logstash for so-helix role

---
 .../conf/pipelines/helix/{ => templates}/9997_output_helix.conf | 0
 salt/logstash/etc/logstash.yml                                  | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename salt/logstash/conf/pipelines/helix/{ => templates}/9997_output_helix.conf (100%)

diff --git a/salt/logstash/conf/pipelines/helix/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/9997_output_helix.conf
rename to salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index 47b487ebe..d7a51df81 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,7 +63,7 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{%- if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' and grains.role != 'so-eval' %}
+{%- if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' and grains.role != 'so-eval' and grains.role != 'so-helix' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
 {%- else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf

From ec11b9ea257f9939ab8c9b68ead3061c525cf5cf Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 5 Feb 2020 20:34:32 +0000
Subject: [PATCH 151/188] Remove Redis config from eval PL

---
 .../eval/templates/9999_output_redis.conf     | 26 -------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf

diff --git a/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
deleted file mode 100644
index f176e0b94..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if salt['grains.get']('role') == 'so-master' %}
-{% set master = salt['pillar.get']('static:masterip', '') %}
-{%- set nodetype = 'master' %}
-{% elif grains.role == 'so-heavynode' %}
-{% set master = salt['pillar.get']('node:mainip', '') %}
-{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
-{%- else %}
-{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
-{% set master = salt['pillar.get']('static:masterip', '') %}
-{%- endif %}
-
-
-output {
-	redis {
-		host => '{{ master }}'
-		data_type => 'list'
-		{%- if nodetype == 'parser' %}
-		key => 'logstash:parsed'
-		{%- else %}
-		key => 'logstash:unparsed'
-		{%- endif %}
-		congestion_interval => 1
-		congestion_threshold => 50000000
-		# batch_events => 500
-	}
-}

From 9779037e99117d77e0a9db11f53e30cb892833d5 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 5 Feb 2020 18:16:43 -0500
Subject: [PATCH 152/188] crossthestream -> crossthestreams

---
 salt/utility/bin/{crossthestream => crossthestreams} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/utility/bin/{crossthestream => crossthestreams} (100%)

diff --git a/salt/utility/bin/crossthestream b/salt/utility/bin/crossthestreams
similarity index 100%
rename from salt/utility/bin/crossthestream
rename to salt/utility/bin/crossthestreams

From 9f53d2ce3ed7f8978dee88cfad08b4cbf784ae2f Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Wed, 5 Feb 2020 18:42:55 -0500
Subject: [PATCH 153/188] Fix Filebeat Cert

---
 salt/ssl/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 83c7c92e4..de0d5d61f 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -133,7 +133,7 @@ fbcrtlink:
         backup: True
 
 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
 
 fbcertdir:
   file.directory:

From 725b56c858ba93335fe32c7c073ed5dc374e372b Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Wed, 5 Feb 2020 21:07:08 -0500
Subject: [PATCH 154/188] add registry to mastersearch

---
 salt/top.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/top.sls b/salt/top.sls
index 1a5c30e60..607b33e46 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -196,6 +196,7 @@ base:
   'G@role:so-mastersearch':
     - ca
     - ssl
+    - registry
     - common
     - sensoroni
     - firewall

From 79dc6c84d9ed5736918e6db3f7666ef6a1835981 Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Wed, 5 Feb 2020 21:19:07 -0500
Subject: [PATCH 155/188] add auth to mastersearch

---
 salt/top.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/top.sls b/salt/top.sls
index 607b33e46..ef2124a65 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -199,6 +199,7 @@ base:
     - registry
     - common
     - sensoroni
+    - auth
     - firewall
     - master
     - idstools

From d2dd0f09e9a1866f80c6937df25746be99b6f903 Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Thu, 6 Feb 2020 10:25:01 -0500
Subject: [PATCH 156/188] fix zeek path

---
 salt/filebeat/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index b058f1408..45abfea56 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -55,7 +55,7 @@ so-filebeat:
     - binds:
       - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
-      - /nsm/bro:/nsm/bro:ro
+      - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro

From 7c00e7c2861eca190fe5a6e2dedb5b23d48f0cc7 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 6 Feb 2020 15:23:03 -0500
Subject: [PATCH 157/188] [feature] Final changes for so-status re: predefined
 container list

---
 pillar/docker/config.sls               | 215 +++++++++++++++++++++++++
 pillar/top.sls                         |   1 +
 salt/common/tools/sbin/so-auth-restart |  21 +++
 salt/common/tools/sbin/so-auth-start   |  20 +++
 salt/common/tools/sbin/so-auth-stop    |  20 +++
 salt/common/tools/sbin/so-restart      |   1 +
 salt/common/tools/sbin/so-start        |  11 ++
 salt/common/tools/sbin/so-status       | 114 ++++++++++---
 salt/common/tools/sbin/so-stop         |   5 +-
 salt/top.sls                           |   8 +-
 setup/so-functions                     |   4 +-
 11 files changed, 388 insertions(+), 32 deletions(-)
 create mode 100644 pillar/docker/config.sls
 create mode 100644 salt/common/tools/sbin/so-auth-restart
 create mode 100644 salt/common/tools/sbin/so-auth-start
 create mode 100644 salt/common/tools/sbin/so-auth-stop

diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
new file mode 100644
index 000000000..454eead49
--- /dev/null
+++ b/pillar/docker/config.sls
@@ -0,0 +1,215 @@
+{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%}
+{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
+{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
+{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
+{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
+{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
+{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
+
+eval:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-dockerregistry
+    - so-sensoroni
+    - so-idstools
+    - so-auth-api
+    - so-auth-ui
+    {%- if OSQUERY != 0 %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {%- endif %}
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-steno
+    - so-suricata
+    - so-zeek
+    - so-curator
+    - so-elasalert
+    {%- if WAZUH != 0 %}
+    - so-wazuh
+    {%- endif %}
+    - so-soctopus
+    {%- if THEHIVE != 0 %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {%- endif %}
+    {%- if PLAYBOOK != 0 %}
+    - so-playbook
+    - so-navigator
+    {%- endif %}
+    {%- if FREQSERVER != 0 %}
+    - so-freqserver
+    {%- endif %}
+    {%- if DOMAINSTATS != 0 %}
+    - so-domainstats
+    {%- endif %}
+heavy_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-steno
+    - so-suricata
+    - so-wazuh
+    - so-filebeat
+    {%- if BROVER != 'SURICATA' %}
+    - so-zeek
+    {%- endif %}
+helix:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-idstools
+    - so-steno
+    - so-zeek
+    - so-zeek
+    - so-redis
+    - so-logstash
+    - so-filebeat
+hot_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+master_search:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-sensoroni
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-auth-api
+    - so-auth-ui
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-kibana
+    - so-elasalert
+    - so-filebeat
+    - so-soctopus
+    {%- if OSQUERY != 0 %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {%- endif %}
+    {%- if WAZUH != 0 %}
+    - so-wazuh
+    {%- endif %}
+    - so-soctopus
+    {%- if THEHIVE != 0 %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {%- endif %}
+    {%- if PLAYBOOK != 0 %}
+    - so-playbook
+    - so-navigator
+    {%- endif %}
+    {%- if FREQSERVER != 0 %}
+    - so-freqserver
+    {%- endif %}
+    {%- if DOMAINSTATS != 0 %}
+    - so-domainstats
+    {%- endif %}
+master:
+  containers:
+    - so-dockerregistry
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-sensoroni
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-auth-api
+    - so-auth-ui
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-elasalert
+    - so-filebeat
+    {%- if OSQUERY != 0 %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {%- endif %}
+    {%- if WAZUH != 0 %}
+    - so-wazuh
+    {%- endif %}
+    - so-soctopus
+    {%- if THEHIVE != 0 %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {%- endif %}
+    {%- if PLAYBOOK != 0 %}
+    - so-playbook
+    - so-navigator
+    {%- endif %}
+    {%- if FREQSERVER != 0 %}
+    - so-freqserver
+    {%- endif %}
+    {%- if DOMAINSTATS != 0 %}
+    - so-domainstats
+    {%- endif %}
+parser_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-logstash
+search_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-filebeat
+    {%- if WAZUH != 0 %}
+    - so-wazuh
+    {%- endif %}
+sensor:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-steno
+    - so-suricata
+    {%- if BROVER != 'SURICATA' %}
+    - so-zeek
+    {%- endif %}
+    - so-wazuh
+    - so-filebeat
+warm_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-influxdb
+    - so-grafana
+    - so-elasticsearch
diff --git a/pillar/top.sls b/pillar/top.sls
index 9eb5522fe..42d40ec10 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,6 +1,7 @@
 base:
   '*':
     - patch.needs_restarting
+    - docker.config
 
   'G@role:so-mastersearch or G@role:so-heavynode':
     - match: compound
diff --git a/salt/common/tools/sbin/so-auth-restart b/salt/common/tools/sbin/so-auth-restart
new file mode 100644
index 000000000..8659b1e3a
--- /dev/null
+++ b/salt/common/tools/sbin/so-auth-restart
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart auth $1
+
diff --git a/salt/common/tools/sbin/so-auth-start b/salt/common/tools/sbin/so-auth-start
new file mode 100644
index 000000000..5330f662d
--- /dev/null
+++ b/salt/common/tools/sbin/so-auth-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start auth $1
diff --git a/salt/common/tools/sbin/so-auth-stop b/salt/common/tools/sbin/so-auth-stop
new file mode 100644
index 000000000..5ca6db7e2
--- /dev/null
+++ b/salt/common/tools/sbin/so-auth-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop auth $1
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index bbcfe4c20..3714e324a 100755
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -32,5 +32,6 @@ fi
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
    "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
+   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-cal state.apply auth queue=True;;
    *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
index a198377a1..889160122 100755
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -32,5 +32,16 @@ fi
 case $1 in
    "all") salt-call state.highstate queue=True;;
    "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   "auth") 
+      if docker ps | grep -q so-auth-api; then
+         if docker ps | grep -q so-auth-ui; then
+            printf "\n$1 is already running!\n\n"
+         else
+            docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
+         fi
+      else
+         docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
+      fi
+      ;;
    *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 45b52ae35..8d37395dc 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -15,7 +15,32 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# {% raw %}
+{%- set pillar_suffix = ':containers' -%}
+{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
+    {%- set pillar_val = 'master_search' -%}
+{%- elif (salt['grains.get']('role') == 'so-master') -%}
+    {%- set pillar_val = 'master' -%}
+{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
+    {%- set pillar_val = 'heavy_node' -%}
+{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
+    {%- set pillar_val = 'sensor' -%}
+{%- elif (salt['grains.get']('role') == 'so-eval') -%}
+    {%- set pillar_val = 'eval' -%}
+{%- elif (salt['grains.get']('role') == 'so-helix') -%}
+    {%- set pillar_val = 'helix' -%}
+{%- elif (salt['grains.get']('role') == 'so-node') -%}
+    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
+        {%- set pillar_val = 'parser_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
+        {%- set pillar_val = 'hot_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
+        {%- set pillar_val = 'warm_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
+        {%- set pillar_val = 'search_node' -%}
+    {%- endif -%}
+{%- endif -%}
+{%- set pillar_name = pillar_val ~ pillar_suffix -%}
+{%- set container_list = salt['pillar.get'](pillar_name) %}
 
 if ! [ $(id -u)=0 ]; then
    echo "This command must be run as root"
@@ -26,13 +51,56 @@ fi
 ERROR_STRING="ERROR"
 SUCCESS_STRING="OK"
 PENDING_STRING="PENDING"
+MISSING_STRING='MISSING'
 declare -a BAD_STATUSES=("removing", "paused", "exited", "dead")
 declare -a PENDING_STATUSES=("paused", "created", "restarting")
 declare -a GOOD_STATUSES=("running")
 
+declare -a temp_container_name_list=()
+declare -a temp_container_state_list=()
 
 declare -a container_name_list=()
 declare -a container_state_list=()
+
+declare -a expected_container_list=()
+
+# {% raw %}
+
+compare_lists() {
+    local found=0
+
+    create_expected_container_list
+
+    if [[ ${#expected_container_list[@]} = 0 ]]; then
+        container_name_list=$temp_container_name_list
+        container_state_list=$temp_container_state_list
+        return 1
+    fi
+
+    for intended_item in ${expected_container_list[@]}; do
+        found = 0
+        for i in ${!temp_container_name_list[@]}; do
+            [[ ${temp_container_name_list[$i]} = $intended_item ]] \
+                && found = 1 \
+                && container_name_list+=("${temp_container_name_list[$i]}") \
+                && container_state_list+=("${temp_container_state_list[$i]}") \
+                && break
+        done
+        if [[ $found = 0 ]]; then
+            container_name_list+=("$intended_item")
+            container_state_list+=("missing")
+        fi
+    done
+}
+
+# {% endraw %}
+
+create_expected_container_list() {
+    {% for item in container_list%}
+        expected_container_list+=("{{ item }}")
+    {% endfor %}
+}
+
 populate_container_lists() {
     systemctl is-active --quiet docker
 
@@ -50,51 +118,51 @@ populate_container_lists() {
     for line in ${docker_raw_list[@]}; do
         container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
         container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
-        container_name_list+=( "${container_name}" )
-        container_state_list+=( "${container_state}" )
+        
+        temp_container_name_list+=( "${container_name}" )
+        temp_container_state_list+=( "${container_state}" )
     done
+
+    compare_lists
 }
 
 parse_status() {
     local container_state=${1}
-    local found=0
+
+    [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
 
     for state in "${GOOD_STATUSES[@]}"; do
         [[ $container_state = $state ]] && printf $SUCCESS_STRING && return 0
     done
 
-    if [[ $found = 0 ]]; then
-        for state in "${PENDING_STATUSES[@]}"; do
-            [[ $container_state = $state ]] && printf $PENDING_STRING && return 0
-        done
-    fi
+    for state in "${PENDING_STATUSES[@]}"; do
+        [[ $container_state = $state ]] && printf $PENDING_STRING && return 0
+    done
 
     # This is technically not needed since the default is error state
-    if [[ $found = 0 ]]; then
-        for state in "${BAD_STATUSES[@]}"; do
-            [[ $container_state = $state ]] && printf $ERROR_STRING && return 1
-        done
-    fi
+    for state in "${BAD_STATUSES[@]}"; do
+        [[ $container_state = $state ]] && printf $ERROR_STRING && return 1
+    done
 
     printf $ERROR_STRING && return 1
 }
 
-columns=$(tput cols)
+# {% raw %}
 
 print_line() {
     local service_name=${1}
     local service_state=$( parse_status ${2} )
-    local PADDING_CONSTANT=14
+    local columns=$(tput cols)
     local state_color="\e[0m"
 
-    if [[ $service_state = $ERROR_STRING ]]; then
+    local PADDING_CONSTANT=14
+
+    if [[ $service_state = $ERROR_STRING ]] || [[ $service_state = $MISSING_STRING ]]; then
         state_color="\e[1;31m"
     elif [[ $service_state = $SUCCESS_STRING ]]; then
         state_color="\e[1;32m"
     elif [[ $service_state = $PENDING_STRING ]]; then
         state_color="\e[1;33m"
-    else
-        state_color="\e[0m"
     fi
 
     printf "    $service_name "
@@ -121,13 +189,9 @@ main() {
     populate_container_lists
 
     printf "\n"
-
     printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
 
-
     local num_containers=${#docker_raw_list[@]}
-    local container_name=""
-    local container_state=""
 
     for i in $(seq 0 $(($num_containers - 1 ))); do
         print_line ${container_name_list[$i]} ${container_state_list[$i]}
@@ -136,6 +200,8 @@ main() {
     printf "\n"
 }
 
+# {% endraw %}
+
+
 main
 
-# {% endraw %}
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop
index 64d0a4298..8d5770b64 100755
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -23,5 +23,8 @@ echo $banner
 printf "Stopping $1...\n"
 echo $banner
 
-docker stop so-$1 ; docker rm so-$1
+case $1 in
+    "auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
+    *) docker stop so-$1 ; docker rm so-$1 ;;
+esac
 
diff --git a/salt/top.sls b/salt/top.sls
index ef2124a65..6f7763c62 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -1,7 +1,6 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
 {%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%}
 {%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
 {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
 {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
 {%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
@@ -100,6 +99,7 @@ base:
     - master
     - idstools
     - redis
+    - auth
     {%- if OSQUERY != 0 %}
     - mysql
     {%- endif %}
@@ -188,6 +188,7 @@ base:
     - firewall
     - sensor
     - master
+    - auth
     {%- if OSQUERY != 0 %}
     - launcher
     {%- endif %}
@@ -204,6 +205,7 @@ base:
     - master
     - idstools
     - redis
+    - auth
     {%- if OSQUERY != 0 %}
     - mysql
     {%- endif %}
@@ -257,9 +259,5 @@ base:
     {%- if BROVER != 'SURICATA' %}
     - zeek
     {%- endif %}
-    - wazuh
     - filebeat
-    {%- if OSQUERY != 0 %}
-    - launcher
-    {%- endif %}
     - schedule
diff --git a/setup/so-functions b/setup/so-functions
index 83f323b0b..61bd8542d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1036,7 +1036,7 @@ EOF
     fi
 
     yum clean expire-cache
-    yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl
+    yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl jq
     yum -y update exclude=salt*
     systemctl enable salt-minion
 
@@ -1054,7 +1054,7 @@ EOF
     DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
 
     # Add the pre-requisites for installing docker-ce
-    apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >> $SETUPLOG 2>&1
+    apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl jq >> $SETUPLOG 2>&1
 
     # Grab the version from the os-release file
     UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')

From f4b8211938b74be623887545db66f7324d5ffc38 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 6 Feb 2020 15:27:56 -0500
Subject: [PATCH 158/188] [fix] Various timeout fixes for so-auth

---
 salt/auth/init.sls                           | 1 +
 salt/common/nginx/nginx.conf.so-eval         | 2 +-
 salt/common/nginx/nginx.conf.so-master       | 2 +-
 salt/common/nginx/nginx.conf.so-mastersearch | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index 18850d534..abbe514d3 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -15,6 +15,7 @@ so-auth-api:
         - name: so-auth-api
         - environment:
             - BASE_PATH: "/so-auth/api"
+            - AUTH_TOKEN_TIMEOUT: 32400
         - binds:
             - /opt/so/conf/auth/api:/data
         - port_bindings:
diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval
index d3e377881..701f558e7 100644
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -246,7 +246,7 @@ http {
         error_page 401 = @error401;
 
         location @error401 {
-          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
           return        302 http://{{ masterip }}/so-auth/loginpage/;
         }
 
diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master
index 3cac44155..2c836962c 100644
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -250,7 +250,7 @@ http {
         error_page 401 = @error401;
 
         location @error401 {
-          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
           return        302 http://{{ masterip }}/so-auth/loginpage/;
         }
 
diff --git a/salt/common/nginx/nginx.conf.so-mastersearch b/salt/common/nginx/nginx.conf.so-mastersearch
index 6fa080f5b..1bd0ebd2f 100644
--- a/salt/common/nginx/nginx.conf.so-mastersearch
+++ b/salt/common/nginx/nginx.conf.so-mastersearch
@@ -262,7 +262,7 @@ http {
         error_page 401 = @error401;
 
         location @error401 {
-          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
           return        302 http://{{ masterip }}/so-auth/loginpage/;
         }
 

From 12d3ae92e7497b33229d5179d3d5963514db0b7d Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Thu, 6 Feb 2020 15:35:15 -0500
Subject: [PATCH 159/188] Logstash restart script

---
 salt/common/tools/sbin/so-logstash-restart | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100755 salt/common/tools/sbin/so-logstash-restart

diff --git a/salt/common/tools/sbin/so-logstash-restart b/salt/common/tools/sbin/so-logstash-restart
new file mode 100755
index 000000000..dec06f95c
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart logstash $1

From 2f055d4c0033c7867bfadd57801c37d03c04c545 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 6 Feb 2020 15:41:13 -0500
Subject: [PATCH 160/188] adjusting logstash heapsize for
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/277

---
 setup/so-functions | 10 ++++------
 setup/so-setup     |  4 ++--
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 83f323b0b..d0e6c60a4 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -664,8 +664,10 @@ install_master() {
 ls_heapsize() {
 
   # Determine LS Heap Size
-  if [ $TOTAL_MEM -ge 32000 ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+  if [ $TOTAL_MEM -ge 32000 ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ||  [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
       LS_HEAP_SIZE="1000m"
+  elif [ $INSTALLTYPE == 'EVALMODE' ]; then
+      LS_HEAP_SIZE="700m"
   else
       # If minimal RAM, then set minimal heap
       LS_HEAP_SIZE="500m"
@@ -695,11 +697,7 @@ master_pillar() {
     echo "  freq: 0" >> $PILLARFILE
     echo "  domainstats: 0" >> $PILLARFILE
   fi
-  if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
-    echo "  lsheap: 1000m" >> $PILLARFILE
-  else
-    echo "  lsheap: $LS_HEAP_SIZE" >> $PILLARFILE
-  fi
+  echo "  lsheap: $LS_HEAP_SIZE" >> $PILLARFILE
   echo "  lsaccessip: 127.0.0.1" >> $PILLARFILE
   echo "  elastalert: 1" >> $PILLARFILE
   echo "  ls_pipeline_workers: $CPUCORES" >> $PILLARFILE
diff --git a/setup/so-setup b/setup/so-setup
index addfbdd3c..4fd81629e 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -542,8 +542,8 @@ if (whiptail_you_sure) ; then
     # Set a bunch of stuff since this is eval
     es_heapsize
     ls_heapsize
-    NODE_ES_HEAP_SIZE="600m"
-    NODE_LS_HEAP_SIZE="1000m"
+    NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
+    NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
     LSPIPELINEWORKERS=1
     LSPIPELINEBATCH=125
     LSINPUTTHREADS=1

From 3cfec72b407f64977b6b26438f163125ccf16156 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 6 Feb 2020 18:55:23 -0500
Subject: [PATCH 161/188] Fix Wazuh perms

---
 salt/wazuh/init.sls | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 42cf3f4b7..3942cfab3 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -12,7 +12,7 @@ ossecm:
   user.present:
     - uid: 943
     - gid: 945
-    - home: /opt/so/wazuh
+    - home: /opt/so/conf/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -22,7 +22,7 @@ ossecr:
   user.present:
     - uid: 944
     - gid: 945
-    - home: /opt/so/wazuh
+    - home: /opt/so/conf/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -32,11 +32,23 @@ ossec:
   user.present:
     - uid: 945
     - gid: 945
-    - home: /opt/so/wazuh
+    - home: /opt/so/conf/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
 
+wazuhdir:
+  file.directory:
+    - name: /opt/so/conf/wazuh
+    - user: 945
+    - group: 945
+
+wazuhlogdir:
+  file.directory:
+    - name: /opt/so/log/wazuh
+    - user: 945
+    - group: 945
+
 # Add wazuh agent
 wazuhpkgs:
  pkg.installed:
@@ -83,7 +95,7 @@ so-wazuh:
       - 0.0.0.0:1514:1514/tcp
       - 0.0.0.0:55000:55000
     - binds:
-      - /opt/so/wazuh/:/var/ossec/data/:rw
+      - /opt/so/conf/wazuh/:/var/ossec/data/:rw
 
 # Register the agent
 registertheagent:

From 6ceb127c460a19b5f873ee4f5746727caa08300b Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 7 Feb 2020 08:52:09 -0500
Subject: [PATCH 162/188] Fix Wazuh paths for logstash/fb

---
 salt/filebeat/init.sls                        |  4 ++--
 .../eval/templates/9000_output_bro.conf       |  3 ++-
 .../eval/templates/9400_output_suricata.conf  |  3 ++-
 .../helix/templates/9997_output_helix.conf    |  4 ++++
 salt/logstash/init.sls                        |  4 ++--
 salt/wazuh/init.sls                           | 22 +++++++++++++++----
 6 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 45abfea56..5c7287fd2 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -57,8 +57,8 @@ so-filebeat:
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
       - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
-      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
-      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+      - /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
index 553500281..2beafc8be 100644
--- a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
+++ b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
@@ -1,5 +1,6 @@
 {%- if grains['role'] == 'so-eval' -%}
 {%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
@@ -12,7 +13,7 @@
 filter {
   if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
     mutate {
-	  ##add_tag => [ "conf_file_9000"]
+	  add_field => { "sensor_name" => "{{ NAME }}" }
 	}
   }
 }
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
index 4bffd7f0a..1de235444 100644
--- a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
+++ b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
@@ -1,5 +1,6 @@
 {%- if grains['role'] == 'so-eval' -%}
 {%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
@@ -11,7 +12,7 @@
 filter {
   if [event_type] == "suricata" and "test_data" not in [tags] {
     mutate {
-	  ##add_tag => [ "conf_file_9400"]
+	  add_field => { "sensor_name" => "{{ NAME }}" }
 	}
   }
 }
diff --git a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
index 5dd0036fe..35b737593 100644
--- a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
+++ b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
@@ -1,4 +1,6 @@
 {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
+{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
+{% set CBNAME = grains.host %}
 
 filter {
   if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
@@ -34,6 +36,8 @@ filter {
       copy => { "class" => "program"}
       rename => { "source_port" => "srcport" }
       rename => { "destination_port" => "dstport" }
+      add_field => { "metacbid" => "{{ UNIQUEID }}"}
+      add_field => { "metacbname" => "{{ CBNAME }}"}
       remove_field => ["source_ip", "destination_ip"]
       remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
       remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index f52413006..af1d23c0e 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -241,8 +241,8 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
-      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
-      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+      - /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 42cf3f4b7..2cfd28c86 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -12,7 +12,7 @@ ossecm:
   user.present:
     - uid: 943
     - gid: 945
-    - home: /opt/so/wazuh
+    - home: /opt/so/conf/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -22,7 +22,7 @@ ossecr:
   user.present:
     - uid: 944
     - gid: 945
-    - home: /opt/so/wazuh
+    - home: /opt/so/conf/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -32,11 +32,23 @@ ossec:
   user.present:
     - uid: 945
     - gid: 945
-    - home: /opt/so/wazuh
+    - home: /opt/so/conf/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
 
+wazuhdir:
+  file.directory:
+    - name: /opt/so/conf/wazuh
+    - user: 945
+    - group: 945
+
+wazuhlogdir:
+  file.directory:
+    - name: /opt/so/log/wazuh
+    - user: 945
+    - group: 945
+
 # Add wazuh agent
 wazuhpkgs:
  pkg.installed:
@@ -83,7 +95,9 @@ so-wazuh:
       - 0.0.0.0:1514:1514/tcp
       - 0.0.0.0:55000:55000
     - binds:
-      - /opt/so/wazuh/:/var/ossec/data/:rw
+      - /opt/so/conf/wazuh/etc:/var/ossec/data/etc:rw
+      - /opt/so/log/wazuh:/var/ossec/data/logs:rw
+
 
 # Register the agent
 registertheagent:

From e4a73d97735b55b1eb152d6ebef4c8ec4a9f92db Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 7 Feb 2020 16:16:28 -0500
Subject: [PATCH 163/188] Fix Wazuh paths for logstash

---
 salt/wazuh/files/wazuh-manager-whitelist |  5 +----
 salt/wazuh/init.sls                      | 12 ++++++++++--
 setup/so-whiptail                        |  2 +-
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
index 300dcf140..ac804e447 100755
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -18,7 +18,7 @@
 
 # Check if Wazuh enabled
 if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
-      WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+      WAZUH_MGR_CFG="/opt/so/conf/wazuh/etc/ossec.conf"
       if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
               DATE=`date`
               sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
@@ -26,8 +26,5 @@ if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
               echo -e "<!--Address {{ MASTERIP }} added by setup on "$DATE"-->\n  <global>\n    <white_list>{{ MASTERIP }}</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
               echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG."
               echo
-              echo "Restarting OSSEC Server..."
-              #/usr/sbin/so-wazuh-restart
       fi
 fi
-
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 2cfd28c86..5578cddca 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -43,11 +43,19 @@ wazuhdir:
     - user: 945
     - group: 945
 
-wazuhlogdir:
+wazuhalertlogdir:
   file.directory:
-    - name: /opt/so/log/wazuh
+    - name: /opt/so/log/wazuh/logs/alerts
     - user: 945
     - group: 945
+    - makedirs: True
+
+wazuharchlogdir:
+  file.directory:
+    - name: /opt/so/log/wazuh/logs/archives
+    - user: 945
+    - group: 945
+    - makedirs: True
 
 # Add wazuh agent
 wazuhpkgs:
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 3316d6e2c..59db1b29c 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -109,7 +109,7 @@ whiptail_check_exitstatus() {
 whiptail_create_admin_user() {
 
   ADMINUSER=$(whiptail --title "Security Onion Install" --inputbox \
-  "Please enter a username for your new admin user" 10 60 3>&1 1>&2 2>&3)
+  "Please enter a username for your new admin user. The onion account will be disabled during this install" 10 60 3>&1 1>&2 2>&3)
 
 }
 

From 9740b23b1d0f6445ac2c56d561d51dc1ffc05009 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 7 Feb 2020 16:42:16 -0500
Subject: [PATCH 164/188] Fix Wazuh paths for logstash

---
 salt/firewall/init.sls                      | 11 +++++++++++
 salt/wazuh/files/agent/wazuh-register-agent |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index a26993cc0..657ff7814 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -359,6 +359,17 @@ enable_minion_osquery_8080_{{ip}}:
     - position: 1
     - save: True
 
+enable_minion_wazuh_55000_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 55000
+    - position: 1
+    - save: True
+
 {% endfor %}
 
 # Allow Forward Nodes to send their beats traffic
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index 8a8c2ab7f..ae6ddee60 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -24,7 +24,7 @@
 ###
 
 # Connection variables
-API_IP="localhost"
+API_IP="{{ ip }}"
 API_PORT="55000"
 PROTOCOL="https"
 USER="foo"

From 3dc73278a222ab75b834bd4806c696f9fd827a0e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 7 Feb 2020 16:47:45 -0500
Subject: [PATCH 165/188] Fix Wazuh paths for logstash

---
 salt/wazuh/files/server/ossec.conf | 220 +++++++++++++++++++++++++++++
 salt/wazuh/init.sls                |   9 ++
 2 files changed, 229 insertions(+)
 create mode 100644 salt/wazuh/files/server/ossec.conf

diff --git a/salt/wazuh/files/server/ossec.conf b/salt/wazuh/files/server/ossec.conf
new file mode 100644
index 000000000..9d6fa94bf
--- /dev/null
+++ b/salt/wazuh/files/server/ossec.conf
@@ -0,0 +1,220 @@
+<!--
+  Wazuh - Manager - Default configuration for centos 7
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>yes</logall>
+    <logall_json>yes</logall_json>
+    <email_notification>no</email_notification>
+    <smtp_server>smtp.example.wazuh.com</smtp_server>
+    <email_from>ossecm@example.wazuh.com</email_from>
+    <email_to>recipient@example.wazuh.com</email_to>
+    <email_maxperhour>12</email_maxperhour>
+  </global>
+
+  <alerts>
+    <log_alert_level>1</log_alert_level>
+    <email_alert_level>7</email_alert_level>
+  </alerts>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>udp</protocol>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_unixaudit>yes</check_unixaudit>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="open-scap">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <content type="xccdf" path="ssg-centos-7-ds.xml">
+      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
+      <profile>xccdf_org.ssgproject.content_profile_common</profile>
+    </content>
+  </wodle>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
+    <directories check_all="yes">/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">^/proc</ignore>
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+    <white_list>10.0.0.2</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account.sh</executable>
+    <expect>user</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-ossec</name>
+    <executable>restart-ossec.sh</executable>
+    <expect></expect>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!-- Active Response Config -->
+  <active-response>
+    <!-- This response is going to execute the host-deny
+       - command for every event that fires a rule with
+       - level (severity) >= 6.
+       - The IP is going to be blocked for  600 seconds.
+      -->
+    <command>host-deny</command>
+    <location>local</location>
+    <level>6</level>
+    <timeout>600</timeout>
+  </active-response>
+
+  <active-response>
+    <!-- Firewall Drop response. Block the IP for
+       - 600 seconds on the firewall (iptables,
+       - ipfilter, etc).
+      -->
+    <command>firewall-drop</command>
+    <location>local</location>
+    <level>6</level>
+    <timeout>600</timeout>
+  </active-response>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+</ossec_config>
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 5578cddca..6a0b8681b 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -73,6 +73,15 @@ wazuhagentconf:
     - group: 945
     - template: jinja
 
+# Add Wazuh server conf
+wazuhserverconf:
+  file.managed:
+    - name: /opt/so/conf/wazuh/etc/ossec.conf
+    - source: salt://wazuh/files/server/ossec.conf
+    - user: 0
+    - group: 945
+    - template: jinja
+
 # Add Wazuh agent conf
 wazuhagentregister:
   file.managed:

From 9218121a236ad2719c7a9a10d7021ad1d1e0edba Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@gmail.com>
Date: Sat, 8 Feb 2020 12:35:52 -0500
Subject: [PATCH 166/188] [fix] checksum-offload-disable syntax errors

---
 setup/install_scripts/00-so-checksum-offload-disable | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/install_scripts/00-so-checksum-offload-disable b/setup/install_scripts/00-so-checksum-offload-disable
index 32b8d46e6..c2f449965 100755
--- a/setup/install_scripts/00-so-checksum-offload-disable
+++ b/setup/install_scripts/00-so-checksum-offload-disable
@@ -1,9 +1,9 @@
 #!/bin/bash
 
-if [ "$NM_DISPATCHER_ACTION" == "pre-up" ]; then
-    if ["$DEVICE_IFACE" !== "$MAININT"]; then
+if [[ "$NM_DISPATCHER_ACTION" == "pre-up" ]]; then
+    if [[ "$DEVICE_IFACE" != "$MAININT" ]]; then
         for i in rx tx sg tso ufo gso gro lro; do 
-            ethtool -K $DEVICE_IFACE $i off; 
+            ethtool -K "$DEVICE_IFACE" "$i" off; 
         done
     fi
 fi

From b341a7f0cd75ab3e28c3828731b5ced3ba765f87 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Sat, 8 Feb 2020 18:43:33 -0500
Subject: [PATCH 167/188] [fix] Move checksum offload script dir to pre-up.d

---
 setup/so-functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 2f9642ddb..6ae66d5b9 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -771,10 +771,10 @@ network_setup() {
   nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1
 
   echo "... Copying 00-so-checksum-offload-disable" >> $SETUPLOG 2>&1
-  cp $SCRIPTDIR/install_scripts/00-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/00-so-checksum-offload-disable  >> $SETUPLOG 2>&1
+  cp $SCRIPTDIR/install_scripts/00-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/00-so-checksum-offload-disable  >> $SETUPLOG 2>&1
 
   echo "... Modifying 00-so-checksum-offload-disable" >> $SETUPLOG 2>&1
-  sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/00-so-checksum-offload-disable >> $SETUPLOG 2>&1
+  sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/00-so-checksum-offload-disable >> $SETUPLOG 2>&1
 }
 
 node_pillar() {

From 2804247f8891acdc5c07e596ef2ddd1247c88f48 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Sun, 9 Feb 2020 16:35:08 -0500
Subject: [PATCH 168/188] [fix] Syntax errors in so-status

---
 salt/common/tools/sbin/so-status | 37 ++++++++++++++++----------------
 1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 8d37395dc..1527ee4a3 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -42,7 +42,7 @@
 {%- set pillar_name = pillar_val ~ pillar_suffix -%}
 {%- set container_list = salt['pillar.get'](pillar_name) %}
 
-if ! [ $(id -u)=0 ]; then
+if ! [ "$(id -u)" = 0 ]; then
    echo "This command must be run as root"
    exit 1
 fi
@@ -52,8 +52,8 @@ ERROR_STRING="ERROR"
 SUCCESS_STRING="OK"
 PENDING_STRING="PENDING"
 MISSING_STRING='MISSING'
-declare -a BAD_STATUSES=("removing", "paused", "exited", "dead")
-declare -a PENDING_STATUSES=("paused", "created", "restarting")
+declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
+declare -a PENDING_STATUSES=("paused" "created" "restarting")
 declare -a GOOD_STATUSES=("running")
 
 declare -a temp_container_name_list=()
@@ -72,16 +72,16 @@ compare_lists() {
     create_expected_container_list
 
     if [[ ${#expected_container_list[@]} = 0 ]]; then
-        container_name_list=$temp_container_name_list
-        container_state_list=$temp_container_state_list
+        container_name_list="${temp_container_name_list[*]}"
+        container_state_list="${temp_container_state_list[*]}"
         return 1
     fi
 
-    for intended_item in ${expected_container_list[@]}; do
-        found = 0
-        for i in ${!temp_container_name_list[@]}; do
-            [[ ${temp_container_name_list[$i]} = $intended_item ]] \
-                && found = 1 \
+    for intended_item in "${expected_container_list[@]}"; do
+        found=0
+        for i in "${!temp_container_name_list[@]}"; do
+            [[ ${temp_container_name_list[$i]} = "$intended_item" ]] \
+                && found=1 \
                 && container_name_list+=("${temp_container_name_list[$i]}") \
                 && container_state_list+=("${temp_container_state_list[$i]}") \
                 && break
@@ -115,7 +115,7 @@ populate_container_lists() {
     local container_name=""
     local container_state=""
 
-    for line in ${docker_raw_list[@]}; do
+    for line in "${docker_raw_list[@]}"; do
         container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
         container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
         
@@ -132,16 +132,16 @@ parse_status() {
     [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
 
     for state in "${GOOD_STATUSES[@]}"; do
-        [[ $container_state = $state ]] && printf $SUCCESS_STRING && return 0
+        [[ $container_state = "$state" ]] && printf $SUCCESS_STRING && return 0
     done
 
     for state in "${PENDING_STATUSES[@]}"; do
-        [[ $container_state = $state ]] && printf $PENDING_STRING && return 0
+        [[ $container_state = "$state" ]] && printf $PENDING_STRING && return 0
     done
 
     # This is technically not needed since the default is error state
     for state in "${BAD_STATUSES[@]}"; do
-        [[ $container_state = $state ]] && printf $ERROR_STRING && return 1
+        [[ $container_state = "$state" ]] && printf $ERROR_STRING && return 1
     done
 
     printf $ERROR_STRING && return 1
@@ -151,17 +151,17 @@ parse_status() {
 
 print_line() {
     local service_name=${1}
-    local service_state=$( parse_status ${2} )
+    local service_state="$( parse_status ${2} )"
     local columns=$(tput cols)
     local state_color="\e[0m"
 
     local PADDING_CONSTANT=14
 
-    if [[ $service_state = $ERROR_STRING ]] || [[ $service_state = $MISSING_STRING ]]; then
+    if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
         state_color="\e[1;31m"
-    elif [[ $service_state = $SUCCESS_STRING ]]; then
+    elif [[ $service_state = "$SUCCESS_STRING" ]]; then
         state_color="\e[1;32m"
-    elif [[ $service_state = $PENDING_STRING ]]; then
+    elif [[ $service_state = "$PENDING_STRING" ]]; then
         state_color="\e[1;33m"
     fi
 
@@ -204,4 +204,3 @@ main() {
 
 
 main
-

From d29cd1caee815cea5d11899b309a4584de263714 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Sun, 9 Feb 2020 18:03:30 -0500
Subject: [PATCH 169/188] [fix] Elastalert typo

---
 pillar/docker/config.sls | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
index 454eead49..2dc592b69 100644
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -29,7 +29,7 @@ eval:
     - so-suricata
     - so-zeek
     - so-curator
-    - so-elasalert
+    - so-elastalert
     {%- if WAZUH != 0 %}
     - so-wazuh
     {%- endif %}
@@ -104,7 +104,7 @@ master_search:
     - so-elasticsearch
     - so-curator
     - so-kibana
-    - so-elasalert
+    - so-elastalert
     - so-filebeat
     - so-soctopus
     {%- if OSQUERY != 0 %}
@@ -147,7 +147,7 @@ master:
     - so-elasticsearch
     - so-logstash
     - so-kibana
-    - so-elasalert
+    - so-elastalert
     - so-filebeat
     {%- if OSQUERY != 0 %}
     - so-mysql

From 301ff7750173752a766de8ca5ccacf16071ccb46 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Sun, 9 Feb 2020 19:06:54 -0500
Subject: [PATCH 170/188] [fix] Jinja2 templating comparisons

---
 pillar/docker/config.sls         | 39 ++++++++++++++++----------------
 salt/common/tools/sbin/so-status |  2 +-
 2 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
index 2dc592b69..ab2f18d16 100644
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -17,7 +17,7 @@ eval:
     - so-idstools
     - so-auth-api
     - so-auth-ui
-    {%- if OSQUERY != 0 %}
+    {%- if OSQUERY != '0' %}
     - so-mysql
     - so-fleet
     - so-redis
@@ -30,23 +30,23 @@ eval:
     - so-zeek
     - so-curator
     - so-elastalert
-    {%- if WAZUH != 0 %}
+    {%- if WAZUH != '0' %}
     - so-wazuh
     {%- endif %}
     - so-soctopus
-    {%- if THEHIVE != 0 %}
+    {%- if THEHIVE != '0' %}
     - so-thehive
     - so-thehive-es
     - so-cortex
     {%- endif %}
-    {%- if PLAYBOOK != 0 %}
+    {%- if PLAYBOOK != '0' %}
     - so-playbook
     - so-navigator
     {%- endif %}
-    {%- if FREQSERVER != 0 %}
+    {%- if FREQSERVER != '0' %}
     - so-freqserver
     {%- endif %}
-    {%- if DOMAINSTATS != 0 %}
+    {%- if DOMAINSTATS != '0' %}
     - so-domainstats
     {%- endif %}
 heavy_node:
@@ -107,28 +107,28 @@ master_search:
     - so-elastalert
     - so-filebeat
     - so-soctopus
-    {%- if OSQUERY != 0 %}
+    {%- if OSQUERY != '0' %}
     - so-mysql
     - so-fleet
     - so-redis
     {%- endif %}
-    {%- if WAZUH != 0 %}
+    {%- if WAZUH != '0' %}
     - so-wazuh
     {%- endif %}
     - so-soctopus
-    {%- if THEHIVE != 0 %}
+    {%- if THEHIVE != '0' %}
     - so-thehive
     - so-thehive-es
     - so-cortex
     {%- endif %}
-    {%- if PLAYBOOK != 0 %}
+    {%- if PLAYBOOK != '0' %}
     - so-playbook
     - so-navigator
     {%- endif %}
-    {%- if FREQSERVER != 0 %}
+    {%- if FREQSERVER != '0' %}
     - so-freqserver
     {%- endif %}
-    {%- if DOMAINSTATS != 0 %}
+    {%- if DOMAINSTATS != '0' %}
     - so-domainstats
     {%- endif %}
 master:
@@ -149,28 +149,28 @@ master:
     - so-kibana
     - so-elastalert
     - so-filebeat
-    {%- if OSQUERY != 0 %}
+    {%- if OSQUERY != '0' %}
     - so-mysql
     - so-fleet
     - so-redis
     {%- endif %}
-    {%- if WAZUH != 0 %}
+    {%- if WAZUH != '0' %}
     - so-wazuh
     {%- endif %}
     - so-soctopus
-    {%- if THEHIVE != 0 %}
+    {%- if THEHIVE != '0' %}
     - so-thehive
     - so-thehive-es
     - so-cortex
     {%- endif %}
-    {%- if PLAYBOOK != 0 %}
+    {%- if PLAYBOOK != '0' %}
     - so-playbook
     - so-navigator
     {%- endif %}
-    {%- if FREQSERVER != 0 %}
+    {%- if FREQSERVER != '0' %}
     - so-freqserver
     {%- endif %}
-    {%- if DOMAINSTATS != 0 %}
+    {%- if DOMAINSTATS != '0' %}
     - so-domainstats
     {%- endif %}
 parser_node:
@@ -190,7 +190,7 @@ search_node:
     - so-elasticsearch
     - so-curator
     - so-filebeat
-    {%- if WAZUH != 0 %}
+    {%- if WAZUH != '0' %}
     - so-wazuh
     {%- endif %}
 sensor:
@@ -213,3 +213,4 @@ warm_node:
     - so-influxdb
     - so-grafana
     - so-elasticsearch
+    
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 1527ee4a3..7f6e01eec 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -191,7 +191,7 @@ main() {
     printf "\n"
     printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
 
-    local num_containers=${#docker_raw_list[@]}
+    local num_containers=${#container_name_list[@]}
 
     for i in $(seq 0 $(($num_containers - 1 ))); do
         print_line ${container_name_list[$i]} ${container_state_list[$i]}

From 34f6cec8e2d46046eeee2b855373b67f3de9188e Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Mon, 10 Feb 2020 14:32:36 -0500
Subject: [PATCH 171/188] Set Unique ID in Pillar file

---
 setup/so-functions | 1 +
 1 file changed, 1 insertion(+)

diff --git a/setup/so-functions b/setup/so-functions
index 6ae66d5b9..b9367890d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1207,6 +1207,7 @@ sensor_pillar() {
   echo "  nidsbpf:" >> $PILLARFILE
   echo "  master: $MSRV" >> $PILLARFILE
   echo "  mtu: $MTU" >> $PILLARFILE
+  echo "  uniqueid: $(date '+%s')" >> $PILLARFILE
   if [ $HNSENSOR != 'inherit' ]; then
   echo "  hnsensor: $HNSENSOR" >> $PILLARFILE
   fi

From fbeba98af8fc0042e1ff01c1644239ddadeb7fc7 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 10 Feb 2020 20:56:03 +0000
Subject: [PATCH 172/188] change wazuh dir

---
 salt/wazuh/init.sls | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 322ce4883..0b2e49ff8 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -43,20 +43,6 @@ wazuhdir:
     - user: 945
     - group: 945
 
-wazuhalertlogdir:
-  file.directory:
-    - name: /opt/so/log/wazuh/logs/alerts
-    - user: 945
-    - group: 945
-    - makedirs: True
-
-wazuharchlogdir:
-  file.directory:
-    - name: /opt/so/log/wazuh/logs/archives
-    - user: 945
-    - group: 945
-    - makedirs: True
-
 # Add wazuh agent
 wazuhpkgs:
  pkg.installed:
@@ -112,8 +98,7 @@ so-wazuh:
       - 0.0.0.0:1514:1514/tcp
       - 0.0.0.0:55000:55000
     - binds:
-      - /opt/so/conf/wazuh/etc:/var/ossec/data/etc:rw
-      - /opt/so/log/wazuh:/var/ossec/data/logs:rw
+      - /opt/so/conf/wazuh:/var/ossec/data:rw
 
 # Register the agent
 registertheagent:

From 76305d42fcff9affe18c40e58a2c108c04c319a8 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 10 Feb 2020 21:21:22 +0000
Subject: [PATCH 173/188] dont manage config

---
 salt/wazuh/init.sls | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index 0b2e49ff8..f3525ce37 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -59,16 +59,7 @@ wazuhagentconf:
     - group: 945
     - template: jinja
 
-# Add Wazuh server conf
-wazuhserverconf:
-  file.managed:
-    - name: /opt/so/conf/wazuh/etc/ossec.conf
-    - source: salt://wazuh/files/server/ossec.conf
-    - user: 0
-    - group: 945
-    - template: jinja
-
-# Add Wazuh agent conf
+# Wazuh agent registration script
 wazuhagentregister:
   file.managed:
     - name: /usr/sbin/wazuh-register-agent
@@ -78,6 +69,7 @@ wazuhagentregister:
     - mode: 755
     - template: jinja
 
+# Whitelist script
 wazuhmgrwhitelist:
    file.managed:
     - name: /usr/sbin/wazuh-manager-whitelist

From e07029bf6b492aeeb806efe7212f175144b5156a Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 10 Feb 2020 16:59:06 -0500
Subject: [PATCH 174/188] [fix] Remove containers from so-status for roles that
 don't use them

---
 pillar/docker/config.sls | 126 +++++++++++++++++++--------------------
 1 file changed, 60 insertions(+), 66 deletions(-)

diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
index ab2f18d16..2d67a1215 100644
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -1,27 +1,31 @@
-{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%}
-{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
-{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
-{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
-{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
-{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
+{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
+{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+
 
 eval:
   containers:
     - so-core
     - so-telegraf
+    {% if  GRAFANA == '1' %}
     - so-influxdb
     - so-grafana
+    {% endif %}
     - so-dockerregistry
     - so-sensoroni
     - so-idstools
     - so-auth-api
     - so-auth-ui
-    {%- if OSQUERY != '0' %}
+    {% if OSQUERY != '0' %}
     - so-mysql
     - so-fleet
     - so-redis
-    {%- endif %}
+    {% endif %}
     - so-elasticsearch
     - so-logstash
     - so-kibana
@@ -30,31 +34,29 @@ eval:
     - so-zeek
     - so-curator
     - so-elastalert
-    {%- if WAZUH != '0' %}
+    {% if WAZUH != '0' %}
     - so-wazuh
-    {%- endif %}
+    {% endif %}
     - so-soctopus
-    {%- if THEHIVE != '0' %}
+    {% if THEHIVE != '0' %}
     - so-thehive
     - so-thehive-es
     - so-cortex
-    {%- endif %}
-    {%- if PLAYBOOK != '0' %}
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
     - so-playbook
     - so-navigator
-    {%- endif %}
-    {%- if FREQSERVER != '0' %}
+    {% endif %}
+    {% if FREQSERVER != '0' %}
     - so-freqserver
-    {%- endif %}
-    {%- if DOMAINSTATS != '0' %}
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
     - so-domainstats
-    {%- endif %}
+    {% endif %}
 heavy_node:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
     - so-redis
     - so-logstash
     - so-elasticsearch
@@ -63,19 +65,17 @@ heavy_node:
     - so-suricata
     - so-wazuh
     - so-filebeat
-    {%- if BROVER != 'SURICATA' %}
+    {% if BROVER != 'SURICATA' %}
     - so-zeek
-    {%- endif %}
+    {% endif %}
 helix:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
+
     - so-idstools
     - so-steno
     - so-zeek
-    - so-zeek
     - so-redis
     - so-logstash
     - so-filebeat
@@ -83,8 +83,6 @@ hot_node:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
     - so-logstash
     - so-elasticsearch
     - so-curator
@@ -92,8 +90,6 @@ master_search:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
     - so-sensoroni
     - so-acng
     - so-idstools
@@ -107,37 +103,39 @@ master_search:
     - so-elastalert
     - so-filebeat
     - so-soctopus
-    {%- if OSQUERY != '0' %}
+    {% if OSQUERY != '0' %}
     - so-mysql
     - so-fleet
     - so-redis
-    {%- endif %}
-    {%- if WAZUH != '0' %}
+    {% endif %}
+    {% if WAZUH != '0' %}
     - so-wazuh
-    {%- endif %}
+    {% endif %}
     - so-soctopus
-    {%- if THEHIVE != '0' %}
+    {% if THEHIVE != '0' %}
     - so-thehive
     - so-thehive-es
     - so-cortex
-    {%- endif %}
-    {%- if PLAYBOOK != '0' %}
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
     - so-playbook
     - so-navigator
-    {%- endif %}
-    {%- if FREQSERVER != '0' %}
+    {% endif %}
+    {% if FREQSERVER != '0' %}
     - so-freqserver
-    {%- endif %}
-    {%- if DOMAINSTATS != '0' %}
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
     - so-domainstats
-    {%- endif %}
+    {% endif %}
 master:
   containers:
     - so-dockerregistry
     - so-core
     - so-telegraf
+    {% if  GRAFANA == '1' %}
     - so-influxdb
     - so-grafana
+    {% endif %}
     - so-sensoroni
     - so-acng
     - so-idstools
@@ -149,68 +147,64 @@ master:
     - so-kibana
     - so-elastalert
     - so-filebeat
-    {%- if OSQUERY != '0' %}
+    {% if OSQUERY != '0' %}
     - so-mysql
     - so-fleet
     - so-redis
-    {%- endif %}
-    {%- if WAZUH != '0' %}
+    {% endif %}
+    {% if WAZUH != '0' %}
     - so-wazuh
-    {%- endif %}
+    {% endif %}
     - so-soctopus
-    {%- if THEHIVE != '0' %}
+    {% if THEHIVE != '0' %}
     - so-thehive
     - so-thehive-es
     - so-cortex
-    {%- endif %}
-    {%- if PLAYBOOK != '0' %}
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
     - so-playbook
     - so-navigator
-    {%- endif %}
-    {%- if FREQSERVER != '0' %}
+    {% endif %}
+    {% if FREQSERVER != '0' %}
     - so-freqserver
-    {%- endif %}
-    {%- if DOMAINSTATS != '0' %}
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
     - so-domainstats
-    {%- endif %}
+    {% endif %}
 parser_node:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
+
     - so-logstash
 search_node:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
+
     - so-logstash
     - so-elasticsearch
     - so-curator
     - so-filebeat
-    {%- if WAZUH != '0' %}
+    {% if WAZUH != '0' %}
     - so-wazuh
-    {%- endif %}
+    {% endif %}
 sensor:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
+
     - so-steno
     - so-suricata
-    {%- if BROVER != 'SURICATA' %}
+    {% if BROVER != 'SURICATA' %}
     - so-zeek
-    {%- endif %}
+    {% endif %}
     - so-wazuh
     - so-filebeat
 warm_node:
   containers:
     - so-core
     - so-telegraf
-    - so-influxdb
-    - so-grafana
+
     - so-elasticsearch
     
\ No newline at end of file

From 9e5c96ddfa01e56fff3174539809c9c8f7ce1847 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 10 Feb 2020 16:59:06 -0500
Subject: [PATCH 175/188] [fix] Remove containers from so-status for roles that
 don't use them

---
 pillar/docker/config.sls | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/pillar/docker/config.sls b/pillar/docker/config.sls
index 2d67a1215..f3259dfc0 100644
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -72,7 +72,6 @@ helix:
   containers:
     - so-core
     - so-telegraf
-
     - so-idstools
     - so-steno
     - so-zeek
@@ -175,13 +174,11 @@ parser_node:
   containers:
     - so-core
     - so-telegraf
-
     - so-logstash
 search_node:
   containers:
     - so-core
     - so-telegraf
-
     - so-logstash
     - so-elasticsearch
     - so-curator
@@ -193,7 +190,6 @@ sensor:
   containers:
     - so-core
     - so-telegraf
-
     - so-steno
     - so-suricata
     {% if BROVER != 'SURICATA' %}
@@ -205,6 +201,5 @@ warm_node:
   containers:
     - so-core
     - so-telegraf
-
     - so-elasticsearch
-    
\ No newline at end of file
+    

From 521de8f154f17efc28a72ca26516a587cc3b7074 Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Mon, 10 Feb 2020 22:47:11 -0500
Subject: [PATCH 176/188] Update 9997_output_helix.conf

---
 .../helix/templates/9997_output_helix.conf    | 66 +++++++++++--------
 1 file changed, 40 insertions(+), 26 deletions(-)

diff --git a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
index 35b737593..aa586d3b6 100644
--- a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
+++ b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
@@ -3,7 +3,7 @@
 {% set CBNAME = grains.host %}
 
 filter {
-  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
     grok {
       match => [
         "source_ip", "^%{IPV4:srcipv4}$",
@@ -17,28 +17,27 @@ filter {
        ]
     }
 
-    geoip {
-      source => "[source_ip]"
-      target => "source_geo"
-    }
-    geoip {
-      source => "[destination_ip]"
-      target => "destination_geo"
-    }
+    #geoip {
+    #  source => "[source_ip]"
+    #  target => "source_geo"
+    #}
+    #geoip {
+    #  source => "[destination_ip]"
+    #  target => "destination_geo"
+    #}
     mutate {
-      #rename => { "%{[source_geo][country_code]}" => "srccountrycode" }
-      #rename => { "%{[destination_geo][country_code]}" => "dstcountrycode" }
       rename => { "[beat_host][name]" => "sensor" }
       copy => { "sensor" => "rawmsghostname" }
       rename => { "message" => "rawmsg" }
-      #rename => { "event_type" => "program" }
       copy => { "type" => "class" }
       copy => { "class" => "program"}
       rename => { "source_port" => "srcport" }
       rename => { "destination_port" => "dstport" }
-      add_field => { "metacbid" => "{{ UNIQUEID }}"}
-      add_field => { "metacbname" => "{{ CBNAME }}"}
-      remove_field => ["source_ip", "destination_ip"]
+      rename => { "[log][file][path]" => "filepath" }
+      add_field => { "meta_cbid" => "{{ UNIQUEID }}" }
+      add_field => { "meta_cbname" => "{{ CBNAME }}" }
+      remove_field => ["source_ip", "destination_ip", "syslog-host_from"]
+      remove_field => ["beat_host", "timestamp", "type", "log", "@version", "@timestamp"]
       remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
       remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
     }
@@ -56,6 +55,7 @@ filter {
         rename => { "local_respond" => "local_resp" }
         rename => { "local_orig" => "localorig" }
         rename => { "missed_bytes" => "missingbytes" }
+        rename => { "connection_state_description" => "description" }
       }
     }
     if "bro_dns" in [class] {
@@ -69,21 +69,31 @@ filter {
         rename => { "query_type_name" => "querytypename" }
         rename => { "ra" => "recursionavailable" }
         rename => { "rd" => "recursiondesired" }
+        rename => { "uid" => "connectionid" }
+        rename => { "ttls" => "ttl" }
+        rename => { "transaction_id" => "transactionid" }
       }
     }
     if "bro_dhcp" in [class] {
       mutate{
         #add_field = { "metaclass" => "dhcp"}
         rename => { "message_types" => "direction" }
-				rename => { "lease_time" => "duration" }
+        rename => { "uid" => "connectionid" }
+	rename => { "lease_time" => "duration" }
       }
     }
     if "bro_files" in [class] {
       mutate{
         #add_field = { "metaclass" => "dns"}
         rename => { "missing_bytes" => "missingbytes" }
+        rename => { "seen_bytes" => "seenbytes" }
+        rename => { "overflow_bytes" => "overflowbytes" }
         rename => { "fuid" => "fileid" }
-        rename => { "uid" => "connectionid" }
+        rename => { "conn_uids" => "connectionid" }
+        rename => { "is_orig" => "isorig" }
+        rename => { "timed_out" => "timedout" }
+        rename => { "local_orig" => "localorig" }
+        rename => { "file_ip" => "tx_host" }
       }
     }
     if "bro_http" in [class] {
@@ -98,7 +108,10 @@ filter {
         rename => { "request_body_len" => "sentbodybytes" }
         rename => { "uid" => "connectionid" }
         rename => { "ts"=> "eventtime" }
-	      rename => { "@timestamp"=> "eventtime" }
+        rename => { "@timestamp"=> "eventtime" }
+        rename => { "trans_depth" => "depth" }
+        rename => { "request_body_length" => "sentbodybytes" }
+        rename => { "response_body_length" => "rcvdbodybytes" }
       }
     }
     if "bro_ssl" in [class] {
@@ -110,30 +123,31 @@ filter {
         rename => { "resp_fuids" => "rcvdfileid" }
         rename => { "response_body_len" => "rcvdbodybytes" }
         rename => { "request_body_len" => "sentbodybytes" }
+        rename => { "uid" => "connectionid" }
       }
     }
-		if "bro_weird" in [class] {
+    if "bro_weird" in [class] {
       mutate{
         #add_field = { "metaclass" => "dns"}
         rename => { "name" => "eventname" }
       }
     }
-		if "bro_x509" in [class] {
+    if "bro_x509" in [class] {
       mutate{
         #add_field = { "metaclass" => "dns"}
-				rename => { "certificate_common_name" => "certname" }
+	rename => { "certificate_common_name" => "certname" }
         rename => { "certificate_subject" => "certsubject" }
-				rename => { "issuer_common_name" => "issuer" }
-				rename => { "certificate_issuer" => "issuersubject" }
-				rename => { "certificate_not_valid_before" => "issuetime" }
-				rename => { "certificate_key_type" => "cert_type" }
+	rename => { "issuer_common_name" => "issuer" }
+	rename => { "certificate_issuer" => "issuersubject" }
+	rename => { "certificate_not_valid_before" => "issuetime" }
+	rename => { "certificate_key_type" => "cert_type" }
       }
     }
   }
 }
 
 output {
-  if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+  if [class] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
     http {
       url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
       http_method => post

From 0994f598c735ee78dd96f1d3e327568624bbc31e Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 11 Feb 2020 13:45:28 +0000
Subject: [PATCH 177/188] update Wazuh paths

---
 salt/common/tools/sbin/so-allow | 2 +-
 salt/filebeat/init.sls          | 4 ++--
 salt/logstash/init.sls          | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 68f3f37ce..6e0cd1763 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -86,7 +86,7 @@ echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
-          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          WAZUH_MGR_CFG="/opt/so/conf/wazuh/etc/ossec.conf"
           if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
                   DATE=`date`
                   sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 5c7287fd2..ea7a84150 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -57,8 +57,8 @@ so-filebeat:
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
       - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
-      - /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
-      - /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
+      - /opt/so/conf/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /opt/so/conf/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index af1d23c0e..0d475101d 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -241,8 +241,8 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
-      - /opt/so/log/wazuh/logs/alerts:/wazuh/alerts:ro
-      - /opt/so/log/wazuh/logs/archives:/wazuh/archives:ro
+      - /opt/so/conf/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /opt/so/conf/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/log/strelka:/strelka:ro
       {%- endif %}

From 99b1a15306778041a37e7e9412d5b815ddbc822e Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 11 Feb 2020 10:26:41 -0500
Subject: [PATCH 178/188] Helix Telegraf

---
 salt/common/telegraf/etc/telegraf.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/salt/common/telegraf/etc/telegraf.conf b/salt/common/telegraf/etc/telegraf.conf
index af9941bfa..5fda428d4 100644
--- a/salt/common/telegraf/etc/telegraf.conf
+++ b/salt/common/telegraf/etc/telegraf.conf
@@ -647,6 +647,16 @@
      "/scripts/influxdbsize.sh"
    ]
    data_format = "influx"
+{% elif grains['role'] == 'so-helix' %}
+[[inputs.exec]]
+  commands = [
+    "/scripts/stenoloss.sh",
+    "/scripts/suriloss.sh",
+    "/scripts/checkfiles.sh",
+    "/scripts/broloss.sh",
+    "/scripts/oldpcap.sh",
+  ]
+  data_format = "influx"
 {% endif %}
 
 #

From aa578bffba6b15cfc904abb902245dc938ee2c89 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 11 Feb 2020 14:53:54 -0500
Subject: [PATCH 179/188] Stop wazzuh directory management

---
 salt/wazuh/init.sls | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index f3525ce37..b8600503a 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -37,11 +37,11 @@ ossec:
     - allow_uid_change: True
     - allow_gid_change: True
 
-wazuhdir:
-  file.directory:
-    - name: /opt/so/conf/wazuh
-    - user: 945
-    - group: 945
+#wazuhdir:
+#  file.directory:
+#    - name: /opt/so/conf/wazuh
+#    - user: 945
+#    - group: 945
 
 # Add wazuh agent
 wazuhpkgs:

From 8b835284ef3ed1fffc8fd6fbf15c5ca3654be6fa Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 11 Feb 2020 14:55:44 -0500
Subject: [PATCH 180/188] adding helix eps count for telegraf

---
 salt/common/telegraf/etc/telegraf.conf   |  1 +
 salt/common/telegraf/scripts/helixeps.sh | 25 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 salt/common/telegraf/scripts/helixeps.sh

diff --git a/salt/common/telegraf/etc/telegraf.conf b/salt/common/telegraf/etc/telegraf.conf
index 5fda428d4..3afe0e13a 100644
--- a/salt/common/telegraf/etc/telegraf.conf
+++ b/salt/common/telegraf/etc/telegraf.conf
@@ -655,6 +655,7 @@
     "/scripts/checkfiles.sh",
     "/scripts/broloss.sh",
     "/scripts/oldpcap.sh",
+    "/scripts/helixeps.sh",
   ]
   data_format = "influx"
 {% endif %}
diff --git a/salt/common/telegraf/scripts/helixeps.sh b/salt/common/telegraf/scripts/helixeps.sh
new file mode 100644
index 000000000..8ddd4a0e1
--- /dev/null
+++ b/salt/common/telegraf/scripts/helixeps.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+PREVCOUNTFILE='/tmp/helixevents.txt'
+EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.eval.events.out')"
+
+if [ ! -z "$EVENTCOUNTCURRENT" ]; then
+
+  if [ -f "$PREVCOUNTFILE" ]; then
+    EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
+  else
+    echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+    exit 0
+  fi
+
+  echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+  EVENTS=$((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS))
+  if [ "$EVENTS" -lt 0 ]; then
+    EVENTS=0
+  fi
+
+  echo "helixeps eps=${EVENTS}"
+
+fi
+
+exit 0

From c6a7543366ef107d55a2b52765811e025cd72f2f Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 11 Feb 2020 15:53:19 -0500
Subject: [PATCH 181/188] fix pipeline name for helix eps telegraf script

---
 salt/common/telegraf/scripts/helixeps.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/telegraf/scripts/helixeps.sh b/salt/common/telegraf/scripts/helixeps.sh
index 8ddd4a0e1..d9d708499 100644
--- a/salt/common/telegraf/scripts/helixeps.sh
+++ b/salt/common/telegraf/scripts/helixeps.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 PREVCOUNTFILE='/tmp/helixevents.txt'
-EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.eval.events.out')"
+EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
 
 if [ ! -z "$EVENTCOUNTCURRENT" ]; then
 

From 41db668af66136f84f8e625e5da5abd435531965 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 11 Feb 2020 22:16:25 +0000
Subject: [PATCH 182/188] update Wazuh data paths

---
 salt/filebeat/init.sls | 4 ++--
 salt/logstash/init.sls | 4 ++--
 salt/wazuh/init.sls    | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index ea7a84150..671530cd1 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -57,8 +57,8 @@ so-filebeat:
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
       - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
-      - /opt/so/conf/wazuh/logs/alerts:/wazuh/alerts:ro
-      - /opt/so/conf/wazuh/logs/archives:/wazuh/archives:ro
+      - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 0d475101d..222d6c586 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -241,8 +241,8 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
-      - /opt/so/conf/wazuh/logs/alerts:/wazuh/alerts:ro
-      - /opt/so/conf/wazuh/logs/archives:/wazuh/archives:ro
+      - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index b8600503a..4a6526c13 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -90,7 +90,7 @@ so-wazuh:
       - 0.0.0.0:1514:1514/tcp
       - 0.0.0.0:55000:55000
     - binds:
-      - /opt/so/conf/wazuh:/var/ossec/data:rw
+      - /opt/so/wazuh:/var/ossec/data:rw
 
 # Register the agent
 registertheagent:

From 73d5b637ad98326724b5b29ec5bd6a7ab1131d48 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 11 Feb 2020 17:43:05 -0500
Subject: [PATCH 183/188] changes to helixeps script for telegraf

---
 salt/common/telegraf/scripts/helixeps.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/common/telegraf/scripts/helixeps.sh b/salt/common/telegraf/scripts/helixeps.sh
index d9d708499..eee4f65c3 100644
--- a/salt/common/telegraf/scripts/helixeps.sh
+++ b/salt/common/telegraf/scripts/helixeps.sh
@@ -13,12 +13,12 @@ if [ ! -z "$EVENTCOUNTCURRENT" ]; then
   fi
 
   echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
-  EVENTS=$((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS))
+  EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
   if [ "$EVENTS" -lt 0 ]; then
     EVENTS=0
   fi
 
-  echo "helixeps eps=${EVENTS}"
+  echo "helixeps eps=${EVENTS%%.*}"
 
 fi
 

From f7ab43e428e0e4050cc335903bdb0b6394368559 Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Tue, 11 Feb 2020 19:30:17 -0500
Subject: [PATCH 184/188] Update telegraf.conf

---
 salt/common/telegraf/etc/telegraf.conf | 49 +++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/salt/common/telegraf/etc/telegraf.conf b/salt/common/telegraf/etc/telegraf.conf
index 3afe0e13a..7d65073a1 100644
--- a/salt/common/telegraf/etc/telegraf.conf
+++ b/salt/common/telegraf/etc/telegraf.conf
@@ -15,6 +15,7 @@
 
 {%- set MASTER = grains['master'] %}
 {% set NODEIP = salt['pillar.get']('node:mainip', '') %}
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 
 
 # Global tags can be specified here in key="value" format.
@@ -86,6 +87,7 @@
 ###############################################################################
 
 # Configuration for sending metrics to InfluxDB
+{% if grains['role'] != 'so-helix' %}
 [[outputs.influxdb]]
   ## The full HTTP or UDP URL for your InfluxDB instance.
   ##
@@ -148,7 +150,52 @@
   ## integer values.  Enabling this option will result in field type errors if
   ## existing data has been written.
   # influx_uint_support = false
+{% else %}
+# A plugin that can transmit metrics over HTTP
+[[outputs.http]]
+  ## URL is the address to send metrics to
+  url = "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
 
+  ## Timeout for HTTP message
+  # timeout = "5s"
+
+  ## HTTP method, one of: "POST" or "PUT"
+   method = "POST"
+
+  ## HTTP Basic Auth credentials
+  # username = "username"
+  # password = "pa$$word"
+
+  ## OAuth2 Client Credentials Grant
+  # client_id = "clientid"
+  # client_secret = "secret"
+  # token_url = "https://indentityprovider/oauth2/v1/token"
+  # scopes = ["urn:opc:idm:__myscopes__"]
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## Data format to output.
+  ## Each data format has it's own unique set of configuration options, read
+  ## more about them here:
+  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md
+   data_format = "json"
+
+  ## HTTP Content-Encoding for write request body, can be set to "gzip" to
+  ## compress body or "identity" to apply no encoding.
+   content_encoding = "gzip"
+
+  ## Additional HTTP headers
+   [outputs.http.headers]
+  #   # Should be set manually to "application/json" for json data_format
+     Content-Type = "application/json; charset=utf-8"
+     Authorization = "{{ HELIX_API_KEY }}"
+
+{% endif %}
 ###############################################################################
 #                            PROCESSOR PLUGINS                                #
 ###############################################################################
@@ -655,7 +702,7 @@
     "/scripts/checkfiles.sh",
     "/scripts/broloss.sh",
     "/scripts/oldpcap.sh",
-    "/scripts/helixeps.sh",
+    "/scripts/helixeps.sh"
   ]
   data_format = "influx"
 {% endif %}

From 0344ea78788b0229550009431fb6af537dc8fa95 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 12 Feb 2020 03:34:12 +0000
Subject: [PATCH 185/188] update Wazuh path

---
 salt/common/tools/sbin/so-allow          | 4 ++--
 salt/wazuh/files/wazuh-manager-whitelist | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 6e0cd1763..61df47fd0 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -86,14 +86,14 @@ echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
-          WAZUH_MGR_CFG="/opt/so/conf/wazuh/etc/ossec.conf"
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
           if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
                   DATE=`date`
                   sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
                   sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
                   echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
                   echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
-                  echo
+		  echo
                   echo "Restarting OSSEC Server..."
                   /usr/sbin/so-wazuh-restart
           fi
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
index ac804e447..ab4b15fd0 100755
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -18,7 +18,7 @@
 
 # Check if Wazuh enabled
 if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
-      WAZUH_MGR_CFG="/opt/so/conf/wazuh/etc/ossec.conf"
+      WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
       if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
               DATE=`date`
               sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG

From 718dacf29a35d3cbdd247a110f3ea6e393c87ba3 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 12 Feb 2020 03:37:56 +0000
Subject: [PATCH 186/188] update Wazuh order

---
 salt/top.sls | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/salt/top.sls b/salt/top.sls
index 6f7763c62..4af085ae1 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -56,6 +56,9 @@ base:
     {%- if OSQUERY != 0 %}
     - mysql
     {%- endif %}
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
     - elasticsearch
     - logstash
     - kibana
@@ -69,9 +72,6 @@ base:
     - redis
     - launcher
     {%- endif %}
-    {%- if WAZUH != 0 %}
-    - wazuh
-    {%- endif %}
     - utility
     - schedule
     - soctopus
@@ -103,13 +103,13 @@ base:
     {%- if OSQUERY != 0 %}
     - mysql
     {%- endif %}
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
     - elasticsearch
     - logstash
     - kibana
     - elastalert
-    {%- if WAZUH != 0 %}
-    - wazuh
-    {%- endif %}
     - filebeat
     - utility
     - schedule
@@ -171,12 +171,12 @@ base:
     - ssl
     - common
     - firewall
-    - logstash
-    - elasticsearch
-    - curator
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    - logstash
+    - elasticsearch
+    - curator
     - filebeat
     {%- if OSQUERY != 0 %}
     - launcher
@@ -209,14 +209,14 @@ base:
     {%- if OSQUERY != 0 %}
     - mysql
     {%- endif %}
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
     - logstash
     - elasticsearch
     - curator
     - kibana
     - elastalert
-    {%- if WAZUH != 0 %}
-    - wazuh
-    {%- endif %}
     - filebeat
     - utility
     - schedule
@@ -244,12 +244,12 @@ base:
     - common
     - firewall
     - redis
-    - logstash
-    - elasticsearch
-    - curator
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
+    - logstash
+    - elasticsearch
+    - curator
     - filebeat
     {%- if OSQUERY != 0 %}
     - launcher

From e76dc73ea62d7335266e4ac6a93f244621e2d9dc Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 12 Feb 2020 03:44:20 +0000
Subject: [PATCH 187/188] change Wazuh install order

---
 setup/so-setup | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/setup/so-setup b/setup/so-setup
index 4fd81629e..6d86a0b7a 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -382,15 +382,15 @@ if (whiptail_you_sure) ; then
         echo -e "XXX\n41\nInstalling MySQL... \nXXX"
         salt-call state.apply mysql >> $SETUPLOG 2>&1
       fi
+      if [[ $WAZUH == '1' ]]; then
+        echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
+        salt-call state.apply wazuh >> $SETUPLOG 2>&1
+      fi
       echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
       salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
       salt-call state.apply logstash >> $SETUPLOG 2>&1
       salt-call state.apply kibana >> $SETUPLOG 2>&1
       salt-call state.apply elastalert >> $SETUPLOG 2>&1
-      if [[ $WAZUH == '1' ]]; then
-        echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
-        salt-call state.apply wazuh >> $SETUPLOG 2>&1
-      fi
       echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
       salt-call state.apply filebeat >> $SETUPLOG 2>&1
       salt-call state.apply utility >> $SETUPLOG 2>&1
@@ -649,6 +649,10 @@ if (whiptail_you_sure) ; then
       if [[ $OSQUERY == '1' ]]; then
         salt-call state.apply mysql >> $SETUPLOG 2>&1
       fi
+      if [[ $WAZUH == '1' ]]; then
+        echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
+        salt-call state.apply wazuh >> $SETUPLOG 2>&1
+      fi
       echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
       salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
       echo -e "XXX\n40\nInstalling Logstash... \nXXX"
@@ -674,10 +678,6 @@ if (whiptail_you_sure) ; then
         salt-call state.apply fleet >> $SETUPLOG 2>&1
         salt-call state.apply redis >> $SETUPLOG 2>&1
       fi
-      if [[ $WAZUH == '1' ]]; then
-        echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
-        salt-call state.apply wazuh >> $SETUPLOG 2>&1
-      fi
       echo -e "XXX\n85\nInstalling filebeat... \nXXX"
       salt-call state.apply filebeat >> $SETUPLOG 2>&1
       salt-call state.apply utility >> $SETUPLOG 2>&1

From e656e5af454e12f3218b365133d9d6b5c7fa35b7 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 12 Feb 2020 09:26:34 -0500
Subject: [PATCH 188/188] [fix] so-functions and so-restart

---
 salt/common/tools/sbin/so-restart | 2 +-
 setup/so-functions                | 8 --------
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index 3714e324a..2e3c0a00c 100755
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -32,6 +32,6 @@ fi
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
    "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
-   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-cal state.apply auth queue=True;;
+   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
    *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac
diff --git a/setup/so-functions b/setup/so-functions
index f4c2eb621..b9367890d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1034,19 +1034,11 @@ EOF
     fi
 
     yum clean expire-cache
-<<<<<<< HEAD:setup/so-functions
     yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl jq
     yum -y update exclude=salt*
     systemctl enable salt-minion
 
     if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
-=======
-    yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl
-    yum -y update exclude=salt*
-    systemctl enable salt-minion
-
-    if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
->>>>>>> master:setup/functions.sh
       yum -y install salt-master-2019.2.3 python3 python36-m2crypto salt-minion-2019.2.3 python36-dateutil python36-mysql python36-docker
       systemctl enable salt-master
     else