From fa17a78fb456209f9dea9ca18614416a038b727e Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 26 Oct 2023 08:59:10 -0600
Subject: [PATCH 01/82] bump for v23.11.0 development

---
 docker-compose-standalone.yml                 | 44 +++++-----
 docker-compose.yml                            | 44 +++++-----
 docs/contributing-pcap.md                     |  2 +-
 docs/download.md                              |  4 +-
 docs/hedgehog-iso-build.md                    |  2 +-
 docs/kubernetes.md                            | 88 +++++++++----------
 docs/malcolm-iso.md                           |  2 +-
 docs/quickstart.md                            | 38 ++++----
 docs/ubuntu-install-example.md                | 38 ++++----
 kubernetes/03-opensearch.yml                  |  4 +-
 kubernetes/04-dashboards.yml                  |  2 +-
 kubernetes/05-upload.yml                      |  4 +-
 kubernetes/06-pcap-monitor.yml                |  4 +-
 kubernetes/07-arkime.yml                      |  4 +-
 kubernetes/08-api.yml                         |  2 +-
 kubernetes/09-dashboards-helper.yml           |  2 +-
 kubernetes/10-zeek.yml                        |  4 +-
 kubernetes/11-suricata.yml                    |  4 +-
 kubernetes/12-file-monitor.yml                |  4 +-
 kubernetes/13-filebeat.yml                    |  4 +-
 kubernetes/14-logstash.yml                    |  4 +-
 kubernetes/15-netbox-redis.yml                |  4 +-
 kubernetes/16-netbox-redis-cache.yml          |  2 +-
 kubernetes/17-netbox-postgres.yml             |  4 +-
 kubernetes/18-netbox.yml                      |  4 +-
 kubernetes/19-htadmin.yml                     |  4 +-
 kubernetes/20-pcap-capture.yml                |  4 +-
 kubernetes/21-zeek-live.yml                   |  4 +-
 kubernetes/22-suricata-live.yml               |  4 +-
 kubernetes/23-freq.yml                        |  2 +-
 kubernetes/98-nginx-proxy.yml                 |  4 +-
 .../aws/ami/packer_vars.json.example          |  2 +-
 32 files changed, 171 insertions(+), 171 deletions(-)

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 87aa7e02b..684e4a808 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -4,7 +4,7 @@ version: '3.7'
 
 services:
   opensearch:
-    image: ghcr.io/idaholab/malcolm/opensearch:23.10.0
+    image: ghcr.io/idaholab/malcolm/opensearch:23.11.0
     # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
     #   OPENSEARCH_PRIMARY will be set to remote, which means the container will
     #   start but not actually run OpenSearch. It's included in both profiles to
@@ -42,7 +42,7 @@ services:
       retries: 3
       start_period: 180s
   dashboards-helper:
-    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.10.0
+    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -71,7 +71,7 @@ services:
       retries: 3
       start_period: 30s
   dashboards:
-    image: ghcr.io/idaholab/malcolm/dashboards:23.10.0
+    image: ghcr.io/idaholab/malcolm/dashboards:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -98,7 +98,7 @@ services:
       retries: 3
       start_period: 210s
   logstash:
-    image: ghcr.io/idaholab/malcolm/logstash-oss:23.10.0
+    image: ghcr.io/idaholab/malcolm/logstash-oss:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -141,7 +141,7 @@ services:
       retries: 3
       start_period: 600s
   filebeat:
-    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.10.0
+    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -175,7 +175,7 @@ services:
       retries: 3
       start_period: 60s
   arkime:
-    image: ghcr.io/idaholab/malcolm/arkime:23.10.0
+    image: ghcr.io/idaholab/malcolm/arkime:23.11.0
     # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?)
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
@@ -215,7 +215,7 @@ services:
       retries: 3
       start_period: 210s
   zeek:
-    image: ghcr.io/idaholab/malcolm/zeek:23.10.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -254,7 +254,7 @@ services:
       retries: 3
       start_period: 60s
   zeek-live:
-    image: ghcr.io/idaholab/malcolm/zeek:23.10.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -283,7 +283,7 @@ services:
       - ./zeek-logs/extract_files:/zeek/extract_files
       - ./zeek/intel:/opt/zeek/share/zeek/site/intel
   suricata:
-    image: ghcr.io/idaholab/malcolm/suricata:23.10.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -318,7 +318,7 @@ services:
       retries: 3
       start_period: 120s
   suricata-live:
-    image: ghcr.io/idaholab/malcolm/suricata:23.10.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -345,7 +345,7 @@ services:
       - ./suricata-logs:/var/log/suricata
       - ./suricata/rules:/opt/suricata/rules:ro
   file-monitor:
-    image: ghcr.io/idaholab/malcolm/file-monitor:23.10.0
+    image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -372,7 +372,7 @@ services:
       retries: 3
       start_period: 60s
   pcap-capture:
-    image: ghcr.io/idaholab/malcolm/pcap-capture:23.10.0
+    image: ghcr.io/idaholab/malcolm/pcap-capture:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -395,7 +395,7 @@ services:
       - ./nginx/ca-trust:/var/local/ca-trust:ro
       - ./pcap/upload:/pcap
   pcap-monitor:
-    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.10.0
+    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -422,7 +422,7 @@ services:
       retries: 3
       start_period: 90s
   upload:
-    image: ghcr.io/idaholab/malcolm/file-upload:23.10.0
+    image: ghcr.io/idaholab/malcolm/file-upload:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -448,7 +448,7 @@ services:
       retries: 3
       start_period: 60s
   htadmin:
-    image: ghcr.io/idaholab/malcolm/htadmin:23.10.0
+    image: ghcr.io/idaholab/malcolm/htadmin:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -474,7 +474,7 @@ services:
       retries: 3
       start_period: 60s
   freq:
-    image: ghcr.io/idaholab/malcolm/freq:23.10.0
+    image: ghcr.io/idaholab/malcolm/freq:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -497,7 +497,7 @@ services:
       retries: 3
       start_period: 60s
   netbox:
-    image: ghcr.io/idaholab/malcolm/netbox:23.10.0
+    image: ghcr.io/idaholab/malcolm/netbox:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -530,7 +530,7 @@ services:
       retries: 3
       start_period: 120s
   netbox-postgres:
-    image: ghcr.io/idaholab/malcolm/postgresql:23.10.0
+    image: ghcr.io/idaholab/malcolm/postgresql:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -555,7 +555,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis:
-    image: ghcr.io/idaholab/malcolm/redis:23.10.0
+    image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -584,7 +584,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis-cache:
-    image: ghcr.io/idaholab/malcolm/redis:23.10.0
+    image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -612,7 +612,7 @@ services:
       retries: 3
       start_period: 45s
   api:
-    image: ghcr.io/idaholab/malcolm/api:23.10.0
+    image: ghcr.io/idaholab/malcolm/api:23.11.0
     profiles: ["malcolm"]
     command: gunicorn --bind 0:5000 manage:app
     restart: "no"
@@ -638,7 +638,7 @@ services:
       retries: 3
       start_period: 60s
   nginx-proxy:
-    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.10.0
+    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
diff --git a/docker-compose.yml b/docker-compose.yml
index cdfa5f761..c38dc4b04 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/opensearch.Dockerfile
-    image: ghcr.io/idaholab/malcolm/opensearch:23.10.0
+    image: ghcr.io/idaholab/malcolm/opensearch:23.11.0
     # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
     #   OPENSEARCH_PRIMARY will be set to remote, which means the container will
     #   start but not actually run OpenSearch. It's included in both profiles to
@@ -48,7 +48,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/dashboards-helper.Dockerfile
-    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.10.0
+    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -80,7 +80,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/dashboards.Dockerfile
-    image: ghcr.io/idaholab/malcolm/dashboards:23.10.0
+    image: ghcr.io/idaholab/malcolm/dashboards:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -110,7 +110,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/logstash.Dockerfile
-    image: ghcr.io/idaholab/malcolm/logstash-oss:23.10.0
+    image: ghcr.io/idaholab/malcolm/logstash-oss:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -160,7 +160,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/filebeat.Dockerfile
-    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.10.0
+    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -197,7 +197,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/arkime.Dockerfile
-    image: ghcr.io/idaholab/malcolm/arkime:23.10.0
+    image: ghcr.io/idaholab/malcolm/arkime:23.11.0
     # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?)
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
@@ -243,7 +243,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/zeek.Dockerfile
-    image: ghcr.io/idaholab/malcolm/zeek:23.10.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -286,7 +286,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/zeek.Dockerfile
-    image: ghcr.io/idaholab/malcolm/zeek:23.10.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -319,7 +319,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/suricata.Dockerfile
-    image: ghcr.io/idaholab/malcolm/suricata:23.10.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -357,7 +357,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/suricata.Dockerfile
-    image: ghcr.io/idaholab/malcolm/suricata:23.10.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -387,7 +387,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/file-monitor.Dockerfile
-    image: ghcr.io/idaholab/malcolm/file-monitor:23.10.0
+    image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -417,7 +417,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/pcap-capture.Dockerfile
-    image: ghcr.io/idaholab/malcolm/pcap-capture:23.10.0
+    image: ghcr.io/idaholab/malcolm/pcap-capture:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -443,7 +443,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/pcap-monitor.Dockerfile
-    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.10.0
+    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
     restart: "no"
     stdin_open: false
@@ -473,7 +473,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/file-upload.Dockerfile
-    image: ghcr.io/idaholab/malcolm/file-upload:23.10.0
+    image: ghcr.io/idaholab/malcolm/file-upload:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
@@ -499,7 +499,7 @@ services:
       retries: 3
       start_period: 60s
   htadmin:
-    image: ghcr.io/idaholab/malcolm/htadmin:23.10.0
+    image: ghcr.io/idaholab/malcolm/htadmin:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -528,7 +528,7 @@ services:
       retries: 3
       start_period: 60s
   freq:
-    image: ghcr.io/idaholab/malcolm/freq:23.10.0
+    image: ghcr.io/idaholab/malcolm/freq:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -554,7 +554,7 @@ services:
       retries: 3
       start_period: 60s
   netbox:
-    image: ghcr.io/idaholab/malcolm/netbox:23.10.0
+    image: ghcr.io/idaholab/malcolm/netbox:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -590,7 +590,7 @@ services:
       retries: 3
       start_period: 120s
   netbox-postgres:
-    image: ghcr.io/idaholab/malcolm/postgresql:23.10.0
+    image: ghcr.io/idaholab/malcolm/postgresql:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -618,7 +618,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis:
-    image: ghcr.io/idaholab/malcolm/redis:23.10.0
+    image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -650,7 +650,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis-cache:
-    image: ghcr.io/idaholab/malcolm/redis:23.10.0
+    image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -681,7 +681,7 @@ services:
       retries: 3
       start_period: 45s
   api:
-    image: ghcr.io/idaholab/malcolm/api:23.10.0
+    image: ghcr.io/idaholab/malcolm/api:23.11.0
     profiles: ["malcolm"]
     build:
       context: .
@@ -713,7 +713,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/nginx.Dockerfile
-    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.10.0
+    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.11.0
     profiles: ["malcolm"]
     restart: "no"
     stdin_open: false
diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md
index c4ce70767..6d83e1717 100644
--- a/docs/contributing-pcap.md
+++ b/docs/contributing-pcap.md
@@ -1,6 +1,6 @@
 # <a name="PCAP"></a>PCAP processors
 
-When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.10.0 release]({{ site.github.repository_url }}/releases/tag/v23.10.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
+When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.11.0 release]({{ site.github.repository_url }}/releases/tag/v23.11.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
 
 1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section
     * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory
diff --git a/docs/download.md b/docs/download.md
index 933dc8fb7..7261f51a3 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [malcolm-23.10.0.iso](/iso/malcolm-23.10.0.iso) (5.4GiB) |  [`021103f8d8a4ac8a4c467dd4dc18e59fbb57f1b57c3927de702ef465953b0cf0`](/iso/malcolm-23.10.0.iso.sha256.txt) |
+| [malcolm-23.11.0.iso](/iso/malcolm-23.11.0.iso) (5.4GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/malcolm-23.11.0.iso.sha256.txt) |
 
 ## Hedgehog Linux
 
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [hedgehog-23.10.0.iso](/iso/hedgehog-23.10.0.iso) (2.6GiB) |  [`65f3d15c102ab3b518965eb87fec8f4b61ee10e1aa366654576105265cb2a9c8`](/iso/hedgehog-23.10.0.iso.sha256.txt) |
+| [hedgehog-23.11.0.iso](/iso/hedgehog-23.11.0.iso) (2.6GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/hedgehog-23.11.0.iso.sha256.txt) |
 
 ## Warning
 
diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md
index 466656a72..1e5d240a2 100644
--- a/docs/hedgehog-iso-build.md
+++ b/docs/hedgehog-iso-build.md
@@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
 
 ```
 …
-Finished, created "/sensor-build/hedgehog-23.10.0.iso"
+Finished, created "/sensor-build/hedgehog-23.11.0.iso"
 …
 ```
 
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 82b7ec983..3f8c9d3c5 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -272,28 +272,28 @@ agent2    | agent2   | 192.168.56.12 | agent2      | k3s           | 6000m     |
 agent1    | agent1   | 192.168.56.11 | agent1      | k3s           | 6000m     | 861.34m   | 14.36%      | 19.55Gi      | 9.29Gi       | 61.28Gi       | 11           |
 
 Pod Name                                       | State   | Pod IP     | Pod Kind   | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts        | Container Image              |
-api-deployment-6f4686cf59-bn286                | Running | 10.42.2.14 | ReplicaSet | agent1      | 0.11m     | 59.62Mi      | api-container:0                | api:23.10.0               |
-file-monitor-deployment-855646bd75-vk7st       | Running | 10.42.2.16 | ReplicaSet | agent1      | 8.47m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.10.0      |
-zeek-live-deployment-64b69d4b6f-947vr          | Running | 10.42.2.17 | ReplicaSet | agent1      | 0.02m     | 12.44Mi      | zeek-live-container:0          | zeek:23.10.0              |
-dashboards-helper-deployment-69dc54f6b6-ln4sq  | Running | 10.42.2.15 | ReplicaSet | agent1      | 10.77m    | 38.43Mi      | dashboards-helper-container:0  | dashboards-helper:23.10.0 |
-upload-deployment-586568844b-4jnk9             | Running | 10.42.2.18 | ReplicaSet | agent1      | 0.15m     | 29.78Mi      | upload-container:0             | file-upload:23.10.0       |
-filebeat-deployment-6ff8bc444f-t7h49           | Running | 10.42.2.20 | ReplicaSet | agent1      | 2.84m     | 70.71Mi      | filebeat-container:0           | filebeat-oss:23.10.0      |
-zeek-offline-deployment-844f4865bd-g2sdm       | Running | 10.42.2.21 | ReplicaSet | agent1      | 0.17m     | 41.92Mi      | zeek-offline-container:0       | zeek:23.10.0              |
-logstash-deployment-6fbc9fdcd5-hwx8s           | Running | 10.42.2.22 | ReplicaSet | agent1      | 85.55m    | 2.91Gi       | logstash-container:0           | logstash-oss:23.10.0      |
-netbox-deployment-cdcff4977-hbbw5              | Running | 10.42.2.23 | ReplicaSet | agent1      | 807.64m   | 702.86Mi     | netbox-container:0             | netbox:23.10.0            |
-suricata-offline-deployment-6ccdb89478-z5696   | Running | 10.42.2.19 | ReplicaSet | agent1      | 0.22m     | 34.88Mi      | suricata-offline-container:0   | suricata:23.10.0          |
-dashboards-deployment-69b5465db-vz88g          | Running | 10.42.1.14 | ReplicaSet | agent2      | 0.94m     | 100.12Mi     | dashboards-container:0         | dashboards:23.10.0        |
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2      | 3.57m     | 7.36Mi       | netbox-redis-cache-container:0 | redis:23.10.0             |
-suricata-live-deployment-6494c77759-9rlnt      | Running | 10.42.1.16 | ReplicaSet | agent2      | 0.02m     | 9.69Mi       | suricata-live-container:0      | suricata:23.10.0          |
-freq-deployment-cfd84fd97-dnngf                | Running | 10.42.1.17 | ReplicaSet | agent2      | 0.2m      | 26.36Mi      | freq-container:0               | freq:23.10.0              |
-arkime-deployment-56999cdd66-s98pp             | Running | 10.42.1.18 | ReplicaSet | agent2      | 4.15m     | 113.07Mi     | arkime-container:0             | arkime:23.10.0            |
-pcap-monitor-deployment-594ff674c4-fsm7m       | Running | 10.42.1.19 | ReplicaSet | agent2      | 1.24m     | 48.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.10.0      |
-pcap-capture-deployment-7c8bf6957-jzpzn        | Running | 10.42.1.20 | ReplicaSet | agent2      | 0.02m     | 9.64Mi       | pcap-capture-container:0       | pcap-capture:23.10.0      |
-netbox-postgres-deployment-5879b8dffc-kkt56    | Running | 10.42.1.21 | ReplicaSet | agent2      | 70.91m    | 33.02Mi      | netbox-postgres-container:0    | postgresql:23.10.0        |
-htadmin-deployment-6fc46888b9-sq6ln            | Running | 10.42.1.23 | ReplicaSet | agent2      | 0.14m     | 30.53Mi      | htadmin-container:0            | htadmin:23.10.0           |
-netbox-redis-deployment-5bcd8f6c96-j5xpf       | Running | 10.42.1.24 | ReplicaSet | agent2      | 1.46m     | 7.34Mi       | netbox-redis-container:0       | redis:23.10.0             |
-nginx-proxy-deployment-69fcc4968d-f68tq        | Running | 10.42.1.22 | ReplicaSet | agent2      | 0.31m     | 22.63Mi      | nginx-proxy-container:0        | nginx-proxy:23.10.0       |
-opensearch-deployment-75498799f6-4zmwd         | Running | 10.42.1.25 | ReplicaSet | agent2      | 89.8m     | 11.03Gi      | opensearch-container:0         | opensearch:23.10.0        |
+api-deployment-6f4686cf59-bn286                | Running | 10.42.2.14 | ReplicaSet | agent1      | 0.11m     | 59.62Mi      | api-container:0                | api:23.11.0               |
+file-monitor-deployment-855646bd75-vk7st       | Running | 10.42.2.16 | ReplicaSet | agent1      | 8.47m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.11.0      |
+zeek-live-deployment-64b69d4b6f-947vr          | Running | 10.42.2.17 | ReplicaSet | agent1      | 0.02m     | 12.44Mi      | zeek-live-container:0          | zeek:23.11.0              |
+dashboards-helper-deployment-69dc54f6b6-ln4sq  | Running | 10.42.2.15 | ReplicaSet | agent1      | 10.77m    | 38.43Mi      | dashboards-helper-container:0  | dashboards-helper:23.11.0 |
+upload-deployment-586568844b-4jnk9             | Running | 10.42.2.18 | ReplicaSet | agent1      | 0.15m     | 29.78Mi      | upload-container:0             | file-upload:23.11.0       |
+filebeat-deployment-6ff8bc444f-t7h49           | Running | 10.42.2.20 | ReplicaSet | agent1      | 2.84m     | 70.71Mi      | filebeat-container:0           | filebeat-oss:23.11.0      |
+zeek-offline-deployment-844f4865bd-g2sdm       | Running | 10.42.2.21 | ReplicaSet | agent1      | 0.17m     | 41.92Mi      | zeek-offline-container:0       | zeek:23.11.0              |
+logstash-deployment-6fbc9fdcd5-hwx8s           | Running | 10.42.2.22 | ReplicaSet | agent1      | 85.55m    | 2.91Gi       | logstash-container:0           | logstash-oss:23.11.0      |
+netbox-deployment-cdcff4977-hbbw5              | Running | 10.42.2.23 | ReplicaSet | agent1      | 807.64m   | 702.86Mi     | netbox-container:0             | netbox:23.11.0            |
+suricata-offline-deployment-6ccdb89478-z5696   | Running | 10.42.2.19 | ReplicaSet | agent1      | 0.22m     | 34.88Mi      | suricata-offline-container:0   | suricata:23.11.0          |
+dashboards-deployment-69b5465db-vz88g          | Running | 10.42.1.14 | ReplicaSet | agent2      | 0.94m     | 100.12Mi     | dashboards-container:0         | dashboards:23.11.0        |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2      | 3.57m     | 7.36Mi       | netbox-redis-cache-container:0 | redis:23.11.0             |
+suricata-live-deployment-6494c77759-9rlnt      | Running | 10.42.1.16 | ReplicaSet | agent2      | 0.02m     | 9.69Mi       | suricata-live-container:0      | suricata:23.11.0          |
+freq-deployment-cfd84fd97-dnngf                | Running | 10.42.1.17 | ReplicaSet | agent2      | 0.2m      | 26.36Mi      | freq-container:0               | freq:23.11.0              |
+arkime-deployment-56999cdd66-s98pp             | Running | 10.42.1.18 | ReplicaSet | agent2      | 4.15m     | 113.07Mi     | arkime-container:0             | arkime:23.11.0            |
+pcap-monitor-deployment-594ff674c4-fsm7m       | Running | 10.42.1.19 | ReplicaSet | agent2      | 1.24m     | 48.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.11.0      |
+pcap-capture-deployment-7c8bf6957-jzpzn        | Running | 10.42.1.20 | ReplicaSet | agent2      | 0.02m     | 9.64Mi       | pcap-capture-container:0       | pcap-capture:23.11.0      |
+netbox-postgres-deployment-5879b8dffc-kkt56    | Running | 10.42.1.21 | ReplicaSet | agent2      | 70.91m    | 33.02Mi      | netbox-postgres-container:0    | postgresql:23.11.0        |
+htadmin-deployment-6fc46888b9-sq6ln            | Running | 10.42.1.23 | ReplicaSet | agent2      | 0.14m     | 30.53Mi      | htadmin-container:0            | htadmin:23.11.0           |
+netbox-redis-deployment-5bcd8f6c96-j5xpf       | Running | 10.42.1.24 | ReplicaSet | agent2      | 1.46m     | 7.34Mi       | netbox-redis-container:0       | redis:23.11.0             |
+nginx-proxy-deployment-69fcc4968d-f68tq        | Running | 10.42.1.22 | ReplicaSet | agent2      | 0.31m     | 22.63Mi      | nginx-proxy-container:0        | nginx-proxy:23.11.0       |
+opensearch-deployment-75498799f6-4zmwd         | Running | 10.42.1.25 | ReplicaSet | agent2      | 89.8m     | 11.03Gi      | opensearch-container:0         | opensearch:23.11.0        |
 ```
 
 The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes.
@@ -553,28 +553,28 @@ agent1    | agent1   | 192.168.56.11 | agent1      | k3s           | 6000m     |
 agent2    | agent2   | 192.168.56.12 | agent2      | k3s           | 6000m     | 552.71m   | 9.21%       | 19.55Gi      | 13.27Gi      | 61.28Gi       | 12           |
 
 Pod Name                                       | State   | Pod IP     | Pod Kind   | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts        | Container Image              |
-netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6  | ReplicaSet | agent2      | 1.89m     | 7.24Mi       | netbox-redis-cache-container:0 | redis:23.10.0             |
-netbox-redis-deployment-5bcd8f6c96-bkzmh       | Running | 10.42.2.5  | ReplicaSet | agent2      | 1.62m     | 7.52Mi       | netbox-redis-container:0       | redis:23.10.0             |
-dashboards-helper-deployment-69dc54f6b6-ks7ps  | Running | 10.42.2.4  | ReplicaSet | agent2      | 12.95m    | 40.75Mi      | dashboards-helper-container:0  | dashboards-helper:23.10.0 |
-freq-deployment-cfd84fd97-5bwp6                | Running | 10.42.2.8  | ReplicaSet | agent2      | 0.11m     | 26.33Mi      | freq-container:0               | freq:23.10.0              |
-pcap-capture-deployment-7c8bf6957-hkvkn        | Running | 10.42.2.12 | ReplicaSet | agent2      | 0.02m     | 9.21Mi       | pcap-capture-container:0       | pcap-capture:23.10.0      |
-nginx-proxy-deployment-69fcc4968d-m57rz        | Running | 10.42.2.10 | ReplicaSet | agent2      | 0.91m     | 22.72Mi      | nginx-proxy-container:0        | nginx-proxy:23.10.0       |
-htadmin-deployment-6fc46888b9-vpt7l            | Running | 10.42.2.7  | ReplicaSet | agent2      | 0.16m     | 30.21Mi      | htadmin-container:0            | htadmin:23.10.0           |
-opensearch-deployment-75498799f6-5v92w         | Running | 10.42.2.13 | ReplicaSet | agent2      | 139.2m    | 10.86Gi      | opensearch-container:0         | opensearch:23.10.0        |
-zeek-live-deployment-64b69d4b6f-fcb6n          | Running | 10.42.2.9  | ReplicaSet | agent2      | 0.02m     | 109.55Mi     | zeek-live-container:0          | zeek:23.10.0              |
-dashboards-deployment-69b5465db-kgsqk          | Running | 10.42.2.3  | ReplicaSet | agent2      | 14.98m    | 108.85Mi     | dashboards-container:0         | dashboards:23.10.0        |
-arkime-deployment-56999cdd66-xxpw9             | Running | 10.42.2.11 | ReplicaSet | agent2      | 208.95m   | 78.42Mi      | arkime-container:0             | arkime:23.10.0            |
-api-deployment-6f4686cf59-xt9md                | Running | 10.42.1.3  | ReplicaSet | agent1      | 0.14m     | 56.88Mi      | api-container:0                | api:23.10.0               |
-netbox-postgres-deployment-5879b8dffc-lb4qm    | Running | 10.42.1.6  | ReplicaSet | agent1      | 141.2m    | 48.02Mi      | netbox-postgres-container:0    | postgresql:23.10.0        |
-pcap-monitor-deployment-594ff674c4-fwq7g       | Running | 10.42.1.12 | ReplicaSet | agent1      | 3.93m     | 46.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.10.0      |
-suricata-offline-deployment-6ccdb89478-j5fgj   | Running | 10.42.1.10 | ReplicaSet | agent1      | 10.42m    | 35.12Mi      | suricata-offline-container:0   | suricata:23.10.0          |
-suricata-live-deployment-6494c77759-rpt48      | Running | 10.42.1.8  | ReplicaSet | agent1      | 0.01m     | 9.62Mi       | suricata-live-container:0      | suricata:23.10.0          |
-netbox-deployment-cdcff4977-7ns2q              | Running | 10.42.1.7  | ReplicaSet | agent1      | 830.47m   | 530.7Mi      | netbox-container:0             | netbox:23.10.0            |
-zeek-offline-deployment-844f4865bd-7x68b       | Running | 10.42.1.9  | ReplicaSet | agent1      | 1.44m     | 43.66Mi      | zeek-offline-container:0       | zeek:23.10.0              |
-filebeat-deployment-6ff8bc444f-pdgzj           | Running | 10.42.1.11 | ReplicaSet | agent1      | 0.78m     | 75.25Mi      | filebeat-container:0           | filebeat-oss:23.10.0      |
-file-monitor-deployment-855646bd75-nbngq       | Running | 10.42.1.4  | ReplicaSet | agent1      | 1.69m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.10.0      |
-upload-deployment-586568844b-9s7f5             | Running | 10.42.1.13 | ReplicaSet | agent1      | 0.14m     | 29.62Mi      | upload-container:0             | file-upload:23.10.0       |
-logstash-deployment-6fbc9fdcd5-2hhx8           | Running | 10.42.1.5  | ReplicaSet | agent1      | 3236.29m  | 357.36Mi     | logstash-container:0           | logstash-oss:23.10.0      |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6  | ReplicaSet | agent2      | 1.89m     | 7.24Mi       | netbox-redis-cache-container:0 | redis:23.11.0             |
+netbox-redis-deployment-5bcd8f6c96-bkzmh       | Running | 10.42.2.5  | ReplicaSet | agent2      | 1.62m     | 7.52Mi       | netbox-redis-container:0       | redis:23.11.0             |
+dashboards-helper-deployment-69dc54f6b6-ks7ps  | Running | 10.42.2.4  | ReplicaSet | agent2      | 12.95m    | 40.75Mi      | dashboards-helper-container:0  | dashboards-helper:23.11.0 |
+freq-deployment-cfd84fd97-5bwp6                | Running | 10.42.2.8  | ReplicaSet | agent2      | 0.11m     | 26.33Mi      | freq-container:0               | freq:23.11.0              |
+pcap-capture-deployment-7c8bf6957-hkvkn        | Running | 10.42.2.12 | ReplicaSet | agent2      | 0.02m     | 9.21Mi       | pcap-capture-container:0       | pcap-capture:23.11.0      |
+nginx-proxy-deployment-69fcc4968d-m57rz        | Running | 10.42.2.10 | ReplicaSet | agent2      | 0.91m     | 22.72Mi      | nginx-proxy-container:0        | nginx-proxy:23.11.0       |
+htadmin-deployment-6fc46888b9-vpt7l            | Running | 10.42.2.7  | ReplicaSet | agent2      | 0.16m     | 30.21Mi      | htadmin-container:0            | htadmin:23.11.0           |
+opensearch-deployment-75498799f6-5v92w         | Running | 10.42.2.13 | ReplicaSet | agent2      | 139.2m    | 10.86Gi      | opensearch-container:0         | opensearch:23.11.0        |
+zeek-live-deployment-64b69d4b6f-fcb6n          | Running | 10.42.2.9  | ReplicaSet | agent2      | 0.02m     | 109.55Mi     | zeek-live-container:0          | zeek:23.11.0              |
+dashboards-deployment-69b5465db-kgsqk          | Running | 10.42.2.3  | ReplicaSet | agent2      | 14.98m    | 108.85Mi     | dashboards-container:0         | dashboards:23.11.0        |
+arkime-deployment-56999cdd66-xxpw9             | Running | 10.42.2.11 | ReplicaSet | agent2      | 208.95m   | 78.42Mi      | arkime-container:0             | arkime:23.11.0            |
+api-deployment-6f4686cf59-xt9md                | Running | 10.42.1.3  | ReplicaSet | agent1      | 0.14m     | 56.88Mi      | api-container:0                | api:23.11.0               |
+netbox-postgres-deployment-5879b8dffc-lb4qm    | Running | 10.42.1.6  | ReplicaSet | agent1      | 141.2m    | 48.02Mi      | netbox-postgres-container:0    | postgresql:23.11.0        |
+pcap-monitor-deployment-594ff674c4-fwq7g       | Running | 10.42.1.12 | ReplicaSet | agent1      | 3.93m     | 46.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.11.0      |
+suricata-offline-deployment-6ccdb89478-j5fgj   | Running | 10.42.1.10 | ReplicaSet | agent1      | 10.42m    | 35.12Mi      | suricata-offline-container:0   | suricata:23.11.0          |
+suricata-live-deployment-6494c77759-rpt48      | Running | 10.42.1.8  | ReplicaSet | agent1      | 0.01m     | 9.62Mi       | suricata-live-container:0      | suricata:23.11.0          |
+netbox-deployment-cdcff4977-7ns2q              | Running | 10.42.1.7  | ReplicaSet | agent1      | 830.47m   | 530.7Mi      | netbox-container:0             | netbox:23.11.0            |
+zeek-offline-deployment-844f4865bd-7x68b       | Running | 10.42.1.9  | ReplicaSet | agent1      | 1.44m     | 43.66Mi      | zeek-offline-container:0       | zeek:23.11.0              |
+filebeat-deployment-6ff8bc444f-pdgzj           | Running | 10.42.1.11 | ReplicaSet | agent1      | 0.78m     | 75.25Mi      | filebeat-container:0           | filebeat-oss:23.11.0      |
+file-monitor-deployment-855646bd75-nbngq       | Running | 10.42.1.4  | ReplicaSet | agent1      | 1.69m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.11.0      |
+upload-deployment-586568844b-9s7f5             | Running | 10.42.1.13 | ReplicaSet | agent1      | 0.14m     | 29.62Mi      | upload-container:0             | file-upload:23.11.0       |
+logstash-deployment-6fbc9fdcd5-2hhx8           | Running | 10.42.1.5  | ReplicaSet | agent1      | 3236.29m  | 357.36Mi     | logstash-container:0           | logstash-oss:23.11.0      |
 ```
 
 View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index a6db45fdd..858930ab3 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui
 
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-23.10.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-23.11.0.iso"
 …
 ```
 
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 73aebc4b1..7262ab8d4 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`:
 ```
 $ docker images
 REPOSITORY                                                     TAG               IMAGE ID       CREATED      SIZE
-ghcr.io/idaholab/malcolm/api                                   23.10.0           xxxxxxxxxxxx   3 days ago   158MB
-ghcr.io/idaholab/malcolm/arkime                                23.10.0           xxxxxxxxxxxx   3 days ago   816MB
-ghcr.io/idaholab/malcolm/dashboards                            23.10.0           xxxxxxxxxxxx   3 days ago   1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper                     23.10.0           xxxxxxxxxxxx   3 days ago   184MB
-ghcr.io/idaholab/malcolm/file-monitor                          23.10.0           xxxxxxxxxxxx   3 days ago   588MB
-ghcr.io/idaholab/malcolm/file-upload                           23.10.0           xxxxxxxxxxxx   3 days ago   259MB
-ghcr.io/idaholab/malcolm/filebeat-oss                          23.10.0           xxxxxxxxxxxx   3 days ago   624MB
-ghcr.io/idaholab/malcolm/freq                                  23.10.0           xxxxxxxxxxxx   3 days ago   132MB
-ghcr.io/idaholab/malcolm/htadmin                               23.10.0           xxxxxxxxxxxx   3 days ago   242MB
-ghcr.io/idaholab/malcolm/logstash-oss                          23.10.0           xxxxxxxxxxxx   3 days ago   1.35GB
-ghcr.io/idaholab/malcolm/netbox                                23.10.0           xxxxxxxxxxxx   3 days ago   1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy                           23.10.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/opensearch                            23.10.0           xxxxxxxxxxxx   3 days ago   1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture                          23.10.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/pcap-monitor                          23.10.0           xxxxxxxxxxxx   3 days ago   213MB
-ghcr.io/idaholab/malcolm/postgresql                            23.10.0           xxxxxxxxxxxx   3 days ago   268MB
-ghcr.io/idaholab/malcolm/redis                                 23.10.0           xxxxxxxxxxxx   3 days ago   34.2MB
-ghcr.io/idaholab/malcolm/suricata                              23.10.0           xxxxxxxxxxxx   3 days ago   278MB
-ghcr.io/idaholab/malcolm/zeek                                  23.10.0           xxxxxxxxxxxx   3 days ago   1GB
+ghcr.io/idaholab/malcolm/api                                   23.11.0           xxxxxxxxxxxx   3 days ago   158MB
+ghcr.io/idaholab/malcolm/arkime                                23.11.0           xxxxxxxxxxxx   3 days ago   816MB
+ghcr.io/idaholab/malcolm/dashboards                            23.11.0           xxxxxxxxxxxx   3 days ago   1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper                     23.11.0           xxxxxxxxxxxx   3 days ago   184MB
+ghcr.io/idaholab/malcolm/file-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   588MB
+ghcr.io/idaholab/malcolm/file-upload                           23.11.0           xxxxxxxxxxxx   3 days ago   259MB
+ghcr.io/idaholab/malcolm/filebeat-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   624MB
+ghcr.io/idaholab/malcolm/freq                                  23.11.0           xxxxxxxxxxxx   3 days ago   132MB
+ghcr.io/idaholab/malcolm/htadmin                               23.11.0           xxxxxxxxxxxx   3 days ago   242MB
+ghcr.io/idaholab/malcolm/logstash-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   1.35GB
+ghcr.io/idaholab/malcolm/netbox                                23.11.0           xxxxxxxxxxxx   3 days ago   1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy                           23.11.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/opensearch                            23.11.0           xxxxxxxxxxxx   3 days ago   1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture                          23.11.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/pcap-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   213MB
+ghcr.io/idaholab/malcolm/postgresql                            23.11.0           xxxxxxxxxxxx   3 days ago   268MB
+ghcr.io/idaholab/malcolm/redis                                 23.11.0           xxxxxxxxxxxx   3 days ago   34.2MB
+ghcr.io/idaholab/malcolm/suricata                              23.11.0           xxxxxxxxxxxx   3 days ago   278MB
+ghcr.io/idaholab/malcolm/zeek                                  23.11.0           xxxxxxxxxxxx   3 days ago   1GB
 ```
 
 ### Import from pre-packaged tarballs
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index b7bddc17d..c08ddc0d4 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -250,25 +250,25 @@ Pulling zeek              ... done
 
 user@host:~/Malcolm$ docker images
 REPOSITORY                                                     TAG               IMAGE ID       CREATED      SIZE
-ghcr.io/idaholab/malcolm/api                                   23.10.0           xxxxxxxxxxxx   3 days ago   158MB
-ghcr.io/idaholab/malcolm/arkime                                23.10.0           xxxxxxxxxxxx   3 days ago   816MB
-ghcr.io/idaholab/malcolm/dashboards                            23.10.0           xxxxxxxxxxxx   3 days ago   1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper                     23.10.0           xxxxxxxxxxxx   3 days ago   184MB
-ghcr.io/idaholab/malcolm/file-monitor                          23.10.0           xxxxxxxxxxxx   3 days ago   588MB
-ghcr.io/idaholab/malcolm/file-upload                           23.10.0           xxxxxxxxxxxx   3 days ago   259MB
-ghcr.io/idaholab/malcolm/filebeat-oss                          23.10.0           xxxxxxxxxxxx   3 days ago   624MB
-ghcr.io/idaholab/malcolm/freq                                  23.10.0           xxxxxxxxxxxx   3 days ago   132MB
-ghcr.io/idaholab/malcolm/htadmin                               23.10.0           xxxxxxxxxxxx   3 days ago   242MB
-ghcr.io/idaholab/malcolm/logstash-oss                          23.10.0           xxxxxxxxxxxx   3 days ago   1.35GB
-ghcr.io/idaholab/malcolm/netbox                                23.10.0           xxxxxxxxxxxx   3 days ago   1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy                           23.10.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/opensearch                            23.10.0           xxxxxxxxxxxx   3 days ago   1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture                          23.10.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/pcap-monitor                          23.10.0           xxxxxxxxxxxx   3 days ago   213MB
-ghcr.io/idaholab/malcolm/postgresql                            23.10.0           xxxxxxxxxxxx   3 days ago   268MB
-ghcr.io/idaholab/malcolm/redis                                 23.10.0           xxxxxxxxxxxx   3 days ago   34.2MB
-ghcr.io/idaholab/malcolm/suricata                              23.10.0           xxxxxxxxxxxx   3 days ago   278MB
-ghcr.io/idaholab/malcolm/zeek                                  23.10.0           xxxxxxxxxxxx   3 days ago   1GB
+ghcr.io/idaholab/malcolm/api                                   23.11.0           xxxxxxxxxxxx   3 days ago   158MB
+ghcr.io/idaholab/malcolm/arkime                                23.11.0           xxxxxxxxxxxx   3 days ago   816MB
+ghcr.io/idaholab/malcolm/dashboards                            23.11.0           xxxxxxxxxxxx   3 days ago   1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper                     23.11.0           xxxxxxxxxxxx   3 days ago   184MB
+ghcr.io/idaholab/malcolm/file-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   588MB
+ghcr.io/idaholab/malcolm/file-upload                           23.11.0           xxxxxxxxxxxx   3 days ago   259MB
+ghcr.io/idaholab/malcolm/filebeat-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   624MB
+ghcr.io/idaholab/malcolm/freq                                  23.11.0           xxxxxxxxxxxx   3 days ago   132MB
+ghcr.io/idaholab/malcolm/htadmin                               23.11.0           xxxxxxxxxxxx   3 days ago   242MB
+ghcr.io/idaholab/malcolm/logstash-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   1.35GB
+ghcr.io/idaholab/malcolm/netbox                                23.11.0           xxxxxxxxxxxx   3 days ago   1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy                           23.11.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/opensearch                            23.11.0           xxxxxxxxxxxx   3 days ago   1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture                          23.11.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/pcap-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   213MB
+ghcr.io/idaholab/malcolm/postgresql                            23.11.0           xxxxxxxxxxxx   3 days ago   268MB
+ghcr.io/idaholab/malcolm/redis                                 23.11.0           xxxxxxxxxxxx   3 days ago   34.2MB
+ghcr.io/idaholab/malcolm/suricata                              23.11.0           xxxxxxxxxxxx   3 days ago   278MB
+ghcr.io/idaholab/malcolm/zeek                                  23.11.0           xxxxxxxxxxxx   3 days ago   1GB
 ```
 
 Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing.
diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml
index eba6174b0..fbd2e3172 100644
--- a/kubernetes/03-opensearch.yml
+++ b/kubernetes/03-opensearch.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: opensearch-container
-        image: ghcr.io/idaholab/malcolm/opensearch:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/opensearch:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -69,7 +69,7 @@ spec:
             subPath: "opensearch"
       initContainers:
       - name: opensearch-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml
index e39248616..cfbb8b422 100644
--- a/kubernetes/04-dashboards.yml
+++ b/kubernetes/04-dashboards.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-container
-        image: ghcr.io/idaholab/malcolm/dashboards:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dashboards:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index b4f613ead..7631d405f 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
       - name: upload-container
-        image: ghcr.io/idaholab/malcolm/file-upload:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/file-upload:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -73,7 +73,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: upload-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml
index 7c2c734e3..70da6fc02 100644
--- a/kubernetes/06-pcap-monitor.yml
+++ b/kubernetes/06-pcap-monitor.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: pcap-monitor-container
-        image: ghcr.io/idaholab/malcolm/pcap-monitor:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/pcap-monitor:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -70,7 +70,7 @@ spec:
             name: pcap-monitor-zeek-volume
       initContainers:
       - name: pcap-monitor-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml
index 42d6055f9..ec138d853 100644
--- a/kubernetes/07-arkime.yml
+++ b/kubernetes/07-arkime.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: arkime-container
-        image: ghcr.io/idaholab/malcolm/arkime:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/arkime:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "arkime"
       initContainers:
       - name: arkime-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml
index d3144c138..dff8c4274 100644
--- a/kubernetes/08-api.yml
+++ b/kubernetes/08-api.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: api-container
-        image: ghcr.io/idaholab/malcolm/api:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/api:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml
index 0950ea0b4..3c1292517 100644
--- a/kubernetes/09-dashboards-helper.yml
+++ b/kubernetes/09-dashboards-helper.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-helper-container
-        image: ghcr.io/idaholab/malcolm/dashboards-helper:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dashboards-helper:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index f40d920cc..3f02eb94e 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-offline-container
-        image: ghcr.io/idaholab/malcolm/zeek:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/zeek:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -68,7 +68,7 @@ spec:
             subPath: "zeek/intel"
       initContainers:
       - name: zeek-offline-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index cdeb592f3..5e31720b6 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-offline-container
-        image: ghcr.io/idaholab/malcolm/suricata:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/suricata:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -61,7 +61,7 @@ spec:
             name: suricata-offline-custom-rules-volume
       initContainers:
       - name: suricata-offline-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml
index c3dfedb56..9cf768a47 100644
--- a/kubernetes/12-file-monitor.yml
+++ b/kubernetes/12-file-monitor.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: file-monitor-container
-        image: ghcr.io/idaholab/malcolm/file-monitor:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/file-monitor:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -81,7 +81,7 @@ spec:
             name: file-monitor-yara-rules-custom-volume
       initContainers:
       - name: file-monitor-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml
index 0f91ed6c9..da45a94d1 100644
--- a/kubernetes/13-filebeat.yml
+++ b/kubernetes/13-filebeat.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: filebeat-container
-        image: ghcr.io/idaholab/malcolm/filebeat-oss:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/filebeat-oss:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "nginx"
       initContainers:
       - name: filebeat-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml
index 2f4c8529b..8f9029b76 100644
--- a/kubernetes/14-logstash.yml
+++ b/kubernetes/14-logstash.yml
@@ -49,7 +49,7 @@ spec:
       #       topologyKey: "kubernetes.io/hostname"
       containers:
       - name: logstash-container
-        image: ghcr.io/idaholab/malcolm/logstash-oss:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/logstash-oss:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -113,7 +113,7 @@ spec:
             subPath: "logstash"
       initContainers:
       - name: logstash-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml
index bd32f74c3..922f54f1d 100644
--- a/kubernetes/15-netbox-redis.yml
+++ b/kubernetes/15-netbox-redis.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-container
-        image: ghcr.io/idaholab/malcolm/redis:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/redis:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: netbox/redis
       initContainers:
       - name: netbox-redis-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml
index 84ed5d37c..0fef1bbf0 100644
--- a/kubernetes/16-netbox-redis-cache.yml
+++ b/kubernetes/16-netbox-redis-cache.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-cache-container
-        image: ghcr.io/idaholab/malcolm/redis:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/redis:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml
index 6a1ad30a0..55a066358 100644
--- a/kubernetes/17-netbox-postgres.yml
+++ b/kubernetes/17-netbox-postgres.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-postgres-container
-        image: ghcr.io/idaholab/malcolm/postgresql:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/postgresql:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -74,7 +74,7 @@ spec:
             subPath: netbox/postgres
       initContainers:
       - name: netbox-postgres-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml
index 2252e64a5..f81438018 100644
--- a/kubernetes/18-netbox.yml
+++ b/kubernetes/18-netbox.yml
@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: netbox-container
-        image: ghcr.io/idaholab/malcolm/netbox:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/netbox:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -88,7 +88,7 @@ spec:
             subPath: netbox/media
       initContainers:
       - name: netbox-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml
index 88702af7b..de5293761 100644
--- a/kubernetes/19-htadmin.yml
+++ b/kubernetes/19-htadmin.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: htadmin-container
-        image: ghcr.io/idaholab/malcolm/htadmin:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/htadmin:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             subPath: "htadmin"
       initContainers:
       - name: htadmin-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml
index e6f2d01f1..275cffe99 100644
--- a/kubernetes/20-pcap-capture.yml
+++ b/kubernetes/20-pcap-capture.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: pcap-capture-container
-        image: ghcr.io/idaholab/malcolm/pcap-capture:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/pcap-capture:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -46,7 +46,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: pcap-capture-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index 3cd7caa4e..e9651aa99 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-live-container
-        image: ghcr.io/idaholab/malcolm/zeek:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/zeek:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -60,7 +60,7 @@ spec:
             subPath: "zeek/intel"
       initContainers:
       - name: zeek-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index 19ae4f7e8..eade40dc2 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-live-container
-        image: ghcr.io/idaholab/malcolm/suricata:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/suricata:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -51,7 +51,7 @@ spec:
             name: suricata-live-suricata-logs-volume
       initContainers:
       - name: suricata-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml
index df89a5745..b9dc580df 100644
--- a/kubernetes/23-freq.yml
+++ b/kubernetes/23-freq.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: freq-container
-        image: ghcr.io/idaholab/malcolm/freq:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/freq:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 95ab75caa..94e7861e2 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec:
     spec:
       containers:
       - name: nginx-proxy-container
-        image: ghcr.io/idaholab/malcolm/nginx-proxy:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/nginx-proxy:development
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -95,7 +95,7 @@ spec:
           subPath: "nginx"
       initContainers:
       - name: nginx-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.10.0
+        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/scripts/third-party-environments/aws/ami/packer_vars.json.example b/scripts/third-party-environments/aws/ami/packer_vars.json.example
index 2b1f0a3b2..aaa65ca30 100644
--- a/scripts/third-party-environments/aws/ami/packer_vars.json.example
+++ b/scripts/third-party-environments/aws/ami/packer_vars.json.example
@@ -2,7 +2,7 @@
   "aws_access_key": "XXXXXXXXXXXXXXXXXXXX",
   "aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
   "instance_type": "t2.micro",
-  "malcolm_tag": "v23.10.0",
+  "malcolm_tag": "v23.11.0",
   "malcolm_repo": "idaholab/Malcolm",
   "malcolm_uid": "1000",
   "ssh_username": "ec2-user",

From 308a1b0d8b595231ef8f0a31f52e8b71d017d001 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 26 Oct 2023 13:30:45 -0600
Subject: [PATCH 02/82] add option to auto-create catch-all netbox IPAM
 prefixes for private IP space (idaholab/Malcolm#279)

---
 Dockerfiles/netbox.Dockerfile            |  2 +
 config/netbox-common.env.example         |  2 +
 docs/kubernetes.md                       |  2 +
 docs/malcolm-hedgehog-e2e-iso-install.md |  2 +
 netbox/preload/prefixes_defaults.yml     |  6 +++
 netbox/preload/vrfs_defaults.yml         |  6 +++
 netbox/scripts/netbox_init.py            | 56 ++++++++++++++++++------
 netbox/supervisord.conf                  |  2 +
 scripts/install.py                       | 19 ++++++++
 9 files changed, 83 insertions(+), 14 deletions(-)
 create mode 100644 netbox/preload/prefixes_defaults.yml
 create mode 100644 netbox/preload/vrfs_defaults.yml

diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 8fbb0a628..4d5dbc7fb 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -39,6 +39,7 @@ ARG NETBOX_DEVICETYPE_LIBRARY_PATH="/opt/netbox-devicetype-library"
 ARG NETBOX_DEFAULT_SITE=Malcolm
 ARG NETBOX_CRON=true
 ARG NETBOX_PRELOAD_PATH="/opt/netbox-preload"
+ARG NETBOX_PRELOAD_PREFIXES=false
 
 ENV NETBOX_PATH /opt/netbox
 ENV BASE_PATH netbox
@@ -46,6 +47,7 @@ ENV NETBOX_DEVICETYPE_LIBRARY_PATH $NETBOX_DEVICETYPE_LIBRARY_PATH
 ENV NETBOX_DEFAULT_SITE $NETBOX_DEFAULT_SITE
 ENV NETBOX_CRON $NETBOX_CRON
 ENV NETBOX_PRELOAD_PATH $NETBOX_PRELOAD_PATH
+ENV NETBOX_PRELOAD_PREFIXES $NETBOX_PRELOAD_PREFIXES
 
 ADD netbox/patch/* /tmp/netbox-patches/
 
diff --git a/config/netbox-common.env.example b/config/netbox-common.env.example
index 882cc64ae..0caba9062 100644
--- a/config/netbox-common.env.example
+++ b/config/netbox-common.env.example
@@ -3,6 +3,8 @@
 # The name of the default "site" to be created upon NetBox initialization, and to be queried
 #   for enrichment (see LOGSTASH_NETBOX_ENRICHMENT)
 NETBOX_DEFAULT_SITE=Malcolm
+# Whether or not to create catch-all VRFs/IP Prefixes for private IP space
+NETBOX_PRELOAD_PREFIXES=false
 # Whether to disable Malcolm's NetBox instance ('true') or not ('false')
 NETBOX_DISABLED=true
 NETBOX_POSTGRES_DISABLED=true
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 3f8c9d3c5..91294d6c1 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -430,6 +430,8 @@ Should Malcolm automatically populate NetBox inventory based on observed network
 
 Specify default NetBox site name: Malcolm
 
+Should Malcolm create "catch-all" prefixes for private IP address space? (y / N): n
+
 Enable dark mode for OpenSearch Dashboards? (Y / n): y
 
 Malcolm has been installed to /home/user/Malcolm. See README.md for more information.
diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md
index 492d8fe1f..280698e90 100644
--- a/docs/malcolm-hedgehog-e2e-iso-install.md
+++ b/docs/malcolm-hedgehog-e2e-iso-install.md
@@ -255,6 +255,8 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest
     - Answer **Y** to [populate the NetBox inventory](asset-interaction-analysis.md#NetBoxPopPassive) based on observed network traffic. Autopopulation is **not** recommended: [manual inventory population](asset-interaction-analysis.md#NetBoxPopManual) is the preferred method to create an accurate representation of the intended network design.
 * **Specify default NetBox site name**
     - NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/); this default site name will be used as a query parameter for these enrichment lookups.
+* **Should Malcolm create "catch-all" prefixes for private IP address space?**
+    - Answer **Y** to automatically create "catch-all" NetBox prefixes for private IP address space (i.e., one each for `10.0.0.0/8`, `172.16.0.0/12`, and `192.168.0.0/16`, respectively). This is not recommended for networks with more than one subnet.
 * **Should Malcolm capture live network traffic?**
     - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). Answer **no** to this question in installations where Hedgehog Linux will be handling all network traffic capture. If users want Malcolm to observe and capture traffic instead of, or in addition to, a sensor running Hedgehog Linux, they should answer **yes** enable life traffic analysis using default settings, or select **customize** to proceed to answer the following related questions individually.
     - **Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?**
diff --git a/netbox/preload/prefixes_defaults.yml b/netbox/preload/prefixes_defaults.yml
new file mode 100644
index 000000000..0e7d4c736
--- /dev/null
+++ b/netbox/preload/prefixes_defaults.yml
@@ -0,0 +1,6 @@
+- prefix: 10.0.0.0/8
+  vrf: Private IP Space (10.0.0.0/8)
+- prefix: 172.16.0.0/12
+  vrf: Private IP Space (172.16.0.0/12)
+- prefix: 10.0.0.0/8
+  vrf: Private IP Space (192.168.0.0/16)
diff --git a/netbox/preload/vrfs_defaults.yml b/netbox/preload/vrfs_defaults.yml
new file mode 100644
index 000000000..866439507
--- /dev/null
+++ b/netbox/preload/vrfs_defaults.yml
@@ -0,0 +1,6 @@
+- enforce_unique: true
+  name: Private IP Space (10.0.0.0/8)
+- enforce_unique: true
+  name: Private IP Space (172.16.0.0/12)
+- enforce_unique: true
+  name: Private IP Space (192.168.0.0/16)
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 0e2f500fe..a41063f9b 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -12,11 +12,14 @@
 import pynetbox
 import randomcolor
 import re
+import shutil
 import sys
+import tempfile
 import time
 import malcolm_utils
 
 from collections.abc import Iterable
+from distutils.dir_util import copy_tree
 from datetime import datetime
 from slugify import slugify
 from netbox_library_import import import_library
@@ -238,6 +241,16 @@ def main():
         required=False,
         help="Directory containing netbox-initializers files to preload",
     )
+    parser.add_argument(
+        '--preload-prefixes',
+        dest='preloadPrefixes',
+        type=malcolm_utils.str2bool,
+        metavar="true|false",
+        nargs='?',
+        const=True,
+        default=malcolm_utils.str2bool(os.getenv('NETBOX_PRELOAD_PREFIXES', default='False')),
+        help="Preload IPAM VRFs/IP Prefixes for private IP space",
+    )
     try:
         parser.error = parser.exit
         args = parser.parse_args()
@@ -642,20 +655,35 @@ def main():
     if os.path.isfile(netboxVenvPy) and os.path.isfile(manageScript) and os.path.isdir(args.preloadDir):
         try:
             with malcolm_utils.pushd(os.path.dirname(manageScript)):
-                retcode, output = malcolm_utils.run_process(
-                    [
-                        netboxVenvPy,
-                        os.path.basename(manageScript),
-                        "load_initializer_data",
-                        "--path",
-                        args.preloadDir,
-                    ],
-                    logger=logging,
-                )
-                if retcode == 0:
-                    logging.debug(f"netbox-initializers: {retcode} {output}")
-                else:
-                    logging.error(f"Error processing netbox-initializers: {retcode} {output}")
+                # make a local copy of the YMLs to preload
+                with tempfile.TemporaryDirectory() as tmpPreloadDir:
+                    copy_tree(args.preloadDir, tmpPreloadDir)
+
+                    # only preload catch-all VRFs and IP Prefixes if explicitly specified and they don't already exist
+                    if args.preloadPrefixes:
+                        for loadType in ('vrfs', 'prefixes'):
+                            defaultFileName = os.path.join(tmpPreloadDir, f'{loadType}_defaults.yml')
+                            loadFileName = os.path.join(tmpPreloadDir, f'{loadType}.yml')
+                            if os.path.isfile(defaultFileName) and (not os.path.isfile(loadFileName)):
+                                try:
+                                    shutil.copyfile(defaultFileName, loadFileName)
+                                except Exception:
+                                    pass
+
+                    retcode, output = malcolm_utils.run_process(
+                        [
+                            netboxVenvPy,
+                            os.path.basename(manageScript),
+                            "load_initializer_data",
+                            "--path",
+                            tmpPreloadDir,
+                        ],
+                        logger=logging,
+                    )
+                    if retcode == 0:
+                        logging.debug(f"netbox-initializers: {retcode} {output}")
+                    else:
+                        logging.error(f"Error processing netbox-initializers: {retcode} {output}")
 
         except Exception as e:
             logging.error(f"{type(e).__name__} processing netbox-initializers: {e}")
diff --git a/netbox/supervisord.conf b/netbox/supervisord.conf
index 44e997720..8fe938f56 100644
--- a/netbox/supervisord.conf
+++ b/netbox/supervisord.conf
@@ -39,6 +39,8 @@ command=/opt/netbox/venv/bin/python /usr/local/bin/netbox_init.py
   --token "%(ENV_SUPERUSER_API_TOKEN)s"
   --net-map /usr/local/share/net-map.json
   --library "%(ENV_NETBOX_DEVICETYPE_LIBRARY_PATH)s"
+  --preload "%(ENV_NETBOX_PRELOAD_PATH)s"
+  --preload-prefixes %(ENV_NETBOX_PRELOAD_PREFIXES)s
 autostart=true
 autorestart=false
 startsecs=0
diff --git a/scripts/install.py b/scripts/install.py
index 09285cef0..ad3b6b022 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -1263,6 +1263,10 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
         )
         if len(netboxSiteName) == 0:
             netboxSiteName = 'Malcolm'
+        netboxPreloadPrefixes = netboxEnabled and InstallerYesOrNo(
+            'Should Malcolm create "catch-all" prefixes for private IP address space?',
+            default=args.netboxPreloadPrefixes,
+        )
 
         # input packet capture parameters
         pcapNetSniff = False
@@ -1511,6 +1515,11 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
                 'NETBOX_DISABLED',
                 TrueOrFalseNoQuote(not netboxEnabled),
             ),
+            EnvValue(
+                os.path.join(args.configDir, 'netbox-common.env'),
+                'NETBOX_PRELOAD_PREFIXES',
+                TrueOrFalseNoQuote(netboxPreloadPrefixes),
+            ),
             # enable/disable netbox (postgres)
             EnvValue(
                 os.path.join(args.configDir, 'netbox-common.env'),
@@ -3671,6 +3680,16 @@ def main():
         default=False,
         help="Automatically populate NetBox inventory based on observed network traffic",
     )
+    netboxArgGroup.add_argument(
+        '--netbox-preload-prefixes',
+        dest='netboxPreloadPrefixes',
+        type=str2bool,
+        metavar="true|false",
+        nargs='?',
+        const=True,
+        default=False,
+        help="Preload NetBox IPAM VRFs/IP Prefixes for private IP space",
+    )
     netboxArgGroup.add_argument(
         '--netbox-site-name',
         dest='netboxSiteName',

From e20983ca8b8cadea24cfc6fdecc500f3a637885e Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 26 Oct 2023 13:42:23 -0600
Subject: [PATCH 03/82] add option to auto-create catch-all netbox IPAM
 prefixes for private IP space (idaholab/Malcolm#279)

---
 netbox/preload/prefixes_defaults.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netbox/preload/prefixes_defaults.yml b/netbox/preload/prefixes_defaults.yml
index 0e7d4c736..dde5c6cb8 100644
--- a/netbox/preload/prefixes_defaults.yml
+++ b/netbox/preload/prefixes_defaults.yml
@@ -2,5 +2,5 @@
   vrf: Private IP Space (10.0.0.0/8)
 - prefix: 172.16.0.0/12
   vrf: Private IP Space (172.16.0.0/12)
-- prefix: 10.0.0.0/8
+- prefix: 192.168.0.0/16
   vrf: Private IP Space (192.168.0.0/16)

From edd49a142e59e010d5b6241c20be83d5a5bccc2f Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 26 Oct 2023 13:51:30 -0600
Subject: [PATCH 04/82] reduce verbosity of netbox

---
 scripts/malcolm_common.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py
index ec7b7e45d..552557eaf 100644
--- a/scripts/malcolm_common.py
+++ b/scripts/malcolm_common.py
@@ -700,8 +700,9 @@ def DownloadToFile(url, local_filename, debug=False):
   | esindices/list
   | executing\s+attempt_(transition|set_replica_count)\s+for
   | failed\s+to\s+get\s+tcp6?\s+stats\s+from\s+/proc
-  | GET\s+/(netbox/api|_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b
+  | GET\s+/(_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b
   | GET\s+/\s+.+\b200\b.+ELB-HealthChecker
+  | (GET|POST|PATCH)\s+/netbox/.+HTTP/[\d\.].+\b20[01]\b
   | loaded\s+config\s+'/etc/netbox/config/
   | LOG:\s+checkpoint\s+(complete|starting)
   | "netbox"\s+application\s+started
@@ -711,7 +712,6 @@ def DownloadToFile(url, local_filename, debug=False):
   | POST\s+/_bulk\s+HTTP/[\d\.].+\b20[01]\b
   | POST\s+/server/php/\s+HTTP/\d+\.\d+"\s+\d+\s+\d+.*:8443/
   | POST\s+HTTP/[\d\.].+\b200\b
-  | (POST|PATCH)\s+/netbox/api/.+HTTP/[\d\.].+\b20[01]\b
   | reaped\s+unknown\s+pid
   | redis.*(changes.+seconds.+Saving|Background\s+saving\s+(started|terminated)|DB\s+saved\s+on\s+disk|Fork\s+CoW)
   | remov(ed|ing)\s+(old\s+file|dead\s+symlink|empty\s+directory)

From 94e8f76cdebcb52c0d1ab448d09acbd2cd070ffd Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 26 Oct 2023 13:54:00 -0600
Subject: [PATCH 05/82] add option to auto-create catch-all netbox IPAM
 prefixes for private IP space (idaholab/Malcolm#279)

---
 netbox/preload/prefixes_defaults.yml | 6 +++---
 netbox/preload/vrfs_defaults.yml     | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/netbox/preload/prefixes_defaults.yml b/netbox/preload/prefixes_defaults.yml
index dde5c6cb8..6e9fe981f 100644
--- a/netbox/preload/prefixes_defaults.yml
+++ b/netbox/preload/prefixes_defaults.yml
@@ -1,6 +1,6 @@
 - prefix: 10.0.0.0/8
-  vrf: Private IP Space (10.0.0.0/8)
+  vrf: 10.0.0.0/8
 - prefix: 172.16.0.0/12
-  vrf: Private IP Space (172.16.0.0/12)
+  vrf: 172.16.0.0/12
 - prefix: 192.168.0.0/16
-  vrf: Private IP Space (192.168.0.0/16)
+  vrf: 192.168.0.0/16
diff --git a/netbox/preload/vrfs_defaults.yml b/netbox/preload/vrfs_defaults.yml
index 866439507..d83018c72 100644
--- a/netbox/preload/vrfs_defaults.yml
+++ b/netbox/preload/vrfs_defaults.yml
@@ -1,6 +1,6 @@
 - enforce_unique: true
-  name: Private IP Space (10.0.0.0/8)
+  name: 10.0.0.0/8
 - enforce_unique: true
-  name: Private IP Space (172.16.0.0/12)
+  name: 172.16.0.0/12
 - enforce_unique: true
-  name: Private IP Space (192.168.0.0/16)
+  name: 192.168.0.0/16

From cab66bdc1318b5a11f89208f4dd7479032b9cb80 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 26 Oct 2023 15:20:56 -0600
Subject: [PATCH 06/82] address issues with NetBox database and Logstash's
 NetBox cache (idaholab/Malcolm#259); work in progress, almost certainly
 broken in this state

---
 Dockerfiles/logstash.Dockerfile |   5 +-
 logstash/ruby/netbox_enrich.rb  | 972 ++++++++++++++++----------------
 2 files changed, 499 insertions(+), 478 deletions(-)

diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 80a7fb50a..67e1ed0c4 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -63,11 +63,12 @@ RUN set -x && \
     pip3 install ipaddress supervisor manuf pyyaml && \
     export JAVA_HOME=/usr/share/logstash/jdk && \
     /usr/share/logstash/vendor/jruby/bin/jruby -S gem install bundler && \
-    echo "gem 'lru_cache'" >> /usr/share/logstash/Gemfile && \
+    echo "gem 'concurrent-ruby'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'deep_merge'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'fuzzy-string-match'" >> /usr/share/logstash/Gemfile && \
-    echo "gem 'stringex'" >> /usr/share/logstash/Gemfile && \
+    echo "gem 'lru_cache'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'psych'" >> /usr/share/logstash/Gemfile && \
+    echo "gem 'stringex'" >> /usr/share/logstash/Gemfile && \
     /usr/share/logstash/bin/ruby -S bundle install && \
     logstash-plugin install --preserve logstash-filter-translate logstash-filter-cidr logstash-filter-dns \
                                        logstash-filter-json logstash-filter-prune logstash-filter-http \
diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb
index 6de233590..117f88094 100644
--- a/logstash/ruby/netbox_enrich.rb
+++ b/logstash/ruby/netbox_enrich.rb
@@ -3,6 +3,7 @@ def concurrency
 end
 
 def register(params)
+  require 'concurrent'
   require 'date'
   require 'faraday'
   require 'fuzzystringmatch'
@@ -45,10 +46,6 @@ def register(params)
   # API parameters
   @page_size = params.fetch("page_size", 50)
 
-  # caching parameters
-  @cache_size = params.fetch("cache_size", 1000)
-  @cache_ttl = params.fetch("cache_ttl", 600)
-
   # target field to store looked-up value
   @target = params["target"]
 
@@ -73,6 +70,13 @@ def register(params)
   @netbox_url = params.fetch("netbox_url", "http://netbox:8080/netbox/api").delete_suffix("/")
   @netbox_url_suffix = "/netbox/api"
   @netbox_url_base = @netbox_url.delete_suffix(@netbox_url_suffix)
+  @netbox_headers = { 'Content-Type': 'application/json' }
+
+  # netbox connection (will be initialized in a thread-safe manner in filter)
+  @netbox_conn = nil
+  @netbox_conn_lock = Concurrent::ReentrantReadWriteLock.new
+  @netbox_conn_needs_reset = false
+  @netbox_conn_resetting = false
 
   # connection token (either specified directly or read from ENV via netbox_token_env)
   @netbox_token = params["netbox_token"]
@@ -81,9 +85,6 @@ def register(params)
     @netbox_token = ENV[_netbox_token_env]
   end
 
-  # hash of lookup types (from @lookup_type), each of which contains the respective looked-up values
-  @cache_hash = LruRedux::ThreadSafeCache.new(params.fetch("lookup_cache_size", 512))
-
   # these are used for autopopulation only, not lookup/enrichment
 
   # autopopulate - either specified directly or read from ENV via autopopulate_env
@@ -201,7 +202,6 @@ def filter(event)
   _url = @netbox_url
   _url_base = @netbox_url_base
   _url_suffix = @netbox_url_suffix
-  _token = @netbox_token
   _page_size = @page_size
   _verbose = @verbose
   _lookup_type = @lookup_type
@@ -218,494 +218,514 @@ def filter(event)
   _autopopulate_mac = event.get("#{@source_mac}")
   _autopopulate_oui = event.get("#{@source_oui}")
 
-  _result = @cache_hash.getset(_lookup_type){
-              LruRedux::TTL::ThreadSafeCache.new(@cache_size, @cache_ttl)
-            }.getset(_key){
-
-              _nb = Faraday.new(_url) do |conn|
-                conn.request :authorization, 'Token', _token
-                conn.request :url_encoded
-                conn.response :json, :parser_options => { :symbolize_names => true }
-              end
-              _nb_headers = { 'Content-Type': 'application/json' }
-
-              _lookup_result = nil
-              _autopopulate_device = nil
-              _autopopulate_role = nil
-              _autopopulate_dtype = nil
-              _autopopulate_interface = nil
-              _autopopulate_ip = nil
-              _autopopulate_manuf = nil
-              _autopopulate_site = nil
-              _vrfs = nil
-              _devices = nil
-              _exception_error = false
-
-              # handle :ip_device first, because if we're doing autopopulate we're also going to use
-              # some of the logic from :ip_vrf
-
-              if (_lookup_type == :ip_device)
-              #################################################################################
-                # retrieve the list of IP addresses where address matches the search key, limited to "assigned" addresses.
-                # then, for those IP addresses, search for devices pertaining to the interfaces assigned to each
-                # IP address (e.g., ipam.ip_address -> dcim.interface -> dcim.device, or
-                # ipam.ip_address -> virtualization.interface -> virtualization.virtual_machine)
-                _devices = Array.new
-                _query = { :address => _key,
-                           :offset => 0,
-                           :limit => _page_size }
-                begin
+  _result = nil
+  _autopopulate_device = nil
+  _autopopulate_role = nil
+  _autopopulate_dtype = nil
+  _autopopulate_interface = nil
+  _autopopulate_ip = nil
+  _autopopulate_manuf = nil
+  _autopopulate_site = nil
+  _vrfs = nil
+  _devices = nil
+  _exception_error_general = false
+  _exception_error_connection = false
+
+  @netbox_conn_lock.with_read_lock {
+
+    # make sure the connection to the NetBox API exists and wasn't flagged for reconnect
+    if @netbox_conn.nil? || @netbox_conn_needs_reset
+      @netbox_conn_lock.with_write_lock {
+        if @netbox_conn.nil? || @netbox_conn_needs_reset
+          begin
+            # we need to reconnect to the NetBox API
+            @netbox_conn_resetting = true
+            @netbox_conn = Faraday.new(_url) do |conn|
+              conn.request :authorization, 'Token', @netbox_token
+              conn.request :url_encoded
+              conn.response :json, :parser_options => { :symbolize_names => true }
+            end
+          ensure
+            @netbox_conn_resetting = false
+            @netbox_conn_needs_reset = @netbox_conn.nil?
+          end
+        end # connection check in write lock
+      } # @netbox_conn_lock.with_write_lock
+    end # connection check in read lock
+
+    # handle :ip_device first, because if we're doing autopopulate we're also going to use
+    # some of the logic from :ip_vrf
+
+    if (_lookup_type == :ip_device)
+    #################################################################################
+      # retrieve the list of IP addresses where address matches the search key, limited to "assigned" addresses.
+      # then, for those IP addresses, search for devices pertaining to the interfaces assigned to each
+      # IP address (e.g., ipam.ip_address -> dcim.interface -> dcim.device, or
+      # ipam.ip_address -> virtualization.interface -> virtualization.virtual_machine)
+      _devices = Array.new
+      _query = { :address => _key,
+                 :offset => 0,
+                 :limit => _page_size }
+      begin
+        while true do
+          if (_ip_addresses_response = @netbox_conn.get('ipam/ip-addresses/', _query).body) &&
+             _ip_addresses_response.is_a?(Hash)
+          then
+            _tmp_ip_addresses = _ip_addresses_response.fetch(:results, [])
+            _tmp_ip_addresses.each do |i|
+              _is_device = nil
+              if (_obj = i.fetch(:assigned_object, nil)) &&
+                 ((_device_obj = _obj.fetch(:device, nil)) ||
+                  (_virtualized_obj = _obj.fetch(:virtual_machine, nil)))
+              then
+                _is_device = !_device_obj.nil?
+                _device = _is_device ? _device_obj : _virtualized_obj
+                # if we can, follow the :assigned_object's "full" device URL to get more information
+                _device = (_device.has_key?(:url) && (_full_device = @netbox_conn.get(_device[:url].delete_prefix(_url_base).delete_prefix(_url_suffix).delete_prefix("/")).body)) ? _full_device : _device
+                _device_id = _device.fetch(:id, nil)
+                _device_site = ((_site = _device.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil)
+                next unless (_device_site.to_s.downcase == _lookup_site.to_s.downcase) || _lookup_site.nil? || _lookup_site.empty? || _device_site.nil? || _device_site.empty?
+                # look up service if requested (based on device/vm found and service port)
+                if (_lookup_service_port > 0)
+                  _services = Array.new
+                  _service_query = { (_is_device ? :device_id : :virtual_machine_id) => _device_id, :port => _lookup_service_port, :offset => 0, :limit => _page_size }
                   while true do
-                    if (_ip_addresses_response = _nb.get('ipam/ip-addresses/', _query).body) &&
-                       _ip_addresses_response.is_a?(Hash)
+                    if (_services_response = @netbox_conn.get('ipam/services/', _service_query).body) &&
+                       _services_response.is_a?(Hash)
                     then
-                      _tmp_ip_addresses = _ip_addresses_response.fetch(:results, [])
-                      _tmp_ip_addresses.each do |i|
-                        _is_device = nil
-                        if (_obj = i.fetch(:assigned_object, nil)) &&
-                           ((_device_obj = _obj.fetch(:device, nil)) ||
-                            (_virtualized_obj = _obj.fetch(:virtual_machine, nil)))
-                        then
-                          _is_device = !_device_obj.nil?
-                          _device = _is_device ? _device_obj : _virtualized_obj
-                          # if we can, follow the :assigned_object's "full" device URL to get more information
-                          _device = (_device.has_key?(:url) && (_full_device = _nb.get(_device[:url].delete_prefix(_url_base).delete_prefix(_url_suffix).delete_prefix("/")).body)) ? _full_device : _device
-                          _device_id = _device.fetch(:id, nil)
-                          _device_site = ((_site = _device.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil)
-                          next unless (_device_site.to_s.downcase == _lookup_site.to_s.downcase) || _lookup_site.nil? || _lookup_site.empty? || _device_site.nil? || _device_site.empty?
-                          # look up service if requested (based on device/vm found and service port)
-                          if (_lookup_service_port > 0)
-                            _services = Array.new
-                            _service_query = { (_is_device ? :device_id : :virtual_machine_id) => _device_id, :port => _lookup_service_port, :offset => 0, :limit => _page_size }
-                            while true do
-                              if (_services_response = _nb.get('ipam/services/', _service_query).body) &&
-                                 _services_response.is_a?(Hash)
-                              then
-                                _tmp_services = _services_response.fetch(:results, [])
-                                _services.unshift(*_tmp_services) unless _tmp_services.nil? || _tmp_services.empty?
-                                _service_query[:offset] += _tmp_services.length()
-                                break unless (_tmp_services.length() >= _page_size)
-                              else
-                                break
-                              end
-                            end
-                            _device[:service] = _services
-                          end
-                          # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
-                          # if _verbose, include entire object as :details
-                          _devices << { :name => _device.fetch(:name, _device.fetch(:display, nil)),
-                                        :id => _device_id,
-                                        :url => _device.fetch(:url, nil),
-                                        :service => _device.fetch(:service, []).map {|s| s.fetch(:name, s.fetch(:display, nil)) },
-                                        :site => _device_site,
-                                        :role => ((_role = _device.fetch(:role, nil)) && _role&.has_key?(:name)) ? _role[:name] : _role&.fetch(:display, nil),
-                                        :cluster => ((_cluster = _device.fetch(:cluster, nil)) && _cluster&.has_key?(:name)) ? _cluster[:name] : _cluster&.fetch(:display, nil),
-                                        :device_type => ((_dtype = _device.fetch(:device_type, nil)) && _dtype&.has_key?(:name)) ? _dtype[:name] : _dtype&.fetch(:display, nil),
-                                        :manufacturer => ((_manuf = _device.dig(:device_type, :manufacturer)) && _manuf&.has_key?(:name)) ? _manuf[:name] : _manuf&.fetch(:display, nil),
-                                        :details => _verbose ? _device : nil }
-                        end
-                      end
-                      _query[:offset] += _tmp_ip_addresses.length()
-                      break unless (_tmp_ip_addresses.length() >= _page_size)
+                      _tmp_services = _services_response.fetch(:results, [])
+                      _services.unshift(*_tmp_services) unless _tmp_services.nil? || _tmp_services.empty?
+                      _service_query[:offset] += _tmp_services.length()
+                      break unless (_tmp_services.length() >= _page_size)
                     else
-                      # weird/bad response, bail
-                      _exception_error = true
                       break
                     end
-                  end # while true
-                rescue Faraday::Error
-                  # give up aka do nothing
-                  _exception_error = true
+                  end
+                  _device[:service] = _services
                 end
-
-                if _autopopulate && (_query[:offset] == 0) && !_exception_error && _key_ip&.private?
-
-                  # no results found, autopopulate enabled, private-space IP address...
-                  # let's create an entry for this device
-
-                  # if MAC is set but OUI is not, do a quick lookup
-                  if (!_autopopulate_mac.nil? && !_autopopulate_mac.empty?) &&
-                     (_autopopulate_oui.nil? || _autopopulate_oui.empty?)
+                # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
+                # if _verbose, include entire object as :details
+                _devices << { :name => _device.fetch(:name, _device.fetch(:display, nil)),
+                              :id => _device_id,
+                              :url => _device.fetch(:url, nil),
+                              :service => _device.fetch(:service, []).map {|s| s.fetch(:name, s.fetch(:display, nil)) },
+                              :site => _device_site,
+                              :role => ((_role = _device.fetch(:role, nil)) && _role&.has_key?(:name)) ? _role[:name] : _role&.fetch(:display, nil),
+                              :cluster => ((_cluster = _device.fetch(:cluster, nil)) && _cluster&.has_key?(:name)) ? _cluster[:name] : _cluster&.fetch(:display, nil),
+                              :device_type => ((_dtype = _device.fetch(:device_type, nil)) && _dtype&.has_key?(:name)) ? _dtype[:name] : _dtype&.fetch(:display, nil),
+                              :manufacturer => ((_manuf = _device.dig(:device_type, :manufacturer)) && _manuf&.has_key?(:name)) ? _manuf[:name] : _manuf&.fetch(:display, nil),
+                              :details => _verbose ? _device : nil }
+              end
+            end
+            _query[:offset] += _tmp_ip_addresses.length()
+            break unless (_tmp_ip_addresses.length() >= _page_size)
+          else
+            # weird/bad response, bail
+            _exception_error_general = true
+            break
+          end
+        end # while true
+      rescue Faraday::Error
+        # give up aka do nothing
+        _exception_error_general = true
+      end
+
+      if _autopopulate && (_query[:offset] == 0) && !_exception_error_general && !_exception_error_connection && _key_ip&.private?
+
+        # no results found, autopopulate enabled, private-space IP address...
+        # let's create an entry for this device
+
+        # if MAC is set but OUI is not, do a quick lookup
+        if (!_autopopulate_mac.nil? && !_autopopulate_mac.empty?) &&
+           (_autopopulate_oui.nil? || _autopopulate_oui.empty?)
+        then
+          case _autopopulate_mac
+          when String
+            if @macregex.match?(_autopopulate_mac)
+              _macint = mac_string_to_integer(_autopopulate_mac)
+              _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
+              _autopopulate_oui = _vendor[2] unless _vendor.nil?
+            end # _autopopulate_mac matches @macregex
+          when Array
+            _autopopulate_mac.each do |_addr|
+              if @macregex.match?(_addr)
+                _macint = mac_string_to_integer(_addr)
+                _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
+                if !_vendor.nil?
+                  _autopopulate_oui = _vendor[2]
+                  break
+                end # !_vendor.nil?
+              end # _addr matches @macregex
+            end # _autopopulate_mac.each do
+          end # case statement _autopopulate_mac String vs. Array
+        end # MAC is populated but OUI is not
+
+        # match/look up manufacturer based on OUI
+        if !_autopopulate_oui.nil? && !_autopopulate_oui.empty?
+
+          _autopopulate_oui = _autopopulate_oui.first() unless !_autopopulate_oui.is_a?(Array)
+
+          # does it look like a VM or a regular device?
+          if @vm_namesarray.include?(_autopopulate_oui.downcase)
+            # looks like this is probably a virtual machine
+            _autopopulate_manuf = { :name => _autopopulate_oui,
+                                    :match => 1.0,
+                                    :vm => true,
+                                    :id => nil }
+
+          else
+            # looks like this is not a virtual machine (or we can't tell) so assume its' a regular device
+            _autopopulate_manuf = @manuf_hash.getset(_autopopulate_oui) {
+              _fuzzy_matcher = FuzzyStringMatch::JaroWinkler.create( :pure )
+              _manufs = Array.new
+              # fetch the manufacturers to do the comparison. this is a lot of work
+              # and not terribly fast but once the hash it populated it shouldn't happen too often
+              _query = { :offset => 0,
+                         :limit => _page_size }
+              begin
+                while true do
+                  if (_manufs_response = @netbox_conn.get('dcim/manufacturers/', _query).body) &&
+                     _manufs_response.is_a?(Hash)
                   then
-                    case _autopopulate_mac
-                    when String
-                      if @macregex.match?(_autopopulate_mac)
-                        _macint = mac_string_to_integer(_autopopulate_mac)
-                        _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
-                        _autopopulate_oui = _vendor[2] unless _vendor.nil?
-                      end # _autopopulate_mac matches @macregex
-                    when Array
-                      _autopopulate_mac.each do |_addr|
-                        if @macregex.match?(_addr)
-                          _macint = mac_string_to_integer(_addr)
-                          _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
-                          if !_vendor.nil?
-                            _autopopulate_oui = _vendor[2]
-                            break
-                          end # !_vendor.nil?
-                        end # _addr matches @macregex
-                      end # _autopopulate_mac.each do
-                    end # case statement _autopopulate_mac String vs. Array
-                  end # MAC is populated but OUI is not
-
-                  # match/look up manufacturer based on OUI
-                  if !_autopopulate_oui.nil? && !_autopopulate_oui.empty?
-
-                    _autopopulate_oui = _autopopulate_oui.first() unless !_autopopulate_oui.is_a?(Array)
-
-                    # does it look like a VM or a regular device?
-                    if @vm_namesarray.include?(_autopopulate_oui.downcase)
-                      # looks like this is probably a virtual machine
-                      _autopopulate_manuf = { :name => _autopopulate_oui,
-                                              :match => 1.0,
-                                              :vm => true,
-                                              :id => nil }
-
-                    else
-                      # looks like this is not a virtual machine (or we can't tell) so assume its' a regular device
-                      _autopopulate_manuf = @manuf_hash.getset(_autopopulate_oui) {
-                        _fuzzy_matcher = FuzzyStringMatch::JaroWinkler.create( :pure )
-                        _manufs = Array.new
-                        # fetch the manufacturers to do the comparison. this is a lot of work
-                        # and not terribly fast but once the hash it populated it shouldn't happen too often
-                        _query = { :offset => 0,
-                                   :limit => _page_size }
-                        begin
-                          while true do
-                            if (_manufs_response = _nb.get('dcim/manufacturers/', _query).body) &&
-                               _manufs_response.is_a?(Hash)
-                            then
-                              _tmp_manufs = _manufs_response.fetch(:results, [])
-                              _tmp_manufs.each do |_manuf|
-                                _tmp_name = _manuf.fetch(:name, _manuf.fetch(:display, nil))
-                                _manufs << { :name => _tmp_name,
-                                             :id => _manuf.fetch(:id, nil),
-                                             :url => _manuf.fetch(:url, nil),
-                                             :match => _fuzzy_matcher.getDistance(_tmp_name.to_s.downcase, _autopopulate_oui.to_s.downcase),
-                                             :vm => false
-                                           }
-                              end
-                              _query[:offset] += _tmp_manufs.length()
-                              break unless (_tmp_manufs.length() >= _page_size)
-                            else
-                              break
-                            end
-                          end
-                        rescue Faraday::Error
-                          # give up aka do nothing
-                          _exception_error = true
-                        end
-                        # return the manuf with the highest match
-                        !_manufs&.empty? ? _manufs.max_by{|k| k[:match] } : nil
-                      }
-                    end # virtual machine vs. regular device
-                  end # _autopopulate_oui specified
-
-                  if !_autopopulate_manuf.is_a?(Hash)
-                    # no match was found at ANY match level (empty database or no OUI specified), set default ("unspecified") manufacturer
-                    _autopopulate_manuf = { :name => _autopopulate_create_manuf ? _autopopulate_oui : _autopopulate_default_manuf,
-                                            :match => 0.0,
-                                            :vm => false,
-                                            :id => nil}
-                  end
-
-                  # make sure the site and role exists
-
-                  _autopopulate_site = @site_hash.getset(_autopopulate_default_site) {
-                    begin
-                      _site = nil
-
-                      # look it up first
-                      _query = { :offset => 0,
-                                 :limit => 1,
-                                 :name => _autopopulate_default_site }
-                      if (_sites_response = _nb.get('dcim/sites/', _query).body) &&
-                         _sites_response.is_a?(Hash) &&
-                         (_tmp_sites = _sites_response.fetch(:results, [])) &&
-                         (_tmp_sites.length() > 0)
-                      then
-                         _site = _tmp_sites.first
-                      end
-
-                      if _site.nil?
-                        # the device site is not found, create it
-                        _site_data = { :name => _autopopulate_default_site,
-                                       :slug => _autopopulate_default_site.to_url,
-                                       :status => "active" }
-                        if (_site_create_response = _nb.post('dcim/sites/', _site_data.to_json, _nb_headers).body) &&
-                           _site_create_response.is_a?(Hash) &&
-                           _site_create_response.has_key?(:id)
-                        then
-                           _site = _site_create_response
-                        end
-                      end
-
-                    rescue Faraday::Error
-                      # give up aka do nothing
-                      _exception_error = true
-                    end
-                    _site
-                  }
-
-                  _autopopulate_role = @role_hash.getset(_autopopulate_default_role) {
-                    begin
-                      _role = nil
-
-                      # look it up first
-                      _query = { :offset => 0,
-                                 :limit => 1,
-                                 :name => _autopopulate_default_role }
-                      if (_roles_response = _nb.get('dcim/device-roles/', _query).body) &&
-                         _roles_response.is_a?(Hash) &&
-                         (_tmp_roles = _roles_response.fetch(:results, [])) &&
-                         (_tmp_roles.length() > 0)
-                      then
-                         _role = _tmp_roles.first
-                      end
-
-                      if _role.nil?
-                        # the role is not found, create it
-                        _role_data = { :name => _autopopulate_default_role,
-                                        :slug => _autopopulate_default_role.to_url,
-                                        :color => "d3d3d3" }
-                        if (_role_create_response = _nb.post('dcim/device-roles/', _role_data.to_json, _nb_headers).body) &&
-                           _role_create_response.is_a?(Hash) &&
-                           _role_create_response.has_key?(:id)
-                        then
-                           _role = _role_create_response
-                        end
-                      end
-
-                    rescue Faraday::Error
-                      # give up aka do nothing
-                      _exception_error = true
+                    _tmp_manufs = _manufs_response.fetch(:results, [])
+                    _tmp_manufs.each do |_manuf|
+                      _tmp_name = _manuf.fetch(:name, _manuf.fetch(:display, nil))
+                      _manufs << { :name => _tmp_name,
+                                   :id => _manuf.fetch(:id, nil),
+                                   :url => _manuf.fetch(:url, nil),
+                                   :match => _fuzzy_matcher.getDistance(_tmp_name.to_s.downcase, _autopopulate_oui.to_s.downcase),
+                                   :vm => false
+                                 }
                     end
-                    _role
-                  }
-
-                  # we should have found or created the autopopulate role and site
-                  begin
-                    if _autopopulate_site&.fetch(:id, nil)&.nonzero? &&
-                       _autopopulate_role&.fetch(:id, nil)&.nonzero?
-                    then
-
-                      if _autopopulate_manuf[:vm]
-                        # a virtual machine
-                        _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
-                        _device_data = { :name => _device_name,
-                                         :site => _autopopulate_site[:id],
-                                         :status => "staged" }
-                        if (_device_create_response = _nb.post('virtualization/virtual-machines/', _device_data.to_json, _nb_headers).body) &&
-                           _device_create_response.is_a?(Hash) &&
-                           _device_create_response.has_key?(:id)
-                        then
-                           _autopopulate_device = _device_create_response
-                        end
-
-                      else
-                        # a regular non-vm device
-
-                        if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
-                          # the manufacturer was default (not found) so look it up first
-                          _query = { :offset => 0,
-                                     :limit => 1,
-                                     :name => _autopopulate_manuf[:name] }
-                          if (_manufs_response = _nb.get('dcim/manufacturers/', _query).body) &&
-                             _manufs_response.is_a?(Hash) &&
-                             (_tmp_manufs = _manufs_response.fetch(:results, [])) &&
-                             (_tmp_manufs.length() > 0)
-                          then
-                             _autopopulate_manuf[:id] = _tmp_manufs.first.fetch(:id, nil)
-                             _autopopulate_manuf[:match] = 1.0
-                          end
-                        end
-
-                        if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
-                          # the manufacturer is still not found, create it
-                          _manuf_data = { :name => _autopopulate_manuf[:name],
-                                          :slug => _autopopulate_manuf[:name].to_url }
-                          if (_manuf_create_response = _nb.post('dcim/manufacturers/', _manuf_data.to_json, _nb_headers).body) &&
-                             _manuf_create_response.is_a?(Hash)
-                          then
-                             _autopopulate_manuf[:id] = _manuf_create_response.fetch(:id, nil)
-                             _autopopulate_manuf[:match] = 1.0
-                          end
-                        end
-
-                        # at this point we *must* have the manufacturer ID
-                        if _autopopulate_manuf.fetch(:id, nil)&.nonzero?
-
-                          # make sure the desired device type also exists, look it up first
-                          _query = { :offset => 0,
-                                     :limit => 1,
-                                     :manufacturer_id => _autopopulate_manuf[:id],
-                                     :model => _autopopulate_default_dtype }
-                          if (_dtypes_response = _nb.get('dcim/device-types/', _query).body) &&
-                             _dtypes_response.is_a?(Hash) &&
-                             (_tmp_dtypes = _dtypes_response.fetch(:results, [])) &&
-                             (_tmp_dtypes.length() > 0)
-                          then
-                             _autopopulate_dtype = _tmp_dtypes.first
-                          end
-
-                          if _autopopulate_dtype.nil?
-                            # the device type is not found, create it
-                            _dtype_data = { :manufacturer => _autopopulate_manuf[:id],
-                                            :model => _autopopulate_default_dtype,
-                                            :slug => _autopopulate_default_dtype.to_url }
-                            if (_dtype_create_response = _nb.post('dcim/device-types/', _dtype_data.to_json, _nb_headers).body) &&
-                               _dtype_create_response.is_a?(Hash) &&
-                               _dtype_create_response.has_key?(:id)
-                            then
-                               _autopopulate_dtype = _dtype_create_response
-                            end
-                          end
-
-                          # # now we must also have the device type ID
-                          if _autopopulate_dtype&.fetch(:id, nil)&.nonzero?
-
-                            # create the device
-                            _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
-                            _device_data = { :name => _device_name,
-                                             :device_type => _autopopulate_dtype[:id],
-                                             :role => _autopopulate_role[:id],
-                                             :site => _autopopulate_site[:id],
-                                             :status => "staged" }
-                            if (_device_create_response = _nb.post('dcim/devices/', _device_data.to_json, _nb_headers).body) &&
-                               _device_create_response.is_a?(Hash) &&
-                               _device_create_response.has_key?(:id)
-                            then
-                               _autopopulate_device = _device_create_response
-                            end
-
-                          end # _autopopulate_dtype[:id] is valid
-
-                        end # _autopopulate_manuf[:id] is valid
-
-                      end # virtual machine vs. regular device
-
-                    end # site and role are valid
-
-                  rescue Faraday::Error
-                    # give up aka do nothing
-                    _exception_error = true
+                    _query[:offset] += _tmp_manufs.length()
+                    break unless (_tmp_manufs.length() >= _page_size)
+                  else
+                    break
                   end
-
-                  if !_autopopulate_device.nil?
-                    # we created a device, so send it back out as the result for the event as well
-                    _devices << { :name => _autopopulate_device&.fetch(:name, _autopopulate_device&.fetch(:display, nil)),
-                                  :id => _autopopulate_device&.fetch(:id, nil),
-                                  :url => _autopopulate_device&.fetch(:url, nil),
-                                  :site => _autopopulate_site&.fetch(:name, nil),
-                                  :role => _autopopulate_role&.fetch(:name, nil),
-                                  :device_type => _autopopulate_dtype&.fetch(:name, nil),
-                                  :manufacturer => _autopopulate_manuf&.fetch(:name, nil),
-                                  :details => _verbose ? _autopopulate_device : nil }
-                  end # _autopopulate_device was not nil (i.e., we autocreated a device)
-
-                end # _autopopulate turned on and no results found
-
-                _devices = collect_values(crush(_devices))
-                _devices.fetch(:service, [])&.flatten!&.uniq!
-                _lookup_result = _devices
-              end # _lookup_type == :ip_device
-
-              # this || is because we are going to need to do the VRF lookup if we're autopopulating
-              # as well as if we're specifically requested to do that enrichment
-
-              if (_lookup_type == :ip_vrf) || !_autopopulate_device.nil?
-              #################################################################################
-                # retrieve the list VRFs containing IP address prefixes containing the search key
-                _vrfs = Array.new
-                _query = { :contains => _key,
-                           :offset => 0,
-                           :limit => _page_size }
-                _query[:site_n] = _lookup_site unless _lookup_site.nil? || _lookup_site.empty?
-                begin
-                  while true do
-                    if (_prefixes_response = _nb.get('ipam/prefixes/', _query).body) &&
-                       _prefixes_response.is_a?(Hash)
-                    then
-                      _tmp_prefixes = _prefixes_response.fetch(:results, [])
-                      _tmp_prefixes.each do |p|
-                        if (_vrf = p.fetch(:vrf, nil))
-                          # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
-                          # if _verbose, include entire object as :details
-                          _vrfs << { :name => _vrf.fetch(:name, _vrf.fetch(:display, nil)),
-                                     :id => _vrf.fetch(:id, nil),
-                                     :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
-                                     :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),
-                                     :url => p.fetch(:url, _vrf.fetch(:url, nil)),
-                                     :details => _verbose ? _vrf.merge({:prefix => p.tap { |h| h.delete(:vrf) }}) : nil }
-                        end
-                      end
-                      _query[:offset] += _tmp_prefixes.length()
-                      break unless (_tmp_prefixes.length() >= _page_size)
-                    else
-                      break
-                    end
-                  end
-                rescue Faraday::Error
-                  # give up aka do nothing
-                  _exception_error = true
                 end
-                _vrfs = collect_values(crush(_vrfs))
-                _lookup_result = _vrfs unless (_lookup_type != :ip_vrf)
-              end # _lookup_type == :ip_vrf
-
-              if !_autopopulate_device.nil? && _autopopulate_device.fetch(:id, nil)&.nonzero?
-                # device has been created, we need to create an interface for it
-                _interface_data = { _autopopulate_manuf[:vm] ? :virtual_machine : :device => _autopopulate_device[:id],
-                                    :name => "e0",
-                                    :type => "other" }
-                if !_autopopulate_mac.nil? && !_autopopulate_mac.empty?
-                  _interface_data[:mac_address] = _autopopulate_mac.is_a?(Array) ? _autopopulate_mac.first : _autopopulate_mac
+              rescue Faraday::Error
+                # give up aka do nothing
+                _exception_error_general = true
+              end
+              # return the manuf with the highest match
+              !_manufs&.empty? ? _manufs.max_by{|k| k[:match] } : nil
+            }
+          end # virtual machine vs. regular device
+        end # _autopopulate_oui specified
+
+        if !_autopopulate_manuf.is_a?(Hash)
+          # no match was found at ANY match level (empty database or no OUI specified), set default ("unspecified") manufacturer
+          _autopopulate_manuf = { :name => _autopopulate_create_manuf ? _autopopulate_oui : _autopopulate_default_manuf,
+                                  :match => 0.0,
+                                  :vm => false,
+                                  :id => nil}
+        end
+
+        # make sure the site and role exists
+
+        _autopopulate_site = @site_hash.getset(_autopopulate_default_site) {
+          begin
+            _site = nil
+
+            # look it up first
+            _query = { :offset => 0,
+                       :limit => 1,
+                       :name => _autopopulate_default_site }
+            if (_sites_response = @netbox_conn.get('dcim/sites/', _query).body) &&
+               _sites_response.is_a?(Hash) &&
+               (_tmp_sites = _sites_response.fetch(:results, [])) &&
+               (_tmp_sites.length() > 0)
+            then
+               _site = _tmp_sites.first
+            end
+
+            if _site.nil?
+              # the device site is not found, create it
+              _site_data = { :name => _autopopulate_default_site,
+                             :slug => _autopopulate_default_site.to_url,
+                             :status => "active" }
+              if (_site_create_response = @netbox_conn.post('dcim/sites/', _site_data.to_json, @netbox_headers).body) &&
+                 _site_create_response.is_a?(Hash) &&
+                 _site_create_response.has_key?(:id)
+              then
+                 _site = _site_create_response
+              end
+            end
+
+          rescue Faraday::Error
+            # give up aka do nothing
+            _exception_error_general = true
+          end
+          _site
+        }
+
+        _autopopulate_role = @role_hash.getset(_autopopulate_default_role) {
+          begin
+            _role = nil
+
+            # look it up first
+            _query = { :offset => 0,
+                       :limit => 1,
+                       :name => _autopopulate_default_role }
+            if (_roles_response = @netbox_conn.get('dcim/device-roles/', _query).body) &&
+               _roles_response.is_a?(Hash) &&
+               (_tmp_roles = _roles_response.fetch(:results, [])) &&
+               (_tmp_roles.length() > 0)
+            then
+               _role = _tmp_roles.first
+            end
+
+            if _role.nil?
+              # the role is not found, create it
+              _role_data = { :name => _autopopulate_default_role,
+                              :slug => _autopopulate_default_role.to_url,
+                              :color => "d3d3d3" }
+              if (_role_create_response = @netbox_conn.post('dcim/device-roles/', _role_data.to_json, @netbox_headers).body) &&
+                 _role_create_response.is_a?(Hash) &&
+                 _role_create_response.has_key?(:id)
+              then
+                 _role = _role_create_response
+              end
+            end
+
+          rescue Faraday::ConnectionFailed
+            # give up aka do nothing (and connect next time)
+            _exception_error_connection = true
+          rescue Faraday::Error
+            # give up aka do nothing
+            _exception_error_general = true
+          end
+          _role
+        }
+
+        # we should have found or created the autopopulate role and site
+        begin
+          if _autopopulate_site&.fetch(:id, nil)&.nonzero? &&
+             _autopopulate_role&.fetch(:id, nil)&.nonzero?
+          then
+
+            if _autopopulate_manuf[:vm]
+              # a virtual machine
+              _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
+              _device_data = { :name => _device_name,
+                               :site => _autopopulate_site[:id],
+                               :status => "staged" }
+              if (_device_create_response = @netbox_conn.post('virtualization/virtual-machines/', _device_data.to_json, @netbox_headers).body) &&
+                 _device_create_response.is_a?(Hash) &&
+                 _device_create_response.has_key?(:id)
+              then
+                 _autopopulate_device = _device_create_response
+              end
+
+            else
+              # a regular non-vm device
+
+              if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
+                # the manufacturer was default (not found) so look it up first
+                _query = { :offset => 0,
+                           :limit => 1,
+                           :name => _autopopulate_manuf[:name] }
+                if (_manufs_response = @netbox_conn.get('dcim/manufacturers/', _query).body) &&
+                   _manufs_response.is_a?(Hash) &&
+                   (_tmp_manufs = _manufs_response.fetch(:results, [])) &&
+                   (_tmp_manufs.length() > 0)
+                then
+                   _autopopulate_manuf[:id] = _tmp_manufs.first.fetch(:id, nil)
+                   _autopopulate_manuf[:match] = 1.0
                 end
-                if !_vrfs.nil? && !_vrfs.empty?
-                  _interface_data[:vrf] = _vrfs.fetch(:id, []).first
+              end
+
+              if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
+                # the manufacturer is still not found, create it
+                _manuf_data = { :name => _autopopulate_manuf[:name],
+                                :slug => _autopopulate_manuf[:name].to_url }
+                if (_manuf_create_response = @netbox_conn.post('dcim/manufacturers/', _manuf_data.to_json, @netbox_headers).body) &&
+                   _manuf_create_response.is_a?(Hash)
+                then
+                   _autopopulate_manuf[:id] = _manuf_create_response.fetch(:id, nil)
+                   _autopopulate_manuf[:match] = 1.0
                 end
-                if (_interface_create_reponse = _nb.post(_autopopulate_manuf[:vm] ? 'virtualization/interfaces/' : 'dcim/interfaces/', _interface_data.to_json, _nb_headers).body) &&
-                   _interface_create_reponse.is_a?(Hash) &&
-                   _interface_create_reponse.has_key?(:id)
+              end
+
+              # at this point we *must* have the manufacturer ID
+              if _autopopulate_manuf.fetch(:id, nil)&.nonzero?
+
+                # make sure the desired device type also exists, look it up first
+                _query = { :offset => 0,
+                           :limit => 1,
+                           :manufacturer_id => _autopopulate_manuf[:id],
+                           :model => _autopopulate_default_dtype }
+                if (_dtypes_response = @netbox_conn.get('dcim/device-types/', _query).body) &&
+                   _dtypes_response.is_a?(Hash) &&
+                   (_tmp_dtypes = _dtypes_response.fetch(:results, [])) &&
+                   (_tmp_dtypes.length() > 0)
                 then
-                   _autopopulate_interface = _interface_create_reponse
+                   _autopopulate_dtype = _tmp_dtypes.first
                 end
 
-                if !_autopopulate_interface.nil? && _autopopulate_interface.fetch(:id, nil)&.nonzero?
-                  # interface has been created, we need to create an IP address for it
-                  _ip_data = { :address => "#{_key}/#{_key_ip&.prefix()}",
-                               :assigned_object_type => _autopopulate_manuf[:vm] ? "virtualization.vminterface" : "dcim.interface",
-                               :assigned_object_id => _autopopulate_interface[:id],
-                               :status => "active" }
-                  if (_vrf = _autopopulate_interface.fetch(:vrf, nil)) &&
-                     (_vrf.has_key?(:id))
+                if _autopopulate_dtype.nil?
+                  # the device type is not found, create it
+                  _dtype_data = { :manufacturer => _autopopulate_manuf[:id],
+                                  :model => _autopopulate_default_dtype,
+                                  :slug => _autopopulate_default_dtype.to_url }
+                  if (_dtype_create_response = @netbox_conn.post('dcim/device-types/', _dtype_data.to_json, @netbox_headers).body) &&
+                     _dtype_create_response.is_a?(Hash) &&
+                     _dtype_create_response.has_key?(:id)
                   then
-                    _ip_data[:vrf] = _vrf[:id]
+                     _autopopulate_dtype = _dtype_create_response
                   end
-                  if (_ip_create_reponse = _nb.post('ipam/ip-addresses/', _ip_data.to_json, _nb_headers).body) &&
-                     _ip_create_reponse.is_a?(Hash) &&
-                     _ip_create_reponse.has_key?(:id)
-                  then
-                     _autopopulate_ip = _ip_create_reponse
-                  end
-                end # check if interface was created and has ID
-
-                if !_autopopulate_ip.nil? && _autopopulate_ip.fetch(:id, nil)&.nonzero?
-                  # IP address was created, need to associate it as the primary IP for the device
-                  _primary_ip_data = { _key_ip&.ipv6? ? :primary_ip6 : :primary_ip4 => _autopopulate_ip[:id] }
-                  if (_ip_primary_reponse = _nb.patch("#{_autopopulate_manuf[:vm] ? 'virtualization/virtual-machines' : 'dcim/devices'}/#{_autopopulate_device[:id]}/", _primary_ip_data.to_json, _nb_headers).body) &&
-                     _ip_primary_reponse.is_a?(Hash) &&
-                     _ip_primary_reponse.has_key?(:id)
+                end
+
+                # # now we must also have the device type ID
+                if _autopopulate_dtype&.fetch(:id, nil)&.nonzero?
+
+                  # create the device
+                  _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
+                  _device_data = { :name => _device_name,
+                                   :device_type => _autopopulate_dtype[:id],
+                                   :role => _autopopulate_role[:id],
+                                   :site => _autopopulate_site[:id],
+                                   :status => "staged" }
+                  if (_device_create_response = @netbox_conn.post('dcim/devices/', _device_data.to_json, @netbox_headers).body) &&
+                     _device_create_response.is_a?(Hash) &&
+                     _device_create_response.has_key?(:id)
                   then
-                     _autopopulate_device = _ip_create_reponse
+                     _autopopulate_device = _device_create_response
                   end
-                end # check if the IP address was created and has an ID
-
-              end # check if device was created and has ID
 
-              # yield return value for cache_hash getset
-              _lookup_result
-            }
+                end # _autopopulate_dtype[:id] is valid
+
+              end # _autopopulate_manuf[:id] is valid
+
+            end # virtual machine vs. regular device
+
+          end # site and role are valid
+
+        rescue Faraday::Error
+          # give up aka do nothing
+          _exception_error_general = true
+        end
+
+        if !_autopopulate_device.nil?
+          # we created a device, so send it back out as the result for the event as well
+          _devices << { :name => _autopopulate_device&.fetch(:name, _autopopulate_device&.fetch(:display, nil)),
+                        :id => _autopopulate_device&.fetch(:id, nil),
+                        :url => _autopopulate_device&.fetch(:url, nil),
+                        :site => _autopopulate_site&.fetch(:name, nil),
+                        :role => _autopopulate_role&.fetch(:name, nil),
+                        :device_type => _autopopulate_dtype&.fetch(:name, nil),
+                        :manufacturer => _autopopulate_manuf&.fetch(:name, nil),
+                        :details => _verbose ? _autopopulate_device : nil }
+        end # _autopopulate_device was not nil (i.e., we autocreated a device)
+
+      end # _autopopulate turned on and no results found
+
+      _devices = collect_values(crush(_devices))
+      _devices.fetch(:service, [])&.flatten!&.uniq!
+      _result = _devices
+    end # _lookup_type == :ip_device
+
+    # this || is because we are going to need to do the VRF lookup if we're autopopulating
+    # as well as if we're specifically requested to do that enrichment
+
+    if (_lookup_type == :ip_vrf) || !_autopopulate_device.nil?
+    #################################################################################
+      # retrieve the list VRFs containing IP address prefixes containing the search key
+      _vrfs = Array.new
+      _query = { :contains => _key,
+                 :offset => 0,
+                 :limit => _page_size }
+      _query[:site_n] = _lookup_site unless _lookup_site.nil? || _lookup_site.empty?
+      begin
+        while true do
+          if (_prefixes_response = @netbox_conn.get('ipam/prefixes/', _query).body) &&
+             _prefixes_response.is_a?(Hash)
+          then
+            _tmp_prefixes = _prefixes_response.fetch(:results, [])
+            _tmp_prefixes.each do |p|
+              if (_vrf = p.fetch(:vrf, nil))
+                # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
+                # if _verbose, include entire object as :details
+                _vrfs << { :name => _vrf.fetch(:name, _vrf.fetch(:display, nil)),
+                           :id => _vrf.fetch(:id, nil),
+                           :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
+                           :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),
+                           :url => p.fetch(:url, _vrf.fetch(:url, nil)),
+                           :details => _verbose ? _vrf.merge({:prefix => p.tap { |h| h.delete(:vrf) }}) : nil }
+              end
+            end
+            _query[:offset] += _tmp_prefixes.length()
+            break unless (_tmp_prefixes.length() >= _page_size)
+          else
+            break
+          end
+        end
+      rescue Faraday::Error
+        # give up aka do nothing
+        _exception_error_general = true
+      end
+      _vrfs = collect_values(crush(_vrfs))
+      _result = _vrfs unless (_lookup_type != :ip_vrf)
+    end # _lookup_type == :ip_vrf
+
+    if !_autopopulate_device.nil? && _autopopulate_device.fetch(:id, nil)&.nonzero?
+      # device has been created, we need to create an interface for it
+      _interface_data = { _autopopulate_manuf[:vm] ? :virtual_machine : :device => _autopopulate_device[:id],
+                          :name => "e0",
+                          :type => "other" }
+      if !_autopopulate_mac.nil? && !_autopopulate_mac.empty?
+        _interface_data[:mac_address] = _autopopulate_mac.is_a?(Array) ? _autopopulate_mac.first : _autopopulate_mac
+      end
+      if !_vrfs.nil? && !_vrfs.empty?
+        _interface_data[:vrf] = _vrfs.fetch(:id, []).first
+      end
+      if (_interface_create_reponse = @netbox_conn.post(_autopopulate_manuf[:vm] ? 'virtualization/interfaces/' : 'dcim/interfaces/', _interface_data.to_json, @netbox_headers).body) &&
+         _interface_create_reponse.is_a?(Hash) &&
+         _interface_create_reponse.has_key?(:id)
+      then
+         _autopopulate_interface = _interface_create_reponse
+      end
+
+      if !_autopopulate_interface.nil? && _autopopulate_interface.fetch(:id, nil)&.nonzero?
+        # interface has been created, we need to create an IP address for it
+        _ip_data = { :address => "#{_key}/#{_key_ip&.prefix()}",
+                     :assigned_object_type => _autopopulate_manuf[:vm] ? "virtualization.vminterface" : "dcim.interface",
+                     :assigned_object_id => _autopopulate_interface[:id],
+                     :status => "active" }
+        if (_vrf = _autopopulate_interface.fetch(:vrf, nil)) &&
+           (_vrf.has_key?(:id))
+        then
+          _ip_data[:vrf] = _vrf[:id]
+        end
+        if (_ip_create_reponse = @netbox_conn.post('ipam/ip-addresses/', _ip_data.to_json, @netbox_headers).body) &&
+           _ip_create_reponse.is_a?(Hash) &&
+           _ip_create_reponse.has_key?(:id)
+        then
+           _autopopulate_ip = _ip_create_reponse
+        end
+      end # check if interface was created and has ID
+
+      if !_autopopulate_ip.nil? && _autopopulate_ip.fetch(:id, nil)&.nonzero?
+        # IP address was created, need to associate it as the primary IP for the device
+        _primary_ip_data = { _key_ip&.ipv6? ? :primary_ip6 : :primary_ip4 => _autopopulate_ip[:id] }
+        if (_ip_primary_reponse = @netbox_conn.patch("#{_autopopulate_manuf[:vm] ? 'virtualization/virtual-machines' : 'dcim/devices'}/#{_autopopulate_device[:id]}/", _primary_ip_data.to_json, @netbox_headers).body) &&
+           _ip_primary_reponse.is_a?(Hash) &&
+           _ip_primary_reponse.has_key?(:id)
+        then
+           _autopopulate_device = _ip_create_reponse
+        end
+      end # check if the IP address was created and has an ID
+
+    end # check if device was created and has ID
+
+    if _exception_error_connection && !@netbox_conn_resetting
+      @netbox_conn_lock.with_write_lock {
+        if !@netbox_conn_resetting
+          @netbox_conn_needs_reset = true
+        end
+      }
+    end
+  } # @netbox_conn_lock.with_read_lock
 
   if !_result.nil? && _result.has_key?(:url) && !_result[:url]&.empty?
     _result[:url].map! { |u| u.delete_prefix(@netbox_url_base).gsub('/api/', '/') }

From 883147663db6eaa91130689027793981df728dd1 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 27 Oct 2023 07:01:09 -0600
Subject: [PATCH 07/82] work in pgoress for address issues with NetBox database
 and Logstash's NetBox cache (idaholab/Malcolm#259)

---
 logstash/ruby/netbox_enrich.rb | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb
index 117f88094..2d071a970 100644
--- a/logstash/ruby/netbox_enrich.rb
+++ b/logstash/ruby/netbox_enrich.rb
@@ -231,11 +231,13 @@ def filter(event)
   _exception_error_general = false
   _exception_error_connection = false
 
-  @netbox_conn_lock.with_read_lock {
+  @netbox_conn_lock.acquire_read_lock
+  begin
 
     # make sure the connection to the NetBox API exists and wasn't flagged for reconnect
     if @netbox_conn.nil? || @netbox_conn_needs_reset
-      @netbox_conn_lock.with_write_lock {
+      @netbox_conn_lock.acquire_write_lock
+      begin
         if @netbox_conn.nil? || @netbox_conn_needs_reset
           begin
             # we need to reconnect to the NetBox API
@@ -250,7 +252,9 @@ def filter(event)
             @netbox_conn_needs_reset = @netbox_conn.nil?
           end
         end # connection check in write lock
-      } # @netbox_conn_lock.with_write_lock
+      ensure
+        @netbox_conn_lock.release_write_lock
+      end
     end # connection check in read lock
 
     # handle :ip_device first, because if we're doing autopopulate we're also going to use
@@ -719,13 +723,18 @@ def filter(event)
     end # check if device was created and has ID
 
     if _exception_error_connection && !@netbox_conn_resetting
-      @netbox_conn_lock.with_write_lock {
+      @netbox_conn_lock.acquire_write_lock
+      begin
         if !@netbox_conn_resetting
           @netbox_conn_needs_reset = true
         end
-      }
+      ensure
+        @netbox_conn_lock.release_write_lock
+      end
     end
-  } # @netbox_conn_lock.with_read_lock
+  ensure
+    @netbox_conn_lock.release_read_lock
+  end
 
   if !_result.nil? && _result.has_key?(:url) && !_result[:url]&.empty?
     _result[:url].map! { |u| u.delete_prefix(@netbox_url_base).gsub('/api/', '/') }

From 20a89d58661a3e8a4b9a3351f7c560ab64d9bd88 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 27 Oct 2023 07:13:33 -0600
Subject: [PATCH 08/82] work in pgoress for address issues with NetBox database
 and Logstash's NetBox cache, should fix locking issues (idaholab/Malcolm#259)

---
 logstash/ruby/netbox_enrich.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb
index 2d071a970..96e4dc31e 100644
--- a/logstash/ruby/netbox_enrich.rb
+++ b/logstash/ruby/netbox_enrich.rb
@@ -236,6 +236,7 @@ def filter(event)
 
     # make sure the connection to the NetBox API exists and wasn't flagged for reconnect
     if @netbox_conn.nil? || @netbox_conn_needs_reset
+      @netbox_conn_lock.release_read_lock
       @netbox_conn_lock.acquire_write_lock
       begin
         if @netbox_conn.nil? || @netbox_conn_needs_reset
@@ -254,6 +255,7 @@ def filter(event)
         end # connection check in write lock
       ensure
         @netbox_conn_lock.release_write_lock
+        @netbox_conn_lock.acquire_read_lock
       end
     end # connection check in read lock
 
@@ -723,6 +725,7 @@ def filter(event)
     end # check if device was created and has ID
 
     if _exception_error_connection && !@netbox_conn_resetting
+      @netbox_conn_lock.release_read_lock
       @netbox_conn_lock.acquire_write_lock
       begin
         if !@netbox_conn_resetting
@@ -730,6 +733,7 @@ def filter(event)
         end
       ensure
         @netbox_conn_lock.release_write_lock
+        @netbox_conn_lock.acquire_read_lock
       end
     end
   ensure

From 16d5053e03de8b2e53c9632de2328fc2dc0248f6 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 27 Oct 2023 09:52:15 -0600
Subject: [PATCH 09/82] specify lru_redux in the gemspec

---
 Dockerfiles/logstash.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 67e1ed0c4..cebe8a6ee 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -66,7 +66,7 @@ RUN set -x && \
     echo "gem 'concurrent-ruby'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'deep_merge'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'fuzzy-string-match'" >> /usr/share/logstash/Gemfile && \
-    echo "gem 'lru_cache'" >> /usr/share/logstash/Gemfile && \
+    echo "gem 'lru_redux'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'psych'" >> /usr/share/logstash/Gemfile && \
     echo "gem 'stringex'" >> /usr/share/logstash/Gemfile && \
     /usr/share/logstash/bin/ruby -S bundle install && \

From 92b4b34112d90fbc8e6d24ade7620abe95c29ab8 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 27 Oct 2023 10:21:44 -0600
Subject: [PATCH 10/82] address issues with NetBox database and Logstash's
 NetBox cache (idaholab/Malcolm#259); restore caching for performance reasons,
 but decrease TTL significantly and allow it to be specified via environment
 variable

---
 Dockerfiles/logstash.Dockerfile              |    4 +
 config/logstash.env.example                  |    3 +
 logstash/pipelines/enrichment/21_netbox.conf |    8 +
 logstash/ruby/netbox_enrich.rb               | 1011 +++++++++---------
 4 files changed, 514 insertions(+), 512 deletions(-)

diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index cebe8a6ee..0c2c9258c 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -32,6 +32,8 @@ ARG LOGSTASH_NETBOX_ENRICHMENT=false
 ARG LOGSTASH_NETBOX_ENRICHMENT_VERBOSE=false
 ARG LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE=true
 ARG LOGSTASH_NETBOX_AUTO_POPULATE=false
+ARG LOGSTASH_NETBOX_CACHE_SIZE=1000
+ARG LOGSTASH_NETBOX_CACHE_TTL=30
 
 ENV LOGSTASH_ENRICHMENT_PIPELINE $LOGSTASH_ENRICHMENT_PIPELINE
 ENV LOGSTASH_PARSE_PIPELINE_ADDRESSES $LOGSTASH_PARSE_PIPELINE_ADDRESSES
@@ -42,6 +44,8 @@ ENV LOGSTASH_NETBOX_ENRICHMENT $LOGSTASH_NETBOX_ENRICHMENT
 ENV LOGSTASH_NETBOX_ENRICHMENT_VERBOSE $LOGSTASH_NETBOX_ENRICHMENT_VERBOSE
 ENV LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE $LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE
 ENV LOGSTASH_NETBOX_AUTO_POPULATE $LOGSTASH_NETBOX_AUTO_POPULATE
+ENV LOGSTASH_NETBOX_CACHE_SIZE $LOGSTASH_NETBOX_CACHE_SIZE
+ENV LOGSTASH_NETBOX_CACHE_TTL $LOGSTASH_NETBOX_CACHE_TTL
 
 USER root
 
diff --git a/config/logstash.env.example b/config/logstash.env.example
index 6370a05c1..b5e6f7e56 100644
--- a/config/logstash.env.example
+++ b/config/logstash.env.example
@@ -13,5 +13,8 @@ LOGSTASH_REVERSE_DNS=false
 LOGSTASH_NETBOX_ENRICHMENT=false
 # Whether or not unobserved network entities in Logstash data will be used to populate NetBox
 LOGSTASH_NETBOX_AUTO_POPULATE=false
+# Caching parameters for NetBox's LogStash lookups
+LOGSTASH_NETBOX_CACHE_SIZE=1000
+LOGSTASH_NETBOX_CACHE_TTL=30
 # Logstash memory allowance and other Java options
 LS_JAVA_OPTS=-server -Xms2500m -Xmx2500m -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true
\ No newline at end of file
diff --git a/logstash/pipelines/enrichment/21_netbox.conf b/logstash/pipelines/enrichment/21_netbox.conf
index 50731cc12..66c0f34db 100644
--- a/logstash/pipelines/enrichment/21_netbox.conf
+++ b/logstash/pipelines/enrichment/21_netbox.conf
@@ -31,6 +31,8 @@ filter {
           "lookup_site_env" => "NETBOX_DEFAULT_SITE"
           "verbose_env" => "LOGSTASH_NETBOX_ENRICHMENT_VERBOSE"
           "netbox_token_env" => "SUPERUSER_API_TOKEN"
+          "cache_size_env" => "LOGSTASH_NETBOX_CACHE_SIZE"
+          "cache_ttl_env" => "LOGSTASH_NETBOX_CACHE_TTL"
         }
       }
       ruby {
@@ -44,6 +46,8 @@ filter {
           "lookup_service" => "false"
           "verbose_env" => "LOGSTASH_NETBOX_ENRICHMENT_VERBOSE"
           "netbox_token_env" => "SUPERUSER_API_TOKEN"
+          "cache_size_env" => "LOGSTASH_NETBOX_CACHE_SIZE"
+          "cache_ttl_env" => "LOGSTASH_NETBOX_CACHE_TTL"
           "autopopulate_env" => "LOGSTASH_NETBOX_AUTO_POPULATE"
           "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER"
           "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE"
@@ -66,6 +70,8 @@ filter {
           "lookup_site_env" => "NETBOX_DEFAULT_SITE"
           "verbose_env" => "LOGSTASH_NETBOX_ENRICHMENT_VERBOSE"
           "netbox_token_env" => "SUPERUSER_API_TOKEN"
+          "cache_size_env" => "LOGSTASH_NETBOX_CACHE_SIZE"
+          "cache_ttl_env" => "LOGSTASH_NETBOX_CACHE_TTL"
         }
       }
       ruby {
@@ -80,6 +86,8 @@ filter {
           "lookup_service_port_source" => "[destination][port]"
           "verbose_env" => "LOGSTASH_NETBOX_ENRICHMENT_VERBOSE"
           "netbox_token_env" => "SUPERUSER_API_TOKEN"
+          "cache_size_env" => "LOGSTASH_NETBOX_CACHE_SIZE"
+          "cache_ttl_env" => "LOGSTASH_NETBOX_CACHE_TTL"
           "autopopulate_env" => "LOGSTASH_NETBOX_AUTO_POPULATE"
           "default_manuf_env" => "NETBOX_DEFAULT_MANUFACTURER"
           "default_dtype_env" => "NETBOX_DEFAULT_DEVICE_TYPE"
diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb
index 96e4dc31e..fedc370dd 100644
--- a/logstash/ruby/netbox_enrich.rb
+++ b/logstash/ruby/netbox_enrich.rb
@@ -3,7 +3,6 @@ def concurrency
 end
 
 def register(params)
-  require 'concurrent'
   require 'date'
   require 'faraday'
   require 'fuzzystringmatch'
@@ -46,6 +45,28 @@ def register(params)
   # API parameters
   @page_size = params.fetch("page_size", 50)
 
+  # caching parameters (default cache size = 1000, default cache TTL = 30 seconds)
+  _cache_size_val = params["cache_size"]
+  _cache_size_env = params["cache_size_env"]
+  if (!_cache_size_val.is_a?(Integer) || _cache_size_val <= 0) && !_cache_size_env.nil?
+    _cache_size_val = Integer(ENV[_cache_size_env], exception: false)
+  end
+  if _cache_size_val.is_a?(Integer) && (_cache_size_val > 0)
+    @cache_size = _cache_size_val
+  else
+    @cache_size = 1000
+  end
+  _cache_ttl_val = params["cache_ttl"]
+  _cache_ttl_env = params["cache_ttl_env"]
+  if (!_cache_ttl_val.is_a?(Integer) || _cache_ttl_val <= 0) && !_cache_ttl_env.nil?
+    _cache_ttl_val = Integer(ENV[_cache_ttl_env], exception: false)
+  end
+  if _cache_ttl_val.is_a?(Integer) && (_cache_ttl_val > 0)
+    @cache_ttl = _cache_ttl_val
+  else
+    @cache_ttl = 30
+  end
+
   # target field to store looked-up value
   @target = params["target"]
 
@@ -70,13 +91,6 @@ def register(params)
   @netbox_url = params.fetch("netbox_url", "http://netbox:8080/netbox/api").delete_suffix("/")
   @netbox_url_suffix = "/netbox/api"
   @netbox_url_base = @netbox_url.delete_suffix(@netbox_url_suffix)
-  @netbox_headers = { 'Content-Type': 'application/json' }
-
-  # netbox connection (will be initialized in a thread-safe manner in filter)
-  @netbox_conn = nil
-  @netbox_conn_lock = Concurrent::ReentrantReadWriteLock.new
-  @netbox_conn_needs_reset = false
-  @netbox_conn_resetting = false
 
   # connection token (either specified directly or read from ENV via netbox_token_env)
   @netbox_token = params["netbox_token"]
@@ -85,6 +99,9 @@ def register(params)
     @netbox_token = ENV[_netbox_token_env]
   end
 
+  # hash of lookup types (from @lookup_type), each of which contains the respective looked-up values
+  @cache_hash = LruRedux::ThreadSafeCache.new(params.fetch("lookup_cache_size", 512))
+
   # these are used for autopopulation only, not lookup/enrichment
 
   # autopopulate - either specified directly or read from ENV via autopopulate_env
@@ -180,13 +197,13 @@ def register(params)
   @autopopulate_create_manuf = [1, true, '1', 'true', 't', 'on', 'enabled'].include?(_autopopulate_create_manuf_str.to_s.downcase)
 
   # case-insensitive hash of OUIs (https://standards-oui.ieee.org/) to Manufacturers (https://demo.netbox.dev/static/docs/core-functionality/device-types/)
-  @manuf_hash = LruRedux::ThreadSafeCache.new(params.fetch("manuf_cache_size", 2048))
+  @manuf_hash = LruRedux::TTL::ThreadSafeCache.new(params.fetch("manuf_cache_size", 2048), @cache_ttl)
 
   # case-insensitive hash of role names to IDs
-  @role_hash = LruRedux::ThreadSafeCache.new(params.fetch("role_cache_size", 128))
+  @role_hash = LruRedux::TTL::ThreadSafeCache.new(params.fetch("role_cache_size", 256), @cache_ttl)
 
   # case-insensitive hash of site names to IDs
-  @site_hash = LruRedux::ThreadSafeCache.new(params.fetch("site_cache_size", 128))
+  @site_hash = LruRedux::TTL::ThreadSafeCache.new(params.fetch("site_cache_size", 128), @cache_ttl)
 
   # end of autopopulation arguments
 
@@ -202,6 +219,9 @@ def filter(event)
   _url = @netbox_url
   _url_base = @netbox_url_base
   _url_suffix = @netbox_url_suffix
+  _token = @netbox_token
+  _cache_size = @cache_size
+  _cache_ttl = @cache_ttl
   _page_size = @page_size
   _verbose = @verbose
   _lookup_type = @lookup_type
@@ -218,527 +238,494 @@ def filter(event)
   _autopopulate_mac = event.get("#{@source_mac}")
   _autopopulate_oui = event.get("#{@source_oui}")
 
-  _result = nil
-  _autopopulate_device = nil
-  _autopopulate_role = nil
-  _autopopulate_dtype = nil
-  _autopopulate_interface = nil
-  _autopopulate_ip = nil
-  _autopopulate_manuf = nil
-  _autopopulate_site = nil
-  _vrfs = nil
-  _devices = nil
-  _exception_error_general = false
-  _exception_error_connection = false
-
-  @netbox_conn_lock.acquire_read_lock
-  begin
-
-    # make sure the connection to the NetBox API exists and wasn't flagged for reconnect
-    if @netbox_conn.nil? || @netbox_conn_needs_reset
-      @netbox_conn_lock.release_read_lock
-      @netbox_conn_lock.acquire_write_lock
-      begin
-        if @netbox_conn.nil? || @netbox_conn_needs_reset
-          begin
-            # we need to reconnect to the NetBox API
-            @netbox_conn_resetting = true
-            @netbox_conn = Faraday.new(_url) do |conn|
-              conn.request :authorization, 'Token', @netbox_token
-              conn.request :url_encoded
-              conn.response :json, :parser_options => { :symbolize_names => true }
-            end
-          ensure
-            @netbox_conn_resetting = false
-            @netbox_conn_needs_reset = @netbox_conn.nil?
-          end
-        end # connection check in write lock
-      ensure
-        @netbox_conn_lock.release_write_lock
-        @netbox_conn_lock.acquire_read_lock
-      end
-    end # connection check in read lock
-
-    # handle :ip_device first, because if we're doing autopopulate we're also going to use
-    # some of the logic from :ip_vrf
-
-    if (_lookup_type == :ip_device)
-    #################################################################################
-      # retrieve the list of IP addresses where address matches the search key, limited to "assigned" addresses.
-      # then, for those IP addresses, search for devices pertaining to the interfaces assigned to each
-      # IP address (e.g., ipam.ip_address -> dcim.interface -> dcim.device, or
-      # ipam.ip_address -> virtualization.interface -> virtualization.virtual_machine)
-      _devices = Array.new
-      _query = { :address => _key,
-                 :offset => 0,
-                 :limit => _page_size }
-      begin
-        while true do
-          if (_ip_addresses_response = @netbox_conn.get('ipam/ip-addresses/', _query).body) &&
-             _ip_addresses_response.is_a?(Hash)
-          then
-            _tmp_ip_addresses = _ip_addresses_response.fetch(:results, [])
-            _tmp_ip_addresses.each do |i|
-              _is_device = nil
-              if (_obj = i.fetch(:assigned_object, nil)) &&
-                 ((_device_obj = _obj.fetch(:device, nil)) ||
-                  (_virtualized_obj = _obj.fetch(:virtual_machine, nil)))
-              then
-                _is_device = !_device_obj.nil?
-                _device = _is_device ? _device_obj : _virtualized_obj
-                # if we can, follow the :assigned_object's "full" device URL to get more information
-                _device = (_device.has_key?(:url) && (_full_device = @netbox_conn.get(_device[:url].delete_prefix(_url_base).delete_prefix(_url_suffix).delete_prefix("/")).body)) ? _full_device : _device
-                _device_id = _device.fetch(:id, nil)
-                _device_site = ((_site = _device.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil)
-                next unless (_device_site.to_s.downcase == _lookup_site.to_s.downcase) || _lookup_site.nil? || _lookup_site.empty? || _device_site.nil? || _device_site.empty?
-                # look up service if requested (based on device/vm found and service port)
-                if (_lookup_service_port > 0)
-                  _services = Array.new
-                  _service_query = { (_is_device ? :device_id : :virtual_machine_id) => _device_id, :port => _lookup_service_port, :offset => 0, :limit => _page_size }
+  _result = @cache_hash.getset(_lookup_type){
+              LruRedux::TTL::ThreadSafeCache.new(_cache_size, _cache_ttl)
+            }.getset(_key){
+
+              _nb = Faraday.new(_url) do |conn|
+                conn.request :authorization, 'Token', _token
+                conn.request :url_encoded
+                conn.response :json, :parser_options => { :symbolize_names => true }
+              end
+              _nb_headers = { 'Content-Type': 'application/json' }
+
+              _lookup_result = nil
+              _autopopulate_device = nil
+              _autopopulate_role = nil
+              _autopopulate_dtype = nil
+              _autopopulate_interface = nil
+              _autopopulate_ip = nil
+              _autopopulate_manuf = nil
+              _autopopulate_site = nil
+              _vrfs = nil
+              _devices = nil
+              _exception_error = false
+
+              # handle :ip_device first, because if we're doing autopopulate we're also going to use
+              # some of the logic from :ip_vrf
+
+              if (_lookup_type == :ip_device)
+              #################################################################################
+                # retrieve the list of IP addresses where address matches the search key, limited to "assigned" addresses.
+                # then, for those IP addresses, search for devices pertaining to the interfaces assigned to each
+                # IP address (e.g., ipam.ip_address -> dcim.interface -> dcim.device, or
+                # ipam.ip_address -> virtualization.interface -> virtualization.virtual_machine)
+                _devices = Array.new
+                _query = { :address => _key,
+                           :offset => 0,
+                           :limit => _page_size }
+                begin
                   while true do
-                    if (_services_response = @netbox_conn.get('ipam/services/', _service_query).body) &&
-                       _services_response.is_a?(Hash)
+                    if (_ip_addresses_response = _nb.get('ipam/ip-addresses/', _query).body) &&
+                       _ip_addresses_response.is_a?(Hash)
                     then
-                      _tmp_services = _services_response.fetch(:results, [])
-                      _services.unshift(*_tmp_services) unless _tmp_services.nil? || _tmp_services.empty?
-                      _service_query[:offset] += _tmp_services.length()
-                      break unless (_tmp_services.length() >= _page_size)
+                      _tmp_ip_addresses = _ip_addresses_response.fetch(:results, [])
+                      _tmp_ip_addresses.each do |i|
+                        _is_device = nil
+                        if (_obj = i.fetch(:assigned_object, nil)) &&
+                           ((_device_obj = _obj.fetch(:device, nil)) ||
+                            (_virtualized_obj = _obj.fetch(:virtual_machine, nil)))
+                        then
+                          _is_device = !_device_obj.nil?
+                          _device = _is_device ? _device_obj : _virtualized_obj
+                          # if we can, follow the :assigned_object's "full" device URL to get more information
+                          _device = (_device.has_key?(:url) && (_full_device = _nb.get(_device[:url].delete_prefix(_url_base).delete_prefix(_url_suffix).delete_prefix("/")).body)) ? _full_device : _device
+                          _device_id = _device.fetch(:id, nil)
+                          _device_site = ((_site = _device.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil)
+                          next unless (_device_site.to_s.downcase == _lookup_site.to_s.downcase) || _lookup_site.nil? || _lookup_site.empty? || _device_site.nil? || _device_site.empty?
+                          # look up service if requested (based on device/vm found and service port)
+                          if (_lookup_service_port > 0)
+                            _services = Array.new
+                            _service_query = { (_is_device ? :device_id : :virtual_machine_id) => _device_id, :port => _lookup_service_port, :offset => 0, :limit => _page_size }
+                            while true do
+                              if (_services_response = _nb.get('ipam/services/', _service_query).body) &&
+                                 _services_response.is_a?(Hash)
+                              then
+                                _tmp_services = _services_response.fetch(:results, [])
+                                _services.unshift(*_tmp_services) unless _tmp_services.nil? || _tmp_services.empty?
+                                _service_query[:offset] += _tmp_services.length()
+                                break unless (_tmp_services.length() >= _page_size)
+                              else
+                                break
+                              end
+                            end
+                            _device[:service] = _services
+                          end
+                          # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
+                          # if _verbose, include entire object as :details
+                          _devices << { :name => _device.fetch(:name, _device.fetch(:display, nil)),
+                                        :id => _device_id,
+                                        :url => _device.fetch(:url, nil),
+                                        :service => _device.fetch(:service, []).map {|s| s.fetch(:name, s.fetch(:display, nil)) },
+                                        :site => _device_site,
+                                        :role => ((_role = _device.fetch(:role, nil)) && _role&.has_key?(:name)) ? _role[:name] : _role&.fetch(:display, nil),
+                                        :cluster => ((_cluster = _device.fetch(:cluster, nil)) && _cluster&.has_key?(:name)) ? _cluster[:name] : _cluster&.fetch(:display, nil),
+                                        :device_type => ((_dtype = _device.fetch(:device_type, nil)) && _dtype&.has_key?(:name)) ? _dtype[:name] : _dtype&.fetch(:display, nil),
+                                        :manufacturer => ((_manuf = _device.dig(:device_type, :manufacturer)) && _manuf&.has_key?(:name)) ? _manuf[:name] : _manuf&.fetch(:display, nil),
+                                        :details => _verbose ? _device : nil }
+                        end
+                      end
+                      _query[:offset] += _tmp_ip_addresses.length()
+                      break unless (_tmp_ip_addresses.length() >= _page_size)
                     else
+                      # weird/bad response, bail
+                      _exception_error = true
                       break
                     end
-                  end
-                  _device[:service] = _services
+                  end # while true
+                rescue Faraday::Error
+                  # give up aka do nothing
+                  _exception_error = true
                 end
-                # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
-                # if _verbose, include entire object as :details
-                _devices << { :name => _device.fetch(:name, _device.fetch(:display, nil)),
-                              :id => _device_id,
-                              :url => _device.fetch(:url, nil),
-                              :service => _device.fetch(:service, []).map {|s| s.fetch(:name, s.fetch(:display, nil)) },
-                              :site => _device_site,
-                              :role => ((_role = _device.fetch(:role, nil)) && _role&.has_key?(:name)) ? _role[:name] : _role&.fetch(:display, nil),
-                              :cluster => ((_cluster = _device.fetch(:cluster, nil)) && _cluster&.has_key?(:name)) ? _cluster[:name] : _cluster&.fetch(:display, nil),
-                              :device_type => ((_dtype = _device.fetch(:device_type, nil)) && _dtype&.has_key?(:name)) ? _dtype[:name] : _dtype&.fetch(:display, nil),
-                              :manufacturer => ((_manuf = _device.dig(:device_type, :manufacturer)) && _manuf&.has_key?(:name)) ? _manuf[:name] : _manuf&.fetch(:display, nil),
-                              :details => _verbose ? _device : nil }
-              end
-            end
-            _query[:offset] += _tmp_ip_addresses.length()
-            break unless (_tmp_ip_addresses.length() >= _page_size)
-          else
-            # weird/bad response, bail
-            _exception_error_general = true
-            break
-          end
-        end # while true
-      rescue Faraday::Error
-        # give up aka do nothing
-        _exception_error_general = true
-      end
-
-      if _autopopulate && (_query[:offset] == 0) && !_exception_error_general && !_exception_error_connection && _key_ip&.private?
-
-        # no results found, autopopulate enabled, private-space IP address...
-        # let's create an entry for this device
-
-        # if MAC is set but OUI is not, do a quick lookup
-        if (!_autopopulate_mac.nil? && !_autopopulate_mac.empty?) &&
-           (_autopopulate_oui.nil? || _autopopulate_oui.empty?)
-        then
-          case _autopopulate_mac
-          when String
-            if @macregex.match?(_autopopulate_mac)
-              _macint = mac_string_to_integer(_autopopulate_mac)
-              _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
-              _autopopulate_oui = _vendor[2] unless _vendor.nil?
-            end # _autopopulate_mac matches @macregex
-          when Array
-            _autopopulate_mac.each do |_addr|
-              if @macregex.match?(_addr)
-                _macint = mac_string_to_integer(_addr)
-                _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
-                if !_vendor.nil?
-                  _autopopulate_oui = _vendor[2]
-                  break
-                end # !_vendor.nil?
-              end # _addr matches @macregex
-            end # _autopopulate_mac.each do
-          end # case statement _autopopulate_mac String vs. Array
-        end # MAC is populated but OUI is not
-
-        # match/look up manufacturer based on OUI
-        if !_autopopulate_oui.nil? && !_autopopulate_oui.empty?
-
-          _autopopulate_oui = _autopopulate_oui.first() unless !_autopopulate_oui.is_a?(Array)
-
-          # does it look like a VM or a regular device?
-          if @vm_namesarray.include?(_autopopulate_oui.downcase)
-            # looks like this is probably a virtual machine
-            _autopopulate_manuf = { :name => _autopopulate_oui,
-                                    :match => 1.0,
-                                    :vm => true,
-                                    :id => nil }
-
-          else
-            # looks like this is not a virtual machine (or we can't tell) so assume its' a regular device
-            _autopopulate_manuf = @manuf_hash.getset(_autopopulate_oui) {
-              _fuzzy_matcher = FuzzyStringMatch::JaroWinkler.create( :pure )
-              _manufs = Array.new
-              # fetch the manufacturers to do the comparison. this is a lot of work
-              # and not terribly fast but once the hash it populated it shouldn't happen too often
-              _query = { :offset => 0,
-                         :limit => _page_size }
-              begin
-                while true do
-                  if (_manufs_response = @netbox_conn.get('dcim/manufacturers/', _query).body) &&
-                     _manufs_response.is_a?(Hash)
+
+                if _autopopulate && (_query[:offset] == 0) && !_exception_error && _key_ip&.private?
+
+                  # no results found, autopopulate enabled, private-space IP address...
+                  # let's create an entry for this device
+
+                  # if MAC is set but OUI is not, do a quick lookup
+                  if (!_autopopulate_mac.nil? && !_autopopulate_mac.empty?) &&
+                     (_autopopulate_oui.nil? || _autopopulate_oui.empty?)
                   then
-                    _tmp_manufs = _manufs_response.fetch(:results, [])
-                    _tmp_manufs.each do |_manuf|
-                      _tmp_name = _manuf.fetch(:name, _manuf.fetch(:display, nil))
-                      _manufs << { :name => _tmp_name,
-                                   :id => _manuf.fetch(:id, nil),
-                                   :url => _manuf.fetch(:url, nil),
-                                   :match => _fuzzy_matcher.getDistance(_tmp_name.to_s.downcase, _autopopulate_oui.to_s.downcase),
-                                   :vm => false
-                                 }
+                    case _autopopulate_mac
+                    when String
+                      if @macregex.match?(_autopopulate_mac)
+                        _macint = mac_string_to_integer(_autopopulate_mac)
+                        _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
+                        _autopopulate_oui = _vendor[2] unless _vendor.nil?
+                      end # _autopopulate_mac matches @macregex
+                    when Array
+                      _autopopulate_mac.each do |_addr|
+                        if @macregex.match?(_addr)
+                          _macint = mac_string_to_integer(_addr)
+                          _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)}
+                          if !_vendor.nil?
+                            _autopopulate_oui = _vendor[2]
+                            break
+                          end # !_vendor.nil?
+                        end # _addr matches @macregex
+                      end # _autopopulate_mac.each do
+                    end # case statement _autopopulate_mac String vs. Array
+                  end # MAC is populated but OUI is not
+
+                  # match/look up manufacturer based on OUI
+                  if !_autopopulate_oui.nil? && !_autopopulate_oui.empty?
+
+                    _autopopulate_oui = _autopopulate_oui.first() unless !_autopopulate_oui.is_a?(Array)
+
+                    # does it look like a VM or a regular device?
+                    if @vm_namesarray.include?(_autopopulate_oui.downcase)
+                      # looks like this is probably a virtual machine
+                      _autopopulate_manuf = { :name => _autopopulate_oui,
+                                              :match => 1.0,
+                                              :vm => true,
+                                              :id => nil }
+
+                    else
+                      # looks like this is not a virtual machine (or we can't tell) so assume its' a regular device
+                      _autopopulate_manuf = @manuf_hash.getset(_autopopulate_oui) {
+                        _fuzzy_matcher = FuzzyStringMatch::JaroWinkler.create( :pure )
+                        _manufs = Array.new
+                        # fetch the manufacturers to do the comparison. this is a lot of work
+                        # and not terribly fast but once the hash it populated it shouldn't happen too often
+                        _query = { :offset => 0,
+                                   :limit => _page_size }
+                        begin
+                          while true do
+                            if (_manufs_response = _nb.get('dcim/manufacturers/', _query).body) &&
+                               _manufs_response.is_a?(Hash)
+                            then
+                              _tmp_manufs = _manufs_response.fetch(:results, [])
+                              _tmp_manufs.each do |_manuf|
+                                _tmp_name = _manuf.fetch(:name, _manuf.fetch(:display, nil))
+                                _manufs << { :name => _tmp_name,
+                                             :id => _manuf.fetch(:id, nil),
+                                             :url => _manuf.fetch(:url, nil),
+                                             :match => _fuzzy_matcher.getDistance(_tmp_name.to_s.downcase, _autopopulate_oui.to_s.downcase),
+                                             :vm => false
+                                           }
+                              end
+                              _query[:offset] += _tmp_manufs.length()
+                              break unless (_tmp_manufs.length() >= _page_size)
+                            else
+                              break
+                            end
+                          end
+                        rescue Faraday::Error
+                          # give up aka do nothing
+                          _exception_error = true
+                        end
+                        # return the manuf with the highest match
+                        !_manufs&.empty? ? _manufs.max_by{|k| k[:match] } : nil
+                      }
+                    end # virtual machine vs. regular device
+                  end # _autopopulate_oui specified
+
+                  if !_autopopulate_manuf.is_a?(Hash)
+                    # no match was found at ANY match level (empty database or no OUI specified), set default ("unspecified") manufacturer
+                    _autopopulate_manuf = { :name => _autopopulate_create_manuf ? _autopopulate_oui : _autopopulate_default_manuf,
+                                            :match => 0.0,
+                                            :vm => false,
+                                            :id => nil}
+                  end
+
+                  # make sure the site and role exists
+
+                  _autopopulate_site = @site_hash.getset(_autopopulate_default_site) {
+                    begin
+                      _site = nil
+
+                      # look it up first
+                      _query = { :offset => 0,
+                                 :limit => 1,
+                                 :name => _autopopulate_default_site }
+                      if (_sites_response = _nb.get('dcim/sites/', _query).body) &&
+                         _sites_response.is_a?(Hash) &&
+                         (_tmp_sites = _sites_response.fetch(:results, [])) &&
+                         (_tmp_sites.length() > 0)
+                      then
+                         _site = _tmp_sites.first
+                      end
+
+                      if _site.nil?
+                        # the device site is not found, create it
+                        _site_data = { :name => _autopopulate_default_site,
+                                       :slug => _autopopulate_default_site.to_url,
+                                       :status => "active" }
+                        if (_site_create_response = _nb.post('dcim/sites/', _site_data.to_json, _nb_headers).body) &&
+                           _site_create_response.is_a?(Hash) &&
+                           _site_create_response.has_key?(:id)
+                        then
+                           _site = _site_create_response
+                        end
+                      end
+
+                    rescue Faraday::Error
+                      # give up aka do nothing
+                      _exception_error = true
                     end
-                    _query[:offset] += _tmp_manufs.length()
-                    break unless (_tmp_manufs.length() >= _page_size)
-                  else
-                    break
+                    _site
+                  }
+
+                  _autopopulate_role = @role_hash.getset(_autopopulate_default_role) {
+                    begin
+                      _role = nil
+
+                      # look it up first
+                      _query = { :offset => 0,
+                                 :limit => 1,
+                                 :name => _autopopulate_default_role }
+                      if (_roles_response = _nb.get('dcim/device-roles/', _query).body) &&
+                         _roles_response.is_a?(Hash) &&
+                         (_tmp_roles = _roles_response.fetch(:results, [])) &&
+                         (_tmp_roles.length() > 0)
+                      then
+                         _role = _tmp_roles.first
+                      end
+
+                      if _role.nil?
+                        # the role is not found, create it
+                        _role_data = { :name => _autopopulate_default_role,
+                                        :slug => _autopopulate_default_role.to_url,
+                                        :color => "d3d3d3" }
+                        if (_role_create_response = _nb.post('dcim/device-roles/', _role_data.to_json, _nb_headers).body) &&
+                           _role_create_response.is_a?(Hash) &&
+                           _role_create_response.has_key?(:id)
+                        then
+                           _role = _role_create_response
+                        end
+                      end
+
+                    rescue Faraday::Error
+                      # give up aka do nothing
+                      _exception_error = true
+                    end
+                    _role
+                  }
+
+                  # we should have found or created the autopopulate role and site
+                  begin
+                    if _autopopulate_site&.fetch(:id, nil)&.nonzero? &&
+                       _autopopulate_role&.fetch(:id, nil)&.nonzero?
+                    then
+
+                      if _autopopulate_manuf[:vm]
+                        # a virtual machine
+                        _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
+                        _device_data = { :name => _device_name,
+                                         :site => _autopopulate_site[:id],
+                                         :status => "staged" }
+                        if (_device_create_response = _nb.post('virtualization/virtual-machines/', _device_data.to_json, _nb_headers).body) &&
+                           _device_create_response.is_a?(Hash) &&
+                           _device_create_response.has_key?(:id)
+                        then
+                           _autopopulate_device = _device_create_response
+                        end
+
+                      else
+                        # a regular non-vm device
+
+                        if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
+                          # the manufacturer was default (not found) so look it up first
+                          _query = { :offset => 0,
+                                     :limit => 1,
+                                     :name => _autopopulate_manuf[:name] }
+                          if (_manufs_response = _nb.get('dcim/manufacturers/', _query).body) &&
+                             _manufs_response.is_a?(Hash) &&
+                             (_tmp_manufs = _manufs_response.fetch(:results, [])) &&
+                             (_tmp_manufs.length() > 0)
+                          then
+                             _autopopulate_manuf[:id] = _tmp_manufs.first.fetch(:id, nil)
+                             _autopopulate_manuf[:match] = 1.0
+                          end
+                        end
+
+                        if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
+                          # the manufacturer is still not found, create it
+                          _manuf_data = { :name => _autopopulate_manuf[:name],
+                                          :slug => _autopopulate_manuf[:name].to_url }
+                          if (_manuf_create_response = _nb.post('dcim/manufacturers/', _manuf_data.to_json, _nb_headers).body) &&
+                             _manuf_create_response.is_a?(Hash)
+                          then
+                             _autopopulate_manuf[:id] = _manuf_create_response.fetch(:id, nil)
+                             _autopopulate_manuf[:match] = 1.0
+                          end
+                        end
+
+                        # at this point we *must* have the manufacturer ID
+                        if _autopopulate_manuf.fetch(:id, nil)&.nonzero?
+
+                          # make sure the desired device type also exists, look it up first
+                          _query = { :offset => 0,
+                                     :limit => 1,
+                                     :manufacturer_id => _autopopulate_manuf[:id],
+                                     :model => _autopopulate_default_dtype }
+                          if (_dtypes_response = _nb.get('dcim/device-types/', _query).body) &&
+                             _dtypes_response.is_a?(Hash) &&
+                             (_tmp_dtypes = _dtypes_response.fetch(:results, [])) &&
+                             (_tmp_dtypes.length() > 0)
+                          then
+                             _autopopulate_dtype = _tmp_dtypes.first
+                          end
+
+                          if _autopopulate_dtype.nil?
+                            # the device type is not found, create it
+                            _dtype_data = { :manufacturer => _autopopulate_manuf[:id],
+                                            :model => _autopopulate_default_dtype,
+                                            :slug => _autopopulate_default_dtype.to_url }
+                            if (_dtype_create_response = _nb.post('dcim/device-types/', _dtype_data.to_json, _nb_headers).body) &&
+                               _dtype_create_response.is_a?(Hash) &&
+                               _dtype_create_response.has_key?(:id)
+                            then
+                               _autopopulate_dtype = _dtype_create_response
+                            end
+                          end
+
+                          # # now we must also have the device type ID
+                          if _autopopulate_dtype&.fetch(:id, nil)&.nonzero?
+
+                            # create the device
+                            _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
+                            _device_data = { :name => _device_name,
+                                             :device_type => _autopopulate_dtype[:id],
+                                             :role => _autopopulate_role[:id],
+                                             :site => _autopopulate_site[:id],
+                                             :status => "staged" }
+                            if (_device_create_response = _nb.post('dcim/devices/', _device_data.to_json, _nb_headers).body) &&
+                               _device_create_response.is_a?(Hash) &&
+                               _device_create_response.has_key?(:id)
+                            then
+                               _autopopulate_device = _device_create_response
+                            end
+
+                          end # _autopopulate_dtype[:id] is valid
+
+                        end # _autopopulate_manuf[:id] is valid
+
+                      end # virtual machine vs. regular device
+
+                    end # site and role are valid
+
+                  rescue Faraday::Error
+                    # give up aka do nothing
+                    _exception_error = true
                   end
-                end
-              rescue Faraday::Error
-                # give up aka do nothing
-                _exception_error_general = true
-              end
-              # return the manuf with the highest match
-              !_manufs&.empty? ? _manufs.max_by{|k| k[:match] } : nil
-            }
-          end # virtual machine vs. regular device
-        end # _autopopulate_oui specified
-
-        if !_autopopulate_manuf.is_a?(Hash)
-          # no match was found at ANY match level (empty database or no OUI specified), set default ("unspecified") manufacturer
-          _autopopulate_manuf = { :name => _autopopulate_create_manuf ? _autopopulate_oui : _autopopulate_default_manuf,
-                                  :match => 0.0,
-                                  :vm => false,
-                                  :id => nil}
-        end
-
-        # make sure the site and role exists
-
-        _autopopulate_site = @site_hash.getset(_autopopulate_default_site) {
-          begin
-            _site = nil
-
-            # look it up first
-            _query = { :offset => 0,
-                       :limit => 1,
-                       :name => _autopopulate_default_site }
-            if (_sites_response = @netbox_conn.get('dcim/sites/', _query).body) &&
-               _sites_response.is_a?(Hash) &&
-               (_tmp_sites = _sites_response.fetch(:results, [])) &&
-               (_tmp_sites.length() > 0)
-            then
-               _site = _tmp_sites.first
-            end
-
-            if _site.nil?
-              # the device site is not found, create it
-              _site_data = { :name => _autopopulate_default_site,
-                             :slug => _autopopulate_default_site.to_url,
-                             :status => "active" }
-              if (_site_create_response = @netbox_conn.post('dcim/sites/', _site_data.to_json, @netbox_headers).body) &&
-                 _site_create_response.is_a?(Hash) &&
-                 _site_create_response.has_key?(:id)
-              then
-                 _site = _site_create_response
-              end
-            end
-
-          rescue Faraday::Error
-            # give up aka do nothing
-            _exception_error_general = true
-          end
-          _site
-        }
-
-        _autopopulate_role = @role_hash.getset(_autopopulate_default_role) {
-          begin
-            _role = nil
-
-            # look it up first
-            _query = { :offset => 0,
-                       :limit => 1,
-                       :name => _autopopulate_default_role }
-            if (_roles_response = @netbox_conn.get('dcim/device-roles/', _query).body) &&
-               _roles_response.is_a?(Hash) &&
-               (_tmp_roles = _roles_response.fetch(:results, [])) &&
-               (_tmp_roles.length() > 0)
-            then
-               _role = _tmp_roles.first
-            end
-
-            if _role.nil?
-              # the role is not found, create it
-              _role_data = { :name => _autopopulate_default_role,
-                              :slug => _autopopulate_default_role.to_url,
-                              :color => "d3d3d3" }
-              if (_role_create_response = @netbox_conn.post('dcim/device-roles/', _role_data.to_json, @netbox_headers).body) &&
-                 _role_create_response.is_a?(Hash) &&
-                 _role_create_response.has_key?(:id)
-              then
-                 _role = _role_create_response
-              end
-            end
-
-          rescue Faraday::ConnectionFailed
-            # give up aka do nothing (and connect next time)
-            _exception_error_connection = true
-          rescue Faraday::Error
-            # give up aka do nothing
-            _exception_error_general = true
-          end
-          _role
-        }
-
-        # we should have found or created the autopopulate role and site
-        begin
-          if _autopopulate_site&.fetch(:id, nil)&.nonzero? &&
-             _autopopulate_role&.fetch(:id, nil)&.nonzero?
-          then
-
-            if _autopopulate_manuf[:vm]
-              # a virtual machine
-              _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
-              _device_data = { :name => _device_name,
-                               :site => _autopopulate_site[:id],
-                               :status => "staged" }
-              if (_device_create_response = @netbox_conn.post('virtualization/virtual-machines/', _device_data.to_json, @netbox_headers).body) &&
-                 _device_create_response.is_a?(Hash) &&
-                 _device_create_response.has_key?(:id)
-              then
-                 _autopopulate_device = _device_create_response
-              end
 
-            else
-              # a regular non-vm device
-
-              if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
-                # the manufacturer was default (not found) so look it up first
-                _query = { :offset => 0,
-                           :limit => 1,
-                           :name => _autopopulate_manuf[:name] }
-                if (_manufs_response = @netbox_conn.get('dcim/manufacturers/', _query).body) &&
-                   _manufs_response.is_a?(Hash) &&
-                   (_tmp_manufs = _manufs_response.fetch(:results, [])) &&
-                   (_tmp_manufs.length() > 0)
-                then
-                   _autopopulate_manuf[:id] = _tmp_manufs.first.fetch(:id, nil)
-                   _autopopulate_manuf[:match] = 1.0
+                  if !_autopopulate_device.nil?
+                    # we created a device, so send it back out as the result for the event as well
+                    _devices << { :name => _autopopulate_device&.fetch(:name, _autopopulate_device&.fetch(:display, nil)),
+                                  :id => _autopopulate_device&.fetch(:id, nil),
+                                  :url => _autopopulate_device&.fetch(:url, nil),
+                                  :site => _autopopulate_site&.fetch(:name, nil),
+                                  :role => _autopopulate_role&.fetch(:name, nil),
+                                  :device_type => _autopopulate_dtype&.fetch(:name, nil),
+                                  :manufacturer => _autopopulate_manuf&.fetch(:name, nil),
+                                  :details => _verbose ? _autopopulate_device : nil }
+                  end # _autopopulate_device was not nil (i.e., we autocreated a device)
+
+                end # _autopopulate turned on and no results found
+
+                _devices = collect_values(crush(_devices))
+                _devices.fetch(:service, [])&.flatten!&.uniq!
+                _lookup_result = _devices
+              end # _lookup_type == :ip_device
+
+              # this || is because we are going to need to do the VRF lookup if we're autopopulating
+              # as well as if we're specifically requested to do that enrichment
+
+              if (_lookup_type == :ip_vrf) || !_autopopulate_device.nil?
+              #################################################################################
+                # retrieve the list VRFs containing IP address prefixes containing the search key
+                _vrfs = Array.new
+                _query = { :contains => _key,
+                           :offset => 0,
+                           :limit => _page_size }
+                _query[:site_n] = _lookup_site unless _lookup_site.nil? || _lookup_site.empty?
+                begin
+                  while true do
+                    if (_prefixes_response = _nb.get('ipam/prefixes/', _query).body) &&
+                       _prefixes_response.is_a?(Hash)
+                    then
+                      _tmp_prefixes = _prefixes_response.fetch(:results, [])
+                      _tmp_prefixes.each do |p|
+                        if (_vrf = p.fetch(:vrf, nil))
+                          # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
+                          # if _verbose, include entire object as :details
+                          _vrfs << { :name => _vrf.fetch(:name, _vrf.fetch(:display, nil)),
+                                     :id => _vrf.fetch(:id, nil),
+                                     :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
+                                     :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),
+                                     :url => p.fetch(:url, _vrf.fetch(:url, nil)),
+                                     :details => _verbose ? _vrf.merge({:prefix => p.tap { |h| h.delete(:vrf) }}) : nil }
+                        end
+                      end
+                      _query[:offset] += _tmp_prefixes.length()
+                      break unless (_tmp_prefixes.length() >= _page_size)
+                    else
+                      break
+                    end
+                  end
+                rescue Faraday::Error
+                  # give up aka do nothing
+                  _exception_error = true
                 end
-              end
-
-              if !_autopopulate_manuf.fetch(:id, nil)&.nonzero?
-                # the manufacturer is still not found, create it
-                _manuf_data = { :name => _autopopulate_manuf[:name],
-                                :slug => _autopopulate_manuf[:name].to_url }
-                if (_manuf_create_response = @netbox_conn.post('dcim/manufacturers/', _manuf_data.to_json, @netbox_headers).body) &&
-                   _manuf_create_response.is_a?(Hash)
-                then
-                   _autopopulate_manuf[:id] = _manuf_create_response.fetch(:id, nil)
-                   _autopopulate_manuf[:match] = 1.0
+                _vrfs = collect_values(crush(_vrfs))
+                _lookup_result = _vrfs unless (_lookup_type != :ip_vrf)
+              end # _lookup_type == :ip_vrf
+
+              if !_autopopulate_device.nil? && _autopopulate_device.fetch(:id, nil)&.nonzero?
+                # device has been created, we need to create an interface for it
+                _interface_data = { _autopopulate_manuf[:vm] ? :virtual_machine : :device => _autopopulate_device[:id],
+                                    :name => "e0",
+                                    :type => "other" }
+                if !_autopopulate_mac.nil? && !_autopopulate_mac.empty?
+                  _interface_data[:mac_address] = _autopopulate_mac.is_a?(Array) ? _autopopulate_mac.first : _autopopulate_mac
                 end
-              end
-
-              # at this point we *must* have the manufacturer ID
-              if _autopopulate_manuf.fetch(:id, nil)&.nonzero?
-
-                # make sure the desired device type also exists, look it up first
-                _query = { :offset => 0,
-                           :limit => 1,
-                           :manufacturer_id => _autopopulate_manuf[:id],
-                           :model => _autopopulate_default_dtype }
-                if (_dtypes_response = @netbox_conn.get('dcim/device-types/', _query).body) &&
-                   _dtypes_response.is_a?(Hash) &&
-                   (_tmp_dtypes = _dtypes_response.fetch(:results, [])) &&
-                   (_tmp_dtypes.length() > 0)
+                if !_vrfs.nil? && !_vrfs.empty?
+                  _interface_data[:vrf] = _vrfs.fetch(:id, []).first
+                end
+                if (_interface_create_reponse = _nb.post(_autopopulate_manuf[:vm] ? 'virtualization/interfaces/' : 'dcim/interfaces/', _interface_data.to_json, _nb_headers).body) &&
+                   _interface_create_reponse.is_a?(Hash) &&
+                   _interface_create_reponse.has_key?(:id)
                 then
-                   _autopopulate_dtype = _tmp_dtypes.first
+                   _autopopulate_interface = _interface_create_reponse
                 end
 
-                if _autopopulate_dtype.nil?
-                  # the device type is not found, create it
-                  _dtype_data = { :manufacturer => _autopopulate_manuf[:id],
-                                  :model => _autopopulate_default_dtype,
-                                  :slug => _autopopulate_default_dtype.to_url }
-                  if (_dtype_create_response = @netbox_conn.post('dcim/device-types/', _dtype_data.to_json, @netbox_headers).body) &&
-                     _dtype_create_response.is_a?(Hash) &&
-                     _dtype_create_response.has_key?(:id)
+                if !_autopopulate_interface.nil? && _autopopulate_interface.fetch(:id, nil)&.nonzero?
+                  # interface has been created, we need to create an IP address for it
+                  _ip_data = { :address => "#{_key}/#{_key_ip&.prefix()}",
+                               :assigned_object_type => _autopopulate_manuf[:vm] ? "virtualization.vminterface" : "dcim.interface",
+                               :assigned_object_id => _autopopulate_interface[:id],
+                               :status => "active" }
+                  if (_vrf = _autopopulate_interface.fetch(:vrf, nil)) &&
+                     (_vrf.has_key?(:id))
                   then
-                     _autopopulate_dtype = _dtype_create_response
+                    _ip_data[:vrf] = _vrf[:id]
                   end
-                end
-
-                # # now we must also have the device type ID
-                if _autopopulate_dtype&.fetch(:id, nil)&.nonzero?
-
-                  # create the device
-                  _device_name = _autopopulate_hostname.to_s.empty? ? "#{_autopopulate_manuf[:name]} @ #{_key}" : "#{_autopopulate_hostname} @ #{_key}"
-                  _device_data = { :name => _device_name,
-                                   :device_type => _autopopulate_dtype[:id],
-                                   :role => _autopopulate_role[:id],
-                                   :site => _autopopulate_site[:id],
-                                   :status => "staged" }
-                  if (_device_create_response = @netbox_conn.post('dcim/devices/', _device_data.to_json, @netbox_headers).body) &&
-                     _device_create_response.is_a?(Hash) &&
-                     _device_create_response.has_key?(:id)
+                  if (_ip_create_reponse = _nb.post('ipam/ip-addresses/', _ip_data.to_json, _nb_headers).body) &&
+                     _ip_create_reponse.is_a?(Hash) &&
+                     _ip_create_reponse.has_key?(:id)
                   then
-                     _autopopulate_device = _device_create_response
+                     _autopopulate_ip = _ip_create_reponse
                   end
+                end # check if interface was created and has ID
+
+                if !_autopopulate_ip.nil? && _autopopulate_ip.fetch(:id, nil)&.nonzero?
+                  # IP address was created, need to associate it as the primary IP for the device
+                  _primary_ip_data = { _key_ip&.ipv6? ? :primary_ip6 : :primary_ip4 => _autopopulate_ip[:id] }
+                  if (_ip_primary_reponse = _nb.patch("#{_autopopulate_manuf[:vm] ? 'virtualization/virtual-machines' : 'dcim/devices'}/#{_autopopulate_device[:id]}/", _primary_ip_data.to_json, _nb_headers).body) &&
+                     _ip_primary_reponse.is_a?(Hash) &&
+                     _ip_primary_reponse.has_key?(:id)
+                  then
+                     _autopopulate_device = _ip_create_reponse
+                  end
+                end # check if the IP address was created and has an ID
 
-                end # _autopopulate_dtype[:id] is valid
-
-              end # _autopopulate_manuf[:id] is valid
-
-            end # virtual machine vs. regular device
-
-          end # site and role are valid
-
-        rescue Faraday::Error
-          # give up aka do nothing
-          _exception_error_general = true
-        end
-
-        if !_autopopulate_device.nil?
-          # we created a device, so send it back out as the result for the event as well
-          _devices << { :name => _autopopulate_device&.fetch(:name, _autopopulate_device&.fetch(:display, nil)),
-                        :id => _autopopulate_device&.fetch(:id, nil),
-                        :url => _autopopulate_device&.fetch(:url, nil),
-                        :site => _autopopulate_site&.fetch(:name, nil),
-                        :role => _autopopulate_role&.fetch(:name, nil),
-                        :device_type => _autopopulate_dtype&.fetch(:name, nil),
-                        :manufacturer => _autopopulate_manuf&.fetch(:name, nil),
-                        :details => _verbose ? _autopopulate_device : nil }
-        end # _autopopulate_device was not nil (i.e., we autocreated a device)
-
-      end # _autopopulate turned on and no results found
-
-      _devices = collect_values(crush(_devices))
-      _devices.fetch(:service, [])&.flatten!&.uniq!
-      _result = _devices
-    end # _lookup_type == :ip_device
-
-    # this || is because we are going to need to do the VRF lookup if we're autopopulating
-    # as well as if we're specifically requested to do that enrichment
-
-    if (_lookup_type == :ip_vrf) || !_autopopulate_device.nil?
-    #################################################################################
-      # retrieve the list VRFs containing IP address prefixes containing the search key
-      _vrfs = Array.new
-      _query = { :contains => _key,
-                 :offset => 0,
-                 :limit => _page_size }
-      _query[:site_n] = _lookup_site unless _lookup_site.nil? || _lookup_site.empty?
-      begin
-        while true do
-          if (_prefixes_response = @netbox_conn.get('ipam/prefixes/', _query).body) &&
-             _prefixes_response.is_a?(Hash)
-          then
-            _tmp_prefixes = _prefixes_response.fetch(:results, [])
-            _tmp_prefixes.each do |p|
-              if (_vrf = p.fetch(:vrf, nil))
-                # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
-                # if _verbose, include entire object as :details
-                _vrfs << { :name => _vrf.fetch(:name, _vrf.fetch(:display, nil)),
-                           :id => _vrf.fetch(:id, nil),
-                           :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
-                           :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),
-                           :url => p.fetch(:url, _vrf.fetch(:url, nil)),
-                           :details => _verbose ? _vrf.merge({:prefix => p.tap { |h| h.delete(:vrf) }}) : nil }
-              end
-            end
-            _query[:offset] += _tmp_prefixes.length()
-            break unless (_tmp_prefixes.length() >= _page_size)
-          else
-            break
-          end
-        end
-      rescue Faraday::Error
-        # give up aka do nothing
-        _exception_error_general = true
-      end
-      _vrfs = collect_values(crush(_vrfs))
-      _result = _vrfs unless (_lookup_type != :ip_vrf)
-    end # _lookup_type == :ip_vrf
-
-    if !_autopopulate_device.nil? && _autopopulate_device.fetch(:id, nil)&.nonzero?
-      # device has been created, we need to create an interface for it
-      _interface_data = { _autopopulate_manuf[:vm] ? :virtual_machine : :device => _autopopulate_device[:id],
-                          :name => "e0",
-                          :type => "other" }
-      if !_autopopulate_mac.nil? && !_autopopulate_mac.empty?
-        _interface_data[:mac_address] = _autopopulate_mac.is_a?(Array) ? _autopopulate_mac.first : _autopopulate_mac
-      end
-      if !_vrfs.nil? && !_vrfs.empty?
-        _interface_data[:vrf] = _vrfs.fetch(:id, []).first
-      end
-      if (_interface_create_reponse = @netbox_conn.post(_autopopulate_manuf[:vm] ? 'virtualization/interfaces/' : 'dcim/interfaces/', _interface_data.to_json, @netbox_headers).body) &&
-         _interface_create_reponse.is_a?(Hash) &&
-         _interface_create_reponse.has_key?(:id)
-      then
-         _autopopulate_interface = _interface_create_reponse
-      end
-
-      if !_autopopulate_interface.nil? && _autopopulate_interface.fetch(:id, nil)&.nonzero?
-        # interface has been created, we need to create an IP address for it
-        _ip_data = { :address => "#{_key}/#{_key_ip&.prefix()}",
-                     :assigned_object_type => _autopopulate_manuf[:vm] ? "virtualization.vminterface" : "dcim.interface",
-                     :assigned_object_id => _autopopulate_interface[:id],
-                     :status => "active" }
-        if (_vrf = _autopopulate_interface.fetch(:vrf, nil)) &&
-           (_vrf.has_key?(:id))
-        then
-          _ip_data[:vrf] = _vrf[:id]
-        end
-        if (_ip_create_reponse = @netbox_conn.post('ipam/ip-addresses/', _ip_data.to_json, @netbox_headers).body) &&
-           _ip_create_reponse.is_a?(Hash) &&
-           _ip_create_reponse.has_key?(:id)
-        then
-           _autopopulate_ip = _ip_create_reponse
-        end
-      end # check if interface was created and has ID
-
-      if !_autopopulate_ip.nil? && _autopopulate_ip.fetch(:id, nil)&.nonzero?
-        # IP address was created, need to associate it as the primary IP for the device
-        _primary_ip_data = { _key_ip&.ipv6? ? :primary_ip6 : :primary_ip4 => _autopopulate_ip[:id] }
-        if (_ip_primary_reponse = @netbox_conn.patch("#{_autopopulate_manuf[:vm] ? 'virtualization/virtual-machines' : 'dcim/devices'}/#{_autopopulate_device[:id]}/", _primary_ip_data.to_json, @netbox_headers).body) &&
-           _ip_primary_reponse.is_a?(Hash) &&
-           _ip_primary_reponse.has_key?(:id)
-        then
-           _autopopulate_device = _ip_create_reponse
-        end
-      end # check if the IP address was created and has an ID
-
-    end # check if device was created and has ID
-
-    if _exception_error_connection && !@netbox_conn_resetting
-      @netbox_conn_lock.release_read_lock
-      @netbox_conn_lock.acquire_write_lock
-      begin
-        if !@netbox_conn_resetting
-          @netbox_conn_needs_reset = true
-        end
-      ensure
-        @netbox_conn_lock.release_write_lock
-        @netbox_conn_lock.acquire_read_lock
-      end
-    end
-  ensure
-    @netbox_conn_lock.release_read_lock
-  end
+              end # check if device was created and has ID
+
+              # yield return value for cache_hash getset
+              _lookup_result
+            }
 
   if !_result.nil? && _result.has_key?(:url) && !_result[:url]&.empty?
     _result[:url].map! { |u| u.delete_prefix(@netbox_url_base).gsub('/api/', '/') }

From 12b4f57bef273bc132b993f8d56a5c8aa5af6fc1 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 27 Oct 2023 10:26:34 -0600
Subject: [PATCH 11/82] bump Werkzeug to v3.0.1 as patch for DoS 'High resource
 usage when parsing multipart/form-data containing a large part with CR/LF
 character at the beginning'

---
 sensor-iso/interface/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sensor-iso/interface/requirements.txt b/sensor-iso/interface/requirements.txt
index d1b71390d..da47d54c9 100644
--- a/sensor-iso/interface/requirements.txt
+++ b/sensor-iso/interface/requirements.txt
@@ -13,4 +13,4 @@ python-dotenv==1.0.0
 requests==2.31.0
 six==1.16.0
 urllib3==1.26.18
-Werkzeug==2.3.3
+Werkzeug==3.0.1

From 86a41d05e022e8244870a60e0c4a8578df7fef7f Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 27 Oct 2023 11:23:56 -0600
Subject: [PATCH 12/82] allow specifying capture parameters when orchmode is
 kubernetes

---
 scripts/install.py | 63 ++++++++++++++++++++++------------------------
 1 file changed, 30 insertions(+), 33 deletions(-)

diff --git a/scripts/install.py b/scripts/install.py
index ad3b6b022..890225a1f 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -1288,41 +1288,38 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
             else 'unset'
         )
 
-        if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
-            captureOptions = ('no', 'yes', 'customize')
-            loopBreaker = CountUntilException(MaxAskForValueCount)
-            while captureSelection not in [x[0] for x in captureOptions] and loopBreaker.increment():
-                captureSelection = InstallerChooseOne(
-                    'Should Malcolm capture live network traffic?',
-                    choices=[(x, '', x == captureOptions[0]) for x in captureOptions],
-                )[0]
-            if captureSelection == 'y':
-                pcapNetSniff = True
-                liveSuricata = True
-                liveZeek = True
-            elif captureSelection == 'c':
-                if InstallerYesOrNo(
-                    'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?',
-                    default=args.pcapNetSniff or args.pcapTcpDump or (malcolmProfile == PROFILE_HEDGEHOG),
-                ):
-                    pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=args.pcapNetSniff)
-                    if not pcapNetSniff:
-                        pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump)
-                liveSuricata = InstallerYesOrNo(
-                    'Should Malcolm analyze live network traffic with Suricata?', default=args.liveSuricata
+        captureOptions = ('no', 'yes', 'customize')
+        loopBreaker = CountUntilException(MaxAskForValueCount)
+        while captureSelection not in [x[0] for x in captureOptions] and loopBreaker.increment():
+            captureSelection = InstallerChooseOne(
+                'Should Malcolm capture live network traffic?',
+                choices=[(x, '', x == captureOptions[0]) for x in captureOptions],
+            )[0]
+        if captureSelection == 'y':
+            pcapNetSniff = True
+            liveSuricata = True
+            liveZeek = True
+        elif captureSelection == 'c':
+            if InstallerYesOrNo(
+                'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?',
+                default=args.pcapNetSniff or args.pcapTcpDump or (malcolmProfile == PROFILE_HEDGEHOG),
+            ):
+                pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=args.pcapNetSniff)
+                if not pcapNetSniff:
+                    pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump)
+            liveSuricata = InstallerYesOrNo(
+                'Should Malcolm analyze live network traffic with Suricata?', default=args.liveSuricata
+            )
+            liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=args.liveZeek)
+            if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata:
+                pcapFilter = InstallerAskForString(
+                    'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)',
+                    default=args.pcapFilter,
                 )
-                liveZeek = InstallerYesOrNo(
-                    'Should Malcolm analyze live network traffic with Zeek?', default=args.liveZeek
+                tweakIface = InstallerYesOrNo(
+                    'Disable capture interface hardware offloading and adjust ring buffer sizes?',
+                    default=args.tweakIface,
                 )
-                if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata:
-                    pcapFilter = InstallerAskForString(
-                        'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)',
-                        default=args.pcapFilter,
-                    )
-                    tweakIface = InstallerYesOrNo(
-                        'Disable capture interface hardware offloading and adjust ring buffer sizes?',
-                        default=args.tweakIface,
-                    )
 
         if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata:
             pcapIface = ''

From b4f8d4436171ea51940e4b8af0cd61e6ba67f886 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Mon, 30 Oct 2023 13:54:22 -0600
Subject: [PATCH 13/82] Update Zeek to v6.1.0

---
 Dockerfiles/zeek.Dockerfile                            | 10 ++++++----
 config/zeek.env.example                                |  1 +
 .../includes.chroot/usr/local/etc/zeek/local.zeek      |  7 ++++++-
 sensor-iso/interface/sensor_ctl/control_vars.conf      |  1 +
 sensor-iso/zeek/build-zeek-deb.sh                      |  2 +-
 shared/bin/zeek_install_plugins.sh                     |  7 +++----
 zeek/config/local.zeek                                 |  7 ++++++-
 7 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index 0dbad75e9..b9e43d863 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -4,7 +4,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
 
 # for build
-ARG ZEEK_VERSION=6.0.1
+ARG ZEEK_VERSION=6.1.0
 ENV ZEEK_VERSION $ZEEK_VERSION
 ARG ZEEK_DBG=0
 ENV ZEEK_DBG $ZEEK_DBG
@@ -101,7 +101,7 @@ ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 # for download and install
-ARG ZEEK_VERSION=6.0.0
+ARG ZEEK_VERSION=6.1.0
 ENV ZEEK_VERSION $ZEEK_VERSION
 
 # put Zeek and Spicy in PATH
@@ -226,8 +226,8 @@ ADD shared/bin/nic-capture-setup.sh /usr/local/bin/
 
 # sanity checks to make sure the plugins installed and copied over correctly
 # these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh
-ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 23
-ENV ZEEK_THIRD_PARTY_PLUGINS_GREP  "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_LDAP_TCP|ANALYZER_SPICY_SYNCHROPHASOR_TCP|ANALYZER_SPICY_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
+ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 22
+ENV ZEEK_THIRD_PARTY_PLUGINS_GREP  "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_SYNCHROPHASOR_TCP|ANALYZER_SPICY_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
 ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 25
 ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP  "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"
 
@@ -309,6 +309,7 @@ ARG ZEEK_DISABLE_SPICY_HTTP=true
 ARG ZEEK_DISABLE_SPICY_IPSEC=
 ARG ZEEK_DISABLE_SPICY_LDAP=
 ARG ZEEK_DISABLE_SPICY_OPENVPN=
+ARG ZEEK_DISABLE_SPICY_QUIC=true
 ARG ZEEK_DISABLE_SPICY_STUN=
 ARG ZEEK_DISABLE_SPICY_TAILSCALE=
 ARG ZEEK_DISABLE_SPICY_TFTP=
@@ -327,6 +328,7 @@ ENV ZEEK_DISABLE_SPICY_HTTP $ZEEK_DISABLE_SPICY_HTTP
 ENV ZEEK_DISABLE_SPICY_IPSEC $ZEEK_DISABLE_SPICY_IPSEC
 ENV ZEEK_DISABLE_SPICY_LDAP $ZEEK_DISABLE_SPICY_LDAP
 ENV ZEEK_DISABLE_SPICY_OPENVPN $ZEEK_DISABLE_SPICY_OPENVPN
+ENV ZEEK_DISABLE_SPICY_QUIC $ZEEK_DISABLE_SPICY_QUIC
 ENV ZEEK_DISABLE_SPICY_STUN $ZEEK_DISABLE_SPICY_STUN
 ENV ZEEK_DISABLE_SPICY_TAILSCALE $ZEEK_DISABLE_SPICY_TAILSCALE
 ENV ZEEK_DISABLE_SPICY_TFTP $ZEEK_DISABLE_SPICY_TFTP
diff --git a/config/zeek.env.example b/config/zeek.env.example
index e676366df..795c37583 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -56,6 +56,7 @@ ZEEK_DISABLE_SPICY_HTTP=true
 ZEEK_DISABLE_SPICY_IPSEC=
 ZEEK_DISABLE_SPICY_LDAP=
 ZEEK_DISABLE_SPICY_OPENVPN=
+ZEEK_DISABLE_SPICY_QUIC=true
 ZEEK_DISABLE_SPICY_STUN=
 ZEEK_DISABLE_SPICY_TAILSCALE=
 ZEEK_DISABLE_SPICY_TFTP=
diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index cc8674860..500612e7b 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -20,6 +20,7 @@ global disable_spicy_http = (getenv("ZEEK_DISABLE_SPICY_HTTP") == "") ? F : T;
 global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == "") ? F : T;
 global disable_spicy_ldap = (getenv("ZEEK_DISABLE_SPICY_LDAP") == "") ? F : T;
 global disable_spicy_openvpn = (getenv("ZEEK_DISABLE_SPICY_OPENVPN") == "") ? F : T;
+global disable_spicy_quic = (getenv("ZEEK_DISABLE_SPICY_QUIC") == "") ? F : T;
 global disable_spicy_stun = (getenv("ZEEK_DISABLE_SPICY_STUN") == "") ? F : T;
 global disable_spicy_tailscale = (getenv("ZEEK_DISABLE_SPICY_TAILSCALE") == "") ? F : T;
 global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
@@ -141,7 +142,8 @@ event zeek_init() &priority=-5 {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
   }
   if (disable_spicy_ldap) {
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
+    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
+    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_UDP);
   }
   if (disable_spicy_openvpn) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
@@ -155,6 +157,9 @@ event zeek_init() &priority=-5 {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256);
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512);
   }
+  if (disable_spicy_quic) {
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_QUIC);
+  }
   if (disable_spicy_stun) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_STUN);
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_STUN_TCP);
diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
index e0773a666..255a2d22d 100644
--- a/sensor-iso/interface/sensor_ctl/control_vars.conf
+++ b/sensor-iso/interface/sensor_ctl/control_vars.conf
@@ -62,6 +62,7 @@ export ZEEK_DISABLE_SPICY_HTTP=true
 export ZEEK_DISABLE_SPICY_IPSEC=
 export ZEEK_DISABLE_SPICY_LDAP=
 export ZEEK_DISABLE_SPICY_OPENVPN=
+export ZEEK_DISABLE_SPICY_QUIC=true
 export ZEEK_DISABLE_SPICY_STUN=
 export ZEEK_DISABLE_SPICY_TAILSCALE=
 export ZEEK_DISABLE_SPICY_TFTP=
diff --git a/sensor-iso/zeek/build-zeek-deb.sh b/sensor-iso/zeek/build-zeek-deb.sh
index be76ad437..4be53b1b8 100755
--- a/sensor-iso/zeek/build-zeek-deb.sh
+++ b/sensor-iso/zeek/build-zeek-deb.sh
@@ -13,7 +13,7 @@ export PYTHONDONTWRITEBYTECODE=1
 export PYTHONUNBUFFERED=1
 
 ZEEK_URL=https://github.com/zeek/zeek.git
-ZEEK_VERSION=6.0.1
+ZEEK_VERSION=6.1.0
 ZEEK_DIR=/opt/zeek
 BUILD_JOBS=0
 OUTPUT_DIR=/tmp
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 4931d874b..682b41be5 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -98,10 +98,10 @@ ZKG_GITHUB_URLS=(
   "https://github.com/corelight/zeek-spicy-ospf"
   "https://github.com/corelight/zeek-spicy-stun"
   "https://github.com/corelight/zeek-spicy-wireguard"
-  "https://github.com/corelight/zeek-xor-exe-plugin"
+  "https://github.com/mmguero-dev/zeek-xor-exe-plugin"
   "https://github.com/corelight/zerologon"
-  "https://github.com/cybera/zeek-sniffpass"
-  "https://github.com/mitre-attack/bzar"
+  "https://github.com/mmguero-dev/zeek-sniffpass"
+  "https://github.com/mmguero-dev/bzar"
   "https://github.com/ncsa/bro-is-darknet"
   "https://github.com/ncsa/bro-simple-scan"
   "https://github.com/precurse/zeek-httpattacks"
@@ -111,7 +111,6 @@ ZKG_GITHUB_URLS=(
   "https://github.com/zeek/spicy-dhcp"
   "https://github.com/zeek/spicy-dns"
   "https://github.com/zeek/spicy-http"
-  "https://github.com/zeek/spicy-ldap"
   "https://github.com/zeek/spicy-pe"
   "https://github.com/zeek/spicy-tftp"
   "https://github.com/zeek/spicy-zip"
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index 4450fe3ad..af8208318 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -20,6 +20,7 @@ global disable_spicy_http = (getenv("ZEEK_DISABLE_SPICY_HTTP") == "") ? F : T;
 global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == "") ? F : T;
 global disable_spicy_ldap = (getenv("ZEEK_DISABLE_SPICY_LDAP") == "") ? F : T;
 global disable_spicy_openvpn = (getenv("ZEEK_DISABLE_SPICY_OPENVPN") == "") ? F : T;
+global disable_spicy_quic = (getenv("ZEEK_DISABLE_SPICY_QUIC") == "") ? F : T;
 global disable_spicy_stun = (getenv("ZEEK_DISABLE_SPICY_STUN") == "") ? F : T;
 global disable_spicy_tailscale = (getenv("ZEEK_DISABLE_SPICY_TAILSCALE") == "") ? F : T;
 global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
@@ -141,7 +142,8 @@ event zeek_init() &priority=-5 {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
   }
   if (disable_spicy_ldap) {
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
+    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
+    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_UDP);
   }
   if (disable_spicy_openvpn) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
@@ -155,6 +157,9 @@ event zeek_init() &priority=-5 {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256);
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512);
   }
+  if (disable_spicy_quic) {
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_QUIC);
+  }
   if (disable_spicy_stun) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_STUN);
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_STUN_TCP);

From ed99af51fb1cd4dc1717d024f0ed5a673fc3a410 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Mon, 30 Oct 2023 15:05:40 -0600
Subject: [PATCH 14/82] point downstream to mmguero-dev/icsnpp-modbus until
 https://github.com/cisagov/icsnpp-modbus/pull/8 is pulled

---
 shared/bin/zeek_install_plugins.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 682b41be5..4d56ba8b3 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -74,7 +74,7 @@ ZKG_GITHUB_URLS=(
   "https://github.com/cisagov/icsnpp-enip"
   "https://github.com/cisagov/icsnpp-ethercat"
   "https://github.com/cisagov/icsnpp-genisys"
-  "https://github.com/cisagov/icsnpp-modbus"
+  "https://github.com/mmguero-dev/icsnpp-modbus"
   "https://github.com/cisagov/icsnpp-opcua-binary"
   "https://github.com/cisagov/icsnpp-s7comm"
   "https://github.com/cisagov/icsnpp-synchrophasor"

From da45848d7c1c89a3a1b272b6d976a07cf52884b6 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 30 Oct 2023 21:41:08 -0600
Subject: [PATCH 15/82] Working on zeek v6.1.0 build

---
 Dockerfiles/zeek.Dockerfile                                 | 2 +-
 .../config/includes.chroot/usr/local/etc/zeek/local.zeek    | 6 +++---
 shared/bin/zeek_install_plugins.sh                          | 4 ++--
 zeek/config/local.zeek                                      | 6 +++---
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index b9e43d863..248ae4789 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -227,7 +227,7 @@ ADD shared/bin/nic-capture-setup.sh /usr/local/bin/
 # sanity checks to make sure the plugins installed and copied over correctly
 # these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh
 ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 22
-ENV ZEEK_THIRD_PARTY_PLUGINS_GREP  "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_SYNCHROPHASOR_TCP|ANALYZER_SPICY_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
+ENV ZEEK_THIRD_PARTY_PLUGINS_GREP  "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
 ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 25
 ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP  "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"
 
diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index 500612e7b..71728bf7a 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -109,7 +109,7 @@ event zeek_init() &priority=-5 {
     PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT);
   }
   if (disable_ics_all || disable_ics_genisys) {
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_GENISYS_TCP);
   }
   if (disable_ics_all || disable_ics_opcua_binary) {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY);
@@ -124,8 +124,8 @@ event zeek_init() &priority=-5 {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP);
   }
   if (disable_ics_all || disable_ics_synchrophasor) {
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP);
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SYNCHROPHASOR_TCP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SYNCHROPHASOR_UDP);
   }
   if (disable_spicy_dhcp) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 4d56ba8b3..47ac71e7d 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -73,11 +73,11 @@ ZKG_GITHUB_URLS=(
   "https://github.com/cisagov/icsnpp-dnp3"
   "https://github.com/cisagov/icsnpp-enip"
   "https://github.com/cisagov/icsnpp-ethercat"
-  "https://github.com/cisagov/icsnpp-genisys"
+  "https://github.com/mmguero-dev/icsnpp-genisys"
   "https://github.com/mmguero-dev/icsnpp-modbus"
   "https://github.com/cisagov/icsnpp-opcua-binary"
   "https://github.com/cisagov/icsnpp-s7comm"
-  "https://github.com/cisagov/icsnpp-synchrophasor"
+  "https://github.com/mmguero-dev/icsnpp-synchrophasor"
   "https://github.com/corelight/callstranger-detector"
   "https://github.com/corelight/CVE-2020-16898"
   "https://github.com/corelight/CVE-2021-31166"
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index af8208318..deadc9ace 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -109,7 +109,7 @@ event zeek_init() &priority=-5 {
     PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT);
   }
   if (disable_ics_all || disable_ics_genisys) {
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_GENISYS_TCP);
   }
   if (disable_ics_all || disable_ics_opcua_binary) {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY);
@@ -124,8 +124,8 @@ event zeek_init() &priority=-5 {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP);
   }
   if (disable_ics_all || disable_ics_synchrophasor) {
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP);
-    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SYNCHROPHASOR_TCP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SYNCHROPHASOR_UDP);
   }
   if (disable_spicy_dhcp) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);

From 70c77737b0b95d3c8afd195226b0d55c3736de00 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 31 Oct 2023 08:36:25 -0600
Subject: [PATCH 16/82] update some of the documentation for docker compose
 (v2) as a plugin rather than a standalone script

---
 docs/authsetup.md               |  4 ++--
 docs/contributing-dashboards.md |  2 +-
 docs/development.md             |  2 +-
 docs/host-config-linux.md       |  4 ++--
 docs/host-config-macos.md       | 15 ++++++++++++---
 docs/kubernetes.md              |  2 +-
 docs/malcolm-iso.md             |  4 ++--
 docs/malcolm-upgrade.md         |  6 +++---
 docs/quickstart.md              |  4 ++--
 docs/running.md                 |  4 ++--
 docs/ubuntu-install-example.md  |  8 ++++----
 docs/zeek-intel.md              |  2 +-
 12 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/docs/authsetup.md b/docs/authsetup.md
index 4fb27eba8..49b707643 100644
--- a/docs/authsetup.md
+++ b/docs/authsetup.md
@@ -71,7 +71,7 @@ The contents of `nginx_ldap.conf` will vary depending on how the LDAP server is
 * **`group_attribute_is_dn`** - whether or not to search for the user's full distinguished name as the value in the group's member attribute
 * **`require`** and **`satisfy`** - `require user`, `require group` and `require valid_user` can be used in conjunction with `satisfy any` or `satisfy all` to limit the users that are allowed to access the Malcolm instance
 
-Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics of your LDAP server and directory tree structure. Using a LDAP search tool such as [`ldapsearch`](https://www.openldap.org/software/man.cgi?query=ldapsearch) in Linux or [`dsquery`](https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx) in Windows may be of help as you formulate the configuration. Your changes should be made within the curly braces of the `ldap_server ad_server { … }` section. You can troubleshoot configuration file syntax errors and LDAP connection or credentials issues by running `./scripts/logs` (or `docker-compose logs nginx`) and examining the output of the `nginx` container.
+Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics of your LDAP server and directory tree structure. Using a LDAP search tool such as [`ldapsearch`](https://www.openldap.org/software/man.cgi?query=ldapsearch) in Linux or [`dsquery`](https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx) in Windows may be of help as you formulate the configuration. Your changes should be made within the curly braces of the `ldap_server ad_server { … }` section. You can troubleshoot configuration file syntax errors and LDAP connection or credentials issues by running `./scripts/logs` (or `docker compose logs nginx`) and examining the output of the `nginx` container.
 
 The **Malcolm User Management** page described above is not available when using LDAP authentication.
 
@@ -119,7 +119,7 @@ options:
   -v [DEBUG], --verbose [DEBUG]
                         Verbose output
   -f <string>, --file <string>
-                        docker-compose or kubeconfig YML file
+                        Docker compose or kubeconfig YML file
   -e <string>, --environment-dir <string>
                         Directory containing Malcolm's .env files
 
diff --git a/docs/contributing-dashboards.md b/docs/contributing-dashboards.md
index 5cb37c561..25baa0e4a 100644
--- a/docs/contributing-dashboards.md
+++ b/docs/contributing-dashboards.md
@@ -10,7 +10,7 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa
 1. Export the dashboard with that ID and save it in the `./dashboards./dashboards/` directory with the following command:
    ```
     export DASHID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx && \
-      docker-compose exec dashboards curl -XGET \
+      docker compose exec dashboards curl -XGET \
       "http://localhost:5601/dashboards/api/opensearch-dashboards/dashboards/export?dashboard=$DASHID" > \
       ./dashboards/dashboards/$DASHID.json
     ```
diff --git a/docs/development.md b/docs/development.md
index 37da486d6..8207e3582 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -38,7 +38,7 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{
 
 and the following files of special note:
 
-* `docker-compose.yml` - the configuration file used by `docker-compose` to build, start, and stop an instance of the Malcolm appliance
+* `docker-compose.yml` - the configuration file used by `docker compose` to build, start, and stop an instance of the Malcolm appliance
 * `docker-compose-standalone.yml` - similar to `docker-compose.yml`, only used for the ["packaged"](#Packager) installation of Malcolm
 
 ## <a name="Build"></a>Building from source
diff --git a/docs/host-config-linux.md b/docs/host-config-linux.md
index 7bea01eb6..57350c335 100644
--- a/docs/host-config-linux.md
+++ b/docs/host-config-linux.md
@@ -21,9 +21,9 @@ Docker starts automatically on DEB-based distributions. On RPM-based distributio
 
 You can test Docker by running `docker info`, or (assuming you have internet access), `docker run --rm hello-world`.
 
-## Installing docker-compose
+## Installing docker compose
 
-Please follow [this link](https://docs.docker.com/compose/install/) on docker.com for instructions on installing `docker-compose`.
+Please follow [this link](https://docs.docker.com/compose/install/) on docker.com for instructions on installing the Docker Compose plugin.
 
 ## Operating system configuration
 
diff --git a/docs/host-config-macos.md b/docs/host-config-macos.md
index 9ab66480e..e3b8d0f72 100644
--- a/docs/host-config-macos.md
+++ b/docs/host-config-macos.md
@@ -25,16 +25,25 @@ $ brew upgrade --cask --no-quarantine docker-edge
 ```
 You can now run Docker from the Applications folder.
 
-## Install docker-compose
+## Install docker compose
 
 ```
 $ brew install docker-compose
 ```
-This will install the latest version of the `docker-compose` plugin. It can be upgraded later using `brew` as well:
+
+This will install the latest version of the `docker-compose` plugin. It can be upgraded later using [`brew`] as well:
+
 ```
 $ brew upgrade --no-quarantine docker-compose
 ```
-You can now run `docker-compose` (at `/usr/local/opt/docker-compose/bin/docker-compose`) from the command-line
+
+The [brew formula for docker-compose notes](https://formulae.brew.sh/formula/docker-compose) has the following note about needing to symlink for Docker to find the compose plugin:
+
+```
+Compose is now a Docker plugin. For Docker to find this plugin, symlink it:
+    mkdir -p ~/.docker/cli-plugins
+    ln -sfn $HOMEBREW_PREFIX/opt/docker-compose/bin/docker-compose ~/.docker/cli-plugins/docker-compose
+```
 
 ## Configure docker daemon option
 
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 91294d6c1..28b631d65 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -219,7 +219,7 @@ Settings that likely need to be changed in the underlying host running Kubernete
 
 The steps to configure and tune Malcolm for a Kubernetes deployment are [very similar](malcolm-config.md#ConfigAndTuning) to those for a Docker-based deployment. Both methods use [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) for Malcolm's runtime configuration.
 
-Malcolm's configuration and runtime scripts (e.g., `./scripts/configure`, `./scripts/auth_setup`, `./scripts/start`, etc.) are used for both Docker- and Kubernetes-based deployments. In order to indicate to these scripts that Kubernetes is being used rather than `docker-compose`, users can provide the script with the [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) used to communicate with the API server of the Kubernetes cluster (e.g., `./scripts/configure -f k3s.yaml` or `./scripts/start -f kubeconfig.yaml`, etc.). The scripts will detect whether the YAML file specified is a kubeconfig file or a Docker compose file and act accordingly.
+Malcolm's configuration and runtime scripts (e.g., `./scripts/configure`, `./scripts/auth_setup`, `./scripts/start`, etc.) are used for both Docker- and Kubernetes-based deployments. In order to indicate to these scripts that Kubernetes is being used rather than `docker compose`, users can provide the script with the [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) used to communicate with the API server of the Kubernetes cluster (e.g., `./scripts/configure -f k3s.yaml` or `./scripts/start -f kubeconfig.yaml`, etc.). The scripts will detect whether the YAML file specified is a kubeconfig file or a Docker compose file and act accordingly.
 
 Run `./scripts/configure` and answer the questions to configure Malcolm. For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**. Users will need to run [`./scripts/auth_setup`](authsetup.md#AuthSetup) to configure authentication.
 
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index 858930ab3..aaad018ad 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -45,7 +45,7 @@ Finished, created "/malcolm-build/malcolm-iso/malcolm-23.11.0.iso"
 …
 ```
 
-By default, Malcolm's Docker images are not packaged with the installer ISO. Malcolm assumes instead that users will pull the [latest images](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) with a `docker-compose pull` command as described in the [Quick start](quickstart.md#QuickStart) section. To build an ISO with the latest Malcolm images included, follow the directions to create [pre-packaged installation files](development.md#Packager), which include a tarball with a name such as `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`. Then, pass that images tarball to the ISO build script with a `-d`, like this:
+By default, Malcolm's Docker images are not packaged with the installer ISO. Malcolm assumes instead that users will pull the [latest images](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) with a `docker compose --profile malcolm pull` command as described in the [Quick start](quickstart.md#QuickStart) section. To build an ISO with the latest Malcolm images included, follow the directions to create [pre-packaged installation files](development.md#Packager), which include a tarball with a name such as `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`. Then, pass that images tarball to the ISO build script with a `-d`, like this:
 
 ```
 $ ./malcolm-iso/build_via_vagrant.sh -f -d malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz
@@ -83,6 +83,6 @@ Following these prompts, the installer will reboot and the Malcolm base operatin
 
 When the system boots for the first time, the Malcolm Docker images will load if the installer was built with pre-packaged installation files as described above. Wait for this operation to continue (the progress dialog will disappear when they have finished loading) before continuing the setup.
 
-Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO does not include pre-packaged Malcolm images, or to retrieve the latest updates, run `docker-compose pull`. Finalize the configuration by running `scripts/configure` and follow the prompts as illustrated in the [installation example](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig).
+Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO does not include pre-packaged Malcolm images, or to retrieve the latest updates, run `docker compose --profile malcolm pull`. Finalize the configuration by running `scripts/configure` and follow the prompts as illustrated in the [installation example](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig).
 
 Once Malcolm is configured, users can [start Malcolm](running.md#Starting) via the command line or by clicking the circular yellow Malcolm icon in the menu bar.
\ No newline at end of file
diff --git a/docs/malcolm-upgrade.md b/docs/malcolm-upgrade.md
index db4bcda1b..284ad1359 100644
--- a/docs/malcolm-upgrade.md
+++ b/docs/malcolm-upgrade.md
@@ -20,7 +20,7 @@ Here are the basic steps to perform an upgrade if Malcolm was checked with a `gi
 1. pull changes from GitHub repository
     * `git pull --rebase`
 1. pull new Docker images (this will take a while)
-    * `docker-compose pull`
+    * `docker compose --profile malcolm pull`
 1. apply saved configuration change stashed earlier
     * `git stash pop`
 1. if `Merge conflict` messages appear, resolve the [conflicts](https://git-scm.com/book/en/v2/Git-Branching-Basic-Branching-and-Merging#_basic_merge_conflicts) with a text editor
@@ -51,7 +51,7 @@ If Malcolm was installed from [pre-packaged installation files]({{ site.github.r
         + using a file comparison tool (e.g., `diff`, `meld`, `Beyond Compare`, etc.), compare `docker-compose.yml` and the `docker-compare.yml` file backed up in Step 3, and manually migrate over any customizations in file
         + compare the contents of each  `.env` file  Malcolm's `./config/` directory with its corresponding `.env.example` file
 1. pull the new docker images (this will take a while)
-    * `docker-compose pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker-compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` if an offline tarball of the Malcolm docker images is available
+    * `docker compose --profile malcolm pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` if an offline tarball of the Malcolm docker images is available
 1. start Malcolm
     * `./scripts/start`
 1. users may be prompted to [configure authentication](authsetup.md#AuthSetup) if there are new authentication-related files that need to be generated
@@ -63,7 +63,7 @@ If Malcolm was installed from [pre-packaged installation files]({{ site.github.r
 
 Technically minded users may wish to follow the debug output provided by `./scripts/start` (use `./scripts/logs` to re-open the log stream after it's been closed), although there is a lot there and it may be hard to distinguish whether or not something is okay.
 
-Running `docker-compose ps -a` should provide a good indication that all Malcolm's Docker containers started up and, in some cases, may be able to indicate if the containers are "healthy" or not.
+Running `docker compose ps -a` should provide a good indication that all Malcolm's Docker containers started up and, in some cases, may be able to indicate if the containers are "healthy" or not.
 
 After upgrading following one of the previous outlines, give Malcolm several minutes to get started. Once things are up and running, open one of Malcolm's [web interfaces](quickstart.md#UserInterfaceURLs) to verify that things are working.
 
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 7262ab8d4..fa180672e 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -26,9 +26,9 @@ You must run [`auth_setup`](authsetup.md#AuthSetup) prior to pulling Malcolm's D
     
 ### Pull Malcolm's Docker images
 
-Malcolm's Docker images are periodically built and hosted on [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker-compose pull` like this:
+Malcolm's Docker images are periodically built and hosted on [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker compose --profile malcolm pull` like this:
 ```
-$ docker-compose pull
+$ docker compose --profile malcolm pull
 Pulling api               ... done
 Pulling arkime            ... done
 Pulling dashboards        ... done
diff --git a/docs/running.md b/docs/running.md
index 48b633446..832be809f 100644
--- a/docs/running.md
+++ b/docs/running.md
@@ -37,13 +37,13 @@ To temporarily set the Malcolm user interfaces into read-only configuration, run
 First, to configure [Nginx](https://nginx.org/) to disable access to the upload and other interfaces for changing Malcolm settings, and to deny HTTP methods other than `GET` and `POST`:
 
 ```
-docker-compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
+docker compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
 ```
 
 Second, to set the existing OpenSearch data store to read-only:
 
 ```
-docker-compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster
+docker compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster
 ```
 
 These commands must be re-run every time Malcolm is restarted.
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index c08ddc0d4..c23a67b91 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -47,10 +47,10 @@ Enter user account: user
 
 Add another non-root user to the "docker" group?: n
 
-"docker-compose version" failed, attempt to install docker-compose? (Y / n): y
+"docker compose version" failed, attempt to install docker compose? (Y / n): y
 
-Install docker-compose directly from docker github? (Y / n): y
-Download and installation of docker-compose apparently succeeded
+Install docker compose directly from docker github? (Y / n): y
+Download and installation of docker compose apparently succeeded
 
 fs.file-max increases allowed maximum for file handles
 fs.file-max= appears to be missing from /etc/sysctl.conf, append it? (Y / n): y
@@ -227,7 +227,7 @@ As an alternative to manually copying the files to the sensor, Malcolm can facil
 
 In this example, rather than [building Malcolm from scratch](development.md#Build), images may be pulled from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm):
 ```
-user@host:~/Malcolm$ docker-compose pull
+user@host:~/Malcolm$ docker compose pull
 Pulling api               ... done
 Pulling arkime            ... done
 Pulling dashboards        ... done
diff --git a/docs/zeek-intel.md b/docs/zeek-intel.md
index 065b7e701..20cd52427 100644
--- a/docs/zeek-intel.md
+++ b/docs/zeek-intel.md
@@ -13,7 +13,7 @@ Note that Malcolm does not manage updates for these intelligence files. You shou
 Adding and deleting intelligence files under this directory will take effect upon [restarting Malcolm](running.md#StopAndRestart). Alternately, you can use the `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` environment variable containing a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) to specify the interval at which the intel files should be refreshed. This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory:
 
 ```
-docker-compose exec --user $(id -u) zeek /usr/local/bin/entrypoint.sh true
+docker compose exec --user $(id -u) zeek /usr/local/bin/entrypoint.sh true
 ```
 
 For a public example of Zeek intelligence files, see Critical Path Security's [repository](https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds), which aggregates data from various other threat feeds into Zeek's format.

From c9742bba335942feac28c913303d6688c0d6cbe1 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 31 Oct 2023 08:40:07 -0600
Subject: [PATCH 17/82] update some of the documentation for docker compose
 (v2) as a plugin rather than a standalone script

---
 docs/host-config-macos.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/host-config-macos.md b/docs/host-config-macos.md
index e3b8d0f72..0f86696e2 100644
--- a/docs/host-config-macos.md
+++ b/docs/host-config-macos.md
@@ -31,7 +31,7 @@ You can now run Docker from the Applications folder.
 $ brew install docker-compose
 ```
 
-This will install the latest version of the `docker-compose` plugin. It can be upgraded later using [`brew`] as well:
+This will install the latest version of the Docker Compose plugin. It can be upgraded later using [`brew`] as well:
 
 ```
 $ brew upgrade --no-quarantine docker-compose

From be6a9dfd72025067b5a0bb0557816b6e79f4f871 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 31 Oct 2023 09:11:13 -0600
Subject: [PATCH 18/82] fix zeek build

---
 .../config/includes.chroot/usr/local/etc/zeek/local.zeek    | 6 +++---
 zeek/config/local.zeek                                      | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index 71728bf7a..76dd9b86b 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -190,10 +190,10 @@ event zeek_init() &priority=-5 {
         }
       }
       if (|synch_ports_tcp| > 0) {
-        Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP, synch_ports_tcp);
+        Analyzer::register_for_ports(Analyzer::ANALYZER_SYNCHROPHASOR_TCP, synch_ports_tcp);
       }
       if (|synch_ports_udp| > 0) {
-        Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP, synch_ports_udp);
+        Analyzer::register_for_ports(Analyzer::ANALYZER_SYNCHROPHASOR_UDP, synch_ports_udp);
       }
     }
   }
@@ -209,7 +209,7 @@ event zeek_init() &priority=-5 {
         }
       }
       if (|gen_ports_tcp| > 0) {
-        Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_GENISYS_TCP, gen_ports_tcp);
+        Analyzer::register_for_ports(Analyzer::ANALYZER_GENISYS_TCP, gen_ports_tcp);
       }
     }
   }
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index deadc9ace..1a7842447 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -190,10 +190,10 @@ event zeek_init() &priority=-5 {
         }
       }
       if (|synch_ports_tcp| > 0) {
-        Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP, synch_ports_tcp);
+        Analyzer::register_for_ports(Analyzer::ANALYZER_SYNCHROPHASOR_TCP, synch_ports_tcp);
       }
       if (|synch_ports_udp| > 0) {
-        Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP, synch_ports_udp);
+        Analyzer::register_for_ports(Analyzer::ANALYZER_SYNCHROPHASOR_UDP, synch_ports_udp);
       }
     }
   }
@@ -209,7 +209,7 @@ event zeek_init() &priority=-5 {
         }
       }
       if (|gen_ports_tcp| > 0) {
-        Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_GENISYS_TCP, gen_ports_tcp);
+        Analyzer::register_for_ports(Analyzer::ANALYZER_GENISYS_TCP, gen_ports_tcp);
       }
     }
   }

From 3aa72fc42167f9fae31f606d12f71a42449024c6 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 31 Oct 2023 12:18:51 -0600
Subject: [PATCH 19/82] use spicy disable protocol analyzer for LDAP

---
 .../config/includes.chroot/usr/local/etc/zeek/local.zeek      | 4 ++--
 zeek/config/local.zeek                                        | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index 76dd9b86b..f34b2a398 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -142,8 +142,8 @@ event zeek_init() &priority=-5 {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
   }
   if (disable_spicy_ldap) {
-    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
-    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_UDP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_LDAP_TCP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_LDAP_UDP);
   }
   if (disable_spicy_openvpn) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index 1a7842447..284a8f905 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -142,8 +142,8 @@ event zeek_init() &priority=-5 {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
   }
   if (disable_spicy_ldap) {
-    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
-    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_UDP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_LDAP_TCP);
+    Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_LDAP_UDP);
   }
   if (disable_spicy_openvpn) {
     Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);

From 30a05d90a5787a08bc81e67e9fc4194e4ee82b53 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 31 Oct 2023 12:37:54 -0600
Subject: [PATCH 20/82] point back upstream for a few of the plugins

---
 shared/bin/zeek_install_plugins.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 47ac71e7d..0458dbc62 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -73,11 +73,11 @@ ZKG_GITHUB_URLS=(
   "https://github.com/cisagov/icsnpp-dnp3"
   "https://github.com/cisagov/icsnpp-enip"
   "https://github.com/cisagov/icsnpp-ethercat"
-  "https://github.com/mmguero-dev/icsnpp-genisys"
+  "https://github.com/cisagov/icsnpp-genisys"
   "https://github.com/mmguero-dev/icsnpp-modbus"
   "https://github.com/cisagov/icsnpp-opcua-binary"
   "https://github.com/cisagov/icsnpp-s7comm"
-  "https://github.com/mmguero-dev/icsnpp-synchrophasor"
+  "https://github.com/cisagov/icsnpp-synchrophasor"
   "https://github.com/corelight/callstranger-detector"
   "https://github.com/corelight/CVE-2020-16898"
   "https://github.com/corelight/CVE-2021-31166"
@@ -100,7 +100,7 @@ ZKG_GITHUB_URLS=(
   "https://github.com/corelight/zeek-spicy-wireguard"
   "https://github.com/mmguero-dev/zeek-xor-exe-plugin"
   "https://github.com/corelight/zerologon"
-  "https://github.com/mmguero-dev/zeek-sniffpass"
+  "https://github.com/cybera/zeek-sniffpass"
   "https://github.com/mmguero-dev/bzar"
   "https://github.com/ncsa/bro-is-darknet"
   "https://github.com/ncsa/bro-simple-scan"

From 2a804c62a83ac02c20ab382ac7b95cf06169af4b Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 31 Oct 2023 14:13:31 -0600
Subject: [PATCH 21/82] use prefix.description instead of VRF for identifying
 subnets in NetBox (idaholab/Malcolm#280); needs testing

---
 config/netbox-common.env.example             |  2 +-
 docs/asset-interaction-analysis.md           |  9 ++-
 logstash/pipelines/enrichment/21_netbox.conf |  4 +-
 logstash/ruby/netbox_enrich.rb               | 46 ++++++----------
 netbox/preload/prefixes_defaults.yml         |  3 -
 netbox/preload/vrfs_defaults.yml             |  6 --
 netbox/scripts/netbox_init.py                | 58 +++-----------------
 scripts/install.py                           |  2 +-
 8 files changed, 33 insertions(+), 97 deletions(-)
 delete mode 100644 netbox/preload/vrfs_defaults.yml

diff --git a/config/netbox-common.env.example b/config/netbox-common.env.example
index 0caba9062..000500b0c 100644
--- a/config/netbox-common.env.example
+++ b/config/netbox-common.env.example
@@ -3,7 +3,7 @@
 # The name of the default "site" to be created upon NetBox initialization, and to be queried
 #   for enrichment (see LOGSTASH_NETBOX_ENRICHMENT)
 NETBOX_DEFAULT_SITE=Malcolm
-# Whether or not to create catch-all VRFs/IP Prefixes for private IP space
+# Whether or not to create catch-all IP Prefixes for private IP space
 NETBOX_PRELOAD_PREFIXES=false
 # Whether to disable Malcolm's NetBox instance ('true') or not ('false')
 NETBOX_DISABLED=true
diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md
index dced1e2ce..228541cde 100644
--- a/docs/asset-interaction-analysis.md
+++ b/docs/asset-interaction-analysis.md
@@ -31,11 +31,11 @@ As Zeek logs and Suricata alerts are parsed and enriched (if the `LOGSTASH_NETBO
     - `destination.device.site` (`/dcim/sites/`)
     - `destination.device.url` (`/dcim/devices/`)
     - `destination.device.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#MalcolmConfigEnvVars))
-    - `destination.segment.id` (`/ipam/vrfs/{id}`)
-    - `destination.segment.name` (`/ipam/vrfs/`)
+    - `destination.segment.id` (`/ipam/prefixes/{id}`)
+    - `destination.segment.name` (`/ipam/prefixes/{description}`)
     - `destination.segment.site` (`/dcim/sites/`)
     - `destination.segment.tenant` (`/tenancy/tenants/`)
-    - `destination.segment.url` (`/ipam/vrfs/`)
+    - `destination.segment.url` (`/ipam/prefixes/`)
     - `destination.segment.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#MalcolmConfigEnvVars))
 * `source.…` same as `destination.…`
 * collected as `related` fields (the [same approach](https://www.elastic.co/guide/en/ecs/current/ecs-related.html) used in ECS)
@@ -78,7 +78,6 @@ The [Populating Data](https://docs.netbox.dev/en/stable/getting-started/populati
 The following elements of the NetBox data model are used by Malcolm for Asset Interaction Analysis.
 
 * Network segments
-    - [Virtual Routing and Forwarding (VRF)](https://docs.netbox.dev/en/stable/models/ipam/vrf/)
     - [Prefixes](https://docs.netbox.dev/en/stable/models/ipam/prefix/)
 * Network Hosts
     - [Devices](https://docs.netbox.dev/en/stable/models/dcim/device/)
@@ -99,7 +98,7 @@ However, careful consideration should be made before enabling this feature: the
 
 Devices created using this autopopulate method will have their `status` field set to `staged`. It is recommended that users periodically review automatically-created devices for correctness and to fill in known details that couldn't be determined from network traffic. For example, the `manufacturer` field for automatically-created devices will be set based on the organizational unique identifier (OUI) determined from the first three bytes of the observed MAC address, which may not be accurate if the device's traffic was observed across a router. If possible, observed hostnames will be used in the naming of the automatically-created devices, falling back to the device manufacturer otherwise (e.g., `MYHOSTNAME @ 10.10.0.123` vs. `Schweitzer Engineering @ 10.10.0.123`).
 
-Since device autocreation is based on IP address, information about network segments (including [virtual routing and forwarding (VRF)](https://docs.netbox.dev/en/stable/models/ipam/vrf/) and [prefixes](https://docs.netbox.dev/en/stable/models/ipam/prefix/)) must be first [manually specified](#NetBoxPopManual) in NetBox in order for devices to be automatically populated.
+Since device autocreation is based on IP address, information about network segments (IP [prefixes](https://docs.netbox.dev/en/stable/models/ipam/prefix/)) must be first [manually specified](#NetBoxPopManual) in NetBox in order for devices to be automatically populated. Users should populate the `description` field in the NetBox IPAM Prefixes data model to specify a name to be used for NetBox network segment autopopulation and enrichment, otherwise the IP prefix itself will be used.
 
 Although network devices can be automatically created using this method, [services](https://demo.netbox.dev/static/docs/core-functionality/services/#service-templates) should inventoried manually. The **Uninventoried Observed Services** visualization in the [**Zeek Known Summary** dashboard](dashboards.md#DashboardsVisualizations) can help users review network services to be created in NetBox.
 
diff --git a/logstash/pipelines/enrichment/21_netbox.conf b/logstash/pipelines/enrichment/21_netbox.conf
index 66c0f34db..a4370ab8b 100644
--- a/logstash/pipelines/enrichment/21_netbox.conf
+++ b/logstash/pipelines/enrichment/21_netbox.conf
@@ -27,7 +27,7 @@ filter {
         script_params => {
           "source" => "[source][ip]"
           "target" => "[source][segment]"
-          "lookup_type" => "ip_vrf"
+          "lookup_type" => "ip_prefix"
           "lookup_site_env" => "NETBOX_DEFAULT_SITE"
           "verbose_env" => "LOGSTASH_NETBOX_ENRICHMENT_VERBOSE"
           "netbox_token_env" => "SUPERUSER_API_TOKEN"
@@ -66,7 +66,7 @@ filter {
         script_params => {
           "source" => "[destination][ip]"
           "target" => "[destination][segment]"
-          "lookup_type" => "ip_vrf"
+          "lookup_type" => "ip_prefix"
           "lookup_site_env" => "NETBOX_DEFAULT_SITE"
           "verbose_env" => "LOGSTASH_NETBOX_ENRICHMENT_VERBOSE"
           "netbox_token_env" => "SUPERUSER_API_TOKEN"
diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb
index fedc370dd..7ca8d0e13 100644
--- a/logstash/ruby/netbox_enrich.rb
+++ b/logstash/ruby/netbox_enrich.rb
@@ -20,7 +20,7 @@ def register(params)
   @source = params["source"]
 
   # lookup type
-  #   valid values are: ip_device, ip_vrf
+  #   valid values are: ip_device, ip_prefix
   @lookup_type = params.fetch("lookup_type", "").to_sym
 
   # site value to include in queries for enrichment lookups, either specified directly or read from ENV
@@ -257,12 +257,12 @@ def filter(event)
               _autopopulate_ip = nil
               _autopopulate_manuf = nil
               _autopopulate_site = nil
-              _vrfs = nil
+              _prefixes = nil
               _devices = nil
               _exception_error = false
 
               # handle :ip_device first, because if we're doing autopopulate we're also going to use
-              # some of the logic from :ip_vrf
+              # some of the logic from :ip_prefix
 
               if (_lookup_type == :ip_device)
               #################################################################################
@@ -630,13 +630,13 @@ def filter(event)
                 _lookup_result = _devices
               end # _lookup_type == :ip_device
 
-              # this || is because we are going to need to do the VRF lookup if we're autopopulating
+              # this || is because we are going to need to do the prefix lookup if we're autopopulating
               # as well as if we're specifically requested to do that enrichment
 
-              if (_lookup_type == :ip_vrf) || !_autopopulate_device.nil?
+              if (_lookup_type == :ip_prefix) || !_autopopulate_device.nil?
               #################################################################################
-                # retrieve the list VRFs containing IP address prefixes containing the search key
-                _vrfs = Array.new
+                # retrieve the list of IP address prefixes containing the search key
+                _prefixes = Array.new
                 _query = { :contains => _key,
                            :offset => 0,
                            :limit => _page_size }
@@ -648,16 +648,14 @@ def filter(event)
                     then
                       _tmp_prefixes = _prefixes_response.fetch(:results, [])
                       _tmp_prefixes.each do |p|
-                        if (_vrf = p.fetch(:vrf, nil))
-                          # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
-                          # if _verbose, include entire object as :details
-                          _vrfs << { :name => _vrf.fetch(:name, _vrf.fetch(:display, nil)),
-                                     :id => _vrf.fetch(:id, nil),
-                                     :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
-                                     :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),
-                                     :url => p.fetch(:url, _vrf.fetch(:url, nil)),
-                                     :details => _verbose ? _vrf.merge({:prefix => p.tap { |h| h.delete(:vrf) }}) : nil }
-                        end
+                        # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
+                        # if _verbose, include entire object as :details
+                        _prefixes << { :name => p.fetch(:description, p.fetch(:display, nil)),
+                                       :id => p.fetch(:id, nil),
+                                       :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
+                                       :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),
+                                       :url => p.fetch(:url, p.fetch(:url, nil)),
+                                       :details => _verbose ? p : nil }
                       end
                       _query[:offset] += _tmp_prefixes.length()
                       break unless (_tmp_prefixes.length() >= _page_size)
@@ -669,9 +667,9 @@ def filter(event)
                   # give up aka do nothing
                   _exception_error = true
                 end
-                _vrfs = collect_values(crush(_vrfs))
-                _lookup_result = _vrfs unless (_lookup_type != :ip_vrf)
-              end # _lookup_type == :ip_vrf
+                _prefixes = collect_values(crush(_prefixes))
+                _lookup_result = _prefixes unless (_lookup_type != :ip_prefix)
+              end # _lookup_type == :ip_prefix
 
               if !_autopopulate_device.nil? && _autopopulate_device.fetch(:id, nil)&.nonzero?
                 # device has been created, we need to create an interface for it
@@ -681,9 +679,6 @@ def filter(event)
                 if !_autopopulate_mac.nil? && !_autopopulate_mac.empty?
                   _interface_data[:mac_address] = _autopopulate_mac.is_a?(Array) ? _autopopulate_mac.first : _autopopulate_mac
                 end
-                if !_vrfs.nil? && !_vrfs.empty?
-                  _interface_data[:vrf] = _vrfs.fetch(:id, []).first
-                end
                 if (_interface_create_reponse = _nb.post(_autopopulate_manuf[:vm] ? 'virtualization/interfaces/' : 'dcim/interfaces/', _interface_data.to_json, _nb_headers).body) &&
                    _interface_create_reponse.is_a?(Hash) &&
                    _interface_create_reponse.has_key?(:id)
@@ -697,11 +692,6 @@ def filter(event)
                                :assigned_object_type => _autopopulate_manuf[:vm] ? "virtualization.vminterface" : "dcim.interface",
                                :assigned_object_id => _autopopulate_interface[:id],
                                :status => "active" }
-                  if (_vrf = _autopopulate_interface.fetch(:vrf, nil)) &&
-                     (_vrf.has_key?(:id))
-                  then
-                    _ip_data[:vrf] = _vrf[:id]
-                  end
                   if (_ip_create_reponse = _nb.post('ipam/ip-addresses/', _ip_data.to_json, _nb_headers).body) &&
                      _ip_create_reponse.is_a?(Hash) &&
                      _ip_create_reponse.has_key?(:id)
diff --git a/netbox/preload/prefixes_defaults.yml b/netbox/preload/prefixes_defaults.yml
index 6e9fe981f..0fdb935f1 100644
--- a/netbox/preload/prefixes_defaults.yml
+++ b/netbox/preload/prefixes_defaults.yml
@@ -1,6 +1,3 @@
 - prefix: 10.0.0.0/8
-  vrf: 10.0.0.0/8
 - prefix: 172.16.0.0/12
-  vrf: 172.16.0.0/12
 - prefix: 192.168.0.0/16
-  vrf: 192.168.0.0/16
diff --git a/netbox/preload/vrfs_defaults.yml b/netbox/preload/vrfs_defaults.yml
deleted file mode 100644
index d83018c72..000000000
--- a/netbox/preload/vrfs_defaults.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- enforce_unique: true
-  name: 10.0.0.0/8
-- enforce_unique: true
-  name: 172.16.0.0/12
-- enforce_unique: true
-  name: 192.168.0.0/16
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index a41063f9b..ab1aba957 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -249,7 +249,7 @@ def main():
         nargs='?',
         const=True,
         default=malcolm_utils.str2bool(os.getenv('NETBOX_PRELOAD_PREFIXES', default='False')),
-        help="Preload IPAM VRFs/IP Prefixes for private IP space",
+        help="Preload IPAM IP Prefixes for private IP space",
     )
     try:
         parser.error = parser.exit
@@ -277,7 +277,6 @@ def main():
     sites = {}
     groups = {}
     permissions = {}
-    vrfs = {}
     prefixes = {}
     devices = {}
     interfaces = {}
@@ -481,33 +480,7 @@ def main():
             with open(args.netMapFileName) as f:
                 netMapJson = json.load(f)
         if netMapJson is not None:
-            # create new VRFs
-            vrfPreExisting = {x.name: x for x in nb.ipam.vrfs.all()}
-            logging.debug(f"VRFs (before): { {k:v.id for k, v in vrfPreExisting.items()} }")
-
-            for segment in [
-                x
-                for x in get_iterable(netMapJson)
-                if isinstance(x, dict)
-                and (x.get('type', '') == "segment")
-                and x.get('name', None)
-                and is_ip_network(x.get('address', None))
-                and x['name'] not in vrfPreExisting
-            ]:
-                try:
-                    nb.ipam.vrfs.create(
-                        {
-                            "name": segment['name'],
-                            "enforce_unique": True,
-                        },
-                    )
-                except pynetbox.RequestError as nbe:
-                    logging.warning(f"{type(nbe).__name__} processing VRF \"{segment['name']}\": {nbe}")
-
-            vrfs = {x.name: x for x in nb.ipam.vrfs.all()}
-            logging.debug(f"VRFs (after): { {k:v.id for k, v in vrfs.items()} }")
-
-            # create prefixes in VRFs
+            # create IP prefixes
 
             prefixesPreExisting = {x.prefix: x for x in nb.ipam.prefixes.all()}
             logging.debug(f"prefixes (before): { {k:v.id for k, v in prefixesPreExisting.items()} }")
@@ -519,7 +492,6 @@ def main():
                 and (x.get('type', '') == "segment")
                 and x.get('name', None)
                 and is_ip_network(x.get('address', None))
-                and x['name'] in vrfs
             ]:
                 try:
                     site = min_hash_value_by_value(sites)
@@ -527,7 +499,7 @@ def main():
                         {
                             "prefix": segment['address'],
                             "site": site.id if site else None,
-                            "vrf": vrfs[segment['name']].id,
+                            "description": segment['name'],
                         },
                     )
                 except pynetbox.RequestError as nbe:
@@ -566,19 +538,11 @@ def main():
                     if deviceCreated is not None:
                         # create interface for the device
                         if is_ip_address(host['address']):
-                            hostVrf = max_hash_value_by_key(
-                                {
-                                    ipaddress.ip_network(k): v
-                                    for k, v in prefixes.items()
-                                    if ipaddress.ip_address(host['address']) in ipaddress.ip_network(k)
-                                }
-                            )
                             nb.dcim.interfaces.create(
                                 {
                                     "device": deviceCreated.id,
                                     "name": "default",
                                     "type": "other",
-                                    "vrf": hostVrf.id if hostVrf else None,
                                 },
                             )
                         elif re.match(r'^([0-9a-f]{2}[:-]){5}([0-9a-f]{2})$', host['address'].lower()):
@@ -600,7 +564,7 @@ def main():
             logging.debug(f"interfaces (after): { {k:v.id for k, v in interfaces.items()} }")
 
             # and associate IP addresses with them
-            ipAddressesPreExisting = {f"{x.address}:{x.vrf.id if x.vrf else ''}": x for x in nb.ipam.ip_addresses.all()}
+            ipAddressesPreExisting = {x.address: x for x in nb.ipam.ip_addresses.all()}
             logging.debug(f"IP addresses (before): { {k:v.id for k, v in ipAddressesPreExisting.items()} }")
 
             for host in [
@@ -613,19 +577,11 @@ def main():
                 and x['name'] in devices
             ]:
                 try:
-                    hostVrf = max_hash_value_by_key(
-                        {
-                            ipaddress.ip_network(k): v
-                            for k, v in prefixes.items()
-                            if ipaddress.ip_address(host['address']) in ipaddress.ip_network(k)
-                        }
-                    )
-                    hostKey = f"{host['address']}/{'32' if is_ip_v4_address(host['address']) else '128'}:{hostVrf.id if hostVrf else ''}"
+                    hostKey = f"{host['address']}/{'32' if is_ip_v4_address(host['address']) else '128'}"
                     if hostKey not in ipAddressesPreExisting:
                         ipCreated = nb.ipam.ip_addresses.create(
                             {
                                 "address": host['address'],
-                                "vrf": hostVrf.id if hostVrf else None,
                                 "assigned_object_type": "dcim.interface",
                                 "assigned_object_id": interfaces[devices[host['name']].id].id,
                             },
@@ -643,7 +599,7 @@ def main():
                 except pynetbox.RequestError as nbe:
                     logging.warning(f"{type(nbe).__name__} processing address \"{host['address']}\": {nbe}")
 
-            ipAddresses = {f"{x.address}:{x.vrf}": x for x in nb.ipam.ip_addresses.all()}
+            ipAddresses = {x.address: x for x in nb.ipam.ip_addresses.all()}
             logging.debug(f"IP addresses (after): { {k:v.id for k, v in ipAddresses.items()} }")
 
     except Exception as e:
@@ -659,7 +615,7 @@ def main():
                 with tempfile.TemporaryDirectory() as tmpPreloadDir:
                     copy_tree(args.preloadDir, tmpPreloadDir)
 
-                    # only preload catch-all VRFs and IP Prefixes if explicitly specified and they don't already exist
+                    # only preload catch-all IP Prefixes if explicitly specified and they don't already exist
                     if args.preloadPrefixes:
                         for loadType in ('vrfs', 'prefixes'):
                             defaultFileName = os.path.join(tmpPreloadDir, f'{loadType}_defaults.yml')
diff --git a/scripts/install.py b/scripts/install.py
index 890225a1f..dbf96fc7f 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -3685,7 +3685,7 @@ def main():
         nargs='?',
         const=True,
         default=False,
-        help="Preload NetBox IPAM VRFs/IP Prefixes for private IP space",
+        help="Preload NetBox IPAM IP Prefixes for private IP space",
     )
     netboxArgGroup.add_argument(
         '--netbox-site-name',

From 69ce77ca783ddb61415f4223cf5d53dd2698d8f5 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 1 Nov 2023 08:36:15 -0600
Subject: [PATCH 22/82] use docker compose as a plugin rather than
 docker-compose when possible

---
 docs/host-config-macos.md                     |  6 +--
 logstash/pipelines/zeek/11_zeek_parse.conf    |  4 +-
 .../includes.chroot/etc/bash.bash_functions   |  6 +--
 scripts/build.sh                              | 31 +++++++-----
 scripts/control.py                            | 40 +++++++++------
 scripts/demo/reset_and_auto_populate.sh       | 45 ++++++++++++-----
 scripts/install.py                            | 49 ++++++++++---------
 scripts/malcolm_common.py                     |  2 +
 scripts/malcolm_utils.py                      | 20 ++++++--
 .../aws/ami/scripts/Malcolm_AMI_Setup.sh      |  4 +-
 10 files changed, 132 insertions(+), 75 deletions(-)

diff --git a/docs/host-config-macos.md b/docs/host-config-macos.md
index 0f86696e2..200b7c485 100644
--- a/docs/host-config-macos.md
+++ b/docs/host-config-macos.md
@@ -14,14 +14,14 @@ $ brew install cask
 $ brew tap homebrew/cask-versions
 ```
 
-## Install docker-edge
+## Install docker
 
 ```
-$ brew install --cask docker-edge
+$ brew install --cask docker
 ```
 This will install the latest version of `docker`. It can be upgraded later using `brew` as well:
 ```
-$ brew upgrade --cask --no-quarantine docker-edge
+$ brew upgrade --cask --no-quarantine docker
 ```
 You can now run Docker from the Applications folder.
 
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index 2853a8485..0c9716b53 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -6,9 +6,9 @@
 #
 # to profile, debug:
 #   - get filters sorted by execution time (where in > 0)
-#   $ docker-compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4
+#   $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4
 #   - get filters where in != out
-#   $ docker-compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")'
+#   $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")'
 #
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 #######################
diff --git a/malcolm-iso/config/includes.chroot/etc/bash.bash_functions b/malcolm-iso/config/includes.chroot/etc/bash.bash_functions
index bfc6b2487..6dba56c0c 100644
--- a/malcolm-iso/config/includes.chroot/etc/bash.bash_functions
+++ b/malcolm-iso/config/includes.chroot/etc/bash.bash_functions
@@ -477,7 +477,7 @@ function drun() {
 }
 
 # docker compose
-alias dc="docker-compose"
+alias dc="docker compose"
 
 # Get latest container ID
 alias dl="docker ps -l -q"
@@ -562,9 +562,9 @@ function malcolmmonitor () {
       select-pane -t 5 \; \
       send-keys 'while true; do clear; free -m | grep ^Mem: | cut -d" " -f2- | sed "s/[[:space:]]\+/,/g" | sed "s/^,//" ; sleep 60; done' C-m \; \
       select-pane -t 6 \; \
-      send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker-compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/mapi/agg/event.dataset?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' | head -n $(( (MAX_HEIGHT / 2) - 1 )) ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \
+      send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/mapi/agg/event.dataset?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' | head -n $(( (MAX_HEIGHT / 2) - 1 )) ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \
       select-pane -t 7 \; \
-      send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker-compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/mapi/agg?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \
+      send-keys "while true; do clear; pushd ~/Malcolm >/dev/null 2>&1; docker compose exec -u $(id -u) api curl -sSL 'http://localhost:5000/mapi/agg?from=1970' | python3 -m json.tool | grep -P '\b(doc_count|key)\b' | tr -d '\", ' | cut -d: -f2 | paste - - -d'\t\t' ; popd >/dev/null 2>&1; sleep 60; done" C-m \; \
       split-window -v \; \
       select-pane -t 8 \; \
       send-keys "while true; do clear; find ~/Malcolm/zeek-logs/extract_files -type f | sed 's@.*/\(.*\)/.*@\1@' | sort | uniq -c | sort -nr; sleep 60; done" C-m \; \
diff --git a/scripts/build.sh b/scripts/build.sh
index 1fd2251e1..a4ff97c27 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -15,21 +15,30 @@ if ! (type "$REALPATH" && type "$DIRNAME" && type "$GREP") > /dev/null; then
   exit 1
 fi
 
-if docker-compose version >/dev/null 2>&1; then
-  DOCKER_COMPOSE_BIN=docker-compose
+DOCKER_COMPOSE_BIN=()
+if docker compose version >/dev/null 2>&1; then
+  DOCKER_COMPOSE_BIN=(docker compose)
   DOCKER_BIN=docker
-elif $GREP -q Microsoft /proc/version && docker-compose.exe version >/dev/null 2>&1; then
-  DOCKER_COMPOSE_BIN=docker-compose.exe
-  DOCKER_BIN=docker.exe
+elif docker-compose version >/dev/null 2>&1; then
+  DOCKER_COMPOSE_BIN=(docker-compose)
+  DOCKER_BIN=docker
+elif $GREP -q Microsoft /proc/version; then
+  if docker.exe compose version >/dev/null 2>&1; then
+    DOCKER_COMPOSE_BIN=(docker.exe compose)
+    DOCKER_BIN=docker.exe
+  elif docker-compose.exe version >/dev/null 2>&1; then
+    DOCKER_COMPOSE_BIN=(docker-compose.exe)
+    DOCKER_BIN=docker.exe
+  fi
 fi
 
 if [[ -f "$1" ]]; then
   CONFIG_FILE="$1"
-  DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN --profile malcolm -f "$CONFIG_FILE""
+  DOCKER_COMPOSE_COMMAND="${DOCKER_COMPOSE_BIN[@]} --profile malcolm -f "$CONFIG_FILE""
   shift # use remainder of arguments for services
 else
   CONFIG_FILE="docker-compose.yml"
-  DOCKER_COMPOSE_COMMAND="$DOCKER_COMPOSE_BIN --profile malcolm"
+  DOCKER_COMPOSE_COMMAND="${DOCKER_COMPOSE_BIN[@]} --profile malcolm"
 fi
 
 function filesize_in_image() {
@@ -52,14 +61,14 @@ pushd "$SCRIPT_PATH/.." >/dev/null 2>&1
 # make sure docker is installed, at this point it's required
 if ! $DOCKER_BIN info >/dev/null 2>&1 ; then
   echo "Docker is not installed, or not runable as this user."
-  echo "Install docker (install.py may help with that) and try again later."
+  echo "Install Docker (install.py may help with that) and try again."
   exit 1
 fi
 
-# make sure docker-compose is installed, at this point it's required
-if ! $DOCKER_COMPOSE_BIN version >/dev/null 2>&1 ; then
+# make sure docker compose is installed, at this point it's required
+if (( ${#DOCKER_COMPOSE_BIN[@]} == 0 )); then
   echo "Docker Compose is not installed, or not runable as this user."
-  echo "Install docker-compose (install.py may help with that) and try again later."
+  echo "Install Docker Compose (install.py may help with that) and try again."
   exit 1
 fi
 
diff --git a/scripts/control.py b/scripts/control.py
index 798ab9da1..d72119094 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -114,6 +114,8 @@ def __exit__(self, *args):
 
 args = None
 dockerBin = None
+# dockerComposeBin might be e.g., ('docker', 'compose') or 'docker-compose',
+#   it will be flattened in run_process
 dockerComposeBin = None
 dockerComposeYaml = None
 kubeImported = None
@@ -2267,30 +2269,38 @@ def main():
         osEnv['TMPDIR'] = MalcolmTmpPath
 
         if orchMode is OrchestrationFramework.DOCKER_COMPOSE:
-            # make sure docker/docker-compose is available
+            # make sure docker and docker compose are available
             dockerBin = 'docker.exe' if ((pyPlatform == PLATFORM_WINDOWS) and which('docker.exe')) else 'docker'
-            if (pyPlatform == PLATFORM_WINDOWS) and which('docker-compose.exe'):
-                dockerComposeBin = 'docker-compose.exe'
-            elif which('docker-compose'):
-                dockerComposeBin = 'docker-compose'
-            elif os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'):
-                dockerComposeBin = '/usr/libexec/docker/cli-plugins/docker-compose'
-            elif os.path.isfile('/usr/local/opt/docker-compose/bin/docker-compose'):
-                dockerComposeBin = '/usr/local/opt/docker-compose/bin/docker-compose'
-            elif os.path.isfile('/usr/local/bin/docker-compose'):
-                dockerComposeBin = '/usr/local/bin/docker-compose'
-            elif os.path.isfile('/usr/bin/docker-compose'):
-                dockerComposeBin = '/usr/bin/docker-compose'
-            else:
-                dockerComposeBin = 'docker-compose'
             err, out = run_process([dockerBin, 'info'], debug=args.debug)
             if err != 0:
                 raise Exception(f'{ScriptName} requires docker, please run install.py')
+            # first check if compose is available as a docker plugin
+            dockerComposeBin = (dockerBin, 'compose')
             err, out = run_process(
                 [dockerComposeBin, '--profile', PROFILE_MALCOLM, '-f', args.composeFile, 'version'],
                 env=osEnv,
                 debug=args.debug,
             )
+            if err != 0:
+                if (pyPlatform == PLATFORM_WINDOWS) and which('docker-compose.exe'):
+                    dockerComposeBin = 'docker-compose.exe'
+                elif which('docker-compose'):
+                    dockerComposeBin = 'docker-compose'
+                elif os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'):
+                    dockerComposeBin = '/usr/libexec/docker/cli-plugins/docker-compose'
+                elif os.path.isfile('/usr/local/opt/docker-compose/bin/docker-compose'):
+                    dockerComposeBin = '/usr/local/opt/docker-compose/bin/docker-compose'
+                elif os.path.isfile('/usr/local/bin/docker-compose'):
+                    dockerComposeBin = '/usr/local/bin/docker-compose'
+                elif os.path.isfile('/usr/bin/docker-compose'):
+                    dockerComposeBin = '/usr/bin/docker-compose'
+                else:
+                    dockerComposeBin = 'docker-compose'
+                err, out = run_process(
+                    [dockerComposeBin, '--profile', PROFILE_MALCOLM, '-f', args.composeFile, 'version'],
+                    env=osEnv,
+                    debug=args.debug,
+                )
             if err != 0:
                 raise Exception(f'{ScriptName} requires docker-compose, please run install.py')
 
diff --git a/scripts/demo/reset_and_auto_populate.sh b/scripts/demo/reset_and_auto_populate.sh
index d07634217..38dea9057 100755
--- a/scripts/demo/reset_and_auto_populate.sh
+++ b/scripts/demo/reset_and_auto_populate.sh
@@ -57,6 +57,7 @@ NUMERIC_REGEX='^[0-9]+$'
 # get directory script is executing from
 [[ -n $MACOS ]] && REALPATH=grealpath || REALPATH=realpath
 [[ -n $MACOS ]] && DIRNAME=gdirname || DIRNAME=dirname
+[[ -n $MACOS ]] && GREP=ggrep || GREP=grep
 if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then
   echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME" >&2
   exit 1
@@ -77,6 +78,7 @@ RESTART="false"
 READ_ONLY="false"
 NGINX_DISABLE="false"
 MALCOLM_DOCKER_COMPOSE="$FULL_PWD"/docker-compose.yml
+MALCOLM_PROFILE=malcolm
 NETBOX_BACKUP_FILE=""
 PCAP_FILES=()
 PCAP_ADJUST_SCRIPT=""
@@ -86,7 +88,7 @@ PCAP_PROCESS_PRE_WAIT=120
 PCAP_PROCESS_IDLE_SECONDS=180
 PCAP_PROCESS_IDLE_MAX_SECONDS=3600
 NETBOX_INIT_MAX_SECONDS=300
-while getopts 'vwronlb:m:i:x:s:d:' OPTION; do
+while getopts 'vwronlb:m:i:x:s:d:p:' OPTION; do
   case "$OPTION" in
     v)
       VERBOSE_FLAG="-v"
@@ -120,6 +122,10 @@ while getopts 'vwronlb:m:i:x:s:d:' OPTION; do
       MALCOLM_DOCKER_COMPOSE="$OPTARG"
       ;;
 
+    p)
+      MALCOLM_PROFILE="$OPTARG"
+      ;;
+
     s)
       if [[ $OPTARG =~ $NUMERIC_REGEX ]] ; then
          PCAP_PROCESS_IDLE_SECONDS=$OPTARG
@@ -161,6 +167,19 @@ else
   PCAP_ADJUST_SCRIPT=""
 fi
 
+DOCKER_COMPOSE_BIN=()
+if docker compose version >/dev/null 2>&1; then
+  DOCKER_COMPOSE_BIN=(docker compose)
+elif docker-compose version >/dev/null 2>&1; then
+  DOCKER_COMPOSE_BIN=(docker-compose)
+elif [[ -n $WINDOWS ]]; then
+  if docker.exe compose version >/dev/null 2>&1; then
+    DOCKER_COMPOSE_BIN=(docker.exe compose)
+  elif docker-compose.exe version >/dev/null 2>&1; then
+    DOCKER_COMPOSE_BIN=(docker-compose.exe)
+  fi
+fi
+
 [[ -n $VERBOSE_FLAG ]] && echo "$(basename "${BASH_SOURCE[0]}") in \"${SCRIPT_PATH}\" called from \"${FULL_PWD}\"" >&2 && set -x
 
 ###############################################################################
@@ -199,7 +218,7 @@ function urlencode() {
 trap clean_up EXIT
 
 if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
-   which docker-compose >/dev/null 2>&1 && \
+   (( ${#DOCKER_COMPOSE_BIN[@]} > 0 )) && \
    which jq >/dev/null 2>&1; then
   mkdir -p "$WORKDIR"
 
@@ -267,11 +286,11 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
   fi
 
   if [[ "$NGINX_DISABLE" == "true" ]]; then
-    docker-compose -f "$MALCOLM_FILE" pause nginx-proxy
+    ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" pause nginx-proxy
   fi
 
   # wait for logstash to be ready for Zeek logs to be ingested
-  until docker-compose -f "$MALCOLM_FILE" logs logstash 2>/dev/null | grep -q "Pipelines running"; do
+  until ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" logs logstash 2>/dev/null | $GREP -q "Pipelines running"; do
     [[ -n $VERBOSE_FLAG ]] && echo "waiting for Malcolm to become ready for PCAP data..." >&2
     sleep 10
   done
@@ -283,7 +302,7 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
     # wait for NetBox to be ready with the initial startup before we go mucking around
     CURRENT_TIME=$(date -u +%s)
     FIRST_NETBOX_INIT_CHECK_TIME=$CURRENT_TIME
-    until docker-compose -f "$MALCOLM_FILE" logs netbox 2>/dev/null | grep -q "Unit configuration loaded successfully"; do
+    until ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" logs netbox 2>/dev/null | $GREP -q "Unit configuration loaded successfully"; do
       [[ -n $VERBOSE_FLAG ]] && echo "waiting for NetBox initialization to complete..." >&2
       sleep 10
       # if it's been more than the maximum wait time, bail
@@ -318,7 +337,7 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
         fi
 
         # get the total number of session records in the database
-        NEW_LOG_COUNT=$(( docker-compose -f "$MALCOLM_FILE" exec -u $(id -u) -T api \
+        NEW_LOG_COUNT=$(( ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" exec -u $(id -u) -T api \
                           curl -sSL "http://localhost:5000/mapi/agg/event.provider?from=1970" | \
                           jq -r '.. | .buckets? // empty | .[] | objects | [.doc_count|tostring] | join ("")' | \
                           awk '{s+=$1} END {print s}') 2>/dev/null )
@@ -349,7 +368,7 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
   fi
 
   if [[ "$NGINX_DISABLE" == "true" ]]; then
-    docker-compose -f "$MALCOLM_FILE" unpause nginx-proxy
+    ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" unpause nginx-proxy
     sleep 10
   fi
 
@@ -357,8 +376,8 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
     [[ -n $VERBOSE_FLAG ]] && echo "Ensuring creation of user accounts prior to setting to read-only" >&2
     for USER in \
       $(cat nginx/htpasswd | cut -d: -f1) \
-      $(grep -q -P "NGINX_BASIC_AUTH\s*=s*no_authentication" "$MALCOLM_PATH"/config/auth-common.env && echo guest); do
-      docker-compose -f "$MALCOLM_FILE" exec -T arkime curl -ksSL -XGET \
+      $($GREP -q -P "NGINX_BASIC_AUTH\s*=s*no_authentication" "$MALCOLM_PATH"/config/auth-common.env && echo guest); do
+      ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" exec -T arkime curl -ksSL -XGET \
         --header 'Content-type:application/json' \
         --header "http_auth_http_user:$USER" \
         --header "Authorization:" \
@@ -366,12 +385,12 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
     done
     sleep 5
     [[ -n $VERBOSE_FLAG ]] && echo "Setting cluster to read-only" >&2
-    docker-compose -f "$MALCOLM_FILE" exec -T nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
+    ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" exec -T nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
     sleep 5
-    docker-compose -f "$MALCOLM_FILE" exec -T dashboards-helper /data/opensearch_read_only.py -i _cluster
+    ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" exec -T dashboards-helper /data/opensearch_read_only.py -i _cluster
     sleep 5
     for CONTAINER in htadmin filebeat logstash upload pcap-monitor zeek zeek-live suricata suricata-live pcap-capture freq; do
-      docker-compose -f "$MALCOLM_FILE" pause "$CONTAINER" || true
+      ${DOCKER_COMPOSE_BIN[@]} --profile "$MALCOLM_PROFILE" -f "$MALCOLM_FILE" pause "$CONTAINER" || true
     done
     sleep 5
   fi
@@ -381,6 +400,6 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \
   [[ -n $VERBOSE_FLAG ]] && echo "Finished" >&2
 else
   echo "must specify docker-compose.yml file with -m and PCAP file(s)" >&2
-  echo "also, pcap_time_shift.py, docker-compose and jq must be available"
+  echo "also, pcap_time_shift.py, docker compose and jq must be available"
   exit 1
 fi
\ No newline at end of file
diff --git a/scripts/install.py b/scripts/install.py
index dbf96fc7f..6a6479923 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -72,6 +72,7 @@
     DATABASE_MODE_ENUMS,
     deep_get,
     eprint,
+    flatten,
     run_process,
     same_file_or_dir,
     str2bool,
@@ -80,11 +81,12 @@
 )
 
 ###################################################################################################
-DOCKER_COMPOSE_INSTALL_VERSION = "2.20.3"
+DOCKER_COMPOSE_INSTALL_VERSION = "2.23.0"
 
 DEB_GPG_KEY_FINGERPRINT = '0EBFCD88'  # used to verify GPG key for Docker Debian repository
 
-MAC_BREW_DOCKER_PACKAGE = 'docker-edge'
+MAC_BREW_DOCKER_PACKAGE = 'docker'
+MAC_BREW_DOCKER_COMPOSE_PACKAGE = 'docker-compose'
 MAC_BREW_DOCKER_SETTINGS = '/Users/{}/Library/Group Containers/group.com.docker/settings.json'
 
 LOGSTASH_JAVA_OPTS_DEFAULT = '-server -Xms2500m -Xmx2500m -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true'
@@ -2570,22 +2572,27 @@ def install_docker_compose(self):
         result = False
 
         if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
-            dockerComposeCmd = 'docker-compose'
-            if not which(dockerComposeCmd, debug=self.debug):
-                if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'):
-                    dockerComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose'
-                elif os.path.isfile('/usr/local/bin/docker-compose'):
-                    dockerComposeCmd = '/usr/local/bin/docker-compose'
-
-            # first see if docker-compose is already installed and runnable (try non-root and root)
+            # first see if docker compose/docker-compose is already installed and runnable
+            #   (try non-root and root)
+            dockerComposeCmd = ('docker', 'compose')
             err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False)
             if err != 0:
                 err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True)
+                if err != 0:
+                    dockerComposeCmd = 'docker-compose'
+                    if not which(dockerComposeCmd, debug=self.debug):
+                        if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'):
+                            dockerComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose'
+                        elif os.path.isfile('/usr/local/bin/docker-compose'):
+                            dockerComposeCmd = '/usr/local/bin/docker-compose'
+                    err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False)
+                    if err != 0:
+                        err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True)
 
             if (err != 0) and InstallerYesOrNo(
-                '"docker-compose version" failed, attempt to install docker-compose?', default=True
+                'docker compose failed, attempt to install docker compose?', default=True
             ):
-                if InstallerYesOrNo('Install docker-compose directly from docker github?', default=True):
+                if InstallerYesOrNo('Install docker compose directly from docker github?', default=True):
                     # download docker-compose from github and put it in /usr/local/bin
 
                     # need to know some linux platform info
@@ -2617,7 +2624,7 @@ def install_docker_compose(self):
 
                 elif InstallerYesOrNo('Install docker-compose via pip (privileged)?', default=False):
                     # install docker-compose via pip (as root)
-                    err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=True)
+                    err, out = self.run_process([self.pipCmd, 'install', 'docker-compose'], privileged=True)
                     if err == 0:
                         eprint("Installation of docker-compose apparently succeeded")
                     else:
@@ -2625,7 +2632,7 @@ def install_docker_compose(self):
 
                 elif InstallerYesOrNo('Install docker-compose via pip (user)?', default=True):
                     # install docker-compose via pip (regular user)
-                    err, out = self.run_process([self.pipCmd, 'install', dockerComposeCmd], privileged=False)
+                    err, out = self.run_process([self.pipCmd, 'install', 'docker-compose'], privileged=False)
                     if err == 0:
                         eprint("Installation of docker-compose apparently succeeded")
                     else:
@@ -2639,11 +2646,11 @@ def install_docker_compose(self):
             if err == 0:
                 result = True
                 if self.debug:
-                    eprint('"docker-compose version" succeeded')
+                    eprint('docker compose succeeded')
 
             else:
                 raise Exception(
-                    f'{ScriptName} requires docker-compose, please see {DOCKER_COMPOSE_INSTALL_URLS[self.platform]}'
+                    f'{ScriptName} requires docker compose, please see {DOCKER_COMPOSE_INSTALL_URLS[self.platform]}'
                 )
 
         return result
@@ -2894,7 +2901,7 @@ def install_docker(self):
             elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True):
                 if self.useBrew:
                     # install docker via brew cask (requires user interaction)
-                    dockerPackages = [MAC_BREW_DOCKER_PACKAGE, "docker-compose"]
+                    dockerPackages = [MAC_BREW_DOCKER_PACKAGE, MAC_BREW_DOCKER_COMPOSE_PACKAGE]
                     eprint(f"Installing docker packages: {dockerPackages}")
                     if self.install_package(dockerPackages):
                         eprint("Installation of docker packages apparently succeeded")
@@ -2915,7 +2922,7 @@ def install_docker(self):
                     else:
                         tempFileName = os.path.join(self.tempDirName, 'Docker.dmg')
                     if DownloadToFile(
-                        'https://download.docker.com/mac/edge/Docker.dmg', tempFileName, debug=self.debug
+                        'https://desktop.docker.com/mac/main/amd64/Docker.dmg', tempFileName, debug=self.debug
                     ):
                         while True:
                             response = InstallerAskForString(
@@ -2932,12 +2939,10 @@ def install_docker(self):
                         eprint('"docker info" succeeded')
 
                 elif err != 0:
-                    raise Exception(
-                        f'{ScriptName} requires docker edge, please see {DOCKER_INSTALL_URLS[self.platform]}'
-                    )
+                    raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.platform]}')
 
             elif err != 0:
-                raise Exception(f'{ScriptName} requires docker edge, please see {DOCKER_INSTALL_URLS[self.platform]}')
+                raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.platform]}')
 
             # tweak CPU/RAM usage for Docker in Mac
             settingsFile = MAC_BREW_DOCKER_SETTINGS.format(self.scriptUser)
diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py
index 552557eaf..843af368a 100644
--- a/scripts/malcolm_common.py
+++ b/scripts/malcolm_common.py
@@ -99,6 +99,8 @@ class UserInterfaceMode(IntFlag):
 DOCKER_INSTALL_URLS[PLATFORM_MAC] = [
     'https://www.code2bits.com/how-to-install-docker-on-macos-using-homebrew/',
     'https://docs.docker.com/docker-for-mac/install/',
+    'https://formulae.brew.sh/formula/docker',
+    'https://formulae.brew.sh/formula/docker-compose',
 ]
 DOCKER_COMPOSE_INSTALL_URLS = defaultdict(lambda: 'https://docs.docker.com/compose/install/')
 HOMEBREW_INSTALL_URLS = defaultdict(lambda: 'https://brew.sh/')
diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py
index f7c80e85a..a89849165 100644
--- a/scripts/malcolm_utils.py
+++ b/scripts/malcolm_utils.py
@@ -297,6 +297,17 @@ def EVP_BytesToKey(key_length: int, iv_length: int, md, salt: bytes, data: bytes
     return key, iv
 
 
+###################################################################################################
+# flatten a collection, but don't split strings
+def flatten(coll):
+    for i in coll:
+        if isinstance(i, Iterable) and not isinstance(i, str):
+            for subc in flatten(i):
+                yield subc
+        else:
+            yield i
+
+
 ###################################################################################################
 # if the object is an iterable, return it, otherwise return a tuple with it as a single element.
 # useful if you want to user either a scalar or an array in a loop, etc.
@@ -634,11 +645,12 @@ def run_process(
 ):
     retcode = -1
     output = []
+    flat_command = list(flatten(get_iterable(command)))
 
     try:
         # run the command
         retcode, cmdout, cmderr = check_output_input(
-            command,
+            flat_command,
             input=stdin.encode() if stdin else None,
             cwd=cwd,
             env=env,
@@ -652,11 +664,11 @@ def run_process(
 
     except (FileNotFoundError, OSError, IOError):
         if stderr:
-            output.append("Command {} not found or unable to execute".format(command))
+            output.append("Command {} not found or unable to execute".format(flat_command))
 
     if debug:
         dbgStr = "{}{} returned {}: {}".format(
-            command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output
+            flat_command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output
         )
         if logger is not None:
             logger.debug(dbgStr)
@@ -666,7 +678,7 @@ def run_process(
     if (retcode != 0) and retry and (retry > 0):
         # sleep then retry
         time.sleep(retrySleepSec)
-        return run_process(command, stdout, stderr, stdin, retry - 1, retrySleepSec, cwd, env, debug, logger)
+        return run_process(flat_command, stdout, stderr, stdin, retry - 1, retrySleepSec, cwd, env, debug, logger)
     else:
         return retcode, output
 
diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
index 44113adf2..a1c4d1f80 100755
--- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
+++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
@@ -32,7 +32,7 @@ fi
 # -u UID      (user UID, e.g., 1000)
 VERBOSE_FLAG=
 MALCOLM_REPO=${MALCOLM_REPO:-idaholab/Malcolm}
-MALCOLM_TAG=${MALCOLM_TAG:-v23.05.1}
+MALCOLM_TAG=${MALCOLM_TAG:-v23.10.0}
 [[ -z "$MALCOLM_UID" ]] && ( [[ $EUID -eq 0 ]] && MALCOLM_UID=1000 || MALCOLM_UID="$(id -u)" )
 while getopts 'vr:t:u:' OPTION; do
   case "$OPTION" in
@@ -217,7 +217,7 @@ function InstallMalcolm {
         mv docker-compose-standalone.yml docker-compose.yml
         for ENVEXAMPLE in ./config/*.example; do ENVFILE="${ENVEXAMPLE%.*}"; cp "$ENVEXAMPLE" "$ENVFILE"; done
         echo "Pulling Docker images..." >&2
-        docker-compose pull >/dev/null 2>&1
+        docker-compose --profile malcolm pull >/dev/null 2>&1
         rm -f ./config/*.env
         docker images
         popd >/dev/null 2>&1

From 4be0d17cc2e1f4798fc6d13e9b61a2c520621741 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 1 Nov 2023 09:55:53 -0600
Subject: [PATCH 23/82] fix issue with logs

---
 scripts/control.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/control.py b/scripts/control.py
index d72119094..0ab1f8e50 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -60,6 +60,7 @@
     deep_get,
     dictsearch,
     eprint,
+    flatten,
     EscapeAnsi,
     EscapeForCurl,
     get_iterable,
@@ -784,7 +785,7 @@ def logs():
 
     if cmd:
         process = Popen(
-            cmd,
+            flatten(cmd),
             env=osEnv,
             stdout=PIPE,
             stderr=None if args.debug else DEVNULL,

From fd69cad435c0562ac06a3442a8f11e864065d215 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 1 Nov 2023 10:48:51 -0600
Subject: [PATCH 24/82] fix issue parsing dns.ip

---
 logstash/pipelines/zeek/12_zeek_mutate.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index fd9fdf627..6d3b61636 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -410,7 +410,7 @@ filter {
       ruby {
         id => "ruby_zeek_dns_answers_ip_extract"
         # todo: adjust this regex so it at least sort of catches IPv6 as well
-        code => "event.set('[@metadata][answers_ip]', event.get('[zeek][dns][answers]').scan(/\d+\.\d+\.\d+\.\d+/).join(','))"
+        code => "event.set('[@metadata][answers_ip]', event.get('[zeek][dns][answers]').scan(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/).join(','))"
       }
       mutate { id => "mutate_split_zeek_dns_answers"
                split => { "[zeek][dns][answers]" => "," } }

From e5188807dd1dc2aa3de8ab8b462aa08e2e7edd9d Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 1 Nov 2023 15:28:37 -0600
Subject: [PATCH 25/82] make sure preloaded prefixes get populated with default
 site name (idaholab/Malcolm#279)

---
 netbox/preload/prefixes_defaults.yml | 3 +++
 netbox/scripts/netbox_init.py        | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/netbox/preload/prefixes_defaults.yml b/netbox/preload/prefixes_defaults.yml
index 0fdb935f1..1788bb584 100644
--- a/netbox/preload/prefixes_defaults.yml
+++ b/netbox/preload/prefixes_defaults.yml
@@ -1,3 +1,6 @@
 - prefix: 10.0.0.0/8
+  site: NETBOX_DEFAULT_SITE
 - prefix: 172.16.0.0/12
+  site: NETBOX_DEFAULT_SITE
 - prefix: 192.168.0.0/16
+  site: NETBOX_DEFAULT_SITE
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index ab1aba957..65d6746b4 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -617,12 +617,16 @@ def main():
 
                     # only preload catch-all IP Prefixes if explicitly specified and they don't already exist
                     if args.preloadPrefixes:
+                        defaultSiteName = next(iter([x for x in args.netboxSites]), None)
                         for loadType in ('vrfs', 'prefixes'):
                             defaultFileName = os.path.join(tmpPreloadDir, f'{loadType}_defaults.yml')
                             loadFileName = os.path.join(tmpPreloadDir, f'{loadType}.yml')
                             if os.path.isfile(defaultFileName) and (not os.path.isfile(loadFileName)):
                                 try:
-                                    shutil.copyfile(defaultFileName, loadFileName)
+                                    with open(defaultFileName, 'r') as infile:
+                                        with open(loadFileName, 'w') as outfile:
+                                            for line in infile:
+                                                outfile.write(line.replace("NETBOX_DEFAULT_SITE", defaultSiteName))
                                 except Exception:
                                     pass
 

From c2f043e21152be4e089493879f5712b88be21ac7 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 1 Nov 2023 15:47:36 -0600
Subject: [PATCH 26/82] fix start not stopping log display

---
 scripts/control.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/control.py b/scripts/control.py
index 0ab1f8e50..8eedfc858 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -785,7 +785,7 @@ def logs():
 
     if cmd:
         process = Popen(
-            flatten(cmd),
+            list(flatten(cmd)),
             env=osEnv,
             stdout=PIPE,
             stderr=None if args.debug else DEVNULL,
@@ -807,6 +807,7 @@ def logs():
                 and (not args.cmdLogs)
                 and finishedStartingRegEx.match(output)
             ):
+                shuttingDown[0] = True
                 process.terminate()
                 try:
                     process.wait(timeout=5.0)

From 570fce916028ac57456774ee1170a73c5f51a50c Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 1 Nov 2023 16:53:31 -0600
Subject: [PATCH 27/82] fix issue with prefix name not being used for segments
 correctly (idaholab/Malcolm#280)

---
 logstash/ruby/netbox_enrich.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/logstash/ruby/netbox_enrich.rb b/logstash/ruby/netbox_enrich.rb
index 7ca8d0e13..4eabb0bb4 100644
--- a/logstash/ruby/netbox_enrich.rb
+++ b/logstash/ruby/netbox_enrich.rb
@@ -650,7 +650,11 @@ def filter(event)
                       _tmp_prefixes.each do |p|
                         # non-verbose output is flatter with just names { :name => "name", :id => "id", ... }
                         # if _verbose, include entire object as :details
-                        _prefixes << { :name => p.fetch(:description, p.fetch(:display, nil)),
+                        _prefixName = p.fetch(:description, nil)
+                        if _prefixName.nil? || _prefixName.empty?
+                          _prefixName = p.fetch(:display, p.fetch(:prefix, nil))
+                        end
+                        _prefixes << { :name => _prefixName,
                                        :id => p.fetch(:id, nil),
                                        :site => ((_site = p.fetch(:site, nil)) && _site&.has_key?(:name)) ? _site[:name] : _site&.fetch(:display, nil),
                                        :tenant => ((_tenant = p.fetch(:tenant, nil)) && _tenant&.has_key?(:name)) ? _tenant[:name] : _tenant&.fetch(:display, nil),

From 326b8f6febb2909e0059f4a9a7480ac218cbc44b Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 8 Nov 2023 07:21:17 -0700
Subject: [PATCH 28/82] update logstash
 (https://www.elastic.co/guide/en/logstash/current/logstash-8-11-0.html) and
 beats
 (https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-8.11.0.html)
 to v8.11.0

---
 Dockerfiles/filebeat.Dockerfile | 2 +-
 Dockerfiles/logstash.Dockerfile | 2 +-
 sensor-iso/build.sh             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index 38fed5933..8d4e2e163 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/beats/filebeat-oss:8.10.4
+FROM docker.elastic.co/beats/filebeat-oss:8.11.0
 
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 0c2c9258c..fa930f676 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/logstash/logstash-oss:8.10.4
+FROM docker.elastic.co/logstash/logstash-oss:8.11.0
 
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh
index 36d50c276..a2575756e 100755
--- a/sensor-iso/build.sh
+++ b/sensor-iso/build.sh
@@ -5,7 +5,7 @@ IMAGE_PUBLISHER=idaholab
 IMAGE_VERSION=1.0.0
 IMAGE_DISTRIBUTION=bookworm
 
-BEATS_VER="8.10.4"
+BEATS_VER="8.11.0"
 BEATS_OSS="-oss"
 
 BUILD_ERROR_CODE=1

From 5dbb346d0e28ed616e3da4d74cadbd8418bc24ff Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Thu, 9 Nov 2023 09:41:40 -0700
Subject: [PATCH 29/82] Fluent-bit to v2.2.0
 (https://github.com/fluent/fluent-bit/releases/tag/v2.2.0)

---
 docs/asset-interaction-analysis.md            |  2 --
 scripts/control.py                            | 34 +++++++++++++++++++
 scripts/third-party-logs/fluent-bit-setup.ps1 |  4 +--
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md
index 228541cde..651af3350 100644
--- a/docs/asset-interaction-analysis.md
+++ b/docs/asset-interaction-analysis.md
@@ -133,5 +133,3 @@ To clear the existing NetBox database and restore a previous backup, run the fol
 ./scripts/netbox-restore --netbox-restore ./malcolm_netbox_backup_20230110-125756.gz
 
 ```
-
-Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox-secret.env` environment file. A restored NetBox backup **will not work** if this value is different from when it was created.
diff --git a/scripts/control.py b/scripts/control.py
index 8eedfc858..dce0e2aab 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -608,6 +608,19 @@ def netboxRestore(backupFileName=None):
             if err != 0:
                 raise Exception('Error creating new NetBox database')
 
+            # make sure permissions are set up right
+            dockerCmd = dockerCmdBase + [
+                'netbox-postgres',
+                'psql',
+                '-U',
+                'netbox',
+                '-c',
+                'GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox',
+            ]
+            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
+            if err != 0:
+                raise Exception('Error setting NetBox database permissions')
+
             # load the backed-up psql dump
             dockerCmd = dockerCmdBase + ['netbox-postgres', 'psql', '-U', 'netbox']
             with gzip.open(backupFileName, 'rt') as f:
@@ -673,6 +686,27 @@ def netboxRestore(backupFileName=None):
             if err != 0:
                 raise Exception(f'Error creating new NetBox database: {results}')
 
+            # make sure permissions are set up right
+            if podsResults := PodExec(
+                service='netbox-postgres',
+                namespace=args.namespace,
+                command=[
+                    'netbox-postgres',
+                    'psql',
+                    '-U',
+                    'netbox',
+                    '-c',
+                    'GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox',
+                ],
+            ):
+                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+            else:
+                err = 1
+                results = []
+            if err != 0:
+                raise Exception(f'Error setting NetBox database permissions: {results}')
+
             # load the backed-up psql dump
             with gzip.open(backupFileName, 'rt') as f:
                 if podsResults := PodExec(
diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1
index bde65a2d5..2fa6f40dd 100644
--- a/scripts/third-party-logs/fluent-bit-setup.ps1
+++ b/scripts/third-party-logs/fluent-bit-setup.ps1
@@ -8,8 +8,8 @@
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 ###############################################################################
 
-$fluent_bit_version = '2.1'
-$fluent_bit_full_version = '2.1.10'
+$fluent_bit_version = '2.2'
+$fluent_bit_full_version = '2.2.0'
 
 ###############################################################################
 # select an item from a menu provided in an array

From 0a6565d18b7a68632a5490cc3f556ce523dfd52f Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 10 Nov 2023 12:07:26 -0700
Subject: [PATCH 30/82] various updates for v23.11.0 development:

* replace master/slave with client/server for modbus (idaholab/Malcolm#291)
* modbus updates for icsnpp-modbus (idaholab/Malcolm#289)
* point some Zeek plugins back upstream
* added new visualizations to modbus dashboard
---
 Dockerfiles/netbox.Dockerfile                 |   2 +-
 arkime/etc/config.ini                         |  13 +-
 arkime/wise/source.zeeklogs.js                |   7 +
 .../152f29dc-51a2-4f53-93e9-6e92765567b8.json | 148 ++++++++++++++----
 .../composable/component/zeek_ot.json         |   7 +
 logstash/pipelines/zeek/11_zeek_parse.conf    |  78 +++++++--
 logstash/pipelines/zeek/12_zeek_mutate.conf   |  23 ++-
 .../pipelines/zeek/13_zeek_normalize.conf     |  13 +-
 scripts/zeek_script_to_malcolm_boilerplate.py |   4 +
 shared/bin/zeek_install_plugins.sh            |   4 +-
 10 files changed, 246 insertions(+), 53 deletions(-)

diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 4d5dbc7fb..49df64e4f 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -1,4 +1,4 @@
-FROM netboxcommunity/netbox:v3.6.4
+FROM netboxcommunity/netbox:v3.6.5
 
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 1175de8b5..3caf5a270 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -675,6 +675,7 @@ zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;
 zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Unit/Server ID;help:Unit/Server ID
 zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
 zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:PDU Type;help:Request or Response
+zeek.modbus.mei_type=db:zeek.modbus.mei_type;group:modbus;kind:termfield;friendly:MEI Type;help:MEI Type
 
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
@@ -687,6 +688,15 @@ zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kin
 zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
 zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
 
+# modbus_read_device_identification.log
+# https://github.com/cisagov/icsnpp-modbus
+zeek.modbus_read_device_identification.conformity_level_code=db:zeek.modbus_read_device_identification.conformity_level_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level Code;help:Conformity Level Code
+zeek.modbus_read_device_identification.conformity_level=db:zeek.modbus_read_device_identification.conformity_level;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level;help:Conformity Level
+zeek.modbus_read_device_identification.device_id_code=db:zeek.modbus_read_device_identification.device_id_code;group:zeek_modbus_read_device_identification;kind:integer;friendly:Device ID Code;help:Device ID Code
+zeek.modbus_read_device_identification.object_id_code=db:zeek.modbus_read_device_identification.object_id_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID Code;help:Object ID Code
+zeek.modbus_read_device_identification.object_id=db:zeek.modbus_read_device_identification.object_id;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID;help:Object ID
+zeek.modbus_read_device_identification.object_value=db:zeek.modbus_read_device_identification.object_value;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object Value;help:Object Value
+
 # modbus_read_write_multiple_registers.log
 # https://github.com/cisagov/ICSNPP
 zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
@@ -2600,9 +2610,10 @@ o_zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;f
 o_zeek_ldap=require:zeek.ldap;title:Zeek ldap.log;fields:zeek.ldap.message_id,zeek.ldap.version,zeek.ldap.operation,zeek.ldap.result_code,zeek.ldap.result_message,zeek.ldap.object,zeek.ldap.argument
 o_zeek_ldap_search=require:zeek.ldap_search;title:Zeek ldap_search.log;fields:zeek.ldap_search.message_id,zeek.ldap_search.filter,zeek.ldap_search.attributes,zeek.ldap_search.scope,zeek.ldap_search.deref,zeek.ldap_search.base_object,zeek.ldap_search.result_count,zeek.ldap_search.result_code,zeek.ldap_search.result_message
 o_zeek_login=require:zeek.login;title:Zeek login.log;fields:zeek.login.client_user,zeek.login.confused,zeek.login.success
-o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception
+o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception,zeek.modbus.mei_type,
 o_zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus.unit_id,zeek.modbus.func,zeek.modbus.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values
 o_zeek_modbus_mask_write_register=require:zeek.modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_mask_write_register.and_mask,zeek.modbus_mask_write_register.or_mask
+o_zeek_modbus_read_device_identification=require:zeek.modbus_read_device_identification;title:Zeek modbus_read_device_identification.log;fields:zeek.modbus_read_device_identification.conformity_level_code,zeek.modbus_read_device_identification.conformity_level,zeek.modbus_read_device_identification.device_id_code,zeek.modbus_read_device_identification.object_id_code,zeek.modbus_read_device_identification.object_id,zeek.modbus_read_device_identification.object_value
 o_zeek_modbus_read_write_multiple_registers=require:zeek.modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_read_write_multiple_registers.write_start_address,zeek.modbus_read_write_multiple_registers.write_registers,zeek.modbus_read_write_multiple_registers.read_start_address,zeek.modbus_read_write_multiple_registers.read_quantity,zeek.modbus_read_write_multiple_registers.read_registers
 o_zeek_mqtt_connect=require:zeek.mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek.mqtt_connect.proto_name,zeek.mqtt_connect.proto_version,zeek.mqtt_connect.client_id,zeek.mqtt_connect.connect_status,zeek.mqtt_connect.will_topic,zeek.mqtt_connect.will_payload
 o_zeek_mqtt_publish=require:zeek.mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek.mqtt_publish.from_client,zeek.mqtt_publish.retain,zeek.mqtt_publish.qos,zeek.mqtt_publish.status,zeek.mqtt_publish.topic,zeek.mqtt_publish.payload,zeek.mqtt_publish.payload_len,zeek.mqtt_publish.payload_dict.messageType
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index ecdfd3412..ddd1b0e1c 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -1116,11 +1116,18 @@ class MalcolmSource extends WISESource {
       "zeek.modbus.network_direction",
       "zeek.modbus.trans_id",
       "zeek.modbus.unit_id",
+      "zeek.modbus.mei_type",
       "zeek.modbus_detailed.address",
       "zeek.modbus_detailed.quantity",
       "zeek.modbus_detailed.values",
       "zeek.modbus_mask_write_register.and_mask",
       "zeek.modbus_mask_write_register.or_mask",
+      "zeek.modbus_read_device_identification.conformity_level_code",
+      "zeek.modbus_read_device_identification.conformity_level",
+      "zeek.modbus_read_device_identification.device_id_code",
+      "zeek.modbus_read_device_identification.object_id_code",
+      "zeek.modbus_read_device_identification.object_id",
+      "zeek.modbus_read_device_identification.object_value",
       "zeek.modbus_read_write_multiple_registers.read_quantity",
       "zeek.modbus_read_write_multiple_registers.read_registers",
       "zeek.modbus_read_write_multiple_registers.read_start_address",
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index adcd93ba0..ce98e6a07 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -7,13 +7,13 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:38:35.641Z",
-      "version": "Wzk0OSwxXQ==",
+      "updated_at": "2023-11-10T19:05:19.809Z",
+      "version": "Wzk1NywxXQ==",
       "attributes": {
         "title": "Modbus",
         "hits": 0,
         "description": "Dashboard for the Modbus Protocol",
-        "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":84,\"w\":48,\"h\":18,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":8,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":40,\"y\":23,\"w\":8,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":23,\"w\":11,\"h\":18,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8,\"h\":11,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"table\":null,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":23,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\"},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":23,\"i\":\"218010cf-a0d9-4864-815b-f562bb67949d\"},\"panelIndex\":\"218010cf-a0d9-4864-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":23,\"w\":13,\"h\":18,\"i\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\"},\"panelIndex\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":41,\"w\":16,\"h\":26,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\"},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":41,\"w\":16,\"h\":43,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\"},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":41,\"w\":16,\"h\":43,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\"},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":16,\"h\":17,\"i\":\"a3049ec4-3c48-4a43-9899-99c018670773\"},\"panelIndex\":\"a3049ec4-3c48-4a43-9899-99c018670773\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":102,\"w\":48,\"h\":23,\"i\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\"},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":125,\"w\":48,\"h\":15,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\"},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":140,\"w\":48,\"h\":15,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\"},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]",
+        "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":85,\"w\":48,\"h\":18,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":8,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":40,\"y\":23,\"w\":8,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":23,\"w\":11,\"h\":18,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8,\"h\":11,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"table\":null,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":23,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\"},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":23,\"i\":\"218010cf-a0d9-4864-815b-f562bb67949d\"},\"panelIndex\":\"218010cf-a0d9-4864-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":23,\"w\":13,\"h\":18,\"i\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\"},\"panelIndex\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":41,\"w\":16,\"h\":26,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\"},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":41,\"w\":16,\"h\":26,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\"},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":41,\"w\":16,\"h\":26,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\"},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":16,\"h\":18,\"i\":\"a3049ec4-3c48-4a43-9899-99c018670773\"},\"panelIndex\":\"a3049ec4-3c48-4a43-9899-99c018670773\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":67,\"w\":32,\"h\":18,\"i\":\"7efb9ae4-4913-4ae3-a945-0d83e27377d3\"},\"panelIndex\":\"7efb9ae4-4913-4ae3-a945-0d83e27377d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":103,\"w\":48,\"h\":23,\"i\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\"},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":126,\"w\":48,\"h\":15,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\"},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":141,\"w\":48,\"h\":15,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\"},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":156,\"w\":48,\"h\":19,\"i\":\"3711221b-ce64-447a-886b-6ad2c50322f9\"},\"panelIndex\":\"3711221b-ce64-447a-886b-6ad2c50322f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"}]",
         "optionsJSON": "{\"useMargins\":true}",
         "version": 1,
         "timeRestore": false,
@@ -89,18 +89,28 @@
         },
         {
           "name": "panel_13",
+          "type": "visualization",
+          "id": "f6d09e10-7ffb-11ee-9964-dd538601517e"
+        },
+        {
+          "name": "panel_14",
           "type": "search",
           "id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681"
         },
         {
-          "name": "panel_14",
+          "name": "panel_15",
           "type": "search",
           "id": "10e72aa0-0816-11eb-987d-c591a71f172b"
         },
         {
-          "name": "panel_15",
+          "name": "panel_16",
           "type": "search",
           "id": "3ac0f900-0816-11eb-987d-c591a71f172b"
+        },
+        {
+          "name": "panel_17",
+          "type": "search",
+          "id": "624a1d80-7ffa-11ee-9964-dd538601517e"
         }
       ],
       "migrationVersion": {
@@ -113,7 +123,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:21:19.884Z",
+      "updated_at": "2023-11-10T18:35:25.331Z",
       "version": "Wzg1NywxXQ==",
       "attributes": {
         "title": "Network Logs",
@@ -136,7 +146,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzEzNCwxXQ==",
       "attributes": {
         "title": "Modbus - Logs",
@@ -181,7 +191,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzEzNSwxXQ==",
       "attributes": {
         "title": "Modbus - Source IP",
@@ -211,7 +221,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzEzNiwxXQ==",
       "attributes": {
         "title": "Modbus - Destination IP",
@@ -241,7 +251,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzEzNywxXQ==",
       "attributes": {
         "title": "Modbus - Observed Clients and Servers",
@@ -271,7 +281,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzEzOCwxXQ==",
       "attributes": {
         "title": "Modbus - Observed Client/Server Ratio",
@@ -301,7 +311,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzEzOSwxXQ==",
       "attributes": {
         "title": "Modbus - Log Count",
@@ -330,7 +340,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE0MCwxXQ==",
       "attributes": {
         "title": "Modbus - Logs Over Time",
@@ -359,7 +369,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE0MSwxXQ==",
       "attributes": {
         "title": "Modbus - Functions and Exceptions",
@@ -389,8 +399,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
-      "version": "WzE0NSwxXQ==",
+      "updated_at": "2023-11-10T18:34:22.366Z",
+      "version": "WzE0MiwxXQ==",
       "attributes": {
         "title": "Modbus Detailed - Request and Response",
         "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.modbus.network_direction: Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.modbus.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
@@ -419,11 +429,11 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:36:30.972Z",
-      "version": "Wzk0NywxXQ==",
+      "updated_at": "2023-11-10T18:56:50.612Z",
+      "version": "Wzk1NCwxXQ==",
       "attributes": {
         "title": "Modbus - Reads",
-        "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":30,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}",
+        "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}",
         "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
         "description": "Modbus read holding registers, input registers, discrete inputs, and coils overview from modbus_detailed.log",
         "version": 1,
@@ -449,11 +459,11 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:37:28.218Z",
-      "version": "Wzk0OCwxXQ==",
+      "updated_at": "2023-11-10T19:01:32.686Z",
+      "version": "Wzk1NSwxXQ==",
       "attributes": {
         "title": "Modbus - Writes",
-        "visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":30,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}",
+        "visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}",
         "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
         "description": "Modbus write register and write coil overview from modbus_detailed.log",
         "version": 1,
@@ -479,8 +489,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
-      "version": "WzE0MywxXQ==",
+      "updated_at": "2023-11-10T18:34:22.366Z",
+      "version": "WzE0NSwxXQ==",
       "attributes": {
         "title": "Modbus - Transport",
         "visState": "{\"title\":\"Modbus - Transport\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
@@ -503,13 +513,43 @@
         "visualization": "7.10.0"
       }
     },
+    {
+      "id": "f6d09e10-7ffb-11ee-9964-dd538601517e",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-10T19:04:24.945Z",
+      "version": "Wzk1NiwxXQ==",
+      "attributes": {
+        "title": "Modbus - Device Identification Objects",
+        "visState": "{\"title\":\"Modbus - Device Identification Objects\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.device_id_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device ID\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.object_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.object_value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Value\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+        "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+        },
+        "savedSearchRefName": "search_0"
+      },
+      "references": [
+        {
+          "name": "search_0",
+          "type": "search",
+          "id": "624a1d80-7ffa-11ee-9964-dd538601517e"
+        }
+      ],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
     {
       "id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681",
       "type": "search",
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE0NiwxXQ==",
       "attributes": {
         "title": "Modbus - Detailed",
@@ -553,7 +593,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE0NywxXQ==",
       "attributes": {
         "title": "Modbus - Mask Write",
@@ -597,7 +637,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE0OCwxXQ==",
       "attributes": {
         "title": "Modbus - Read Write Multiple",
@@ -636,13 +676,61 @@
         "search": "7.9.3"
       }
     },
+    {
+      "id": "624a1d80-7ffa-11ee-9964-dd538601517e",
+      "type": "search",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-10T18:55:03.788Z",
+      "version": "Wzk1MiwxXQ==",
+      "attributes": {
+        "title": "Modbus - Read Device Identification",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "source.ip",
+          "destination.ip",
+          "zeek.modbus.network_direction",
+          "event.action",
+          "event.result",
+          "zeek.modbus.unit_id",
+          "zeek.modbus.trans_id",
+          "zeek.modbus_read_device_identification.device_id_code",
+          "zeek.modbus_read_device_identification.conformity_level",
+          "zeek.modbus_read_device_identification.object_id",
+          "zeek.modbus_read_device_identification.object_value",
+          "event.id"
+        ],
+        "sort": [
+          [
+            "firstPacket",
+            "desc"
+          ]
+        ],
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:modbus_read_device_identification\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+        }
+      },
+      "references": [
+        {
+          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+          "type": "index-pattern",
+          "id": "arkime_sessions3-*"
+        }
+      ],
+      "migrationVersion": {
+        "search": "7.9.3"
+      }
+    },
     {
       "id": "da7d99a0-ef74-11e9-91bd-23d686ac8389",
       "type": "search",
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE0OSwxXQ==",
       "attributes": {
         "title": "Modbus - Known Clients and Servers Logs",
@@ -681,7 +769,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:20:16.971Z",
+      "updated_at": "2023-11-10T18:34:22.366Z",
       "version": "WzE1MCwxXQ==",
       "attributes": {
         "title": "Modbus - All Logs",
@@ -721,7 +809,7 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-07-19T23:21:16.791Z",
+      "updated_at": "2023-11-10T18:35:22.307Z",
       "version": "WzgzMiwxXQ==",
       "attributes": {
         "title": "Connections - Logs",
diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
index 6a1870503..2ed2174ef 100644
--- a/dashboards/templates/composable/component/zeek_ot.json
+++ b/dashboards/templates/composable/component/zeek_ot.json
@@ -201,12 +201,19 @@
         "zeek.modbus.network_direction": { "type": "keyword" },
         "zeek.modbus.trans_id": { "type": "integer" },
         "zeek.modbus.unit_id": { "type": "integer" },
+        "zeek.modbus.mei_type": { "type": "keyword" },
         "zeek.modbus_detailed.address": { "type": "integer" },
         "zeek.modbus_detailed.quantity": { "type": "integer" },
         "zeek.modbus_detailed.values": { "type": "keyword" },
         "zeek.modbus_mask_write_register.address": { "type": "integer" },
         "zeek.modbus_mask_write_register.and_mask": { "type": "integer" },
         "zeek.modbus_mask_write_register.or_mask": { "type": "integer" },
+        "zeek.modbus_read_device_identification.conformity_level_code": { "type": "keyword" },
+        "zeek.modbus_read_device_identification.conformity_level": { "type": "keyword" },
+        "zeek.modbus_read_device_identification.device_id_code": { "type": "long" },
+        "zeek.modbus_read_device_identification.object_id_code": { "type": "keyword" },
+        "zeek.modbus_read_device_identification.object_id": { "type": "keyword" },
+        "zeek.modbus_read_device_identification.object_value": { "type": "keyword" },
         "zeek.modbus_read_write_multiple_registers.read_quantity": { "type": "integer" },
         "zeek.modbus_read_write_multiple_registers.read_registers": { "type": "keyword" },
         "zeek.modbus_read_write_multiple_registers.read_start_address": { "type": "integer" },
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index 0c9716b53..791859b42 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1764,6 +1764,12 @@ filter {
     mutate { id => "mutate_gsub_zeek_known_modbus_device_type"
              gsub => [ "[zeek_cols][device_type]", "Known::", "" ] }
 
+    mutate { id => "mutate_gsub_zeek_known_modbus_master"
+             gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] }
+
+    mutate { id => "mutate_gsub_zeek_known_modbus_slave"
+             gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] }
+
     mutate { id => "mutate_add_tag_ics_known_modbus_log"
              add_tag => [ "ics" ] }
 
@@ -1932,15 +1938,16 @@ filter {
   } else if ([log_source] == "modbus_detailed") {
     #############################################################################################################################
     # modbus_detailed.log
-    # https://github.com/cisagov/ICSNPP
+    # main.zeek (https://github.com/cisagov/icsnpp-modbus)
 
     dissect {
       id => "dissect_zeek_modbus_detailed"
       # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
       mapping => {
-        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][address]}	%{[zeek_cols][quantity]}	%{[zeek_cols][values]}"
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][trans_id]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][address]}	%{[zeek_cols][quantity]}	%{[zeek_cols][values]}"
       }
     }
+
     if ("_dissectfailure" in [tags]) {
       mutate {
         id => "mutate_split_zeek_modbus_detailed"
@@ -1949,29 +1956,32 @@ filter {
       }
       ruby {
         id => "ruby_zip_zeek_modbus_detailed"
-        init => "$zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
+        init => "$zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
         code => "event.set('[zeek_cols]', $zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)"
       }
     }
 
     mutate {
       id => "mutate_add_fields_zeek_modbus_detailed"
-      add_field =>  { "[zeek_cols][service]" => "modbus" }
+      add_field => {
+        "[zeek_cols][service]" => "modbus"
+      }
       add_tag => [ "ics" ]
     }
 
   } else if ([log_source] == "modbus_mask_write_register") {
     #############################################################################################################################
     # modbus_mask_write_register.log
-    # https://github.com/cisagov/ICSNPP
+    # main.zeek (https://github.com/cisagov/icsnpp-modbus)
 
     dissect {
       id => "dissect_zeek_modbus_mask_write_register"
       # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
       mapping => {
-        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][address]}	%{[zeek_cols][and_mask]}	%{[zeek_cols][or_mask]}"
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][trans_id]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][address]}	%{[zeek_cols][and_mask]}	%{[zeek_cols][or_mask]}"
       }
     }
+
     if ("_dissectfailure" in [tags]) {
       mutate {
         id => "mutate_split_zeek_modbus_mask_write_register"
@@ -1980,28 +1990,66 @@ filter {
       }
       ruby {
         id => "ruby_zip_zeek_modbus_mask_write_register"
-        init => "$zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
-        code => "event.set('[zeek_cols]', $zeek_modbus_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
+        init => "$zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
+        code => "event.set('[zeek_cols]', $zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
       }
     }
 
     mutate {
-      id => "mutate_add_fields_modbus_mask_write_register"
-      add_field =>  { "[zeek_cols][service]" => "modbus" }
+      id => "mutate_add_fields_zeek_modbus_mask_write_register"
+      add_field => {
+        "[zeek_cols][service]" => "modbus"
+      }
+      add_tag => [ "ics" ]
+    }
+
+  } else if ([log_source] == "modbus_read_device_identification") {
+    #############################################################################################################################
+    # modbus_read_device_identification.log
+    # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
+    dissect {
+      id => "dissect_zeek_modbus_read_device_identification"
+      # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+      mapping => {
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][trans_id]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][mei_type]}	%{[zeek_cols][conformity_level_code]}	%{[zeek_cols][conformity_level]}	%{[zeek_cols][device_id_code]}	%{[zeek_cols][object_id_code]}	%{[zeek_cols][object_id]}	%{[zeek_cols][object_value]}"
+      }
+    }
+
+    if ("_dissectfailure" in [tags]) {
+      mutate {
+        id => "mutate_split_zeek_modbus_read_device_identification"
+        # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+        split => { "[message]" => "	" }
+      }
+      ruby {
+        id => "ruby_zip_zeek_modbus_read_device_identification"
+        init => "$zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]"
+        code => "event.set('[zeek_cols]', $zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)"
+      }
+    }
+
+    mutate {
+      id => "mutate_add_fields_zeek_modbus_read_device_identification"
+      add_field => {
+        "[zeek_cols][service]" => "modbus"
+      }
       add_tag => [ "ics" ]
     }
 
   } else if ([log_source] == "modbus_read_write_multiple_registers") {
     #############################################################################################################################
     # modbus_read_write_multiple_registers.log
-    # https://github.com/cisagov/ICSNPP
+    # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
     dissect {
       id => "dissect_zeek_modbus_read_write_multiple_registers"
       # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
       mapping => {
-        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][write_start_address]}	%{[zeek_cols][write_registers]}	%{[zeek_cols][read_start_address]}	%{[zeek_cols][read_quantity]}	%{[zeek_cols][read_registers]}"
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][drop_orig_h]}	%{[zeek_cols][drop_orig_p]}	%{[zeek_cols][drop_resp_h]}	%{[zeek_cols][drop_resp_p]}	%{[zeek_cols][is_orig]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][`]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][write_start_address]}	%{[zeek_cols][write_registers]}	%{[zeek_cols][read_start_address]}	%{[zeek_cols][read_quantity]}	%{[zeek_cols][read_registers]}"
       }
     }
+
     if ("_dissectfailure" in [tags]) {
       mutate {
         id => "mutate_split_zeek_modbus_read_write_multiple_registers"
@@ -2010,14 +2058,16 @@ filter {
       }
       ruby {
         id => "ruby_zip_zeek_modbus_read_write_multiple_registers"
-        init => "$zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
+        init => "$zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
         code => "event.set('[zeek_cols]', $zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)"
       }
     }
 
     mutate {
       id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers"
-      add_field =>  { "[zeek_cols][service]" => "modbus" }
+      add_field => {
+        "[zeek_cols][service]" => "modbus"
+      }
       add_tag => [ "ics" ]
     }
 
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 6d3b61636..83ed11143 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -1020,11 +1020,12 @@ filter {
                split => { "[zeek][modbus_detailed][values]" => "," } }
     }
 
-    # rename a to make correlating modbus easier between logs
+    # rename some fields to make correlating modbus easier between logs
     mutate {
       id => "mutate_rename_modbus_detailed_fields"
       rename => { "[zeek][modbus_detailed][func]" => "[zeek][modbus][func]" }
       rename => { "[zeek][modbus_detailed][unit_id]" => "[zeek][modbus][unit_id]" }
+      rename => { "[zeek][modbus_detailed][trans_id]" => "[zeek][modbus][trans_id]" }
       rename => { "[zeek][modbus_detailed][network_direction]" => "[zeek][modbus][network_direction]" }
     }
 
@@ -1032,13 +1033,28 @@ filter {
     #############################################################################################################################
     # modbus_mask_write_register.log specific logic
 
-    # rename a to make correlating modbus easier between logs
+    # rename some fields to make correlating modbus easier between logs
     mutate {
       id => "mutate_rename_modbus_mask_write_register_fields"
       rename => { "[zeek][modbus_mask_write_register][address]" => "[zeek][modbus_detailed][address]" }
       rename => { "[zeek][modbus_mask_write_register][func]" => "[zeek][modbus][func]" }
       rename => { "[zeek][modbus_mask_write_register][network_direction]" => "[zeek][modbus][network_direction]" }
       rename => { "[zeek][modbus_mask_write_register][unit_id]" => "[zeek][modbus][unit_id]" }
+      rename => { "[zeek][modbus_mask_write_register][trans_id]" => "[zeek][modbus][trans_id]" }
+    }
+
+  } else if ([log_source] == "modbus_read_device_identification") {
+    #############################################################################################################################
+    # modbus_read_device_identification.log specific logic
+
+    # rename some fields to make correlating modbus easier between logs
+    mutate {
+      id => "mutate_rename_modbus_read_device_identification_fields"
+      rename => { "[zeek][modbus_read_device_identification][network_direction]" => "[zeek][modbus][network_direction]" }
+      rename => { "[zeek][modbus_read_device_identification][unit_id]" => "[zeek][modbus][unit_id]" }
+      rename => { "[zeek][modbus_read_device_identification][trans_id]" => "[zeek][modbus][trans_id]" }
+      rename => { "[zeek][modbus_read_device_identification][func]" => "[zeek][modbus][func]" }
+      rename => { "[zeek][modbus_read_device_identification][mei_type]" => "[zeek][modbus][mei_type]" }
     }
 
   } else if ([log_source] == "modbus_read_write_multiple_registers") {
@@ -1055,11 +1071,12 @@ filter {
                split => { "[zeek][modbus_read_write_multiple_registers][write_registers]" => "," } }
     }
 
-    # rename a to make correlating modbus easier between logs
+    # rename some fields to make correlating modbus easier between logs
     mutate {
       id => "mutate_rename_modbus_read_write_multiple_registers_fields"
       rename => { "[zeek][modbus_read_write_multiple_registers][network_direction]" => "[zeek][modbus][network_direction]" }
       rename => { "[zeek][modbus_read_write_multiple_registers][unit_id]" => "[zeek][modbus][unit_id]" }
+      rename => { "[zeek][modbus_read_write_multiple_registers][trans_id]" => "[zeek][modbus][trans_id]" }
       rename => { "[zeek][modbus_read_write_multiple_registers][func]" => "[zeek][modbus][func]" }
     }
 
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
index 4e735f962..c4e74423b 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -323,8 +323,17 @@ filter {
              merge => { "[event][action]" => "[@metadata][zeek_ldap_search_action]" } }
   }
 
-  if ([zeek][modbus][func])                      { mutate { id => "mutate_merge_normalize_zeek_modbus_func"
-                                                            merge => { "[event][action]" => "[zeek][modbus][func]" } } }
+  if ([zeek][modbus][func]) {
+    mutate { id => "mutate_gsub_zeek_modbus_master"
+             gsub => [ "[zeek][modbus][func]", "MASTER", "CLIENT" ] }
+    mutate { id => "mutate_gsub_zeek_modbus_slave"
+             gsub => [ "[zeek][modbus][func]", "SLAVE", "SERVER" ] }
+    mutate { id => "mutate_merge_normalize_zeek_modbus_func"
+             merge => { "[event][action]" => "[zeek][modbus][func]" } }
+  }
+
+  if ([zeek][modbus][mei_type]) { mutate { id => "mutate_merge_normalize_zeek_modbus_mei_type"
+                                           merge => { "[event][action]" => "[zeek][modbus][mei_type]" } } }
 
   if ([zeek][mqtt_connect][connect_status]) {
     # this log entry implicitly means "connect"
diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py
index 42b9b366b..11c9857d3 100755
--- a/scripts/zeek_script_to_malcolm_boilerplate.py
+++ b/scripts/zeek_script_to_malcolm_boilerplate.py
@@ -50,6 +50,10 @@
     'resp_h',
     'resp_p',
     'resp_l2_addr',
+    'drop_orig_h',
+    'drop_orig_p',
+    'drop_resp_h',
+    'drop_resp_p',
     'proto',
     'service',
     'user',
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 0458dbc62..d1588bf8b 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -74,7 +74,7 @@ ZKG_GITHUB_URLS=(
   "https://github.com/cisagov/icsnpp-enip"
   "https://github.com/cisagov/icsnpp-ethercat"
   "https://github.com/cisagov/icsnpp-genisys"
-  "https://github.com/mmguero-dev/icsnpp-modbus"
+  "https://github.com/cisagov/icsnpp-modbus"
   "https://github.com/cisagov/icsnpp-opcua-binary"
   "https://github.com/cisagov/icsnpp-s7comm"
   "https://github.com/cisagov/icsnpp-synchrophasor"
@@ -98,7 +98,7 @@ ZKG_GITHUB_URLS=(
   "https://github.com/corelight/zeek-spicy-ospf"
   "https://github.com/corelight/zeek-spicy-stun"
   "https://github.com/corelight/zeek-spicy-wireguard"
-  "https://github.com/mmguero-dev/zeek-xor-exe-plugin"
+  "https://github.com/corelight/zeek-xor-exe-plugin|master"
   "https://github.com/corelight/zerologon"
   "https://github.com/cybera/zeek-sniffpass"
   "https://github.com/mmguero-dev/bzar"

From 61e3b6ef1f384419b16c065b160a0e1086146b36 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Fri, 10 Nov 2023 13:00:19 -0700
Subject: [PATCH 31/82] Fix logstash parser issues with ldap
 (idaholab/Malcolm#289)

---
 logstash/pipelines/zeek/11_zeek_parse.conf | 24 ++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index 791859b42..f6809839d 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1822,15 +1822,16 @@ filter {
   } else if ([log_source] == "ldap") {
     #############################################################################################################################
     # ldap.log
-    # https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
+    # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
 
     dissect {
       id => "dissect_zeek_ldap"
       # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
       mapping => {
-        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][proto]}	%{[zeek_cols][message_id]}	%{[zeek_cols][version]}	%{[zeek_cols][operation]}	%{[zeek_cols][result_code]}	%{[zeek_cols][result_message]}	%{[zeek_cols][object]}	%{[zeek_cols][argument]}"
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][message_id]}	%{[zeek_cols][version]}	%{[zeek_cols][operation]}	%{[zeek_cols][result_code]}	%{[zeek_cols][result_message]}	%{[zeek_cols][object]}	%{[zeek_cols][argument]}"
       }
     }
+
     if ("_dissectfailure" in [tags]) {
       mutate {
         id => "mutate_split_zeek_ldap"
@@ -1839,28 +1840,32 @@ filter {
       }
       ruby {
         id => "ruby_zip_zeek_ldap"
-        init => "$zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]"
+        init => "$zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]"
         code => "event.set('[zeek_cols]', $zeek_ldap_field_names.zip(event.get('[message]')).to_h)"
       }
     }
 
     mutate {
       id => "mutate_add_fields_zeek_ldap"
-      add_field =>  { "[zeek_cols][service]" => "ldap" }
+      add_field => {
+        "[zeek_cols][service]" => "ldap"
+      }
+
     }
 
   } else if ([log_source] == "ldap_search") {
     #############################################################################################################################
     # ldap_search.log
-    # https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
+    # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
 
     dissect {
       id => "dissect_zeek_ldap_search"
       # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
       mapping => {
-        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][proto]}	%{[zeek_cols][message_id]}	%{[zeek_cols][scope]}	%{[zeek_cols][deref]}	%{[zeek_cols][base_object]}	%{[zeek_cols][result_count]}	%{[zeek_cols][result_code]}	%{[zeek_cols][result_message]}	%{[zeek_cols][filter]}	%{[zeek_cols][attributes]}"
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][message_id]}	%{[zeek_cols][scope]}	%{[zeek_cols][deref]}	%{[zeek_cols][base_object]}	%{[zeek_cols][result_count]}	%{[zeek_cols][result_code]}	%{[zeek_cols][result_message]}	%{[zeek_cols][filter]}	%{[zeek_cols][attributes]}"
       }
     }
+
     if ("_dissectfailure" in [tags]) {
       mutate {
         id => "mutate_split_zeek_ldap_search"
@@ -1869,14 +1874,17 @@ filter {
       }
       ruby {
         id => "ruby_zip_zeek_ldap_search"
-        init => "$zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]"
+        init => "$zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]"
         code => "event.set('[zeek_cols]', $zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)"
       }
     }
 
     mutate {
       id => "mutate_add_fields_zeek_ldap_search"
-      add_field =>  { "[zeek_cols][service]" => "ldap" }
+      add_field => {
+        "[zeek_cols][service]" => "ldap"
+      }
+
     }
 
   } else if ([log_source] == "login") {

From 3934eaee346dd28a5828d249b1de00975bf24ad1 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 07:14:47 -0700
Subject: [PATCH 32/82] elasticsearch python libraries to 8.11.0

---
 api/requirements.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/requirements.txt b/api/requirements.txt
index a2e4a9eb2..05578b547 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -5,5 +5,5 @@ opensearch-py==2.3.2
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1
-elasticsearch==8.10.1
-elasticsearch-dsl==8.9.0
\ No newline at end of file
+elasticsearch==8.11.0
+elasticsearch-dsl==8.11.0
\ No newline at end of file

From baebc49e7b671aa826177fb0956ecbfea51bae79 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 07:45:51 -0700
Subject: [PATCH 33/82] idaholab/Malcolm#275, integrate suricata version of
 nsacyber ELITEWOLF rules

---
 Dockerfiles/suricata.Dockerfile               |  3 ++
 suricata/default-rules/IT/.gitignore          |  2 +
 suricata/default-rules/OT/.gitignore          |  2 +
 .../AllenBradley_RockwellAutomation.rules     | 14 +++++++
 .../SchweitzerEngineeringLaboratories.rules   | 38 +++++++++++++++++++
 .../OT/nsacyber/ELITEWOLF/Siemens.rules       |  5 +++
 6 files changed, 64 insertions(+)
 create mode 100644 suricata/default-rules/IT/.gitignore
 create mode 100644 suricata/default-rules/OT/.gitignore
 create mode 100644 suricata/default-rules/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules
 create mode 100644 suricata/default-rules/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules
 create mode 100644 suricata/default-rules/OT/nsacyber/ELITEWOLF/Siemens.rules

diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index 34c846a1e..66fa29c34 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -51,6 +51,8 @@ ENV SURICATA_UPDATE_DIR "$SURICATA_MANAGED_DIR/update"
 ENV SURICATA_UPDATE_SOURCES_DIR "$SURICATA_UPDATE_DIR/sources"
 ENV SURICATA_UPDATE_CACHE_DIR "$SURICATA_UPDATE_DIR/cache"
 
+COPY --chmod=644 suricata/default-rules/ /tmp/default-rules/
+
 RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \
     apt-get -q update && \
     apt-get -y -q --no-install-recommends upgrade && \
@@ -118,6 +120,7 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour
         chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" && \
     cp "$(dpkg -L suricata-update | grep 'update\.yaml$' | head -n 1)" \
         "$SURICATA_UPDATE_CONFIG_FILE" && \
+    find /tmp/default-rules/ -not -path '*/.gitignore' -type f -exec cp "{}" "$SURICATA_CONFIG_DIR"/rules/ \; && \
     suricata-update update-sources --verbose --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \
     suricata-update update --fail --verbose --etopen --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \
     chown root:${PGROUP} /sbin/ethtool /usr/bin/suricata && \
diff --git a/suricata/default-rules/IT/.gitignore b/suricata/default-rules/IT/.gitignore
new file mode 100644
index 000000000..4397c3a32
--- /dev/null
+++ b/suricata/default-rules/IT/.gitignore
@@ -0,0 +1,2 @@
+!.gitignore
+
diff --git a/suricata/default-rules/OT/.gitignore b/suricata/default-rules/OT/.gitignore
new file mode 100644
index 000000000..4397c3a32
--- /dev/null
+++ b/suricata/default-rules/OT/.gitignore
@@ -0,0 +1,2 @@
+!.gitignore
+
diff --git a/suricata/default-rules/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules b/suricata/default-rules/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules
new file mode 100644
index 000000000..c2159496e
--- /dev/null
+++ b/suricata/default-rules/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules
@@ -0,0 +1,14 @@
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-TCP REQUEST"; content:"/rokform/advancedDiags?pageReq=tcp"; sid:1000039; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-SYSTEM DATA DETAIL"; content:"/rokform/SysDataDetail?name="; sid:1000040; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-UDP TABLE"; content:"/rokform/advancedDiags?pageReq=udptable"; sid:1000041; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-TCP CONNECT"; content:"rokform/advancedDiags?pageReq=tcpconn"; sid:1000042; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-IP ROUTE"; content:"/rokform/advancedDiags?pageReq=iproute"; sid:1000043; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-GENERAL MEMORY"; content:"/rokform/advancedDiags?pageReq=genmem"; sid:1000044; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-HEAP REQUEST"; content:"/rokform/advancedDiags?pageReq=heap"; sid:1000045; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-ICMP REQUEST"; content:"/rokform/advancedDiags?pageReq=icmp"; sid:1000046; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-ARP REQUEST"; content:"/rokform/advancedDiags?pageReq=arp"; sid:1000047; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-UDP REQUEST"; content:"/rokform/advancedDiags?pageReq=udp"; sid:1000048; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-IF REQUEST"; content:"/rokform/advancedDiags?pageReq=if"; sid:1000049; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-IP REQUEST"; content:"/rokform/advancedDiags?pageReq=ip"; sid:1000050; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-CSS Path"; content:"/css/radevice.css"; sid:1000051; rev:1;)
+alert http any any -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-SYSTEM LIST DATA"; content:"/rokform/SysListDetail?name=";sid:1000052;rev:1;)
diff --git a/suricata/default-rules/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules b/suricata/default-rules/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules
new file mode 100644
index 000000000..fe0f4a32d
--- /dev/null
+++ b/suricata/default-rules/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules
@@ -0,0 +1,38 @@
+alert tcp any 443 -> any any (msg: "ELITEWOLF SEL-3530-RTAC URL path activity - homepage"; content:"/home.sel"; sid:1000001; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF SEL-3530-RTAC URL path activity - LoginError"; content:"/errors/err401.sel?username="; sid:1000002; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF SEL-3530-RTAC URL path activity - default.sel page"; content:"/default.sel"; sid:1000003; rev:1;)
+alert tcp any 1024 -> any any (msg: "ELITEWOLF SEL-3530-RTAC Possible SSH Login Activity"; content:"SSH-2.0-dropbear_2016.74"; sid:1000004; rev:1;)
+alert tcp any 5432 -> any any (msg: "ELITEWOLF SEL-3530-RTAC Possible AcSELerator Firmware Activity"; content:"SEL-3530 RTAC"; sid:1000005; rev:1;)
+
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-3620 X509 certificate activity"; content: "http://www.sel-secure.com"; sid:1000006; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-3620 X509 certificate activity"; content: "commonname=http://www.sel-secure.com"; sid:1000007; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-3620 X509 certificate activity"; content: "issuer_CN: http://www.sel-secure.com"; sid:1000008; rev:1;)
+
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 URL path activity"; content: "/scripts/dScripts.sel"; sid:1000009; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 URL path activity"; content: "/css/sel.css?vid="; sid:1000010; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 X509 certificate activity"; content: "commonName=http://www.selinc.com/EthernetCommunications/"; sid:1000011; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 X509 certificate activity"; content: "issuer_CN: http://www.selinc.com/EthernetCommunications/"; sid:1000012; rev:1;)
+
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Telnet Activity"; pcre:"/SEL-[0-9]{3,4}/"; sid:1000013; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Access Level 1 Change"; content: "Level 1"; sid:1000014; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Access Level 2 Change"; content: "Level 2"; sid:1000015; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL 2032 Processor"; content:"COMMUNICATIONS PROCESSOR-S/N"; sid:1000016; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Callibration Access Level Login Success"; content:"Calibration Access Established"; sid:1000017; rev:1;)
+
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Access Change"; content: "USER 2AC"; sid:1000018; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Change working directory 2701"; content: "CWD SEL-2701"; sid:1000019; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Change working directory 2701"; content: "CWD /SEL-2701"; sid:1000020; rev:1;)
+alert tcp any 21 -> any any (msg: "ELITEWOLF SEL FTP Activity - Current directory"; content: "/SEL-2701"; sid:1000021; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - RETR DNPMAP.TXT file"; content: "RETR DNPMAP.TXT"; sid:1000022; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - STOR SET_DNP1.TXT file"; content: "STOR SET_DNP1.TXT"; sid:1000023; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - potential file change"; content:"STOR SET_"; pcre:"/STOR SET_[0-9A-Z]{1,4}.TXT/"; sid:1000024; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Access Change ACC"; content: "USER ACC"; sid:1000025; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Password Login otter"; content: "PASS otter"; sid:1000026; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - STOR DNPMAP.TXT file"; content: "STOR DNPMAP.TXT"; sid:1000027; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - RETR ERR.TXT file"; content: "RETR ERR.TXT"; sid:1000028; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - RETR SET_DNP1.TXT file 2701"; content: "RETR SET_DNP1.TXT"; sid:1000029; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - File Retrieval"; content:"RETR SET_"; pcre:"/RETR SET_[0-9A-Z]{1,4}/"; sid:1000030; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Default Username"; content:"USER FTPUSER"; sid:1000031; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Default Password"; content:"PASS TAIL"; sid:1000032; rev:1;)
+alert tcp any 21 -> any any (msg: "ELITEWOLF SEL-751A FTP SERVER"; content:"SEL-751A"; sid:1000033; rev:1;)
+
diff --git a/suricata/default-rules/OT/nsacyber/ELITEWOLF/Siemens.rules b/suricata/default-rules/OT/nsacyber/ELITEWOLF/Siemens.rules
new file mode 100644
index 000000000..74bd84914
--- /dev/null
+++ b/suricata/default-rules/OT/nsacyber/ELITEWOLF/Siemens.rules
@@ -0,0 +1,5 @@
+alert tcp any 80 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens Web Activity"; content:"/CSS/S7Web.css"; sid:1000034; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens Web Activity"; content:"/Images/CPU1200/"; sid:1; rev:1000035;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity"; content:"S7-1200 Controller Family"; sid:1000036; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity"; content:"commonName=S7-1200 Controller Family"; sid:1000037; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity"; content:"issuer_CN: S7-1200 Controller Family"; sid:1000038; rev:1;)

From b0826ddf2c3160704a6a05bd4b21c347181dc287 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 07:47:04 -0700
Subject: [PATCH 34/82] added
 https://github.com/reversinglabs/reversinglabs-yara-rules yara rule set

---
 docs/components.md             | 1 +
 docs/malcolm-config.md         | 2 +-
 shared/bin/yara_rules_setup.sh | 5 +++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/components.md b/docs/components.md
index df2895402..5a2b52538 100644
--- a/docs/components.md
+++ b/docs/components.md
@@ -25,6 +25,7 @@ Malcolm leverages the following excellent open source tools, among others.
 * [Mark Baggett](https://github.com/MarkBaggett)'s [freq](https://github.com/MarkBaggett/freq) - a tool for calculating entropy of strings
 * [Florian Roth](https://github.com/Neo23x0)'s [Signature-Base](https://github.com/Neo23x0/signature-base) Yara ruleset
 * [Bart Blaze](https://github.com/bartblaze)'s [Yara ruleset](https://github.com/bartblaze/Yara-rules)
+* [ReversingLabs'](https://github.com/reversinglabs) [Yara ruleset](https://github.com/reversinglabs/reversinglabs-yara-rules)
 * These Zeek plugins:
     * some of Amazon.com, Inc.'s [ICS protocol](https://github.com/amzn?q=zeek) analyzers
     * Andrew Klaus's [Sniffpass](https://github.com/cybera/zeek-sniffpass) plugin for detecting cleartext passwords in HTTP POST requests
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index 1883172c2..e143fd7b6 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -86,7 +86,7 @@ Although the configuration script automates many of the following configuration
     - `EXTRACTED_FILE_IGNORE_EXISTING` – if set to `true`, files extant in `./zeek-logs/extract_files/`  directory will be ignored on startup rather than scanned
     - `EXTRACTED_FILE_PRESERVATION` – determines behavior for preservation of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction)
     - `EXTRACTED_FILE_UPDATE_RULES` – if set to `true`, file scanner engines (e.g., ClamAV, Capa, Yara) will periodically update their rule definitions (default `false`)
-    - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base) and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`
+    - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`
     - `VTOT_API2_KEY` – used to specify a [VirusTotal Public API v.20](https://www.virustotal.com/en/documentation/public-api/) key, which, if specified, will be used to submit hashes of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) to VirusTotal
     - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`)
     - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`)
diff --git a/shared/bin/yara_rules_setup.sh b/shared/bin/yara_rules_setup.sh
index 26a936240..a6d0ecadd 100755
--- a/shared/bin/yara_rules_setup.sh
+++ b/shared/bin/yara_rules_setup.sh
@@ -96,13 +96,14 @@ mkdir -p "$YARA_RULES_SRC_DIR" "$YARA_RULES_DIR"
 # clone yara rules and create symlinks in destination directory
 pushd "$YARA_RULES_SRC_DIR" >/dev/null 2>&1
 YARA_RULE_GITHUB_URLS=(
-  "https://github.com/Neo23x0/signature-base|master"
   "https://github.com/bartblaze/Yara-rules|master"
+  "https://github.com/Neo23x0/signature-base|master"
+  "https://github.com/reversinglabs/reversinglabs-yara-rules|develop"
 )
 for i in ${YARA_RULE_GITHUB_URLS[@]}; do
   SRC_DIR="$(clone_github_repo "$i")"
   if [[ -d "$SRC_DIR" ]]; then
-    find "$SRC_DIR" -type f -iname "*.yar" -print0 | xargs -0 -r -I XXX ln $VERBOSE_FLAG -s -f "$("$REALPATH" "XXX")" "$YARA_RULES_DIR"/
+    find "$SRC_DIR" -type f \( -iname '*.yara' -o -iname '*.yar' \) -print0 | xargs -0 -r -I XXX ln $VERBOSE_FLAG -s -f "$("$REALPATH" "XXX")" "$YARA_RULES_DIR"/
   fi
 done
 popd >/dev/null 2>&1

From 99afed6373e576d5cdf1b284bb29a5392dd7e5cb Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 10:29:27 -0700
Subject: [PATCH 35/82] update logstash and beats to 8.11.1

---
 Dockerfiles/filebeat.Dockerfile | 2 +-
 Dockerfiles/logstash.Dockerfile | 2 +-
 sensor-iso/build.sh             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index 8d4e2e163..f6f069eb2 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/beats/filebeat-oss:8.11.0
+FROM docker.elastic.co/beats/filebeat-oss:8.11.1
 
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index fa930f676..ef0777b55 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/logstash/logstash-oss:8.11.0
+FROM docker.elastic.co/logstash/logstash-oss:8.11.1
 
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh
index a2575756e..0bc69ef89 100755
--- a/sensor-iso/build.sh
+++ b/sensor-iso/build.sh
@@ -5,7 +5,7 @@ IMAGE_PUBLISHER=idaholab
 IMAGE_VERSION=1.0.0
 IMAGE_DISTRIBUTION=bookworm
 
-BEATS_VER="8.11.0"
+BEATS_VER="8.11.1"
 BEATS_OSS="-oss"
 
 BUILD_ERROR_CODE=1

From 9b1253a36a3ba2cf8bf62e859fba304f6beee745 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 10:52:53 -0700
Subject: [PATCH 36/82] Work in progress for idaholab/Malcolm#287

---
 scripts/control.py | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/scripts/control.py b/scripts/control.py
index dce0e2aab..fddecdb96 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -585,7 +585,18 @@ def netboxRestore(backupFileName=None):
                 f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}',
             ]
 
-            # if the netbox_init.py process is happening, interrupt it
+            # stop the netbox processes
+            dockerCmd = dockerCmdBase + [
+                'netbox',
+                'supervisorctl',
+                'stop',
+                'netbox:*',
+            ]
+            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
+            if (err != 0) and args.debug:
+                eprint(f'Error stopping netbox:*: {results}')
+
+            # if the netbox_init.py process is still happening, interrupt it
             dockerCmd = dockerCmdBase + [
                 'netbox',
                 'bash',
@@ -628,6 +639,19 @@ def netboxRestore(backupFileName=None):
             if (err != 0) or (len(results) == 0):
                 raise Exception('Error loading NetBox database')
 
+            # start back up the netbox processes
+            dockerCmd = dockerCmdBase + [
+                'netbox',
+                'supervisorctl',
+                'start',
+                'netbox:housekeeping',
+                'netbox:main',
+                'netbox:worker',
+            ]
+            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
+            if (err != 0) and args.debug:
+                eprint(f'Error starting netbox:*: {results}')
+
             # migrations if needed
             dockerCmd = dockerCmdBase + ['netbox', '/opt/netbox/netbox/manage.py', 'migrate']
             err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)

From de41962e69425fab78c16b740bd636700add8c48 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 11:56:32 -0700
Subject: [PATCH 37/82] better startup for netbox restore

---
 scripts/control.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/scripts/control.py b/scripts/control.py
index fddecdb96..b2e578647 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -639,14 +639,12 @@ def netboxRestore(backupFileName=None):
             if (err != 0) or (len(results) == 0):
                 raise Exception('Error loading NetBox database')
 
-            # start back up the netbox processes
+            # start back up the netbox processes (except initialization)
             dockerCmd = dockerCmdBase + [
                 'netbox',
-                'supervisorctl',
-                'start',
-                'netbox:housekeeping',
-                'netbox:main',
-                'netbox:worker',
+                'bash',
+                '-c',
+                "supervisorctl status netbox:* | grep -v :initialization | awk '{ print $1 }' | xargs -r -L 1 -P 4 supervisorctl start",
             ]
             err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
             if (err != 0) and args.debug:

From 48bca91820d675dd90f1275ce90a045b8c6044a4 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 13 Nov 2023 16:34:19 -0700
Subject: [PATCH 38/82] fix idaholab/Malcolm#287; fix issue with
 SUPERUSER_API_TOKEN not being set correctly after netbox-restore

---
 netbox/scripts/netbox_superuser_create.py | 15 ++++
 scripts/control.py                        | 98 ++++++++++++++++++++++-
 2 files changed, 111 insertions(+), 2 deletions(-)
 create mode 100644 netbox/scripts/netbox_superuser_create.py

diff --git a/netbox/scripts/netbox_superuser_create.py b/netbox/scripts/netbox_superuser_create.py
new file mode 100644
index 000000000..6fe8be2e3
--- /dev/null
+++ b/netbox/scripts/netbox_superuser_create.py
@@ -0,0 +1,15 @@
+from django.contrib.auth.models import User
+from users.models import Token
+from os import getenv
+
+# adapted from
+# - https://github.com/netbox-community/netbox-docker/blob/b47e85ab3f2261021adf99ae9de2e9692fd674c3/docker/docker-entrypoint.sh#L74-L80
+
+superUserName = getenv('SUPERUSER_NAME', '')
+superUserEmail = getenv('SUPERUSER_EMAIL', '')
+superUserPassword = getenv('SUPERUSER_PASSWORD', '')
+superUserToken = getenv('SUPERUSER_API_TOKEN', '')
+
+if not User.objects.filter(username=superUserName):
+    u = User.objects.create_superuser(superUserName, superUserEmail, superUserPassword)
+    Token.objects.create(user=u, key=superUserToken)
diff --git a/scripts/control.py b/scripts/control.py
index b2e578647..25852c563 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -639,6 +639,19 @@ def netboxRestore(backupFileName=None):
             if (err != 0) or (len(results) == 0):
                 raise Exception('Error loading NetBox database')
 
+            # don't restore auth_user, tokens, etc: they're created by Malcolm and may not be the same on this instance
+            dockerCmd = dockerCmdBase + [
+                'netbox-postgres',
+                'psql',
+                '-U',
+                'netbox',
+                '-c',
+                'TRUNCATE auth_user CASCADE',
+            ]
+            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
+            if (err != 0) and args.debug:
+                eprint(f'Error truncating table auth_user table: {results}')
+
             # start back up the netbox processes (except initialization)
             dockerCmd = dockerCmdBase + [
                 'netbox',
@@ -656,6 +669,17 @@ def netboxRestore(backupFileName=None):
             if (err != 0) or (len(results) == 0):
                 raise Exception('Error performing NetBox migration')
 
+            # create auth_user for superuser
+            dockerCmd = dockerCmdBase + [
+                'netbox',
+                'bash',
+                '-c',
+                "/opt/netbox/netbox/manage.py shell --interface python < /usr/local/bin/netbox_superuser_create.py",
+            ]
+            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
+            if (err != 0) or (len(results) == 0):
+                raise Exception('Error setting up superuser')
+
             # restore media directory
             backupFileParts = os.path.splitext(backupFileName)
             backupMediaFileName = backupFileParts[0] + ".media.tar.gz"
@@ -666,7 +690,21 @@ def netboxRestore(backupFileName=None):
                     t.extractall(mediaPath)
 
         elif orchMode is OrchestrationFramework.KUBERNETES:
-            # if the netbox_init.py process is happening, interrupt it
+            # stop the netbox processes
+            if podsResults := PodExec(
+                service='netbox',
+                namespace=args.namespace,
+                command=['supervisorctl', 'stop', 'netbox:*'],
+            ):
+                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+            else:
+                err = 1
+                results = []
+            if (err != 0) and args.debug:
+                eprint(f'Error ({err}) stopping NetBox: {results}')
+
+            # if the netbox_init.py process is still happening, interrupt it
             if podsResults := PodExec(
                 service='netbox',
                 namespace=args.namespace,
@@ -713,7 +751,6 @@ def netboxRestore(backupFileName=None):
                 service='netbox-postgres',
                 namespace=args.namespace,
                 command=[
-                    'netbox-postgres',
                     'psql',
                     '-U',
                     'netbox',
@@ -745,6 +782,45 @@ def netboxRestore(backupFileName=None):
             if (err != 0) or (len(results) == 0):
                 raise Exception(f'Error loading NetBox database: {results}')
 
+            # don't restore auth_user, tokens, etc: they're created by Malcolm and may not be the same on this instance
+            # make sure permissions are set up right
+            if podsResults := PodExec(
+                service='netbox-postgres',
+                namespace=args.namespace,
+                command=[
+                    'psql',
+                    '-U',
+                    'netbox',
+                    '-c',
+                    'TRUNCATE auth_user CASCADE',
+                ],
+            ):
+                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+            else:
+                err = 1
+                results = []
+            if err != 0:
+                raise Exception(f'Error truncating table auth_user table: {results}')
+
+            # start the netbox processes
+            if podsResults := PodExec(
+                service='netbox',
+                namespace=args.namespace,
+                command=[
+                    'bash',
+                    '-c',
+                    "supervisorctl status netbox:* | grep -v :initialization | awk '{ print $1 }' | xargs -r -L 1 -P 4 supervisorctl start",
+                ],
+            ):
+                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+            else:
+                err = 1
+                results = []
+            if (err != 0) and args.debug:
+                eprint(f'Error ({err}) starting NetBox: {results}')
+
             # migrations if needed
             if podsResults := PodExec(
                 service='netbox',
@@ -759,6 +835,24 @@ def netboxRestore(backupFileName=None):
             if (err != 0) or (len(results) == 0):
                 raise Exception(f'Error performing NetBox migration: {results}')
 
+            # migrations if needed
+            if podsResults := PodExec(
+                service='netbox',
+                namespace=args.namespace,
+                command=[
+                    'bash',
+                    '-c',
+                    "/opt/netbox/netbox/manage.py shell --interface python < /usr/local/bin/netbox_superuser_create.py",
+                ],
+            ):
+                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+            else:
+                err = 1
+                results = []
+            if (err != 0) or (len(results) == 0):
+                raise Exception(f'Error setting up superuser: {results}')
+
             # TODO: can't restore netbox/media directory via kubernetes at the moment
 
         else:

From fd6d05012bc176e4c0d71d6ffdf46e65094f5757 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 08:47:35 -0700
Subject: [PATCH 39/82] idaholab/Malcolm#286, strip out broken Arkime and
 NetBox links from dashboards for Kibana import

---
 dashboards/scripts/create-arkime-sessions-index.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dashboards/scripts/create-arkime-sessions-index.sh b/dashboards/scripts/create-arkime-sessions-index.sh
index 0355d25b6..fc5905513 100755
--- a/dashboards/scripts/create-arkime-sessions-index.sh
+++ b/dashboards/scripts/create-arkime-sessions-index.sh
@@ -194,9 +194,14 @@ if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]] ; then
           echo "Importing $DATASTORE_TYPE Dashboards saved objects..."
 
           # install default dashboards
-          for i in /opt/dashboards/*.json; do
+          DASHBOARDS_IMPORT_DIR="$(mktemp -d -t dashboards-XXXXXX)"
+          cp /opt/dashboards/*.json "${DASHBOARDS_IMPORT_DIR}"/
+          for i in "${DASHBOARDS_IMPORT_DIR}"/*.json; do
+            # strip out Arkime and NetBox links from dashboards' navigation pane when doing Kibana import (idaholab/Malcolm#286)
+            [[ "$DATASTORE_TYPE" == "elasticsearch" ]] && sed -i 's/  \\\\n\[↪ NetBox\](\/netbox\/)  \\\\n\[↪ Arkime\](\/sessions)//' "$i"
             curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/$DASHBOARDS_URI_PATH/dashboards/import?force=true" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "@$i"
           done
+          rm -rf "${DASHBOARDS_IMPORT_DIR}"
 
           # beats will no longer import its dashbaords into OpenSearch
           # (see opensearch-project/OpenSearch-Dashboards#656 and

From b7133e3f6047b20c28c7b97a7b852e36900be843 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 10:41:48 -0700
Subject: [PATCH 40/82] idaholab/Malcolm#285, allow customizing Arkime's
 freeSpaceG setting (for PCAP deletion) in an environment variable

---
 arkime/scripts/docker_entrypoint.sh           |  2 ++
 config/arkime.env.example                     |  1 +
 docs/kubernetes.md                            |  2 ++
 docs/malcolm-hedgehog-e2e-iso-install.md      |  2 ++
 scripts/install.py                            | 26 +++++++++++++++++++
 .../interface/sensor_ctl/control_vars.conf    |  3 ++-
 .../supervisor.init/arkime_config_populate.sh |  5 ++++
 7 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/arkime/scripts/docker_entrypoint.sh b/arkime/scripts/docker_entrypoint.sh
index 16a1ca30a..a7b2fe542 100755
--- a/arkime/scripts/docker_entrypoint.sh
+++ b/arkime/scripts/docker_entrypoint.sh
@@ -10,6 +10,7 @@ function urlencodeall() {
 
 ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"}
 ARKIME_PASSWORD_SECRET=${ARKIME_PASSWORD_SECRET:-"Malcolm"}
+ARKIME_FREESPACEG=${ARKIME_FREESPACEG:-"10%"}
 
 MALCOLM_PROFILE=${MALCOLM_PROFILE:-"malcolm"}
 OPENSEARCH_URL_FINAL=${OPENSEARCH_URL:-"http://opensearch:9200"}
@@ -48,6 +49,7 @@ if [[ -r "${ARKIME_DIR}"/etc/config.orig.ini ]]; then
     cp "${ARKIME_DIR}"/etc/config.orig.ini "${ARKIME_DIR}"/etc/config.ini
     sed -i "s|^\(elasticsearch=\).*|\1"${OPENSEARCH_URL_FINAL}"|" "${ARKIME_DIR}"/etc/config.ini
     sed -i "s/^\(passwordSecret=\).*/\1"${ARKIME_PASSWORD_SECRET}"/" "${ARKIME_DIR}"/etc/config.ini
+    sed -i "s/^\(freeSpaceG=\).*/\1"${ARKIME_FREESPACEG}"/" "${ARKIME_DIR}"/etc/config.ini
     if [[ "$MALCOLM_PROFILE" == "hedgehog" ]]; then
         sed -i "s/^\(userNameHeader=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
         sed -i "s/^\(userAuthIps=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
diff --git a/config/arkime.env.example b/config/arkime.env.example
index 183e970e3..8248a636d 100644
--- a/config/arkime.env.example
+++ b/config/arkime.env.example
@@ -1,6 +1,7 @@
 # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see
 #   https://arkime.com/faq#pcap-deletion)
 MANAGE_PCAP_FILES=false
+ARKIME_FREESPACEG=10%
 # The number of Arkime capture processes allowed to run concurrently
 ARKIME_ANALYZE_PCAP_THREADS=1
 
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 28b631d65..02c62b0d3 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -379,6 +379,8 @@ Determine oldest indices by name (instead of creation time)? (Y / n): y
 
 Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y / N): y
 
+Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.): 10%
+
 Automatically analyze all PCAP files with Suricata? (Y / n): y
 
 Download updated Suricata signatures periodically? (y / N): y
diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md
index 280698e90..a537f9f65 100644
--- a/docs/malcolm-hedgehog-e2e-iso-install.md
+++ b/docs/malcolm-hedgehog-e2e-iso-install.md
@@ -179,6 +179,8 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest
         - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices.
     - **Should Arkime delete PCAP files based on available storage?**
         - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion).
+    - **Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.)**
+        - If [Arkime PCAP-deletion](https://arkime.com/faq#pcap-deletion) is enabled, Arkime will delete PCAP files when **free space** is lower than this value, specified as integer gigabytes (e.g., `500`) or a percentage (e.g., `10%`)
 * **Automatically analyze all PCAP files with Suricata?**
     - This option is used to enable [Suricata](https://suricata.io/) (an IDS and threat detection engine) to analyze PCAP files uploaded to Malcolm via its upload web interface.
 * **Download updated Suricata signatures periodically?**
diff --git a/scripts/install.py b/scripts/install.py
index 6a6479923..8408144ed 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -993,6 +993,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
         indexPruneSizeLimit = '0'
         indexPruneNameSort = False
         arkimeManagePCAP = False
+        arkimeFreeSpaceG = '10%'
 
         if InstallerYesOrNo(
             'Should Malcolm delete the oldest database indices and/or PCAP files based on available storage?'
@@ -1032,6 +1033,16 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
                     default=args.arkimeManagePCAP,
                 )
             )
+            if arkimeManagePCAP:
+                arkimeFreeSpaceGTmp = ''
+                loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP deletion threshold')
+                while (not re.match(r'^\d+%?$', arkimeFreeSpaceGTmp, flags=re.IGNORECASE)) and loopBreaker.increment():
+                    arkimeFreeSpaceGTmp = InstallerAskForString(
+                        'Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.)',
+                        default=args.arkimeFreeSpaceG,
+                    )
+                if arkimeFreeSpaceGTmp:
+                    arkimeFreeSpaceG = arkimeFreeSpaceGTmp
 
         autoSuricata = InstallerYesOrNo(
             'Automatically analyze all PCAP files with Suricata?', default=args.autoSuricata
@@ -1376,6 +1387,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
                 'MANAGE_PCAP_FILES',
                 TrueOrFalseNoQuote(arkimeManagePCAP),
             ),
+            # Threshold for Arkime PCAP deletion
+            EnvValue(
+                os.path.join(args.configDir, 'arkime.env'),
+                'ARKIME_FREESPACEG',
+                arkimeFreeSpaceG,
+            ),
             # authentication method: basic (true), ldap (false) or no_authentication
             EnvValue(
                 os.path.join(args.configDir, 'auth-common.env'),
@@ -3471,6 +3488,15 @@ def main():
         default=False,
         help="Arkime should delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)",
     )
+    storageArgGroup.add_argument(
+        '--delete-pcap-threshold',
+        dest='arkimeFreeSpaceG',
+        required=False,
+        metavar='<string>',
+        type=str,
+        default='',
+        help=f'Threshold for Arkime PCAP deletion (see https://arkime.com/faq#pcap-deletion)',
+    )
     storageArgGroup.add_argument(
         '--delete-index-threshold',
         dest='indexPruneSizeLimit',
diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
index 255a2d22d..097c2a186 100644
--- a/sensor-iso/interface/sensor_ctl/control_vars.conf
+++ b/sensor-iso/interface/sensor_ctl/control_vars.conf
@@ -21,7 +21,8 @@ export ARKIME_COMPRESSION_LEVEL=0
 export ARKIME_VIEWER_CERT=viewer.crt
 export ARKIME_VIEWER_KEY=viewer.key
 # Password hash secret for Arkime viewer cluster (see https://arkime.com/settings)
-ARKIME_PASSWORD_SECRET=Malcolm
+export ARKIME_PASSWORD_SECRET=Malcolm
+export ARKIME_FREESPACEG=7%
 
 export DOCUMENTATION_PORT=8420
 export MISCBEAT_PORT=9516
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh b/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
index a47b80795..048e2944e 100644
--- a/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
+++ b/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
@@ -60,6 +60,11 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r "$SUPERVISOR_PATH"/arkime/config.ini ]]; t
     sed -r -i "s/(maxFileTimeM)\s*=\s*.*/\1=$PCAP_ROTATE_MINUTES/" "$ARKIME_CONFIG_FILE"
   fi
 
+  # pcap deletion threshold
+  if [[ -n $ARKIME_FREESPACEG ]]; then
+    sed -r -i "s/(freeSpaceG)\s*=\s*.*/\1=$ARKIME_FREESPACEG/" "$ARKIME_CONFIG_FILE"
+  fi
+
   # pcap compression
   COMPRESSION_TYPE="${ARKIME_COMPRESSION_TYPE:-none}"
   COMPRESSION_LEVEL="${ARKIME_COMPRESSION_LEVEL:-0}"

From 684d69f58be57f099f128377e094ad2c063954d7 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 11:33:04 -0700
Subject: [PATCH 41/82] fix file type validation not working for upload from
 (some?) windows browsers (idaholab/Malcolm#292) by removig front-end
 validation and just relying on the backend to do it

---
 file-upload/site/index.html | 22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)

diff --git a/file-upload/site/index.html b/file-upload/site/index.html
index fa4377939..a44a049d4 100644
--- a/file-upload/site/index.html
+++ b/file-upload/site/index.html
@@ -74,7 +74,6 @@ <h1 class="panel-title">Network Traffic Artifact Upload</h1>
     <script src="upload/filepond/dist/filepond.js"></script>
     <script src="upload/filepond-plugin-file-rename/dist/filepond-plugin-file-rename.js"></script>
     <script src="upload/filepond-plugin-file-metadata/dist/filepond-plugin-file-metadata.js"></script>
-    <script src="upload/filepond-plugin-file-validate-type/dist/filepond-plugin-file-validate-type.js"></script>
     <script src="upload/filepond-plugin-file-validate-size/dist/filepond-plugin-file-validate-size.js"></script>
 
     <script>
@@ -89,8 +88,7 @@ <h1 class="panel-title">Network Traffic Artifact Upload</h1>
             FilePond.registerPlugin(
                 FilePondPluginFileMetadata,
                 FilePondPluginFileRename,
-                FilePondPluginFileValidateSize,
-                FilePondPluginFileValidateType
+                FilePondPluginFileValidateSize
             );
 
             FilePond.setOptions({
@@ -100,23 +98,7 @@ <h1 class="panel-title">Network Traffic Artifact Upload</h1>
                 allowRemove: true,
                 allowRevert: true,
                 allowFileMetadata: true,
-                credits: false,
-                acceptedFileTypes: [
-                    'application/gzip',
-                    'application/octet-stream',
-                    'application/vnd.tcpdump.pcap',
-                    'application/x-7z-compressed',
-                    'application/x-bzip2',
-                    'application/x-cpio',
-                    'application/x-gzip',
-                    'application/x-lzip',
-                    'application/x-lzma',
-                    'application/x-pcapng',
-                    'application/x-rar-compressed',
-                    'application/x-tar',
-                    'application/x-xz',
-                    'application/zip'
-                ],
+                credits: false
             });
 
             // Turn a file input into a file pond

From f3c9872c7c8a5d807f989c39cf7ffc887096da44 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 11:39:02 -0700
Subject: [PATCH 42/82] improve error messages for PCAP/artifact processing
 beyond just icons, idaholab/Malcolm#276

---
 filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py | 2 +-
 pcap-monitor/scripts/watch-pcap-uploads-folder.py          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
index 1dfccf54a..7139361b6 100755
--- a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
+++ b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py
@@ -77,7 +77,7 @@ def file_processor(pathname, **kwargs):
 
             else:
                 # unhandled file type uploaded, delete it
-                logger.warning(f"{scriptName}:\t🗑\t{pathname} [{fileMime}]")
+                logger.warning(f"{scriptName}:\t🗑\t{pathname} [{fileMime} unsupported file type, deleted]")
                 os.unlink(pathname)
 
         except Exception as genericError:
diff --git a/pcap-monitor/scripts/watch-pcap-uploads-folder.py b/pcap-monitor/scripts/watch-pcap-uploads-folder.py
index dbc9a7fa7..2b7847f0e 100755
--- a/pcap-monitor/scripts/watch-pcap-uploads-folder.py
+++ b/pcap-monitor/scripts/watch-pcap-uploads-folder.py
@@ -88,7 +88,7 @@ def file_processor(pathname, **kwargs):
 
             else:
                 # unhandled file type uploaded, delete it
-                logger.warning(f"{scriptName}:\t🗑\t{pathname} ({fileMime}/{fileType})")
+                logger.warning(f"{scriptName}:\t🗑\t{pathname} ({fileMime}/{fileType} unsupported file type, deleted)")
                 os.unlink(pathname)
 
         except Exception as genericError:

From a0dc39aad6a51a61f4c692e0b4ea9ad69fadaa20 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 13:57:02 -0700
Subject: [PATCH 43/82] idaholab/Malcolm#147, replace kbn_sankey with vega

---
 Dockerfiles/dashboards.Dockerfile             |  76 --
 .../37041ee1-79c0-4684-a436-3173b0e89876.json | 141 ++--
 .../4e5f106e-c60a-4226-8f64-d534abb912ab.json | 105 ++-
 .../677ee170-809e-11ed-8d5b-07069f823b6f.json | 153 ++---
 dashboards/dashboards/Vega.Sankey.txt         | 423 ++++++++++++
 .../a33e0a50-afcd-11ea-993f-b7d8522a8bed.json | 648 +++++++++---------
 docs/contributing-dashboards.md               |   2 -
 7 files changed, 947 insertions(+), 601 deletions(-)
 create mode 100644 dashboards/dashboards/Vega.Sankey.txt

diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index 566f90885..4a9156b1c 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -1,76 +1,3 @@
-# build ####################################################################
-FROM amazonlinux:2 AS build
-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
-
-# set up build environment for dashboard plugins built from source
-
-ARG DEFAULT_UID=1000
-ARG DEFAULT_GID=1000
-ENV DEFAULT_UID $DEFAULT_UID
-ENV DEFAULT_GID $DEFAULT_GID
-ENV PUSER "dashboarder"
-ENV PGROUP "dashboarder"
-
-ENV TERM xterm
-
-ARG OPENSEARCH_VERSION="2.8.0"
-ENV OPENSEARCH_VERSION $OPENSEARCH_VERSION
-
-ARG OPENSEARCH_DASHBOARDS_VERSION="2.8.0"
-ENV OPENSEARCH_DASHBOARDS_VERSION $OPENSEARCH_DASHBOARDS_VERSION
-
-# base system dependencies for checking out and building plugins
-
-USER root
-
-RUN amazon-linux-extras install -y epel && \
-    yum upgrade -y && \
-    yum install -y curl patch procps psmisc tar zip unzip gcc-c++ make moreutils jq git && \
-    amazon-linux-extras install -y python3.8 && \
-        ln -s -r -f /usr/bin/python3.8 /usr/bin/python3 && \
-        ln -s -r -f /usr/bin/pip3.8 /usr/bin/pip3 && \
-    groupadd -g ${DEFAULT_GID} ${PGROUP} && \
-    adduser -u ${DEFAULT_UID} -d /home/${PUSER} -s /bin/bash -G ${PGROUP} -g ${PUSER} ${PUSER} && \
-    mkdir -p /usr/share && \
-    git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch --branch "${OPENSEARCH_VERSION}" https://github.com/opensearch-project/OpenSearch /usr/share/opensearch && \
-    git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch --branch "${OPENSEARCH_DASHBOARDS_VERSION}" https://github.com/opensearch-project/OpenSearch-Dashboards /usr/share/opensearch-dashboards && \
-    chown -R ${DEFAULT_UID}:${DEFAULT_GID} /usr/share/opensearch-dashboards /usr/share/opensearch
-
-# build plugins as non-root
-
-USER ${PUSER}
-
-# use nodenv (https://github.com/nodenv/nodenv) to manage nodejs/yarn
-
-ENV PATH "/home/${PUSER}/.nodenv/bin:${PATH}"
-
-RUN git clone --single-branch --depth=1 --recurse-submodules --shallow-submodules https://github.com/nodenv/nodenv.git /home/${PUSER}/.nodenv && \
-    cd /home/${PUSER}/.nodenv && \
-    ./src/configure && \
-    make -C src && \
-    cd /tmp && \
-    eval "$(nodenv init -)" && \
-    mkdir -p "$(nodenv root)"/plugins && \
-    git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch https://github.com/nodenv/node-build.git "$(nodenv root)"/plugins/node-build && \
-    git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch https://github.com/nodenv/nodenv-update.git "$(nodenv root)"/plugins/nodenv-update && \
-    git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch https://github.com/pine/nodenv-yarn-install.git "$(nodenv root)"/plugins/nodenv-yarn-install && \
-    nodenv install "$(cat /usr/share/opensearch-dashboards/.node-version)" && \
-    nodenv global "$(cat /usr/share/opensearch-dashboards/.node-version)"
-
-# check out and build plugins
-
-RUN eval "$(nodenv init -)" && \
-    mkdir -p /usr/share/opensearch-dashboards/plugins && \
-    git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch --branch opensearch-v2-dashboards-compatibility https://github.com/mmguero-dev/osd_sankey_vis.git /usr/share/opensearch-dashboards/plugins/sankey_vis && \
-    cd /usr/share/opensearch-dashboards/plugins/sankey_vis && \
-    yarn osd bootstrap && \
-    yarn install && \
-    yarn build --opensearch-dashboards-version "${OPENSEARCH_DASHBOARDS_VERSION}" && \
-    mv ./build/kbnSankeyVis-"${OPENSEARCH_DASHBOARDS_VERSION}".zip ./build/kbnSankeyVis.zip
-
-# runtime ##################################################################
-
 FROM opensearchproject/opensearch-dashboards:2.8.0
 
 LABEL maintainer="malcolm@inl.gov"
@@ -115,7 +42,6 @@ ENV NODE_OPTIONS $NODE_OPTIONS
 
 USER root
 
-COPY --from=build /usr/share/opensearch-dashboards/plugins/sankey_vis/build/kbnSankeyVis.zip /tmp/kbnSankeyVis.zip
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/bin/tini
 ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSFORM_VIS_VERSION/transformVis-$OSD_TRANSFORM_VIS_VERSION.zip /tmp/transformVis.zip
 
@@ -124,8 +50,6 @@ RUN yum upgrade -y && \
     usermod -a -G tty ${PUSER} && \
     # Malcolm manages authentication and encryption via NGINX reverse proxy
     /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \
-    cd /usr/share/opensearch-dashboards/plugins && \
-    /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/kbnSankeyVis.zip --allow-root && \
     cd /tmp && \
         # unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
         # sed -i "s/2\.9\.0/2\.9\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
index 441802ccc..a3db7ce3f 100644
--- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
+++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
@@ -1,5 +1,5 @@
 {
-  "version": "2.1.0",
+  "version": "2.8.0",
   "objects": [
     {
       "id": "37041ee1-79c0-4684-a436-3173b0e89876",
@@ -7,13 +7,13 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T20:29:05.468Z",
-      "version": "Wzg5NiwxXQ==",
+      "updated_at": "2023-11-14T19:40:46.803Z",
+      "version": "Wzk1NCwxXQ==",
       "attributes": {
         "title": "HTTP",
         "hits": 0,
         "description": "",
-        "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":30,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":14,\"x\":20,\"y\":48},\"panelIndex\":\"5\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":14,\"x\":34,\"y\":48},\"panelIndex\":\"6\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":117},\"panelIndex\":\"8\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":10,\"x\":10,\"y\":48},\"panelIndex\":\"14\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":10,\"x\":0,\"y\":48},\"panelIndex\":\"15\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":99},\"panelIndex\":\"16\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":117},\"panelIndex\":\"17\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":24,\"x\":24,\"y\":66},\"panelIndex\":\"20\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":24,\"x\":0,\"y\":66},\"panelIndex\":\"21\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":7,\"i\":\"23\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"23\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"24\",\"w\":16,\"x\":32,\"y\":19},\"panelIndex\":\"24\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"w\":8,\"x\":8,\"y\":7},\"panelIndex\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"e2ba3677-11c6-4cd9-87f3-fb3473718d10\",\"w\":24,\"x\":8,\"y\":19},\"panelIndex\":\"e2ba3677-11c6-4cd9-87f3-fb3473718d10\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_14\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"w\":8,\"x\":0,\"y\":30},\"panelIndex\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_15\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_16\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":42,\"i\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"w\":48,\"x\":0,\"y\":135},\"panelIndex\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_17\"}]",
+        "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"h\":30,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":14,\"x\":20,\"y\":48},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":14,\"x\":34,\"y\":48},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":117},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":10,\"x\":10,\"y\":48},\"panelIndex\":\"14\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":10,\"x\":0,\"y\":48},\"panelIndex\":\"15\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":99},\"panelIndex\":\"16\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":117},\"panelIndex\":\"17\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":24,\"x\":24,\"y\":66},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":24,\"x\":0,\"y\":66},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":7,\"i\":\"23\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"23\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":29,\"i\":\"24\",\"w\":16,\"x\":32,\"y\":19},\"panelIndex\":\"24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":12,\"i\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"w\":8,\"x\":8,\"y\":7},\"panelIndex\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"w\":8,\"x\":0,\"y\":30},\"panelIndex\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":13,\"i\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":42,\"i\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"w\":48,\"x\":0,\"y\":135},\"panelIndex\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":19,\"w\":24,\"h\":29,\"i\":\"42a27d88-4f13-4d7d-b267-0ffd2a39ca3f\"},\"panelIndex\":\"42a27d88-4f13-4d7d-b267-0ffd2a39ca3f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"}]",
         "optionsJSON": "{\"useMargins\":true}",
         "version": 1,
         "timeRestore": false,
@@ -95,22 +95,22 @@
         {
           "name": "panel_14",
           "type": "visualization",
-          "id": "db357c20-760d-11eb-8496-3528afc64ddb"
+          "id": "6efd67a0-760f-11eb-8496-3528afc64ddb"
         },
         {
           "name": "panel_15",
           "type": "visualization",
-          "id": "6efd67a0-760f-11eb-8496-3528afc64ddb"
+          "id": "7b56ed70-6faa-11eb-958c-51e33b5cae2a"
         },
         {
           "name": "panel_16",
-          "type": "visualization",
-          "id": "7b56ed70-6faa-11eb-958c-51e33b5cae2a"
+          "type": "search",
+          "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
         },
         {
           "name": "panel_17",
-          "type": "search",
-          "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
+          "type": "visualization",
+          "id": "9cfed8c0-8325-11ee-a28c-7361f03cd201"
         }
       ],
       "migrationVersion": {
@@ -123,8 +123,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:51:04.273Z",
-      "version": "WzgwNSwxXQ==",
+      "updated_at": "2023-11-14T19:19:25.240Z",
+      "version": "Wzg1OSwxXQ==",
       "attributes": {
         "title": "Network Logs",
         "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576)  \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405)  \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf)  \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330)  \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4)  \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed)  \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714)  \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3)  \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85)  \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11)  \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)  \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b)  \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1)  \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)  \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5)  \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f)  \\n[↪ NetBox](/netbox/)  \\n[↪ Arkime](/sessions)  \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406)   ●   [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e)   ●   [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9)   ●   [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48)   ●   [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876)   ●   [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3)   ●   [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673)   ●   [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24)   ●   [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105)   ●   [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6)   ●   [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37)   ●   [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586)   ●   [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0)   ●   [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c)   ●   [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970)   ●   [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0)   ●   [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26)   ●   [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa)   ●   [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773)   ●   [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f)   ●   [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab)   ●   [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238)   ●   [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)   ●   [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd)   ●   [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d)   ●   [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88)   ●   [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2)   ●   [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194)   ●   [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad)   ●   [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3)   ●   [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4)   ●   [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194)   ●   [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7)   ●   [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8)   ●   [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4)   ●   [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194)   ●   [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)   ●   [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4)   ●   [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
@@ -146,8 +146,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI1NSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI3NywxXQ==",
       "attributes": {
         "title": "HTTP - Status Over Time",
         "visState": "{\"title\":\"HTTP - Status Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status Code\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T16:47:29.688Z\",\"max\":\"2020-02-12T16:47:29.689Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Status Code\",\"aggType\":\"terms\"}]},\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]}}",
@@ -176,8 +176,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI1NiwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI3OCwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}",
         "description": "",
@@ -206,8 +206,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T20:28:57.331Z",
-      "version": "Wzg5NSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI3OSwxXQ==",
       "attributes": {
         "title": "HTTP - Sites Hosting EXEs",
         "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
@@ -235,8 +235,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI1OCwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4MCwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}",
         "description": "",
@@ -265,8 +265,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI1OSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4MSwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
         "description": "",
@@ -295,8 +295,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2MCwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4MiwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
         "description": "",
@@ -325,8 +325,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2MSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4MywxXQ==",
       "attributes": {
         "visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.original\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}",
         "description": "",
@@ -355,8 +355,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2MiwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4NCwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.referrer\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
         "description": "",
@@ -385,8 +385,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2MywxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4NSwxXQ==",
       "attributes": {
         "title": "HTTP - Destination Port",
         "visState": "{\"title\":\"HTTP - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
@@ -415,8 +415,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2NCwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4NiwxXQ==",
       "attributes": {
         "title": "HTTP - Destination Country",
         "visState": "{\"title\":\"HTTP - Destination Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":false,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}",
@@ -445,8 +445,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2NSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4NywxXQ==",
       "attributes": {
         "title": "HTTP - Log Count",
         "visState": "{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
@@ -475,8 +475,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2NiwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4OCwxXQ==",
       "attributes": {
         "title": "HTTP  - Status and Method",
         "visState": "{\"title\":\"HTTP  - Status and Method\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status Message\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
@@ -505,8 +505,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2NywxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI4OSwxXQ==",
       "attributes": {
         "title": "HTTP - Unique Usernames and Passwords",
         "visState": "{\"title\":\"HTTP - Unique Usernames and Passwords\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}},{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"related.user\",\"customLabel\":\"Unique Usernames\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"related.password\",\"customLabel\":\"Unique Cleartext Passwords\"}}]}",
@@ -529,44 +529,14 @@
         "visualization": "7.10.0"
       }
     },
-    {
-      "id": "db357c20-760d-11eb-8496-3528afc64ddb",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2OCwxXQ==",
-      "attributes": {
-        "title": "HTTP - Method and Status",
-        "visState": "{\"title\":\"HTTP - Method and Status\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
-        },
-        "savedSearchRefName": "search_0"
-      },
-      "references": [
-        {
-          "name": "search_0",
-          "type": "search",
-          "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
     {
       "id": "6efd67a0-760f-11eb-8496-3528afc64ddb",
       "type": "visualization",
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI2OSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI5MSwxXQ==",
       "attributes": {
         "title": "HTTP - Version",
         "visState": "{\"title\":\"HTTP - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HTTP Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100}}}",
@@ -595,8 +565,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI3MCwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI5MiwxXQ==",
       "attributes": {
         "title": "HTTP - File Type",
         "visState": "{\"title\":\"HTTP - File Type\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}",
@@ -625,8 +595,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2022-07-08T19:50:26.471Z",
-      "version": "WzI3MSwxXQ==",
+      "updated_at": "2023-11-14T19:18:33.654Z",
+      "version": "WzI5MywxXQ==",
       "attributes": {
         "title": "HTTP - Logs",
         "description": "",
@@ -661,6 +631,29 @@
       "migrationVersion": {
         "search": "7.9.3"
       }
+    },
+    {
+      "id": "9cfed8c0-8325-11ee-a28c-7361f03cd201",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:40:06.603Z",
+      "version": "Wzk1MywxXQ==",
+      "attributes": {
+        "title": "HTTP - Method and Status",
+        "visState": "{\"title\":\"HTTP - Method and Status\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"event.action\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"event.result\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"Method\\\", \\\"Status\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"left\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.action\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.result\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[]}"
+        }
+      },
+      "references": [],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
     }
   ]
 }
\ No newline at end of file
diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
index 7be4c3e46..8bae2a4b5 100644
--- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
+++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
@@ -1,5 +1,5 @@
 {
-  "version": "7.10.2",
+  "version": "2.8.0",
   "objects": [
     {
       "id": "4e5f106e-c60a-4226-8f64-d534abb912ab",
@@ -7,13 +7,13 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T19:22:09.074Z",
-      "version": "WzExNzEsMV0=",
+      "updated_at": "2023-11-14T19:36:48.975Z",
+      "version": "Wzk1MiwxXQ==",
       "attributes": {
         "title": "SNMP",
         "hits": 0,
         "description": "",
-        "panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":33,\"w\":10,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":10,\"y\":33,\"w\":12,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":20,\"y\":14,\"w\":9,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":14,\"w\":12,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":29,\"y\":14,\"w\":19,\"h\":19,\"i\":\"21d58bff-8812-458a-9c96-ad6bff972ead\"},\"panelIndex\":\"21d58bff-8812-458a-9c96-ad6bff972ead\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":22,\"y\":33,\"w\":26,\"h\":19,\"i\":\"71465d94-06a3-4a70-8cb8-ad4036300379\"},\"panelIndex\":\"71465d94-06a3-4a70-8cb8-ad4036300379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":32,\"i\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\"},\"panelIndex\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
+        "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":33,\"w\":10,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":10,\"y\":33,\"w\":12,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":20,\"y\":14,\"w\":9,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":14,\"w\":12,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":29,\"y\":14,\"w\":19,\"h\":19,\"i\":\"21d58bff-8812-458a-9c96-ad6bff972ead\"},\"panelIndex\":\"21d58bff-8812-458a-9c96-ad6bff972ead\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":32,\"i\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\"},\"panelIndex\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":22,\"y\":33,\"w\":26,\"h\":19,\"i\":\"c79c7ba6-abe8-41c6-af4a-809a8b405971\"},\"panelIndex\":\"c79c7ba6-abe8-41c6-af4a-809a8b405971\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
         "optionsJSON": "{\"useMargins\":true}",
         "version": 1,
         "timeRestore": false,
@@ -64,13 +64,13 @@
         },
         {
           "name": "panel_8",
-          "type": "visualization",
-          "id": "f0bd55b0-760b-11eb-8496-3528afc64ddb"
+          "type": "search",
+          "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
         },
         {
           "name": "panel_9",
-          "type": "search",
-          "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
+          "type": "visualization",
+          "id": "11c1b480-8325-11ee-a28c-7361f03cd201"
         }
       ],
       "migrationVersion": {
@@ -83,8 +83,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:47:06.069Z",
-      "version": "Wzg3NCwxXQ==",
+      "updated_at": "2023-11-14T19:19:25.240Z",
+      "version": "Wzg1OSwxXQ==",
       "attributes": {
         "title": "Network Logs",
         "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576)  \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405)  \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf)  \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330)  \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4)  \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed)  \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714)  \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3)  \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85)  \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11)  \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)  \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b)  \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1)  \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)  \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5)  \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f)  \\n[↪ NetBox](/netbox/)  \\n[↪ Arkime](/sessions)  \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406)   ●   [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e)   ●   [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9)   ●   [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48)   ●   [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876)   ●   [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3)   ●   [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673)   ●   [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24)   ●   [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105)   ●   [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6)   ●   [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37)   ●   [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586)   ●   [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0)   ●   [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c)   ●   [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970)   ●   [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0)   ●   [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26)   ●   [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa)   ●   [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773)   ●   [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f)   ●   [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab)   ●   [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238)   ●   [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)   ●   [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd)   ●   [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d)   ●   [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88)   ●   [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2)   ●   [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194)   ●   [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad)   ●   [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3)   ●   [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4)   ●   [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194)   ●   [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7)   ●   [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8)   ●   [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4)   ●   [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194)   ●   [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)   ●   [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4)   ●   [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
@@ -106,8 +106,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2MywxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM1NCwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"SNMP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"}}],\"listeners\":{}}",
         "description": "",
@@ -136,8 +136,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2NCwxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM1NSwxXQ==",
       "attributes": {
         "visState": "{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
         "description": "",
@@ -166,8 +166,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2NSwxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM1NiwxXQ==",
       "attributes": {
         "title": "SNMP - Destination IP Address",
         "visState": "{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
@@ -196,8 +196,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2NiwxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM1NywxXQ==",
       "attributes": {
         "visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.snmp.duration\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}",
         "description": "",
@@ -226,8 +226,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2NywxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM1OCwxXQ==",
       "attributes": {
         "title": "SNMP - Log Count",
         "visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"}}]}",
@@ -256,8 +256,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2OCwxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM1OSwxXQ==",
       "attributes": {
         "title": "SNMP - Community String",
         "visState": "{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.snmp.community\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}",
@@ -286,8 +286,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ2OSwxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM2MCwxXQ==",
       "attributes": {
         "title": "SNMP - PDU Type",
         "visState": "{\"title\":\"SNMP - PDU Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":true,\"orderBucketsBySum\":false}}",
@@ -310,44 +310,14 @@
         "visualization": "7.10.0"
       }
     },
-    {
-      "id": "f0bd55b0-760b-11eb-8496-3528afc64ddb",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2021-02-23T19:18:42.059Z",
-      "version": "WzEwOTcsMV0=",
-      "attributes": {
-        "title": "SNMP - Version and PDU Type",
-        "visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
-        },
-        "savedSearchRefName": "search_0"
-      },
-      "references": [
-        {
-          "name": "search_0",
-          "type": "search",
-          "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
     {
       "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8",
       "type": "search",
       "namespaces": [
         "default"
       ],
-      "updated_at": "2021-02-23T18:46:26.687Z",
-      "version": "WzQ3MCwxXQ==",
+      "updated_at": "2023-11-14T19:18:39.742Z",
+      "version": "WzM2MiwxXQ==",
       "attributes": {
         "title": "SNMP - Logs",
         "description": "",
@@ -382,6 +352,29 @@
       "migrationVersion": {
         "search": "7.9.3"
       }
+    },
+    {
+      "id": "11c1b480-8325-11ee-a28c-7361f03cd201",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:36:13.000Z",
+      "version": "Wzk1MSwxXQ==",
+      "attributes": {
+        "title": "SNMP - Version and PDU Type",
+        "visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"network.protocol_version\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"event.action\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"SNMP Version\\\", \\\"Action\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"left\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol_version\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.action\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:snmp\",\"language\":\"kuery\"},\"filter\":[]}"
+        }
+      },
+      "references": [],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
     }
   ]
 }
\ No newline at end of file
diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
index 2fd7ec062..9de0cd9c9 100644
--- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
+++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
@@ -1,5 +1,5 @@
 {
-  "version": "2.4.1",
+  "version": "2.8.0",
   "objects": [
     {
       "id": "677ee170-809e-11ed-8d5b-07069f823b6f",
@@ -7,13 +7,13 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:22:02.745Z",
-      "version": "WzkzOCwxXQ==",
+      "updated_at": "2023-11-14T20:55:46.977Z",
+      "version": "Wzk1MSwxXQ==",
       "attributes": {
         "title": "Asset Interaction Analysis",
         "hits": 0,
         "description": "",
-        "panelsJSON": "[{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":36,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":12,\"h\":18,\"i\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\"},\"panelIndex\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":20,\"y\":0,\"w\":28,\"h\":18,\"i\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\"},\"panelIndex\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":8,\"y\":18,\"w\":12,\"h\":18,\"i\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\"},\"panelIndex\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":20,\"y\":18,\"w\":14,\"h\":37,\"i\":\"618fe049-9298-49e7-adf6-31da64a796ad\"},\"panelIndex\":\"618fe049-9298-49e7-adf6-31da64a796ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":34,\"y\":18,\"w\":14,\"h\":37,\"i\":\"707927bd-fd2e-48cd-a045-4db49fb90159\"},\"panelIndex\":\"707927bd-fd2e-48cd-a045-4db49fb90159\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":36,\"w\":20,\"h\":19,\"i\":\"447d6058-5433-4076-b0cc-60fb7f7b4c70\"},\"panelIndex\":\"447d6058-5433-4076-b0cc-60fb7f7b4c70\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":55,\"w\":11,\"h\":18,\"i\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\"},\"panelIndex\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":11,\"y\":55,\"w\":20,\"h\":18,\"i\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\"},\"panelIndex\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":31,\"y\":55,\"w\":17,\"h\":18,\"i\":\"64f0e91b-4263-4400-812d-c378cd6d8565\"},\"panelIndex\":\"64f0e91b-4263-4400-812d-c378cd6d8565\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":73,\"w\":24,\"h\":22,\"i\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\"},\"panelIndex\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":24,\"y\":73,\"w\":24,\"h\":22,\"i\":\"fe600b29-f6af-4d33-b226-26743ced5290\"},\"panelIndex\":\"fe600b29-f6af-4d33-b226-26743ced5290\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":95,\"w\":24,\"h\":18,\"i\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\"},\"panelIndex\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":24,\"y\":95,\"w\":24,\"h\":18,\"i\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\"},\"panelIndex\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":113,\"w\":48,\"h\":33,\"i\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\"},\"panelIndex\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":146,\"w\":48,\"h\":31,\"i\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\"},\"panelIndex\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]",
+        "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"h\":36,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\",\"w\":12,\"x\":8,\"y\":0},\"panelIndex\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\",\"w\":28,\"x\":20,\"y\":0},\"panelIndex\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\",\"w\":12,\"x\":8,\"y\":18},\"panelIndex\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":37,\"i\":\"618fe049-9298-49e7-adf6-31da64a796ad\",\"w\":14,\"x\":20,\"y\":18},\"panelIndex\":\"618fe049-9298-49e7-adf6-31da64a796ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":37,\"i\":\"707927bd-fd2e-48cd-a045-4db49fb90159\",\"w\":14,\"x\":34,\"y\":18},\"panelIndex\":\"707927bd-fd2e-48cd-a045-4db49fb90159\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\",\"w\":11,\"x\":0,\"y\":55},\"panelIndex\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\",\"w\":20,\"x\":11,\"y\":55},\"panelIndex\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"64f0e91b-4263-4400-812d-c378cd6d8565\",\"w\":17,\"x\":31,\"y\":55},\"panelIndex\":\"64f0e91b-4263-4400-812d-c378cd6d8565\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":22,\"i\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\",\"w\":24,\"x\":0,\"y\":73},\"panelIndex\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":22,\"i\":\"fe600b29-f6af-4d33-b226-26743ced5290\",\"w\":24,\"x\":24,\"y\":73},\"panelIndex\":\"fe600b29-f6af-4d33-b226-26743ced5290\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\",\"w\":24,\"x\":24,\"y\":95},\"panelIndex\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":33,\"i\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\",\"w\":48,\"x\":0,\"y\":113},\"panelIndex\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":31,\"i\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\",\"w\":48,\"x\":0,\"y\":146},\"panelIndex\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":19,\"i\":\"3b28bc9b-393b-4cf2-b31c-3510b0994281\",\"w\":20,\"x\":0,\"y\":36},\"panelIndex\":\"3b28bc9b-393b-4cf2-b31c-3510b0994281\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]",
         "optionsJSON": "{\"useMargins\":true}",
         "version": 1,
         "timeRestore": false,
@@ -55,52 +55,52 @@
         {
           "name": "panel_6",
           "type": "visualization",
-          "id": "5e7be470-8183-11ed-8ccb-af218b39580f"
+          "id": "34fb58a0-9787-11ed-a26e-595ac55a6057"
         },
         {
           "name": "panel_7",
           "type": "visualization",
-          "id": "34fb58a0-9787-11ed-a26e-595ac55a6057"
+          "id": "b8d19d20-8246-11ed-978d-3910915d0e0c"
         },
         {
           "name": "panel_8",
           "type": "visualization",
-          "id": "b8d19d20-8246-11ed-978d-3910915d0e0c"
+          "id": "1d4da4b0-8247-11ed-978d-3910915d0e0c"
         },
         {
           "name": "panel_9",
           "type": "visualization",
-          "id": "1d4da4b0-8247-11ed-978d-3910915d0e0c"
+          "id": "e40049c0-821d-11ed-9877-cfe49c9ac04f"
         },
         {
           "name": "panel_10",
           "type": "visualization",
-          "id": "e40049c0-821d-11ed-9877-cfe49c9ac04f"
+          "id": "f0167720-821d-11ed-9877-cfe49c9ac04f"
         },
         {
           "name": "panel_11",
           "type": "visualization",
-          "id": "f0167720-821d-11ed-9877-cfe49c9ac04f"
+          "id": "20a4ad80-8acf-11ed-95fa-1ba69c999d66"
         },
         {
           "name": "panel_12",
           "type": "visualization",
-          "id": "20a4ad80-8acf-11ed-95fa-1ba69c999d66"
+          "id": "5e0b84f0-8acf-11ed-95fa-1ba69c999d66"
         },
         {
           "name": "panel_13",
-          "type": "visualization",
-          "id": "5e0b84f0-8acf-11ed-95fa-1ba69c999d66"
+          "type": "search",
+          "id": "2e27c5e0-809e-11ed-8d5b-07069f823b6f"
         },
         {
           "name": "panel_14",
           "type": "search",
-          "id": "2e27c5e0-809e-11ed-8d5b-07069f823b6f"
+          "id": "8d302e10-9b74-11ed-a51c-3fd00aab0ddc"
         },
         {
           "name": "panel_15",
-          "type": "search",
-          "id": "8d302e10-9b74-11ed-a51c-3fd00aab0ddc"
+          "type": "visualization",
+          "id": "3d477aa0-8324-11ee-a28c-7361f03cd201"
         }
       ],
       "migrationVersion": {
@@ -113,8 +113,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:09:17.633Z",
-      "version": "WzgzNywxXQ==",
+      "updated_at": "2023-11-14T20:35:24.930Z",
+      "version": "Wzg2MCwxXQ==",
       "attributes": {
         "title": "Network Logs",
         "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576)  \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405)  \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf)  \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330)  \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4)  \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed)  \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714)  \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3)  \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85)  \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11)  \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)  \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b)  \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1)  \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)  \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5)  \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f)  \\n[↪ NetBox](/netbox/)  \\n[↪ Arkime](/sessions)  \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406)   ●   [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e)   ●   [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9)   ●   [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48)   ●   [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876)   ●   [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3)   ●   [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673)   ●   [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24)   ●   [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105)   ●   [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6)   ●   [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37)   ●   [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586)   ●   [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0)   ●   [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c)   ●   [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970)   ●   [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0)   ●   [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26)   ●   [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa)   ●   [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773)   ●   [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f)   ●   [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab)   ●   [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238)   ●   [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)   ●   [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd)   ●   [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d)   ●   [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88)   ●   [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2)   ●   [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194)   ●   [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad)   ●   [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3)   ●   [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4)   ●   [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194)   ●   [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7)   ●   [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8)   ●   [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4)   ●   [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194)   ●   [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)   ●   [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4)   ●   [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
@@ -136,8 +136,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzM5NiwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQxNywxXQ==",
       "attributes": {
         "title": "Source Device Type",
         "visState": "{\"title\":\"Source Device Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -166,8 +166,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzM5NywxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQxOCwxXQ==",
       "attributes": {
         "title": "Traffic by Network Segment",
         "visState": "{\"title\":\"Traffic by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Direction\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Segment\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Segment\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.packets\",\"customLabel\":\"Total Packets\"},\"schema\":\"metric\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.bytes\",\"customLabel\":\"Total Bytes\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -196,8 +196,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzM5OCwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQxOSwxXQ==",
       "attributes": {
         "title": "Destination Device Type",
         "visState": "{\"title\":\"Destination Device Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -226,8 +226,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzM5OSwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyMCwxXQ==",
       "attributes": {
         "title": "Source Device Role",
         "visState": "{\"title\":\"Source Device Role\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Role\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":false}}",
@@ -256,8 +256,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwMCwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyMSwxXQ==",
       "attributes": {
         "title": "Destination Device Role",
         "visState": "{\"title\":\"Destination Device Role\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Role\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":false}}",
@@ -280,48 +280,18 @@
         "visualization": "7.10.0"
       }
     },
-    {
-      "id": "5e7be470-8183-11ed-8ccb-af218b39580f",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwMSwxXQ==",
-      "attributes": {
-        "title": "Cross Segment Traffic",
-        "visState": "{\"title\":\"Cross Segment Traffic\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Segment\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Segment\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"tags:cross_segment\",\"language\":\"lucene\"},\"filter\":[]}"
-        },
-        "savedSearchRefName": "search_0"
-      },
-      "references": [
-        {
-          "name": "search_0",
-          "type": "search",
-          "id": "b1645e70-8182-11ed-8ccb-af218b39580f"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
     {
       "id": "34fb58a0-9787-11ed-a26e-595ac55a6057",
       "type": "visualization",
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwMiwxXQ==",
+      "updated_at": "2023-11-14T20:51:17.788Z",
+      "version": "Wzk0OSwxXQ==",
       "attributes": {
         "title": "Protocol by Network Segment",
-        "visState": "{\"title\":\"Protocol by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Family\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
+        "visState": "{\"title\":\"Protocol by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Family\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}}",
         "description": "",
         "version": 1,
         "kibanaSavedObjectMeta": {
@@ -346,8 +316,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwMywxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyMywxXQ==",
       "attributes": {
         "title": "Notice, Alert and Signature by Network Segment",
         "visState": "{\"title\":\"Notice, Alert and Signature by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Provider\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -376,8 +346,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwNCwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyNCwxXQ==",
       "attributes": {
         "title": "Event Severity by Network Segment",
         "visState": "{\"title\":\"Event Severity by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.severity_tags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity Tag\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"event.risk_score\",\"customLabel\":\"High Raw Severity\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -406,8 +376,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwNSwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyNSwxXQ==",
       "attributes": {
         "title": "Source Device Log Counts",
         "visState": "{\"title\":\"Source Device Log Counts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -436,8 +406,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwNiwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyNiwxXQ==",
       "attributes": {
         "title": "Destination Device Log Counts",
         "visState": "{\"title\":\"Destination Device Log Counts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -466,8 +436,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwNywxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyNywxXQ==",
       "attributes": {
         "title": "Uninventoried Internal Source IPs",
         "visState": "{\"title\":\"Uninventoried Internal Source IPs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Segment\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -496,8 +466,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwOCwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyOCwxXQ==",
       "attributes": {
         "title": "Uninventoried Internal Destination IPs",
         "visState": "{\"title\":\"Uninventoried Internal Destination IPs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Segment\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
@@ -526,8 +496,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQwOSwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQyOSwxXQ==",
       "attributes": {
         "title": "Uninventoried Internal Assets - Logs",
         "description": "",
@@ -568,8 +538,8 @@
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:20:40.561Z",
-      "version": "WzkzNywxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQzMCwxXQ==",
       "attributes": {
         "title": "Uninventoried Observed Services - Logs",
         "description": "",
@@ -603,14 +573,37 @@
         "search": "7.9.3"
       }
     },
+    {
+      "id": "3d477aa0-8324-11ee-a28c-7361f03cd201",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQzMSwxXQ==",
+      "attributes": {
+        "title": "Cross Segment Traffic",
+        "visState": "{\"title\":\"Cross Segment Traffic\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"source.segment.name\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"destination.segment.name\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"Source Segment\\\", \\\"Destination Segment\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"left\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"source.segment.name\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"destination.segment.name\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"tags:cross_segment\",\"language\":\"kuery\"},\"filter\":[]}"
+        }
+      },
+      "references": [],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
     {
       "id": "b1645e70-8182-11ed-8ccb-af218b39580f",
       "type": "search",
       "namespaces": [
         "default"
       ],
-      "updated_at": "2023-01-23T23:08:39.281Z",
-      "version": "WzQxMCwxXQ==",
+      "updated_at": "2023-11-14T20:34:46.347Z",
+      "version": "WzQzMiwxXQ==",
       "attributes": {
         "title": "NetBox Enrichment - Candidate Logs",
         "description": "",
diff --git a/dashboards/dashboards/Vega.Sankey.txt b/dashboards/dashboards/Vega.Sankey.txt
new file mode 100644
index 000000000..7b710e97e
--- /dev/null
+++ b/dashboards/dashboards/Vega.Sankey.txt
@@ -0,0 +1,423 @@
+{
+  // thanks to:
+  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana
+  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/
+  $schema: https://vega.github.io/schema/vega/v3.0.json
+  data: [
+    {
+      // query ES based on the currently selected time range and filter string
+      name: rawData
+      url: {
+        %context%: true
+        %timefield%: firstPacket
+        index: arkime_sessions3-*
+        body: {
+          size: 0
+          aggs: {
+            table: {
+              composite: {
+                size: 10000
+                sources: [
+                  {
+                    stk1: {
+                      terms: {field: "source.ip"}
+                    }
+                  }
+                  {
+                    stk2: {
+                      terms: {field: "destination.ip"}
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+      // From the result, take just the data we are interested in
+      format: {property: "aggregations.table.buckets"}
+      // Convert key.stk1 -> stk1 for simpler access below
+      transform: [
+        {type: "formula", expr: "datum.key.stk1", as: "stk1"}
+        {type: "formula", expr: "datum.key.stk2", as: "stk2"}
+        {type: "formula", expr: "datum.doc_count", as: "size"}
+      ]
+    }
+    {
+      name: nodes
+      source: rawData
+      transform: [
+        // when a value is selected, filter out unrelated data
+        {
+          type: filter
+          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2
+        }
+        // Set new key for later lookups - identifies each node
+        {type: "formula", expr: "datum.stk1+datum.stk2", as: "key"}
+        // instead of each table row, create two new rows,
+        // one for the source (stack=stk1) and one for destination node (stack=stk2).
+        // The values stored in stk1 and stk2 fields is placed into grpId field.
+        {
+          type: fold
+          fields: ["stk1", "stk2"]
+          as: ["stack", "grpId"]
+        }
+        // Create a sortkey, different for stk1 and stk2 stacks.
+        // Space separator ensures proper sort order in some corner cases.
+        {
+          type: formula
+          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1
+          as: sortField
+        }
+        // Calculate y0 and y1 positions for stacking nodes one on top of the other,
+        // independently for each stack, and ensuring they are in the proper order,
+        // alphabetical from the top (reversed on the y axis)
+        {
+          type: stack
+          groupby: ["stack"]
+          sort: {field: "sortField", order: "descending"}
+          field: size
+        }
+        // calculate vertical center point for each node, used to draw edges
+        {type: "formula", expr: "(datum.y0+datum.y1)/2", as: "yc"}
+      ]
+    }
+    {
+      name: groups
+      source: nodes
+      transform: [
+        // combine all nodes into groups, summing up the doc counts
+        {
+          type: aggregate
+          groupby: ["stack", "grpId"]
+          fields: ["size"]
+          ops: ["sum"]
+          as: ["total"]
+        }
+        // re-calculate the stacking y0,y1 values
+        {
+          type: stack
+          groupby: ["stack"]
+          sort: {field: "grpId", order: "descending"}
+          field: total
+        }
+        // project y0 and y1 values to screen coordinates
+        // doing it once here instead of doing it several times in marks
+        {type: "formula", expr: "scale('y', datum.y0)", as: "scaledY0"}
+        {type: "formula", expr: "scale('y', datum.y1)", as: "scaledY1"}
+        // boolean flag if the label should be on the right of the stack
+        {type: "formula", expr: "datum.stack == 'stk1'", as: "rightLabel"}
+        // Calculate percentage for this value using "y" scale
+        // domain upper bound, which represents the total
+        {
+          type: formula
+          expr: datum.total/domain('y')[1]
+          as: percentage
+        }
+      ]
+    }
+    {
+      // This is a temp lookup table with all the 'stk2' stack nodes
+      name: destinationNodes
+      source: nodes
+      transform: [
+        {type: "filter", expr: "datum.stack == 'stk2'"}
+      ]
+    }
+    {
+      name: edges
+      source: nodes
+      transform: [
+        // we only want nodes from the left stack
+        {type: "filter", expr: "datum.stack == 'stk1'"}
+        // find corresponding node from the right stack, keep it as "target"
+        {
+          type: lookup
+          from: destinationNodes
+          key: key
+          fields: ["key"]
+          as: ["target"]
+        }
+        // calculate SVG link path between stk1 and stk2 stacks for the node pair
+        {
+          type: linkpath
+          orient: horizontal
+          shape: diagonal
+          sourceY: {expr: "scale('y', datum.yc)"}
+          sourceX: {expr: "scale('x', 'stk1') + bandwidth('x')"}
+          targetY: {expr: "scale('y', datum.target.yc)"}
+          targetX: {expr: "scale('x', 'stk2')"}
+        }
+        // A little trick to calculate the thickness of the line.
+        // The value needs to be the same as the hight of the node, but scaling
+        // size to screen's height gives inversed value because screen's Y
+        // coordinate goes from the top to the bottom, whereas the graph's Y=0
+        // is at the bottom. So subtracting scaled doc count from screen height
+        // (which is the "lower" bound of the "y" scale) gives us the right value
+        {
+          type: formula
+          expr: range('y')[0]-scale('y', datum.size)
+          as: strokeWidth
+        }
+        // Tooltip needs individual link's percentage of all values
+        {
+          type: formula
+          expr: datum.size/domain('y')[1]
+          as: percentage
+        }
+      ]
+    }
+  ]
+  scales: [
+    {
+      // calculates horizontal stack positioning
+      name: x
+      type: band
+      range: width
+      domain: ["stk1", "stk2"]
+      paddingOuter: 0.05
+      paddingInner: 0.95
+    }
+    {
+      // this scale goes up as high as the highest y1 value of all nodes
+      name: y
+      type: linear
+      range: height
+      domain: {data: "nodes", field: "y1"}
+    }
+    {
+      // use rawData to ensure the colors stay the same when clicking.
+      name: color
+      type: ordinal
+      range: category
+      domain: {data: "rawData", fields: ["stk1", "stk2"]}
+    }
+    {
+      // this scale is used to map internal ids (stk1, stk2) to stack names
+      name: stackNames
+      type: ordinal
+      range: ["Source IP", "Destination IP"]
+      domain: ["stk1", "stk2"]
+    }
+  ]
+  axes: [
+    {
+      // x axis should use custom label formatting to print proper stack names
+      orient: bottom
+      scale: x
+      encode: {
+        labels: {
+          update: {
+            text: {scale: "stackNames", field: "value"}
+          }
+        }
+      }
+    }
+    {orient: "left", scale: "y"}
+  ]
+  marks: [
+    {
+      // draw the connecting line between stacks
+      type: path
+      name: edgeMark
+      from: {data: "edges"}
+      // this prevents some autosizing issues with large strokeWidth for paths
+      clip: true
+      encode: {
+        update: {
+          // By default use color of the left node, except when showing contributors
+          // from just one value, in which case use destination color.
+          stroke: [
+            {
+              test: groupSelector && groupSelector.stack=='stk1'
+              scale: color
+              field: stk2
+            }
+            {scale: "color", field: "stk1"}
+          ]
+          strokeWidth: {field: "strokeWidth"}
+          path: {field: "path"}
+          // when showing all data, and hovering over a value,
+          // highlight the contributors for that value
+          strokeOpacity: {
+            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3
+          }
+          // Ensure that the hover-selected edges show on top
+          zindex: {
+            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0
+          }
+          // format tooltip string
+          tooltip: {
+            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'
+          }
+        }
+        // Simple mouseover highlighting of a single line
+        hover: {
+          strokeOpacity: {value: 1}
+        }
+      }
+    }
+    {
+      // draw stack groups (countries)
+      type: rect
+      name: groupMark
+      from: {data: "groups"}
+      encode: {
+        enter: {
+          fill: {scale: "color", field: "grpId"}
+          width: {scale: "x", band: 1}
+        }
+        update: {
+          x: {scale: "x", field: "stack"}
+          y: {field: "scaledY0"}
+          y2: {field: "scaledY1"}
+          fillOpacity: {value: 0.6}
+          tooltip: {
+            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'
+          }
+        }
+        hover: {
+          fillOpacity: {value: 1}
+        }
+      }
+    }
+    {
+      // draw labels on the inner side of the stack
+      type: text
+      from: {data: "groups"}
+      // don't process events for the labels - otherwise line mouseover is unclean
+      interactive: false
+      encode: {
+        update: {
+          // depending on which stack it is, position x with some padding
+          x: {
+            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)
+          }
+          // middle of the group
+          yc: {signal: "(datum.scaledY0 + datum.scaledY1)/2"}
+          align: {signal: "datum.rightLabel ? 'left' : 'right'"}
+          baseline: {value: "middle"}
+          fontWeight: {value: "bold"}
+          // only show text label if the group's height is large enough
+          text: {signal: "abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''"}
+        }
+      }
+    }
+    {
+      // Create a "show all" button. Shown only when a value is selected.
+      type: group
+      data: [
+        // We need to make the button show only when groupSelector signal is true.
+        // Each mark is drawn as many times as there are elements in the backing data.
+        // Which means that if values list is empty, it will not be drawn.
+        // Here I create a data source with one empty object, and filter that list
+        // based on the signal value. This can only be done in a group.
+        {
+          name: dataForShowAll
+          values: [{}]
+          transform: [{type: "filter", expr: "groupSelector"}]
+        }
+      ]
+      // Set button size and positioning
+      encode: {
+        enter: {
+          xc: {signal: "width/2"}
+          y: {value: 30}
+          width: {value: 80}
+          height: {value: 30}
+        }
+      }
+      marks: [
+        {
+          // This group is shown as a button with rounded corners.
+          type: group
+          // mark name allows signal capturing
+          name: groupReset
+          // Only shows button if dataForShowAll has values.
+          from: {data: "dataForShowAll"}
+          encode: {
+            enter: {
+              cornerRadius: {value: 6}
+              fill: {value: "#f5f5f5"}
+              stroke: {value: "#c1c1c1"}
+              strokeWidth: {value: 2}
+              // use parent group's size
+              height: {
+                field: {group: "height"}
+              }
+              width: {
+                field: {group: "width"}
+              }
+            }
+            update: {
+              // groups are transparent by default
+              opacity: {value: 1}
+            }
+            hover: {
+              opacity: {value: 0.7}
+            }
+          }
+          marks: [
+            {
+              type: text
+              // if true, it will prevent clicking on the button when over text.
+              interactive: false
+              encode: {
+                enter: {
+                  // center text in the paren group
+                  xc: {
+                    field: {group: "width"}
+                    mult: 0.5
+                  }
+                  yc: {
+                    field: {group: "height"}
+                    mult: 0.5
+                    offset: 2
+                  }
+                  align: {value: "center"}
+                  baseline: {value: "middle"}
+                  fontWeight: {value: "bold"}
+                  text: {value: "Show All"}
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+  signals: [
+    {
+      // used to highlight data to/from the same value
+      name: groupHover
+      value: {}
+      on: [
+        {
+          events: @groupMark:mouseover
+          update: "{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}"
+        }
+        {events: "mouseout", update: "{}"}
+      ]
+    }
+    // used to filter only the data related to the selected value
+    {
+      name: groupSelector
+      value: false
+      on: [
+        {
+          // Clicking groupMark sets this signal to the filter values
+          events: @groupMark:click!
+          update: "datum.stack=='stk1' ? opensearchDashboardsAddFilter({\"match_phrase\": { \"source.ip\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\"match_phrase\": { \"destination.ip\": datum.grpId } }, 'arkime_sessions3-*')"
+        }
+        {
+          // Clicking "show all" button, or double-clicking anywhere resets it
+          events: [
+            {type: "click", markname: "groupReset"}
+            {type: "dblclick"}
+          ]
+          update: "false"
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
index e60bda9b0..fa067946e 100644
--- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
+++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
@@ -1,314 +1,336 @@
-{
-  "version": "1.3.1",
-  "objects": [
-    {
-      "id": "a33e0a50-afcd-11ea-993f-b7d8522a8bed",
-      "type": "dashboard",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:10:51.772Z",
-      "version": "WzUxNiwxXQ==",
-      "attributes": {
-        "title": "Actions and Results",
-        "hits": 0,
-        "description": "",
-        "panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":46,\"i\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\"},\"panelIndex\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":13,\"h\":7,\"i\":\"12265d8d-1385-4adb-8974-941feadbc9a4\"},\"panelIndex\":\"12265d8d-1385-4adb-8974-941feadbc9a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":15,\"i\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\"},\"panelIndex\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":7,\"w\":13,\"h\":8,\"i\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\"},\"panelIndex\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":15,\"w\":40,\"h\":31,\"i\":\"33f87f47-f981-46dd-8a9f-bb3c9ff7bf20\"},\"panelIndex\":\"33f87f47-f981-46dd-8a9f-bb3c9ff7bf20\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":46,\"w\":24,\"h\":18,\"i\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\"},\"panelIndex\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":24,\"y\":46,\"w\":24,\"h\":18,\"i\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\"},\"panelIndex\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":31,\"i\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\"},\"panelIndex\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]",
-        "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
-        "version": 1,
-        "timeRestore": false,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"
-        }
-      },
-      "references": [
-        {
-          "name": "panel_0",
-          "type": "visualization",
-          "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
-        },
-        {
-          "name": "panel_1",
-          "type": "visualization",
-          "id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed"
-        },
-        {
-          "name": "panel_2",
-          "type": "visualization",
-          "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed"
-        },
-        {
-          "name": "panel_3",
-          "type": "visualization",
-          "id": "AWDGyaGxxQT5EBNmq3K9"
-        },
-        {
-          "name": "panel_4",
-          "type": "visualization",
-          "id": "1c4354d0-7609-11eb-8496-3528afc64ddb"
-        },
-        {
-          "name": "panel_5",
-          "type": "visualization",
-          "id": "77bd1870-46ce-11ea-91c3-61991161aaaf"
-        },
-        {
-          "name": "panel_6",
-          "type": "visualization",
-          "id": "767e3d90-afce-11ea-993f-b7d8522a8bed"
-        },
-        {
-          "name": "panel_7",
-          "type": "search",
-          "id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
-        }
-      ],
-      "migrationVersion": {
-        "dashboard": "7.9.3"
-      }
-    },
-    {
-      "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:11:16.155Z",
-      "version": "Wzc4NSwxXQ==",
-      "attributes": {
-        "title": "Network Logs",
-        "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576)  \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405)  \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf)  \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330)  \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4)  \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed)  \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714)  \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3)  \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85)  \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11)  \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)  \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b)  \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1)  \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)  \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5)  \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f)  \\n[↪ NetBox](/netbox/)  \\n[↪ Arkime](/sessions)  \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406)   ●   [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e)   ●   [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9)   ●   [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48)   ●   [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876)   ●   [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3)   ●   [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673)   ●   [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24)   ●   [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105)   ●   [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6)   ●   [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37)   ●   [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586)   ●   [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0)   ●   [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c)   ●   [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970)   ●   [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0)   ●   [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26)   ●   [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa)   ●   [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773)   ●   [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f)   ●   [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab)   ●   [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238)   ●   [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)   ●   [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd)   ●   [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d)   ●   [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88)   ●   [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2)   ●   [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194)   ●   [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad)   ●   [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3)   ●   [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4)   ●   [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194)   ●   [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7)   ●   [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8)   ●   [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4)   ●   [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194)   ●   [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)   ●   [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4)   ●   [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
-        "uiStateJSON": "{}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
-        }
-      },
-      "references": [],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:10:51.772Z",
-      "version": "WzUxOCwxXQ==",
-      "attributes": {
-        "title": "Filter by Application Protocol",
-        "visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
-        "uiStateJSON": "{}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{}"
-        }
-      },
-      "references": [
-        {
-          "name": "control_0_index_pattern",
-          "type": "index-pattern",
-          "id": "arkime_sessions3-*"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:10:51.772Z",
-      "version": "WzUxOSwxXQ==",
-      "attributes": {
-        "title": "Total Log Count Over Time by Application Protocol",
-        "visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}",
-        "uiStateJSON": "{}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{}"
-        },
-        "savedSearchRefName": "search_0"
-      },
-      "references": [
-        {
-          "name": "search_0",
-          "type": "search",
-          "id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "AWDGyaGxxQT5EBNmq3K9",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:18:09.590Z",
-      "version": "WzEwNTEsMV0=",
-      "attributes": {
-        "title": "Total Number of Logs",
-        "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Logs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Data Source\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"colorSchema\":\"Green to Red\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"},\"metricColorMode\":\"None\"}}}",
-        "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
-        }
-      },
-      "references": [
-        {
-          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
-          "type": "index-pattern",
-          "id": "arkime_sessions3-*"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "1c4354d0-7609-11eb-8496-3528afc64ddb",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:10:51.772Z",
-      "version": "WzUyMSwxXQ==",
-      "attributes": {
-        "title": "Top Actions and Results by Service",
-        "visState": "{\"title\":\"Top Actions and Results by Service\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:* AND (event.action:* OR event.result:*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
-        }
-      },
-      "references": [
-        {
-          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
-          "type": "index-pattern",
-          "id": "arkime_sessions3-*"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "77bd1870-46ce-11ea-91c3-61991161aaaf",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:10:51.772Z",
-      "version": "WzUyMiwxXQ==",
-      "attributes": {
-        "title": "Actions",
-        "visState": "{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
-        }
-      },
-      "references": [
-        {
-          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
-          "type": "index-pattern",
-          "id": "arkime_sessions3-*"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "767e3d90-afce-11ea-993f-b7d8522a8bed",
-      "type": "visualization",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:10:51.772Z",
-      "version": "WzUyMywxXQ==",
-      "attributes": {
-        "title": "Results",
-        "visState": "{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}",
-        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
-        "description": "",
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
-        }
-      },
-      "references": [
-        {
-          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
-          "type": "index-pattern",
-          "id": "arkime_sessions3-*"
-        }
-      ],
-      "migrationVersion": {
-        "visualization": "7.10.0"
-      }
-    },
-    {
-      "id": "c97bc964-5319-41e7-ad22-db28156a2ac1",
-      "type": "search",
-      "namespaces": [
-        "default"
-      ],
-      "updated_at": "2022-04-29T13:11:16.155Z",
-      "version": "Wzc5OCwxXQ==",
-      "attributes": {
-        "title": "All Logs",
-        "description": "",
-        "hits": 0,
-        "columns": [
-          "event.provider",
-          "event.dataset",
-          "network.protocol",
-          "event.action",
-          "event.result",
-          "source.ip",
-          "destination.ip",
-          "destination.port",
-          "event.id"
-        ],
-        "sort": [
-          [
-            "firstPacket",
-            "desc"
-          ]
-        ],
-        "version": 1,
-        "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
-        }
-      },
-      "references": [
-        {
-          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
-          "type": "index-pattern",
-          "id": "arkime_sessions3-*"
-        }
-      ],
-      "migrationVersion": {
-        "search": "7.9.3"
-      }
-    }
-  ]
+{
+  "version": "2.8.0",
+  "objects": [
+    {
+      "id": "a33e0a50-afcd-11ea-993f-b7d8522a8bed",
+      "type": "dashboard",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T20:25:52.249Z",
+      "version": "Wzk2MSwxXQ==",
+      "attributes": {
+        "title": "Actions and Results",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":46,\"i\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\"},\"panelIndex\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":13,\"h\":7,\"i\":\"12265d8d-1385-4adb-8974-941feadbc9a4\"},\"panelIndex\":\"12265d8d-1385-4adb-8974-941feadbc9a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":15,\"i\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\"},\"panelIndex\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":7,\"w\":13,\"h\":8,\"i\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\"},\"panelIndex\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":15,\"w\":20,\"h\":31,\"i\":\"505be51b-94ef-4386-a3be-aeeab4c7af74\"},\"panelIndex\":\"505be51b-94ef-4386-a3be-aeeab4c7af74\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":28,\"y\":15,\"w\":20,\"h\":31,\"i\":\"5f043fd6-3bfb-4203-b069-76557d93a035\"},\"panelIndex\":\"5f043fd6-3bfb-4203-b069-76557d93a035\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":46,\"w\":24,\"h\":18,\"i\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\"},\"panelIndex\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":24,\"y\":46,\"w\":24,\"h\":18,\"i\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\"},\"panelIndex\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":31,\"i\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\"},\"panelIndex\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]",
+        "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+        "version": 1,
+        "timeRestore": false,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"
+        }
+      },
+      "references": [
+        {
+          "name": "panel_0",
+          "type": "visualization",
+          "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
+        },
+        {
+          "name": "panel_1",
+          "type": "visualization",
+          "id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed"
+        },
+        {
+          "name": "panel_2",
+          "type": "visualization",
+          "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed"
+        },
+        {
+          "name": "panel_3",
+          "type": "visualization",
+          "id": "AWDGyaGxxQT5EBNmq3K9"
+        },
+        {
+          "name": "panel_4",
+          "type": "visualization",
+          "id": "a9a46620-832b-11ee-a28c-7361f03cd201"
+        },
+        {
+          "name": "panel_5",
+          "type": "visualization",
+          "id": "ddf69060-832b-11ee-a28c-7361f03cd201"
+        },
+        {
+          "name": "panel_6",
+          "type": "visualization",
+          "id": "77bd1870-46ce-11ea-91c3-61991161aaaf"
+        },
+        {
+          "name": "panel_7",
+          "type": "visualization",
+          "id": "767e3d90-afce-11ea-993f-b7d8522a8bed"
+        },
+        {
+          "name": "panel_8",
+          "type": "search",
+          "id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
+        }
+      ],
+      "migrationVersion": {
+        "dashboard": "7.9.3"
+      }
+    },
+    {
+      "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:25.240Z",
+      "version": "Wzg1OSwxXQ==",
+      "attributes": {
+        "title": "Network Logs",
+        "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576)  \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405)  \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf)  \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330)  \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4)  \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed)  \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714)  \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3)  \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85)  \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11)  \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)  \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b)  \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1)  \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)  \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5)  \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f)  \\n[↪ NetBox](/netbox/)  \\n[↪ Arkime](/sessions)  \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406)   ●   [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e)   ●   [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9)   ●   [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48)   ●   [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876)   ●   [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3)   ●   [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673)   ●   [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24)   ●   [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105)   ●   [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6)   ●   [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37)   ●   [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586)   ●   [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0)   ●   [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c)   ●   [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970)   ●   [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0)   ●   [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26)   ●   [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa)   ●   [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773)   ●   [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f)   ●   [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab)   ●   [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238)   ●   [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)   ●   [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd)   ●   [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d)   ●   [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88)   ●   [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2)   ●   [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194)   ●   [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad)   ●   [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3)   ●   [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4)   ●   [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194)   ●   [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7)   ●   [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8)   ●   [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4)   ●   [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194)   ●   [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)   ●   [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4)   ●   [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
+        }
+      },
+      "references": [],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:00.972Z",
+      "version": "WzU5MywxXQ==",
+      "attributes": {
+        "title": "Filter by Application Protocol",
+        "visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        }
+      },
+      "references": [
+        {
+          "name": "control_0_index_pattern",
+          "type": "index-pattern",
+          "id": "arkime_sessions3-*"
+        }
+      ],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:00.972Z",
+      "version": "WzU5NCwxXQ==",
+      "attributes": {
+        "title": "Total Log Count Over Time by Application Protocol",
+        "visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        },
+        "savedSearchRefName": "search_0"
+      },
+      "references": [
+        {
+          "name": "search_0",
+          "type": "search",
+          "id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
+        }
+      ],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "AWDGyaGxxQT5EBNmq3K9",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:00.972Z",
+      "version": "WzU5NSwxXQ==",
+      "attributes": {
+        "title": "Total Number of Logs",
+        "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Logs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Data Source\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"colorSchema\":\"Green to Red\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"},\"metricColorMode\":\"None\"}}}",
+        "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+        }
+      },
+      "references": [
+        {
+          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+          "type": "index-pattern",
+          "id": "arkime_sessions3-*"
+        }
+      ],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "a9a46620-832b-11ee-a28c-7361f03cd201",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T20:23:24.802Z",
+      "version": "Wzk1OSwxXQ==",
+      "attributes": {
+        "title": "Top Actions by Service",
+        "visState": "{\"title\":\"Top Actions by Service\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"event.action\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"network.protocol\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"Action\\\", \\\"Protocol\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"left\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.action\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:* AND event.action:*\",\"language\":\"kuery\"},\"filter\":[]}"
+        }
+      },
+      "references": [],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "ddf69060-832b-11ee-a28c-7361f03cd201",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T20:24:52.582Z",
+      "version": "Wzk2MCwxXQ==",
+      "attributes": {
+        "title": "Top Results by Service",
+        "visState": "{\"title\":\"Top Results by Service\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"network.protocol\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"event.result\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"Protocol\\\", \\\"Result\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"left\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.result\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:* AND event.result:*\",\"language\":\"kuery\"},\"filter\":[]}"
+        }
+      },
+      "references": [],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "77bd1870-46ce-11ea-91c3-61991161aaaf",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:00.972Z",
+      "version": "WzU5NywxXQ==",
+      "attributes": {
+        "title": "Actions",
+        "visState": "{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+        }
+      },
+      "references": [
+        {
+          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+          "type": "index-pattern",
+          "id": "arkime_sessions3-*"
+        }
+      ],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "767e3d90-afce-11ea-993f-b7d8522a8bed",
+      "type": "visualization",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:00.972Z",
+      "version": "WzU5OCwxXQ==",
+      "attributes": {
+        "title": "Results",
+        "visState": "{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+        "description": "",
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+        }
+      },
+      "references": [
+        {
+          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+          "type": "index-pattern",
+          "id": "arkime_sessions3-*"
+        }
+      ],
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      }
+    },
+    {
+      "id": "c97bc964-5319-41e7-ad22-db28156a2ac1",
+      "type": "search",
+      "namespaces": [
+        "default"
+      ],
+      "updated_at": "2023-11-14T19:19:25.240Z",
+      "version": "Wzg3MiwxXQ==",
+      "attributes": {
+        "title": "All Logs",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "event.provider",
+          "event.dataset",
+          "network.protocol",
+          "event.action",
+          "event.result",
+          "source.ip",
+          "destination.ip",
+          "destination.port",
+          "event.id"
+        ],
+        "sort": [
+          [
+            "firstPacket",
+            "desc"
+          ]
+        ],
+        "version": 1,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+        }
+      },
+      "references": [
+        {
+          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+          "type": "index-pattern",
+          "id": "arkime_sessions3-*"
+        }
+      ],
+      "migrationVersion": {
+        "search": "7.9.3"
+      }
+    }
+  ]
 }
\ No newline at end of file
diff --git a/docs/contributing-dashboards.md b/docs/contributing-dashboards.md
index 25baa0e4a..dd0f36701 100644
--- a/docs/contributing-dashboards.md
+++ b/docs/contributing-dashboards.md
@@ -37,5 +37,3 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa
 ## <a name="DashboardsPlugins"></a>OpenSearch Dashboards plugins
 
 The [dashboards.Dockerfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles/dashboards.Dockerfile) installs the OpenSearch Dashboards plugins used by Malcolm (search for `opensearch-dashboards-plugin install` in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `dashboards` Docker image.
-
-Third-party or community plugins developed for Kibana will not install into OpenSearch dashboards without source code modification. Depending on the plugin, this could range from very smiple to very complex. As an illustrative example, the changes required to port the Sankey diagram visualization plugin from Kibana to OpenSearch Dashboards compatibility can be [viewed on GitHub](https://github.com/mmguero-dev/osd_sankey_vis/compare/edacf6b...main).

From 1ceddc715de7d0a306c73504eb585331a07be8bb Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 17:13:44 -0700
Subject: [PATCH 44/82] allow netbox to restore database from preload directory
 if it exists

---
 Dockerfiles/netbox.Dockerfile      |   1 +
 docs/asset-interaction-analysis.md |   2 +
 netbox/scripts/netbox_init.py      | 895 +++++++++++++++++------------
 netbox/supervisord.conf            |   4 +
 4 files changed, 548 insertions(+), 354 deletions(-)

diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 49df64e4f..bd3b3f5fd 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -60,6 +60,7 @@ RUN apt-get -q update && \
       libpq-dev \
       libpq5 \
       patch \
+      postgresql-client \
       procps \
       psmisc \
       python3-dev \
diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md
index 651af3350..28c40ac6b 100644
--- a/docs/asset-interaction-analysis.md
+++ b/docs/asset-interaction-analysis.md
@@ -133,3 +133,5 @@ To clear the existing NetBox database and restore a previous backup, run the fol
 ./scripts/netbox-restore --netbox-restore ./malcolm_netbox_backup_20230110-125756.gz
 
 ```
+
+If you have a previous NetBox database backup (created with `netbox-backup` as described above) that you would like automatically restored on startup, that `.gz` file may be manually copied to the [`./netbox/preload`](#NetBoxPreload) directory. Upon startup that file will be extracted and used to populate the NetBox database, taking priority over the other preload files. This process does not remove the `.gz` file from the directory upon restoring it; it will be restored again on subsequent restarts unless manually removed.
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 65d6746b4..9887ec736 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -4,11 +4,14 @@
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 
 import argparse
+import glob
 import ipaddress
+import gzip
 import itertools
 import json
 import logging
 import os
+import psycopg
 import pynetbox
 import randomcolor
 import re
@@ -251,6 +254,38 @@ def main():
         default=malcolm_utils.str2bool(os.getenv('NETBOX_PRELOAD_PREFIXES', default='False')),
         help="Preload IPAM IP Prefixes for private IP space",
     )
+    parser.add_argument(
+        '--postgres-host',
+        dest='postgresHost',
+        type=str,
+        default=os.getenv('DB_HOST', 'netbox-postgres'),
+        required=False,
+        help="postgreSQL host for preloading an entire database dump .gz from the --preload directory",
+    )
+    parser.add_argument(
+        '--postgres-db',
+        dest='postgresDB',
+        type=str,
+        default=os.getenv('DB_NAME', 'netbox'),
+        required=False,
+        help="postgreSQL database name",
+    )
+    parser.add_argument(
+        '--postgres-user',
+        dest='postgresUser',
+        type=str,
+        default=os.getenv('DB_USER', 'netbox'),
+        required=False,
+        help="postgreSQL user name",
+    )
+    parser.add_argument(
+        '--postgres-password',
+        dest='postgresPassword',
+        type=str,
+        default=os.getenv('DB_PASSWORD', ''),
+        required=False,
+        help="postgreSQL password",
+    )
     try:
         parser.error = parser.exit
         args = parser.parse_args()
@@ -268,394 +303,546 @@ def main():
     if args.verbose > logging.DEBUG:
         sys.tracebacklimit = 0
 
-    # create connection to netbox API
-    nb = pynetbox.api(
-        args.netboxUrl,
-        token=args.netboxToken,
-        threading=True,
-    )
-    sites = {}
-    groups = {}
-    permissions = {}
-    prefixes = {}
-    devices = {}
-    interfaces = {}
-    ipAddresses = {}
-    deviceTypes = {}
-    roles = {}
-    manufacturers = {}
-    randColor = randomcolor.RandomColor(seed=datetime.now().timestamp())
-
-    # wait for a good connection
-    while args.wait:
+    netboxVenvPy = os.path.join(os.path.join(os.path.join(args.netboxDir, 'venv'), 'bin'), 'python')
+    manageScript = os.path.join(os.path.join(args.netboxDir, 'netbox'), 'manage.py')
+
+    # if there is a database backup .gz in the preload directory, load it up (preferring the newest)
+    # if there are multiple) instead of populating via API
+    preloadDatabaseTarball = None
+    preloadDatabaseSuccess = False
+    if os.path.isdir(args.preloadDir):
+        preloadTarballs = [
+            x
+            for x in list(filter(os.path.isfile, glob.glob(os.path.join(args.preloadDir, '*.gz'))))
+            if not x.endswith('.media.tar.gz')
+        ]
+        preloadTarballs.sort(key=lambda x: os.path.getmtime(x))
+        preloadDatabaseTarball = next(iter(preloadTarballs), None)
+
+    if os.path.isfile(preloadDatabaseTarball):
+        # we're loading an existing database directly with postgreSQL
+        # this should pretty much match what is in control.py:netboxRestore
         try:
-            [x.name for x in nb.dcim.sites.all()]
-            break
-        except Exception as e:
-            logging.info(f"{type(e).__name__}: {e}")
-            logging.debug("retrying in a few seconds...")
-            time.sleep(5)
-
-    # GROUPS #####################################################################################################
-    DEFAULT_GROUP_NAMES = (
-        args.staffGroupName,
-        args.defaultGroupName,
-    )
+            osEnv = os.environ.copy()
+            osEnv['PGPASSWORD'] = args.postgresPassword
+
+            # stop the netbox processes (besides this one)
+            cmd = [
+                'bash',
+                '-c',
+                "supervisorctl status netbox:* | grep -v :initialization | awk '{ print $1 }' | xargs -r -L 1 -P 4 supervisorctl stop",
+            ]
+            err, results = malcolm_utils.run_process(cmd, logger=logging)
+            if err != 0:
+                logging.error(f'{err} stopping netbox:*: {results}')
+
+            # drop the existing netbox database
+            cmd = [
+                'dropdb',
+                '-h',
+                args.postgresHost,
+                '-U',
+                args.postgresUser,
+                '-f',
+                args.postgresDB,
+            ]
+            err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging)
+            if err != 0:
+                logging.warning(f'{err} dropping NetBox database: {results}')
+
+            # create a new netbox database
+            cmd = [
+                'createdb',
+                '-h',
+                args.postgresHost,
+                '-U',
+                args.postgresUser,
+                args.postgresDB,
+            ]
+            err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging)
+            if err != 0:
+                raise Exception(f'Error {err} creating new NetBox database: {results}')
+
+            # make sure permissions are set up right
+            cmd = [
+                'psql',
+                '-h',
+                args.postgresHost,
+                '-U',
+                args.postgresUser,
+                '-c',
+                f'GRANT ALL PRIVILEGES ON DATABASE {args.postgresDB} TO {args.postgresUser}',
+            ]
+            err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging)
+            if err != 0:
+                logging.error(f'{err} setting NetBox database permissions: {results}')
+
+            # load the backed-up psql dump
+            cmd = [
+                'psql',
+                '-h',
+                args.postgresHost,
+                '-U',
+                args.postgresUser,
+            ]
+            with gzip.open(preloadDatabaseTarball, 'rt') as f:
+                err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging, stdin=f.read())
+            if (err == 0) and results:
+                preloadDatabaseSuccess = True
+            else:
+                raise Exception(f'Error {err} loading NetBox database: {results}')
+
+            # don't restore auth_user, tokens, etc: they're created by Malcolm and may not be the same on this instance
+            cmd = [
+                'psql',
+                '-h',
+                args.postgresHost,
+                '-U',
+                {args.postgresUser},
+                '-c',
+                'TRUNCATE auth_user CASCADE',
+            ]
+            err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging)
+            if err != 0:
+                logging.error(f'{err} truncating table auth_user table: {results}')
+
+            # start back up the netbox processes (except initialization)
+            cmd = [
+                'bash',
+                '-c',
+                "supervisorctl status netbox:* | grep -v :initialization | awk '{ print $1 }' | xargs -r -L 1 -P 4 supervisorctl start",
+            ]
+            err, results = malcolm_utils.run_process(cmd, logger=logging)
+            if err != 0:
+                logging.error(f'{err} starting netbox:*: {results}')
 
-    try:
-        groupsPreExisting = {x.name: x for x in nb.users.groups.all()}
-        logging.debug(f"groups (before): { {k:v.id for k, v in groupsPreExisting.items()} }")
+            with malcolm_utils.pushd(os.path.dirname(manageScript)):
+                # migrations if needed
+                cmd = [
+                    netboxVenvPy,
+                    os.path.basename(manageScript),
+                    "migrate",
+                ]
+                err, results = malcolm_utils.run_process(cmd, logger=logging)
+                if (err != 0) or (not results):
+                    logging.error(f'{err} performing NetBox migration: {results}')
+
+                # create auth_user for superuser
+                cmd = [
+                    netboxVenvPy,
+                    os.path.basename(manageScript),
+                    "shell",
+                    "--interface",
+                    "python",
+                ]
+                with open('/usr/local/bin/netbox_superuser_create.py', 'r') as f:
+                    err, results = malcolm_utils.run_process(cmd, logger=logging, stdin=f.read())
+                if (err != 0) or (not results):
+                    logging.error(f'{err} setting up superuser: {results}')
+
+            # # restore media directory
+            # backupFileParts = os.path.splitext(backupFileName)
+            # backupMediaFileName = backupFileParts[0] + ".media.tar.gz"
+            # mediaPath = os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media')
+            # if os.path.isfile(backupMediaFileName) and os.path.isdir(mediaPath):
+            #     RemoveEmptyFolders(mediaPath, removeRoot=False)
+            #     with tarfile.open(backupMediaFileName) as t:
+            #         t.extractall(mediaPath)
 
-        # create groups that don't already exist
-        for groupName in [x for x in DEFAULT_GROUP_NAMES if x not in groupsPreExisting]:
+        except Exception as e:
+            logging.error(f"{type(e).__name__} restoring {os.path.basename(preloadDatabaseTarball)}: {e}")
+
+    if not preloadDatabaseSuccess:
+        # create connection to netbox API
+        nb = pynetbox.api(
+            args.netboxUrl,
+            token=args.netboxToken,
+            threading=True,
+        )
+        sites = {}
+        groups = {}
+        permissions = {}
+        prefixes = {}
+        devices = {}
+        interfaces = {}
+        ipAddresses = {}
+        deviceTypes = {}
+        roles = {}
+        manufacturers = {}
+        randColor = randomcolor.RandomColor(seed=datetime.now().timestamp())
+
+        # wait for a good connection
+        while args.wait:
             try:
-                nb.users.groups.create({'name': groupName})
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing group \"{groupName}\": {nbe}")
-
-        groups = {x.name: x for x in nb.users.groups.all()}
-        logging.debug(f"groups (after): { {k:v.id for k, v in groups.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing groups: {e}")
-
-    # PERMISSIONS ##################################################################################################
-    DEFAULT_PERMISSIONS = {
-        f'{args.staffGroupName}_permission': {
-            'name': f'{args.staffGroupName}_permission',
-            'enabled': True,
-            'groups': [args.staffGroupName],
-            'actions': [
-                'view',
-                'add',
-                'change',
-                'delete',
-            ],
-            'exclude_objects': [],
-        },
-        f'{args.defaultGroupName}_permission': {
-            'name': f'{args.defaultGroupName}_permission',
-            'enabled': True,
-            'groups': [args.defaultGroupName],
-            'actions': [
-                'view',
-                'add',
-                'change',
-                'delete',
-            ],
-            'exclude_objects': [
-                'admin.logentry',
-                'auth.group',
-                'auth.permission',
-                'auth.user',
-                'users.admingroup',
-                'users.adminuser',
-                'users.objectpermission',
-                'users.token',
-                'users.userconfig',
-            ],
-        },
-    }
+                [x.name for x in nb.dcim.sites.all()]
+                break
+            except Exception as e:
+                logging.info(f"{type(e).__name__}: {e}")
+                logging.debug("retrying in a few seconds...")
+                time.sleep(5)
+
+        # GROUPS #####################################################################################################
+        DEFAULT_GROUP_NAMES = (
+            args.staffGroupName,
+            args.defaultGroupName,
+        )
 
-    try:
-        # get all content types (for creating new permissions)
-        allContentTypeNames = [f'{x.app_label}.{x.model}' for x in nb.extras.content_types.all()]
-
-        permsPreExisting = {x.name: x for x in nb.users.permissions.all()}
-        logging.debug(f"permissions (before): { {k:v.id for k, v in permsPreExisting.items()} }")
-
-        # create permissions that don't already exist
-        for permName, permConfig in {
-            k: v for (k, v) in DEFAULT_PERMISSIONS.items() if v.get('name', None) and v['name'] not in permsPreExisting
-        }.items():
-            permConfig['groups'] = [groups[x].id for x in permConfig['groups']]
-            permConfig['object_types'] = [ct for ct in allContentTypeNames if ct not in permConfig['exclude_objects']]
-            permConfig.pop('exclude_objects', None)
-            try:
-                nb.users.permissions.create(permConfig)
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing permission \"{permConfig['name']}\": {nbe}")
+        try:
+            groupsPreExisting = {x.name: x for x in nb.users.groups.all()}
+            logging.debug(f"groups (before): { {k:v.id for k, v in groupsPreExisting.items()} }")
 
-        permissions = {x.name: x for x in nb.users.permissions.all()}
-        logging.debug(f"permissions (after): { {k:v.id for k, v in permissions.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing permissions: {e}")
+            # create groups that don't already exist
+            for groupName in [x for x in DEFAULT_GROUP_NAMES if x not in groupsPreExisting]:
+                try:
+                    nb.users.groups.create({'name': groupName})
+                except pynetbox.RequestError as nbe:
+                    logging.warning(f"{type(nbe).__name__} processing group \"{groupName}\": {nbe}")
 
-    # ###### MANUFACTURERS #########################################################################################
-    try:
-        manufacturersPreExisting = {x.name: x for x in nb.dcim.manufacturers.all()}
-        logging.debug(f"Manufacturers (before): { {k:v.id for k, v in manufacturersPreExisting.items()} }")
+            groups = {x.name: x for x in nb.users.groups.all()}
+            logging.debug(f"groups (after): { {k:v.id for k, v in groups.items()} }")
+        except Exception as e:
+            logging.error(f"{type(e).__name__} processing groups: {e}")
+
+        # PERMISSIONS ##################################################################################################
+        DEFAULT_PERMISSIONS = {
+            f'{args.staffGroupName}_permission': {
+                'name': f'{args.staffGroupName}_permission',
+                'enabled': True,
+                'groups': [args.staffGroupName],
+                'actions': [
+                    'view',
+                    'add',
+                    'change',
+                    'delete',
+                ],
+                'exclude_objects': [],
+            },
+            f'{args.defaultGroupName}_permission': {
+                'name': f'{args.defaultGroupName}_permission',
+                'enabled': True,
+                'groups': [args.defaultGroupName],
+                'actions': [
+                    'view',
+                    'add',
+                    'change',
+                    'delete',
+                ],
+                'exclude_objects': [
+                    'admin.logentry',
+                    'auth.group',
+                    'auth.permission',
+                    'auth.user',
+                    'users.admingroup',
+                    'users.adminuser',
+                    'users.objectpermission',
+                    'users.token',
+                    'users.userconfig',
+                ],
+            },
+        }
 
-        # create manufacturers that don't already exist
-        for manufacturerName in [x for x in args.manufacturers if x not in manufacturersPreExisting]:
-            try:
-                nb.dcim.manufacturers.create(
-                    {
-                        "name": manufacturerName,
-                        "slug": slugify(manufacturerName),
-                    },
-                )
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manufacturerName}\": {nbe}")
-
-        manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()}
-        logging.debug(f"Manufacturers (after): { {k:v.id for k, v in manufacturers.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing manufacturers: {e}")
-
-    # ###### ROLES #################################################################################################
-    try:
-        rolesPreExisting = {x.name: x for x in nb.dcim.device_roles.all()}
-        logging.debug(f"Roles (before): { {k:v.id for k, v in rolesPreExisting.items()} }")
+        try:
+            # get all content types (for creating new permissions)
+            allContentTypeNames = [f'{x.app_label}.{x.model}' for x in nb.extras.content_types.all()]
+
+            permsPreExisting = {x.name: x for x in nb.users.permissions.all()}
+            logging.debug(f"permissions (before): { {k:v.id for k, v in permsPreExisting.items()} }")
+
+            # create permissions that don't already exist
+            for permName, permConfig in {
+                k: v
+                for (k, v) in DEFAULT_PERMISSIONS.items()
+                if v.get('name', None) and v['name'] not in permsPreExisting
+            }.items():
+                permConfig['groups'] = [groups[x].id for x in permConfig['groups']]
+                permConfig['object_types'] = [
+                    ct for ct in allContentTypeNames if ct not in permConfig['exclude_objects']
+                ]
+                permConfig.pop('exclude_objects', None)
+                try:
+                    nb.users.permissions.create(permConfig)
+                except pynetbox.RequestError as nbe:
+                    logging.warning(f"{type(nbe).__name__} processing permission \"{permConfig['name']}\": {nbe}")
 
-        # create roles that don't already exist
-        for roleName in [x for x in args.roles if x not in rolesPreExisting]:
-            try:
-                nb.dcim.device_roles.create(
-                    {
-                        "name": roleName,
-                        "slug": slugify(roleName),
-                        "vm_role": True,
-                        "color": randColor.generate()[0][1:],
-                    },
-                )
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing role \"{roleName}\": {nbe}")
-
-        roles = {x.name: x for x in nb.dcim.device_roles.all()}
-        logging.debug(f"Roles (after): { {k:v.id for k, v in roles.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing roles: {e}")
-
-    # ###### DEVICE TYPES ##########################################################################################
-    try:
-        deviceTypesPreExisting = {x.model: x for x in nb.dcim.device_types.all()}
-        logging.debug(f"Device types (before): { {k:v.id for k, v in deviceTypesPreExisting.items()} }")
+            permissions = {x.name: x for x in nb.users.permissions.all()}
+            logging.debug(f"permissions (after): { {k:v.id for k, v in permissions.items()} }")
+        except Exception as e:
+            logging.error(f"{type(e).__name__} processing permissions: {e}")
 
-        # create device types that don't already exist
-        for deviceTypeModel in [x for x in args.deviceTypes if x not in deviceTypesPreExisting]:
-            try:
-                manuf = min_hash_value_by_value(manufacturers)
-                nb.dcim.device_types.create(
-                    {
-                        "model": deviceTypeModel,
-                        "slug": slugify(deviceTypeModel),
-                        "manufacturer": manuf.id if manuf else None,
-                    },
-                )
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing device type \"{deviceTypeModel}\": {nbe}")
-
-        deviceTypes = {x.model: x for x in nb.dcim.device_types.all()}
-        logging.debug(f"Device types (after): { {k:v.id for k, v in deviceTypes.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing device types: {e}")
-
-    # ###### SITES #################################################################################################
-    try:
-        sitesPreExisting = {x.name: x for x in nb.dcim.sites.all()}
-        logging.debug(f"sites (before): { {k:v.id for k, v in sitesPreExisting.items()} }")
+        # ###### MANUFACTURERS #########################################################################################
+        try:
+            manufacturersPreExisting = {x.name: x for x in nb.dcim.manufacturers.all()}
+            logging.debug(f"Manufacturers (before): { {k:v.id for k, v in manufacturersPreExisting.items()} }")
 
-        # create sites that don't already exist
-        for siteName in [x for x in args.netboxSites if x not in sitesPreExisting]:
-            try:
-                nb.dcim.sites.create(
-                    {
-                        "name": siteName,
-                        "slug": slugify(siteName),
-                    },
-                )
-            except pynetbox.RequestError as nbe:
-                logging.warning(f"{type(nbe).__name__} processing site \"{siteName}\": {nbe}")
-
-        sites = {x.name: x for x in nb.dcim.sites.all()}
-        logging.debug(f"sites (after): { {k:v.id for k, v in sites.items()} }")
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing sites: {e}")
-
-    # ###### Net Map ###############################################################################################
-    try:
-        # load net-map.json from file
-        netMapJson = None
-        if args.netMapFileName is not None and os.path.isfile(args.netMapFileName):
-            with open(args.netMapFileName) as f:
-                netMapJson = json.load(f)
-        if netMapJson is not None:
-            # create IP prefixes
-
-            prefixesPreExisting = {x.prefix: x for x in nb.ipam.prefixes.all()}
-            logging.debug(f"prefixes (before): { {k:v.id for k, v in prefixesPreExisting.items()} }")
-
-            for segment in [
-                x
-                for x in get_iterable(netMapJson)
-                if isinstance(x, dict)
-                and (x.get('type', '') == "segment")
-                and x.get('name', None)
-                and is_ip_network(x.get('address', None))
-            ]:
+            # create manufacturers that don't already exist
+            for manufacturerName in [x for x in args.manufacturers if x not in manufacturersPreExisting]:
                 try:
-                    site = min_hash_value_by_value(sites)
-                    nb.ipam.prefixes.create(
+                    nb.dcim.manufacturers.create(
                         {
-                            "prefix": segment['address'],
-                            "site": site.id if site else None,
-                            "description": segment['name'],
+                            "name": manufacturerName,
+                            "slug": slugify(manufacturerName),
                         },
                     )
                 except pynetbox.RequestError as nbe:
-                    logging.warning(
-                        f"{type(nbe).__name__} processing prefix \"{segment['address']}\" (\"{segment['name']}\"): {nbe}"
-                    )
+                    logging.warning(f"{type(nbe).__name__} processing manufacturer \"{manufacturerName}\": {nbe}")
 
-            prefixes = {x.prefix: x for x in nb.ipam.prefixes.all()}
-            logging.debug(f"prefixes (after): { {k:v.id for k, v in prefixes.items()} }")
-
-            # create hosts as devices
-            devicesPreExisting = {x.name: x for x in nb.dcim.devices.all()}
-            logging.debug(f"devices (before): { {k:v.id for k, v in devicesPreExisting.items()} }")
-
-            for host in [
-                x
-                for x in get_iterable(netMapJson)
-                if isinstance(x, dict)
-                and (x.get('type', '') == "host")
-                and x.get('name', None)
-                and x.get('address', None)
-                and x['name'] not in devicesPreExisting
-            ]:
+            manufacturers = {x.name: x for x in nb.dcim.manufacturers.all()}
+            logging.debug(f"Manufacturers (after): { {k:v.id for k, v in manufacturers.items()} }")
+        except Exception as e:
+            logging.error(f"{type(e).__name__} processing manufacturers: {e}")
+
+        # ###### ROLES #################################################################################################
+        try:
+            rolesPreExisting = {x.name: x for x in nb.dcim.device_roles.all()}
+            logging.debug(f"Roles (before): { {k:v.id for k, v in rolesPreExisting.items()} }")
+
+            # create roles that don't already exist
+            for roleName in [x for x in args.roles if x not in rolesPreExisting]:
                 try:
-                    site = min_hash_value_by_value(sites)
-                    dType = min_hash_value_by_value(deviceTypes)
-                    role = min_hash_value_by_value(roles)
-                    deviceCreated = nb.dcim.devices.create(
+                    nb.dcim.device_roles.create(
                         {
-                            "name": host['name'],
-                            "site": site.id if site else None,
-                            "device_type": dType.id if dType else None,
-                            "role": role.id if role else None,
+                            "name": roleName,
+                            "slug": slugify(roleName),
+                            "vm_role": True,
+                            "color": randColor.generate()[0][1:],
                         },
                     )
-                    if deviceCreated is not None:
-                        # create interface for the device
-                        if is_ip_address(host['address']):
-                            nb.dcim.interfaces.create(
-                                {
-                                    "device": deviceCreated.id,
-                                    "name": "default",
-                                    "type": "other",
-                                },
-                            )
-                        elif re.match(r'^([0-9a-f]{2}[:-]){5}([0-9a-f]{2})$', host['address'].lower()):
-                            nb.dcim.interfaces.create(
-                                {
-                                    "device": deviceCreated.id,
-                                    "name": "default",
-                                    "type": "other",
-                                    "mac_address": host['address'].lower(),
-                                },
-                            )
-
                 except pynetbox.RequestError as nbe:
-                    logging.warning(f"{type(nbe).__name__} processing device \"{host['name']}\": {nbe}")
-
-            devices = {x.name: x for x in nb.dcim.devices.all()}
-            logging.debug(f"devices (after): { {k:v.id for k, v in devices.items()} }")
-            interfaces = {x.device.id: x for x in nb.dcim.interfaces.all()}
-            logging.debug(f"interfaces (after): { {k:v.id for k, v in interfaces.items()} }")
-
-            # and associate IP addresses with them
-            ipAddressesPreExisting = {x.address: x for x in nb.ipam.ip_addresses.all()}
-            logging.debug(f"IP addresses (before): { {k:v.id for k, v in ipAddressesPreExisting.items()} }")
-
-            for host in [
-                x
-                for x in get_iterable(netMapJson)
-                if isinstance(x, dict)
-                and (x.get('type', '') == "host")
-                and x.get('name', None)
-                and is_ip_address(x.get('address', None))
-                and x['name'] in devices
-            ]:
-                try:
-                    hostKey = f"{host['address']}/{'32' if is_ip_v4_address(host['address']) else '128'}"
-                    if hostKey not in ipAddressesPreExisting:
-                        ipCreated = nb.ipam.ip_addresses.create(
-                            {
-                                "address": host['address'],
-                                "assigned_object_type": "dcim.interface",
-                                "assigned_object_id": interfaces[devices[host['name']].id].id,
-                            },
-                        )
-                        if ipCreated is not None:
-                            # update device to set this as its primary IPv4 address
-                            deviceForIp = nb.dcim.devices.get(id=devices[host['name']].id)
-                            if deviceForIp is not None:
-                                if is_ip_v4_address(host['address']):
-                                    deviceForIp.primary_ip4 = ipCreated
-                                elif is_ip_v6_address(host['address']):
-                                    deviceForIp.primary_ip = ipCreated
-                                deviceForIp.save()
+                    logging.warning(f"{type(nbe).__name__} processing role \"{roleName}\": {nbe}")
 
-                except pynetbox.RequestError as nbe:
-                    logging.warning(f"{type(nbe).__name__} processing address \"{host['address']}\": {nbe}")
+            roles = {x.name: x for x in nb.dcim.device_roles.all()}
+            logging.debug(f"Roles (after): { {k:v.id for k, v in roles.items()} }")
+        except Exception as e:
+            logging.error(f"{type(e).__name__} processing roles: {e}")
+
+        # ###### DEVICE TYPES ##########################################################################################
+        try:
+            deviceTypesPreExisting = {x.model: x for x in nb.dcim.device_types.all()}
+            logging.debug(f"Device types (before): { {k:v.id for k, v in deviceTypesPreExisting.items()} }")
 
-            ipAddresses = {x.address: x for x in nb.ipam.ip_addresses.all()}
-            logging.debug(f"IP addresses (after): { {k:v.id for k, v in ipAddresses.items()} }")
+            # create device types that don't already exist
+            for deviceTypeModel in [x for x in args.deviceTypes if x not in deviceTypesPreExisting]:
+                try:
+                    manuf = min_hash_value_by_value(manufacturers)
+                    nb.dcim.device_types.create(
+                        {
+                            "model": deviceTypeModel,
+                            "slug": slugify(deviceTypeModel),
+                            "manufacturer": manuf.id if manuf else None,
+                        },
+                    )
+                except pynetbox.RequestError as nbe:
+                    logging.warning(f"{type(nbe).__name__} processing device type \"{deviceTypeModel}\": {nbe}")
 
-    except Exception as e:
-        logging.error(f"{type(e).__name__} processing net map JSON \"{args.netMapFileName}\": {e}")
+            deviceTypes = {x.model: x for x in nb.dcim.device_types.all()}
+            logging.debug(f"Device types (after): { {k:v.id for k, v in deviceTypes.items()} }")
+        except Exception as e:
+            logging.error(f"{type(e).__name__} processing device types: {e}")
 
-    # ###### Netbox-Initializers ###################################################################################
-    netboxVenvPy = os.path.join(os.path.join(os.path.join(args.netboxDir, 'venv'), 'bin'), 'python')
-    manageScript = os.path.join(os.path.join(args.netboxDir, 'netbox'), 'manage.py')
-    if os.path.isfile(netboxVenvPy) and os.path.isfile(manageScript) and os.path.isdir(args.preloadDir):
+        # ###### SITES #################################################################################################
         try:
-            with malcolm_utils.pushd(os.path.dirname(manageScript)):
-                # make a local copy of the YMLs to preload
-                with tempfile.TemporaryDirectory() as tmpPreloadDir:
-                    copy_tree(args.preloadDir, tmpPreloadDir)
-
-                    # only preload catch-all IP Prefixes if explicitly specified and they don't already exist
-                    if args.preloadPrefixes:
-                        defaultSiteName = next(iter([x for x in args.netboxSites]), None)
-                        for loadType in ('vrfs', 'prefixes'):
-                            defaultFileName = os.path.join(tmpPreloadDir, f'{loadType}_defaults.yml')
-                            loadFileName = os.path.join(tmpPreloadDir, f'{loadType}.yml')
-                            if os.path.isfile(defaultFileName) and (not os.path.isfile(loadFileName)):
-                                try:
-                                    with open(defaultFileName, 'r') as infile:
-                                        with open(loadFileName, 'w') as outfile:
-                                            for line in infile:
-                                                outfile.write(line.replace("NETBOX_DEFAULT_SITE", defaultSiteName))
-                                except Exception:
-                                    pass
-
-                    retcode, output = malcolm_utils.run_process(
-                        [
-                            netboxVenvPy,
-                            os.path.basename(manageScript),
-                            "load_initializer_data",
-                            "--path",
-                            tmpPreloadDir,
-                        ],
-                        logger=logging,
+            sitesPreExisting = {x.name: x for x in nb.dcim.sites.all()}
+            logging.debug(f"sites (before): { {k:v.id for k, v in sitesPreExisting.items()} }")
+
+            # create sites that don't already exist
+            for siteName in [x for x in args.netboxSites if x not in sitesPreExisting]:
+                try:
+                    nb.dcim.sites.create(
+                        {
+                            "name": siteName,
+                            "slug": slugify(siteName),
+                        },
                     )
-                    if retcode == 0:
-                        logging.debug(f"netbox-initializers: {retcode} {output}")
-                    else:
-                        logging.error(f"Error processing netbox-initializers: {retcode} {output}")
+                except pynetbox.RequestError as nbe:
+                    logging.warning(f"{type(nbe).__name__} processing site \"{siteName}\": {nbe}")
 
+            sites = {x.name: x for x in nb.dcim.sites.all()}
+            logging.debug(f"sites (after): { {k:v.id for k, v in sites.items()} }")
         except Exception as e:
-            logging.error(f"{type(e).__name__} processing netbox-initializers: {e}")
+            logging.error(f"{type(e).__name__} processing sites: {e}")
 
-    # ###### Library ###############################################################################################
-    if os.path.isdir(args.libraryDir):
+        # ###### Net Map ###############################################################################################
         try:
-            counter = import_library(nb, args.libraryDir)
-            logging.debug(f"import library results: { counter }")
+            # load net-map.json from file
+            netMapJson = None
+            if args.netMapFileName is not None and os.path.isfile(args.netMapFileName):
+                with open(args.netMapFileName) as f:
+                    netMapJson = json.load(f)
+            if netMapJson is not None:
+                # create IP prefixes
+
+                prefixesPreExisting = {x.prefix: x for x in nb.ipam.prefixes.all()}
+                logging.debug(f"prefixes (before): { {k:v.id for k, v in prefixesPreExisting.items()} }")
+
+                for segment in [
+                    x
+                    for x in get_iterable(netMapJson)
+                    if isinstance(x, dict)
+                    and (x.get('type', '') == "segment")
+                    and x.get('name', None)
+                    and is_ip_network(x.get('address', None))
+                ]:
+                    try:
+                        site = min_hash_value_by_value(sites)
+                        nb.ipam.prefixes.create(
+                            {
+                                "prefix": segment['address'],
+                                "site": site.id if site else None,
+                                "description": segment['name'],
+                            },
+                        )
+                    except pynetbox.RequestError as nbe:
+                        logging.warning(
+                            f"{type(nbe).__name__} processing prefix \"{segment['address']}\" (\"{segment['name']}\"): {nbe}"
+                        )
+
+                prefixes = {x.prefix: x for x in nb.ipam.prefixes.all()}
+                logging.debug(f"prefixes (after): { {k:v.id for k, v in prefixes.items()} }")
+
+                # create hosts as devices
+                devicesPreExisting = {x.name: x for x in nb.dcim.devices.all()}
+                logging.debug(f"devices (before): { {k:v.id for k, v in devicesPreExisting.items()} }")
+
+                for host in [
+                    x
+                    for x in get_iterable(netMapJson)
+                    if isinstance(x, dict)
+                    and (x.get('type', '') == "host")
+                    and x.get('name', None)
+                    and x.get('address', None)
+                    and x['name'] not in devicesPreExisting
+                ]:
+                    try:
+                        site = min_hash_value_by_value(sites)
+                        dType = min_hash_value_by_value(deviceTypes)
+                        role = min_hash_value_by_value(roles)
+                        deviceCreated = nb.dcim.devices.create(
+                            {
+                                "name": host['name'],
+                                "site": site.id if site else None,
+                                "device_type": dType.id if dType else None,
+                                "role": role.id if role else None,
+                            },
+                        )
+                        if deviceCreated is not None:
+                            # create interface for the device
+                            if is_ip_address(host['address']):
+                                nb.dcim.interfaces.create(
+                                    {
+                                        "device": deviceCreated.id,
+                                        "name": "default",
+                                        "type": "other",
+                                    },
+                                )
+                            elif re.match(r'^([0-9a-f]{2}[:-]){5}([0-9a-f]{2})$', host['address'].lower()):
+                                nb.dcim.interfaces.create(
+                                    {
+                                        "device": deviceCreated.id,
+                                        "name": "default",
+                                        "type": "other",
+                                        "mac_address": host['address'].lower(),
+                                    },
+                                )
+
+                    except pynetbox.RequestError as nbe:
+                        logging.warning(f"{type(nbe).__name__} processing device \"{host['name']}\": {nbe}")
+
+                devices = {x.name: x for x in nb.dcim.devices.all()}
+                logging.debug(f"devices (after): { {k:v.id for k, v in devices.items()} }")
+                interfaces = {x.device.id: x for x in nb.dcim.interfaces.all()}
+                logging.debug(f"interfaces (after): { {k:v.id for k, v in interfaces.items()} }")
+
+                # and associate IP addresses with them
+                ipAddressesPreExisting = {x.address: x for x in nb.ipam.ip_addresses.all()}
+                logging.debug(f"IP addresses (before): { {k:v.id for k, v in ipAddressesPreExisting.items()} }")
+
+                for host in [
+                    x
+                    for x in get_iterable(netMapJson)
+                    if isinstance(x, dict)
+                    and (x.get('type', '') == "host")
+                    and x.get('name', None)
+                    and is_ip_address(x.get('address', None))
+                    and x['name'] in devices
+                ]:
+                    try:
+                        hostKey = f"{host['address']}/{'32' if is_ip_v4_address(host['address']) else '128'}"
+                        if hostKey not in ipAddressesPreExisting:
+                            ipCreated = nb.ipam.ip_addresses.create(
+                                {
+                                    "address": host['address'],
+                                    "assigned_object_type": "dcim.interface",
+                                    "assigned_object_id": interfaces[devices[host['name']].id].id,
+                                },
+                            )
+                            if ipCreated is not None:
+                                # update device to set this as its primary IPv4 address
+                                deviceForIp = nb.dcim.devices.get(id=devices[host['name']].id)
+                                if deviceForIp is not None:
+                                    if is_ip_v4_address(host['address']):
+                                        deviceForIp.primary_ip4 = ipCreated
+                                    elif is_ip_v6_address(host['address']):
+                                        deviceForIp.primary_ip = ipCreated
+                                    deviceForIp.save()
+
+                    except pynetbox.RequestError as nbe:
+                        logging.warning(f"{type(nbe).__name__} processing address \"{host['address']}\": {nbe}")
+
+                ipAddresses = {x.address: x for x in nb.ipam.ip_addresses.all()}
+                logging.debug(f"IP addresses (after): { {k:v.id for k, v in ipAddresses.items()} }")
 
         except Exception as e:
-            logging.error(f"{type(e).__name__} processing library: {e}")
+            logging.error(f"{type(e).__name__} processing net map JSON \"{args.netMapFileName}\": {e}")
+
+        # ###### Netbox-Initializers ###################################################################################
+        if os.path.isfile(netboxVenvPy) and os.path.isfile(manageScript) and os.path.isdir(args.preloadDir):
+            try:
+                with malcolm_utils.pushd(os.path.dirname(manageScript)):
+                    # make a local copy of the YMLs to preload
+                    with tempfile.TemporaryDirectory() as tmpPreloadDir:
+                        copy_tree(args.preloadDir, tmpPreloadDir)
+
+                        # only preload catch-all IP Prefixes if explicitly specified and they don't already exist
+                        if args.preloadPrefixes:
+                            defaultSiteName = next(iter([x for x in args.netboxSites]), None)
+                            for loadType in ('vrfs', 'prefixes'):
+                                defaultFileName = os.path.join(tmpPreloadDir, f'{loadType}_defaults.yml')
+                                loadFileName = os.path.join(tmpPreloadDir, f'{loadType}.yml')
+                                if os.path.isfile(defaultFileName) and (not os.path.isfile(loadFileName)):
+                                    try:
+                                        with open(defaultFileName, 'r') as infile:
+                                            with open(loadFileName, 'w') as outfile:
+                                                for line in infile:
+                                                    outfile.write(line.replace("NETBOX_DEFAULT_SITE", defaultSiteName))
+                                    except Exception:
+                                        pass
+
+                        retcode, output = malcolm_utils.run_process(
+                            [
+                                netboxVenvPy,
+                                os.path.basename(manageScript),
+                                "load_initializer_data",
+                                "--path",
+                                tmpPreloadDir,
+                            ],
+                            logger=logging,
+                        )
+                        if retcode == 0:
+                            logging.debug(f"netbox-initializers: {retcode} {output}")
+                        else:
+                            logging.error(f"Error processing netbox-initializers: {retcode} {output}")
+
+            except Exception as e:
+                logging.error(f"{type(e).__name__} processing netbox-initializers: {e}")
+
+        # ###### Library ###############################################################################################
+        if os.path.isdir(args.libraryDir):
+            try:
+                counter = import_library(nb, args.libraryDir)
+                logging.debug(f"import library results: { counter }")
+
+            except Exception as e:
+                logging.error(f"{type(e).__name__} processing library: {e}")
 
 
 ###################################################################################################
diff --git a/netbox/supervisord.conf b/netbox/supervisord.conf
index 8fe938f56..1703592bc 100644
--- a/netbox/supervisord.conf
+++ b/netbox/supervisord.conf
@@ -41,6 +41,10 @@ command=/opt/netbox/venv/bin/python /usr/local/bin/netbox_init.py
   --library "%(ENV_NETBOX_DEVICETYPE_LIBRARY_PATH)s"
   --preload "%(ENV_NETBOX_PRELOAD_PATH)s"
   --preload-prefixes %(ENV_NETBOX_PRELOAD_PREFIXES)s
+  --postgres-host "%(ENV_DB_HOST)s"
+  --postgres-db "%(ENV_DB_NAME)s"
+  --postgres-user "%(ENV_DB_USER)s"
+  --postgres-password "%(ENV_DB_PASSWORD)s"
 autostart=true
 autorestart=false
 startsecs=0

From ea76ffb860afac4bfb7a91f239b88a882945859e Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 14 Nov 2023 17:25:59 -0700
Subject: [PATCH 45/82] documentation tweak for idaholab/Malcolm#294

---
 docs/asset-interaction-analysis.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md
index 28c40ac6b..a5f6e2b85 100644
--- a/docs/asset-interaction-analysis.md
+++ b/docs/asset-interaction-analysis.md
@@ -127,11 +127,11 @@ $ ./scripts/netbox-backup
 NetBox configuration database saved to ('malcolm_netbox_backup_20230110-133855.gz', 'malcolm_netbox_backup_20230110-133855.media.tar.gz')
 ```
 
-To clear the existing NetBox database and restore a previous backup, run the following command (substituting the filename of the `netbox_….gz` you wish to restore) from within the Malcolm installation directory while Malcolm is running:
+To clear the existing NetBox database and restore a previous backup, run the following command (substituting the filename of the `netbox_….gz` to be restored) from within the Malcolm installation directory while Malcolm is running:
 
 ```
 ./scripts/netbox-restore --netbox-restore ./malcolm_netbox_backup_20230110-125756.gz
 
 ```
 
-If you have a previous NetBox database backup (created with `netbox-backup` as described above) that you would like automatically restored on startup, that `.gz` file may be manually copied to the [`./netbox/preload`](#NetBoxPreload) directory. Upon startup that file will be extracted and used to populate the NetBox database, taking priority over the other preload files. This process does not remove the `.gz` file from the directory upon restoring it; it will be restored again on subsequent restarts unless manually removed.
+Users with a prior NetBox database backup (created with `netbox-backup` as described above) that they wish to be automatically restored on startup, that `.gz` file may be manually copied to the [`./netbox/preload`](#NetBoxPreload) directory. Upon startup that file will be extracted and used to populate the NetBox database, taking priority over the other preload files. This process does not remove the `.gz` file from the directory upon restoring it; it will be restored again on subsequent restarts unless manually removed.

From d111631a66f06a888fa8a85b241c0bf480f9cdac Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Wed, 15 Nov 2023 09:24:18 -0700
Subject: [PATCH 46/82] idaholab/Malcolm#294, put netbox restore database
 functionality inside container (still need to test K8s)

---
 Dockerfiles/netbox.Dockerfile      |   4 +
 docs/asset-interaction-analysis.md |   2 +
 netbox/scripts/netbox_init.py      |  59 +++--
 scripts/control.py                 | 347 ++++++++---------------------
 scripts/malcolm_utils.py           |   7 +-
 5 files changed, 145 insertions(+), 274 deletions(-)

diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index bd3b3f5fd..d4c64ad41 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -55,8 +55,11 @@ RUN apt-get -q update && \
     apt-get -y -q --no-install-recommends upgrade && \
     apt-get install -q -y --no-install-recommends \
       gcc \
+      file \
       git \
       jq \
+      libmagic-dev \
+      libmagic1 \
       libpq-dev \
       libpq5 \
       patch \
@@ -71,6 +74,7 @@ RUN apt-get -q update && \
       'git+https://github.com/tobiasge/netbox-initializers' \
       psycopg2 \
       pynetbox \
+      python-magic \
       python-slugify \
       randomcolor && \
     cd "${NETBOX_PATH}" && \
diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md
index a5f6e2b85..c3e0fc678 100644
--- a/docs/asset-interaction-analysis.md
+++ b/docs/asset-interaction-analysis.md
@@ -135,3 +135,5 @@ To clear the existing NetBox database and restore a previous backup, run the fol
 ```
 
 Users with a prior NetBox database backup (created with `netbox-backup` as described above) that they wish to be automatically restored on startup, that `.gz` file may be manually copied to the [`./netbox/preload`](#NetBoxPreload) directory. Upon startup that file will be extracted and used to populate the NetBox database, taking priority over the other preload files. This process does not remove the `.gz` file from the directory upon restoring it; it will be restored again on subsequent restarts unless manually removed.
+
+Note that [network log enrichment](#NetBoxEnrichment) will fail while a restore is in progress (indicated with `HTTP/1.1 403` messages in the output of the `netbox` container in the Malcolm debug logs), but should resume once the restore process has completed.
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 9887ec736..87c0d99a9 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -5,11 +5,12 @@
 
 import argparse
 import glob
-import ipaddress
 import gzip
+import ipaddress
 import itertools
 import json
 import logging
+import magic
 import os
 import psycopg
 import pynetbox
@@ -17,6 +18,7 @@
 import re
 import shutil
 import sys
+import tarfile
 import tempfile
 import time
 import malcolm_utils
@@ -150,7 +152,7 @@ def main():
         dest='netboxToken',
         type=str,
         default=None,
-        required=True,
+        required=False,
         help="NetBox API Token",
     )
     parser.add_argument(
@@ -254,13 +256,21 @@ def main():
         default=malcolm_utils.str2bool(os.getenv('NETBOX_PRELOAD_PREFIXES', default='False')),
         help="Preload IPAM IP Prefixes for private IP space",
     )
+    parser.add_argument(
+        '--preload-backup',
+        dest='preloadBackupFile',
+        type=str,
+        default=os.getenv('NETBOX_PRELOAD_GZ', default=''),
+        required=False,
+        help="Database dump .gz file to preload into postgreSQL",
+    )
     parser.add_argument(
         '--postgres-host',
         dest='postgresHost',
         type=str,
         default=os.getenv('DB_HOST', 'netbox-postgres'),
         required=False,
-        help="postgreSQL host for preloading an entire database dump .gz from the --preload directory",
+        help="postgreSQL host for preloading an entire database dump .gz (specified with --preload-backup or loaded from the --preload directory)",
     )
     parser.add_argument(
         '--postgres-db',
@@ -308,18 +318,18 @@ def main():
 
     # if there is a database backup .gz in the preload directory, load it up (preferring the newest)
     # if there are multiple) instead of populating via API
-    preloadDatabaseTarball = None
+    preloadDatabaseFile = args.preloadBackupFile
     preloadDatabaseSuccess = False
-    if os.path.isdir(args.preloadDir):
-        preloadTarballs = [
+    if (not os.path.isfile(preloadDatabaseFile)) and os.path.isdir(args.preloadDir):
+        preloadFiles = [
             x
             for x in list(filter(os.path.isfile, glob.glob(os.path.join(args.preloadDir, '*.gz'))))
             if not x.endswith('.media.tar.gz')
         ]
-        preloadTarballs.sort(key=lambda x: os.path.getmtime(x))
-        preloadDatabaseTarball = next(iter(preloadTarballs), None)
+        preloadFiles.sort(key=lambda x: os.path.getmtime(x))
+        preloadDatabaseFile = next(iter(preloadFiles), None)
 
-    if os.path.isfile(preloadDatabaseTarball):
+    if os.path.isfile(preloadDatabaseFile):
         # we're loading an existing database directly with postgreSQL
         # this should pretty much match what is in control.py:netboxRestore
         try:
@@ -385,7 +395,11 @@ def main():
                 '-U',
                 args.postgresUser,
             ]
-            with gzip.open(preloadDatabaseTarball, 'rt') as f:
+            with (
+                gzip.open(preloadDatabaseFile, 'rt')
+                if 'application/gzip' in magic.from_file(preloadDatabaseFile, mime=True)
+                else open(preloadDatabaseFile, 'r')
+            ) as f:
                 err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging, stdin=f.read())
             if (err == 0) and results:
                 preloadDatabaseSuccess = True
@@ -440,19 +454,24 @@ def main():
                 if (err != 0) or (not results):
                     logging.error(f'{err} setting up superuser: {results}')
 
-            # # restore media directory
-            # backupFileParts = os.path.splitext(backupFileName)
-            # backupMediaFileName = backupFileParts[0] + ".media.tar.gz"
-            # mediaPath = os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media')
-            # if os.path.isfile(backupMediaFileName) and os.path.isdir(mediaPath):
-            #     RemoveEmptyFolders(mediaPath, removeRoot=False)
-            #     with tarfile.open(backupMediaFileName) as t:
-            #         t.extractall(mediaPath)
+            # restore media directory
+            preloadDatabaseFileParts = os.path.splitext(preloadDatabaseFile)
+            mediaFileName = preloadDatabaseFileParts[0] + ".media.tar.gz"
+            mediaPath = os.path.join(args.netboxDir, os.path.join('netbox', 'media'))
+            if os.path.isfile(mediaFileName) and os.path.isdir(mediaPath):
+                try:
+                    malcolm_utils.RemoveEmptyFolders(mediaPath, removeRoot=False)
+                    with tarfile.open(mediaFileName) as t:
+                        t.extractall(mediaPath)
+                except Exception as e:
+                    logging.error(f"{type(e).__name__} processing restoring {os.path.basename(mediaFileName)}: {e}")
 
         except Exception as e:
-            logging.error(f"{type(e).__name__} restoring {os.path.basename(preloadDatabaseTarball)}: {e}")
+            logging.error(f"{type(e).__name__} restoring {os.path.basename(preloadDatabaseFile)}: {e}")
 
-    if not preloadDatabaseSuccess:
+    # only proceed to do the regular population/preload if if we didn't preload a database backup, or
+    #   if we attempted (and failed) but they didn't explicitly specify a backup file
+    if not preloadDatabaseSuccess and (not args.preloadBackupFile):
         # create connection to netbox API
         nb = pynetbox.api(
             args.netboxUrl,
diff --git a/scripts/control.py b/scripts/control.py
index 25852c563..4b07895d6 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -583,277 +583,120 @@ def netboxRestore(backupFileName=None):
                 # execute as UID:GID in docker-compose.yml file
                 '-u',
                 f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}',
-            ]
-
-            # stop the netbox processes
-            dockerCmd = dockerCmdBase + [
-                'netbox',
-                'supervisorctl',
-                'stop',
-                'netbox:*',
-            ]
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if (err != 0) and args.debug:
-                eprint(f'Error stopping netbox:*: {results}')
-
-            # if the netbox_init.py process is still happening, interrupt it
-            dockerCmd = dockerCmdBase + [
+                # run in the netbox container
                 'netbox',
-                'bash',
-                '-c',
-                'pgrep -f /usr/local/bin/netbox_init.py | xargs -r kill',
             ]
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if (err != 0) and args.debug:
-                eprint(f'Error interrupting netbox_init.py: {results}')
-
-            # drop the existing netbox database
-            dockerCmd = dockerCmdBase + ['netbox-postgres', 'dropdb', '-U', 'netbox', 'netbox', '--force']
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if ((err != 0) or (len(results) == 0)) and args.debug:
-                eprint(f'Error dropping NetBox database: {results}')
-
-            # create a new netbox database
-            dockerCmd = dockerCmdBase + ['netbox-postgres', 'createdb', '-U', 'netbox', 'netbox']
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if err != 0:
-                raise Exception('Error creating new NetBox database')
 
-            # make sure permissions are set up right
-            dockerCmd = dockerCmdBase + [
-                'netbox-postgres',
-                'psql',
-                '-U',
-                'netbox',
-                '-c',
-                'GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox',
-            ]
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if err != 0:
-                raise Exception('Error setting NetBox database permissions')
-
-            # load the backed-up psql dump
-            dockerCmd = dockerCmdBase + ['netbox-postgres', 'psql', '-U', 'netbox']
-            with gzip.open(backupFileName, 'rt') as f:
-                err, results = run_process(dockerCmd, env=osEnv, debug=args.debug, stdin=f.read())
-            if (err != 0) or (len(results) == 0):
-                raise Exception('Error loading NetBox database')
-
-            # don't restore auth_user, tokens, etc: they're created by Malcolm and may not be the same on this instance
-            dockerCmd = dockerCmdBase + [
-                'netbox-postgres',
-                'psql',
-                '-U',
-                'netbox',
-                '-c',
-                'TRUNCATE auth_user CASCADE',
-            ]
+            # get remote temporary directory for restore
+            dockerCmd = dockerCmdBase + ['mktemp', '-d', '-t', 'restore.XXXXXXXXXX']
             err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if (err != 0) and args.debug:
-                eprint(f'Error truncating table auth_user table: {results}')
+            if (err == 0) and results:
+                tmpRestoreDir = results[0]
+            else:
+                tmpRestoreDir = '/tmp'
 
-            # start back up the netbox processes (except initialization)
-            dockerCmd = dockerCmdBase + [
-                'netbox',
-                'bash',
-                '-c',
-                "supervisorctl status netbox:* | grep -v :initialization | awk '{ print $1 }' | xargs -r -L 1 -P 4 supervisorctl start",
-            ]
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if (err != 0) and args.debug:
-                eprint(f'Error starting netbox:*: {results}')
+            try:
+                # copy database backup and media backup to remote temporary directory
+                for tmpFile in [
+                    x
+                    for x in [backupFileName, os.path.splitext(backupFileName)[0] + ".media.tar.gz"]
+                    if os.path.isfile(x)
+                ]:
+                    dockerCmd = dockerCmdBase + ['tee', os.path.join(tmpRestoreDir, os.path.basename(tmpFile))]
+                    with open(tmpFile, 'rb') as f:
+                        err, results = run_process(
+                            dockerCmd, env=osEnv, debug=args.debug, stdout=False, stderr=True, stdin=f.read()
+                        )
+                    if err != 0:
+                        raise Exception(
+                            f'Error {err} copying backed-up NetBox file {os.path.basename(tmpFile)} to {tmpRestoreDir}: {results}'
+                        )
 
-            # migrations if needed
-            dockerCmd = dockerCmdBase + ['netbox', '/opt/netbox/netbox/manage.py', 'migrate']
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if (err != 0) or (len(results) == 0):
-                raise Exception('Error performing NetBox migration')
+                # perform the restore inside the container
+                dockerCmd = dockerCmdBase + [
+                    '/opt/netbox/venv/bin/python',
+                    '/usr/local/bin/netbox_init.py',
+                    '--preload-backup',
+                    os.path.join(tmpRestoreDir, os.path.basename(backupFileName)),
+                ]
+                err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
+                if err != 0:
+                    raise Exception(
+                        f'Error {err} restoring NetBox database {os.path.basename(backupFileName)}: {results}'
+                    )
 
-            # create auth_user for superuser
-            dockerCmd = dockerCmdBase + [
-                'netbox',
-                'bash',
-                '-c',
-                "/opt/netbox/netbox/manage.py shell --interface python < /usr/local/bin/netbox_superuser_create.py",
-            ]
-            err, results = run_process(dockerCmd, env=osEnv, debug=args.debug)
-            if (err != 0) or (len(results) == 0):
-                raise Exception('Error setting up superuser')
-
-            # restore media directory
-            backupFileParts = os.path.splitext(backupFileName)
-            backupMediaFileName = backupFileParts[0] + ".media.tar.gz"
-            mediaPath = os.path.join(os.path.join(MalcolmPath, 'netbox'), 'media')
-            if os.path.isfile(backupMediaFileName) and os.path.isdir(mediaPath):
-                RemoveEmptyFolders(mediaPath, removeRoot=False)
-                with tarfile.open(backupMediaFileName) as t:
-                    t.extractall(mediaPath)
+            finally:
+                # cleanup the remote directory
+                if tmpRestoreDir != '/tmp':
+                    dockerCmd = dockerCmdBase + ['rm', '-rf', tmpRestoreDir]
+                else:
+                    dockerCmd = dockerCmdBase + [
+                        'bash',
+                        '-c',
+                        f"rm -f {tmpRestoreDir}/{os.path.splitext(backupFileName)[0]}*",
+                    ]
+                run_process(dockerCmd, env=osEnv, debug=args.debug)
 
         elif orchMode is OrchestrationFramework.KUBERNETES:
-            # stop the netbox processes
-            if podsResults := PodExec(
-                service='netbox',
-                namespace=args.namespace,
-                command=['supervisorctl', 'stop', 'netbox:*'],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if (err != 0) and args.debug:
-                eprint(f'Error ({err}) stopping NetBox: {results}')
-
-            # if the netbox_init.py process is still happening, interrupt it
-            if podsResults := PodExec(
-                service='netbox',
-                namespace=args.namespace,
-                command=['bash', '-c', 'pgrep -f /usr/local/bin/netbox_init.py | xargs -r kill'],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if (err != 0) and args.debug:
-                eprint(f'Error ({err}) interrupting netbox_init.py: {results}')
-
-            # drop the existing netbox database
-            if podsResults := PodExec(
-                service='netbox-postgres',
-                namespace=args.namespace,
-                command=['dropdb', '-U', 'netbox', 'netbox', '--force'],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if ((err != 0) or (len(results) == 0)) and args.debug:
-                eprint(f'Error dropping NetBox database: {results}')
-
-            # create a new netbox database
-            if podsResults := PodExec(
-                service='netbox-postgres',
-                namespace=args.namespace,
-                command=['createdb', '-U', 'netbox', 'netbox'],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if err != 0:
-                raise Exception(f'Error creating new NetBox database: {results}')
-
-            # make sure permissions are set up right
-            if podsResults := PodExec(
-                service='netbox-postgres',
-                namespace=args.namespace,
-                command=[
-                    'psql',
-                    '-U',
-                    'netbox',
-                    '-c',
-                    'GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox',
-                ],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if err != 0:
-                raise Exception(f'Error setting NetBox database permissions: {results}')
+            # copy database backup and media backup to remote temporary directory
+            try:
+                tmpRestoreDir = '/tmp'
+                for tmpFile in [
+                    x
+                    for x in [backupFileName, os.path.splitext(backupFileName)[0] + ".media.tar.gz"]
+                    if os.path.isfile(x)
+                ]:
+                    with open(tmpFile, 'rb') as f:
+                        if podsResults := PodExec(
+                            service='netbox',
+                            namespace=args.namespace,
+                            command=['tee', os.path.join(tmpRestoreDir, os.path.basename(tmpFile))],
+                            stdout=False,
+                            stderr=True,
+                            stdin=f.read(),
+                        ):
+                            err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                            results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+                        else:
+                            err = 1
+                            results = []
+                    if err != 0:
+                        raise Exception(
+                            f'Error {err} copying backed-up NetBox file {os.path.basename(tmpFile)} to {tmpRestoreDir}: {results}'
+                        )
 
-            # load the backed-up psql dump
-            with gzip.open(backupFileName, 'rt') as f:
+                # perform the restore inside the container
                 if podsResults := PodExec(
-                    service='netbox-postgres',
+                    service='netbox',
                     namespace=args.namespace,
-                    command=['psql', '-U', 'netbox'],
-                    stdin=f.read(),
+                    command=[
+                        '/opt/netbox/venv/bin/python',
+                        '/usr/local/bin/netbox_init.py',
+                        '--preload-backup',
+                        os.path.join(tmpRestoreDir, os.path.basename(backupFileName)),
+                    ],
                 ):
                     err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
                     results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
                 else:
                     err = 1
                     results = []
-            if (err != 0) or (len(results) == 0):
-                raise Exception(f'Error loading NetBox database: {results}')
-
-            # don't restore auth_user, tokens, etc: they're created by Malcolm and may not be the same on this instance
-            # make sure permissions are set up right
-            if podsResults := PodExec(
-                service='netbox-postgres',
-                namespace=args.namespace,
-                command=[
-                    'psql',
-                    '-U',
-                    'netbox',
-                    '-c',
-                    'TRUNCATE auth_user CASCADE',
-                ],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if err != 0:
-                raise Exception(f'Error truncating table auth_user table: {results}')
-
-            # start the netbox processes
-            if podsResults := PodExec(
-                service='netbox',
-                namespace=args.namespace,
-                command=[
-                    'bash',
-                    '-c',
-                    "supervisorctl status netbox:* | grep -v :initialization | awk '{ print $1 }' | xargs -r -L 1 -P 4 supervisorctl start",
-                ],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if (err != 0) and args.debug:
-                eprint(f'Error ({err}) starting NetBox: {results}')
-
-            # migrations if needed
-            if podsResults := PodExec(
-                service='netbox',
-                namespace=args.namespace,
-                command=['/opt/netbox/netbox/manage.py', 'migrate'],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if (err != 0) or (len(results) == 0):
-                raise Exception(f'Error performing NetBox migration: {results}')
-
-            # migrations if needed
-            if podsResults := PodExec(
-                service='netbox',
-                namespace=args.namespace,
-                command=[
-                    'bash',
-                    '-c',
-                    "/opt/netbox/netbox/manage.py shell --interface python < /usr/local/bin/netbox_superuser_create.py",
-                ],
-            ):
-                err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-            else:
-                err = 1
-                results = []
-            if (err != 0) or (len(results) == 0):
-                raise Exception(f'Error setting up superuser: {results}')
+                if err != 0:
+                    raise Exception(
+                        f'Error {err} restoring NetBox database {os.path.basename(backupFileName)}: {results}'
+                    )
 
-            # TODO: can't restore netbox/media directory via kubernetes at the moment
+            finally:
+                # cleanup on other side
+                PodExec(
+                    service='netbox',
+                    namespace=args.namespace,
+                    command=[
+                        'bash',
+                        '-c',
+                        f"rm -f {tmpRestoreDir}/{os.path.splitext(backupFileName)[0]}*",
+                    ],
+                )
 
         else:
             raise Exception(
diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py
index a89849165..a6ab66515 100644
--- a/scripts/malcolm_utils.py
+++ b/scripts/malcolm_utils.py
@@ -651,7 +651,7 @@ def run_process(
         # run the command
         retcode, cmdout, cmderr = check_output_input(
             flat_command,
-            input=stdin.encode() if stdin else None,
+            input=(stdin.encode() if isinstance(stdin, str) else stdin) if stdin else None,
             cwd=cwd,
             env=env,
         )
@@ -668,7 +668,10 @@ def run_process(
 
     if debug:
         dbgStr = "{}{} returned {}: {}".format(
-            flat_command, "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if stdin else ""), retcode, output
+            flat_command,
+            "({})".format(stdin[:80] + bool(stdin[80:]) * '...' if (stdin and isinstance(stdin, str)) else ""),
+            retcode,
+            output,
         )
         if logger is not None:
             logger.debug(dbgStr)

From cdaf056fa46b2e38114fc768f3cb2200f994fee9 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 15 Nov 2023 13:49:56 -0700
Subject: [PATCH 47/82] bump opensearch-py to v2.4.0

---
 api/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/requirements.txt b/api/requirements.txt
index 05578b547..8407b4f59 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -1,7 +1,7 @@
 pytz==2021.3
 Flask==2.3.2
 gunicorn==20.1.0
-opensearch-py==2.3.2
+opensearch-py==2.4.0
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1

From ecf55997607c82ac5944d49727a6d1f30e28ea78 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 15 Nov 2023 13:54:03 -0700
Subject: [PATCH 48/82] Revert "bump opensearch-py to v2.4.0"

This reverts commit cdaf056fa46b2e38114fc768f3cb2200f994fee9.
---
 api/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/requirements.txt b/api/requirements.txt
index 8407b4f59..05578b547 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -1,7 +1,7 @@
 pytz==2021.3
 Flask==2.3.2
 gunicorn==20.1.0
-opensearch-py==2.4.0
+opensearch-py==2.3.2
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1

From 9d8861c03dad2734ec2b8a117ed7901c653bfce0 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 16 Nov 2023 12:08:02 -0700
Subject: [PATCH 49/82] opensearch-py to 2.4.1

---
 api/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/requirements.txt b/api/requirements.txt
index 05578b547..247444029 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -1,7 +1,7 @@
 pytz==2021.3
 Flask==2.3.2
 gunicorn==20.1.0
-opensearch-py==2.3.2
+opensearch-py==2.4.1
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1

From cba9dc94155aacabba6f9df7e678b889387793cb Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 16 Nov 2023 12:50:42 -0700
Subject: [PATCH 50/82] idaholab/Malcolm#294, fix a minor bug when preload gz
 is not specified

---
 netbox/scripts/netbox_init.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 87c0d99a9..71fb6252c 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -327,7 +327,7 @@ def main():
             if not x.endswith('.media.tar.gz')
         ]
         preloadFiles.sort(key=lambda x: os.path.getmtime(x))
-        preloadDatabaseFile = next(iter(preloadFiles), None)
+        preloadDatabaseFile = next(iter(preloadFiles), '')
 
     if os.path.isfile(preloadDatabaseFile):
         # we're loading an existing database directly with postgreSQL

From c2e6008e7d0e7c891ea1251b2aefe169822c65c7 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 16 Nov 2023 13:11:58 -0700
Subject: [PATCH 51/82] for idaholab/Malcolm#280, on restore of an older
 database migrate ipam_vrf.name to ipam_prefix.description

---
 netbox/scripts/netbox_init.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 71fb6252c..ad27e4558 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -406,6 +406,21 @@ def main():
             else:
                 raise Exception(f'Error {err} loading NetBox database: {results}')
 
+            # with idaholab/Malcolm#280 we switched to use prefix.description instead of VRF for identifying subnets in NetBox,
+            # this will migrate ipam_vrf.name to ipam_prefix.description if we're coming from an older backup
+            cmd = [
+                'psql',
+                '-h',
+                args.postgresHost,
+                '-U',
+                {args.postgresUser},
+                '-c',
+                "UPDATE ipam_prefix SET description = (SELECT name from ipam_vrf WHERE id = ipam_prefix.vrf_id) WHERE ((description = '') IS NOT FALSE) AND (vrf_id > 0)",
+            ]
+            err, results = malcolm_utils.run_process(cmd, env=osEnv, logger=logging)
+            if err != 0:
+                logging.error(f'{err} migrating ipam_vrf.name to ipam_prefix.description: {results}')
+
             # don't restore auth_user, tokens, etc: they're created by Malcolm and may not be the same on this instance
             cmd = [
                 'psql',

From b22ea9623671685f2a332f46382e893d571552d3 Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Thu, 16 Nov 2023 13:30:46 -0700
Subject: [PATCH 52/82] for idaholab/Malcolm#280, on restore of an older
 database migrate ipam_vrf.name to ipam_prefix.description (todo, need to do
 it in regular startup)

---
 netbox/scripts/netbox_init.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index ad27e4558..19d75ee95 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -828,6 +828,13 @@ def main():
         except Exception as e:
             logging.error(f"{type(e).__name__} processing net map JSON \"{args.netMapFileName}\": {e}")
 
+        # ###### Missing prefix descriptions from VRF names (see idaholab/Malcolm#280) ##################################
+        try:
+            pass
+            # TODO
+        except Exception as e:
+            logging.error(f"{type(e).__name__} migrating ipam_vrf.name to ipam_prefix.description: {e}")
+
         # ###### Netbox-Initializers ###################################################################################
         if os.path.isfile(netboxVenvPy) and os.path.isfile(manageScript) and os.path.isdir(args.preloadDir):
             try:

From 379054f86ac9757be426f341a004dcd5d709880f Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 20 Nov 2023 07:24:48 -0700
Subject: [PATCH 53/82] bump opensearch-py to v2.4.2

---
 api/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/requirements.txt b/api/requirements.txt
index 247444029..19243e4ca 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -1,7 +1,7 @@
 pytz==2021.3
 Flask==2.3.2
 gunicorn==20.1.0
-opensearch-py==2.4.1
+opensearch-py==2.4.2
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1

From 54d7c15c61c94d6e36bbf2f3f70a0bf5d0814864 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 20 Nov 2023 16:39:00 -0700
Subject: [PATCH 54/82] idaholab/Malcolm#295, specify local networks via
 ZEEK_LOCAL_NETS environment variable

---
 config/zeek.env.example                             |  5 +++++
 docs/malcolm-config.md                              |  1 +
 .../includes.chroot/usr/local/etc/zeek/local.zeek   | 13 +++++++++++++
 sensor-iso/interface/sensor_ctl/control_vars.conf   |  1 +
 shared/bin/zeekdeploy.sh                            |  8 +++++++-
 zeek/config/local.zeek                              | 13 +++++++++++++
 6 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/config/zeek.env.example b/config/zeek.env.example
index 795c37583..ca0c9d6c0 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -1,3 +1,8 @@
+# Specifies a comma-separated list of the networks that Zeek considers "local",
+#   for Site::local_nets and networks.cfg. e.g., 1.2.3.0/24,5.6.7.0/24.
+#   Note that by default, Zeek considers IANA-registered private address space
+#   such as 10/8 and 192.168/16 site-local.
+ZEEK_LOCAL_NETS=
 # Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable)
 ZEEK_INTEL_ITEM_EXPIRATION=-1min
 # When querying a TAXII or MISP feed, only process threat indicators that have
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index e143fd7b6..7ec63d604 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -99,6 +99,7 @@ Although the configuration script automates many of the following configuration
     - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
     - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
     - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
+    - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local
     - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic
 
 ## <a name="CommandLineConfig"></a>Command-line arguments
diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index f34b2a398..79e5204f2 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -13,6 +13,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ?
 global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
 global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
 global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
+global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");
 
 global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
 global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
@@ -91,6 +92,18 @@ redef ignore_checksums = T;
 
 event zeek_init() &priority=-5 {
 
+  if (zeek_local_nets_str != "") {
+    local nets_strs = split_string(zeek_local_nets_str, /,/);
+    if (|nets_strs| > 0) {
+      for (net_idx in nets_strs) {
+        local local_subnet = to_subnet(nets_strs[net_idx]);
+        if (local_subnet != [::]/0) {
+          add Site::local_nets[local_subnet];
+        }
+      }
+    }
+  }
+
   if (disable_ics_all || disable_ics_bacnet) {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET);
   }
diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
index 097c2a186..98301dae5 100644
--- a/sensor-iso/interface/sensor_ctl/control_vars.conf
+++ b/sensor-iso/interface/sensor_ctl/control_vars.conf
@@ -45,6 +45,7 @@ export ZEEK_LB_PROCS=1
 export ZEEK_LB_METHOD=custom
 export ZEEK_AF_PACKET_BUFFER_SIZE=67108864
 
+export ZEEK_LOCAL_NETS=
 export ZEEK_RULESET=local
 export ZEEK_INTEL_ITEM_EXPIRATION=-1min
 export ZEEK_INTEL_FEED_SINCE=
diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
index 35321e80b..c4879adf2 100755
--- a/shared/bin/zeekdeploy.sh
+++ b/shared/bin/zeekdeploy.sh
@@ -62,6 +62,7 @@ fi
 [[ -z $ZEEK_EXTRACTOR_MODE ]] && ZEEK_EXTRACTOR_MODE="none"
 
 # some other defaults
+[[ -z $ZEEK_LOCAL_NETS ]] && ZEEK_LOCAL_NETS=
 [[ -z $ZEEK_LB_PROCS ]] && ZEEK_LB_PROCS="1"
 [[ -z $WORKER_LB_PROCS ]] && WORKER_LB_PROCS="$ZEEK_LB_PROCS"
 [[ -z $ZEEK_LB_METHOD ]] && ZEEK_LB_METHOD="custom"
@@ -208,7 +209,12 @@ EOF
   ZEEK_PROCS=$((ZEEK_PROCS+1))
 done
 
-# we'll assume we didn't mess with networks.cfg, leave it alone
+# populate networks.cfg from ZEEK_LOCAL_NETS
+echo "# \$ZEEK_LOCAL_NETS:" > ./networks.cfg
+echo "#   $ZEEK_LOCAL_NETS" >> ./networks.cfg
+for NET in ${ZEEK_LOCAL_NETS//,/ }; do
+  echo "$NET" | sed -re 's/^[[:blank:]]+|[[:blank:]]+$//g' -e 's/[[:blank:]]+/ /g' >> ./networks.cfg
+done
 
 popd >/dev/null 2>&1
 
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index 284a8f905..33cc88681 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -13,6 +13,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ?
 global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
 global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
 global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
+global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");
 
 global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
 global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
@@ -91,6 +92,18 @@ redef ignore_checksums = T;
 
 event zeek_init() &priority=-5 {
 
+  if (zeek_local_nets_str != "") {
+    local nets_strs = split_string(zeek_local_nets_str, /,/);
+    if (|nets_strs| > 0) {
+      for (net_idx in nets_strs) {
+        local local_subnet = to_subnet(nets_strs[net_idx]);
+        if (local_subnet != [::]/0) {
+          add Site::local_nets[local_subnet];
+        }
+      }
+    }
+  }
+
   if (disable_ics_all || disable_ics_bacnet) {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET);
   }

From 301b2a7f60d797c66ebf15b3eceb5b10ca7324af Mon Sep 17 00:00:00 2001
From: SG <mero.mero.guero@gmail.com>
Date: Tue, 21 Nov 2023 13:29:43 -0700
Subject: [PATCH 55/82] fix idaholab/Malcolm#294, put netbox restore database
 functionality inside container for kubernetes

---
 scripts/control.py | 46 ++++++++++++++++++++++------------------------
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/scripts/control.py b/scripts/control.py
index 4b07895d6..9b03d6d95 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -641,29 +641,27 @@ def netboxRestore(backupFileName=None):
             # copy database backup and media backup to remote temporary directory
             try:
                 tmpRestoreDir = '/tmp'
-                for tmpFile in [
-                    x
-                    for x in [backupFileName, os.path.splitext(backupFileName)[0] + ".media.tar.gz"]
-                    if os.path.isfile(x)
-                ]:
-                    with open(tmpFile, 'rb') as f:
-                        if podsResults := PodExec(
-                            service='netbox',
-                            namespace=args.namespace,
-                            command=['tee', os.path.join(tmpRestoreDir, os.path.basename(tmpFile))],
-                            stdout=False,
-                            stderr=True,
-                            stdin=f.read(),
-                        ):
-                            err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
-                            results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
-                        else:
-                            err = 1
-                            results = []
-                    if err != 0:
-                        raise Exception(
-                            f'Error {err} copying backed-up NetBox file {os.path.basename(tmpFile)} to {tmpRestoreDir}: {results}'
-                        )
+                tmpRestoreFile = os.path.join(
+                    tmpRestoreDir, os.path.splitext(os.path.basename(backupFileName))[0] + '.txt'
+                )
+                with gzip.open(backupFileName, 'rt') as f:
+                    if podsResults := PodExec(
+                        service='netbox',
+                        namespace=args.namespace,
+                        command=['tee', tmpRestoreFile],
+                        stdout=False,
+                        stderr=True,
+                        stdin=f.read(),
+                    ):
+                        err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1
+                        results = list(chain(*[deep_get(v, ['output'], '') for k, v in podsResults.items()]))
+                    else:
+                        err = 1
+                        results = []
+                if err != 0:
+                    raise Exception(
+                        f'Error {err} copying backed-up NetBox file {os.path.basename(backupFileName)} to {tmpRestoreFile}: {results}'
+                    )
 
                 # perform the restore inside the container
                 if podsResults := PodExec(
@@ -673,7 +671,7 @@ def netboxRestore(backupFileName=None):
                         '/opt/netbox/venv/bin/python',
                         '/usr/local/bin/netbox_init.py',
                         '--preload-backup',
-                        os.path.join(tmpRestoreDir, os.path.basename(backupFileName)),
+                        tmpRestoreFile,
                     ],
                 ):
                     err = 0 if all([deep_get(v, ['err'], 1) == 0 for k, v in podsResults.items()]) else 1

From 95b3c2a97f1bbd06213e926a940af23a8c3a626e Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 21 Nov 2023 14:05:33 -0700
Subject: [PATCH 56/82] restore kubernetes image names in prep for release

---
 kubernetes/03-opensearch.yml         | 4 ++--
 kubernetes/04-dashboards.yml         | 2 +-
 kubernetes/05-upload.yml             | 4 ++--
 kubernetes/06-pcap-monitor.yml       | 4 ++--
 kubernetes/07-arkime.yml             | 4 ++--
 kubernetes/08-api.yml                | 2 +-
 kubernetes/09-dashboards-helper.yml  | 2 +-
 kubernetes/10-zeek.yml               | 4 ++--
 kubernetes/11-suricata.yml           | 4 ++--
 kubernetes/12-file-monitor.yml       | 4 ++--
 kubernetes/13-filebeat.yml           | 4 ++--
 kubernetes/14-logstash.yml           | 4 ++--
 kubernetes/15-netbox-redis.yml       | 4 ++--
 kubernetes/16-netbox-redis-cache.yml | 2 +-
 kubernetes/17-netbox-postgres.yml    | 4 ++--
 kubernetes/18-netbox.yml             | 4 ++--
 kubernetes/19-htadmin.yml            | 4 ++--
 kubernetes/20-pcap-capture.yml       | 4 ++--
 kubernetes/21-zeek-live.yml          | 4 ++--
 kubernetes/22-suricata-live.yml      | 4 ++--
 kubernetes/23-freq.yml               | 2 +-
 kubernetes/98-nginx-proxy.yml        | 4 ++--
 22 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml
index fbd2e3172..af6a6dbf3 100644
--- a/kubernetes/03-opensearch.yml
+++ b/kubernetes/03-opensearch.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: opensearch-container
-        image: ghcr.io/mmguero-dev/malcolm/opensearch:development
+        image: ghcr.io/idaholab/malcolm/opensearch:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -69,7 +69,7 @@ spec:
             subPath: "opensearch"
       initContainers:
       - name: opensearch-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml
index cfbb8b422..5145b05ea 100644
--- a/kubernetes/04-dashboards.yml
+++ b/kubernetes/04-dashboards.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-container
-        image: ghcr.io/mmguero-dev/malcolm/dashboards:development
+        image: ghcr.io/idaholab/malcolm/dashboards:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index 7631d405f..e932433c9 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
       - name: upload-container
-        image: ghcr.io/mmguero-dev/malcolm/file-upload:development
+        image: ghcr.io/idaholab/malcolm/file-upload:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -73,7 +73,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: upload-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml
index 70da6fc02..82e4ac482 100644
--- a/kubernetes/06-pcap-monitor.yml
+++ b/kubernetes/06-pcap-monitor.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: pcap-monitor-container
-        image: ghcr.io/mmguero-dev/malcolm/pcap-monitor:development
+        image: ghcr.io/idaholab/malcolm/pcap-monitor:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -70,7 +70,7 @@ spec:
             name: pcap-monitor-zeek-volume
       initContainers:
       - name: pcap-monitor-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml
index ec138d853..cea3ced27 100644
--- a/kubernetes/07-arkime.yml
+++ b/kubernetes/07-arkime.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: arkime-container
-        image: ghcr.io/mmguero-dev/malcolm/arkime:development
+        image: ghcr.io/idaholab/malcolm/arkime:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "arkime"
       initContainers:
       - name: arkime-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml
index dff8c4274..531ef1fd7 100644
--- a/kubernetes/08-api.yml
+++ b/kubernetes/08-api.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: api-container
-        image: ghcr.io/mmguero-dev/malcolm/api:development
+        image: ghcr.io/idaholab/malcolm/api:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml
index 3c1292517..32fffe4ca 100644
--- a/kubernetes/09-dashboards-helper.yml
+++ b/kubernetes/09-dashboards-helper.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-helper-container
-        image: ghcr.io/mmguero-dev/malcolm/dashboards-helper:development
+        image: ghcr.io/idaholab/malcolm/dashboards-helper:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index 3f02eb94e..dd32deba7 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-offline-container
-        image: ghcr.io/mmguero-dev/malcolm/zeek:development
+        image: ghcr.io/idaholab/malcolm/zeek:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -68,7 +68,7 @@ spec:
             subPath: "zeek/intel"
       initContainers:
       - name: zeek-offline-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index 5e31720b6..909e1791d 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-offline-container
-        image: ghcr.io/mmguero-dev/malcolm/suricata:development
+        image: ghcr.io/idaholab/malcolm/suricata:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -61,7 +61,7 @@ spec:
             name: suricata-offline-custom-rules-volume
       initContainers:
       - name: suricata-offline-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml
index 9cf768a47..898c67eef 100644
--- a/kubernetes/12-file-monitor.yml
+++ b/kubernetes/12-file-monitor.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: file-monitor-container
-        image: ghcr.io/mmguero-dev/malcolm/file-monitor:development
+        image: ghcr.io/idaholab/malcolm/file-monitor:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -81,7 +81,7 @@ spec:
             name: file-monitor-yara-rules-custom-volume
       initContainers:
       - name: file-monitor-live-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml
index da45a94d1..78e097a46 100644
--- a/kubernetes/13-filebeat.yml
+++ b/kubernetes/13-filebeat.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: filebeat-container
-        image: ghcr.io/mmguero-dev/malcolm/filebeat-oss:development
+        image: ghcr.io/idaholab/malcolm/filebeat-oss:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "nginx"
       initContainers:
       - name: filebeat-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml
index 8f9029b76..2bfc8be80 100644
--- a/kubernetes/14-logstash.yml
+++ b/kubernetes/14-logstash.yml
@@ -49,7 +49,7 @@ spec:
       #       topologyKey: "kubernetes.io/hostname"
       containers:
       - name: logstash-container
-        image: ghcr.io/mmguero-dev/malcolm/logstash-oss:development
+        image: ghcr.io/idaholab/malcolm/logstash-oss:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -113,7 +113,7 @@ spec:
             subPath: "logstash"
       initContainers:
       - name: logstash-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml
index 922f54f1d..bbe98ce5c 100644
--- a/kubernetes/15-netbox-redis.yml
+++ b/kubernetes/15-netbox-redis.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-container
-        image: ghcr.io/mmguero-dev/malcolm/redis:development
+        image: ghcr.io/idaholab/malcolm/redis:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: netbox/redis
       initContainers:
       - name: netbox-redis-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml
index 0fef1bbf0..cd0a7794e 100644
--- a/kubernetes/16-netbox-redis-cache.yml
+++ b/kubernetes/16-netbox-redis-cache.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-cache-container
-        image: ghcr.io/mmguero-dev/malcolm/redis:development
+        image: ghcr.io/idaholab/malcolm/redis:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml
index 55a066358..3a781c71c 100644
--- a/kubernetes/17-netbox-postgres.yml
+++ b/kubernetes/17-netbox-postgres.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-postgres-container
-        image: ghcr.io/mmguero-dev/malcolm/postgresql:development
+        image: ghcr.io/idaholab/malcolm/postgresql:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -74,7 +74,7 @@ spec:
             subPath: netbox/postgres
       initContainers:
       - name: netbox-postgres-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml
index f81438018..bf0736efc 100644
--- a/kubernetes/18-netbox.yml
+++ b/kubernetes/18-netbox.yml
@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: netbox-container
-        image: ghcr.io/mmguero-dev/malcolm/netbox:development
+        image: ghcr.io/idaholab/malcolm/netbox:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -88,7 +88,7 @@ spec:
             subPath: netbox/media
       initContainers:
       - name: netbox-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml
index de5293761..11e507a68 100644
--- a/kubernetes/19-htadmin.yml
+++ b/kubernetes/19-htadmin.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: htadmin-container
-        image: ghcr.io/mmguero-dev/malcolm/htadmin:development
+        image: ghcr.io/idaholab/malcolm/htadmin:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             subPath: "htadmin"
       initContainers:
       - name: htadmin-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml
index 275cffe99..f43a1a2a8 100644
--- a/kubernetes/20-pcap-capture.yml
+++ b/kubernetes/20-pcap-capture.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: pcap-capture-container
-        image: ghcr.io/mmguero-dev/malcolm/pcap-capture:development
+        image: ghcr.io/idaholab/malcolm/pcap-capture:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -46,7 +46,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: pcap-capture-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index e9651aa99..ba150acdf 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-live-container
-        image: ghcr.io/mmguero-dev/malcolm/zeek:development
+        image: ghcr.io/idaholab/malcolm/zeek:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -60,7 +60,7 @@ spec:
             subPath: "zeek/intel"
       initContainers:
       - name: zeek-live-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index eade40dc2..70431c864 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-live-container
-        image: ghcr.io/mmguero-dev/malcolm/suricata:development
+        image: ghcr.io/idaholab/malcolm/suricata:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -51,7 +51,7 @@ spec:
             name: suricata-live-suricata-logs-volume
       initContainers:
       - name: suricata-live-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml
index b9dc580df..49dfc7f57 100644
--- a/kubernetes/23-freq.yml
+++ b/kubernetes/23-freq.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: freq-container
-        image: ghcr.io/mmguero-dev/malcolm/freq:development
+        image: ghcr.io/idaholab/malcolm/freq:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 94e7861e2..8f4269955 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec:
     spec:
       containers:
       - name: nginx-proxy-container
-        image: ghcr.io/mmguero-dev/malcolm/nginx-proxy:development
+        image: ghcr.io/idaholab/malcolm/nginx-proxy:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -95,7 +95,7 @@ spec:
           subPath: "nginx"
       initContainers:
       - name: nginx-dirinit-container
-        image: ghcr.io/mmguero-dev/malcolm/dirinit:development
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
         imagePullPolicy: Always
         stdin: false
         tty: true

From 103da343362e860ae6eec01cfbe43cc7a82462d0 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 21 Nov 2023 15:37:33 -0700
Subject: [PATCH 57/82] for idaholab/Malcolm#299, fix a vim and libx11
 vulnerability in a few packages (by removing those dependencies which we
 don't really need)

---
 Dockerfiles/dashboards.Dockerfile | 1 +
 Dockerfiles/nginx.Dockerfile      | 8 +-------
 Dockerfiles/opensearch.Dockerfile | 5 +++--
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index 4a9156b1c..507442867 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -47,6 +47,7 @@ ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSF
 
 RUN yum upgrade -y && \
     yum install -y curl psmisc util-linux openssl rsync python3 zip unzip && \
+    yum remove -y vim-* && \
     usermod -a -G tty ${PUSER} && \
     # Malcolm manages authentication and encryption via NGINX reverse proxy
     /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \
diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile
index 12a43a9b8..5765943bd 100644
--- a/Dockerfiles/nginx.Dockerfile
+++ b/Dockerfiles/nginx.Dockerfile
@@ -117,8 +117,6 @@ RUN set -x ; \
     --with-http_addition_module \
     --with-http_sub_module \
     --with-http_dav_module \
-    --with-http_flv_module \
-    --with-http_mp4_module \
     --with-http_gunzip_module \
     --with-http_gzip_static_module \
     --with-http_random_index_module \
@@ -126,7 +124,6 @@ RUN set -x ; \
     --with-http_stub_status_module \
     --with-http_auth_request_module \
     --with-http_xslt_module=dynamic \
-    --with-http_image_filter_module=dynamic \
     --with-http_geoip_module=dynamic \
     --with-http_perl_module=dynamic \
     --with-threads \
@@ -154,7 +151,6 @@ RUN set -x ; \
   chown ${PUSER}:${PGROUP} /var/cache/nginx ; \
   apk add --no-cache --virtual .nginx-build-deps \
     gcc \
-    gd-dev \
     geoip-dev \
     gnupg \
     libc-dev \
@@ -178,7 +174,6 @@ RUN set -x ; \
   make -j$(getconf _NPROCESSORS_ONLN) ; \
   mv objs/nginx objs/nginx-debug ; \
   mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so ; \
-  mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so ; \
   mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so ; \
   mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so ; \
   mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so ; \
@@ -191,7 +186,6 @@ RUN set -x ; \
   install -m644 html/50x.html /usr/share/nginx/html/ ; \
   install -m755 objs/nginx-debug /usr/sbin/nginx-debug ; \
   install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so ; \
-  install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so ; \
   install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so ; \
   install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so ; \
   install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so ; \
@@ -214,7 +208,7 @@ RUN set -x ; \
       | xargs -r apk info --installed \
       | sort -u \
   )" ; \
-  apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap stunnel supervisor tini tzdata; \
+  apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap shadow stunnel supervisor tini tzdata; \
   update-ca-certificates; \
   apk del .nginx-build-deps ; \
   apk del .gettext ; \
diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile
index 41845556a..7e64fe440 100644
--- a/Dockerfiles/opensearch.Dockerfile
+++ b/Dockerfiles/opensearch.Dockerfile
@@ -42,8 +42,9 @@ ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/
 
 # Remove the opensearch-security plugin - Malcolm manages authentication and encryption via NGINX reverse proxy
 # Remove the performance-analyzer plugin - Reduce resources in docker image
-RUN yum install -y openssl util-linux procps rsync && \
-  yum upgrade -y && \
+RUN yum upgrade -y && \
+  yum install -y openssl util-linux procps rsync && \
+  yum remove -y vim-* && \
   /usr/share/opensearch/bin/opensearch-plugin remove opensearch-security --purge && \
   /usr/share/opensearch/bin/opensearch-plugin remove opensearch-performance-analyzer --purge && \
   echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0\nbootstrap.memory_lock: true\nhttp.cors.enabled: true\nhttp.cors.allow-origin: "*"\nhttp.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE\nhttp.cors.allow-headers: "kbn-version, Origin, X-Requested-With, Content-Type, Accept, Engaged-Auth-Token Authorization"' > /usr/share/opensearch/config/opensearch.yml && \

From e5405bb36e8ea9f63d025b28aead33904df20744 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 22 Nov 2023 08:57:43 -0700
Subject: [PATCH 58/82] idaholab/Malcolm#280, update existing prefixes to VRF
 on startup for backwards compatibility

---
 netbox/scripts/netbox_init.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index 19d75ee95..ac93af265 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -830,10 +830,16 @@ def main():
 
         # ###### Missing prefix descriptions from VRF names (see idaholab/Malcolm#280) ##################################
         try:
-            pass
-            # TODO
+            for prefix in [x for x in nb.ipam.prefixes.filter(description__empty=True) if x.vrf]:
+                logging.debug(f"Updating prefix {str(prefix)}'s description to {str(prefix.vrf)}")
+                prefix.update(
+                    {
+                        "description": str(prefix.vrf),
+                    }
+                )
+
         except Exception as e:
-            logging.error(f"{type(e).__name__} migrating ipam_vrf.name to ipam_prefix.description: {e}")
+            logging.error(f"{type(e).__name__} migrating prefix VRF to prefix description: {e}")
 
         # ###### Netbox-Initializers ###################################################################################
         if os.path.isfile(netboxVenvPy) and os.path.isfile(manageScript) and os.path.isdir(args.preloadDir):

From 2bd95783dfbd866f02dd6148ed8f4cbe3eacc100 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 22 Nov 2023 09:52:27 -0700
Subject: [PATCH 59/82] rework y axis of results visualization

---
 dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
index fa067946e..a00e4c84a 100644
--- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
+++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
@@ -216,7 +216,7 @@
       "version": "Wzk2MCwxXQ==",
       "attributes": {
         "title": "Top Results by Service",
-        "visState": "{\"title\":\"Top Results by Service\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"network.protocol\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"event.result\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"Protocol\\\", \\\"Result\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"left\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.result\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
+        "visState": "{\"title\":\"Top Results by Service\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n  // thanks to:\\n  // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n  // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n  $schema: https://vega.github.io/schema/vega/v3.0.json\\n  data: [\\n    {\\n      // query ES based on the currently selected time range and filter string\\n      name: rawData\\n      url: {\\n        %context%: true\\n        %timefield%: firstPacket\\n        index: arkime_sessions3-*\\n        body: {\\n          size: 0\\n          aggs: {\\n            table: {\\n              composite: {\\n                size: 10000\\n                sources: [\\n                  {\\n                    stk1: {\\n                      terms: {field: \\\"network.protocol\\\"}\\n                    }\\n                  }\\n                  {\\n                    stk2: {\\n                      terms: {field: \\\"event.result\\\"}\\n                    }\\n                  }\\n                ]\\n              }\\n            }\\n          }\\n        }\\n      }\\n      // From the result, take just the data we are interested in\\n      format: {property: \\\"aggregations.table.buckets\\\"}\\n      // Convert key.stk1 -> stk1 for simpler access below\\n      transform: [\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n        {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n      ]\\n    }\\n    {\\n      name: nodes\\n      source: rawData\\n      transform: [\\n        // when a value is selected, filter out unrelated data\\n        {\\n          type: filter\\n          expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n        }\\n        // Set new key for later lookups - identifies each node\\n        {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n        // instead of each table row, create two new rows,\\n        // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n        // The values stored in stk1 and stk2 fields is placed into grpId field.\\n        {\\n          type: fold\\n          fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n          as: [\\\"stack\\\", \\\"grpId\\\"]\\n        }\\n        // Create a sortkey, different for stk1 and stk2 stacks.\\n        // Space separator ensures proper sort order in some corner cases.\\n        {\\n          type: formula\\n          expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n          as: sortField\\n        }\\n        // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n        // independently for each stack, and ensuring they are in the proper order,\\n        // alphabetical from the top (reversed on the y axis)\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n          field: size\\n        }\\n        // calculate vertical center point for each node, used to draw edges\\n        {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n      ]\\n    }\\n    {\\n      name: groups\\n      source: nodes\\n      transform: [\\n        // combine all nodes into groups, summing up the doc counts\\n        {\\n          type: aggregate\\n          groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n          fields: [\\\"size\\\"]\\n          ops: [\\\"sum\\\"]\\n          as: [\\\"total\\\"]\\n        }\\n        // re-calculate the stacking y0,y1 values\\n        {\\n          type: stack\\n          groupby: [\\\"stack\\\"]\\n          sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n          field: total\\n        }\\n        // project y0 and y1 values to screen coordinates\\n        // doing it once here instead of doing it several times in marks\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n        {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n        // boolean flag if the label should be on the right of the stack\\n        {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n        // Calculate percentage for this value using \\\"y\\\" scale\\n        // domain upper bound, which represents the total\\n        {\\n          type: formula\\n          expr: datum.total/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n    {\\n      // This is a temp lookup table with all the 'stk2' stack nodes\\n      name: destinationNodes\\n      source: nodes\\n      transform: [\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n      ]\\n    }\\n    {\\n      name: edges\\n      source: nodes\\n      transform: [\\n        // we only want nodes from the left stack\\n        {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n        // find corresponding node from the right stack, keep it as \\\"target\\\"\\n        {\\n          type: lookup\\n          from: destinationNodes\\n          key: key\\n          fields: [\\\"key\\\"]\\n          as: [\\\"target\\\"]\\n        }\\n        // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n        {\\n          type: linkpath\\n          orient: horizontal\\n          shape: diagonal\\n          sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n          sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n          targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n          targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n        }\\n        // A little trick to calculate the thickness of the line.\\n        // The value needs to be the same as the hight of the node, but scaling\\n        // size to screen's height gives inversed value because screen's Y\\n        // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n        // is at the bottom. So subtracting scaled doc count from screen height\\n        // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n        {\\n          type: formula\\n          expr: range('y')[0]-scale('y', datum.size)\\n          as: strokeWidth\\n        }\\n        // Tooltip needs individual link's percentage of all values\\n        {\\n          type: formula\\n          expr: datum.size/domain('y')[1]\\n          as: percentage\\n        }\\n      ]\\n    }\\n  ]\\n  scales: [\\n    {\\n      // calculates horizontal stack positioning\\n      name: x\\n      type: band\\n      range: width\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n      paddingOuter: 0.05\\n      paddingInner: 0.95\\n    }\\n    {\\n      // this scale goes up as high as the highest y1 value of all nodes\\n      name: y\\n      type: linear\\n      range: height\\n      domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n    }\\n    {\\n      // use rawData to ensure the colors stay the same when clicking.\\n      name: color\\n      type: ordinal\\n      range: category\\n      domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n    }\\n    {\\n      // this scale is used to map internal ids (stk1, stk2) to stack names\\n      name: stackNames\\n      type: ordinal\\n      range: [\\\"Protocol\\\", \\\"Result\\\"]\\n      domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n    }\\n  ]\\n  axes: [\\n    {\\n      // x axis should use custom label formatting to print proper stack names\\n      orient: bottom\\n      scale: x\\n      encode: {\\n        labels: {\\n          update: {\\n            text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n          }\\n        }\\n      }\\n    }\\n    {orient: \\\"right\\\", scale: \\\"y\\\"}\\n  ]\\n  marks: [\\n    {\\n      // draw the connecting line between stacks\\n      type: path\\n      name: edgeMark\\n      from: {data: \\\"edges\\\"}\\n      // this prevents some autosizing issues with large strokeWidth for paths\\n      clip: true\\n      encode: {\\n        update: {\\n          // By default use color of the left node, except when showing contributors\\n          // from just one value, in which case use destination color.\\n          stroke: [\\n            {\\n              test: groupSelector && groupSelector.stack=='stk1'\\n              scale: color\\n              field: stk2\\n            }\\n            {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n          ]\\n          strokeWidth: {field: \\\"strokeWidth\\\"}\\n          path: {field: \\\"path\\\"}\\n          // when showing all data, and hovering over a value,\\n          // highlight the contributors for that value\\n          strokeOpacity: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n          }\\n          // Ensure that the hover-selected edges show on top\\n          zindex: {\\n            signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n          }\\n          // format tooltip string\\n          tooltip: {\\n            signal: datum.stk1 + ' → ' + datum.stk2 + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        // Simple mouseover highlighting of a single line\\n        hover: {\\n          strokeOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw stack groups (countries)\\n      type: rect\\n      name: groupMark\\n      from: {data: \\\"groups\\\"}\\n      encode: {\\n        enter: {\\n          fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n          width: {scale: \\\"x\\\", band: 1}\\n        }\\n        update: {\\n          x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n          y: {field: \\\"scaledY0\\\"}\\n          y2: {field: \\\"scaledY1\\\"}\\n          fillOpacity: {value: 0.6}\\n          tooltip: {\\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\\n          }\\n        }\\n        hover: {\\n          fillOpacity: {value: 1}\\n        }\\n      }\\n    }\\n    {\\n      // draw labels on the inner side of the stack\\n      type: text\\n      from: {data: \\\"groups\\\"}\\n      // don't process events for the labels - otherwise line mouseover is unclean\\n      interactive: false\\n      encode: {\\n        update: {\\n          // depending on which stack it is, position x with some padding\\n          x: {\\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n          }\\n          // middle of the group\\n          yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n          align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n          baseline: {value: \\\"middle\\\"}\\n          fontWeight: {value: \\\"bold\\\"}\\n          // only show text label if the group's height is large enough\\n          text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n        }\\n      }\\n    }\\n    {\\n      // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n      type: group\\n      data: [\\n        // We need to make the button show only when groupSelector signal is true.\\n        // Each mark is drawn as many times as there are elements in the backing data.\\n        // Which means that if values list is empty, it will not be drawn.\\n        // Here I create a data source with one empty object, and filter that list\\n        // based on the signal value. This can only be done in a group.\\n        {\\n          name: dataForShowAll\\n          values: [{}]\\n          transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n        }\\n      ]\\n      // Set button size and positioning\\n      encode: {\\n        enter: {\\n          xc: {signal: \\\"width/2\\\"}\\n          y: {value: 30}\\n          width: {value: 80}\\n          height: {value: 30}\\n        }\\n      }\\n      marks: [\\n        {\\n          // This group is shown as a button with rounded corners.\\n          type: group\\n          // mark name allows signal capturing\\n          name: groupReset\\n          // Only shows button if dataForShowAll has values.\\n          from: {data: \\\"dataForShowAll\\\"}\\n          encode: {\\n            enter: {\\n              cornerRadius: {value: 6}\\n              fill: {value: \\\"#f5f5f5\\\"}\\n              stroke: {value: \\\"#c1c1c1\\\"}\\n              strokeWidth: {value: 2}\\n              // use parent group's size\\n              height: {\\n                field: {group: \\\"height\\\"}\\n              }\\n              width: {\\n                field: {group: \\\"width\\\"}\\n              }\\n            }\\n            update: {\\n              // groups are transparent by default\\n              opacity: {value: 1}\\n            }\\n            hover: {\\n              opacity: {value: 0.7}\\n            }\\n          }\\n          marks: [\\n            {\\n              type: text\\n              // if true, it will prevent clicking on the button when over text.\\n              interactive: false\\n              encode: {\\n                enter: {\\n                  // center text in the paren group\\n                  xc: {\\n                    field: {group: \\\"width\\\"}\\n                    mult: 0.5\\n                  }\\n                  yc: {\\n                    field: {group: \\\"height\\\"}\\n                    mult: 0.5\\n                    offset: 2\\n                  }\\n                  align: {value: \\\"center\\\"}\\n                  baseline: {value: \\\"middle\\\"}\\n                  fontWeight: {value: \\\"bold\\\"}\\n                  text: {value: \\\"Show All\\\"}\\n                }\\n              }\\n            }\\n          ]\\n        }\\n      ]\\n    }\\n  ]\\n  signals: [\\n    {\\n      // used to highlight data to/from the same value\\n      name: groupHover\\n      value: {}\\n      on: [\\n        {\\n          events: @groupMark:mouseover\\n          update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n        }\\n        {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n      ]\\n    }\\n    // used to filter only the data related to the selected value\\n    {\\n      name: groupSelector\\n      value: false\\n      on: [\\n        {\\n          // Clicking groupMark sets this signal to the filter values\\n          events: @groupMark:click!\\n          update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.result\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n        }\\n        {\\n          // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n          events: [\\n            {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n            {type: \\\"dblclick\\\"}\\n          ]\\n          update: \\\"false\\\"\\n        }\\n      ]\\n    }\\n  ]\\n}\"}}",
         "uiStateJSON": "{}",
         "description": "",
         "version": 1,

From 280861879a1487b8f0fc42c03121222cbd20cda0 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 27 Nov 2023 08:14:02 -0700
Subject: [PATCH 60/82] update supercronic to v0.2.28
 (https://github.com/aptible/supercronic/releases/tag/v0.2.28)

---
 Dockerfiles/dashboards-helper.Dockerfile | 4 ++--
 Dockerfiles/file-monitor.Dockerfile      | 4 ++--
 Dockerfiles/file-upload.Dockerfile       | 4 ++--
 Dockerfiles/filebeat.Dockerfile          | 4 ++--
 Dockerfiles/netbox.Dockerfile            | 4 ++--
 Dockerfiles/suricata.Dockerfile          | 4 ++--
 Dockerfiles/zeek.Dockerfile              | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
index 372bd2210..962d5d402 100644
--- a/Dockerfiles/dashboards-helper.Dockerfile
+++ b/Dockerfiles/dashboards-helper.Dockerfile
@@ -47,10 +47,10 @@ ENV DASHBOARDS_URL $DASHBOARDS_URL
 ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE
 ENV PATH="/data:${PATH}"
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV ECS_RELEASES_URL "https://api.github.com/repos/elastic/ecs/releases/latest"
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile
index 7a3c48efe..9f7ea6643 100644
--- a/Dockerfiles/file-monitor.Dockerfile
+++ b/Dockerfiles/file-monitor.Dockerfile
@@ -93,10 +93,10 @@ ENV EXTRACTED_FILE_HTTP_SERVER_ENCRYPT $EXTRACTED_FILE_HTTP_SERVER_ENCRYPT
 ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY
 ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/
diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile
index b64cc998e..a65ac226f 100644
--- a/Dockerfiles/file-upload.Dockerfile
+++ b/Dockerfiles/file-upload.Dockerfile
@@ -49,10 +49,10 @@ ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH
 ARG STALE_UPLOAD_DELETE_MIN=360
 ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 COPY --from=npmget /usr/local/lib/node_modules/filepond /var/www/upload/filepond
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index f6f069eb2..22c6b6a9f 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -61,10 +61,10 @@ ARG FILEBEAT_TCP_PARSE_TARGET_FIELD=""
 ARG FILEBEAT_TCP_PARSE_DROP_FIELD=""
 ARG FILEBEAT_TCP_TAG="_malcolm_beats"
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV TINI_VERSION v0.19.0
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index d4c64ad41..376430171 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -24,10 +24,10 @@ ENV PUSER "ubuntu"
 ENV PGROUP "ubuntu"
 ENV PUSER_PRIV_DROP true
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV YQ_VERSION "4.33.3"
diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index 66fa29c34..a58988bc8 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -30,10 +30,10 @@ ENV PGROUP "suricata"
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV YQ_VERSION "4.33.3"
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index 248ae4789..a06c1aa5c 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -94,10 +94,10 @@ ENV PGROUP "zeeker"
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
 
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 # for download and install

From ff81092b24b4c25b4922ae19698e98c0d23389e4 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 27 Nov 2023 08:19:08 -0700
Subject: [PATCH 61/82] update supercronic to v0.2.28
 (https://github.com/aptible/supercronic/releases/tag/v0.2.28)

---
 Dockerfiles/dashboards-helper.Dockerfile | 2 +-
 Dockerfiles/file-monitor.Dockerfile      | 2 +-
 Dockerfiles/file-upload.Dockerfile       | 2 +-
 Dockerfiles/filebeat.Dockerfile          | 2 +-
 Dockerfiles/netbox.Dockerfile            | 2 +-
 Dockerfiles/suricata.Dockerfile          | 2 +-
 Dockerfiles/zeek.Dockerfile              | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
index 962d5d402..72d86bf73 100644
--- a/Dockerfiles/dashboards-helper.Dockerfile
+++ b/Dockerfiles/dashboards-helper.Dockerfile
@@ -50,7 +50,7 @@ ENV PATH="/data:${PATH}"
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV ECS_RELEASES_URL "https://api.github.com/repos/elastic/ecs/releases/latest"
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile
index 9f7ea6643..6bfd6b86e 100644
--- a/Dockerfiles/file-monitor.Dockerfile
+++ b/Dockerfiles/file-monitor.Dockerfile
@@ -96,7 +96,7 @@ ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/
diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile
index a65ac226f..35175bc9a 100644
--- a/Dockerfiles/file-upload.Dockerfile
+++ b/Dockerfiles/file-upload.Dockerfile
@@ -52,7 +52,7 @@ ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 COPY --from=npmget /usr/local/lib/node_modules/filepond /var/www/upload/filepond
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index 22c6b6a9f..b8c4fcdbc 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -64,7 +64,7 @@ ARG FILEBEAT_TCP_TAG="_malcolm_beats"
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV TINI_VERSION v0.19.0
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 376430171..6409fc989 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -27,7 +27,7 @@ ENV PUSER_PRIV_DROP true
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV YQ_VERSION "4.33.3"
diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index a58988bc8..e3b4638e5 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -33,7 +33,7 @@ ENV PUSER_RLIMIT_UNLOCK true
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 ENV YQ_VERSION "4.33.3"
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index a06c1aa5c..b38defd66 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -97,7 +97,7 @@ ENV PUSER_RLIMIT_UNLOCK true
 ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "c646d115c152545765b7eea0f5c3591849f6d7c6"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 
 # for download and install

From 0a1bf3613d403828399fc101cc0e194e8a6effd7 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 27 Nov 2023 21:09:07 -0700
Subject: [PATCH 62/82] flesh out automatic config for virter

---
 .../malcolm-setup-01-external-tools.toml      |  8 ++++
 .../malcolm-setup-02-clone-install.toml       | 37 ++++++++++++++++++-
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
index efe878dc3..229af538e 100644
--- a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
+++ b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
@@ -22,9 +22,17 @@ if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then
     "https://github.com/antonmedv/fx|^fx_linux_amd64$|"$HOME"/.local/bin/fx|755"
     "https://github.com/aptible/supercronic|^supercronic-linux-amd64$|"$HOME"/.local/bin/supercronic|755"
     "https://github.com/boringproxy/boringproxy|^boringproxy-linux-x86_64$|"$HOME"/.local/bin/boringproxy|755"
+    "https://github.com/eza-community/eza|^eza_x86_64-unknown-linux-musl\.tar\.gz$|/tmp/eza.tar.gz"
     "https://github.com/FiloSottile/age|^age-v.+-linux-amd64\.tar\.gz$|/tmp/age.tar.gz"
+    "https://github.com/neilotoole/sq|^sq-.+amd64-amd64\.tar\.gz$|/tmp/sq.tar.gz"
+    "https://github.com/peco/peco|^peco_linux_amd64\.tar\.gz$|/tmp/peco.tar.gz"
+    "https://github.com/sachaos/viddy|^viddy_Linux_x86_64\.tar\.gz$|/tmp/viddy.tar.gz"
     "https://github.com/schollz/croc|^croc_.+_Linux-64bit\.tar\.gz$|/tmp/croc.tar.gz"
+    "https://github.com/schollz/hostyoself|^hostyoself_.+_Linux-64bit\.tar\.gz$|/tmp/hostyoself.tar.gz"
     "https://github.com/smallstep/cli|^step_linux_.+_amd64\.tar\.gz$|/tmp/step.tar.gz"
+    "https://github.com/wader/fq|^fq_.+_linux_amd64\.tar\.gz$|/tmp/fq.tar.gz"
+    "https://github.com/watchexec/watchexec|^watchexec-.+-x86_64-unknown-linux-musl\.tar\.xz$|/tmp/watchexec.tar.xz"
+    "https://github.com/Wilfred/difftastic|^difft-x86_64-unknown-linux-gnu\.tar\.gz$|/tmp/difft.tar.gz"
   )
 
   for i in ${ASSETS[@]}; do
diff --git a/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml
index 297e537da..148577384 100644
--- a/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml
+++ b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml
@@ -46,8 +46,41 @@ popd
 # Configure Malcolm on first login
 if [[ $- == *i* ]] && [[ -d ~/Malcolm ]] &&  [[ ! -f ~/Malcolm/.configured ]]; then
     pushd ~/Malcolm >/dev/null 2>&1
-    ./scripts/configure
-    ./scripts/auth_setup
+
+    python3 ./scripts/configure \
+        --defaults \
+        --restart-malcolm \
+        --auto-suricata \
+        --auto-zeek \
+        --zeek-ics \
+        --zeek-ics-best-guess \
+        --auto-oui \
+        --auto-freq \
+        --file-extraction interesting \
+        --file-preservation quarantined \
+        --extracted-file-server \
+        --extracted-file-server-password infected \
+        --extracted-file-clamav \
+        --extracted-file-yara \
+        --netbox \
+        --netbox-enrich \
+        --netbox-autopopulate false \
+        --netbox-preload-prefixes \
+        --netbox-site-name malcolm
+
+    # username: analyst
+    # password: M@lc0lm
+    python3 ./scripts/auth_setup \
+        --auth-noninteractive \
+        --auth-admin-username analyst \
+        --auth-admin-password-openssl '$1$owXoS5pf$YesZKhhWS0d3zVUUhdcef0' \
+        --auth-admin-password-htpasswd '$2y$05$a8jiJsLZ1mFnt5srJD3HAOKC8IUaZcOlsqp8txBlmMjW6wUXUtN3S' \
+        --auth-generate-webcerts \
+        --auth-generate-fwcerts \
+        --auth-generate-netbox-passwords
+
+    python3 ./scripts/start
+
     popd >/dev/null 2>&1
     clear
     cat << 'EOT'

From 9059cf2c59003b4c08eb60a44474c4f9eda75118 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 28 Nov 2023 08:00:55 -0700
Subject: [PATCH 63/82] one minor tweak to idaholab/Malcolm#147, allow vega
 visualizations to import for elasticsearch

---
 dashboards/scripts/create-arkime-sessions-index.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/dashboards/scripts/create-arkime-sessions-index.sh b/dashboards/scripts/create-arkime-sessions-index.sh
index fc5905513..c839d0fd9 100755
--- a/dashboards/scripts/create-arkime-sessions-index.sh
+++ b/dashboards/scripts/create-arkime-sessions-index.sh
@@ -197,8 +197,12 @@ if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]] ; then
           DASHBOARDS_IMPORT_DIR="$(mktemp -d -t dashboards-XXXXXX)"
           cp /opt/dashboards/*.json "${DASHBOARDS_IMPORT_DIR}"/
           for i in "${DASHBOARDS_IMPORT_DIR}"/*.json; do
-            # strip out Arkime and NetBox links from dashboards' navigation pane when doing Kibana import (idaholab/Malcolm#286)
-            [[ "$DATASTORE_TYPE" == "elasticsearch" ]] && sed -i 's/  \\\\n\[↪ NetBox\](\/netbox\/)  \\\\n\[↪ Arkime\](\/sessions)//' "$i"
+            if [[ "$DATASTORE_TYPE" == "elasticsearch" ]]; then
+              # strip out Arkime and NetBox links from dashboards' navigation pane when doing Kibana import (idaholab/Malcolm#286)
+              sed -i 's/  \\\\n\[↪ NetBox\](\/netbox\/)  \\\\n\[↪ Arkime\](\/sessions)//' "$i"
+              # take care of a few other substitutions
+              sed -i 's/opensearchDashboardsAddFilter/kibanaAddFilter/g' "$i"
+            fi
             curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/$DASHBOARDS_URI_PATH/dashboards/import?force=true" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "@$i"
           done
           rm -rf "${DASHBOARDS_IMPORT_DIR}"

From 2331293188005a2c65371d476f327bd20ca32a74 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Tue, 28 Nov 2023 14:20:39 -0700
Subject: [PATCH 64/82] idaholab/Malcolm#301, allow configuration of docker's
 logging driver to prevent disk-exhaustion

---
 docker-compose-standalone.yml | 30 ++++++++++++++++++++++++++++++
 docker-compose.yml            | 30 ++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 684e4a808..61e02840f 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -2,6 +2,14 @@
 
 version: '3.7'
 
+x-logging:
+  &default-logging
+  driver: local
+  options:
+    max-size: 200m
+    max-file: 2
+    compress: "false"
+
 services:
   opensearch:
     image: ghcr.io/idaholab/malcolm/opensearch:23.11.0
@@ -10,6 +18,7 @@ services:
     #   start but not actually run OpenSearch. It's included in both profiles to
     #   satisfy some other containers' depends_on.
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -44,6 +53,7 @@ services:
   dashboards-helper:
     image: ghcr.io/idaholab/malcolm/dashboards-helper:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -73,6 +83,7 @@ services:
   dashboards:
     image: ghcr.io/idaholab/malcolm/dashboards:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -100,6 +111,7 @@ services:
   logstash:
     image: ghcr.io/idaholab/malcolm/logstash-oss:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -143,6 +155,7 @@ services:
   filebeat:
     image: ghcr.io/idaholab/malcolm/filebeat-oss:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -178,6 +191,7 @@ services:
     image: ghcr.io/idaholab/malcolm/arkime:23.11.0
     # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?)
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -217,6 +231,7 @@ services:
   zeek:
     image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -256,6 +271,7 @@ services:
   zeek-live:
     image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -285,6 +301,7 @@ services:
   suricata:
     image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -320,6 +337,7 @@ services:
   suricata-live:
     image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -347,6 +365,7 @@ services:
   file-monitor:
     image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -374,6 +393,7 @@ services:
   pcap-capture:
     image: ghcr.io/idaholab/malcolm/pcap-capture:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -397,6 +417,7 @@ services:
   pcap-monitor:
     image: ghcr.io/idaholab/malcolm/pcap-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -424,6 +445,7 @@ services:
   upload:
     image: ghcr.io/idaholab/malcolm/file-upload:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -450,6 +472,7 @@ services:
   htadmin:
     image: ghcr.io/idaholab/malcolm/htadmin:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -476,6 +499,7 @@ services:
   freq:
     image: ghcr.io/idaholab/malcolm/freq:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -499,6 +523,7 @@ services:
   netbox:
     image: ghcr.io/idaholab/malcolm/netbox:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -532,6 +557,7 @@ services:
   netbox-postgres:
     image: ghcr.io/idaholab/malcolm/postgresql:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -557,6 +583,7 @@ services:
   netbox-redis:
     image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -586,6 +613,7 @@ services:
   netbox-redis-cache:
     image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -614,6 +642,7 @@ services:
   api:
     image: ghcr.io/idaholab/malcolm/api:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     command: gunicorn --bind 0:5000 manage:app
     restart: "no"
     stdin_open: false
@@ -640,6 +669,7 @@ services:
   nginx-proxy:
     image: ghcr.io/idaholab/malcolm/nginx-proxy:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
diff --git a/docker-compose.yml b/docker-compose.yml
index c38dc4b04..2d9bb36ac 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,6 +2,14 @@
 
 version: '3.7'
 
+x-logging:
+  &default-logging
+  driver: local
+  options:
+    max-size: 200m
+    max-file: 2
+    compress: "false"
+
 services:
   opensearch:
     build:
@@ -13,6 +21,7 @@ services:
     #   start but not actually run OpenSearch. It's included in both profiles to
     #   satisfy some other containers' depends_on.
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -50,6 +59,7 @@ services:
       dockerfile: Dockerfiles/dashboards-helper.Dockerfile
     image: ghcr.io/idaholab/malcolm/dashboards-helper:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -82,6 +92,7 @@ services:
       dockerfile: Dockerfiles/dashboards.Dockerfile
     image: ghcr.io/idaholab/malcolm/dashboards:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -112,6 +123,7 @@ services:
       dockerfile: Dockerfiles/logstash.Dockerfile
     image: ghcr.io/idaholab/malcolm/logstash-oss:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -162,6 +174,7 @@ services:
       dockerfile: Dockerfiles/filebeat.Dockerfile
     image: ghcr.io/idaholab/malcolm/filebeat-oss:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -200,6 +213,7 @@ services:
     image: ghcr.io/idaholab/malcolm/arkime:23.11.0
     # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?)
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -245,6 +259,7 @@ services:
       dockerfile: Dockerfiles/zeek.Dockerfile
     image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -288,6 +303,7 @@ services:
       dockerfile: Dockerfiles/zeek.Dockerfile
     image: ghcr.io/idaholab/malcolm/zeek:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -321,6 +337,7 @@ services:
       dockerfile: Dockerfiles/suricata.Dockerfile
     image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -359,6 +376,7 @@ services:
       dockerfile: Dockerfiles/suricata.Dockerfile
     image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -389,6 +407,7 @@ services:
       dockerfile: Dockerfiles/file-monitor.Dockerfile
     image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -419,6 +438,7 @@ services:
       dockerfile: Dockerfiles/pcap-capture.Dockerfile
     image: ghcr.io/idaholab/malcolm/pcap-capture:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -445,6 +465,7 @@ services:
       dockerfile: Dockerfiles/pcap-monitor.Dockerfile
     image: ghcr.io/idaholab/malcolm/pcap-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -475,6 +496,7 @@ services:
       dockerfile: Dockerfiles/file-upload.Dockerfile
     image: ghcr.io/idaholab/malcolm/file-upload:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true
@@ -501,6 +523,7 @@ services:
   htadmin:
     image: ghcr.io/idaholab/malcolm/htadmin:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/htadmin.Dockerfile
@@ -530,6 +553,7 @@ services:
   freq:
     image: ghcr.io/idaholab/malcolm/freq:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/freq.Dockerfile
@@ -556,6 +580,7 @@ services:
   netbox:
     image: ghcr.io/idaholab/malcolm/netbox:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/netbox.Dockerfile
@@ -592,6 +617,7 @@ services:
   netbox-postgres:
     image: ghcr.io/idaholab/malcolm/postgresql:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/postgresql.Dockerfile
@@ -620,6 +646,7 @@ services:
   netbox-redis:
     image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/redis.Dockerfile
@@ -652,6 +679,7 @@ services:
   netbox-redis-cache:
     image: ghcr.io/idaholab/malcolm/redis:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/redis.Dockerfile
@@ -683,6 +711,7 @@ services:
   api:
     image: ghcr.io/idaholab/malcolm/api:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     build:
       context: .
       dockerfile: Dockerfiles/api.Dockerfile
@@ -715,6 +744,7 @@ services:
       dockerfile: Dockerfiles/nginx.Dockerfile
     image: ghcr.io/idaholab/malcolm/nginx-proxy:23.11.0
     profiles: ["malcolm"]
+    logging: *default-logging
     restart: "no"
     stdin_open: false
     tty: true

From 70684fbeaeebae8e83dcb879116f94dc65e31ae9 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 29 Nov 2023 14:13:07 -0700
Subject: [PATCH 65/82] idaholab/Malcolm#302, allow user to include other
 suricata config YML files

---
 Dockerfiles/suricata.Dockerfile               |  6 +-
 docker-compose-standalone.yml                 |  3 +-
 docker-compose.yml                            |  3 +-
 docs/contributing-local-modifications.md      |  2 +
 kubernetes/11-suricata.yml                    |  7 +-
 kubernetes/22-suricata-live.yml               | 12 +++-
 malcolm-iso/build.sh                          |  1 +
 scripts/malcolm_appliance_packager.sh         |  1 +
 scripts/malcolm_kubernetes.py                 |  6 ++
 scripts/malcolm_utils.py                      | 10 +++
 .../suricata_config_populate.sh               |  4 +-
 sensor-iso/interface/sensor_ctl/supervisor.sh |  2 +-
 shared/bin/sensor-init.sh                     |  2 +-
 shared/bin/suricata_config_populate.py        | 67 +++++++++++++------
 shared/bin/suricata_update_config_populate.py | 20 ------
 suricata/include-configs/.gitignore           |  3 +
 16 files changed, 99 insertions(+), 50 deletions(-)
 create mode 100644 suricata/include-configs/.gitignore

diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index e3b4638e5..ae4539970 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -42,6 +42,7 @@ ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_
 ENV SURICATA_CONFIG_DIR /etc/suricata
 ENV SURICATA_CONFIG_FILE "$SURICATA_CONFIG_DIR"/suricata.yaml
 ENV SURICATA_CUSTOM_RULES_DIR /opt/suricata/rules
+ENV SURICATA_CUSTOM_CONFIG_DIR /opt/suricata/include-configs
 ENV SURICATA_LOG_DIR /var/log/suricata
 ENV SURICATA_MANAGED_DIR /var/lib/suricata
 ENV SURICATA_MANAGED_RULES_DIR "$SURICATA_MANAGED_DIR/rules"
@@ -116,8 +117,8 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour
       usermod -a -G tty ${PUSER} && \
     ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_suricata_processor.py && \
         (echo "*/5 * * * * /usr/local/bin/eve-clean-logs.sh\n0 */6 * * * /bin/bash /usr/local/bin/suricata-update-rules.sh\n" > ${SUPERCRONIC_CRONTAB}) && \
-    mkdir -p "$SURICATA_CUSTOM_RULES_DIR" && \
-        chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" && \
+    mkdir -p "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
+        chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
     cp "$(dpkg -L suricata-update | grep 'update\.yaml$' | head -n 1)" \
         "$SURICATA_UPDATE_CONFIG_FILE" && \
     find /tmp/default-rules/ -not -path '*/.gitignore' -type f -exec cp "{}" "$SURICATA_CONFIG_DIR"/rules/ \; && \
@@ -183,6 +184,7 @@ ENV PUSER_CHOWN "$SURICATA_CONFIG_DIR;$SURICATA_MANAGED_DIR;$SURICATA_LOG_DIR;$S
 
 VOLUME ["$SURICATA_CONFIG_DIR"]
 VOLUME ["$SURICATA_CUSTOM_RULES_DIR"]
+VOLUME ["$SURICATA_CUSTOM_CONFIG_DIR"]
 VOLUME ["$SURICATA_LOG_DIR"]
 VOLUME ["$SURICATA_MANAGED_DIR"]
 VOLUME ["$SURICATA_RUN_DIR"]
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 61e02840f..f7a2c2a3a 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -189,7 +189,6 @@ services:
       start_period: 60s
   arkime:
     image: ghcr.io/idaholab/malcolm/arkime:23.11.0
-    # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?)
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -328,6 +327,7 @@ services:
       - ./suricata-logs:/var/log/suricata
       - ./pcap:/data/pcap
       - ./suricata/rules:/opt/suricata/rules:ro
+      - ./suricata/include-configs:/opt/suricata/include-configs:ro
     healthcheck:
       test: ["CMD", "supervisorctl", "status", "pcap-suricata"]
       interval: 30s
@@ -362,6 +362,7 @@ services:
       - ./nginx/ca-trust:/var/local/ca-trust:ro
       - ./suricata-logs:/var/log/suricata
       - ./suricata/rules:/opt/suricata/rules:ro
+      - ./suricata/include-configs:/opt/suricata/include-configs:ro
   file-monitor:
     image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
     profiles: ["malcolm", "hedgehog"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 2d9bb36ac..47ead0e34 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -211,7 +211,6 @@ services:
       context: .
       dockerfile: Dockerfiles/arkime.Dockerfile
     image: ghcr.io/idaholab/malcolm/arkime:23.11.0
-    # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?)
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -364,6 +363,7 @@ services:
       - ./suricata-logs:/var/log/suricata
       - ./pcap:/data/pcap
       - ./suricata/rules:/opt/suricata/rules:ro
+      - ./suricata/include-configs:/opt/suricata/include-configs:ro
     healthcheck:
       test: ["CMD", "supervisorctl", "status", "pcap-suricata"]
       interval: 30s
@@ -401,6 +401,7 @@ services:
       - ./nginx/ca-trust:/var/local/ca-trust:ro
       - ./suricata-logs:/var/log/suricata
       - ./suricata/rules:/opt/suricata/rules:ro
+      - ./suricata/include-configs:/opt/suricata/include-configs:ro
   file-monitor:
     build:
       context: .
diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md
index f449a9c11..c612f6b4c 100644
--- a/docs/contributing-local-modifications.md
+++ b/docs/contributing-local-modifications.md
@@ -60,10 +60,12 @@ suricata:
     - ./suricata-logs:/var/log/suricata
     - ./pcap:/data/pcap
     - ./suricata/rules:/opt/suricata/rules:ro
+    - ./suricata/include-configs:/opt/suricata/include-configs:ro
 suricata-live:
     - ./nginx/ca-trust:/var/local/ca-trust:ro
     - ./suricata-logs:/var/log/suricata
     - ./suricata/rules:/opt/suricata/rules:ro
+    - ./suricata/include-configs:/opt/suricata/include-configs:ro
 file-monitor:
     - ./nginx/ca-trust:/var/local/ca-trust:ro
     - ./zeek-logs/extract_files:/zeek/extract_files
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index 909e1791d..60a99c471 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -59,6 +59,8 @@ spec:
             name: suricata-offline-suricata-logs-volume
           - mountPath: "/opt/suricata/rules/configmap"
             name: suricata-offline-custom-rules-volume
+          - mountPath: "/opt/suricata/include-configs/configmap"
+            name: suricata-offline-custom-configs-volume
       initContainers:
       - name: suricata-offline-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
@@ -86,4 +88,7 @@ spec:
             claimName: suricata-claim
         - name: suricata-offline-custom-rules-volume
           configMap:
-            name: suricata-rules
\ No newline at end of file
+            name: suricata-rules
+        - name: suricata-offline-custom-configs-volume
+          configMap:
+            name: suricata-configs
\ No newline at end of file
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index 70431c864..5dee3fa68 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -49,6 +49,10 @@ spec:
             name: suricata-live-var-local-catrust-volume
           - mountPath: /var/log/suricata
             name: suricata-live-suricata-logs-volume
+          - mountPath: "/opt/suricata/rules/configmap"
+            name: suricata-live-custom-rules-volume
+          - mountPath: "/opt/suricata/include-configs/configmap"
+            name: suricata-live-custom-configs-volume
       initContainers:
       - name: suricata-live-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
@@ -70,4 +74,10 @@ spec:
             name: var-local-catrust
         - name: suricata-live-suricata-logs-volume
           persistentVolumeClaim:
-            claimName: suricata-claim
\ No newline at end of file
+            claimName: suricata-claim
+        - name: suricata-live-custom-rules-volume
+          configMap:
+            name: suricata-rules
+        - name: suricata-live-custom-configs-volume
+          configMap:
+            name: suricata-configs
\ No newline at end of file
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index 44f795369..a0fe784da 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -114,6 +114,7 @@ if [ -d "$WORKDIR" ]; then
   mkdir -p "$MALCOLM_DEST_DIR/scripts/"
   mkdir -p "$MALCOLM_DEST_DIR/suricata-logs/live/"
   mkdir -p "$MALCOLM_DEST_DIR/suricata/rules/"
+  mkdir -p "$MALCOLM_DEST_DIR/suricata/include-configs/"
   mkdir -p "$MALCOLM_DEST_DIR/yara/rules/"
   mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/current/"
   mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/extract_files/preserved/"
diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh
index b4bb406a5..3e04850eb 100755
--- a/scripts/malcolm_appliance_packager.sh
+++ b/scripts/malcolm_appliance_packager.sh
@@ -82,6 +82,7 @@ if mkdir "$DESTDIR"; then
   mkdir $VERBOSE -p "$DESTDIR/scripts/"
   mkdir $VERBOSE -p "$DESTDIR/suricata-logs/live/"
   mkdir $VERBOSE -p "$DESTDIR/suricata/rules/"
+  mkdir $VERBOSE -p "$DESTDIR/suricata/include-configs/"
   mkdir $VERBOSE -p "$DESTDIR/yara/rules/"
   mkdir $VERBOSE -p "$DESTDIR/zeek-logs/current/"
   mkdir $VERBOSE -p "$DESTDIR/zeek-logs/extract_files/preserved/"
diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py
index 0f63ae26b..6945a50f9 100644
--- a/scripts/malcolm_kubernetes.py
+++ b/scripts/malcolm_kubernetes.py
@@ -119,6 +119,12 @@
             'path': os.path.join(MalcolmPath, os.path.join('suricata', 'rules')),
         },
     ],
+    'suricata-configs': [
+        {
+            'secret': False,
+            'path': os.path.join(MalcolmPath, os.path.join('suricata', 'include-configs')),
+        },
+    ],
     'filebeat-certs': [
         {
             'secret': True,
diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py
index a6ab66515..cab6703d1 100644
--- a/scripts/malcolm_utils.py
+++ b/scripts/malcolm_utils.py
@@ -545,6 +545,16 @@ def touch(filename):
     os.utime(filename, None)
 
 
+###################################################################################################
+# append strings to a text file
+def append_to_file(filename, value):
+    with open(filename, "a") as f:
+        if isinstance(value, Iterable) and not isinstance(value, str):
+            f.write('\n'.join(value))
+        else:
+            f.write(value)
+
+
 ###################################################################################################
 # read the contents of a file, first assuming text (with encoding), optionally falling back to binary
 def file_contents(filename, encoding='utf-8', binary_fallback=False):
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh b/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh
index 5ce6a4eae..96473ab4b 100644
--- a/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh
+++ b/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh
@@ -11,9 +11,11 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r /usr/local/bin/suricata_config_populate.py
     [[ ! -f "$SUPERVISOR_PATH"/suricata/suricata.yaml ]] && cp /etc/suricata/suricata.yaml "$SUPERVISOR_PATH"/suricata/suricata.yaml
     [[ ! -f "$SUPERVISOR_PATH"/suricata/update.yaml ]] && cp "$(dpkg -L suricata-update | grep 'update\.yaml' | head -n 1)" "$SUPERVISOR_PATH"/suricata/update.yaml
 
-    # specify the custom rules directory relative to the supervisor path
+    # specify the custom rules and configuration directories relative to the supervisor path
     SURICATA_CUSTOM_RULES_DIR="$SUPERVISOR_PATH"/suricata/rules
+    SURICATA_CUSTOM_CONFIG_DIR="$SUPERVISOR_PATH"/suricata/include-configs
     [[ -d "$SURICATA_CUSTOM_RULES_DIR" ]] && export SURICATA_CUSTOM_RULES_DIR
+    [[ -d "$SURICATA_CUSTOM_CONFIG_DIR" ]] && export SURICATA_CUSTOM_CONFIG_DIR
 
     # all other arguments are controlled via environment variables sourced from control_vars.conf
     python3 /usr/local/bin/suricata_config_populate.py
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.sh b/sensor-iso/interface/sensor_ctl/supervisor.sh
index dc4920aee..7f1dc9241 100755
--- a/sensor-iso/interface/sensor_ctl/supervisor.sh
+++ b/sensor-iso/interface/sensor_ctl/supervisor.sh
@@ -81,7 +81,7 @@ mkdir -p "$SUPERVISOR_PATH/"{log,run}
 rm -f "$SUPERVISOR_PATH/"/log/*
 
 rm -rf /opt/sensor/sensor_ctl/zeek/intel/lock || true
-mkdir -p "$SUPERVISOR_PATH"/suricata/rules "$ZEEK_LOG_PATH"/suricata 2>/dev/null || true
+mkdir -p "$SUPERVISOR_PATH"/suricata/rules "$SUPERVISOR_PATH"/suricata/include-configs "$ZEEK_LOG_PATH"/suricata 2>/dev/null || true
 mkdir -p "$PCAP_PATH"/ 2>/dev/null || true
 mkdir -p "$SUPERVISOR_PATH"/supercronic 2>/dev/null && touch "$SUPERVISOR_PATH"/supercronic/crontab || true
 
diff --git a/shared/bin/sensor-init.sh b/shared/bin/sensor-init.sh
index 95d8a05d4..7a081f9ef 100755
--- a/shared/bin/sensor-init.sh
+++ b/shared/bin/sensor-init.sh
@@ -66,7 +66,7 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then
   if dpkg -s suricata >/dev/null 2>&1 ; then
     mkdir -p /etc/suricata/rules /var/log/suricata /var/lib/suricata/rules
     if [[ -d /opt/sensor/sensor_ctl ]]; then
-      mkdir -p /opt/sensor/sensor_ctl/suricata/rules
+      mkdir -p /opt/sensor/sensor_ctl/suricata/rules /opt/sensor/sensor_ctl/suricata/include-configs
       [[ ! -f /opt/sensor/sensor_ctl/suricata/suricata.yaml ]] && cp /etc/suricata/suricata.yaml /opt/sensor/sensor_ctl/suricata/suricata.yaml
       [[ ! -f /opt/sensor/sensor_ctl/suricata/update.yaml ]] && cp "$(dpkg -L suricata-update | grep 'update\.yaml' | head -n 1)" /opt/sensor/sensor_ctl/suricata/update.yaml
     fi
diff --git a/shared/bin/suricata_config_populate.py b/shared/bin/suricata_config_populate.py
index 85977b525..9f07e6982 100755
--- a/shared/bin/suricata_config_populate.py
+++ b/shared/bin/suricata_config_populate.py
@@ -27,7 +27,7 @@
 from shutil import move as MoveFile, copyfile as CopyFile
 from subprocess import PIPE, Popen
 
-from malcolm_utils import val2bool, deep_set, pushd, run_process
+from malcolm_utils import val2bool, deep_set, pushd, run_process, append_to_file
 
 ###################################################################################################
 args = None
@@ -49,26 +49,6 @@ def __call__(self, repr, data):
         return ret_val
 
 
-###################################################################################################
-def ObjToYamlStrLines(obj, options=None):
-    outputStr = None
-    if options is None:
-        options = {}
-
-    yaml = YAML()
-    yaml.preserve_quotes = False
-    yaml.representer.ignore_aliases = lambda x: True
-    yaml.representer.add_representer(type(None), NullRepresenter())
-    yaml.boolean_representation = ['no', 'yes']
-    yaml.version = YAML_VERSION
-
-    with StringIO() as stringStream:
-        yaml.dump(obj, stringStream, **options)
-        outputStr = stringStream.getvalue()
-
-    return outputStr.splitlines()
-
-
 ###################################################################################################
 
 DEFAULT_VARS = defaultdict(lambda: None)
@@ -542,6 +522,22 @@ def GetRuleSources(requireRulesExist=False):
     return ruleSources
 
 
+###################################################################################################
+def GetIncludeConfigSources():
+    global DEFAULT_VARS
+
+    configSources = list(
+        [
+            os.path.join(DEFAULT_VARS['CUSTOM_CONFIG_DIR'], x)
+            for x in fnmatch.filter(os.listdir(DEFAULT_VARS['CUSTOM_CONFIG_DIR']), '*.yaml')
+        ]
+        if DEFAULT_VARS['CUSTOM_CONFIG_DIR'] is not None
+        else []
+    )
+
+    return configSources
+
+
 ###################################################################################################
 def main():
     global args
@@ -643,6 +639,7 @@ def main():
         with open(args.input, 'r') as f:
             inYaml = YAML(typ='rt')
             inYaml.preserve_quotes = False
+            inYaml.allow_duplicate_keys = True
             inYaml.emitter.alt_null = None
             inYaml.representer.ignore_aliases = lambda x: True
             inYaml.boolean_representation = ['no', 'yes']
@@ -1073,20 +1070,41 @@ def main():
             os.path.join(DEFAULT_VARS['RUN_DIR'], 'suricata-command.socket'),
         )
 
+    extraConfigFiles = GetIncludeConfigSources()
+
     # validate suricata execution prior to calling it a day
     with tempfile.TemporaryDirectory() as tmpLogDir:
         with pushd(tmpLogDir):
             deep_set(cfg, ['stats', 'enabled'], True)
+
             cfg.pop('rule-files', None)
             deep_set(cfg, ['rule-files'], GetRuleSources(requireRulesExist=True))
+
+            # Hackety-hack, don't talk back! Despite the "Including multiple files" section of
+            #   https://docs.suricata.io/en/latest/configuration/includes.html#including-multiple-files
+            #   saying this can be set as an array, it does not seem to be working for me.
+            #   The sample suricata.yaml file shows it should be done like this:
+            #     include: include1.yaml
+            #     include: include2.yaml
+            # The reason this is a pain is that this is not actually valid YAML. So
+            #   what we are going to do is remove the 'include' section here,
+            #   write the YAML to a file, and then append the includes: afterwards
+            #   just in plain text.
+            cfg.pop('include', None)
+
             with open('suricata.yaml', 'w') as outTestFile:
                 outTestYaml = YAML(typ='rt')
                 outTestYaml.preserve_quotes = False
+                outTestYaml.allow_duplicate_keys = True
                 outTestYaml.representer.ignore_aliases = lambda x: True
                 outTestYaml.representer.add_representer(type(None), NullRepresenter())
                 outTestYaml.boolean_representation = ['no', 'yes']
                 outTestYaml.version = YAML_VERSION
                 outTestYaml.dump(cfg, outTestFile)
+
+            # see note on 'include' above
+            append_to_file('suricata.yaml', [''] + [f"include: {x}" for x in extraConfigFiles] + [''])
+
             script_return_code, output = run_process(
                 [
                     'suricata',
@@ -1109,18 +1127,25 @@ def main():
     cfg.pop('rule-files', None)
     deep_set(cfg, ['rule-files'], GetRuleSources(requireRulesExist=False))
 
+    # see note on 'include' above
+    cfg.pop('include', None)
+
     ##################################################################################################
 
     # write the new YAML file
     with open(args.output, 'w') as outfile:
         outYaml = YAML(typ='rt')
         outYaml.preserve_quotes = False
+        outYaml.allow_duplicate_keys = True
         outYaml.representer.ignore_aliases = lambda x: True
         outYaml.representer.add_representer(type(None), NullRepresenter())
         outYaml.boolean_representation = ['no', 'yes']
         outYaml.version = YAML_VERSION
         outYaml.dump(cfg, outfile)
 
+    # see note on 'include' above
+    append_to_file(args.output, [''] + [f"include: {x}" for x in extraConfigFiles] + [''])
+
     ##################################################################################################
 
     # remove the pidfile and command file for a new run (in case they weren't cleaned up before)
diff --git a/shared/bin/suricata_update_config_populate.py b/shared/bin/suricata_update_config_populate.py
index 6dda3c649..edcad9155 100755
--- a/shared/bin/suricata_update_config_populate.py
+++ b/shared/bin/suricata_update_config_populate.py
@@ -49,26 +49,6 @@ def __call__(self, repr, data):
         return ret_val
 
 
-###################################################################################################
-def ObjToYamlStrLines(obj, options=None):
-    outputStr = None
-    if options is None:
-        options = {}
-
-    yaml = YAML()
-    yaml.preserve_quotes = False
-    yaml.representer.ignore_aliases = lambda x: True
-    yaml.representer.add_representer(type(None), NullRepresenter())
-    yaml.boolean_representation = ['no', 'yes']
-    yaml.version = YAML_VERSION
-
-    with StringIO() as stringStream:
-        yaml.dump(obj, stringStream, **options)
-        outputStr = stringStream.getvalue()
-
-    return outputStr.splitlines()
-
-
 ###################################################################################################
 
 DEFAULT_VARS = defaultdict(lambda: None)
diff --git a/suricata/include-configs/.gitignore b/suricata/include-configs/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/suricata/include-configs/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+

From 7338264007949ca4005e6e4b6ce2f0ca380167c7 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 29 Nov 2023 15:57:12 -0700
Subject: [PATCH 66/82] idaholab/Malcolm#303, allow user to include custom zeek
 config

---
 config/zeek-live.env.example                          |  1 +
 docker-compose-standalone.yml                         |  2 ++
 docker-compose.yml                                    |  2 ++
 docs/contributing-local-modifications.md              |  2 ++
 kubernetes/10-zeek.yml                                | 11 +++++++----
 kubernetes/21-zeek-live.yml                           | 11 +++++++----
 malcolm-iso/build.sh                                  |  1 +
 scripts/control.py                                    |  3 ++-
 scripts/malcolm_appliance_packager.sh                 |  1 +
 .../config/hooks/normal/0910-sensor-build.hook.chroot |  3 ++-
 .../includes.chroot/usr/local/etc/zeek/local.zeek     |  1 +
 shared/bin/zeekdeploy.sh                              |  6 ++++++
 zeek/config/local.zeek                                |  1 +
 zeek/custom/.gitignore                                |  3 +++
 14 files changed, 38 insertions(+), 10 deletions(-)
 create mode 100644 zeek/custom/.gitignore

diff --git a/config/zeek-live.env.example b/config/zeek-live.env.example
index ec6316eb8..3659dacac 100644
--- a/config/zeek-live.env.example
+++ b/config/zeek-live.env.example
@@ -6,4 +6,5 @@ ZEEK_PCAP_PROCESSOR=false
 ZEEK_CRON=true
 ZEEK_LOG_PATH=/zeek/live
 ZEEK_INTEL_PATH=/opt/zeek/share/zeek/site/intel
+ZEEK_CUSTOM_PATH=/opt/zeek/share/zeek/site/custom
 EXTRACT_FILES_PATH=/zeek/extract_files
\ No newline at end of file
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index f7a2c2a3a..d71385be2 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -261,6 +261,7 @@ services:
       - ./zeek-logs/upload:/zeek/upload
       - ./zeek-logs/extract_files:/zeek/extract_files
       - ./zeek/intel:/opt/zeek/share/zeek/site/intel
+      - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
     healthcheck:
       test: ["CMD", "supervisorctl", "status", "pcap-zeek"]
       interval: 30s
@@ -297,6 +298,7 @@ services:
       - ./zeek-logs/live:/zeek/live
       - ./zeek-logs/extract_files:/zeek/extract_files
       - ./zeek/intel:/opt/zeek/share/zeek/site/intel
+      - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
   suricata:
     image: ghcr.io/idaholab/malcolm/suricata:23.11.0
     profiles: ["malcolm", "hedgehog"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 47ead0e34..d407533cf 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -290,6 +290,7 @@ services:
       - ./zeek-logs/extract_files:/zeek/extract_files
       - ./zeek/config/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
       - ./zeek/intel:/opt/zeek/share/zeek/site/intel
+      - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
     healthcheck:
       test: ["CMD", "supervisorctl", "status", "pcap-zeek"]
       interval: 30s
@@ -330,6 +331,7 @@ services:
       - ./zeek-logs/extract_files:/zeek/extract_files
       - ./zeek/config/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
       - ./zeek/intel:/opt/zeek/share/zeek/site/intel
+      - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
   suricata:
     build:
       context: .
diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md
index c612f6b4c..53e32eddf 100644
--- a/docs/contributing-local-modifications.md
+++ b/docs/contributing-local-modifications.md
@@ -50,11 +50,13 @@ zeek:
     - ./zeek-logs/upload:/zeek/upload
     - ./zeek-logs/extract_files:/zeek/extract_files
     - ./zeek/intel:/opt/zeek/share/zeek/site/intel
+    - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
 zeek-live:
     - ./nginx/ca-trust:/var/local/ca-trust:ro
     - ./zeek-logs/live:/zeek/live
     - ./zeek-logs/extract_files:/zeek/extract_files
     - ./zeek/intel:/opt/zeek/share/zeek/site/intel
+    - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
 suricata:
     - ./nginx/ca-trust:/var/local/ca-trust:ro
     - ./suricata-logs:/var/log/suricata
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index dd32deba7..059171135 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -64,8 +64,11 @@ spec:
             name: zeek-offline-zeek-volume
             subPath: "upload"
           - mountPath: "/opt/zeek/share/zeek/site/intel"
-            name: zeek-offline-zeek-intel
+            name: zeek-offline-zeek-intel-and-config
             subPath: "zeek/intel"
+          - mountPath: "/opt/zeek/share/zeek/site/custom"
+            name: zeek-offline-zeek-intel-and-config
+            subPath: "zeek/custom"
       initContainers:
       - name: zeek-offline-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
@@ -77,9 +80,9 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX;/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX,zeek/custom;/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
-          - name: zeek-offline-zeek-intel
+          - name: zeek-offline-zeek-intel-and-config
             mountPath: "/data/config"
           - name: zeek-offline-pcap-volume
             mountPath: "/data/pcap"
@@ -95,6 +98,6 @@ spec:
         - name: zeek-offline-zeek-volume
           persistentVolumeClaim:
             claimName: zeek-claim
-        - name: zeek-offline-zeek-intel
+        - name: zeek-offline-zeek-intel-and-config
           persistentVolumeClaim:
             claimName: config-claim
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index ba150acdf..8aaac6c26 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -56,8 +56,11 @@ spec:
             name: zeek-live-zeek-volume
             subPath: "upload"
           - mountPath: "/opt/zeek/share/zeek/site/intel"
-            name: zeek-live-zeek-intel
+            name: zeek-live-zeek-intel-and-config
             subPath: "zeek/intel"
+          - mountPath: "/opt/zeek/share/zeek/site/custom"
+            name: zeek-live-zeek-intel-and-config
+            subPath: "zeek/custom"
       initContainers:
       - name: zeek-live-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
@@ -69,9 +72,9 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX,zeek/custom;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
-          - name: zeek-live-zeek-intel
+          - name: zeek-live-zeek-intel-and-config
             mountPath: "/data/config"
           - name: zeek-live-zeek-volume
             mountPath: "/data/zeek-logs"
@@ -82,6 +85,6 @@ spec:
         - name: zeek-live-zeek-volume
           persistentVolumeClaim:
             claimName: zeek-claim
-        - name: zeek-live-zeek-intel
+        - name: zeek-live-zeek-intel-and-config
           persistentVolumeClaim:
             claimName: config-claim
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index a0fe784da..2f7fe76c4 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -122,6 +122,7 @@ if [ -d "$WORKDIR" ]; then
   mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/live/"
   mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/processed/"
   mkdir -p "$MALCOLM_DEST_DIR/zeek-logs/upload/"
+  mkdir -p "$MALCOLM_DEST_DIR/zeek/custom/"
   mkdir -p "$MALCOLM_DEST_DIR/zeek/intel/MISP/"
   mkdir -p "$MALCOLM_DEST_DIR/zeek/intel/STIX/"
   cp ./docker-compose-standalone.yml "$MALCOLM_DEST_DIR/docker-compose.yml"
diff --git a/scripts/control.py b/scripts/control.py
index 9b03d6d95..f74d9e914 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -985,8 +985,9 @@ def start():
             # chmod 600 envFile
             os.chmod(envFile, stat.S_IRUSR | stat.S_IWUSR)
 
-    # touch the zeek intel file
+    # touch the zeek intel file and zeek custom file
     open(os.path.join(MalcolmPath, os.path.join('zeek', os.path.join('intel', '__load__.zeek'))), 'a').close()
+    open(os.path.join(MalcolmPath, os.path.join('zeek', os.path.join('custom', '__load__.zeek'))), 'a').close()
 
     # clean up any leftover intel update locks
     shutil.rmtree(os.path.join(MalcolmPath, os.path.join('zeek', os.path.join('intel', 'lock'))), ignore_errors=True)
diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh
index 3e04850eb..3f7256549 100755
--- a/scripts/malcolm_appliance_packager.sh
+++ b/scripts/malcolm_appliance_packager.sh
@@ -90,6 +90,7 @@ if mkdir "$DESTDIR"; then
   mkdir $VERBOSE -p "$DESTDIR/zeek-logs/live/"
   mkdir $VERBOSE -p "$DESTDIR/zeek-logs/processed/"
   mkdir $VERBOSE -p "$DESTDIR/zeek-logs/upload/"
+  mkdir $VERBOSE -p "$DESTDIR/zeek/custom/"
   mkdir $VERBOSE -p "$DESTDIR/zeek/intel/MISP/"
   mkdir $VERBOSE -p "$DESTDIR/zeek/intel/STIX/"
 
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index 9337beb09..161106cea 100755
--- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
@@ -66,8 +66,9 @@ EOF
 
 # set up default zeek local policy and sensor-related directories
 cp -f /usr/local/etc/zeek/*.zeek /usr/local/etc/zeek/*.txt "${ZEEK_DIR}"/share/zeek/site/
-mkdir -p /opt/sensor/sensor_ctl/zeek/intel/STIX /opt/sensor/sensor_ctl/zeek/intel/MISP /opt/sensor/sensor_ctl/fluentbit
+mkdir -p /opt/sensor/sensor_ctl/zeek/custom /opt/sensor/sensor_ctl/zeek/intel/STIX /opt/sensor/sensor_ctl/zeek/intel/MISP /opt/sensor/sensor_ctl/fluentbit
 touch /opt/sensor/sensor_ctl/zeek/intel/__load__.zeek
+touch /opt/sensor/sensor_ctl/zeek/custom/__load__.zeek
 [[ -f /usr/local/bin/zeek_intel_setup.sh ]] && mv /usr/local/bin/zeek_intel_setup.sh "${ZEEK_DIR}"/bin/
 [[ -f /usr/local/bin/zeek_intel_from_threat_feed.py ]] && mv /usr/local/bin/zeek*threat*.py "${ZEEK_DIR}"/bin/
 
diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index 79e5204f2..6b2c84695 100644
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -89,6 +89,7 @@ redef ignore_checksums = T;
 
 @load packages
 @load /opt/sensor/sensor_ctl/zeek/intel
+@load /opt/sensor/sensor_ctl/zeek/custom
 
 event zeek_init() &priority=-5 {
 
diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
index c4879adf2..b2fc59dc4 100755
--- a/shared/bin/zeekdeploy.sh
+++ b/shared/bin/zeekdeploy.sh
@@ -94,6 +94,12 @@ touch "$INTEL_DIR"/__load__.zeek
 [[ -x "$ZEEK_INSTALL_PATH"/bin/zeek_intel_setup.sh ]] && "$ZEEK_INSTALL_PATH"/bin/zeek_intel_setup.sh /bin/true
 INTEL_UPDATE_TIME_PREV=0
 
+# make sure "custom" directory exists, even if empty
+[[ -n "$ZEEK_CUSTOM_PATH" ]] && CUSTOM_DIR="$ZEEK_CUSTOM_PATH" || CUSTOM_DIR=/opt/sensor/sensor_ctl/zeek/custom
+export CUSTOM_DIR
+mkdir -p "$CUSTOM_DIR"
+touch "$CUSTOM_DIR"/__load__.zeek
+
 # configure zeek cfg files
 pushd "$ZEEK_INSTALL_PATH"/etc >/dev/null 2>&1
 
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index 33cc88681..3236e16de 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -89,6 +89,7 @@ redef ignore_checksums = T;
 
 @load packages
 @load intel
+@load custom
 
 event zeek_init() &priority=-5 {
 
diff --git a/zeek/custom/.gitignore b/zeek/custom/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/zeek/custom/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+

From 1a199dcc349c2b0bb16cee53c72859a8324bcb65 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 29 Nov 2023 16:01:05 -0700
Subject: [PATCH 67/82] idaholab/Malcolm#303, allow user to include custom zeek
 config

---
 shared/bin/zeekdeploy.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
index b2fc59dc4..0e2b2999e 100755
--- a/shared/bin/zeekdeploy.sh
+++ b/shared/bin/zeekdeploy.sh
@@ -89,7 +89,7 @@ ZEEK_EXTRACTOR_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_ZEEK_SCRI
 [[ -n "$ZEEK_INTEL_PATH" ]] && INTEL_DIR="$ZEEK_INTEL_PATH" || INTEL_DIR=/opt/sensor/sensor_ctl/zeek/intel
 export INTEL_DIR
 mkdir -p "$INTEL_DIR"/STIX "$INTEL_DIR"/MISP
-touch "$INTEL_DIR"/__load__.zeek
+touch "$INTEL_DIR"/__load__.zeek || true
 # autoconfigure load directives for intel files
 [[ -x "$ZEEK_INSTALL_PATH"/bin/zeek_intel_setup.sh ]] && "$ZEEK_INSTALL_PATH"/bin/zeek_intel_setup.sh /bin/true
 INTEL_UPDATE_TIME_PREV=0
@@ -98,7 +98,7 @@ INTEL_UPDATE_TIME_PREV=0
 [[ -n "$ZEEK_CUSTOM_PATH" ]] && CUSTOM_DIR="$ZEEK_CUSTOM_PATH" || CUSTOM_DIR=/opt/sensor/sensor_ctl/zeek/custom
 export CUSTOM_DIR
 mkdir -p "$CUSTOM_DIR"
-touch "$CUSTOM_DIR"/__load__.zeek
+touch "$CUSTOM_DIR"/__load__.zeek || true
 
 # configure zeek cfg files
 pushd "$ZEEK_INSTALL_PATH"/etc >/dev/null 2>&1

From 3684c75aa690ead9333360f9aba6628df1d51b3d Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Wed, 29 Nov 2023 16:47:04 -0700
Subject: [PATCH 68/82] idaholab/Malcolm#303, allow user to include custom zeek
 config

---
 Dockerfiles/zeek.Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index b38defd66..6c5c0cfc4 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -200,7 +200,9 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
     ( find "${ZEEK_DIR}"/lib/zeek/plugins/packages -type f -name "*.hlto" -exec chmod 755 "{}" \; || true ) && \
     mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/STIX && \
       mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/MISP && \
+      mkdir -p "${ZEEK_DIR}"/share/zeek/site/custom && \
       touch "${ZEEK_DIR}"/share/zeek/site/intel/__load__.zeek && \
+      touch "${ZEEK_DIR}"/share/zeek/site/custom/__load__.zeek && \
     cd /usr/lib/locale && \
       ( ls | grep -Piv "^(en|en_US|en_US\.utf-?8|C\.utf-?8)$" | xargs -l -r rm -rf ) && \
     cd /tmp && \

From 6861469e97bd0cebfd4bc57e7491a9f11f6acbdf Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Thu, 30 Nov 2023 07:26:51 -0700
Subject: [PATCH 69/82] httpupdate netbox to v3.6.6
 (https://github.com/netbox-community/netbox/releases/tag/v3.6.6)

---
 Dockerfiles/netbox.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 6409fc989..c075c03a2 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -1,4 +1,4 @@
-FROM netboxcommunity/netbox:v3.6.5
+FROM netboxcommunity/netbox:v3.6.6
 
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="malcolm@inl.gov"

From b49939071f2c39b5dc454366edf204c9723a2aa5 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Thu, 30 Nov 2023 07:29:50 -0700
Subject: [PATCH 70/82] as it's Nov 30th and the fix for idaholab/Malcolm#298
 isn't out yet, renaming the release to v23.12.0

---
 docker-compose-standalone.yml                 | 44 +++++-----
 docker-compose.yml                            | 44 +++++-----
 docs/contributing-pcap.md                     |  2 +-
 docs/download.md                              |  4 +-
 docs/hedgehog-iso-build.md                    |  2 +-
 docs/kubernetes.md                            | 88 +++++++++----------
 docs/malcolm-iso.md                           |  2 +-
 docs/quickstart.md                            | 38 ++++----
 docs/ubuntu-install-example.md                | 38 ++++----
 kubernetes/03-opensearch.yml                  |  4 +-
 kubernetes/04-dashboards.yml                  |  2 +-
 kubernetes/05-upload.yml                      |  4 +-
 kubernetes/06-pcap-monitor.yml                |  4 +-
 kubernetes/07-arkime.yml                      |  4 +-
 kubernetes/08-api.yml                         |  2 +-
 kubernetes/09-dashboards-helper.yml           |  2 +-
 kubernetes/10-zeek.yml                        |  4 +-
 kubernetes/11-suricata.yml                    |  4 +-
 kubernetes/12-file-monitor.yml                |  4 +-
 kubernetes/13-filebeat.yml                    |  4 +-
 kubernetes/14-logstash.yml                    |  4 +-
 kubernetes/15-netbox-redis.yml                |  4 +-
 kubernetes/16-netbox-redis-cache.yml          |  2 +-
 kubernetes/17-netbox-postgres.yml             |  4 +-
 kubernetes/18-netbox.yml                      |  4 +-
 kubernetes/19-htadmin.yml                     |  4 +-
 kubernetes/20-pcap-capture.yml                |  4 +-
 kubernetes/21-zeek-live.yml                   |  4 +-
 kubernetes/22-suricata-live.yml               |  4 +-
 kubernetes/23-freq.yml                        |  2 +-
 kubernetes/98-nginx-proxy.yml                 |  4 +-
 .../aws/ami/packer_vars.json.example          |  2 +-
 32 files changed, 171 insertions(+), 171 deletions(-)

diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index d71385be2..1963a0f74 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -12,7 +12,7 @@ x-logging:
 
 services:
   opensearch:
-    image: ghcr.io/idaholab/malcolm/opensearch:23.11.0
+    image: ghcr.io/idaholab/malcolm/opensearch:23.12.0
     # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
     #   OPENSEARCH_PRIMARY will be set to remote, which means the container will
     #   start but not actually run OpenSearch. It's included in both profiles to
@@ -51,7 +51,7 @@ services:
       retries: 3
       start_period: 180s
   dashboards-helper:
-    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.11.0
+    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -81,7 +81,7 @@ services:
       retries: 3
       start_period: 30s
   dashboards:
-    image: ghcr.io/idaholab/malcolm/dashboards:23.11.0
+    image: ghcr.io/idaholab/malcolm/dashboards:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -109,7 +109,7 @@ services:
       retries: 3
       start_period: 210s
   logstash:
-    image: ghcr.io/idaholab/malcolm/logstash-oss:23.11.0
+    image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -153,7 +153,7 @@ services:
       retries: 3
       start_period: 600s
   filebeat:
-    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.11.0
+    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -188,7 +188,7 @@ services:
       retries: 3
       start_period: 60s
   arkime:
-    image: ghcr.io/idaholab/malcolm/arkime:23.11.0
+    image: ghcr.io/idaholab/malcolm/arkime:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -228,7 +228,7 @@ services:
       retries: 3
       start_period: 210s
   zeek:
-    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -269,7 +269,7 @@ services:
       retries: 3
       start_period: 60s
   zeek-live:
-    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -300,7 +300,7 @@ services:
       - ./zeek/intel:/opt/zeek/share/zeek/site/intel
       - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro
   suricata:
-    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -337,7 +337,7 @@ services:
       retries: 3
       start_period: 120s
   suricata-live:
-    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -366,7 +366,7 @@ services:
       - ./suricata/rules:/opt/suricata/rules:ro
       - ./suricata/include-configs:/opt/suricata/include-configs:ro
   file-monitor:
-    image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
+    image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -394,7 +394,7 @@ services:
       retries: 3
       start_period: 60s
   pcap-capture:
-    image: ghcr.io/idaholab/malcolm/pcap-capture:23.11.0
+    image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -418,7 +418,7 @@ services:
       - ./nginx/ca-trust:/var/local/ca-trust:ro
       - ./pcap/upload:/pcap
   pcap-monitor:
-    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.11.0
+    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -446,7 +446,7 @@ services:
       retries: 3
       start_period: 90s
   upload:
-    image: ghcr.io/idaholab/malcolm/file-upload:23.11.0
+    image: ghcr.io/idaholab/malcolm/file-upload:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -473,7 +473,7 @@ services:
       retries: 3
       start_period: 60s
   htadmin:
-    image: ghcr.io/idaholab/malcolm/htadmin:23.11.0
+    image: ghcr.io/idaholab/malcolm/htadmin:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -500,7 +500,7 @@ services:
       retries: 3
       start_period: 60s
   freq:
-    image: ghcr.io/idaholab/malcolm/freq:23.11.0
+    image: ghcr.io/idaholab/malcolm/freq:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -524,7 +524,7 @@ services:
       retries: 3
       start_period: 60s
   netbox:
-    image: ghcr.io/idaholab/malcolm/netbox:23.11.0
+    image: ghcr.io/idaholab/malcolm/netbox:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -558,7 +558,7 @@ services:
       retries: 3
       start_period: 120s
   netbox-postgres:
-    image: ghcr.io/idaholab/malcolm/postgresql:23.11.0
+    image: ghcr.io/idaholab/malcolm/postgresql:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -584,7 +584,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis:
-    image: ghcr.io/idaholab/malcolm/redis:23.11.0
+    image: ghcr.io/idaholab/malcolm/redis:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -614,7 +614,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis-cache:
-    image: ghcr.io/idaholab/malcolm/redis:23.11.0
+    image: ghcr.io/idaholab/malcolm/redis:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -643,7 +643,7 @@ services:
       retries: 3
       start_period: 45s
   api:
-    image: ghcr.io/idaholab/malcolm/api:23.11.0
+    image: ghcr.io/idaholab/malcolm/api:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     command: gunicorn --bind 0:5000 manage:app
@@ -670,7 +670,7 @@ services:
       retries: 3
       start_period: 60s
   nginx-proxy:
-    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.11.0
+    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
diff --git a/docker-compose.yml b/docker-compose.yml
index d407533cf..85958b908 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,7 +15,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/opensearch.Dockerfile
-    image: ghcr.io/idaholab/malcolm/opensearch:23.11.0
+    image: ghcr.io/idaholab/malcolm/opensearch:23.12.0
     # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
     #   OPENSEARCH_PRIMARY will be set to remote, which means the container will
     #   start but not actually run OpenSearch. It's included in both profiles to
@@ -57,7 +57,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/dashboards-helper.Dockerfile
-    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.11.0
+    image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -90,7 +90,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/dashboards.Dockerfile
-    image: ghcr.io/idaholab/malcolm/dashboards:23.11.0
+    image: ghcr.io/idaholab/malcolm/dashboards:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -121,7 +121,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/logstash.Dockerfile
-    image: ghcr.io/idaholab/malcolm/logstash-oss:23.11.0
+    image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -172,7 +172,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/filebeat.Dockerfile
-    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.11.0
+    image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -210,7 +210,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/arkime.Dockerfile
-    image: ghcr.io/idaholab/malcolm/arkime:23.11.0
+    image: ghcr.io/idaholab/malcolm/arkime:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -256,7 +256,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/zeek.Dockerfile
-    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -301,7 +301,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/zeek.Dockerfile
-    image: ghcr.io/idaholab/malcolm/zeek:23.11.0
+    image: ghcr.io/idaholab/malcolm/zeek:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -336,7 +336,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/suricata.Dockerfile
-    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -376,7 +376,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/suricata.Dockerfile
-    image: ghcr.io/idaholab/malcolm/suricata:23.11.0
+    image: ghcr.io/idaholab/malcolm/suricata:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -408,7 +408,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/file-monitor.Dockerfile
-    image: ghcr.io/idaholab/malcolm/file-monitor:23.11.0
+    image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -439,7 +439,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/pcap-capture.Dockerfile
-    image: ghcr.io/idaholab/malcolm/pcap-capture:23.11.0
+    image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -466,7 +466,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/pcap-monitor.Dockerfile
-    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.11.0
+    image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0
     profiles: ["malcolm", "hedgehog"]
     logging: *default-logging
     restart: "no"
@@ -497,7 +497,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/file-upload.Dockerfile
-    image: ghcr.io/idaholab/malcolm/file-upload:23.11.0
+    image: ghcr.io/idaholab/malcolm/file-upload:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
@@ -524,7 +524,7 @@ services:
       retries: 3
       start_period: 60s
   htadmin:
-    image: ghcr.io/idaholab/malcolm/htadmin:23.11.0
+    image: ghcr.io/idaholab/malcolm/htadmin:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -554,7 +554,7 @@ services:
       retries: 3
       start_period: 60s
   freq:
-    image: ghcr.io/idaholab/malcolm/freq:23.11.0
+    image: ghcr.io/idaholab/malcolm/freq:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -581,7 +581,7 @@ services:
       retries: 3
       start_period: 60s
   netbox:
-    image: ghcr.io/idaholab/malcolm/netbox:23.11.0
+    image: ghcr.io/idaholab/malcolm/netbox:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -618,7 +618,7 @@ services:
       retries: 3
       start_period: 120s
   netbox-postgres:
-    image: ghcr.io/idaholab/malcolm/postgresql:23.11.0
+    image: ghcr.io/idaholab/malcolm/postgresql:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -647,7 +647,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis:
-    image: ghcr.io/idaholab/malcolm/redis:23.11.0
+    image: ghcr.io/idaholab/malcolm/redis:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -680,7 +680,7 @@ services:
       retries: 3
       start_period: 45s
   netbox-redis-cache:
-    image: ghcr.io/idaholab/malcolm/redis:23.11.0
+    image: ghcr.io/idaholab/malcolm/redis:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -712,7 +712,7 @@ services:
       retries: 3
       start_period: 45s
   api:
-    image: ghcr.io/idaholab/malcolm/api:23.11.0
+    image: ghcr.io/idaholab/malcolm/api:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     build:
@@ -745,7 +745,7 @@ services:
     build:
       context: .
       dockerfile: Dockerfiles/nginx.Dockerfile
-    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.11.0
+    image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0
     profiles: ["malcolm"]
     logging: *default-logging
     restart: "no"
diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md
index 6d83e1717..d8f0edd61 100644
--- a/docs/contributing-pcap.md
+++ b/docs/contributing-pcap.md
@@ -1,6 +1,6 @@
 # <a name="PCAP"></a>PCAP processors
 
-When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.11.0 release]({{ site.github.repository_url }}/releases/tag/v23.11.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
+When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.12.0 release]({{ site.github.repository_url }}/releases/tag/v23.12.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
 
 1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section
     * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory
diff --git a/docs/download.md b/docs/download.md
index 7261f51a3..84bfcd2c0 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [malcolm-23.11.0.iso](/iso/malcolm-23.11.0.iso) (5.4GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/malcolm-23.11.0.iso.sha256.txt) |
+| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.4GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/malcolm-23.12.0.iso.sha256.txt) |
 
 ## Hedgehog Linux
 
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [hedgehog-23.11.0.iso](/iso/hedgehog-23.11.0.iso) (2.6GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/hedgehog-23.11.0.iso.sha256.txt) |
+| [hedgehog-23.12.0.iso](/iso/hedgehog-23.12.0.iso) (2.6GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/hedgehog-23.12.0.iso.sha256.txt) |
 
 ## Warning
 
diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md
index 1e5d240a2..eb05c0ccb 100644
--- a/docs/hedgehog-iso-build.md
+++ b/docs/hedgehog-iso-build.md
@@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
 
 ```
 …
-Finished, created "/sensor-build/hedgehog-23.11.0.iso"
+Finished, created "/sensor-build/hedgehog-23.12.0.iso"
 …
 ```
 
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 02c62b0d3..da570cb96 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -272,28 +272,28 @@ agent2    | agent2   | 192.168.56.12 | agent2      | k3s           | 6000m     |
 agent1    | agent1   | 192.168.56.11 | agent1      | k3s           | 6000m     | 861.34m   | 14.36%      | 19.55Gi      | 9.29Gi       | 61.28Gi       | 11           |
 
 Pod Name                                       | State   | Pod IP     | Pod Kind   | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts        | Container Image              |
-api-deployment-6f4686cf59-bn286                | Running | 10.42.2.14 | ReplicaSet | agent1      | 0.11m     | 59.62Mi      | api-container:0                | api:23.11.0               |
-file-monitor-deployment-855646bd75-vk7st       | Running | 10.42.2.16 | ReplicaSet | agent1      | 8.47m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.11.0      |
-zeek-live-deployment-64b69d4b6f-947vr          | Running | 10.42.2.17 | ReplicaSet | agent1      | 0.02m     | 12.44Mi      | zeek-live-container:0          | zeek:23.11.0              |
-dashboards-helper-deployment-69dc54f6b6-ln4sq  | Running | 10.42.2.15 | ReplicaSet | agent1      | 10.77m    | 38.43Mi      | dashboards-helper-container:0  | dashboards-helper:23.11.0 |
-upload-deployment-586568844b-4jnk9             | Running | 10.42.2.18 | ReplicaSet | agent1      | 0.15m     | 29.78Mi      | upload-container:0             | file-upload:23.11.0       |
-filebeat-deployment-6ff8bc444f-t7h49           | Running | 10.42.2.20 | ReplicaSet | agent1      | 2.84m     | 70.71Mi      | filebeat-container:0           | filebeat-oss:23.11.0      |
-zeek-offline-deployment-844f4865bd-g2sdm       | Running | 10.42.2.21 | ReplicaSet | agent1      | 0.17m     | 41.92Mi      | zeek-offline-container:0       | zeek:23.11.0              |
-logstash-deployment-6fbc9fdcd5-hwx8s           | Running | 10.42.2.22 | ReplicaSet | agent1      | 85.55m    | 2.91Gi       | logstash-container:0           | logstash-oss:23.11.0      |
-netbox-deployment-cdcff4977-hbbw5              | Running | 10.42.2.23 | ReplicaSet | agent1      | 807.64m   | 702.86Mi     | netbox-container:0             | netbox:23.11.0            |
-suricata-offline-deployment-6ccdb89478-z5696   | Running | 10.42.2.19 | ReplicaSet | agent1      | 0.22m     | 34.88Mi      | suricata-offline-container:0   | suricata:23.11.0          |
-dashboards-deployment-69b5465db-vz88g          | Running | 10.42.1.14 | ReplicaSet | agent2      | 0.94m     | 100.12Mi     | dashboards-container:0         | dashboards:23.11.0        |
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2      | 3.57m     | 7.36Mi       | netbox-redis-cache-container:0 | redis:23.11.0             |
-suricata-live-deployment-6494c77759-9rlnt      | Running | 10.42.1.16 | ReplicaSet | agent2      | 0.02m     | 9.69Mi       | suricata-live-container:0      | suricata:23.11.0          |
-freq-deployment-cfd84fd97-dnngf                | Running | 10.42.1.17 | ReplicaSet | agent2      | 0.2m      | 26.36Mi      | freq-container:0               | freq:23.11.0              |
-arkime-deployment-56999cdd66-s98pp             | Running | 10.42.1.18 | ReplicaSet | agent2      | 4.15m     | 113.07Mi     | arkime-container:0             | arkime:23.11.0            |
-pcap-monitor-deployment-594ff674c4-fsm7m       | Running | 10.42.1.19 | ReplicaSet | agent2      | 1.24m     | 48.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.11.0      |
-pcap-capture-deployment-7c8bf6957-jzpzn        | Running | 10.42.1.20 | ReplicaSet | agent2      | 0.02m     | 9.64Mi       | pcap-capture-container:0       | pcap-capture:23.11.0      |
-netbox-postgres-deployment-5879b8dffc-kkt56    | Running | 10.42.1.21 | ReplicaSet | agent2      | 70.91m    | 33.02Mi      | netbox-postgres-container:0    | postgresql:23.11.0        |
-htadmin-deployment-6fc46888b9-sq6ln            | Running | 10.42.1.23 | ReplicaSet | agent2      | 0.14m     | 30.53Mi      | htadmin-container:0            | htadmin:23.11.0           |
-netbox-redis-deployment-5bcd8f6c96-j5xpf       | Running | 10.42.1.24 | ReplicaSet | agent2      | 1.46m     | 7.34Mi       | netbox-redis-container:0       | redis:23.11.0             |
-nginx-proxy-deployment-69fcc4968d-f68tq        | Running | 10.42.1.22 | ReplicaSet | agent2      | 0.31m     | 22.63Mi      | nginx-proxy-container:0        | nginx-proxy:23.11.0       |
-opensearch-deployment-75498799f6-4zmwd         | Running | 10.42.1.25 | ReplicaSet | agent2      | 89.8m     | 11.03Gi      | opensearch-container:0         | opensearch:23.11.0        |
+api-deployment-6f4686cf59-bn286                | Running | 10.42.2.14 | ReplicaSet | agent1      | 0.11m     | 59.62Mi      | api-container:0                | api:23.12.0               |
+file-monitor-deployment-855646bd75-vk7st       | Running | 10.42.2.16 | ReplicaSet | agent1      | 8.47m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.12.0      |
+zeek-live-deployment-64b69d4b6f-947vr          | Running | 10.42.2.17 | ReplicaSet | agent1      | 0.02m     | 12.44Mi      | zeek-live-container:0          | zeek:23.12.0              |
+dashboards-helper-deployment-69dc54f6b6-ln4sq  | Running | 10.42.2.15 | ReplicaSet | agent1      | 10.77m    | 38.43Mi      | dashboards-helper-container:0  | dashboards-helper:23.12.0 |
+upload-deployment-586568844b-4jnk9             | Running | 10.42.2.18 | ReplicaSet | agent1      | 0.15m     | 29.78Mi      | upload-container:0             | file-upload:23.12.0       |
+filebeat-deployment-6ff8bc444f-t7h49           | Running | 10.42.2.20 | ReplicaSet | agent1      | 2.84m     | 70.71Mi      | filebeat-container:0           | filebeat-oss:23.12.0      |
+zeek-offline-deployment-844f4865bd-g2sdm       | Running | 10.42.2.21 | ReplicaSet | agent1      | 0.17m     | 41.92Mi      | zeek-offline-container:0       | zeek:23.12.0              |
+logstash-deployment-6fbc9fdcd5-hwx8s           | Running | 10.42.2.22 | ReplicaSet | agent1      | 85.55m    | 2.91Gi       | logstash-container:0           | logstash-oss:23.12.0      |
+netbox-deployment-cdcff4977-hbbw5              | Running | 10.42.2.23 | ReplicaSet | agent1      | 807.64m   | 702.86Mi     | netbox-container:0             | netbox:23.12.0            |
+suricata-offline-deployment-6ccdb89478-z5696   | Running | 10.42.2.19 | ReplicaSet | agent1      | 0.22m     | 34.88Mi      | suricata-offline-container:0   | suricata:23.12.0          |
+dashboards-deployment-69b5465db-vz88g          | Running | 10.42.1.14 | ReplicaSet | agent2      | 0.94m     | 100.12Mi     | dashboards-container:0         | dashboards:23.12.0        |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2      | 3.57m     | 7.36Mi       | netbox-redis-cache-container:0 | redis:23.12.0             |
+suricata-live-deployment-6494c77759-9rlnt      | Running | 10.42.1.16 | ReplicaSet | agent2      | 0.02m     | 9.69Mi       | suricata-live-container:0      | suricata:23.12.0          |
+freq-deployment-cfd84fd97-dnngf                | Running | 10.42.1.17 | ReplicaSet | agent2      | 0.2m      | 26.36Mi      | freq-container:0               | freq:23.12.0              |
+arkime-deployment-56999cdd66-s98pp             | Running | 10.42.1.18 | ReplicaSet | agent2      | 4.15m     | 113.07Mi     | arkime-container:0             | arkime:23.12.0            |
+pcap-monitor-deployment-594ff674c4-fsm7m       | Running | 10.42.1.19 | ReplicaSet | agent2      | 1.24m     | 48.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.12.0      |
+pcap-capture-deployment-7c8bf6957-jzpzn        | Running | 10.42.1.20 | ReplicaSet | agent2      | 0.02m     | 9.64Mi       | pcap-capture-container:0       | pcap-capture:23.12.0      |
+netbox-postgres-deployment-5879b8dffc-kkt56    | Running | 10.42.1.21 | ReplicaSet | agent2      | 70.91m    | 33.02Mi      | netbox-postgres-container:0    | postgresql:23.12.0        |
+htadmin-deployment-6fc46888b9-sq6ln            | Running | 10.42.1.23 | ReplicaSet | agent2      | 0.14m     | 30.53Mi      | htadmin-container:0            | htadmin:23.12.0           |
+netbox-redis-deployment-5bcd8f6c96-j5xpf       | Running | 10.42.1.24 | ReplicaSet | agent2      | 1.46m     | 7.34Mi       | netbox-redis-container:0       | redis:23.12.0             |
+nginx-proxy-deployment-69fcc4968d-f68tq        | Running | 10.42.1.22 | ReplicaSet | agent2      | 0.31m     | 22.63Mi      | nginx-proxy-container:0        | nginx-proxy:23.12.0       |
+opensearch-deployment-75498799f6-4zmwd         | Running | 10.42.1.25 | ReplicaSet | agent2      | 89.8m     | 11.03Gi      | opensearch-container:0         | opensearch:23.12.0        |
 ```
 
 The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes.
@@ -557,28 +557,28 @@ agent1    | agent1   | 192.168.56.11 | agent1      | k3s           | 6000m     |
 agent2    | agent2   | 192.168.56.12 | agent2      | k3s           | 6000m     | 552.71m   | 9.21%       | 19.55Gi      | 13.27Gi      | 61.28Gi       | 12           |
 
 Pod Name                                       | State   | Pod IP     | Pod Kind   | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts        | Container Image              |
-netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6  | ReplicaSet | agent2      | 1.89m     | 7.24Mi       | netbox-redis-cache-container:0 | redis:23.11.0             |
-netbox-redis-deployment-5bcd8f6c96-bkzmh       | Running | 10.42.2.5  | ReplicaSet | agent2      | 1.62m     | 7.52Mi       | netbox-redis-container:0       | redis:23.11.0             |
-dashboards-helper-deployment-69dc54f6b6-ks7ps  | Running | 10.42.2.4  | ReplicaSet | agent2      | 12.95m    | 40.75Mi      | dashboards-helper-container:0  | dashboards-helper:23.11.0 |
-freq-deployment-cfd84fd97-5bwp6                | Running | 10.42.2.8  | ReplicaSet | agent2      | 0.11m     | 26.33Mi      | freq-container:0               | freq:23.11.0              |
-pcap-capture-deployment-7c8bf6957-hkvkn        | Running | 10.42.2.12 | ReplicaSet | agent2      | 0.02m     | 9.21Mi       | pcap-capture-container:0       | pcap-capture:23.11.0      |
-nginx-proxy-deployment-69fcc4968d-m57rz        | Running | 10.42.2.10 | ReplicaSet | agent2      | 0.91m     | 22.72Mi      | nginx-proxy-container:0        | nginx-proxy:23.11.0       |
-htadmin-deployment-6fc46888b9-vpt7l            | Running | 10.42.2.7  | ReplicaSet | agent2      | 0.16m     | 30.21Mi      | htadmin-container:0            | htadmin:23.11.0           |
-opensearch-deployment-75498799f6-5v92w         | Running | 10.42.2.13 | ReplicaSet | agent2      | 139.2m    | 10.86Gi      | opensearch-container:0         | opensearch:23.11.0        |
-zeek-live-deployment-64b69d4b6f-fcb6n          | Running | 10.42.2.9  | ReplicaSet | agent2      | 0.02m     | 109.55Mi     | zeek-live-container:0          | zeek:23.11.0              |
-dashboards-deployment-69b5465db-kgsqk          | Running | 10.42.2.3  | ReplicaSet | agent2      | 14.98m    | 108.85Mi     | dashboards-container:0         | dashboards:23.11.0        |
-arkime-deployment-56999cdd66-xxpw9             | Running | 10.42.2.11 | ReplicaSet | agent2      | 208.95m   | 78.42Mi      | arkime-container:0             | arkime:23.11.0            |
-api-deployment-6f4686cf59-xt9md                | Running | 10.42.1.3  | ReplicaSet | agent1      | 0.14m     | 56.88Mi      | api-container:0                | api:23.11.0               |
-netbox-postgres-deployment-5879b8dffc-lb4qm    | Running | 10.42.1.6  | ReplicaSet | agent1      | 141.2m    | 48.02Mi      | netbox-postgres-container:0    | postgresql:23.11.0        |
-pcap-monitor-deployment-594ff674c4-fwq7g       | Running | 10.42.1.12 | ReplicaSet | agent1      | 3.93m     | 46.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.11.0      |
-suricata-offline-deployment-6ccdb89478-j5fgj   | Running | 10.42.1.10 | ReplicaSet | agent1      | 10.42m    | 35.12Mi      | suricata-offline-container:0   | suricata:23.11.0          |
-suricata-live-deployment-6494c77759-rpt48      | Running | 10.42.1.8  | ReplicaSet | agent1      | 0.01m     | 9.62Mi       | suricata-live-container:0      | suricata:23.11.0          |
-netbox-deployment-cdcff4977-7ns2q              | Running | 10.42.1.7  | ReplicaSet | agent1      | 830.47m   | 530.7Mi      | netbox-container:0             | netbox:23.11.0            |
-zeek-offline-deployment-844f4865bd-7x68b       | Running | 10.42.1.9  | ReplicaSet | agent1      | 1.44m     | 43.66Mi      | zeek-offline-container:0       | zeek:23.11.0              |
-filebeat-deployment-6ff8bc444f-pdgzj           | Running | 10.42.1.11 | ReplicaSet | agent1      | 0.78m     | 75.25Mi      | filebeat-container:0           | filebeat-oss:23.11.0      |
-file-monitor-deployment-855646bd75-nbngq       | Running | 10.42.1.4  | ReplicaSet | agent1      | 1.69m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.11.0      |
-upload-deployment-586568844b-9s7f5             | Running | 10.42.1.13 | ReplicaSet | agent1      | 0.14m     | 29.62Mi      | upload-container:0             | file-upload:23.11.0       |
-logstash-deployment-6fbc9fdcd5-2hhx8           | Running | 10.42.1.5  | ReplicaSet | agent1      | 3236.29m  | 357.36Mi     | logstash-container:0           | logstash-oss:23.11.0      |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6  | ReplicaSet | agent2      | 1.89m     | 7.24Mi       | netbox-redis-cache-container:0 | redis:23.12.0             |
+netbox-redis-deployment-5bcd8f6c96-bkzmh       | Running | 10.42.2.5  | ReplicaSet | agent2      | 1.62m     | 7.52Mi       | netbox-redis-container:0       | redis:23.12.0             |
+dashboards-helper-deployment-69dc54f6b6-ks7ps  | Running | 10.42.2.4  | ReplicaSet | agent2      | 12.95m    | 40.75Mi      | dashboards-helper-container:0  | dashboards-helper:23.12.0 |
+freq-deployment-cfd84fd97-5bwp6                | Running | 10.42.2.8  | ReplicaSet | agent2      | 0.11m     | 26.33Mi      | freq-container:0               | freq:23.12.0              |
+pcap-capture-deployment-7c8bf6957-hkvkn        | Running | 10.42.2.12 | ReplicaSet | agent2      | 0.02m     | 9.21Mi       | pcap-capture-container:0       | pcap-capture:23.12.0      |
+nginx-proxy-deployment-69fcc4968d-m57rz        | Running | 10.42.2.10 | ReplicaSet | agent2      | 0.91m     | 22.72Mi      | nginx-proxy-container:0        | nginx-proxy:23.12.0       |
+htadmin-deployment-6fc46888b9-vpt7l            | Running | 10.42.2.7  | ReplicaSet | agent2      | 0.16m     | 30.21Mi      | htadmin-container:0            | htadmin:23.12.0           |
+opensearch-deployment-75498799f6-5v92w         | Running | 10.42.2.13 | ReplicaSet | agent2      | 139.2m    | 10.86Gi      | opensearch-container:0         | opensearch:23.12.0        |
+zeek-live-deployment-64b69d4b6f-fcb6n          | Running | 10.42.2.9  | ReplicaSet | agent2      | 0.02m     | 109.55Mi     | zeek-live-container:0          | zeek:23.12.0              |
+dashboards-deployment-69b5465db-kgsqk          | Running | 10.42.2.3  | ReplicaSet | agent2      | 14.98m    | 108.85Mi     | dashboards-container:0         | dashboards:23.12.0        |
+arkime-deployment-56999cdd66-xxpw9             | Running | 10.42.2.11 | ReplicaSet | agent2      | 208.95m   | 78.42Mi      | arkime-container:0             | arkime:23.12.0            |
+api-deployment-6f4686cf59-xt9md                | Running | 10.42.1.3  | ReplicaSet | agent1      | 0.14m     | 56.88Mi      | api-container:0                | api:23.12.0               |
+netbox-postgres-deployment-5879b8dffc-lb4qm    | Running | 10.42.1.6  | ReplicaSet | agent1      | 141.2m    | 48.02Mi      | netbox-postgres-container:0    | postgresql:23.12.0        |
+pcap-monitor-deployment-594ff674c4-fwq7g       | Running | 10.42.1.12 | ReplicaSet | agent1      | 3.93m     | 46.44Mi      | pcap-monitor-container:0       | pcap-monitor:23.12.0      |
+suricata-offline-deployment-6ccdb89478-j5fgj   | Running | 10.42.1.10 | ReplicaSet | agent1      | 10.42m    | 35.12Mi      | suricata-offline-container:0   | suricata:23.12.0          |
+suricata-live-deployment-6494c77759-rpt48      | Running | 10.42.1.8  | ReplicaSet | agent1      | 0.01m     | 9.62Mi       | suricata-live-container:0      | suricata:23.12.0          |
+netbox-deployment-cdcff4977-7ns2q              | Running | 10.42.1.7  | ReplicaSet | agent1      | 830.47m   | 530.7Mi      | netbox-container:0             | netbox:23.12.0            |
+zeek-offline-deployment-844f4865bd-7x68b       | Running | 10.42.1.9  | ReplicaSet | agent1      | 1.44m     | 43.66Mi      | zeek-offline-container:0       | zeek:23.12.0              |
+filebeat-deployment-6ff8bc444f-pdgzj           | Running | 10.42.1.11 | ReplicaSet | agent1      | 0.78m     | 75.25Mi      | filebeat-container:0           | filebeat-oss:23.12.0      |
+file-monitor-deployment-855646bd75-nbngq       | Running | 10.42.1.4  | ReplicaSet | agent1      | 1.69m     | 1.46Gi       | file-monitor-container:0       | file-monitor:23.12.0      |
+upload-deployment-586568844b-9s7f5             | Running | 10.42.1.13 | ReplicaSet | agent1      | 0.14m     | 29.62Mi      | upload-container:0             | file-upload:23.12.0       |
+logstash-deployment-6fbc9fdcd5-2hhx8           | Running | 10.42.1.5  | ReplicaSet | agent1      | 3236.29m  | 357.36Mi     | logstash-container:0           | logstash-oss:23.12.0      |
 ```
 
 View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index aaad018ad..309c48309 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui
 
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-23.11.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-23.12.0.iso"
 …
 ```
 
diff --git a/docs/quickstart.md b/docs/quickstart.md
index fa180672e..0a6accdb5 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`:
 ```
 $ docker images
 REPOSITORY                                                     TAG               IMAGE ID       CREATED      SIZE
-ghcr.io/idaholab/malcolm/api                                   23.11.0           xxxxxxxxxxxx   3 days ago   158MB
-ghcr.io/idaholab/malcolm/arkime                                23.11.0           xxxxxxxxxxxx   3 days ago   816MB
-ghcr.io/idaholab/malcolm/dashboards                            23.11.0           xxxxxxxxxxxx   3 days ago   1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper                     23.11.0           xxxxxxxxxxxx   3 days ago   184MB
-ghcr.io/idaholab/malcolm/file-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   588MB
-ghcr.io/idaholab/malcolm/file-upload                           23.11.0           xxxxxxxxxxxx   3 days ago   259MB
-ghcr.io/idaholab/malcolm/filebeat-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   624MB
-ghcr.io/idaholab/malcolm/freq                                  23.11.0           xxxxxxxxxxxx   3 days ago   132MB
-ghcr.io/idaholab/malcolm/htadmin                               23.11.0           xxxxxxxxxxxx   3 days ago   242MB
-ghcr.io/idaholab/malcolm/logstash-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   1.35GB
-ghcr.io/idaholab/malcolm/netbox                                23.11.0           xxxxxxxxxxxx   3 days ago   1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy                           23.11.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/opensearch                            23.11.0           xxxxxxxxxxxx   3 days ago   1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture                          23.11.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/pcap-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   213MB
-ghcr.io/idaholab/malcolm/postgresql                            23.11.0           xxxxxxxxxxxx   3 days ago   268MB
-ghcr.io/idaholab/malcolm/redis                                 23.11.0           xxxxxxxxxxxx   3 days ago   34.2MB
-ghcr.io/idaholab/malcolm/suricata                              23.11.0           xxxxxxxxxxxx   3 days ago   278MB
-ghcr.io/idaholab/malcolm/zeek                                  23.11.0           xxxxxxxxxxxx   3 days ago   1GB
+ghcr.io/idaholab/malcolm/api                                   23.12.0           xxxxxxxxxxxx   3 days ago   158MB
+ghcr.io/idaholab/malcolm/arkime                                23.12.0           xxxxxxxxxxxx   3 days ago   816MB
+ghcr.io/idaholab/malcolm/dashboards                            23.12.0           xxxxxxxxxxxx   3 days ago   1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper                     23.12.0           xxxxxxxxxxxx   3 days ago   184MB
+ghcr.io/idaholab/malcolm/file-monitor                          23.12.0           xxxxxxxxxxxx   3 days ago   588MB
+ghcr.io/idaholab/malcolm/file-upload                           23.12.0           xxxxxxxxxxxx   3 days ago   259MB
+ghcr.io/idaholab/malcolm/filebeat-oss                          23.12.0           xxxxxxxxxxxx   3 days ago   624MB
+ghcr.io/idaholab/malcolm/freq                                  23.12.0           xxxxxxxxxxxx   3 days ago   132MB
+ghcr.io/idaholab/malcolm/htadmin                               23.12.0           xxxxxxxxxxxx   3 days ago   242MB
+ghcr.io/idaholab/malcolm/logstash-oss                          23.12.0           xxxxxxxxxxxx   3 days ago   1.35GB
+ghcr.io/idaholab/malcolm/netbox                                23.12.0           xxxxxxxxxxxx   3 days ago   1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy                           23.12.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/opensearch                            23.12.0           xxxxxxxxxxxx   3 days ago   1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture                          23.12.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/pcap-monitor                          23.12.0           xxxxxxxxxxxx   3 days ago   213MB
+ghcr.io/idaholab/malcolm/postgresql                            23.12.0           xxxxxxxxxxxx   3 days ago   268MB
+ghcr.io/idaholab/malcolm/redis                                 23.12.0           xxxxxxxxxxxx   3 days ago   34.2MB
+ghcr.io/idaholab/malcolm/suricata                              23.12.0           xxxxxxxxxxxx   3 days ago   278MB
+ghcr.io/idaholab/malcolm/zeek                                  23.12.0           xxxxxxxxxxxx   3 days ago   1GB
 ```
 
 ### Import from pre-packaged tarballs
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index c23a67b91..9278935e1 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -250,25 +250,25 @@ Pulling zeek              ... done
 
 user@host:~/Malcolm$ docker images
 REPOSITORY                                                     TAG               IMAGE ID       CREATED      SIZE
-ghcr.io/idaholab/malcolm/api                                   23.11.0           xxxxxxxxxxxx   3 days ago   158MB
-ghcr.io/idaholab/malcolm/arkime                                23.11.0           xxxxxxxxxxxx   3 days ago   816MB
-ghcr.io/idaholab/malcolm/dashboards                            23.11.0           xxxxxxxxxxxx   3 days ago   1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper                     23.11.0           xxxxxxxxxxxx   3 days ago   184MB
-ghcr.io/idaholab/malcolm/file-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   588MB
-ghcr.io/idaholab/malcolm/file-upload                           23.11.0           xxxxxxxxxxxx   3 days ago   259MB
-ghcr.io/idaholab/malcolm/filebeat-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   624MB
-ghcr.io/idaholab/malcolm/freq                                  23.11.0           xxxxxxxxxxxx   3 days ago   132MB
-ghcr.io/idaholab/malcolm/htadmin                               23.11.0           xxxxxxxxxxxx   3 days ago   242MB
-ghcr.io/idaholab/malcolm/logstash-oss                          23.11.0           xxxxxxxxxxxx   3 days ago   1.35GB
-ghcr.io/idaholab/malcolm/netbox                                23.11.0           xxxxxxxxxxxx   3 days ago   1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy                           23.11.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/opensearch                            23.11.0           xxxxxxxxxxxx   3 days ago   1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture                          23.11.0           xxxxxxxxxxxx   3 days ago   121MB
-ghcr.io/idaholab/malcolm/pcap-monitor                          23.11.0           xxxxxxxxxxxx   3 days ago   213MB
-ghcr.io/idaholab/malcolm/postgresql                            23.11.0           xxxxxxxxxxxx   3 days ago   268MB
-ghcr.io/idaholab/malcolm/redis                                 23.11.0           xxxxxxxxxxxx   3 days ago   34.2MB
-ghcr.io/idaholab/malcolm/suricata                              23.11.0           xxxxxxxxxxxx   3 days ago   278MB
-ghcr.io/idaholab/malcolm/zeek                                  23.11.0           xxxxxxxxxxxx   3 days ago   1GB
+ghcr.io/idaholab/malcolm/api                                   23.12.0           xxxxxxxxxxxx   3 days ago   158MB
+ghcr.io/idaholab/malcolm/arkime                                23.12.0           xxxxxxxxxxxx   3 days ago   816MB
+ghcr.io/idaholab/malcolm/dashboards                            23.12.0           xxxxxxxxxxxx   3 days ago   1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper                     23.12.0           xxxxxxxxxxxx   3 days ago   184MB
+ghcr.io/idaholab/malcolm/file-monitor                          23.12.0           xxxxxxxxxxxx   3 days ago   588MB
+ghcr.io/idaholab/malcolm/file-upload                           23.12.0           xxxxxxxxxxxx   3 days ago   259MB
+ghcr.io/idaholab/malcolm/filebeat-oss                          23.12.0           xxxxxxxxxxxx   3 days ago   624MB
+ghcr.io/idaholab/malcolm/freq                                  23.12.0           xxxxxxxxxxxx   3 days ago   132MB
+ghcr.io/idaholab/malcolm/htadmin                               23.12.0           xxxxxxxxxxxx   3 days ago   242MB
+ghcr.io/idaholab/malcolm/logstash-oss                          23.12.0           xxxxxxxxxxxx   3 days ago   1.35GB
+ghcr.io/idaholab/malcolm/netbox                                23.12.0           xxxxxxxxxxxx   3 days ago   1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy                           23.12.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/opensearch                            23.12.0           xxxxxxxxxxxx   3 days ago   1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture                          23.12.0           xxxxxxxxxxxx   3 days ago   121MB
+ghcr.io/idaholab/malcolm/pcap-monitor                          23.12.0           xxxxxxxxxxxx   3 days ago   213MB
+ghcr.io/idaholab/malcolm/postgresql                            23.12.0           xxxxxxxxxxxx   3 days ago   268MB
+ghcr.io/idaholab/malcolm/redis                                 23.12.0           xxxxxxxxxxxx   3 days ago   34.2MB
+ghcr.io/idaholab/malcolm/suricata                              23.12.0           xxxxxxxxxxxx   3 days ago   278MB
+ghcr.io/idaholab/malcolm/zeek                                  23.12.0           xxxxxxxxxxxx   3 days ago   1GB
 ```
 
 Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing.
diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml
index af6a6dbf3..5eaa62088 100644
--- a/kubernetes/03-opensearch.yml
+++ b/kubernetes/03-opensearch.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: opensearch-container
-        image: ghcr.io/idaholab/malcolm/opensearch:v23.11.0
+        image: ghcr.io/idaholab/malcolm/opensearch:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -69,7 +69,7 @@ spec:
             subPath: "opensearch"
       initContainers:
       - name: opensearch-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml
index 5145b05ea..37453d405 100644
--- a/kubernetes/04-dashboards.yml
+++ b/kubernetes/04-dashboards.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-container
-        image: ghcr.io/idaholab/malcolm/dashboards:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dashboards:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index e932433c9..7f66c0fec 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
       - name: upload-container
-        image: ghcr.io/idaholab/malcolm/file-upload:v23.11.0
+        image: ghcr.io/idaholab/malcolm/file-upload:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -73,7 +73,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: upload-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml
index 82e4ac482..a9539e70d 100644
--- a/kubernetes/06-pcap-monitor.yml
+++ b/kubernetes/06-pcap-monitor.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: pcap-monitor-container
-        image: ghcr.io/idaholab/malcolm/pcap-monitor:v23.11.0
+        image: ghcr.io/idaholab/malcolm/pcap-monitor:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -70,7 +70,7 @@ spec:
             name: pcap-monitor-zeek-volume
       initContainers:
       - name: pcap-monitor-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml
index cea3ced27..45c3155a9 100644
--- a/kubernetes/07-arkime.yml
+++ b/kubernetes/07-arkime.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: arkime-container
-        image: ghcr.io/idaholab/malcolm/arkime:v23.11.0
+        image: ghcr.io/idaholab/malcolm/arkime:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "arkime"
       initContainers:
       - name: arkime-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml
index 531ef1fd7..7f38aecf5 100644
--- a/kubernetes/08-api.yml
+++ b/kubernetes/08-api.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: api-container
-        image: ghcr.io/idaholab/malcolm/api:v23.11.0
+        image: ghcr.io/idaholab/malcolm/api:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml
index 32fffe4ca..425cdf403 100644
--- a/kubernetes/09-dashboards-helper.yml
+++ b/kubernetes/09-dashboards-helper.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-helper-container
-        image: ghcr.io/idaholab/malcolm/dashboards-helper:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dashboards-helper:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index 059171135..365e159c9 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-offline-container
-        image: ghcr.io/idaholab/malcolm/zeek:v23.11.0
+        image: ghcr.io/idaholab/malcolm/zeek:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -71,7 +71,7 @@ spec:
             subPath: "zeek/custom"
       initContainers:
       - name: zeek-offline-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index 60a99c471..4d74db91e 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-offline-container
-        image: ghcr.io/idaholab/malcolm/suricata:v23.11.0
+        image: ghcr.io/idaholab/malcolm/suricata:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             name: suricata-offline-custom-configs-volume
       initContainers:
       - name: suricata-offline-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml
index 898c67eef..c7e7f864d 100644
--- a/kubernetes/12-file-monitor.yml
+++ b/kubernetes/12-file-monitor.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: file-monitor-container
-        image: ghcr.io/idaholab/malcolm/file-monitor:v23.11.0
+        image: ghcr.io/idaholab/malcolm/file-monitor:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -81,7 +81,7 @@ spec:
             name: file-monitor-yara-rules-custom-volume
       initContainers:
       - name: file-monitor-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml
index 78e097a46..1df2bd614 100644
--- a/kubernetes/13-filebeat.yml
+++ b/kubernetes/13-filebeat.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: filebeat-container
-        image: ghcr.io/idaholab/malcolm/filebeat-oss:v23.11.0
+        image: ghcr.io/idaholab/malcolm/filebeat-oss:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "nginx"
       initContainers:
       - name: filebeat-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml
index 2bfc8be80..5e068d077 100644
--- a/kubernetes/14-logstash.yml
+++ b/kubernetes/14-logstash.yml
@@ -49,7 +49,7 @@ spec:
       #       topologyKey: "kubernetes.io/hostname"
       containers:
       - name: logstash-container
-        image: ghcr.io/idaholab/malcolm/logstash-oss:v23.11.0
+        image: ghcr.io/idaholab/malcolm/logstash-oss:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -113,7 +113,7 @@ spec:
             subPath: "logstash"
       initContainers:
       - name: logstash-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml
index bbe98ce5c..6340f9c50 100644
--- a/kubernetes/15-netbox-redis.yml
+++ b/kubernetes/15-netbox-redis.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-container
-        image: ghcr.io/idaholab/malcolm/redis:v23.11.0
+        image: ghcr.io/idaholab/malcolm/redis:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: netbox/redis
       initContainers:
       - name: netbox-redis-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml
index cd0a7794e..0600302d8 100644
--- a/kubernetes/16-netbox-redis-cache.yml
+++ b/kubernetes/16-netbox-redis-cache.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-cache-container
-        image: ghcr.io/idaholab/malcolm/redis:v23.11.0
+        image: ghcr.io/idaholab/malcolm/redis:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml
index 3a781c71c..326cd18d8 100644
--- a/kubernetes/17-netbox-postgres.yml
+++ b/kubernetes/17-netbox-postgres.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-postgres-container
-        image: ghcr.io/idaholab/malcolm/postgresql:v23.11.0
+        image: ghcr.io/idaholab/malcolm/postgresql:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -74,7 +74,7 @@ spec:
             subPath: netbox/postgres
       initContainers:
       - name: netbox-postgres-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml
index bf0736efc..ce5c2a908 100644
--- a/kubernetes/18-netbox.yml
+++ b/kubernetes/18-netbox.yml
@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: netbox-container
-        image: ghcr.io/idaholab/malcolm/netbox:v23.11.0
+        image: ghcr.io/idaholab/malcolm/netbox:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -88,7 +88,7 @@ spec:
             subPath: netbox/media
       initContainers:
       - name: netbox-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml
index 11e507a68..3cb338118 100644
--- a/kubernetes/19-htadmin.yml
+++ b/kubernetes/19-htadmin.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: htadmin-container
-        image: ghcr.io/idaholab/malcolm/htadmin:v23.11.0
+        image: ghcr.io/idaholab/malcolm/htadmin:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             subPath: "htadmin"
       initContainers:
       - name: htadmin-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml
index f43a1a2a8..fecdc11de 100644
--- a/kubernetes/20-pcap-capture.yml
+++ b/kubernetes/20-pcap-capture.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: pcap-capture-container
-        image: ghcr.io/idaholab/malcolm/pcap-capture:v23.11.0
+        image: ghcr.io/idaholab/malcolm/pcap-capture:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -46,7 +46,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: pcap-capture-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index 8aaac6c26..74196b4a8 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-live-container
-        image: ghcr.io/idaholab/malcolm/zeek:v23.11.0
+        image: ghcr.io/idaholab/malcolm/zeek:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             subPath: "zeek/custom"
       initContainers:
       - name: zeek-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index 5dee3fa68..c969a6ecb 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-live-container
-        image: ghcr.io/idaholab/malcolm/suricata:v23.11.0
+        image: ghcr.io/idaholab/malcolm/suricata:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -55,7 +55,7 @@ spec:
             name: suricata-live-custom-configs-volume
       initContainers:
       - name: suricata-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml
index 49dfc7f57..2db4f7b9c 100644
--- a/kubernetes/23-freq.yml
+++ b/kubernetes/23-freq.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: freq-container
-        image: ghcr.io/idaholab/malcolm/freq:v23.11.0
+        image: ghcr.io/idaholab/malcolm/freq:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 8f4269955..661489996 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec:
     spec:
       containers:
       - name: nginx-proxy-container
-        image: ghcr.io/idaholab/malcolm/nginx-proxy:v23.11.0
+        image: ghcr.io/idaholab/malcolm/nginx-proxy:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -95,7 +95,7 @@ spec:
           subPath: "nginx"
       initContainers:
       - name: nginx-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.11.0
+        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/scripts/third-party-environments/aws/ami/packer_vars.json.example b/scripts/third-party-environments/aws/ami/packer_vars.json.example
index aaa65ca30..88031bc28 100644
--- a/scripts/third-party-environments/aws/ami/packer_vars.json.example
+++ b/scripts/third-party-environments/aws/ami/packer_vars.json.example
@@ -2,7 +2,7 @@
   "aws_access_key": "XXXXXXXXXXXXXXXXXXXX",
   "aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
   "instance_type": "t2.micro",
-  "malcolm_tag": "v23.11.0",
+  "malcolm_tag": "v23.12.0",
   "malcolm_repo": "idaholab/Malcolm",
   "malcolm_uid": "1000",
   "ssh_username": "ec2-user",

From e46b8d668704608e2ff6a91615b869c66bb35b84 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Thu, 30 Nov 2023 09:27:06 -0700
Subject: [PATCH 71/82] documentation updates for idaholab/Malcolm#302 and
 idaholab/Malcolm#303, custom configuration for Suricata and Zeek

---
 docs/README.md             |  6 +++
 docs/contributing-guide.md |  2 +
 docs/custom-rules.md       | 84 ++++++++++++++++++++++++++++++++++++++
 docs/malcolm-config.md     |  4 +-
 4 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 docs/custom-rules.md

diff --git a/docs/README.md b/docs/README.md
index d3aa19fd2..a1f428dc0 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -13,6 +13,7 @@ This enriched data is stored in an [OpenSearch](https://opensearch.org/) documen
 Malcolm can also easily be deployed locally on an ordinary consumer workstation or laptop for smaller networks, use at home, or in the field incident response engagements. Malcolm can process local artifacts such as locally generated Zeek logs, locally captured PCAP files, and PCAP files collected offline without the use of a dedicated sensor appliance.
 
 <a name="TableOfContents"></a>
+
 * [Quick start](quickstart.md#QuickStart)
     - [Getting Malcolm](quickstart.md#GetMalcolm)
     - [User interface](quickstart.md#UserInterfaceURLs)
@@ -72,6 +73,11 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation
             * [Screenshots](dashboards.md#NewVisualizationsGallery)
 * [Search Queries in Arkime and OpenSearch Dashboards](queries-cheat-sheet.md#SearchCheatSheet)
 * Other Malcolm features
+    - [Custom Rules and Scripts](custom-rules.md#CustomRulesAndScripts)
+        + [Suricata](custom-rules.md#Suricata)
+        + [Zeek](custom-rules.md#Zeek)
+        + [YARA](custom-rules.md#YARA)
+        + [Other Customizations](custom-rules.md#Other)
     - [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction)
     - [OpenSearch index management](index-management.md#IndexManagement)
     - [Event severity scoring](severity.md#Severity)
diff --git a/docs/contributing-guide.md b/docs/contributing-guide.md
index 47b984eeb..0b3cb4cee 100644
--- a/docs/contributing-guide.md
+++ b/docs/contributing-guide.md
@@ -2,6 +2,8 @@
 
 The purpose of this document is to provide some direction for those willing to modify Malcolm, whether for local customization or for contribution to the Malcolm project.
 
+It is recommended before reviewing this guide to read the documentation on [custom rules and scripts](custom-rules.md#CustomRulesAndScripts), which outlines customizations that can be made to the behavior of Suricata, Zeek, and YARA.
+
 <a name="ContribTableOfContents"></a>
 * [Local modifications](contributing-local-modifications.md#LocalMods)
     + [Docker bind mounts](contributing-local-modifications.md#Bind)
diff --git a/docs/custom-rules.md b/docs/custom-rules.md
new file mode 100644
index 000000000..2a69b77f0
--- /dev/null
+++ b/docs/custom-rules.md
@@ -0,0 +1,84 @@
+# <a name="CustomRulesAndScripts"></a>Custom Rules and Scripts
+
+* [Suricata](#Suricata)
+* [Zeek](#Zeek)
+* [YARA](#YARA)
+* [Other Customizations](#Other)
+
+Much of Malcolm's behavior can be adjusted through [environment variable files](malcolm-config.md#MalcolmConfigEnvVars). However, some components allow further customization through the use of custom scripts, configuration files, and rules.
+
+## <a name="Suricata"></a>Suricata
+
+### Rules
+
+In addition to the [default Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and [Emerging Threads Open ruleset](https://rules.emergingthreats.net/open/), users may provide custom rules files for use by Suricata in Malcolm.
+
+Suricata rules files (with the `*.rules` extension) may be placed in the `./suricata/rules/` subdirectory in the Malcolm installation directory. These new rules files will be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) will be applied by either restarting Malcolm or when the [automatic rule update process](https://suricata-update.readthedocs.io/en/latest/) runs (if automatic rule updates are enabled). This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory:
+
+```
+docker compose exec supervisorctl suricata-live restart live-suricata
+```
+
+If the `SURICATA_CUSTOM_RULES_ONLY` [environment variable](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`, Malcolm will bypass the default Suricata rulesets and use only the user-defined rules.
+
+### Configuration
+
+Suricata uses the [YAML format for configuration](https://docs.suricata.io/en/latest/configuration/suricata-yaml.html), and the main `suricata.yaml` file is generated by Malcolm [dynamically at runtime]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py).
+
+The contents of the `suricata.yaml` file can be adjusted via [environment variables](malcolm-config.md#MalcolmConfigEnvVars) found in [`suricata.env`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/suricata.env.example).
+
+For more control of the Suricata configuration, Suricata allows other configuration YAML files to be [included](https://docs.suricata.io/en/latest/configuration/includes.html), allowing the configuration to be broken into multiple files.
+
+Malcolm users may place additional Suricata configuration files (with the `.yaml` file extension) in the `./suricata/include-configs/` subdirectory in the Malcolm installation directory. When Malcolm creates the `suricata.yaml` file these additional files will be added at the end in an `include:` section.
+
+To apply new `.yaml` files immediately without restarting Malcolm's Suricata containers, users may run the following commands from the Malcolm installation directory:
+
+```
+docker compose exec suricata /usr/local/bin/docker_entrypoint.sh true
+```
+
+```
+docker compose exec suricata-live /usr/local/bin/docker_entrypoint.sh true
+```
+
+```
+docker compose exec suricata-live supervisorctl restart live-suricata
+```
+
+## <a name="Zeek"></a>Zeek
+
+Some aspects of Malcolm's instance of Zeek's [local site policy]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) can be adjusted via [environment variables](malcolm-config.md#MalcolmConfigEnvVars) found in [`zeek.env`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/zeek.env.example).
+
+For more control of Zeek's behavior, Malcolm's users may place Zeek files in the `./zeek/custom/` subdirectory in the Malcolm installation directory. The organization of this directory is left entirely up to the user: in other words, users placing files there will also need to create a `__load__.zeek` file there to [tell Zeek](https://docs.zeek.org/en/master/quickstart.html#telling-zeek-which-scripts-to-load) what to load from that directory.
+
+These new files should be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) they will take effect upon restarting Malcolm, or without restarting Malcolm by running the following command from the Malcolm installation directory:
+
+```
+docker compose exec supervisorctl zeek-live restart live-zeek
+```
+
+## <a name="YARA"></a>YARA
+
+[Custom rules](https://yara.readthedocs.io/en/stable/writingrules.html) files for [YARA](https://github.com/VirusTotal/yara) (with either the `*.yara` or `*.yar` file extension) may be placed in the `./yara/rules/` subdirectory in the Malcolm installation directory.
+
+New rules files will take effect by either restarting Malcolm (specifically the `file-monitor` container) or when the automatic rule update runs (if automatic rule updates are enabled). This can also be done manually without restarting Malcolm by running the following commands from the Malcolm installation directory:
+
+```
+docker compose exec file-monitor /usr/local/bin/yara_rules_setup.sh
+```
+
+```
+docker compose exec file-monitor supervisorctl restart yara
+```
+
+If the `EXTRACTED_FILE_YARA_CUSTOM_ONLY` [environment variable](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`.
+
+## <a name="Other"></a>Other Customizations
+
+There are other areas of Malcolm that can be modified and customized to fit users' needs. Please see these other sections of the documentation for more information.
+
+* [Building your own visualizations and dashboards](dashboards.md#BuildDashboard)
+* [Customizing event severity scoring](severity.md#SeverityConfig)
+* [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel)
+* Populating the NetBox inventory [Manually](asset-interaction-analysis.md#NetBoxPopManual) or through [Preloading](asset-interaction-analysis.md#NetBoxPreload)
+* [Modifying or Contributing to Malcolm](contributing-guide.md#Contributing)
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index 7ec63d604..fc2fe24c2 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -65,7 +65,7 @@ Although the configuration script automates many of the following configuration
 * **`suricata.env`**, **`suricata-live.env`** and **`suricata-offline.env`** - settings for [Suricata](https://suricata.io/)
     - `SURICATA_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Suricata, and the resulting logs will also be imported (default `false`)
     - `SURICATA_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Suricata logs (default `1`)
-    - `SURICATA_CUSTOM_RULES_ONLY` – if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only user-defined rules (`./suricata/rules/*.rules`).
+    - `SURICATA_CUSTOM_RULES_ONLY` – if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only [user-defined rules](custom-rules.md#Suricata) (`./suricata/rules/*.rules`).
     - `SURICATA_UPDATE_RULES` – if set to `true`, Suricata signatures will periodically be updated (default `false`)
     - `SURICATA_LIVE_CAPTURE` - if set to `true`, Suricata will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
     - `SURICATA_ROTATED_PCAP` - if set to `true`, Suricata can analyze PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `SURICATA_AUTO_ANALYZE_PCAP_FILES`); if `SURICATA_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Suricata will see duplicate traffic
@@ -86,7 +86,7 @@ Although the configuration script automates many of the following configuration
     - `EXTRACTED_FILE_IGNORE_EXISTING` – if set to `true`, files extant in `./zeek-logs/extract_files/`  directory will be ignored on startup rather than scanned
     - `EXTRACTED_FILE_PRESERVATION` – determines behavior for preservation of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction)
     - `EXTRACTED_FILE_UPDATE_RULES` – if set to `true`, file scanner engines (e.g., ClamAV, Capa, Yara) will periodically update their rule definitions (default `false`)
-    - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`
+    - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only [user-defined rules](custom-rules.md#YARA) in `./yara/rules`
     - `VTOT_API2_KEY` – used to specify a [VirusTotal Public API v.20](https://www.virustotal.com/en/documentation/public-api/) key, which, if specified, will be used to submit hashes of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) to VirusTotal
     - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`)
     - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`)

From 33c655c831509819e74d388f19d82a55c9872bde Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Thu, 30 Nov 2023 11:21:26 -0700
Subject: [PATCH 72/82] allow suricata config to tune max-pending-packets with
 SURICATA_MAX_PENDING_PACKETS variable

---
 shared/bin/suricata_config_populate.py | 36 ++++++++++++++------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/shared/bin/suricata_config_populate.py b/shared/bin/suricata_config_populate.py
index 9f07e6982..612e30a15 100755
--- a/shared/bin/suricata_config_populate.py
+++ b/shared/bin/suricata_config_populate.py
@@ -135,6 +135,7 @@ def __call__(self, repr, data):
         'KRB5_ENABLED': True,
         'KRB5_EVE_ENABLED': False,
         'MANAGED_RULES_DIR': '/var/lib/suricata/rules',
+        'MAX_PENDING_PACKETS': 1024,
         'MODBUS_ENABLED': True,
         'MODBUS_EVE_ENABLED': False,
         'MODBUS_PORTS': 502,
@@ -1021,35 +1022,36 @@ def main():
         ['app-layer', 'protocols', 'ssh', 'hassh', 'SSH_HASSH'],
         ['app-layer', 'protocols', 'tls', 'ja3-fingerprints', 'TLS_JA3'],
         ['app-layer', 'protocols', 'tls', 'encryption-handling', 'TLS_ENCRYPTION_HANDLING'],
-        ['runmode', 'RUNMODE'],
+        ['asn1-max-frames', 'ASN1_MAX_FRAMES'],
         ['autofp-scheduler', 'AUTOFP_SCHEDULER'],
         ['default-packet-size', 'PACKET_SIZE'],
-        ['asn1-max-frames', 'ASN1_MAX_FRAMES'],
-        ['pcre', 'match-limit', 'PCRE_MATCH_LIMIT'],
-        ['pcre', 'match-limit-recursion', 'PCRE_RECURSION'],
-        ['defrag', 'memcap', 'DEFRAG_MEMCAP'],
+        ['default-rule-path', 'MANAGED_RULES_DIR'],
         ['defrag', 'hash-size', 'DEFRAG_HASH_SIZE'],
-        ['defrag', 'trackers', 'DEFRAG_TRACKERS'],
         ['defrag', 'max-frags', 'DEFRAG_MAX_FRAGS'],
+        ['defrag', 'memcap', 'DEFRAG_MEMCAP'],
         ['defrag', 'prealloc', 'DEFRAG_PREALLOC'],
         ['defrag', 'timeout', 'DEFRAG_TIMEOUT'],
-        ['flow', 'memcap', 'FLOW_MEMCAP'],
+        ['defrag', 'trackers', 'DEFRAG_TRACKERS'],
+        ['flow', 'emergency-recovery', 'FLOW_EMERGENCY_RECOVERY'],
         ['flow', 'hash-size', 'FLOW_HASH_SIZE'],
+        ['flow', 'memcap', 'FLOW_MEMCAP'],
         ['flow', 'prealloc', 'FLOW_PREALLOC'],
-        ['flow', 'emergency-recovery', 'FLOW_EMERGENCY_RECOVERY'],
-        ['vlan', 'use-for-tracking', 'VLAN_USE_FOR_TRACKING'],
-        ['stream', 'memcap', 'STREAM_MEMCAP'],
+        ['host', 'hash-size', 'HOST_HASH_SIZE'],
+        ['host', 'memcap', 'HOST_MEMCAP'],
+        ['host', 'prealloc', 'HOST_PREALLOC'],
+        ['max-pending-packets', 'MAX_PENDING_PACKETS'],
+        ['pcre', 'match-limit', 'PCRE_MATCH_LIMIT'],
+        ['pcre', 'match-limit-recursion', 'PCRE_RECURSION'],
+        ['runmode', 'RUNMODE'],
         ['stream', 'checksum-validation', 'STREAM_CHECKSUM_VALIDATION'],
         ['stream', 'inline', 'STREAM_INLINE'],
-        ['stream', 'reassembly', 'memcap', 'STREAM_REASSEMBLY_MEMCAP'],
+        ['stream', 'memcap', 'STREAM_MEMCAP'],
         ['stream', 'reassembly', 'depth', 'STREAM_REASSEMBLY_DEPTH'],
-        ['stream', 'reassembly', 'toserver-chunk-size', 'STREAM_REASSEMBLY_TOSERVER_CHUNK_SIZE'],
-        ['stream', 'reassembly', 'toclient-chunk-size', 'STREAM_REASSEMBLY_TOCLIENT_CHUNK_SIZE'],
+        ['stream', 'reassembly', 'memcap', 'STREAM_REASSEMBLY_MEMCAP'],
         ['stream', 'reassembly', 'randomize-chunk-size', 'STREAM_REASSEMBLY_RANDOMIZE_CHUNK_SIZE'],
-        ['host', 'memcap', 'HOST_MEMCAP'],
-        ['host', 'hash-size', 'HOST_HASH_SIZE'],
-        ['host', 'prealloc', 'HOST_PREALLOC'],
-        ['default-rule-path', 'MANAGED_RULES_DIR'],
+        ['stream', 'reassembly', 'toclient-chunk-size', 'STREAM_REASSEMBLY_TOCLIENT_CHUNK_SIZE'],
+        ['stream', 'reassembly', 'toserver-chunk-size', 'STREAM_REASSEMBLY_TOSERVER_CHUNK_SIZE'],
+        ['vlan', 'use-for-tracking', 'VLAN_USE_FOR_TRACKING'],
     ):
         deep_set(
             cfg,

From ad937edca049ee77dd843794ba8c9d1ae8c735e3 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Thu, 30 Nov 2023 21:14:24 -0700
Subject: [PATCH 73/82] idaholab/Malcolm#298, bump opensearch to v2.11.1

---
 Dockerfiles/dashboards.Dockerfile | 14 +++++++-------
 Dockerfiles/opensearch.Dockerfile |  4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index 507442867..bf1c62e3c 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -1,4 +1,4 @@
-FROM opensearchproject/opensearch-dashboards:2.8.0
+FROM opensearchproject/opensearch-dashboards:2.11.1
 
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -20,7 +20,7 @@ ENV PUSER_PRIV_DROP true
 ENV TERM xterm
 
 ENV TINI_VERSION v0.19.0
-ENV OSD_TRANSFORM_VIS_VERSION 2.8.0
+ENV OSD_TRANSFORM_VIS_VERSION 2.11.0
 
 ARG OPENSEARCH_URL="http://opensearch:9200"
 ARG OPENSEARCH_PRIMARY="opensearch-local"
@@ -46,16 +46,16 @@ ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/
 ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSFORM_VIS_VERSION/transformVis-$OSD_TRANSFORM_VIS_VERSION.zip /tmp/transformVis.zip
 
 RUN yum upgrade -y && \
-    yum install -y curl psmisc util-linux openssl rsync python3 zip unzip && \
+    yum install -y curl-minimal psmisc findutils util-linux openssl rsync python3 zip unzip && \
     yum remove -y vim-* && \
     usermod -a -G tty ${PUSER} && \
     # Malcolm manages authentication and encryption via NGINX reverse proxy
     /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \
     cd /tmp && \
-        # unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
-        # sed -i "s/2\.9\.0/2\.9\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
-        # sed -i "s/2\.9\.0/2\.9\.0/g" opensearch-dashboards/transformVis/package.json && \
-        # zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
+        unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
+        sed -i "s/2\.11\.0/2\.11\.1/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
+        sed -i "s/2\.11\.0/2\.11\.1/g" opensearch-dashboards/transformVis/package.json && \
+        zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
         cd /usr/share/opensearch-dashboards/plugins && \
         /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/transformVis.zip --allow-root && \
         rm -rf /tmp/transformVis /tmp/opensearch-dashboards && \
diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile
index 7e64fe440..95ea31bff 100644
--- a/Dockerfiles/opensearch.Dockerfile
+++ b/Dockerfiles/opensearch.Dockerfile
@@ -1,4 +1,4 @@
-FROM opensearchproject/opensearch:2.8.0
+FROM opensearchproject/opensearch:2.11.1
 
 # Copyright (c) 2023 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
@@ -43,7 +43,7 @@ ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/
 # Remove the opensearch-security plugin - Malcolm manages authentication and encryption via NGINX reverse proxy
 # Remove the performance-analyzer plugin - Reduce resources in docker image
 RUN yum upgrade -y && \
-  yum install -y openssl util-linux procps rsync && \
+  yum install -y openssl util-linux procps rsync findutils && \
   yum remove -y vim-* && \
   /usr/share/opensearch/bin/opensearch-plugin remove opensearch-security --purge && \
   /usr/share/opensearch/bin/opensearch-plugin remove opensearch-performance-analyzer --purge && \

From f96a922ab3c9b2018f5904e5fe3dbb03c13d36d5 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Sun, 3 Dec 2023 22:15:00 -0700
Subject: [PATCH 74/82] update branding/logos

---
 Dockerfiles/dashboards.Dockerfile    | 37 +++++++++++++++++++++-------
 dashboards/opensearch_dashboards.yml |  1 +
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index bf1c62e3c..eae4eb9d2 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -75,15 +75,34 @@ ADD scripts/malcolm_utils.py /usr/local/bin/
 # Yeah, I know about https://opensearch.org/docs/latest/dashboards/branding ... but I can't figure out a way
 # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the
 # internal opensearch code validating them AND the web browser retrieving them. So we're going scorched earth instead.
-ADD docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_logo.svg
-ADD docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_logo_dark_mode.svg
-ADD docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_logo_default_mode.svg
-ADD docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_mark_dark_mode.svg
-ADD docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_mark_default_mode.svg
-ADD docs/images/favicon/favicon.ico /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon.ico
-ADD docs/images/favicon/favicon16.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-16x16.png
-ADD docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-32x32.png
-ADD docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png
+
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-192x192.png
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-512x512.png
+COPY --chmod=644 docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png
+COPY --chmod=644 docs/images/favicon/favicon16.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-16x16.png
+COPY --chmod=644 docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-32x32.png
+COPY --chmod=644 docs/images/favicon/favicon.ico /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon.ico
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-144x144.png
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-150x150.png
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-310x150.png
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-310x310.png
+# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-70x70.png
+COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark_on_dark.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark_on_light.svg
+COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_dashboards.svg
+COPY --chmod=644 docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_dashboards_on_dark.svg
+COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_dashboards_on_light.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_mark.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_mark_on_dark.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_mark_on_light.svg
+COPY --chmod=644 docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_on_dark.svg
+COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_on_light.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner_on_dark.svg
+COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner_on_light.svg
+
 
 
 ENTRYPOINT ["/usr/bin/tini", \
diff --git a/dashboards/opensearch_dashboards.yml b/dashboards/opensearch_dashboards.yml
index d562229fe..052a81b3e 100644
--- a/dashboards/opensearch_dashboards.yml
+++ b/dashboards/opensearch_dashboards.yml
@@ -16,6 +16,7 @@ data_source.enabled: false
 
 opensearchDashboards.branding:
   applicationTitle: "Malcolm Dashboards"
+  useExpandedHeader: false
 
 map.regionmap:
   includeOpenSearchMapsService: false

From 5ae973eb86d229f8348f9d230edb457f4b6d0f53 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Sun, 3 Dec 2023 22:24:48 -0700
Subject: [PATCH 75/82] update/fix branding for v2.11.1

---
 Dockerfiles/dashboards.Dockerfile  |  14 ++++++--------
 docs/images/favicon/favicon144.png | Bin 0 -> 37492 bytes
 docs/images/favicon/favicon150.png | Bin 0 -> 37045 bytes
 docs/images/favicon/favicon192.png | Bin 0 -> 48291 bytes
 docs/images/favicon/favicon310.png | Bin 0 -> 87767 bytes
 docs/images/favicon/favicon512.png | Bin 0 -> 91937 bytes
 docs/images/favicon/favicon70.png  | Bin 0 -> 24851 bytes
 7 files changed, 6 insertions(+), 8 deletions(-)
 create mode 100644 docs/images/favicon/favicon144.png
 create mode 100644 docs/images/favicon/favicon150.png
 create mode 100644 docs/images/favicon/favicon192.png
 create mode 100644 docs/images/favicon/favicon310.png
 create mode 100644 docs/images/favicon/favicon512.png
 create mode 100644 docs/images/favicon/favicon70.png

diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index eae4eb9d2..1ccbca95a 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -76,17 +76,16 @@ ADD scripts/malcolm_utils.py /usr/local/bin/
 # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the
 # internal opensearch code validating them AND the web browser retrieving them. So we're going scorched earth instead.
 
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-192x192.png
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-512x512.png
+COPY --chmod=644 docs/images/favicon/favicon192.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-192x192.png
+COPY --chmod=644 docs/images/favicon/favicon512.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-512x512.png
 COPY --chmod=644 docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png
 COPY --chmod=644 docs/images/favicon/favicon16.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-16x16.png
 COPY --chmod=644 docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-32x32.png
 COPY --chmod=644 docs/images/favicon/favicon.ico /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon.ico
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-144x144.png
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-150x150.png
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-310x150.png
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-310x310.png
-# COPY --chmod=644 docs/images/ /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-70x70.png
+COPY --chmod=644 docs/images/favicon/favicon144.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-144x144.png
+COPY --chmod=644 docs/images/favicon/favicon150.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-150x150.png
+COPY --chmod=644 docs/images/favicon/favicon310.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-310x310.png
+COPY --chmod=644 docs/images/favicon/favicon70.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-70x70.png
 COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch.svg
 COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark.svg
 COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark_on_dark.svg
@@ -104,7 +103,6 @@ COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensea
 COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner_on_light.svg
 
 
-
 ENTRYPOINT ["/usr/bin/tini", \
             "--", \
             "/usr/local/bin/docker-uid-gid-setup.sh", \
diff --git a/docs/images/favicon/favicon144.png b/docs/images/favicon/favicon144.png
new file mode 100644
index 0000000000000000000000000000000000000000..e481f65eb74e5da216f8fbc934fc66e995ef6170
GIT binary patch
literal 37492
zcmV(`K-0g8P)<h;3K|Lk000e1NJLTq0058x0058(1^@s6=SJeV002AMdQ@0+Qek%>
zaB^>EX>4U6ba`-PAZ2)IW&i+q+O3^ilI6CNW&b&f8Ug{3cnk**!mMY|!|$~aAzevT
zx7w<$l}csgi4%t;;J$rthr8?g{`ddd*MI!Se}weD^?Ke?bIbYWpQk-7cD|_h&p$tZ
zhWk1HJ^!@dZ}IoPy?*`qjmS%hKhw`&^Y{Dy&g<{LexN+RuaCdKewF$AIraC0e!ua@
z2PUr^`QrC|_4k8P{CPb*|G1<6{N-_ef2VRj;?Fn#^Y2e#G1kkADPHkQA>I7fAB@T0
zDRo|p{P#}DH=VCTD*X3N?Y~~T>(4L$v3P%e^^di?`|s=N?@Mvr`S%U^A8YjcdU*fq
zwL2^H*E<UTy7J$?v35%LU;p{b+U>pS-rvvD^(V7Z`TBjRKOW_L#Ty4pna+=8eieSd
zd|l43#;?jFP8NN!n}c8T3N1uddxs~i(8CVj`E!QJEk5y!g+F7QF`d_HDzU}MHiY!}
zE9_WOOY2INJ(=uU;^p|~y@Ye!cCI%=<;pAY&KUTxaQ5*Zzpnr4#s8OIe}2&3nr;Yp
z{d29juc!fX8}6L{<y~w@*uQJ~p7lMyuD{sL{g;hR?BIKrx$=Ph9zP#3-taHmN@t%F
z?|bj(x_`_)l=b@oED_g!xtWmIfjff|A&0xfSVCYOEBn*A^O&AE*n#lAafNHMHz{Q{
zr$(>M&y;Z98{hczGSI?CyeZ=(l^yDA*7LmBPkAaf)Zg?z*ZaQtEpL6>+jGiKesj(x
zi&4F#@|3saQc5kY^qT5Z-<oTwwYJ(@YzYW^TW;lQwYAne7wvp>=chaG=zYYI#xvfL
zM;Udr(I@6JpZU%_%dE4_zT!#?_g{IHYt_|O|H6kUeb4uP`72-j+SfO>w$pz0yYnu)
z?za1%yY{=Qf8Vw6kDdGPcP;$xnmhKK_mzL`8ZVdf$43O=<aN*3vG@dbyto4xbac<|
z8lES*bMD#Q1h6-<YvFZsR&dAI!RHI{-Qmx@``6C>xBGUz&;MxO;=kLu%dPwWv2&MO
z_q%iddEfqvU0eM`lyo*oFLX`sv;j8W@YNn`HzxgG|NI(OzV9cGgn_VZgX^*>VD`7>
z*k6oeh4PGD!}spVv+U8Afuyi<4L|$(y)r)<-lw-c-x%8ypUr~Tfs5>WwRbI`?W=j^
z-0sqa;SE&8zB>-Nzwo%$H|x)bee?cG{qC}3U#+Hj?;hT3U>V`<-wL0Ie)sQz2@v_p
zjO;+{adZ8+XZgZd1<M$%C+@C%El)4^g?HWis?VN8#BVkBGq1Swm!7;Hki1TwKj!uB
zG<ypyKkNRyan}-O!&*Zx@9s~l6Fc%VNBnXX8Ck8o!d^SRb!GM}eY2KtKD&)E-}dpn
z{OvNi;f61Kb#xa$@@PD#>-9};wwLi@g6YGe+dII%hUI)6i(XBn+H<~T<=#IS(evUn
zJwXV@m+xz>(d(!y#hH00yW8^`WB1uUo`U<W;8trBYkbmT|36HzMJ#VU_ZXf1XVKnk
zL$qcMyR$4We|gq-?-hCaxH9&FDX;j{nacN0yfXLj-ErM4f1jbW3?!Gi=haVC`}Q8+
z^Je^+XWZq9<$2pq`3)}{+HnYgpoN|K`+lW80EmwDjFvX{hh@*!`R*#bGxYV<d*UJ;
zOTed}%5oRheC|$w?_ckwc0MY70ml|5Mw{Ooo;O_B0N(7E0Mq~c&o}R9EzIXC?>kog
zaALM*$03hm&DO*3{f+m-e85Lg2WTNarP4r!o7=nV{GbG)*4O4$v9gJwK_oEa9oOs?
zwlH#<EDZjEKd@TF{N86?-vg%Ph5IMp2sXhQ>g0}C*}gOHUs!n1Zvj7G?0FU!n`4xh
zdm>WwC$NiaJej)yO6vlFA9yXk^0slY&K2XF3#3on0C%LlgpuBl$DR4b5qHaJlonRP
zD?<Ig+@BKq!}Ej5cTeMmu&4E{4x5P?7_0&Zrl4~RI1dlC!NUgY<tZz_@l>9z@TrTp
z@ANL*6{zie{1Q=%elhFf8Sln}zu)-q|Ivx0>uKM>4Bv>w1GC&(DPJ1<-nh|#Ib2T+
zdES_2#d>hb(Y`iVz`_R+Kl(@yRz>Up=W@q+F~0|>nG5v5eg^>tH_I1xH84C-pWRLo
zVG>Jw-+SUF-v>P+9$~m`v3EUVkLfAvt@q{zHx4xUD~=kk51^Y1Kjc|MsS!tb3qFo>
z^k?D8c={+j4JL-w6d)6C#wGhM@2Xg2VU0Sz#y;j3OVAox;FE|;gwFOrfS{RNd(FJ@
z#u2ukifb-yhrMLi8@v7GC*}*##LgmDe2K<H#7*EK`mR0)e!4=de9-$~C7YY!VysVm
z^4ExsgKM(WU_nFFl%T68E)Yh30YSi^r$zirZI=D^-mq3yuEsE0xgjolEMN(~1YYd%
z0HYrvd(JTnd?IvW^>~6dP)3~E6NVi50a*S%Mo!#+LFKm*8rvqI09R=Ot=|Prl$(wR
z1N7xDW1+;ZmtY2B6Bmfggu&Q$<GCk*ygwi#M;`h9GWcEgJ;#Mlm5xitSX&N_n+&TM
zuQO<$`1g2i=f6*%t}|Gs*Fr=m!1+CV`-Z_>Xt}|Hb049t*|2eV0a*9|qc=e+`xor@
z_2~<^vWOaCu<qbVjO+qdSjTtaEk%gO8`%ul2mIk3m?J-z1RKm6X>#ue_rtXBu^yI}
zeK!vCC9#7r)CrK-OXPj=DVYde20$V>O<Z<?yX^_H;423e|2>{we|-U1s(DX>G&HJZ
zU@^c22GIq#TfN-4oS61CxByHe6~HRK>+O-nMup7|1v6IjB+#59)?u11ZD7BEv)oz$
zl3CwIYyho@s_tebqCl+X`(1H~;6wv>Aj?GP+Bd6*jk<C-d?R+K=jesoYOH!Jdw$q-
zlEX=0SedyazLr_dlZtRp*c_buTLmTsVg11V2_u0hZk}R%rEHdr8-p*SSlDMC1&5v&
zG6cVc>B1WG_h6M_5-o@;FA)<CEVD|)aCVXyt_@`H>SfCzY{YTgs>imj9dp8pzN7d*
zme&x(o!5++!nr`N*Uy9~%(>Q!z$BQ$D*Jj}<h6R>y#>tXuhm_K(}3gB#ZgeRf6&H3
z2<JA0P;70(mRP&}+&~Iz@#i<MKflYj{Vqb?SgCtzvaLmKFtJf#?z@50sp*>#*caBt
zcE20T*w0n4&3Z_21=c`2!2!_RbwN=HI>SqJH?1N?KEe?IieF>GLVukGjrMUz8GBrH
zOxP{Yh_DY*ZPts;B!mLpa{*@rKmr3)V*=t8G5;Yf2+=SWLPx#`T+vWKe1SXRo(~=g
zPw%FwaA6tcSo$|SGX@yU2m6H1?GC-W2fH>1q4^>lckCbH1i9o!;sb9T?U*A*P>3HO
zCoG5i3|KZ{!`L1mvcu?w39*XlyA}xdqNGq!#^N+U@C9CAC>W<%1y(t<11xYr0w{ES
z4lJ1aeb~B62<7Rn1koMv(jlBf51^tfMef*IgS1U>@8%()+i=28;Dd@!C`n;gKYS2|
zQ`vnj8-Il*=zn@D(Jl2j!Da01MbX@v7{sO_Vep5NZtnOY<^XC!9x5SYN*A1Dq6nbT
zd;l5<7KH8OXR(}MF<VEp{<wfZU5J4=5i%k@LL2N4y0b8?hNvNOHJMs}VB&X}vLXJ(
zn;}j()2i?#94y}O@mD$oL@cltadWSSWyQmvO9=?Hz&*EMgAqJwCZaa%jM$%{eIOm+
ziZ3KCm)NNQ42&Y@sV`p3l6CB8@Z5nIiAW&QVeSAg5clEZIc;@O{=UIycYGkTmRu8R
zM=&ZN5kX}81oO&ldp@EQfG+G5@0-t$?~Y0U`gLB|7%>52KSAGcv)6@~CAK0}`Dwu4
zh>FAT;5XbwC`4|(T%DiCY#T5P3B(Gpf2;`-1pfkJc?fO~t8NOa>m~F7Qk^gcy0(Cl
z#Geo$9h`yoVVVySa2p=bmP2Cwt&~MmSLfw}7ewbO)9f9JG7^Z0RRlaV8MX})8cC3Y
zGiHFX-*IAR^~3XUR>I*e`-X%+<6i0FX$a00F0t|HZm!ozxEIfv*tOB2r-XQUh>Btm
z(Txp|F7}l`7hmCHUu%y7$nNqR9r7>w>-3?FjsxS0S_QGHA3cZ1!h)X$WiPkVj;C1{
zDhA>Qh+zRNIbu47WqguY!)HOC97iR<LL5R&EHfGv+KoIzL}7tuw7z|D*AF_Vqbzu>
z1B|RA9J0V%6SU(k$1Drrj20#aLNs_3fM>#yFnYN>`r?Awe&4UPjPRfJPa&?{%5NTG
zCSa<Ay`b&_7jZllX2iqy#naaS1jhsa{Z6P0bo4qxoQ=n0KJ@zeUS$0@K@pOy-sz}Y
z_TvF12eE$y3>|R}{oG%U2tV$G00)ymI6_SyH0JaEM46v^82jg=K}4b)VSxL-0<Z9-
zmB9H`G^B5Ufu?iQZ2kTMPsX-k5b5Pjn?ORiez8x5^w$IIq!d#c*ek0F`78HK+8lJr
z>qAL+1h6^=K=1*x*T5j|)c`qwn0q$g#`6*_u8jGx{9lYe>yW_*G|2&fLebDHp@8Vw
zW}XD~z&*fhZX_gY@XiE>V1qC09jP=BVuVd#kGlXdUQ<wLQ57^BjSq}h^CRXb7MN?{
z{g`mmEpFC!T{u23Aixp!5EI1g#Io3iFTso0HxnEuVz44?2s>P+(TZ5-+00sBG;4Js
zz%gl^86dB)8DdLN6~DE?sw0oUMOi4gHu9{4769KT3XIum_z3f0*@M%<9DkNbc)$|&
zTIjyBYY;AfL(c=8sYB54j;A1}2Aqj!1W_Zn4D&&+O<V<T4Ox4@8ZH+HAr+(zXcP81
zyG#QkV}DRMd;AerVqnXE9W-1ZXm(|5Gc}W;fTOYtL>Yj-{&=WK9N}W=_#o~BQGLw)
z$BGxCZ1MZcn2rm>SRxvhdx9sJvPw;GTk3!geO%DVWLh&58(`*xaB@}>&W7(rs9%li
zgc}^a;~uZcR5lz-F^*}_0){f#Oj4hq&|t~9`4n*K32)@C_w{^8cnLo%iPb>^8em=s
z?EJ(xUkEa{^BX_<7v@B<p+MgU>N)D0aZDTm4#`9C145n*%)NSmkSQ0v!Ewx^L6j30
ze}!2-4BuMjZdmYpV=5i}g@o8}?qj+Ok7ME8=C|Rc2s)e&0tY?7`q~6@D<N!||LU7{
z8V7G7FKNP$i1+AXs9@P}P*$F3Xx_!ud_QReCQH=LaC1T&O9DT2XZM`5E1NuV*jGA=
zi10L{BpzN5;Zpr}Typ0dx<1t}DiT<gw5>MS$gRjlV5479j)leMyG0tXo)_P*4f{d~
zgY`TZ;wB#5fY5EcA1n-LK|G1IBU};?Ht;K!T?rpU(kwQ#=OAxjdk7ome9C?>;9%kh
z<@^oYxOlgqSA-U_J#j-#%{WMpA4qM;NPPf+Md3b@8KHt0+7)0xKw?h`sy2Hh@I#C$
z%%{#kSOpAR@Gs&0=Jh_jI1*Bc9GcKOC%QfqBgu=@`S(dU!c?gN7rkl&!wLIxaCn)v
zkEP({0W4ZiFg1cy6sI#wlL!+qfe~_i;gkgwj>M_r8m;!Cv%l<)eIO+GGQlEteHW+z
zREABjP+DHYrZIMIg!g9dGu>=8!FA1R;v&2qHMl&-L*P9qqDdTF;WLkd<$);}X(gid
zj^eBlM}!COBzr*L5^387`d}AXGy$zphB@3haTl|W8VnNzmsoF85`PG<g}^dPeuH=o
zdx7}&3p$Te5s#O2iVzDAD<-)Kt3`1wT(O?=71jb|V@aURb06b?4XA$7ybzmM$^Et`
z_I@L9xdm>C+emWjFTYTrS_Z*!Bs@7R1#9nUGck(&2Q<TA*9gDdAZv_$fZ0$Du0nv@
zd$Ro*yCu@Y7}YPK)*U6mBN4MRNHWzAe0INL#T%gErY7&cB~zHlA}nn)tKW`a;qM-E
z7o<gNUVylQ3<dWQl;<wLa#c75Pc$2X_95an7#fh?2(fG%j2rL8N)aCA+lfm-S(VVZ
zRuWJGo~~<ML`PWmGIe{-6cAGcQgr37dk}F{GU-t|eJ{EpKDb9~DzD|i#w3pAaiPIp
zAO|6Q6G8dO2YAk`<Ob*f56vso{@fES)?{;9CqjZ{P{QR}SUX&Vkd9le@D^71CGx@P
z(L~0Y_C~X)co61*vl7`7G1oLXvK0-7kxv9KqO;r=oEcX~Ai=Hj4QfiE0TVbCQ9Q$`
zz{9l-sUUd^&<fCcz$-U_zX+um{MW8f(W23#?s>Bj0H*0=Y-|FD7?Q^^507r*3d;PU
zX;72=V!7`jU-D>V&Z~9k$CnXme3A>B!+TJom@}v{@?8TM#^qsKa6e)^Y(J)ipQ9?$
z_h!8x5!Cugjq~=-+v}kk;9DgI;YDl>l>An1D+PG3Ncr)c?C<N*3!-eX{ooJ`6pmA)
zz;hBY6%Z#@<*HGxIhFqeFho7zpsrk|Mu}o3+fdx#@)eNs3lF*R0XX`GTH-Bit|x9E
zivWoUJtIUOgcZVevRD|qXM@NYG+QyjmoFkdf&nkZ$BEY)e%RlR&IL2rtT_@Eh}nBy
zzYZxzqcqG3hrnpQZ4mDrqII9V8#|99Aq9p<S`%Wt*vDw#{3-TWWkB8neBBHpR2r$G
zy_yg~fwrr>W<>C>(SQ%u&8*%q)jQ0Z0T`Lse)sZtT7n9M4B{R4G1ndl<v~r079nn#
zMaBJqqalzjk8+;bFlCd!9zuNh3mSHtF>8};O+?j~;FQ5$+_8?!=Ok__%I_CEHcH`K
zfDbrTVR9K8kh@t#fVj$VC-~@w*Mx?dzW6%mUz8A_UskO2pMy9+i?B2WXuR+hHMUan
zMpjPVG}?or!}c+5J`$M(hbKV3>&paP!Wilukq4N=AYY=Mfem(6J>3IXFa-ESUnbd4
zvXv{O2TJ+D%?(E{lplpZVuGKi{CG%8q=E{oXguecbKxx??AF6);3Tsw5WX)B{fg%)
z^}<$<EaQ)U@_9<O$H2c{xXs%efB}sm7<&#bMdexU2lNYiYY68=H(i9My@{NVPU6!Y
zPyroifnsbA$3|rNK64<ufDN#yA}@hhXJ}g-dw4dVs|6@G%9`!L-&+(spC#PP2VdfY
zpU1>|Jk<s!4$%Z`|5sI9&jXjs9yx@1A)9y<Q>w((ZpBS>J#kXP667I;fu#7JVZOgA
zHwpOc65$eQ(cYib@CaAWyg?DNzE717D{Dr@357y9H;|QxD}Rw>!Z)7$n0q3mhGMX?
zPzZ>)OdO*V+6+d6+g!>-W<-ypIyP0=xAtPc;EYZMu)!avdj_BF?Sp9q-pv{ruQrdl
zGJ#!%5-X?&=&`_P%rFRhayWv{gezI*0JSY*%F9Z?T-cy;nWPZ#xXZ}Sb@iH$N5I82
zqbJ5hqQP^{EUMvj#{F>;e;+O!`91;tB8VaBh~tBJMKtPQQb9`%xSFnEMBt-|KM#&m
zFmD3$Xn36g?>&SA79>69^9hlM{SX$>!wsUET$pAU<#yNzJ|9h}hQa0%ta4TGT?T7d
zhY(#uF@~)ylQ@Q3*aQ*Rtir~U;VlGbRL;GimC!TzKruI4-U>JZP#*vaqq|_CrpO4c
zybZ{BAZnONgzYNm5eW_Mha&>nh;be{A|2+D=rUueR)82>9dGnR4#W9@Yn}@T2%cUg
zgAy#oL#hfN`U_Y;FNAZ|0Y@zco%h0$KQmRRayAH)+8>?)(S)ykU?BWzVjJ_MTf@6C
z==x^@9-yde_0*pGiYhmaf`9HmYcrM+t9yo&x<y6U2jFbJ>+3i-OUc7S1^7VXf9kzn
zxRs~*#4%pG+dvWpp7X^F<KSynlLglJaGIX~49l1+u%wuW9ulkIkWmi>Fo^jHW&(x4
zu@=Aq^ucam%FhXYw@H_T%p%6N4$4S0(sLKNVPuUA#e{ZP2(j6Mh&l$bWPYn*(9=kt
zL9y&X97q5V0k~hqkojnjv-x2~4TPO&3QQ9_xDYtYO0cT|7M)R7V3m4g!`fu~A1bUW
z)Ny=|6UvnG?0F$%vD{Qqgs`u1fYWL!ZxPpoKM0TIJ$w(I2+&$^!4rpR_6`1aoBg`b
zRwY%enH^{UkzlZcgaMjWn7iJmY#<V6J*h8{;9Wd~d9WU!fTu=2gNPT9eQ!?<S4a=C
zB&a?SjmZ>wAzB3NoZy4GKxxM-3yQ|5i0{E9*=6F;9G6rF0+wa-Ih)K;qImko&V3zh
zXZ4`QxM@;~M}XcaX)+&ufIRY`2v$3TrJ53lBkCbeio(^P^&`G!o!~^M$%D-ydjf!Y
zy<BuHXjJu_<PGN7(m7p+T}CW(K)}qXFP;kV|CogQVnxslgds#C5XX9g8P@<hz3_s4
zvM%NF(AwNMkq>6~gb46w?vi^b4N@BUoC3W-3G1#{IRc_rubLO6U2^`gTBbBuX!L2;
zmn!#VRsaNy<CL->8hMD~Q6~%sC>TK6z0kNsZZs{C#`?Q}f=n1Y3u-BZoF067@Mc5e
zM?6Fy5m2f{7FHX<2pYuD@HK=kRu{-4kX)KgS<7@mve?GhjN@4!1UE+lm1&vZP|laa
zzJn+Ch=4(~!g+fD^YWorF?-$2qdgLnMi4-S;XMRqi*%t?BUpoAf)nocz({d`*F1Z$
zjtl)ngulgX_<REA;E!AevK&%3&STtc4|~K%VQJm7leRI8%pRJI{3Bd@&~;za(l}A8
z;>j-_o{8AN41WJ$w*|lr;}oB;Sx?eZpbEosA^aokXO>NHL$7tu38!N9HYK);X|irE
z>#4Bxt>R=6*<pMIe2)OqN@8k;hr#kNQMA(~nx8sEM4u-dmU|%Rkx=8Cy*3Pidu81Q
z7K+L@foWhtmZ|<Q0d&F39fimeSC0X^>E8KxsPC$qv%@mnNSJi{Adcvn8hAQu=yrp&
zE_62_Y>+y2Y!-xA%j9toETUN-$D<<*;5HQ|(V;2wGd3f)hsbH_S)<YK3OdtAgH{o7
zkk~qJsMh4Yp6G+KwMr_`E$POHdts$vA3#=JH|nGuiMM_t$CYsxKoD9f`+#t6kiI1|
zIiK359!&|<Li#=nW;(<=u-cE=DpUgAZK2MUtUBF&FF8P~rjjc1%|f?k4nKML1yIM|
zV{R5Z{CrtWICO$7pVjAuS|{ASgl7-s;E;q|Xxd(2lLr%^02bUk#)ue&#D)3AFw?zx
zJ(xA%`n$F3Nv)e(4xPJXFBhtWH6R`kqi?Ib(7Stb;oorn^RrVnr%}B5iy!><8Xkc>
z<>dH2!WuFXx9i3(7-Layt{BZca%(sN>+;I?-~-VV#tU~K&b(KehlbS8^GP-nNr&L~
zJm&V0Ly7wsf|0VGcUr?s>_&qmb2T3nIB}=%eHrSwz3*;jvWU4bfn-7j;)<(5J>z?F
zCAA<P@%Pd#y5jEu^EOYGVC@AC`BSbbCoC~`e!O>;H?V$hFc%W=fU2q77FVu}-YR9G
zQCZXsaKVz~bl-Ki^i_T&O;;b7M#=C!sAwH;eA}Ty?=c5U<fQS?40w8pFbYdjE&pjR
zk=7c%+X~D8l;A$dJ}^WGK-&Y(hgoz)yHXNMiHAg%bH0#J0{d>OB97UDE?4=`J$nmA
zZvb_1CTjq!JLXP2GFTWeU<Crk+gvur28t#NCxEi+Mv0=8*ouVQTIe>e<guyc5uo+^
zBL0#kq-+YN0HomC%QD0pn8AZ8#D+CWS|(;2rfE}Q5l-D8K4yivf&J784aXAAiQLeB
z9-0e6L4ugJh<ctOU1rK2{Vjilgxfk{mTpH2r!|+npEOMIEAlMrM47;PBP;v<)Emw1
z?O*q@J`hnhtm3qs6oh!dI980sG`o%aV$v1!27Fq!==FWxh(<hVul3?N8|pWkK)rQa
zEb3H0@^J{uN5TPX3E#}-eC}#76%2!i>MSr}wfi)PLc$ToJ2Sj2KSJF(tYcB3GqCY!
zL7>p_LSW%yg==xYW)L$LzOvkjD6w;Wu06wR@ka#HShSL>Nm;8d(QnYZiILQEYQ@z(
z6(&RyFyjrXOkFZz0M?BV!JmZ*b*yQ^qG0>5Yqp-vo2mvMZ+be<qVmY6m<uWiA_t44
zkemjvcs<eBi`5Z9poqjQi$|?cw)FBg$&6z?NB0m*kynjqf!k;g@WF9g)}GpB2tv!;
zmXd?&z#D{pbtqGWh{>UF>8c{*X_ala-Z+c(m+QvFpbPH;A*E?n_zo*Zp+V@Qhd^E5
z*3L;1;^xLkA=P17_kZui!Z+><V%vzgCMBPW_aDeV?7Da~4>aVm&~?c1H>YHaM<(#c
zcp8zyNikG8lgHd~BS5iJz#mCeZLx}PhDV|_6Iw<Jm^`Pz1g&}BcOv?*H_gnXCyd;~
zRL~4rKYrJ*Z5p|n*FfVW+<A(5(`>T!v!e@uFx-HDvgFP4SuloJ#m8ccE9J28(F^$r
zOP3{B0f4H93mv41xckkLdJGEEl&q_LV_O2ZJ=M-Y;%l{E$`JPp2}EQytXOQyPE1Jt
zv|cI_d6d=BDoq84m=VB1!rS_0^0d+Vw?^2mkO-+xHF=fVgav`?V8>5+3?%x!8+f}+
zn=DAm-LT)2K70xN9#1w*vhSK<Y>)StPh{q0>q4G$GNkq9-!E-``~CB^j^GA<E&gYj
zp-^@wcnI|k(Eo+pq7^)9hx=E{NLemal;_%qCz;14Y+5#QbV9)M&bb#H<sFy7xYwr~
zG~*#ncMU@(i~hADxY*n9nr|tx+Y_&Y984LIOmyFP4r_$)hfd%Y!$ZXec|)WF_Sgf&
z#FRstxpX)*xMk+^mWac3mMI%ZaQArrnmJle56+-R%7?(g-|b{LdT5!k|E$3s1@(Ro
zDr8J=FwgGWPc+7l2$0i*t_PH8Na|%q<FTv+UXIIazaGQ`nnRHZmB0mXWgIso5N$nH
z{h*Fc9s>twzxi*rkpR^X_kh*mnopCkHRW|}gXqZT;nCI{5#snrwQlB#FNm;IW^Y(7
zywKXSpEtMLj1?kVSwQ%)3j~EvoZ9jSDEx#SzX`I}`1#9{gmt<blxikn;^V<vTAoQv
z`0OA)1<!p^%w6)8hetSXHununGuQks6H!QnZ2B8jd9Q_Y>GoJPaU2zkI4QOr*jdrd
zdgu2v&S3+~^OX1YOdVFM*g|<(DQz0qBD>gN3{L?LmU+--p#vLMWw9*j=ZPU?<GZb`
zL_|P-^Hth8y(6UDD3R%5{;;xk&-I1H&z<|?`U8(+N3pVYlxvPFaBsFSm5}eNN#9}6
z!%_x3EkEC5iCJ!@HZYFiu@kZwhE>Pl)~aMD;-`7V*K-XI9>XPLHQG*G>HRjMudjiK
zw$3ppt`1Ca>o>M@lC(ro6FJeg8y3krCLVI+3nuk;5M;0-*bMBd*^<H!pJN8Qtez!7
z)}A0EI0eZ5Elb@_2_o=IgzZ;~kzkD9VagACCR1lO!N(!_#oFw3xdWc}LNiB)ia&4&
z6r~b&q}PJK9>HvQST~Pu@r@-wT)1kAPvpI$PUAo_$_ugZ9^5-iMVEMH#l(YJ9hb>$
zwBxd_6W)QH3^o+z3MQ3g;sGnVL1zFFF-lYuZi$sy=!LH={0)A6Sxhcdysc44&{EkF
zJLIt;e8VQFk`h)+sIbfoh5#^nL$KT2zql%b5(Nok^_cnY5UiaPy8#Jln1O`iQ~)~x
z9J+=hn7qc@Kl@j#+$kMW&Nby?NKuan790FzODB=D68dbWOL7M*fUBg(UWux-#%mVB
zxD9whyWfZohNQO3layQW@=DY10q4C1Q)@VIGB(O8R~>d6cskE*%>`I+6rt<3&>sDY
zfFq_%ObFZb-8pB=x8+^+u{bE2Xa_()>x^urX#_kK*{QcD_SxDt-s|PYf@hg`A8Da%
zJWFMZz@Xi#H67gpIp|gj9=&>OKd_@Oo;qO9*4Vr7UE5MlP@UTdrwxJ&eYe#s%AwgT
z{tC8{RH#u0oEHk<MyCT7;hsDd63jb-_e`_Z|BQow#=}$DHf0$Y1o8oMyi*l-w$)h{
z6hdF$%fnC<6qs|5Qyw#dZ3}qviHEog`srWskoW|dSVsq*R7SFt3+KFCl@H8~EH*N{
z6D}7LDK8umB3BRP`w5-z{!yDCtZMU*(D~*3KI39ZJ+tS*ts=wEl*KmvfZFg05ZsK{
zZ6<wMFcXJ(Eq;L4t6LRTKNFgeWV?d)9l_Ay{ujKR_<q0d1Di~yq;9B1Yg1I4)q>_1
zgof=xZ+iwr2>I9Cic;?DLx&E_GXX5ilZXg-6$o|?+3nD_YaHcC<OLhx>@Yn@4vRz#
zUsrbBjM9%a>fBSXo`tuM+ZdIybw($wD~&C&`yg&n%R-#ps*y?fXx9wiYap``(MG^#
zHJ^PYD98loQgq4WEpWDOH6C2RS$z=^{95YA=3Ta)LWOWLB<r+~&Hjmq2!R}aul{7|
zR;|$j<a11<2~=I!zOmEo{Uz^6EeBia*83TO2xxGv6inyh$@ljmw72CpZ=b#I&WhVX
z>$#*=jgT`C__FGjko&n+)?jfJtfk=w(1<sTaw?}xl4AuQk0*??>&@<}L3|9bhY-dU
zrFY=II$wiqPw52JVx0u?021I~+KAIUT(a=MbMXDzorl40`(d$=4y}QiLXNS=Xm@fL
zrwVBU4G-&RA)Zmz;z8^Bq39mgvYeg;A-<oVN*i1Al8txBO11~dQsdi$rC$VV00c^8
z_aFcfhLQxS)lQ95dh-zw>4hY=aO&8SU5-X{J5(ahJbse7+`zOz5ax`JTcLDY7>nM;
z%!{3AYPg&fwf)kB_?#jA+lO{Q!J!J4DiC0*nKJkn7=egL%fd!*@tm|QHRNYM50-vG
z&JbY5bX~Py4i#;c=G%Xy*TasU6J?7Werj$*0XOPDzkB`d+l|=UA9gL@r!d}p2GWe6
zT=vt<0GqG|i18hwy2Yk;`;@06j+eQOZ3!goVj{Fnp_a)Lk8N9a6G?UV={}?v)8EZ9
z^s2zmLz?i`c3~^ew7wtNp3ejcbf`^%kPJ}~^H}y(wM}fBYuhvB34QtSCH_F=NIgWz
zx0@PaHxjr(jCyLe>m<BD{Cz5tvMnmmU|T+jg*X|&Yy*?!q^G*!`L1^^Llct0MmYSG
zH$0X<n&XFpKR*Q|rdQb<9B~58rlK+8k!5j~oxS}s%n(>ROmm%sXbW98Hdd10ztMWw
z#O;APY6(@6K3f;DbVw?c=#HMUec#1qSQpHTgJtsEBAlkrW@ZilHDM0zPp3G=s>Sy^
z!M+<J;YHYQHs>jf+~!oVeICJcnq?`dv|K8{w+2g4KC6M>2yo0JE<Ae`%cDi(sP=Gq
z$XVXUmRt6Z@Cis@2{5~RSmgmNnD!}nxcB2(YU>w!v4bql+v+zW{&jl-su#RMMN{9_
z=z^qpl*ngKrk#VBLRGNhD#IitlG7fXhI|a|c`u7^co&;+YDVPf6|(0^qNhFx^&p#s
zqeHo1>{e*ux6fx=>zc@vVs?@3_sC`up`)FP&<$Z0`|!tO`_F}x0Lw(NMEne5?eRfL
zSSBBII<lKG%ZT5TN2d=kf<><yRqQe*{11w3Q|ANkA!a(9;T2e#b01KUsJHxr?w(9R
zJKxj6JYd2eAlz_a)9BC&izUBw`hh%$7PjqnA(RQ9bwk*5F(nM}`_maiM%ic2y}0tn
zj$lilWY@|9KSUAbIfI(zG^T#ooy;F)*>7v6%B!ddh7`B}S0-LtH1u?vwfRYQ$IcZl
z$>u6~`N(0LBD~fN`zg+~MLH5??3IN<r=vTUsiERYG+*F9Iy~!bFEgu6Q16f=qw|+9
zVv_}!2)@8p5u>d1s^<RkPj>)YO5DXHPCdRUch+HBmwakI9=lc3{aw=`ClJV{Kk-4)
zZX0vDAe1ffe2#LTAp4$1BhLe^(&A6{<|hkEkj7~@D4tJSW2@$x2??p3vluD25**YA
zJR$JO25QfRVYCq0=GX$Oy{uNcJkXt3=o051xM!*lYd^S&(qja|(U$U6WdHP>4?2pA
zETUiR{qg+g#grp3g3`QQVU>h8u}V7!BwFp{a!|3y&Q1iy1H+Ns2c3l_sDgCec0^pf
zsTymGWKQ<(vFg2T9iE<6HtVxdCZLZUbXY4i5Wa&F!941KdqcP0a@iJdz7@31$LWK;
zqd!h>8Xt5W^V!{8Zd9zpn{s`%30#9`hb>z@bXmG?Cp4}fu;TXxR&1k&a{M&FWHj4n
zHOBM4mTuY8q7L2;^B^elk#>q)|Lz+joND%e`-A^{{rblbZmy3<b$E1l0t)mP7T`JM
z9mj2%myx{?71x3J#~j-OMZdHYDS5H?gQ#7s?!>zxzQkfn>75^O8rtpMVUGvK(mNLV
zObhxk?gdM|EC3+vITir2Pkgtl*UEETxm)(n4Y6JXGbrW9^-O45Eb}-K08>TKSf+DX
zWP?ehb2uC9VqZA|4-XHDUYzbkZ&qgLAOOE*jGhZvna(Z!4#`Ltdov-{S(1NO+t_Z8
zkmI!Bk<}=c@DQZ)I%m})eJO~X#qAPdpJo?6(()oqnoL~b$1`Nz*^x8=CU>}1lorhK
z>gO4IF2r)1QKtndXjxG4&AIGrn%#2WK<%F{r#z0`n4tZ9X{+#SRLI{T5+c<Sf^t9R
zO($FlF7?!lug;mCb-siBvd`nS6VX27+j$7JfH^!nvGKDPliearc*3j{kJg0WA1>nA
zBKtROx9wI0FVOZmJ(bb$hp28K8%xiVj~^BTX<y3CV%zKLH#TswHkA*Zqk0aU57ke7
zdv14ILyc9eoDL@7EYZ`Fd3rS<7dE+?w@tY~w6Jzy-*fyGZK=VDLDqWmZT3grC*KAd
zyqO^E%m*mIquS&5Zs@)j$Vk_tXleF5IT#3n5tI{XcQd2g$}$jvwX+-Y<xSa+8%LrP
z>94E=1GHbnAq<wF+2fo~X)YI$W}MPocCk7k>9;hO=xpB}-q3`u+)qXV5Dxo-P{C(%
z|DK!MffH`xdj33uNnJKxJ}WUjT1`)g3RH+Zz>HXMq6OB70~TVxNmBz$wTEMQrXK4X
zY!v3nPy=_B-sYtmjKMbWTOL<`@hah+a{+9xvj&#MWQIDT>2a-XPT5-QZM`mN&sx|(
zG%VZK=@y*BHe26pD^|N;3{v8-hw{#uBKaKuzn);)Iy=ppG#d;6j)odxiDWm(px(<*
zi7v$W;zRGB*2R2AKoMymr<SAyG!UAwAqLS(4iWhJ51-4{0U~OxlCVAM3j^lwNnEi%
z<H$;$y`7mZ)d5MxMjCd1M`uJ>-L4=_*ca|2ff`al1nI#0(NN1l45w)41`yyfpXK$s
zPQh7-GFUfKzjpN~&XOPNPCRw704_Pv3Q?0ixk~NyIGf?N03CX_2}TwR@|--abpUxv
ziNPfoj~#z_%9|Ugk8`K42P{S8T7PAag69@DhM6(z1OhfltYhsEG{X#+DT$)gY2UWG
zu9{>d&gaYC+J|six32B^G;}pZXMiBy*q;|t5r3vpZJ6)B8$@*(xo-G)JQrw?6-Wac
z*&`T>8dhg~`!98gi0;o52dmYW4QPl!9^fMIn>m9|dOT;u4<a3rDNZY}PI|&gE!n9d
zXyF+xbpDw&Wnu7R6<_x-v+yJ<J91>EkGNRpMCe#@L&zIH^A}+*t688+WU>F`=|~(K
z*f1ji7#&Td?OEbV{Pb+)W;<9f9NWVWIHGsqw3#SO7N<P9a1A-aI;h~Fqw^d6QglCj
zr1kOjkarI^EX&Sz{h{6`bZDA}TczM(#C9TXNDghe6_&Q2rr?;6_9RcKl3aB={iWYd
zN@L&H!To*BX)~?}oUfl(Suoo+;Bf?SEPa-Gr5W&*#|)J{{nj^I7=TsWyM^}JvJKP=
zPxA%~PaA7%c6Zo5{VF<P4f9Ij%bpB?%QjD1)ljNqJP`bB#6$wXaP9U)a^mr(I4t}n
zNM@`!OG{Fluv%@+3^-tv<S|>VV*C5B%AneAVKq(k@ItaZifua%dCA1ha^?%1BOi!7
zpuzpMVv&PWs9wbl1R~rJittmSlJn`yc9fQD11G4?eM&Mq!R>OS(QDV|8$z^i`J6GI
zF%!<YN%9#Fii#;4&#i}gGNSzVb561>{m0cWqDL*bp0zMpN@OOrWe7W@3mt(&6y)?G
zlHdVHX8&{_!U?RPSFM=E#n<Gnrc&AR@FQ!1M&277HSyS<f|Ci>w(z`8k>J@<=h?$K
zyh)ym_sdA`$vs>42%!YD=81*H&u5<I+#Yi-3$#Fu+n&4R@CZw@a`T8jI=AXVDc>h+
zp%$`wRn3GQBkB3~o2E~l@b`I44Q#?coWC_@_C)VA+HC^FZE02gtoa9MC;W=fAZ(l3
zfFvOrvqx0lUiFMAia%W&pqh)99+tix8lNuP$~@d_XBa~?OAAULCQEQ{>+tp4c@TJ5
zwSLoNo;DK^d8~5y=}>jo9&2pd&)A+5DqxGz0YsRZ1(fKfYR(0BsHehh&Ur5R$Vl-N
zRLXl5xN*GQs%W>ZWj*NbpKe<eu}5EhhW^v}&c(V(o8?TB<&mMiW1e&ILEg)9TuYZV
zI^Dxres9l&$(JRux4qlVRL+=L_4a2b0mEjyZ%cO^(r|gUv}CEOUrPbA4O-p#E_k6w
zrk>V;m)Tac@OWtcc=XBr1UP}M-^j{pNzB|uML&k86v;*dgTq6VdYpQA=3-4?6R!)Z
zv@<L5<fkB4maKt!1W16W4~GP?sND$bVX<|uK~l1-{R39U*hgOZd7I{}c6lBLg4!H#
zI!Z5_gqB{Ih<TReokrotFQ;ZX$HT)3m=h7ZJuqsVo!$63fO!d!zv1or*TkIRk?FD~
zVw(nYDKHb;Md0M<Ay8i;Z!|V=|6|C)^{*)l>d|H!&uh28Q!3@@=}Zx^UPn&({jBiK
z!eQzd*fVbIp^bdOTJ2D9$Q4w=Y8R<;7&b75!4BH+0}sAULcq)k^wunwYS!M$Q34CB
zZ=ly6&F*Dwfh~tvAZv?b0nH?M#`rA#Wt&8?C(nwVeA`y6azKMa@W71A7Vg@QsCM6=
z<I8D{ZNI|p0rI-bIjM;EumBTD!!okl37%LjXm^&*wU$MGH+myx*nY)GwzI-)th5Q-
z#x5|cIZ?r*C?3~XVXREUYSe;PcGQu*Kk}KWAyqpa;0N|&6FFHrZU#Sqao#NL>mmL=
zr{rz(8nMW-`)LFEMaZ{}bSJPiltYh}ry7b|q$DIc@Z2`^6uYx)?zSQ%7S--YA}QX3
zs$tiVMgh)WaN2V6?y58o0&Zv6K~9nbGtJ==P2iQ1Xci2B&p<nX?=kHCT-hGF1U{Oo
zDMbAD%)Feq2`@Sph&W;UhSMcs(VqQ14Y`!f_Y7qqf})noHbBtbQ#y2^<12~k75cT4
zp%@;D&b>{qoYFY49$Jts-2C46%&Wsd;&Tmrnh;tH#pO0Zl3_d;vGt{Wdhq{L5YIvf
z2MnQ*;*BQxY)B*|JCxGN$yck~lOs!`)xM^8wda8q+xHH4vAQnS(*l^-gbf7Q#{`_G
zW^+2w5mL#-e)bTV!VlY83P}4N>%cJwr#nUq(QQ0*=!U1f$rzoK8NpGV$Uu<!zS7Uc
zr-K#Yv_BRcAFNO2(k!>^Eb$>`AWx{)oFZ*a@0VmB1$K=;fkzJT;L7<N-j0Avr0GP*
zV0EZ@ug6C22`37MrPq2yOU5i$B~~Mc&!opIqlxiNZRN1)6$yF2BOP*ZBoMdtm?8GC
z!L|td)Et40(L2I$*)E&w^>-R?Lxfdi!>K%I_j+niP9xA7lJIl<3k%0gr^i@m9VZ{=
zS550U6BaZ&h2UpMU$JQPHRtBskCTxBfSrp;z?l}b=%3D3l88H7slg!;VXu?0a<%0F
zZn9q`p8Y<bVaddd+Nv)5j-C0pZM6A@2XH%AJ1y6`-a6qjFIxL&4#IF&PO|y6n*p>l
z)uSci49qzKdln1W6!-niv^`Am8CFE?GtVkVpZARL!&B~4U+5eR3?dU{Wp7~xnTSJg
zzB7r<T0RJ$Yw46>S3its^X8ciXW_YnZ9Gv<n%;M2g*a$4?-LdC%Nn&?`yVH7w>r!p
zC@}pJ|1!dFoe_SR!C%S;0OY@SgZ>WiIYWBxf7dI@quX9+fo-)E?J+@X1U{1-(2oOf
z|AN)v*1M-Vo@;{d(?U)tKX13exIj)^<ZM~_A0hC)_n*_<oHHcHcu<+8<ulv)I(!*B
z1~Q!^Srs83tH<zp7VD}*6+B64CJHQsbKKapm^=9iK9Ge24(oNOwC6fDh19|O;j}_%
z1G+5e^1SPDJS#hC`Mx~Hu@<YG2KHpx`}J8`<Seyvx|wn2860M4<GDYcyA!TgG`+p^
zYex39T*rB+Hk7wbAVJw);WYb&y&WYTClv5&y*oD%ea*deJ0c#t>b8y1G9UBWGdUFx
zXunS$;3=1K+N#6g{1+%zZ_ez1c?a;ScI$JpMXeHoY}o@#x1wj3xK#)4!zaP-KXZ?J
zb%eM5kOa!lwnD7Ja^GBWK}$B}r<-sO&L;c#MUe~~51jMnQOi}HJ33ex;Bx?J><?TM
z-S&WL(35j&0+!>rcJA<4_^8|I(8p7NW`+WVb~zFcU193h^@C5rzKdsm@g&Hir<thJ
zd<HTF2Q=D^`#5lvP=biFKq;)t&Q3?6IGAu1WWj`|cZ;<Aj<d9akXxL6Vi5nf<Bi&I
zWKAT@fVNW$xxU%Vc7}OMBDd`dHay?MVCE2n(Xgww)BQU{v;ILK|6b8^{q+SPKApiv
zj@#fNScTUX;R)TlEwd=2Zm$!!RZ}d_83GzCc)JkhroDKS201c-Tf;ae8%9X5RIS>0
zjrhVJ5bn;11tp53t*0}B^UqX1cFn1Lmd7^rOdi%ho?YCIE42t?oCBm_9sGPUBx{<)
z>SvfPVQC;NX1lCRab(g|(K!mhT9;{u4T{x?5`hSp!*SEu)9>)&Gk{oEx_9em0P*Dn
z;uf69_ergxBuISN$V3Y}UCkbaByn;0!JOMpn`xc8hxTDDNKCnVz(vetn7D*noH-23
z!#B*;!Knx<DB3-m#Ket1y*7w7WOperzytp>ihSkwRSG)Xjvx<{u>ajj+5twy#jTj{
z=Lyzr^QjZ`0y_Nej@@|dC32+EcX4N`ARAg99^{mT-P5_x!{KdhS^qErr~f>Y^LOed
zsF-)X&R&<cpp6Y>({qgX?-VVY;2(#0*y+4n!Qi3BwvoHq$#w?QBcGfq?2K`C$_e~7
zq(PXG5zat3vtRbl4M4t~tA>O>BSFywgyY}O&(<R1o!8F=imeN1%K262_+bWZtZrY&
zJaGWzFxdr6gJZ#isBPa+^YRu#)^vFuP`87J2L$lUsxKZF1B@)5WXjp}Nav)Rwe-jO
z<FqY1z4kzAnFrWBpigrvUV#cHKSE2A6P=u;x?v9z_=w3x?(NL$(P|qwWf7p2q~)@?
z<Fk7M3Kq=hn5BWiFaKX3&{TxNc3{9J{=+;>)8}w<B*R)#FzDGfGh878c?p8Zk~@Pt
zE8-#U>H<e7vl3I4V%j;L^jRPXz()z}_jJI89Z!8+Y2-7gcAh$&FIsd;Byb#5loznD
z&ud|{7kV6FOiUZUQ^%)?*q^E6mx1Gvem_5zDfiL}dUu9~d0`@R<t787+7r&cg(1(5
zKbxMB8|XvU1m+KLB~jJ`IaBCPCesdjD{!5~Dz)*Q!fly>CClT?y?2_2PLP~P%LhIG
z7**T-A5;9%!uLP;^K#fym&+2re@4vLct#wx6PZ4t)yj-R{2yG;QEhC*>!fPijQxLT
z*ev*Zc6d4y;%mi^$s72`Nm;DtJ6*9|lEkW>Dk>-GvwIz!01lsSQ;y~N<BaEZ=pclk
z5=)08L*UNmFk%PKlE-QII^BfW>jzj{5aqm6@Fbwb&kRi`sUXYFu<#dTf1-ou5Zi#;
zwrAPtP(Qh(9|G=-0er%0M~{#;c(!-G&O~H_GV2kNg^Es4>V{}Xf}5`LI&by=E(Cqr
zPFj6U>DoDCV^!mFBYv0lqc+9w(^vqv_PyKU#oICIgfC=+S$i)5UfJVTe-2h03Pv!3
zKXHl6z;gz<IWDm}wt1T)C)ipySN&h<U`aMCB4MF1u(F*eGHP=bqCl}7!<MSNp6IYC
zB1HF8Cj*{t*$-A&p!lHQmA4LoW;JY+cchyggeGpm0mq|UDcwA0d=Z&n)?fh{XA2MR
zO&XGLk)2&s?I$+O$wuggIB=Q_GEW}#gv%OmL(4J8@y*XvqvmLgi<)CN<{0cvuJV5#
z>C}J)LpVZmoFQx18PffK`=1-|M601&{|_7Z1{kSp&j|nk00v@9M??Vs0RI60puMM)
z00009a7bBm000XU000XU0RWnu7ytkO2XskIMF-~$1O*ZR^EgTL001BWNkl<Zc-riJ
zcVJcJ-T&t~=kAr<o148C31KHJ!wev9QE}8(t5(IfuN{t>8ytPLN^YoHZLL<&TD4A`
zIFY?Wm;o|??7i=vXFR_@5)hJeL!zkod;R`-&wlRb`R)PyL?NlTxHzS_xH#pfl?YAD
zPfPF<{RE(&=m#U&PfGw9Aw(A*rql)kyqaN%GAdH5HRzP`J*Aryz21N>%B*g-JA*D6
z%Qyv53~1DHuiX*wP)c0@g#XKnNB+;ST83y0dUfK|DJf%;lgyJ;N_k3Zk}f+bL2p(n
z7`;{_4>K8+YMoX_<T64}UPmbiKncf*=(Ty_aQcOoR;RD}M7L}2!8S*DxVqOErm9vd
z*@lKDd-?9Yt;aoHu0<57=O+ODh-uNHMTx;+AeZO)c`7-VmzAN-NQ@6R%UMCD)5#cx
zoCPmX@I0jq%RnwukdCeZ%}fg;#&9)sIu&FrKnS4I5`^nnD3xC?7o`+lABVOM7d>{O
zhqiaRkQg5ZgI>jZeZlTvP&n4!>Dv3on!}q<)Y%Sryj=HB06LFp+O%nm-{+le(9=t<
zx+G<BVw`qNT#Q~D9jPHYodPl$3%M+`$|s5xK~8|z%b~N&P5bOV$XJG?rA9!lQo`;M
z;rI75CSw=_Q#cE9+Uf-YJnEb5w6?xiG#ND{F(Hfr1$aTETu`vJv^fs%+28WjKVRPW
zg~!X41E4<v=m)0sv=mvmflSYz7Il68w8X1YQ^FGx;|;7*DFZ{k{ipf;JdW4)P`ksA
z2|3Zk7_NpO0(PeWn_UDUK(v{KPRpDD#P&`XJ$SfXOi2nSsmVsh=?Z{h2*M01^x1rY
z#%6nU+5YAaKU;r%P1W(fV;(Oj`~;xyk&=^QW9H0=x_NOy+D+rKBgZ8rgt099-5HcT
zFXBjLC#95P()bv1@>zlaw0H6F`Y9s9&*Vy!0(Fgj;*p9@an_6^)?`$Z?p`kl0U}Hq
zFod9`%^5sV*Sq`6jmKYE`^B-3yL<iip8)h75zB(i$c@Xm>av_)O`RNfTULfSTCJ9U
zukT>9`*5JVjb1P<iD)!uKD(z+K(Aed*?1<9I8MO!(ndk2RUmJ2JWBv{c6%U~F)$g`
zU>E|Qk3)4$Py613t*?CaY3095_qW&mSVY`;4<NaWCG+wV#$R(q&L5}cCftykWYjXu
z5BJ&}Ct`bP1I?WnN5aEYLyq^_1ax)_NQjlep#PdH);HP2Lr2=hixy<E8nv7Rf&#j_
z-7pz7&<=o65Gm>#ZSJ!D&F_5hY2`E9cQsdV0;N9z=o`}H@sU}}ZkcMypPqDmVtkl}
zd_%o7on=rP?bpTwMGHlWyKC{{?(R^m6nA$mPH}gK;_mJgcXxujyUV-Jf99P@W@qwY
zH=8~8vFms41RaREdExK5$8!IA_gx%p5siI@9rOI7OfwrCTry{om|-?|UB@qqB5Jid
zFIluVfR?Goy!#mHf%F*~Vo)ice26&yZe!-?^VH-b(GDZsP>dKh+b+2}0u;2UgoXX}
zi>UPU+V<u7+U(<c>EeAAr}nhhDHSNve~wmjuJ>WGM!TNr=6*NOuGfq!YLp-c%%|fc
zk$fWRm1ms|-YQ$_XxclxpV`Mujj-qW1<^#Thy;T3qZ`Yau~03yA1+u%bF3vjh#ZY-
zHIi-R(#eDWLYakC<E+k?=_&L%c67Na`wVr<Av`2Ji3B^p*mhr!y(Wa|K6?lG^3e&*
z?0r9G#7-$K0U{oPKRmuC=2i}$y`Ts~kEC}wcphh~;%#+U{hXbB@eD868zW7jzUHzM
z_|vA@;~$yfpeSWVXG$+B^wjDJ#!0%>-JrZv)rRi+{qmqLzQCaqbem`m5p|v?vgQ&2
zhg|3LNO&DlDk}*)Tf)<Y1FT(rX*gg)u^Flv(ep6OlyVS3Pg<$x#~7RUA(C<l0s7B(
zxzSz4`}_MvL%CyG4l`AA>qp`#Lhu#h%#v20i@Ddq*Y~gz@7F7<67M^Ajy>5R){uc{
zHih4p>n)SJ3JPgOi!>5O%3o5J!9NCDH-2_C>{l>yED&5iKRWJ1biUo|%4MYJdm0Q=
z3@78<N)I=b@=pga1$?cU_HcUmtY_>?V?}-0!5=oDhEx*jP@DkOlj9rBU$x7q6*C-!
zqgr$hHofs<f)a;+8`(n&X&Xsv<h`0(@QhM>Abf`x1m%*=kF45`y!Fl}AJ8etum?qo
zPS)_e{+lkHxW4;oq1N#sHJ{dqq_E+7Wz*l^PvhOCTZz*6_Ie;g#sAer@e4#Fv9c9d
zQ{iC0C@u{KY56Ej--#-xkvSw~$Qyd~41T6TR~5Rd!=YXI?<1}gdoYnd@jt5>#J$FZ
z+{)?w$IICf48{)c&E-l$-A&krD4(I=1BLKWx65^RTkR&J*Uafy?z`n~!@8HpnT~Ou
z?B|0C&-dpwhSB?(B$nj#8!z>XCbQ{WyHr_9{^!1L+5LmZV}^CPg`+S}>Da=8aFToW
zL^E-TdT_*W=>CEvVd#jx87xOQFibd__0HEh=y2bMLb-%TZC1hEky0FWRFf)YMw^@v
zHm)cEVCX=Ulz;Q3Qac8iQNtlA%kw)c;I-r9mo6CM>rp&PZRZbg-QrkQDvRb{y<yD+
z1N+I&q>ku{wd*zvpVcS5`K$F(J;m3Fj;3%-`p>Yw&bk#BtF?9Z67N8=5Qo;A2b*1_
zNNv|VBi=!Xl~D;gYH*)kJI-gj^QvC<%Ktko&ZR@H6$#0b<i{K#rd|c7lM}*T7BY&F
zgA}YA!Rm81qef#4=K#sOPR#oCo#Br^MXLG!?Ui9(B^p%Cy`9)%%?BDtxx{Eh;+^&2
zuW^&CCp+IfIzRp_yaOb?z{+&>@qEVv24CmV`c8va;zm)x8M!aJ&6*h&6mCq7Sw?K~
z<M#$FZx}oaGYlp&j*NWrp!gJOf?P6Z$&l|cb4FyL;nQR!6N3Ii5E%2n>I=r<19YTv
z$uJI&&`3hiX@+4;b{4c4===L<cXe$k6QzR$eI=Nv1q<-g+(qC}2nuEuQn5YdoDzb-
z9Zk+0j3NI%nm{an%48MZ_Wmta{$$x=P-*s9(#}s}FM2pbMiOwn5ION~>8LkuqMo_n
z({bYV1#P-jRM^{i&lnGfZrM{!+Bb_Teh$PFW~3m2;;w)Uz0xP=R+g|hem3(mBw|s%
z%WsPoW+0Q4XJuNI!D}f;tUHxW4#Fq2?IOV$p`AC!IBh;XbWb(k+HpNK*SUDO>AbLv
z>}(3G#c{7GdD!4P0lPnys2KN(_J4vP1eVc#$Mb#9M#WpL3GxJ4a;HGIW5G+>MkW`V
zeW`Gdzj97q_+Scaf5^pO#p)DR{vg0}-=A9kJu0Deaw?H>@DEZN(r|ikn?NxJq3EmT
zHGtuT;pS+Mx@5~@<I5PvTUM|u<$qtdWG(_xUFXBAeE1=5#zRSHq)!3?%ZfTBlbz0O
zg<IS2quqJRWA#Enr}}<0O*td@Dra$>X5-KS7Ai*|2A6=Qm%~2Ba?W9FT!9j)h{(p3
z@i>iBn~6`V##;Ro6-IkV)ZEtD1G1~DON)rsFBY5t|7CL(q6WGpyZ<ir!3e5vCU)Kz
zdBFP3OwU0=pCF-$PJ@JRV@dnIx==>gVDszT3Fa54LdoR5?OELmzCXyV9epdvwlgpg
zC1Ny+bbyIM>t~yuYmI10!r#erjDl`v8>@tq=`Nejr_HT<N~MJLpNJw%*3!Z&|6QZg
z&3j~wr~$6cNoge`_<~U*KG8giZ~#Y=<E(h~^|Z_7!{VYRN<8CW7a5Mh4~s9dB7=rm
z9!4qu@cizw!g_)sJDX?s&fY~RU$yFonP$>(Xyigs-yjZpt^SOha(pBT6l!pkli|pt
zTfg6R<K~~6?+F2uqmtp0_MD%<qeQv_7Z0xEzYFwSR(KPY#q$$R?3b0UqO~x8lgC@P
zoZozLUiEPTX=%rB-&k$hbH2T%HDECEJw6tCa>?Ir4GKlflEq14Of9WhegiMQKBq-T
zce)=+J_uDs@5rOIiI&CI0oG-XML(wPvDJRN>R6jMlmC7RVV6@>mB`)zpPx4?7a#;t
z#DfLVja_JfIU(1v{Vu`2=K6B6sB@p3>t9sa;jl)a4`bd>{p~x;^WT?)u0aH+VfFMA
z86Q@)rEUL&P~;8WY8NXtBdcP^6`o)JS%+QAUFt7nSV%}$ep2IV40b&&iTpy7*UGxO
zv)MKTfsXe#h0+ZR8|MaxSH+vu9nqS+(bYCbg_|f>fy&=v3}n9zerse2RmIJ<8s<40
zt)64zVw4oo$&?Hio4|zg`uHMyKIDxg2MA4f87j<T(Ndf!$gz(Dt0|6{MZ&BB2);Ti
zD>fU7t9lo_7Z9vujO@-&d^h~ry!`Am2@cCsMvh&N*|o+BU5briJN-B88)BaYLBq#K
zXj<z}b{E<BQQaYY-Mox2O=mVMGs|amax%=n(9IW)V5*RNQToKnhGH!^cJ7*6#%|$g
z6azaR?E8IqbtWcmNWqP5=E=lx&POGvSi!+kpT4sQmnq02b{&fTnxv{Yvw3kxAXaG}
zQGFfCZKx}xibg14T3mSG%JSA<WPE=c*m{_B)uezXR?7Fv{Kd!Pri0!!%vTomz+PX!
z(xiZo<=DU_oQGo(^=)d+VsN^2eRHgxvwzdsNHgf@*yUnLcU{T(y2&eeCECraC#*ao
zL?&X(A~8W89j}68p#RX+dP(cyz2z1y^ZPg1f;gHAADzdU_Sd<RUcZB3pY!Ie@dsM|
z{^(@LjfIYCZ%dJ7N5;hW#<oE+n${xuDDuQXs|X+g`zkLI7l+Q@C+hPCCL{W|Ysuu8
z18zZB)AZ(Ar6`HF)~rE`UOmeeL^^tr`on2Bx4caF$sIS%>b&dCauG;6H5!lvP}kk6
zwt>icyixE~KKoFTfO0o*n5T6uZv7!Y@KU>EW8<mX0sQ@A#o19L9!xNz;57Wlu#(}~
z&>M9^i4sOdS((LkZzQqQ)-hgpok@SVK|P9bCTM8W^1=yPt*h~3(Y90lYFJ^4OYC;z
z1FXBYv>oGwI589%@9fk{fi@^B?hFYMgVXb_eZKQ@ZE$TRzbKm@8g^EX()Avlq@;Ud
zXVg_z&aKs|xWNH=LJOr>G-wr7Xty}b;nVnd{2r+Cj(zzpn;?%mqUvKP_Y}a`?yxzY
z&E!a#sP3YkS$wuk=S)XIgAeW?lp2*TiRlM2DCgpr&dZB8+m4$3sQ{#+>|}02f`a&s
z`<u0co1%W>i2F?SO6_5diUn=yBUa%d!ouq6DOf#NUk@d8gmN{@m66165`F9c<xLxF
z>}P-AxtMGIW&~bTRJc8*V%@)f`N&o^$Wk$;B@S72<?tqz#Lk^o;(mO?C&O5PLsm(J
z62g~{{yW*Oc;ED}pw@nhd>MDbPeMg`&(W3k{@W?RL-ctn4C7nKyoDTwSPe)poH}e3
z0Rh2_1w>6t3+YP;!mCiTOrj3E0S+zHVP2!jjL7b@|4ZRsHA@ik$DEb&m+JFuZmtJ8
zz`gbxV+K!Mg7Z`!NKVde{Yz$VIBU8jrqia#iqbSNR4XM3ETqZIy`=;?0*nkkzi&G1
znV-jiT7?1IY6%5$EIYIH@?LlMUB7?Br4rFOdwbgeMK}UP`N^zFgAOnFM=m|)D07g0
zBg7DSptfFv7KN_UcJol^qIT9zj#^m^x@T}yJ;&RdZkx{?*)`J#u~U9&85hbX1xJc9
zO}tYb3M8(HV%87aJ<gt&|J-}&Yq3*^WSJ7ve<#>{tl1AG>CPh!9D`zl>1Ge_SLPFC
zPHw&QgC#@(ozgHcEI_1~H)wf6sA|w*qJmg)Qw^So4*1j4tXL%hIDYGM`}MwG+lV(*
zO~uyGky8*&;)oQG!iH{aeXq}5B7;XyBAGGBMlox+M%{}^AUHL9eZYJ1`GwAQk=Km<
zhGL%xoQT(Hqutcz1w4rL^82?Ph!c^7JXqNRrh3w#rdb5+v!tP+q!inhpKpXvzzWk%
zS~jm`T%(a@+h#vw{WKfDFTKYE3(3p>-hO=q_|y04^b`JU+uX^6-tUvVH<{36d1UkU
zi}anEG0%)pe$pqo3I9&^#PQ$VA9jwNxipm&K8~?k#72ZtBLh+XD-~Q<C#k^qucI%z
z^;#A1paEs+=;z;^dC`3LOVtnjmP`%R)hHltwQ`N=ex|V$&x?+SQVM7<<P)cvTuW2U
z+0HnhQ`&vbEr|-&4fli0op}rAPawLVjaILvKgy!KfgLBZ@Ujc$Y00@_1iBG`+k_4o
zCBV05gBgUc-(Ak^UrycchjyH~CeMf;`=YMkrh&m;^{LxFNS~emvilR+%uflcMn>IE
z?RpKmd8O9tKg))sI|UQw=8hh^UMHL214sTzNweizV>(csPL(Y?HsUyFtn2-*sw;l%
zPegr)lu3M&q`gC(RDa;+_1pngd*0W?^PH3UCggSS%zjKe1J8FBera{@zx@U!xHN9!
z(8Qn=ZZ1mGEB^>x=^qv_Tz-{rxyOGL7UmP)d~#OhsRHqNpAJxkk-~C0&$I<Z^OC;T
znNrfn)*A4%ffZ@@{O6e4dTrxJQ<WA2{>$SgsdNcFNvKH(c3EJ;5m;;{($V=`SRe42
zeRmy_THXrRa`PXVr23yE#Y|@fbhuSt4IduXoELw=fc$&6I5AWVum^-_Fp}thns6ph
zrm>J%IGAXOcFxtT!0;I4)*HZ0FYMdFbcQ<1d~`l{hmm1q$|=LffBlE(x|Y$T&0spr
z1*_O|+7}AgO_DUUbY`V*vrC899p8i20Fs7{fOPB2d7BW;_$S5p37(6L=eIvtIv|pK
z{O-A*HZ6PFd{HfDSS`o{gShBlxmiY#>g@rqBUQ6(deZ>HcJ^wYx0qjdv{jl|xx1fd
zP}hUw#0ety@tB$MUk*i^r13Rk3DWk`oZy4EhiRA_B;;LdJb0SVE{Cd4Mq%l<XxP`R
zSRnd^u%*X@jhtgRU;0C&uNSZx$b=b}0%aT@hAij7@pxPMluVC;gs9o+J>hxyWE8xL
zWYx-at<x8YoAS80uPyTy<Iph(dKWik0-Eldc0W@Sl6gobayp-DGdzuIV;e+qP<<Iv
zFgZ-LZ2mPU6IlW^-+|hNyD&<(CS8(mzrnIRO$AlpSd&%-PMKQ8vy$%tN7vJrPsFf-
z&O`kMDaU$DoaS5q{%lw{(shtp_So8HU)3{<TCa7A@TKrhh!*(I+9<><aIB0<TxZOe
zspkRx%uHo&WWhY()HXF5kp7_amgIY08{oQs87TeDRko|rx!BlmG9V61Wd_${fsKk{
zxm_;pR_`NM@w%{g1&&|97v4<}zEi8Ko`2^pB6&9;$l?BJfF#r_v@n!|J+Jz)%zykS
zh*W$qlrE6H`a&pT(`xhDAm)?NMoGcUD|;LmCC{NvIF-RHPCEZEZSr7G<fY`bX@yM7
zz`*`+f3G76_qXfg?SeytE@^!>+IDT>vA>7RnkT<fPKw2%vXk{7$`LZB&n=V7R(XwH
zxm6(>Ox505_(}s3*)0*z^8?liRiG6Nifw~dm-EVyt6AeW2+=C7hSE2y148cRuJc+1
zmGj?~yR{0G`zeEww>Vl2q^-M?2-)tJo$en%s+F2QvE`1cYh{tQ1@q6?M0BX&7ey4B
zi$t{-HlKuXgVw=U;ja)@jT&^$xRJZ-SRXIvTSZnb*~A41dvZ~2Y$Wn{_G)+gR#e*d
zN((bU#YGOwrM2ARvy&8571XwFP;&`F(yUO6qz+T5P%Dd8_Q)wNKKxy~-~dlT<{$v&
z@9(J`HDDSQqRVS7Eql}{Vx5gHQ1=$u3iHA)&AjwM!GV*gLhqB}cvg-h#bKPEmK$W5
z)=*XsZCGa@>Fiu#x7FT9f-jFwLtEM=aKK4I++z<%LXPE&+wC3R@36oxh1a-H#iP9J
zu4m&tf`Zkbg6O!5fn`kZwUzj(tdrTd9v8<`U+B3)I`p4+RdO#DUR2lSRpeL!U@Pqk
zyjOilNyd2)=;&Bji>Si5Kp;f^oX>O7J}XI60GOvk^c=bx4IFk*x7Fv_U(T9Kkq8Hc
z;HmW^hud3^bT=I<3MdE^(bR~vu|vsB=6}Vpb*42D-=dvWqILh|iwbv~Gm%2Grh}<|
zH?-{U%=&n4hf)#84=Ym_m<Pt>1;$ju61wS$5^Y~OtR>?qv@<z7yw>+v8>vd;U}71q
zJ+JUc=nz&$-&KRsV$ir~zK>^6IiG6CxsC>B|M22W6FBLCC4%yu*xue|0BM3gm#du!
zh4&l0`2FS&RObGp+-jV^SUk@XAUkkqm}g{WvlENXD3T)7ABdwWZuAdMZ^mq6M?((z
ztPa7*APUF$CF%uXKVK^B8O^z4u<62P*(a^}Gc3~|<rR{!?ft#c<Y<rY-av;Fc99<E
zBbf%xFjylw^=Q8YZ6J**@!VG6G7{u8Utm}j9Xj(Rwx6_s(=GpPypphMC;ip_({@>F
ze*P|JfzvbSg-@?WqjS;bXD)Ri3*u~}#e6Ah+c}znvlJ?2q#uf4k>RFYDBP@1-JF9^
zKIiZHfKt`ZDdUu8^Ss8`{{n+cf~vnop;dd@&i?cxzF?%GQBszs%IhjMIT@x4wH5xw
z=RNp0@61*{4dte&2mEH3>vT<#9MxgN3HtJ|cbWiSqb@@;c}BqSUgtcx@!062r?3Cl
ztVTl`o<ssP1}xc$Cra~%jUi;mL4rV(IAI!sABKhLmFZ4T!-P?VOfW8{KAy?balJ=_
zjlaIIvJVKtl~El@IaqCgQ8FBb!t$@z*7oh%@AOZ6WTd5m&~Az<Obb|5rR}Gz_}e4(
z!F96>yDQ}pr}Mt0GG^H)bx9;6mQoXPDjb!9D1xdpaMOXH=X}faci3w=cEDY8DxqT~
zB_yaSOaG+DL<oOBhJZNW6#d5}yS_YjPm)w1U741I*L8b45?>65naKxfKq{eTaB%0q
zsRfqOOzJtsk;*TT6BR}b&*E>QR<Aa)V>_1Gb2rtznBX~Y{}!*TrC*~_I<cp9y1uIB
zp4;f^^SfMsVAF6obbwW**})^5ui8@;)Oz8=(9HUev%U#;FqBhq{l0Q>Ff-i2NUi7x
zxrs5h3f8#H<owk5utg$iztQJ(z0anvtNa~_h@g<?PrMtmCueobUU&Qgiyk@c9R}dS
zmCwn+WymmpltO2WN0Un6NobRdCFWh9Ol1aj*j;3e?s2$d!*V9&dl1lTQNkRUsB`j0
z<?zz1rYz90vkBx_ae<A6xJ0ovixavfvgaKZ8E~o+*uk0W^aVYpg>qON47#1K8AY%!
zZ@jKK?Pr;q-{VaYkrE_Q=B_<Is6J|gvzB<dL2}r59U3FC^V55uy>H#;O*d|h*(}`W
z{JDm2s+u`ZYU_=5WE}(9`TyllQ}5C#QH$4yAB2$hPgZUn8H!~r&F>u9*x2KjRUR$h
zM*lF*zPo)Ifw(kn8FZ39T0hA4@$S2*SR5t;YW>&GCGr)hTTmzL4MJ6WhrS%iA*2P|
z6&XwT-nck_DU?j;0d*iSeyyxCRKyKC!0uB(rYCMostTI1vh}HGEFens{v`6g-FrqB
zcs@U77I@EnzB#GN(vu6}`OZFAi%7XI$_R5g6#|hzKN7!f_+?pn5GW2Y1}&}fj=c+F
zzL(;-+b7et86V4~9--ds81_csHoT_GGk|(g03k0|X;d>_2`xSo2S<g8%6k33gs{41
zSx2|E%6&Y3^2~d74@phRE?W|G|D#MTk~3SpDE3=LG@S>Dt-~v}Ig-AFvOgiby+y9_
zJ;Kj_D7i6pdNAgN36N}G@JY!u0`ag}8<xb9d8jASNX|F`?PvAjaHQf}r)6e!YhhJo
zXH69g$pn-8WzD08NTb>}g=@FwLR1K9AFY3Lht!$!796Ss7f=2>{ivZ;w+T!)Z0fsf
zjc(r0nSkGM>X3J57;uyN=Ewr0WKuyoQa(PCiTyGaCo{0_nqO=9R%T1|`Vz%Q|MS&b
zs2Rw*q?oWXp!9AeFHWwS6Qg;VE=nkpBRbS*k)=^YSsS<yUp3A1TOxy*>FV`IZ_wEy
z@xK}vPnlzLW_Y)jl}l-O6x1JHKXX10C(l#xb#%5~;0oeXIs6!G6Ub&GbHCQ>rQwz?
zN>9ZSaNcPQiiI#6rqD#le_m={gJ?DP1P9f1$ObB5+^_1&byxy@BLNdr@qs8s*39n)
znlMuE`p12b)!$5I<=Srr-B+WU)&*XR7f-B{hmF{PD1@ujJ5f4vJ*3&vQ^eS2w_UC%
zqCp$&JR8cz9H{?Hg|m{GYqZGHq%P`+7kz8Qh3>!tiZb*oW56p*fTV;5T&2qL@#4eB
z&Wl!)-0I2VhTUCY?kvv%GAG9Hk7Q#ktF?v8o)8c^5gxn9$nT5O`z4pe22~`(f+25j
za5IHW6}D+6FF&QoNWh!dR}$al{8)O1p%ejctJ~A)u2VX2-NR+Js&wNx5sL8MY|Iec
zkKN3!v6nqD1l5P=QTZ^WdAffl4?RSi`ca3`Y&f@wxIf*noyKtLSh!o=A3vclAALrd
z5y;g)!<v6J4j-g;*7~zMZh7oMP^P=;s_q*7;rT6mrKPB#wr&)RWuhpCsD|^EoQ_or
zM3cy(VpY$edAxg%WE#2JE2YIyS2#$q@qDvZgkVxc&x|vlXTSw06$b|;;4LiAmv#f<
zA+)w$Mkp?b9AXxnPmx*^hfbf16Ii|y6d2CYa?O>-o+y>elC_-;+%Bu@;@0g%rF)K+
zDL7SGTG`{5a4&#Q9bf~@X$C@SQuoXI0;@GOarXUh=R)B2m@>X&qgQvee*r413Acb0
zNldU8WbQcKD@0fjCepMCW{py9yb14{(J!{HW?~T&M0J_Y4)77y`bU25W!d<by^VvQ
z8@Cp7GSi6vX93Qm7+k?Ah&M6B7FPBAngx21?>TySn1bAqbTt3+alX<QqMKRNAe*<9
z&C;geRSman4_H#YIU2}2y-G@aZ{ZVKnKD8H8s|{yWP)Ej*bEWX$+(zhF$<CmWx2`X
zhq0Luaj@}-m9wx)2JuAit_au9FMD?OP>dJiZdK9n2nxu;Q2eB$@;2Q+C&m#|N)HZ*
z9yyp!%1+!pb3#G3OVUt}vP9?<5tF(5L}Ar*)W=Sw#fmNo9ehiK>gjxER#1gvQ9;*(
z)hTP5l<8Vg?$zz&lqp=4Lbip6a%=BuG`Q>1S^k(o?yff%iLY>)fTo#+u^oeprxebM
zrOLz*Os1d6$j6xrB>=rbL=je=ayu1nO9Ob}WQ2r`HusT&lF6CojUlJJpxiH_E_aE5
zYDZfvhk=ykN6vWRJSEbhfZHWF3tSH~i#R_(7tK+w$w?4qpqet@>&r2e43rAU5477S
zF9v6UtS#)P0BILGQCgfbGTNAwtlreFaDot`W}1a288W}qne+O|{d8?s@}`IiwLzNS
zDBk(uF4`ro1}e4WTBVDq><H8H<mHepIXXUg+sdDKyKJ28gpg+ach@B2D{+9^=r?X;
z9jwh_E$70CBDK*}8OE`U+YL5gY#e$j|7zOsN9o_s^^=3M(E<W4o2(OtZqJNZoj{w9
zdC@{-=&Gt`&~T$it<y>O+xSR`9%Du}W!qCws3NVADQg_MSeT$M6(Lb@lsuNT<-<Sh
zLh;|SP!Mn)){tvDpK%aUBI*7iBHnUS;3N}>4H!!>1C<jY&$Ni^nR#yfz+g-QIoZ{-
zC^ZJufdQqhL^9s|VB67Y>hP{p_V{qB9($W_3N_Av3H22CTlWq|4+_Ljmxb`F8W;!Q
z%Z=GpL~&SEeDlh8yOHDX+U!9V&93C}KJ4*4_yQdxEnX-aLihsQWzeGEE%!V&O@Hp>
zzVqYn--96B@yU<78CO8qWcF!B^cKor@+p=pE<P82uNS>Xb{!|~-RosS^wXjb242hg
zBngo6$wZ0snF)|7EX+xLgG1dn=<LBEfJ%w@sZVS)NBQev{pUCit|(btqJW(SKBu$f
zc>{yrbn!gQr>pK3pLmfHnx>foK0Ds1$cJ)8<(VCA_8<r*go-Wr#;r|W;{e`I>XSEY
zCL38Ob5L3EGz1O1bro3sb*!-<l71qKXy($+v$;_xeNmsKG}0889Ll4^VoWpf5OCPH
zDCMi?SN41~p&pJ`WLVy{b~evrTdfmKuC0B}c$Q}CyPW$;*>aQ{Mv4q1f+<3Oj@;q<
z&fs&MY`@FNBT@l^S4e~&DozjSkdl)V{3WbtpZIXjB6G|z_O6jwEL?mne$`o_t<O{-
zjtZKjvM}coYA0;L8yb9BlxqOW6rgB^sFiWD9j~4h#MBAO<|7`@mg^|x7h4~qxg@d2
z!tbD^<UcwYASQnS_ywy9@T=t2e)c^3lFwyq62HL4&W)oBXn<rX<hxPE7eU+#@k->L
z&egc>yVj2eIyYC&%MenrqfV1|H*3Zuom8^flL<K<{!BGLF0A|*phN)jKyfO$5DGex
zoES9n{!!wvw|xiCWZz~pOkB1AVhJWw6Z{%3S*LM{#H>QK2|lt(^sFTO!Vp$Vsb(SQ
z7(YF{GX<KnQ~O!|bYyP<<V5MHQ)Z<=ER7j3Rc=T6ClbMgR54j{$AJj9Dn?1m6Kk)N
zCKt|nT#|FF#VC~{XKB`^D-^K|mJ`^g`M$|c?)M3iZ|on1llzXFufza>0}jH^M~YOW
zz6G&@+T%bhhlwzMG7`rYom*e6lLRKb-{bxmeirr{B-%Vmi;lY1s_<X?{YH*6nzcHH
zDD2C8gnD>>6_Z&IIg}k67*DXN5XK_ym*heiTo#ZL1Fl-c>s8&oPcJfiAT)FJsg{3y
zkT`i!72dQ{Q_c7OZBnX3rJMw!ixB^!L}NT88A*&v3DXX`U4{rik_=1EhJeh%+PZ@2
zZ*)<&6{+)D9Qc(#gOwmQF_HMO-TIBHSiVxpi9GzCf$)mi^n8ASy~t;LCGVSb7Px^F
z<y9YjU!QK58&n7L!H`@>*`cFv*Wy0|%FWTrlrJF|nV{j6*Km8<w#w5cbO6zNofmXu
zosPkc$H~;D)`gbGcM=tS>vs3j_BDnxWTO6o+u*NMX4I>LZ@wT*X{gxRgi~iio;mG%
zL>>%+;BJL(UVF=pG=?*gj|^u|_ptT2sOvV|Qj*!=_kK;e8U6CppsJPCvyw~rJ3oJv
zlnO0&ru5Nl*$;<5%EK(A1#nPMe``_^p#0l=&yZRHp;H1c%{o}u=i#zZhOw)KjGdjV
zrOovu7aA)jy;7G&$oY9dX$W2;h!`bbkrs|qr?02inkvi3ee#!OSNXF4O?6!IP9T5D
zfSN~zunfpr5_Nz@l+1VmCIE6@JH}u}s!1piyj3*$;n~H=Fp$%7y<M)~W9a(akH*%)
z1{+;p@n+$8R`|A;>Fk%Y32<p@42H7mx>=d7J#&Ghl)HUn3es@jgOpn%w=9hE(+;=7
z<N=o=GJ)O%`E}b!52yPGQ|T9)sB|vA1%{BgR^a;rUV_il177x8dZP1QRC&2oTXc+s
zw|#Q|d>2$7iiskwnDh@UhECE@l&Pu(uN5f8=w6)aPj(PMPyL7M!LQ`~E8Z%8kITGN
z6^DNxZaZvf<SjOU(W~IW{u#UYFzCJVsdDoe%(h1IL7q^tuyVP-Zs#=OPZcLKg(FFe
z0ZE5^KO_%-%7o|>KM~=E+IZe97WikR{HuvP0G^@|Q1lC4enwTSZhP$~E(&<g6QNAl
zO~1T>d<*BR2zcwC8v+<l>cbxY3G9AM8i&_;C&ytkXfhC>RZ#JH>8vd8i903O_@ad|
z9j2<7v<VFgrdJ9YBEVJz3DpDZGC|(?VBCGO{qb0$>-&Jtdzv;wwn2lISdjj`0MJBc
zPw%z;<lElP%LpphywT|$Hr1+7!xSV0EnGY#bG0qJ*^dN11}AH0bO(h!L33phR#=t2
z8>l?=+Ey$-LQLGeLyT8M$(NW52BMJn9Xlf(ET#^QrGjSg;BeBsrv!M_a>peVyI(B7
zwTHsnkGMZ60kUjx7|vByhvVf%)5rTw>M+jJAd#2VA0|kywdcbT>ro;PgWi7x1(Csj
zP|kuJYI7y$uWV?;&=Vj#T=XTG;*EXl$+<LOimi7AX;91;Xl=S^E>ic?kSnV-=-MFg
zvBc~vfyU?iP4)-xE|(8*)Njxl1f?M73>eg$o?E}2n%0?`eAt?#rE%dP$4?Rb`RMdK
zY#Gd=P5;YL$dgR}Q`{~~MWhZaexw+KCM+qO@s23(Fd&WRBuznL%ASJ+<xWk0ODOF(
zxj=v*pOuo^$kR^#t(Uxo$%~!nBfAL+{jJ65q@%-2p2yeg6a1DbMHbf8)ALF#Ro1%0
z)jol9fpVL_K3wgfXdDm%>lZ1BY5l)&fhMdBP|=2STiO4^P9hh|Y=OJ#k5Jul0@_4)
z)c&_6^T&VG%GjP+E71zn%CI2ez6!GgUE0ngcVIK`Uo1zd&n8X3O?2?#|6+yNcDgP-
zhd7_`v9UQbfPx_+1U4Y%=6CL-HemyOv2SUANP=h*So-z)htDs2jqqFB?g_27W>w_!
zD^&CthQ6cH9OO+-&ax2^y|vvfgB4zWw}U{K;r;Nw4O$gsHi@;SJ`ykSlh$1}KJGs&
z=B@w@Q)?A$*9z^{;ay+PHNAc$OiV3^a)={!q4gyIsB+}z?BQT&Sd_^ke42Ew!-k8)
zsOjkPF~bX#(EI5@+i)axzzd=eV#%OJ1NSomf_b16#uJuIPbsK~C1PArP}&I|vj5;D
zy6a_Ez*XS*;lZa(tKu9=uk~hvXa3;3Z~Hnil{GXPBEu2?CqY$wEnPtvy7bwSqD7Ha
z9&P_+e3FM3ZB}}*nQMuo&ccq#SIfm-e5w%B=divGkVCfHb||Wk>ayQN(nq`dW>Y3u
zq^$`JvTslfH8>C1B^Zc!5`0<26}G3n6MT{Nr-BIJ9}A*CS26&&;WJlH3M-dIIwurY
zSV{cO;QPg=n=I9mXEv&&v*?~L5hMU<5HH-r^6``NqvW<erM&f-keh)=Iqn6&<k$>w
z_<Rrd%dbW65vJK*n1L}JfiW~)Pvf=|KS4FUZa<H5mJ!E@?fWymwb6rFSd{WLno1~}
z?Q~lIoui`|Ct>1%J9MtPE|LV6md}XdxLbceIb@;C^wyphw`O<V3GD^dzR~L<Wif6c
zD+0YZCSzelmKoBRSWF?{An9U44iI!PIPUO919PJP>><IL3!=yb)<wLGda|Ve7>Z8~
z*W#wXKUvjjbqZJ<8+7;YAbl-})BJ?<`~>#At~7S%BMd{vU)nMDA__!eR_K26WeHPX
z+{;(pwoAf}*Gbq;89N_ygHis4=VIG;LP}PtPz(FQdJAA7!V{<WUgX`Lh{MaPgMx%I
z^?^3*7205bwT^&HyAJZ#oq`=%AdNKEwJBf4J*EJ}SYZ2gK#|V7Vh>~N==>PgNss1H
zF?l%HKx`|+_6OLgQ~+s|Qecjqd84my{0nP7%rZCU$b{1nmd%*?I=Q~CQ@3~m*3i&!
zqb*ldRh^?x9_3iFYP`ftmVXb{DN-8RL$^r0-7m4NUe@*A*-Y;}-S$eDkvb?7Ccw*^
z{TixCmmplvH6d%qvomRFZqKc-0rms=40L-&q1jzZw#CF_(A4pWh4^O=h@XTe#8;mR
zj^bu#3;aBHqVR>!duk@|)RMtVw<;R52$l)d8H})SsMRUzYkx)0ouxghtcAfPShmgF
zlaG)le<yf~=6^nnu{>|P;19{N#@YowwYk{tanuR?979-kv^+O^f{e3>TO4Q&9pk|d
zNzKeKCQ6PXN+V|3HcIeSu!4Z0i8^Z`J!KQ|rsG<JBU^w^iZTRB8X5)hI>rKb%JL@E
z_~qy1%1=#{Kz7g;1qH=*tT%o^0#G)e@|wf1WRgbcZ_pWi#mb|4nvIiuip2~u03l(K
zgku@4SIrIuLw)^0o2qXwH1Gz%wRZU3D5$X}^s&lWK)UdAa{olL!D5~nRMNEJ&EvQZ
zLA{RBFZp;QDlPT1XcgnDAWPDn2d}Q>W>Fb#JMp&JkD{13><O2L&mpV;dRj`6cgmpd
z%gD3jy})pX%>PIXNAf~bfEBU-$@2Kw0;nI=6}pz+ttCqm^liL9x3+njd&R@jNTI@y
z+KhMDT)MlivAPd0l^3H&H+5llmJNy&95(~7p2dlT_Py!^(^$gI7ePR7%bQCuuL|CQ
zC;2O;5rf5R!+5|Cw&Ll}T*=sOKBZ1F#sQEj3ye=bF~}HLj>AT$A!&k`n3%2bBsOL9
z+y(`;g`G|GDCjhdip4*m<kfu%OHQ4DnzQ-n3^}U(_FvbiG(fZX`B<%}J=ib%B|SGH
z6}e%SeZrEJA!ktkj|O8o@K4yVXmFTcBsSc;F)4W00tht1^pHy?7=9uuu39;i|Ck`Y
z+@V%tIKDuXyISMXiEnjT#wn6CiQQ-Ltzv#2!a*$UIukwi{$G6I1I8Zmeq{dh=Q3xJ
zhDbUS7+{%MOGfz@QD_mP>;cu?K1k&AyH^C6&uQVN0ryXBg$l90N9>1#;ad^_it>H*
z2d#|DyH1JG$Uius0fmJYlk0Y%d)@bUUe7ceHE}J`6!b+SO_&=Kik&lHcc1gVVtA|x
znQ^=+6(&z{VR>K@%%jUzCQzB=(>Fu%Kj^(Eloa%~wRds47l2CDd+f{D^~wS$w2jE!
zvY?+6SfD>Rs&S5eoH~b&p8ioW_;7;VTemzA-8=BxM&~xf-DKG4IclS!tE*M@S+|ff
z&V_IYDo4;l*jJUf8iz0~+We#i%6}0Rc-`{z-Wh$sPH(lI{2h;H$YuOa&Hnd7n||{a
z6vzVC$qAY_RkKgbTL)b&KGy4l+3H@q4zT$}JJcH5+9)y>xa~#@5eX^=R)7$dSX1MX
zN)0*UcM7JiOM?5VQV#T&NFxc8P*~cUo83+UHYBC)P}p1Ad;@qCxszzG)OlnLO3JYK
z@?FTjKAfPx4PebLARQvuNOAjX4tv?4)FX~FvBQS9<hy(KlDRR34*6lal=uv`w5Gy@
z1;`<6IJKbsw)56-{4%UvA5VSLp7aa#--q{5&@|xE{CsklH+z7qHCVo#5<%udB0Q?>
zctg(CeyLKw=U-SoNJOszgl4k@2<n8D@LvqcBNq>&lnNmofh17;U2u1T=IvS(d3+rr
zWqBB%F_~kXWcBs8OoT&{^;4bzFMdDHA%bjWgk1>P{m66PyaUT|a_1pdu2#k*L%^eB
ziAS0i3>rH6JeTD}ob{SEfEnyo`}N;NQIX5v;bKY%c)lU@N|QplP+g`pEFv>*=MWT@
zD>}i^v9U4l_s397DT<EfW{sl7lLKXGL+XNbdQ6#Kz4^Sy)XeCP_lduWe>ta5Q|<HX
zR@0}Kr!%I(^EfzY1?ekQ#43j{h*gqxQ9uV*N(N}I?uy|yXqy7rz_hM7!Tj7D>!L-2
zv<XK0<90ZtFK&?j!0Qx9TIRC?3(mX+&0@sp9wW~;U+ISi{QIXa!gxuVKjY_l9=`-E
z{CW8jQ?bk!avQ*61;Pj|XgfAjN4sg$?Z5T)^*IXW6qS`p-NC?P-A$N*3epG46Tl(X
z#>K_)3J;+JC=wuBnx%+m-PTYw2|UjONoE0LJ%9-B)c(^b>SfQo2G1Ji-d@KOUc{$M
zl*RU%Jjkr`^0ATbrHu}b5ui-Y8Pp_vN34VG-c^)a;)=3_Lg}(vW_dz}&naV^%;IP!
z&C9mGT<R>!J1PgQG*|qc*@4gaiU5pk+^$$ZnGgE|EOx!CH1huNaMVcq({t!z^!+F7
zAey{{eW}Qm`~-Q@Kzxl3kGmreB!H9RE^y-ag$eJk?WnG{Bd@rA^eJcPxX_SO$e!zg
zHzez}_d7Bn%Pc06%tvszjkqvfen;%>K_@IERo7u@R3tG~Xt^SC+w}WS_ZOn6fMo)F
zlnDT3sVuf%k9-5!`J%8q!R`qT7iucgjC#2U@Tr|Fd8>h*eru~_k1xJ8ND&4yw|7}4
z5rZ6-aWG*4q@%r$^tk?W?QK}b$M^(mKj6m+-8LbJK+!#VA-H{Bw}B}A0Mc+;6j~+;
zLU^eW<3Pv6ypP(~#F*!c1W2yRq!1D^ezoYs5W$%gC%K75wV~7l<3h2Rm1i9(1`aYt
z{RzIV)J|Dp)dw2%urG%ft&Kw#4dR)FimNmQ*MMAg<O6qU#(I4@XOw4Tlv6fn&4C>;
zZVHVu7+#sgZu*4;inIV2Z2Gg5@@@w`sKOM$J83vGo}b$)<A6#P87}ocdtvexZp>Ud
zgD5;i0@^88`v&0)G0UHfQfupbLS3PD!W*Q&O;Z4<eKO$g%}u3PVo<i1^XdFPW-##;
z(oi~fR&j!3k%tj-<NG+OR=sPh$RC-ZNEs@vs#d45f`Di+zzb2OSKC6Mm;%Z^1{T&g
z*ydAykh@GW!`nIptAGFv2mb<b%U1OKZ38x<{x9IGgIJrm?#<>Mn)!q-GkoLO4*cyX
z5n!Jk<H1=u<XC_{fyFq~e!Yy5Ts~tiQHhL!i5UjMg)o8?R99E$^<CfHHCnf5kpG)7
zk&|#vPe;eAs;b)OlP<QZzOK2te#A{ja6Dx`PrHvE42&|!^ApAs3dzq&IsOGYuyWHx
z2c0f^6sgHIr;1I6`uZfcH5y2NeI&=7%I4G3Q&WdO9WtlNUTtvrVou1kk&fly`-cj~
z46X-&d1Pc{m`On$PwTOAxso)Kp>R;pxrCDSSVyU(r@N&4Mq+W-VMxPbs%3jdM;Kfj
zU5~eW+2b9=BzSS}tABT$xKF4Hu8;*@t04tlEG$aH^;00F&GCG##l*zc9c#?^iLk6J
zlVM_(^C>;Nd=jOLd-m*^J)B%xP!Xj~k4y?BM0q=ZPp3(oXFr6{Xq&@r!QO=BHfN&D
zkcJruX=$aU>!+Lo7{QHac)U5A130i|S_Xi8GJg@`S0Y)(C1B3fDq?m#?ffje<u0hH
zS!ReLKpV!smF5JKiu#d`G0pu@(U}(7F}NjX5yl&N9SCjJIY=V-GTHUkGmZ7Fv@P9D
z|Iz&#z~ID-X5IOEnWR%?8>>1xI*!{k+9kcf+2@^Pt|5r!w)FuA&_;z4f+)U)z+j1#
zL&?;aC{>r~*P~Dp4hbJ0-}^KGXnScJFL-06U>lzZyxbie7>L4v(k~r1S&fg0sXj;#
zIhdZ2Ta0WwWE{ovVs36h2U#txY-+x#O+Mb8a3IxqQ&`$`=ycW<jN5aX%FgjBp)0Tj
zK|!ajy4`XGy<Z@fQSsa_F}n*NQW7|{^u&B;e^a;$?GX$9#zPNc58`gh&ljZ$Gr%0J
zbq0gM1fK{;F9It(-##zw5IoDZcXtyV+Qt#X`7#QUIA=*3AJ*OUouP^pCMu2)bJNn%
zkd3z+EqWJW3E~Kgp02L0W?D3~(y_2O(2@iKUPc6{FF$_y1?yw8_^2IMC~pE749~sO
zk4oLH7NO&n7_n6#Ywa45{5}~!s%e)2D&8Z8l8lHa;f)}u=j^VmW%s!9=gd`-X=8r%
z&N}B?(t2Njl^|ShK3Ymn@JHxz9_k*urWPLR1hS!59-_^kw}Y?ZDvyelxR>7#>%!;I
zC%y`uRx!tOSG}6SW(s@@62)GQ+2}M>Fgz+%f55O=TB%0!ZFWAnTxI|Q1a!hoGH3{5
z_h-d|Jm|+kZq1`!S{7bBzq#;fqVk~DO6HPl--o;8<sa_L$>e+Qg@toOY79Cqnhkge
zH+UrgloVCXNBY}6JA1JAadYq2rSnksu;2bBv`6KaLkv$?Hjj&}hYCuUrChZF@QbRW
z$+(L=)sfA6s3R!^*{~MQUl34`yrdB`?Ed5DXgZ!Ro3l;tlY`;xR@O^Mq0<^)Pf%cU
zEcJY|S5NM2aue<$G&q?S-?YEByqDT{$;rjN`@RLY1_W;IC}IWg3feHbHc#%CUBm98
z!D!(1GKqMR<VxDNHzrSHCz1}gw|Vlu0*WN~Vb`%>@{bm8*?cK1Q>5|=gx-#8&1eu=
zI{4!HxtRp7J4YRm4yS=Q7;~wmuIf5n5??Utkx}XUxbL|a&8OXd7YflesacYrAE+qp
zD5}I;P|ttAWC)t#@BULOEiH{1k_-HmYw^&Nbr+wHhqlLieLfHQP3s!O@7m4^hl7b3
zkvtd_ke1H$`+G(zO}s)7yGD{Pkr6A<zz2#5B$_ku$<Cpt<u^6{C+#DF{N1;B1^(e{
zUIDLe)aE*Xa`Gf-bcn-EJEJFLlz??LFvf;_XPrab?<BNEalrXha&0M;|M>gus!5Hv
z&az*!=ewTOE~uE6mi8+}IUB0r4|{w2vu-P`B<0p3;AD7grc<THyM-r|d>OHXBuC9_
zy6a+KoqayU_+MOBc=M4zkJr<A`S1S<`X(D2r)aiB=-HhX{~eYGgej@>Zm?(i!|Tl+
zUo^6}AI3K|6k$os$(tGwk`^823-VE?fb#tOSHx>lm@gP4fxcn7GL=1Tw@aafX?&ET
znhIhPH-JgL4<GD^pBB*qOpT&68BGC3@3EDbm=MSlNCdD+jBKQ&q+ko`J?iTgF~=1;
ziuL4IB9+J6y!erHt&b2{IXKF3)F6n?_2%tYudc%;to?GjZyAYE;Ic~oqCrZH=9LYS
zb-wj%!LD+*cg~7p0M92ECx}K5dw>z(i->S}L7NUR)?mJ@^}p+8f()j8@mCB5+p<0}
zlaoSaN|I@(*;N9a*HhEy_tWjL1x}wycDp6VUBdgfa}sO{6FeZ$6A}{ofOo{<3S1ud
zb5qmgqo-58ys|w#cteOL#k#_pk8J~6P{&7+*RJ?35vXs9{)rV0Mry5Ou#zyyI>4%_
zIww`Gs&>7xUYbFS{Y{`$l;*&~#AKI*mi2*iXbrH5=AhQR!zHrRTj9|ro!Tg+n5t3<
zI1npVbr>F3QQug6*)D@!CmiPiTn`f{A4r%~J>-;>Q0Xvb$ViO77qCVtbDQc_h{Or^
zl&bN!n*BHzJsKW!2_~9v@OE;ke;Yjcf>air)qwVx^~pNBMD-do9h?l%L802>#Bgus
z6<|Ia*(_|TEdf*|mz=#{O;kfbcprr$*`X=W2TA)-^BvHUXB3~T3RsF?Lx0UODFm_(
zNohDkCtMTak_fS%!Ds_aNBN^^&+8Qou6BKXV1NUMBu-ZLSdhjHBEdlvNpsiXH6#E!
zBQ(CBzNuHL0>o`E;7~#MI4PPh4aOxgC2G9dm#_T@ELAbb`NA~)t>g4_=mYGwE8g4X
zv%e;eX<b|WCsv+2lY!cLQKU$JlW3^-8WwsuE5OT(zsAYuBnn{F>isT7WR#Sq7jDpb
zLB1=`>zO(mikAGmvU1$5Yv`ak3&`Z6>`%}E{!W_FlG9U00+yPS#1cA?zEQD#cLs)}
zwUw;~_oKt1FvIn;e)X}|pfu1JBLjoH&&!#&NeX&Zw7bn-zbzPm9DdG|h;yi_y3Sr+
z+RZF4-^I;hIC)uuAOuy)PUdSr(aVFTPOv$_+frP#nhQI2PyMNNK1mS1fYay%)?>SM
zp;H|H^Q(rrYqV)dQ?fBU>A2Psfj4b3>LW}X3QrrKYUxHDFz#K`Kh5&FKeZsigc<RB
zE>q;{UTN3!%otwQPj|7SUrqb($|VWr!iN$a2{T^;QM8nl?4PP^(>qTS4=Nctj%RAr
z|D?T4o8J6Aje#v>>UrNXP5i(aeu;=vfDZ&(q@VuV7r-p#&nlYLdVAh^7soGwCm&!$
z+3YAM<m{n3h<l^Od?)D6^MT;7H#(5JwVfWAzYdN^>n%d&XJ_CEqpv#LJlHE5+GFv>
zGW%$fdHur6IJMw%5YmrT;Kb`27AvonG_2|4!7@6!H(i3fj&_$_kbJ=FbSe1~3=kMy
zoq3}_FYckv-tc~zd)(X=&DuOI=Z7E2hj!4Ov})3{>U;FOyyCOlSQgxvQp8#FeAE3_
zb!fw73W5}LJ+t;{d^LNa2O1K`aL*O7ir^t^VM%N2h7clDU`Gz3%EMQ)`>}+hfTDvG
zIo!eu@bJ}dAB=KfeEypQ;OKJ}X?~E+d7*<MFvE@ezB7x)j@08OZ9)4ov9LHx|K3js
ztwCOM8}AdiTWasrQ@s2N`b<&AhQ~&mC@nw1?!Y?)zf_xtT2f*!y2&@;%Fp>49UHcZ
zT7&=v`FmVF-Etif$}JEFyP4Nus5a|TDd{eQ@fMi;zi@SGZCB0#)Mho8+)8ygj_SiY
zgpjbguQZeO;uXZ2IH)va?t~;pFa`BitQW<zBM}~%%30`)5;DO|#3ncZQ4$9*#yIhW
z`V+FzOjJ~XWer;WnmvHry3|<bH_+ct%JVCfpbbw4?3k11()YY-wub)U^&lyA7iuFB
z7%NsKhh147++pW!F%kVmu;EKo+KAz=xH_R(71`6yfQoiWu@KT6#UXQri>Xj32d;n=
zGp}{HF_-V4s@^T^A3C#N)FabNR7c=Qd}%U-6gD_6P}aaFLPzVEX|aR~26?JxC)IaA
zps1yiFa|}8Z0&Cy^FP)<V?>?UW?3^8OA#}vBC`aQNv-EM`xD{$QWtES>JoVNY~6;7
z`1O$5I%J%>$srTr^!O*1g!Iy6>NB%{cZgLZTm0iOp`ySC4T=XPWM^pzd@W=%HaIPy
zN_>z+3)fja9E@^o5BU_lYUUUourDV?NouS=rSkjQc>KmWGOBQT&9V=q)#5;*qOF}#
z5vfuAemNb57K=&;r4+j0Qe>n#xeL#{2u#KkWnz1N%o=9@Ah<}X52<At``=HZOrjWN
zIBojkbN0*K>Bn8>$NRb0L&d|H%=I;9?FC67)K@61p--@4N){DKj^zypV@@ln-&a<Y
zin-?+VTu}}<V`(RO1={|G%_ryDK<h`5o0H%pa`qgcDA?gTD!lvByYUN<|MQW=0L<H
zT?}V49(26Cd7r!LDo_5|GcspsT2rxmDd(49NkvdWBUhh``l*?vrlFN^Z;H@8K2U=3
z&(TQ)C>6iRjrVf$s04(4ju<-HCLR?QQn|ULCM)J|aXgq9m7jgrOz>zyZoi$8skQ-g
zlMOV(kgzry4n|>S9Sojp7=r&*3mg2~3!uQ9M-=%M|JgaJru!<&#`VGg5@qzdTv(pM
zl9oO_P}o7-em<utbca4KVmTl678!<^O2v->iL%cCA{Q#(_~CuMNi*p{Iq+;0ML2tY
zadGm=HI&-l?fL4bPpicr=l(x`EJ^-!9~=mgihuWL)JzJtBZnu80y*6^*Nme1$(DV_
z*gHW5!S^D;T-OC|X23ZBQ&1m|7wg~$9c$}~5aJMv^l?nxCYxWyfB$YBL#V2&OWg2w
z!H@)UMe)>lz1)L9-Kh+&w(g;Sc^M^i=fGIL{`m6|zhgvYN&YIv)OhMn+HxW>mWGs<
zO|H71(4KT)#<TGK@d*~khoDO&&d?(#kB`vna4`{{&MB&ZtFCG>u746nGpt*tMHS{#
z5O}-Ac;eUf%Go`y;;VlRX65_-lpxusKPg1TImp)xJcW*fb|w~FUr~Rt_wKo`)oWJt
zwJ8abq=m$|y-eGB#Edd<h`s+TZL?Nh?kgwGK)!gmxWXq36?md>nyA7Q?CIk_b#(<!
z3NcuJIv{{bnFgR_e~g-9dj`m--SyxhvqiT^25@Ee{&D|aHpA}|@$!xgbe$)NTKP5p
zFHR7#?`)>*!OcZmUU=5_jz%q=k?LSM9)A0Nd!o83S9r2*9JYQbHzglO#{!WTUpey7
zZ{9z<XPU1vjB&*yk34cTBO_zZzh%SP%#vrmd&hy&qO_F%)O36VTP#MTR*;`BzL<@I
zVIC&j9ONvSs^k6f<4(^%es6D0BEj~jaP-9huxu)Qz@OZ{eLHtq4YYIT&LRLP0f4iS
zNTlz%=blSxrz26uFO`t~)zwSxZtd`*vZ9%Lq9tOA&}pS*fB2~TE#{)y%|fTMJ)WMj
zV#Cs+e0}l7y-vi`zD4rD;hvaYr=u{R0Ifzk<M|bGv9KUlcNfdD{cUF^I&C)FDumFf
zjT<-4+4s3)wWVs?6Sx0iX^GL2s&MP^Mj?@4AumgbhU^Sz)wA!(9(QvPitvzaojM$I
zw0VgC?lXHI_Xm<G?NohzJzG;#GfGiZgdm9O+S*!aLqmgm27q38;RRT~e!bpiv#r7y
zyGW8e{nS%W#TpwMFRki(J?%@2wZ$~8E|G{iP%38T&kQ<RN6RSTp(8^F7F$pzl;#a*
zThN0B{mfOYB9Q<Y^t9l!wh`9p;>p51C8XNwrBO@7<)y}Z(hO=tFs3}cW5*AM=JMr2
ziWEKm&6VGJ;#;f#x46JyOa%&_$I#p|imNNlh#(M<BtR&FK_(?G`W(Q(2m=xk0#mvG
z5Sr?w{Qi#*?i#X(pXDww9n;v@2n`Jl@!HzjVS*rJHk+-|X0t_VYilD74Glon)zwKz
zlB~uU%P_{DZr{Fr^5DUPbK-C^$??N>U(?Fvmix{Ph1I1+>KO~iNs>TjqoTq&5jff1
z=j~ri2zum^$EcRpfk;`Q^fpO~BQ$bagfwaq96RA)Vljry%~Ge_t3}I%RC%dkB`qAc
znKNiXFc=^82NKbXeM6EYNOK0Qe|SsjL(e{W+b=iYRs3kWftJpuQCi!bI6qg1&X*`8
zVgl?=7Su}e^92~82oHmH2CNwrD5p<A^q%wJ7hZ1c@9On_B@j%^sePoOp#kda>-`%x
zY#7EE=Ocu2YinygXy?wIw@tT2UbTsN;NF6@%a@hzx#Jd<q%cpH@^RbFIEVgq$NoD`
zwM`5!768@N)nzgaLn^7JZC|;s>>INkQyChW<X-tz8^85|LaJ(+@v=FXp^?d?#~W!K
zp9uFj#zS_V$DBbY%dnV~xf-=(MV3`96N@ihWf~lw#EB#a7xOz7$KdvIU@{6|bc_W6
z3|2EWeN+!aN0$q~^<I1Q<Y$geZ5<PzTrF>Q?%XK?fK~Ig&<H)cwdP-pY1*Is(_;k!
zNs8$Vp2u+TlXFe~@SQz(1w+Z;VgV2U!1K>P>-)d|-2Aca_MFwTow9OHg!or}c_Oj(
zfl^6nQQ8%)9llbsI|AVLM4)16#*FX57~o8I5=ast%R+&4`ZPVq@o?;fo$u}U^6j0@
z@4fj>$15-oSA)p;dZ_+^iBk%tHd7$r%L{U6nlgkCSj{SHdYa5~sB!RPj>FtS2awHX
zQvm?%+jnqc%o#YGpQF7uBVD0R1r9kaLe-Tf!5{Z_vn<OabA|$;c}5Y&0DS{q9111S
zva<9UgA9Qn4?_+H()1)`nkk^ByEa1M1ROZr&x=F?)YapD^R0I~o=skKe&U7$D9P~r
z=$N}97?G_iDWEg;+L=)aNfMBgsV&oL#M)yg><1Z^=NAKj8X6k>_OXzEG7veOpQGDs
z(9<cW7(_w=T3(((4vkE5&8O@*J5x;vsrg}XGReX57CTle#ZZ{1{~Vkc1Ni(L3_Dm5
zQV1+23S?8;c!1|Iob7h;ojop`o2@0f``m|r_|v0bi^Z9Fn{p-Rli|rEn^daQ2ZrpC
zyQ?d-`c#94LW)HBxw=XPEtEC4I1aH37(^EW2mqk3e{y2dA8E?T(rnc0XhkXoLl6iu
zt!l!clffVNcJoPwLk67;UG4o?p2yJL=fUR&ys)gyhzxrA^Hn>JaSmJ_7GzQaEJg}w
z*%ur8$HqhW@R0%DY*G?wdYb6&^_+e2)uZ>jJyGv`@`#*oraPUkuu^3{=<x*ZTfS7U
zOf@ql5(-dpzM;mTlVlt|GPIw^3)7rk3?Kl2?mnMmd?HY9F)RNrBVDeZ%}miUAu20Q
zBO=ix{$NiR7YZdnPK%IKI=2mWfnWm8oE^s_qX96bD^O9s0Ra#&HZiqeJrcuU(2~<<
z$G-s1=vV;%scDEK2?AABn8;+3M-FFj@a10|yXSO=d)@;W@>(!{#BTSBWSK|VWboe7
zLLHsT@e~S4RFJD*o|mo8Ki=Y~kH(nzVgL{Tz_~&HL|?yWw?R)=TFgr8tc`U90-aWd
zD$0xm!}9!|{XNWw`+9hPAb|qGIEuy?m<+`6q(25;UlfMz0qE}YfZY*<Xp{xLUV{`0
z1&SpEFd5__k-(tWkYLb}pjHw<38wn7Vlf8JbWU*1Ep}ck5<pFrRiKcIP&kqVw>M(1
zd-+fI9%&x!ycRqnuNCtL2M5Q(am@*dD6y$9Pb*9HrcRr)(vm`b?f69ClabMoZ!rJ}
z0Knl4PaZoyxJ#v!q+86&GKrX))kaMLNlH{zWC)g)q@zGE#<ZSsGbh^ooIk)ImL~}w
zi;#>~AcaDKR4N6M%cV#vAwjDlL8l=>t0F-uCx9RTSeC~QX9)N7dH9p9qx`rl%x5i8
zlT{TaGTlHE9$yp)0>QW|Z2$2~pWJ`w$Vl6@;t_c*1z@+24v)FSN7YJvcW$<ZPBj5J
zeTK<YQk3>31h~KZoVSl<dA!g8G?k=d6Ag_+yCaeKu*IajMWdF=E){tpgg`2#P}UN)
zpt>@HDlbu!Dh0{=CIgIP%**=ye$F2V@ZoTnjYJ}RFciU~V*zep$j5c|xcRPL7uR#n
zg9k?@If^2X#jGN#mYK+$EDfQMi%=xWfZG!VtwsvH{hp!ce{y*9p(7)$*OEuqWwG_r
zvVvvb{bup+H?Ggk6kNiYoN$MeyZ3ef{NG<a_Poaz3*2Y`ozDYp+qP}!a-Yq#Dzdjf
zaodY)*JN$hYNS`as`q>g2Fvom^O#2jLIM&YnKboj&GQkO#}@^ugaU<J1WhMKx?cME
zk^37zb@W_o9+B5W5ECx%c+UX4TdhF0oGi6rHW1M=Az50SwyL7cxRGJlj&p;4JAVU}
z(d9JIh2#$;CO@w4-R1U#TWOi7K&z3aUEEJJ7a|A*VzB_EQVL`;A(BZcBoR|72N;q`
z4qWaCuq+P-y$nc#fQH8Y#%F$f=)RWI6NA@-N96SqhR5TZZ0n4@FQnMAylic*NR&EN
zPm%;=T2<*)6{d&HMmnvn!+A0qW1|ZlK+`!He5T9Y`{DlHHzScmw}2#alnQa0SS*-V
zO+W1%1I7S4trTQ3Aw(h!ziW5rZ~ytJy<5j!k?S^xM_x~X1cSlIzzDZ17z)X=m#9}L
z<f2*anVc3;OH0zLZ@*>9gAxfDY(MMn<oW9x?q4Z@&J)A%?8(-#Gav5neckH|f66et
zf)o%I1udco;_9#zPq5(eMj;qZfJh_&ty&6F2?Yota5#gBx87}g=0`s}@^m!D#;zxi
z$m{)9Px=F_%O^ZAFyLr68Re_f476f4$CD%pFs8{>)s^OZ*3?+<^!Xwa1H=AvFb_4H
zYYCtWfz)<pqVL0fz3&`9HS)I08yR94j$#-tLoB8Qm&#J}JO-~X2ElLwLZJi@1Ol~6
z3`&I<gu<zwAB-`ywma>w{_4}M|MgnS8%c)0?)kJEdL3rva%0xFzp?Va*WQ}FftCp`
znX1JAFzJu6t?kaHx8FPcQhnp#zEGH9uI2B$5+{1DB&0~vYL=(fRGC(lml|vGb9Chr
zv0%AIBh^SH)CKPn0+mt>LW)Sayekw=@P`@)_Wu0W$G_cj`o?uQkT()Q4rkckbbR<d
zmgNJ+G<mgJB^J-7jSx(AIA$+VXWn*8=7Vc$teezI5o>q&2P087z7RD~D&lyIeg1f;
zz0=**-swCk5(*&Gsw%OXl?JUwisUj8&@v&=G9d`anc%?~L;s*}^7Xe{x4-ym)06!}
zfg74TTQFy*3-dH3&pvtkf2^rlvQ|!u<^=3$jDenWp0U#%<G=mrK+juECmfyeIGbF^
z8b~6hgllR{C7U)BY%MEE`)Was&M1-0E$R=365P?|;X^<8$tREZ^-p##1i3A!yX7L0
zfO_=dvPT}?vh?4I^7R&Kj+JbTF*wIVZ0~@#^|RAs@9f^!^HFE7ub*K!W+4DbND;!q
zd~No9cNN~Vd}+p)bF;M-#xz<m*LDwv;h?kEZU5b__8qVP?#!Es1j{TGnJvh}_hPX?
z|J;+eZo9KK@3AFjmGVj=7nbE=+!bbqMkYJE``mjEA00Y)wAp?(6i&LX)cO7k0EDDc
z%5eKCOUc?>vo;jv>+j06steQfG?nU<(xn{fVY@%D|4`p+&;Rtu&Ul=4FEm*#NC2Iu
z@)CW)-#=QlZS_j)mn|lx^hz7FcpgJ2oWL%3#6RH<4-5|bnmfAOZM*mPw1&dWSR~50
z0f7Ar0VI$~DZQK)X54dUenn}KVOiD^bxoR{&NAp_Dmg78t~7MV7=zsrh&CM`dGCMT
zI91oy;qF<eGFs380ss&QNOZ?)bLo~%#ZRnQZhkP!s+L`CE(PPMd`djd@ZQN-Fdk?8
z<F4>{IGpHbIo@k`1buc#&^0pZpLDsS(R5RZ1^{5(an@(h%cM)pO10UfFj!0qjesPy
zG%d<WH_+)~F{RR~B?_^aBE%xWRkyS9JchxM$;gS8(RV-C)A{nBj*WJ(EQc4ed=@-_
zzQ_pys;M;P-oL5%vE@sRUoXtlr(Le`{7S*aay;-H4;WAXeZe1$03n0`5hO7k9nIgf
z#p5jW^m|;VK6AYO`;WVReZ0kSj^h9?2DvO609{DNG?`}e#)A9Tug&>-evWR1F-<PK
zTCH@Wi03glCqhjBpzp-q`o1@I@9%kkY&_yyY_eFC06I@HsgNuy)|TA8zThh>Dopn;
zv8r-(8maJV+efc8aU2gGZ!|e%_Ya)zaDMRnJ)Q4&bbH$)QHEQrGFa3Ay4cF86r!r{
ze7olE@)F~ElTlHeZlL92u>jpD?ZopK;&B#_yFwv{Gt_mu!+GFmzi9r*A4r^pIUHTN
z37{KD60yKsU71m}WmC~wQ-*S7M!GyptCs4dQi>3Z<{wl%k0G95aWu;C-pQzU%o!SV
zI0MH&*wb~m<@9(<D4ewaHS+nd7C;x1kRnwQiNJD~EvKxqJfoDRMY$G}GG9&$<&=O_
z%Va`YCZhxdLKq<g2myhn*@FQC#=v8Yf#)%bL>V>`NrsawHyI8mL!)DX-cTrU?$qhA
zjsu4VI^qd#BpPG<e+zv5n*q?Jloc%#Do7H^cpgiP>9pLEp^&Q-Vv$l~H3I+yd?Ta&
zU_4<T3kIFz;V?m<7{}pAIFbwkK<p+9Z&FICtE<aApG>?-sfoDBf}3;`KsV`z(f<R4
WUm6YgBIGXs0000<MNUMnLSTY4wk?bR

literal 0
HcmV?d00001

diff --git a/docs/images/favicon/favicon150.png b/docs/images/favicon/favicon150.png
new file mode 100644
index 0000000000000000000000000000000000000000..29eb9771ede9e4d15ddf0bb3a1ef0177d151c72b
GIT binary patch
literal 37045
zcmV(?K-a&CP)<h;3K|Lk000e1NJLTq005Q%005Q<1^@s6JOOdy002GkdQ@0+Qek%>
zaB^>EX>4U6ba`-PAZ2)IW&i+q+O555mgG3nZ26z7cuOEA5?Br<p3^(%<@dd?$QrWh
zdp(?vs0xpCH=~h&s;Gz#h-?3!|HpUzumAPGLTYcka(V01p6BLQZn?$IU+Vq)_4^v`
zeEvMY+VkgU;orZ1{o@CbZzaB_-+w;)&+9wiFaLbQoBw=&{QLK>cmBCf{d1u|Kltl{
z$xn{_<<INtp9`h<`+mrO-O-=-_53f7^XLERJ(u{$i~s)L`DHOy;hQO5ai@@O{`8G8
z`TvwU-;4Ztr{s&y-$SbWS<?TocGo}t`nSdV$KU?8c6a~t{q*lkaov9{_Vc$j`t$uz
z{`=aU75djZ3jh4%fBV6^Q@Q{3*T1aY_pSPU`}cG`KdjVq{duUr9_9Rv7Y>#(owq&w
ze))gl@9+8D_+5F#$)YcIbMSj!p@qn5e<6nzdicUVUuT%yVvak$e2sC&biP;98(W-g
zLrB@*;frr-X<h6^Op{$pd^`T*Uc&j@c0O;0$|tYDD`Vhd;q2qzeqaCXoBv;a|Kmd6
zr|E`p*MF=P_Z2ljZo{4PPhQ1_gzwLqmb1R+_w_G!bN|c6CU&r#Wv)D6zsK(qqlACj
zRyzBfcwM>kb^pvgyz9>eSRy{Va5EvX1NReB2~W7+7~c?B$IAY6?mVU(2Rjf-i7Q+m
zdy~?`=G5qC^PV@H*Txcm-v(OPh?1W4vNbJrHY?|X{k*wiL%pPuuTsiW-cm~|{Yg)L
z%JV$$BS!T%z4<Ng^S*C=+uLiZxt99Wx7ONfZ?PpHthA@SSF5eH-uckZr91ELyrTCJ
zM;dvQ@r-xW(MF$`&&;#TXTGz}Hv5VzE!=-S>%CT8ZS@^CrnK`e``PcVyY2pAYhU{E
zSH9<azxuVW|6|ww?CQVoTKL<}{qJ`z{Mj{kET7lC|J*gc{l0%)A_ynNJ!8jW4(#~r
z4q(vHJ-chjIl6Q1+1&)N64|v-+?*BMF?KNT5X%?-v3LL6x&Q6HT_yj&+PC;W?cC+o
z{r|CZms|H|=l*lw{>!edej-Xb8>APyrg!=PHeRr6kF^_<{%^nT`sMe#(=)!la_!^!
zo)qVEbv|peY$dEW>{fOyJrnF^TRYvW`<?tGm!>QbcD7ocP{g&~zFA^yIp*)V(tP+v
z$R*~vyPL{V8=LOkpRwCB!dLUxxn>!)KBauAKA2BibF>dYnQtFuUke-pUdJe@)sep$
zSd$d0FDZRzXu+GyGuaI`Bc}ayZY$ymp%tv)?U^gy=~_3>vetKxmk*vf`K)!%&965<
zd_Z*#N*i2oa?9W1Mk_aVbH8u!1N*2QHj>u(-ah$WeV(2}&ttyqW7@m0K()O6+o|=*
zem-B1aje?D)V|ueHFmOWKKgpt<0q^b_ngF&vUo!xkmUPg=_h8?`SgjQ@62;z;d89_
zVGp>mf%!f+5oS~@yVlRBbwbEj@^}OGjT=01Kl5Q%zO{*!Eqw>~o;U7+2Ms=SVqH7e
zM$o$OBJM*sCq!Y@<z0oFtgIu(J4z>#*87Vr)M)YjLVRnV_sTB;@T>1AanvXtb-eT0
zWwcp&l=$rj_bwy9czRmvZYw<RTp!eK#HWvsu*crz)>+ZeHn+!`jw`<_#Zr0V`Hj-B
zS-cU5esQRUXGhlR%dyU#zBF;}!k;B#d-q5XrWV)S;KS9A*%O@qpL@yQzOsB#Ho}9C
zf|=Zl{r*Z~m+*D~tUnEZkCB!8unim&I#3_nA16!P@8D)Cdl~Ot!j<_^<!9j4zV)IH
zN`Vo75kn@J;a*S-pmwH>DbBnSTkhus);aIp7C`xy>)XQVUS%)#f&IjA?x%&&2fNNP
zz9Zqi^LaAfm%ky9v-2CKG2e$>oCH%aI~TYHpxkF&FDv}^#HMxtx_oQRr%urB9Xw3f
zgJ>KR#N@4`y!culW3y3p%zEJiD^>38;l9)J-8?!E8)L56%9D%a4J>6*`0;MMv)w#7
z2+C{4_W5kU^Qt}>z&?oN-H;K-2LE>IJNc6@#l@z7i?}@A`|EYBk@viJ4zYL5J(M?(
zD}r5VJ<p!8l_!rU?KXK3U;=IN<^_I)#%|V}S+<h7z=t>2@nYsYR03mCY!{s3JJ>Vl
z_pwZK0Y5y_8wW7(KC9h(<ob0e2dnPY`+mU^!U7mlfFZqmT^SJGu`e8rV1UD{J)wyh
z@_hiX>#78i8E^=obv<|I4lwHtb_0sN<&O`&2qL5N$eo{X6-+UU72Jtj=<6X6mwKJw
zQzC$upSTDdUkk*dR?@ET$1(sTU}FQuR@|)UU?+%2BZbjwx*tLxAqrr?yg#tu?byi%
z3Tn*@3ke(PK@=%le#F!BKhU|2S%{ptMQSTTo*siJI)uyJtrJ(nQ*$gE>)IkRCXM6d
z-q%flOrgC%J8#C0D@#c1`#=B)b9ufEkU;t}cy!Qtb2UDd^~W9yI8y^C!p>eRfA~&n
z56I8rr6rbP^_jO}Ln#x30Id9cWx|;1y2nV66Bxz=fjH>-V(u3|?2Bt-9{rvBeqL}E
z*vuzBwEe7wY*;GCSQnt2TKph7GvWo`9_8j~X1^~Z&qExEL{PNCepl`lomO^SJ68N|
zb$pAci3}iq<@NNtu7TyR&EkL1+e{R?aGJ(Tu<6M%aHH%GAGGkC_r`0XT=?4;R1!DN
z3q<1eZqe8sVuR-pHRHabR}2Bx46P$V6*siPuh)6B@nTAQfufil1P&@V@uS>!$Zhg1
ze5Cuz3xpY<_HKQ3RseqWl&xnzV~rlFoB>5Yh>)ymSi&P)Q69pOU)8sMz5e>kzkP*R
z5op-L7x&2vtAumKS{6a?Yda&QyLv6nrhT}U*Nx2(lfh72Ve;wE8&CoSCBxQa`Pr@)
zGwaXW33_Sm0D#v8_Y*#9U#xn}S9$|6tc|!Ae$g=2j~l_kB?KEBW%p1m4}lNLiG@u0
z1C$biwDD<Ru3%jGYT!E-2x(wB1Mrx2r`92Wu<LY!$<Ejr(xw>zK{K2Y+iMRz2B(0e
z^4LTXfH*Cl9P1;V0vlZS`2bP2k&uEzHt-j?A|~KsH*9v!4%^XqF=1FH_jd8RLTG`3
zfC<nR|Bqo;6ckH~EdypZK!`*IKW;#rShUi(aRPh@l{LA}d@oFlcnvXT(KZNnyPRuI
zP{8$?bG|pIgO#yDP@~lon*)j#BJF;feC;I=UPRvU{!7Hh0@+qgEW#DR$o-xF+6d$#
zyFl;rU4TuD#<Ab_{S5NPcL=1cE+F~T!Q!x6#7)>AUZ0<NLz6adh0lCYkOlkREA`^S
z4XBtpZeA`5v5JV`z0@5#;0eMU^tmBEy%Db2VGs;d#AbLQ+!7%WAhG#IzrT5ptKoq#
zdv*(pg1?j!AT*_{Mrdch-_iC=0qT|zRTaizY(i=9lwf)K_{*1`azV@RdV~|;3MnfC
zu9xt6LgYcD3LE@Di}`TVY~&JzCsD0E?!{)qYm;a_1aL@T;S#_XTQ)Lp3|KO|42mmV
zKs~7HEwj0aVL7tibp{{-cdtvPx-Nrr`0y<m+_{Hvj|{3p0|W2}Ed<-PpNa}%58%W2
z&UmovxT7hPN+`|%8y5yXK`6XsLKyo*?qZ&K4E8^YECs-gEb0T<%c32@k?<w4=w1>u
zzTPA;fnMRxeZjc#J2n}D5i&3kFn2g@C%WOHutj#{-4GiXDG0|(%ytiu=fYBCAzY^-
zb(+d=X95>-fB0NG;GK61T2#Q(GmFqF^x^yYKb))a5>$46;R~~83<C$`BO)LH^J8b&
z&)&aE$UynAONfybABfR=@5!2SzXQFDWO$zo-i!T11Ur1;`2Z!h5j%Vo26Lds5Mmnv
zMcC6JT+_9U&aDDCZ_x3c+%J}SLlF=ND5DL%W8-+?8_~*erahEijSb{~6WHXg-`xpU
za5(rbXg>JJCtOmRh#8@ND@!mRSP+6_WYho(7^8z!)Qy%M`vITs?}yCk1(^qNVL&F}
zyBGTQlW-Cg?iUZhFa2RfN&|&`elNTko!|0o0tD!i=llyS5Y+}GNYVvEnK0uJ*l`#s
z$a3h-%sg*6vF$UWYg(WZeuI;Q)pLPOAlw3&v&-z?HQ8cV%*1F6@K~*qkJqS15cS8J
zp;Yh^?f}iZU`~(@$SpcZmxpr}v&T30@k+$?>Vb+R1hy9gCMc~ER22d!ON;V^^}M`(
znDvH+WRwRmo4!3Si4prg4Ac7tif$HO-|K<Ew^7wI!}*aH0K!U`J-(lSexh|hBICh}
z)4V2Ee7FRB=;aa>AA5-`g%1X}#qNMHv;=EOiViHD2*(n`egFvqBI1Lcy3hofhz@Vs
zfPsXEum<j$7QtoT)@H;CdV3<Q;Wb?0co9`cuz1lpT~hJg7ZHjTs)hXoSrICTjsPjE
z@Jz6hTU7PoQiVWFoZSsQks*@+owOX9@B;DUa)Z$dT(9>)><KLZ&kfqdGNWnX6)&0_
zbE`!5$H(hy;LLw)sfQo;xc-fV!2Qv`TZ%;tf|2<#MB+aF#3|PO3y2(}?`>A+grtG~
zxez}Px!;?!lr8^x^W&S*!oDv_n21J(BM=#>Nyu(OEzuPPU(yF-+ZDbuvAYTHARrP2
zUrf5*`vgWKPD5iqgsBJoJmHXcjBR@N^`_BC<GPV>zZeEx;jwOvlC?J%EzQRPuucI1
zA%?ENd~OIBwgN+3NV3k3#kaPryxvS`2x7G_OdpL7Wd~Tp&xg%jc&EP`HhBMT+4MVi
zg<*+3rs|E_FLD8xG2sRp20j%AO;jwkc3i+>24NUIPN;8nMP<jto$)>5Mla6=)tBhs
z)j;+sJfDF-!jdNDIjgiD09&KV1zJ%1g^myfh~r~&W+%b?TKw^JEk1sTYwnBPKrsz3
zZ$b|WHlS;(B0p58&9ukf1P3Ubk}1d&=fx8uRtNMF_x`F$Ab!9bQ0085NR40;1ON~L
zZ9otWJn3r)-?uy)jORty-BCG6!V(LXJ<|8WUJ1Q296}}cI{Ksff8MCc;o?|KYHEI#
z26!bb1fUjbi(Xhfs4N-{iV(e7_7;Ezbc2N!6Fm1mK?%$QT_bkhRJpQT*dMz0N|5hy
z|J-yY^Dz)9%ok3%Px6OI!rHv-;cePuNIGA_2-c8c@}EF3iT#M3SD1i-!$O|&%|&Pc
z;$;aK7tsfLsYt<DFlFuM`EWdlCcY9Td=uK<a9Z%1=*q)aqFUpwr+gQzM~r8m!(?rP
zKf;Wk3`Kb2VJ(CWamK(7f?aHChFLBwULFgnGw&#009e>=wsdkKxGMxD;jybgP+m*|
zv43Myw|YO+i|rVV2)$*N0CsB+>rbq%riC)7fMx0VlRsqxsCx)4&rC4E9Aq;*0^kp-
z5RE{$C5L}bdTYNZTRgOf*UjG#`v(!I*nCBEn>0Z!$?+F)-xP1Tx&aeLi4U`SNG14&
zt}(tN?-V}B+sAZ8Mw}B2xXZ>f5(v<!ssSSH8rMWC<P4=`d8{k|;RK}{ct-D=OG5Lr
zh30x8LvYIo2*G_Vyy=9X%q(c2YyQmbD_{g`bkAO`rET04I7vt4?8$`)sY-+w_8Lsu
zBpDJa{Fk%QvXQ>qGFoG+vn7QT10?SLS_U}KO_-*+*Tohs9B0SI9dI>h6MKLj0haOw
zxwx@7;KKCjRCwT{#E^JfRvJA+pUn97^5yWptQNMs_sY%u0t}GIhHYPHaMQ=p9m9-K
zJxD!;&x>y3Cg=VmcowYl@S1x6=hwY0L61j7Ot=ufk+FZs0+Gy|65xw#w)@5K;kH0-
zj)NVk8_b%}YbeS_oPQ8@?3`6#BYAG{1+>8cpQH=GWWY1RHhUCug12Iy!(1+rCGt=x
zlc80O{$3ykP-iR&A!`XrC(s{pYcA&fAafC;f>iv8HhrCFLl87(v-Q<l!L=ID1c}E}
z1|SS2Uy#F!_J*5-6IeO-0G#Gj@Hyfp_R*oB$^h6mGUs^3RjiH}c7GrFZy!j&VV%}6
z;C{=HF6aIEKI{R7Dvi8NGOg>xRshe~8V=eBiCE_?0DjyL6c>+&gIoR0?Y&31P2!_Z
z2;3++_~NV=96y=ctLBI&0=Q$m>*3*MXD@Nx1deCLKu5@>(M|1gpCMxVtervmsrLmN
zT1fF^JeZ0dmLM%SnG!P8;})RI8=i$jBHLcBgo>I#GRO&qhWk|H`ZrFc0)NEVVRNYX
z1+fB?+0O4%YC+?$N9@|f5dQucQXkALTQf^4hBU5)zT@pcAh(Mf0laP#P&RQD;}=mc
z0bl4@>jG6;s@zCKZ)gpWeCxnhj<^Gg+w3B@e#il2g)47C2)qAq6nr?Po12d?d4fNL
zlOWFP-?81qxUTsq8UTiEJ#B52B2S4B!A{^I9peBF>O2hz0ZhY!`-8X4?}r62TLmMr
zAAjm5JLmqe_!rW(<TLkEq~ag(inzk+l->YaoDjtTp<Soq4<XKx)#?|*Hq^(;G{6Z_
zK`W028$&3q4{?Ys<1vI1o<0$zSe_5SYXp$Vo4D^L_&t}*15p;<YHk`LZcYNOfOghk
z;FkdX!BqGbg0QNI#bR{R)8P*<wvxD`U`jal$|}AV{Lu6pW0K#qUpNtd01rS(b2s?+
zH1Umk{TgANSdemK0e8D#AjE@}S1v9Dc=JY+X9(Q9G)S-#or}A+i5RpxgO*1a^XN+k
z$G$F*2!m9af@cXB!=AV?VpC$XObFmK1?c3u1gNTrhN2LkaP5Iof9=(XY<$QUmU<th
z@L@U@6`({`9I>-ja_0tdI&Wcub?5@fP#<gR!bGMG5|0YQEmsbzTwrkk`T6LcAUVkc
z5e%nl_DTeqFj@&RVPfM=rcwIHojWYtU0LbERWOj<B6`5W!A8<Nrk!EO0n#n)5*}tZ
zF$Pt`2Z)O7@Q@;uW&s5Zy|C%3bi$-D6ELXicPw=Ux~<@BOJQc5VJCPpcb<?mh_3lO
z1o%){Rl?FW5vVXfyHhZuJ|1%e(NO%MPR7?0FLeb8s2y1f2Sl(ZJ}sP>uR_Io_hs^q
zFqcp!*oHMXLcmt<V^s}&DhZ4$JOI(oQU|CYE-lNoAoy6>y6DzL$}?}{Cbv{WgkEMJ
zJb^^1WB!vs2MoUmpBKx#$Eh<Q=^w%YVfiI^edStmphG?9hLwM@nInJ}S$N*23$P9%
zJYr_dPXd<IgPJ<>6n=p(V1E0GIR6V#>%MZmmd1fY)cJ!qZGt_{j)DL$HGHB$FnOlb
z!^OF?hvx%K-fPy}p%wX5d92t27et`~jD0+tyaB0Y5Xq6S13nq-Kdp&RbMeav#ODiI
zOrS$zJTGjFSTVT@!LY5&qvriJ-hHwm;B-WO+&3myW#!&Grgfj3<@G05%3t5}jqjH#
zb$`FlENfT0sdOuGeG?~Nt1tv>%>^06diVMOwGCR#9X%`IkH;12qXAAV7v|R?oUPW@
zw(TB4@`a2hth1vVQVuz;D$5JDU|<OKKCHA0yNDx~7vWzqlLga4g+Rh$aWg|A;-`_U
zX9NOj04`x8@|a%WIj{W-3lTRk#HieY&V-DlYLjmg+lcdTZx*3!L^;wK!V2}7P|hn>
zPz^2xRD(!8hUDW_R2(rFG0C-8o5XZ<YE>^+7$VfAzerA;ghjtwS`c;v!d$3Neq|hg
zp6qD)Y`1uLw+UE8;B57KGH6wPb**7V88%>YrxNQgo@a0y2y`n`2yqiv*i<xY3_JQF
z54p5aAsiRu53qZJL+lB0#zYQc>w?_zXnMcgqQW1ayDM&{2@<#<KS7zX5(t&oO82w5
zGet>~`UhbZE^xj5MLcT{SRVWfFS-$hSbBoO5z5Lof}`3-%|0vuSM&NnYV5KU5D2IH
z>NQNczUJwOmlaw@ya5=DptYM;eP7e!`^K;F1yo|vq=pqa!W4!CGQw98HH*E4{{Ns+
zbK4jX#Ht6GI3Q1ew)-TlWVnk+i{e9OP||qYrZw{`fkDuL7m@Il8z6#-V$$GiQp0o}
z=~sQsYo(S8Mq`es$S6=}h81&nb|5q*D7q%g6+TM|M01d)aNXou-VZ{ENPLSAw-nLx
zS{df+BO#~pjQL`rdJv8)KhK~)@%6P*&0a=WtT*{0OseTO6!L<Kbp$xVAB~GZM6TkW
z;es|cz$-%y01fzn*(ZbUixcGMf&ET1xepwtwxBs-<N!~!u?fWqP3K+2e*0KZUo17m
zs=#q>Q>jH&XGIfxkfwJcb+;SS>MfGO%u&YgLx(}Kd*IPX!p7<CSw1!xEHSC9)nn&Q
zAc(R0a3MqVKFwuq+D6p?JnrMrTbwqmlRhm)MTy?O;kp*(0BG|e?F;T;03B*P!gI1-
z31HPr>v8eTja`7TQUQLdKt#2TSe_d;4<W&^QEh6lZbfq{V@im)GWHI#A+d{z6q`mb
z*c$;Ky#I({DWBw7;jJH(7nJMJr3M2$goVus76E#H;IT0&<X*^tQtkTs1Br$M7nbvt
zo!^LaQ!%))g$v^y3@bpto(!>>`!?tF89cFamKe7~)SLyKV0O2sQgSs)toVC_boSD0
zGXRY%F3Mki$-{07)UZUcVA0h^k9Z}v9uIBNQVjnm4zpmUHR?$P#3NcomQow*I{aKX
zTQKn7#-O43x09=VGxiDKRTOo>+rjR&<a%c#PWEu)Uau{IUqLRx!oVZqU1oEpwXcp8
z#m4(fKxehQmzk8^2j0PjWMQDm@j7%DKZSg04I>THZi|b)F%oC4h`AAYffaOUg2NP<
z84(Z$`fRv%b_>g|c5!F8{)tNsiW00)e*ib)_q%Z78#5fWLdBo($^Nlj0wXw3@-)nU
zNa`6B)dYkOmw34ImVmE2^Hebb?ieJ5#{xf!V*?~_2TKmgO;4P52!IqH<h>E|SV3zA
z&@n@G&K=_b<0_VS*~>T}IJ~i27=VmCwOd9*Oy8&6BFlRbi=}7o5x24A1wsU@{X}=(
z`(4<AHHhbZ`C{#q^?5*l05sZu%1RvF;T@o{pIk7h#d{vNXM<oeikOh=ClzH@3PuJ-
zpbG}TVj~~Y@h}wmXVDQK$j`tr*bZ*K%>(iC_77{2aM32(EAX3rilct)BH#vUCQJpc
z#o|5p*R&{GwqK|K^wJcIoo&F~WmO?d?@dvjo<kfDXL?wNXu<|Co4=R<&%zw;YPO^H
zX$G?M5!_@8AB>F%gKmB^-pG|6$Z9qS5##ZmrFp2oawXnb?6FOPpe#wpaj>qmUKGOR
zL&Gm%=fsH>?+{wU&<CW7C@@;u)`m@R!6mDLL>+|;;3YS~paUhmAz${bz?*JRcE;P)
z0k#R^AMn@B;k<$C%zJ@V@ziW8A*ABSCEC<@^MRSqx`;cV%4Z>J7vKa0w7T;RJQso0
zwpO4HFtubr$D7gX6}ztO9Y5_&7`>o<ik6U}kbB4qEBH)|jL$P6-wP<um4H7_CA$qv
zd^VNf^bi9CEoT1gd7Uypl(POZY1sX&|Lh{zO%uXp?OP;RKUN~^3+V{EAR~hH7-Da$
zmkldcLqIa3C`@%uXg#~1A`e2ikYTeg&y#Lj9&ok?8nI03U?=Iz%?`?Wh4ePmh5^|I
zPSfs~74*hVDyRT~0W=tm;Dt!z^HTcIOdGSW#5@~>b7g5SeqQa)3^M!F%G`weY$IoB
z517V1@>ohIFq(}@sliQ6#6O=6JG}8@hrY|J+maIRX|gSw9y?hnR28dx6Ta&>jhCMo
z0Pq9SsoKfN&4-Wun=g`sH8PVlFqLTDCb>P&U4%1a=8LBnfEV4IYbcpeaBpPY9oz7J
z@W1zAslRpQWm(da0fKMYPzaRFQ*-)01l0><*bvaIm*Xj{_aaOptzbY6_%`un(sxAU
zK+UJBR@j~Vf|zy@Lyy^p*QMj~z+8fe0+I_XUR)ESUDjZ;&yS02ec7f3wgKXiTe3dR
zWl+PeTExC(0|axJ*a=?oCx7gc1h7%T8_9R!nCQ)9S?SOidjkO)T>c}hyS4|~nq3tF
z>B8OT=|6tevjvt8%U&Bh;vy((KswF<H!|%vi7by5Oct)+YRhK$C_JncXT=j1Wyz|W
zV}dNqi*Seq$7*v{HcLNrbpYWR;ap(o3eye_9(d=u5XnUzTnRWBeKmJA^Hs6qSfTmZ
z&h`8&2sBU_<mVFTUif>ic03SeVeze6L$FUHTI&JUfRFZGcAhl}Kh~7FHR$qV)+zw5
zL-*TgQ2UbP%7<#1j3T1x3kd8sq02zr6;FQF^fxhRvqNAZo}|}q8wyGx%n@7VK5Qjn
zefT3thn?9ljk1a@97Nh>4+QvzKHzrBz=ts&3>n<3wt(Zt(2_$~`4ESBdRe9q?lTH;
zU^ra|loug5SWK^|Hya#H$zVtAQO6db+<v)SB3C79z;JIn9MI~JW(WZ?|LUU?!gh{u
z8atg~U?-JCGyp$l%~~o%J8L)H&LGSj(Om2$=W|R|M>r{ZEpE%QETP?wSPk)QZbRdv
z@xb2Wli^GKe)KG!#Xbzn3=X$VB3Ww?sf+c8-Lu(AdVDV6CWHDm*=8cwd`e}D5C<$4
z5DP*s=o6tHrG_gbB)LOGO{};`VhO;pehNCQM+G4W><BrzEhyGc6rOg(#4xm9_{qcF
z*ue*mn}&XQvK5NyD_5PL!pIvGecLX-9>vlyp}CR?(+S6)a%Sk5+#lJ4w_gNnjECn~
zkm^Tri`1I-sYRG<gh)6pLKH@Q!(RxW7zbO{W5K2IP-un?Q<tRK?7LkY?ew5|AI%97
zVH_jj{Vk#=6DnDXfY^{LLj+3bW;a=Ew*Mr%WqityEca+=;D-1H(TJNY&TEf>Q*mq6
zU_g}4vi8G<(Z^0v9{GY6yc;fV3Iq~vN2i7K@bNLN|I$Il)~jfPH)Kx=XN<=0H-yw8
zFw`8G6-`XkU;8JQehuG!f9AX6Y7abE%2}O<G*}g1#Cox(s6W6IaW>M6IEKdKcXscJ
zzT-LZj$5#fa@x&!7zZg(SqKVVy_}MnY<4LyqF-x9*;lpk>hC?HKo%hvc<E4)F>4zN
zI#_D3h2#@~%#ti5-L2TER{ZemUtt;b$-SGydXdOzC@20R7L^+432IviRBC?gv5<y;
zV@Wc99OZf~w{k7<Wx$*Q)FQDh@G{$pa8dv^=qV@Svz>v*gxQ)ohsJ`(nB}*xwlQUt
z4Q9@LyC1gkv-H?39MunfnkIK<JWpd*gS01zcG~^W4NT(wY|>%*4d~G_@CGCRY!(`4
zCkB}m`hLxM&Nv0fqj1S;`sjTncs3|~>$D7WXQji0F&z`)+!9XM?_eM&GUUL=awRK=
z1Te%CT1|VO7MCsjjJ5KG9L><O$P+HB)~0$vjh>)X7Kpfz!!uS_%4YHHHX<rK+(%SW
z;Wq)FjaLC;BySea%3Uh@c=JivWwhzTwMRqZ_s~C0=;Q#l>9#z!x!7&PNLiPK(6}BT
zrdT@4CvL)wSk7LugLca_FAfuJDa&B_N#V>NKCzCsLk9KAI}Sc_jAdIJ_Q!VNyJFXC
zsRI{*>NO~8S$HD=Wpj{K=jGgxdA;DOU3Rm5dF`<HOf$xWyok#>o5W+@3&h2ZAi&sO
zDJ<wc`%I4VWGD@6&>6O;UDbBUja5BF!DoOZD>>hV4g#{OLY57MN!`OLVsox=T0`m2
z11$`BNVVd)DyvUiv~4!p5CF*cJK<VH(PhgakA>Zvhs0h1N=Kt$9(H51zX&M!@0#y*
zL&vy7ThD`OOpFhb3=j}`OdS@Wy@Q<?hntX2iN>;z<5c?;7~ABcSK84YXE1X#*fbk~
z9!F5LW-({k^45dZ@oDTc&Jhp^1EWZyY(GT!67umi6q*mtgYuyRjGj3Esuo(!&-7OK
zSOT+29&x%ZJ8Ymc)r21kW;qXXeP=>u-%e8?JuKqArgw)8;E?5VFZdSn3%~z}kV;-D
zMC8J`WXEBgAnaF#(3L+EBV5Ab9a{{b+0uoTIzvY6{pPZf?ISX<t01+hg4eg=<>sZX
zot<B3L@JgDga@n%NFN9S_M~nD>q$8Un;s)(S>t#5dA2<(U$#SQ^!K?OfvUp+Mm4f_
z8^pI~TU~%iLY8gxCWL(;Zm|kXOoQwLH_&(U5*=fmmkscp=Tp_g+mM@5>MU&9VG>N4
z+13Nn$Gb!FC5*VN?eWih#tMsLBA2o$AiL0&(=ok`XJar8VdvEOnJqqL#IIYv!A-Ff
zOh}-&N0Hld@F`w~L9;DZkfB6)JpA|zJs^Aat`TfQNq{yu!ZK!4cw-#U4$U~`RXgIC
zh>MPgX0i#>F%4%a?1n&qzMUZa;p4<ww9$N?$PPF~P^5|6xD=*<Uhnmk$Lwx!pvcaH
zGsX1jtI<-u&}3)HSB1AGY9MU>%P8A*H1IFd9qHFz%lp9|2*aS};*eFda$rAO<0IJZ
zSR}0KJJ1u0N|z;mf`US)zSiJ{0vj2B9pr3?`jyCpOAizV@tP>NSvr&xQS-c>J-vQm
zQ%>{FCzxSGBR(eh;(r81Y~julwgg~=;c(ZlIvxTSVqvO8+ri0RU?VeQN$_R)znzqz
z7eQzfh~H|c$=nO>YvzBLtg{cPp=m$+R6k3ftl3wbO|sN_I|Bxu;aTk@_rw9%)3R0C
zzEKo~fsPpPg3jLs&wuQ-AX4xi@E*p;QUj4E0Yx|lz~KQ;v<Ta_rJ?fjW3HDG(HK0+
zw5mmLz%xI`Rg%g7hSUTzMRvOYqO}wtshgu?S)WYk$cqI?wtNi7>7KSOqYvB2u2nlL
zQ9@vAj3%$^>0py(gWL5;999^{XM-0p!~~|a0zeD%f(9i=ogJYr5oI&7x&LmW!M=CY
z9n|0fD<!w+8oX<oV<uhzG2nGX-Xsk2u@5lVKAj=2$<D(E6f<v~-skix+MRSq2`M2C
zj??Xi>=}cQir6Vs!)5c;MvG>21p7FCeWIUfT70cOpL5w2!!Gx*fHE8}d0zo3z)%5$
zY1xD|B9>UkU7y(q6fka?8>r;ej(rZMRm{jwC$ZEKh>C5~+D9A~vZ1~xhATr&vQ-v{
z`s?NS9HK-T)`%?!apfV=I(-3vsBu9;56)S|2Rm&Y+E+3$X*C)}4=UaQDO?!^0QrTb
z6s|rVM`Q_7-2od!6w&0@t@lX@fvCP!kRzRx8lM8%!qWR{tvJ#EQ#P~BdOQi2bgLaC
za+JUxsWVv0W;pw}F2K8_*Sod}8!oxf)HB>pD%-aL8WL-(eHD%+-LV@29o_q^*>z+8
z3;AG;tUTQ8R-aZY@aAe-6TxO{=bsP1@4r6Y-kxeh&l%l=8v!g1##|*9+4us8fUZ>Z
zI!Mx+xt?8IQ>r-aS;V3V@(`wSk~sJ>Zn`o?e76{`@L^9*zApQNB<?df=MV-O|6TPA
z;z24t?Tl+WO=%wQv)8~w08m<p_IU_9zJblx#NGgjkaL!SyBby(wrNvm2oE1JG~n>V
z@fYl%nY6GSun=k2bV6n0T*bjVM2@MdZPf-<+BJ{Q8Ce1}&i(Ce2Z)n7#8bounxUIE
zyX?51CMrG4AlW3=9;@<;Mc3FKr(3LiZF#MYNkB6YX8$>mV!2X3?w4xnHmiJFA8p9G
zb{erQYVveeIGr$(*r5G3j`bdctiNVwJi*?VfEIbhy^_osye#CjY<p@}`%IYx#qe`W
zIc!?p7OxA?C)_yv1aS=xKwa3&Ycq1T2LZdZeGvedwh-a|`<dP5XC*$Dft>JDLY4FQ
zh$0AAFbRC$7qSFYh{2#dw++8s?JcLxWt^c5^C@T|7EA66uv-H<hJ_DErwdBI0{$QS
zGFCao3cR;Q$1LC>Q0e=HPuiHVwV|!cVZg6lIVN_kK=3B`RDz9s3%oZ8&Wj6SnTQPL
z!zMp0)*$qiXqOP{AhLV|J;EAwbx7r-!EsD+UXJ`(4*Ptj&yI<K4p|AFCpMZ(gnu|h
z4|}hMLT_&Uhn$Ai@W~i4>yLVVJ-OkwX6T6&PB5b~yN5P;fPjs>-%0<$tb!9;=~=qi
zOMo12f3!5`0@)?t6^csufTP0j)9KZ(Hh5<Ea2Lk{O01pY_oMwK;s!u|of)y2E##<t
z;c>R*10ngBTD3+_Oecc8^Dd7)!<L^;N)z>3u)+5pnJ6;QF@Q3<p%|=SRmDP0Tvlyc
zgoB6M(|*z#x6=-tyXPGbn3L?RbMOanL)2g$!>0WEHD8373hWO;EIEBz;YLpNy*a8p
zut9k9d&B#nqYhgr5u8xFbTMoLFat78*1&GO1El1aGN=UINyb!jfdc~asbk?{?96vh
z6ggnWf}@W1nG5uhA#t#}H2Ca108}UcPld(E&FXl_L;&NF25eY@*jT+kO=0~i&KlrF
zgwNC70Q}d}$Iio{DylQCIQP7TgU1sF*hy*J$Et0%!ePs&h08J;hCc{(^#eUD)P@6+
zHr-D-Z2>tjLHM0Lm6fFlVA61A%-t0!?|wD7y~QB{fTDpV^MsYtL217I^_YWYi3Saa
z*aTyV*@OhC=Ka_?ZYu0s7X%Jye(iAs8=cDy-3g)2N`28La!8d&)HHZmns=~!#7QFV
zcc>+Cr0RUXqr71vQLEDtM8jG=b^)OVE4GUkD214KAjIPdBzDF^KH$KqoQ5*)f&0(b
zgd>;ec(-Jzsq0PmwsQu<_qtLK%UNtU&?lUG&^7LD6Q0Q@RoMNq*c}fpz)u1K-V;^X
z$Wwb*R&sZOQ33i;TWsd^Xk&B^kGcc-uQ!?+`@QeKzw6)Mb4Cdh0cAgCUcp~1>IH}U
zyxwu6_|ck{($4J9HlYg5HJ=;gGg#`t2ccI^AwvxTtZI*hML>s0El^yZDASd&R<Q?B
z(~`<<?;Qdq5hMhe+c7amCGcnu`pNYPj>f<wP1D;Zb?pgCp>PPP_Er(k*g7uE@(!~c
z*{nStXJ0+A;kgOcDN&lHMhF-7B!>6B3Zy<;RlMzl9cSFeBL}|6$Orjj*RZND9aJc1
zNRS|GgWfuQ@-_zC6<^~aZ_|82o;)b;Un$j*p9os*^>~a0<`L?77>I)|c}u{}kU4dV
zIy&z2D8;8;P@h(k?VpXIn)<~~Kp${JA}HN_$A2}Giya4@hjblwOx##cyodeO0dk(k
z&Q>zjnFs(&1-p707b}ajE$z(L*)?@J=$D<W$Km>o!Sq#})=4+q;qhc4pcvk*0Ewql
z3%hADL)Pk?12Y8_w1{JfPy-Y*fxevbj>%oL$qj-Q$G$9EAiM|C%2O`-_ayeosT?ti
ztCt!t<w7#iV7(%7_be+~#?e71LeMG5>o%fYLL);wff!raCYr=1gnjxCKG?|Vz0MZW
zVF0W{VsU`Q4roGiKx(Km$e@xip(kr|?&MkJw6xjn%RRKq!11TsH`ft-f!)5_Gfr-G
zoRdGdAZBe=DFLwCV*Gt(>bo@SMIS(qe?7*ZD(+KeJ6*@V_GUXSRKv!Y;Ybp3=nNe%
z2nk*T?YrRv@n?73Q7-3jp1xw7_?SE?c#wk~EX9;;tl4pyBv)|W0jvhfKgUV|AP80>
zNMHATG7ZlwgM>=ih2lXA*z6s=Ir|bD^09ziuZM!kbl}2p2o0MXMrTbP?M!7&M-hlu
zDevK=ud%}Uw+iD)rls#?L)&Pl#Tv##2+(}KVZ#;{JT4-(m19&ikqru&KVv_rwC;|e
zf>#oIBzS}lvnl;_$6*Uw|Fnz-X(N(c>zsJST{&`6F+0}o)?|`nR%05mrDxcb2bOuN
z6OPwCL7?P34fdts&zC1{+@66H2Z3ycB&FJpH}inwGxG!%+ACR2dpY;BI@IhpE#PSe
zue(|=!VCn;Ia_1_5ES`^6tR|YMw!59Vi$tcK2$)YIZlP~W^56vk3J17^N5!{l@ew1
z1HWNTn}LhNfbbnD>&%3M1`%;c&b~|Y<;jC)Y%sCae}U2$LYyaB9>cMIS#z)<#cGQR
z*Ub?_$O}G=xHb_<<TZ_d&inE-vRrSo8{g%m@Kcn34Xt;M5-7h>Df3kK|1?FFY?%t(
zu`P5Uwq~<eLf_rlJjIKMkJEG^_xlDbA5Nhb)UPAKvE<``HJil&+iy0?kzUBc1-v6t
z0n)5^g}m8Z>QOe|KnceM#k6PDBk}-KTbzf7J2>tOvk3%F*D>`AF#F)+L<^68T)?e?
z#}q4}wKr}TeegZeIWp{I+l<V{m_#5H*#weo$=iq;_*&tiZNhlK=X<@7t%Z9LCeFN!
z$y4j4(N?cr7B5GonkP2l`yST#T&S6+Im<d7)K9mkIt@=G3J$KC^m%6v1j&0gjnP9?
zwuuTErkzgGbKv=M!`_y$G)KQ|$%7$-I?*|Fgy%TT?3Mj?HsA&X>hkylhq<l4>z(M~
zczrb)$|YXY8XflxJh1j$jIBfn+r)t#*JN9#SxKe;u)Qo|DCzMGD&%@(ZN4|kLUEp(
z1!QNer6*mpTEvxBn_9s=P$m`y=69s)7c0X2ZswP-yzScaypx;gWRx=9n@vV|R7HJo
zsgJN02?+1QLe|@<pp&dYE1hGpJY?y*_nEVmr{G`w92MH&vfH!QY?m4i8rlLAmyM#+
zks`>`4acwN{IRa`x^)pacxR_4q4ZT$PhHAA=4xL)tsztX)jW~mcb;1}E)cSo#REtD
zZX#`H!)C&IFP_MRFzP^CV)IU|Bb<1#>^r}+nGnJ*qRF}t5QdxBOpIlNQ`<hF;jv~3
zvJV@!YX&ipqwRo})e)7B4YKxCa!_1FK<WtrP{r0`zHESVcG^*brY8x5Cp)wpp!-rX
zfI#{lj1h<TNLFIvz0LuC-Ek2BCC4i{{7R&WPK0?7BM!Dtf)RG*$aaS0A_m&G&e>3=
z@rTD&y{9^c1$n%Sqj}N9z4K^-p=YsR<h&@GwRe^(W$O%1wWl*JbL5HrJP$;9Hf$1J
z+xO-100mw^ILdO=$}SC04uu9p^BFl*{J+>eHa(fhQZ$5nFHZq6WrA~KV`fGH-bXGo
zA#6^C$*u76%@@0=$9L+KsVLDL8d~i&S<3#K<$A&$Kj$DJm{OHrC#0E`bFPkp8Gz_>
zf3YmjUfIa0p{8pKtH-wRR<mPE(*Q>F`NtzB?QCyoA7Fh>&xDGlCo3h~#%LDD&%C_j
zBZUygy33c!7*30%ba{eV(~nH@&SxqS9rXAfyYxCnsMvd>WYB49yAf+5(8K0{*hk*&
znRu7{#rbI)kv)njZ8!*_2duDgHW8{G9Qrozg$=c*wwtkr<B8zQN$EG=*B4AP-Zn&d
zybG>tZ#)!*rF~CZ%Bw8In-?g)oRSS5TBck%WDS{VYuyE(x|=6KW``q7@)%7#FDepZ
zIx{c7SZ2%KIYG;_q5pg>tJ*5DkYpFM<Fof}_{<g?A^j*UBC45?!&J=${!Ul=bGDL=
zw#lj2dzJL7)y~Ut5}6s=3F9sv$zb08CVFKXV9XzKGwUI;Y<SObR5C*qf!=;^TV-%-
z3w3s|7h{j-6P92a&#(y5T-%e652I2w&q~nf7EYW_B$`4wgRR4lX`ss?IEU;C3c{m6
z(Hq$|=C8lJ+S!LJ!wsGm<d_V>C?8H5;2v<+*CduLG4+lfmEiQl8riZm_ljYAo>0N}
z(QV20CZ752uifLGpJ>tpnGTox9KDC203)7JCecUIqZw_vv1Dh_rv#huh){=^KIY=n
zem+>>I)^2Jx@Vvgf)lO*$+ID9!ee6WCXV?p3lFyJ;AOWh7TlwF@H%B+T5K!HYPOH+
zPiy++fqHt~p{qzj8*F$SD6JVjc`lJM@nAe~17|%m@FPZY;n!M_23inw7y2n#Cz&3O
z0TDU1;4?0DPg__T_IkRva73h{wb^X;i}&MigzaRW_<Jw?#-x&W>D>G{hvC$S>p4hv
zjzByKc$Tsv2)kj&oI!L)RA3>oO8x2{59IQA2wk?Z-XoL(bkMSuQ@XN(-+0ah`abqf
zQSl+$jX25XB;fkG!MSrRQ1!H39*tXK(LHtEVLSUPr$=EHkFgpa;eC68UbHZc>a{IA
z)%$7J@Z6_b?QjzB=KaLx!7`4R4rHRDh1eL}&vW?XgvE2k?x9f$8TC1w_AaQOqxK)(
zlZt1_JvNi##E(M@a~IESe7V)fBNeAK)kDTWzifL$l?mJ#%)fs5&%K?Mg;3jrV#@#~
zj1}4626u$*n9s{GdG4*<n?UaKo~EnEhGoFuB9M#pyIRvHLOV(%UfVkFa9ADFvv3_-
z$)0}<_ACgQM^c#N;OaYj;LHVudrdlf78U}<um+$wcS#8R9uIaW7BozqjR;OM6aDz$
z&knL@Zck}=+1ZOF%PNnTSk*1d-SBrFFnj9KFG%&Hze4|8EnI9hQ8&yh+v`WHt4BI{
zJjy<8ti)clyp821O*|s9PtSmArW1<wq<jt{b+D!>^}l%~H`N(0RCzK`brXXjo8Auf
zoMd%ac4Qaq3&fdlK2Ml>L{#j#*(5kG54Qzpn+IW|zk)UHPXV<~Z~7dv7o4nEZ!8{}
z7f!<V^Oz=^1IqKTJ@q0^d1g9$G>*S6w)e~(F1w?UoG=;t5uG-jrae8G!V}pv8Foai
z;)%Q$+`tpQ>R+LhFul7OG|Xym6uqp*J~?|KzSkos?Q=)RPP}8?>bnBITn^savc^Y6
z4?ldz?cue_!kj}*-BWGQ5Cc+_t@VON(d_I=v?9iX%^j?f8F1vdbsdE8{?B7Gen$tK
z3cxw7@0Zd%cz`mu1LU0Kbp7|EoM7cP;!ClCI|6B)o+=u{uipR$4-YV3>!eoOsJzRn
z>YkqTZ}Ud2VR_z}i+#cfSib?<b3`E<2Rll?6PX;e=yt}Ub38iag0py5cya39BX6+M
z;Bdp?oZT}I9O`m%+>><Jsgw0=o=_9vTsP|51Jb9hRrW^h`#l5WL;(*1{5%VQMP`>g
zxGtgxYGSKHbZ_n()pMWLeF<>T{;y903g%7}TDno-gvb?=u0459UY$<AZ6#WIzF8eI
zc1V?^rEzWK>&8b}Y!7U*V+O1ZddWTq8wD&1bHLie=lRxzR;)Q&<oVj-KR|Av#QP-H
zrF~UXG0|o$5X}i3&#S-;!B&sD{R+O_2-LXK$lL694L0k}5!s*a34E~kSgvzW`|D@`
zVyOXBzw-@=eNMlAxrP9R^<UZm+-)MYZ-hrWNQpIia9l-vU7pSb<g((<)8vX@Wb2Fx
zR$<kAnx@&dub>u)Zq|RZnPJpDj*?X>4hUQ?_t}v_Wm?p<W)sG?)CmELb}xGFiX(mq
z*w-|bQ<9FqOF2D<*~1)p#l^CGSgoK0Tv)DypnDwW?W9ac3B>^u@LaTsBua$6ZBuD#
zo*re=o=t5)tso0d4IbQ+nhv$SwG>GF@NC2TG@*>s$uJwr6z<~aFK!Z^SWW{L@3<ay
zI7k2^+CWeLHBNcZ&cqgf`0VKr|MTHDzpq!c8M%kobIO+|7eUEUc+;b--aine1}<NH
zxUX(zWG<-8^q@OOhO9-*bD}ryq^Nav=7y*IX(+1ZVxi51XWh{Qv=Sk+KCeZLh!Tq?
zkUf<dO;oOCE9p5q4;S-P;-L|EPCm*EyMDZ}fW$uqI3FL63V)9It%BM($NXMxt^1rD
zILskgGlNi?*#+=G&vg`$$2uVeY=tQ`&&@}I6+FuGJ0gs*dVv}rx5Hv*3*+{SblCiR
zj@S;4`}$8Yd@8O4!MOvAlJ-61zK_GT-LBS>h_oPBMk{$(uPp}<l^lQl(J@)o@U%=1
zT!#p@0&aVfWCfhqohg%D(wTU@7RT%lE2b;D|4>77rqn597Rre#$-524Ac@U%S+{^T
zJ!V~B&+C=HUq;?-$2<!(a32qEiNqShkuy0Mrf2<IeV(3NZco}=E1tHg_%CAT`n%dO
znz}d$Vay^&xJ-0(D23Co<e6>$%LKu#9v(p)e=Pymc0Yn$cX6^K(miuePNJR@T8dM?
z67(o*!gvLs_1Af}|2%2I<M`@nCBbd~`Va@XhwXD7|HqX)=`LsX<D4sNvckz{w9EJB
z)*+Zzn%ujd`g#V{pL-7k3)XnpAm(jA_0CKyxb$Z+?^7v--^osZ`}@kyB-t0OCiomk
zM9_J#=HR_BAvTOCkZiUq_IRd)>-NqT)V(wPASupq*)wZvntA01clStiXCFQFubf$<
zwJfCnNGm)Nxxwn=GOrUjib?xuzw5MXdD6k?o;C<@iMRHz+}R_z97x2kmIYN7#%VEY
z8@DXjcwNdlTFgHGlswtqyc(f1<L1NDDSjs}*!?p5scbuP0;S?tV%fR_$$C-g_$s)5
znJ(TkDfl8TfWWLT+!+1VO!0C@@cN1O{yEFPMq|l2%O4RLPK7%8??R{)il=nn=5Z{e
z!q&TO_jYOHBgka7tql)dfF-ehz!mg$cISVbcbm3aUB=B973CQK;7U0&DX$~bh%f)K
z6Zo5>EFQ1YJj%y}V)h>$=<%HHlsvDb*yw$xD@Kd|k!SdS`1Qrh(|ef%%>Dxg`vK6p
z2`d{UJg3SA7ar9~#FJGwvq<dykTOqTyN-f_^l+gsTu=9~3+ZPoD30dg0@2arVg=^R
zkS1p;^gtwTd7Sa}5L$vj>{eH+^Tp{RLPL}tv;54Dcc-B`d$Z#?77$x~{8wabu;7FI
zXB^5I9`KaQQdf|-W4MpN)?-?+oWsRfC=Wq*gw9Q{u6m-ly$j3pwoqPpP_U`i9`?A-
zVG@YCE1iEq<`g|7-nTUr-q|Le<V*lKfl2+2HPvs;(yrA0`Dq@*6~nro@;jCO_UH;z
z^ZnP);dtbf=|HhO&3=1I38>s}JFjpubNvtW2Bak@!D=DDBlwRbn3D6v(CCrUIQ*Ya
zFaFa5{u2hn`1`&Ae}w}B{0|)b&t~L&xf^EDySw4pI^g`>PZ3GAfq^*);9%41QCHF8
zTk>!eu-hKN4Ftd~h_qkM7S)|aUw5-z@#N+!lsC=}llT?1akXvhmf38N_j%??@;2vw
zoRGRaSz(uR?z(5Ib{jv7O;lKg?JeVv>6^>`kFlb^omFoktzG{YwRah&%xm@h00006
zVoOIv0RI600RN!9r;`8x010qNS#tmY3ljhU3ljkVnw%H_000McNliru=L`e|5;8mQ
z7<2#tAOJ~3K~#9!?0t856xI6wduFz8Hgz{;(|e(Y&_gF6Md7Mk`?XvpSgxp7VK*p(
zDC`7KzjleeAfRAFKp;TqC7~w-(tF!YHoM98nK{2dk^o6&QV<mG&-Z!mb0ueX=A1L1
zdE0plz~9s-(&=<zI-M@;@15uy5r1#N-}E=I{-#@o1b=Tqk0b^F1po-npFba9wOSPb
zKmtGu0GI&4@%I*S6Z-#n?NWDzXrMrVBJQ{?HhRp6;3%cHR0RkHNhQKScZJAPC?tU(
z5Q6|AK!8{llNe)gxmeVoZv}m$g{iG?ZT@ZNrRthGOI6}vf4x{FDB6FdtdMrGCFWLV
zE&$m62G;*5#l*x2f`bAl2!z5x`i7b@9v<#PY1$bP6Co!9{1gO21hzX^<f1WlS4hCi
zQwj>X01b@u0ssUI3m_H&DC7iqdlEpB-M6i-p%qtDHN(XM18!=zK}e7%2n7V&YH=1z
zCFH5^w&Wf;np2%)u{d)8fc_g;w<wJnGdiiYrRBB(v2N4GjZ!E3DFwoyKzDGHi$Liu
z1F@K23utL|g1*s$^#%*r?KH3~3$f8EB$dj+Xkx(W!T=b+T|t1qN&rL`P1R<n;rxX(
zon=s5O}B*)?(Py?5}aTO1eYMe-7QFPcXua1fZ%Sy-QC^Y-QE2=@2$GOsG@4-Fg@K{
z)_QisU01af@al;pq838ig`ZhF8(QjAkXKjcxX!hnvFNxXGCQUcUVLG#x4MH(fRRj0
zdg`>EN)YoN5_N%yh;#{!<~&H+#@vS=CY6#|Sc3ou+mIuO-~|ABl~r<z<3P8bTmwet
z9Tsp@m9rZ^`e5orO@vn}G8rS8z4#L<0^-GUHM41MBq4$5`i}VH<K^)An3r{BBhw2?
zNlE|(MHdByut@aVaXJJVT8Ls`P@oH>5SNvDkQhDjXi<-Z@QnCrdBclyczocM8KF2P
z8G|^yf&Bj0KgyijP~V6CegdN$SuM}MQfr8y&W(ate>rg>quNl$kDRHC6}vC<%WP6@
zmCM@F-cZNPWJy21*aaHL()=oX8VmTMONIT?m>#zhj<T>|A-w%P*y)L981j#DW5;0+
zI_5{{By7hmkA6Ek0^v9u;~$|kfkK!^x41Tq_;SzmK4j<<>`0F=ZqI{kvqXtUReTj{
z+F!wk$o{n!`MZBgUlTVS8}#q{W6{c+0)OhDMR0dN{YA~7{HjkRtAJ}Ql7$m826@_7
zwYbS3@3nN<buZ154%JWJ0YI6<7#%_4LV1u`S5<S}Pd2^iYm37yiMFfqFe=aiK7o7O
zUZBM8%x*LnryC0j&aFYpD%o}Ug#D*6&L+Vp)>N%HBZxcFYC-W#fI=uB(UB!ce>3p|
zp0@3zBnA0gA~aC3{Hu^ljjUrHMTFw&iZ@x>Db>E|X=SJ$wZ)0Ed~;tDLXV5L;>BY(
zZq3c}X{nM@IOr8aV3w<9%eXr2*F?Qav(}HY###N5;rV&&ctRrNNR?m_3Nm4T-fx%&
z%7R&fB)(QwTQP!W&gUI~bGEZhquzR_!Z&k`AN7y3MEK~4KrSXEqLel|Ar*ku8?Q;i
ztujUtU~^UYdszHmu{BIq2sA14FICjg=+we5k6rXUcw7gi&)|vV_^m_{BB`5Rbyqhi
zZ?AN^mCc{arDh}1I60ANz52eIa1Dn_T0Ue|`(+%;C$Iee_i%uJh8x4-+F@MI9@+=&
zOw60ievTB2-_G*Uao+<oi+eW%g=mpOFtppss)AsHv4oZWUR<q@rIs5ZORJ=QX1%IH
z%dMS77&YdBE?WJH43G5YDZ6RCgya5hUfUS<2CK3z{<2>1J@3_itfRMbQt}r+Bj=q#
zR-4OvOcg2L)5{KL@u(v*u)xnvp7mR<<wEI-2yKOTgP&ZGq~(A+MKk#Ib>(-)5DEZ<
z4QrzxFax3Zj+-|4h>~gOMC481oQ||m4C|*^oOW==cI{Z@w3i{tJ4pm=)SB>+Q0_+C
zcgnnubGC~&Xn1s*ihS~JVj^EnPfKL`qfx`#HTn-i@q+@95^v^Gr)P;06x4OqOUs10
zgy1H@h`YGhPs8LfVn4b8?TxeUsOjAva{d=1IF$)`SD9TT7|GSc5J;3v&Ag!yJY21t
z^MsSa_tu4pidJ^KT1!yDCuiySAkuZ_zUA=Q=E79{O_ABseP!Y&&l6V#cbs^&%}5yB
z9*XOyFB3VkAyqu4Us5zxTMzeF?l~<QFN(T1&01oxPC|M$E|(PQ*S%d#*E6B{splOX
zZyEJI^Z39xheTpKUJp6v4QUX<L!%$82j!t?j(yGl5rPgLC+^mit0CiydqtnW`~JoM
zI9b=<Z0<&9&p&7*0%PyzzSJ0TtQjr#{e6Ez<wLjlY(5412Tkvr)6aRv3%^#iZd~(A
zK|28SjEtoW++F5J(YmYk^m3!63)ZXZe!F&D@K>}z{VA&$yuc=nAcU9IYMC_)i(YLt
zIxZD-Vz_Tax!uV%DGAfzP^~*uV)tN2`fG1NhKtp)rxTp^g=(AXRk_DQD#7G^x%+dJ
zZrt~vAO!JjyckgFXe4}1AtiPdy<STH&V<8B0tM`iC!0%3hS35Y>AddADG_%HdC@)Q
zN(vXIOw8WJ$^m{*@E3Op<fO8n8X7|}AOkcQQ9U*dp#G?G3LDiTU|Shb#ls6SQTpfu
zM>ohHTVc=%cO=fn=<H~Eo}4g4(@A3M)(3k9&{s3)$q+)KZV>(^Vcv#x>J>F8tvI~B
zbLk<}j7Mr0yIOT6Pw0*7pk0RzCu`|?IUk+wC!DnH?<_8r@MFnobwC0GUlrqcjf5Wj
z0DjSeN7ebsjdD!i49PGm0|@v)st^$>@bByBmkJW{=ao0DphdiJ{@$A>{jk$W_**hy
zU|kiF0V&hkfSg6Z&&*6y&5x>MT6pR({QBy*kgE}!i<`JhbeWQ5qsz*{MDvcF?|znH
zyn9(N#I)|yH1E9C=d5|SViPOP2E7p^NmBLb>;(hIt&BSDFYI1-c%k&`d@TdU_MGbs
zLq)TaTpzw^+=<efe1v7Gt=O1sK1K?FgoH)A_+G7G@Oyf&<8Bp3jVe=+K}c>{pgY%g
zGke`h$Dz`~nTLvD28r(9k5&R9Q~jgA`}}IW_9;JTZk{q=6O<_6$6fZLy6@LGOq)bj
z>@Uo`eA{m0xjy6Zwb>ktG^dR<6L@kIuk&6B`*-@4+o<4)1R_3rW`wXX|7GPMOdBok
z7Bj@ETVz!`1>$162dDSVw6(%)eKH`!B$M4HbzyAQwf*zGpS+!k6C_|Z-{U%B!LU{5
z;W(Z}pqRZKN|KFsf=cN1`npy5ho@cU$!z-Z{vDBX&7{mIM|Nf|>D2PN&j;N{+`;k=
zU62f)iyK>l3bL@Q%=e0paLe!|;CnSaK2sSrW{h4X_aeA%AML(8azF*3kNhS4(Ed2=
zj{0e*OYmK><4Sq(`{~15XUSx@|17Vzs_Obs+x2D4Y&75XFm%dmd9B%#_>Y`Pr^;>u
zLRXZPfAoRDE?Env)JjT90)nAfG!ZD2_SeVSTJtnLkC-W5L(dy&(a|ME=BB5U&RlLT
z6>iJ<aQBaNMmcZT)K6mkWDGrqE6xPY@3?rSR|khpE#W9)qhYJjAHM3`BCQAou$FNp
z<6m4-0pvjOC`{h2n2D$Gu{!Sd=eR|yM9DzN$`B>jCMmH1XjeKVN!Mu7nsNnH3E>yL
z^DMJ(o^}-%&7)uII-y<ywcM84Nq?j|uVZQUeHbm{Zn}yu%AoCea=Th})@#WaA75Xq
zzxJJBtWQ+_i@I9%f6H(SOBccV^Ng9vW#=&Cyn^R1WWy{xl)Cb;&r)KarZet`>@~g{
zK`;Gn>kdyEi2<svNh!QYZ<nrxir{TSrIzn1Z(fM_+!L_R(VT)7f6ylNDk|EDeUOpv
zh^et-+n%G9UjEqa&p+yVy6nq-!lK-IVCZWwjqe9n!}__uom1L+LNjXJE?bTX4|VOO
zmv`A6GJd+Z1Fe1M%++9Xj<ueu5ZL(1bgHVRq|E)?c3VyA`jm+97#Nx2^PZVfyQKYn
zN@x9fr>40*^x5FGh;)<@RR<#h{Wu(*Qy&eDbo0=jBX#ZOLXKI`BVs&)lQ+8Y;laK=
zYPsrGC}Fs_+__h@c!kURa{Sb8F><=mDuh&u4kN(&?JB*sJE+j}v8-}Y>!BE>fUEuD
zs?1deZ`!RIs<4=}xclOBZAXc9JOAfW9qYl<@mDRTxf*lb!F$~BR#v{gdrs%TzZ>$@
za&w#9g@yl|qX;l4j_x2OAgK&|e=VPN=>kBiOkbU&NhhqetnG=<mv!i@-y$nhJ<{Ax
zKPULTRubMRrK?A|c>C?*5L)@%t;g!pu^q!_L-}7`dQ5(mpSPk}o#x6q@ZE1|HK%cE
zAEWR+?u|T`m#*ELT6%)rVT{m^0QeIb1a?Bp)D^}KUDmo{7PYIsHn=&@q}RaSqb}Z$
zHxL=EJo{W+jT6_#a0z6du0wrb>9FMvISZFT@@})M8LVJ!tSUr02n&?)yTvhTGJ8D_
zsxFo<pRCjqrWcCMav0l6mnN~1%AfAzLIB#zsK&iZ{<0nyhm~lIDzwZE`La=x;<^b{
zhi=Eq^UBy}8AQ)}IcUi4av#ZDU-+0_F7XyK4&Tl%rfraVt?$VY%ZWblsN35-O!zG4
zP<TK#d6rT^u%A-gM3&wKsI6OV{WfB~yv?s(CYH(1K3>S$j_3KQASkz$=_A5a8G`P2
zAf6$fh5iZkL-C61>K7F^H@B19hRGFzNwk;e&fNWnZ$~nCQ0o@l)kfe)!(B1Ue5&>^
z7-xReo;IzqI~&b}#`%+w@}*rZPXX17PMs=awdtx<7^!W|!MHl^dsboy%*8oeY<dP8
z<&*DmC3;x)7Cc~c<j|CaE&8eaRt%GspxI^fA^KtLjivA6y6%M+{FXcqyairXS<G0}
z*zB2S>}g7aVBCe~HW9~Kg#i{<Ef*2AdgEzu`%a86GoAGQeNIt%8u-1}cu5*6^7Dig
z_!FC5s18qFAdoZp2U6gZs66HL^fcD5<T1C$-Nfe{t`L4tld+%&wRoO&n55@$B;3}f
zXOf3zZmIGbL)p#z(7{dmrchkS&V?8=)@}o`uR_MKXg5e_yK`fr<;HK*!-`H0OSuF1
zWk_3wN@xFVhGuWx$7%e7?-d*Wl#8LE1%JT$7?-Lvx5izS&6>#q9elA=wDQ=qCiU-I
zCjBMiN%%<vT<Ol0oeu-k{NukWzofhcNuSqv*{@~MP&)f253pG0Hzv6=bc~PY)VtTK
zrAkMCyPZx2qhE`g!BEeDesZ9p%8g?icbe5tp2Dgc4a+;D){CQXc0v>spxKc-jZ0L%
z8rX<cDQ4VjE-IHyc$wf8*4YV{Eibm#=b(4uH+E)8d<*)qK44(0!@{|&wWc#=_5BMX
z7wfNTd%S<047m5ZZ%(xK63qtpIT<ay_uswS&k))TFc8p2h^h{%Z%w>8*fpXrR%v;8
zc_9snk$^>w(zyv*XJHKu4MiR)%1>d*Mbn23ZLpWY#U|dExqDIa^*p8zcHM`y^-GKE
z(gM=R-F9twNk7CVkcW#*D)FDRUUx1o|LL|ZxtNu9ccM&f2%v3k*H-ff)^*uyfBnNF
zD$k~#fMZs>^g%1rZ_NWwqqNQ^|In}2e4eJDpdcK<Z$P8Q6axvknDQ2D|7PXzvAo@E
zf2}L0c%A2I=zVCpthDq4Ror0Ep+nOv*9`kld`RI>_kyHntP)we2~JPV-*rR7<s&nA
z*u0SE9~xM*E}36VZida*`R~k{Nkq}1SrH6RDi$qxblgvCNzT`c6@QSS0|2p%tSlZI
zGFxQ!$5-?6)~V0uQ4rw|B6|NN|02A4e#rSwR~NR4m&fZop{$AiLkE>V2?-?Q0|O2E
z%1`i+Fry2v(8JWy3@Uh1vC#YZScU6BF~|SC5EHBD8xCpCQNkuUW-N>Kn2#u_NAmS(
z)vombL<gy1YJ5V1@%c3O6E{+%*!F~3Ee}LykcLx#(BF@F0pGuO9JhVTs^vL&&+{|D
z^7QaP{TM&Q0Q_~KB&A9W4SIN_`@;W_pu$5LXV>pR9`IyoyZpgnvx&KS`r+F(Ym6j9
z?MoC2AXh$X=6z0I_ykje>h``G4`nQaK-kCCX0AKAS<bcVb<^%w_;|fvj3HDDPmW6-
zfFZ<DR8-{4b>#Z)YVhFF_+!9O|5!pceI;(`DZ!k({Kakh5zYCOk$Z%T&t7t(;(pDQ
zGHX4xK4U(owp?0scpsjT$=vSM<T488f`12E6dq-8VBpL0<+<bWTpE;5Czm8<)CU3&
zw0S_f`ge-8%|)PN#`wId&Nkbk3GTT|Rc=YBq9r(!Jh6l`Jukoynh`K1x#VxxV$tvf
zU8N3H7uR=T))uHw-uWw=elSR|P#uj{8lU@26crVNwa)iZB;{TW^;*2~=hY+{G4f@Q
z_pxK}p}=+-PxsjV6qWnDz;aiY4VjA{pN-<D=@wagvo&@_2sLwr?p_(XJ;nV^<B}T^
z);lM-Q9p(uHp~j%o>Y%x;u|`OiHSMRSIY7|=E4Fmq@FjE#{?fJ)U(oBhPu<-y~p>C
z$kk5!4oN477&5J^w6Q8ahFukWG|R_9bJ_pzJ<H5ja13sS!m$$W;g~&9<3pk^lTz5(
ze=E){ov?entrl@{zPXU&0d|hu+7zPl{#m0$?ouS%Ux=eZ;j_}Ukl;ipCZU0WCX#XY
z-S+LZ4?Ld(u2aX%>^s+lYs&(!;ldjFQlvSTESzrWk6mw%W(^XIXd!%bif7LNps*PK
zqOZfH{hliJtOB1?1Z+4@dG{6cr^n~x4H-Ru84&W<|NFG~upJl?<z0}MmnH^pL=n&@
zkIj*gZ(Ulo_uq$x1hkIlO1B;9fByWraN@-C)%EJ<EUD)jTQu#jbQhNgEFtpx=e>tP
z4R|!i0w}1JuLOe9+ENg}-{&ia<b1(`=}3KbCt^YLB#qKLrT&E=MpuG@vDrU%uVdZX
zemb7NvhSM0gc`NjIe&$4hsJ3xYF%^|^gB-MPAKF|vJgfZqxF5U9!=(`{umb4s_fHS
zb>aeiSy^@@;<EZihRa<){IhGr+~bb`*p4p0dvdGy-%r-naA#H}bQ)w~HPbi9TACec
zMBVQGCqKHKF4eLj_%#&Hn%y(#v^1C#M_zZ2%N)2sp$5Z7fjWX=IZ;Jno?`m0lsb2c
zs%o2|?BKjdyR?)PTV7tC<#+hTk73D4>FH<oZ2oi{92~@eB-`iDZnr;q(q!g$e(K)r
zKHsM|nmbw0-B8*nFyTbK9Qii}r)#p@xiZUsD(}6WuEQk$a26Gee6hdc9USM2#>Zb-
zfX6%3%$o{Rqj8EFDQ39S?Bs5IscK?>OxMt-B>6SV-SMb;UbH`UFyIX=%+9w6?I#&L
zu3s0OGttO#2_y5N0m+YHgc9;f2F-Z)#(!ci2?z+5pWSRl;ET|ZZl&FVlW#9`&}iCf
zF8fzxL1^Wdd2z2}W%Ds)3uV{0g4UOH1lb4~#N@5>f`iNMv9H=Fbh`XXy1M&+{}PW4
zmPrmJYr%;2efUN!>4TmO4KRM#Wbh>0e<B@gW%DrINYTn;je{*dkCh1UQfV%JLxVWZ
zu-_sLja0Csi*$Xw-6QoHd@td*mM)%6pEz_73Yfr7lQH=rB{kfpj?Urz_Ob~~tT!Er
zpV9(xNut|gfnv1L$m*>Ri?&ToK?w;7DkkKB6*RI?Oi0AlwIdQT!VR{~r+#9ePMlf*
zON@RZpA?CJuS`Y5YQzA4ZlE(S2+D^GIGHx9edX48ek(xA;C-8@*cFC@`PdZID@HGR
zy$8-K-sWEyzoS>2rG9vaS7oFDd?;z@+OmJmt*qnyO-R^-^wH){lbIz+x0f%TO?ZjV
zbUP|4fJW|iG5PuP21yNC5L%KN{s@Jkf&l^AmyBw_9~t550@?>-{&Qj#B4t@gWwx)a
zmz<WyIanrq+PmcMbk87uuS3cdV(mi!Y!r%Tbri25@Vb+uQVSo<4l;e-9dw!fcuZ(-
z5KBnZE0rklNwD&El$wgoM^A?8(Y)`z>lkZjB)6rBhA(y7ue{Ugu_Ch}kk9DO`>O3y
zhQk8zDo9yXd(l#N_O6Z%vs;j|%s3)Jh#L=slEhf0J3oQP#GAcsTJt&p$So+K2X`<6
za8*-N^8w7jo6#eNU`@zZT(m7C5gw`1CqeDEIgea|mqFlJ-p=fN9}Fr>UpZ5bPi|d`
z!1J5EYPIf*PADQj^D`{_ZRSc6Oc-mxM3dEOlh^FojRT%6BI*q~1n?W$M{YsIac}9x
znEhmou1hCffePI<`>zc~>Nm~PAK<!dOrJ#mRQ1T4KD59VmF~hvLqS7Z&zdzWA07-I
zmC0zdDcYo(|Jz<pbh$O1bKYpI7fFokfOkJX+Eve=`g-Tqwz4~%=&w@DiwyJwdSJ=>
z^qU_;GY345QMc}6$rAUvt1|+pv_3~oZ?=pHy*5`rQ1}uQLun%rgnf20uV^61VXI_S
z*|dj6o#brQu@qPFQv%VGqgeUCdJk>Q{k(PFQE|?i@1Aj;b$o!z%Hrmq;o#4%o)DIE
zma@w1DH^x=wkhfP$K9~ioh~)A*{X#Y3E!hhO1RhO>-#g?`zwHL*npf2fFxI~9z1JN
zno;v+DEN0X)3`*4H@dfM;XtlsXg@eJGlTC(_N2`vM2-i8BCF)=9>=Fcg)hzE;(9aU
zkRt8$#XE~+8W~9#?uil%ATt~_j%e4H6q^N>c*NIx$QzM}tKJR9)@lzASm2j=B<5+^
zd>3y)M`!8A#`&-LV-)-~s&gDtaGi#h30MR)8~3l}-|ce-OASZDeL!v6L>tq@$W>Xn
zJ9&wTqwH?|{`B00Vyh}H?ybuuG|?}kBSQ=2h*DZIXyMF(&#+i9K1=evah>W(6X(ec
z+;BL3Jlc-tUt3!rWPUvVqAgTXp4;p~wedrT{@~UL9bSR~8$HB`)rp$`v@tSa{b8hf
zATKUsItw=i3v-;@)6!v+A>a|w1=Is$Vk80!%_Yu?8*o}3X2(n{?<|$MVk5yt^8D3!
zDQEG=PGO$4w%zY958GYcZHoOfTnUeH&syKDa|El$>+2$Exoz20kD!-x>&47pxNf0u
z1tLMuA$hUp<0rVG;-<&go8+)Qwu-bO5t<hV7m1+$#gJ#zmj-G|6>YgAH$)j3j2s+}
z3_=Iu-Wl%mr?zP0DQp{pZI?&MZp4@;!O)PjptvajPu{2n9kaP6VAIp8G(QCtqA01P
zAX$$y*f6>{<OW#3gO$<KjB&yHAL#g7{?zBox=-?P4MP;8Nf<nauX`&uZ-5lxM!`lz
zU|HekO1Nm18+sf~CM>Z$-i#KTn~)7qQ}Ez@ga7Mh<Zoqw&&?vh=b+c2Jx%j{HC{J!
z{+wUy>Crvor}xCvQAx{?2{j~e*yMQp6#tp@!(sf@l{f9r2N(PP+<0YteH%Ya{oewa
z?L@y@AGX4WwKIQXZ4^`a8nId|*hP75oRJ&E_V?O9X_fN5u2Po2sSknoDedym|NCKK
zT4BP)in&pa4+SV}m=?-h0OVgkPWVqdE9fk0nH?IE8WxG5-$$L*MXGC(wm#f!=cIq&
zRPz)ToQ+@Ep}>#9FLb+1vQ17)c~`D+dz=~H`K<p10EA32rKex*n6<v7IKBr(xV8rb
zyM;D3A_%PY!V(i7Ky;cxD9v3xQxo8Byol01(1ET<UDo;j>0?w876pPV8p3)bxz~Bz
zHlcmE@Vm*WesQm|oX+fsE6a!6J9IGp@9^1|xY}=hcfGn%C@bS2J?KVK{*@u6!)j<Y
zgN32L=1mgo0#EMKV4C-lN#pVS(y)tUrM8@cvb^Wv_<sGp<0fW12=k8DJfZcEO?^Gy
zd*fPVs$}XnI&8;pige^1W`=?^)J;G@;1nGpW_AFXsWS~2(y|RHJO?V!Wo1Z$AvOvu
zAD6ur<u7(KTD{|E^Iw69QqF*aVCcP746dtV>3z0m=#u4pk;t7Vp3#bnw*p$Xqqtx&
z{XCzWkdPKh5tpdEPR@;RrXYcRM1v_TIvF}50_X#}od~QG^@@G!h0N-&#?mBu=Vh=u
z;wmrat>~SaTPP~7Dz{M$iB&bFUF8Sifwl(IGs9BUe?{gHMIt~ti7KBsKlP%{O~L`y
z6Es!FMgx8QvVCR%SYS_fxbW+ACV5u<b2|Lz8QrZbC%3yA9c{GgyuaZcN6fKe{3DX&
z5zLaF+iE0dv6J6c!ioyn(>8V#tSG!!=@t1h*x0Osx};Z_#nmmD3jeXPiBd<Ffk#|}
zQRd|I6FDdtg9;NFMw}125GpMSZg^Y;kLlc*9(<Nh2bc-4KO71}7x50Xg)E9uLbXX^
zVrRWwfg)Z;%RVVoMoAG{^G)O&;!^Jn0APkflef_|a(Bp*Zy+f*CXX<p4h)y~gQvn#
zv%WkQ+CK&&1`t%oL6O&2eG)N@*qmQyZZx3q40*uEVJ;k^OV*ZUTypZ3Dz4rv-+16~
zoJ&2@U>lxQ7}q8znN^i9RQLoAD=|ug7IyC(Zz(;wO45}#y@?0gH`a;v@;FP*#mh$|
z$1%2jA{${Wgh>pN-1hQdmxl^;kyt9A2B#f89LQCGY*|4-NBsIUr<N+GZEpOzI!tR1
z7Y=k(Mf~9&;t;v41paEO!=vFk8SJN%VCwS}N1vSMr;Ip#N!A`5`%5@lR30V@AC=)G
zU=e^0+poK+;KYNHQolC|s>slSW@t0he4Y=Fmw|b^qtBbn6yc+;^6RFRpdjkN^XE=^
zFdoQ+285$K>{LU7=vsGEb!8Q+Z=oFqJJc^sx4H^Qh#rl_f170NC<<2kF19s?@Y!X<
zjwTUMhK0*#4|-ii>2$!3>is_p;PJPYabm%=o3Rx2w>UIeTv+G&IMVDAj9#U_>G5tr
zhpL2MfqRN+M5ID2cykM3Mb=<g^sdrp(8P@(A^8CwYi+Mz@wM#GkGlNv<xO+Qcua?^
zc!j30!V+Im;2|Q2$RUKW>}!o8??2G#pEvRPo`g1QGRVA4?)T4oJ&h(szZ-DiaHUw#
zLS&}!OC2)eHPH76k1|G$koe-@o?zJ3rrU5R&;Bj9!jj76&3GB}`~Lk~H{R>QV0Kfk
ziPsAwDJ=>D+1X=1aCt3jC#gBJ``&5bDD+0nYsJ1q#-tGn8W#|TfF~ssUU;g{a&M$;
z^H}jsLe{UiY;jz}fnjUC_SZKC9=cB<@JP2}K*!+ilN3YvCTMi4G=%DbdXWs5!xvW2
zIQ9{M?-GV4!_FMW&FPiwe(R<#>5_&<TTc<c%k^KfU`oAo9NRZv<Ind^@d51y7_E-0
zo8JQBzum>H+S*Lyzc{O`2(+bGFRL%aAX2+X^IQ)1lS;Y?(40O>&mL=D_L15rVTAhT
z?lsz`rmeZx4T!LOV@0oJM)g{DMTjOLiSUT88a8g~91!rz!U_<A*6)Nw{|yfxpeN@?
z%KEVr?TU$W<DS3SXMdF>pega_gcJvxOGsV<i-e0CTD#Qykchz4^rrxwAo_>7MhKcd
zz|EheeBHu_mNb;+fp4X_hezk$=#G|to%;rRg=!Yf`}K9Iv7cmPO!2M1q(QJ1(p;~_
z8a*S>=|su#D}Y}9i`MJw`{pLv-Hd6dzS=@<`NFJe4aPO84CX~%(0#Cw-#4&EhDzg8
z4Mz$?VR8DYX=t5?haky}sl^@?Ylo+YjE>6yZR@U^GNDJ^^v+~G(5^IS^}>oLn}RLa
z*IOts_5FCtz)?`gi<dL`gvG^&G?{~uP=95vqpGq|y63SNIxRV@{_!8nj!vQT%hNNp
z-B^TLCl(sDmJ{;@5uQrwr4efF-fIqXx3rSN^-fX~B4{*do!iQ_SnHJ!@d%P}-1}Mn
z&0nml*^gUyf62;)b94LDXH4Y9wcTJpHlj8;^5@`qt(U{r1~B7X)PFvM1RY~cM{HUQ
zMD!k!5FaB5NqX&#Y*x??%3A9X_*sblqP*F&0nPt1nb^odzh2A|MH1$p-R=2J$Zu7E
z2}eIx#Alfwv3NER>`N=aee*d9UdT^byp*PMrb{S%7QtuvrsbjVOa~q$SX$NeJ}$P6
zn|1t9yva5Zdw6geW@;u{ap6w?^M_+`{q102`j~6q6M~C?6<Kp`;b(7E$5{}pVD_3X
zH7>#zbM>WDrl++=TjzYf&o4#kJ-WXdCvTrp;PeiquzEJhxyq!|!7P<86C%KKhuvkV
zn9XfV>IZ}%<3M%;so%~UEY_d^@R7frHf?Ut-K9ppKKhoQeUUpp-Im8YI~5$ex{PrP
zhH=NBh(Z6hvP%9<D-<0F2>|fXKekH1BObg7E}pO}&Hw#-q;Z{hGCjKtUdKyKLc*6$
z^{4&M-Igh7;|b!!i>HJs3rk|JOYoS}gNv){5mNiAYI!}ef68wQr>2#&OahXTfO|v+
zXXi?^=oP$g?@Cw2s{N#ndDV@MOrv4`W6^W@1J96j3BCVC-^fu;lj=d8af6dTk^yvi
z^*=Vx3&<YB47GHAs{w2UV%=k{fi8D9YBL-G$z*^MAJxMrgfGsM2>QN|HmYFWMYnmr
zDg5HCd>b1PX<=s5vx5bnRg+iFe0!rf7<blczcG>J|3Zl&<f{-$rbLH9M~td4GXuSF
zmYK$xQaresDfL07$!*-Xss*&*zO7FkeW|j`lgYf0CO#_sf~%*`%;>7kBV)@^2mm_@
zkc7xg9e<$%faD0ymdE*(NU$P(aF7ZwCa}`^yllZVw!z>m>OA5A6Z-N{Mw^^N>DdHP
z)>1_v<o`&7pZY~v)cZ}Fyme#KMPh3seO3KQ42dsAGqGC#y79L8KGC?&q=rTHL+8U2
z-L9doHoN{>Cd8XFN{F(AJQ|HsaW6u@tjbmq7PqD;&MbT3s|0$Ddj!3ism&J_kzid2
z3oqZboALs$)VQbIxd_&~Zv1oIs-F_|zf+1+BJCq2ma6rS?oKuEFo=ooR>NhfLtdK_
z)0$4gK9<`FdU|U2+L^6)rB*xEi_CWG&abQTS~-|<DHl~N2t+5pCBXq|k6#k}$mF;J
zCl3uWX?LGr0^L-{7HN!^a>;CEGwrwu7Mu&&&kI(2p4YwGljgbnS=ncf8Tt9EUHZrE
zk_OK6-Xpwj(;J~OkT*in?Bl}8C}xPlBnipsy7sFUWn*m!lmLL-3}WE~e{7G3j8h02
zlhyA5KfeFT(b+ofdL!)DFR8VKQwMHP)89ozLp$f7uwSe)B8!)dgAf?0Iw?DE^Wrhu
zj8mM4gMk<E$b<w6txfg0-Zd_-0}TxH#}=E+8bk*U4UmD%v$8}id|;&<R%IS<w@;Z>
z#=62!^3(oY5naT{BNB>CmK;<1SB{9pQg#B%htp`(cF*@0#_k{#sUc8#zCTS7-7E37
zy!AEN`}VLJ!PZ#Y@||!qOQ*0To4`3>N@ac$eP9zgUJ@NS6i-+^9tpXRlZJpO&td&$
zvBgqq3itc3+ND;&Ccmb}fksrmC6DD(SXi87UNu0b3hIB_k9}3X<~kX#pk+-*5|2I5
zj0U1i+pn@OEQ(vKFK0eJKIAq?7{dl*BC4@epsBNs69}IbFs+VsCFIBb>;~HS0;{~e
z$RIk@a#(OZrXOl+keEXd{ed8&f%lH{WiB{a_vxZK&RYA{!1$Ij6cYfbFhAcVTA#0T
zQLz55PL`G`#<IIUwiVJMGr&h)OXr0XR-UaBWpn<x(|m`c?e@~B`(2a4vI$jGeiJ~4
z1HR%Lx;~TCLUxEZ&>4-6N|!wCbvM$EsE983m_kx?wS3KRE*j8ldTl$;=ODCP1OQNe
zsDvkXTWxaet%t1edN5e~uV*l^`65ehJJpYXFU&{V9~%afU53aaUEP60H&TJ$w(K!y
zJO9C7G&p*G3nSD_M(!&yyT_IC7>}y|zgL)D(B&zYv~}XKKTPj$Yi}*gjj2`(2E(*d
zGZL~i@^5IA*;?a5u*NQq<YA)wC;)&vYwN1+@=s_?<uIP?OO2rxC>qtN8X$a!mllAR
zhW4=meWcfa-^6d4oVE%kV><O={UNS>C9Nwq5_MJ|)!@Kb@cHv+rrN}sHfnf?tr2=M
zcxcSZ%((a|1XhOc{K%d;FdoXQy&E8cGDe_i7=QvB0Nan`Q?4L6w>edPcuu0ea(fQy
zfW&}MBD3xqGk;=Huj^3`bCvEMl$5DBU}kFS(-eeTp`pECV7nFe&-jZ=4YA1?b6<0H
z*kzy;%EY9q*rBvvG#&y>9uxTN_f(#XGPr#dm+b1X;4Dvbn|WUMhc#cMvnI;Ts8~rN
z<S^BXG56uQmU587dMa8T7CI0yGdn8OgwptXugz*<Vq!&0-LsjSrp=RYuZ%NK#Lxh;
zh_4>J1H%2cEG#mEj{?Fu@!Ey2uP_@$=|9kW1VcqWqXMXRCa$_3&UdZNR?*(vu1cm#
z^Nq2&=zS6JCp1Uf+2t?Jag(t9_WxL<*-Yj9_&<7<ePN~)?lpbu?w)_Sa-WP+)p3=M
zKo9H1H!+MLTIw{)|7eEW_b@fYrBlm)rx#n67casYj(|pV80>OG2X{NRnWtq43fpW9
zY87OcgR~jgUN4vZT#oU-A_RMK-1QT~ov!Q{B04*(ED{SPM{aMw8q0)ZsLo6P4KQ%9
zHnc1me7g3M>!!OX$XYEfw)6n}T!}j6=|16MG~c*awK-RD7$F{Xu{(eM<y~yo18bJ)
zR0Dir5!*KJb9kkAhflDd4+uVi)XKew<7C7wzG0SF&Y==jdrl*yP>6@)Wl1@x65m@`
z=?gMs3xXFi@pzUwRX6sk_r7;s@I_qiX!;lpHZ<Z48z8@QK>Da8cb?2r_)ziaD#-oR
z!-OlAs1ygNAU0_5E}dSU+_o33-Qt(wjX>qFsGa`B)A}$dJ63ETXPgDLGUUMFVfncl
z;y-`}E4F(wbXvKgXfOn$1_o+O5`nn=>ei@*c8*?0^N7<h%uS&<9>$pqQiE|tVg_sz
z)Y8*yvkF{6YhVI@dv9h&X?HY&&X4L#>zW0Tv4%TjLXuH=&GH0MN#@ld@>DCF)WK$`
zZ`TkZUH~*=R$e?$K?}%?l6=vsEUzClV<(JYEzAE%SLmJ3Yz`uVjVpnz`MyEGy7}?(
zCv0?<PhW`<prPqLmHN3sK}nKwZJjDlt6shCopR-u!z(mnDc4$Bp|q8xfjyq3X_e6}
zXK+MB1lH-?p0tz!M$yiu8a$xk2AQyG=Ga)~60#^mT%5ZyK!d7+MdjPE*FlCsd2zif
z^Us2FF$uT0TGkPIYHF&isK-&X_K^bcne6eKI*#TFkA%Mt0-@5v!om)`aBZ-j9l$OU
z`8%_UM}yB|=5jHDD&4ta0M{mmFPu{gTGC6-dEwXl<L&CDB0FbHd+e^3oOn>$3LQ-d
zsP@JF^9ZgN;sm@FHa@?NAjBadbn#&TpFs=jfa0iMPXZ>OuD_HKpFUh%ZULo|;x)4;
z=O`%ui_)IGd8*=EZ?F*r_O3w{GX)g%BDxo!9saC+#*Zl!bHy9-)z1sCI^5ZBa$Uib
z^`HSo>WZ51&IDXqn>4i=0+An<y7O@{G4g)sVQO_2i=*%i)}i7ZjbirU)tWi^R>@_<
zgMR=4@#Z&s(MK~!zr+IQfd8mic2Jzj{G}?Zv*b0a0GgH@*rF&pwPrY#KL=y^ILI=8
zC7fPV?BgAL_*zihu3Nd+k&th^j1iHgxRWF&4jl~Z8Zph6_@Xy8(V?Eznck9L9bJ#y
zhpf8E3wNw%Bh>MYT!NuxNj8OD$&(ZiNK5yvAS0idyEl~>1Or=C0vO!p7yfnE*47SA
z1QQl|(|lSH(f^zjGX2?(`_QU(w8@qsF}$c5kvQ?)i?2P3BpsjX0G*d4tj@(gd9Tms
z2hEZ52(lo$I<(-8dW<TZ%cF`){TB0_iMQu+i*-)AX4UnkSk7r;S*DpLp5~*=(Uv{z
za|0S~TP&AbcY-~SrpALgYG9yCHaZ6iJAGUfk$s+~h)w4630PR*0YG<6+IP2xa9^WF
z&u<Dv9l8`TBjU2Mqzm86j9`ID(66N8!m2>`lWU8jV(*^2Lo7*UtKC)Aluiuv&Vq2p
zMmQW`ri6z^fkoOMzH~?oL4bU`HMt7MW3GepVdLd(m4#Ut!xK0d;&L9*1ZkG<8jLS{
z9_}$O>hM`AV1n7+$P%VaS8p-wyP9>+U@W)TGit`_3&_MOFu#Pl4jOA6QO}S{UnYO!
zp?mqb(lfEpvr4t1`pH>VYMR7EeGU}#N7~p`_3(}P`&_n0p-aB98ElJulewUz{dd|5
zdECE#b<O>9{vmr}GneO6!H9Bdgb@oGmo47I^HBe-GsNcRW-yRBzn+($4+|eaa{hr&
zr&BXiq+mMqQ&<xUFmu|^vYYmybf3@VC~y5uUEOj^sZBiAXV9=!UYeIDudz|RuZkfI
z`8s{^F5cjG7*8>x7Iy9(nIT0hXiDZO|3?kr8+wOjTWPksaaeb4nPhnOK?-<+X-9f`
z({L#lUM30*gzcwHJk#_Q5u<mXg%wRG^ZzZ4^obUSaQ@c+?JP;K{~zS%llac_cJ{`!
z0ZRNZ5w^dcA#Bi^kVrr&b&hwXNmVn(BS5a6;!*ohP3D&Q+=$q7ZG;jR%Rsq<h3PU+
zDp72IUpEBpLe-^Sy_Ml(S=bf^Ji?l%+Kt84tEzfO0YT7U5B~jv7C9y5HZp+Rs_wH3
zTFZB@R;CqzPeqNYUXli}Nu-!&!7OefN2MUd85JN<-8hPQL>8}rx`%sKMguxkE7XbM
zeoxKtr79`W=vyf2N&Mb#0s(SNXo+Du%}%F30_6B)V_vLo4(m<U-;LbgtUb1Kf*#2r
z4hes8azw!++t31l1|x$@lP(4d9Vx*(AM#BGWBl*Q5AR+eJVOvERvm1#*aC7FW7!|+
zqGXo}^7B!jiUmbu#q&^YqW1{R&FUb@^kvFHBGf*utv0T0YQ@43=d?(MlL#rS*art^
z)Bg&I@Jst0xbIyCuLp<AjaV6mjTNyu{Dh$?0_5aCzuX9q_n%^nN2$tkIg9S;aS}6b
zBByOtwC`n`oT>?NGP^iu3FTAw*@1YvWzK;(^$@7(eS2f={FkTLtW2O&^)s~S)n#CC
z_P>S9K_th1DEEFvdhK1I`zn4qR-_l7kiziaw(x|&{X24pm9~2jABE&Zd*)z45r^3M
zbML&{VgD52odmx;b#c8nH!trHqQidnpR%^}N+@8{xHWn-TMUCOng<9tG?O?=r)gVq
z=3n#_{Ude#VTqsi5k3qN3-0<8fLRG>l)lv3zO&MMops-%dc>N8WaOWkW8E0=#U(ne
z8aA_VP6BlCG7t2=wL5{f(|MRy-bTuiNo=<nSZXQWjW#D{&QO9{q1~Ot>pMPQbd?mw
zRz<tl=TSTx_U_8_Fa^6fN{Zs1^*jAwtbh(MiK;F4uGu6Q75t`Z)GeMRdCwtwpo_0f
zKObS{>l@CXIv7St3Lt*;6^4Dtd4W8eQYJaWyy==AJVzlq;cte+*?{hI;UBJ2<Zig7
z&G0aQ0an`X+IyzaNpqU~r@eO#Hd02Z3!afnTH%JHj!|$U<cJ!mFnuq=%8Q<FeId?l
zK<v0&))eF=?T&-s?w&x3^SQ{pk)_W#EZbuV=g!uk@&R2`9(2;JXaFTs5J3#bWo%;F
zq=}TS^Hk=b!K>FD_P>z}`NMnaUp|CF_b-{X+s<0l^moBV+<Qv(?tjkksjp%)=yWqh
z*b;z<)711dWrWzaV8mrZJESt$Q-7iuNnx9>DOrI>blxSGX^l9JX2R2S23;BErp8cF
zNC=1^8hTWuU-V`ApDR<z+v)O%clWq9zySmqPqGf#O-^^Wk!~S~uEhd#@V=U8_q&rt
z#kAPi&!4~vluz-Jfo8RCWPsZA)Kt{jVs*b=+Wn+!za?vQ5UjhC{aIZdw=WsOlqxki
zpAkd@>+xlb_Ej12kLN$aYuCHhZ+U*UIl_CeMK}oGWt8?Bv@F=hn@W?Ck^(<{`s4+^
zalopTHOc3n@UB-o64Mz7C3(z|y6lcZ&?bu${{8=wrW+F;m6erO*Qj+bVvF<3sHO58
zQci7H(qaWMnzryyayJ^KeDhfkh)Oq3dkN~G$UAkiYw&2=SS{^tUS!+9Hag9xZ$-)^
zv)<@?irO`LG^#N$F)=do2C%B+=jX4Xx8|r=TW$WEwPMHGu!A_lpXRC}i<?Rn%Iu}{
zLxN%4*c`(%rV(K)Kxw2U6L^hId%j&y(SUA;frg&3eYBF4lmvj1wY9Z4hz@5ElVEPU
znUeBW8MoXl%*}**fOR&SCFXOx!7uO|CBnHsMKkdx{mi1rDP&0k-rBvOR`_o-;Tt0^
z23@(sW#3<2d2yr8&!Ri0O!*ZA0Ow6l>k?Z2D-<MTy4C&2y4=%dxa+L%o1fJp+h6KV
zgT~lL!%BlO1~S0s3K0+b0kNYvct{477K$(30cyK&V72vl3!&Nn)9EiAcIk6nFa~NR
z=NBkqD;Lk2jjtWFhD0lmNrznSj^xu7vj{oz4yGV?H(v?&(>u>`)Kp{%rU$GF>Kegd
zf`ceK3m*v)!!<81vf5s5(@U6I%yl<6O*nWm>X%Y!-8GazADOJr1zzYNLM-R&wMnIy
zpFrwTvz&m>>Y$z}n)BXp28hiG(qZ@|(t68TfNI*~ZjfSm`@O`N#(^R46W6+jJp*tu
zZ&o{sEeZo7l3;eW=c@AU7-o*}?i`J57Bas3#S8eAzQU@Q7Z+FL^~N0AO!+h7?(bUu
zba5HJOr`sed}A&&JJwuq)HP=I<f2URW9nUQvibN4_|bzuf5*jp(uBTOhQJ&H-}$pj
z7Zz7H=``mn&O_Almdiajevth1oWAgRe!}#$8mHN8mW~w==k~A%-C;uDpCk9GURXA4
zE!3DBZ++*q;%D2PicD6I6{qR)cvm>Iy^Fr(Tl|4$9`L`!@)R^OEH^Na#4Vy?hWgYq
z$Y~4HKld$_(5{UR==8$<1M?+$Sau&&2Y&Nv+wr*GZR$#H*TTp)6}0enJd`sNZ*|QI
zd?*x@i=ZP@xeWjF8j9i*)IUxp$sf7D-1viGT%)K4*D-{;LC$btJ)$7};C-#Zl3JI&
zyQrE2-~S<)WPfFPLp5d0nvUU@!Rk&nNwIw@h}cUAH(Vo@a^j6W&^_0p@asHe!!hAl
zvlE&C9Ry$%<otNG%kU!V@Z{n7wSWx{g5?B<nMB(8y@Lsdz(y_;?z}(#>7^X)YpO$g
zll`Fsw>QAj@^UqtT4gYqEvl9?N!)>-@kgAB&4F9Hi*(h0vK#9CE9=*Y>U;a;EPGx)
z$0LVm+ZW#a8nx0fDLf|59hZjiIBqShY$lutwTR{I*ap_7eSyo+_veQm$#iK&@&GZi
z047uR<PSDj6K~x{IQWJebV6NKstN;5oKY-EryZ*0zP<Qu?}sl<ewf>3UhcFQk`}Vb
zr!ipXp#h->2gce{Pb67T<av7Ilcm9OW$^s9mExfsIJP^t*=Ow0^|KCFi>(3xz)t+Z
z&L!I|V7k{wT-;B|ufxDdkjWfMK_UrbE4%R;@t8<s@!iy^Wn%V73M3x&BWNK6rggKw
z-wN#EewX)O^J_GC3>5Oq`jvnU5C1y^V}iX+E9+b#1_Dh6M3sV9kZuz=NQqCKTWmqn
z0*J8H;ZGYf0_4Qxl`uu+g)xMl*$JgHo>|&ngsz@*V*UIY`|xqQ*Sf__%}SpBsa~!w
z!+?@xS$PR(y^3-Q3*ggC1hF?qAN#K`7X$9$(*yQw4kP1Oj&{$QX~ZRT#O0c~C8N8c
z@9qdk(rKyzEvJHn%Ise?00<<47~P|P-f;NbF@OB^+2PhLycfKnkNUjrnW+mO&b)Rh
z%v?Pfq(VZ`hkEd%K@9JQuGe*suy97(`x)qr)SB_7D+VI?)tvCk-Dq3iAH^F^vYT^q
zF1OJ$StgTW>_x8ZK+kY$Ejn|3t^YbyfzS84H&d_b=_$`J+@}{24OSf-oug8v9Jh>t
ztnx!v`aDN~^VLkF88<^u_=N*)R>=^IBnSawb3c3`YiZjPXm8F_FP*!@-)=JwfrAvN
zw-YCf41)0CEmkeRGsBA(^$5P1rU`t%UYwacznkcX8{7FRAfDW2w7B-{b6?bSTvif$
zPubOy{+ILXQPr4Dymi<$*DMFk-b2xmXR%7@6_tb?!*G@8uV25GH*qunnO$Q52e1sx
zvIyY#P_<<Oq0h9d5$Vfo!}NyP(MV0>>|!}4B>3!vY6c|mHJ;p6gdBDk{edtr^vTJm
zi(1=Y!@*g1tUHM<I%=SPw-8G$#pJyr`(l1jJw8VI>SU7%XN|gw){eW~iO}}2*6;n8
zDVt!S%T%>^url7p+giU}d{VgY!|Ib!o@y^FZ47rkL{BdS?}wi`X<7%C@;DugLZlvE
z2D<Y%uftlyy1vQFFY1XnFMTxhA9pB5wpnJom0<>-gcycp$Rw)9^;&qT3m;!=?@1^5
zxHz>LFkNoQNRVnZPM!S73_gZQhK7eryCf!GE>GdnwoYReMrD+Ak$0LYt;@A98|T=A
zFdqP%IB7W3)Wbpn14hsbAMi^!X)k&Y*;7vTocdSw8+r>HW^UXi2%IO@E69C!lCCWS
zYkMewL?r*-BS^m19#`c#MN*tQJ)jVzljZp(ZI?$tdDbrwDHhLq*~NRXN_2aEDA$km
z8|L6^DVOR)a~xdy<DNf4BigI|fQ2X;3fT~Simg6D&|i3RofZbg`FVod#`oaq-m~S#
z`h%XH%FUb?WvZE(>5bFL?WI$x1P0qKMsfC0_5@W<(x`A1$KgMh%0r<U;V5Mw)V^^}
z@3RC8i++?v=FU%FYZw7{JFg%HFQ-(9jwqGJViB_BzJPukem_ohwchlE`#on;V}zvv
z0)RG%A)8U9R)s5Ch0zW_yRy+7;4>5eX}hk)l~_u#IL~)SI9#A3aXrobcJev+G$Ql{
zqWObASRSyCGJam!5h85}JPbb{vq=5SXF#F4S}rdk_|r=eDh~ZvO2d+&@Rdrh)Oz#f
zXxC0&jXyODEV7&0?NQJ!Z)gVV>{nEfkgV(=J>u<livLIfdIHbyPoiKI_cNoYlU2S`
zoZNm>bl8dUbo~5z*1P8{)A^KF&I1|nA;SR33g_+jalp}6u<*lhDTXu$os~#%C^9u3
z3Xb{#>5h~sXZeo{wB1*4ovfkndor;BP4)Yw>eWF4@Q+~7TzVT*roiZf0zk1TvnK4V
z+nkw^O9-S+;1N&-FXbr)xV7ra1+7=zyM17Qi=`uf=J-DZ<RXkdpgwhhurE-{Lx6k2
zx~T$#+g&mG)#M+StrelKo{IrljBaLuFeHqe`sr3}6o|YI2H<B5w(>_O1+b1CaTWID
zddvAd8%1Fsd>2YfZ=B=k_N6ph*vz$cF-0$Y6)&8xuNY@uY%FZQKjN=YX_0U8lpPhU
zg!k<Y^4*hA!wDC6IpjAyZ;9{Sq^G}cRn#`$`&R#hFdO%bS562C8lQm^`CAiDNH3(z
z<{|6-{S9$g_BWs-CLv+&+@%^MqrRbII8pzZU5*P7qwG#fnZVL+$nAGW{j;GjJTuV0
zOoRdbpZIw0&B%XqR5gEWg<s*oofeQ?NPs__BY_S=7fk=%3t%{#?CiX1&sjfra4O*=
zKqfj$bM}glzRv@WH9oEV>!?~hWCN$B*&Z9_N`A3+fkWD<Z*-XW44bRLJ%SKyZjv;e
z__WIwb>@}nz0qs@H~iY;zbJ(R<rF5}2?ao3Aj(*EOZz#jV(NPkI4&c^qyd!T;`%{C
z+Z?zwTF$2MkaXfdD_}bkiOPGH(N3Dn7a0vFbe5=B$3l>4k)fYVnzB2}&`u9kML6Eo
z3=r(8U`!Dq|1Fj(oYJH*t^HC0x?3iz|2BrWl~iob)1XNA&D0KeKT(4b!Y&ZDF$Oge
zd3KIt<9Fs+<rzq22%Vne)_OWmx}jR(gra|D)NZP&Y`1sc3*Ah1e`h^7D^o6ofrP$w
zqh&ux>9nXbj9Y{lrQyLRECoTN2yl?N*K#&DjfG_mtyh#jMvDg0kPRx52A4uOaAM(S
zpf_)=(XY74HbyqKYAaAA&O`2wkdlx<Nay$V>fIYnDgU4bvdJ<Zv7?}U;y}o9t4zC@
ziEY8&73HfxmWOpXyeiD@-m$)3D%z11Eaioqc#y>-<GW&Fc;#wXhaGp)(O>a%L1EY@
zd%M&^c+$@K6dBF_D0s{dgPa0eWYi|k2^Hw$;sw)-v7SwJ(~G|(C5Q0A#{9hR2jALM
zjCC8|wp4s{>U0%<il%QbCTZ?(!yXm}NMMHsFQ*XRIwVRdyFyQP=e)RKg<oNPz-O^b
z=w}GJX;2`?`G;?f_ST1nA5i1cc$~LJMn<as{J}P~x4)hNf9e|>(^$7bZrM(KV(kMR
zQ#=krX$iEs0iRb*(!sB;Yvf5^G$6EsCqcquH6rJ{M9u!<Q8V5g1W-dpGD!IFNOQI<
z#^n{wjqiy+R>Hvq4k@k4d}B#(cC!OVue56{_Jw)w{#cl<@5cag*^{QouSwBrB7LuQ
zn{Oq#S-z>W9zTqEwCFx>2-Nc1#bG6ePhH9zF`~eiu`4W8?3QdlQa1-Rn{w8}wO-iS
z!<4ENpT`*H6%-&9$fR-O0J$2aPTt1G`IRQ$DT?tBV(gc45B^{kn7K5n_+%J7fb_Ga
zebd5{CWadOC?T~0WaI~&&w<5BenRA8(7u^vodY@_E3ky&+{l?^TfpBLiUq77bf_7R
zN{nK_L)&VUa@O<PBcNTTUUlQ$TY&u6-7emG9ynRZvQtKuRWSqOB^mp@9;!j@1X|V^
z@<rJ)bIH2_n?(0v853{xZDsn~XEwGJHa50!1qB7z{M=ls+}vCxV`Jm0RUZ(j6@wH2
zaeH;J=C3M88s*b=xA>WDmfcN_hK7u8mk@Px^BWzZa)?#4?tcMW4y5tse*yg~A9>Tz
zl<5!Gn3_sv#YKB_*5UM1xskPXCTz1YSl?(tk>T8Vg$g$@8aXU@T2)2i+|R$+yRo4`
z-=~jFE)yxW&y8L6#*(S;M@RbbW<?j3G-8!fjyjS#Bw_@OMy69C7XSdO4MTpB6QaXK
zmuqpH%d5kWFZ^|%$?WKJ%izq+%<3sqrc@w=Ca0vNs4_D%s{sHIMNtt5p%?(j)@U@1
z*RttynJDo6)pwsVnyjiv@8eD+a5@=y?~|kNtbFV6Eh!RpI$c<Petyh?`vsfhV^q8?
zD7Nn|a30BNA|AUxhKvmJ?lA_vvf9L+I90WM)msO@t*AEdWf<I5q{!rQQS!1y6XuN^
z7Wlxxct1D3Gs!k9&jC57tMTOV5uGl&Q0RoX$SZxS%d1`Bq5+~puP}jgd3EgTYY*s;
z<y0kEtgdV7NJdeVH?&oLE<`$=F6Mef9wZL-n>lxO@^7=I`k<(A?hVx&EO_zqoe%x8
zqwu?15m*2Kr;mR<e&x$4U-6aS252i;zJ7BNP)m~qd|lJ7CcA@%su~lcH&~4}o2wiH
zc8P?7K$VXyz~4_H=&d<9KwIX_?tMjg_VgIk)p~HcFqBo%5a>rjaXAfP!Gca4?9j1t
zoVmY*$vRwi$GN<Q-~Z@drKhLIl6&^-X}lgAUsrD_3h<ZH<(2g0(Mc-A6$3AqiO|3}
z-<g}Y=IyfEnVMS(SScwfo&W&vez5U?R6;6}h6aum3b>Wx@KCS+*WP&sH+5xk{Jf&x
zWffbtEccE91GXtk2?3{2LY8c@*^o&#3CYgxWSL|$gvku4yPGm(hRtM|^g<RK*ceQ+
zO>7e<G}~Z<?RD=>mQ^judQZ|T`@vucAcF%gBK&9cP13x3&hOoOZaW8!jug@F{OdH8
zHAi>d4PP8bL8%a;`f!;r+Mv+I7?cqPy<DaW5ut%jrCtf<(b85}c~?Agtr(C6fR=VY
zpeR66EO)dBJ4G{a_-GStcaTumVA@*xQ`ar2MO|E6Y{hP+@$2gQkB5eZ&cINAa#H-Y
zdo86x$jP1?vFf{n4f`pIu?HJiB_$<}6BWHB5jyd#)MRZU7GP-7YQ$JZx)%N5<8q%t
zFUOS%!Gt`QV~B*ZlbvkNU2zDHi(N4zAE^&yb<i*)k^8e;6Bern4iq%f2E81usOsJK
z>CSV{-^%C0ZgoRjTDuS0-LjQ4Q^dMJ_tGMCQpv0t+SLWcE#LY4j4Rl{0sywStUW*0
zpjeQcppFhyR#+<GAq%r3@uJces?X>|q7B!cE&fuSuNz?dj80g-IOb;~gx}9XYZnDJ
z`$)QQtqLDKFUBw|{B){|Hkw?JmaN69Yx>LIc<=Z+mSz3Z8Z4Ft%1@DpdX32XMOkWj
zpo4%h2Bji7L6uW<tS#T?qg_D;7O*T(KOFDcAE}pQCB&+t0|A5MD9lU?MNt%CckZcX
zL_!{-QH#eaaeZC&8J$pevXf0pP$S6+>PuD495i(HQs5e9AtsUonh<O>!!-avQ;UW9
z{)bjNYpxy>i+E^#lez7MtwlLrFLldD4s0Tv;BtA~YK`GYN0;UI^XF-Wcz{?WE+#}X
zGflhhKw<O2={_u83D!tZOnZ+Mx9kbiif1Ops}lmXb0h>1AenRYXm^jD`7-w$gCGbZ
zlkt&2x5uvv&b<`WHJaFSwF4lN@R97fdPFGTg2hHdPd^0~8v_D90)}u7DCOAb43K33
z8k^0`(POQ2m{x);$TDCyJAs%6T?3CkyKgx`P~8(@FKnV5(bd&$lPcnlIftx|%ud(x
z&;YM!v_YZx&HTuRjuf~4NRU*2FoAWk=PD{~+sok~vg8C!mO#J>*cYJ)0ueeHx-cse
zwb=>kldsQG1tqPF)8$8poCHD;ey}?T*6tv|VjG6;UI$WDV`K--ZZKPhL913ET8#=J
zeH^e2F<`aRAQ7XW*Kt6l#6WmiHfy_sU{6=}&?hUp8GX16S-L11!*L98y1Zbs6Xvy#
z<=#z_RO3Y13!6x1w70kSla%HJ!noF_C2M$ry8rMnspP&DagSN;p6-TbOHD9=bumsp
ze!8d7W_S0*L@Do9DaW1$q9_7kp%QHQk{EnOiUu)T-M*8RCg0f_Cq;T$lwr9ji|`Pk
zPznl#0uhPCh*T;;csv}Gaty*WID{xLP$@7F@X^ubhOQn5Q(4tZpQ`9#JcOT}ovy<&
zGa|4Mr4Z@ucLI-xLH~fu{J@6X9QUw)LhU>$*?2QDW@SISL0|CDniTn1-?Laf>{q!}
zAO8LQ6Mq8$?{r+p+OlO!=UCt4^YN6=wy*xr^2M>UxZLr*w`Qw{H4Zqb<~9puws;U8
z4+pW3gUICqRxIKo0zQrbf&fAI8TYUc976;!42v)ffJn%Jgg6x%p_5_~@uk`XPL~(#
z4gw-{QmC#mn$|s@yJFZw)lRg%CN0f#N^;_?O&b#me!Dt3bganL=cA#xtnKVGn+`rs
zkmF0BF&)6VAl|0uGB-cGZpO=rajKhIXP{{YYz`8<UJ59Rp#cGegQKWWzyZ084}omy
z^V47&bc0mF1DTW$$BuV&{$XQY4(X*P<r*F~S&lJVtOKoGY#yISuSrQzD+0};FbswG
z*bv?7oP;L<ShA{SpaRBy*JaX&!mD^VeWtH$*MDpGgla{RT9r5<P$k;y2}KbQ2{|B@
z@IWr(qjDJ^kxF<V;B&4CmEX^R(c}WZp8;K{1UNVfhre$+yK&RO6&`}>oGg1`lj$6b
z#pY;gr+3k`XF+O`Ix<kv9{_+5rI52Q+mMr<s>vxTZL6Rt#uP+g0RR9+F}8x@*4&+Y
zYl@@vvKYBcU=WMB6EaE+d;DNF4};fFfi6@6A`urngrD8Dx8}g6Ern}5ByF8cdtsC9
zAiLe}=`(S6_Vx|xQxa9PE{_MU6o-RBVw@`C!Bxr6XjB4u<+*_hilWJ20qfFI0o{{d
z(Dc>kyQ+_9R6;S1p$SU40KeJAQkr35z~ly}%L^EWf<`SG&80D5a<l*bto*Il-u>}U
zG{a7MyoybQldM)NbLL!setna*FEvTESfdt?xy!1M3((9A{rshiBA;Ry##dWESPheW
z{N`rBx~vE5FDz-x`(|(Lj>cwFuSm#|GYqSfN%-iELPn4jm<HY89`*s@@k6Lq3{naI
zXPItl>j!KvZY_E&H?MxjRD}^!TB8L3fX~BYKYIWE-7A;H&ExTIY{Rv>roVH?7iZo+
zRMheX08Gkl>v0C}<7ht?nx3k?@97O0%d{HtqA-m(LZJ}iAqoL7%t(53hGqbek;0oI
z5f>BzPCJlZ3JObFPXGC(f=3C`-!YYb#ikl8ie~Klk2HOW0E-&*@`W-ff6Q~VIF5oo
zTqeI~dHkvsOQWAa5x|?8t@Sj+lGDA%x_0|ncc0N!eXyu`Uv6IA_Rn{n%kAs8C(2~}
zC;^{?szO8{mGVF$=D|qN9v}sHkAvFrdBvMs-Y9*NqL?X96E)>M*5y*l1z9_`-T&$0
z1%@;p_r|t5D2jpqH4eH@Rd#><=C<RX5`@1xn0l<y^$8w6=k?8t|Cl{j|9EPWMjR;h
z=GE~V1!X5YYoB}J&{Gblw{p7pa$13PLEKHxWp4i6+O(IG64b)+{LnbyV(Xg*t9E}^
z`%PhK$G0BBXPnMp35DG7oMqALA6-9VLu!(CcBn=?t_#Es&1PcH{@Q<R|ETia$qEUA
z87u%8xf%2JtIN0Db65OYwMsOu=cH*C+B&UtN0<G??!3CZ(z4DXx5w8w9l#QcxXC%o
zV(xutZR(onD8-`KC?z)D*`e7o%odim<iGrS$%_O@wNFR?O<S-oN~;zvdH=1PZ3{B>
z8G$nSjwP05p{LKuboDs8`iw(Ae(*`fv7TP%S+~bu4`UQExJ6*0Vj(9bQZJqJm#4Fq
zM(CtV40^dCLMKCi$+4LsC&`|y=&pL<m7_13EW>5f*>BSxtc%Y%BU$~x)|ZyNK6iF_
z+Ajg@q8NsSKBJSdSceIlgQ)5sa5Wz~+ER0>qNj^xp>x>d?*;(-IKfhggq%nOL89ho
zMi^GFj86{>l_V(T!VFc2P!Jv_MQ>)!YRE~lXR7;Z-*~U=)!GJgK1_q1h}#9M(dUhe
zmalqk^Rg{-XN6~J)FSj&{W0mKz+&~VB<ZIKl46}Mug&MD%rwo~5de~55DowUin4wd
zK!9PWoXf$~QVCBf;Nu9N&%sn7!W%wcbt5vF-OQPD{pGK{bL^jO9gai6093Gobt&)_
za5De?%ChI@WrVL!j8pS2KPef^qG=YITFt(y^Txef-YofW*yBGHjO_?|ZwLjrYIRQh
z6OTNYz9Bv~Buy78L4&a!111;K*kWloRMhmv?!5YM2-0r~X20AXuldE9qyV4&*Ns^Z
z&z~3ZU`&)UHatu^ts(2{cQWl=wzgB1y?NU|F8`JwsOsCr7q=ByR}7Wut8?O4u3MFS
zZ<toHAVMeQDdd7FZLi%yKySa(Yc#n|>^t00c;x%GBA44+b35Aqwgu}7@r6Rp{I&Nc
zX0BQppCy&>vovavCPX2eu={>CI{{X^haNN!4?10B`JtoD<@p88<(`q4iM-tn{%Zm2
zT2jg+yqTd|kzw8a$!Rmww0ayv!?;{LS}NhH1p*F+q9}`F2#TU8iXbDlVp(7rhG8h0
zWf+D*JcOTixqN1ykLsXk#(2KY)U)q!L!Hs&?sB?(=K;X>Yc%e!8LaDuYycnu05Je?
z*REX?4FHgzf1m?Kwolvu-~s^Rj;XE|e#Zm>MO^p{0sv%Z&nGW{)p^G>*B5%n1b1`?
dtUC%C{U6~G!v9{Z$EyGU002ovPDHLkV1gsJySxAZ

literal 0
HcmV?d00001

diff --git a/docs/images/favicon/favicon192.png b/docs/images/favicon/favicon192.png
new file mode 100644
index 0000000000000000000000000000000000000000..921aaa86aa1ce2c030f652432d256557af7da1f6
GIT binary patch
literal 48291
zcmV()K;OTKP)<h;3K|Lk000e1NJLTq006)M006)U1^@s6Qrv6@0026`dQ@0+Qek%>
zaB^>EX>4U6ba`-PAZ2)IW&i+q+O555lH@v)X8WJ3s3j0Hup9scMcxj2`F#%E^A0&w
z^=s*fyx|@mW=0ZF{RV{sd7c0D|Gn3L{nvkml<s`x(s~`W-u%iVk2v|J-#@>8zJ@!0
ze}2FA??3VPzy19B;~yeFN_<T}f34^D^^>2MKi|;u@6XrYe}1*!Pm2BbgTfyl{QXK^
zIsSPo{r7`X{P}tK{rfe3-#7DL9_RPJ-2Zrt@7KTly)hV1;qy|w;z=Rh{Mo%q^1qZO
zKa2c%r{s&i??Y<epXuL^-Sx+}|1@}ieD_adchBFSr@s%yb=Th))PEYI-=Bx_Pd`t8
zTqgeQj>4Z;{@Xts9`63@ufL4l`#$}B&(G7%Tp6i){XWz`9_9Ov7cPeKXEZ9m8~+u)
zZ{P31@6ID`X6#`$7r*xvMu?2|8*+HU3~xB!*Bv&unB$3!uQBeJzMu8f;)t7R2r2tJ
zys@Q`o-1|cWHW1tAICrLC4AQ%-}QFrT=@ySG6p^@eDnBEzpsDy!~dJ#e|*sU8oD9e
z{g1KYzM=!pZ8&rO$*Y)<@cxcz`NsGAef=eF?!Qbd`OM24=FS7od;NUGD&f!AO5Z#u
zURTKe`zJL*dwxHFA>!JFn+b^-xNAry)Nr>LTL_F}XMQGk9#f8s83?7sCtNRclTu}J
zdi2`7r-kpevBaMr11(HMNtGn&%+O@AaxTPA%bggSC6#=YQfg_Xmr-U-HP=#WZB>k#
zEw$WAtF5)(Mw>nL+)J;$_1;IHBaQ@wl~G5#MjvC$$wen0J$d)!6?3k*(#or>y4vb%
zthouFop;%Fx83*H^NCM-NdKok?Rxq%o_WF{lukb7)YDEs<II;>d()fW^47P#{T=W8
zW7d9W_3yJ5{%Pj^`&kRWv*wKD?{)3ZS>wm8{o^Boa8jHzW-R8wj5lY1fR4`D-9ygN
znRCwWA%K<0tcBv_Ji!@b2J;EAyy1_z`*Y_0+j+Z6{{J;^@juPn<<$MZn7PZT`<=Oe
zowt88YtQ@`C4CcQ7CNSPdI2_GaQcjW%1Qs@*V9|h?_JI+^Bp-c5W9@9uDQZ_%IRZP
zC~l8ga!#|C6LW5NYR=#q@7|?`BAQM9QeqrA=9j_lPf1K%z4)-Z&ph5bU&d#@Cxo}R
z`gBG+gmH+KumEL-<LPaOG{ZwwK__cf((^DQPhHoDWsE1573+S8nL#|CE#PvW3|S;v
zM%gcKS~I@)^Y+|!4mJ5t{A~3n&X%uEZ0wZ;^>nxAti#Pd_k2odOij$Er}r7{jJ){z
z5STUXvG}LEz4v13(%VnFc%I7Sr1k(TXXkgUv`ac+K7_&3DpOTbe#Sccjp>xK&rPu1
zZ9OgShY-70Y~!jA98%vreFLOX`t#H@Mu!ku59>Y5OFCViDGx!r%0qs%r@{j>afgeL
z+xt3zK#VUVz}$qhz_8lxGvS#wjj;mX^t`wy9<I!}YjOI+!>zpY<`zzyZ@W&|Z)e8B
zsC@QA`t4KdyB2?n_JHbL>nfc)<8dal7WX@L?endP%N%}+P~*{JE1_&?6hwZ)xbu6+
z%W_(qOc9yA-}_zRU9F6TpmXX6pVOGEcRsB=WX*F$0_<K4HhA#teH+4YF<bHfJlg$w
z{q+YcIIzf|{t$i)NCpZ9xf=U<iK=w&$vr;xt#uBb^Bhv4ZaDqEh|)OUhv;m4v*S9k
zGC$=AH}@%I5R(>2+V=1q9a)gd+L>rXW`Y{;Y$x=2y_F%@?~e6h1|m;c_KXjcse(Ia
zk?CjOBayFfjKpt`#0aT)_s&0-f-;CJUW^qHQU_OkdfNLzfry^{d|H9vWk%~fiJ5EU
z09vI9jJ##nG`a5N8mV7M$y_@VrtWRb+c<|nsQG!*X4D8&pcye<-rn0G1KzT8e{WK$
zcH|0Jk@q=QHdPQ)aqYbd5ePv)KwC(42B4gK+i0F=&NC`u9oyW%Kw&%wx%fD?Z@AxU
zr!a}AJXS&dt`3Y8GME6VH+L20+L35QXys!B@xPcz(6$eA;#0;w^J)a-xX<EVCzJd3
zhq3Cw1{p(i9xsvnY_gYY#Q6krZNG2j5p#*_<{$4()Lw54K9Ho6nA`<KCxqd6(P(j;
z((*$lm8bKv_T+bxh9FSs+y}8RAe5WXIv1(S2z19a_g&@<b7hl=_XH*jOngY0vK~-_
z@n=ltPUi`gpg`pCwUXfZdijX;j2ZGcfegxAqy}PTZSM~VpOr}9ZW(CqFO&4}<^&7G
zCU9cGMwt&H|D0!LGY~Anh&$<3KGl1{TJartinWp?4>!K+07eA)Tj8({M+|Tcgk&1X
zUkK6Ix@Elj^7nRL65#AMPkx`%7b2n^h6ZFTyJ_>*eSiuO`n>!7K8O%Od*|{d06;E&
z3y%$^GwVQI-KYD^uz>OY9`d*W!^{|*4Q{~M?-gQ0hCg>JZ>fVpWDetDBKW|ETZrv3
zyBEQ|OAwhL#v3@T3-Zqp^&YStLW}X(AZp%lIn##gdJ7*4dy(K1tB?=@aD8$THWN8#
z=nOIF+t3TKFx36+7q2Bwfb03fW{3qY%~aoH8yc0Yzw7fd`#i-Ne1j?}2eGgZ)D%??
zAZwrXDqNwF*sEn7;M^p8g1AXw(2eLN5$a*Kg5NSR|KaOZkSx8uJFP|v6e6OGhbt5~
zG=)!Hkm<nMBpUPLVIZu*?e7NUr^keQaynOF0%zeN3AU{gs-+OGH_$W^fw{TJVPID<
zBoTrG!mdQ)c+vC3{Wy1GpsyVfXlpT90B9`$E1yT?sVWW%g}DI;LLIY>P$D3M%i0J|
zt_RH))EET6!v%f<3SuYH6fO+h_8|J|tBx!XEF2Arzt1i`o*Xww4s0Mm$RS(=0&O;!
z_TgzkXg&r40ggZ?ZtRVO|6XM0?93(!i%K#EKUNF!>3Y^#Lu4+BJt!N|$-IbrCLl_J
zs3gf@RM024WY(7TGi_+D_)SyMHZS;tPex*;%%cG@OZ2IXmg<KbKvq2o{jd;?DB(NQ
z7aYk<Dk0v0C+-ap-5rS9s4j%*1-LVslbn8vlTPr!kr@i-p#X3mlIik+zK_rC_v5+q
z8Hr;gq_M;FPfRiq2`9XYl8%mY?l+^TcRK*MZzPQ1e{QNYkhm0L2?Qle4|tq*y8_dj
z$kDM|Bg2qZC_pkepchL@8y!yw^4JLyB?*|%S%K=ljo(#3XyC0!20IbMkO5P`kK!9)
zW?-)JtdrD-g_*}(VAV7_35eK&p&)tCjg)(LN8FwFVg`0gH<Mi&1kG6a2mtX4Ya`h3
zGI_(byW;#;<t+r`LNlY~2T+tCn9SualQ%&uldFl<H)3vMQ^r<4krfD!qoII>5TSeq
z0A7!Y0Woo5(381-FC^N7E?Nxn9?TX-piZkjffq9e(CHg1(gxIJI>zn@$PLP(PlyCi
zl6z~Y+5+Vv=DMhs;zY`H&8}95(Aq-MiEDK3jC%%-9tX+~WJCcD28n5H@6{L40R%fn
zomt_DOsSrfRyZ`~hLHnCG^>bA2)d7NRB$sP^#^6UnC^?9lZH)V1bSfBNHwNBR(T$_
zWJ)GOIItD71ul-=)1@751_6QzIC=^kB-0qx-J973F1IByqy`~RLNk>iGmS*>=mINh
z6tSVt$lFge=DFH?Aq9z&gJ|8~XDWKl3D^p7;qv-{iovZ@%tRz1tD&Efxz;CK7rYV4
zwNHtj{;6Q@e$4wB3~CeEUwHKFk{N5XS|*b41p~V@2(8zcCNRNYL>Lb8)nGD+6}!X3
zoy}nHPX!Q9$U9UQc?_eH(Fjs-yq&13MCi3tA0`+#aUpIW;FR3Je;kbO4J*RZ1#)6S
zVkd)@yFxw!g(S@l1ltP+Mp*$^^N|y-1683XiK;TOjdvOM4Y!iTOfaYccz}fs5!SHS
zn3`{R>tQbMH%(DKcU;qj4aUtlur*dbnL)1DmI#s%%UTVd3Y>a1HXT}>2oa*A^C_8U
z!H^=fA;{IZp{Ldd9DlI705KfF$Qsfa8CseZyMEA=ZEz9Q(Y@t7)qQmyN%Y3_6D!~d
zz(Z~Wv>4gRgE2dw_?+l$z!DaMEhZ*~v3!z{7KIq800`Yi_AW2R0=|3CLGX}v3>8L`
zX@X!rCS~R!_zbs#F}h@w%MS+>Fzqul*I#VTs(@g4F`N}K_P!vEI&x<*{YIQ8Z@wXf
z#Nrq5BgDNA@9XkiGyUi`-go=HW8GqXwzhJ|$j0Xjm=FP^JtE0SeBD3Bwie(wM!^4*
z;m;k9k`G8Gass!gx$l|i{r-L4Wk1XhN}PMf&(x1u-h3~3Ilq=Pn1mZ-gRurbS*xGp
zC{%KF>}m1>F82e}gCt0kXM+Lg?!<#(Pl34m`96sGmO8%2`@Iz3{c$O7nIP<p;Lwk>
z&li$i&w>tcxVmZ3;o_;wO5NfIGdC3Vahi-JNL++FBIriPA<@amM+5wg=)gc7r1eX3
z0(}<}8<BJGI|OJO;>$b(&nQw3ES-Ac&PWSltP`(H_eV)8iF<HY0l9-mx<HnL4Xdb6
zG+S5^{I|w|Y)Av@*$)YX2_qiv3f@CUI3)uQ`bQJ-Vr(_D21{Ww4^fVc#~P4(d{V4w
zv~ScpzNSluWcm<stK~5MR>m2r;dghHny-PKYJfRtiL%)VB!h{VicmUQdH-fCS{3$q
zOcHW!z)+dHjJFxfMC^3wW#Jgu>7F=@70F*h4;sQnk+k)wZ=m}FWs<cJd?&Vh!NKrv
zAQkeAfxHgdN?$~<1SOM*jt@>J2?Pk2OnC4t2(xB|Y3yV@gqS#Fr&5DNgnB+NvUte^
z7g|;hqGlR*_`ww7JPvM*(Ex17ZmW8X)VR?PL@ah4AZ>gy*-v1Wr_|oC=V;g9rO`bt
zyOuzlpkCWSeyzog-Wewj|6%JaLXLav(<;MyVW9)zm-U?YuXM)(sm-~Aov;MKLJ4RH
zM-r#J9D*QsF_xre=|mAxd)*bN=H-mly5Zs%`35?}DtL{GUPqyT)DqER!byRz1Vd=e
zVwqFnc4As^zw?=NwrddAgc!G{YJ~?|59dX3^KqKw1mIM0v1;JTX^aIXkS}XomJbr?
zlT`&VhkJs2Kx@vS-<FNxCGG+Nv%5JL$=hHN*%Iz8V4`1OzzdQ<a1XLF0cgdtA<%^6
zXJR(G_34afC7=kFVHCq&xG|oYtRh!XWFm08YGVx5`aB<Z(RKofQ2eb#-1S1ZFC@bz
zm?XFx@B~4e44yCU7qaHT_^1nM2C=7%dq5+?EtpW!mp{A@i#1!Vf(vR&8s?)_G$)!b
zR@GV6vBH-;+Q5{KWDSQnfc?;WjiBpWp4bX@=i!G?{_Y|E`t|xu#q;HP{2W^<*7FFl
z=jHEnIPaU3i0F0{L_!GQj%3q>QEnx}ouDHu60n8?oMv!4=>`Vk%5LZz<-#mf2H|_P
z&<RLAc_=c-d0;PtU??!+#G<d>C+S7Th!_|~F6fhw$i^t+N{&VI0`U{dU^a?}v}Yt2
zIf9TSO9I@Fa!YXSB**Z`T${Ows<Di<XvqCn<-LnW_|s^_7si}Cgxt|>j2i;znu9Ed
z^B(8xAOO;<mzrrOplYmR1#Xfn$V#Ry9(0a1%8#VDfhg>e{ud^jq_gBbphesex-OyA
z(H&JPsN)sDm+27z0IrFEft;9G28GXh9>hYu)Fn46vx;klKXGJ_tHC%RqRwhWV&F^0
z#2iuxe;c0Bu#4|jR$)2O=TAY5E+kb4oqB4UL@j!!Cr;#qf(pdp1L1Z2Jj2n@X+$cv
zoJ=94i|cLylSk4r5o02bC$OAufo)n%jNC-y2L=`R#@n>}NM}fhki}vnK7B&mB1Y-r
zIu@Z0A`I6G@FSAm=o+8oe_KqBj4-nDMOFf$SeZgxpmlJw2$&3QfMu6?d2@49g3X~;
z{4`0ifc57Az;58M5_d$n=5Ynp6-?b#hh-CD?THDOok_FE6kEajuq8c~ie8J_TrsB|
zLc0m8GhRUr1waIDo;l#nfXMK4NMc;uEQO|Uaa}Wk5L%T%B9YMxmVCz!gflWwfd23e
z-x8s2K=6iL5L9ad{xx$af$?H$xOQX8Zl6Cs8lW>sTSUi$zCs}E0xOUJ447*Yd5|Co
zos=NRJZ87L!;t5b$tx%{6lXucDziR<VK+<{38B$jq}(7BG$Jcw{3hfNuMu4norWZQ
z@Co-xB!Ut|a>rgFYDbAgi$XcN(nRW2hk7Zv1ulT-TsNA`(jZcTw0=MhApW52aeq@9
z&CVAZlNX?E4pXU*@a5bz5t}VB-7sx`Eki(5R)f$gOaZAd21@C6oy)>fUdX;=z|~g`
zSEORz@KXo2UYaj5X99o^u*QAhpm_v74dfkIB8KjHL=wb0agsC(nGl_&O9Q#ad!diH
z$*aF5=zdc8;=o0gub_tHc@toat<TXS6~Izm3JF*ybQ<Fh>X}v#O!%Hl#o1*F6reAP
zAA^;j3LWfGN2tT%dc&YS#07DWeML+pE0d&oNT4CckK{oj;$kq-_uFAa%`z6NBW&@r
z#U;K_iE-mIVF4JP!60p1Tj!||_@v^6o_*^Eh!FNxI!NFK1FgE4l#B_4J4q?2&W}AL
zfOQx=G42X$;BYf9^=dHPr)0sYREgJ9Z$>ZRUddWmgy4e@ZaXH>F;)l=m&H#AASJOr
zUDkou<UGI`50*d!RNkpBk&}F@Af`)*q!$SXHNh=)<p2Y9MmbaxFAeksSbZ+Es%;&p
z#cfHPm?NGaOHKdIa&?&>eLI(xVB}J=fyMQhi+pw6?qzt=zgFsO{cz#sKUCS?rC%bn
z)^ln0@b%!wEE*K11eV%+x4rd1M8!ww6Ri12Ga@t?;cESuyvEfP>;}{CYN)jmlG8;R
zX25zxMaN(a$PpKC36JQQ61Ls70`LV#h!8oS!Eq_-YUps{ovDj`t(X`hq6~sKlVHTE
zbM1-^!u5?hd$lIVG$&@WJfHyTlw^$$A_8$hUU!nRWTr1K(+qZ=We^X5845oWQlN`~
zP7DN>wiw7~?7I`zE~s5cJVZxhDts)o-m4i+uHJ&>$Xm2ZSXQu*+3B%vhBQqsvmp&O
zn)Hnh_OjOS4JU9!OlKa{LOk>oZS>+@uGEt2jO`J+M*=K2W96!J9Ro0lXI(Di><1J@
z<RC(U?^<1TzKQJjAQgab7$4M7A)#Y3A_QJ4s3JoE64C0VYZdD-xJVe3Ovk1?`{930
z&{lLJK`L@f5CCYP^7*ZG!L;1>$ryLQ=XtLLMwFQ&9=Q~>V63ld7qYt_3yGi#L-<03
z_*9dQ`?slyy9cqI-TTuLwtJ9j=e;xddSE|Dg=xM)pm&fx9l#AZ43vf|%{qwtEtpp9
zGU)>Br0=P(Xa@yx276+V7$YuZPur~vfpg=+6&y6-#7sx$y<52>*&Y{K&MZQ~!9mI^
zy%5js@IX(E%3y*WnmD%$NyD{Y;QtABJKzuipp4U22BT$WPzWkU6TE}?eyl&bd^ha_
zKvyCCtx%R8iI7t>v~J<mrVWO#Fo)++=fIuN(p7XbmK$#KiTq>0QOIdltO#jB$RVx~
zX17w2`$72w(vS|W1s9FYE=1VATvlqBHQX}r1YE4Ww3K%9fMPDRV&=(r1P^HF;#xG5
zM<$|n#7{H&B>a_aY-lzSq5N+9F79_&gTogifGt|tAOdOjXI6OQXNkoXmIizyF7JqK
zodl#Ej_K=i2(}YglSDPRpvlmyGoctj2&SLGtD%>0QLgg6NJ)|uhw#*EX)4K6s2kbi
zGE~HcS_83lhv!-^!zuWtM!cbnFqXxI28=*W#9Qk&8C}*BaC9#ZLTVG6vE9=OX&Z1b
zM)Ct7tNcV(C#ou8gj2@gL)T2fVvxASi#g;<Uq1kX+LE8K&Fw!fuq_w=+qn@@Wat9U
zFd))BUuq|p`e00yHufJi)%7BCtqMTMqboPK73D`<QjdxU4~rt}kE_}!1+MqlG;}ol
z0X*7B5K`7YxE?Ih2P=Bq_Jbm`7NV#+%z*3vm{Q^fD6S;Qcp>SDOv1FLi)Ti5@bA%D
z=EoQ4dli~cj75FFHUWgkK-~2kj~T6O<1^x|{~3@0lXz`pH)Hc?q}R%Xfa@J!@#_%X
zbK4HXG=}M-9E66pFA^%0-4hBY9-Ch3CCn^<eB#n>FrbkFU<5d~h;$3(e2!|FCt_aF
zkRs;o@_b2{Vw9(F<pK*Z^ex9i(mxcBJE+g-uJ)fOlalszT45u`a<LXfD4Lp0Dz<rn
zG1|;5+#2lYxK%^oDrz%lh65>bER%CjHu{ZEi(}h<T5;ZI?~IE5+*3nDAYGM|>O9x2
z5f!e(VdfuD?m>G_m?bOw@+>Y$*sS(^>*1C@QR$eZ1=H4sS>(ovK`0*^Lt=o6Ux~S5
zK>%Q43lLgADgcRW$Bkw@TRgzzaxWJVXT943F+ej1QTo*y7|exyc7;qi^*n+FT!xTj
z&Mg|jLwxU=J>eEFE3a7TLsBFV6I=)oDe19>BuyM6+_*5)r@<!7$Fj`}oFQdzqWwep
z_i}{-Gy3)G;nP3`rTQRHLWD>|<-I&`a-AO$7woTK;FxT@DY$S$bm)h5As;6*H(VOb
z&rj(Wd0g%XrNaoLg`)!bFw8C)V8uvVbgz8?h^JvIq9xWRz`!?=z+b#3#wZ5|g&!gW
zGl|)~p)c58`_RT$A88q59{1O@fMzWh{J&?;)=@xh5_L&iu=fNpp!H%mN;WrnKobWl
zo;Ex`1O=j*k<VcBdsW0L`3gi=p#$4i2$cq(p~mDqqz0eT1qt5SNYGDPf)iE+Glruh
z;o?Q6;;1LtkTP%!Jm27{MYZ=UU}D1cR~=`DBInWKL!dv!7Rj1_N=OY}yz-w*(@?X@
z^eHz)49hNv@O81rH4+pioHWXd0l+uHIC(+M+^(gxXIvTJO*1Ok<OOI1y#csAAS*_F
zW!(=~=P{S0#b^@ZNInLJ{AV8D4qLvLdB_a&Cd1<nppLZ_T%YEQ#1_2JHsCYpgr&yx
z+*4#Jmb%eyE-LH-LL#qG_joENlCeY8);r)GGmz>E^1gpMme&C<nXmo!hwB5U`S~EQ
z7Tbn^_;lwIjda(G8OSdLj_Wzk7^E?BD}?;oC<)py>0ltnl{C3Y+x*q<uV{@Bo<`IZ
zWbK?Lb8#W)Kzyl&g0sf<n}@Nv1Y9P80a0<Y#8AQx<LB?I+3ShOHfZsg<ygzM$okqC
zMk<hZR;h7*7Q;8bqZYfXjHTBUB2f@#*ZCA3xCZwjowmR|q#G<A81mX7^DRLWxgZ&8
zIBBP&Z5m;J3!4_ekTpEF6{M=FTy~n5Q3;Kkp$<VeL2ROyCJ}>di(|rg$SimV%HX=6
zdd=m^cKP6k_qWi~GnRliHc09`rV>Gjr*v5iE0hJn_*!=@^6bms$F2Elm+R5*K<(cN
zlm=nzee6nwT9F4JI@rTEDK;iEVuPdQ*?F)8kZN3(|45lc(niz?aG1~<Vc0xiQ_vTu
z5v=$mEVxT<Gt5XM*RO!%aWfb=x0{$SC9jQ)1H2t(G8@tXGs3sjY#W$sxgDc(7yIsz
z`M@FOgIFSw@Mfq3oZZa>U3=nWyQ?Tcf%kDkIvI1;Wey@d^XS?Kcok|6Nci*ouAZX@
z$crbGX9E797UT(^_r|O6rJn-Cn;x5r^Qh1L(GYX{Sd5b-5H2K|33OXmc;9fTdQaAu
zcZ+*uVz9=QEo6}$WK+F!h83D^TO?JnzLhf)q-+fKv)nB4fZ5#z$w5NJ4Cb3B?*{W=
z*%x%$*aR>iP{W}Gl>cGQ^G5FCE~jmY%{CtV8V_t2!EO62pFk3*(BWMi%?my<(GCAX
zUSZ~40VzaM{zMiR-!7HMLbP686_;+8;w^>Qfr$#h-Gd6ezhO=fnGeWnR1On(1AEOO
zTX<P+7=sMqU-#?`49bUiM4^xeeEfEKA)#*if^CzPM6j}V`xKtlZ(x8iN8C1SyX|=A
zxn3RudbmeWio$YaT;pT0OZH*S(j31uzt+z5bt$R95CG&v3awj7aBmjqm$p}Oarq$Z
z7LOCYdIR`T5y2q_oOp1>J@#p5{(=6)p0$Aj^j}_gV6Yj_ic0K&+H?9~$WU9j9QY9}
zAC7G|8lo-;;V14$GH68ah9B$jTgqWxq+Sh3txo9SA7MH4wQGgL(h2<XFk}Teoo<`E
zH?FLzBbwZ>Z0}R-+gN$qs0~6-q+SsV&R6D{Zz@RRVY)y>T-Q|$SMRu8u07K;EZsBq
z8NG8~$x_nSbM_LwT!N8Aam-yek=;f@aVC2aiV`C$Mw-=iI~F0(8qjmVV!ZCQv0W(Q
zXC)u`>twe@5rls42lB&px%ONJ*$N&Yn0`70TuJMHGz(mRbPW(l&@`UYo+|F{PCU}h
zcpy7nod*k1Ru4llfEYU>Zl%Uopz3*DkOu_X5FBrg?t}sbnL&4;fn3Z}uo8rHanDA+
z8}mQ<`+WWpxxf!Q%%1i|WRi97{AmPO-f~ik!w49qVDrjgo&x}E6r*|me676zOC?US
zUxp&=h|GwQFs;YxO7|)V(h~F6`>>SK5d+ZCYx;dB7}7(lL^D0NdZBS_{$d)LNcTY@
zs&N3galtRRaik+?kz#YW{DnZ(a}<pCFpP@x3AkL@7G{P-Xhq;4g-Meaxlpi_+uMFN
zSdR|2TY?AU?(CFTmd6ULVWx2s>#ARK&^|a>2A#<Pz~DqI50WU>HEgd=%~eG=9W+JB
zWa#bj0bkHdRiaAQvS`Tw1)#2h+yTH$WC)>bkHXNNPaB#E^xK|aiBUX5G$YZOMC3D1
zacLX7T|Mz@u6SKMU><Y#F3K1vbDY%zL8i7VeYooGmVCSPY+PhAcU%iugH-~hP%jAG
z8+7OuSnm)TJdu*iPwUoZ*bMj_L!#=*>QZguBk&F9BIrryQh|G11Zt?*(8G`eUnC_n
z1oN%Q+~E1{4Gkk6xyR6N8=iojnNcp|B4iLHj-54`=qjE%Ha@5s7q^d8YTunw2eATI
zFlF}Un&Av4DA6H=t8e^%!`Fdr?t{U@x!B#aZP7?uJL9K4x($8iA}K>*gD(&UaGnPy
z#XjR{p%vHxq^Q9qkCVe|?+sA>5a<cGI2vR-X51-6eBsi`A8Z<6|3IzF8*CRUn$#h;
z7PACtL2H;Uc)jv0CE-#TtkrGl0@<vK+kK1jWp-ZoHX#d1rw3E>TImg#nv!Q~O2C@k
z3T1rZ@kAvcoX-V_Gad?2G=}X2=o~UBhU~KL1u!x`*6AGWgEVNBTRu(<+B>|hsA7tm
z0WO7AixH0|a-mrt^<Wu8hWmM~%m<{3NRZ=lmlNXeu^pcGBK<5%0Sd#l{!IwsWl>Z(
z&Hza*kiA}nf=d8UqQ#T2e`=O;H7f5snlZF|J}!VpTnL63l+Zo6ax{5N_dC7w3Z^(p
znu&Vs?zw^MlMaIoEqrTZkDKS<CWIbp{Ee;@GQ5IZxAe-4Fb-F|`2mwV8tG?Uc)J41
zyqL+Q_3b7TJ6~}SP$$UCD5Px(PPi?wcz5gXRV*o>h21W9?2@r%@7S~bx&+9tM3!dD
zt=nZD0+Ubdu9uZNgH<ROFzZ|Z<$Jq#E+`qauBhzMZX{c`vP=l&*gmOv;@2RLgUdJg
zft$iW4I3okoJ;GoES>W#q$*Purya_DKS)*)4w6Kss^o+LchBzjubu4I?>E1UmB+_e
zQZwWARYG2}V&B4^Em+q58>&fT;r^pj?wauI>2k7p_g7NNFar4OPL~;fd|to_>+?$a
z{Ltt0s{LMNhA0vtA>1PQT<xx;AWGy(->yF9)x{iJ8P{W*YD}*G#bhr~K&}V-!8D^x
zjJUCgBsBPCHOLN)Z|fT&#l`G2e{6ywJ#_jO_Z~ZAK!I~ZPp{nq$RqW5#{r<*U|JwK
z;Qmmb>sxn7P%;VG5@HBD@p-0zwHbDbyUpU!3Ajg!cySHL!g9|SN+c(&EIxuL!m7o)
z!ln_923vJI?<8=5qgr3W&!%`1#jYkifz|YC3v|0aLMC<t_pFy8WX9K+MLJF7C2<-)
zIBIre+di>(#LP2F2WhJvvE<ALMH_S61cj<5HPeluw~{z=M=mEA<*f!1kN{=|5{A#O
z5RseZVRu{UnE&6s5X777xe%T!NC_qD*6>{!%Vvw73*|19h7yiT*b3%vRUCU{uUH?b
zk=ks-L{m<}B$Wnrj%N`~E;Kx=PM4;cj1KH>JLI3oUIS2JSyZ&v%8*~lRv6~q$49pk
z749P-yItMIS0?6B9h=<>iHXv2jq)w_foEVV0PJD|yw+aZ+z_HjKpPKi`-+S;q;^~M
z!}T!{NO#%0_d>GHZOIzKdTo|bEud<*(yF|#>Rj~3S}BDwAlVhAZI3o0)t2Q)bhD@L
zy@A)qdjI6nEXn1oxGV?<xwxmAUv3U_JCS=~<J=DG#vY@4@%tDG#H&lV#Kb*psuc{F
z`HMTWL+NS3tkg6irnoAo=)#=dGT_o&F5|v>2=#us=VfU%WAvCZka_0okas^@H<(Ne
zDzl-`&_X<nv0HJ7iTQO3S}w&i5LT{6l;5V;pTfh1?fSmO5|T|{vuTO;PU2o%K$-7O
z#gzkY>j`QL{E#O-Fvk&Wgl23>c&}~~SrRwFAWP1KP+|sO8~wgV4lnVA6k6X}eRkD%
ze8pBdARq)0k}tAmx>8bXd1pFtkT-dO#YCQ3K|p%6pqh?x!ycqsaxdx_cD-{EvI3}D
znd#@14cK3$PC$l42mD;!bC<^ZKJWMB_Q=~<<KhwH-5?k6X%@RC2{b1Df*bJeDxzwa
z3_dm$E3C0uNJQO77mC5~h+3%T9iGSyeu$3uX8}4*!u)b=dnn-;=xQsZYoyic_(o*>
zql+I1e=NqnXlEwOdTd=Jnw5AUI<@z@31g5lWoC_Ql9_gA?>Q`M^q;EIBrje>!&f&R
z=lzyEZMi8f;^99#($6g+Zp@7Cr2d+IP;EEh*zrz;9!XEKOks8Kh<lUi`&;)~Zev5S
z!$XBT3YOuY?zZ7Mw;;ofVue!w_IW;*W&oq{8RupLAtRgJH~SE<X-IsV^uJsf2C9}-
zo5j6;yT;G=0l2>CK4k!RxKGy|B)F*Tk{@$0r6;A{x9jn8%NpF&ql>*+h(J#?gp4TE
zV3XxS>9*=l;JFkZZJV|BVUJMHJbWnw%&xBXX$|Z&aML_i*UcI>Bf70WY+}<rMkMUN
zP<~qs*9|Dfi+M_@obq+JFT(_EgMr$|{B}uw8(6^u>qf3QpZfrO&9bIjUJsmIKJIVY
zuj970Z|UCcPczyFF@Rkd7M6O#v~}OU`qhWsfmKF6&(|AeIqk-;!5>l<vVQ85-K6A`
zkyH6AoNOszxE<RaIq3Mk;66m8(!?&pZzb$<0cI{6>=_vH8?qf*Y_QKGWwtwOAkMEd
zJ=@)b9dP?;a3iW+9Q_8v+`%FSMFmogB>Zxd8It7o+yf+7bmO5P0AMHlZ0h_Crm%J6
zPPtc?_bpCd>Em308Em&J-`+;<->wy)q{&uo;{TZ+aT|&&#+G`$et2cu3$b{m#q7DL
zc5mBKzScn3@#PM8b0HpreJk;6U59p$#XGD5_p*yk{>5^Heg36S!UUGA0qDzoLith0
zkmDj-7@=@8RL;(_y@{~7VK-8*?r5Vr&$cfikeh?4k6UymA_{WrUD!qe&!Fk<kjRHU
z-OaT+7V!(%I*;mJ+PV&K;4XPQlN&{tBXsk3=7bxxhKteZi#QJiQVF}x+kTj%t$lAC
zNVTgz64s5sdIHi<c3GeupNi#q2uraGMbW@gyAUDdJUzT6hM;<IOA1E+ip+@{d&p`x
zk9PM~p|L8%U5JUFjnD8&yWLm>05rS*+%h(5{C4GH9QcF_r0VYCbIW@8Y7h5Em~QP{
z-@XnW^a*a)DH0^?_7SAp%_PY94}$FPKM3;uA;=r4VH56ueqYZ&Z~8V4{l4kG{&?Th
z+d*V7G>kbcA2DjL?J%~>rFvJjn++b;@Yhu6JubK0eQm(^vLwIL(Rh=DE<V@3kq!yj
zjA0}Bzv7n#DVr+Dc0xcvJ@U~#AUbnvU7+JVfK=owByY<;-!X`rLGDr+a=zKUg|v=!
z!0kT+VVk7iks>aZ?+f!V7~pWUOm5aZN(^kl0m!UF<*!|JdV?gXOR=xR@|{!RCTm+v
z7`96X-fUj%Pf9n&Hsk&IJ8J3i_zX)W-EN~}`x!avQsrTKab2!rFLz+qZ3jYoBXcWX
zPG@40E%hf`TxT4?!pojLe?6pxi8>UdfYoz{B!Cf3>_r@c8uf?8ftG0iy?>1%NI`6|
z0oMYnl|lD}b&%-TWZgVZs$F+lwsoL2jq8Y>uI`;*M0WEu22z&*$pCnn->o2LtS=6?
zC)tYSPO!(F;w~FG@A=p;hsJata7)Z4#D`2@l@y7@KN#m>BuGaT^e)Acw-rM)8<=+i
zYUrV88wDU!fHU{L_y$xC`oYc%4`r}iM)rXcoe6a}U)J<K?(0~D(v?C)rOR=)9^S6_
zxRJviVNV=UXvBM+uR4U#z**{dn888pxqsp7PJYt$t)3kcwtZcqwg&H~&t&fqh<RIZ
z`*w0`Bi$Z~C?N0|9bgL*3m%YA?1qLM+#mim#B#mvLL~0lB>@j4`PyJ?OPbl;-!?)M
zLNd0?Xl^@+sMZZ;6VCw$&J*y%Z1-ia?^xE4x#RHKe~ok<?s-G?5M#Ezpu(8b7apy_
z0)&l~_GDO72pOMyt72V<HyCdPPbcInZq1Ska`*n4S;(Xc%^_?jS3Y||NAvvb_(0P!
zUMQY#nb|E`7<jTGyGsqz44FaLHZqs_80L?&Zp|>cwvW&nNr_n8-d+xd5R@49Sh}~H
z>3z24c>7Oob#VPU%b@<@!dD6CbDn?RNI!T7$MtRx9%!!(*U2r7_5`DMaVDr8HwoKn
z&EQIKAbPaXsAl&+co-H!Ye7Z!G9VMH>%+00pG{4G9}2iWo*#01xC7a8zi3ND@VAfH
z8s0|SA1HcW(H)sYkLS7&*o^c2TNIGA_^^}RLH7)6I=b7avvgCW1r8kGnO}<nadcbB
zaHXIs`L?YEc1TV8A@<kt;ch<yD14`<Y}dlncLb+B%pPq6>0RJ2xe{>d_9hL+I*5>D
zwDF4hv+gwArR}kLu<`a76EM^AFm4s$K&oMme|G7T?)Ux2W{|&sO*)Y$4-m#$Z^R!e
z`E79dIfUrglW+~|jGo`&COKX&+`<;_Pa>iTTHvfN&xa`<tl<trG!WT_DrjJ&=Oc-#
z*Rbc^gDC)OEXwKoYkc9ZgWHVbCh*SuYIYMyiyA`s8!u;QA*S4L4P0H&1NrZE*XYhG
zUKDJH%01X>-mD!+I%*~cb7kH*Rh#71@X$3+xWZN8vWY+Y7Cbp=4T1+<LMXUv5wakL
zyH!j3E5PoRJ>P>NPwwO3;k0fLE=mK+&L0q=P}Ar2@s_>W^E`-jJ7QqI^@N{=32eqL
zlZegkV8G9vU`NZU`ASi`pY9>Rg}&XL2MDEhe=_Ukvwx^C+IoezUG=j7xaj(bH@vQ*
zg5uTsZB-mp+8#;dhLQ8)U}5&h8uWxP!|hIK^Z`I@2Zyut6(rTl9#yvMzDO{{F45qw
zi$@LB2%zx`e-H=o1+Sq}zm<D(yl(Av|F)`hPo&y5k6(5IuE*|VoX7ep&3&zYZ7_e$
zm0qpCGlyY}guT+qmW)&fQn0wa-~qD{0X;yxwkcVtwky+9WJX8_y$l0d%}^}=w(XI3
ziiK&f%eH+1<HtQ;7Hm=EudA|}lLV)NPeOn_2<UM%T<YJ_4O-u`f2_9Dm%NZa8-Bwh
z0j?WNCXqbBF5MHMd}|F+YPcbQ#a>kAw5!Y>tQV8uM!VPQ9^gH!hhfEv*$+068Ra|B
zh~Wd@P#I_{^6It;--D;hM>Xy$sh|+qvh&x{V<EH}yUZG_VcYEdcDTLBi`(8fk~`W@
z<VrbypPR<rD;5BXZjt&}uiMr7jAzdj<uNy@+8k<pThDLzDt#LkZ3!o9u`c|W#LyDt
zHac>d8?yb;^*Z4j>1S^sGl6pI8~&-<P-qK9he!E#9qBKTFw>ShgpEz|5qcW-bTX3W
zb|w3(oySMZ@rf<-4nP?A+6O4HnH4BOEp~vn9Z#J}o*HvEjR%G_rmt`58o^3Ku`O!V
zVT%toaJh-{+rmmt+r-1O*-itwFutA;^lge=TA&r(6uU1a(CxVax81ytr!Wv<+jBlZ
zDXRr(7+TxoATZhU%>XBi__*&N^MuXn+H(OI;B^AbTu~|htWItU8ZWNuwutB78)2Jm
z&#>nU8B6-!mRvzr8{p6q7iw}ux86c+A-m;NI>S)(<g%r?RNZcE@eyy#)dDyUC+u$D
zC{%9+?ZNjSkR{+Q%CIit$v2*n$3(~Uoy&B)?2N3g?xb=@HolKM#HYlyJY1`sn|Qt4
z<S|6Z`noYUR?jm6p1<8>)rMi~S@YXv8RK+=fDd5~{T>zYv;Kem?L@RSJ;moc9}jwR
zGVhfkbz4=jz;gb2keb0w`?sy=p7VqBc-rL>ktORJI9YHJaxnuB$GY8oj=O;2;_oD?
z8!y@2J^FZBAfE@Zl|`QOE)NMBkBbSm0>Q*?j&scg$8g*HUENUYi3QzyuZzlMxvajr
z($4L7;Pgk3QvpOaLO`Csn5Uayk+IE<KtndSafc6*NKN1Hl`s*xy!%7WaJ%o${-ZVR
z6LQhuxRB;~tM)2?YX(*es@oJg$oE1w0OA-HCOm+rcw{AN1V4WHRK(!+01TJbp+uKE
z@J6fIK_6`Ra0dkvrg~6F@~8rswtcL&+`-}=kjpbW+?6*ip<$GUCjdh@+>+|YV+d@E
zC=8P2RYE>0KvwCq<=5UR6?EB`&2LsSC(4r?LalqVcSLo6A&XL|L)w3kDjs0q`B?)u
zhFfs6G^p^M=yMHOd3_Bf&5dT`y&vo09+k#`AU-`zA;UAs7c$;S`Wi@Pbsmd59S~mc
zwa{_Tn=E*F5QB2X9>r-Z?GJ1-=N{Jc^s#rev%@1pM-X9V5^(^xUaudNe<nUA=I2Mm
zRJ-qZX=CgO$UN<DtDtC4>uU#B?lXtWA~&iO4Rl|~wA;49^Gz(bYgD_#G@zTijXB63
z6kEsi96P0U{i3H>P({HQ^5em-V}dGiR=>0LoUAybJ)HJJuEQkS<!f=}r={<1-<BQR
z#52aX)hEBMy7$Y2NH7uAl2F**!4&u7Zyl<m7e|o`j+NxsJ-{w|*y@gf)*0i>!JW(F
zf_Cz-LC+~Dsv#HRJf$UKM8M(ilokfxB9lkNc*<QNCd!c_a4Zan4RPE4_8D-Xd6FA?
z-#qqs_M1IBE`Lir$fl>;=zn7<(KGm<o2X9dJGYN%c&=~HJM;9K&eJXWBu;V#<Mlw)
zJ**lgeNN4uZdWb4N0*k|{p<+@=%ImzoSInK$O4@`;=>AE7&`-q&;*`9Crc)U__G7(
zFXiLFvmhN8kbYU2w1qq|cpgD>9{2GOPJ(~=R5SpvJyR`uB3)?NW)x-g`Oeq0$_vt5
z1e{*{`8Hini?V}(a_dIfqc2aYLNr=ejSUg<PCGRp_XU(eRL2e6M2O?^fLl1~JG<ny
z&H`pPJX-$Fi-j(lC)ts{w#a<_(e^n87-}z1Gy}7trsWP69(bLvecP(noc27;V?X`;
z$5~D{)3v|7*~J4<+6`$Imt`B8F_II<=F??SqJ8Hl-el%b9&OmQ+rHGwB49B3(MlbH
zD83}Y@jQv)akw570r|Ii5q;I}CL1v=|FpjT+av4#-MMD&mb}n<e>)EC&(qNE`#TJ|
zyM{kwwyY#~*|)pCjYH*Y37VBKBC=;E*98k;i9q;zeE)Ge&c8bxXWMmzzwd9fIlvPH
ztf$m#<dkgRLr$%GeTPDg8(ADZ>1AmPqpF;o<?-XUn(iSpp6_cx!UiEd0e7_DZ&$15
zS{O-Rh3qtUUqBXo@<-vgCRa7MpX%Ch)t9^;qEQnexzOR49uwYmWBc-C5DP1?vhAPI
zwoa(M+h0Ge(d?!{M~pJc*sza3Y?H1zUI1|Ld`=`O#G?Zb-{wCC2;OvOe0Qa$=W-vy
z3ox1YxB82haoaYRPdp1EBA@{}RErV2-7v$PzHZrQGuwg?Ja*QN7SIu1t1#y0d9m>8
zYxx0GT5?1Gg*<zn+f0X2AxQ)}Z+#e|9nqEu0{8!K`&1w?2<LcKnXcJwVc!v?ZWPDU
zy0U{6s-6Z5khmun(0N>}_;d58r7Yba^p?~}ZcA<+rNZzH{ph+d*C-FSG-Ew+iNaNe
ze)6|D#=}=V>!luKv5T&jRy>Ln8=#O+wsHk~i>@4a_xL$82+=p&w`O8H(6XN7z7T~8
z|IAE$$4*AZ+SR?!9(u6haX-sNx^g{atR0)oah$S2JODiRf)yjB#+!aHv48~i-<}du
zu0Ma^iM>cM#E`NT-tdGGTzB?}hjzb=i!R4AEv*^1-!m<5p7(gXgF9zD)bg=u*OP%%
zCvN=Arjn7B&I9pP+Xn{NZ*N+{-Hwc)nx0DI8t3)7XZ%BSb}ds7{o(aM2zOb!KQ?-d
zZ2Qjg+@1V@<e`FQD!HC;d+26$Z<dFmRfOa5#Ba}2mi;>yv~E8@<otVxE;v~%&0~vO
zbG-<!QSDN()(vLcRdg2819nE-X*ukAL!y%lWS2{ewnGxgU<tX=5Gvs01N!2H>bH9|
zUfW$@+_KBOg!}xCVsLxwcDoi)8PBOV{Ewd99u{cb7aK4$o_Jt;TmmNrJ>BEzm6K<*
znFk4s!<j9YjtJ9Y&Cug5{eMe{X;^RCDvjH-Wb|H{+jixcNwSitVqlUysxi5_^xvO5
zrf^(8+iYt{mUsXsq{WMa{9XY1eVb4Bw@!hd8f|z^GFIGG;;}4pizwVXvfTcr*WH)y
z;`aoh6TcIgKG^@7fj`(UP-nA*Gyd_}{QR2@($+%}Y>&Y>uE5w@h_PkjdhM!;9w6(+
zbN8|m6{mjZ(s+g;L-<6(dk~mlnTO*H&zZbEP*jq%90x|hA_xTrz{ANQ>G739Jj1v`
zY{-Y>v9v3`+x<<+BMTf+m+}+=Ot|&1dmfS&x<>0Rm*KMYqvEM*kE^FPe_K#KVR#ym
zC!%=7i;Y+v1?X{2DR3Li&Ajxg`pjro9ry)S;tT*6L?qD@zr(GPJ8_=;RY^R#Qb%v^
z@wbZyxeF(V*(lARa<OSl+lYKT`{lY&XpV^g++1r$X(CO3^U0R3>JA+Ow%;Vll|5MK
zg%7P5Ci{OkK<`H7fapXc0InMJaBE_eZpG?p@yJ*2+$wShKCWdcqvI{#@Az?Idbn4U
z1gx;acSyI#Y`iF^+a1!<!#~bnMMy`_)I$W|Ae9{7`ME&X|9JfBfBt&?+kbFhKty7t
zVt?N9e~7qXV>9a84Z!Xo$~MBUc)L6My*$~##r+Xos6<FOJaQ`B<z7K0KLU6BoR*!-
ztS<5yIWzwprH;19_jAFE!Q*?BgNz;7I$nfpaEA@L1pYp5z#)t*x}e_TXWKnYcZmvL
zD*}0XZ9A}Rp1=w%6!M*`1LLM`7Y99rBU=J3_b5DK{S=@llKr-Zf9oS)!R4A26IWOF
z98rzh2iUheKZCvKugAOC;3NwG6t;L(7bBr9&xmT4LpEYGCl42?b|ASPM|^ssQToYi
zYp7q}0AaI_CvgJ|$qtX#{~HNMaCs;aUc~F*q~7u+s0XcT*7+1|_HDnd-D{qH>p^Rv
zE3ZMkz1h?G6hM%tdsH1GL`#jp4)G&U`~OVf79m&Y4}*v4^z;;Wd2de;|8{sgnjX}q
z2O1uAat#^eB#+W_cS>_Gx|KX5CcEMMb4&)rV_(rMo_&&$fXxP)Unalv^*<f@3~u5&
z@B8}SmB^ReCl{?u00006VoOIv0RI600RN!9r;`8x010qNS#tmY3ljhU3ljkVnw%H_
z000McNliru=L`e|5e`4CH!uJIAOJ~3K~#9!?0t85R8{)_=iGaz_sL|^drwG0=v}G^
z*c-Z5?C!d5Qxi~k)m4(X-_>1rEeJndUCY`~iV7mqI|PzINbkL8`phlo_eZdR$s|+}
zd7p>p;mO>&_slu(=k4!%fs6E$QEqN-T5fJ`+Qpst>4>?w1sCZe04~x+x(I-abdi2}
z#9iEib4qdmDgZJ7Y*kg2#pCg)0k{Ep0635R-*<7V&JB@^TX6b9#Ar~+1wm9tM;fBS
zLktN9y*yN*kXZsu>d?SIO?a?X8)!DFG%^`O073`>LkJ;~M3tf_DJZ1^0MY5<g_`;v
zzM`s2Xl}7NJG)#RwGDmEDy6)MlaUUSQPs@*go@fmTb+z$T)j504}fs-2rdHP+-w#h
zOl)*yV1Okc*kI74I$hpOtx8OYiqMbLYE>Z$ImZNB)$+(NEzxS^kjYr6lpJInflNlA
zP!Pyv1RM)+T>t;c2`4})08j`bMQfWK9bHaZTG5HRhF;p*=A;_6OfZ?0l0we4balH9
zX*IIS;*$15TX)wV;d!aW?H0NKNEc7*A^^?^O`m>Aq*|@cY;SL$sZuIOv#bymY86A1
z;w`MjtR@T*sa#GVmobEsF%U%wl1Qo7CsGiG04%AkcThqYWTjh)T&{rGtN||oRH6_i
zK&>J$=~);J3>5N#k3^Cvy1HGox~>Q1m7TP!$4$p(g)v&KoOs-VL_tNH-P_RF<*fN;
zTg}#uTWfbYo%}&TlsYe-;za-qi^h%}OME_`hU3^wom!e>wJ7GrM5<y(jtDfHO-d3G
zrYBmB94t#9<5+Oq&@lu_qVVw|1VKViuN#fcHrm$ifLbj>LTmsDvg!d4^w}l!*(Eq#
z6dDzQ)xturW5BULJ|a<+(9`RohmW?=is~*YJvE4ljx;eYHxEgo&}rn<?cs%%R(so_
z!>z@|C9Pi<m$a>~skc|V+`RkZNnZrOaTFgPXA(tU=IC_uHOUF)D@UXRL`6p!5FKeE
zayffep6Pb;I8xS*%Ia>K6mLOFVjxi}`(qLwFGW+UfSx`HT6I4djCvN#0C@BHL>xNY
zA{{u?OvjH7Cn<@6jLq(a%gsZjlEG|L!Q&NBUEA#|DeE{`R@t$3<=WCO+B)1v1wnLQ
z1i&wpMvoqi-kz>Wk)hm;*DQ#iKO!Y4E;8J}n2bsga_+W86e${;`>_8|GmVWlAu}zQ
zFwFPQcY7#0x&(A|OVDcxqQYg6%gBI0C_dUI9yruQCyk3_Qj@HV$19+_#|=@EV6|wW
zQgX06e6*$2<}E5|D_Xg><m2tT8&^4;zVeFz_=S+ss4<Mm47+_)X5g)tOo~cRO$t=$
zv<m!?>3#|l1PK+@UG&J&cFejYmY9sH6HF<f&n}{&SpdrtM2B-wtC=4ipv%o;=iYj;
zt=&QA&Pre{W;OBgBHBBg5G4u0Rvi>_7Lr8abopp`RaeiBJ#|}l?{9c}+pflqP8V;#
z2!IQav}$?u!fR8noir}u-mLVHq^JnfxfJxnCWq69_1{#`jMQMn#|8|zMwgqSs*VTC
z0+FE{w3;8=MlEf2`svydVbZurHa#_%VOat}kkHW72Ze%zHBbYNWxk6%)iv~p1%)kT
z+xOJHzH)8pr#8E<{vrS_0Fuerq`Pj(eCUd~N!O(%TZ0XH<$3>`MNz^uT~$yVO}kzQ
z?hxGhaDr=a3+^7=-QC^YJ-7#VcXxu@LU4!R4rl(0Q$_6sTeI8SGyT4g^~~jatSXf;
zvzZAlo-A+sCdO$NRK$O1Bn-jIj&H7dc@fpT)}b|aI5lnbkqhMq+s`BnwkXH02tOeg
zw{;b0=d5q%lI9-{)$|G9k9$do{D#l4=zwBjF76a(_}{?&_=;Zc+bcKQZmpbLQ`VBz
z+U#kovb2)ostCVcpe!N5&dQHQUW#+Nf23sMVG)X#ZDZ&qn7}!h?}$wum|iJ$4ovfN
z6{Zz)k0;>lL^Ukn88aQ_eU(p-C#JQ%+Nx_m-D^IZ{Loa}&|rj1@<0b2aYJh_UAJx~
zd}L>;>|w`Fz_HL^nzyWrV$u@IGu>Yo4&7p$oVa?w+URA+;}9lE`htXT2gXgR#LE)T
z7$B@tmHW|i)cb!)|FHb*r;?^+c2ix=H(#<&p4+4%?HdBF1R)y=*v9K8^JaIRlTH$1
zj2f+kiDB`~o=zMl$?}S`z@@^#KlyKey7~1WphKryVzn!`eXjO){aanz=$Ih?@=-Kv
zVKe)?ZC>HLTP=b!E&Kb;rFVIC`LeWLh7PeiyX)87#tt6T(ly*tF9qg2iaT0rMN4*d
z^ztm6+dWWwm}CsN(-P0_5CBo?<=S`vgE|&54;Q~GFD1=}2%UtWFNenQ-7+ZW72hIX
zGj_;hGN892e>FM=llyy|5E_jYKGc&()c$wwRT91tv&Y?T1%zkXy`oigTH#S{6rvpY
zHa^Jz29a>bt{gf%v~=dzUuMEX?Q32d-o(nHue#s@ZUbEKL#<|F%Fk+Y^InEh;FW;R
zlf<odl&0Kw^wmNlT?Uv0J0=>dwT0Ei)<*}+*En)h-4eUjzi49Phyl41dX;Lda$ZrU
zLyM70(Tq9h{@{p3(njTe<aRCLggP%>+8l0<v|ltO1lmw&kRj0iwI?(ITLS1y_mI0q
zrp(6~d!YCJvf-Y3O~cKIl>EJiiG#yGi$<cVZRlStzaiw;&XU`1>uT4ZM$aED+yDMp
z-Ffq*UiO;-k;2!PR*Cgac-ejY3Rz3s8Bu9*^$-@(?$o8HJu6>rsdStCR40CJ=v?Ux
zRbKaQ!LC)Uvs~-V&T_vGD)v;`86jH=1n&%MWdA;HPA~Jr!P|w7DpV$EP{#T~H4YWH
zYe9+H9Vcu;^O$4e-tO7;YzHCeZpMd0LLel+8T}Hb7Xo#buRac=tKe%~`!pPOQwv-c
zb4gLBxxr;Ln0`)1{-sm3?K{6yMn9AI-?!7Jr6swt7t0n`=FD#m^o3QnaR?>^-bO1s
zN&GLWzbIU7Zrs&xkf#*%@;z52lFr9TE!Z)xH8s!MasDF@s^%%_ZL1QQ5yqr!a_5m!
z%*O^PZjh2vL<DPb{CmU=>%;FGI7w1m7#lP)>t}{y#fwfE5_%|_MM2y#gehF{B@r;f
zgDet`Y(asgKqyc7GKm$eH*OLK7e~TNcMj9KQN~Dnwh0>ml(R;wBj>51`hq<YPm6i)
z$8DB}(l(36FjIxNN3q1h>cM{dEhUwYkxp1W56|ITeg6-&176qI7AN5ZzN4E*`k!@u
zM(p7@z0Y~^D`FD(=Ha2ot{*}MoE76U{P*mP>#{z4!ZMu!$8eeY9P)7aE3AsNxP-Jv
zhMWxvj!+2P;Tbe+x7(;Fo<KWu6l5QUBbz%*IX-p?!YLN!fS6>3gP*UUii`f0glnFA
z;pQ3N<l2!1EnJ8L;ZQ2pBVE&e{d-^V?WN{=@=!KDe#K&+dic5U$Dh?j>Z;FDC;J&T
zg0!k9`+gEstXBI5?k9oB5B5{<hx0Xc5xA|V*|N@WmAoirl&}nN@XHl2{PbZ$1%Kx@
ztt8^*gfWZ{5*!B`jZzUHqcg=ED^R^`{g*1l$*F-3(dngIk&%c!^`V%728nwoeRtQf
zbB*xC8P1$<pgf+@WMb{16Z0%iC#CGEc10$P_8blR{<WncDOi4Rgzx3we(P1Q^Co|!
zBli7x8pGo9W0dtuy6xxDStp6#UXJK2d-Hb$n)j2X`}4KNYEYfy-bkEYcJ2Df-8$=h
z(9yHZGSKWAEWHtbF$P8iCATzf{8=}nuC{dpP>7IuYqSF)V#(=fR-o~#Twwz~u{8IW
zlB7Np)g*yVi7M;kRHMSF^GF2AGPS<Te*+iSsE}b~aEO1tiJOMWw`QamqhfPhk%rtM
z1i7Gt${KsP7m8|s-h|6+b(#sE{tVXRwy98{74t4rdD^YK2}=Lmz7*`b?=38wpzDl>
z3v$_#EG2;qIHDx1KIXw7ES8^@MU*G5TFeT_?~Et!$4<nLl{Vt6h#W5u5-%b}5{(!o
zpNnIpUh8fRR9|*0nmr8Eq9k|1gAF4y(1eUW!G*&_Qk8~5FMx3yJd`G577~>e$8s)&
zFIl3Q+c*j&l~jCojDZj;N@F{*6uu@;s@8Z|+iXtd;Kw>@4EEWA6e>#mX5YhkkQjcI
z{WM>Eow&TSxaCj6a{XtT*UHN2v;JaSV{7yC_2zf3NZ!?(%D5m@AIls<Cn`Hp4lkRZ
zVVxRpKJ6mVHkgItLVohI;Hl18?JHKA0I$q=YH%%9Qa>YzE5_9^fD(Z#BDs^u>DAVR
zoDzh4FFj_0R0Tme@!Lo78(#SmeIdE*6fX(ZjdA0^&p2MaVGKy10Rs!WKf#Y}io}sH
z_-PfSV)W}kS_-51cgNPdKpu?_R3G!WQIa;X4!hZ~=%c&`Gv|60;pHPm<gSom<6iY6
zYR}zDuYKpIh2{#CRN+xIpdW%>MAMbM6V!584Q+<TzRL0EmX%k1O+X_bb#Nj=0+tqL
zL^Nk|hUC|iM(>j}qUHn&>7XinD405$>fM4BR_0@@5M^oWQ}5zc8a7^s{W20LCvMm^
zW+-LFeD$<cbRIcIV`Z7i4bFD{LIB8z<wr2<&VP;9x!GdiGSM^RtO#!wkPe)&EBiNo
zO1|-V|8mJIu&sEXHaWa8<Nj$z3Xrzc;w=`<oz|a_ai8z0&3yk2nkeRo@RN+P)MYGD
z(DsXTbbwvXX0)JSEv0^xV}wt>h!z+0^E@OkQEn|33&~f%I8x=HLFT9jhK&duH#s3u
zLzXR#txYxkO{qhBFD5U!=zOu+nu!MChET<zWTw3TOHru#m7c^s2Z8h>h_oQTuKg@j
z!;SBCT^qW$vf`=|dpJ)5*Nz$F^614gVirm-D}{vg^k9#Y9s*$I#DX%7jUi^JWg+Cq
zNY=!Q&a?8BL2_C>g^AyuA<&bCoV4SC17>6#;}gh)>XdU<2j#yn!^X?;)k#7{W)k<I
zWK29V{Dft)ZS_^6i*|gtgKv$P(_}}I07+Os_x9B?ZzeApmv@sVGgq(m?qi}b$A9MC
zYYR4y$am{xKc@{ecCrheW@wo%l<Zw_I9TG_Ei^Gd$FoXBx;3Z9NHebUb;m+x|C+M$
zl<*68jD!6?vic%Uc#z8p53yQ3?!f-adEG|OGQ&Iu+8M(b`_pi}EL|3%SBKVkHkvLZ
zPv;9wDj~1E`qaQEac+yzX1T+p!{ToWB~^8I-p_8M$4VxqZFhT9TmAdl#6PeLAdrPk
z6RqFd@xRFwX_OrP|9-;2vFEMr{TI@QUrtFlnGh_7Ja>YmNcZ#Smy{`BS_Bx@CZ4~{
zE$g~&a9x!@v;H@gV8&j)FY1cRf+YMSLpb@DLFUTZMR~1#1JQd$vY8+)h#em<lb8G<
zPQst}AoXt1V9;TamPvB8sk)T=Do^|B)kAJgkYDdla31Y51V|Nu)1iNJh(L{wTSaS}
zoLgSNpc|D*@~<a4=6hsAG7JPLSqVB;EAC6E>tARhWsLi&m)L`zyTv`Wp-~o;Ng*m@
z4(?f-t|JT2*P1@ieN%)(kzF|lnh2WBQU%5yz4Hd|`84wMgGlb@i4*ju!uZ<)wU|K0
zduN3wP`ED~3h{k8QFR+@T#g!AQ8xXHn;M}67a*&46rC#v#VMr;vOGe<9Sqh!<m;E+
z!WCEM&dSSA>72fIQ|jf-9qmyHGa7TZ|Kd1po@fgB?(C%+B1M2%ZWyjjhk<U^*G7*H
z)Sy3o0W_?(%1!5rj+IwQ<A0+1d%hCbHcVxrJCFZnn)qB;x~OSu9jrf(Y9IgV_fwml
z87^RvqLTB~ec@yLHpyx-?nQ%$G55m=l&|V^{!7NlZuSGb*fr!4ZTH=&vSfPZ^XNU8
z<ZZ8+AN96tF&Oce32WH32d&pRhH^DhTuRHM-KJKv=U&?BXKIS8&xMl=XKOf)JR0PW
z>fP_nNgTx#urs+F9Bw;Pmh}r?jlRSTS|UY7vlJCghB9=nA9vwlU%o3KY<?XTH>eXQ
zPF5P0#V7DvTfa~JWS~2t@w;OpV6?Y5e?21NGG{=7pC1o{6gKJ-dmJKPxHWC4&UM{h
z>^iuHJL=kt;eUjkOqw(sq4&8fpsl5#hB^&PdP{*+YX)ETetM72w+hlsJa~zXh7Rn1
z$mRpf&dfyhTqHOxT|i5%?FCh#s@EGl@;m*Mz&0FA{D%Q9i9I5crk$^_vgePR$8B6k
zym}3PM;sbH8fLj1JD!?ouDeBDT#5##NIs8I<Ndz^GB2|_BtB6%8#n#2^?OtMCy#Mj
zxJBQ(wu|T*JL)71NNQYUx|!`~3=jlWGan15fx2~Pbw@|dRfJ2NZjdudK*iUAnlV3*
z^_%})({ob_j&<e3AG0fN0!^pUQR!gfz)|QQAE1P!UoO=fqVvnP-~VO13()zE?EK@%
z4H}o|)~k0t+A3A6zGzV{66R*1|55vBj*TvYhF3$K=cgyv$QqQH)}qHEKoxLHo{w2_
zK$Km1=JhQeLb0mq0=%_mX^()sJPn63Pxr<>8UjiK#q#kCus8m0X)LbkSNH3OG#EHe
zkc#K$yXdYj8lV^D?n?Sm?`-co8eMzYWj(E-Mgmvp(vR$O{{>W9Utz57sWz!UNw=|_
zQ)3B;49iRRL|ZC~y?^k_yD2!=3CErx0+suPX>pXc>6s<sINQqPBk)rqIjp#8`R0{9
z^Xpu1-L)ccN|NShM5}FEk`fHS=l>Lgy=c&&psmz)3c@rwTy=S8O>_VLf*@s;O}|?m
zR1wJJX5jRp8I?_<X*sX5^*prCw%@8RvwROdJ%3pM719tnbn<hU|ISiIqjY)n*oZ=D
zwShyP*UiGk`Ktk!IZfB#tk1^Nsk7Cz4{DdM#AU}<Ra>~&Xlp*q`6^iX`+}kN_X%AD
z64y*564&utZ~!TvYAp+X3L6S0XKmw}uPzP}2vXK*@@u@T|J8)&cqVHcQPOkon!0Z9
z-Eeg)A-&ax6B%#E2PmNNE-41UYL#Ux?bJN;E~XykhI7XRqbz7pB-}1Tacwjl$neX^
zUJiQkr2hT~J1fk6od{W4giBaUIj;jEca4SQaxng+2Dm{PG|A&Os<E5i`F^oygo`LS
z_p){3<Qib_*9?u?jBIw#a->=cC7U&+jfVdXftc}RH7eRg-9kb5tS4RL+_$4-`Vz;4
zT)D~sFPDM#>fgpw%@Uo9G&BzH>d~+SPs?FX+eHflueElVlhXk!wuVj``$6u;XjkE%
zu~b2KP~D1d?$ax;-AsoSGuDe}xckx8OPsm>s?S-$?t^WY!!;4Ad9;rJy1sq2=iVgp
z!NxmFvHUj)buW;%$_jaz-xKH9@1=1Qn*oEo+n|u(VO#CI*Vi;{_si<5{6#@H7cJ=a
zy~C=?+D^XfNAnG7!<*Y%bH2~F+o-50HeLvYk|e{A^VP|#9@nX_!hu?u{)ey#QCjDp
zT0O5l!D1KLj19+Y)Vb+hB(>Z({!7hZJ^vNcVofRMN*RZC7!7Q%oFG73`+;&l6;#+F
z_o-L^zoQr)$e082g{seUH%9ol{oT$F@KeuYJ|3c?5cZFbzTMp1n6ZNBD5N@G_TmNQ
z^*dZn@D|{txg)!64VMv5Duho9YN~%<xG}xXZiRE%)aZsHe(&_|QF4?T9r1<Dj(XSq
zN@6SSYRlx<4qK~X07s^I(qBL5K>@C-a9gsrzw~YU-QqpwDMGFswAjit<t0oddY<_*
zEtAe@D)_vg>>_=#6q0~I#mn2NgccGHM;2n3advxi^Pj>a8GfqH?dZ0w*FDe#L>aq)
z%H7*!qp@{#R=L$a_I8w}W7n_Y({y2+4dy-WncSxrH-)Kya&$;eF@@hXmi;s6Nd<j;
zdariX1stVko$WiuSZ|qJWc+!TJziU`>U4kdvDMYp1s7&m11<D3?VSb~Lm+g3ea~}P
zX=!Q8iA#r-$XLW$qq+H1CR>^7pF**%)NdNO#V3O-TzWY-qp+8R-j9m>UH|Kc*V|vN
zdhdmm9zxUhdA=y+JBxt%86Sh%rQGvY5#PR?#PtZY7O#9Wgva&xz!*epYT@os_tktj
zbjYQRN>WwZ=$2qK-(^(}UcmAz-2-6pv80NNeeHs#9=JLBNP$u9Z9iGT=;Q6V0~n6J
zH0=^AQsbHpCzrt6zd_6=VTL&wrf#Ua-Xb>{JG&Z)z7k|)WI0byPiSs#?yVgG2Oaf)
zPuVqcv+zw8Z`gVNf<idXq}_W~^*8p0#a^V!yC=awSpZ`bm?97yJBxsF<OAavapZ`H
zrYS>&D)voApDcd{O`TxyG4*sjw(gLH9fz)zDm<(hSvFg=W!K8->!_@Bn@-M*fT_u@
zu|VPwa9`>iuXl&}2csYv^t##<l8O~TO^|J@OiWCBO#aW4b7Umg>jX9U*Sp74iov~S
z6p==^4_Sw%_C#%;>58jv0?C6rjgJrQ1n;^<OEeK1)2Ig|4d2IirE_t-_58g*-?Lj+
z*io^FiBj>b+CF}xe}eMycqR@+_4M?30wy7v>givl<mG1qd^nGT(&;rtAQtxz4mcoj
z3zRErW+x{%F5Nn{^ZZ^;AfWs2HA>B9b26FD%4O|M<y!ZexgI|reoEbny;zRR(7K`;
zE+^Fxr*F5hpTPD>h0~*wT+n-7On0LK3iP&o1mYYDqYj=9C!66^tj3b5f7|J?KFkfy
z=f`93;L$B~_rC!|6`GRfkc1`RO!#rkCq(eO1qVMrKU1d6Ytp4kkIl|*XXfPi>ZqA1
zcUdm_w#GlZ2CVs$dn?pxd)<P+Omf-Qe%_^D-nqHEhts7_z_+)zM+zSBP;|`h>o>9`
z{GfX_brAXaOG_`(Ze8zljo^y-=QYqbNQkF!AOb**S-u8;R<{AwyW@A)@1s8W!??7g
zXL!(l5=FIcgUNW^)Tv=*)%m&2)$Od{XDEe~I;hdf*}1b@@9Lo}*DK1Z*=eazKURz9
zzhSEfcT_;+dYPQp{nXaHxns(CzUuw-n>o5QefANsmywyw!uqEErt0k6w(?>BarKr(
zCxFh1ccxLNBn=HJ(`u3se5%^7*dOYvZ`H};UfV`0Z!)QTuF-Bt6L=hmtGqy|^<HZ*
zEiNlF#{eOgxU`P$SrQD1;4Rt_aN4fcLFoIxH#^V#;>Jo*ZkMIX=J0;7sTE)T{&}h0
z=y!zLodOAqklpdo?ekcz=IYDQYjW6o*>RSyTtS5&D;}=HXz$($4z#qiyblcxJ@R2-
z#jET!6TT50hYwutuc;_MEet`!C$Po8^QpAz$QICazWX!`@XFsw82#qe>HTZCA~J9#
z4CZVpI2Ea$J~&^<R#m35=%q!>zrmX?cP%8rO8Vq-I2wny#fH26re5U~ZgOTO4Wvr1
z+tJj~*mxWD?U3r7<G-oDk9s+}@;kBasBgAF!wS^z_+!hNjhv!fsb0xI9g^SJ$fi`F
zhzoI-d)7>Y^^2Ql9`j7lXfK%_Li8nfzJm3$wdu;>?1O8I;i>nSW<meU7nu0}!ou;|
zCXcAzo9lk>88)uHjRR%eZ{lFLEcF>U$C0bbopx`Fk>~}YV!i+=ZMls`R{Q)Y$rgA7
zyOWTG$U@aUZ%jyvjG2WQQVIO)`*P%?I+l^xU$HC{JFvaR(Ym^pFNC~zmDM8<|LOt(
z3aHW3f3BVFrQ2XpRkb)BikLghVj9gsxy|DQ4T!KywQi?0Ta<@r2rD)2`G1RcCd3)r
z%v~sE2EE-JO!gv9GHAC{g)5(a6=ONqVf?{poLTYpzgh$&++Xd`!UKmnv4zV0O8zU0
z91qR8ksR&duG`?$a2yhPtA~vjtGREP8}<_&Z1g{qpOQgB1qN&Sy6M*&cZ;Nzy=Uhr
zOaLo6PaW8O;O}*r`Mj_7p9W=6NX@s95J3&vd|^HbgeCrNJ~%-SAuTf!@%P(1cMiWV
zaT{2#RhHAkMmvRuq4t!=*biJ#*urnUoZfBZ?(zOR@NO|bKf6}pv)Tv__Pq*3$~ck1
z<E(Xl@ga_@EM0HwuA(98eVi?m`!vba(c`&XrHLlS5{u^KG8}~^NLTH1(Y)dll7JzV
zByM7Anv={CON{5`t}b3ayv>27mLnO}I_Bypo+DWp!v9K8IkVXDaWmDZY-|0GV8e~e
z_4!+ldZmfU^5QD5Q6Vzz5k6=?YBK2~A(goB)?G<ET*brRbg6NVT2@k#22%xSnyS63
zprO&xN}7`Klz9w6$UT~XVix0(U-!QAXIOvS!AbY|f8w8|X@_gxtCJ{&$ezBbSzNi?
zxKZo7Q!S^ar<a-FnoSf-C4b%4*Sy!!4qvF%PfSJs-D#yaf8`j(<ike^qDj@6_;uo_
z@#=leR?=5`u>`y9tNV{<)X^HW_@(VXE-tRUVH|xEKdCAI6<zm0Wu7p!hS&QQeUe2>
z?H-?YNm{TR9Nul;7t~+P_vNXqOZJ!e?{95Y{~Y|2xwW(|XlmUe0As<A+y~5mDbP8n
z;l^V<F+EKQluUAvjuf0FCY0fHM=fHS?Yf?GpZ-;V&WzE_-IH~yG~>Z9Pykwjw;j>*
z#{Q5{QSX`6X~(cy9?3M8SR0A&oznjP{vyOv2pVMVinp$xpWjbAyGtfW5NqZXsISRp
zt%0nJh+e;^3nD-YQ*3YTXSDJ-3u3L5=Xp!0=1O^3MqjtFJ|c3<@8>$S?oTxL)<%US
zi-n4+qxPd*QNR+18)W8^Od3*_)-W?SUlF(-`idsjrs1oUq^+{O$2Fh)3)iCSHEk+f
zUJUUUJLrzbbLx#da^<P<9q_Tza+<T<FRisc2YZk9_apdbanMDUAtlK|bkg$j?AsDD
z{Q>L|qRd0kcevv>x_513X>Z@VfN#N5RIR8LE9-U<RJ_gS@pvPZX7T@7fTweV%4H@M
zcbE3L4T%T}FEp&3PyUh6@C~;e%!WRo*mnh*uC<3GxJV@}M-={S^SIvKlg-WX&gxz7
zC^DODO>Tg_g~ry&a*5TWju%+t_+|57%%+RnI&y`SdT(Oh%ZR|oLbJr@p~H<JzRoKE
zP9Wb+SM-k#4`CFg&4Fg?iXrk~Vs5VQzz@NiNsliSO(8YtXE^$L)oY*4?5C<a60y2z
z%ZvDVeveSbPb6Hi&%UCcd9y$GDEH>;QmnLdwf-?qc+bxMLjnG7aofA!#*Im9-3FR^
z{OK2klrg0g0$GU7^vn$LT?rma`t1A3k;Esbuk_U7@mN2!h*c8D@uBsC-Oq>R{@xu5
zCpqd8h&!!Jz<nI^enS?-`T@`Tuy`e)xX81w8V;0gcNU~Zd?B`gN&pKh-`?JihYq{}
z)iDpL4;KWhUiFjZ{OX!dAy(^X2dJ~3m*WzQ&-AogDJANY@|OCGblg%g9A*Odt4;AZ
zpMLA)qAY?SRaN(bN(~e#hi3rO?SItRTGdC2QQB^Vo%~G#ASb3&QVql$%3n7BsZWLr
z-o*~n*W4HW!n_*xZh2uq_3zRsOU+3Ub5zFvn>4O;+sG>NUOK(8PSm5ZwfdU0!O#}&
zJZo%<wFIn+dyu%2bnOIyBN(EL&XOo){92~`M~U1)LOcQUD?ryQCh)_@-ymR9X@+Aq
zpTc8f^*9fcOSP|l|Lr5DX{x{-#>FO?n}(Ut^>=>g)m%3AeW^SKt;hzKiMW2P`)T*g
zjOQ%Lqv3GUcUSZ=<`FStJ}Ryu>i1R@8KDjc4w4yN=v&F%!dE$>PpX2ye)qB6pII!F
zW;#D3{1k=aCg37-1h}2HvH%dChYU&p>^eJC)TP%Yd~XzXVutEtJ?944+?*T+&}w#G
zUTqSECH^3@CO{3q064)|nMDUyrz{F7BL&5Nk;=25dFzH{bKS8ssEBPa7T^<p?$4Y1
z-UtZU?)Gb%ufu6MuHO856>Dc$=O8}N_s}3VIxN}MCMl)8QiZr&K^`_2BS2`WRz<qX
z@YEYRbv0!tBMUm_=)yHxV*MCdYvYHc``y{&^xfA@P+4CLE>oJ;lv3*DRCV^&!t?R8
z8#=aRg<f(R_dM&L;ukhgpT!I7WsP_HHnX`pi2S87){%JlyuVjjfZ+^oD>;<|m2K{3
z<m6oF0ffp+M3Q-s*%^RV8*pT=PEJlkd5E`yK(j>?b3`d|*%(hb%>BDM4j&Mqh{6%e
zw_9W~Mu=V|rGT8}`krdZ=50${(7j*@<QF<Ar1;1}5+^l%74w%Z=Du-Pi_6O&hVB+h
z)*H&Cnly(cC0g<T<ak0M6PNPVJw8sptj^8%IV&)Ofr~5M6xWQsggr*NBU;(310Q^Q
zfB2iLOfJfktgjf~Md|Cv57{{@(-Ra}eHU?vy1(-wXS+s_cOOL%)kNDimCt`&@Qzo-
zn-32Tsv#1f{;qFsZbFJk$^kgrGf$~BMJpaYutlX?!sr)whAEzSkrC-0McXE(6&A!G
z+OZ2l;R3A*x?vay1X0$hr<79XXwAWq9TOv71Uq`uRMnu;W#tz&KWjgfIR7vYTwY%Z
zRNw+Eq)&i9C8;EJ2F-^3m|tsL8&(2sHEpKjfb<p^tos$mm~$!*%O4zG8Ha)h8gvRu
zm6qqScN<W%TKWrqC5{jH5-La1<l43|i%EX4zb_e$!z3`_xLFpGU~u<HtvzFY*n5=g
zjVpa(A~KeHFqxj`bYLxQWDq4zZVn<HnkcLn1MwreHUUur0Pv(2l23;u<0TL>4dw>H
zY@f^Q?th4Dc5L#!TP*FU0qW-CmkN6r2jmyT4|U+n2)R|JP(ijtmn~mHr%61zg0>Tm
zfs(I5i}mX=#uD%ab<Mn_6{C9lOOdC2a}@-cd{N(Bcg$0WJ@?Te`r^8}_{d9KeDw5k
z;S9Y0H^+~D%wdMRpr+oBm$L_z?r@QjiK@V?#8cxPiS`(wBC6wNDQ3JG9gObAjZpg*
z^##l1LMe$>!umvd9Y!X8)lIsO>wYP}oNXW{v+-j8Tkt#8eJY6RO9I3b6*cvd%{_-?
zp0Co&2M40^Wo$e$u7hs~T8w0K=?}4E)(JXqw_otcLN#6V&rt?vfA^3nBMaM#tIGjS
zQPsi@{Mb8X>0TanHfJ$_fgJ)|Vm60q%72#su@2PmGY#y@^9YapC#0B4vy9}il@z6#
zXczAfB;ZOMOMU~lx8}}d=Lq?9CE?y7$-=;ByDh&kW~Y)qK1x#p*NLaZ^h&&`pdY)S
zpde8nR!D+VnBj7s*dZ(^Ma_+b9>~eutuUb(EsfV^rTb8ZCE^idfUK~}<YQWOPMGj^
zU7n9W)v;?+C{6`7WLtou(gAcjDo`FM0T4WRfX_VTOZ-p)5&GOOX(-4bniWIqrefOv
zA!J(X;R=-><Pz2uWdi6x$b>09V=sH8M;9R>BRo18ArP8TwiF9bNi#VJOZX6RRq3-z
zm3Ad6Nl}y*9G{u7^Ej^`o$+c+rcine&m;O+Jh?%Bp-+_#8~Q#8B)+)z+1trV%)P7(
z#GQgDx3)O|Ntb`)k-dgT!>4p<V&C8QP^x6D{9kEF33p-PUgK4lX-n)Qr#m`iobrEP
zNHIh_h4TwH$XC5>b4!=iy^Uo$D?`zCo7TGZq#Z}_|6FxH>hY8PKsDGn*_2>3R!g6i
z>lie7b1WXrH=bK#7#LL<3(v$UY7*?yR04~|r?ikWj>LRBDnUz40&W=)amWdAGL8_D
z6ry$}?aQUdA+l3Dri4jpv$3FsO_aTaWFR3gANQ(*m}T2Zpsu#^z?a7TpU0dfwiJ9?
z2s&-xi8rE_TOKwjX_vv-sA$@+_8ZTp+t41m^z2AHWe81^m8OGBv4GoQ)9N^x@VZBi
zdLl8No#dh=7U24iyYN6;&%vUXIAO*)t5|$O@q`b`0Ojx0?N*>xL&!L~ySZr4aqjX?
z{ffb2tJ_#%&#+d*;xKe4{o60J2Z|&LIZ&NDKqJd2-_2zsyF7PS$EE@|8AJl=3{YYj
zAdUVr!JVRX_J;D{<6GzXWntI+=K+O!UM1K8j8(C}ktx^B3C|G=DPBs~$1K#}k4@HB
zZUiWke$_!8VFI(T-%$B^uA-`Hot>QgFyzkM5GA7Hnux~<(fNiI*dt`*>!!GMK?#mU
z1BWj%#jEFfn3x>30t>RWN|WN#Ie6YDC2YHlv2bh@5@7_$fK<0+wNLFxE<|Qtz+5R6
zpeYBUfiSp}{P88?;rYj=Q?SJ8v4fX2z876oT+^lhnSW^I>x&PsZ`b#8&zvL*=r0E8
z4BE?XJiXersl)Ugri*#O!7xm!DzxwjsI9vOi3IXxGDf%}-{Z&%g(`l~HfN|Ik%eH0
zB%~2aj>IBRQ(tN-<b`Cx5aZFlGi_fUyUfdNSU+uVvgvWBT>V=rjk1rD*6I~dd^%UK
zvcm>`NQaf*1ZKCLfxd3VUuMp4=M8}S;D_y(WaI~tpU{{X>G(07xBf!xXD_^fQ}!CH
zDlMOjW-U850jK%h-0Q9Rn&t4gPO)37Bndt2SI!M-`>)WYLc=QTSUQH`ESA@#wivNq
zd{=KdU4@MYe%Fl$5*si3$DTt56dZdJo3B^xN5qf@7=z4tc{5rAqU>S%+x#C(6<>>r
z-rn`H!HA(#qU7Y{QnFB!iqfwd;(#d~p)(V-2Q#bJ>>g=h`86@K5Htx%TpQpn$mp`|
zaSvDG6>)PsABFOYSbI5h;CW5Wq_wFrcW0_AIy(=T6`3SwlzL?5<lO@Gmnk3vcAAF&
z24f*UxJnw^>WBR%z(Uf{m3cfYMu)&Dy&}paX8p#&qFBH)$n*pEL+g78)Ja<csqShB
z3py7NYui%vC~p3pU-w+y`k`^x1Kz3RM~4eZKnGdrdtWrGpp08_I4vP-#6OJ=Sc^|7
z(ZUL1ApDio<OS3%5nOSYbXYic)LNo6<@^dYp;|c+@hHNOJBh2Fmr`ZiY%HpHB(4_@
z-(T`1?;iJwt-PI^8?)g7qN2&&mlmE!J9mqJg<mDefx!bI+sf_*Un@|Xm+*~jj=aF}
z2!MF3&b(W`6TV5UxR<N4f>#s!Telo<$6f(PxGWszY&BU5ocA7qA}pH{85_w;Ir9tu
z^&DtosI?nEuTO41vAfRQqQm3YJ`kjmFlbB42tmh}mz<lfGKbcvjQEe={DX%<eRhw9
z&C`MKMdU)Xib{inHU=!JGHnzPC29iYYEYJuH&;I4x~~L2cC`WU#{V6Bq|ldOX1gyg
zzFjSl%gm<V*7JIr+xpI$wMvZP%UT?}I31oo)3WLLcm8cufe0|NQ9s5lF>+|OX!R~Z
z&aUL#r8up1)oS+|Ng1=Q&C0u31!7*b5L6uQ0xTZ^E$sljj){bukVWkI1gNyVPGiko
zH*lC9rWi{Inv=ov%>gx$oRKCoG_2c*0zNIj`_go>atzF8ktt0H5VT5@&&CvkdlsNy
zUne7-QW!1V5Or*t4+qkJytcx$iaPUj#0=KycG?*w2AZF*`YPLJzE{bGqZ_<B(?@^m
z=YVhO>A5|u+O9~^GBb!}BsZ1_jq`lJfaHd$$R~0+YSL<7vidXfnv4Ws0^b8Q{=rk|
z)bXF3<V&pA%LJ@>+1w0nPCqgNhi79{>G1G!@T}yekbErW+cL73eZWnZ3rhrPcbyx9
z*pNf{=@Q#sq9fqjqhmi_JJmKn8W^a6hA4R}<i#XV@(XOA$=o{az*&*v*m%H$pKo$N
z(+_Udi7Ua{^3xQ~t8(<KcH0;cvd2${@CEAbPpKVVeLvmz>t{D&Q#F3mdpY0kWua=%
zzXk|^cNn{3b)X(TxZ<G<s>?`0|C317D45*<m=m_{Pp9Ep<ys7g9nOX$U%B-293_;4
z#767Qd#JZAc6OYu|3bqT(gc!05sm@@BmhJ^QZ>hDQHt8wv>nX)W7@Z$NDs!;a%uQI
ze{M18Ts-{i{E_H}Vx$ah&C$T}2xd9$z*8|gij%B|LA^hmvahJz2yK{<*Ad`4k;oGZ
zb+oX+Mk9Ie-X21HSJp2wVz&C>pK+_rqrA>&yP@`N%XQMC-3v}%2DmYmZ57S`5=h*j
zkXvLBN_cHS_n@X6?Nl)Q>9M4-P=FGi<2)#Xg~KdHoPi)k#kVU0{7Qg2px_)PO=(OW
z2cPM>F_8F~!Og+x*#;|s``1G+WO908Jxs5D_OR6TzS~D8J2;{cF3z|>X|h73Uzp4s
zzJydS4^*o_Vb_XUC`s8Z-#_vr6SqiMOf=Z_7Z8bUkD)x5f}B50$WQqS1w$icAY`(d
zkyzlq?faU+o26|7j-76K2&2+20bia#fx7h!V`Et<VKkc$4Jv1BkQXN~Z+5;3mPL<-
zF{rup{~Cf=sYv)rlM2Nd4wVxoERi1Zf(-%xhZWalTc1fOYG7CWdTs~%`XRf)1YoZv
zn1BiI((~S5p#OO1$?NEsWUnv0u(Osv6pKgiS*A3ZiKkK|0hs88y3}7l7&x}loX4rb
ztn{<dcYr4Fh)TSmer(rHcA)^cBp()DRtYbvln!~*GTIv#yE{po^@SbUATk>tS<?Ro
zkT%N`VbmlO(kvEPnUP5M;NCKA+`@4#a^%NP?*0IjOGH#957R)MjU|zaio1UxL)L27
z{zFcX9Aet`Ka9fOZJy8|@*OfSO^*lxi%lA+g5Iy^P2+p$|Axa@EiYp{#LI}fI2pbt
z4DYa#;KC@<;>8dbe77U<5FUsFyBeuf%DpVzXWs09>VB7Qyw5j){nvXs9gm)E()`+9
z#%csV%;t%1gk`zA^`v%<r)YySD>g}YgxbZ)Np|8bwY4tvI+K|Q_Fs46Kiqbs0D~ou
ze-V)l1_B4*kwZk@r@r2(ZVQ)sOzDZ({SYwideow>!4YBD1b?isNQb0?A=M~2rBM|T
z^5$w87NsGp!-NAO-)BCSEV1S+v5-I}#n6pOKMdVHEVVm>FE_QBIN3KWyrj{RS^mpl
zA%L~(I6lQTWMRRL1N&(yp@gGa_tK>v&PW=_j`SayTtkY9A)}T>|Hm35`UB3r5LrR+
zt?H+&JRAj=ZZac5T#L1BBVz5l`Sy0ty6Wxa^JO|Wp@^kSCAcVB1F21lUNm26asd-T
z{qjC)%Mc<UnI$TMc@WMY_435|k(;oGgo6l3HSm1oZiv^mxtNKpD@LY%l_TsNltIOA
zh68x9BqNsss{|CST`x;yMhqPWW_h4E`Daa6JfuUXCy@U#Y;3nQRf83R7YVwLh=(VY
zriATGF6_w+A6(PtHRgQyB0_exf{7$*F!wD|xRwIm5qkv4=c}wR_<pEmj@8ox{F?&c
z6p8k}*uwe8r|5~8)Pj}a>zh_(8*WR6TU9?sEO5VbpWP}gav|37QVxkvBoL0~cZG$M
zDmoAb0%4z(d&x5{^*PVRuWK1JU-9Gx>KivGdp?#w4)Ur5Ixx#V2BMvDP+UFY@7DP^
zLBZ0I|CmL?blfmNbJpB40a6$4eEQa%Md8XWpK~@7vW+v|cRLl|O64OExbc!lFaOQ!
zdJ`18ZmY@|H;AmhUJ+78$1xj~Q`t33hZ$3%fL;)rPYGU+AHW<bhH&Dgu*o47{J3F4
zn1OM2=vW+lKN1H_3=ErnYKh<=RHab>&5a7kTDiDzpFHTg&X-;YIE@!uP_b?X9CD%?
zk`c}*8{v167Sy#t=YSb?I0Q41RD*UO6xmzg9NH*;ggTCL_Zs%oXKnm|!lm?S>=t)w
z_i4L5q*rH~x=H+B0&6|nTTtg?ra&S`etY&{I!BkG`hob43yexQ$5N@vgKS>U>$lm-
zM+yQKffRo1W^KBv?uPSz_>`cl$WyF>0PFjKQf2|fpsAl;LY=chH$d)@52qqb^Co&i
zh^ktQJ?dRySd^$RzM2LtoQPVQQiGdoA(BVLlIqa-gT81&!8V|Y^&O%qtt{H}guv9p
zq44F_fBC|`pEaqnwk3cH?(P*{?<zv67*~=tS=Gc_4FfjboUgA4jhciSshS<fzj*R`
z|6pf_SEPd<2>L!`?XQDWri5;@wkCgenti;9R}aK9_|AL&&e)~5y<NPM^gJ8}!s^)V
zm~)KubkvmL3f&mwSuY}J>cntYv`?$C(Sx91ER28=RQ19IP9J`_VZyXuMipz5=&)a=
zR>h!QINSjs1zFB_eza1i_z9Qob#*X#TneilIhY-vTiiS>X>myCoWY`4Vv?8HR0LCr
z?t2}*0c#yI-p_x0V%lX9!QtJ^1b87Z&ZDXL1jy1(Covw%KX*m`?9f#-{LYol#*_=H
z(n305Mjc(Tv~1iHGGs$WSWL9WF2)EA;>Qkx(jkVoCE9h*F{p^Vf!KTJV=8PZ(9mkE
zL6W*wH+xxh!N4gZY$>(6a`^YZB~EbVr+QbGM{xTkVEVEmg=W}*Lp2bagTO**6onU|
zSlJOfNBvSl&1(*PW(g?-kc0Na9^R1;Z&kB$x9`#SFHkmM%~AU`C7H`^Uv?ZUL%z!F
zBIR+1@qOI+d8@L#8is<#(qVM#zmMHita!p6aN+;ZP>8_)p`<?>EV99&9+C=<*tk)P
zDdt1AGRT_8rMXJZep-j4p_^d<ty7I+C^K@ce89o%(uY9c^2D*I>vwdEI}h+S>8%+x
zMoG|@*~eGh9PocS#0aTDKoDG1C&gxNQ^M4>)f>#!oEs;feOcf=;`m;g1<KY9>i>iy
zPy_+dh+K{B)z@7KAX7MUdFT0$tvFXt!P!0!_E0zonx`7lDs_t0280`X`j2cNQW;pv
zocxpy4-4FE>9Kftze&tQ!asW55jLrkr893|E2c8jUOs3jeoEA|^I;LRs>;;=p`xO^
z9u0<uoTjIz!UlLFC6<6iGg9H;_ok+3$%w>2G9j&oRL{%nOq1yj=~o&1CM?>0hSLZG
z4L}=J!o#U1Ul!u{o>o9VIcNWlp_GyVIPSI<4Zv1?xK!n^ArC|;X}I78F(q{d5wsrw
zQ1)U72By^ti!C3jETyo1jS4HhiGzf(EF1x4Be*O+y-d*Ii2ZUy(Nd8#JPM!0MeEs7
zs_yGmqqV;1)y609Q@FyidKY<AVL%=&N9($^EoZF>adBD{TAzhtC@KNSu>a+lthjA;
z-inRyqwHihZW^Hx$@Br3Ne=Mtw*D6FOa^`tz#I^qI}Qgc5|sOQ8Z@t`TEMQ0d+1|h
zcLu-O+(bahfq_c3KoUE`_LUE=p>C9=NWPL300BnwG4^tA$Ig!ubfQDN*=|@+i|igF
zG+3vLixkyjNw{H#nj(Dz28yC(90@~1iZodC`>gq8@j?~(%*S{kp$-O`L4p6J1d#$;
zv@E>C7qnOA78;E02h&>Y_5$n1khGNjo^E8y95P#V1VtVOiS^P>V4c0wBmVZ0SW}fP
zNO0Lz3v>YMzIV&L+_m!9{^oo(fUdIhtXn`hBoBLgPT0ds2n1xXsy<#KeFYM`??)16
zr!z3Va-<}S(TWKxMPHp9wR+okvdDQ)AJFcrN|RAU4xH@n?1_OeS>r;*$zi>d;5pMw
znQe{O*IFu3fK{KE#r`iM(~q<cuHGqOGN2HH3B$-_uKaan#t~^G28jdTMK^lu-Q;sJ
zT{f><lQG@D(fMd53{|5>uFFVoJ_WvL5V)t!#9SSkX2#mk_|G&lCp=TkcaGP;-?3BX
z{iq%#|9L_G>!P^{iYNv4-4rcouFRX+Ki!-~#l9kHBigm?q%{;5SF$acg+Eu`SK76m
zDxa0KZY2yOr9dMy*VEJ<0>I&~AM<o+OOM8rgWB~gQ+Ll5OM0~ZFtpIL?F=Ic(~BXU
zQ%qSnENBEHfBA_k&}VAEdcG*E!J9JD2-rgQ(fo<&U8|W;-fq_aFZ1)K9thZYco}tC
zle8u97}$bhE~?R5nXIgstb~PzQH;EBmO{Q~Je>(7NSptc6RyfOge#Se7<jR#EB}-K
z!=lcv&wh#HIs)z>UkSa9A5+bhPgOc-b?l0q8Qu|Mvlhqn<1p5J<)mY5wIrEZK|Y7o
zRJx2NDxUve*=VH53@&#Z2W&>l^3YR2LOGmh@meu!Wy&v+5>^-)42ssy*6D*?@I}td
z^2BM)%gyggY~dg2;GK)z@0oiiWqD?YdU5a}3Gk_@SWEXDub<4`zfEUydM8ZY?ytha
z9m?&o(FkaRHwG7g?PS>+HGmZDWV;4iDB0a6Bw3yG?B%s74|?ej$s8_RCSE|BR|F|G
zp8vI>fWr_8a>b?7k)j<21dX?>dt{N32!o4($^|$sq(+G(nk?;$x7;ttp=Z4nPx)=d
z7mbJN8b#op+nrIi@CYr2WLQmA;Y{+NnqO@EAElAT<l+(`cqyW$e41$nGk4!_)^H?F
zy4E7U{~>W~FZrO~tq-Y_UelM^o@e|!ht8C=*IQfH1Y^|(U=Qz6|E+I|es6!4xAolL
zMGyy>R~Ud`LV&VXx5;>teE5Qf-in9Mq$A*B;zRsf>17mPox@LO)SX~P`if}49xxCu
z=+kL7kP+aXy!)jL+{2uyL~AO_EdKct73ad!yQ+9|Em0}`p{%m45s!GT)|?V_)#%v?
z`vnAYcrOjY4=|<ymBW#3{w1Tn%HMiGEqUw-mg@n(YKM-&MW3!e8!A?YU*0%%_&k|e
z%PoZwO-;lxZmXQFq$4j`i0U$KX{*extSoMPyszP4)y5JUcAximjtH;;qLO5h@QDV=
zm<hd^Y$RoNi`oKoI+ZUD+tpPr20BsyyJS)bj3YCFW{T<)8uk#`aYn2y>+jW0J0jmk
z(#yR(&(m>z!A|zxBp?wJk`VLu_GVj9P(aiQcH5{!aRK5>%(zGppi&5nbc&PYl3D%|
z@23y=t8l1rJ=XuEgsalX^mUN4!2sY@$MLVvths)PQCM1hgl_|l+dU%Kp>BUMP~5)9
zRrnST4N5bGL7rVD)cX<oO46^VygYNYwtXxo7q?7zU>5>&7S1k<pZ)R#L|=W5Qn?;J
zpT`9SD~nU&G<!cPtEt;@1_}l*to^ea?N-38CXDU38by9NXas*-|7>97i`S`zpLP)A
zlNeKh<`$?$s;Lr?S>cr{NXKN=@>>EW^kYMw%0G<wg7u`Z!K^RX@e&SvFUREmDHI)S
zOiT(2v_#vRn^S<PW9#&taLYW8sIB1bdXywwzAX7mhU2*c0U&nTNOKo`EQo&9&;8Em
zDKBM7KCe6<wi%J8-uW-@5pnBf<;FMKzIX4^L)sEDpa|zb5QVf@p2GQU<u#so9K-}A
zOv6_bdQlk6l`hgi<-WWE@S;&sWiKC{4$n7TZLL3nw0q<cpKiSQzgsqLcPn}G0N*z7
zl}NrP(J;db6b3jU;0l|FS!%cL`~IC#U^mvNeYEsCp-Y6Ll_nn9zM>-{lyDFQ#6`}3
zBJZ<dkdq)sCD!9+sNoX5e<Gi3^ky9HqqX8-|BYC3V&zH`SwOswMZ4h$5CLgeHLoWE
z9;#r6r=A{h*}@4cgpM2>Emeq5YI3r%3f)h;KMdp~?M`|l1N^YOnVyYB%qb*Gn^uqS
z-ouw~Kw9lBcJ!MYXjK$W%KvX5?020E3hAVMuE5c{A231!6ri7JhVY^=cU3Po#2K;D
zf>cNfpRYS)k8&%qs+UYniI!id6zSftJXNBnUmw%m`K}+rB|f&yZ?8fBj*H@@Q|7@S
zs$L*LR@Ow$n6B{lx3S2+>uDk`9Ozx|S;~Z?qzr3ONeyo6n~bDGJa1lke}z!$6Ils)
zc7u;rH5@D1{yz)gokKo|w3)*d?`3AA{tpr~HZxPYwzkGV9DigiT_Hr<%?af44q<zQ
zC<4wvlE8n9&d<*efm9d*D0wto-~HA#Q$~vimy=yl=x2n#?fTLl#^?3=jK;Q4?=fCB
z_zXG#@R@ZX>++O&t|6g8C8F%-%t(fs52HTs<RF>@`cbq2BqQtod=gv`;8QwHqklAH
z!aFG`CzqD0XXWDWKh}BK62H7`yl!iC*W6GlVa8YT-Ffg4fhh83ah!P89WOMnuHJwt
z|Fk}Hcmn5#tb&~C+P-jh!YSPqbhN;hVC9roors&aA_kEPqfttJvG|&kCahIR7(VIa
z(DCwq7t=&K9qb<aTDDgF#t8knsG{%(aQ#V2Q)*z)MBp?X&h;tCOw{D%<*!u~`0v4A
zAg3lmU~yu-1;+66X&5a_fLVA3E9BzTJIRfYpb9W}ZtkJ`P_Om@PiW2jpVzV%3I}5S
zaX=>uSCrtqnE*<7xd?@@h1sP()N?5oOPJK8C7YQ@)!=0|jKTX5_mRXH1{`=;!I!G<
zqX#$d7Bf=|3WCT|NiCp^r<LB1`;;>#G4$P2rb(xj8m0|;xFmgs1T-9JD{BHJ-IdT>
z0WQ~epQhQv0@r)~)sDuro?BtEcOy}5a7$$zXY2aT1Kg;X4y*D$u(fH&L7FtgV7>VG
zcw3P9;|gK;nvE`gEo2|I6fcqDq;0!Ap)pHP;QRG3&|b)YpZPKqbUl4u_`193EHyt0
zw93|IC5m^uYhHp!peI*VzxGMdJVW|;Qr&llNF+c}kTC^_%R_eUQyNGfL68_Y^y3l$
z6hX3O$(tlryy)b8%X{WAe4jDaWSrB^oT0j;*~Q#N;rYVt;lox`^~olAaJ19r%Gc#o
z5S%+ldDz$Cdd4iK1dAr(-1GT<Rg{eeRWuz5Hz>(uhWo17m+^O}P!IulcCpmQaGdyM
z*>)b&1&c8pG!ex&LDqA`X7}}W1y1$e#TAme_`4}YrY<yk28Ig*O}Co_Wd52R7w5ou
zPSsDNnV2W&WGAG-usS{gB$hvP8G<rg^Ff7dea&m{bGA-N!4kZ}C76RvZ@8Eh>A?|V
z33-%33-@GW;|9WvrgNf?hg<sE_MUg2w&kxI_WrNheYi&uLc}9a%pf0OIEau00+{TG
z71-eZ-|6~(c*I@Qw;Pq0<C-VeWJ9;Yk`c&xK1WWl<LRby_UbFz*5Y1f;11Vi4(nx7
z5lJK@PO2_V7%}mJr~V9sxK4I(aK~acDIZljWZxcgpiu@Cw+N^uoeP@eXC^~Zgr<Wh
zl)<s$sv_;I@oIOk?dL}kf2VjThe#QS6l}pBMcp96alibv^P$-f9RazPwo{IeVkD0E
zcL@!YR}NC?;b?yN<)j!u+zP_XzG?QhhuvxN^)<lVG>R#%3<;A;l2U1j`R{FQ>iZu>
zj+(&-)n%a#kcJ2_Fft0rEUT)jF2aNI$U=nZv1>nO+=;W_=ib|yMsZVI(j#I2Ym@T&
zjS`xtuYdJ=R=G_e8sm=xqW3w>G`FK-2tX4lR05G2$cn>)Kp{{N`c5*qaQ~QfMiU<7
zJOAE?Df-#5gO`UzQ|#)Lzil#H2Y{*H_6C#fp&{SO*TR9|5+5pv8cn3p|GrW`);shK
zBG>y!AM4YYwUg;NPdyvNb8!r%G8iaanK&@eE_HkvB<s?!4n(BvDRFNTvdMz7M$in9
z>KycxbzDN;)#67R*AAR=2(uQ3>-~vA^4{HBa!UBGwb(OKQSRO>G+1yRf#D9Oi3JHD
z*m$=KM{kiL*1J%V0#Xn=ng|v62ar3?QjWo(LIAcRqYOgy#k1@%rrnrJ!!af7Lx#<^
zE;)ZgWYq+LT5-N4pzWK4arpx&rqV<8*UQNOcUZC?OsUe;`+b>HTgGzL%geyyRrE;b
z?7s@(u&`wP*B%p!<z8CUbxzY{Y0ZyU*G|e18Jaah8Zk`2*}BPmHodZP*!{3Rwr?dS
zCid^;N~ZDZTSV5k)P_0JUEx}>xp}j2htTu)FM5~Ny+ofLNb@8g*YW<Kkv15R(@K>l
zc{iTC;GklY<c~^;KOjORw*^8XPzc(N$jNx15AJJk_aNiYk8c&nG|&ewh-d``eI{-g
zB_gr|+`VeezRiJit83|qh=}kb9{)SH*TXo}Xy3?t_+i&kbG9AYYxM)#EMRIdZ4=0p
zAyC2T(OFtBlE#hj>{bXJa(pJGXG^p1CU)qP^EMf=Cb_SFHVe;@y3_XHL%u^QkLQnL
zVXt=AK$P*an>~a9l6N|F2q9!Zrh>rpJ~ApORb)uAr0V}_y6UK?+OK;l9gr9V3CRKJ
z4iTh>?nXdT5ReY(h9RW8I|QV=OIkXmLqNKu`*+{9zK^xwznROu_c_nA&p!L?V;bK^
z*oWz>yz?`0$scq>%rD8|;k*BX#=tBA+u0|i<ov{L%}bhr0Yhah`RQ06wFcz}I!n|U
z@#w0xW}Lhd{MOdWG}y&E_vx}#b?2w8VnTunT=J<Bb8?EC!nCXfP{kmL%Q4PM&Oy$<
zq_gA{mA9Dnqa7-=hJ6<UL@NsXHc&%IVA{vSJ9VxH{=RG_e6YSoJm4$y(8`IC3OSx;
zNuqf8OR7F#jpPL&ZP4-Ctvv+_!RXZQiJ7rHHG~6HPMmKbfW9y>^B(~5ljc{`lIWj{
zAoqU0-(mo}%i%)ZhENqb+wXbX3k(1tTNZfJua_~Tf&jqC716DId6C*8<K+lZjiolZ
zDjT@X)RM<>L_(kb;ZdD6JUY(wY~(f4IWBkdonR-sy4KY9#m#0b=OgfJsQ>_eB*Vc7
zY+vPQLd)rwrvq@p&QBLua`wUpqI)&2!`s69SB{i%`sT=FB|8L(D>1()5uFsBlu1~s
z5xmQOmD~s$rI73U`%YI{9d&hl5y;G^aJr}l{%`$wJ7+h1D_dRJ(J<&YC=?lrfu3Kp
zIH-}%Ip2Q$Bj>{Q_`|`?nL(7z&5#G3GuUJI+qJaXBfDUk0P~p}yl<`;8|GUYE*%o3
zlKoc`FZmWSoRx4gq7}fr{>O~kNp-n31wBfxfcYi6Z~r^<M^t11Wqgb~oVJx{F9Ay!
z#Qz1%M7zdR;a>!%@1}U2pHUHeh8yJk!Xs!Vx;wNZQ~$$aAVu&CRg`;gY@NkJ*O_I$
zgB1E-#D9$<yYq_mJBgzBnPPH_bVQ-#6Xx7lfZhB<F$5;wDdIjHa9{&Qk*=QEm&Mk)
zqoL}yGXCdQkJR`QY3Q&XiZ#E_44`Mw$xS1qP4T_s-}vO-Rd4zyzd^T&d5)k7hGksj
zWC4cPR*^gowGIHmSj41!27XO*+0;YJSyo!CS)(u;zpOA(F>&d0p))smNtD+#ZZ}&=
z6E_V5#xuy4v!%s=?{iRBJoPZjf4meupS#O|JE)3IqM2}&tXtNdS!hHP$~G5v%6B2k
zy5QHBh-CD4T5E6kFaI)8t(eIeH7;KU@k{iuH=iU0R|X&Nw}ty5IRP6ZmNA1puS+u6
zRjWkW7iOka&-W|5&wIE?{yv`N{m42$cYlZKKeu`2I7hLD4nQNjdv-BjMs}mLnI2!F
z$#q=a1!dlYKJly8!Ui2p-#>N!CAk=f0b0CtxHoMCJ3KGUx2nT!e;O(+*F-TJ#6Fsv
zY*OL{e-`nTepqw=l}|;PjF3o?Ef|QEeuGn{*TVD1;rB*{%L+Omf(0y98cmo7P-*8S
z=GxIlFXC}W5CdQ&9NXOvrW8fk;R2EAJ1_q^V4C3u5AtDkapIreNFHV9%}B@Sj!G(;
z`~(&L%Mci-_22z$%Nx}z6Tu?%*cOG|aW+}9CCB4Aaa}Lm86o?qqoc#f@j7A%FszrS
zU6c;{YI}d)dpP8M*0S93UeDP1k4g{s&}8M_(bw8-!*|~zX13{H<<{_xa5BX4^0B>t
z!Ym6OVi7@@LV+N9G*o|2Eg+wEkj76WI~~f|ke{EQou4o6kfKwS2#u{W9eI5k0ReX|
zQi{mlo^?#${-LHmE94ZGOv!y;&^}^7OCG|$eQN053j1kKH2q7I?C=6ld0=!sgpi$A
z*AMrFp;nOpwU)xstK=&o_<&wT`|VyKTl@8&WQ`8Zr1-P>#2<uFSw(lYL}DNARv#}L
zYAGRZh-fQ-S4&;}tI$aOh5?1f!}s#4r|U7F){_iyr|StW5ue&OVfTuKFl$m7R8yWR
z0&_w|KkFRTVr$I;;UNJvM%qD=<MW4a9L;FMAz<tIcb><!cef(Sa~9mMjgi)n@+Rg)
zAjPb#tmFwRC(ACYG-Cp1!;i3F*Sm;kzRBiW@pe89=N=)0{tw2pz(`rWY1WhOXy*<3
z0}2m?jLf8}nT@-(^E&b)afD82>q<--5j93vtM;iQU<jY2g~7T4p?gL|v`(d2U|dHC
z@$ekkQA$Vco{&WJnSfFH+96=p;Oq4m8Y<(6!Q<~^XW`Z>WvOHHRKu=x@#&R$95q^+
zWfIJ1+Hi>H#>#<hI_z)@4ViP0FVQj--f6!+W~b^enMPEhBY;m20`uP}zP?cRIdksF
z;%~ftbMlZbF!a8)c8v<hWxmF(kI7pk`H8}FbdrqJdA7#=v9-It)z*r*vq@WJnlHka
zEhMkM|3`M)6!|Q<qC%wf>=&9TTF(7`3LjEn4Hagh1Fps*8385X2W|<7cF~MQ$B*)I
z^3xN3Qfzt#29>1v_$3_R8&Fx$*4Fl;sED4~@W+0s)avz_-&^poG6H9{zI<k?6eYq#
zH%dZ8G!A}D<C8z__OM{sZz&N^eG;_90vJpYYlYpkK$hWq`_ty|%(OCDKL~?;nV6Wy
z^7ZJ5Bl@1p%F1$M2UC|4P$Ec?e9@jRZJ#8U=?e|0j5xU&zszxmL@Ls;LH_Hb?|KeF
zQ!xF|OJl?(-)UtZcgEIyFY17l6`|GRJ4J@D%lUb&m2iGKbF&)AF2HJhjs^$D0YFXi
z6&_}sKXlKa!6t(%JcCWY!Dbm5G0vI#{p!`LSBET&jQ=_wE*Fj6vmT_}>+iSP@Fc@#
zNHnoFx5a<@jug7IkjXf=EJw%u7!x2g>dtQ6`J`ADOW9&<VwPq^pUlJOtQfEFFk5>M
zrpMWhjl9b0>a~QhS`t|8`C-GVz7`nK*eJ+^fEE<a@D2mm<a9RmOlM@~_^4FT5@7mf
zDH(~<@TXgAS6`S0+ZcM!<S~uK3?FVF6mZInqI@|)nN+pr@Vr}El%PyEu}LQ{F<<E`
zQl{7CJR@9sa-q&r>g#=`=RcWHC?^^0>znW<t^}w91#k|9^ZeJr8F|_|Mwhn#)N1T<
zhAT>>ZAAZyDw&_!-=Rsj<|dj+jnMumws)U`+i#TO+o?s7CFXIVS;78{lF<7@sZWWY
zf^hL!Gq>Npgf~NAS4oM9idY*^3Q@?2>+No#ErjJ{O;Gy`pK~JQQH8QIpr2$(3=+N!
zBIqLPN=?4yt{3@=A>EV->~=yP{vm#HL?g6Yua!LtsY~(GIT>`Wx}W&-q<bdunnPcG
z6BmK-Q9^!Z(9qCO3v%JWzFL4e2w_i?f!o$A6ELvDB{!%MPy}>AS4(S7UsqSaW+B=z
z+QqB!@!V3d?Fjdy6bxZF8m_hZm3Qi^g?BZaRj9?k9cbF5Qprp7oqFYK7>#3wk^O3j
zvz_18d1-R}@o`d)EhY#5AVSR7r^lST58S*;cBoh=flis!?-h686NTsYp2eAk{^Y)O
zY(};_h;M5tD~r%20GyAkOU_;W35!4*rFSOZcXu6qDZ4elVO2BFQKsX^%M!U7ejdd;
zGwl@;m<WWRBAX(h!O&&|^<#=zW(<liHUQ36c8SOAUP1%Z*!!{w2?;+C5D@6cVDAJg
zB@ZzwUZ@8;h8SaFgeW&}n8b?Q-#8JFO0mieNkT+5gUFqngPqt69c*ehTcQ*_^q6xu
zq};z36@{=dGYjx-Qfy9fx8>H>s=LLAErmlvUBUbY|2G$4qRR6YrkFt->6FtjhO$iS
za}z@OdKc$0dwg-h<{iwp#;Fp!FiSW~J7s&YvdmvA2w5y2xmlsSGM1ZKqhIK1Bd{Y*
zCIy|Z=RdTD1Yjd~lIBggIxBYEZ?XA7tD!(7=BuD?%Zj!j@J&$xTK>=<;t*?(^+3XM
zdb!tqb5B<|jKXKnc{!^$82uWF?2#4F*apccB9A!usb4ZGru{6Zg9AfJ`AWAlXJIR9
z1KQS&W?^ArVgh5fbcl3H1TzZ*gSMw6N$cHF3lR_rg%b$<8=(Hp0$>o(u@Q|t+L{yF
zF=*_q3_bH5>(^${RATBh?7Ca?>ks+7Ta!i!0jTvv#*$x$MQU7%@G^uzI}eCYPmf#e
zpQK)x_A8Pw^<G0_M_vFth;i+X+=>b|_kr?54^Vx}kT;PW3Dr@6?9w1SRkXCs8JL+{
z8Pn8OO&)%<O|4_SyP7ts<AyUe`_{z5*_rdWhLocd%B8SIW+(Eg1TF{SCB`1@R#xNi
z;#Jl&y><(dz#XEI0;s1%xSOZyTXVnWijbtHf%u~VA(|x-?c_MZL(0Rg^XN=<MmD}E
zqU4IdF}Xv;{~X0+qPzU5)TNbW(n_zVhpxp)viK$Pkc3VS?Q-p6w|7!TMasJEMsjeY
zkp_3|V)*ORk(|<e!4Q>=)g&Y-)0tngu;xh-9AQ`7YY%)u=sdygwGDQ@k*KPwLVzU+
z2!ouQ+>{Ew6CLO!nM2mw+dErbU0ouJLxi#Z*z#i1CptEtEM{?F1B)u?``meampEfM
z((N<U5MsYL>B6|~(YCTT)Cz=&#v06~<M~!%iJH`UUu&!Hl2^xq6%tsPn5aL0{#^fg
zC~<}w!HHxjX=0K;V$<*rxpR`3%XB)6*Zxm4vacdjq}yKAZik%WbR^L|QRUrQgcH_B
zCPpP2QXC+=<u{G{d5+8~El?{-<Ja8hoer%K8rna`fl>n5(KsE%%@E>+x{6nmvDC`E
zyNW81*q7X?+EW{vFhm}RtP@Cs+cr6)c8-=?a<a22eWAY`c}ZU<eij=X9GnNTsS%{i
ztgJTe3(ud@)nwzo#2FuD@$k{Q<(n}-=!@XzzTBAE!33B!k#eN~Kmn#)LR0j86#3g}
zYUPpy6>dZ|7xf0=sG{c_1>_fhOGY6dcCZ3DGaDNnc-wktXlQ}}yI$Ue3D}kC9d6(A
z4Ug`&oDL{$=07{N^`?GWw~HWRQc64hwr3~<c4>u#yBblmliL>M4sBNV^#9lZ=?EP{
zd4QffSyA91X$pU-iT>3g-<)D1n+(ok1(-|D6UY2B5NJ53LkpXtSZc4i@u~Nm`4`i@
z&UN~8u11QZ?+{>@$Wa!^*DP7gP~2us8<~}Y#FT2+NII19gh2hD9h5yhb`H39Bc1^w
zW|`}5$fA)Vjbl5tvb-9fX-2HEL!vaIRQn}G^%dnehXP$5{)|fKt=^o6m0z*P*viVw
z^2oi3#jQyC`0*nWOucNzf;ulZH*w+cat`ccC_i=SxXXBY&-XN4x_i1hD-~{~4F!0=
zE?Jpr+kb9k!*~IRQa%*^@F;QMq}~t^!bX*cc8?R@#|6zo&vl9_pZ=JT!C#lLF)NMV
zXn|NjI$cP?=3r0l!F;>is{*C-Bf$P0f+e9cNMy`6cD5xbDCi6*V?O9k`9a}+(aH9W
zl8VL<2kz^8<aD<nLcmi9d0hwv^k6AgwhSi353N!N%au@f{{ds*?|zyq*7=Z62_Z2|
z-YW_NFu^8RDE!s?3`M%6p%38cM^4YoY<1JD)FJ*;KI1J5tJPZm>R#XvcY~?X45@`a
zECBGGdi$3QOnvo>qr*g)bN#l*tg(@O54dr~_au32nKjwuM_?wG>hsC(2|!fsa3XD{
zq@b`*flXGv0s#*5$R0t?nhc&3{TfI_@=f`^tMqshEbMuBe<kt6;o~Gv6sZzL(gn~&
zCl`ql=<5?5;1V2h2?;+ZkfU%j{LJ$*Op1^m+YCrLwl2Q0_;7aI;5pOUd%XP|o0OOP
zFJCE`(hwMXqQYw9pqw-2+=_IFc%$$`yyCIU0oT1MhE+MNjgO#{&&(wf9esWHrCwgS
zp+?4Mj}K8bZ(xcnvC_#o*eu&nO2oH+cIiONRfC?0piuQLJiDrQ&+RF0%4bz`#l&j=
z>%}L5W<q6ERVu7NI2RJ7e{K<{C{!2RR6v?o5&}1(CT7O+7Is;2$gMmQhM`7g?$Cz)
zrHgXE=Aa!Pw{m*8c)+u@o?oe*ojk75JG$%m_lqe6%1HsMEv~GLW@2FxghPtad}+89
z_#-4YPIGgqR_k=t>QvJ`kN*v8OtRMt_Z#uL4%71L9kJ13`d%u2u(S+r`w1;hW=i^|
zye9Bo1OZ&L&$?L~3lEOH_4SNj0R*CqR&y?o3=)oRjhr%^hO}};#7-Z%zWkB`9WXBS
zf+yZbLWw4{6J&`i`R+}mQ;;P@wfgHTR$p{Mae@X;zDN0@lfGa0!tikHWr<CCIM2P3
zWJW|w0i@Ezb_t~BL|2gjLTn5SG9r-WkE*JZ2<Ur3o$9rOScWLU*sGp=QZcP|t+;u#
zgtsfQ9b=2^Kiqg1Q1mIbZO!*q|6HQV(7%BQJ@LH~QG>v#mo8An1Zry+D4F!4B>C?R
z65rLg-CTBQ%s9=CN%7wo6ciNY=f5Eb$YBUd;Myug`>>gW)n$C+BBB(P+k!#swv7;i
zFE7dJCt#N!x5U9l96@`7L$QBwx4|E*Nx{2N<JNjCq^=(KjidZA>ghU4?h!;=OK1UB
z&I0fq7<d|9FIZOSY1B6%cqM*TOMDU5Way<|y1$~}z!mk4C@itK$9o0<on{~Rz>4g$
zw>XTk2Yn~q@on|9BHqtbQ-ys&EYWm`&WX^Y%+*Ju)jh9Z55_*qi?@jA7APF-Ssww{
zNnyY0$*B`o*o@gfSE*-!0`-ZjSW<NKx=|`mDhqiC2fYX_R)qpdYH7Ja#d4i#e`cf?
z`{-T#Z+#CiUZ;@OuA#=uCqjxUF(4FI#{#mz2~zZ-I!4^D>psZcg7k5^+4gYAJA}u;
z(Mfj_f0_4wXD6ZY%_K+QXZJhLiwDi);&b)o*2gndFYRYY!o#Mg0zshQYdDjfLX(QS
zZUJ7=R&}*Kb5W0%N9suc;|_-AN<j{pn3+j^Nen?bT(iGuCdHQwTuNnnaqfO}v*I@l
z7$TiX-fLRD*@wcR-ExmNDqA1>l`gF_$7RH%v49DXDmA8BWMpQ>L>6h9Fb@ZOB_#7E
z6ji2kwzGUPTU0HJqieV{m*dX#Zs^+zaLD&zzH@OG7bC`dL0q(0A`o<|`IQs&{uhl+
zGtQcSLg&_xfnkDo`7}}@jsHY^e1lmQ_l0>ijUL~GzsUvDEeE7E5=1mPeBe9D)(Hww
zTRYzp027iQAQ06J$Kcc5Mt*w9;UBhmdFx3EAS(y0fBc!;d6}W`iln{BfIr6N@!{A9
z2a?k(rf1E{wx^+P0xGzG@oya7o#3AGUih75s~9aFg8{2<tFx+eyeapt&suWY++kuA
zI`K!sVU9v73IWpvZXZS4Dp`hEBZ1`VuyI34`aZ(H73#mW2bQ$a&Erq@Iz1?|I34Z_
z;%6lDaG~%CM067*M;|^=2tF(1B||Z2NM1?*=OOtisR$?yasfQtO9<P~W*j$Bj$w^e
z2e)M8`IkZ55R462+A!<m)X3Y4%a0HB-&(oG&SW4k5($-Z`#|roPzX>9Chn|62R2PV
zYHQEgf%8bZV_8-_l_;V3v+g@h6E^H51rbQ+(L)B}yY~L>-Yf_Iqp@V+7=^{*fpdJ?
zoxqxa(kEPGLg`XvX`tdA>K^;#FN(Fn%YWaM_?wp$x_J#a0WBFw3I<^CihzK;2^U8g
zJS51ze!LaDSkIIR{mov7l~{v|UySOv=x8KTP`51k3G-KFyZYAdN@_sA{AWD3)!5jV
zK~PQ-V^5GKd%8jV722dA?Ip6MM#xhkmW;VyZzbIcPSHsb{0BFaa?k%&n$1ie`_+?U
z_#=5V{U)*K_yZ8dA9y|OHQZEAIYk<)Q%Tx+FZhJui4@}pTj&2?-Z+2S&zpMkJ;Rs+
z(J1(h+mr}RN(3X4;bL7RhrzBW1Qj&fGHc9rZc}`wC#dL2YpKba*SSr%{RJ1(#@4)N
zRviGmg_UM~^zTx}#+v%?%EcmW$${xtgoMw_r(d^%<zjD9s58)s4$!l|j&KC8!k;*1
zT3}iDc$a!}tT-B`8BQRxq%$k}3G36+%EVp85XOc6Xt$F>eVaqdwTT|+j<YGwf($7C
zVzBdIm+lGJD=z6rAN)q0W`PPUytgKEHmm$3y{8OBBLh=Fb|kdgUOHk0GvI)4uIa97
zMva_;!TJO3XBBpOFg?Hxgd_4}MSl#|q%j#1Ro?uRoN883d^++X<EQ(Vi!UJqP^v)@
z7fIXfVmuNm>6B}@YHxyU!tZ9w^;(FH)6oE&*AacPfH~Rjqv34r&b?V?`o%;p+Tgc5
zz1-Qimw4n%(Tmn40y-0p+E=1U1xT&>ql>l|?T)3@+sqnLh#=(P7g@(4&_K^kUY0IY
zZ1O`Pc?f!9eEbf$NudGH!cV{F=H{k;i>KC)+Bo@^88?fx8iGyStsI^5J+E0_(er4$
zyJ-y>Nm_9lA&8`z22T17Vx;|-3CZCH);hQBn6bQKhf`CYawJ*E>k$8LwzKHKn7P20
zum%7@KtM}X)d3xAD4aoM$mcTP#z3Hwlb=iXBfW3ete!#qRoD68YgM;q%Z&aZw~AD7
zE8p31_If<+TOjnlK2J9R7k~pXTILx&zg7@NNjV?6n1Qej7f4tdv6Hp5Ha5<oz1xML
zUjNmvX<?$)NaC2}0_&R76QMRj{M50M5D^BcH5_QP3@+vzCdWbC|7!srj2?<b%l4}~
z=?AUXgC@+U@!<4`@y|8RcyJxC-a&e{Y`bN{r>}BX$TpO^%AL|yuj1Q@(rJ`8Q3QvK
zynP)3QU{O14^`szpT6w*2whyCA8(sTeldUFy1DI&nPqEBRZ~a<3pUQSKCA!Bl63c&
zM3(#SmiNqe<jGs3j2Lud;H9qOCC{@f#&HhL8i*f!2A2lEa}ndk3)_WmVUw))IHZRH
zxaDF6Fj>*J^_Xj&$`dV$a$;Et!XyiMMJMMwD9%~n!TCW)M;57*Dl`{6YgfUuNiCcU
zQhu&3*5fFwfBuJwjdk&<=N(;Hj9iKqQGuheib{-ScM#TRC#O1WHM8EQ*4xSIfR5{%
z$!)qVB1yq}vwykw=>(ip;+uJ(Im-T7Agc#iU+;j(g!%HN-pK05R?1!x709$K#=)ql
zkX$fV>(eIANq*gp^!(~m-3n^Mz?}Zd`PNjFl7V%I`Z#rpC|FmWaKa++zKz$CEX&W%
z3l5G)h(5=`n#_xGrCQ2d6NhIp0EXU=H`^H-I9C|$o377vZ9;XNTogyi9OG8JuOC~%
zW}dcSP_%zLv?63s1Jd9|@&bS_QIP7d&$*4YCQg4*(5gLXx9uGrI5#kHb#{~07%cW!
z##ctVs{=WT%9f{FoIoMshTD}rQs?n@i(>kLTSr~@qm{cXs<`C%_*B0bA}DCWiU$Lh
zO&{v_(fs_fsiC2Mo-{~0&?evPyL_nWih&O!?_1%ZoG+-%Tw0C_Q}_^MY!CJxDoGy2
zsbJziatrJ+H{Zl-dEsJWh2MfjqJ3H6K?Gw;iplSoVCx`f;sb(qEIvJ?cl{dxvIwS}
zOzrDpRSK9f&8KI2HY~1|Em(VLq|uqFAym^ukN+yZUwL|$-=!h}K=u!twI~qw3MHiG
z&&bl?yLzEQkd#Z_*!|75YRpj&jh6o<z9b8r+@cLl{K~B6<HBoyJK1dhRyBX>m$FjD
z3%Z_ShKST>!E!)^4)TMh(%f+r2YqbcnLZ*q1(K8c^XJcR=V;kf7o1pdK)aaA++xGf
zVbrkMKcqmkXHvQVKg`Hqx6;gOob`EnDNkH}K7M=}EXep3nb-cinfotGY{DxzL2!8g
zWyXl@6^^Ul_vg0kUf!6f5PLVt_CQUhUTIb{V;dUa+Eai}bK;?W@Su-67>3K7nl+qw
zY`w)!n>{r?{+rELpAMyg4qp@HO<xHXkliZ3%SO^{U6D4h1cg`0Hc4|5O-fM4QC0Gl
zkG6ew(xU*=g_xyuZhXQKe@Z)({-eLb7dWWR<$Pc=bilt<bF>zth}VaT>HhlGnh1hq
z_g;$CLITn?eLvS^7ZxG-yahY6^vD{WZ7?DJHz8G<mko0QB?JLE5fE9VXZ8SnL`ver
z{`KFoTK+DV04gB>wi5S2spdCRNhyXg{rfk49OJXSDDD0;NMJF%<+1@cD=T20YYN&0
z$)*0nt2sY)`FNY!@sqbkpAG|n1YTorP+WE_{yy%qc!kCj41ijT%}Z1jUYU0^zoY4J
zr(zmj0<A(ehF9&gIJ$%r3i=0_s~uEwwZ<+lo{LcGC<RO@h?FFXH2!Jq;jKF#m5><%
z|1~1xZe{#FfeAOSv#zBr_qKyl29{6HaSEHBetrG8cj(yt*ZSfOgJ{4%$Bpb7Dc@mr
zaQE}PPqU?X3>YFyR|d8C07$nRk>C8iVj8+~=0?U`!BC4Q+IwAQgqsqJkBdi`r)5|2
z#SiD*^kZIou`sig5<ER97aAS(7s)EbBzr6r6o-HwZ9!IAzp|enk7(1poXGpTKolW~
z3Y@X`dC<P6XbO*Lw)}D{i#w!CdGaZji2VY+^K|0_E0`?STiH@7u%K+NY^Bf(X`;+v
z!3M@&BEeCG7ANQ0ta{Zz(TqKuY;@P2+|vSVL`(rH)v03A7pn3O#Pz{Z0v6T&HiuA3
z=vOh>T!M&rY!-qkd|JvypGM0zU-Whjp!005SS4&~dqgq4i@n>U8-mo+TeN#6%(s>G
zmPHf)52$+x*??2?3`;`%)PL<+?vF?<wCF0VuNZ+1(@g->9i$K!=-y}9F2&tkH&A5W
zBkrl3O%Xu;ON{0bft@;I;ZLM=zJmurphiZ<HjCu%u(XIaaSQ~C_TQZ-8jI2vtPOm#
zSs!V@elWismM8=aZ>m2JAwXY+#lG&FuiAj?!^Q7)u!_muNqL8i8qjsf)^;9S*7AFX
zJO{UMIF*2ZW<$)-<ywRgCfV(j^qdIuunO~4!?E4nHjhU(j!lkH&7Dr6LZlnFkR}V+
zE^$h@1b$%A_e3Nchs?+?N6=2IBkGhd@3~cDb5vQsqshmD^DCYZ+ozSE&BY?b36MlU
zN4y(^)zc2W_IXtMySwEtH&wSrb+M>^^Hjd#$dm+FY>)sLl5RO=G7EVTuQgSn#jr2b
z9~{P@tf=`WR#tlr4f!oNELg!%v>+ce5$~p0<*RiY%NhMpZ@X%w*Jx+NGE_|rup5KV
zGt%E5SqZ#c!gG-?Uy8+{hy)0X3}#|rZ*M;YGGk-XJi1fk25&8O4!X5>bu^SH;QCPk
zZ+ar+m+~j1CBVg^p?Tpoc$U1x2tXX>eyD_=a~1ZDypY-_vsPAKbm2jtP{GL87%JW<
zyoJ3}3+thB7hnAaEdU46WE`cs??0|*GSJf};{Xw0l2?zeh$47#Jv|Bf9aqCiO|e^{
z2ppk(gnmsRDet5Nqhd<-pRa8H?R1&?gqU-!<1-tmdI-{jHx?7;3{~J#4IKSC1X5KR
z7vQ~{h?eDwK-up*#(pr{mh(TN_M>|N0am^s|F%4o$g&Tj1QEy<K0f}}goK3C52yf`
zCm(>z;5$;M6@0*`SY790$#G1N$_N>0#iptmMUIemwU=G>c5cunIhBwvm$-)=U%FTR
z?`hn!fzGYh-;ZbjDV<0~?@W4@*|nyszb2pREU$uEbYf}V%H6ez;Yz7i%uHXlNGGvo
z5&b4re0+Aw#LAa4i(`kk1}1lw0HqRD4CzX}^&$fMNlz{=%k}d43;l2&`k%9O<bo4m
z6%vd79TUb#CV9j^$GnNnR&#E?F<;K9b9x$?Fp%MlmSjOH-u!u<A`;!XdkZzmugoU@
zlez4ZAMhkIQEz}6a8Gm5zO}Wr<d613hd9Wd3V{LsYz`%{H6$h^pl=|9ub)Au-P7$g
z%miIRCDAO)%lQg)>1kajs3@D#PD##A6?Bo5mlU&v)G{LDF2wBaQ(ZVz_2Y#uI96_O
z5s6JTr+wztgFPoe6>u^A$=M_?9>^7_j=|ApZ5H6um2Tp^ILey*RwF8zz2PwCebY3w
zfZ6=GmTYJD;vDmkh7yrTiNF@TT5`lIt`cENq^)p0l6vtJn?zQC@!@RU?pb!-GPcWb
znCQr%K#x?INRMhKCq6soE1ovc8WJ3`(3Q_TF^`?kV$Jify2?t*G40HZIwL{Q;}VRe
zCYSx$GN)i{vPtAlGVs;EDA%g`S!LWGStaEM`nn`S|3NUnmwM}KX=%~C{MNU*?Nyy~
z+cfodxlQdKruk~j2`*z|!MdME^>NC328)?80^9|i*?*%+TMEHa`;2^iV<Ow8k{pFU
zQUjW_t9CjkMk^_@=~2V}(h!IG)SGv=YFAw$0Z{lKbl8&kesL1BwClk<1<So5h`FpA
zyK#U@O9Litb~;=RZhtKlEWPhlGyPXOuI5K;hO*_5e6g}zkZ`^pId;|tD;0t-fV@;5
zsu&2!LRkQYcoHfxL>p3I0#EhR!uQ>ZE6P#pnc^2w(JnGXG&ex6BrR?Ju#V&7s{PwN
z(XZ2Ym7<nSFWJt;t45?>T!miOy;g_8=qv7I@vB04lJukKJ53~@-w3<N{DVdA&LdbF
z5817Oz(T?_xMu3SP@@4BGJ%9l<`;5Na23eQjp@+hxZGo0)XbQYDQcpic};zNq4G6P
zge2+Bw6U6j+Y#LhgUoomg4bmt1z>KL4CEK?LXm;MaR1ArF5Rk_Y5_E)?1F#*==10}
zR%BE9>b<XM>k$n&sK0G(u8I4_h?_8fom5wI8iDg5mQ{;uUjPJPyuJZ{&lR$SGWhM*
zI{5&Q!c6?*=FJH+A&2j%+uNU>g63G`|1ID7FbRlXkm<(=A$UB8hor+}RVZt6Ea6+K
zw^VS*ALAKZKcG;^Gk06g^F^RUmgg<;-cFUIwRgE^wSauyyHt2|N_k-vsqMBn6)t!E
zLXiyLtr7oVdPliR48~wMgT36{NZq%O^;UJMcdcZtzGB8+!YT6kEL!R3BUulIk1bIZ
znGQZywX)o)n^$*y^ovt)P^9EgAB+SCI2q6m1@9{bs)dAuK%F1aIrp0$PP6$_PjBp%
z$2%3H?!?=uQl2MU2rMbXxXN}_Xs*gws;IQIv=}T@paN*B#qn+X<t@zo&IgpW6Xx<n
zRB3zEhyzgb=&bM8_R50f?rM8`=LiEsRt)hv_ySFwIpUMCdfX2ScaLWGrGy3yAd$_0
zT!MaPH?m%B@P==K;cGJ9$T+@<ndBs$l8b}29+F6B-n7YK(Qdax3S`SvqHl%c-ENom
zlrhE04SYi1Ao?1`vqOhwU5qpef@ElpP-jH{<0eY{isqxIi|8$m{`EYW<<nThccHh&
zvZbO_M*Z<WTD{D;Qr<BkePIp#7b*@Z<w1J$3H8%N6Kz<AAnCad>VP6)hLbZAu#`zz
zde_gfK3;Y7Bhh)$1r8H1+RrX69d2{j`t?4%iom$l1VkO=>Z+>Mh}<GEu}#SjR^!~A
zOT_jr0<KT#3N{T&X90z@5kx=vYlx(jzFs`!=6lYZ#(7EEpaJpm@ta6M>xFOydPPUI
z!(D73L*8u1EsB8W_3rNYO1I`-p(QPs8m$D%YhwaI7%H-;-&bdTWS*9>srkb_vPw68
zIO%0*Z#bhWot$il8u3?LhtKeIoj0GpaL*q1Av*oKGv27O1ssG+b9*jjiGb3#e~vwC
zXGS1&r<7F^EA?wK#3m>q6w>w4VZU(Gy~A-47@y;;G-&*J;{={SpWp+YUlXo~%9{E2
zJ$8xte6-lrnDwhE-PAM3BR=l$`DirnAL-XLJZK_`fJgMm5;4bB{Jq0Xuo`V|k>s5&
z{hQ9jL#!MeA<LeM)=K5rgmMZn;q0SCi1ZfgL)nA0r~drp^yjX3SiAgWm@I1Hbt;hv
z_6KA6w6`I}W7zMM=qWrs&XiwvbfU&COTL=^;9>usKSM*6*m8#=+w|`?eGC<59hn4p
zzDABSm{^TIc9W5~Wg=`$0Wd1Xv3e`-$jX(&Rw@4dHIZB?P?0M>SxE37{z{gCU(s3d
zbOTXTRG#3N_*Jocf<nr>AOnS)&(=2LcBc`cd`;!GYv#y*!ycX9iR_pu7S7=pAk|_g
zR+G>}q;B4Sl-Ln}Z1e6Pa{G^T<qu>)t8dlv-=&fXNrjrrmMIWyVUqNl5@CQ?KutSQ
zR#0=kMFGn0!UVcwq3736=*Xyur>4DnD+MD|$qVG)FrGQzY^6W%$V$gJ5ios;$4yU4
zwv|Bs2;hA7NR<f}MN^}bz#-XLLjxRzaTE?o&DHVq>As237O)l_f8|A~bo<ywnNY2+
zp8t|eaH8(8X3R3n-mS57CKJUgf`D=J;^y)i9*W%djASyljy^p#UREnUrF?9ISE%~?
zifZ3!a>qOp`x~^t(5W^L8meE>N!H2a<>);rJF*DPP_QA{OfjAN6kHl2I-!x^RI!rB
zBifo5?F;kr|3TT}?gKhd!+7)x+&WPb{QZaVap_-8qkT`Mgz{<__kC{pc#?a=fIl?3
zqpol~xcYcHzJYBv?#^=Q+pd{*=zO<?i@Sg_a=7%sx2x(DuP+p|BQcF%!IuBSw)SY#
zHQd%2z)Zo1E3`R9Nh5N(rq0z&sweW;KH&z?Zi!F4u8VKII+Y>CM5mw47RTFd5%?qI
z4p(k340L@U#b=h4(1|!lb{yF6AD{l^_gMtU2qGWeP|<fiK}TXw(c7FFv$RJ@h9)vg
z=PYMJe^}OnE@87dwilOfX%#c%<G&rcJv>+lGK89QLE8FhxcGfBoE4*`38N__H6HIR
z3iKPl_Dq9ZV>r=e1cq;y`8Vi$`$=7F-<jRw=3Uu9SM?S!2NK`goF4vSuWr_W;&c7w
zRSpA!+XDS%n7IhvNh}Agp$qDo)@PjJ^8J9D8a!p^zHA1$0mBwu#}1%OkM#N;H5N}R
zB+OKVHE+$c1Y(R#P?BV|I{yab@COBlxOR)A`Q92{fjxs$|N1^Yr>H0=;dN)Z@@=0@
zBZr{!<Ns(3y2Ktr;rcEfD!K1epdPZ@dQkL*ihzcqggXH}8TG%1n+i?l|JquZPUy<R
zpwIPz5JobkU&V~|g#mZ^e2}B4>a(v8$j?;{9w2{9&LIi{{}SU7vD31Hmo=_Q0HX#S
zoYDr;9+F(&d#I|kP!$`1<u>G6moqS=LzLB`Nyp&vk<St(2vgn@HM^&qoYlLxw+)FV
zGRx<HHIBl=Q2^r^TBTOosPMzZiOVJV9&5|2husL$+SQ$C;qQ0zx?c-_Z!|Iqzf<iA
zhZj(R1u`3Fb?>k7p1+Fs+P#E?x0~mY?EW5rN&fLZ#mUz`aVA1A^ENTwtwjeYak=QZ
z6qMLfv&3<cuLCYL{4Ub=uBYB=HaE>+lPdw*&pmsrPDKnll9Gp6cQ{(I+rI$6uIj`-
zMB$~EQ}#%fs5q$NPg>Lt{LRmv>Is+%^aK3q$*|DDi3(Da0g)`t;+E0I34*R?Nf*eu
zP*CU$A4?%ulIvl%*slzbrSV%4N_vQBz!tdpti3o}LVVO}15UIt<V=y))wR-a^ca^w
z9gA&c7Ub7Chcg<f=xeIG!&@x^M~(znW;S@1kwMcxyrq>bAq}_Yed&Bf4mOx#nX$IJ
zJiUndxUh7Hn%WRSLG=`^l$xI*z4C9v^+gYe?cNI{39bPPI(5n(D#d83Ci#He+;i!&
zS*k$zHwfrRfn1R8&x?X$|Lhq^cyKdfh*N#7XG85n6<C2*VP9weiAVRTE73MLum5wd
zPNrjT_ACyB9h<5IO@c7?izXP4BwE=akH;X1hmTf$;hCBPpN!DE_uySMH#fuHzTKMp
zHl<k;g8s_HY){)Af47ev|Cju4DH=L+^4bM~HgMd`UWJ&2t{nJ*lUBeqtipKA?@~d;
zPWMwQ=*fa_pxGJ+MvQrZx_7x~t+_X6T3k*(F6zyw%?n#jZ4})Bu^y^OrI63c`2>}k
zXwroe(j_?}U|vNf+IfbI>MzhJ2&?3O@bBKG8!6+dw)7$KS+fhaYo3)qhy+Guf2*Bs
zzu^Q`nd3pyXua(ChJKi|gXpLr^s;MSIPl!~Z^qi()J-uZ#9)y;x8e@UtWz7}%vToW
z_4Jhgc$#zPFrAko7NCNPTt?>n^yKaNFYCCX!hPaBv~oEF;C-TXEzOFN)gBCRG4s4i
z!%@7wSV}<;s^T6ZADIOq*UQ(X{jYAz^hy7?nvk8mKyemc=S4aVh**PmD~EjklB*)4
zoUgAKCeA%;kuUEVjv@1gc_4q7<_e0y{Fk<nffVwVUWD0nZM<p}B$6)%)cBnnyci$`
zwq%fIa_pa=RzjJ5t<`75W%B9r<e{nAj!$eGCy76#1JscJc~DY(IA7zK>LO7f34acl
zU9zxfC!ChqZa)28zdIwBmLHck-}_}l14EVMl!f|p@J;F)KtP<Y%-EA17VSrANWZ$c
zZ~<;H?H;v1Tld}PP;T8_(c=bDIjYdHf+H`;4R^)`wRhcnwLZ;#;s|i4p)z)?$tC|u
z6t=)m_Npt|t{WlSZ-I>U?jUllv&&eIBudjcD={SbYnvjuppMo}H8e<hF6-oZR)9_1
z3&^vOFcm*tR)53j;IW3^ACg*|p3({}ZgC9QJVXrG*go;3by?Ioy{$VlK*AnYl8Xo-
zFQYpmUgTNGjt7U`bkH-1dVx)ew)L3TEokevY_(YsAZYl-(&D!DTvNw`v13*Zu5oOE
zh8%UiY9jnMFMlKynOq4XZ~D#<PT7}@nqX0>k+{50mu2;X^-g23T&hL>C}{r+&d&a!
zGB2s3T<|w5&Xi}>HIq)nj0GmsZKTYNhQ;@~VsL%uX^RB^h*HaHO|$_2JJV;Ke00Rm
zE%(ak8jj3we}9`2)T6>BD^m`+;AD_9I9$pGD{^VwIHqAP(NpxAXtIGs^cWdUr&w(l
z4SB~8Hx*J@^?dNeeQWT_r-pNficv#!D_S2{nWDmCl%m2^B6bDAnJ(7Kp{DW?X<SaR
z>##y5=)s=-?@#iLX~ck8kgrTp&7#w%yYj>*&@S@Aj{Z#us$UPoCRNqfa5NTUr}Q!u
zA@(abO6aC&0W<(6i-gg%Q|cxT5$R=!yX*K(#(Zlhc37cjbJT3*>Z%8BN1djQcBGmK
zA7;MJGQK*PzUEDc{M>ih4C;$i<LVY9&SF3OHQCd2AQd(|x~g+b?_3=QcweCUoy;Qn
zoUMpukklu>^_;W4sCBw(6mJ!&RYhkq)q1TLImHYi;#CA{dQm_q+A4%S&B(Fi#5rD6
zK-o-hzJBJoS(2fE<>PrZF!izB;xS~SeAT3Hp8yC*?Tj2Dusw{_Q%EBY`Xwzh{XH^~
z*0Y^Qc|by4zaD1ucY020GWM+tDza`z@816U%|3PStp(DWKnv*|iho}9kK=(AF|uRp
zIn}!^P!6znsMrzw;&koQUN!Z*R%ZVWrUp6;_1>EtS(Kb~lv3-tCrGlvpqsGwvPd!S
z`HD1NLaWXzo1Q>Q_>qD_-Sg3)WBJVdV{lC@;egX&7_3n=Nc^Yt2jS?4ZYhu!{5f1~
zk89k-);J*GTTV{raw5Gw(eUVf;Io%jnudyWZ?K(C3w_r1QtXF%NE}wo<TN-!m7uTx
z2RIX8Ugq{%>s9QK1m&kM(b7cG;is8?+Z?222js3#8)_ZePi_zIBfI@b)^#U9{jMwd
zSp-WxHH-CZ22tEnBaueBd|xCn8a_N*MQ&%QbfBl@1?LCQsNpOcJ}P}zwi1~$oBCT<
zRnHoWJ(ZziDs&!vk%{GvTpNp5%wwTLqvKP!I>ZB?slY1}O%;Icxn=rbO1SV~`?PTl
zHp;nJV+0~dzI$&3O#p;g^I}(@AGWWuQZJ6<&T=nu?f<qdl6pJ*Xm$b5mfekrk0e6o
z=Hx}2ZVn^qbroVL<J>euBjL%9Yi;vU3TdQwBMfd6xH=JEb+;+;U#_V~%-?Qzka;;y
z&G!99YS)i&X9CL{01e#_TAyS7DT6i_x7pBq)R9I<Wbh?{YEVO`GH^g_#9NXp^1YRv
zvtWygdd<clK!lSat;5{=r&q~`EiYqPeR*%)QdxmnlB;z|kEDRrTaE5|m(>#2s=Of$
zw0Gu;vk{o!RX}k>>{eJDh5JcndeTvHQhI@=Ows8Il97Dp_J*`v@QAkF;s=jE@n6oW
zWT$2$SwE!plQjP^ozy@DR0kwN!CKQEh@hB2Z)gun;os3ovH2Q<`OLX}DLkSOQ1IJ%
zhh6v1YDwoREyIJKhj+QFGs4r`#uZ3M^AC^E(vH5IDkM*PYy+RigfRmRsWo`G?d()L
zIz`MjN3!0PR|}SHVJXzVFXW#?1G@Gxflq<D@zHU_F>RhQ3;*KZ98MmD52WY2V&y4^
z(B5weQAjDyB#-!bbo^mk9QwF&e$Bf$Vh1`G0O`a*(%QFpC1*aK+qt!Lg-VesO57j+
zm8RgYb#0;lIU+9{`gBp7$vgA$?6facOz}g}$|3qJ6gkln9Y9dZ7DJULi+Z)e2RoX^
zK|{+XTOs`|O05K>+E`+AQ{0{h2&kv?@C{wnKRyIp%=mDAEZ1v0vIfE(Lx@5Z6;;j3
z!PL@hDCxU!dKz&-+soJMo@%}uU`Ysh_t5b<*{E;H*dP1a+C__WR-e2n;)BD(v)XqJ
z^Y2^SmmXfClfd!+2pmz4y+{rgb+`RDWbnxO99Zjk-0#>6y7V_S57nga#q2_0q4KK0
z(>XZ>-%@eV%Epvxh8fQ=ev#CX?Rg`X4=+=ZQ|EYApw%-8N^zNFBeyQ>!8uo-o-AC>
zZWTU~tbl?so|AVljxGgs-?LzGxS7w@qMG-4XJ~1#V@+P}4CA0i##wX*rs4-*)Bu68
zQ)FuwR8PeZokut)m!JY11Njmepfi-k21L~6UI5GrY7SM&DsnX8nq{%#=5Jpz42}D1
z4YOM$pcZSymW%@1U(uu$+IsJA>Vqzx?sulMkdboMO@%1l2?C>-399k;hqjx7yk?U3
zIHrnWa!Mc!wDU+O14R$IZp{sDtLu>+p4G*dcuD-z-b}+J%N8VM(KUNCFJ69NPL8|o
zIUq)V!KLc-x+z=&vaBNqHs5Atfm;PnzaMpm6gK((eg6td#^RFxs2fvRH_LP1v+eTe
zuz#AYa(YfmqJ7<Q4tZyv@)B~ZrYV;Oy0<qvtxgd?_J-eP*;>w>&y>$zkh8hW91GZ>
zthry}iPusIDW*KF3C>@A{=QE>Fd8x}EBDQi&1T6t54$5PAkmrR!|L?v_?*DWO<&nX
z8o$TVOiuJ#)6CT)55TH}lM)}ZWxDI&$Vq*i%J<er!r9cs^i#S{g=#3nH$>Bs0u3D0
zt_#>V1vJ+5e<`y)uodvGHuKQSbCR;otLxj|@M`!`+kxe4kD2)Wr8?t8?epV7eE~Dm
z`}87dHw)QZ9#vMn35$g5)M^f#cc@5UeG0XL?M<!I+#RUS9$Md6mJ(i_ZS3Fr%jgfg
zv6+nk;W)R9xTt#j{w3?mv(ALqRK@WT(?7)RhX@LX2c)OA7)^2y8nrH_rQ76TaiPi5
z8R?oOJ=+Wz+(+YEhO~lwcP&$|-heG}UE4UP51Ltpi<<(67eN+jI@V77R}ExW?v3PN
zG%G<6Hnua?fNtCcUKKY}%=o8b#O(J%aT7_2UsIn|B`efrKW*e{Fa*&D!erUhs+kpF
z2=h=lvw{j$s3bSkFxc6z8yOchT#N`W5=v#4?#rTC(K7buaG#@PVd=<saC^Hf(c9M1
zF|BN3oAAId8@kEs*J3@n^sF<Ya&$6>0v!lJ@^wF`l5zw9q3gBo_e8B^*vKNlv#HRB
z2As<ois3_=MxJ&C;5x{AH1hs_@K4vOkX3t|xWQPX7m2$E_(fpD@BjVv-*`evD=^<k
T*7g+#w^TqzLQ%XNZs`9%8o3=A

literal 0
HcmV?d00001

diff --git a/docs/images/favicon/favicon310.png b/docs/images/favicon/favicon310.png
new file mode 100644
index 0000000000000000000000000000000000000000..d598696e047b854fea418d12faeee4f183afc562
GIT binary patch
literal 87767
zcmV(}K+wO5P)<h;3K|Lk000e1NJLTq00A}t00A}#1^@s6>%6|H002JMdQ@0+Qek%>
zaB^>EX>4U6ba`-PAZ2)IW&i+q+O3^glI=K>WdFH}S^_Z>%fUd3^bUIYeGc3sGBPr&
zx~iq~<r~8NUS1L~Q&Y78e!c(ue|^_~{KtQU99q0`X;1C7-uy53+~eRM&;9eipTEPM
z&!6Xiss8>e{PWkZKfe+AJNe3=Z`Aka?=bj!`Ntbt{{8y==dWLF{rn?7zZd%b#vd0<
zesbg=zps0KFO=fX*Te6BU;X!eBmd=bet)NSF7fA!|Nh^(u^7AX#T2jjrjTy_^o=q3
zJEg(bB7fc~`J(ghkox&b{P$~j{rS(oE#9C1`rF#w<M-?7pO@mg>+cKd-`42&>!JMn
zwL2^H*E<UT_~d{3MlPw|fBoNI*6#cE^L_8n(~VqNse1iB)E|#>{>2L?mrCbtm0ykD
zg@3p6tMlvO5f_WT+0DtXb%h=xtNme~JB;v!_x!!W;udp!W8?1_S4`(?PinEp#iECl
z{T060*oJ+jhdo*BTH?#`&wB~ybNl(c6&^l$2VNNi7Yk<}|Mu(pcVGN}`Ss_8zE9H)
z;eP&HEAA_5HQa_f=byZa4GG`xnwGP^=hyWYySe|ev56flXPF-!aNP6f60?MV*j76G
zoOoTi^L782duaRj0xS`qUAUQ$*nzu-R6-4Ri?M~kIzH^r;Lc;pak2xUl(@t7u{SAI
zHs^_cHt%WSyf&8j^JSogjlix_V{32}HY?|X{j~gGL!+dUuTn}atvscdQB%#e)LL5=
zqee?Dx6*2B?P<M@Cq4NoPkq|+JpCCx_5_5LUVFRx(|aF-4;@^3@b1AY#+Y%YnP-`G
zw)xCH$HIJ8US-wQ*0cH=JMOe`|6O;x_OtsQZ+J1KH^1erZ+oA&zvIK!zVzj<eD!PJ
z^Yw51xof|>`p>%-{<d@f^{$2AU316sd0qR*uJPs8{<uUCPKtZRj>R0<@#YR-(9u1+
zpOABO=iIZq3t%O(YoWL~JGf))V17d^U-)zH{;_la<-T1d|Bv=9{%1RPxpn_PcJ6ZP
zes}I)_wC>8+8!sOq_aVKp=)}l4`Aa3?=#{vj7k63zxUo@uJDbw&h?JCTK;<9`TFqW
z@a}bgYki@-h6-Zco=?5UH%8gH@U|hGwJ)!m#~U@)UefoBTq2A8uIB?GM`LkjXZH$=
z^{%_t`SvpN_v8d#vQ52|H`lL}d-QKTrLH|ckawkB=l2f&``Rh(R@Yc5eeCv&<J6W5
zD_6@HAk|y%CjrjoWdUQ@DZZT#3cU9DR-A9>Uf^OAy1U=lF+R54*^lebiup}(<n|Sw
zkbC~_wVxdC=i!ngy#UTLAMA=X>7!qv<u#utg*WeajrVT6W30>#CqFPWp1s0ZX5i-b
z7qqCaU<w#*d3jG7JU9k9=Zx=eU&P89Ue!jM1xt?@C<`6Gp4t95R{!>9X~Vb1eCNvZ
z={0pCMY~sxS4&@OYu&iRe4mv9EA`fAE}~VM6A)}4iwPfSUjzHF#E)%!3g1p0hj_Tx
zve%`d^{{W&tUTe%G4@$L_vO90gZko=Uu{@X59xbbUyG=Be<P&zU`*p{y!Cr7R_^7w
z#*4Ss88Dx3VkbZcYlMx>(R>AVm9U7$`eWvKb#}IYX>QhOg)zTt-EV&?%NV$0+%v3)
z|IBq`Z()3C?Ai#k<Ez9+o&mq#{UsiJ3v40mf>UgIar<|~%<dTpqItFyejH*i?&|#W
z{_p&K{p|~ES>o3-dBBX<gD!9FeZArvw1Yd_A3nNRgt6H+pfiA6u-g5#9yhz%OZ)bV
zua8oL(B^f&Si!IREt9=0Z>Rv_JKG!eDL#=0fGwn_URVQ&n%mZG_P_>R;`?bi?)$6j
z!-L-u8YaVjfioq&*y#q8pBQJw@dB~3To2n79#9g>fgN*07%z78hVk6k{<B}8`VK2+
zy!+iBApXV;wCy_HuUF6*?|-l7+38sgcwMX9{6E*oou=|^IQ7r<dk1nG?<4|rcDOxn
z;5~4v2eQ@P$unOBH0+em$026IapE3h<G}mQGh*|vk3GPq#NGqD8_0YB)Vg#0*c(3d
zW1X*<vC<pp1p|7CWvsoQqHEy{JC%l?Mpmv>=;D0G_BKHB@+IwfVMs5xt7XUZO+IOM
zHVu-ArM>e7RU+P;xP0Jybv><sDVs+-m^!i2kF}1O?>=qsYozt*A(I99!t*}qB}h&j
zX6G6@A@1vMCD_f6z43Q_KimZc^hP`z_<Hf*aJ~1N1mvWLq_ie+3jbqY37m}u8T-u-
zph9qs@u`L26UL~|+Qeai6^kNTwX1GCb+(ezCeD2<?ROKISe3vhl=+BX`va>ATnjJ=
zk;t$Xo3?9w@32SPtG4R{dp`iE#D+KE^|gR-_imj#A{amG>#^34r|fYKY>-I1OBm%X
zg;>N>->~C(VFY2;OjPKNwItYv@Fgt}KfnbryRqj6N_rLy@ok<2ZXu({yZ|;5z0lWp
zA)*lV3hw^CAnFTh0TbXIw4u%n<b{<$8?+Kv!GZ~o**JK!^?M7Mg*C!Qdc9YE1}<3N
z7vI140aS?pF8NDwKiJjXzX>Sv`2^GtIAAMV7`3bz2ai@Ywv}7gK0511m?!oVRZ~Wf
z^1e4#Vr3aOkUw@4y|Ll4_*@q4n|KSDjW!;{UVOX_Hm9IJh#7ln*?gp!9SqOq%SLdX
zcce5?i>yFwunIn&Ko1^0*wdak{EMGf+z1HmI5!9dxp~LHN(ba7HwXac)DyQz$eeqp
z)u5AAa0-{EEBx^L1^3ri2kXeqy{viLkpKp|trs&UR==<x!0D+q0}&Zkhdu1chXEt<
zwP&V2u(+_-^FM%W(D0t{f}GaHBK8da4GdyOSXk@YcpIIyCXN7O-}4ZA!OV98LvwYE
z9%AqmJ{Ay%$HSNOwRwLxj1jEg(30?iTCm6t>=hjPDGki}LWMxi$VGPy_e<m>?h+fn
z3O5O1A|asCGrcHFBFE|*uL|!XeB%&c3&eyK+WQ5<z^f?4m%ed%2o*#XdxS}S_l4;b
zbvHi6jpq!i6N|y_41&WZKj35G(0Q)1Ti)L6G*UoU-uD&@8iow5VM`+LJP1>SU_gdX
z+b>Xg7j~uM1LfmGpt7@~cjwJ*5Vqfq$#U0t%Lc*$Hr}-MS60ejD`~OBW3?#Li-beB
z@YBWu9{?QiPIgy*zkWCO`Q6;>>>|%dbX>*&%pYUYw#E$_a$m>J;uNaxeTW4M22Z{X
zSP^e{#34B(U{w~R0>{m0YJd)IvU`z}f|whz0EHkJfl=Ix>|n<GYZ4wl7=tBrUkh6L
z8Og?v_we9oAjqaPkE?$xbv&Jj#6t0r2#F7fgewC$J$OCg7~x0YKo$%Zo%NnG71n?&
zvE4Ao@H`{IY5`?PDR<NX!Y}!73m8KQ?*$bHhA)&AP<H$JTNa%cn*`?08KBn$z|Imx
zLJfG3;%&G@5`pTCNLBsB2Msdw#eD&p8)gpt5y{sIM82jlF|cewkO;y9qoUzCpH5WL
zvj<mZqdzeaDtQS~11DJ!K^Bof0tNvq3;)6yS-1glc~Lcxz$uMKapPo=m5{-hj*0R-
z@0ExS#OoH<#+?>Q7o;XQBhL_`4*>++*#s=u!-hYF-KP;M67Gn80mcHr-rv>pgSbQa
zAij`kKP-zt+XtirL*oiW1!4w&6XXon<AZzY^b-mW6>qSOd{uTb<53SZ{8lndhzZsk
z(1R(A4b_>hI8nhUjUx~$Vgp25mafC?;imPwAOH~FXYv;GV1(*E5Iz|(d%wP!RFfa;
zoMi^1e1?FE^YGg*qBjc?d0+MAiMVKs+A+7?aA9^8XMp$mG7v{|M2lc9H-w{Y0x{B9
zxs1{&`I$SxMq)rGf4OR^1GC_sfWuaf)Z@0`c0J_phVR~Ax$A^Cyfblwuo76rlD;Zx
z${G&}g;i12AeocV4?X+N?+0nQYU`6tLaY!eF>ff$Q_+Mxbxn82RIb9>@DMemhh^&>
zx5x^B{`ilO<y7N^U;r|(K?u+DAn_o{ZM_dWHK4mKz4#i+3!M<zg@)rk8Xtc0v41nF
zJHB=og;|O0Z8G(jal}?x(hl3~h7s&&A(VDA*N0thB3qc~S~x<7r*jui-~+cg2gDl8
z9J%p|18p8AfZ8YW;$v47JPj<s@<8pwK1W{AEEW`#WE}{5O<juwOK?7j3k#p1@$g@s
z5blFiQ}^>x@N0<YjXO=efSr(~v0({^hcCgb5gml0hKPgRsFosHlL!Pyt^i@{T<8Tx
z5bk;g%T=MU@NYFAOd3ysgN0l{5bi6zS}P#GR^s9?ONhoB3?ElUQ4)ae6Mb#~xIvrQ
z#{y2w``H_bhr~x-!fzyw=n<0;FuSa<94P$AhOui2%QJ{Z>=5%p&V5AIT?#@IhBER!
zGGZ`*1uzuQX}!lp_RUI$2WG`{hYR9CG^)pDO1YnZNrxbg7xsB@{gAQuBa{Gi8x4%2
zc%_vMqD3I+5sOB*@bYGi;p_i4Bs|J#9*5P&g3KbYWedFzj$ANAlW6b{RLlLN{Bvw+
z5B3pXxnah^C`JTDyu8ned8`e$CNM}6ebx1!yzDR6ARwM^^Y?iH2ym{mK#@86SU^>r
zR|f)boF(UVl>eKtp%2oySP2jnpFw;9IC~Oy36^b*P9XV22$Z(^$BSR=1niCwkWV~r
zpK||&@5(oBFzQoy5OEN6otOa%o4LbTr=*%?f#yAZutpz<nn%gg_x!|1iG);<n?Tid
z!vYT(B2<p0gIxk15gG8osR-@g=r`LB3w?4$DO6P5jWajAvBMAGeJ!ky7{ktHh!G}-
zF{h2?W9t|%Xcbg_NVf~}C^3Rg!Qt*uLGlT<0#Jxo;2tClP(&4sI*pg5vrQPR`3o>j
z@^M470<x$bi^Vb*JPtN9^diDDudyWYnHhs{WpookQDIHMhhjp@k{-CyzVKnV1s_{`
zLf|JJzP|VcvI>C!7eH?#E$>Ds$4MqvYuX2K1XyXPq!5rb`|4Z|9|WNR&qoTynoYI^
z-p8U4T>`%O5!B&G5K`c@N!tMr$l!ws0htK*>p9^&z(>HWv>SN0A`1{DhR~P9>Xuq{
z8oU#WM;=Nhpj+^iYL;~hnpaiQixi94&_YA<@tl~CPBv0_rt#pDU(Ide4o-wxN4alE
z4@~JXU9jHkMoUVKumw<wYZ|<^w6jY*L33gXJOeR}01ppF4HH>xSShRzgqK&K7_R`v
z<f8>%xTtB2h&sj=<oh=Q7U$ld>%r}=H6_DDHA2%TX7GrJLL|cl7RuKT(hPh)q*}}#
z0|@oQ0W^~b!H%MG)sh(0Ef<N4K<>x74gQqXt`Z4>b+Y&OgRBW3uOI&6i3xGHplAvc
zlds$f8&U8RWJEwThn;WM{9>2Yo7^zgy>aG;<-r2Bu5&*H!YA077uwwBd$Uk@;Zb>$
z`$fiaQyGNBp4<D0QezORy%^-#1Sp~oCfuY(XnKsq07OhNGe)p=yV-YEy_I)fP0K5T
zNHqwl;CQQSHD<%bP|%OpS+(M(51#;o{5qUn0oMu&J>I6b^Lj3J_yt)8;TrJ;8-nLN
zd|ZcH-Ct)@*qZl1Z^C51I|C^LQAnHz_BU%l3@YOy^w)blYEVovndaaL36viT&B6dK
zELKAnc2!#ao0j=gm|lNTsKl9dZ-6bs3W!^f#0rk!8jYv~@XEdWo%Uyn8U50MPB?S5
z&~U8)xrJ2|di%|lcrNH0divq+2oku0qK#nwz|UAsNcT-RBiK9`cfRkGCR=rd57J~Z
z_|AAJff<p|S#1JtBCa7qcJ~GmvH^7qC%VllB4F51;>s3Khytg0V4j3f^ON)%FP6b}
zWBK6R9)pjE#D6oE4Fl>{GL)2ZUX$m%!Q$IBbKrg-)M~65b~Ay8SGB>1O07cTs)Wvy
zIYAT-et&4rHxYX3Fcg2MF7ll~{dGZ`PnR^FJNtci|4BukKY!l;!?XwkaPc=rQ;Lxt
zy%6}w!f0_Z;ilNl+LD0>QkJ^J1k;sn%<y!eo;5`gE)*o6gqHZ83YD99KPdQMqi)C(
zCZzQ19q1s+B&$CaugK646d_-%Kpo%g5hG57y=@Vu8kVnn5(U(bzy~@rRCEOb6Mw~r
zKGZJEOF=WRi1p?EWS%gAavQ5c+DeWg-RU}2mB-{L2s>DMHh%*R=x#V>f#sW2hT>Th
zLTatdi}AEh?10$?Q<9(Q!$s^LCfvABLN`?A4n#$)!>kE$>+WFbum+M_ESYyFK9q;G
zmXfk{i~B9#mG=tx9Q^;ml29{k4tR?dfL$vK^H@GzY?WzhiGGx`ytmmSG!(C5+urYT
zH>bSi+YdzJ!J&8+A`LMuy9_gdL<Fye&d8Rt0#e5^MvyCFNiXC&bnu8x`0@l%x$Q)>
zzd;vn8bt*2=v;NT^#QaUO_vS0pwS>;&3hD6r)#o=@j~ZWg#dv;R-6{NL`zIm>@weX
zKNfdh_B>++fO<K#t4IHz2tjNSwFM=;B*UBA!Q%E4l9_azVyPBaKj}ywA|Y$=H1lO}
zB*Yf%;8ce2!Y^SFX<Y;+;s}<3VPp_2n$Ja~WHchKnk}wEV47N_f>DGokk1Mw>})Pe
z!BgnDHu?>1*cKLupKQY1I}runUblgi51vF%w!>_DH{}yGx;VqT=dE<J`isg2h;q51
zsYsy6Ga0`CF^CCZ1go=EB7Arpfd!;PI>0{P`{W^u>+xm&RWDEob9szm=&Snulprk?
zeoA({&;s8_0A*7$H-b-mNV;Au#R}yR&pzJ^=VcRXfhd%^s-9I`pa6y6X0M1YWi|l~
zfenrz%V4TleR(8Z1i?hWU6*MzL^|{Z+Xqra9tg?+SnzF(&LsY_--N9}$bjb)ph*UN
zkXWI+56{Ml@1>}!x(KUH<gV{D3svHR2yK8g^gCiesCt0uU?sj`ZD16ubYTC3_w(VF
zn1@MPg3BOmJnvU*hMA9zM4vSXKcUDx5OK{?8iZgrwl1er>AXxe+~#%PkxNe*EmT(r
zEBYIIwLHM{m`g$j*JVkJ%a{)bH32bha@>{2zu<ri9c<db+&uaj;`^OE^E6xe%0+Py
zf*D+13J#U14><JUOO-crJy^*#d45Q<r5*y!yMb>^vXz;w=jc%YD;6`^Z?ixc2t2$l
z)%asc$^sAK;zCf`i~wJ-sC5GruGc*#c=?<d5;E+=_#CVQzNhzrb<Ci}+i*s>1@ij3
zPpIj^)TsaZ$^E012u^Jnxwa|=NHZebBkUgT*J_wZj6`~Wu5kU^OAzt?ll-LBn`Spm
zQw^Z0v0c_>-&gBq=K<7CD8sh73+a7?FS1)|$Ogwmv%gQzJ;V$RBnZC&Ax%gsVq&SP
zY{Sr2T7od+&SjZ<LtCz~5O<B6S~U_*njvk=&iyRBmfIrIt2a>R{bKPpD#W6wc`nNu
z6Ha@w6|=}pax3}4eb{i6;wSkUr7xHQJdV&27OSc7+tE%TSYHfU0pSI=<q-&Np{mC_
z!k@4UNkM+}X=1^Q4R10{)LNc6$z@dwOT(-3V<=JWL_|kI*KZgiV9=L00FMIfh=5%<
z^4s9@AyMhgIb1K8_Zf@L-K^Gx9_4z1;kyPzG(NwAdJ~sK0K?!RZO>21+>FcW34VAj
zLIBi(nA&SMqbwnXMI+$Vbyo9<YYpo-Ng>}Hz;MFhwhB^FB^xb`(<XZW>{EE|k}#>6
z&FDPV0ePJA^d?A6LPC$#A~#<V{E|Ho7<)#NbhJnW<l%^qodGFYybcL7fdYv#=nf0@
z9a%V}p6v6q#zg$ubw>=34S;1dA}yp9vq}9GZPLOyk;hS;PS63$!;pC0-wh(B(+ps~
zgUjSR2z;>Xp7GF2ehI&UegKQylKdXz-B7AwHv((Krj?Gi<?dLmT2!~7C>qL0wh8*!
z_w};EgK!;Lx3VPVTtPwwFKl&BGZ)+!APEl2xp*v83yXZfKfo$L)9<-ruzHSez(@(f
zn0;GNzp~{}K-BY{{*cc!3}Q7}2?tr4RqFd|H?b>07Sd(#%AMdP!N-!P1y7uq0B50M
z-k`5hkhqjUl&^-w%E9_;E@o7f`e<Wm%~rd#lB@;~r~`L|20%W+c2M+1HPohk8<uL}
zIaVW}mcTN%y+60IrK^U)b>|21d1{U}vasSPw281zrF?Z}V!?_Pr<`}O0EN~Ch0-8~
z!(3toJNreLz|-0bH_>q+W`Iu06Wapdh$Hnhj()@w9tTF82HX$a`7)-*#v44}xCoG#
zF%)XAtq!Z^Fc6|3$cKl2w>e9023Hw1+z-pkzVLDT<jw;DP*1Pjv=6S_iBqh}I<>F`
zZ$k}3zX@J89Q0fto)botZB%Z)F0Fvd&a9=pa0GUZAZK?3fsYuBQUctH<-+pfLM%Om
z2bI&U`I=J$cMc`C-D%4_%t<`&CEbA);^7Y;PF&v2MSw?FZWAEldsWeH*WHSPKW@Gb
zt!)w_03d)G73Pn`(}7@5mMvNB22Mf%*nbFo<*^bW66(VWmuCSk6Pojkkn!uA1?PUS
z%}WfjC+}^qE<LR51vW@2i%3Ec0{@oUt^Bj(r(iO%VEZ>%X<|gM3+j^Z!5D)1kuVgB
z308pq2br+F3FsOMdLX>Lc%GDkh(DB*bz4H-(YpHe!3ZEW>{y>RXbdPr#uN_S0M}7X
z*l;#YL7-1I=%7G8!aSm)Y&Zolg@VQ)*{t|HumY&Y4TElo-4n4*I|eycm?}6xjC%sd
zPnvb%HIc{z6aYIsT8J2}3Cb6m*kD71FPjQyvgmRfh#xC?&`(e#jPqy&Rdda;OiBB+
zyX?YxE$zVK!po}NR)7HUXkniKv%bD!-(w>VtKG+6KH3f@%guo6geYP~&KES6ePO#0
zP|)I1Sfpx;$Y+%blLnW}+GA+CVk_a;N4Bz_VP$zlA17X0Q%^UM6h#Q($e?Weq<2-8
z-3NXi(NS{XPiH;tcD5u8OGaQ=SlbNyw%KMzvjyvANmsX|e&2BF8vuUrr`tLmCjA;X
zZ%e?47b`d*L62-rBWzsz@Y`<iG`{a|ji9En5SgNS3I(+92;86CAo#FBW$@%_@rL=C
zdVAzYcpaFU34Q1<Fl#OtO?%%}yH$2vd)hV<kjbAgggx+LypHXS1OdqD=wG?;__6>Y
zZW14VU%2rJE6~k4h<!F?JodSoGYiP?t{8bM7=?wjJK719+q@JNA-M^+Y6*qU9+rK|
zBcEl<pR!DSZ4jJWji5)N>Y+T~9r|ep9_r$n+z0{@64ea%tTLgMmyFYFih~oWD|{CL
z(xTQ4>KyH2{h`?u0r{*KasI(A&0Z04mR)>?SmM2%4?GoO3i|v`8~)zGI)J^Y5~e^#
z);uihvnfH?tsC{!wwb2SObGjBgIBbKHtoh|Wx3&G)(M+E+`CxBwK9&fVjV`|(YVD5
zz$1P_LW1M}Hq)#e>@PF_`e2aOqEPW5GRgrkv3Tl|Si-%{TwNFl6hxCM_9dD(IoZ3p
z+3<fP^5m&656gO3&%y$@QlGfTU|$l#?{0Pw@F9RYoL7Dh!!Gb@9xd9HXSRMpLstSN
zlWoBjs)r)q-1^pu?AW}xN&S^eLy)R%9w>lqv5lt(F4aV!1-gZOCQyfH2PH@YSI4S`
z9&Qc#x)IScNOjkYVDTID20RyCuuOu%(Ou+)oFcY;;z?FMeda+|yo0SO=zbh6$M-ki
zrviRiLTrY}zaZmqS;!?!z*_S+zf*+Uz1xz=Qed2mZM2q6Y}V{~bYl$?2eJCv)&?W_
z*bu;FAUaVO<)jBr%R^xOOR8`<9%g;^n_Q-xR@7KWwKajgfH8&&%$RkF@-lmA7i3@m
z<yPQW=4}QGhz`+XQfU{GAlrIIl#P5)c>tj|ez#TY+I|bJ^)vVk8~Q)uYp{TZR%-I?
z+){^?Uua_X4O|fmla(B>ah~ZR=!Csf#6#lPTPA9e$Hg5{wcJJvAjL$26}v005G01s
zbaY3K&lFBF<PCeUcU{t{Z+!+>cHueN7(sE{Pub1bchqw`Q3S+-z$|-%i9R+B%O1fJ
z7A|7<V0+-dsx=j;u$m2BZIylG7;cov6ZVB4RNKF5%z(s%ro({Q{$W_3K6V*!Wn2>_
z0n0=YL5Xk+LLD&)nw2Z@FJI7m`>H3D;<fn#1AX3u0ihHAF>fwlt0Y@S<U^+xbtxjK
zMgmYjA?e%svI2Y>VBrjqdwdaNNS6E}91V4F%JCnn^0SsK5tL)Wsv?q)AV1(3XzvTU
zZ03bPk9}8jg=kMU3-$5Z!2v~*!rz5Byoo8Xm_#~RaIl6T%-Ulx_*#5;3PQ_6lqu+~
zG3LpFHh9)B)^X*;4W_`th|%w4FNn$GMWh6?918sFHt}KcBiPrIbB!l>gSDqMykiu?
z1oX%z>1@oqEsrHzo`F%@rs4kul^yJDLQ{Ylu3NAN-lqbxaeC-nw~jYQ4(O&y)OH3y
zDonV9F55|q<hslQ5~>^87xQIt&hzW^)=k2x&=TU}r#=V#16-?}P9>f?S0ZycxqhO^
zr)DKq*fokT!!qsvKnG*{*e`MlZMFhoKuuEZ_XU^uR()>n-h3A1^5Wgqs=|F5b1^SI
z(XwSTO)yz%wD5=E8-!{g*)CetTCw}F>#*-6@Dj+cVlM?)1BesC`rP+2E<?saP|*9e
zq$THm&}-Pyb5Ifjexv9=b{Ms8ljH>##9lkXXd)&|5D)u}=8mxf0k|_{!&X$H53tbf
zySO16fR7z%WsB~?z7fFd-Tek*R>b-6xMs^2G=p%wt+3(F<vo(f0TjogY|vjZ{`7XY
zX^-iJsW_Gf9)Z_KLfu2mMmXl>zy>rJvcK{A_JKSh0smWSI_*jXpgw|Ve69rlARyQj
zHBTm+ojDEJ{0;?*g6wvb1woGviVd4)?FcC@D1iyi33TjmLF(SS+B(EuOeBp3Wa5II
zV-Il<(0zh?jsnEz@Pku~{wzdbIy|cFVi7$0j9-{XJA(}3M(uN0uea^sF$0utCx^PB
zecq7LX^T#fu`W#?X1nXvs-ck8C8oePgAi`<2;a5f+xz4@XinlWpi2-1NRTCSBt#98
zpQy4x-|vDu<3q1${aao2p;yLC(9?3Jnoc`YdAX(gx3lRVe>X=;pfFFmzw3|@_H9|M
z9!{O`dA+>tG@C2|xa0doe0G&pQ(@TJKfH_$m?cBkbGvK^OS=DOZSG?g&AvDIkkQ`E
zD`0Pn!f-wb`OcewE&>b$iKo%Ufx30oLx($I{q%Pd;A^(}-_8uij<zzSWiJ~z)qZ-d
zvG#>;4h6s|`?8-GVUp+oxJNe2zC$1mly&$7*4P%i4Ya_kuqCV!RLJGElJ1(}kC2Jd
z3Nj0uy@CAO7&Gid<sLGtGrQ!*hIT-~F8fSSli|J}SIxCWWYjdK@nRPDYVFN&5EF1q
z=bnlgolv@slTX?>bBY^+0ab!P&rq%TwT8rW2+i3;*e?EjEgu8s&odDpbs%EEvc5I&
zxNxRXvdLroDB0)_fSHTLzOv&FAPq)e<F$kqi#}#r&7qj!it$a*Mg+9!HtQ-M8-t=Z
zc|tIKQT}%DnqTki9&Gc%;qBGNQo%B}?0b;Ijsd++_}OLjpdKJcX2~I|(dJedJzfMA
zA%Nmwd3SXGUC-n)M!i{#N2Y1+1e<}NIPrv9Fn^5~ZIz#OBhUyCD$1?rPF963HlOvy
zjsf2X(F&hBy@w{XG=o_&O9ST(@ivSnTR-MQ?5w9d`6o*@VE#z*C*C_knXva>i28&q
zRNo$_gs>rtbNi?eZAczoZE_D>NU!wM=2nCsX8oCkcb>POIiqk=w#hooBGwuHUb9v3
z57i~45X}{JntK%|vNq^7F8g*Nt+s(jAcg(uvRUkY75gT^STF=;oGrFOlCW~D$zDKn
zUsHz5O3f?Fl#880)rPl3EbsNF(7kw=`2<IO%5mE64o(#_R))8MO-?m-E%y3AV9V9X
zGMO$Rvn~U(gBSDf7vaceEqiwzu!Ud6#yzZLR|w7wG!Vl&0n)Jvb|A0>lJ^&04BK!7
zFTp)wiAq#RU2=$}rV5*3y`lA=?5Emffbc-~I~NU$!m83O9q%{<WE2JCK!c;b`Lu><
z)>FUkYzE%2s;#&$4uLl4rvt&3;B8oXObSNA^lOT_7)SZM*Q{xST0&zTE-~?Ay95Y6
zrs2pQo6A&amIy$5w;{;F>`soe02p@O0M`gD+u*daJ9lTkABXHgHgq__ux0Sb)Q4?v
z1QT1u*p7X)4NSplS@g*|0uHOd)i8{tWCy+<;?Mf*(k5)D3;7+p!%PltIfY`C&W2o~
z86K?7EDYL;`r6KT&4|$<eaf0WVnO$ko%RbZU_tJr{P}F>8(F;5E@(L=em3f}rH(Y}
zXT^TgX}k%@2q!n;eYt%|Q5MZo1}bp3CB~m_T#JL5&*C!BG`tPn=<otTv3*ELfE$KU
zAlxvZcf@PFCu{_}fACa9mr8A0Uxd07FoK<;<=ZgRI$28Gd$OU=nXIUIC_-s{>vBTC
zzM5NLfR@4pK8QFt8Cs9QAv^eJbwb>(qFNwX-2{MXW1eB!X2mC8e-FcdhGYEtek7Zp
zg}HnxVURHAxB}unqG-FV<?IiT^IYu9t!@%L?o<0D;I>LQZhwYjhmw9HEb;9`*z`w)
zji)0x&8wJ%(^It^*wlw8drfJvbFae|-Ney}#&8+0{u7O>LqI?s9+FYp^K$6#r$$ic
zwjU?fRnO2Jj?Q;1J6k4C;-$Gc8Gd!H(+1^})Yu4;`#SLoNj7XBLBj-4sS;KL;PAXB
zrHj(F=dms094o!wZ+3?oY=LlM;6-m<x!VY1Yg07+HNwZreG*v$6=4QZ9UXwZe^w=+
zdA|ssV|US_Pr#gS3kH|nsM!?U<XK^hU);WQjgz{qMOxhNhs!1V(Sx=G;EkYwX()3L
z0pZs#6C9t7sCIK=c=ohAQFTu#zhufqX%4S0%h=Uo;r-d5(+GRj+%NPZ0{$HlZz}$^
zQSG}Ec*dS!L6DYif+oS4)62^5s8}bgv4$0bxu4Y|pW>Mdm)U8H-{3nz2UeUFlKHf0
zB*UX!+K`eb=G$Hg1rua{+p)316&T8}{BTVhPI>C&bOZWwuteajSYrMTC`HU5E#Kdr
zupRFtx0?-rd7Ej#tmcKJw}bnu!*P!2coUZDK(D0p)fiqi41qJg7BZR>WLDg;T=u}h
zAVPgLS@&Xs#w^^r)tiX#NW9Z<)*DVm>ItBfvx=rsSO^#x=KM`N_hbw=%zrqW2y=p(
zCn-&n)Is<Oq0w^*R(DVZU^DI3ZG*GoZ>LYx0Fs4p_+h!kwKH>I#lgcQkY^HabLry&
z5D8axX#dudF!<aY7j*b9oEF=q)Z5PmGhe5pXyCLqaU#FrC3vO%hgquwYCT9GIUAMa
zAGU6Ks6&Hq+6-X%@q)1sIRJ`?{d4{1pjiG6gHA|*obt(cA&5;&0HZaeQ;#KZRs}Kk
z=Q#BTll<+Ddy_EJUYq0aH=cPrsln&6_ZC5$!-VymRblT{7u;7q{guzP?^6Pww)X=a
zPdD`n#@OBa;B$Aj;R)u>rzYd1oyePu-iMmr9bc&Lc&`dg1f2X26kN<ap*?iLLMD!B
zWy+cN)7jrJwa>n|_y*g8&*=#bxrMyGyg7Vt;a1fFw%aC?UB+WBZDBRw1;P$a(#%Ao
zE|qyspE`Dd(W?#eiq~m75ZE3&<VvyCM1;ZemP87O4K}nbhak3{o5?vlgf6I&;mr?1
z?6%#*w0@5-k_K;^0+2mKwFi_eaF?76s&|q3S>3I+`q)g=Aee}Fj4F-{jJ$CXwa|(v
z&S=Mt&1$#Be0$=syU(P=hFjn}3+#<pgo9+<50W*V79yPK`iOGRhcN>mxJx9wAge!T
zaZg4IkhnoSG@s^aIgNWu66j!R=oBs^+!@UFXcdGb0h|X&_lZ&^B~a;P`=NABhXtow
z*dPc0fP`i%4>}yKQWZ$WG<3Dgd*P#>hhUuc9d;ea{mez(P6wO2M90+AnubX0u&i)r
z8|(W|@8xAn{K1Xwe1YxC5JOxAZusN}^a*x6nrk&R0gMp1_*|@eOE$`bnDoGli$8}v
z(?ngxZR}#a1J3}SeVzf~(E`(MvwDDSSC5o{$yJjMH$lhQ8E8#VRM`l3E-+8(%tqtI
zqS*inEs&90m_LcobLaxxCf!!J{?Rmi{nQwo{=Vlp)-(DrePUy6v>DHF=I&&=y{6og
zbDr-r@sW8y9p_s3%y;$WAoEnuu&bkE2g)cSX)s+f_pqBqwrX4N>CRr`j3W_7oVkXm
zsMIcR9K}r_8wDk0BMNjID8?btdl*L^*0L=Nnwt{@9F2fq^hfqH9|dl|Y+F<_*b^|6
zim>xixql4&k;B_~6&Fam%^5=XfD#+wR+@vj2`PH5bzaV*$Emcla}}NKNkD|Kf|I3$
zeqyl+MsI*)N9&8(sx$kF-Z&Y{ZGbQJ!d0t+VRuiKNh(<<sZ4`}4W}sQa0NfU+Q-4e
zBHmwk<40HoxaS#6%;Va_Zd`1XwE^2q@Qr>d?eOzC9LfUf5@P9oVt|^$F<I^xb^Yvl
z6ETv*(dBZgcqfxhygT8#sL@wlBeZzr$#X~J6L8GScd^X9f)goNJeK4LBDdeJWr~BC
ze<p(M6cjir#$J>3ta=!TCGd=kAYCOuj!W7?yqtL8F<&e=Tn<?lv-@nS=bpsvlywP>
zNNx=gTY=gFQ~}fF<3Q2cKoVBt6F^LX-mt{0Jkc&7d$Mk}Rvb8qPvqGoVwwv6ZS?tU
z?c=|2GSRJq<1BJ)!$Y#{VIK}Gr&#U3uRnRL_oub{?Ev&Pb1v?do9J({0*qghBamoB
z8+>%|tC^IyiAO~`Q$4|htxSkH1pJ0OopA-{d5!3p=d*6Gs)8)6Nj~FVGhX)7+P~f4
zBUte{!p6G)-R?M^(-vec-U#6g7a#sJdiEU+5dQqm_4jWT!QuX?xB;VT9v*DYpDy<I
zk1qIs`ObB|Rr1epNC9JGvJYps#{`e9(TFrYk#LxUXF{x>r$ZMRSRg3Yi0^!%D4iS<
z%U%b8v*W7{H0Lm#alM`8PIk!*l`e0xyL3V;oPI>Wqg&xh?Q+)G$<b-ia-X^w?w#v7
z2dCJ;AgF9qo3RWdf0K>rHIy7dBXqdgZTpY-SGME!w#qati)`DX%WLy>|K_-1Sy(gp
z)*TBwCtD<;?>^~3fETpxShigveWMN_FQ`@aEO?{~N;t@sUhEU~kB&jZ>VLMNd8Qql
zc6=uR-fGDg4*`j1ry=ox@Q_}kIgxB8S#@5*+^EV|JOFX%*b|8Hr?)|~?J&G}pg+8g
zjUh<FnWxfkf&;IUkeI_(<2{76o{@ew$oz|CU4OA3dmp~sJGP06yy07q@uy)_(D-WF
z$VSC>_yOQhoYNm0alo|z{|y&Jc%H&2dPF!G2YE0N&zUKv7HtG$Z@ggFpP$<S5A$e`
ziN`NocrL&mV8A28Pk=4Q5Lx;0Gyhb~*xE^k3WA0d&;nq8xU^YtTauifDdCcG*tN&r
zLf19KZChW4B|ICY5is=14MX!j$32}i#F6{mS^CiI*+2k&<+9+6Rd;*A&Ipkx0tJ8_
zbwnELqvNLtF?H~~APm?p+d~da$%6;Dhp(Yp@{J*R33$(!qv=&1L$$fv{W~B`$g-*M
zK5dD&oh3X5_t{_(sP=uO{&UK~?X;{DTw^Uy7c*01*00)XAnN35N!%HJ&$Pg7GZb4v
zps}^@3WTNt3+P~But=c7!w)B$^0_U6u#5P+kJ0jZwoRmo?8hd?NqamF+g(tZas$=2
zcsp%06d>DkSLC{A8CzRk2>KyOwl?Cn-$6{%8BNm5>g~&epD-2nIKLJ)@a&KbbuW}0
zu0OrnJ+<uHvo;J#a)8Hnt@7HzoM7PJ1<V$YG_wKQS^BKeO^>%hPka1TAGRRn;1vGI
zj`p0Ai-|=Kg7UOD++<(Gp|@H76{jkz>PYGB4poOblDWrZvWd9tJZI@1_+<lzDKxxk
z-uP7LS3T8&JD>fIgjwq`fRe@88<~m;$_W5!r+-lto7j^>wH#hp=Z7`by{~=_@_}H6
zWI)Db1x0rLHl1oOcS@6efkcB4icRDwPXKBX{@_ctUa>ty+T`s9=f4{g(Me<rC3RUx
zd=5mMe#_58WcDFBI2=}Io5GA!S_|#Doc~fz7SEpgOlO_(T#=t}ri|OBgi(QJBfrx*
zcV@r#gOwtMaU0eqULBzib-Eu}%e3rkmBJ%gimfA~{S5pMp7m#T`~H`|i~ac*P-og2
zmWYgcZ@k^S6)`SZnq(zVZOEORJZS3XV=}LLzUE0=rbnW)_4xX=?9#s{44iedN+b2P
z#0twIjIlgOVds#SJ<QItKKf!XQ~45Ft--?o(ETu~t-EZ8-xM~AhI?nw_`&2q8&gf5
zoM`|e6=r19m8rwMkgRrKqb;tu)bJ;Mdz#Vf$((|y-e!FnSevRrpyj<`g&z9=5@s&e
z?sD37-c!ts^|O86)^$Mpe%}%07#~8+gFHN(Z931qJXh{jAxzs!Y!-<Yr_iq1z;SsX
zLHH?BiQ?T7ytD1wMML-z%WssJ2L<)_cttOSyh)ruf}fowP7_5w^ko56JjkPLf|1><
z$>U}`spUCmD!jG{dmaPCGTwxP=0P5|d#mxwfE7U4xoz3=HyyY_SbXMXG3#;WM2hF$
zu(7!GO<X`vkLV@iZF4K2f?49f_jhG97C|tblL72{o-!VfiJAyV1u<+0v-9jmyQBP<
zExHGu-*eCj4j<B$S;c0KUUh^VpD-l!V=#f|+&9k$7yIDoA2bTO4=0B}&XaOtZxH>y
z=)EAC$Q1%iv7cjkuB62ZqzKGxLM@j&j1pefwO&!bc#eig$yuUj6VPHUTx~c9{M8nY
zc6uD<e^1r^wDoQ@56_!w^|-g(H7syj3$r^;In_^qyG$Dst$_a42%?WC*bz%SqU*V3
zFhAXP1(uuxt3Y&qLELE3e3*4Vhc==h7m*eN^jN<tqO+m)LR<2S9)AMo0PiqBbC;Mt
zXi{*GI))RKuT3rprChJi7Vw19;5ui#drQHjw08UvzEzfN7kn)fmw<@wSz#(yhwwu5
z?3vpRO^Z@+yp$cjOUn^pV>R*Yv5gh0u93SBD3=@BX#I~z#$A3+&~m&sTB%`iJi<WC
zOlv!GM>G-}%%NJ`h5Q}04^CQ7Q|g$TeP*`J!I`v1WM$VtuU@T~3JVB^NZ<qWWh*Ke
zM*^x<=J`8|zOANxvz}S>Wk;anrO%~u>t`0ddAhC{x#cX~YZ3E<d2<<?b>N-jemw1h
zIEY;4Q|b&=wIM%2(|*XsWSQvotkQEe51fXX+-ISQ@iOJE>!72sk4&Im=DIqYhgjT}
zfUcjR6%iGf;zO|8(oJZcBh^l(9(R})_-3@&NGyW7K}6zf73N)@k&-(SBAY#RWPT{c
z&m<<0xhfW09eW6JWyKsY&ow=3!+w4T)4_^2J&%F=I&%R8*TN;ZEpunZ+|9wzr<vR~
zWnTK4b~Oi2c*|obqQM>0cb=8h9$;i2*~z_hsPFO+gJ^-#wvpzXYFjakiDL11K51oM
zR!oPz&nAkWQ>wlo6cIp-!?FAK^ikJ8jxl-u%`qm<2%gfT6UN-jEKYrfad`miD>o{q
zZ0;t33&T^Aevdxk?LUW~oTE?JOAkL`XJhx=TA~upSexS5^o*xt*$yb0VF4f%(GcBM
zfX@lvj&OtKNpi)8!MlUJ=nT2MjDb*knS*+5WyJCw*KD?${~QeD*kMIza@nYu!E9Yi
zc04<}I0-m*(hn!=%4LCKbf^rnW(fu7hzXO_=>*|y4>kgv^|JrYrd8VpkbVR$lXtSX
zuRfQo1kmzg=3EmycY{J>+s;(2zRa%~<pkT>Sr`H}%R26#DLgxpak_eKTl2GrRo@+V
zB<M_=*B__ZKzkdyz+_m&Yd*Oun>v!h=}ymxET`uZRJyXm2)~`RFHhs)?^ckSCljIP
z^E!DvyM9@<9TUD~qaE+SlEeHtpJCJs>+oE@rM-g>-0WNn&P#xWmU}QJ)Dg1djQg|^
zYTK>h6MVfnS!K^FP<|ouE4xYLeVp5iubmOR;W3ae0IU+K?772wSbR&zqI|XarVW^b
z$~nz}IEFZRz#_ikA#28p(+`Lgtez8U>B1R9JfO}#onLZR16AmGK>B=E9bO5hb7yOO
z&-y)Y6&wK-Q<xnML6GvX@E(tUREOP`^lAxU!fQ?$Bpzj6BbXVUr}S!l^>gCsEeBe5
za7ee>W?wwYNR@Byq}YnQ>>DvJu`I{k*X=n4gqF9$YOs9^j_-^nLDN3R5JYP@6@6q2
zlmp*pj{=m&z~+e#uos+Gl<};u6au2wmVRy!b;9nxrsAh;`Rz+C&x1e|b}Sw$?^!+A
z3#b$^a2^eHYIhReZAw)Hw!h1=0n1`Bdj1?gRXwQJDi6>K^?J{-kBDcedtBplv9U7n
zFWK3cE%;}T%HZqfsb7CGgR|%FPp4J3YbaNpAO>e{P<>}S`to4Wh}}Z1#{pN5vkJ~3
zAU$~7Jcn~V5Ug`J7yO^V?dcQKL?Fn}AQJ8Emwg+J-S#XNOLB?m*Q$rb5u&H*?GzE!
z-Pwb6T9;h^e>x{JdMwg4z)s#h#5Mc&hUcAO{o`{4UhOu)5j$!Kf5E;T(}{2!=t(<A
z*}+PeJ)@t4S~k)S*10}-5&XV%1WJ%#dD;>xta+FUo5a0i&B<9u8}FC%hh@Ax8hT46
z>+uG`X&39f+@HOQo;B!6gHx8mo>vD=hBXg+(DpuO{J!T9xzesF!#4EPzCAaV0Jo;?
ze-<~>f^q=79+LrYLvhFLjL>QQeV!hF4*|7K>yc2PwMXN%n<XW>n8))J<x^dL?d6!(
zH|iwx-mgOEP~*TpV_F`mWFl(ZKh+9b<EsHbwR?N2RPZ2_(d`#29@_uDNXcAm!FCD`
zJM-v@-!4g<HpD*#p@+LV8~r;N4V`x|+9-Tu4L`?7-hVwv5=C|7mj%?zE1=)(!9W8N
z3r`ZqV<ao!ZOcnL&04m4j_i@?*tkCS*w4Cp_B3-m^7@&^ez5*?BBhO#e_qI=Du%~J
zmEjq^QW^NJA$647u6@wJQFRPIUiq9!jtGwDz$QB>a`G(g*Hf)+hqHORJfP_QJaOky
zwL30phcybp!#DxYi};JtdsgV{Ifof;^PMTthWxhs+Hu==F1siO6z;J`3%)l`v-@gw
zqe7|c3Z=081P6<?VRX+L?>xYS3wDn^>bAR;;F*zI_<uZX_DvpK96Ug*+-LCfI+fn~
zWv}4*cAg@0P9{dhvJ2q4#~fe=Pm+aqJlM09ofD9>lw#jLjQpy#=2%%Amd7ON^f&<+
zf4?nDfVtMIVkEwssX0F!!BbqiOe*`M2W+JDd`M3kX|`*<XxAcmte?}FJh$~0haG@%
zFa?xuFdb7i04Stlt*1Iq5bf2w@T5M@Y}68n(I6?S9c)f?lF8$VAp@Va7Q_wy4arEJ
zkboUQXFbVpMO*|9H%}@(dFm>Z(NklijF?rLQl50Of1>9ZtAdXZ7b_R$QpjA?DQ>l{
zGCjrS982%>eg-`ri#^XKX`2NWdq!WR&N=$2DF%`Cb2}?5(Fbg1zB~?B;QcuQ>PYHS
z^vO<C^q=!*4HFA_f@+1+-5wYLSG1VBqCYCZ(dNrzzux*gMl~GQ{jU%5jh?R#UxZ0^
z$M7;5IS{ok)7<yZNn=W{W)&G_&GI@=gmH1-0GlV4e%;*E`<=5_AI}lB3YSDz9}VWv
z=VN{qPs~m}Wi+UVNZY0F7)#U|Q6R5_=clr2%e;q)Zq+HqPGG$Zd-nMt#FZMRtZgXC
zkH@$yf*7*Ugpti9=Li*ii+A8M&pf@gecJaE;o0Au*uI1vefpgy#h;VbZH?u5V5W#W
zm2a^R*?9mDFlITN@`VcIJ>ouRA3|~w<A>whBf6Y%8_KzJ)Ky-N`(guYpR=rSLXV>I
z2p9ejEobAAq7})!JUZMt6pO4LDe6yqAdrAYH}bUd7`zN`wduzeL-h-|g{-&e)Cf-D
z>gQ0I<*1woiA2x8d{Ge2T|49du;4f@8%cojCzOCP052+#5bmK7=QP%quVn2f?!BM2
zw}-i{GX6_Bvuy(h=VT@91aIrhQ}n<aPv{7srI}?bt*6cRIcX7u1gMH7;%(DeSn%Eh
z1I|Hd{ydW5-sPX32v69L=F_bZ8)(d!izU!(s594fBL0uhSe}YzRwnovs1g`05@2DF
z&Q})?jkBHHstvk;$Osem%%aC5n>`ot&7O@p&Iz`j?duJkjKewf)zhjy4Y7G_5_`%W
zoK)gCgF1wO^K&>n%fWW(;h`K43pPFPn~m|rtw-syUVIIu8=V}p3k*l_SP;iCSu!}u
z@)#^g{XIS8^&GS3@hX@k5Sxi`&V+fo-sPFU-SaX&k2;ic)a602(WZ=W14YBuG@IE`
zg!kbVV0Sdn4Q0n8`9!qy#R5SPY<Yn0!DNs`h?Oe5w&-~7*F8tz6OrVz2q6=p4y8Ih
z0FKt@!E-JEwVmluJJ+1X!w}83vQ358IxzA;??XS$wq{0k3xvz@?o;x0v^QK%3<n$z
z{?qOu<(x_){6&ptuqYlhkrY8Kc=kQp=DY)s3V5@5#Nlmq{Y?1r_MbDHY`^>Y@e<7+
zC)1TBeZA)}@ITJewofHk)UX)%A`F}Zx_&{np`-u%KN{wr{&o^{o|8}IvS-rI1~&8k
z$IBLR|1Cd1iX-=J_6%}_+(^h=&rnL}j%uO63dw^w7J7>#_3W9PBYXa%)sC$sm;bku
z0k(_z478=6Q~Di;Grujgyx%2B@!0t4VZ;`~<LRJ+@+z9xT;MifP5umwVPU@5T5*4;
z$7cWjTm-=GO3~>LyCqR7cD*7oa4%H+kE?6~2&UU*M`$&fbl;v_W3AH;cB~PO*DrXR
zKTZZ&)EvM+joNoRhuGw^L(>iofBsP|PL|zgN^&h&i6(UtCuXWH)4ZNc<(Ua61|-@b
z4mhFabWvIFGU4tI+yH}`{HJ~%L4no!^GyhfZQ5sbeP^l8f>{AA+urB-g8}Rs;ea<G
zgU_mCtJr7#wgZuk&A$8ZKxnrJ1=&XdBfb*2i+eTopHuc&z9$5oBkGdL6;zU)elOBn
ziiF6uRNt*PUOxjr>8HEV!K`T)?n(Q1e|S){;omcmJUY(3E1oWVtfdf0Q#wC1ZN=-q
z`%?fwe?l9C>i+<b)Q&>ClVBwP000JJOGiWi{{a60|De66lK=n!32;bRa{vGf6951U
z69E94oEQKA00(qQO+^Ri3<L!e19K`V4*&ol07*naRCwC#y=Ryl)tNT@oKvxL?w;w%
zIcb!$kU(T%@?x+t#(<5z-nGAl-L<g|w$}k<{5ria-d%g`wJ~@}BAFmSNCf3HN~1J6
zPfzC@DxLHF7{QV?Jqk!r_jL^dG}T?_RMlNiydMNQbev+WUcDLt!1>4i^R@4O_q$Zz
z6&<G%Sl<F2I&|p7rbCAg9Xhe;(4j+zPHZ}K=+L1Pn+_d1bm+vULx+w}G?2apI*Pq#
z5JF%!@rdUb(1->FNdsBd5JHGY2t)>hh%sU@280l>JTEd=U48vhNh+A0edeh>vaCpi
zf=nru03bA7WmH>T(+%1bFB+t{yQDb9-QC@#xEA-~#odd$6xZTz#oZl>7bx)E=UeN|
zA6EY4+?<)S&z?PdLKFr)X$TTXZ4jay9EcEWEUW<?HZzx@LjX<7iv73DZU~c?!j|@i
z*&eqzMJ1zc!ThgBJ@*-h<_O}%h=(ZhLk@6s)FD3dkO_=2JcMk#7G)4zhZ2m@XM_Sm
z0hy-a%;(WYR$7Zug_MUV$*X^&OH@yCl~6H>=paBbH`C6yM&vNoo(XF0z+}Z=!Wi4B
z(=$N5g4NxER9d)1l8=<5fRI2KFA2xf5%TYh_^sVWkc2ZN7z+Y?sS~#fL)tJTCS|&R
z)^{x|EA4z*Y|#%>X_s$wBog(^F-IY%NsA`3<h)w4$EsUqBrO~!55ai()^2nC*41}W
z03yXv`!?u;p@>bIGd?HAu6XT*fDnW~%Y{MpE-vJ^tAsio!ibTXl6g841(IEWv6DaP
z_lu9jvM6vu(Z*?7)T(Jf6QA@K_ZQY$Xkt7aSzCSyR%WasBP6VM-@GVj?s!XG-UT$T
z^Pa2$DPh*^lgq{6*VLLdhX>s%>UTp<M4)2WsagrRC`JpkN(*8LBFq?R4+Lh6%t#xa
zpX-t04_M6j`kg5#WaCLVAnxT^O&A<%rxE6=5$0n+HsgtQxlEE59vk+JvO+86JsrbO
z@^<;(5Ja+ec{Q_8%CFCbrrTETL714bmV4Do+ztLd<lbrI-((V~WfO`)0mYlBKvr>A
zRI;K(;jthJV+g6MC&?5sYE-li+OfC7u$k9c?GcI7G2+5+>|SvrC_^Dg2%#lEK#-9h
z7lIugAx7jL_HURX!s_n}KtgoI5Dp{OKU>aed6mCoK^&xGNj3x`8Vu+PncyT?C7~YH
z#1I-J5H1I7)O)z0&bv42w=DYQk9_FU;6N$pyJucFGf(Jyffu$DC;a@n-WZ%vp|U9y
z=8_L)+J$hUPTDCyU4;{hB9tr&N(8&AZX6vw=$X*zB6(9rXm^8p4#4@OBfN{pK&nRf
zwI1dmCt;=>dNJp+cxt6+TSEyf@sL7C?WlR@%*@8*B!YqG_tXQ^|D#sZunAMi#eWZr
z3?YkTgAMELF$!S~4(Nr@D&>X1B7o!z)zsf(hy-9DMHb{MQA&nOB(iem6flRwsB5l#
z=rb~DNO#hYK?Xslp&)gHVH{esdTb<iggk5%a@h75m}a=(`RG97=~a!5D<QgoN-Ne6
zGINgH$eA7}bDrdiI+^^#+pIe$NPMs$T5L5TaF5ZJkTO(0Mg0ro_sL5EjH8niR1cbj
z&>SVob~ncFJRmU5jh8rC$jKFN_L8d)k(Hetyf8+O9j6PJth;=as=S<;4T7@xtwTd~
zN8|hzGjYb|Kv}yCe}0kod-rc7q9~YM=~)vk6vkjs{_#3&608*gj5<YL89Y>kEN8ec
zzmSX<S4vr)f;Lstcp!mZP1ypjLLENEJirQ6E<u)^&-!78G-p~!8OBZn#g7FJmjf}F
z`*=m+oSzn(5_Knnf4$2#<Q7#zIOUUbZ>yV~dFw|MM6{T9D&I#&x17>@Ob!BfAu@EK
zulX&`Eeu52;9@K|(JOs#G<XA~Fc-;dFLOB!sjNeYyoRf-0uATK5|kiPAzxnsaxqh{
z91r6V<^ib;CZyV>L$=0=+;jFuXj|<7W5BAp*yrZ=+&Mh%fgkebT#M+6gy@8LDSC&s
zBEu-~8@)HVnI3eN<&%S(IKASR`{4$`M|CZJ%!*_g)1>LMr12U28^(QGH>_KYrbet8
z1yqt`$tij5EahKTKZ%%L@n<!(U^X}Z{oZFUR3}Evj*qVv0~#};Wnv4attA~Hh(=J+
zq0CTyLNuBA(k|hCk1FvXY1%3uXk?F`PfH<Pey_0}fd&LCi?qDFJYbhQUS&d&?u!dg
z|LRHkUk(3=vL9u=U(y9Du$RA(e}hFX7*<$?<x?jO5#gi}rA-K(SPi#k%qjdbVbJJk
zz*C=r&;#il8u&pfow%^3C4?XkM|;PnWbi9!=39X23^o{zG*$EHuNcxo=R!qjp|%!x
zGZB-vQeYMC2f9ea)(+S{Q)%F%<%>R!Qxj|922)ypPgUb3mMY`pl?Z+buB+R4J*x2L
z3%2FZ{@G1hrYuudzL^ey1TCz4`$wP8B&Fr!N=OPRWT_B%H+%h<n{t=bq-0I?rKNHt
zK4zvmU|)nF**JLdDj*SXwBnEa8^`a&yaYi-$P9TuN21O+`<@xuWnjPvQbq6KMd-y$
z2>$TH#w7+~qQgnReXholqzfppnw}$}()B=_>)nR$Jlm0g7A}uzF_A0DkfmxGF@A^5
zORQ_btik7w^(sM-dVXg*I;_Rs?)z|5oek78af2?IeewScLL5J*YTl-00oUbcq{QlC
z8%>;|-{+Wb`CTiuKgu@d9bd0)WUV6*Dsf@N0tHSN%dFwa>xk^uc*P`#5^7Hh5KGHk
zNw+B$sHL%0@L_`s>BX=Jl9FqcR40Rk`+Hc2-X`@7@?V14p4Ma~)uTVOIjbY98t(S<
zPj%cqe3!!^WsQf)ln=R9LH@)4%;`l>AE;I?6uceX=5#uJG?Sy`;bC}NR=8g0hL9eD
zgg{lZ+4~<5BSwFyWt8yq_xd<he)x6m7Y+mN^VAoIy9~?5C#~F7c*dwHZoC^aA@%nt
zC<DiYx`;g{xLZ5Pcf-b9K0l}=z(UM|(vJD1h-eIm{_m0P-?``o6()&rR`g5?6z=UW
zer@z>_-8dROHkZzD+11M#v%_iBG?&$<+daDTr2kIl%p-mv&J@w;1}?uOyiryA@={G
z`Znhqe8u%EeoY}pNKZY&08)vyT7p+Fd|eRGIe}WuU`wxWsMAzxa$oSc-?3^9Um*^E
zOV`SK91Y+85IZNTFRWG9i1_o97XX1y>*GFwB9z6wTcxll!FhElaN#&`-dWs4WY~kS
zbZxH_pWPg}VNwmI0}dt`%{Q&tWa<&?Jc+4;tp9wK+qz2&G`)JBBuh*tB^t45zmE;&
z`a-z2$cN$I*3NZbz?djioj3fXUkyASEMruF3M=;)5pUDZ(}Ek#-+q1)Q8msN<0=in
z{9ek7D^j%;LEuIpq@yE0d@}bu9KmIDM%RAl3al_s8$wQSi$>Su0=A*oa^%xCigRgU
zw5|2tgm^jWr*bw_!RK~&;I``*H^-RDz^JJQ=f_j-A=Cfmr~cCtLt-URK_4hqFT{5r
zXUU7Mh|<wyy%qnO-ydeh=#K$H$|%-#<gN3?<RT#JcUscA;F_>4bzASa&RV&d)YjA1
z*03?J!i6FGVTdF{2LPU@`}qfzlTU>%Q)R*ySc3bzIH4k}1;F+pLExZ^E=CQkJzH^2
z8-p~nx5s#BWg|btYP!E7>T2%xU;6f%)w9D>&jRrDTWzJ+YEN*wpg2i{Ts_Zpm(Fc>
zAwMui_npDzaolHY@WF$0eafP&gaSIm7g^!spE?U^VWW=*sV%Pap?4mJo#p$6-M5cC
zW0U$i=ge0+5T|-Cz0FGL>vx6m!NrK^yuWdRHh{^oWSw|g1t#NPtl&yq6e<HmRtd*a
z*+8|7fSCZ{Ex{ICG%|RNr~r$`zqOTCM`ed-)<MGsm^BF8_x`rZo;fh#>mbIc{B}X4
zBv^<TZrVdFwFnr6Je=R2gQH>MFk|i__xvtRLwj7$g+E@=nn1pkApTYsh_?3ooPlq6
z5LNlmyPYEBvF_(P7M6bt^SRdAj*|)W?TcT2CBBF8&He0n$&F}JPGkj8jO_4WC1ra_
zM5mKwqcCBk1|!<LdRA!huRsd+T9kkR{^c)MWSbG?4CgJCzmehu*2^r|G0UnOO>;~)
z{VqvEdaSm3PT54sl>>xW;Sk~8@eg%e>X5_t)I-*oDRO3Z8k#<Nuj*#-r&g3NzzbbJ
zb`X$atE~sj>CZGA_U_fqAF@sA)crWQJe;D__3Dk($z3!Z<o7t}lmr(6Q$w^!fg=V=
zyb&JAd<CZTA0ehFMB#yl5bpV_9ueWtJBRxjJ%hk8W;-zp4#Tx8%+PahBqiMuVajS@
za&aRG3iRr@;XF(cV^@Ch*EWk>8+J#>zMmXCxkI;~D>77&ma|~jeU<;TL~pUwbxeKr
zW--$aHsUVq?D8UQ@m>705VIQQPZ)`PUs|5BkV}xgG`SQ5CE(dO$HwF2YU}pAv(%~1
z5v&;3);6|mjbkJGqY;JGV^++9IWcR+UvuDGUug|bsXb8VNk$m6ZxXM?oFpYvC#Nxq
zgB1D0Cd4QNqt9f}ZU<E(%BW6PJayIl_Uk%z`#e2sL61plAMIb+Dy=Pip`*Pfhy81$
zj+W}ENLb`lz3G7BC+9ruymrGtyV#yHP8eDcd>{QSTDcJ?nN{^}FR9<(Rzy+!r?oN3
zpHfg+hYovOU2Xg4p6`K-wyf+a@ahyw8aAP2{qQ)UJ=0Pm>zxja_h%~<Q?7SmBxs??
z?bitEQw1me?$p{=C^SfN>-C}g%`CclZu3+Orxl|w8XA8gk=Aqw-_39UBAW1Hb|Wxt
zjSC_xM!syuNi$aG=|_n%diIe(fhYrP3AbEHzy;AtH?CzIu^~%UHIoqzeyEsbhmb9p
zY$JsAn&jsp;c}c-R5>>;sPUwvq@?M}c4`cDEc-dQ6=ib}aQA0ZB7e$M-HNAqNG$%!
z1wbq2$0>GLkW}&evo+0tq8l+*{HylLmOx{K!61Uh-!4i!#)7}U%KkvAb=OZ_nI|OU
z(ihCEsBkavXbR}O+5e!3ZDhm^^HbfucD0{w{v$3W&fuWxN!y}#c+)w7pYhFo{N^E&
zPA;P@Z|`yc{gtuG-glM?`exsI4m_^)dJ}24n`m5?x5>!6IbpLzbd4OuKKxJF@r|#&
zo<0tic?}Mv3yCA6FC%K(j?k3Tsl7(0;9<JQpmOO18Kc>C{&-S!6G*hYM69yfgxU$m
z<aL`ILk1y#)TE(udt=dzX*F$g9ZerX+<?oUMVkA$<T2ZsXxvLl%<y8EGePpe`RM%W
zNbk*`q}Zecb6buzu$;(2g9OCUVd$?Nt`cFI2B*p%=O5?0Zd+URT!IPxF<Lv#_0iC1
z0G_#BmC{_MC#XHM<)|s;=d0>JwW8Vn28Cw$kjJYHLgj0&=OfOcmze{UX$%Z<40z*o
zZ--L`^PDwBGq&~G19J&mlp#TtR^M4@8{4_)Kk^bp$HtZn#@>q=@HtwU=rY&DU?b_&
zl9qjl?PH%FNy(ctY7Hu|(!$oRnPYCO(Nei93cVTC%<1k}(9|(8F22t5Pm*1q!wXF{
zJk2-k@Z)q|LM3@>pJ_pS*KVc-m4sIoBEb(nCDAY<uk0PiCC=hRWPLUIrSoQyTW`He
z`gkpW^Ek+h_r&U~s{S8`8$Q6cs&onLQCxRZC`P)K@}O-#a0ushKmYi=KP`1~C#NwI
z@OfB*rb!i5*+{z~BD29xdEh*^wdJbZJc@q(bKIlo<_-;3ePyp0tthpKb*t&--#-_f
zrq6vdXMyo`dlm6%u4>BC1}UF#CIhyq8KW?!*an@uAG5SMWZquGY%Q_`OV%CSmIknZ
zNqw$|IU`!+MT3o}Ky%Va8DrgW_@Bv)NvZX!f8_#{#De=e*^^S)mGmcJrt;A#n}43R
zC3j};-ZB_wO#wxeV53|(1`<{;RBYF)w8}kbWEkh?pb@ud^BE+z<FCx3i>^oPt0r&7
z8J$#lHLXfCSCK<+Qq>1aaJ1zG<L0KJhxjSFL%a3GK-8h8)|tjt(n5Y2eW0E~K2TNs
zKqY(@nW`4J9(8!D-92=$!~ZumNwM7>{jT9Ok<Lpk;gj@Sse5t9`g<6qPX+y0DsN)k
zZ!4a|J>rEkgP6I}wL0+p*#e^Az$sISkI#d>7FgfM9xs>yF{00ueh(Qt<K!=TW7o!8
zI>-VGu{kktCIHD4i=gEUqII!ePDeB(WZs%B4a6sg2~Nki3R!m?_NjJ-yFnWyY-Vi4
ziY5W~P8C%VxKd1Tm3*tl0H(_|W_OS>8c8o<`e+cMWbmNiX2M5@;fV-_$?vz-dP<KX
z)ZFyxJJYS{sw}GfZ8=D@qw^6x(V5r!%gufM-{83O<*S{xi=iC<qSK4c?B4GFo!JdQ
zO2L3lD1LERxRHY|0&Tur2((6y^78X5ylb*shruy#LMmDBVV_$Pj5Y7E$J%zVjhnq+
zNbsNw0=^;I!!T>1G$;`U$1D4T=Q_&XHFn!GPHh@1q~Bwa;F=$9-;a=(SbjS8WmiWv
zn2->a=!x|gHUh4l#)l_F(|{{8)HSvD*~Y9bS%~}%Rlij)nwd=@PzoaHxRQpGkRFbV
zje;Vq)%UF@%;8G28z-H+O)TRt+lMvTt&aE6DpzW5$QUAIiRwpPlL5C+gRfVDFH<?)
zpYL4{Ssu>N`B|X}U)j<%sIfzblXCRgQlnV9Aa#to=dP{P#J>NMB}KPe22MGfpE?c-
zMo`H>72-lz`6&InJf&sMq#+m>NYi|!0X-C@w=Q!s8?2DP)n4Eo_wPawC}86HVn<im
zEWcnpw&{XMc?izBs%WOqaV^~A%!LuLT|Q)chEl2?5jTp}+!@G^9*)xTU%gyhUkQAO
zZ${Oq9VQR=3zxGp=13H?mm<SvhOar1yZ6e~<-0rf2U~O7Z-WqPhRk`X>Y(z47*U5K
z)t#ox;l!KGZ;z>QulwnEaXuyOEU&Im18znJ%0g>Phlr<8JcDnbJVY{h`{o+ciMg6{
znc{0){|GmUh{bUnS$hb@pEh}`_0vuz&0R4IEc7yHV4*MjxXp)RewOV*J=N6g!0OKk
zfHX1Woq!|(7YC4`qesm)Y;`In-E*_gHmHnIy~Z3uq-luKvp_yZCglHu1g=~3OvDg-
zyM>y<^yRfun2s1DVJN8=pqo!ed_fAKcK)_oYbz0Tc-p+ieJIKGx;~C@{)H;2hl6Ha
zY7UA7?DcY&H|5I`$2-oqWB>bqU!O1HbMMe7bEgg(zcbp7(ikglk^{d>S~AB|>-SP|
zJX5!~A*XSzrpde7VUMMIc7Ozn3{aLjEwq0{oUXOHVMv0=#ETKBD{^h|;Es!tluFM8
zxk&?Vi!?HLqXwiULlfhLf9H7zHyKV5i_xD?iiTJdQ*>Fg05pK9DB=bJ6|f6Y)3!g%
zJX!y#5Z*$bGwc*$mLFxD9#noJ(gkqyqls`xs%n<g)#%E6^E&s#{TPci{Z)&i-=M1c
zdofd<`iq#2B~wKYd*7Yq;J5pOlx@Q}MYCpXB+6>*TP!NrD+Lp{fIv;dbr80rg(K9f
zR!J#iHN*FlM%1?`GRo)=-(aH*^fu+kUJQ~(<=nAq&qmrch{AhLO^nEY^onW0r3QOF
z-+U0+a)s2<Iv+(?qK!7J%HjigI~0|<Ttyy2-fA7cs=I015Lx<j<dpVdHAO|_Bq(1_
zu`5qvvI!$p!L9`I&y3-Fe%*rK{Lj?p*Qch;gQ_&HF^9D1qU<$@4ry9GpL<;K>%ZX*
z&0L?0X%-;6^*_cQJm4ao&@>qwclI|K_aTyozz))Wh}lPE3&R1FhZ0)cAsGOyb^}p}
zF7m-M&>wSj?ED!4@pY8Z(Nr^ag2%&Jm=Z&(uCDy=^Br-m2@ne7z4=ZbmGRQesSg?Z
z6X7M`=v#=!SK-Vd7PC}nazEx{;b3ML&dlRV#Mq_nVM7YFhZQo{s2gtQaooGgde{41
zJiQomA}ABCK|?0$ii}77h@b#F+zl>&_hZ4$`_R_S_KR}-yJU0sdrze50Zbiss(7HJ
zQ3dFF>+bf@!+OJ)hrbR(H0*rX$$L`=f0tb&&Y8wOCC9@hFdov6oimivpPR5Pu!(?o
z=y31QsmhY#lx1M>QHa2>;eawC77v#)AVq;qm4F!?Te5AX7(#shzAyd)V`Z65LITdZ
zR#zMz8}yNo-~}dyzl8`gtBn*~I5d2&#jducy~pyCy{2<nk{eglt>_~Oi^VW21c1Y!
zZN@$1If~}yN{!UMVJKINuR)xb7kPREb;4}EkFX+RZSF#-X*7r|L?5mCrQqho-*Y{g
zgINb!v&I-n;~*P5vG@a!q<^Gx-JY$rx%{oW=vvAM`Z1uEd?Xw%J*ye#I+WveKR|)U
zHQ)YLUBC9(JQbQrlV^q4@>0xe_DRuwlfv^2>c#tr4yDr;`7kZLJ)9p8j~2#pJMkqL
zAUQIYjh;@vF^L*U%fN`JfHtnMD$_gt7bJj)^;Y6;pL15K<RbXrpWvUpJ=dJKX3&S%
zmG%0r1uzb=DH)!I<aE)>g|I7~aP-~UJcIb{vD$3Z0flAp`mO45wRZuiTwZk<t6ec=
zMoQf7f0ZnlaHM;7)sOoeqiQz4?a1clwmU0$M-1Q4IPg(QhZe3IAD7{w-Mu}=cfK9&
zqxuRWhtv}yAu!1fm&k^k_Axd!KgcW~MW`_!KWI<dez{*MPN1TK&$ASQ$;21ce*X?7
z7)0SJr@t5M&-%Ja0swixZCD!tjZLXb;XN)%+64bfmv^-L8A&)$z<UZ<^t=51!hmK9
zuRs`PXFuzF(?V@(4<>WuiIGx<Ho7gcrq5ki!f*ez|I}wxs|^n!kcJ&%H)3_1Q}C%}
z42xuEFf=^1+48dRW6jF>j>AqnmQf4{5kS`4+S)j7ycSJOyj~sFWX`K-+ncg}<{4-j
zDkidK`EvCBWl^;K?P+B&(Epr7rZZ`(Vn&fLUp{$>`XMH^fiZ)pq3Xx{F)Pu738f1B
z*LOHpwtI@D9j5HDVZCNM@nhCO_naiaSIQS7N3U@p4w$*ZhKQjt;=*)_N1_pinT3gv
z{s>$h0rkl#5Hzf!c=ipx5>0Wm6wmg`4OCfZqoB2e;Y8nK42<M2((Hr+SM=K27Tu@J
zzeT-{Vf|R4h2=6x044_YIzjNo&IBE_=h5w-e|7LNcmG&EY$W_MGK@h)*d@EU#GdB;
zFMSdiy0P07$PTA?)Bir~`KtO^&4a#wkhGF660@qh(QsbvlFbjB&Wa$^H{87Rx?#&L
zw__ScBvHH#K$f5L3cuAZCBQKMX)>|zX1AO&ztcMQ)c*(H1;X6LfkQlW;`VIF!)ANw
zC5GIUlj+BT_9?g7dlqcStlU|kOm$#{RWSr3Et((Lk5zu=-B~*YXGGZJmjI=MxxExW
zn{N}O^}|+1y44+(S2WGO#;@{YscPwhl^=_>O6dc;dRv+fmV+fpysmp3795EFIngtb
zC}ESI-ifPHaH>;~(oya^6W~tR-OOu`lgJ@qg9d{WZCaR6`B_V(d_egl>4;PY92v_R
zL9^EH4ZNz}nTf;IjD?6fIj0;;35DwA1dV-`wpR%MfQmA(ADGWQZpUC;vf@7Eg7S?V
z`6bw?b`{mJ;QTA>R9*&syOOd+ZV_gci6gfYHb$h6&c%=-LfsXAU(%D@7;}5+_Mzd+
zY>@1#uJ5mrX>cJnY5e${{3@cVzo*sIoMN}*(M4D99!I^%Y<al{1D>cI2ozaBckJ5h
z`g*-0>r0Gv(;N8{8_k_zTCFc|-sdDaBJSrWVfE0D>YBVt9uDyL?ub1WAL8f8f>wJ)
zrUH-{;fy|+Zh0Z5Pw?NYtrR|n>Cl|s$-Pk0JSWg33lnj|Wm&yY0($tJ_R<r9rmC>Y
zO5gUl5OYneO>WTlVVayJRtX>3V3&EERL+;p?r!tmwG5eeLs=mQZsIdWp3t&?z!8^R
z<oEb9wCW!BLLaa81Qm(+oNM|Ofc&K0?@GG+EiF~cmj0J+1=vQ8YJlQhTD1epm6%})
z0Wn&@oY?AtVS;|vxC3gul8%Xp0v~d=KKl|QL{0+5J@Xq)5I!$^3T2i2M%)?I3y2Fd
zVFXspga-g{?ip_!;J}vzT7S7s8jEb=jvqypFb(ZBr61v~%P#ss-PGJt-3{C_-7Uur
z4K^=S3s@IX1=#=T>&556kAkm1cguif{cB1D>zb6NZ;SV^XgI%{t2nl!FfemBH^q8S
zNtL;#2puXTSp2*;!uU)~Cmhxb^d}2fY-ql^oRY@SASr3vOW-0SOFm=&Y16_GM+A1$
z?<m4Ibb*@X)GgDIE#{K50!+AZ79OD_ag(YuqZV<+of|=Ty3QQdJ4P|%%1Sihp^8+l
zU}yP33m0z8=%(P2%JARLoy$e%{k2B-&=+1~ju;Fi(?D#mf6J3yL%BSEqwXBgUip*b
zzkZ5232aOhvx88SjXQKXF8?Y|zeMS>h0m+dM2w3HRAG6pi)H37PDhNnV|G2Vf}jy)
z2r<Q=fsBmFD+3oNf(CvS`Y7aod>)#AbQxXtn54}fJtT}F>b%r+P}p;Ju3vL#fW)l5
zXBbVB=P$2t*I}~ov!>6M4f)l|9R2;D^l#7S{tub7^*wA$obBs3asTDCH*;rRuWfS#
z%|8fjBqC71A)yO)dF*CbqWiV`v)+kS=UKQm-|S&#&XWhs*{98H?C5G3Sa|d8<11RR
z@>h%4!o9iAzYU=VTIM&c1Y(ZB+O2THbLbFZ#FF)Zd#o)1A#?_rg(NxiM4)n!;|`BO
z1e7Ms`e7UexMl<dr_87_C&*L2>Pg&->8l0@iq7juvM2q|3y_S~&}Xm3&l#^Ks(eg3
zM0T8*qV`wpLuPLe+>r6}zvV9f*TM6sOFb`zDqH&9>Da@s)T#(=+Y_%xB*ZH((`}2-
z-FzP=0Zfrkjp9M*FD@lmV)U{0);%tYakKwG22vN$*ifDfT=lY8uO}K4@+!koOYR}m
zeLAk><RX9|IP&2;u6Pllm>-F;$^-p?NOGzi)9;klgYv84B&$ufx9Ektbi!N9Ho1#-
z*kbn~c3i?n`Ss)Wj7)Xo@8u|+SQA#KSmlJ(KLMg1G!2EQmeF}4efwoW(8ueFOM|h>
z9U^uCFCFvi$Wz7}ptf-60!@dK-h85OESgH9Vv6Wl>?VcSLfH6IL9P3m6INH+7_bn0
zO|s<t>6Jg*&YPDV<O!7`!YY7qKuHZ2W$<maIz-_$4?Sf->7*fm(bmdxh&3s7nJh<4
z$zT+&kM#Ce+l7y}?fb)8!boRH7z_?*f)P4##6NRS=*!nlA?_dLjq8RcO*-QPW%(U(
z-+2&6Wxq(|4ne&=8OcH@mVFt6Z$@eQou9>SBQxaq!9?y88QU)#T-|Mdo2YIW&S-e&
zRF%Q558^+<bC<er<`<v+SfLp!umRWw&7L{Vd(JjG>Yrdi-^WxT5as;N^mi#<53-UP
zVA@EDaEXMK9wnfkaNq)Te0_wIi$<2Sl8iBIp^mUaY(`K=pRy?%>q?g^K+V>|Elm70
zk#mTz)sY8#jezs@Yk1k5ekiOkt_}hJk_~QJuw;;oc)C2Tg{Qk$dNLp)H|sL#$x~8)
zT=rnSHX{F7;t&1)Zv?L<SD-n6fhueGF^U|SAw^@AC-(6P&VPydOc2tB&KhaaP!AmO
zpyv_Rt&C57-Va<3hCZvap~+2HRmx-g*h_Vm&<8+26R7ig9zK!NIHn50^hH`Z4lMo<
zs*;za0(nns)NEY4N?lVXK`TbCjR`KE|M=0g?-@OoB!=qRciYNdlQr!)lIjOrv{Rrl
zt8XUAJcf+`KXuBq^3H3#;iG$9XUA`YpLR~>x}w=*XE$lfSg6_{xk+xIyMvVT^_6v^
zSk$p`Dh_uFXSzI!pp_=)IB7~(qt7L!ti(kdv2RV=?+uXOrrt{;OM>%9JxQOR=2%>P
zd5A{*9u5c({;dN7XyFX2@01vZmR4KoEE>qrZwq~OCg%m~0UyPOGB?%D<hg}3lChSt
ze#-vl-`IbFUPu(SIgS=H^ekeyzeNrwS*kbP69kJJYcKR!m)sTavBrG}at-@6U5Y4s
zfFwj0SSJ*Aw!xRO^wYy`6X=~SikUtN)Ol{x4zXFw7m|*g)NxHc*Q93sE*MFg75E(Q
zO_i#tl^Dq6e_uqwVFC5ltk%+Tn?G~!_Fss`>~##fVU&{~2AI(Mw}(D&Y1UC8ZE1V}
z=IYBOuJt=Vu=~5?bIivLL4<7+7x!Et7BB%YplbwaDky@afzIYll~_Hi<HUZ|o96)4
z1X@&jZqxCg3ksvYnl)U&s^3d{)ofSr_Op1rJT{W0!>3_wLQ_+16qLRt-0}PMM|4Aj
ze=#n&>MIC-PyF(9p;C;J#J(p&Zxo8eEj6b8e*~!_C|zf|<_JyUK#qL<Vd6Iof>Dt0
zfkR`VE$r*Tl-|AEw-VErO#|Mi!v7S1e6U56dHpDuOie`%HiPpg2B4e^(P2naN4QEH
z;}gq&Ipb!1{RbQh4qPdokM6;JCb*CbF+Ki3IR6OzFPqEg2`0i-F&0T9d&X9j`4id4
zhmkW+g-O3WNn;*}(>$e>rFPQ9kt1aqcCnVTO?O9X3#`6;nn!CF-YcFM88=G}I=azW
zkr=`p?-#R2N1)HHdMUExs7pU=^nSe}Y-Z_l8JM*R_k?BpBtnZ4NBwgs_jv93Q1X6V
zfOwcceyjo^J3&FPjtm~S{d0C1=-LPO8wrbi)ch`rL_hlbwCrvGxh@ztSmfK<kx_WN
zhZ0I1QjQQIHUyh4uiqIj|1J*x22v<dvr3r}O_WnDkugsWvH*9~xxvzp>J6I|xUN=j
zuSMhLS~Wxtv=mAuK*tzr9=fuoDnu{cmglthduDQmSw$LKe>vQxP5f#U|EPs4s$Dj}
z<(9efF061?jJ4U2LTv#Mn_)~TnKN{qZ#26bw=R+of43=6J_CK{w&#MCzPQWP>m$|Y
z%V@D8t_Cmh+_o3C519kxq|K`?`o8+-2ymjkN3y5)0@we>^f!?tksWX;nJR2bsJ#lU
zllHE49L*Rz-K@A5fJoYm{nN;uurMl~vx;Mbjav<okPOBEn?f7rL%HnFspQ?5q02BF
zcT>`qX0DAivx2z8cA3$4U1P9R^&;M}_aS`93A0)!4JmwQJB^2~Ky@>V2?#@6<7i>3
zGj&(v!bp~e;jk{a2?U!PJ8iGP>0R?4K|tNWdjDiY5a^qYHQJ|m=DiPSh->&Lc=rr#
z_2)w}b{R7GA+4*Q=v$i3x&I{Qbp2tO)28y|6+@sc5(2B&^Awdd3)V9cjqwt3iZ)Ey
z8kZC{^}3*Ne<bIBP+|GK_*IEJK}}7bVgl8^I?axn4Eq69>^T17Xt%zyGtLZKoT9aZ
zmzSGpJx4}%-afT#@Q{sTj*2VRw8zlolQWS4E3Q<uc)??#rLM!VwzwVt6e|<zq&k=0
z+-p>Y;M|E|d@QUwRc)au<y*<y^36ZlQ}0(EqU5i)bb=&;b;>gO>2?=u+uJjn#VYBa
z5TwU)FUp0*$-Yli#8>AWHL3ABKr{d1<Ct^$@fP7|Gz6H@z020e%$T>3WU1z(H}tgs
zs5!nxpu9I7UyZTc<h|#lO?`|`CYUi&9v?r`zu;M*bnK3AE9;Bv-nK^#W=wkiLLD;w
z&xm$DS!%@Ba?UQcA#4eSJnG-)Ii6I*m0N$H!KHB?aqCx3A6V5cQQ!S`Q$5stN&KP#
zWsW=f;ckIJ2>Jt>76z}2)A>}osK3uoH{$LTz@5s>M%z7e?v61nVOv|a$C}C1eJ<<%
z9qfL7oO(EQ?_!^7J&Mo-fw@Jc+M`&{|5DaC`>YJ(D@{Ej1#O^$jQ;I3aOv#s|0SQg
z23UHMQ<oXb8ljeU{H=xwjqwddcPEvkoUwiXRahGOza8H;H|ve6yZd?1Z#1w`IlmCf
zyj}F_$JuWRd{u-p%OCl|TVmJYfJo6mmi<_i(mz=FGfrrw>Z|I<KUehIGOr-96L3ov
z*VjH65%Ac_DX6QjZJaQWheil#K<ytkX1XGb+;=4h@aYhS4}QC{CM|#dFxs-NU@GdB
zE}vFSTC&_<xI!OJ0h#=Li`MUMLm)O4CU>kYY=;Q*T=QT3XV`AuTQr{>Ykk;=BOVM;
zC>7xU2=S3z@Du&>Bc}>?RpHzHb{-upVP$VZK2JAdBdXe2GI`93eYa*5-D9^i6C0~M
z{jCT4+Pck7c|M7$%+#i9{E6!cvF*u(1&&B?gNlJNQSP7_HHI>a%D~0ct4u!YLQ1+p
zx+i)6zTT{S>*P4bUR5n&CgL347+Tvjf{$?HVB>K0eomcBNgbB38MWx`C614H#hdhR
zp_oi0hW?%gO;Z`{_N^H090k&u*90nYbH0?eS7Lm4U@zqC90e;@8QI118KJ@YMAZr!
zGt0ymHiYIOZcv0>KlJP?19OeQgcq~#5gSdFZ4g&hR6kBFH^d|k4(ziqB0@7Y<xb!P
z+&ay4Nb#;FnLz8_i2cgPCHS<Wc^&!?yDwWVH+N1CJQ(20vGjl2s+L42LVFRS0k~vj
z(+U(eLGD+bCp92}=osi5b7AwXEt_mB4ZVVqBst2KzZlg0woJd))tLvM5Jt;Bqa!W=
z*u|b~N{gVRmM~`aBYPK%&M;zXR!_rb{|Y*$*+GoOfTZWLX~Z8tIqI#RoK<%W?^C=X
z1t!xw`DEbJ_vy=9qqA3)d7C~$hJ+EIDF3^BtM{IWjlCl2-$BU!?J9>{Us>)O9ATN`
z*>n@LUH3y{?F9u86!LzL<rfOD*-|s$xbY8}lvX$;IT4*Q9&n4$itUCD$Hvx?{9811
zuUejA%UCSdMyCD4SgB`V`?3bCs0J(@&Bkl`7~J~y`rMk#pqU^<3W}H7ljC98bGmM@
zZz+Cx^LcI4W>RQ3)*&pl2Fhp!TK}ihoI?-S=vP~)!88^^+km@B9yU^arNpQVQ$+>=
z|G^G)L2KCT#%k`KRi|k>{G>cvwfa*ZM3lLt*7nu?=+VdEobEbHIH6IFUVkZBYTtJ3
zUlSrggR6MC0xgxi(kD`;#!%Ng^YxdraQRiM<-NW6*1Qh0Yi;J~(Ntv|EVP@R7IYoV
zbH1LG#l7so2O^Y+-s(5jzlJXw%y3TavMWUW2Io(&<INNMKlQXNaz6O;5i!XfVHfU-
z<(G%VBGmJ7Igl8Tq)FkKyRo4J)vFLDr4kJHIFf6AFE*Ht!w4X)ZTxLnmSzv8BVvL#
zSmkzHG*u+={0W%n<QHA8TB851FsvNtdm6l;>!Z!sVhH*%#aQNeA$I)<Wnl&9>!_=D
zhp-K<!feTi4DWY#c5Xahw4<+{-^ZQ9zb6a3*O=n^>^&ciOlXrmN6;m5Y<78AsQ7W|
zdZ(?r-NeaD2`~J&Q~mcbhV%)(umz$EB+JOE)AAZ8z}^Pa=3Q9Mh*whEQ=fK~szd)F
zgShU4h&7ZMwOW7i?p!jLw-zWh%4V$jalvGzHBRh{h6204(yKNcN(tC}^cH{FH}{>)
zS12ng#=Qe+!1Sm?c0V!>{;e&xhD(|?Pnxx59emk*y>D(dioU_Z!n)<^ew;YIiNf#y
zt+`tLcWwT>nJG)tKF1yria8cvk|WsokdBAu%ZJTG1fwq{KO}uG1+*U@Y%`x8Dgjza
zJf<MfZq0VH<(|Hj?HyE5{6Qu9j_MENu3I{NG-B+?L9u?joM`;7ctHAcO<kw{{AYmB
zV(P9XlEvK;f`WXQl3CMjF_=mtQZ{+<x~G~Up{Tn$4?L25X=y1)T|EY}TNLsgF+@oa
z^bc>4d#F;k8ExmPW%l=PXaF0r1bCh-gjobkHDTe>*4e4Q-sSsDC#YOF4EPu9y6+<w
z3=KWZb@kbhz?WjY6f?lqO}}kXcwfc>RON1CDvl)g2V`}1Ar6tJJ=r$*Q(rgWj=?b(
zMi9ksbWsH9dy8{$;+H5yB1nq^Obbi0jUw&<`J_>uix#j{fB~;49AcpE(%O*|*yl>z
z9%w=xvSlV(w>lZIc8SlEy7Ka3U9{|?{ds<Y1wlbQZlLc70jMZ_uGQKN5`KSr-_e9p
z^YQZL6&40>cx?KTg-qXol-`5zV0-Lxr<&dFPUic-WY^i3K8L@vnF^|1QZ@V@+89<d
z)|uxTrI=DRx6-8cYD^-2$$Cl8<B+>$VH&}&Xp#QB*oxnh2O1xjY82F97{F!<Bh(uj
zq+`ZJ^p3M)OIh9dm$^=TrOlPtc9Eq4zutu_#Ls!Z+~UwR$#b0<>*-AW3zKQ!o=1*<
z>tQAcLqOg8H8J-eJm3ij=R3<Bvx91lqYVck4`Tp-NzC2&DNM*|7m$-f%<FNn1}}2-
zhmCFqnQhQ7MCnic7<1yu$%)ZowLZ;Vh<N<IWz*L#zg2mcZg!89P1fvtbaArUFN;za
z`9lvc#s6`CH-S&<CVa`$;7}i7*{Ss7cCUqKl_534y$=~#)HiFg`qw*;`z^mMbL#yF
z#*DaUaS|3fKmYNLnf@1%NJs`0M2^fX4X>DEzu3ED819!v!9Dgk_{v7MPwz}eJnL(9
zm4~H2(N=fAer>rLB>XT|?+$7KlQqJF?qPa(MWl|(N^%O&1^@kNe>mwRVTVHDfv9kS
zgtlLwFE^1v>qARdH<1NIrInRyE}Om&`@FooTa@O?@gu{`fQRx%Glj7fDlbVKrh>HY
z`{B3-ppqtIvGM+?lnL|4Vnbz!V>@R@T5SxN6Z1*WRpJxuwOVpe$cTyzOmX!@SfDw+
z5yT9Be@{yyq0$^cu2=M^^qTuN`CMD;Yw!T|nHFvzP&F5K^)8+Jie3RflF){rAfor&
zc3K_mb#nj%g1{J|fyTwas4zXb7$WIF*6@)$eIywn_gHtsn=oU?5ALl+1LYJZeTCW5
zh<4ij_juDfU!j>h9f1rBXV84qe$O%CQPWmhSDohB$G3|BNHXW!H20Tl^)9ZT5Qr8?
zcs`cErB@c9#8BTCbEqhbL_;V5xloRtYTG0+0Sse~Pnk3Brqq+q#3!LC*kSP&J9G8B
zvF$xjX;!t>*1evLWn5gf^<(A;vN=2gI~oo=wG%jBB4oM>oUbBtj2v0eku<hHOCoMV
zVpZ3PC-`!#2m?A&^naRD4l@pd?Apj2n}hQ~MXt}C4;y?5WBW(IU)>I#nh*KagO7J(
z%r?9w_2ZmXJP{*mfuGy&kG3jm9$rYZQ@p99@w(@oGS-x1zQ<qvt}U=30Lk$P4X{Ew
z>?v}HQbh98q)WgQMm&sJ<8D$3NY?NIrv{fVT>cSv=z!ft<4c`RI2cAPY59*i-X|tL
zPs)EkKYk3H2PwG<9<O_Bq5>}~6O#fIvPLjS24>4VWEw+6>hblVTkvP<kXrYj9Pf)j
zNn$TCm;hqXUja}wY!7{yF>|vP<3jGsndQ;-7)$OotY?lemBH>#cYDEI6!Kv*{#E0S
z4M9h%8|l+oRQLr6f&7;dJT(Eh@?F;;O3YAhruu0>0LDd*Lvp@iF%H4l;ik+w3kBSq
z_yp1pud6G46<qcoqiJQXjM)(>w4lvvx62hP_V=lf)IZ{8IxMYwm@N+*-thw_b@0Kx
zW1uZ(5E!n<UscAN<m(aHes%jrMw_?Zc!Y<$`!9Wubp&&B^H9Ev7Sqh~a!J}ESqu?F
z#DEytRAvEwhmDSZEdGzO!)EM5S7Y&qK{#%2_0C>jifA3h8wkj-0Yx70A-esk%L&{w
zg;0oJ!U*vF=_7glgH;#1`S$t%O^qo6=MRiP$lwcl3PgnG^M?JtAX4<ZM0?t3gd|mO
z^zX)fUgv55ZTUC~C@pnb!J^nat{e3kqc87hE_|*ZDZ<V0KeI#4pak1Pg0F0)<u-Xq
zoT@UKAR)n`+xP0~yXgFXK&YW2;x%SEofxL3rhlp&e4}2EBn2aH_}|z?N)uJuh)nsX
zj9Bgd0WsSww9dHiy!5>k#ht2kS@mt!bCRALEqCTqtwffg>sb=Z;D7nGJ;C=7{i2f4
z*jP?zYst8C#a+v&J5ql}6x^#s6}dxWqW^ZQ_$K!J^h7|H969Dm21*$yRZ@!Vvi>0Q
zt@kMDmi2>(P{RB;K-&yIzx>Ki!OZnCZ|!cu_#gsG#&JI=SD!dUM;WkR|LL)#i6H$f
zG<Un<eTfie3{h9FfZ6IWtv=;QnpGA7r<bpK&3-!<a4^7(k&t}7EfEwbv(`ZcWub$Z
zAiG}#-yWw#|GVlpy|2Cxj86z&X07PrPBL)G4<Sq(m_4nnP;{OeoOW{MB!#)1a5uy&
zlvJVgF&aSz5kVgjgUKGHweX6tB_zVsLwp)rc0t(Mh5VX6??L%V<pcue3CHC!r142%
zh8xo^4y~ISPGd1H1d;M5Y>-|+Xf1Y0o%cJoa=4uc`f(oeU?zRpe)%~X!x^pzNyeH7
z)By{6NtctzQ0RF5fw`*d*sAB)hsrhVaxi{eoD@qMf(zI4Go$zpIA6ZH7$VC+K)kWZ
zkf;ld3;_S>Jp=O>n=A!fHD%~hhc9jO{rttIq{*xWw<zTgHy_rn`=2$&BE#ej%S3Pi
zNB#X`@5%PINZ$SqDT-V{nXfXCz;D?a;|*eTp&dU|GR0|m-K4-pk>%Mo@sgPG!<hyv
z(>LvH1c!>uTFSONk-tTt_+G99Me_3D?IMQyZwFi3avCzKkw(A;4K}r-3}GxxS^x==
zfGX#qOx^x(er*;L8Hx1)iPTW9qiHg&Za;xEIqIVNdS?s}B1~SEahfcM)MZ8-uLw2}
z<fOGX1)R<0w>C$E*4CwrPckrJ5?G_Tua;98sF`7Y2DGL4*}Ri_KKl%YFd^UHkv0C>
zcSdz2!jmhRQwQe<^0*wBJ)AAOXw;yS84;dl9oDqfUXkYx@td2B;bAY;I(`4UCIM}j
z2#>tdxhFyTVX(>nSE(y6RAGO`Oq&9$*Nz2NWq#wtwr&+gu8z5Ep3z7qzoUZ2vwyq%
z<SEtvQIi;yL0hy4Cxk@Sn4|L5@pPeT6d3a3<M#RcN1E>~@uEWTVa?^wn#<IT_eCp>
z9cQK?Oh7Qmk*&yeAz?sPLdtJ3TNY2ft++5OQ|jQjP|?lZVde9`fP(L(3Lh;w)zr;B
zbGk7=_rOuqpk@Jq@IXDgAV&?|FVqxMoC~cMgs6JTol+SRWROv74&BbuG?ln!gNt$z
z#VE$+f`p@kj}+)?fVl8*+RSX{w1g_24RrKt?UakWS1057;*I_Gv>1}!lii|#qMv*|
z-=*l<^L#44En7*-1<p#X`?-$1auSd!eXV-c3`7K7FKrbT<2P+lmk8?Wu&W+%l+AV|
zPj0kXn{aI=L-;WO&W-gr>D|;3dOg&gin9&2!}Nr(*>~M7=uSCDp*rF0H!UkjI%Ncg
zsC*lA?zhIXzKY<8#J+2sAk52`>N34)$~U|`f=J8L2p>A7PrGUUoQMjO>`EEi|N5Q`
z-8zG_#r=FmRl=sE-^81S(|!$1$Yl=?`o6|&dqHTJ&e7f4tLloBu7dO;%62|-h~DW~
z%5dFSj@jAzf-*ROX9#Gl00|%~a!p*f_iuMt+;_(Lwf%=0r1i^bt*2bQ!kMM>c2>Jp
zAuOM{dG4rQJBooJkrK!Gk)Qc0J?g|@7780#8CX6uha04<Uf@O?!T+-75<XQ`<?dUZ
zzc7O9G7F)wvUeo3_!Kws9QXEDo)cRk2Uq1YQ^r0u76W6>;p0jql{(-SQfmB}GRAOQ
zbSEI$d;#$z%~Z$Yb<0`?c#{}tT7*s=CU453q4UMVq5+?E&=*XGL-t!oSvhcW@Dt#f
z{;7VyUqpo~%ZAQdgdHZ4AOtqiSD;`%SOTo$Y7#Q|V)u<ri+k5LKBtrU?*KJ=J$Z~y
z+*?MY0?d%2w!oaW`<gK_j8w9lrHEYTrN5Klf~)CY{BvXs&-SY=LEyw{Sba^$!t<e)
z-iBytb%;0hZpY0eTyz~OXi^khHMPG{^DS+}3_E1HB5C#pOxCnNmYVB!s)jAkc&E*r
z#W&}`bdW<0zcoF>DxNmSjhnawmIySHL23{u_W1QmTLdLYe5mxUdSC%&<PIYN2n7M7
zLu1(ur6(N3%`JbigzbWQR&+CE?YoXT+UV^G-UkECQEy;Wh43AEIPolao=|wo5ekJG
zfw=Lg&CP@SpI0|G9{8p{KQk)Hh=OYI$XxA#k+RRL3)ao=-8fcdEO?_(N)<;JXuhqF
z%9aj)m&?za6;mOI7eve!j#2t~<9NhU<8b0_N}fdb^vn|*7^ShG`IGa}9#_kbuOcGm
z5dS}CbNfO40mGO~mAD54pg#_F#Nh6KI-CB(>=7qSs+OExuXi<YBBdxGAE3FAE*Ivb
zWUEh|2ot*t2A#oxNQRuu4WCyQCo|lx8T&j12E~CU(5EYL`YFI}4GwG25v`Ip$JhIv
zX^^1)33~*^@@CYUhEs$V`1B576^G3=b_l(O9V}Tuy$XZNojH@{qm0~*S1eBv**8@Q
zpu@YRWoFRTa!qnDe!Uu*%$5(h=~?In-(;pZMxg7Ir<j|TP>ac|_aPW)WQ{~1G>eAi
zzZ7x&*ZJLVtDCR5?CEkuAYK?Fo}#2o04(vl6%Z*f#Lha5#Lp)H5v?E`{Q-5*`mHu3
z<0QL-7CW_FRb50vLRB=$kKdfVUPg*soJ-)r`GEr%Jt$ks``*LB>X5S8WMVzP$b&0i
zacWi0ZLX~>Lsw4Qpx0t$Fi?-wU3GLRT}1VCLMR#^wjhhBX`pAEpLEdH-aZnH{<*Ya
z82_6rODA^1h#5uE??{Z3v`FxAqT=WG&1=qM#Go{Bx-T}iwtSvjJ%JqF`QYtA-b0+I
z1NCutJRW#)4JhQJV!jn4x_Oa?Fm2EhZPE9!5n9MdbkC5|+XGN3zFV{BT7XXQb8}C>
zoe=8Jj5>RlP3Y*c*A|Qq0{VTO-NQy5a@*J4sa`tzRbF%4Oj_qje5NkKDZY|H4)x`|
z<`=J+U%eDqv!|Joe&;vIXCh$zK(?+Qb#*iM4Y@BU>wrMRo0uis@_3L*mM)h;S2PB*
zg(LEfQhI3WWUL+~1S3M_2}#7N6(E*+K;dC|tCNkE@4mfOzlz5~+l<Rlm@S2CBq^Cj
z08fsOlBFSMC7}#PiKWCs>FeKyE;w#D4SjTcdwHP9oUl+=zcZ0JPWJO(?pkb)etp`C
z&-;PHC5!<SLZkbiHWsKaV+w|OC+RhlOj(`zLJ%|!R$O0Q5s6D?5$XX#Q00A(&JS=h
zKvBjPk?MnNqJbI&h~u^s$$f9614hh5K&)6Ga>(usO|Fmg=nznoBhnU8B+X(JHLhDU
zWY<N&hY1(sPvq$Sr{ZX%={iZn0WBO<8q&-{!2Pf8$Qv#0#!yNCxNnw9Dd|e8b`LbW
zpK$)Z_<f+JYVC$id_QUV=6}DzCpTHaPtrBzwR-!xp}nE=LES;4ZqEP%k<gUTG}DCi
zF#%+lKmucGVxm{t+O?O8L5cw$h+w<ulo>qHZ=aQ^(EoDT-q0|2_~p>Y|BS%Sbd0Ye
znbA(b|FLZ^efgo|aP83g;iccCP7{sj;&q*a#r-Urrk<zdTaX{&%dol|-gD<D65DT3
z+5fx%!rUBJM?ntcA|U00d*sCw-|{-<scc)SB(~V|_UB!`2h`7bgq4@Ed>30uv*5#j
z<{)&($y5xH>Smp)ySHnWHxWFM_gftkoA&MJoRF~X?W`Kg5Ic&HqZupL$=tXBlW$_=
zh-7B($jm}%BXg#FFI*1STy&TUrq%HNPP=6iz7-VH8%=x?{BcU%WJj`BhQe_z8d+7^
zBksbFS6RZck}895Nwjp){pPpk|MsFb*Jv~Oc$amvpESD(>nXf=7jfzT_N=$4{Z{Q8
zjDEJnfid;7ltvns;N*G@&p_#(PP)Kd<P{}A9)mXWSFHLNZa51gQoHlTC4?ZNp=#CJ
z-6JRK>u*+z*+j#~QO!T=mwt;-d6zVdYX*^FG7z2_d-^GYFxcnPd$X{4<Ljwck{9~8
zNu83&a1ls{=g{=+isUW+#)JRqsE{-y8dC(#Ws+r3`=lo8nIjUq1xTr`ru&O5-KC>^
zxomFP>mS5Sqt#N|(>E=HnYhAH)1zax7zKK{1x*taxz=5=x?av5R7Io$RK8LKL_tie
zvTh91i+TROT>5YN=u=Fva-SYWey%syeaOk5@tic!by}ig*41mN<F+$o+w48E#95-<
zzdw=LtU6sxLU6fTaLvyD>C1S(GTG(7==w?>*8BT6_J8QT3zVQUsC`xlf4W1yD}$O@
z2RVUDrlsqy%3)j9@M+eokw=!3Z=w<<fUw6vfAKK;c?KHeGWp;#*_m~7y$VD+%Tq!c
z^IHKphNQLaf<*8xqUf&mS_DQ&UH(jve^h{&M3J&^x$Pt`3Hc%0C9ja7fI8u8$vQoY
zC(9vT_h0cf--mT8dwX|Sts$Q72$#<&TU=qrjeduGn=}7U)}5WNs}9|se(L+aEi8P-
zopafXmq`dfwUr50$9dJ|Ic#zvUgBpS+lk^*`$Ee&ysjH1Hg|T6$7?`<|9>=HV^n2d
z8_$}WY}-xKWZSlF*Nu~HYqFbcdopj6CQY^`TkrXQc-LyJKJ?+<bK3jaKRwTuJO6#x
z=H#SElhS?z=1ZEkRD<wWLU=-fzztk8*D+L8Ri(&BRhsGc+oL4?wYOISWz1puJe&L<
zH9CCr`|p<sy@H~W5-BMO$-BAKs7u12qn}d#tVu@sCMAbaU&p`q>^h@n7NI?~!{U2>
zRwA)A7i`81FE1w}aa)@yT-R*<q1i>uOoD9b^J%8b`lA12;QjsmWTr{x)VVbTa({@v
z{hYq6Y0H$&#}Tf_+uOA!JoiEKLCWLYnQrHu{fY`V;9qO9Os(JDdo9|x)M#C}xgOl=
zqs>$_r;Xd~I~~0<pl=Z+pR&E^AdmvDCq*I;Kv>V04?wncf`T9=A|eXd3WCprRPM*?
zQk`#>6ansb_POYJOOhUXy-Em(RX=(CF&owjX#OMG%;ZBT1?RLvPvbUPC;qp^q*n(A
z2d%*9gSO7}w{WtZHHeKAmuSr@s`i|TRXZW|hZ;Rc?e4OoDO&K)3x+BJuYYMIhDLgU
zv$OO)l><%(s}zOD$ZE50w)Pb6Oj^A2YeL!BMvnuyXvlD|vNjEsm3D~apTSQlsdI(d
zPQ5F13=CQGo~3iT<{#VJ@J8#iKHES^2<`|?Yoyu<P8*g$X$hL#9Zv#!(He|lo?vg5
z>8R^<LNCkQ_esAnIm>oz*o#pjwwgJ8<OLND#f%l^7^tg<TIKuwF^)xH9r1_U;trey
z_zLj;z5A}>oX|wjz?8F4*<=WcqGL4Rr*E-e9SVCrt?Pw2Iah^d7nHqTibi%Wu=jKr
znHq&>Hb9U?!uDwv{|FtQye9hs-dnNl7$^Pae4{;cpdHT5x|>Fa8gWQ@e)AeT>g$zh
zGk2hTAs|$`-ku#o6v4v$bh+WYWZ;?P%zajt>W|k?4bh26-Uspf;q_)_27kdYVCugw
z&3Au$4g?eSLOYx6VQl6*uL-Mh2n@%<*MX-M51I>K?Qc;)@s{}P;|SwFXl~8NiL>cx
z{Wwaq%hT7*tk-Hhna&JR;0J7-l^Gr(5d<BmEf0vbf56xX&3SgU{}fAh1-=B?pEmg)
zuZQ%9z8rxpqGMYD?}q^_%br$EHjYUPe|Dgr%F0%Ux$bV;ZH@lU-JQR0?@d;Ix5Nhe
zP2G9-k~QQ8+l;(z&JP9MbR7Cm8|I!g&uM7Xy!_=zHCd`?V03VD740NU+9;QL!Q&Op
z9%n;)>2A8&57p2*=`O$<2vW6$|2>4aCXKKnh2WhD%6pv9>Sc3ESY!3}-7HMXZ*EDb
zVIK4R?y554!Hvbvv4_jG03+D>@O$~=rwt9?&p?HAoAS!JkHTRE*j9b6fd%z&2k)Af
zmS2T?jv5?Fj3rMI0gv$So&gV@SH`T51c$HO<mQxtk}}En>!29{DQcOyzK^#HGi&Q3
ze$nYc!Mh5jAkaVB&;@5O=}yiUYg}L6;u~?c6$_08bu~X5>-p9GiG%R&eExU&mycFY
z`Bz&vih0{CeXi*+%Fk;x7#dgvQ>ZI-8|}5P^Go^~ebp6$<}JD<-T^<$GM77hA}rWZ
zb>{X&m6Y-`NgL+}ptKaN6qoQNC3la_XlXpBr6O4IkauE?UMZMxVyv?)1p+l7RDoKL
zCQ8$7_~qsGP$)q66nO9pQu(vLjWt#;(bQpDaL^ztb2KO>8<u(vEjZ4$)&zk98$5xG
zz&IG+Kc851jb?Y8_c#lN*?B&<#!<DNp9F9x&Eb?t9l{GeLYnJXW^*}_=yka6Q$on{
z9OAlyv)v5>j_W?2>qh$kc_bINDkp+In!*|Ug(9>W`iHi()4BVk`R$L%Uvb?9fo|b*
z(^?B*>CITL`#{=B-@Cy5G4m}#(w~QTsk2FkGJYQKKny{J$b(1SXt&GU1+?*#v!=>k
zr<LyP-n(YcZGd8g`*ZW>n_^lv^Sf)^9nd#^cV8wwHT+b+jlW0~$JJoZGh*&?TT9Y|
zU)+x`eIGtSUvbzJK$sAG<a-)m?-{_yxuwnXg6iyLg|17cXKr-R+Pq*{Q*U`MLc!)~
zU?cjRX|Jm_+vu)0lO@h}g@+TU(?Hg5*%EzU7XF($hTvws<FmC4mB#z^g;Hx=Jhfpz
zlw!^tI|?B0vy%8fn!NSC{5wsivgv1^E{z4Q)+YCR*bMmK1bZ`KL|u};Zowa-+kL*z
zobiRrxnY11kv+x){L)xuA2uDzVLU5|CyLLc^NAXWm5i@*M*iO|+@+TGj9NWoHy>AP
z-<cy;!;KVZTK<ezOd*OCsED9>@fY@9Iqm!)W+0n{ve!&1nd>~OM;taxsNun@XYTY8
z8$O_B-p(3Uc;ZYLl~rs*_xIRB%iEj_xxOZtQ+1M{K<7dwBH7-2{%)pN;{Dn9JMZ9X
zeEh!|%QzlXr;gotzAZQ2aeEUhX7Z98kUv7dA-LnYrOxkMzMGSiEz4`Ww8o%@F$1U8
zy^9ItudGs_y^wn0SdD7H#+l?zp2DGe!Bek-v|KH^UDjejdi`QATAN*PcVyjJ4BBzg
z*fp~{5&jRDw*xxIVrOTkL1^M`XySfo;tZtM;>82$)1S89G{M~MYErD?R9(nw$a;yT
zyE7+%yMDXoqX`-3i6BEu#g4+m<J@*t)@Gu>;n<&aUkvJ2IAstN<jrgMcz7@TRr_x|
zNSlI>B&K52EXrPqqCz4?hB-?EMI#wzc0bY2Kfh)9w1K0;Kvsu!3xUM|tJb>mQzyS8
zqk9*YC{FpCA4Apws*p=6*P>RU^6$9B{GF)7@Rkz>A$lg~gR=Dz?t5Z_ctr)Pd%Eay
ztEP*MldH$wgx$xhT}`mJKp+Z4Jeufxgeq?fAm6=jg`nm&ycOE|HW%AnkN+t)llxP{
zG99IYcDWX+a5^E>47%9rE6;M-acl8aBwS{Smd-vAC9SAHdIp`3DVC}G?=3H1Chevq
z99e0nA7%8tQbSw<;yLAs8?O<0XfwJf3%v4|=$$+ODAc8Z9RD-DxxdW4(2^4hzO2k(
zh)NUZH-P^WsI2Uh%%gOV>?byMaaj2sDcGhHanURXP0*jbKNBFW?2kNmBh4G{r>NNo
z@?&tBB5J5{h<$UjWCQb%lO@wBcNw&XLwR)2oncgKB0^D{7xHZs&*Q&unMrwp%)V|f
z$Pw6@o3k+l*w|&btSQJbM^hZY*y}9zH^g5RZqM$4)sFMgMK7nF{4sH2B)I)wy|52`
zu_5rky;++@i4X7-_T+Z{TAnq-L?z|nyzdyEhSgAv;6I#Mt;VorfDS6_+~RooobXPT
z%em}>WS=^qXRzH>S;3O3b{%+w@BTN#@Z6s++hWj4PW&3!jL;A_fW%FlMs>_pX7dM9
zTa4ZSa;pP?F`lm9zi0V9bZrVGSU0uW%+nwQZyCoLKy3x6YX}sVTKp8dA8(|C3KR}%
zq(GNaI=bwn-{W$VRTdSNfRZUGp*y3HFv;NeDVXUT-qGQ|pZcnv1|K;|OhuA`kPx#I
z#vIbQWG11}@x`k5VLXq%rpf07@C?i@+?F<glLSp7iEZRHwqX*1oD=-yIHJu5VU|wp
zsu}w=-fe{F`_p0yszGDJ^#}Ladk#TX_Q_54V%mEZYIFQMa{mJG)P;c#i#zGg?zIxo
zgRBjpi+=0F@iDo~>O6rpLYMn6LO?s60qO$)6Jodz^T|S+pM85n9@agLnv08}Ki)P!
z-h$v;S66jyvkoL7Y9PWl7617Z%B#Ta+-S$>EAFGR6Gp^Q?EO3<WmDE+2+A?rH7YaH
zc^^|d?<Sj(VVwBH$_|%`BNI8?<h%Kc+;4x5g8s|V*toy~O8CFtiiP*VK~&pHn_h$7
zrp``+P&C}Y($u+Oh<hk*aRixww^O44rGfZZTXViniZAD@T+VVj4L|8{bxY^TQzR5%
zIRGK8i6JvO|Ibn5{Pi$BwJfV~pYdX25m{-6p9Xun#hT{>@sCLJ`@W3qYcSu%UX(Zm
zF#?Q-ifn)af(t}@l4@sjZ?EA~fsf;VKA1_CC7v)kx%tJ|7(&eGuGQHC6Arp#Td82q
zMPv78<4}k&ZwgbyaP{ZE=&A=qKO#$>oJjcwCgpm}$BQrkfmeZp4GaJ1I3|nM=jSpk
zqnxYeYTR(sSxc@TpXt|{Nnbf`&_&NfQCXQ}St<*>Gb04<;VV~c1M!s?|J`Dp|DC{e
zsl2?!z0>BRCo93E!d#?kG{<C2h)ACwO6gv6nNDu{sAWrJVVvFMmm41kp6PE}MBL6^
z+>2{MZ&Zcs4S~bI=Mj~j0KY<je)4)g=Z3ZPmJR%5I<i~^7;R1$x3|qt|Jh2=u(sIP
zKzPg*yre9f02L{Cx1eTq%atOd;IUjfw==-?;6sljVkj*9Q6JPPi+?Nd=Yv%t{?|4h
z$@f<}qrT2m04=3Z(ju#;MqYZul*|zX9F$_N0Ht(DnT)G+eI@A2bFY}#m!E6_3r1Z)
zg)wPbff;0#<vu)x(B?i&z!VL4H{kk@#a`tsbA={)UG(3o0i1%<u(e`>N6VfJ=JLgU
zAPhIv!2fo6Pe~Qu@3I=2kUSIyI(=k#`pF$kWEDn}%n+ad1Mlo8>$~Fo6o^JmsO#$#
z@KH{Ipm#a2_qRZWV6ve%{}0ChoF~e0^W;rnCy^o;ciqm({o<*EL!$`ge<~(@JBsaN
zj8I@=U~<OoF#y^7OAj4|Mq5vXZoX{H?y;{Ay^9U{uGI?ad&_WCR3RqCI}*ddP@AAb
zNa?-&_{xnnTEoSpc~I=yWTB^|M3uY()elIyeA~|42#0^|@J5Cq_(KyzAOM1X_idr~
z>&M+J-UaZD@0X*lK0K!<c6c+){(&>*3lpiCVef(hOTT`zMxOTkd(eF$P^E#D(Tb(7
zr+U<IkcCBzFL$)|fXttzF&zbJfbt$C_S~v6daJCpS%rk?gJnhDnulPiUpoiCT=ac}
z>@=@H=!+wG=Yjk=uM38bl?j$=8641th1S)JAk@>Mj)>U`2(1D(ox$jtvb#yNYby<4
z#J^q+-zw@*k_uHYcT;GxY%QcQM3@BC5PQtk!tlT<$`}y5U6hh*v$GB<v-U4<51Xhz
z=a0!kt7$@g)6v)@5uO|j4L5p$MO^hv?D^LP>_7nKVZ#TR9_9s&N=jn#xI=t`5|K$7
z1rmRcx>XukZMz&_j42_gAb-u7&QvyHC^=%GhZHvPC0pB(t`*rF@F@K4KCSI4sI<)i
z_2z=!L11rm@;yn>vBv*+1kUCRgy+k78z%UP0%AAkruY5*{o8wXGL`m;9h6-a<LkZW
zjv6m9ls!&#RAf|>H?3tO+~?-_OCtfVA3g#&*HNds(kjbw*0F_MN~1e)_?(PEHm=Pi
z#2n$07|*bbvRL#|hUJw6+`i^iuJsPDR)A1L9E&ywwIvBr+C+i6CO;qR_dK63`12v5
zEc;~pzCo+=JH@zu%j$$2zo|`wPm8d(ac@|WH#tQqOc*S<1*OG1Og5f!s8J`k@A~DR
z-*N10d=q!7Y481iXIm(mKkzI{nwpw|@(A>Rnl;Z}lZkdc=h^qNp0u%HcoQM?y8QyT
zAPD3U`UI!_r~@~N`Ms1kyF4%OKMZ0dZfkUO8lTkTHlSdmKfyG6o?QCC(p_gVCskGk
z70$vK`rlD4p@b&{lthIFdqh%5@Q*vU8;BW{!pu~^8oTihlK4IUXnl&-weug#ydmWh
z%w%hGB=y?vJQc!hT03u>en!{BGxO`|=@|i{5Nh>82{NhtX>)5vPkuAKD0UMpNkkwe
zE&Axl=d5mLmF13mFRfe8o2ZimSo>Je%3({bZZFl@cofBe)pt<mOWD0;<H%9|q{v~8
zSvsZ-AUQJ&XlQ5*HZrwAv;)HNMsRR2vE85Qywx5bE(qyR;T!|K5gs=PIPy>#iZG^6
zXc7}ml|k~7@P~&a?b&5A)H16u1<?JMD-ayn8WeYn8;k_DAriHo<14EUSdjUFy&}+y
z`&MOdlqnp)xmc$kNC_m_N==97MA;X@$4;As)oj9{9T+BJBtmb*(b!UaeE#iYmd)4=
z1NB>+d^EE^{8#<QZ)sf@b}6yK-!u>}JckhyDpMPPniSyC8LYENbo?)Ob!nY&{rB9D
zx~YyxVMI+PL?1uHQ(N%QJcxo^Y~v=~(r#+zFvf02JMdy&hy!H`bja0Dy3#538E+C^
zYMA6{nhD@$?<~tzL*Mu9;GV8j-~3TcG-T{0FaBOV4tF*k-9%{(eLX2ea^LWLv7;%<
z89eTGM^-T|ZH5$%kvV)nGMt&u62+Ob$L*X0cnL^F1=JXoBX~=Yco)Oa0o$L9AP&1z
z(UJik9GF`QwviDpFXZ&vos-!1EZsqa!rK32El^9IXYAaCQzl+{O4C>w1R&1W<tUeu
zIbML}iA>1yJNJ@9=4tSJCYnV9W2$JfLs#cOkMhyRIdr`&&a8L-J#f);4PT3rj_zx8
zsAg1eKd=xTvx{x8_VncP2R6#P&iD6V;gx>nvx<<K!8T5=J#27Vt0aV%fM#boPxqPe
zsh73j;;c7hHr?+cY`FpE4x|GG$+>PojO8L3CtAD%!7m^{R!76kn-3XJ?YoRiGy*)9
z0x=E8hoN%9FHXWl%a6_&l_7e}LI;bObLGU1p=ibo`|m$lTNRjV_(kJuxG(kxeF(e4
zG*vh1vb$=t$T7njlu7DME7i3&o#SR#_Lk06vy1b%4yPyaInq>%CMhOVBw8=-AyQ|Y
zE7D~P-?FrH8%$xj57{jDdo6SnUr+nqPjz^p3k!BD8Chy|w%zp(LRA~(mG#L?t)~J9
zS<HHMiz;o68M3w;yl^7oV@<88;*07(0WxV)qbaJnPCp^4InAWYWh7Evc2T4Hv)Gyp
zQ{Mhe_p(W?p(a%;``)a6$InjiC7`4(Cz**o)S=ia1psOp$LYz*d$k%tmZhmL+x(w-
z()0Wr*$6SnmmJ(-TlDb>>aZC9x3xbM=FSH}3RqFg%BM#7EY7;r^ljO$=1hg8*2LZm
zzjf~QwY_Actea#tv(s>}aXYmh{r;pm{w%HUWK-@fr>`rbJ8P9q?q`ms<2_?@;l-Y6
zfRf)hws_*#RMkH!YqE3lUQd}eM;Y3+wc)LDT5wNMQnH$AHQOBoB&yt`iUno%bO(U$
zT*S)T<;GsQ(G=T#$}QIKbfbq*cLlFQ=&r4;&9t|b(Lw1eR@`P)*?zdL?9?;jzL#y%
z7C1?d{<g;PuA7k}chY`cGN@R>jh>0jijSxM%8qdePz@?IhGW9Wt1MX|orTl{fDg&A
z8jr4(YFqMiV3XiVIF#PPvo4~9GuOG>rKH&0sBy709IS3YLJStWfYxez4|#c|46Oy8
z#clv_ySa(`q`Pjs5>iu~5Eo069tL&KGrvwHBWw~huc>uz)bMdRCOEh?f)C3XBay5}
za4nch>b5sDKJSJp;5RGoGrH%Y@$K%xG|56Iur|A>2!XsxqOzRffkm&E%2z?Bp^G8s
z!edbrp6H1j9vc=(rG!eWbpFXF7KXD52B=qceV8Nd&F!TH1MJ>Uw{Gd4ZVHyq5oKnS
z#ZghM_YH^lq$DeqmDPNC>hLf@ma+4@$YxhN!^W{Ih~ya{Fe#V9x0gA&FS%D%R<V5P
ztysQSjd2>&f=Z5JkrI&7KPg`OjG{0jIO5%CCb?;q%^`7Oq+w+X2xF}@LQb;~CD5h&
zov5Kob6hT+dt(f}MDUq#l4L1{D<J4oav?d|KyV8~E3f!wL=NZ0XHU!qBZp1~ED^!+
zIbzBRTn%=c{X^*v0zykDI6`{e$4w@cwkJ}2G=`_=`HFv*;QTtKM8`kz?4^hQJ}4$m
z5t5^6`37$v3V{=bg%fUo-O<}`|7WZ2{NGwth2_PHp}q_Tj11NN0MyIGEC1m>M_Q1C
zomLuC4c#4Y2xJ!)@^X~$G0(6_Nvd#?1Oyppl{nIMu1DaSnF|L$Z@M*Jw)FdS9<&%S
zylw<45XA?^h{_Aq+4%CO&E7p>QT?gWlVVrUgDn8~bv@`1+>{iOL}>R0<Z(C@@~v&A
z+V%)~OTY1Uc1pQy!|prtL~l3Su~!kWD!_puKZ6m;Lor0nWdaAu2QOMgRA7Qv+5|H4
z<xBDJ+iVb?>1-LOx*O=wGG&{j^6a&~Y$zA9FCI?YZOLu+H(w2bM)L^?l`dGP9`c)G
zE3^F8JRZ*1n|oi`bh3OTsJ|SMNre5AjS)psqjx)KWaEJZdUFfQ`&%lTmro~Kb})0n
z^|dJ}QfxZA)e6MP)V~VHnoC+&`%Ip8E)_U5f+|00riUV369pGVil@K(hIdbqh<W|R
z0e&hv*~plURGYbT|KOYpu-`WPDJ~9J+W30)TH7O*K$X0TsK7-_UwWWlM&NhwEkCHt
z1`?tLf&^P)mfLl24Bw9=h6w@NB2TV%?eAj(;ZhpBIZvDCFG%FLA#aL`qQa4&4Uza@
zUp{*$k7vcx${nIeTD<$V3OWWf6&;2i`iu;Do5yubDUKM5Mma7`#127dh?05U0D!H&
z5gVik(S%ZcAoCWuw#tv-UGVd`P!UY(@3=C645>uO=z#lwqmlHh=8liSZjwUZ`qMQ~
zPHuEFIF=%EI{wzix&U?$QQSzQkA(!Q`rQ=vXR0V=87!h<lf$w`)fwyz`||GU20?XY
z!<`nGR}WEop2G$5gTr&QWe1FgH7eKr;l+QSzR-alZY8RKlzW@Q`bO8T^4eug@$NV+
zrcAL=+MhVJuwTJs%HXH(qGK{K!)zWjpWt#p%hec&k2Q9H0_gqGl1&)X!xLTrQD8^o
zaZcDTamu)LBP(5sf*gxiu2XQ23J!{*$CTn_PtAy=V@}-|QqthS)N8x@VIYA1I(?|A
z2U3akTbEDS{hfq<-jUJuZfDBoBg}=jkw7yU{FNhj-E-^rn48P;d483a9D)eQZ|oR&
z0~U+p@QKhB`cqe|Pr;B<-u?M&?Dm7^+$)%wcqB4s3(eo4ZHt6qb&3k3T^~A2nYU+Z
z3=RJ_`YYG~0y>gr%xy13lbQoWmx834U!J-i_GPVshU?;0?RcD?(doOJ-OKW>4{9v`
z4{6&Tn%(0z|NB#;58jc{(MgC<$X8!L$&T$rRuX!{x_e<_tnF^U=F5NDn+tzUG&78v
z+6b~SZ-T32@D0TXcJ7T7lj4vc#qa(%KN**Wj7P-zd!?$lLQ>LD*=zp&>k2Y1FmjVG
zc1@^5pM~Xm$}V|Poqd`l;C{Kv2Q~hcH-%%PZFe4^UzgIRQd%>6?Ivt}@`wLc;9fZ~
zF8O3(WxHdq#_%CIe~Pi_uB!f~is~3Hq%20{WKZTU#K$ulLxw7aNyRvEq2GSxUpoMZ
zX{}LHk(W0}EKfjaucRY<@&Z1E3erD6u3E>?-so@Y=G?|t70-J2$8;;B6W{hKtLxdL
z=GHGM930@Fs=8i+l#~=rh*O?JJ$$p{2vYyY*f)pH+Q}3%+S+bM(3_CoNf`j|U|C!Q
z0}~Zbz1)3JjT)LGmmR)wFv(Dr)1iN5weLTEG;<Yt5F2wT(i>f1AH2qa1*Ry0>T;kB
z*3oZ9`<AocmLmw$(nt7t^LY@nECEr-Ac@!q&foM$_s3f|Ee||9w3!%X6ee&ktOA57
z$B9G+>nQmk_#mUz16M)8Y6hVmJ*cR>gS?J)NgwD!R~4AW_Eyn|3$y1f)r>i+skzo~
zX)e9|1Xu@c<*mHdH=WGtXmo-{lJr6AG%46}NNLYm#!n;e*hc;~c1sa$7yknMXM(m#
zsgs|_jakdTj#OF-%{`qp&E%mwodbjP>FDWOJw1pz57HC3j9k|b!UvRplTX1f;O%mI
zm<D5_sTyJW&i8rie`DL3#S{CT;R9w#v*dQw4<SRV)+WP$w*7w=prrpf{U{j}zwvH!
zpWpZQr=z|WjbnR(e2$VG{2|df?a1Px(ebmx;rQ{P+q&<j-E38*NzPH0FEFChTgRrs
z3T(U9$W&1JwJs8gZXotIy^*ppWoTsDey?QPyeO#R^#{$U8<QE)Mb6*4)1OMNO}f;q
z^KOTSJe&sKO@^&FtC{uszUy4sB*^;+We>6xcMg0>$LXqCs-~k~Ywfy-wld<qGJ;1v
z^D`Nq;J`%+zO?4d)`*CRz~vWDr>1c5+rP3n{j=cv9zMO8{im9)wIk<d2`wkGq~6`<
zOW$#)CEa!QI-3ZD>;MI?;)yfgCKIK<Z2eyUV@Z^m0l@${WLhc4P+KhR4|+|i#~D)Y
zg2g46FuU67j2avlLqbP;ieXZp=jFn6`0#h^&=NreALS){zCZXYq`8WxW#iQ#cR@O8
z=PoQ=oddf_`MB<Wo+Ti0sjn#ESdCKS&b^mI(^~S408mQK%!rD)<C0N<gtPR1aAHeC
zh2U-JbjFfVkEKNe7vM&LeXKz`LcrPDSW+rn%k-d8r)TheX?G@WeQwdyH9&8zVN*d~
zQ5FKHx=%SBcEto&4u|8w&ttwb+71}0Qdw5Cz?h@xR8UFaWpgUCG5162I@oD*_@Art
zV-HpcCEP^Jra)WeG10moZ}_M@`{Fo)SC|lbLr&&Q(pI1UQN5w|R>_isV=B@8Q^Q45
z<u9YZs~neSF|_}(bEa}$A>vSWXa<)X;>YuV^NwX=-xb7*RnfrW^{W9qhPvzGZW5%h
zq@X9$(DikzDd{g~@i@Ts&tw3L`U#4Foa}S9y0XT0&pV~oqTf}cf`-I?siDsEH`^ud
zjH!L#Pf1oCZYfp%!wcFvAO(qe#=g-nT|UKYrikb5!Zs7E_*|gKM3^8^Gz4-OmIwoT
z>v9ysMjL~t>8cFe3>I4kWu|CnUCMv*DJBo^B93^mPTFeE@yBqYfzEl6_lhXqkZ>=2
z3mx3>Wthn4xdd2I#*3=3_icrOeV=VVUZkr`+M@TK?XrfSE`@_KDOSNf&?^9r__%0@
zn!14yR2J)+w-IRk_<flNxZr<diKymZ1qtbyJ-7&Yo1mnb@#@i`9(!cNX3Sc2nLwV)
zz{ix$+gnrp8OKusTYY7UHl}BB)A#)~k=*xuw1`3o7$0l;JPh|N%V~pFd%WDcTTQwQ
zu`bEdmA<^SqDu<aS%~Y##x&66Fv(QH$#ekfS*ID?ZB5i+Ab`*0IZeg*-K5=Wfs9A+
zO$9@9EUR?Cm4gup$H>LSeYds;`mO5$^(;TKL{DmDr!FquB7VH_$E@4D{7?6rI1(=M
z(A9H_($MJGuS))7n%ShT)#EcDrj7bC-{Iu+;NTt6wmmnxp9a9~dc{pXNC0Kp8cAsV
z?U^#sNC!jS7Z{|1$zgG;#Lqgobwt9-%F0i<Z=g^1E_3ws{6az$f3?Z)wtVSb^V&Hb
zH|MLX_I_y~_Voq`XymPUI`2i`FRBY!i;>{(R?GtT3c2x5z6q}7JcKP${5ow|@g?ct
zPno5C5(VHFL(%}$;hggC?WtoC?$Oy@%m%lSBP^H!*DDBf9f;Br=k=4K8N<$olN&7~
zO*J&6<r!NOV@bpXVTKx)L35_uSsBln)L9p{fp94dONN>O_RKLJWRZe!I#q;JR}nHa
z7+FNfuL@xN-63=2sXdBad1K@<D#WS7mS|vE7M8IIUyFUFh)!i}B;zJV0#oHO=9x=V
z;aAFHD<eI2Ywp}>@2^%0@1u}9)be|n?qq@gjaM8W%Ue<;<7ef_dMZeKgPxyX`7!>3
zB~ty`o5`?mNi!X{ap|S!PvE4DMkV9h#_CC+X^XUYdMNBEEg`<#R>fh$4ZvW@e+4=y
z;<||BMT(s>n99IiR6oNX3bR}8JjxJ<LNMaeJ1=kMxeW09C!+Yj_d^ypkHsYz%v0rp
z!w90vR_aK3eIJ2Cy)R<|&+HK*i%dCvJZpWFmu3gM)X<5A#FuW%8NmH=MJnz_3@`t#
z$3ak>vJeTQK;P<F!vSY=SaFx9tvy55$rycgp*RzhbG3d)^QDuJ_ghg_Ml+VSEAa^b
z3?XdU_*Z<HtM@{@?C3H;PLOwUAmx&j+$o~^)ZM)>dQ$m1V3Ey$-DMCgTtOeLo^J7r
zCK?JI21=y>4F-vg(EkTbh>hz}=QzhYJ8}pjjhQQNO|cW1CI7WL-|=|@K`Mr>+A$Y_
zomlXaorSkZgtqQkq2{DK=txwakqbHgpFeRLHHG;0w6U>@xT%VGwV|QCPER*o^(nI2
zd}g$`s=-g2G8;Vm5j#pU0Efj;L>nfgwHr(@+4yc}=ToZL@ZUbFw7MAZ*p#Dyy-~y=
z%js}t*XxQ)6~k?yXnovc6|>5juvOH_dXAqq3GPWQa@Yf|`bErEc34+@y=%<dW{hUp
z@|2$_m0A+`A6%Duj++~BFQmTzBAQ23n^k{_N=Yf!y0-l?tWW43G-uj2eA?Rln}?SZ
z1O?#idTx7Hf05pAZ6o?2<h;3xLpze2IX6O|hYj@3pN=fDEBoFXP`T2v!whyZZ|CGw
z$TR1>8A`9AYbZzF2gNMevp8Uq*nX;Mz8d28ID%q;R&&O&#(qR{@no2yF({azK(xrz
zDOSh>R-Pz`#0`X!s`TvO+HYVyOpa+PAi28nN6->Dg|{-R3qfERlOV!V&5TG16Wj(}
zYSWe})IA={&SM80q&7M3eMu+;a~)y-F%e)Vuw`Q=f&Y+i5k)FmT?(PLHEK*ok0&2E
zgEgGm<N_r)UApB)hf)#ivQ6(WU^!3uZi1V1pkGi?vr&b-7rMQ~N}aF5u!AMg4^eC@
zZMT4M*VSmA<Hx`8yyf}Id%;rNsoApK?=$M`*z@j~rk@WxSvRSd&t3g_iy0vrKS9|i
ziw6tlPk%W;U@hL2!N~=G)@3r4^ury2EDeS6m2K~(c?=NrJiS(`)loUSX|LInFUjLR
zRMx;0cvER=6SD2?EH)DGH5V_hM9!AjPE<Y7ED283pc`w$)G!+>hmle|LX%JwSAmIy
zblycZOr?ToL>|KkqQjtL3!0YQuE$(v3Yfa;zS98`NOTlTNMlS#<Xde?09vz{H^<AD
zH#28)1XPj#)<bs4pi8TzL<10Uq`=-6Jb74k<vr^Je`U7?qjk(|i?SW|Kbm9o`8CHe
z>*-5tGSO3YaO!>gEM7!IQ%s|HkKgXwgAMycq1d9|5E`9fBw+JzgR5Wg>1x;%Bu0{^
zNJ(v+g$%DNrP}9zxux`(h~y=#>>D<za}%Aahb`}#5L=eMj><vq%}z80a1`ChVIXEP
zkZPkD1Mg(J(lr2a`s<(oTh?#Mkz^nB^96Z(k-$XU<^>0Rz4u%o+170Xh(G7@XbT+c
z;{1izA;6N$gAN(lrrcc}<5s)AdBy3XqzVivw?zt1A|F*0cfRF540Q(VRk~kOG_+L3
zS@IhAuY!y^P5kmmNI6aCbQJ8lWJx=CB=boc_;}DvI8gag!g)r4>%e%h<i~rG4SQ_7
zR3thk=c4+4dOVuJXO2?-%(=(HR+abL7+U!t3`70BZNjDW7;kd;2AyHGaGM-xKQTCd
z7NnnVe<e6ZxZ%Qg{$sa~;h!eP=F)?6gyR}ACD&>ViIece96CZ1jf5rlFYq3J&<u`g
zCks7VXXnYD?$tROQR9TKi*v{IN~gFG2?*vrt<*gTb%HK_3t^JQ--O%$F*e(+@H4|4
zN7YL8W(K_xm4>QoKFSI>QuFiX>EIb-O27b7uwVL4)8eWcKF>ujO&5u0#i{+a*b;4O
zoks@=Eq~po)9$Kl?Sg~r`{P=(9E$>2M?RC{FOvF{r97YvAxo%K$7BbmPiMSDZaN(*
zM#L7(DEbOA{#Ar++Wz8gN0%{v5-Iu3jV<|LRy%yubbe3Thm<g(Wc<Wpm`Z4GYulIB
zraG_U`3R1c*eY^F{ucRY%$$dg`m!B?p9PYHD{N3w34bISDs0Vy+%Y2zYmdieHr%!F
zW)F+c#dY9y_RBpUWPUCH@g)I^W@xvy*WpK+{MVr!WM=nkp2=(u`S8|aGvCQp5+GO;
z54icDdug70ox^t%=p=ef30MjsEdcBfN9ShZ`9%4z+?%2b8XC|qpHZ5m@*S<J(s80P
z?5j&In!`K9VTf~6PCnjd*1vRj7GJQ;50zIo-IT)#FCuTOkqYEUS29?JX&$C};v!T|
z_=?D2iGE5m1Ky-o;-RwZxH~?a7)3=EW|I9TAGMr=rVN0$)_n)1vftl3Q8^Y4!ie0+
zSD<wkg*}y0-~6rW04XdoQ-h<SjE(HChgnl;*&J%NM(|{XaQb2Va<W*^WMM(`vKR!~
z2zN4lT-h8!f_!O%&j(q6djwqmQZ!J}WLydfy&)l=L?CmZD@T&XT}$SWi!o_<zq?5f
z$Ya;BDg_pyMGo-MZqrlO>ryqdAIyfYlC3+7@CdDZ8_xHw9c<R227r4YP=@4*;)N>T
z{^Q&nDnDq2lfeS&yF}8Z9QNxQgTS)g13+*}BL?b0Bd$EAw3U_QR-6=`>?et8-J*WW
z7c*O33@hpD5K0<b26`CYUHo{Zvd5b`w=9SA-N&I(97L3sUqZ-sJjBYUXYofuPZvFF
zo@e-vwoJ9|gd^U{KD!ukN|rvmh-vt6*`PZkG`fK&#ZTmyU|ynEw;%;%xZJQtsy+2_
z87ntn5YY&h#8kJ2R1{jjV@h?}e%{Q6$KXyty9Y>Y`B)jJI!$g~9vOLb`BPmEyV0}X
z7rSZ{X@I>lGdoVuZbL2EFS?re$EreQs0B?{B)%p>yDy4l$=U(#A&?)xy`iPB(eE~~
zB#Rt%2m@NY>0k`GBt-HMMz~E~!h_JEeLmwWV+Fq!K=f$^PF}I(<w&C=Ez9&<QO0Cl
z+nmmRZT<M2*x|1CrQ^AgU{#%zf}{<*p*>1Iy|DA_@68|iltNGAtiEeqR2M#M-|J_b
zo%%kXi)<5!BpXbzVz@Fh<ZWNbQ!U+sv4HRNXizY3z(5E%Qy0ue>!KdB9033XY^akK
z8NJ7Fu;*M19UE5WKm#Y_u2mmz{bAbD_jeCl-E(eK+W^}}iW0bp-NB0Hga2YvA302y
z!u^KJLaC{jEGbnR*vsZg6KNK`wlWhA`jVV>m+!x{tvIW!HlCd{tB$N|QQxO&1zV3M
zm-KaT-MDcqxl3%=kU!HtR;~HmZeE<x0;liWNd`+IgKQ6go5`#m)o1or5dN}!0<uQb
zlNng1UR2=!GGBmXX(9uHOm7a2n&uU|L#HEC4h~cj?xz)Av=nw^v)$=O$Bvd))}^Ds
zLL-a%dB0<?i3o6`*@I`a^W%I=rM~4~9%tvYxYcyjv5(TA+&hPC<;_WbU5W~m(L6yQ
zs>I#5vtz5OhFvg04}*i3PahbokacvvBmxthTp!pe`&0v!;)Dst#EO7@_18*8{p`^+
z+raJkto_NM91$Z%g8%Jso5+Cn=k3RL<B#{lHn;clOX<oq7x2vB@*1~*jljAPw;x3n
z0m?t3Az=v>G=@pvMTc|D#@eQNXwELNq?o~4-YSWShQ&d4rF-!%Kx<Vf)sevAugbvo
ze;TpN?(<qK<;c^?{g`h(a)X2ajGFy%Bi*H=e}p9jy1{5Hr%#x=4ea59UoDC(r@Kko
z5#<`8QT<N_+UyBPGy+)&(6hMi)<kG0A&NpmLiPntsK$@eiCqN7191Y0C#Y*Niky2j
z9~Y0V*pW`M8m5~a<28iMPQPH<x!uc-=qL(rlcq_pFWYe-z~<ZWI)wRnix*s2gmHdh
zo-7}A@E(mBW#tB9DGf5f;-fj^4DMvWH$)Y%SbiV*<mARb-gbUsHRBld`>yKxc=Ju;
zn@bndr$#P7sBvK{dcU;tX?0jzd}tdiKBhbrIZs7TTU{p<;90{3<gQ^`Y#Wzljl+6I
zS2teJcOK3`_EO`1oYoarI}<i}$q`yiF^G5N9gkIs!wHKpqmJ_t>HyGHI8v88q_D!g
zf?Hnf4<*4R6AuriC@#Y_DrP+_8pDLU9K<fbUQt;NI~AG}|Nc_+8dhWQ_o8LzI;JXW
zt>Se&sLUL059tO53nna6Ou%GoO9h+rlZZ|OOrMn3Xc8zCO}hpINQI(Pz>T@N<$S!%
z-2a%q6X|qQA-AcV37Mu5;f@J(%0j*h4Ht75?5^=c9u6b%eWg?=DH(gC-C`3nfS$7n
zFZ>FPnUo34Y7lPd)(Kx@Hf9Ovv|$r3!tb^Efbh95Wl`1G#_aX-fyT?J*G+|m<d`?-
zcJ<|dDgIb}+4)1<V-zEAv4#?o3*Vxa&5JJc86R$PT&Ho(JQV6)bkO_)Npgqi_u`3%
z&e<QLzjrG`)h2kpNKN8KRT9l#9Kj!R|Lx0<j=cfd(c{jK9MBLZL%_d%mbXk?J{dW)
zJg+4!&N=5^Oe?!ib#Mo)jIg^!Al6=2J;+JuV=*M+5m1|@4cs9v)PEELgHP%CS@41D
z?J0NRR^uz`SLiAysl4=WiM`_o&1kNnFf^M}6U%tN_#F&mo_)NVqas}so6kSHc9!sv
zviyYo+~p=YaJw>qR95zFxhWtKHEt-0)ODxqR2Qh6-t+3^OP?5Z(#Q$S@bJDSO|yl*
zLJ`<eai86$Za?aQssS&q)#t<bK8%^xhNf5!P;kfqt6<P1WA<Btne&3M#qlvcV^w7k
z;AAZ%`1c-0Ids8a#8Nls-4t++zVwT``LdPb;&!HW05irULf2}RIi~A#IP1OFWqX+r
znSSEK=a@Nj=doLr`Wh&%sA`>mOaf@}c7O6qrE4xr`E=*|S(H@*A-wLW^CZgjPB=&D
zUfg`=j0Po)Gq1V6uL(6hz3VP8r2lbGoxm;~H$@H63#^DB=G_ol<cmJIOT*jgj)2wV
z&3y%2Ud=y_7RAQom`WZEGaTmV3WO0u(?@)73TfkQgdP)Gj|=K1dn`MYY^pycb|;3U
zVtwCood`H8o!rj_fj`JF&|)lRfjza0DFcw4z-byY6*ECjePu~e5x%iAahnv#Os2s-
ztigrmDDmVVBp5?n3HMBdKCK_$etaD%JO&WB{P8(4W@d(AjC{^n98U(P-dn&`#lEPS
z-w|r=zhPL4&m@azx8K@xZ@OSGWzzauo4!0%!K1!=J^Y#t_{z>%UOD1Dmi2<4M?fG`
zlHTlWQM<q(i%2D7PLh!$#F=!=M{G<9+1DbiGL(}T2{QJjz@9O0mg!PZorqq~?>Jsf
z@9TPQ)ZIKjSYX2^1{$!+``#U@$S0HU;=k0Dy0?go1z2K8LQ$93Advx{Rf2$DETA;B
zTl?{3%B4vsTSg<nl0&AbA&+)(+#(Z{*ClUfozD~CaVi^9^vc-J7DZ}zR7;oB-6col
zS!X;n7lB4aih7#;$j<6Zs>7a=8MoTzf%TqdL87X;0|?TPp@9&ual)fU`B$Sn09v@c
zRVeQIGGTVbltC@)76M$YNZ~p;iYt~ZE}aZBzZXdh9P5~7=$H-dh+xPJHDQyyz!Nsa
zMtL$h5cD^&Rd<=Vs)fVoh^o)$*w|atPk#CcCf4dzedaxz0jDU_qW)u7W%X*w2orMR
zx2X8m<zR>CSEj|7w|`N^#WTIWJ3ecks2{-~`Rp=pk{Z`~H_2Q)VkLPH9I2~zfCSEP
z;HD-!XVOZDTC;BsMm-Y_qF_SJkcn3H7|IH;^1d_V{xK^Iyqf^@yW4=;^}mT$ZMh`n
z3W}vyJLxQMw0->5b-J3yZ?83zNBS?hV1<h~z^&N{PvD%#H4+#H^k2Nb>p21pq~$}r
zRgBOZ7#Kes<ah$^zk=U>FYOkw;%|7AM+qZdi++AS&c^YvtAevn5a8>aRBO6*F<7b*
zSf@RgQk2)s91(ZW=ukt#g&8_-k1}VQln4^Rz(+8FfaC@U61uktyh~R#E51qSs*E@A
zlq~r+9Bc~4&RApR$dzSKzTw|3o6unVuv)M&h&Yi%t@u^h+G=18tnf(W>Km>~{&>5x
zU0+}L7;(sKkDsjWm#t$vSqptPep}3VymsuY&HS#P-UcgE7h`JvSDf9Ff>jFNWq$97
zG>4P)`>XWY?hMg~ho{lm*Fo0B8`iY0Qq}L~z7!n8zb2E!EEY^MY6KHnv{hhoY**Lm
zgQjiKqt<D#d5K*eNeBbI__G^z!X^j>SKXE(>dF~i@+9Q|;{dROZn*mF7V~}Ise0_y
zI?m_wwdDt3S-MGw`W-kCGmO+FfPRHTAg_%DR4s8j>-?KTY8x8yY1HT=;)RCY!02aL
z#PA?b_4@iXi$)iR%+mJXEeBS8g2vxMvy6<|uPF4`3D&<q{tl|}GIhl^Q^WQCo4ysn
z!h9L=Nne!>ww!=GR2h#3(ku{gC$S(?F&KVl<`^@4n@n>@TV{d@4ix%5W}dk>q{gA}
zS%J$KFIJ*#uDivLe|DWP>K0{47qwN9ADzYKSf}^Z>?xT_i$u_u+pF>BvW!qj_255a
z;X6Z`rV14uN(}dG@!)yZ_-2osVBE!q&=0?pr(Hb~pM#<G<JbnJMR1qRO?-DFQ<k))
zTE|HaH*uqJ+jtn@pQ|tC<c~^P4rCaEdDV%4gv%=<OT}A6f?s<B^^%L9)A};tRqjRz
ztz|E_1pIy8o}4V1@pVNUN9CE}F7IhD4k%-+#*r8TimrGvU7puJZo%*F0<VI4ikl`a
zXxiA(;kJn3zZy=3aaz(aME$QE2AO3rl=ZNc-=FWP<w*S-*W2#Wz!&=M$CZzz83yPJ
z?C0YGJ{|#1Yv6SST3(+&EB3BB8r}up$BTlq<|x_>RK#tYWQ#_bF@74r749Wmgh0U5
z9UgDIVZ81h94K>O&K@Hx(Qv3OB7<BR99oHqPaXI;Jpe(GBqs}eMv6b}*mWYdB;nNF
z(HW(>3S85BdzkMtftj86xJO%Ca~ZJHX}OaVa@#y9v+bdZ97jOMoV?*7<nlRIf$Hhc
zxqukzYwcaoE-lSFbvmo0AOf^D*!nK;D%9i$+#&zZlzlgb1yl6ki}Vix>iUXKNC|X)
zmJDiIV_6F~ib>J^xFt@l)O4?7Uq;99U%xlLI=-$cJq-E4v+wWRNlg3{Y=D9F2E)R!
zejYSt#Xl??XT_Jfi5hQClCCJL&Gt<n0j^lkB>%F91_0|+jK)M{IAckD(A~AEc@r;y
z8x(yXCpvSGC@OB{K~B3&Qm$;aMY|;c&B2UYoLif?LlafjJwtcuFj27(*%)_ve=f{l
z@4FvJ=)*#Q$y%!0bbfojBg~s+cbEjG8BscI3M78?CA5au;53vsPHCwbo;V;L@}2mS
zROzL|YBMFDxzTYZtWk6r-~idGqABZcbP1fOac=d+EuF=!O3O=iS*zLOSo|2Pri$kD
zS@w|9xhz5c^b>r%SmJ+2(L{0brO$Yy(iDX#FR#CjzxW+b29qHSLpUDfC?TVu{Cj%)
zLn~z0pe^JwoksmH`vAeV&Pa3E1c=pJBRs#WOX>r-(oL~4LCB~2t-&h(ZC;$}#+1#b
zWTvg0x!*7Y#$ZW@Gk3NlIfN;7)S?ha;?_FrYk={jrGiL0Y}GfZq@JW%nA-MsN$tPt
ztQUs#23#(WN99jWA02#|D$KHCantu5Yv~j@7rLxevnb)xRKoz1-1RyfS^%5?0ZOy0
zSvTDT^Tv_LO8k^?6HB_nBBoC)F%&r3HKt?djn9<~uNDe-g+<8}Z5Wp;p&h_woasc^
z&OoSSZ~TyN87u(ZZY>6zDffbu?Qntc1go8j??nHFtpBui%RE1RJwjbQU6yVNcaxJJ
z<@tP1EMo~<w`R^j=zZ9UXv26iz+u_BFhliwMG@T~Fx|)V!YtNZ=;f@5*2w3agO@!S
z3$-OqCKi<R^`9%xkZ;=>hASU4EN8Yl)nu>{R=EUPq&$7n`MvTFXr?qGQci`kuOl4m
z#!>Qr@MNf(pc{VhauRDvX~ZeeHJ1OJ>#RL3gX{;oMSCHu7G)90VM7xaA)@ijz6icd
z&FhE}cQ=s<x%nBC4!fM9d~=}c@SgalFbg0~205#&eEeM?9KRgD{-%a1;J-I}kC`Hb
zN2KWSbz~+Y?-O>RwzzrI!L1w9Bq&MGlN*a-GFTvm12)H$t^1LMD@y~7t~B+sgXWPt
zze2y((2)PapACo`J@h9&H5pwf@fr9_s3=TYIXO~U4Cl?mp^k8?Pj8)%(l*D}MtSMI
zJiae^+zVpMm7iaQuI7V(6yr$9Pd37=vldpuQ6+)vVGz)i%7f|9`qoOZ7@{vfnjSW`
zUDB*pAK!8~{Yq3W8qM|6eVp1&3GKflP=|#kDkq;=KKW+{H=w{kjlj+Iz9pXxK#jw(
zlBXtyTE=z(ZSr#I<{VXE>G{Ldho?7k!oQ_S7M#N~?)WU1&7h5kzZYs3UFOSMXBAqp
zU)pN}`fjULC|w2cZ4{49UyjZ^U_n+WiH3flgyrrYl9W+gk4aZ_B=@_3ID+rb{N-gB
z6EAjSif#3M1HvFXE$ZL<yj^4eT<qGPCm=IDvagGc-X1I;0$w+ng<c*mgdTzBkRMN<
z#MRx;Tb63O4zlbhKH;(~@QFpGm@(%jm8*DmQ^R%9q|8?Y{X#3M3UdGV_tfU-$fXIw
z_~rh*N|QMt!lJ_tZ=Dr(06lk@9*Dm!Tm8IBrk0aVxA=)>N)Q+X;ekk={&85BFH5SM
zcPDT2v~`LZRev*SL=+n9W;OSag)laq+5qZ{2PeWt<a&?(lk^+Tnqa=DDSr%DZ27gH
z#Q;CNf8Q*~K_SX-(h4h<gtD0P|11Dv5LKvwd6f3Qq6z0Ms7hO07*3gBgLEpMOmj`D
z%E4{rSv>})d93A@hxWTyxiwQU_>9%8)zI&Qi}dP-=`OPhCBKxRr0ia=9yEz~+N}cS
zC*C4-)5An16}W9ff0+1tpukb6?6O~6rHc5^H@0__GXFs~wzAWEeM8B%4dAU`@U(d9
zkNq<JLzmZoB6MKtO#VUQ_?wpi=U=yTW1E$1A8w(gkR8!YZ;|z8JSjVrRGg~Ag*hsy
zIbSxK_+({+rTrch=F^FuT%NprxAGr6EmQ`{M@9iR12_&>yQp9MoVSZfp_gf8=GY-T
zAs@}hlc`@&1|$1`zJ=v(?;9(_UPl*wA-}&Ce;=>%E$2q!2uGcIpAKMEOivanegM6c
z<~psIv&Q5@*boFip7y1w=AKSJ9_0UFW5(oVa+p2FrD=$)bu)szg=Ki}(j^M3-o!>m
z^`LxT9~&xBwY0h$91gEG@o2byl-0AKHa_$mcMe~Lt`J1gj30^zQl(JI)Eh|eo(A`q
zjhSny(^o`W)1?YWFKsY7O*i7bptk&&>1!6?w3riKY|gQ*pbQ+}{p9jh)hC_Wxw>}#
z)!0H}zRaLoSM%G4-DG@^UhuDS@1#T4QA|trJmFj8u#Ys#w0BRz4OK4C2=-gA`+Q4?
zRV-=lg*%VWOnFk;_P`YVTfOPDipyvXW$8^^OUp|Q%LrQCg2LwnWzEW88MfQTr9t<B
z{r$;JzkWNav4Uiy5)d9<UzZ36l?0!F5i>mpW${;-G~ISOnqSckAdQ<VD;fWLeVsr9
z*HZUkp3k%SpwRUgB{1fT4ILYa+!8txa~57S@&r}T%jj&ai5m3!<2B#+DaNd}&MDYW
zxne?%24{A7k2j<c=Kjn9!LPoucw|%NLua$P2M?JrYO<qQ&Z^-@kodqQEr#XXc2DJ4
zB}IxsU*NzI?CijHV$(>%M4#Wu-cEO3y--$}uz?sFkB*~$dCa>n;%juJ$4$mZ%U6CI
zeW99my3JmY5^=Bpi}A#nM5IeJ{5WCT9|<F0@0Vy#A>R8p@1+e*6;)LRrEJdP?~9ch
zf3>og*kRqohWJ9Bld?MF6Ds3d+Fqa=M4mbf6V@D3zV9laq0i0dsBiv`D*MBlhV=rz
z)^*QSQ86nrDnyb(-DByZE2c6powT-XajxD7{i4BJMc*3pF>yLJ=KQ&?26bqudaV~|
z^2j)CvYb9iq&h|jL_l9hAY;Udd8+GuKCzaPf(Mt<2w8!Npp;#AgsQY^^}YYtjl|-I
z039g#>KfBftSOm4A++I*Lo9S^VsM!Ez`{*V3zuh7eeR==b!^`2T^^+SYkjN;$1=9-
zd7Xz@S%ZHVoz80g?xxq3tZV0t4)^yDA5OJgjrYcqqH_5>4J8ZY%%=*b+(rvzc99NI
z=wwb^!lp1{m0JIBoUd%&9)_~K_S`QMeQp^&sV}28)`eopNWTpusXDFqzuU|n)RL#u
z9E~S24!EmfnCfBsxrD83Sx_TDv7zJNe&5peAmCG8bSDu(*|K=-_8f|41YiGfHA?EF
z+ib03RF@ekKAo=A%K2VaE7)FD#(DY1*T?^SvK`XoFdpou6)!)MDl>dLN9q~#E2Obx
zfd9g338A2HC3K0|kJsh58i*I6IDA>zz{+^-A53_v&6uo^0o#m;mh=9?9I}APJ1fS@
zLc@dciyTm^<sqb*bQ<@_0#7hE*8WG+IYwpLer^1YQ<LqQY)y6(Cfl}cb22Aus>z&e
z+qP}nc(3PO>;J6}wOU=>*Lm)}k7FM{tRUn;+vfdb1ddH_r@ES&cs=jye!}+{JMUdQ
zDq31njbwr`-n6h0kg`<#UAc)yH542s6KF|!nCmauee0u-(Hnt>M{}0i24`TI*@03w
z^&=@Yqb^fv>HEN??)vrc&AeE4@js-BW;f{=6Ae{j7Cqw88^^bVQVAbj%xIh(G^ku-
z5(Un)QXPe(Koyb_Jbk5e_Wp(0o*%+SDUHcz*UKxI+bMdR2}gQ6N|jkE7i-Ook~kfl
z@%ya;_hh!#Un4d<8>}uX_113u9*8VoMVX8nSR3mcWMyNr!`M-$c_rc#rK<G{sr5C=
zIU4&HJMJ&G{a(l6GW4F@rEFL?Mm2iIoUsb!XbNq3PBl3AZ`Vjs0v22Ya=i=Gwkzl$
z3i@e)$GPMsE~fG?fW-t=M;4>D@Nu%^b~KL&ho8(RnMCS4h)%uAKZQXDmo#@CwDD8z
z`=c%iuC}hO?djRs*~2Rj4-d2P5OM~Y#4p*lMTjkWiTGqjjT$mf)H$;7#BE^~ySBrL
z>c?1Y&8=5sFOVxe8Aa6i<@{W@33H5c!|~_y>iA{nL(#8IE6a!qRvC6@9W0P4+VnS)
z5xpk+ZIip^#BKAnDD`A<c69O#nFZrChSa{!zi`{G)KCc&=<DpR#=4qr;r6C~TiE^M
zbCt;wSdqk>-=5or3k8t-7j22o&8?G<^6CMtvFt`+g)ut*3)|mnYBF6PtH}nF%FE{;
zN>a`ytfs!W(MZ@#AjD8okUl30PUE_()+o<q+b=07d!ew2^pzO;0KvKB1E-jg$@|jb
z1EO#k!r15qJKg~gE?r59YGIhaEfa#OEm6vLm;K@4pcG*t)0U_aT(oVf-V|VfQE1di
zJ2dR-wE|HccaM;{x(i!2U4tDi0#4*}hccPP$Ft+iO-naw3C)z5_QhtigOAm0;?LIE
za;==|oB)ET*;r~ov(usEYJ&|eNp3R;8hJVtG1REm06XUkkvH<SJ63dduDGH^oZA6b
zCDBdf=^-Kmr#88HZ=sR*DnhVwVz%TkW@3=OvT8lv=Y8wH%g$GW{$Fva9!#!62}Xw#
znb;h*Yr`ld2G#22Bz%19+@5zwCg>+#q>WPaO^%kwHv1-gM71b^)lPOwgUJN<cA~ke
zMwPtm67ggj@q1aE)<E6BPy{V;@+@qX3VzDIaJ1^mcBJ>RV=tqMUuPgi>-e3HP%~@3
zOssyL2&3}d;xY?MZ{t}|$H-auEoyI%Ws(<Smepvi4YsQ(CI)eFr$3T$`9uQ~Ia<Sp
zc43arXa9cvv);zdsGLKEJyxqXs2Zxy(kH1(I>2828?KRYp<de#H_Dca6t=)jh<jl5
ztAC99j`Jiv<tVAo?r7dfkqm?9kZD4MT&A&ll|C2{rNadr#VWAGx~2#3LSa^5Yl0#c
zH`KNqED5Eh{GdhfrnEF9=36P?aohl@9JQEq>h=+0)V=33(7IgpcY}=^tmS&VIWyHE
zR1vrE@Kh3Vnr4YO=H_4189Qox#`X9)Ynbrakg};+>rBUSDRTKh-@}TF{XRcZh>uXy
zEUM$YV>12@#nVY)xsK$+h0?_5QYpr&iw5R!&UnWVy6wPqb2{hGd!EaA?dmm~1gR<}
zGMujwiBTOLHrGn#Z^+{X_i%T<Zv?CebhLj?3l?>B*U+76Kc44=5(Xmgz@XrOLTIxg
z%o+?L9%2`i`EFa)T-$v2%(Y0C@5xBuiQ;AA!eqs)xaAd${x%67yACkp)ULviesP<|
zKj;1}NJb+I(U}{le6QsemB!+w+4-4AQ}e1UxZdd}K<IO)0GzL6wi*izpw2J);7=pr
zLjGv}!twdkB6s8<OqBMnF`g7U4OG9oX|ZbHPoC|NQ`yR7`*-yDx^hlRnP1erU&@Up
z7BhF1io$h-Agc10bbzt5q1EuYG%uDCb)nm-q=<mu8#}#FG~B!%*{}k+#{nmhA-vio
ze6JN1Mjl-v*+k=*tx5uQI9_DEML(GwIWnz^oSAm>BKC%8W5q~U!0orsS}|{Z$FdL=
zdT1}^4~sa)<1Dt`swx8|nWy>2hxg5agP~VS^H4@md5_@%QZTX_Q|+Y_R}N(Qg0JH1
zUJb{CwVm}>it`4pv#&p+hx%X3(o=^5DKd&VPX-HZ?$z6KaA_Ct`%7KsmzwGkLupr$
zV~)ZGW%|%4P+MR}Pd;c>l9<Y+gC}VXUOOO#;wCpprGj$yH6EI4p*Oh91y@q68*0t4
zg>sMyfvDaX5fb9jnhnxi0k9#`+*MhSCYb+Yo9^Y8IB~K%{cdnX=*i@@x@BdPp}%*P
zdTuVyY9r9bOEHb==H~F-CUW|FRe$oea9!4WTI4LjtpqA`J=?fym@x%DS?aBqzrzsI
zq&ADfFn<6G`gx<AbB`2s>~VYLN3h!QWD+Osg9C3k=L^9<M8D-^Ts3*AB18|sf84%)
zF-k8?WhqQ7PX6ssJ|W1tHnJ;r*u5*!QL5=e_qX#p#mA1I)cn<lv;1_OukXJ^jv!<k
zPy<A2gY&Usb5qk(JcBWb0Wtn}8h&k+X7~G-liguVv@jT9XcMK3&8`-NFHel4NQSQ$
zo)x7Qhr2Sw(+h+sGXIDboW>@3Tsdy^1UQ2>+gpD5J)Fk&Px{@$R%+@+kDRzx{JRvP
zbN!(BCQ1x{R75P$8u^<U8?y)$6X;Pps#uxLbEJ2k&Wd|DtRx=q9OxZSZd!=uXaAl0
z;PKTVfGG%{-Qw-uX|$8Y>}QD@3~Uk`^qFSr7bMBh(X_P>{fm*Z_v>??$_u`^kA~^-
zoW+d|L{oNhiI<?T5ac+!kGJQPxZ=tLYY|jW1rJkbxDJ?SKH?w~joekE4OAVHF1}$8
znC>O7zY^9fs*?gQjU^9J&R8l7*!EmtodW(`vms>X|6H60t|xAK2OBP|--0cAHg_Lg
zoMC{dc)TvPG_FVBU@Gx@+74wrHXLwKQl5ua>%3lkuS`xc@wPh~^7fKrY?MM*AD~}E
z`n%%|OV|i4`po)JRJ$np4VR4yTT-62)QQf(aB+hIpLd4h>n&em)<Mr!K$^00D!6E}
ztd@WV^b3Y7MwaWDl>QjgY7srTZY;$*Q>C|vjn819n?QLJ2R_@I4wPuu;jKY;AXML&
zt!Y;GSTLodYNd+-{1=dR8I@!n-KbSE@P2Co%V^o<xuvC$jZ*jP&f|ZdImYl<`_5~o
zbMm;)*aL(IwH$6;_9fItj2sd+Uyp{m&s%Y`<;cbescQs2-)^5K+&X55#t_DMbMo?x
zf+r7a!2`NXL{3N(FciI5WQ;Y0V2H<by{uKSDqyw05%<Bf5+ae*hVF%(e^7PayktF%
zFCt7!z7`C(OmM2&kzm7j9siEY&RF~1iX7FOWK#`vY#%Kp<gQ&zp1OR#FULh-e}9EF
zpiJY-%+}4!%t&?ojiBqNDO<_b>Z~s0MxFNZHVn=K|K}T!^XrfJE!W@Do1!_v!<W1v
z)HXuAuQzQ}c)x#;hU{$>T8$ik`E(3swNu3zMm5-P$$KN3wB0#x#hYFs<f7M3Dqygu
z9Z{+}6-<eLk(jLZ6UgSZb6qa~ATQBllTp37y{!h`k+E!n&55zRX*N%Cv}q!`(HBTT
zctP#teL2uuKpFzc3x$6*5PI#uJ1s^e>g&r-7n$_&uGr~0KlZ`$f>9`04VhOW`b_{&
zA5;8i=*`~8T1Odkhrw($2T$Njhp{O?5<cfQx=~GGk=}5s$8@WT=BS@OM^)4jfPKyx
zYKS$MJZRoa9}PU&#C6cT3&wdME_uZ#W}b=88-TNp4LeE!)xNT_sL;CuT8S<!ogr@%
z9jyiKU-PjoBvsWjZb#Ou7>lo@%dM@z?M4+*gXZ5i*86J7dKCCf*ek?jKIh%m{E$Q{
zw(6;j11uL5PKZe4I8Jy>Wi@~3;9JWUMf|bms7O=#>E>g?y6!H+^%g+&`H+<P);;nS
zc)`0QK)=a>dr4HbFiPi(vxpJpM<<=ZNKkH~#_Y>xO4>HAD-hj3e1xm`3C)s%HoYox
zr)G*M9)EWXm0k#|v&aLY`*KA|LX%+fe9E3-GX)G~%ZyDqL&wuMK09bB&<n)lgBo1n
zY_X>1)&g$8aO^3U-w5FQt6j`|?l&O*bvDw;(mdz^k<VdNV`H>w9?6TR^9;KR*@Rc6
zb3C!*sDYxFPS%0+y=_e2PeS}l#n(e($D)KWYz|fs*s9CS5atw>&d}wUPH<)RjA4`s
z;Pjui=p<zYA(z~$xH?S4-oNDh)}77BX!U+}BtwOT=&}Uu8f!dUEY}{!Gg@+5Vy`~3
zwzq#I7>VUF=V=+Aa^@iY&RTK%sx6|!Ra^6M%<ARo*YY?~z2{u)zRURfoVg#`yiOF1
z46gw$8L6CKAi3m470?GuIlDW3RA@E&MFwB%j$oG6?u$JFOC{9R0T5KG!QuDe?O^#j
zAmOzaCsqaAG1czZJDMOnkUE?`(8x5(;cC5QGHPq_51m%WSumGcBJ3RwEmar&FwW;m
zupBah#*O(B%|^7?h8vz1J^bC7i6zVL!vos>cbW-tU)O)JK`C&sKE~`a4UhSp9*Bco
z$l&ddOVW{Ol#sELt)!Z(Bts+4F0I?S%)bP*bu4t5tB3dv%^Rde%#qaXTggBaz<2zy
zjtsR`U#iLLD0xxea)I_7PpY@y7GiQD015cV5qVz)B*w)#9Cy<jDpzdC-y0}7Ew%if
zHPwtd@kE1az9Cm~QbULBQ2t^nO`X%)@jYaX0ijc;LCJbeF;b)_hy(&cO1YQ@7>XcD
zIS1#Hi}IhBrjhHFRd9c&ixY4A7R1?RHkl<NCMMRniSspBUPtF21ZTWBnXi_Tjs~}v
zXD5$jgf}iq&bVCw**AKXz*1xk%zO%$>ktcr&zyw^VX>8k<CcQQhYcpDs4#vori8FF
zpr=?hQ9gliTEd9U9U7j%apbk7kiPAayuyNJPuQ(ajcc0XDmuk%F{;uxJrkItK~$;J
zs4YsNNvG+p@o(A11Y$Cn;Na;eNiyiU^vmqd>S$<IIiQ4pj`t(hcD|gHQTWe~c?X+l
z05^T><qV~q3D@)-{)hc;@=7w?`$q@`9K#o4w*47e2MJW-@kJ<mptNjKcA@JU-B=?%
z!R02F>Z<yV5J#0)GvJS`L%5lw6iG1k82!>endMBUSr?W<ueGpy>GiN|b`8WU-7xxg
zESdgvi_PXL7&54(M)nr6C=(PFHbM>|_DsCsoZoRsSoGFzXTxPd(jDV_zWn^K0~Ld&
zEHxI$vM1e^txoauoytlR(K~S<!YHNJ>o}*a^jV~3k3vfHhUPD6w%t+=#kbaxkjN|A
zE&nDb%&TZd_5)K@xDIq!v9fonkw*&hoWU`33xrcGSN1jnIqf#Zsf~88?y>W+wz#m0
z8_)KU0$p_-j_E1%4NV<9^O&E}x9%-b3$AeQUzNSH47F>dhbHfLMmdm*ZUWNoR<a+i
zC-|bJ=R{3C+LrsSG10~ZRSTtBOl6nzqgV%d!>KIplEU(xvv*6IYrn`&3_lF%Y?KRf
zuCQr1w2?!~C~+<`-3?8<ws+(hh1!NSM79%MyRR7@%!{z13myOf1{a((h8|X#!0`%q
zHW`T*E*5yDM(I1kCAw~hS@eTva0Ot(j)%#xXW>%s#)_9CA4m~Rn<#fvI?tXyB$<*!
z-BsZuQ%+796dYum^P>K3Y6X*LO^2kqNN{;=ZEUP9Ax#G)3Eaz$!&s@}UkS=im$X->
z98@O+ne5y8MSf~xtv`NFKqoRgSc9!QoWiWs<beStY_JI~wr1gfqd|Ff!8r0LoV3H%
zlaUX%W^GH;8OlcC@l>|<yNc_)+gS`z?woZC;$F(`LKOJ*z1+Y=GAHIJVKL43!HnM1
zsV{T{Kr}gOSaD_=63Z>5ib~Sx)tr~pib{<|#H6j1qkTHqEP66ILyr+!ppnp@&e(A#
z$grcpF3hi#Pe6A*t}**ctAV4lk#5VBuG!Lt>>nqNeI~1@MjXfFakx>)SKTx}qsH<2
zUlLa;m$V2Em^3lTs#?cQl2l9Abg{v?z+4OW6w2b{L^o_56y#0Ko>WErypDT%#%}kb
z9g%2wP(RRhG6sd^`NajUe{msm{%P70X(~&f#_6vA!doPKer;O6ih(O1|NVTVgj`AX
z0!fPLB!kYla5Ve-+XJnnOlc?3uoHBvw^dWubTVSw2P3-!fsK&<G9s+Vf*XxM4(lk)
z{ArkA;Ci8PvySFWKZF#_C@TIXTNR2zPfd^sHfH80+aXb$nW?hsYyb5DGDQr%yljJ`
zGb9vx(iU&d_Lg(0#N>wtrjttar@0UZ&&y2+qh=jUvdOuq8q&fQv2cjCqBzP}ZUwP2
z3jAPy2_F!DtTG6nh)FY5*BPA{v-;0q;}4iJKM=Op(HzRghM1BduVV%J7DbqKiqFh?
zDy#BCQ%*oBX`7Il_4NWp*lCUOF|>lkkU5}E87H|PXkSLeohYC#GP^n70@O1~X|_A=
ztEeIM$y-967#scWX5gi|Y?Wq|+J=Kk3dxJD%>6x)tYt$-u7fa6&QP^EU!|lSenjMo
z^z?Yq#vCn9P%9}awLH<J1;oh0HK%<yPV0hi(!p(BA3l$hCkt?2g8_v--pi<=_kYWM
zO!J7yrP`2MUo~wk+YT9!*Lp(-)&gDOB80@Hl0FOB^Lr}{cbbHxan-~}H<svmCm?Y%
z=<B}FJt>~gB!>6*I@PSzP75P;mP;Sr!5V!PGd1%aNL-$>CT0^2DMU4NfEYaC;nH{y
z)2Hh8^(zm7@u5+lT3&`F;g%Npp^+R4loRW~h1FiAKK3m`<{_Vq`Wy$IoHIwu0Qg||
z5M`8#i}%s{nK4Zq-VA82l8Rsd=|p=ISINLQ3cINyUd}!M9Iewc3|msiGfmP*6s#%~
zUZ@xfrazse`j})8^WD#VCLI3*q5XiFhW{HMHULy-@-2yx*4V1$_4G5=S^DZT2tS2u
z!+X}8;0XL&iCP>}7hn$zXU|?5O<-ZVo0JpZ(`k%=mUisVjNHrUs~1;)LRXeBxAQM1
z1M43vQ{5UID>jmrjT`Bb7c;)ci!zzYi9V=JL7;T4ak*g@8KtgG6ych)g76?}ZsF?}
zdyz{eeJ?=Znp#;&M;7uH5-~y-b@02**ldeZmI!^YRzsJVSLQ0wS;2_{?#i#l>&85Z
z7i<0IYvx}=oZ-xVD}IN_?1p^7c%FEy+Ud%{obJ?XQP#fFP%E)zg8#M6<scYJ%1tLl
zhGEJCk(uexTi2Ap@Z-kf_Fx>)X=;JAEIAv)1D;fmOJL5E!3Y-33HpZ0b{8|@-b$Vd
zCa)9;Rg}4P|EJv@c3p_IwAMhK1b^D0yn<z61~VL5IK0W?t8g-T|GDCM8V-Y*gFz{2
zzZI!U9C?v&!G`>g%+0bSCQEk)XW^-r=ul?kt8a62qg2%P;<u(qsjb@yM!$Aoomd!t
zH@R`w`QDl$G%>LBl4olVh)WA{_@hrs{52xmIgt1oM#$J;Q5_}{{nsKw%JJ&INYX)&
zGt;em(QGqribY=nFMa{Kj8dI3Qn@@8v7tk4aI3}w+{K-E-<Cb60#OWEl+!+1OUumU
z`{-Lh>XW<EzvoOl*{V$3pLH)#ycZRgSRfH23R(UsiOiuE6AdA<RK^n4^z1NKrdw?i
zPbjQu$hGJ%G={J&6Yw!2X)%qO*j!Cz995&VXyz7?VWsJUx!dkcj$8Jp9}uBh4-E~$
zRx$}0F6)-j<fuOks;MQ&R;^11O_f+Ma5PFvCIWMQ)r25YPvYyQX78M<rJf9pUQ5={
z={Wxo;@fV1hG4F!C?Q=x3;iRF1^qC26@{1Jce)a5)hL!b!1bzb&8|VHn&q(n`$w8a
zktAD44>(~;P(tndSk#6ATCGWSQ;<Jt*b%Ae2LQMEasgByg;=`o+usfEISYsj3JSOr
zR0WWNT}bgI=EQP;UM};|N&Ous`WGp3$LXJc<Yjfjtv-uRLnHn?S7HdAt|`4|>i1Az
zBi%j&M-D4O`QcGQhmQ!vC~biK)sD~q5sAgfZ%^IE4n9;kj0-0(oDklljl&*|9GPKm
z3!7oZuFP@Hv*c`i*`2(IsP@G1^`{qE>6bK=Uat8nqattTR-@C2T|&|18OeyYJTb)4
zXUFHRF%&gf+HuAaIR$*g`&`?c@xrYU3-Y^@3@=d|9a@j|uhF>ig$Ou_9`^?}_nl#b
zCEIHjh>i$E@%IHYzS-31%n;qb1%IaBS-{AO$b05YN{Ym<+up|DvPqt7b_#5G-;VR^
z)E;L05&jpZ#sg*z#-x(G-w2kPLJWus4y!D{>2*Bp*czJW*|ttpHs4CzdSp9j-zu=7
zpNg4Hi_cr>UrAl%Z4%7owg6h*ezG=PWyQ&<5;R>gQ}{PpB6QJDR^D4NQX`Fcj0(QG
z8!Ld=%alvmr$;eVbN1Ga<U4h^Y1CL!x@vM8LL!|LCRmzcUpHXa{&DDoa7(21v1X^c
z=J-hT;k;G2{<^9Q6LRmf9p?K7C(h~D%JC@VH{8gy@rV=dR3)YZHn*2LFRNAPj|a0)
z7wdjNZ{lzHl&`Hg#X1aY(ZRKCY0&=qgy&F2;y;0Gus5~V^QJvHf5@$BlOFYk|A?_~
zqCs9Hd6<To_fNR%{LNZR61CevEsTpRR#(M@i=5nOXB^OJ&VfWvr7YhUixwbs@6~x7
zAO-3lw1Z~A(C_aLKZQec)8peZ&acU2sLC=_GXxf<GATFC6|kc<&aaysFkdZsZ3Sl&
zouGe5%Md@f^)=-$QD%FtxCTKg%LJY${#`hq6BH3Q6-<K}5_c+&AbIxe`Rc{oU_6Y9
ztRRZzg@z;}CwJ*YR=;dAZaS+NtBiNmB(2+AG4nb4x%N~<>DzEI3XIsi{+_5GhEAvA
zEV$IF!PL258}eRtK|Ih_wmFJ8I9zAGza&{xpK+XRWPe!Bo(sIs4>Gm^&zt_A4GJ*>
z2|-faL0{W)fwF?eXlU#Jv!Qtf2je1-O#BhuyNFI>;u!p5k`e{FNoGqmJ=_$Ux1sOT
z9>h0N%GD%ikz@Pft0o!ZAY_p{dJrizJoXmn50!b!2Z7I9fvUnc*3bWW0qAHU_4)kE
z$R%nlR`wBp6GCaD7GdmpWe!Uxz;ugaV+Qy9Y-}%6e8dx(eh+98a2yztqsr~wU6_z4
za^A9!R7t%ocw3t-7#1cDxSN|z6EqeTqO-Lpvm^tv4jO|`$)!m|g(qjQ=>Luy{*5pe
zFP@A(h0G!(mx|hlAVxDV6Sg;P(Vo}5;~5B|_r1=D#cJ=Yx!GuVSQ>0G5cP!Pl;gdI
z^!>Qama3sc;{GwtmmZePd>cv_TSPpCv-;d!T1v$C+WPPFCh~Kw3FxRWg*iMA+a*we
zPZfR?!FErJ3<7@i=*-@=Xo3!6!PXd|U8wLd-Dx)S&Rp(~MPi!27MwOCJqBvOvrhqg
zoo)eRzw9wTxlw;8Q3ceMm?>fJm|hK?)fI666busiwaG2mK3=TrAAB`M{C>OCdeL&~
z_zFN~EmLNb_Z_Sx3V!4=L!5t@ukF|2U?EtKS+h2VSmm0@ONiw{EAlqf`l|EV=5|yo
zp&t}UBDQ*J9^uA(&3`5PLt`uo>OuL{yS+Drb;b@w7|WMXeAwK%u`(+sfM9BCdZ07L
z%g0uK+4KutH0RHsz@Cxx;s(R{kNV2C>eGw$SFP+=k#WSk@7I}`nb82_LQxT&9KeTa
zfsKKx@VZ7r3|M)A^wEX?Uin${@>A9P+?LyaY8y+B=X#x0$8Kc{Dxy2E30`jWsHQTs
z#8P&Ld|!;P**RO6cBi2MSjNGu&dk~xyi8JLMXEaMge^~IX@0?a;G&P`%AH6|bVhow
zc*s%Lv3%T4bu%K-Mpm=QXfiaYlIhl!B%NgR=Df7jl=pcrLDAOsLiFF}!}+QK5FOrQ
zh4)jW1jsOdG&ySVAO6nu@+gJ(cSuojQh_WtuYq5h(5^94WF10_DgTtsB{LKic9xef
z*7X8sn%z$s=z2+h#tx~-uKx`gh7rY%aXK0qM574YhNN_JBE#jSvZ@*_DbzU$h6(Lu
zf)@rYb&q)@o9y#l_n~3=S(nfZ#1PP$ne0oS!-wy`A};u~*7J2l<Cxmr=q_qIA!K<R
z;JjUh3fut@b%ZVg$^$&TYC5aSQO3@4fx9W;;*t`sbD!{_;hZYpr*@1aB>qPMEx%`A
zTKkb@-<LW1eO4!xqs;$-z*>+lr)2l%{`fyW)msbi27p1;>?d)u6i<>ZHoG^A$nO`*
zX(s#~CFex_8#Oo<$v4W;UHUO8oX?F`zX1RoldqLr9~+hoW)6PEMw0FTuu{B|8FV84
z<D<3f4r1wfqqw%V2ZW`kdPLEU#+R0+pq%jn_XPgCl((?8#6<YdU1+t%5I}KdVZ>cZ
z)u`mcEIyGCkXN(Qf-me(%--!k793(4t0?)X?HO^#5;Yq3utsbZA`LY~N;aW>y;Y9_
zGFY&emzRA>R)j@Zfb2lAC~OCXY>!o&MuVj)gES8hj~Ef5?9B@#0yg+EHUFEv1UbW(
zyW?~djox5nH!yKgEU3p)aWYhmI&+lE)yB)fQLOOvkMq{_<d4V8#?QN6l_Y|2U8+SX
zRD-@Le8mDLF{AQC%%VwnXdeFYS|}cfm80$EMU(v2x!GGvK~_&&eJ5^Z?hSOw(#_N`
zCP(!c4%%Kewj8Y!AVU0VN*Kw3Brfdxt){7OaM+rNGlxHOe}Dgqk{sXsX}z_b9hOj7
zJ?JO1)5AZ2_JPwqVH9G(74cOuA^~Hc86jZc;D}vRVF!3^LFM{X8|X17bL(*y>EN%3
z^$~y(!bFshkJen%zZCSqazJR3#^mcv*l!3;?nG8r8ug}KX*A_u7oJYz#~=*{gh^h4
z^m$lX!QlUkoAi3upr)n<+%Tnp4^L4^Ne_?9(O8Bzi>!$U|7kkbHwef+7oy1Z6>;YA
zw*Y;Nja`21Q3_ai0MOXxq78Bu<OuBTUt%l1??9cQyVg{|ZhA*@cyMo?%90m`sP@8T
zyQHWi%e+@>Pm-vZdPzSy;V4m*Jple~OFKr^L4k%0C-IEQ%QQrb2Jbgl&$;qfxsOh?
zv-URt^qP;+^*Z(j%@W%{cZz9x(Ft5`9)NgZ-yA<`Pp8!YPkCc)6?Q}uJD6u`Vxsf2
z+UXA$LrQ!`y5XYi{ZcCnF?K)<w&C;<1!%eh#7+^<ZF$NqtjaMFWCFX<lGlyT&KWt!
z(l%x;-Bqz&j*^2G4B}Uw9w?fSeCWGzYHz3}b+S`XK6XN>*J*X752N}aLYwL_b6VMX
z;R`5&UiTXRQBzWz(fvszW<KmW|0EVQ81zE(J}epS-99UtXncU9=s^7q49hYD2C8`M
zsnh0lYMu0`Y(g0g^8)uTdJpZM#ku3+4erzAXsO}ubTE~J7gG1!lv!^)dS9c5#NC=F
zHi+OeTrV2>qF5=_nTYJZlBb0xSscvyl4>)!45hs*R;$AUIl@`gLB(bVDPhH^UHBv~
zhLVyImjHdTy3U|CB)?<w@{t9FfcIMazH>VSkD+%7$Fz1>Sv8%1<Gg_q190+o#pU_t
zSj3o<p>6|DNhB|P7enPddc9s15CMg9I6c-IW@)m=1pg*%b56FEm5wND5gF^qG29JH
zyD2XFM+H1{O~4NS{p??YK;i|B*2I7vK{EAh+mq=)wE`LKK;$pJ2rEGsCNZ#4;rApQ
zyP+j7?_VI5Vz@gH4Tv(|Bxcq{(0`jevyrTP2Zp)t-Cv0MS}!|RPp!^w*2Ws#lGXU{
zZ;0IfS=q#roi{Y=;2ua%7A3pRVn(Fy7h05ps94syECek)PttsZuH6??*PCBZ!(m)o
ze@4r68{bw@F-W^e6RNqlyT<g|t+%+S18+JegLW~*62<7vcMyF%+4}fc0>HOB(gkE7
zK-2KL^Ra8c$As?%UQ|_(61jw<Hll<ahfLCbkN4$WPut$!09|)+@z)@z#H;Jw!D-4a
z%&1hE!4vTN+zj>Vnw8kVHgxy)hgx|GY)pIZ$#)lOU7is5k-vgsjv@p#!1%v!ryOt&
z(kJ)FOj<egY*zsZ&6=Qu@S(>gqge9$kGVNzl3WK7^m@9}DcF-^xb$4Ar(rqY!2b?a
z8WaR9A@8I#sVS9nEf(jasVxAU`|9W&hM=Tuy`=p*>L$PoEEQ9_9f_mn=*7jNRU^_2
z$<ZF2osG@8=-j%`eY{J})YX<Ad#V}TH1o2P^wdd+&aL78R70SIt>hmplg3xG*D($G
z_a+nsetS51xZN8X8iafrjLZm2{52R^51eUd^W%IIfF655^BpU^p4<7ssi+`<g&|Kj
zNliaKJz6J|E6&dT5#?IG$p8992pEA0-3!Uv#6IXD3Ct0F9fZJAL^6Z6w1hDI(V_NG
zurm45YOdUM&i#lBv;rD94A!gjUBe-KP|dm~6JsAvN=nwGajaiNF3*N3vx8=jtxXRI
zl1;{4Iq`>EA}z*v!Mnt2=pKjgJa@t=ja5{fz}9-k62i>cSUNr4o~{dn;jkjCD%%?-
zD_P>Inrd2{_9NJm7zxVFWys2C<FZe4ZUS`Gh48QuL!E?k<UN13@T~emYt;ZV<BVQc
zetn4VEZR$c#Yw{3d+J-~u24#p7-q59@wbfZDji$f9CjPLz%*GLfETgC5pVG3G_gT-
zsRbi@#PU6;$1XhgQ4P|N;D%R}1dTpetPJbw{!WRHJ4^i|fGkW_s+Lx$GEG`kM9C<5
zy~N2k&gJ^_`;SC3CFk+#y8_@d{euf`yP|5=@&_0Ag?WEqtuf}Ip&w@dW{H_d#D_Or
zTAq~_ljrz+qeX4A9iN?A3SW8IqA{rM&W4!m=?g~#WO$-3NYFWp=@?A8Zu?8%B@U}O
zGGHLXObaVSQ=mmT2LPFe6R%c)Ye!)$gCn-0<)joHR2ycF>YrCy+Cdp){@?N5e=wfG
zc<dsHn)c5oE@aL6F{u~Y%*;Y_GFUGhrjXjaKRr+Lr)f7oD3^(c*XwMk4SqinKf{FC
z5|7^a$(WO1#=|!>XrX}#&>ah2<4H56ua^p%Yzr^fW~(Ui*~-!w*NB>2PF2e_>m|p4
z6nZ3mBoqq~Ry4tfKU_|l2V-dosZ0jo3zd3)6OWfm)evYD(qYWCDQR$Gv4lDV@X*Vb
zkDs%@v>XB+TPio$Zz7>QsQFX_%s{JdY&Yq#84Y5)3#S2sW}EKT)2YKY=hHea2$|cr
z0U-wJz?^<L<%F|L$Rbr|O&<&OWqk5FFs-?i;x{@Siob6#zsW+~OhyD8ubLB5<+0&8
zaGYKbJEUih@k%J5uL7CZe%+7K8SDt48W23Hko7Wfy?gAI4ib97ySA?X5CNRmx~2<h
z&q$yJznfvo@aJ0qc!M|13MFLFzVj;y!>^QcrGj#|9tG^z==Uutm9qdrF-=z7abRkj
zT=qwSvkFol+xthgbq0lzz6JM!pQAJx&(EUL@8eCmdfR`}AU^o|^GvMxj2QrD8L{d=
z%>t|RhO{tUVKuf3ThMNsZsn~Ibr^u>fgxFe*GKk0JDx4ldsqrP)2(c;(=#ZgPg9^_
z%Ijb@cmA1gDdY5TCU_BNWusnf2Y-PGnLB-Ja~3lJj82Pz*-F-ZS~aII;Q1>mr$ej2
z)+19Px+Pt%=_njd<;!DrI+%+mdQ!A`$Jlr3X6FS;Pr9Hb2@ze1cxac!{t8zY8(j!}
z0+uh0Hmj}+|7q=kMOmJb4a?U1W8QcyvHAxlAl3d|hfjb-IAqs$J#g4U9Q-Y>q2o4M
z<+RK)!3N)TNhOLPPB=Omfh&`MprZ{xc2}BRo4Dmbq;-~-<~-%+bgHb)hj}~_y8Q1H
zl6BABDGMVp(@$Eb$s!fia`k}!@ND?uB5z}D>1ldkOz2(bfQ~veQy{hP6#iko+3`*m
z{lqO1e^8Rb<GSr!db}&PFXy;4pRf4yIw)LFjMXyTU2c~3f<^xnoWs`ACidx9j?*Eh
zP#k2a5Nrw4r*%Yu`=8eRb4rpsMv2}H2zo$(j_<HYJ7zdu$OwtS<M{sgiWnN7F3suX
zkdtnVJnc2cOW=R#UHJ-F285GM5J*W9(jM)Ws<!K(UjD1J`XjNV;>k?Fp1!vX{B_k#
zzOOOBj)udetBR*ryh~zc;pV>Y1xz~Z3v(`HDx&f#IA{ZVid5J~SXUe-mgzlag!Ve2
z<bEUFt{cB+tb`@vkXj$`<+!nEC4#0&Z?qdXd3Sh7Lrr{TRPysh*a^MPm;p<qAjn)1
zecuGMn(Be-Unv=%SPx7Ajsw0Ba-Q?is#O>h_xXajS&&+RA;xDK9ISDpM6l7%eMC9c
zrji1-KvFSbg+NZad;70tgI%VYBnlb?OD9Mo{}Q-jm6oGWVMinSWoB)aCRQ9^e;J$t
zNwn_gsjMBK)<^bx%Uwi*M3dJ80;3LINAZJpe|sOovU)(nWpX0*w<N*s1l$GGEVs^3
zEdb=VRo|2nm_l*@K2ZSo%LLj2APxYHTOj7{?haid-t_w|Q2(Td>BgIQZ03qaMgffT
zJwG3{lMtqcbL%%@8y_*=wE8#`A=8kAbN0REIro9)1Bf&*3GkL#NJ<jv3~gzkj_x87
z|F{BF&9Ss;f%9a%5Pn|szn9#hI&ogL8$j?n(m0y`{TC3RO@;z3ix0ov37Q;lK*EWN
zSPVWG3i(w3GCQ>Y?Es$LTagGG@Ka*&!|6#0$JLa03Q)qZ73JYXv(|`4ixoOPaMsnS
z7H2$DZCtpgmZEOl%FfWc**7Oz$@&uU6T{aw>F_ebjcig9B#B64`R!jaP>#fXcS}p7
zsL>*oE?-VkiDK~6@7XkRCkvp+aHG>j>M*+GCE{l$#{8IBm~T_jxYG0f!?c3*k7o+7
zdEKiDsYc8}dXyv_{)?#|Mx6LD{J@mQkHvX5nY@V}S-`oerkw#*##X53c&eCb^5CXG
zKBO=cK`$Fj>oGKY)ui`|czLO|Gu%s9BPrdmh;f67>@l6oL~ifU<6!x`JwsCiIEO-o
za;RABKv!NQj;PZF5xG(Hw6wK+w__}z7UjKQWU=Y_4`vEl+SBYAE7HJ!-ueUe{lO&?
z;|ghof<8vb+hO+sh0C66NXcX2fG}n<khrrN0jFqFLzmM`9#t-l6$Ud-Z%|rt-gP(J
zKa$3knCuEyLr2W=&&x-;NJ&^q3v!$uB@y#gTvG8vTghZ^-(80=)+SH@`PkYvnov<i
zf@54N6vb+>q90hW$V~<m<^C&s^Zp17cu)eR+)r0mS7`s!up^n#np`y<7mSML16+;x
zd{odPszNpL4uR<g%Gcl?;1-Cjwq0-OY#z7Jp!?(MaaDd?K&ms5b^7CLH>dWpP`Xem
zclFS@qlMX?JhqK*K<?WG^Urt~*-*(*HI-a%eG0D3;i3v{*=XqdNpTi<D{m>QCgQ2M
zVpIE>U)86Jm4hQmw9J5E7TZ4$bdu%))O$t;SMzFm>s%f;#<q5LW)ktZVA@E3dv>oy
zVhMO2<RC0dNl1BSnQs8CZ!?{{WGQ8gg&-17{o#PPwj|n*LSkflU|@j%3%hxG{=s44
z7(NF#<D!9DNd<G*+F3=NqKywF_b*tFvtnLuw54<{dd@RQJ;}!|3KU|VQQ=EJ<p8h(
zi^TE`swq(mW#!)|BjRo{)|QAX!rOfvK@7Rxu&;v9NQCeyqx10kfygBPd3_&}Xw?ii
z+B`;v9VksJusQ9&;UkKrlSwQx-|CaBK<GD{XaoQ+XV51m*g5*-to>5K4PYjmcqn-I
z)22RejL)?q2|1KNiC)^k^0Fj^5-{;w&{uZy4`t(Mh)7Rg&WI{Jl?-Jw*4#Ej3PsYr
zoSYL^{V_qN0?QN%51oYK+6mN`ZZRUCp!qVj+j5OsA<zS0?FDIfkC_0Y2x>+~M!-Oa
z1~Qh2A7No(p#?4`iVqF{=rjxY&pH5$<THl=<)O=lv#>TX!Kv%9D~>k2v1z+fS5jSc
zDfM*;UWd%PWF^0>5}#?zR;jp}I;agFDK#K(-j^L}cIu|QwynHS70osUvQq3s;mbdn
z1i((P)b@{XAA+TrLq#@2<_941)YdI=aHGzP)zyc_V7Hjp_7y1jEw_2F0QHU$*c4b4
zX)Y<CHBg{nfMbh_5G5ri(}=JVc8!A&A=E82RL6UQ;rao7cGnvRqjTS}#Y4P8uVW<x
z^~17f%a3rFS44I+mi%j@n*x@_S{5?o7??d1TD~{lZ=~xIR{Ry)tl1F2zS&8%ZOCZJ
zwEv8=oPq90Uyv=Lxm7HFbU%WC(@ielSk!<2!u^q?osZW`I{*M&2HMg;I1NG;mykGy
zf&MiPR6#J)+@@oxF$6rWZ%UwybqX_G=A5h6#&uTbqY_0hzUHEgMh^Y;!eoSRuXaF8
zy{9&!+*fAfU=o7N>QW;Yf+8r_u_*PmpxK<PgtV+?TIRJ`+IX^_-!;+^1I}jxYb&RR
z>$Xbv{Xry??~gJa4|*3_Pp{p-zF#~Rn0wf!cuKtd0G!NSAVjn{Nd4anY`<8<lK0Qa
z$;k^qwq^(3B%T3ji#Q=D-bXp19~JBttfh;K?9Q$cWLTmq7!4LR&J{6E#J}tQ#sWv%
zy;_O{?V?H!OX|`6z55!jsSKmU^W&v#^EvQKuTH{<H3WvlYwz8-JoQvNuLtmQPCa3|
z21V|?Ku{ug`#U>30TH=pWVvNQ$d;O#D*_M|alJW-<7v}=mfw#f6R4xwzi82qXQ_$?
zJ>*x>q+!uUKxR-ZOGS7)g(jIbXK0cPjl2FzbJ!9uvtLp<0m69N)RiKG(JSFoY7Z9+
zEWSHB@!nm8iZwMc1@jVWRUQ<C!5mx2TG(rt4s?ASE7`DnL|AB=Qk8Syg<uF1jn>Mf
zeeYL9FGvcr{TkZKuA=hg;PCJ@j4CutRVu#D1K97~1^|_qWvc&PUPn`kuMhzU-g~}7
zaGIjrF9mR5kD<H9pPAHg;--Q-5WJd`ltW6wPzNk_HKgGI25|8>YJ5iN2Io^E%|tn;
z{O6_fdHQ`uEgQ<6K=uHnMEx5xRu{q^_B}Y6FRQkkr&+RYFgGyRHXyMi&1KfDY~+j+
zH)e7&><dFd&}y^=5PobjN%a!DH=Q20_reFjnH}GgQFy?#p{0Ov9<`)5qio});^Hz{
zO_Rnr;{tady-ff#^)W%VCSL2f+<~y}+PFIoXcqi~Tm@yRICL$gdBf^ITkwp;FvMw9
z)wUx!;JZs+5{A=zE2a}+`zvk&G?W@IE%EDJcdO}%{+0Q(w$nFJ<ICVfA|FQv!$beF
z=fodxsZblPX_E&sr!ODv07z7;%q;#_eREx1!vCn2oukn!%gexL>$q-lE`#jRxg{b%
zd`x1yI3}I@)_E~ApimXAyGqbSXXYv3qoDt8uv6K7;J}rE{$aXb1`f@{)Rf1zX@O%P
z)6v`B_Q%o3#NT?wd4TPsq@+cFDAvZ2t?9E9kZ8hna_tVibp9|5l!*4N>n=dlwsRht
z#9J@X#}yHfYSLwz;BEBtU_)E^cl=%N>J<83i>X!@>p!GjQ%7Bon*!Uym=mJ_8{lDq
zX{0eU^CABlEcj9NO(tp5BS;JU$yf}3Vh_g``RLB@QvqTFfw@V?G<(f9*@?FUelRJ4
z5=&;|X*juednE(|^Z_B*+wXnz9~7L#5ga?G)G}?{^tCc3CdP6)67AD&UV4^EgUryD
zvO4#!yba(SF?@?-+IE#P+rh;*0P6(;XokJCBj|p_Nt0mjx!%j>J&bKyDyiVItd-5r
zH?FR%fcIjsY3@5VKXBv6T=jc5m}ndw9Th)#w)4!)&Q{hgTW=a4%nOBON+r{UGpJW>
z5q(`U*2taNnbY|7#T3(>uOYt(0TJIe*g_&nwkXe|KO&ZazDjgAq}pim+HG|uuhH1d
z(|Gj6kbj;P>cC@e+ZZ;LcfeJ4<?zDr%%=6-eB|c#j5^qvnQ(PjW)(;J3YdoF)jwZt
zoUdv%LV*V$fxO|#uzIuWe*A*o25QbAGKo@PLnsIt4U`&B)}ET2yzp?F{i%J_@_|&V
zan8>5cu^URXqG=LURa#4V-VB}J8>mp7MxqHo+6eVm;CktEcZe^b9FsUr(HEM#)xxe
zF)1ugSya3>6>bCep%fy%1Hal1;<oWR&NhHAw`(|y3ADXkiyaSaT$qvfW(R5j=7upS
zb#%-`r0)E<D4X9LJLGwUwh~~pL->6X;teTjCwlJoITRHaK2DLK5S+3@(Gkxr@&K&^
zOVY#({!)<s^c*S|5KVc7L?tn4bP+)ZC_2?m!(-BB$*^HC@gnjGcqqbBR_H*_b{)N#
zn6Q|4uUY*E?5HJt{WX0j+q$Gov!msvF_d;?10f_zGQN0mV=hNH^lGv5L#2U^mY_@9
zG&#(?7I~-2MB|{wWb`T)(vosvQ(smWNq)YCLWQo(%J!)aKL!4-P;hPueGefc<{H><
zqV`x@>DNX}*XlLgZz)ZVT_E%U_D4h1v{nsQ!>N+b)^38&9#-wdcnKMe4x~+e2W!fk
za;Yjcli85F0O~tz4PEE!eWhP}eS7=*%Q3(wa%)#pRH}<p8$S}DA3u~H!7ww$FE#(w
ziMBn5e!1XsDj?e;xn4%ffXRZ#VOz55y<Zp42-BU92aebpXg>FiU#>jU+E1R>b_ek8
zMKY7#6gPdVU;Imv>d;0_#;>V0e>HI<Y<I!4baN^{R31Hm@ZJX(|1tKTXOxP8VPMs+
zGgDGzcWQp(x;mGN$3-WWQM(EGvv>eLGfghbjE`L=$p9NOqmZ-AM=ZC(MREYOB|LUP
z)!^Yyab&{z@x{}5y(jBk=6dn7#_zTznr#xl4C!C^;JEps$C8^%0iJCWSfK@XxH&G$
zzi+uu;jkE|B}G}>kbgtcLcyPC{C#k6aJ2s0UNJW}@A?nM)!FK^Q$_vYkmqQJ%fT%$
znoQPOZwpiYnx93VV_Q;bSB?bz>q*;RhC{^5#AS7&;o-=|wKey+1r~6lxcZ&_@d_xG
z8VjDTEegOXF19qAMP;>h)}5LCLOISvhtIi&``N4I#qQVCa#PYWFk~4{1svk~v4g+<
zQ)mh;R>IBE{j0~cA-14MPQ>Np4gqBn?sJF&yM3p1mK6tf-LSV#U%+UU`aAi4HS=yC
zZ}rwqjdV%lD=E6H{`x@r!=c{B^~}dF`cIUjIjf*1*72YO3K<epLdpMZPgcOr*VFOl
zc(wph<EF2dH?Szm6Lv&}B4c_`i9CJr_V#ujEAZj&4Xjxo{R`>;6tYDqDbZZ68}4sJ
zKcLiO<y2km#!xXBHF&hyXm(PQvhx+L^p{aG0aiJ5Iz7aEZtsTQzy5$sQ4$q9{G8nI
z3K>?(T<$qtKm0SIGe1AiMd_j}f+~diEigzNnwL}mtotG8)%{`@?<}nvmSWkz%Pp1J
zX|UHU_8PvSo1H5)A73F^bN$5DWum#P#gWtC@={C+k~q9VwGndh{Uh$~sHD{CVc9E_
zqXI*~D1q7t@?1H@@T(UScEs+vj7`%n<3X=smaZ;6=4{oYzTT4?;{so&lieoTcGbea
zQ*TWND5JB)6bh$_NLfn^d*VJTK$v!Ob;SiP5!Mf0=_73zGQ8+Q&M}x!mA)Nr*=!2t
z449v&m+68`F%V*}4x{%f)-4{3uzv8DwibAA=R~K3R@T?=?Dz`5YUjWC02<#f<^$uX
zf6!Mu9G%ZH_jfc$aExvKfKld$_o>$A%_PA31@0;h&;odIvWdqapbAW_FD@4Gz2D7l
zy|D<?>6iW+d3uN_fNCD*C+giYKffc%EsQ~ehqslJd%O}Sb2RXmnTLmu{u%4)@(RtM
zgQ~qv@INm=d^XWnN|<l_+=K^0TWD@1QVBp{9s&Up5gvNdEiX_?$(9XaL|ZP^l(F2c
zMY;&A);C^KGo-q;=&lGO@j=!uOQ({BY10N(8OGNfG$9Lp4*I=`y>X>2lfkhWh>$9%
zq)IC>Iu#WyBgd3FQ=CIeq@$m18GfhZdmO+jw!_DSYG&BWD%9a|k&lez*tEiVySGDH
z_iF2Z3?!?5vX=Exr^6)quN0I4LCcx>Jr`#ty0a4cy<Ptx?z<IHhR{bqp{J#xS*Zb(
z86cAB8F1@8rmd6W5RT@Ks-bVn>!igw@5~Z~84bP)lVIlYBO~5FJjk5l7On@#1(KZW
zbUX@e2XV6#f`PV?`tDiCDU8#8ry3%zpGM|(IAEvH(|$9-g#f<}iaGac3G96CozAvh
zpMRCBZrYY1D^w$TdY<${jO^b5x939ffe;Ku-if_-Z@U0cr}F}%8CDDa<8+bY(s+;0
zyAs3!^E9ORvR6Sb!`5%ch_03%OZH>|?O$H|ZpfcgCyI4Aa}9SJ8nzGh%3F)JgDzwL
zL^iRHr)(&n0lU&)jLKmI8;}kCNa9jwTGoNTvI*F_cOFpZ^WQXzCp=~#?!z5WKk45&
z$Pi*R(~?hk-oIZ=Ov&O$dn=Jez%oC-is)8I$gw)n;=gn^Zejdm0ii{ggC}+px=Dx&
z8%(Nz5Z^~e5>MPmxzP;7O|o5=c%V-}rOQS|06eYlyu-64$J~S4E!{^>j0^8O@9*!Q
zYKtEB+>Z}Od9jAQAqbLG=$c=*Xhjl9gPs_P`#$8U&|k`JOW{z%9AnItPm!Q^CHjR$
z$ee|b%%r~{cl8&A<_UrBqe*jf*M!q>9`b!W*0<b01uHKFe4UQ6V_2g)$%4ek4m5ps
z@isvyY1l?7;Kj2pd{2P6oZ_B9;Heu4IW4OH0ph71xd&ov)U?*)8JJwzdIBn<0E?G!
zGS0s7a<aDHcpDGgjgDl^v?_1TZo7?7*x>zNJHwsxIEBkPqYDd;4;W$*&RjQO$Nlx=
zym4*=J=~Ixex9VP1+4aYSFempQ0U!x4<Q(B$*+kB;Oq1&U0Qx#c}~sq<nTWluG0eH
zogYrT29WXXMgPI9qnMYOqO?J$;o?wLz*igB*ABbcpU>IXhqgIYG~nItcAUAE!)HX`
zL;H0=(0;aiRTPX+SVCWc^F*{?n+Nt{<v;Os>>n@z188|GPK<<JWwnE!R=r!*%erOh
z>A3b2QsGpYVY+@NB}Ik%zHfkH3<kP>zx3NYymr@3GHDisae(p%aMy0^)=Nx(Ez*6f
zVI=@wTeG3Y#^XXc!-OPzBL$>=n}@RVV@Z!8bEm+Rz!doeservML3F9*(+O^f>)J=~
z%Kaaw1j_M{?i?V@Qy>e!K@)pU4vd}HKOpCuWaR9Y!)km7X0`x>@28{B?7}*q+}A1b
z@7cg2jTgY?6o=Uc5R2fy8H1MK{wl<i-3!4Mc@vIp3As}m{;F<D1~HkC$PK{klUvLT
zsYA|V;1gw@8e89d-pk?8S=bO^L4Ub%il6)^^R(-I`w$Z%?D8u%xVOcxAx*ghpqdAS
zoq-m>p3n|?nfdvBbvHe3`Yr!+nXH$VB7zrF<Ys{2)5Z@TKkxNEU7Verm3e_k3M_9u
z<R2sAjT?@;D<iaUw@L|iZ?UDE?#{?DiOx2g0WIg#soW0yi%z<9SVAzpr;!)Sb?xn9
zaX6fZKR@-a&@S@kg{B0^(b+f$8+3Hq+E@{WOIz@u2eW+mIx;WaKCRdAti;I*`4eA;
zNMq#zp*T9M0(2z<0?sF=Keu@Z2nZ+HS`PX&><7^gWtxuB;nIf1baF+>57%;G_e|jE
z&ud)lGKWX!k4EFAx%usEGAvcM@3x<Cl?0z@la=+S17~U&SPa_klIX1|VK0D9B@O5G
zqVw~$Q%qR+*9eyY^p+dQTPTdjuzJZdwAWy>%Agm@<d`kP#Mr&Opm9U}y;D_3Gc~J?
z1K|z<THY^^6cgz|BriutDC}0!d*skdX}81ueM`QopGYzhA@=9*i)y?gh(d`p{GU_z
zwNm9C?Fyj45vh2!iHnQd+vwGmMptJjU5KHlx`7d3bqsn@$Bn>QCxu+16s+n`*p5(`
zS@;lT(3W3Ja6rjLulg7^V(?B&DGrlN+`5=y(4RB(wkOX#TkJp|)&pbIZp%U^a4oXj
z9r5=n_2xF@;rL1f_~5%n_WCvsPJCa|xT*VP-M{~#vO!x1e-^>rlfv#E9v*PsqXEa{
z2l^1y?Ch)?m^rV6xu%rJD<Hg0|CETYi^k)a;Es&iTC4V!xcF=`uo3-7N&g&h<u25#
zmC+*NnjE=EV8w?5^Am4^XVYzifl9r+Z1FSnJ@jQU5xqqT6*d!3Taf#oZRJpqxOA6y
zvc}Ru1M{|QJ^A=nocPg_Td|$}?n6w`uWga5S&}FqlY@vMMQZ1d*+`8yALv)u1IS!S
zW!@do`UH@IVzK7YMI#;&Aia7~*huMJPHIpi#zZ*dkq0d9A;Q5hN1JI6KlJh0l8yn#
zMtvd9QhVpBTbsvSiuN~q;sr67Zjd(A-*wYk1i$o+v*)G%?-_T1mD($yPG@8q7zsj7
zk&LfXj?Z_q`#+k_IV!XFYvWIvY}>YN%;cJE+t#GXwrjF&YqCAr*5sP}JKuM$w_5$z
zTBmc)bKm>E_UF2G+ivJCfGYv{HgWy}^t}$O6V8%eXK4<d<uB7~<8rbM?^<G@kt`|6
zD-y%T@;SrVPoDrZY{C^|SotOo`3p@y>4FJkC+3rjM`aR}+#;42mXA;%oa!s@{CDBg
zk~6-rZQ_vzN-t^l{8+ET;ZB`3uCRf%eizyw{)hAi{Xhc<RwT3Ld;&BHT?Zjz0+2%&
z0M(u&UPY_TlNj#iuE;UG|B`4rkIPj_c6iJev-JV8u3!^Zr((&131s<7lsnn(yU2sR
z(q5{QjM15-pn`xD_U}XdT?hKhK$uCrmdBrKV5uV(3nv5df<A04Ex+l4NQTCK2i_cI
zIkXT7`*mT9G#lY~fOza1SCRgszIswqv2K7VTi##9l|l%R4imHfsC``7)X>PwKCXg9
zSdszP%=_rfM5seoZDZqlCq34}w9k}zurwFe@(2<kp=WXDvV*JZtDFB$QZ+~cTAafB
zXd_e@Wu$%>)zoYyDHHZk*YK%_$U$Rf&_;KsDwz$R%eD`|2B*ZrQ^dk+Q4$z}|D~Yp
zU5}2A5|mL|bujJO<@Bfvj+v%Rn2Bmh;}JR#Eh#FtX-@_lhUc;((+7)?U|_ee(n@zf
zAOrzpTF5$lJ)Ynb(up!I-JZkz|3RCYnrecozSL#85D6xw-`cKW_gq6EAR~{2ptylP
z#9>4w?m0;ZQ-FJal+pDIgCBFtU3@6Wprg2jYANLhj5Q88qWnOC|KQKPAFDjN%g-_t
z6>&3z&1390l$pcm??L@J=z%NoQxyl21$3}Cq{kGf@n@zuxWX<%N=vQ@8TR50WFtKh
z>6Z3{mwzvjFM0IxH*C4~Q+4e7fio!vsRWP>1VJ*4<Ad3^BKWjnGAX)vPwd5lfsX*p
z_=90JL*hsxBb~BC*Ao=#e;&E3=AsuDU{WXnQ?OW(7fHZ9q|`!`FAH61DXkR3`5p&L
zYTj)epOGOg7Vb<M4BHn0WDPwP9B};dKBF~cn<Ll&R=ScTlGad{4?D88$A9~A9z=rP
zs{eTx;=jo;pEafzPtt3o2zZVdFzD)}=h7)!h>dci4&h%t8n5ob;o;%o5a7Z7J;<K<
z=CB*>^r;Am78XZ<&&M!9k*PB*)IW7phrS0JxUhXA1|#=xUsWYT6wAe#XI&U)HkOds
zOLAdwq^lXgYViMaxa+joYPF#3O@RKukZwU=cL5=Cih>V|1Z6oE_l2hgt@%!-x{8U-
zl-%p(a{o-Oe^GhbwklvDPcIg&&m9JpI3>JAF^{jWjo^{9c006Sn*v=F6tR_H6q^tf
z9mIk3u_J>!*PM8u8$LPf=Bt@llonx$9WVj*!wfip@gfV}qx?4uJn2P<jD&G1+4})=
z=*jn8HtMgYQj(QS%dzWx25X(w*HXt4^L!SKqmkGrBBG~Z<e9~vQ+Z{uAzeMA#A}^Y
zKVOla@Yk#;eYL2{@El(xB8*@ND)2FAks7~+7K<+PhDwRugqF;0!aj&&Y}Oe;0Q2S2
zP>c}+9AHTKf>C;pv$@|+z6#IxK6PIi85$ZQWlldy0%H@nf8kv23A9`NyG7#$_H`UQ
zq|?$X<i?DC;+G;5%$N!?etJsUQV}52$BJVwC;YNi`#{TrrRTC`ePyg<)g9#fdCUCC
z=0Y9i$ZO(CXp-E7Wk!SXJI?Q(d;@qRfGE8fv2bCKCDgSWSqBv-C+7oDF6W-jCoYj$
zFc>60%`W#gU9VSaU}&dUS#H6QIu^LeT?k^JOki8g_3eDiYg~WzAq%#!o;t{QAyeZV
zOlR&{I+V!<F0&d3KQ6C~<Y9m~5e5wcjV^48&i8@}I_ziLePS2Iop)xL1D@RyFR^x)
zXMNlI<GK-B#v}*}o)q{Q<~{C36N3cyX+I+z7lk!BZGq{qVc&!V!*7zI7H8|D=Ir?-
zGa(=SAnQst;p``hzDwh41suT3C**`86SX1zCk65a8seiTaHq%8*4^ncMMGcI$H(W(
zaTiKoC19mEUXOlNPNFb3H81+mRG;)37$EPZE^s7E*zo(qf%vrPK};bXDe!Vq7=~j~
zoqcBm`hnYb1JtN{;T07T)jF-lKw3<$EAABADub%)!(s8$rqk<h{#sov(=3I0L$;2n
z{TxQUvT|CB=hZ=E0zA9F7qGUnWy8@Sf7$88ODlf-K8|{C>71!0;^ngZ!GT&u16dk0
z&7*C`CQUY!po?q3-DYV^WECypdIbzDCzVZ9r3wBg3!(&Z!IA0{5)j-2JJ^6r9v8fM
z{pea7xAyYZsXX05B975ig|QhhL`D$nv+hL_#5PX>DMqlzF*C9A)7j;F;yio!kQ=1<
zjV4Rg!;JaUG|<|co1Z6xCsjvP&SIF@XJ;(8WE<NY8iJZv(_rv*z4`g}nuDYQCVzK<
z7a9oYCYlIHNMCr4YvD<`z-e}~KVvAQhkzcThTrS@wjaTwTp}&~X2)$5x5nq|_WMJz
zhhDq&OJ0f97cP6d<E;R~G)5;<G*~Mgch?WDUppTeKNN1|gh2A_uKpzT>}U%*{60VK
z&?{n9yx64zHivg|c1Gnsc?4qyYU0VItu53zcaR6a0z>4%_ya0&O+rBK;FhM*R%1s<
zM-061Upej{Up<hJpg+S<>f|t8aL5mi`B?dgP(MW8Oqe;+l1Q<zXE|6`7h}ebruy?q
zn6%Q979XA=oOZLqk=Ga^0Sbetb;B7Rlng@}8Gf>v3!D$wkqSen!wA#`>#V(|3sPk5
zw(V^H>OQ=zQ~$b$M$1BjC6Z1}1j251ErefjLD#_hQ2^aX5&%cmf!p`r*A~$Bb3HKl
zILytb5?f6%`^&uD)pO>*<!z#-tY0IWS|WX6g##WIhZvDM&7;@e5P92>?s?Q6TN1c?
ztsu{Ceos2a{*FSXT)jkhy*2leU(uhR_gy>tv7fGp2j>ev2TUw7hP<12pS9YkQ5Ihv
zELe2RS1<itN;9meLwd1ra<Op6P@~{2?{mhB^;QQYFZ0!46k}5czXE@f6W~;KI-Oiz
z>i?a<yyY!XpvA|a_G5{8nmcE_T4uiJD|YNPa<D((p@$eS3Zxj@-FG6)cQjsMF;7bY
z&L#B6Z+OEiozeB4BrJD=eO#4QojJdAPf^9x8|*4mi)(ADCmDP#T+T~ghUff=iDHN}
zILWyPAGd*SL6~NTYq|Rfp$7+E=p2M0>+xHx63wEr?vAT!>fw*qN`vfPXHogo&BG=+
zA5~cp4iVyRcXiGveOX>69K1L5@M6%{m+iaPeLMDU^V>;b%Xw8bfA{VDkJ`ukSNKS{
zO=3CHB0k(bSfoqxLbZf4?=u%^hQz*f?%xBufD3Kgd7Ap{{QMahuRFp!*d9=FD&YBV
zWp-G{K0K9QWl|+p-j)m9nx1|2h>*~mMgW<q^e{-kR+~<of-c^jO>m-JgrOuNsgCPV
zzQ8&(Tw-a?Q8g<?WYLsums<E4)@l0K#JQ(UHnB+SnQ<5gVR}I8G=N(KrEVVEp<+z0
zf#qpB$ES0-ySMi##uxfkA2Fo)rOi5825rBzRXAq?iC8H5sKk2^y+d0y`D$WnZ1zYa
zo%my#`#7yyTlr-4dS%s>E|++sQhsodSf7{4`7W}ogbnl5ekUi!*Vm44YnwHKBPeQy
ztImoKSZ!NJ_TGwPbk;wQ0fnStK<G3k1LNoBFw0-|_*`;-kZmZb1X~ssc=%A0r@w*A
z`^w7qD}tQap?V3iIAS}TH9-Nqk98ob$f`okjx4W(P2BIU8{JzcOv9jsLh+YCpUBx5
zxR`wlLWDf{x@&TQ>*g#(f3QP`>vgXAe>*CU3E-7d2V$UPDbOOcOae(omOay5#1|*o
z^J`cG?>XS<#sy@Idgz}j)Q0?B3hdq{vOHV~F7U6Hk>i3r?vX>zag(TkLnKduGwJo5
z8;Mq`X5{7|T18C}Ptnhx0?Xs~9P8sD&Ad^yx_YWAx;tEEW<1mQvs4RMbX#kSKY#yZ
za4t4ix)eZv`7+%6g#6fZhHQPA$#oa^?N`h(O3W#2rKH!c(q>;;n3NdQAte!ty#2`q
z0&L+Ha-jUezb12b-Y^v1lbN@XnPZfrJ={3zCiGY2Cl3a#bd@YQ;sWX^DYGFW_X6K&
z=CZMufPon!6U(bVhB(y6F|a($n?qV`jjNNuTxXYtoHAxD@Ufz+AQ4diq3Jipq*?AV
zBmHt%tj6fu?{T`SJC9XbdR;xO!j5+03!|-FJ>LfTQSpfhqq1@Cq&j@joead5OcDpv
zrwWQpO;;M&=PwR3a9eIw)0Teap3CTQ2v6*~YmM2amNMqKmH<V0_a+O1)MK(-GB!QS
z7y)q2h`><df5sFQQ*f)L0y;Bfzh?2jgpps_Zf`zl6iWixTn97v-%jus^R2)m#p<*%
zSW@4n)i8!}$kACdgVLfb0|VBaF8(Q*@KmYmOsX7LCg2P-YoyY}2{*I*U8b1HDEv8S
zQ;iG~fs`l!r@{_IHR8j#0pzgGfrDfUvVnB1;Qx{^^3J`90>p+_TtMa?6@efvbN3`^
zvIsEB5H_Sm%J`(AUDrC5W3Wi$lFSOZ;u1FU1s2G+eotu<6ay^9la3k}6K6R{LkT%$
zidB2|dXCl<TXiT2j?1SJtp%`(K;ZEfRE{uXF;-DXt1HFR7k0bo`q-G9=e`9>?AtQp
zW;I)ghI>=*eR{Ro8y5MqTqkgE7I`|;u(e|oxT6<Q94?20N*Ag|*<8?$0xpd+DH=~^
zzgZs7h30>2m|@|j4xyW1x19OVf5-SYibhH<FZLPlhn5FJ>y9o@G*+H9#K7J<@jZQy
zMV7s@7B-QBRxErX{3IQPjAvb<sKPpah^#cnn9FGe2hQ0v+fqZAbxfSPRyh@Se!-T8
zUb=9tLe6aN&30lBiucdZol6zGP2<!OChm8mo+#kzaIy%M_*J<BLQ7DcrZVv&E2$RM
z(+zRHwER80xV(6LPYo}~<u}~d1&I-CHrGB)?N5;pmkUIYp|j27y!DR-T2xAg8o^L#
zG*FqAu4774wF=|piUUtIb68U6cu+^4S}HWjF4%2F-u1A8YypsEDjdjOz!;7!CU73`
zX5GLl)kLM0=_s>m9NQU^|JJ8CPg`KD_`NLT{$y3B3m#=b*dN{W*cLp$%ex6SZ_qL=
zo#2JFl@M_XjJDJ@oP1q9pNpn;?eed~4vR$!U$@s5A>T)<7{}nTMX)2(cl*r$;O^>?
z$YG5N&b8%oP+Dp`%Ly00n?7nu0J3Vxz&Fa#LZuLKLP4k~NR?y+>ZM3FkUTk9Y#FAl
zD8B`unXy^NhM|mEP5xO9Tz9?)1r~WHgu?(gk739t5fJ2>R2H<{@kJ9s{_z7v-yBP|
zQ4pvTWir~oGkkN=5e#sgvFwnAsYKcHmg5Q>VH(6+XZT(+W!^A~_G$<#2bbTVD(VyW
zMeX(C8akAmuI2BAgv)t)+y0~E!2><uo{!I=B}Y@c`3T(FdP2Sz#*ejb<U{&x{wx$y
zax+Z+5X8L19eYyBRkJ>Xq6jmnI2|KZkO>o#G(kGfCT<kisi{n{OwgsPD_bUI{NH`(
z^rrefrp}_L0AH=EPjk7pJoO%!&V%W9WIm2_hl>JE5`S_DPm=Ki%0#4M!Fp`ENkjf?
z$rZyEp3`(1#0ho5FMz9pZ|M2Oao)8j=E0Sd>M`~$iG<bAa<OmdND6>=o}_MWv*gJL
zly8>Sv6Lt(Nbu0h7}WZ{<rPj~``>M%`@;k;Voh3GSv&?Jf`&pv$v>YTk5Y+h9oUMv
zvZ(H8x`STE<VR^R)RQ`tlgR3a?i#Vzs%4G{nshJZ86{{6IPJFPoJi2*|MId)wYh5b
z5WrLn@0y4Y(=rPUkQ=#Xi!VV^MC3PGkd0X;D}6sun38K{ws8HxEdsnK0WN>Puo%G9
z3**IDm!7m+yn<FQWgZIFE}|FcQyS#T=-Bg{Rm3^`ZWedlatgZ_qPE{|XqW-Ub!u7d
z_YRfo<7v8q)z2{rm=Lv_KP9Puwmx=T#KN^^i0k3&PEjMyVtgK-dOUYd0^B3B>Szpx
zXUo7gNhWKj^MW%sBtnMB3JVw*Cl0@lGa-n~thO^?Er-Q&$JyEmu;R&c5vQIt%>(*&
zx`BTuuM^$!kt@q+g9yoJ!ryuon(S{KeX4p1_S568x@3?ZzqmV4Sjn`Z^052*Y?bYD
z?ah-87#JTJrpKH|Eq+^Qz=<oA1WywYzJZ%$p(G)+t-E_fcyP5wJ}gg~(5GR?lTvVG
zD=F*M^rieZbPODD3#tcRtxxYCWOLKc7oBO?kSMM}HYP%E*86{Ak!n2vRkj*3Dq{!P
zSyjW-(3As#F@hyD98e+YC$Nt<FY4&Wfv2OJgnP3k^cmIp=>8;`c=4D<@%!f)11<kT
z|0BW45<-x8Vn7!I6k#_WVC^#c4rJ#Y%wwuYi2;|x<krrRa_r&&B)We>f<mY{#XKa)
z65z4^X~}*6o2e$b%tv7E-V)zgWXNVKykzA_Dz}8d(HtFltj|YPpp59@XN9_?YA&`A
zU?NW!d242BF-`*BwFP7fmmVuA=6*Pn<)32jy%ep!-2!ynzQgCEgVUzlvKCXftEBX{
z(xjO(c*>oOAeNRn38+vXg4R7yetmsteyBYe!6sm;qHdZfci(bgXQI9hH5=HeEObGk
zBAUvY-Va^TDXUtv-`T+Oh8U6tak^jBUAju>RDdxerj2N89j-+_6pKqw@U82iRdUes
zge<re5w<?ak3>MD=_?|+7uF_lIfVrUzY%t%Kw++WSH1wY#e`6%WomWvbCSQ;Q{{n?
zGQ`S4O<m()%)NX|6oMD`mYRdy9Aj1$0zzE$&B~<G@*HP`QzLmkviLc9k41a|GM2Nl
zZXE`b5{^PjNezOz%THiyKC9<4Ri}5Q!+z7P2bkurjV+ef+4*`0Z42Cq&(Op~v<y~t
z5eb82iZNR0aUW=;i>Zq8$toGeMpj9xCJ(FYBGx94*!&i@q(tTNM6*yO&7>@y5%1xy
zdUEXFLphC&Sw@aRM=>vS$Hm*4oXnd!2(YB6q=K8%FJInHPHs=5tQ*Z5rO8MGZeSs>
z*h?kE#GQ5*y;j3PTE>(7sPYb$1b*_%k`${HuO2;jglJ-_D9W%VwmJZRr>+4c#^hs=
z1A|*1J1QrLo`1hokX5SXyKI&YOwTS=_S=>qXS!SbEvC$~BB&<Rx7}W#+!CG*Q=5Qy
zTsovoPTLQrV72TJQOSan60r+`y_K#LTw@vZf5?J(g^R@cT-?7&25SR^*$5y{ZWf>m
z|4rxc3lsObpI5i;>1@AXS!Jfe?$D8Se21ye33tB&(uwk#o2&T+r~G^myIj+z=u{}^
zP-Ic$8X_H4#r<kr#%0tbf)`bzP8~Nzx++I{wHBUrRn~`E<14J6|9jEp-L#T!*MMZa
z&=G~&?xk#Ce*o-N*z6fFgo1oB@YOu7O~}B$BJK5n6(u*9eq?!xbA?Y7vzQ}0cH!Cy
zs4elixenw7%&2oEmK=QE-xYVn4r+@c*`5si_9vox)m1XAKAPA`rITD%7<2HP*-S@o
zpFK8)(fO#rSvhiW&}(~^qI&`XJ)_~I<eaXIWJa=dc*j*QuUb}|f~qcW9HG(bwza#5
z=GXgx@>SMVi+>ucm!g}S8$GHd&oMXHC`*RiN3+ecRE`35W>%JPR^Q{Y|NC;=-84Tf
zH}|rXgoe@gatk?_n@AMn>;KxTot>SiG5GraB<AJilbShM`^lGFq3DEsat%`Qj01a#
zlI_Wp!6^)^d%8teTg%<lSlr%66r#*6%Tyd9!P!W6Ym#@38x0(8SAj5&CF!`>Vrw0h
z^gVfevhJnYG#E!Pp}d*eFUl$@qDY;*5mywR8(c0vY0TA?7REXZ_Ww#>Rsr533dh6-
zGzfO_33P#($P%=$JAaa)e*Zp6>F?z75Cr_PTW#-Zj>}w?yOwu62@RN_mG{aN2_GXP
z#tz72ncY18x*vgB|LG{qWp^$SIuc3=@9g-HQmmSu3zsDQ5^%4w45i)40Z1TG){}L=
zOu6PcAhKFKa6UgKdkiE^-nhHFeb-VMb)o@7mb)&DQ#5NTlp!Wa5%64JuQl5|Y;5Q*
zE-(AL2V4TV8{$ANbVm3QSeqUUDs_Q;A_d{+F0y}_y=JJT&Hu9is||;RyOF3!Bd?el
zjNPV2_WA5X5`idT1LmR{Gc4mW0;a9<f&?iPU$jygy5Bz}EaLpn5Bf73qpa%NSSx5$
zd1?n;q}|P(+qs5ec(rI<cPx9k_^_nZBttKp$1N`xcNNU8p~<KR=F0ucR~b|?*E8of
z*p7&CV~98qKFVP)fNfMHv4{aw8E%<`LUs>e|GM!HfXb!SF7VX3{jx^cnugJlQocoR
z0$Ca2n8$>WF$C6+s(3<1v<yT-eJkSwdN+GcdV_m-#;iGH%7~lY=s>&1z;<(q_6$F4
zZl3GE<QKKdsME-a$g&23AU5_3iiryoLoc|+H__N3PV*H7x@%Z40tX_@&zGpDIId=e
zw^5dVv*k0kTV1$-#ye*ZbXn{NSiB?3Ap4diFviEn;d}w@=#PQdVM-Ld?SE1*V6K{B
zz>=LCJFsRAs0KZrcMx>|z53}BVOS-SU$X`FX@_f(&T&)rDYHush8z4~l^H-1fy{VZ
z%ewp|arkkwyQhbwiTAc`to7t-vH&yCl6=HE;9b^GEAp8vIoKm>lrHEZD1Dp9kIAH-
ziflk@HN_E8?3KDC^ldXWLZZy-bt%!rkmsaZ>+E`%Yx`4vZsBnW<g<kWmMK}W@Jg^~
zo6J8f3$EK1&_)sCvfmy4joZN!bsa^1_h`V_sHiYncx0Me%gF1`N3~tsVrsei+h5}=
zxZ;ur_*I@FH+_8Su9Sq=_(o7;DZVYV*QHZpV79Gd(gQa&MUtbJFDjcBOLLNKdhi}N
zj#2Ze29twF*$6{&f`IC6&|k=(=YFfDhS;WKg>HKGv(af^O4s*c36;#6x_}j=0bT|$
zqk+IO5DK{G=<40h|G>lBhJ=K)0o~;Y*3>UMbRYl)fd;c>&zd3!4(aipKu=&Av!?G@
z@gBy=bWzouX?n_ORG&C(!m2oSnp8EVl)Bl;ETccgxSp#ymah9fP`+aLxT__~G8-Ny
z){q6m1JKbL`PlC!1vQT+a};7HZ_>7Hqg7K&v*4UBC(qMn*H}Xl;(n^wlBjSdNdt1h
zf)HvrW~+NNVfb)#V@37b=Jq=wj)^3QDb4J8sWjJ5I|tExL($tBZPm_s3i13%(0!Ru
zwqk=x_PZL0Gyv!%&dnVT{d_iS+Dnwv?IDX}(oq)y*6&%fiCe3~25@aRE3oRWrhruD
zu|lA0mz+|hES;Zq>ylHam69ZW<BD{RVQH(DFdGoEL>!t6LW!~Zw_l0)ww=rS&z8qn
zz>O(q_CI+S*iZK6Wtns0&DvoDL?xENM$MyRYIRzfwt(E)-fiK|z7`-aaRZ2A(Cqoq
zp5oH8mkbZP!$~S}1^5%2fqw&U4P&@3JpJrJ@<op7^j5NYb(N_!B6H2v^$Dq<<F`0%
z?17XBp*#A5>o2DrM}J>{qA*VV%5`+HQG&nmt!%A~qJ9E<W@aqI`qxRJk(z#s3LYM8
zy-Cc#4^g)g(`K3jcosZ-V)3Oegzt$2DGjR_scHL@QButtvG&{gYUqLN2TSoODQ2Vv
z%-}0b((^k}%srl>e<tlyZtc7CZ+CmUZJymio|!0D10#UG?y%iu+i8dM_`N18&u``L
zmVpEIKR3-Y-|h~!?bM-;8a+*p71&`GIm_cs4MmG#Q{yaIoR}PU9DDyg8C=;A;Kpqa
z@V*FFYw0X-TmY`fM2b@&MW9e(5t8K7G<K`Q`EYy=-=RyHn1EmqXy#2qtcN1v*ICYy
zNiIJ)53uxjqw%zuTUZbi5fLc}0F27X*_q7VB^gQ-evc(X!swWcmSFFiN!%bz;XWQ&
z0*G#WK8dU|iQ<b!<Pa+tkrOb((^jrb$`(nVsivIn3D(~7xqX_GQqo?wA?#Z!<@kh?
z4F8iW^{_9h$>|;gFNX3-UxKJ=YH>XOQYOac^cWqVOR4q*)mwel+|BGS&B=c_ZqxsP
zWZ-ouB6O&ie)}=p_rP=4ircEjqP2NnDn|A_KbO7AHb}8bEjkd<fypae4+A7+bq4x8
z)zau+V1$u!jwRXtuVE-698`{FLSU^?`5hbgfjiUXcN-gg!?|zIfBOQ-2aqc(>UnVy
zLxEU!+tmiBi8N*nSs9r%@%&j(0NnI*b7qM=gKis38xVrg<8^nG0oDRd<Ou>CLzL2q
zw_sIJbufLMpvSL;%AZd?Pl9r-*pkYos4>=r5y9%(`g>YR-_w7G4&&rlUJevIXP7oq
za4YT9Wks->dOUhUhkh+|TR?41Z^T8EmSib<bnK_Mp=Yn$ELTq@KmnsgLO(p@S&gdY
zmSQlMlEpF|?S??m+kDsL5Kc-YbhL<$&pC|;K9rIiC5KP<FXtS-^DaI+fzW+8E-<9_
z;B`Ua!~dZcT6*M35&gEtPzG&&TM!<;4~Y&;I*Aq;u`o^yHM=RooHrAxm`Z*%Q4|q|
zjjSB4R-<Ely^qMG0j#-!<cP39FlxGn@lS@ik&oWenYdh`=82V#%44YE6KR-)^y%>B
zznh&mYc{n;4`)lHlF9(mnI8V<KX(+_k0mt?sM@wYIN)_OdFgu`L|2Swn4nFhsD^UH
z4d5DHSr0XeCg5=l_}s(p<(Y|@Nl-$p_9t09bIwQwR<s;yS#!QEw1BCC!ZsGp@-u9c
z;CqfvFGCvD*|}3+VZbVLv~#$ZS#tAl#nX~!)5L(imx`Wo^*SMZN4l{dpfsLWx0lO@
zpcLA>ICAW^*?(rs;Q|}FbX*&|)aZm8EmZq79+)yK2bwKL-i=MI9yD2pHcWyNhS@f<
z-*u3dFRL~~!-2aN)<#{+#a!>p%X}@9UbYRZyoy%$$G<upBG?5tjkE<?hZ$pYn6Eqq
z|HTYiX`3d7g1J6gTVBm6snz7sC_WFG4y1Gc{QU7Z-1Av+Dr^t-Ca%I9A;;m}ek7I<
za25zKGdqYS7D<8JL20sy$%QoIvq0I??BeB+t2qRq5Cq%re?0(m8DA8NF>8Ph2om%*
zX3NzIkek*3yvn1H&BJPfys~p}CofS5?8=dnckBcobs>0Jo%MNqK~;Yay0{v(3NGZr
zN;^Hk1%3NBL;KNPuAQBxjO&qy)V%cVTg;S2f62;lQ3&#4Gw@zS-rr`$Xq#o|$hi5e
zB$x=Q>YR!;_&}y7KTk|Lelr`gDn=_jgb)wB`CUM_Y2R84dF>5^m*hyJ`ch3=r;1V#
z98#8ZZ#j!EC4FAjm}#i1nWtlVdCS9XMc{1xsD(1<FcZr8{svCf>{E>el)89q0`t%@
zjbjH3nd@qv)I3ZX4xuCO(vAp_`<{nWR5!q&2Oo0QkGz_w9Cl3F=BB0{)5>&xUEK|4
z>F@Xf;GkvD4)9UTX#>(>ALiziqhn)#5v~9pPt?W5#nJ3LG>`#?7*Dt*5OonLK~@j+
zmyw~7iLzrX7=I^7P#=euTK_su%w|aYaiWRyOZC?x#qV<QctApwP~Dn4yo7~B8*wvX
z0&xDvoU1pFUFTyhZ5{2(%A?|v&g|5pB%y}E_@tEIt~vXgjMVp(@C_?FFv<*A7-mEE
zGF;Sd<1WCGrsXCnrC{E1nQ4OfemKXot!1!1`!>lwGYQ98JykGzN+dh9_q_V~Z+TnO
zdnT<%Nk=_Cjn59%SnqhHsans}g10V@>Kxt6sxcy72`cm}qN&BG%I#V(sLKyxBvVzh
z8X>AezD{eES_nVF+H*e#{q49{DE<0nuUCn4AG>kxE8t6s04(2zK*mKx(jIS+L=#LO
z+_0u2kbd3|uuq}>O@b2O0hF?-JFnZHLMG8>aHKVuV!Cv}E5Hvw56_A3Mg7R2?UbwU
zzkpya4g&k#P~}czD}{*Z>iG}x9L*M<D2CJn4hz!^QtAmSBuEoVJ3SL0aU)+>U?=#s
z>3v?EoS2w+j#ziSBch`$Zx*_4s~~i0!X`~K=^-6x_|sv1sRa03QC|uQOy4%hkIJ>0
z@HN>;Kz2?^92TEG-jb=T8v36XcMB56*591qh>$W3dO;AFKuQ~%SE|t(bkLmZaM#vu
zTx<BZ-**7CY=<t>MAPaX4|W;95W`wWSDTmb67CG_90ioBPV1M>n0_PvCwP$sC~s&t
zj%MpJIu)hwc_O^xqWoCP*V85HADwAu58ou#@!%?vhtWelxSr-p<g@C$?#z`{RL~vy
za;haTK#mZohb+TXHNffVWN<JThkzg$2vzw~QBwoNuj7$*M2Ck4qX7L`DQ#`-dxMYL
zH0%oy3eCyg$crtO)zlu8*WVU<%pIfT)FR~uF?Fm)iBlpUscn&2b{>K)Qb@^TJP+pB
zYQ4_X@Up=}XT;vSX`jn>UfRk?_@vrI1#c3zNcc@#R|aDOp83KQ42$uvXJ3>!nGtD`
z?wZ&SA}8ZBcH^<9W)vzj)9O3gX5H+>mYgv|G|7zqF<@yeyTz7IXR=96nzKt&g?xv<
z`~F9D`tEJ%KfqwCcC%+^g1e@2lxb8pWhQOa!;~SKd)umC{+yncebY(ZLCzR5DPnfB
zl$>6iuaKu5MTF+}-0Yjtf?bCWAGyjmii*9QDZ61=2QE==&#OMe>#(`DEtUmqLyJZT
zXr#Q3jx``nNFU&Rk2l06=y{Jb0LVuiXk9NC1JyE<Y4j#jFbv9^`LO1KNt|FwH-IDX
zxL>S534*?0!-OmaY61gK>7Dg|0VUODW3SGlYSHh*CW>aO2&#c-)wJTe%606&_%K9A
zx+g9yE=~c6BCsaW4qFXZg1y2@s`_W;W8Ye37o0R0urkJF1sfd5#-E7)F4!TZEiMZy
zsND%9N4K12bm0RhlZ^|E_7*z&{aZ{)`bIXwWvoMf2U!;#Y|wACnA2oq?p2BmEsjkV
zFyI@#|EP|ZsdMwfD7b5nZ29a^*15OQTx|~7L098B?Y||^21wuH>1-Nh%$mCOa(Ve8
z4*T|z@}=ix9vo1S1T1VYPz{?=LZuMC**3ff2@x^o`;Ye3mjDUBW~wP!hQi_}US}TL
zKU#-89c;o32f-QbOpv2vhqmV3{6y8vkO+7J<g>VT0h7-QfLE-N2cJ+C2n?@0NMIy^
zF+g17nN$g5Md1Q*CuanxJzE=lKBsZDggS4{>&&lN7#b~RPd!3TuZ&0(I;@G5p@*`!
zIR@=^AD@{p5}lbkRQjw(eU}Am58N9E{`<|x{@R+eswqb;HU9zi=kcW-4EKjR$60pj
zl0K(X?#;E^R^xJ4d0EREBpF)!jolbPWxX1;Z~(~QehejtZVw6!xKENjm~fTDeM*kD
zrX2HE50YPhD>H(Vj_$IoFDz7LWSl;BZDc3QSww2x7OgTChuDu<t65S}{v}h!^!Kin
zR897>9Q(aN``|;zW~3kSvoHqMa|6xxkF++ae|%xJY)}n6gMq1N#oc586-&9*_2V#>
zzQ+$puXZNi?fk7{YVbALyeRHmLKw(vz%!>L0012NQ9})=B8@1<)eO?}4jl3exxSBD
zO)V|@_c0DQA~XeG@G_--O^#bu=(f0iaCRblYq<>pVRFL!r{adKw3+~&ebK)=JCN{g
zU}sd*R*|D*3KN|vF(oa{WD?)T>%1FXcwDAc*!MUME0y{@CYLR3L9TT}$*e)s^j+A0
z8|QQXykg8=<G`ktA!Nz<LwiRe$yEd?ECOrMloo_BuoFJ)npSao7zzX;CLN?mNB}KJ
z=>)^(@%Z9ZBcJFYHy{{?QZ7;gK!Zp#9J!_#N!j(pG;%}d#h`qH_`JWkCS#6`&Ljx`
zaeTdDQOhe8CeeRZNrDOERMyJ?uzhb2x2Km}gb?&x*q_V)4O#+hE5Ja{n;3ho)Z7#<
zyS2eq`%Spo<<|^85FqcuK$1^QW1L53UtCl@#`;xMD=2nYVS}pFLx8hg`F@Y3BtQ}B
z%VY0j(-E^+5Qi2}f37y0O<)1a|GW4=ph(AvyOx$yre12P1{OyK1qOCW!%tm)LcTTh
zRTo3m@u?OWV3|v|e;q76m^S2+uG7L?v7>Tck)Jf;W(D>Gu1fGmX>gN9@;$;BD<G^N
z9;hic>sr94lMjZGB0yOo`8Co*eRW`Dft1bWK(IBjP1}20AplF+MSuPcF(IQL5Cu+K
z6*f4wEA6f4{&6wX3O`aGSO5LvX|dmooXX;MIc@ww(gaCNNR)x&(y5~UGN4}in~Ww$
z$|@Jek$0+!WF|$Bhd|EeDto0AUqAqw7aMV<4`+Wj{12A^Uc=#05d-6>BBy-op=bi-
z!Ew8$omq!#fg44S*Vo$QGgVE$8u+mWlOO7gXiIfoUpv!b22YR9=>RB~>cMLoEO#5w
zVZTUzv8KmJ#+IM<{>2CvIpjtlz}E*fJTeUG8#JAZHBXc_cly@x*ZmIeC|hj!J}1@p
zg%%X`xOuR%JsfMYqTtw>?5rQM=q4_%i&m46q$6PL)6}M~SLlDBqn=$N6R;t$j<oqC
z1jM+2sj)X%s@ehc#P2Qw3pe#p@ywc5a#k^^4n4q#qx3UB{NwjI<A$*@1M^4*#^#&F
z+*=@zK5!)yXodKH)D!ua5;5|gg9xhi=sI3pF%Bons#*F|$a2*1MPa~dnW^;s8kL(`
z;_k9)E0YnJ%8Km-y38y_RD2=wKO={mW;lYTEk4{zPB*Th3m>90bRU!NWnW%Gi`VFo
zSM5ryLQru}-G}Vi8Ht`GS=jJ+tIl<Ef_}jx+m<r?Vkz)_4<!F`9P;c{1Mmm@Sxjv?
zRlzE5W}(Tc)_-#SpWFEOu#^D+?Vv78L?XA+ZC}^WktZ12z-H%ee8Fm}0!_v#y#&Fs
zALXk`Wh8J=#3h1lzLTStOr7aL>X@EeWTX1Hmg!E&IxMPWVm8_hm)YN+8%)i)?A`FN
z+$o()Cwi``-8}xSxa{`p`Wbvgp2{V#g1<t}S(T1ndcgH103#!xWZ9}gGg-3GB!BS4
z^P<dt@}^af!4LwZw%`BD&p?kXKP?TbU6wlRuoT`tVAH(7tC+}2-wJQtzb)=+Wg+H*
z0b15&okgYMy3r0+ZDj6+^yaZdy{e}wTwOQuGjO=Cy^x@fm}7Rnys-MKxOzwM8XP)M
zNaNz$3E$5L03NOX6jmJ%H=v<4T?o~@nz)Qju6KMU>%h@-`=?}@cw~Qg<=E(5NEjAo
zj}(T3pMW-sucPp}eH9J!pu>_6T11%w<FIowl8g}-4^~QSS0blEe?=&p*O34HFeGBj
z&p!yIprMMVdiInfH!Yx(f^~e#z2SLD>j1DH33qLPrlE>`E=*f#bG5GIVFGvOSh(!2
zP{apFo%TE6)b$cXF9<Td#pE6Xkm7JHt+N;qOxq|YYdJ{SebHv8-8x~H`s#;`_CqxA
zgBjT0hNhYs*f*!Ygo%@g_@Bn?`)sZM@$%rXc6I!Cwsij70O22lM58An=M(pCt1eD)
zWto}f^Eq1Gw6hjX6U&-L?V#ogehGa_&{T1q^5vd8b$;t}PjvI>svhtm%eP(v*b6U!
zFY4-x3Ey$n21p(iCVB<*EO%GS&Zh^Kv;~A^3UOv3`hQfxA~aP6HAdgM8r#(X#D4X^
zTkATr`gMp0x_~uymzB^hhVG3tb{-rGlakom^0-4-{uqZ4J}Pa?660$uVx*f!itKU?
ztr>V;egeyd`jF?%)bMaCSBu{^vFbTm#LUdiKi!mQw2Ci!iU{eZ#q{|)wFv)wr!&Xz
zt*FD~sUpT@<}b{Xnp{08Fk&Q@LWB9B?XiKhx&a!d@D)RgxLP5s<wzHo>>;aib@!f2
zbSg<Pdj&Wh4&krH(f=C#%g{Fk{Z^{j+I7`w*g7qVvQfYj%0gd;QE!eqsUcBMhTSj$
z-Sa$}EvU4sk(KzXPittbKEzLmVoA6P8F|NImeJdGuo#!X{Diud2S0BAzs26&&iZ_v
z@2T4A>U;T44jAa@tUMP~H*4!tdbPcqZ^-XKyEzeq$2LSaE*kK0BWgzV+MO3%K8gUf
z;YNm4x1?@1@9J3<APrUMRs0L1Q%_5X59^5BWX^j4#RV!P3S^t~%mo3Pf()RyyjA7i
zqUz={S{)-)Im~T2nN$F=VUnhw__Z4XY=6o_2Ot7)a7-Ne7%5~Sr8`)7dF0tq;3|23
z*naD3Ek;EDNN@XC^Rivt6OeJ!5=u2j1y|w>bd<=eR2;cMr|a^I-H-#oZ8kV(jG~p*
zQo24HzA#}F^mPvpT!*fO$q<s8m|BL!G^TMg^-3{_AW^^`Isd(SuiNfYy!NB~lvsO>
zis@h5VlHJJSim;%4pwC`yPzQZ>;kcYnYwZ6JQ=q<H|q~JhGt-4JM34Ii;fM6v+79S
zcj|=cb005c;dy$zmnVP;Md!7$w~<sY5zmC3O`!OawjdLAeEcot@YHw`pVjYGOwixo
zKNkf&+67F~JUyE?r=7J-Wi97J1UzR`$Z2O3^wCrgHI2c})LRu^qp2nLcM&-XUrg>c
zKgJty&74}E|6ye-88D_&P0dhJE+APNGUW1o;XLE}s@Q9AA-FQ)|K3TSxmi+oURxc%
ztf$A+u2NleN<gS5G>Rtforwr=VbMabujEflgv9=<JGqLy6Ek*C1tnIY3=>na7_EQi
z2(=S-19_R3BTl)zGBF~6LrSV@nwb^}PV3`+SS)INdU~OA=T4vdnc-KH(BA5S)@9;w
zUJS`hjr1!vdJCHb#c`i3$hJvW{>t*nWOb&QuM9PJKvUlO%Kq|bvs>uw?;SbX!l<>H
z2nX&*&dWt<NVOOY4lthxSBVoM&=CCVdDwrZBd4+&VnRK1%?6UN8eKiPC~KF|9BU}-
zfEtM1GLe~p*dupLJzqS4iEmO31%lO!L*Sg*%rqGxhaD9}*b!nqb+PSogn-s@RK1f9
zzlN#w#&fac?f7BHcm3ET98{nVrCu9ONHGGm`TnCzLX(+~-O-@1*chRa=i}BHm5(lc
zPa2G$tG2Ph1G}YaNn?*$*nGXmGOVQxRa2SnJVuRlZSL|~kyGX`HS9wdTTR`spM!gg
zM2aUaC+<#igXqHmI@bM!5EK0R+vtIRSx-eD@T!?JP@1>W(lFnAlY}atN3=P<2?~3C
z5QKga>-B8uPux>#TQ}pfFmEesV}ZgnD_4y_4_=}R3Wr49J@8R=B>e^>;wW0*7TOb-
zXL*&0(yv5dHdGEA03#B~xEagFzL=nK<m6d{Lk#edDF;T7d=(%ikquxE$?wt(q;^X*
zK3NdC2pR%Mi95%^MZEc|FTAz7QIa8-*i^?Q`?lH2oC2&m6tWi(c|^E~Cbj}UBiWF{
z1ME8aM*JQ+#p4KsxNh;MhmN%oB80B^{Q=a!PMgu5>_u6$<t69yh8x}vc*Bo5YfG)Z
zXs?Z+f8Jyb@Vj4K`Ih;UxQZ+suZfn}0FD$Axp`iQzCVqyR=HCc8U3b-j9R#<%o}ba
zdttqGJrxaQBq>wFawSHN(O!kdjy#sOn{z2Vn%oS-)NTE|tyKWYV`f?;OKw6(mcT<H
z4H64OAxIoF<WfA#G55UK`5BA?86{bg&45oqCAt9RsuuwNBGSBhO2T6c85PoRPYK8@
zD&35vRJ9u1ZGiBX-{T}fj03kPv7Syt=ePg>1~R;>w8_8B-&b%7DsWFOeu2Pf=;T6-
zV1TaO>HA?LG&cbc+b#U`L){JU_T~NO?|!XDb3{-PC0aeS?CpK;%j;*)qVo3xp;{U2
zV{l&xu*>JP^Y!i3MQ;a_s4G25BPX?-fmV1#TjHY;k~GZDRD+hP>$%RJ4o^vWvyv&}
zjGVk6crbZRmZKP8^xl`|zgw_d^M9ir5C<nYQ;2li8~Tz{PEBEB5{7Ke%^SftK|Hw_
z_*CGgu!gpYY@^ncD-0JVMieGV3oK(hjYf`;;;<40c*tLYkN`Z)SEPs2L<s<eE%^DS
z3YZb7ON+I~OcNcwQGauzN;>$1ym%En=WWA>I02TC_c6)>`8{{Qjr=pWU-H|6(5KJa
zX9Vo-uU|yT$rvLzCeUAp(Mx`9efD;<$5h|(UA?)adbGd(p74>@w=a-LC{PC)lw*K1
zq2;_oVIxm8ipp-5Vki&7v_w9EON2G(6l5nni7<=Iu0ny{+PpwDZM@QO$Qa38ohlKL
z_$~6aM|W$YlljVTIs-YGpg(qh5Un}>3b_qM_)PGM_w&hXy3x$t)joQZIF{+%{D}qT
zH))FP-?FHXfwMr{nmtwPKk;_(3*8<%@BA%s^-7-kri=_l<6pm0rxHq&2_ic6o+%gO
z|Edl|0heKggn&C+!zk=*;g;cV<)nGKwC@9D_j(x5d+k>n3Gt^@^R`UOH-1UgG9elg
zm4}6^md0ILMn#P>3=d|3`=>4ulZe?*jsqfxgc(ff0|yy6nFZFqLGFWVr9woNN8%7o
z+{&h<RYgJ2^4$J~^w~WWJvRPClO6Q^*NALSf&ABo8k%@T#D{A{y04bxB_9K8!kC3!
zBiMN<`0)>m1UXUJ9|oS=Y0pRgPw&SoZ)OI64H#uT_<|O5hL*~Ubq`@sUY(V-e|vY-
zkA30KFdy;iv1_-lEft*b3faGC->ySG21d4XpF4ld;fcd+loxZa8o%~&>PcVTT%AM+
zHh+G!IQX7Ex!c;<zybk6FWXk6keXc3Bj#e<1UNaP4ZHPKdNkH$+RdKzwwWzc6cJ=(
zW65FQbTx6$-+U*-!2NIqDuPv0$kg&hXr(%g;0GLot=P(}xDMd)iqdQZ3}y)in!rpX
zFf-U{HGUJNi18c*{+;%2cQGOK#DG&J`<5!?*F>}rE@K8!Vh$Hy_9QO8ft+kilY;1Z
zM<DVw0|de*m6i}yy}Y@15k7mpvUvSI<IH4ji^xlESxr~~h*1Gnct!(de*0TFTMi#1
zwSSSCTZ88w{N@RVjdq;Z{0?Jw*_peA?vYosor=CUZ~kc2A+gm^#*7>w^;+)luKqk7
z8|lpTGgP!;K~tZbl55d>ZmZVRTgrr5&88Yx3(~^cj~$RMwvKcyF=srsE+|?3#%*hQ
z5<4r89}GHp_%^zqpGT+quM2L_L_fRiDM>^`D%g-}0wW9@t~$!ws5svLaK&$)91hGd
zol9;C1Iz@ndW!VAj2?B%Rsp@15Lep&^Q-S?u>;8~L~!u%pA|%SJ)5u-pv_X}`}$Zw
z;q`HI|19&Xe(Uowrgj@0ct{2sB7tZK{4HGHVj}vsBm}N|{Xez_g^Bq&p9Gl(6YX4<
z-8-RhN(R!{6t?r1M?Q=_1)d&5J{EI@A3T>+Yo^m*tnd>3_|hJ*#n2IGP!MQN)?9{g
zpx1Ykc?sIu&fMX^=tbpRhb|>ys@qC}jpJ#0@K!%nsmiSQ>arIMX;ngEE>U5=V30rt
zp@2>g=|1P8AR5EA30~Z{MIL8!vghlMu2zKPsFDIb1?-jSo@N+Tu}dscpWK_md=tWt
zxqrDo?D}B$DoP1%-Y7M&wjrC$WlY#asZA-sg8hZ5QtL5!<-tLh$~Q%ln>pI<nC(44
ziRKFZSwX#%c4O_<`0m#4d03;63QNNVB?;Vl482zs47f-+(NtKaNZ|+Q6(^pedCYIc
zl_IpE)3G%Fey|yKv27dr)gK5vy@l*z>*K!t+4=T?IlXKjf~ZxAoT^X?W^(cGy?^44
z*3Q$N$s>;w7iLki`^1~OQ-amn9$}tP2cM622$?T-UzP4pk(tvb=cav6ogON;QKo=!
ztELbyM<Q=ya`_*t4n5-9C;CXa*=nq|rNI{5gQzdj3Z|lJG)){KB<jcSB)LhfNGj}5
z=bbYTk3F};CkApesoTygYed!(e{KiV=rF^F&UlZF8B(~IViij~I0t=iJiCeYuIdn@
zQ6V7!3_mBli7V`peYlnJn2vVXFu`T_3zmID9axoavI|m+J>P<O;p*}TRYTIgidXJ3
z`AE0E^rJV0Ybj^e8-=JW^Rl6RK4j`tUSlEBSpiWSSGchj0+XIX*5^I5g}(28^-b^i
z@s$36_A7+@n6`i4;i1{+kuw=Vq+BVR`PIdSb6CO7pH$OuT?Y(AQjl7HSv6(Vz3Y<4
zP{G!Frg_M%moEm&JdVrZr8(R>vo0H0EP1q?`c-Z^Q`e@Ckr9Q#Y*Omf&$%*<RGJ<W
z#<rByGlC=R2^MaHFSQy!hb2IG_~6&O7|5HBgFe(H%~zjoR|d$vtS<(fF)=6SMUkOZ
zX#;9B7$gL-MQpssgQJ>!7c3UCKC<Z*8bIIMraMHOsHvKtNS+Jo3i(UXX2zj*`S(U_
zKrN4L?5W+hZ>iIZGOL%Vw?#xiFw@7)9cM&9Dy8jjQ%H^2yZLrv?snIP`o}UqZ{T|g
z+#S3b%s)&^2Y7LwljqSsJW`O1SrD<G3(xDuo$u%I=03ZBEiS`lRpFSesUTsUaXn1E
zrmyJ2?n?2*L`nX+2RAoVvY|-3JvJ06NSX||O$-mNL)=Xi;<=piokJ`aRs(2IBfID7
zoA$+ZdiBo1R`u3grBAW)hp`00oSWRenxQg7-$;TF43&mp3eVvfsw2}`!CD54jOr2C
z?<heam>1yUqC|Mgz)6V-?I+s<LR2$8?`L<eKVLuEdkJx8e7~}5dUap&Hf#~`<j#mw
z;4QTWERdrg%2BDDL@d9O)$?5;Iw_)vp<L6KH5N{{+Q}M!on;o*Uy#dWKC=R;?wwyh
zUaG^dH;Wl%cBz-I7LxBjlLv{*ULnLW@~3@GMIELgnMjsN-qGR3-nHHzGad`bXeVP}
zQX|1o&8y~xbW2FlZHYrS9NC=}PHxHd>A5;kM0)UNPnk2QUCMS_^^2++31h;56Dc2r
zQDc^$R%McxFU=AYrJO@~n&77M$w5JQa1)weAdGYO7$&-ZJ@ApAP^ZJR!Gpv(m)^0*
zHtHN!LyvZ9{LX${dOYrc6vs%+`|%<7d6;l0Bj36=R1ioBs}d(OC$mYdtwy^4!z}c8
zQWrIqO^pQsx(x-`Wcow@us}kbef>KlB-d=-f3v_|d?m2{`g>+8<DWWRp<dJF!+Kj_
z)iQML5(f<ioB&#RR!-*FhwTqC6$q5g2+zK&yRGySTrqk=?<~9^*QaTKkTyNZo1wm>
z*N9HEzs<H|-^6Uufj$OB!`9$e#WQEVvo{vE#{J6la`LqGGPUFgf(}b#oG>Sflc6;M
zH;T3&%>n*q))n7%GjOPwPEPKaG;JY|6*WMj8~N<43kA_fMD3(@>D7)_?~u8hi{tYG
zdFC^2tEbq16nhGa)KCw)2Byj-a;U&Cd&wMo+=9BKfgFe=qeXpM4jUj6vsXGmC`@_e
z#9uEw`}5cHHMQo2ngV>CVI54q6`Mu$k9KU{R?Y86)PAQnt4xNhiF04^!uDK!BI(b!
zi|3G!);LA^nMus*?^?(Q@Ev8Uj10ixoK3VhJ}xemH-i3*3{s@nx?ijUJi``|O$(7@
z^UHuM@G2OZ_&_GcfL(i;#Z%ncP@iaX1?A6~-DUXmdmNQABm4On(mV+q7j*pk2}x|D
z8ZZH^^wWu=%3Zjr_n}t!X)v`E`L7-PKi_f0Ckfjy@%+4-!cy~FpqAnF`MbC0VR1B0
zUCGH0U-w9dqh6_gZ%z<P|EU}|B2JD|*ijPf;G(GUmY-_ss7O=xh1^IHSl8hkEThWY
zl#!)iNM%?TIq*~G)mUoe+~K}pScbo9&;h%eT5)d2Z$n8M`J2c3vD->v{O6laYV!|^
zcH@|JE{{qBU8C2-GCD~diMCSu$CMetx%W~<fsXddZb~s2t(=n3a@Q1Ogkt(DqFg?=
z`^8Ck*^F`gj%jSduZ}HJkEc0ww!{_zukUO|NNJ|9Lxrf#3s*_Pl@<5MS6c~H{`dJY
z&f;VN0(2oS>BvIqdG5tn_fi)b5vSn(m!qS76AsZoEKC`mu8`0v*WEd%+$8;>Vh8%&
zgA<rDj)Af;n^9v@N{cK8sBPtF+w=dd%RK!2$<-ve*y+yUZhILkyr+B`q@S{=K{uQT
zDyj|9D)oq@e>umKOC4%sKtH>gwe+yKX#Lwx|Gcu?)6{ubzI~?N$vxs&u!Wp(E#tSk
zv@`HvPe2Odm_obC$!7X|Rb=XUekXqNx1lZUwZ@5^-Xub(seAtdK7ttZf3-GKoVn||
zkzGO^H4YpNcUK*r38YYM^qThXabIAGbT|wDyS|9(yJjR{q>ZGRnv_Pvx=Pp)xcsw@
zw25sh8V$oL+6Q@~xp24A;A3yP_j8lFRp6#m@v+IR=__WgqJB!`myul-P8~;mfgfJC
z27Zno#50eKA9nes3RTA&-!xWg(5FSR^vbe(1QLZhlgmRXB6ZLo{IpU>5o`GeVFD|Z
z784O<H?z(QpSBmA4SaMCSZmXSc9bp4wAtBV0>{$Z3V;9eXs9C%j%QF=x+<LFZyoOa
zUjV8MRr9>}-sZplqu<~4XJ7e)U7y{%r=@N~YgAGcvMM#GSEj>@cTP-IpMAdX<sTm!
z{Px&H@kPem0Kq3g-6i<d7?uM7U}baW$rlfg3{TAzzI35~=}$iQMEACi_9#_kvI>U@
z!0(g6w;@Vfn?p^HKfI~2?^5dE<<ZQazkhb_r3(W~Z`Eqfpl&#eR3h9o-Qo2&5=Eh4
z+l+Ws+UWC1J$LVHd~EMM&7bS(iZ|@q-slhb6(mWko5X8c3?`@Y&Y{<b29BPZe&*8P
z@((zNf)GNO?%a(}K11#j{AQ>sB|Z<?xpz;?*MH}+t}pDrueH7*5m@!UUspS{rqX3+
za=K7`>*(b9iK$%g+(P;AQo44LF`*k4yDf*?-YLNYk4hy%khiJ9x4XG1_}d+A(VY(;
z*sy!!hPpsgLxB2x@~R&g&IP2>6@KFMO!n}bqdz@$cJ6zc!7k~#<Eoi!v8|#7XE@9-
zoW6HY%>LEnbpF+oXJ)_o#m{fuv$Z?n3kB6xOHxM&AmEoF;E&OcwrF_&eQgg<%@+2b
zySVt}nYqGzU;ole{ezifrp>1{%}&cQv2B}!J9y?}T}+@9gJUz<=aUkY;?^Bo<NJ5-
zX#B#4wn)qFUCCHWGDH=HBIzcSSY0Vx7lXs;+D{G*o;i16;eX99){d4cW(@$`m*@)H
zO+i$vR&`{&_*yDm>l+wKfAPu3y1sgFZ(H}aEeTncDXeBaHKiE*ei?1sl90D{$D8s6
zy>W4=ylZy8q#Zv!+dDFr>CYF9bBn3UNz)RGmgP9sN{-WdKOjh!FqUOPRRuRUH3lDu
zhSj^bb|rS+e{b`ymSo7AYz#_~u;-?=H4*~AvK;6iN?XTH&J4eLWaOWxW=lUQSL_sH
zZn)DGwp##WToj7tqNe5k@A%Z|H+uUPzW%^{txrGpNN0OXQ;;gk>Mk!rE0#yB&WmDo
zUU|#rdimhK_Ro~c#>3|?rAp(I*~~(!GBGxhJ2EtyJHt6FRcdCQF;O7|bGF9&4HANZ
zF^(}t0iRcj5{w#py6W!j+7x@dsWG^*Yf~(K*N(<eFrXk+q3C8zxw;n9bYO0w<oxWN
z@#*8IXJ0ybX8wDo$tKO)^h&`MwsnSSG261($k9`Ce{*>x^WxD{Gk^SrCwsoIdskDW
zwIxiYo762rk_bo=LBW7Rl8wPA<C~*P=}K2BUHMG0s5`^sx!H3U7f&xPmL_zQO&5yV
z<wDV#R1~RZTaM5S=T5fjkXNNxk|{Dx+ZPSX9pSLI$D@+=WMgRK?ww70x;kU6k&sFn
z5<#^g;l~6cxD^d2ZHL3`T+!*hxR8J8@X$*m<Jo7Ib4IVG+m?HC;0oLA<(mRPO|z|<
zW}i%Dw1J_K<sTl{+xlmFcDEdS<iLhRyxx!Hn`jZ>D~Glv8A2_|kjl7#y?a`F{_yv9
zbXO{-7#_=3N5->D*<7_$C>rybZ0-E?Z1F-WU7Jv3S~V@E>xOLz0R{lvZWq@CAy7T4
zq$)D;m=^OlHF!6+wS@1A$9#83!k%QT&KK(16l>`2jQIlr1t~JYUat(~7Ix0HYzFB}
zmA`XrYU#}RxuZu<&Hhs+t6i`xUUpB=4gSixORze~1S3ho-sZ-@L)~5VU;6wL-H&eX
zNrYRHAu3C^Hhu8Q2sq$Efa7pTXR3TDQ?<(#!>HCQv5=}{X6H*|lhgUJbfz-zFkWB`
z3WjMfSF2V|H(1_bqD%<3ys9KH!QeO?blnp6FX<NiwXb~*Hg4Sb2mrvu#KharJoC&)
ztxbx-<B<`i2sjg<88%{!%aovy$3r51pHk;hrFx7-gi;($!~@BW_Go8YGSr!D48(mt
z83hBX+7S0kiMSt2SK9on{BG@Duxti%^ChQ$C|x}C+R%~V(dB=ePgUPDEv`9^dynP{
z+nu(!SB6fi3JFKU%I<^v+P<=TSMreq_qWAcn?rQ9gAAVr#yHe88w}GCj>8yZ0_E}=
zn@^Rsbf#KLXKMLUS+Cd*b8MTLrpd~N$#RD2EL)b7(+#_#>2}pHSjDoK0|2JY5PM+%
zqxS#+oH%}@S0aJ{fFjF;swxfmJW@baX+V}~R8?qPQAku(NKlf9B2hwvK~JC|?vFOa
z{h?%Iz*`sf5<-xmln_;+$mf;dc5Cr{H7GDUUviGUKa=jgu<-V=Q!~%yi{?4QU`6;~
zyr_#SY<Dn(AS6lHn{4py-qca|$B*pqc<6!q+gh8Of;8Y)ZtLMmTnG?c02kLBM*+w%
z9Z@V9qFga~t!8n<bhu?R+p?L%9M1Ta!N8mgBm_t+Vh=XPNB{uB2q8i+k!2#u5|LDe
zBA-vj!GMCpAr+|#MSwtDohpnG0Ky3HZM;}Q2q;%fv5=}b$KRisedqY(JL8kN=N6V~
z=WLtn?tmXx*w!SJA`k*RbrE$(cW3M~j~v+W2V1)8H{89W$rlQ$=vKC+cKP%;4u?wB
z6c+}TY8MAm^KT!WdVX{w_eQQ@TtWzR$8q({6}EMPs!~~zaiVKe^y#imvCltpuw&=0
zZH<vwotJpMviovwa|8frng!XM#`^kG#dnWSU6`ECAG$o6J)~(YZJ6tG-heA?E>{~5
zVoD$ui+S(g+ExG1!v{7z-PsX~Z|_NXgFyumi~+fC>NasT0T|~{ty<#pNJbkR&g9-X
zHg$M-Z23qwubs3k$U2O3x0R49Y%bTl506Scij13jx?)dtb;f>Y*S5w@d+%*&tc!YS
zFreHqb1>H$j0vbzO|hJ-v6E+J(*r~4(W#lj%a;bzhpRP~GE7GUx3a?(HkV(G$0K2a
zMIc`9yE_t65ANI3`sjVTo42<%hdmqGBG*h%a@T6LEHfbl=!OGRGX-aUv846&r~2PJ
zKK=7dwt6a))y@b&C0%#io@lPHxqM1@RrV;fJ{nQB+`Y5$>Gsy}zV6QY<h^$#>*}Ij
z?D0tGR_Dg86)c;9uG=D)*ZJAL`TX$M^5XPt>G-*ei!bI1=CElx%bW|#T`5=CTyE6M
zLI|k}rG$uRb7Np{G~(I2V{60i`*t_)YHkYo;`M&HA@0MUG=tLRTFY!DNqH$#<C*2E
zJ-1k@ojy0;*FU(_n=k687E{$z98f{iY-c?VyLN@m<)%U@2Ig={QE6PFIJvnavU}H#
z#;01Ef}2}g!jbJ;62W-A4^v8zA`^tM`>Fv}`kk4U1CGr_CR^kEL+SGDTroelSRTFD
zzx2x3RN*{x#C%P+GK65;aXn2}*j#QMgdpPeO0rC$vAHR@CmQkGQy2BM?b_D3ZRgfR
zTO{HkKCet;Q7`s-CHQ4?FxQ?n1^^&H(`?A*HD0S(PNAr?3xi9u7YCLGbNSj#zG$4C
zUnrlpERoW5+hSa}4IN!!bGaQ+WCFIsF~%qy@XJYpA=%a%-m<MbzPG(4v@;s<`eSuI
ze_Kn~+uRf+vP1x3ga|=!C#IGNu~G`gxB$+Dux$qOi)A)5S2VJ@S~XwLDpRw?OM}D9
zCuZh~LyW^hrD`p3E{YzNa!t3vbuwLHbGb9$Gxd5TSqM<WLE75f6x<bwcy{=Ga&su?
z32)pGZQZmX+R)q-^ePG!62(|mB;xf-;PpswySTEP3(#~MG|dLXw3+R2Zki67Unpzi
zQ~C7dbbh{A*7LQRy;vw27v~pC=SyX0R*|t$C>fRz;DDQ!;R>6}+C)_dqLhH9+mb|4
zEEH546@@f_5aCF~+qAJgy0Il0+LEaEwS>cJP?3m`WQzS>S@rv6Dd1OdIHclWKtYsX
zaqVvU$Uh(6Wdg3%mR}f4SN?Duj>=V26iWuLR83y3T6R^l49jx3WiwPP8s+qIZEkL%
zG&C`tA1@SYDFL`(Su9;Dn<>W;*<e7i9mb(rv)o#9SJ+%!00DqR2$q6=S>^&H!?5Lm
zUy9d7J;_+q+v4-d&8kA<s!F1YO#FmkOfbfTU`bJ^q^eX=6-gl&QAME`V??<C4*&p0
zpmQ!9({woF!Z8fn)J?~<Ovh%7+njUmFwRYjRSkpX4b#a~Yvz0|ug_)k`a-p8XB0)U
z2nM@cH7&-31>jm?F0Qb-T*rQqBm#b~gb+qx+YV?t!vI3X7%2pUN-0t$ie*BOiV$Ez
z5F$jD4?gtUdjJ5AzWdr4#w?35A%p<Vm@sUITaF_P&cWau3;-}a9>Qgb0_Os%nk8(T
zgDYMxuCTe>Hry%W_gvNvZsDPei;F94E-o%EuCTedxVX5&=HlYw;tHFKi;IgZY%VS?
bYn%TM&KLwclyMvp00000NkvXXu0mjfFuyru

literal 0
HcmV?d00001

diff --git a/docs/images/favicon/favicon512.png b/docs/images/favicon/favicon512.png
new file mode 100644
index 0000000000000000000000000000000000000000..2f8c02ad4a28a9833ccf628a64f7bc00678d01e0
GIT binary patch
literal 91937
zcmXtg1yt3|^Y^6%1f-<9yGt7B?k+{?M!G`~q>)Z(1f;vWMY=<}yYpS1-}^rvg@bU}
z@9yl(d}3~>vZ53U5<U_H0zr|H7FUHppuwlmkXP{F!-d=A9rytMQBF!6^8E5AtEC_g
zd<D^7TE__jLB@Rf3k69@!v$YN_#&eqfw27=77iPMoJckr0wIOSh>NPb%^#$@YGY~P
zgsd=KkcW|ze`~oWZu)r4<dRciWt~ZlA0cVNSaH4Fv&?_B+#ZIl%t$M%7Gs#ObR0Ej
zKvprt{O#JCn8Y<<sloMV_(0I<h_4L>+JDt^3qA|Ii}a0`Z-395SFq6jBBZY&;2-dL
zC**%$h(?bIC42K~Tu{dkTEvhPZS^%T^qk+YADuB&5{&F&t*X^3gX-?`48&3djuJYi
zU2c`@4Js^*zX)U%?FNday9o1D5EOX9Wd+nMa%BwKR~ztY)p4!Z#%Db|b@IVtWcNE}
zocJjC5%4v-Dcf8{1Q<!Ml;$YGtfea81t2{B#kw$J;OAjPNc-)1AvOMkB8Z1^%`nEd
z6`p^^>G~$+L-W33STU%v&!xnTEMtUNPxG2qQ8xu**VdYD^xFnT)X*h!=&Z(aV4juf
zFUm<PpOf>(Mwgo(-F`jU(1DH048kPDmyp)xv?E{p7A8x|tr(BLo&*2UUwM_yp5O#p
z5lX3Nlj6SxNFUEaD?ssNF-9ZzcY7|LI5xayki!JOcs+UwX*;bJtKUTFpO_Av1|$FN
z`6rocgc8lbnHsaS>({G$5jX;F4`ErWwAm&YV_pFaqSSHT!~0qA*?y#}sP@FO$cs3M
zssC+1DN{c}HQX<lp6Ka~k!Su6|DsR~D=W1F>yh%hI?9khF4Vb_@@iHpcKVE5N|ex0
z8Sy@9=&b0W@(S*W<E}+{|AvOpr<&4IzGUl>{@nW&$-5QiIKEnL(_K?PMI*P)Kabb-
zZntz$qs!6J(HAl+92{!d>iyE{MKbd0ZKKiBVqwB=e%0ajSSKR7w*Nm8RN<Vmu>TTT
zv@CyhEg2d5MEX8hH_oN;9oT^oYfWDMxmb!Ols|md_AZq@17q+7gxvMKpF7D?u^k&u
z?H)sv467{eZ4}dey9L`=KUTvlIm*jp(QdG>t!dCj(wU(WlrSoUM#@k=C@`vwAs(OM
zn@6u9dilq-Yf}EC_+L=2#@R#NS<pN*OIuy;LVpzt4psI4+7MfErHRFygl#2<xh&p|
zNsQi?`i(arAjj?Y-BrsyE0;?2!c-)*du23>(%ZBBr_t1})>pm!lc}x&I@NpZ1%Cvo
zDH-q5GyEQI4??39Hac>&=$6a0dl9v8_%SprGY}-~SDvxSK8zJkJy#&9OAjH;_#L*t
z{YUlYzo6c+hn9p<h*mxLVN{8kCl(nRO6cT-37!QUMbF?k7J-!-780LkLVi-ROk7=j
z9^HqskE&kJBdNR}*DylAeWPKg_fMJ?|G2K+-9r@%4nwrXFj+qM>sJgdGk*9BTBTG|
z33vRP;BC<uSa^xE19w<|7IOC|^4LD5E<`tc#cbKf%*Ri)90mGxG=qr_*<uzngYhox
zgOy@#ZiL@84NQ;8jEDt1E;B<H=LQmjZEvOJC+&9!IlM@McArf@d=QHuaU9Eb_@M7N
z>$s6Cyxp9!_Pm3Q9&>tph7klwtnO{+E{*x$-Mc|8hoQF2JV|%+{q2RsI2=D~R?$5$
z7M#XsJ&?%HA%Sd`^Qq!s!+FH|L{S*&Ro}hK8&_|!(@Wpbl|WXokFBFbk*aikd?8E*
z3yB-PkG|5k+G)940~0(q!X7<=A!R4N5BSegW%c_6DV?k_L!YsR&6FC(71fy&<5D!7
z)(<{e{au%rR_1V>qgt$UJ3nw24{ICPWdEh%^1*mi7B)n}>1qu#GSjE<+AS%Sp-7Dh
zO#vS(_e1)Fwl@7K@0p)>i1%qDv9z-CWLu&+r!+o1j(>bRl!NDg2l<Jy5z-X{eI=Bn
zXJ_*{tSXMFC+t&>x`UJt?Xi4=s^ae5YV&V+$Gr!WKl)ysM48GU*dDhz5)!B<%i^Ql
zpE*0`_Z}4^L7Y2n-Z}kVbo&#(Kic5U0;@5uXD8b6a8*Cm|6T7=K)q-uprK*hxbJdf
zmw;Mcc;sIk+P6>{JdV}0u3$Rf>AatMP|W&1gZ^DUguEV^?KtQjQSwuR4d&BXq$BuP
zlzN&Bla?pETYa@Ht_@yH(OJ<uz6f}~qM?zmVUYc3)~3;4^5jizKe9X={;9v0ryc<Z
z(#D9`ExY1mX-rg#hJgxwoA=j)og~=Wqt>pDoa=_I$AB3-ReV@eQ>6Ji#y@ETD8h|p
zv$Nv1i>O-xGis5U?)~6dF5y8|iKWLjurH2Dq`pLo9^#AZh#Xj-_0At@Yaihkr4t~Y
zp3Z-`lf#C;E`s$NePq2Ny!bF9O7cM544XR}Y8h{^yZjR?Vjrhl+%r;xo(myr*=*?d
zf}0`o#+0uK4Y?mf`@41`Iwlp;H}HNU(SHgdj8L+tsCBJkWL*Pe3G7rv7CV}L2?|Ib
zY=1p4!*5v_!y;?CtvMV(fjglppEY;Dq{CXuc4@hJpX=SzP3d^+K^hV%yt-O(FM#5;
zpU?6`n1P7^CtIN^dt=lJmnbkRn%0NNGpLK^QATzvS($#b+EzEnVtwzU6~pIG%jd|S
zkI95<51L2T3u0G|T@b9^RnsdblE_6L8|fnd`{z)yus8D5<+FH+^5~i$fG<;Mo-<t^
zj!~B;f(wBbogc$U3c+elT=Pg6`1Gl!E=!$FYQC0Mw&`t8w>cC#x`TYGufL7w@f-Xr
zmzI@o@s4PpcwE8iJF~;l;|@90Ot1Fk_dfdPKEHXGWwD18&n3TFjMYbrexzK(P!CUa
zj73?n%}XlWbi@;Um-yifw+?GLji4@2yJ;X5yy#9MrYw$Yu3n#NwT&SbgWSY(wZrY5
zlV)jKZ_#-aBC0}6Q5F<2c^>{Bh+!y$+)K%CKdBxQ+BJK;CIQt<rNUbAT`isHdGOaZ
zT@0Qar>T2BUj_aVxUzz~e$NJd$>MwoZK0+)v*Y8r^H*0MH<f)|i3~i@m%Sq3#(sIM
zpe#+r?wB9soQg6T`!zId=oOk+7E8eCD2Z132Rx{n*Oh{}0RPp}=dRjR{Wfe^zla(<
zVP{&2wxiAd<n<-d$PX+gNo~V%f+1cY{cWxICyx4|w13L|4BCp9-KGBrUm_7UKVwwq
zm>jOpoNT_4km)0=)lOAVid)1&3bN`74WY?)Yg4xs_Wgz<UZAJe#wdDCt9j;VAo-kU
zf1<&?cfFV3n`mfsJuYVXL>H<e^*?-IwVQYQ@<~2n{e^W!Pt%(D!#7P&{DLB`USf0Q
zht#Pq%WGiW)Ute~DQ`a*mxW=mteq^oU|>wv+g+L-ZV@b=qfqVI%xA;91y#$lB7Vcv
zN_<&v$95co%yNx!n2Zr~j=g`$m!}F!LH@*^Np*p(g144j4;<T!Ae48fZhpw}Rnc%~
zokvl%xwZMA8CLq-D}WGG*pb_%YY`FhY<$v=jkJ+7&YUCHh%y;Wa~js$lJR1f5S2o(
znr1YY>2c(HKEDN*d$Df$)9J6FyQE;*%{096It-M(4XG=CBiVS_5yxw*l4Um{kZa@2
zuqnv~utr733I12lyn+lwIAY<>Kwb^Qamcc2QvI^8O#fbdufR;5o~uoX_fI1ekFo_^
zVC9^i<EgY=<!rL=sSl=xB`T3``&}sypTiZIj12zpNPM-GPWY2>VuA8gNs-5Eie8e>
zkJG7i<G2Kqe}?uXN|*5<DTS(4+gWJH37!t;wyY4Uuy?HGT2#7ROyR0z&xJIfr?Zi*
zm%I~kI${Q%u@DGheWpA>gZcsT3RYJara1c7whT_e>$8o)5`)xI(u|7<Kk(RhPj<q@
zeaHJV&3c^l-Ft9MZ5}J&#2r>V;-(17Ffs5W<l$?IxBn#)V;5>LjUr?=3SZ-Tpe_%^
z#68_zgO+4Cef%40=`snf2dI);%q`vEKg>C!h3(!x-55Ei@X$ZVczfdGc2v7>^V)9+
z{iAcnBZjGp`2sJl`x6{>z%d5qDyK5vZB5eDaxC{q7^|Z)*Fo!=g<7=7Vm*;~q7T3O
zlbFY^8dfdGO*bP)UR~eI)^*I-*@|OkIZdN~S1oTKNI3nn&zVCLzcn0&<*|z#Uu(5w
zo~u0@G{5pmZAo09;y|c#=^Xp_*yqqk^CS5?b2->Ve3Tz_|N1lArgBZE7Bd&GE>l^O
z*tZF3Mg<i!8k1fT!bn2udNim(VqNuYhf4a6HDU*?8tJon_9vV~hheGs$a{2H_e%_&
z)1TNMlnpSFD5V{Cfj-hTk4BAW;dxeNmCxlY;9S9}vuByX-MKJiT80Hq;OHCQJ)Ga=
zp(M-qo<Iq+dd!AQkR0EBWw&Yl^vVy5;$+*7>-J}70Rl%aRbi6QGxUC)+r9}|H7x0X
z8VinA^2>&WOY>3InNcm(Y)6lT5vLEbR<EFS_B=<N(2}O*6LIfk=ALhl1k8*r7tIGh
z=V%QZ{p;Bxs*{nHCvOVm0@pg%vu|8mJIU+vsjF*!XWW+tr#WM9#mRYKc#O!P|1Ku%
zo8b)ft<^jov!M^X$jGmTWZp*99wf8-5+VJz+kn#vMTd@k9mg^e&e*-xS3!THUl#RR
zM9P>^S^QeE!|Uonu<?qfcocD*<oSO6jTMh4jB4m|Q=$)9mCYXW9Bk`1;|@obY3nO$
zAw!92#)OLl)nF(=24j=QOAVx`Ods(&BbVK;L0Cw5a;9843KQfc4;hj$2vJLBYvCL>
zLa*KzMNd@8;Yp$uKg~VLg7(H@%VOI0RMD_SIigyC8@EE>r5vsjyhnXNd@VsRTcF(U
zP#hDo>pO*Wdxsa)Lfm?RUx}j;ix1AAH6p!GmF@EUJ`+KL-F260+NPn12iAv3{c9$F
z{Mi1TFWnd$V)a2~a`7_D#qm^WOyUTG??Yj<x@v4NQ<EKs!xkRsocoWAN4m#qEG9~J
za4tX3_>fSK3I#r|&(IN)OMfl7`o^FL>V>F>B%(aR9rRlWXl}n)XazV>Sb6iz->+c$
zJh2q5^cp;0+|3-<;7vAVi_Rk<MSeUQm-C1cF`O9=f2`@Hk=pY8c01IP#CrI{aI$ZH
z@W*57JC#c9t0*5HYU-HVA;IL98w|uy8THbQ&Tz!bHr~>)(Pt_X>h#r(2B|wY<lM?0
z6LbgYmuxVOmmr<;U;w2Cxo1oWC)AHOG#CmS8(0<Zqf~C{(Ipo6L3!%=g}Dp749fKK
zd6qO?l5Hvv2<E{b!yQ2@R%$h|Lt2N||Kesi56fe+-dNlkP{*BK@65m6QTZ3w>I*K}
zKNGZdXQnrpd1=JyL#$gf_{Sw2Cv@H2MYvr5aP?f4s6~tazG{}Fm*mvYcmHoq7*@vA
zCmi$No~(74@UHck-qkRXNpAD!7)03+@;|=udpC7n?ybNdSnCQ>-+F%9#>H0}2xpO&
zp96)Zw=-2|Yu8nU&8WenOEI;CHecB-jki{gKPdU^K6`YAU;EbfVnZ#~_q{cmzsu&C
zj+bySy0+!Bd<w#1t$&4!QrJC317fCKdls4@TJ?4V(%>|AIy&1pSw;bU-)iQA=Mb&H
zZwsZ|T8$~?@`cMSwQp45(?vJt;<ayRsH$jN=Fs^<7QK;%Tfg^^!V}L{bgQ)LlYkCy
z&9fP!FdGrug94%2c7{pAJ=dfq%Ap>%$(_+<TO;mx^XH6V1IN%AyNflkQ|aZp74%NA
zfKd^$V3Ct#ZD<DnOA!YV&3X~dX-4awZsEO$g4V{>`y81T=t6aTa61RV*#JmBRw?r#
zur_&yi^EV0rePZ=EblAgHZxqg#kLJ$rLJ1FaxF_38m)!^KWOwmFDy3|s#}5`sr)jc
zq03DtZ`u?!!_3N~rCMidXsPb72^!cx?m{n7ESqTGJ-0g)Xq<-+7w<5T99q0Q3J|9{
zw1)pmbi#^aXtDB3Tw7*~(_2<z(!%toJI<E-SP)P@80v{%BC9IrgfSq}b0snhcU^bL
zk!P=gYdB+kXwXXBPZAdy2i9wbb|J!?=ycVIdF6Ive=+%97R!M&Bxl6zm`BQmz{8cU
z>vv#lbLck;HnvdgqZwLFUIMuDIp1-iv~=s;>7Sec_@?pRe~aL^J%1;VfUlviLfa}3
z_)~oB;Prt<O!ilzlg78wpVR{om63~<{iy6!^+N;D$Pys1B<~}udsj$UVfr`ILiyqd
zRQEY@l{wfgxfWY-!mkgFA0CV_ZpZ`5wb+6}`cA3YGeD)pz=%~Y=Axvg{t4y%sZO36
z``!3bI5jnryaHBI3VnGsCs}F>6(6BZe<BSs+}XTZ@vnV^&sGxzOFnZWt?yeQ!_Ng{
zS{hhh&o@?uE7R##%Pg~%m8CwVj~Pa^6n!M?X=V_lui+r?d^jlMYLyliDGlac;&Hlr
zz<hKk5I#GvB2r9q?`~f~!@wex7!#Y*X0O^s7((?$E#@&a>%8D-cGq)V<zhwBraw~k
zXNACK%Gn)m*ukjUuLzs$kNvXvcWg@vT46Us#O{4v(&f4Ux0?+vQ8E>A37Q?M&%!Vf
zSD6QLM^azK6sh$%^bHOQRXe^$mVQ^e;Lz9!muZ>azu>#lin^v!vTagddJeYX!MkWe
zsQI;Nx;=mOe0%?M9S!$(MkNDYay51$!CejCJ0a57u~$K`=izh4-Jxg;{n<?6d}d7)
z*whER3o=x~mZ;?9SYh8{8PLP3mEMd!Y#PdE`eqdFz%J?eOV9CjQv8?5b2vqHw?|Q<
zsjA@A`eyD6-|0${(Nc!NNF6yXbNKPM{)82Z`peMM65>WVH=Q_7vas<C9UY`^XjLa1
zjA0MuX!(o{cShwoiayYiy0*;4rm_lhLH;E&d%2cG<)>O{p7kQl_o0@^?&ySHRq1HD
zuj|woT-CooWA8C<Zw}%9A-qZMgj-H`B_WDyzbPuvuKD+lG><NlL}&l|`1#wi*3KlE
zzRM|e{%ZO^*?0;<p2D7}cdQpt??K!a_#ApMCeL9t$rlym@;V>!Z82U_3K?dS+GF3K
zt3+yp>(jwc`^p+l77BzA?sy%0PO#=sIpDy$D%741_}BV2t^8pHJm2d-@N@jasKNAt
ztmZtj35w45R}cEri@;=MOiN2wv>)ymEA-V;-PkC{e<5qd!g#Atg#SG>N~x2q7+WX<
zM(uOkdO^m=Wp*X_i<0*4F=wH>TRE)^Hv4W-Vj*`0=56`m%=x6fcqea{CcW#$pU)>S
z=GB@a06}S=!%@X%3V6Sd>hP@hIfuJ-G&5aV)5M}n@>nJWjj`Q&<ZA0>K69!l3?cM8
z2>Ke066oIjVaoC7{G{`h`*$X5DLH5+rHY2N;XEcSdA-(z^jueZK>UHgyCXUM)NMiI
zVMi%=)zUuk#m8JHdJ>19Y)W6*56eiop_${nfSX#0xry^|br)I5{BgpR6aNL)TjA8)
z{dyGi!T*DHsby?p)4RFu-T&#{!s;F*gz#i9=xe6s{!i?859*O1yl&^F-~}U>3ap+D
z?l?OVB9N;reZG$hMcxEa_C7nsf?n;TY5u3JmCM~pYG*Fa0I}?yry<+s-*D7C=4NDh
zs7Qc|y-`ete+`4hjyL%`Aq3kg#l*}k;{)p7?GCww(uU4cj;L2&=s%x3rn8~M{8HOL
z7*m|A5eR?cV|{}Qy#YsOUJA&jEd?9-e-Bp{t`#Hvqry(3Q1<3}IP?i4w>|fJ<E}I>
z{mpbY{Fh_xyQ((dvjYnFsCVM4-(MkZ)tPNBzRffkJ3h#R%zs(Pj)JimD|}Uq!}*-O
zKG(d@-PKD-&8#R<hnkmsrPWgQ+v&uP*~nM%_@^hL+m+<?v|QHrX@>u95`Txn{bVL~
zma>oMG_&R9K#{`kBc1Pl27kR>ga0+?6b3B@XuOmTPwgm7iVLwt!nO<Zn^xrB4*d!6
z#aC-Ce4p~AP;z1l<j6CPQ-~R}(9h3_BLLC04+t)S%zIG4NY0+|!34F+=~<AGQ9kL;
z%%HLQzFGb&z}e<E>mDuYc75Db+PtNwIG5X7OU8{TvpsPIc7^)O$y4Wg(Mu2=5`wyw
zj~hWI;%z8c&9K#fmkC~)19n=SXvbSCXzirblhI7)-TBrH9&cs(_!O>GTM&NKuHNtC
zX0#B#!Tp9I@Y9fHemX|MG3HW6kXg$xMM19ksOXf#axO03tx|X<wzjT;#grD|gy7*d
zeH|CeIcZ&+($xC%U}-kSGTzbKIg|Uiaiq+bm<)7P;D_1lWOI}ZRUrdI>Q%dz7?@NP
ztJ{j7lWwmQr^EnZnqc_;%JJ^Ogs@6)y|oZ~Q<fjETbWqsO8M-@kFvC4mgFZbEhv$}
z>vp+Z!g=!4IX36yjA_#wsfOFGD~@rW_kY`uvK*}Zel%VsWknchVTtZXt*3xP`}o;n
zuu+1k$Urbkg}=h84NWjaddjA*)HXyfLdni|uCe&xX@*UglX-ZLMcc`j<oeNQ+~kD#
z=q4z3h!2xti?hHhSt-+P)D!-1_K@kL^K5}0-_vc?5zZwQolI9a+;(#7Dl|al-_1C=
zl2X<t+F!l9Ug|jXybF1@&z&c3>Nz9_si{uMVimFq8=HUIyJ^$^95Hy6A#nc<04T>>
zUD8lGr;|*mCO<l_`~92XeE4#hLk#6@5;^wgOi9T@k%>rxhSf_fOiZ{Ap*Ej!*Upu0
zmDWG(*(R8$0^{HH|0Ju{C{<L1K0IAJ0B+L6^w;V!$V<g3d3_c4Uv}%{NVM-3vVIxG
zOH|EtCAM~5=crP#S%edK`_P+}pI4YX3qJAODLX#;Rf(vH*NOy7NJE)fZ%8w@^!Swm
z)-4$mzuZ`N{YyN}6CF5sw!P!^3!++*>rx(f{6e%XWT<IU3mkc9foR7wIFc<yRw7)a
zq?Ja3;b}qFo!MW!rl!3z1lIa>5M(U_$vjoe6UG4QOJuJL{`LHfjpl8&r<pQ#1p+Mj
zOQGZ>+7~9}!M*CGeE~IXbiLqTy~b!@=s=$@GxA1Ffw7_I6;Z+@8jG7?&!W5x0FXwL
znPPC2szqrW2$44qtNq?DdsE;+Y=J@(Pp8XD@c!<p{d+X6?Gg%<y#&%5RG8o2^d#LN
zuq&usG1GTdkjY;ush30ZUXD~%7o9&b(UJuA83ErCSFkT(C5UeVCG7C4EsQ|A5$)73
zIX<3_IF+A(NyPrFq-t2(4a(0iwX34m<N0#;o-`a^K{IY@8L7;qrB%9n+v&vjA}kaB
zU<))PJ>PlDT~vyd6!Y`}=?`FpTa#c89g!~f{aWkIBHBw^F5pQlS_KcM^R9T#tboZU
z!TII_<<Qf%YxFtqsMJ&1zpJx~8pQs)UaVQ@YFI$;f9_e_GSc|II13t3Q|9LOO6M6j
zBI06CJ(xu(YRf34=tg)y4to@PW!epE!{xViDZQb{wCWZ@KR>Y5Z&df(%RgWH{5~Aj
z<8#<Tmow$gGZ^|PxvTd@9y-wH+V~oZ#JXfeo418cVc$1p`@`aoIDmZNq|ZhQu3et#
z2ewwDY2RJUM_#8J)BhM400CXjQ%++y-+V4_WN)a|M2<)oxx?bH0Lb9zC-Z<G^QI_&
zvsFGMj9Ofcz}~`r6=$>TbU-COr(jcQt0h6UhL$96AcqTPgM5-^@6Hg>Y0&Q-pBo7$
zfA+dkg)qIdgEk%wMpZ96xXT=Up{0L6x~R5>V}{f@OPFpL{jN#1WBs_OqAp_zsNdmP
zBdeY7yx!lo(s>+?fE22!nZL+4L!!69GBf)vJgi`WrHRk^hz;(1p~^;sKTvD!HBxA{
z&2=dtQm0xjaSOjwIxqqFLK+c6u~}6IUq1SAAegGONSk?^XY9X155j-38B?5HrFFYq
zxZTUaBf=E2!wWqbH(<O!=puOv%V}9hJX-9poy36H%puUTf`JiNIB!pdmf5_u6PZb?
zM=zD~dXjGx0*D_ub8XJj6s!-Y!_-MWl+2(@jh(_d6`;j{00nDNfCF-?HM{YPlB?~}
z{Reo=)q_t%87M>%*=O~p6DU5J_VNX;S(0bH5twy<>jWKMwc5}_{S>iEmd7A#@OA&o
z!*=UQ*rYT!FK4mn1G8Kg_}Ba|DI9@@6ulP(^>g)4p>m@fe?{-w^OFIqK%ROJQMnCv
zyb1?;?qhi!!w-PJyAk$L2+{1Bus%a5)TF~HxN^yHLq~8Ss+S5eTmb0h<^-*T@DI_B
zf8N*7PgAYma&4~5^g2}OH-=MY{hkErPk>@H!f(_0T=8#I<vKF&^qf$77bCK<VO=Q~
zYoTN<0i77)f2sp}0rQD_+SFQiIe{KKeZsqd$F{9!g+meOqNTotqOvOlK|k79r1jAJ
zBKbvBfTVDwk86CA)%3^PW!2#U$}}Iza4~Ki`h8b+k+Lfvz}Czp`w=EC`<x`@Jm{xi
z_NvmqCuXYT2T|y0K1u_UgyiAR=KiR~q-~2Kg|Tv`>;qTjwAQr*j`%JhftHSlmi18B
zYIGX6=uN0I|03E_nfr!leqWFQStGarqUw<H<X2)l(!AIvz`LaM#4ux2pqzL6n$TUD
z=avR~-(OyYpY67Qe-Mg=f_%MbZ1SY-5V?R$lsOSSGrD_BZT##kXt#i>VHrv|_xk_|
zX<R8D|BQ2%PL~*9qQ&D-3EZz9x{A)Q2YK0?^#vcVK*OIVaDS=cE`?V7r@uo35iufP
zB5`E#9GPnn_u|knGS%#UH@8b628){|J3<%(+&N?1V2ZpA-qd6|ovJJ<J*~%YMHY90
z@#hKdvBewKJ_N2of6H;B$8Yk<r)rLoy1z}NFo#ayL!Cxt1Wo+z;|}CDH8WF;4`UvO
z<**iBb`6-TK9`n2H~v2_0C$7I0q)-%uSR@a4mG&qt(q*WdsTqmWgcsf1_C#hWk#7l
ztD56Ha2n&VIT#rQf82<+3@1>D`&(|V>oPY?M6!+x#aFptzbnlWd{G*tA2wL>8un*A
z9!{=r(3`(?fpqp5J1G4_3Bw)kQ5ioN69kuB+~($st9M)DyJ#L{qB+OAVgiCwAboE<
z)_47V{3wo<4m|>MU(Fl>7NwFfa{34TkvVVTdkY%PdLs&E!=6(94gs{VPs@{%SWG{d
zmQd34nR9?J*WFF+xHe1y^aIr<4`RYfotA5UCVcD<m-+kM-ITFOg<FexexuAn7tHjD
zuDzX|L4i`oRr~FNmg)lvs1)w<mKq}pRl#s`uKkHXL{-Zoh}AkSuWuRWA%|aG$VzkR
ztd1M{9FC`%{u8K;b?MHaM+vP`+|RgzBKL2Q?i38T=n44<iRD1WEmI$C@cG5U=Y-3A
zS)%%gy*PvPHz}EpjVlI|pn#lCCS5>oBaYe}Gw(&-J*d)tY3ExS6Y{E|UMKO%F|&QR
zv#6ZaDK|0jl=W_BZQI6?y`(O_JcVFN&X^jHh82xRxep28314C*9}dqo{hTmM<axrM
zwA>N0$GJz_uW2AAhok#`VF0?r)@X-$-^$_S;kl|-lazReN8F~Xd)BqGoMx}Q%$pql
zfqCBmy9EfO9tDd*pOgUy^^#LN<cjzz@80iv=4VXv2s@w}*^^)Ai2-r=S0@ePw7HNa
zEx-@fB??9A%rxtg)7j=7Wtp@%WsSp012p9|Y$o@6E+i$ZJOI(<|KUgT6Jzc=*S0%r
zG*yg0)vH$BlLFe8K&=aP-S>1AmcmlcBUbZnQG@hIw=9_K^5_?A{*}resSxtQkSu7`
z$t7kB0qSP=df$f_A!vU&49b+$F^D4tDjHh`N%OX5yq07wlW#kT`&mGzN?WxdfCJ#L
zeCeOoKNz>90j9{Tj{5eE*Y-Z>-!@5aj-UO*QON1)sZ~G#MQEskSAoCrXA9YNkK1Ja
zhB2I>gWq#s0s%i~0&r99l(6d0;rj`PVji75qcYbo<y%KRMylSgotkF<Rn&0I5rq?^
zUIXt(u(0i_#VWy)-ch^KnhPeNSJ!{M*FCONq5UL(*A*eOG?>?<D1`K?V0%??u^v0u
zlL1}(8&)Ch^fgBY6eN~+LK>Jphz&?m_TVi5sG*<M^G_}c80x#nmEXH+HiPhA-`jUE
z_(?(id*?tP2uPK|#6kc2aqdq*iQH^;PHn;CzGB_llI3Qyle-*jShmW=`qk`r<5qNN
zOC-zYsoJH^-#g|@Vm6S%0Paf!;6^_r4lM5AXdOQve(qcLY*Y|Fgo!9*2F-YfCvK2>
zmth7_8v^y-6*N`00BP|8uQoHM;K5l*)iSs9y)Xs+>E|yn5Xyf=B}@DXrT~`}%_kEF
zUYFndp{YHU$Qe=Kx1bTXd>k7bBIMg0{l40dMGTGXL<N+^&Ev5e;e}V_tUMoP8n1q^
zoF8ra5#1k;dG;HMgz40KWV8HcE>c_5E}j1Cxg+#amw?cGU^oLMCx@A1Wb7&EwforS
zO)2Z&J|->kRiLMo2J}#}E<c&p0PTw0H0><y%KR+DG0F}^eRcXrm?!rv!8f#uE3PJx
zYKRL17Q2@qLY}ULMVXa9DC!x|w+DQlSqRh?Uk;@tsmiSnvAM0=;=Oc`fqkRW-q=K{
z^7CW8oHq~^UlVWo8&Er;S|2?a#$=?7Oxy4Oru2`QKgABE=SsgnSe@Ms;Vg_pyQV5t
zp$`}S4FG(7jsDR0RoZAI&qq{w%(_ev*sBmXsNd{(5AVw90hJ-AMbx}{8BQGNf{Br@
zb$tFF>8ODjtkn$S$4y!;dgx`XJI1Y%p}AjU*mtQXYOVK3Vas)v|GfhdDfHubN!0=W
zhMf4P<|ps_;kP9QlXp35dJKzYY#$#~0N`>mx55G9-SzI1ggqtIFQ#cTxZ&hQzs&hW
z#Tt`u5em7^b){~G-n~&wVU=!@6H4@-e#{q6{rx$^9hvS^=s5&q&S)$80pc}U4|Naa
z#K8fVnoyUgIkmW(@5JUne}}S=C{RQ578jZkr{JiG8xjUn2V_ySGSsJENUo#}!y!)&
z-+(=2uD(Q}k&rgZ<ofnJQw<n1@_a{o=YOPIE%>so`F37R4C^?CHvdjOot;m%)_E?*
zWZgS9VKi{UhB$Fhq1nCeSX588^!CLjmW#V0IQ4$h+rEsQeByb?Nzk{8%zQGMR@L}9
z0g_wq_r`$%31-#P1dA0hnvZ|Z@uMqG<-A^g>YouHLlvF>*_A!FjHX9*kr;n^>$L(8
zkq-Oub)k;2cP&|=tsVvtBR^aLif|*`7W9Z_N$+WXNNp1O`I^KPx2)LzP8%wuM3Zpg
z67!GZ^OV$I^HpCH)C$`wo);KkXF>x6?#FGX+rg1_XE#R32>#oThn)#U^T)ts!)e}>
z0X!GOspGU7u-{sLOyFdIEp`DgyD=o}T|1QnKRyl_T$+ou=wMVLm*ddrNY&%S$j0;P
z7{lPC?qGMa*_XJswyV&xmZS%`0bJ<v>*y7&!%ut7=RrY|69t|PUxaUA0AfdpVlt?A
z%x3v4Cp(4szB8Ln$D8ePq5k=rP7a=fhBM3JF#zxqVs%hWUj~!twAl)hpMb#Cy4af9
zh}NSR$qhO+cm_GO;3&c2IXNf`?qIIs`Ze!-5=B012xIieP>*kVvbYdDBByo&bDFpg
zlCED>WJC=DQjgx@gO^$-8y39t13skDB=ro6>8nPBP|MxDRKQ8`gmbv6BErisZ9oOs
z-?k^!&D3`{0u2Yewfi)R2fLC`MYO0|wgNO({uYdSo>V<%*hqLo+nhPNdHQJ$H$fn0
zJ&!(FYK^`JxX`0aH1or~YRl-$u7A>0i=D*xdHP(ZA}iR2295{x)*@QZqNpXXrr#G{
z){2djOYcJ!FUz-|SZ(U|?slxnohFGq9;X~I`v$DzaHRaIhHWAzLRWs2U+<~HpYCx_
z5oN;h3}N&Ls_Yyg!0*s~F3plKY#El9hiF+73=9ATBDe115^YRZCV&zHL?19G4gW%!
zaadV<%=9kRnN=mp+IA8iCRN&1*u!3p`oQG|0=I9O-whKz(*-k{@XBsa{5kWoCnJ~~
zF)Oq|2COm+zulX(xF(*i;M%!BWeM71nXU%^MNye&n%<GU=p~o9){>xKrg-D^?G#ei
z+HT+t_!QL4lY&oU2VX4p&QeLfxiE#HuL_2PR8JN+09co|GpZbOjrWmH94^VjI(7Bf
zz*H2D>-z&x>QCqDi_IU%9<QQRh~anlpYOEt0Ze@9^hU`%m8tSdZD(@XY=_eqrOh5D
zVTqx1x(}&d`-O`bQGOQY01mbz{hP1ka1*VKbAoNkVNd0LK=;`VNLHlCqqIdYkUt3(
zfX-fD(^z~AXRihzCx<2jVtl5}gB2Ez9>tj0bs&Sn*HA#<QoCi&`Pc5oC&hU__gVgh
ztQW|k1M1wDqq?}P)gSXZ$oV{DR-^)`ueRIKg##~~k2ZqUY2)HB&4}3?A1XLWntmV3
zRl2^XkypTmG*r)MLOFa#gjv-yWiN+~o+;TIoWk_3sNhyOSByyainWZ;+CRI?@sku`
z3X08KJwJuluDb1|@%`}io(t$h<G*Ckm+<X_vw_>}#tk)F5?f0omiUi`BRBnFm<WLI
zKy$?CAXE85QqM1;oR!xQ3k1QvI$r|UNm6f44z)@LcLG3^8(;SBzb0~~9qB8Tl`ykS
zJCfq2Bb|R+4>S3;E{PS=Dltu#cQ;mSrQ=e%?<Wu;^#Iax{C=77KUo&eag%4N+?uEN
zYhMssqgx=`LJlo=&TfPpTSo1R`UCaoTpR~kNhyPKhs*vzr<DT013O(LGJE30mlAF{
z;<1Jr=nTDpH3q_;{OMAgRMYNf&p@&4+494D(L3|Zxq$TjchbU|dM&$GL$;F^`aNA^
z9r(vik1swuKSX;hb0%93km}_K#RrqOqdrU}bGI6%xSEgT6a4s90V`ZI?E$Uo{F@~D
z*EJ%nk(UKjCZURu#WWs}$=Gw1@?7cHKXZDx&~=3_EdduP8J*1guZ=^qjrXWPu)%gp
zT?c~4i{wAkb$y6dMJV}P*64FT>Z^$NM^9zaAL%m{S&nyz7u{Kx*OHxh3NT}JpPQ2a
z>K8E!QcE!<0}N=S-ULt5w#AZ;4dGN(Df#ZXzWM=S@HR_$+*{>}T`L6r{_5Fkq&K<&
z{yRZIlo{|o^?y@=Uu@dusuvgvMOzrWd0^BlwOw9L<;pr1$++#`eR9(UhRy+_Ho#N)
z)JX7=0{wv@b{g;q7lk6G{K%y<lnIBPD2bu`cfMQ~W$(K_7LMCf0fU0{!hj5FNUihF
zWGpN?m@P7m94xRtgO4Ft^{SKNbY_X32=g_x3Hd~gdyi>i*jrA(Cgn$I%&Cm;Mx~fY
zitP?>e^C7#LX#5Or$SY9yML`~p_<IhG+=2rQ0fFjtHa0-c`-%>SrpK!u_LVemPr7u
z#rvr)s=MxME$(D-z|$ot3a_W@QZ)1{YRCJi1vQGf<deM<JW6NKF$-iT9Q2yXsRHkI
zB6?!lB^{a&VMtqI4ES&Pb+nW0Esd_Pr=fV>#+jw(`J`ToOHx6a;Rm7Bx{EMyAtaEp
z;$s%1hU0P);9|`eOHKp!wTmV~$~@ISMJ-E3x-v*!X;qVPWH|ym3#9@P`)^l!4@vV!
z`OBUk{yqsC+cHnVz5<lGSwBJ0UCsHfVXKJhrkcT}k7&o)Ij{4RLrUa=5rq|-&nKo&
zs+H1GtL62ZK~T|#_M(HQbwg<bY5N6t`4%ZgfU&AcE&I^hiQFjC)+N2`&C>&x_l*JK
zgSK+0Eh{bmv9nsOf0I2w+<D?L+PCgtVKy|_`3&ZT>IP)L>5*_mf5KE4Kv51<bK=h?
z>?~{FPNh($3o6?7VAzMC2>hBwMC7f>Z5nNUuADqtyfY2FSO2(MV%negy+Fuba?zy|
zB5id>hAmMsU}`sTspjqACRM{?;s6XhNLspnfFg_5e|q!}_LEJc_lIggIXRnZT9?6L
zyzYEHwR&;6&8hMMOCCXD-A|1;a!ARNS74siZ&puLm={7ToL9sv;0HdhyF3w=u5&x^
z4GZC$o#xdyej*2=ZgjvAJVjALBlHj_{>u&eY{^6=AizA*TVivb4cb9T8eDavqVPsw
zDzOk#S$%69&s0pMrFikUS6OJ(wKk<?KJP#=#uiEnXNoO44ve<1M~GI_D=U9~7#lX&
z3k7w?Bv=E7B0fC+JY}L<R1{*$STAC1OetJTI|wYZ+U5Ew3&3p*m~}MLsaH3bN?q=4
z{55nxJ?B{F7QFp6MLOdO{{1MdNCKM0xb^Vf)L`E-O1iS_M;YwunG98Zh0G{ggon)^
zl7l~aoPcwC-|bkvbmfr`be65#n!x&*`_fq=74}$Qcm<WwAv_$1gi>;FP_Z1LDxHQv
zwGkVi|6TwVqVFBv^xk8a-lvX`ZNbd5odGN8KypM+y!WxX@4tkrr>Pc2o7m=eFY1S?
zxe%l|&Z;&`b1zzM^iUPpGzud|%$N455eQd&(d3W}7Z&pp!@xni?3|*)RDz+P)i7a$
zAT@*+xCY~GTvJmkO8j1{QkJs{K^4)i6mEhf`X7KaQ?$M}Rwb9rNl=AsIBGuU9LHR>
zORS9XZx;*R54{jJ4Ne}w*{#l>hDj;;5gb&slt^_6`)=rjh*_c-#3}TOG41{E5WjhG
zx<t79rz@B3y1>E(OQHrx)3vo2!z3B@GLj9D|E;*)oenPEzsTuCkIvYIp!>PfVWcw}
z3<a*#iAskLOA{uI*|J^nfKz@?9jNlYn8W=_CuNes?;b-2ra*UHWAQS6Bf<AE4=D#_
zLt*R^hR)dSqV1^!R*|$}#bT-Y6~h*{QWaYh$VI(}Jh8NNbaxc)pCtwyKR|H9+5KpY
zRcYG<fz3d=iX?8mfMl#;1r;N=rc*n&J;`Ye3vs+3A{{&Q`K<h&0y1E*l-mW*Y~bE|
zmse`>;J>EzVySFh6#$sbS)wR5M@&}F`!%fjvoA!P;&Yw2MW*HmgeJG15Qh{k8nax{
z#|vyL==3e73*WrI*HpwAUnJdi#wx4)rd4Lb#-^fN?<ZJy6kP5up|>~lr*A904)<h1
zR77>C$@3H^@WSNJ+IRUR2lzwWw&UCggeTZfznNXq7MD=?o2qr5n!R~~8f~U`eGne~
z16~~$utHvoh~`RrREgal@*R&cjO2QQoYq%;yX`FDMND4$HFVKOw2=)`d(im)+2~qr
z9YM>b?D!-TO{$NQ)#;x^?QzRc)i(Nb#>p{6$`8AJMzbphX2f4n1RJ>5VWI~<VKEzz
zW-Vjy{%sUb$qX;>M_0GklN9@ip~J3s0=yQB%r5%8lb9f|BPC3CsNXRY9!UTuqG&lJ
zi5Hu>$1Hm+3yRVITH<j^D%PL7>VIfhoiUL^p?3tRrj}fKr39&Z(nC-IO7(28nZd~R
zL^cv_RR|ura~sbSeg^XC1(^?ZR+(<y8!Xc2E0_ivZNOknJ@PJ4jLhUryAF%w?A%wT
zIFox_*Amq!L4RD~$&&KxpwK+c?Rfh)^`r;q`(>1Bn6wz!rYDFO7k&f~HE>~k_`k^w
z%ssH3@;V?|)P)~_x=m!Y@X}OXzIzMi2Z-T<IFtz9XoKB)G^0@zwuu(fPGN9x8O-$*
zIXL%^A|CU26=1TCVX^oDX1{h(I?jP1Z6)LVLgP+z1(l!GnhO@Zh-Hk1m4@!SciK*;
z(xaRX_kC1_FO~Hk?cTq7Ss3F+C5>40od{x<vh;ONNe_<ul|Vp7`jBdMbZ)4_z3nTm
zl;8P|kJxEK&#*PRFtI~dTJ2)|yDWVtM+>iV>C?Z~TwjT;Dt!3@{awq5Oe=H_!1fr^
zV38@=23)>+dPr1eu!*g0XD7B{GisE{@JU^4OW&vvyEX~_)JU1<+^LBoa;b{5Wa%{P
zmy3VTSlsMy^S<*t8atUSacRTzQrpUbE{SPc8a+Q5bbRgS=JVqB2(90;+~Oq~SJT9^
z@K_aImfu0#E>1^tA^{5qCOW{N3`MXyNaB%=rPC@obC$L%$YX*rBnV+pxBkhw2CLHy
z##z%0Czx-tREu=lE~$T0nE}t<9Ov%jw+;<D!&xXm<h)E!FzRkf41Am$h@BIAe%dl{
zeLe1Tt$4Tdq@;tR0>xFc9dpajY(7nAGwH$b!{Ot?9*OfiDBE@)2P=S!t*D<vL^PY^
zxAgg@X%wJ?|9HYH|Ng^n*b+G<*n)+C`fY+jTIv%FE1SwmUoK{MFEzWRxihfa|5V<D
z({H*J<2gN+q8Hb|sZaeA*+C?8lTY_1I;qffD;pWBxbj<SY<YqTUwIw}prF9u)k~LF
zT!wMS9$Y)JGDtgW<T5~NgY(A@_*pR8k?4}n)NZgX21J~e&*|d#%A_$_WJ`ZF=&;rC
zvCFWPBdY4S0DF#*r?oBATuG^X!<SsG6!8YzMW63)(|Ps-^oYrO$ZtZydd)VV={kK@
z$c(@^LTB({9j?&TH)e@_sMu<24pPc=k|C&4vcCl1Jkbed4&PcO8)tD{Uw<&M3A-n!
zgHtY@640*i{Jw&qH6dkvC*)Q%6sY8k)Pll#@Q7!mhdK#^aeUvFD?Zf&`&At85w_M^
zKk4?Fb6iHzRYDyd3%=dV5xw8WG=H^OYLqkPI=$fp8b*p(oJr!IND8Sw^i6?eG%6j+
z8_c+Gk}y%woel0ZuPFKU+Nx)c;_MERG)b9k2xrVWU$_r?6s^55D?GTm6!$_chT{d)
z(l*I#dc?kiX^$@BiO2<bizXi?Z-*?&%-gAT>92j+My+8#0~Xi;aKV4vaJJM7Xp@|p
zwuyv=|F)ox3(4#>&B_*IHaQMfw8*C9wjTaKJu+S<{9DX1Ic!l=)FY4grS<VUD!L$3
z4IaF)yQ%+JeQjtbvgsro{!!zt<4m6$=KOq5X?c0HEKOfGCA(P>jk9Gl7ZUdot9(Qm
zfL*(WZ*Kz1RwU1EU?ut}RjcOkBhyZJ?gj{EtH`~Z5+`h!A@gB+8la#2$o<!lI?(yM
zp32YgxH0}0-ecN&ykJ5e;t@7MF1`KZZsv;maO0UWkZ=X*Fz78l05v09#d9?)eY7a4
zsr1R$qYEJ?z-B#Bv$QbVOi+h{nF-8O-0p<!iR$)9qPnsTrK&}{vt|fKdf`UVUj}Cz
z8?)uu54#LLJ2ZiyH+VhuWU^Q9!TC$Cy)dG9O1bG4tn~tcZlny2RWa>t2am{^NW}-~
zY<@fxgTaMOF#6UKeDnc0_9ZRqfw2|{6-0jZyx199Fcp<Qpkvq9HPTv*arqgPnE986
zGF$C&5T%o05kSPhm-H-myTs1PtOsqCTK*^0XnLZIwFwx4uTUrHe=(BaSPQizJe--V
zCVMe4CIQow(j0Ebk?V)=PudcPO&3LC%ovNqloJb4hpn~bJXxrx0KUfoS`@jM!}0yw
zp=MgGyTkXlgO|Z$Ew?`dz8`(gDO=P~tB#j>PI60YGs|GR3*~QIr#Y*i_ow7^CZfAk
z12!XBa=N{N6fVXe0`}dsz*|bIXNDLB(+RcaPx8jXC%`V`YW~>_g4vd1V)*)G=3-(X
z@!+*2uw@qN(&0eBSQ)JfWz&=0HVYhX?g)wAjvA`kdzuDeRubc@?C;^}*7_Z!4TOJ)
z4~iyK`h$LKUK))0cS8Ia+u=l1eygKSGh16s_EO|v&}vyBjv9#vsQ)eCR2@+8U)2L5
zCC1GmKmQR_W5GON+JS>%W)+1wbxEGavFnrrZA^xx%?DFzb|^{RuFTQh%z!}0Z?Zp-
zI2>!HyEEPpWb_Y{n5GuLHxB$WohwlOw5x!mywZ1!qRsbCd%dFOy9xmsT2zkpVP4~&
z*_ia8xzH=vmAA-#hAX=j*9f&1oPVAA4Fe0Bz;~+^G*){Zg3v!eoxW?cS++^~(oQ&M
zbAjrwKEKJE%Zok&Mi6#|?CVsNv?C9=4;+rOICA%PnlU;dH&47Mys4=Sd^KfFDwmH&
zEs=R?3+#riVNi5+ZEsFq`L8al@3{Ir9QrZH$XMc68`#;W`z8DG{B2V->>N|JaM_gI
z<@l*vux4vUA;W3~B&+d;QPiA_@~}-ub`vr0r7e-H5I`HSn8Hi}V)dTeh4a^6rP(3e
z!D++6{S)ozy<{9%=pF&`H(pih5~<{~g-afR+#8@|V@Tv(K5vWKX<QxQN~dPYczbiJ
zTS`f?K>NUR68Dk(t-aR-zvhSt4DoEAHI8hGP=Wm;xsXUbsx!9C*?9ZA0}*WB$E8hi
z@m`o_ar$74a4-OtAOoR?`~p@W_$bFr_F85Lm=7*+9|bE3G(YAk%qe@lW9;`{=lh1J
zN+$4}Dz-%IBPMb7M#yeD?QM0&iMV`#e6psuU{bn!*3UpKmBTIl*Ix)bIAb8`Ca!-*
z^Q^U2r$*ZUMnIH-hu`d!%65fIe;^QO$Crk35tP`d?MIK-sx3@l{1Ny`N#US$30CcE
zDSB|sQPbT-MmszsJjPM2_X6T_P^61WW?Bo}Pdzyx)-hjxZBEf|e;mi<$>AczEXWpH
z!oq$;`aWO;CVv^F^!T$3Ms4723cdH&p55)9|J}n|3<-VDJIed%nCl8n1U2#-=6Z+U
zI`foTlrL@Wnd9viHAJzU3_OZ_GlT(<jtBY+%jOZ(l!Zn5c6?;2)xKEDKQ4^W6~O#6
zo`Qc87zpc?fA^tWQu6h$Y}e=gdLM><Qk%_@(wX5RlXi!NfZDW^T0vJlP`SnwwG)Ql
z9_Y>(@?>24jdeo$wM$@-l9T%RTJLFcBp!;@ErBf53z|~W&D%tA*at*dyky>LsxOJZ
zTRxVTKmd6ghCP_D)>58025(UehQpSI9N~$Zu+7)2H0_%I)YJ81BLC6`dY#ntxQ!xb
zR^5ACh~$=8Zpz=1l$n4uzHqIj(bB1R&>1abkF-A|bMFvgS6~RBRzOw^^yNvLRj8D8
zg;4&Qghz+{b@iTkX~;_wx5-_4(=)lP^E=;n7W~6plsyCVI(&DL!E%9bluk^q{p^ym
z&ABe`U09^z?%*P(?Ne>_>YaITMZRKr?a=t(zy%x!6GQG%?=i^Wp7P%jE&LECQ)+l^
ze;~gnY%=*PLGOB88*`0wmBbI^xDO#v0R$_33Gs*agCAg2|C$7AejeF@_v5oiRR;2K
zp;9_q7!}_cDHu_KSB8o3PkjX&a2$&47o}VJ4-KXVx_=W)>?Zt(@W}HqfH<j9ZN+;1
zri*1PXTyc7x8nTkx+A2R!4-L~&KzRG@7p=44i!x>o1((<H{2FNh`?@E$<=3~XO_eD
z4v3mSBg$Ji2vL^BeATKI46$BuMXQ--MFDgPWl!x-SpUlTeGaHST!#lAXvHEf{1;!%
zXkenG#pGB=io($R&M%fHY54fYKmG9Sud>4Qnb+I%6_ZlwBgS`96nK)}9XH#aqlwEH
zy$sX8dh?c~?Bi`?F}y|AO4}NwnoX)Gl3R;7>qksqIrl0U&sd*!WCCJSuSK;7G5keg
z;e!6_`d2VOuBK&$Gd?)M2jaj8?@{nXRBXX-Mkwm<E5iP(O=fWIgO@X}E1mT8oJvaM
zwMv4#{?7|=x$w{KBg%MWu^jc%P^SfJFt-0TaH6SOH4l=8g&eN|0go<elvpIRI+x<L
z-<L=XUYLG{_|X9{g$Ev>i>7RM(zQu3ejlP5&kE+Olc3EXNZQ!7S&fNtyfcJ=l|!sk
zRhUSbA04_rzXO+=R6{NTz>9=;BQyA=|K960QL>O6WQ+mQd29Lva!^_#KUYy3sDd9J
zDbrrMsf&R*1-Xt65&>^40HNGeGKzo)7UPf6@PmmmI-}k9E_=w(@wC~A1EVpL>$s8X
zc4TAQKDfdtv!8!R9v%$O)mPUr6K5e8X}#q$z=gC*@4lVJTXlnnIDclxYg$?`v9L{Z
z_I*L}nCNIH@B<oPDjRlS4#s}x1}5;JS!L;guGaggz^7b)V9f)DR1H5ehvYBP-vi-;
zzUsPDP53;QO94R2tJdu*_WniaXF*tt5yv@#CX&|qc&A5>7V8Jwh45fpjpX}3BN&x5
z^DlO3)i&@Z3DIdiejVAfR+<BGAMgLIPqJ{V?PU2%aw@G?2>AUV@1Jzvp56av^+R&|
zdE%9pMN!Xd-e(k}@0#sys|kcMa~8z0dS;lbhz}<y#FH{2VDiNU3;@~wfPYSL3Ck%U
zhBl9OeEd3?DMIRoqvTfz00qzM)eIi4c$1jnb&EoINNG?bJ5l(yx^bx_j9|#YW`<Fr
z3jXEnJRT+{pLD!_TMellUo7twj4|OGI;mgMJg~I>>TpE?(~UX^ygn2N+$i>3TpHz`
z=?>G6*F;w)N2*FoTgsFpP#^-_NVK3df4A92r}KaEYzng~ROjQMOV^dWv-fvJu%)Cb
zvH;#!@D>KIm$PyLxqzp6+U6-zePL5CE8E4;2yxbm<PMp76#4`TA8MpVsnVb(q0?=A
zdGnlX5Yh(Cn6?bd&)?;G3C6xJ@SCOT8Wj1Hz<!>PO~U|?I7`aU5`A4Nl39D;_RHk+
z=WI_M-t=$_DpE!;(RpVRj+wRcTY?RkL8kG<LMCpx64m&n44~;@`l_9_-jF^RSoq!h
zk<S;*Q<fI5zI`@3Ztlt{oTq(Sh*dcLdA;muH|~jGF&>kx4h1KQrHrNW%TE;!3Tl@$
z;9}YHm<R(yTDmM1yk7=?lZ;Rp;(@hGSK9VJ2kN6g=?$(|%h#=&gbTx7>T)nyzw|g*
z4xgjY<xqDn;qhyXBm<Tq<aXHw>}7PyS)|z7@NaJ9GnU*d#Qq;m-yD|d_kI23CO5ez
z+qP{@np~4@8<TCj$(U?S_GH_(@!p^Bd;R|G>gwq^=f2O`d#|<j+R~Yht?012SrgDg
z9C*jG?iOyD_U8vqAyFHq$r7A&m%)*d5U`BTmmE*k+@y}L)v}q-+Cs9ybJxjx@JFXS
zE-A+Q^q?Ekr?|(Zv@s)$xRD99q4Hk~e-u}o^(R>Kn=rzC4rHi+|M`wtu@np$MCT0>
zPrw0Pe+hTQ1Et%P>R*Bpg1xm~d<B{+;yZ;Yvs1+DwbB*5zzCO={2G!tN(4!QkL2<r
zs%ln*yT5?-fD(3K?){w-$TO+43G1pyXs?IXIF6ieoN(oHJkkm&2?J1`%7RKS)$)V_
z0_R9z4L;*xFuUzXeo9-_^%^AYAFL-}!`M_I*y1z61fyiCrjyeG=$BOF;4k4|@DB-C
z@?y$SQmLyZP%G+wggDBVM2DIe5lf8;Rw4R4(km%P>a{o>gyZXJEiv7ya-WKyb5+TT
z573W<ty6Q{2cxmu-*bV*3JGhWfB-swAFFgnJmJCkD`{C4w0{la!#PR<Ih0lq!_%X_
z*6#i><Q6dw@iCZS@X$w5gTiHMQ~&`*(5;KqSkp3WrTEpEq8J(UM_62|jp;s&9z@Hl
zJ1?uB7VR<~JaX)Qq3>zDuL_=W!UsB)(v>SLG%RcbpIVK2g+!sUG_*e-=jDMZ2Z+zQ
z!Ose0m~Z%};q)W*jaRuUqZ`wW=?`R+nEUT4C>Sx8O?(5Yt=M7d3V0o<38;-hJA&v^
z1S+~#Y&g;|99QYVfVEPj2C(fH4Q=6xJn139@aS1m55W~`r!;UVxQ(v?psBz@<JK06
z<zQ@lt7rULRS4wc%M0Jx7gaQ-Z-Vb>%kYY$8wSOW%NDcaS^iyMr{-sDahT8Pu(3~K
z7W8^4DUlsx(E=$t2=gd=!ifI23A7>#<--&H<!ZAebEOH|4|*Rjp*}j@_us@=#1TzC
zzUK+`@)CU|()yj@5=~(tgPbUgp>$|)0Ge5`C)9_Q2qdy<_tf=G$a|jE-rBx^-TGDZ
zL4_7UwrY<h?!F%>oq5A%mZH`7otyZ4)C*`A43S|7H}oIuLk4neCzpSJ4BFnRKUEIj
zp6?%3e$OhBBl`pEMDL*gDcnW(Zp`bf*HP<T95DI7526@{jKM*W&~nxc*GsY)gRWAa
zNLa3tFX{A$!?f+wUeVE)2wqc^&54QW`P<xO2fv;r?8t8|6nEoIjVPoDncE`_-=O^U
z3EQAI3bW4aT~d5#wrR*xg=NAty^044ZU&wLUz5DS1b+`oZZw|-8zk*jjpgVLay~fa
zT@uz`gaE{hM*MAe+CwYk_$D@$wpHG9)$ySKYEW9lPFg~44G-yaNhY?RE!el-Ev4nQ
z`Mi@NR<sxKg!V+B{M!wr?8gP!@`<##0bOdTHYPs{{ma<TNy}MJ8o;`GSWO&N<Ak@x
zzUGg47V}oZgsW`sNa=l)C^mRg82tPhA)i}Ciiw&b@CVQz%_k%u9=$7bYvSoN9*M#w
zWs1vH3c!#^e~h`Y8JLoozwDxp9PawVMs|j>-2bH?VOQ4o^v9gJW=t@QTYyOe?KwKn
z)jA4$EpKL6IK?_{%Mig*^y9kT)X^%%sYj8GBzxhYDykAOW`L<>ecMm>L_<sbO~Wk%
zwu?3%{_BhD%w|c^FZc1IFYOlJyNQ<TTE@(jPaEW3t5G4km!SLb1n}Gw2FK9FU=h=o
z&YMU?PBF1E6M5r}kOSRXVjHevq1(WWP%$9OJVZN-rdUn9A#`;25c$`=ut)dOL*+|I
z$&4fd0;58{!Aj4IiB&5|8=$0oS)_L7hXbjR;c7;bdQ@r`*LBo+iFg-u;((-1C1rgI
z@{PwBD!4kEyDOtzY&9Y_Q?j;a=7kVR(3O~z^<AL4;yR#X!irv|Q1qNN4Wb>P_yZMM
z!uG(1!QX^WOhP$9NKiMPvxO>}%XUpJi)s{{E7D1xeo#1ADn(x?nU*(A4WIjUp{U~#
zgUhq%5^Y$J{k3d7AczF0-H0bAUpg63{2qJZyFLta&!VezrYGk<G5i-kuN^Q73MR>B
z@u=zFF!pucs!Tv>R~&VJ*#p{WFz9j_yHEY@`gQppkU2ZoqLW)?grUXRA>CeVwp#C+
zy94Tk?25gN#ZCR!xcAGF6yy%Tt{!STSS)q2HuMnv55r^_e6<}TPMi0O;U?oJf`B&Z
zG=)$1zgpTjTr@s|WV6~rEQ4tK7w9fL2x3~sp^Kmf>+it@Q2Qo1e16Z=ktvxjZC>E{
zqdLVz5F*jTW6IL)2rAgNEo^0eu^oH_m%QF!H;4C4Zx?(ULO<)sgaie#BAZbOEc70O
z&TB9IV32@=xZ<o$?q#IXZ4*@zN;-3Caqzhc+oAWHb37wa*mGO0?k^{q25gvjfOSla
z)`7eo@o6+R!gT(lmdeby!WJVs)o|Jo^*N6#DXh3$OOVu$(WqfIbt2?9kfmx9U-<IG
z>Xb^>tGng~C@hKv4g1%U#V03tL12#f2m?OQK9)son(`(*Q*bFlW9+#J0|C-Y!JnjV
z6+r@Rg2`d4!BA#*v_?Qk*b;M*;flG4$eP4_2hJD6`PF^G_WS1(rhCLN7el3U>cBQ6
z*YP*DmUc~n^yibRq$oE>`(iQiOsCJB)nn{_a9t3P`Sh1LebjL*bSN7p$`s-*QPSUx
zn0U%w!=-OL4uF`5ThFcxgPZC^H`eqJj?{z~LZ<Y6M?<=6(iK)^CBng>a8P$qq|NK~
z>sP}-UBXGw3Tka*JEag?yXSOc19oJQR$~LKC}>6;An<edZy(T2*wNE2{%?0!ev@`~
zGO%?0V=SG=Z5yRF)&`Rx2zkn}gQn!pUSk?RZPd3>ICNt%bfJDMQIyJ`HGh9XPMFK)
zh0oYviu3z-w00V|J`Id1Ch8!vTqB5yWh_=?x(Z;P2ZSB={)@^Wx@^d$4TaHNNoC0n
zN%(Iu^B@rQhhB+<o($#`ot3Cj*XqP9QT~MR*W<wdRxyj(IAG-A^tK@M-EqtLEa+xl
zPYH>sHJCm|+buC<enO3)E9nTk9?X7da!4e0>&)yr!l_OJYCLTY8_Ns^L@0*jFW<9(
z;C~>*94#?Wpm`JVzUFfk_-kx3L*exbQ$_|3ed)^yX}RrWB9D9|X%CNB!Ud@Kl`f<X
zbT2SWIW`cKLn)2m<;6WR6QXwoB8y{QQsxAOMoW<DzEmeR5(5Dt^{-Wi!jKWEWki!H
zhz{!LUs<KK0}GnKS>vGClM_1mslM>wFU&Mz{7f3#??LgfQ%lWK>8EfTUo=62RTA=v
zo>26@*GumFfBqcc`ZyledXpa}`rE5an9D)qrXC2b1xe<=F}=rCA|igYu%y51fMo?d
zM}WnB)rat%R6vr$*%Vp`G5v6jdPNo$1~da22NX~^*bu1cgH}>_6-%UIuszx<f2iC!
zy}u}Rm{VvnbRFm7QBT4jH1pYw&f^`>1YIGpF>EIojz@V6skkfe^{nNNkI5^NeWw}#
zp=b^nfl>HsN;V;=qe#;wn&C5N`^Jbo6%y_C!NkuK{#_lwrzC9{6ikkSg|dsC1Od{{
z`2C&FGr9Ccjq>3A#S}cZafh2j9Bb<Xuv9cOMCWrxJ2j#Am1ipAD4}TMBwA<?$?X!g
zHm2K)D<h+oXeYD{88I<xLYN|OSWDA_4RT)7n-h0ppt}+%D$-@#y4c}BnvJ-P){YH_
z4A4bfHEQ!WVxn#d2?)8yJ<OKi*poW228Vhcw|J@J7C}X`s(93ldp;bXj<_(KJ<~T{
zr`}wj(957<d)tz6SvVFZ8PI#t$V-V^%VaLBZH#A_m<W``kgC7Tetltz#b9!IIw;<r
zB6P2+D6vl)H?b*(Qi|I=*O!5jQL)!sfUPup)4A=;hZB?n%IJggHu<BKSa{eY|NHMm
zkGP56_qYINh<FeeoO^1|Z&XxL_Bd6UQlk55FnSP0R5h(E#H!mS3ppFa*5NLREN{Tn
zc+J0T1RnKw|1d1WKT)r~HI;}HxeH&TiC}1c5p{VnBKnX2)*V>O%^X>oW`tMR`eXx7
zP!^_9iWB}v&`a-&P#b(Qf@1*Hm&~tvyur5ZC6vk94wF1;l3E;KQo&fn#TYlGo#L9{
zfumqD{fC7pxpVS!mu)Jj(8OwZY%KgBdct}Yep3U&04k3`mjoVT)Ht;&zVyi5H_edY
z8awFwZ4L0yQG3~QvZjZ=V*eUW`@of+)e|mv{R{#dq?q^D28=#_BaCR!(N5{$;+p1g
z#F}j}YeVTM$g$0wCnDByusxQT{tkZZ6RN*+U%F!hIf5aAd^2h6$T$4AwSmrBu?&Px
zcTLwHKqwBJ3J46FUXg~^<3x#<-HO?QR=V0ugW)onIFmSZy+K#zLykER|1tV5*NJ?i
z-H{!K#S9cdDB<}p2z;j8C~!VNuS75@CBf)ITt#FIvNk5?D#T?bSS`4c8eL}g&tI$~
z3&TN@hSr--tIoL5r50V%31_vyeFLRgob4Ihpwi6t8@w5HJRKwX!k4rz{UB{waJ0EK
zljqSq!YLW9Ty5Oq+Vz2;Ep-iLJWPsVb`>-HbSp9bh5~Z(EuWeP22n_FCLl(j6T!bv
zh(1~7WBgMuh|`cQ1LqTt*f_MF)Hw7Jy!e0dw^z|0Mnr~JDCBgASj5~iII3CZ_-1j3
zP)McR9TT9mDYZ%Qn)JLZG^k->N3UlOnEsw4aH-RKX#VDeL3t!23M8kU8d<1SDEY1Z
zm9xJRhz(EpN@_J(k#8OyCRTgH;h{PxaGKD0q|$YN)liD%T>_lKzDJEyDH(K^!a0i?
zn}3oR@t*p>3%Q_!RW0V@DJc}HUoY+;1AlvRZ^lSojzP0UE32(xo5uNJ#yZWF41)xw
z?GF6+uf4gwoPrlaM1?oKv72*4$|Ydi>@U+9_;Cc#LP&XSGEh#xhw)w&54to(Wo{x^
z!)795U`J;!U>B#%#dc!Ap&lUB>hPcKElL<D<ubrkP^(p-q=!R@IE)N7M~x@WD6~Zr
zf8%=}+ud7@?Ao|LQH?vhGX+Kc^A?MdlQ$p~DZBnO@$7~cDJa-U=Q7E)<}92qe?Ahe
zCw(~tz&AQb)qNQgQbh*EW!z_{bMYKVG5@XC%lC*_?0`lghv2axux;?Ruma?~o~~)M
zQiL<Gk0uc>tRis+ED<&-;jb~Ew!mlaG_JN7>*%BVkUa+vR-R@?YFV#d#_<=y*K>F4
zZ~lferZs|FjPI@|*PeQ50ibSretA{r4r@-1=Tm5|uxWWcu`hNZY@iPRLC`EEdrD*e
zpTvhWB)^>r6Tg43sfx_O@TE+(7)#_hFhCGuSwm?&@U$?qrH>LlGLI5&QN##q@e`1g
zqzBr9QXBILO}~){5Es`L78a_f#92C5Zm5c5P)?*igr)SbLl!qer%_GZe-89NV%h80
za59<CaV*;^l&H*>YogAU%{zis+JNXla|3X%%57qpz@{9hk^)dYsk~CzM2K&cJ(!y4
zTq}prQOOiIpK@Lg$2A5?nG1vca>TiSs5v5+EcEbeOu7(jvdlpFuk-7hgytFde~zdT
z8Wo8*Ot<?F3B^_C?RM!%=YPQSsA>^W52q9p7Tv(h4ug*2YF&opMf8SCg8AOtDSltm
zL8}g%L;J%QbOh#7j<&z%c3uS^U)dPTDT3Hhs`F7GZ<q0dPo)aSo#3otpNn<<U`cK_
zSDv6+h~?whH+LPd$tIBB*z$>8EccQd|0JI>pyH6P{oBZyJm_95r-&sz*yJ~b*vi6>
z4v%f{XoqAIuf<vr+w&=IZ26?JA2DEJIg0c%ZZ~w}#79hI13xffgD}9%o5);^1bX#H
z7lz$tk-lPNgHXm-%|!8l?*k625ua(iolAo6k%>X|Bq%2ur{zQ5dAT3~9_TJb{w^?g
zxsA;x`W*v*spKo68!e?*&~C{YCn065tedrpNXo;cuDfLu)R_TaL)g=Yi^VNwaOqn)
z4gH>7BmvN(u_;g7VSFuqGxWPOSk(YZY}qq}2{acb=jHp<)@2Q3uUD&=rWq&7m@UTW
zeQK&-w|Qt_z6p_O?TZEk-ih+(Ar|<0DD!L#sf&5oKm{+J`G}AQ*QS+AcLvJ6l;@lw
zPU^WQY@wirFly7#{&5IQQasFyk5+hh@YjU0&yJ3j^bt$n@wS-dfI<cTL1c5X0d*MQ
zBvBaO%W?p2{NTiH6Q?%gWDFp~vOUc8xwL>lIcbXJ!-4S6A5XH1OE-AE7mhxcInefZ
zOX05$!Mt$jKd^8uh7b$R7(2@}OQb$^VV^oFji$v`lr4dl_wmtR=O%VaHJn$w<9`pF
z+?tCb_7ev7@|itw(Jf>^QP4T7M?cWTk~}XZN>6RXhYkJ04F(#}1;C?Tkv4b#CE70&
zm<~S5%Y`<g_UpOYfe>J@*ShN}1!Kg=ri#oJq0fZlBoTyA#M4Siz4B@csA~zJWzg1n
z#2RHhjci%|?jhmmTNN^r?CNVbsj5HN9or;JNGh($%UOeifSS_jR3Ys7)5U@@cA;lw
zLPI|E(c1o-4l2RQ80`0Qr<sD~@4sI=k+Rru4X3G|9l_uZZkbVe%1{jjfJTN4kS|bi
zKtH5Rfv`V!1$KgqPmn8<W>F+tk|IbP5m-pge<>0z{X?gUL)!@3TlhhTc2GBG*OwHu
z6+pB;nkfA0*R^-7v{;p%+L`HD(9}ow!bX)~;+M^t>vpM{(PKt}36R!DIbxJn%HOyg
zH=W)4LI#ECZQ3rRx_?QDu~?JuQPP|sVaH~<4<~}2JAjU_c@BKnMmLBpGk-woJ@O#R
zjBRjCa~r$sMB5om95%lBy~p)<pEt^0eE<6bH5AJ>Zx2>)pP6iXo$N@A4@!jPIg3)a
z7cp$y3j|PK1l;>M*J<r$3+PGyEKqWFb#Nd8lC(myyDZLTN}g=K#M9(c)1Mvm94tu5
zsK&B>QkTn&VaDg0u&y$#4)9!tY<*@%`(xqOD|sjzdXq$>)}c!kU~w>1`QOW)d@H@b
zu(0~_%0z{|3rZewYojfqruS6&x5H}8u?Jhp#N(?QNTW*z=jOzryES9zfb1PynX-97
zr>I}*wRkTdQ^LfCW^ki3pjfq7fQwh%%6sB~R;MjPHBb;R33EN`G!n4;S6gdsBZ#I2
zAt5$Q${&xWobK{1{$Dp<d=ftbZ2e6q0%*zYNgzM}PaXSAvzN#0cItyAXdGHKdCV*|
z8QW;GAaTS^^7vObDkKs`j<YzBq72yRS}@~B+k35iWdL{gir8#TEkP^D2*>P!4;G5)
z>_v=!tcS86&6&uqe}%p>q&-Cq9vnQy5pab8;Wok{yGcSnR`pG+N~`7O`szrhG;!Lr
z$MhPo*;LNZ{+lD4^+MeC?I!P3K|~E-I=-*gXU2|-dNVDtj`n75;Xy*OL=n@kyRsg(
z03D$~BFKG62v~U>m){2e8VVSGcq7lIjDifN9aZ%#7)GM4MPC7r_BR^N+`VaP0Y|A(
zEYb`T2@V-xDe}Yc?#PyhKX!z)i0j-Nk&DCZ@}$9VK3B>Z3x!Fb4GmSZEAWZ!4hxqT
zD*hgC&cxE9Z_;$$7A~Ny+Guj)5-)E*+|MEPGXL2OSxr)2^|dJ5o*M5;!oLXh>M;hd
ze{jqQ&!W*XgPkgC?Wvg-&=dVHAvKXTO|FVJHev2wn%*-^z^{%X;jQdp8N5RmqrWwS
zO|7gVh9wf%=qYlzx1Y24(faV!>;cI@YID?_%@SqpR1!sVwMnM*o*O0RYK!||{GvC%
z$|vpJNTp(Pcn9N<%k|`s2lLgv>p`L(Mtb|wxQj@8%7C%e=lCzs?6xYcpeIy<v8R*t
zppo)1CyE{E<%sZBfS#Sf8rgFaIHjM;=ALwg|FB0b9z-5tPhRZ)*xRSqkbGc{WB^Lp
z(;zfuV!aT(n6JOI>l1XuS#4m0Az2{C8FFxN89fOKk#MfmhR%QWc>E#pzc;=^ShS(J
z{flM821~8}eiuD(;nMrzhC~@NbJPMu3Pg7|MP$m~K8s<Ip#sJ3|K!xW^C`i$qn=$k
ziG~foe*KEWT#HMCu@<-XNrMqZK!OZ$8&HTGhDIi8*r7)~HN!M=m$Nm&(%EE8SNHQA
z>drHW4iU(kB;o^oiAKlit6Pav!IZuX?`-Ae>mxt2AyQB%|76%-PtV!w-y|DBvO;C3
zlBKHq3-^JiDMiBeJQ{Mzip!)JoQqtokTPyd_qL1Bd>OKJ@!RM)i(^fIJ!wHcvH)YI
zgd6o6xC1Pw69(<3lW1@#1LhOB{r!#e&z)44RySMhPC=Sf27C)9p+qFwX-eE_ZgW@<
zRMCgZi@Rg3m=RVaqokQnc&w{r`sS0x0aIS5TnvI|8)Hu!uv34t>+A6G3_qPFiLP&^
z95-!Ckzh<vd3qBab;%#P-T33{FpNTEYtgkq;cuTNq44o!ygC4Es~4S%(s;i~Dk9s2
zP*|oq0dNy7sEtz7c-W7B^=@H0I<kJSl(2tjNZc$_s$JhZfNdjMMGarYBw%I>{OF4K
zZO^jHi?kGu@-edqyh~Zs6D?k@*rG3L3X2M7ch|T%kg(wG1;5^awLIBc>wd#;tX$7Z
zdVH|Rji_7y`!6w8K9tqicda@3xUqPX@-`(WzA8XnJ~FM`im&*i&H_Rx(%y^pW325)
zQygsq(){%gW3*-BnY~(qap+V&a5~*_Fi@6n-J}aX8Z97t8hD|46*Q`yIb1K=|6V}2
zsVIEaV&C*u&eSdmsdaNw#9bJPt%!sOtGwjt`I&HJ77OO&uQ0Q7rEj0u@r4u>mtfH!
zJE6~x94tGuozx}+V}I>KvBmvJMc}1YwasnoPCxd~VP2k_`Fs&9Rt@y`W_5uT4#vU8
z%qck&4=%1!!2YX}?$Q3^MkR4r3H=83v_s~1Gqy$IaU+x*)XyN%g5}0fAR%rrxAr}!
z$3002>Uyx+TK%@X*6REt=Sol2na^W%oGrODNys>2g>-HPQV?o5!a(I!A>-_;@|A$-
zFR9>ium%YMl9XE^9QX++08X!hYrFpSj11^(^QA*E(8n*wwrzaur@K6+9G)#vx<7m)
zNGS=g$%xkO@cb~oq8fGw8^0GPyT;d8_YW)wh(LK;e6Im@wx^KR=T^ugKIH(?i>GVc
zD2Y-PTEas{Xh2NY1AHJ=+*D}w`(nM%lnuyoarp0`Nw!IAEKrmEF?mHq*%*<)?CL-!
z>2=Iw(<?!__%w2T)7C|Drqv?@%q8yQivvo8<C97`unMI>4<cmcTE@+`7T(~~-6h@^
zW#NMOO!5fL=kC{`WXs$4Vc2`AGYU17B&)APa2p!VshFSqOGxmmez^4C6LN8qNB8q=
zZhu-Yc}5S=PTok@a8ALKN17chmPwZ}ODYPOPUW{}bz}ErzcRwY$C6S|1VDBQ8?oWC
zhduo<*C97|z<0r2TXTN$Y**@#qM%8g5(YeQjcHTsAsO_(6v=+NU`NOCSMa8LXMI78
zG&u{?LLWX1(z9dof(8vDRFJQBe&f37apoEeOr0m`<JlyIEPM-Kp4qWzxZOOl&pVyR
zn^Fb3|Hr=5WU$xcLBT&co+{MBr3J_FG;t#fS!@NWR~#HSG8#vI9@4P?-79#3J!SnI
z2@mY?TmnD*KP><<EQc@(H@N5@d13(L?nT_Lo{U1tZ6h<%PPqX+flcY?I`g$9eUBXb
zw17;;V-P#c+n&q$c!IM9L4Cd8M=18(74ILQ+&L>UnYhHan0Fz6zJ0NG*Czbtg4>np
z8i&&zA@A5kXRE`_BbDOC?YKisFQ^4YV!ZP+e{4Z=?`u**^=qUtteA10As@7=jaE02
zA48lZj^llZEW+DQJXl;$eOaB^8QHsL5PQX5ip{nD!=lIR4q-|!reC6@D3ES2K?{@I
zSByt?lPe?j{C(d)Svb>N2i$8}0E+F6>o$(1ZRCoND+5`Jj+j9J6+i&@NrRrO&s?J<
z(jIh4fv*X|q-RaMxf+PWty`aZoSoP;`cjuI@<a0XA|?~I!Qw}I|InC9+(N4^b=J2=
zqCP6jva~;UEbAx+b4t&8)9JV41*+X<TOQjkb${Rg<OJ6T-U<7PsmX?o<Tat8Lkokw
z(IDU{CF^kW{b)Pk)2J3yk-%}kqKb;R$3nrt0HiBB2kFG#&*uymYks{$>!a7g?8K!l
zj_c$kB)cGD$hnG0z7fCcYiNaRub({luSltmqGY$aeLO%c@n`KZ@+k;Nzul8H1FUJA
zkEcmS{8Mz~G9VZ(Y-3cb(o|AH{qD%J{=*vkCx=X~o_m37I2d^IpTkDM#9g^|f6^4Z
zom(Z4xt@dVgE=0$yAVevCZ^N~*2w=Xh_9hI_qc?4e%mimwdn}E3gc3x!6<pWJM8Iw
z1sYzG`=ETDIW(c>kw-cxI@^bb<e9v-9TIo8L?I79Rx2s_QF7$0#_m?Y4}{=Mv?7hh
z?VT<{#pmwnEI?6U=BkX{*2td|#;lYB(q|QSm%3Mhi(^QK>I-8CzdT_lKPwWh%@nB+
zmAb4S7Jc)4#&%RIk`jZ42(G58wJ*<!F4w$5L(Wssuu3E=)SOQ5l)inNLm+I1kjxJG
z#j3SUS4Km?|BUSyjwV#0d^>-5L;guGt<`eSIj~p}*Y)4d<pu-;*Mv^TS1MTuAjcV)
z{rklt@oLg>HH8H<2fN`l=uNQ+-)3}aGrPU?Xusi}e0HUVzPud;jwoG3`&U}<zOh+c
z&!30=rt1NM2IK9@1!B$;L*K7^QH=dn&v2n**ZH_Rre6#~K|zZ^4?89`lr%SLO~(8O
zoxY!5=J$cbJ&}a#?CBO?;VkDHD%wq-t3G3MGVs}%E44(qOJ*SH8A}iVKz&4rz|;^s
zKLH|bQlRIU1wW<^10qjwD~>yn_W9O*>}J}px>Kq$jY*^yiNCl?Bp!b<?MZA!+)jvT
zZW*n?zecOLKqURl?#&?mtLD*K6WJr-FBZGw<3~$>FNC$>{#;}OHjxFoizj`YaNxP;
z9)8;&4wsxOOHWmNC6j*5>3&NZTMQZ>oSj0$8+ElqOE900jpOOf{!BgYlunSloPT_B
zd*kluH9|I?g^`j#)QNYa+iy++W5Uk!fqzaaGo9e1{G=BRkaleW_06Z~xVA*i@Vmm;
z1yfQgWT>7a+JLF0j8~VHf8Yp~a{#ZbT&7o4Pu?(sU<)9ISG8@4tKzi<S86sDs3yQ5
zvuJ<VG(5>7ee&eJU7ebcAGQ0b!Tx4<>(Ht7Y`o7bH8{t$Ehtb<GV+?H^Sha?iFh`1
zqXiZcKpK6uNn!&s0VV^e8-uQJkreD8dcIIqfA7T#+8_Dw!$luC_adgi8e1IYH63&c
zuBc)OWUpor2~dj1Z(@`aoBO9IPNuYs#{-e{8N1&7CH+n3`7E(qOk#l5!gG)Tey#Np
zNxXdg;9(sFH0Z0I2$WxtTfh&uB!YIH@O5O`TaVvb%syhYs(yalrPQtO1`1B1;APTW
zT0#MAKd!X~aMN669%(%D>EN%TbK)aO*+CdE<&9>~%5s>LUzVh!NllTk$YK=rYX*0D
z(uzUXknmayQia%m3W|Tl{3ALCcC?Z2T;9!8YDW&YcW*lXBAeBY9Y+lFkQlFhyk>_F
z)c<U_80`yghfZZ7f+Q?47rC}%bbK+=`tv0pFw}`9q28?%-fxB#J5R$>Ic)D5PRlE2
zi{AYk#-6iyDxmj7e^>&(1WLr8{XHiXcFNms>AUoXpgU0h4>GKeWe-}9AsTo74~lSe
z;683b9v7Nkj_DJ5+fbJv=otb+o^mI6*+;^p@L$ft69Xpf=bKf2>}VV_p(&lKk{|Qj
zmCIyFuQvw|JIfQws&O=A2+*YO0<W2P&AGF!Hqy{{a@6Tv&hs8QGWn=5Fo>*_obl&+
zz=ldr-%=IfzZHGHZa&Zek2*}!{2P-d#SSfi6>-;jq%B-EKY({sfaOUXt+7^i^L^g{
zC<qi>0(cQ(%j_H5cS^aszv9Zqp*Hw7QVG4fh9y%>NO`K)bQT{!#|D3usjxBvX^!Ep
z;NqDtlhN+I_naL+;wnAml_ol<Fm!(FtSjmEwm%oC)@c);CV8wkicn8)ZRoQ_a3pfN
zKF~V-6Qu9kyz1PNm6S~RzyN%|CxWd_{u}W-EedML2L(omJmkEQjAeNatoi>~?NF~|
zHyU~OK;X%aO%v;UNQjAtc3uRmf+4)L+-UnehdSK<vz+s0^&tHB?~5yMS~oqnd{<rl
zlLn32<k{iqI{aT?5P)gKRMm=oIw0_fqmSer^R+Sh{ldQ8ZUHk<=~vBw6h%m%Tl50t
zk1eE*6<>?pP%L(9v&qso_F<zFzAUB6*?H~~5>fDx!~mk5v6-H@B6+v6X5F#PdC(F3
zbdj&{vgh^mb?EQEcFArhRrX(dzb&El(s81<1lgZkBwa{zM#Xioj-mWf^AaQP0TAYV
zo5%t?mjECgKiVim_)sKG>pUu2cj-Ba)}Z=vjn$RW5Zc1UkJ}ib?`J!Cj}~<8D4UMf
z2yCYSUOm2<8I1b4RVK+XGSQwmLOm8)C!CR_H&NzqxSm?(&kQ6tDd=N5vEkY;eZO=?
zSH$?#e5>t#t%Fn!zX61nCTn~A$P|=V%VXgk6KFJO>p2A?vq_gT{#QrsuJjD1K@w(0
zAgo3XUSFddTs&WCPup;y!DLi_mvohBU*?G4_aFyS!JeV9bj{n?+oN!wBH_wS&*-o7
zekNOo+Fv|SA%y<&JbSoWp=YlqdmrDLO}@^W9hrhsCN1P!XO{I|<PN(|#~XJ&96hcr
z?4HTybD_l@4+6U_Y`LPOa0%cbWio%!z&a8F6r3F>Cd->l8zTB7?bcS{PZQWQlKs`S
zD`5HQ!8clumEi`NndCM?5+>4eBLi-Qn%)6}G7|Khbnyq*7m^RfLBx;O2U;)>w+DHX
z&AkNP!;72Q(ca~!(S03DX(#QSCqy?LmvB5y{V}ICJXk<rL9<*q9ppOpgnlG%$Boyb
ztw7=KkQFcs$l&Es-u%bmzVQfv3p>1YxMKjJz5>&S>a;%UTl3!}cbv#LA~*3pB#cB3
zc!_<pmq{*UNJ=uYI?r7UO<Zh&+Kl6?s>%Vk5e6JsrDk<KO@eU)BJSK9_kG<uY)7I5
z4<ynxUl&vay$Ny%VuarFJn(PDpO(^PSaw4Fh-j!{M9>x_%u<W6(BS^Buq!(iJtkt=
z*RL@*u+1mBvq&on%!EqGR2kvkt(_asKi@r*%%1hJmTK>5eA-d~ABilE+q^|P7}n!M
zh%+AhRG>Xv>-DQR>mMI^<TV|A!DxXmuq8&hE*-GZCNoQ(&hNEzw1;hq61MEQZq~Y4
z1yDXFUO8dI?yeWzMm#POWM7cUcWLg6E9zm7y0>Cyoo%h2znuXD&Gnr<2_4@8YHwf5
zm=?4UIpCGH=b%!xVIK~}`LL&1(tUmz_AC_JcR;7!o!6l4B$0IAfkY!_zLo53RBnuJ
zGT2<R%t9h#TtE)7O+kY2hcLd>e0a;KP^4dTzDMeevy29&ATYpUlcQ-Esu7nxvAbGv
zmB5erV0Ha$eGRQqE7=wq8v}nzu|D=@F=XsF3pa?(5~C^u!{oYB{nI1btoL8TaZ?6>
zN+5hT&_D=Q-;GWozWk&`jSrL@nin5Bqn<GKX%a5{U@rR@0E>1POnRAt7X-aC>Ld0U
z2&H7jlw&y78g1gE6lbV219Tq&Pc|?JqHb))N>)9G72j5QBVR)VkxiWJEJ-}<k8y(Q
zc};Lo5H6)8%-XuklRJ0f$l|XoZoZN9^&q}hzH3LfzWI4DH%>`D{w#YJhn}g${YFj{
z6l`Jdj(|gA<^I7Fz!VMWnM;9*?Q_54O7icK%7Kvt#w~~f-S9xfQu|rZtK24OC-%i6
z(>OIs0wr<{oPkIL4adUqB!cMsa->ga;{y1JV{yGQAnJ(JZE%h504Uzvb(o7f%fI^?
z7b*K<K!`A9<Qm!JwY@r${sCtT&ZtP)_1wYHDL|81Zp9BD^V{Zeey#O0aMDJW#n$+I
z(GzRITA^Svm%o@=tI9jw58zvuQ;PbR#5CVbh9I`m1^&fZtZ!-@Ev?+>`N#4kao~U~
zCJ#Ne(O%8AZdu6dYVBkhH9hH_;&bJ{Fh64~qD!?u#iCri%)pj!rVavde(&N?`WiPs
zwH_I(8qGl-V75bXVV>D@zuNna`y+1lFvtGgl_~c9?-%%3pKSLKFx2lY5e7us!Bh?n
zoGnBr<xWyL>9QP-`iH15sAbvkC*WRcG#F-&h_&t?Qvl>ry5Y{8lcSKeF^dfB{4&8C
zKnq&0xMl-ox#O;DEq6NOh{3{tu8s$acE30fwTnvv;u|iyGPK<SkC%Q!I{8_~NZg)W
z(CgV$r{9%0K7V^_Z_2C;dN-_LKjU{s9_e9-1h?99%WKxzwPF%VDG*HW;Mou=T_f<v
z1kq;>|NUroICYu*dG*Gx_ZCTlopVAoI-sNS!<Ggk-CLJRy+3wlpiZe!#@14ODkw5>
z;eoI+k5L@{<;J1ek@|z+h9smj^upm}4GpM|_ZHSs^nwS=ff;oac};hAfqT>~F;w~)
zR+P}aKZrP)hC(nun|t*^=USM_<j<Ub1a<-!>M?+@%d{t~N)B5$6tJwOC-^v$<{DBE
z+yT;Bolb)OcS%D4OiiO0N4IyJ`Cg+ga3F7WKe+U9dPPQ*#j)N$`T19UV6){3`R$GH
zcBf|6;zy^_Mt`>#vgoqgQ`fPoGIApU1w`kRZbC`M_o@&;KqH@p^ezoi{Iu!``U*N<
zXZ>ru{b{#wtOyL1LLk9wJoLINXh_6-w-kz?Z&xTG)<9A$S0DZl2Ppj%2Gg_(w)p}R
zBVe#vo%xOTIZgXfM6Z~XFtF4#jr@IaAx?YceTeugQ|{_?XYl|86B_ox&RNg<ZSKfH
zd6zeR7*NwnUvp*$L2GE>U)b^h<tZ1p#XoNID|<JwDs@!+L?Lf)l5JE6vLiI$eIf-$
zzdb$mFDm-d*gHDr83@?5`TPj+<sa*w^$~nPE&+6HYhKtgv6CigAG*7X2h3-@&an@j
z3u#k+@2xo5t0Q<fK!ZCqme|jGWwGdP@Ka*!tLNRtrV*Ssx)7jNWG+L_5efS{asXzI
zWbV_EZG!g6ok@no!X4C&PS8UXoS}8Sx4XSpRIK`E94Ikj6>MbV1Y;k)UdR5kA^;|=
zFy{hwP@v$V?$5`Mc3{v(6l7;F46*d8x|Z=2G4?p7As&s%EGn_TGDp)>36vUY`p)=U
zet4zB$>r}Z>%Rk(WM2t!|3*%yvFR%ogGWn5m$Z}qf`9q<+d|pXjXsy6+1IiIp{l)l
z=c7=`(}j9$&JM5B^*T0Ye%5D8;@0E8DnkDa;AG6T-VlW(P57I5TtT{+Zw^|R5P5!6
z5fl(a@{BX9?jR0un~Vj<;avC??Kj~EAQ24}uo8;<d@=?&8DwFUe+2n;CIk@rgjj&7
z(O-W(3=`Sv@vx=FPozkVtlg*Mp<u~=@=tvUF<1-kK6=b-q-G7Q_&YbX6^m1w%Gd9^
zVD`dS815Y9+Wzw_3#CJYrz2{PJmKLIb!IL@00wiK>RJR?C%v`5VwNyGp<$&C7g8Gb
z4^n<5pn#)x=0ViUQFwZ3**e}9O9m9a|BBMYv7Q&VPomA7&+0KhOHltqc5^8?MD9a2
ztXCYMC?~^8liM?60LU_bcI0%DR{326&8|0Bh|^@DmPZCWH7lzDs1B)RAzEdpfEh^}
z#+4-zT$eV!1ni(T7drYeQL?d*DJhX{g&r&+M#$|LxZp{*555gHJJm2@LJeP|!Op-%
zz_$_H)G--2Md|HF=)8~X2hu_<qvm9Sfs#9T7N{Q>X`wDMNbInUg8thaEl(wwC18qn
zjAlRrNNFXC=DVi&vj8<(V#01#Yr5@}W>8^eEZ?TnVzvO=Mhm^ZEN0p7Nq`^5h6E^V
zreM^}036Nk?G0cT08B^*sshtB&gWYHY6u5FjUuP*lns1zph=93?rni`pd;bSjjl34
zFCxL8ynU3hgJxb1xWRla8zTnq;YMa;hZHh@p&gj{3)jSkHH#BBAly`_(WqUMq^Aj#
zF)P;iOpdI-V+)qY)IDj#K0A5=c3dGke0S8b46(**!^p##tMJKi7$S%c)oiF2LdLse
z;U6;>o}{(23hmCUO5?r46V-_8CNA#~Z>{QklD>1*kd5UBzfE@g)>_`P01?oV&JZwk
zDP4iEhMb2Yr)-nsWoqE_<=mj_jiXGi-70iOwT6yyTiLoJ=UU|<{hZdCl<c8vCuxKz
z5uz$H<DToJ=z-S)5$p~O^AJGG2SjtV-oSF8#lLr~=%7f4@bKarV?oYaaf(TY*iY@<
z?G-*0W4}maXzuf4bl?K?+JBtL>1S6;;1ZNDTO;UcvX9r<4)R|-Oy9fPm_+-5JhA_!
zzXJ_MrRG}vOXI#tWDdt8)uy6gunbghvn0gTmNK>)9%J8t=2#j3`}MVBQ@BEA^BtSM
z{7O(_B1EKF<BOtj!_g0Z^708{I-THBM`NeMneBkOO|!+1(`5!S3qsN-ZS*3-Hi)r0
zQ`g;-Kf;*Z?f`7vDl-A<oz5s1r>Hvcru4^6-uH-2(3H?Px3`akSoOCzfZeK^wJ=xW
z6{K`~+<gmB#Aa^@se39x1L%b(Umc(7T<q~}znAGeSKn{_wj8u1d?@tM`e5+v++gvS
z%o8D4pPaT-{x$!TeZB4w651J@=;ZUy76~V~F#{SE=!df5$mt)yC%7{%vI`X102^bZ
zLEmN=eLJkC%A+hA_PN3H)O0MrY=ys*_v<FzixrEx>HFaU45M^$7f)zX-T-}W>f1mD
zAgk{15Sl^5{B<p0N?>`jv~$&T0e%VC<qNC-@|wVGAv93Ny)(Q$I?`B+asGSTGB$aY
zm~vxpPF53&)!ERjd@qH18X42>)cDb)6N1=$n^CUYUM{D_n734d>sDf2m&Eb?5&g?$
zU%w+9YiK?|hsM4x(v`d(e(vK$VgHB*p4*R>GrC2)VtrI`DRTt;*GdzBm)x7!A9!Hb
zEmL~vPIQrsTI~fU`GHU$Kdl^KDo~tUPTCjxO<N%H-}8xl427ir)VsIx8TtdcPa2Yn
znm{flL=V)JT7}vr-RJXY4s*}?t7%nQt1DBQ4~q8#UH~|7wpQ40?42d`C(rPEB-MX2
ztHrsN&NJ02l2?Dj9|jHt;5f=lL+q&pp1=RTMen9COCI#IVGp&A5<x8Pz4UZ$cx){<
zV`Rg?+?>veLl-kdD4|U=B734Go-hx17zgeA$1~Ka)zHe_6NG1i-noFMeVvo28(dLe
zt$y=9jjRSh)5j8Mv5HGq=sfwZ5a&Rqp?wOd`kr$H(StIZHskhpsxmT0o-MUkKu2J4
zw4r=6-GKCujoAsxaJAea2&D)qGN2O3jRDV!tE(AU4u(^@iilM3XQg~OSJ%qZ$<BIF
zi_P*h>ScP)+OO`=ce3YpD7}Atp_P5j71JnjHp>BSuFg=CvVv{J=}O`&S~M4rB{uKd
ze7LjjN^*gBx;3B~$kmmWaaHdPsaiB&v4BD*`1P;eNt1)&GAeh<kMdlv^CL<zvFvUB
zlZdb|WOS<g7RX-GZ)3=FYe<syTP6%BdhRoC-0J`llm(6OgpCD69>0)F`pzeCnoW85
zYzrY4<yjOCKmrU5NB}ndYbaHMY4?@FRk*iet9yHUyT1>o%H7+745+k*q@yYbNtBtw
zI2V;pQFw49wph<(*RLQ0e<gr*($pF&SXHoj?)8fz;d{aMT-L94JUG!{$bGa404(UU
zE3$)~!BagtutvGJW6-<6sz|{`4`X5`%kJyo(Koiw=XF2|$ac{ZC>C_pYc_Q<sUKPO
zw|lnh5Lcz$43+N=&KgG1KkO;Ef6ws|GbmBPY7|0=G>L%T6qE#UM5prhxu?mR{i=nB
zS1SR_y|XVwVMYlvh)^@ID@*#{wR~ox3^xPAlbu1mi+A%hBPD@UY0Co1B7ND521$DG
zxyuSUf9ZHed0;t{R$BS5G>x+pDzV$vpmER(aRWgp=8S;tJ=VBQX5VqT%f#VAz`gg9
zc5>8HALy@nu6@Kcoe)%LqPuvjZ?h_IRs6Yo5A;ulQ3;O*)+eebaHez%noaOdPVn{;
z(P(8*cN=H+llv#1?#Dw?YtU32*H#oGfY`SR)hkNX*qaCJmJE8xA`BrHmWGM;MdoZS
zK#nKh*bvTC!X;BBt_HSFMrq%20Hg65iG`i(;&|W}U$PY-;_#Ouq%heqHccg9Kg7U|
z&i1Ykz@Wf7I<o+$j%GT?;+nsUf@h>$VsWelubeKZDdGAHy#oUQgl71}N191=k1j_~
zqL$4%eF3D8W#5S@y*TfSywm4Uo3Rm;Dwe<IKt&!pPM0q?cEJEbW|PY)NyWZ&w)M&j
zUby(+@}7rUjIEyd*E*dJVH+o66%1J%kUUtjjxjr+lNvN&8v2~gEES<V-@1Unn772p
zUP;>89zX?jP8(jNJ%w8)q6RY>_rO~Qxz3X!LF&FCOC+QIDV+4`L2^g?X7lE7Lc;b1
z8Uz?S_yf7gcR&kWvEBoSK;N47&_O<J$+C?%dcf`j7u&C}VJ_b+6HUrUfqy+onxPh}
zKI{R)@d!tn0TX_%6i&bA7&qj3892-8^3^Mr-psHn?yYVo{W5M!72^Aa%7AsCY;6Q7
zX)<hd6{pkR3f9Z3v}ZL!Q7Mb%V0oNVI4yscITNHQghBS(`nP!>TkG(=QFqH*5%cPn
zfWP_!99!y$e5->aEMU+FEu1$i=V?~pPtM`}N=Rg!^a$Q%Tg{X5xsWm+DbUacTp*`3
z0KUmEi6oc3L?yq8zt9cW>gZm3Rs)~aZH*H?KlHH;3|ot!?*7)hxS9@hh8f&&B7VoX
z<jf!HiO%Aov=&T;!<?`b2h7i^W^!}=>LY=_AgcSoqv}@89CRYmspbO->SL)4&wLp+
z`~s1OE3}ThM-0L3u^{)Esdw=?o^bsK*Z%(2#c=m#@@!-2FU@@$+!?aK#-z30zh4mA
zp1V6|1~2urfetpLP2|REcr5{OG7JU(N{^=7xZD8u0*}Hz_3m^a-?%*jye%a^<$2jV
z0qWrT|3kY6p+1-1g4%8ydqJ48Tn-1!jaGa6TMHXNVJ;}Yh|TYSrR}!Hmix)lN(~U+
zjWT`&JRfo7v=iK@{I%UPvyZ5$Aoa>ls<8nlO0`p$CcrxmIj<8z<Qp^uBxJ_!r(f}3
zAvqy37d6!iwf_!BCS~Z4Vs(vx_uZHC!~cf20jXRB<_+un?-e2$7&nl~?DfM7u~hj3
z#4mPS44X`>-HYX^G{H`jHnLj1j<3U6zbL_uRtx!Bojg0|T>w)*3BXzz7|}!QN2%>T
z8(4eA72?+zL;#@WEG#+yM6H0?UXpdjuClW((9tV{eJ0Y<;k(_X@{35tz{61fckO)9
zJ}LH854I{>pnhd(4aVhu7eI$qqq@;??N{hU&#nbZ4-f)4Du1h7?KcUxi%!u)-_tmX
z@p1KU{*E(5dyrIG!?BIBJaMF%p*NN^QWyY~_a6=7-vbK>;N-&#(zyUhyrI#@K9JCl
z2)>}lKe6JqQ0>x}q0;&K6zO)8`b!l4mcJz#f9v{E&2UWl2Nl1f#C@I{s5!RJ_s6qY
zMK>qXT5zR07yN+81~cS#H}H@7zPM%8b@OL`3qB-&WP!b~zHjCViN}NU31U2f-ycCu
zmPIU4OQwVRj0LCj2A$F3iU6XoA9Y6h#U+=lED!+-F<NgmT6zReo1M+irJJ6!Yqu*1
z3v+Kjc>=s4g{(fie)2S^zv)L4xgEon0+I|l9Q|CN8>uVR&JalEIPGAZ?gv>f1QAGC
zcw(^fMU40Xz!!uX??6U@`w!5hSk9R@TCVB1n9tGh@n?gsZXJ5p<s}2W1<)C`WVc1S
zaP%Gx2JMF2&j=MZFZQX4$vxGm60`rVzSskj1T^23seB`3Kwwe_?o;f?3>%*p6c)GG
zZd}Jre1ptG)aTqPbufQ>?fP3K^J^5oGOaF_FItA{4`Fw)Z#2mf@GzUYuqDpdbj}v~
z5rT_)dyAWjtZ%dBWh?iJX?3}R>ba6t>i>miUu+HJ!y+byaswuzAXh*8kAz`ir80xj
zrx3vGf5Y;f+jrD=b|*J1&O!sz?^PHD1rM*p4bGFm<eDa4!UeA2d%(Y^19=xq)1wff
z@-c&%2o<x5FS83<pNx@t?)Omt<+8GVHktX--T*7S>~=&zImvf0(?~?{8j6NVAPM*>
zez^|ECfm%XOG(lCrCtGSQ7BOU0toc?I&;%<wUGgs`P&tjZox0GW|KQA?jAhMo=aoA
zT?qpo4BssNPYb|WZ)+im0R01?*cYtZ`UWZj#3U)XNar3$iNp${V2KNaM&J(^<&pjY
zvboyO&^tzWk}^uPz^q|vk4zdO6$%YY^^pmn;sr9e_KCa2(l70Dkr<~bu2L=wpMKk!
zjFz{L-JEG3r_5~)w9*T7HEx@iYi^<2`sYMMOo1d&?`f|p_01WJ1qHih3+{iYkC7U+
zfF_`-O3YiBrMh?MdaN|^O+oRUGz|ld7G!kY&qsEFbKQS^PK>~MZb{fA5LNftA-&3;
zF;YOKDxx`QPqRX-vim&gyj~<sNJ{PP$3I&0_}R<%CY9`F0d>|=$2m`G4b=6OG&ZAN
ze_Wnow|qda0Wh6R(LO9^E6)7Ch!4!&N$-^E_iw~S^zEA5n>>~t`Kf8XUKvKmhvsOo
zhWrW);x>3IT>(hR?rT6NDXR%U3sxN8fS$1N4N<pN7s}w;s~-TC`43~5@m-ev+c&nS
z=N6?lcT-?=k=*OTfX&S5e<(U8Jr?tgfbN)b^Y8tHaMtHGrk@7v6mrW`ZYs!3kB6zx
z>2J9bOs+EoP1fB3>V*gOisdYx=Fx1w5aeKCqw*wXH@_gF>9GLv2B7z}DudM-=r?@v
zZ5nWH123zT3s~QVRC3<T_rl}^f&Qb~#LW@HSUxmxL1iOgVbEE2xdaih%_fa4K{=Aj
z4Wr*sY?ZOnd6wbh-*s^Ffa$Q6+A|{;V=q9CW4+=T?dQ6FaP|uXo-3Zwg8sdc)y;l-
z>tx3t5Ha}*Fc?qlNC0||z2Sp^+*o)m81^nb1^|`1dT<_`S3BFe4~H%&Km*h=<Uq9^
zR_fkIx&s)MZ+X}w{0Dlv<Mz(xN$CX-d?f&0YHRQ>U!bGPt~g5PY2Lhb%9JQ*fl1*1
zi2*payA-Y~_;1rpvp<TI!1R&cXNSmW-xh$a*y>NGT<gFeC;hYs>?E0SqXC&^{`Y{A
zP&9yPvesN5Ngc`rgh-{z+?)Vpmg%SXh~Fj|x?#nP9SvM4W7pX}^cxc1A|&h?ACv2^
z#AjNYe>*A^r}5Id_t;c?xkZ30Yar72=R>SKHQ?CPk?w`GR(MKz8lGw%=E8%x`g!uQ
zu;_&+HgrO*X~U4e{ReaykF5o?4Xl9h>i@5ZeF}5nl@n2IkLP=~U<a-F!)6DClq}Nc
zf?CX<H6`SipbEsKkv=t@#MCS6B??V%7VoQY3+vgMF1rSR&R%Yxjm-`S53~j?_6<FS
zy^&+_kB$vhn$#e`P*VF>@|l|ZSCq;4#Ml;h?l^dj9LGyTDxjDLqGQLk7sI61XzGYU
ztb&R8Vu5>G0yEI12^bd*K94DCHW!iJ8`DHjz;XfopV2GylDXzRL#yelC847W3r*|I
zM;rza7-J@8Ln{~mwUILpUhV-=h>Mq(sX^Z)1i3QhciYEa8s9AwK*BMbtnLEwW<#ET
zBynuE+()Z(<Yyw8BP_``^okA(S9p39pf6r^$}YO@X#fz@D&!Jpf)U){e$V^7319~s
z-lLp4c-vxj`qJ-#!yrg_ge(%an>(*t^<m_r0rWxCyFcSB*mVv@ul62oZcVz`D<#sl
zQv!H;k$9oVTy^@?!Ot^*0-pZk5}tZwS_lk@0|pIzUbIe(u*P}-dKh5t-JjGWZ2r(#
z!M&^NPz3Bh$s*647K;U3xp(FMp`nRtx!bYxhupwEOyHt_$Nc2nI><K2aMcMA_~#E~
z_X`7rOtC{7L67FMKJ37U^q2<&c+u5uzr^17hwD5)G(^K`E01`q`Zjpi+2+dF$##l>
zC`TsdCuCk--P0=nolt47!JPmQ%Hd4tGV5n+W4H^_?&UFuGnEK|(R3bUwlzA)Ech2q
zTPF2Hs<m|$s?$|QIHvE@{k9wbb!NUX?V|8LYyi{j$!eT3+S|AQQ~)`db}vunSC%=u
zC3ql7IB=%sxcz{tOiHdYr#9@z&d#0K(9y(&G004^iW~amcsmS`Kx?u9MCsx$Yt6Nh
zz0<(l8hFb_nFljhmw*2NV^S>+1(M=cAI4yIyc+wfC5Y-xPX!<>f`EpDOgE7yhXq65
zEEjA+LahIWuq|yj#zmH|0GAyX#S~W*K=$`Do>I*&TG`+28Ld40kQWgl(W=UT!IBu=
zFtx7C>4SP(^131jjo~NKCt&=oU@f+;WoK8!j~G#;cPc2yLk_w-(+R=Z)b<lduYV!~
z*jt!*wiQhBW5&Nrqe97kZkvBvz_v~b{*EZiT4(8nO5ytE{6D6?GODUJT6Y7|DV<Uh
z(gM=mozmUi-QA_qAsr&!CH+y-4Fb~L-Ed#;8E1_16Mk&iYrQe&6Z27r$%QT?!>Oiy
z%E<`O%w%vKLdV#mR~Q>ZE7zU)YmeYJXWP+p)iMC)6QyZ{{Z^v`IQe@Ub51~C@p)tZ
zOBZT(q+)?Zj1qrVCH&;?&-8C^tp|5t|K6p1(dkNE=H{EU++srmUIHTkGR79AEV4X+
zp#-)oUWskD25FZh*%4xOK&p^Z$)mU<S9!Ik89oj_|AlH`v%~=HlJ9-SxIn24s9b)}
zTq8ZzT~Y)4B*moRf8D~p71N@Vznhgg@MFsXfe)0o>%cAuUy<>qJ*aUsrhR&&)8&-J
z8|9B>{H;xcHSVabIA9RU|CT%^EL%KnJr_?qy#0fP#0obCt)}ojfMU3>&eVOgyFdve
zDsb39TjRw>6zT3nbADxmN*tU8TU9K`LvdzNM?FCZ`8aN4NAHeSr-nDAV^aD-hG{zM
zAq&kopKy-lcU!+?nXtqHTmw=IkbEox;xLCYhW-(az|coQM*GcTya2%$SKLquTX>uT
zG35^OtrzhALIR}Gctc`+&Woj*)VxJ9re3?D%`@^3J%$f1$FO61z7HyBK{7@8#*4OK
z7Jm#7QE3;B0tTvd@yG)}blmMFq(BP<9#TNsr&F#~1^&QE+Su90UBSeLc93~`Ihyd;
z?D`1-xN$+@eP8bZo8hJ{4Q>li%~E+NjI(#@JV!Vf_0HMsbb5Jn)%w|aMB`pHc<1PM
z5Q?=o2Bh@_EO|DdG(bO!6B(KSv9qoK>%;~gC`CvBG!2!fJVjFhCzLM}_OLiQiL3Za
z`(<7{JZ>d^>o?t9WvXao4Ir?XII8Xj&D9<O#SUDyJGVF%fMAimyq&eK32bZSSzF(U
zlql$5l#U4rfs0cY&;KhG{8va$4mt{sa{X<Mm;^NjUR8iea$tdi=*uqw(8`=s5l&B3
zYuc}(uJ<4BF1Hf(RJ3*fyT?Gw`vC<H7|YCLO!Gt*k3Q37ey786(G-_m2OAvhHIO!+
zASIQ;3lWKFcWAos{ZxCy>jlemqcsd9$?2D>Yy#E>GU<&k=<RS0#=|#6kgebA-C-d)
z;85RpdGQr|CW9|*_Pq=byW5HRgH1<<yLTUuWi-;%X0`MSKPJE``QT8$lSD4FvJAmH
z`#qa3Fn_BvAADg_6NLgJam$+m(=_?JaB>STip{vVpgy9Z5ki|u)#rdJk6NA=!4ZuX
zK!RjMYo`Z4Hz)hnaXV}N9fii)M1eP_6J7&BtaLd4<dF^?KkO0<hzSXY@vuB<%^pWn
zaZ5G+VHHPO%OAeXXM!1XN_8^!;PSdrcsl+khs?R%ov3-tYRB&a;w?VZSax}q4@(~I
zxgcQS>B8i4{#)aJH1D0awJ}P@9$j{R36_lCyPO)yL=6MoVyOW=shiDqfyB11mAS4g
zJ=n10PemnQhNl^=IH>4>*riy}I%|h6lEmk9qG*-pchX=_wmg5uH#{Te$msYI{Y<mv
zRxA{uQM#7J+S(Yo@V{8auimjFKH_(60Kt<Z)=MQ+b1q`9#X_C2uSv4u%&BpkmHb?l
zMX&ZZ=CqiEooEP{U;q!pe#xmx1jKGhrPrCI%cpOHDMhM&IT2t^240RPiZWymxL%B4
zWw`1>RptE&n3lVFdu9QK2xP5rc5Nu?7EMx27k<P~d&EtpMI(mgBdNCrP(!@LHPXWJ
zAb4pby9TFgcclXkrYn~>&c&b4N7yShz9`tqXnyiN2bQJTL*|;pF1^aXo(h_tzqgEm
zyb5^641q|EI(=w<!%K?YVhr99Ji7=*zO5_nfV$MKNo838J(OzDGhYi1DxOnZ>=#Bv
z46u658O_;uSQoRyy?sZk#()J>T1B=)uRHz;ic*E<b*n8d%%K759t|14%J|m;j=sCO
ze%8S23t&r>%X<I*jfV#<hHf+t?TLL+y^s?vtc+|74iY1_N2<~?qJ8%YIYw|;D83WH
z{Y$e0HR4+eHu8N=pNh)xk*(3p+mp82Wxuh-$Ai%(*OOBTOHC9AmgKz26S^Df3pZX>
zhxu3!a@JS&Tl&=T(Yv>9R*Qx2Yfa6o+1~wi-Kztm3!Pn@9WI1*938RkeC)RMb%j~O
zkhs=5>TWG;QsW|3&czGN?%L7e^We1JB=)Wb5M&FTi`VH)*3}s;iYLp2$nFaYyT;Q_
zV?v%_P#iRySlT#UIqx``RLnXmYuniKF<BWc!v`bM{VD;CwLa!&&_U`WG~bwrz?vSL
zA4YulP^N-Hx@CQZbW^_;r-*>8p}#&+Q}PSMlvF1+)~T@`JZi_jQ{i<(cCuu*VD@&o
zD90-q^I3mB2zhDP5GS^p|A}&}oswtFy?HN0;tGb^EtYuQP|$XtUT!s-ZLiv?d=AyE
zzd-7Ia*D1z9<H<1x0(J-W%PSQl|jn|wn9C2`&q|ZWni|td-8sm8RYjMXMxOwz@Nz%
ztS=EfzO&6@wa5X!S9k94K<>Voqs6$t@~MV*b*f?h&hEy_Z@5&K>EEONmgGLh@ZW!y
zKju6M9DGHfdW!DP<E;LBE~&w@Txu7EO&R&*8zuSI`7$zIJ*b*KLCOx|2!_V#y;_fC
zOwFv(Z0kCs5!O&C(3h;BYr+f;Cy(`=^ZV5$J?#_aV8F#K4{RSw3)Y1pEwJTE;)J8P
zj^bK}uD|^_qT~D3uI+@%GUD5isjpTQ!jih1ylV1o9iDI&-(la^#O$ogv$;ALkR~(L
zXlC`Nfljo@xh3vG?}Y!%WVz}@xBZ?Yh|Z{{C*D?TF-oNm3)ib1Ju+7!5$C_3?7Hrx
zNhkUjub59yy;dtG$l2pCeJ)3)qwSZyC>$v!YJ_Mlf<{9bHoEN}vh$+1b@AB>IqY;&
zq-T4oLgt4J4}2S<iQRE^`9G!+yXQMzws>Hyz`bOWk&S#G&REIx_D>P%yleY3Z%*$;
zK4tk8fxw-4`r$5T;LTbB7!T@V9uN>h`pfrw-yOoxb4u6O892yzP(J;Oz36V^Hj1~%
z=~EA_hR;VK{4XhVHBMc`Lh4QC!T=*mFT(wOI`D1_ETX9Q4iyZefF{LO?f*15=iaN&
z9Fi_@%McMSI4hp?06XKSVc^VDD4#^b!u3t`L~+sO?(Ht$uj>xjf6uGkMBLl;r%(r9
zI5Wi+dZZzET*N##>_N>caX;@Dn#&8aA4oo)vjD=x=pqd+mPGyW)j#FIZp;d|qBU5X
zvEO5S3`diFiG?>Mca3(=p{?&XD(BfbDr~OsaZfD1E}Lkutg88U<MW^N;HSh=EW-24
z*hB^$5BZ$K)FD$863q~+#Ez%(c@Am`(G~SFuN@o&j5ro1A5(3jS7s&T=Dnopj1r9q
zqNlY{Uc0S76-{K?QUUUI5DcURfo85)KBh)E{ydV$cPyS){)KxS4REwBK{b$e9u3p=
zBXzBfvC_|k)bfJetrbm}AFjci*mL=+pK^q%uY#P$8V;>PtHVqe>PpFhN>aQ5mP)M;
z9U;L5T&_omK4|<q<papZYJ?y%4|Jmi9`iC_n|QXG=_ZPbB}IQsOaL0HkT)cl2AuSx
zXQ#Tr5`lGpvEa1m_hm8$ua1?k@|Stn*~+h5yraCZFz8znKh$rHUJnd`APKq7?v|f|
z(xgU-Zf~ZTcoqGJLRc+<pueUk%4}vi84E3@jSUs~`GJlMwwvi{N;X{1>QwX(e4K`i
zijD0<bjU{``PhPZYmvE70t_2_>VeyH&k$1Ig@lNO)=Q=?fm}Un7)V?Vdvw6VGl*+4
zfai)T<hVm*fDVU>B~qsuX85sm``2P*Trw(BY9T_u@C!_Uf}KKQ_^V&(0+z)u{KsMC
zl`UAI%qp20f9VKU(#!S$E`S@FOm})*&u+J5mGA$_gKls8T<D5u5#kR|x~kMcP?I1#
zuTSG`HyiBkYOA;N>a6a)iPghNdE>M#q03X|(DZv`Jh#@|)Re&|fzP~P$&N|SCr%xC
zjJtwhp^Og3N3D-4bv^o&uN``SW;{;AVZ(ZlAqfe0%-+n=oQ)qLA+oz+pN{14E#onq
ze9Y@BDFxK9hKD54@{{d#ac1o6EXf+wx3<#~=)iAXSdYZGo-6FX(j?pd>Tr9UQ*}YF
zsghQ|S@#%a-XvtP9^5T4HfTr88))M7JiGG?UTxc|HTruxdf)0*`r0<xcG)FLEyrJ6
z)y&D3Sm$okhGGx{zFVEuBgqZ1e<6B3;T&VnM9{3&pK8wx=boINc6fhZUT@L_ewYmr
z7dGyYNA=CysJOcF#?ZXCgt)z5YT&tidsK7Ae&-Ct$DD*D+9ArL+OPNwNHp;tEx!se
zAL}-#=!0pWBB}1%Q)c6tDoVG<Kc01eJ<tiiEwgEWK3bZgl$}|<gBMe3>$8T2rWC@q
zP=m_OnCp3!{RMZ?R&gR%ClP*Z?sK=r@1|1;HL3iK?Gu!cqM^%V51Ou^)g5lv&$yJs
zEkqwE9Tm?*LPJPbY)&SA9~(F0gr(tA)k*oPJ3W+{t(jFn_`Ppq_If$E!gbAeR(G#3
ze}c2vWq&VMu@T+hTRGZ%J}3fMLSlH)eZ`Zsm!nP}H41zpkl+gT3i3aHwy#dQg+h!r
z`^d>zpcCN?j{Nt-i&#WRfTW3ixu*p^pg1Fr#UD-j#g-2G%KapmfL)^gzmy4!wVP-j
zq><{p@IJDwjr5AAmB}a~mjjaEu3k;x?WzH;gqaPl-THr>h)UmgZXZXXVp{d$(A~en
z?6!6BXJ_~r`*RnO{sCAog6mK-?|AFc5(fyg*T=McIo?kqrRhRgknc*}<DiL`=Z4p4
zRI4`(LSt5R1-fX`o1S4~Q-%!x)>jEUZXEbu5UeKf=VI+l6lfI~mmB;cmvy7?wFjX3
z#N(r0Rts6uA5+#ewg&FiD~?#Vdk}=A)$zgubX_22;9Kul@H-Ovv)-mk0;bxm_BFn`
z*Osm>eYK%u<KboTcZi{xTh5cuEVs8+wcp!JWnw1xh9tQH_LKc5**P_;4b72TJ>=T%
zmU&lMZb<w9rkK#|`;1B$hntRaFi$53o{8n9+J}&n8#m<Fv=5St9$QYqYs<^J-CG~8
z2|hL#>sL6A&6wxR;y(Sp=Bz(%P@DJPi&46}<Qye_o!3M~v7KywqoeN5de`lenqHPU
zfE~D_3f0vqWMOhGz?+;FqFy#DMU#k44GDle@iju3g!>EpF({gvIBfe)%=^sOeM;i2
zS?lifXluf8#qHSNn;9f{M7|e-kntN_;`gF3sI88S1|D&YyeDtpy$zYt6|Q1R#^*0o
zZ`Ho}+kxEIuqczXgH)M~ADdW!1FrNdqSlDST}%%XoDqldu52}Yj=@i&NO3taquL!W
zgy7VguW^FVCL<LqSpIkWJl)@Te-~c+x|jGSMnEX6mZ{!GD?HxrH^`C*>Fyjzw19fz
z+k8(m?nU*jl}TkVXtV9%K)m7aUFg~$TO3>&*m(ss>Jrf%pD^21pPal+w1cth4@!uM
z6;+65{MGfJooJX^(7}_538)d`L{F8RfiA>{=)&pJB$SRX7`dT%Q)KH0HFM}8o<T`j
zOW=poK0F@526&u2PUTe*33nroI%WiDWiit8ysmDAvb9cJ-TTu-D0)Iul$>+`0Qd8q
zN(?&rq^)CH-?vZmXV=K0R+YJuCDEYZqn9^lfss5i8}F7J$(njU3GMmNgADgn&G}V^
zB2a|9KzrNw>Qp(s@|fOy->K&G%w*2CC2Am91F==z8Dz>H<TSF|eQ7NwPS);ikMJkv
zUmu!G9B=k}{Vp)C-x|txtdm@90&r(Pf6>huZf0;1e$CYv6)YVx+!LCAuk&dB<d)(U
z!_3<3@ag5Q!KzsQ(X(%yjCS?m+{1+W$)JGFk+P%!CwpE3|7i^j?_UGOjS#8fbO|)X
zA$MYDo5X6dzED`vbT=r%m)Du}y&d!ntRswR$b)ZpR_Um~(n{LLQ{n)|_B67DyO!(j
zIyN-YfZyO!cuTbpFGsAFaNdhbPeepgVZ73~#GvUP<<Vi3mN~Tlx0J#peCFl7Ucmi>
zjkep8+|Y(X7B3ge5OIwJ%xc`qz?dI;B7eLHQ-P@y4NpCj>@6A&ZQASQfxs_ste$YY
zCT`CoM8zEVJ)b+_LN?v99gE=%1+E2u?cVit4YHE4&b9v*cR~HDVvzJ9b@+$MM|8%F
zBmg(FCefM`mzl=FsoVV;dooMih*7cH95<O$-#OBp|D-jvGdQTJn_1B_&m24b_(-G{
z&-3Edbl4t-oO=D?WwwiKy4+BNFAb_jrYP709n}Hp%I$U(oa2OV>IBYJp@a|&JyuPA
zbgwMG=x%kFca8_KoJWlxbHby+TqxKL*It}9=4>;)ftNgYOBm(z{l-F-%Gty?;Bh;O
z?a}s17aURm@}NSPFpK<;dyZC2J=6F1EOCgIPpS>?soEudZxwLTxoY2eIWJLv6t=ON
zbAsVK?buvx(6hXV(mMksGRl)tl|Y&_qKpfy*X4q8sjt1Y8naNHL?5m43>UH~sA=ln
zF$1Iizh<iE(999Ko4N*!4P&k%0Zm?>e9RUvdk>{?v(qk#hQqJ*4AZMEQhW{k^rgNO
z>g$-PW?^N*S$gBoJkN9O9&$N8DK4q{{Z#`>vX`lRFKpf?Yh8*DmbOcN31Ih4RVx^|
zI~>{1d_3JHRVd&%bcKq6yTespwhcxkrBsJAhZ?8Gf9ewLf7fL<?iWZhCBfSV5u!@W
zLpWo9irSl*4O|hD+@HS=oDR&l>NU1CnBK0_^}9_R-{Z99ocxHm@?bqr+x5cOE|=69
z1g3%8qY>lWpew}B@wIa-)8=526#T0|a2YyBK-W=TF-pKu4M*8gmY(}9;JHyJHrqET
zMP9br%j*EiQA8yFu5|$SM9@2DOM#sVM3sSU_hq0j1=O9`OqPnJm}5zFJ7RyA8y6O6
zKcuY+bbDT2qSLUdge5r8CS*TsKGUV)F$<oJF(+v_h@7FvPI&11qR7g!{Ztzpcp_k=
z)t~t|d3fsE>-oeG2&VirzwYtR+qbVzs=mIl4GL+enl0NZ@IMw|uQZ6gFpF(-K|_r(
zx(U8)K5nV9NsQ^_Rwi>Dz5b#6i8P|=R(h80=d4JXeP)aA^Cum3*L?9rOo@B6U8eTJ
z!@%R#`}dfZ40gV9EaXG{n1%t5M;IY&5tq0=ESps>5Dg3w)gd@Yicn!#7=ZwKKj9M*
z@JZ-tC|z^1z!~vA5m%RMF$#h|^1`6u|JNAZ{KYRm0re5?s{Hpat5JE;=`PKNb2!0g
zf8sca81NDLoD$~EYAjR|hW8JLPwiI}q$2rFLuS2-l!udTHdLVcEuD0w>h4z7<>LFY
zVYU1{Ac-y-cBIIV3~BI+jx9_iydn-3P<SSQTK&whD<USwAkdL_cQ3hih}VDEM9$~+
zuB)Krh0hPSE8@$Z*Z{5SR63#BrE0si07w9rj51b$o7I(y@78QThg-T`-t0Dcz1wfX
z59NyI?;)lUuAVJW6~`Ty&Sc$d$aJ{>IV=&4?b@}uM+U0S-h|WD_(NhL0}AI~LB%wy
zq1bD%*jk;1Fm@fR<tZb=w=`D-wK|-*$R*g2&(QWnW%zkUnQqHCe#^aqIFWzn`Tn&5
zyUP>fwZrk9l(Po->9GOk4Y?YrGQ~z#@4>nAP2qW2sgyk}eaOqz%QNHo%~WvLn$!-{
zmEq`4=70bF{Giqog(>dhytkm*uI}sYc=(r>=gMgs2jOQ>laTNS1WzV@M-C_Ca^f)E
zc$o^}0%<?gG<&F&;Vtlq)zvJ$V-nI#7B(`eBY+^L;*pTIjm^kK|N8IQZ4zZjm9h$4
z>@*g9Mx>F!8JFG%3z%tLZX2nkreTP<0_IeMRI_#mDI&qg|A?<tyg9T|R5Rc<WrrSz
z!T_o33)F1-xl5v}-_5NFdbQuUU$OktH=__;)C)gjV|G`fdc9R>WMaslv}|`Qm7o}*
z3Pj2S!sV}1hh{9Z9lDh!1jMRH5FVIUT&BIQ(dlqJsGpw$K2)uSlT8}c1!kzHm@o4S
zUM05hic-=^h)>@TVSacR+Gd?&vUWJ59SQxf`L-*;{5vNmNrebgs?+g*hSB(WdPkcP
z>$igA)u(5a_1a%cJXU9EM43XBKhkB?>r|DIOi~<Z9murJ%}37txrl7V^COSarKa>?
zB9cjUE|wC8&(Ht-%lk2C-a*v!5bGzWlngop!^q&KvFM3zV>8#%7tRF6F$E6n!PF3y
zK4+EM=ET3`%yqdcR$SgwiFR$LF6$Sv!GiDieon}=<+dXvPe4Vc7|MS5@mus)*6ZE6
zTRIorGgc8e3@YU{$P>F8utL}vgnh4fbXrjsDpk2>C}K5=)3cqiR1i6H%RXAKeWpWY
zDtdiG&S{sf0%5^T(*ftS!s(&InS*BifiKB+GtM4)>M&Pp0VfE<7}l-aHe-?hQ}yZz
z-6Kc7yXvMV|NNYe0AAvc*K5L_9+NM_W_&F?JwN0E(HL88rw*5OG}AsF%-q7v{jV0F
zEhF}!Lp@x~8V+rBI9oJf<Mbt4);1Mdd6!kj8({#NG4Sa;N7TiI8}@QhwM_!*PZM2?
zO@pu4zz=|glT%Qn?BRbRCs!7ehzcAMDFqp)K@APuAY=ZK*jU)3zG>?9i5nDzy*K=~
z+`h|+OSh}*q!{-#I_4;jL<<NEl7-4VFaa_n(io0-mKd)I|H{3{?oVvK{w{bvESFU-
zKvt1{&o*`HboLK6(DP9nFnj|oACy^KvJ}d0NX;^-3GF*ZwVONner8pg4su6?Kl{V}
zt-IZx`B~zis=Ix#ago<_23xMhtX%u=66RmIOI-n2$CcPf+>$TH$@|@rh$48;G0dqz
zT@jL=o|W1pNmM}%S-ZN&b3NLX=yPt_UoBvr-pQuA6UFXB;$`)*o>p{+E)2bwWoEVe
ztF>Z$22s9$hIjH?%?vt6z~R#QAhZ{l+j=ZuUZ9(0N2@m#MTc`S@k3wvpcQxITaRd-
z(Z}W-|Nbyp<`$P#JjE)Z_MHGeONe0T+#oCFL!t)!j_gPjk}{(KtW?)HkqYU19&K?D
zq~!U`5o*%*pweLc=jy}1Qeer4{`TF&zQ3D<_LEw1$)8a64PHa7^lxLH#P|Jc@Z&o6
z*_HHzx|{-LLz5UlZ)$RH5U!}lot#!Nen}u}#X<$r+@()X-KkVi6Nk-g^%jTLBv7ae
z-vLzb2RN9OLGZa+C=y25lu}dCnZ96k173p-_L`s28`W2?zQ&c?3F|z&;i-Qu-ilog
zFy0j0dbGI;o9EUyw?V%`#4%c$1q)%BU+B`Y*1t~T{y^cPxz5toNlye<CnnfO4aV<&
zr~DRAR~buU{dN|QMwc8esrb}#JD3`g@Z93|N;0nhX8n{jFR@YniUvXNExMIGx18~L
zrY}OPFGlc&AYv>`BNXC=qbU5G;loxx+_QoYI=^w(S^G@6dZ4I%yNcdXv)!$qgaTi=
zjr?aQ(V*mFn#EApd;*Y^&_r^}A5QqR*7uWXLV7V(g!Q|O^^Y7l!uY33>du#i!CV@Q
zEAr?K0|rR0Z@TWk!c(>C<OC++&V5Ee&#dwtKy=+=>ioxEL8Ap)qb!@I)w2gXTF~W&
zMhxVt*i2Xpm*Hd_f;|u>5+9e$9Uq_a@A$AzzMRZ=LewqW9-mr02MBS7`*NU6Q8#zV
zC&fy_4sk~Sk;$dIMHdDygTOns6FiT10$z$}yvTr|kOR%slp56QGH)dH@%*8RzELFf
zl1CSUVQu|V0NwMG18ambbOp#3o(;?o#5zY>7YI*JC#IKmAwFUp+P4&EqOk$pm#tm$
zf+l@UE&IQs-rU^zVym%FkSsXO66Yo8tC&P7fLX{H7{b#uKl#6`zj-5pfk`MYRw(0u
znS_%6UVZaxeeWu~uHyQ$Oz8CPsSsKhR@!@5MD(CH)&lLVpN-c^8RJ+_{#;>;@Y~=u
z7U-2F9p_Nye+Eeol>T|ESYpvV^Y!8BU!btz^tY<(*7_KG+s@R>n?gAS@*oB<5#Nv@
zC(t-APos`Ij66^6VoC)Z>N|WL9MCqyBWx3k9k&9Y9-P@F-F9y2fcEJgNx9ljY54iP
zdLLHf*k=aNww}jXc!5xffGplPbkzI@-MGP1+DHwCYp3c>LkH=vB53U8s%fNfE#}_m
z+a>=R*m%E{3G0TLD%G@hIBXj)Qj8#*X&i8_wKyLwz2}Dk&|gY<M-M4769!2|zI2E&
zL)vVxuh-NVTxh5m2>+A$`zRT>2kQZQLhk%p7g=U682<ykIp??NE}S+L>e~t@CQKj0
zQOS4%xKP}$b?Bm7JF65Iw=_^5p+$B-=XIl=Y2iX)T#62jXc%9{oLl6^X9(z-f971h
zyPIr&=DBEIaN1tTHC>^aw`=eF&uSnlUj49gz*mg74w2dv+gZqt;Zs*DqsC!$QUC;(
z1`qNJ8VSEQwORPEVcBPIV9Kjvf3Cx~SZ}sL$DS3eCBK92F?H#GtO<;dU-$BArdd=Q
zDKT+hy_W^I<CPNyueQ}!^l$Fc8gF4GI5D0lhw@NFuJSVK&ys}d1K%T{f&XW!Qq77w
zzFab%I7Mqin?ctr%;1#^wyT-+fW@lb$ho6{n$)PbaS3o@Ip>0fM=tBvtZD05XzNbf
zIPQ(OPXaY>{o2%|*@!T33i8J^%Dm25@vWfj$d122S(DNIwV^~>o0EwZl2}=fmWdS=
z|G?rXwDsb86!aaNHc9j|tid<j8%;8yhX9r{eI(7wufJR@w3Tp`Ev}O51MQ*xlhVHS
zbdiungsJ4=ZT-%fk6*HgTcs!`B1-I^u~?RTM+*+Nz4PO-yB2?g50Nd_+D&pSWHYSk
za_`pe3nn$0#Db0!hF~Etfzx5VFduY&gM8&v7z&Vh_LiHZ!qe5Oc~V^56;wuag5zAJ
zuO6iv++G)QdrmVynVkJ|h)Tx1K6>>_zw>z*I1N#kwjI%blWaX0y+IgB?BZi3qQ18f
zG)0w_##$NF%}+KJ@^|%kW8%C7k|oIZ#hHLOp>$=NDzcSbo5Q|yv~Zs$DmJ#rDI}jE
zZINQMvG?Og!UMl{!tvdpR-Ywkt~^R}3~G|Pw-xq52-?11|2x3PYQkuM>-VQ{p}2Tz
zjgO@7lG;c*r<3Zet8Gxjq=wz&n3FllCJGj%b`AUWe_4-0iwN@<xA@Lfy_pY`Ki{fv
z3mOL_hD*LTygym@Op@u9_{GC(Ysf!A`mH#M5#qdC`)M!Ybis$TL1LKGuVb*jFW@*O
z6A}0I&n)sD-s`UxJMQZ1OQsiqoaY<2Q@I{=ewS2yp0u8nX{&gdvOh*%<3w3iaK%ZZ
zI7UnEGF%G+h?9W#fnwFEyK?@6AXrb^b^1B-!@MfZxf5^hYL6dKNFAoGHh;`&7b`xn
zs>KLKZcO;ElsQ@}3Id_yz)+q3j7@{YEm;wvOi`AsWM`4{{jwCVqsPV@<N7YRsJwer
z;mz?>=&q{T`%rVHxT=B3KM@{6g1PFy`Z}B0sVj7y7ct(FBkh^7F0@qI6f?X)0JcrQ
zS&sJgYt6{rA%jL`XI}lG$PUxZ1mnv*25d}m-|8C^a_F_bGO`fTg)#M2+;R^ISvm*{
zjAJ#Yt-j}BrO%*g{)Hf0wcn{<|MN!WtH*FLRSUzl?;(SgU~1zlT$4^xWy_bK-rIv{
zR^y@{3?=onRpb9nPm<B44pY*NX}~ChTjc3s;6t>UUe`{*sc&P+`ofq%S|)vDoZ58Z
zbGR$1#cg+lZu3)g#w^lAqggsTK<zOVh!_868U)x%nHEOB2p$;$i<g*qQOA-jQ-tc{
zgDPN*R_dDIBbiO`(BzWcdtYUaM&23<QfOqa<Q|3@Fu{JRduvsSsxkqSpR$f?s6}Rg
zX3Co0!C^7;<xjePJx_DMr)V6f|G<5!?YdGZ+ZP72LbWq8UN4buC?*DV*MZJ?7j(QS
z)_J6Y0x@MpY32Isw>ALasF^aYND5ezSbtc>@0Z4V%^}`A?RGI!!1ShWpu~QAYi?ES
zh#JIu>-PaLTm{r5vp8YmP{?oF*Ph>U&yPn5iP5LvfGkx)V$8m?95mI2NoT%xR)gQm
zi$fV<b>iE%qiq8FND`ocf8y9h0ZFA=o$S(_Fhxp(`1g8@@ke{|fbaw0c1*b4eBU^7
z3DRTJRbhOY00I}1uWsxa%3k!3r_PW)XwS$WID=nNscXKeOgPISF`!Gmz9K4H<cgw+
zO%_zd)S)K--tE_@y{}N33;SR~Wcm<Q1t9R$D#7=WBt>1zqxBr=Ul1eToZTj{+y#+r
zrm-(2K|{iH?KR{5mnz#JuBV?T_cTtIi&9+)?yCH29A@j^(>17*Dt~&d<pL+-&{Z4H
z(SWG$qJjf5A)|cgAx6EW94>KWT@j);F2+9qL3>pFd~?Pm-Je2lDY?W*FK>j)dE+bl
z>vQmSs^|R!4ET^@nJ_*AfgDh4I(i2Lv^Fx2Pg_8-AJ%^bY*W!bK78X%Vg8qQ>W~tQ
zKF=s)t<Wer!L<-}^>-As*X4Wi`+*Z2&GfL0oEWePc7b@L?HV8a@Mr*!f^wo0CpsY3
z9uXFnu1x=uh=OVIxqiPTENVKw0P_#($8+ew@;l#*Gg34NbO<G?|C;BDKF0@G2y0l6
zqf3lTh0(xEgr-jBbYqy)<B`LPkK{my{X<`;@(RU_6XRf>NzdK@c?4BvirdIc+kHPx
zsLXY0t=q0138fR95jIw!Qe;_HAN<yPvE44CIQ8M5ahyMtJP`Gn*;30Lb!KshY^Vq;
zQo`-#iXKh@#%#9!lYU{hnkCJfIItq_o7tsyouvXjpzjikzvr%2^M{6umt>dzSu)ra
z_#w8HnmCm+M@D-&rJ}SGn>)iyiG5iMy(MHI_WJsU4102F4=GD_=h-9BHzmcK;lA!u
z9iIL~C)f3W#KIyS+ws=FFH?Ge?1nRC9aZ`xSZZ`My3>TU`wb=Kh$d8EL5KjPT80Ty
z4U0m@cHn<NaQfV9wOT6&jqWbG2|!dpWlkX{f3Exzfk=7C>NaNe?341k!lO#{nX`2z
zPo~$5=du7HmudoGQu{iw{!u6NoW7bZ8bNH_3y<vJxJ^knv(hkRsX~qysz_z*TZ;jV
z<84rte($U5o!Q(63JT+UCo%pk7j2@aU*7IN2lv~bOEt&Bo+aN+mrqOR6}^^d$aCv*
zUBy-YSw>QZWMok)e_=PLBNyZQDI0TmV+tKHB0_0ZQdMSj53fAa6u8BU&jcw-mVpKE
z&qm2=!v4$^tv)-=>UC9$6-~gzGvX-EzcE8_Vn|2GA11sbztD{_!+xSp`$B*KkAN7(
zaTnymtrfru8AQ!xXUpQeseDF<+MBBhKCjdiLosO7OOT<W{tC$OIv-I^(1n&1Tv~o^
zk}CfF6rbf9`ZW>l@MnYrw3qY`pAJ+m<QW(qv&8Ne(T8_UGuDjY)G)gX6-~ccx9gx2
zH;d|VSoK+=Sq<3kCvqqCl>)#q%E4vW<XD+lO;+>io+v<yJvRu1rsIjYyf3tV!equs
zc6Mv=Wi_f`d{HTU!q3~9mD4V4C3}J^#vI?K$5Ik9rdE()m~+~Hr40Il{bK(?NjC3`
z(?SIvAjH>aiO${A<p!NBa8oMVC06s=+%m)Ig_xq!C)PE@bgsBUeL=B?PedN5P&;1@
z6<C*j-z3KbafD;xRC+aXjm<DA$w?d@%Ha8gM0gzSx9HxU?aipY5Txq!cnP}QySs2`
z!@SScPFfLiEk1;(?5Fi#<LsN<Iy0D$>Aq!POOn(6?Zi-<T7>G3{B^|_ILdo61!CRV
zGe+(mn`XZ&)0&Ejm!+{@enz?#9{$gYX2RO2f2%)@DE+>sn#E*jxhnlyRuwFk{p%G4
z07(m9Y{WTL*Qh)9J?oGhA2TpY<n%bbk>^JeR(p;9f^%YHDlw#u#F0%=kDM)a^o5B`
z8u2;s6e?xRE>5Dr>^OxBw^VO<DhcDm+X9omheNq+e-V#>WsG30jQ5(UtA&Uz@m6-M
z<cT};g>v<*v7RVDyquu|sSsp!Mb}2c@WAGruGNypM%o;a=7&3;&?s5@L(ARn0NG{g
zFf9A*iO|EjoVE{70$?T}w2HQA`Wu`p=mTA#dY71qu-z1FD#$(Q6e;6&J<2NpNI`1V
zU<jTCQM=F9w@*Vc)pjqpXq=~aXKI@p>~?8hB(AI1W&ItD{Eok^MgbB(xw%AA>YYYH
z%m5-_JDHS989s{Th%f|OGsoxty`=bYr>f#;C^h)LaXk;)R!pW_5;oNRwL}SV()f3i
zUuQ08gi&7it2^`uM&v3_Z&)~7ojWj7D7Bwdj2TX3R@?Ke{8+mO5#S?ZV?Xs!i+{CT
zdG#!6f{^<gBM>{{^?6ie5|!MYj*Gt|=BN6h9wst2Nzx9**c%X?nQ&yA97~|htBU(d
zD6esLr3H!nx$fOH_xWl6y;#_-SgsNWQTZ#y&tE2|g5HYHRT>sD7-s{_qt%V9l4Y|~
zeiQLxRS{tWEG{ozp#LkDx6RteD^kCP&RSSW1$V_7IGO&zLbE}Ik;Y*pAX2fQQobg$
zep&$)8e_%>RZP2-yeHHGW@sL}5cd2K^#Y0>Lp%yu>icm;g{wZ&Jo5$H<GlG(`xXU&
zx({_&JC85Li{I=YHvTm}N-Ajm{_0Ia`4xIbB^M@mRMjvTv0s!uS5c1$Q$6MP3@jvk
z4_c|L0dQ7P;Iw{dK<TU`;ocu2z1&2K#T&C1UsP#H<9S2@=-^)Ie2&B{=L5;Kb)Ns>
zr(fQeP*xV7<G7OR6uZ&Wf^yYMEPA01gU(tK{O<nCsp4^9d4T`Dy+{ABqR20LJ&DQw
zn1g)x5cUz&F*4Z0_gYLqo6F6$H5bEl{QG>bRB)8nVe2GB@er2XK{sp2<m&mflWZ$P
zH70XvV-?q^dnuy%w{MKAZ=CP@BQCBeDGR>{T2uL9uf<*G+MTYsY)=7n)0bLV+EE<K
zhMqs3e+sG7+wUC2zKP1iDo|`SmqB1YcE8yq$0buY^MpO~{3B4i1r2c#{RjbZuR8!y
z8SP|<4+}HWd(HNNpWJ<1c@Xzs;H-2#Rm#3hHK?^elxHX!cX6#Y9t=E?=rmz$vybk)
ztcs`Il0n8Lb1rSC+97LOXU!+n^?Pna*Mqa=e1JzI(G*>so2u_^ePd!W8-D1mH9w9B
zNQabBo8Hj3ZeF`Y5`ZP(c7K@e3o;3xE0&L$YK3>>715+&Tu{t9iw|!8`@~fG<Wuw?
zEuV-b8lPmLPlnWhG;$*pRgw%W&Fzh7-WN9G4WoRMng3+kvhrYT@b!`}L4_0hJ)iT<
zQuvQ#Ddc{swz_?Ub{H%<7C2*9B1=k<6jm6+K*(C|*S&x^IBmC;a);Y8ojS5<YCmbY
z@(kr~Qn6#=M+58q4vFu0`}F3&6{p~K!|(sv-z+3z%PIeG@r{r=7d4mLX)b1nO#%NI
z#^Uu4b|6q9Tr+ePTG2$tE3=vDiUNAZ_a=rSu{-qZb(&xS?Bpb!cR*7NBd=h4c%{K|
zHY?S4H{pBn_faS8WSEm<>gs=vQ@#X8nMD5bbG8f_ygck*clb{ls|1H6$exwJR&O%u
z$;-vD>lqQetYRf7pL%UZK%fc6vz)j*05oRodD+$d&tu@beXbEUvF~BXXLVNJS-aCv
z0`2|SFu%z|X$BjqK!B{WPoy+gx;Gz=|I)wLeRG%j^RqLzR-K2cA_OG*cDtOCMdOS{
zsh9Qr`MtdN{NIxMipeo<yW%*+Dqn&5hVsvwGV&iwN0Ge<O`Iu}E&X%fZ(|>fzAvRr
zm+81Y_s6l}>HpiyV2*9E#cs6LLC-(f6tq&tm7iIBd&qbG!|ISmqq)7FhW)6})$Qtk
zMP${aqe_?~|JLtu_-m{G`#oRy8}jl{H{ssTR=b(%T#!tt2e+!8)a#gh6`Qp4c`Z{`
z@`*PSMS9!?)-IOp6Sc$CBui)bmZ?F#@}im)=#n!+X@<dhZ(;WqKbqJ|sTf0&C?JFQ
zF#ouVUj}};%Iy^AB$2GK$3CZr>98%j{U@j^Ux&#7s0wgiLo2I(WQX<qna&8OZGXSN
zVXVga9Se@7>_+C;CWQz}G`*Q5H7J@WEMUp$<7<6%yd%?qjOm`4Z?Jds0NVVG=&%+M
zG}uOCFO2+7?zQU)_qznQF+S0D!6`Cq?hbq5a(oS=_paUAGR@J0o42Cas0YLkx`p#@
zV<8$Cf8Y4M9rN4o^XjSv@AoBx2?dqYwrvz^9C9$v6f09C%#`}kMMkwi|1vwoV-Lko
zWYE(>jJ8Ky6>;QKg&H+JlmtEWd;8;g#dy-`Xmdz33iXyN1#Jb&-iOyQ=Gb+?{-`lI
ze60j$vrxgOUsQOANb&h@m*0pT1EK-mY|ziidZ1^$XjgYay#gOjxL1uHL>2jTs2GVB
zbQDP%_+Z^otn!c1^YQ;N`A107-ymiYnHdA8Xk$_}0Dybo?q<r*H&O1hp4h|Fv<vQ2
z$7Lo?85Tb*100;YJMPx7oove#)76Q}S8KHkf-B!L^^uUrcmdag-TsVG&ZsCgwg8D3
zQ<#*0N>FntyB)@JNFJdVim+q}JkQel_sE{E9E<}$vWJ8LsUTYktS_oT7XUd#v&TZw
z^AtmI!POVCs$84I3V`T#4mx}uS_PEICR1x@y^5m=f?INf3fUZ?rLc$-GnU*Stud6J
zPx(iDNCk%%oDgd6r1??rxUMIZP=R-N!K;q@N_mMmUCQw29jRDQ>TMbNLw*&I$wGng
z9Y#qqo0HKd{sKQ;P+}yuo>8M#F%C>jq<zjc)J0&(F1{P!3*u`rR`<@ET?@hoL~e*m
zVNZfFiiC{X6(^nl(dV6fYS5Mi1=p7e%fG)+*MWxkUtehco#R{Goo$xP2(?Fg3y`>n
z0#}52+AOW^L^i;X|51waOQ-*Yg`YocJy9oAkgjs=5ffCsEsYx-&m7P>`i>zUOyFl(
zM&62t*=*0G?S|8NyN+_Crk2x_$@RyRga_cLvC$@bxL+SCvlN9XVfVB{15;b9Mp?T9
zSv1N0YjpxWp*qs@_9G%AHSL#g@;oQAutyy5aecN5DLp$e6Dz@6eB>P1cYnIswF0Lt
z7(SUmTG9%0Hte~%@0QhZ7JRL9ePGsJ*!SlP!Z+#(s>shm1GYS01j*<IZXH%#5?=V}
zRO_^%3VgrB>s8k%tF-vq|5P85t)W1}W;~Lb6p4Sh<>uAe_ZbB^>RXZuY8KjH^t?$=
zFZlC|Yk076yT%2xnodOkI4TSnSnZ0G1<g+YNn30@e7EEt^#_h#mQ9<TacE<)qPkvA
zCoWr-iRi}uL^wiVX~Auc9CT;f0S(gXHD}<OOe$@N92{Kug|OYqwBP)>2m>j;!Yx8P
z5+Rvt%)ObLB91LAiOMfASl5`=H0}U*vdz8&$WZ|(zObl`flK~If!JA-u!vtXLS2s&
zi}DHf9l0(xDk8d=vZ;n4LO$2T8!Qy4s4z|iNG=r)R3Hz`Rmi}s24GXIGzVB--Y4+E
zEY$NWWc$oMacm8e7sfjLJvTbdlT4yp|F85?-`F_Ww=WJV4(`FXQ`X~p8RPTMkJZqV
zHY>szUsme&4Fw>?6V_HMKn2Fv&eO9-3i>Tl;C`nvc*k2w{D^CFIAb>mAkqVmO|oAU
z-~Q=>fp1|WHiFZG^zPzD4<B4Z6a}A;1kS#!z`rxLGLjfJr_yTAwfi~FpPKl|hr_MJ
z#DMdL*f&(W$Y?vbk#-czW)w7<i?#V!B#-u@Wkq$^_$M;klH6o_FUpY$IYd+AyAVBg
z9h}MVhmv|jcVVUbGAV|ynZ$E2@!UrY3ypM40$Lp>ghuNh|KYLsvf|%uBj(KFIQHVR
zuC`i!z($K(e#VE{EDW@wtL{S}f&$Vx^4WEQnC?01=!H$nUPc6<LWjX;fb6}DcDCM-
zXmfn%o<IMCw9DKXtBx#~VApldM#1=}%!aC9C4JRAheG$r5L(KBUfDX2T0!K_Vd^h*
zO7g^81ayR0IptQ)_B8fqF6)Mr{Y1hN?{h`^Xk2GQq4A&PIy2daG@ZS>-J0)oiTl_5
zX9rUU&;oy0zD3z$5Xf|P!`*b+cKaEBoHd;RB3P7)MBd$y`t@{?-cV<vS!$NB__gh?
z6mXtdU6Ov6KQ$4sn=Y#(VWRw~s1T_TL|+KjRrG(6H5*kN57@e3{T?<h_smHQt#!;s
z#$rBaY(@|%78q@uKH$!LlF&^vkhYDcEY+}O?+#TI9y}*1Ws`VRMq1lcjKbtyxnhG@
zFndx0xsWQ`=GEV)B0RSi_i~0&&34+#kX_Ky19f8_XfkI?)xIofqOuai5~vK*;wcnO
zRXcB@t_Ti%I~OTcTu=IsB`I+s@F-ey%_C4NAcyV8=d<jPgl5NkoKIyqxq4-+=?_I<
zAzchG%eQzK(E{le%Mp=A*893RAdad(sYzcpdocylOaU(jNqAYHq8Y<WzI5KZQw>+-
zO0xCnT4mGzGQ3FGwF68mlpD6*B+}pIncvrw2t*F<m-M^ek&)TxcG8X#4Yb%-f+G;<
z4j$aAMzX?o#V0mRD=Z9A;*e7f4yMBBHs1Tjg=uxkiYXh41IfrH#s^54a$DLrR7gHs
z59AG;r1R-lQk>z|wJpo!JT?@xc;lU?%ZGs1dmR^sWGABazOu@Eb({NjB8~7k9L6bN
zw!oKH^!@Xz4m71g^%521h21RrNWY7vd25fNxrLNG#TYJA_1FiYfRa@1yNk9pl}-M9
z(kt=czGYv%w86#Ifuq97vE+1kpAxO<fBn{JZG$ko-(2wdyaS>Ks>hAGE3a36D9yn(
zt=y)cE!CK=9yYedoIEy)6-I6p<klw&hOyxA1P-1D{4TyV;ge8WmR>{)cyfG2+^VZ*
zG3l*s{)PiYbhU2tES!m#ey<1KdXfFtF@(qZpr##9X)#Ls`I>|Q#7D|xp^4ym6tLhy
z1u8eJv44Pr?3+Qx41A*`3W|ikQxFLB+K0T%;!&o2*v}GL=o4fKu4p^?2HJe!%W&BV
zmg22{{+TpcxzNhho%11`3;$PS0YSj%4vY_BSAMbvigR^<y8aH3d4mCN=|6EUP1BjR
zz_M?w+V6?cDcD<Sz?Atn^lmub58aXOV<y0osUMsEZTXH?<S^tvb=I4x0I`<3VQX!e
zkGZ$|`chT5?<bN4FGL?&yIP0hTU2Npk%M8utBXH0bWugXD9{|7^1oVu>Ua&5md7qi
zeISn(J*@r5TCSlR^S|S%4p**xuJAeaq<G&li(mQaR&^nGg3nT}Uo2dX1*(t`!nO$q
z`A`CxDiihX7iIVl^}satWi{XmQNy7FhlVzFy^+VL`|>9$XJoX>xm~BVrgp}@`wj}J
z?lhO;U3?oD)fhOKSNVGj>LZpg8yc0*bZh{OQ8&4=?V=N>DE!4a>UIuJYE4~(;l_`0
ztM7&;6<fff;^h-SY!WfoJtq;Rjtp3bp3?t_`=7tL>RDtjHy-_&AW7Bb7<oD*9-h;a
zz3_|K@r|p9!;B)}5i-vF8(lb7%=t-b$o-C;tO^JKS9p^Y&m?0sq6{7OI6pPJDOw_F
zX{QlXNO?@L`<=XESe+UU4w~|){84)re~?R+V-Xf~3zYIABK-I<LlF)V6j<p;J=*NJ
zO|@h0Y^}kZmWLHL-#N_LUPf(66B`?Ac3n&aa8R~t4YfJDx8fscHz{1aT14CNBL<ZY
z<oeG9aAI#ne4aXm*qGq&Y^3|AAe}Ex8K5Yjj{OlM%aqCR9JcK|Iq-ThW=Wk;TGjMX
zzwVwIj7KvX4~mF-DYhhs2kRsFdj%|Dr-n{K&=dJig3}q@UY|0q7O#qNz*5Ki2-NH*
zcJpr>_<SZaLDzI&>#q#vS&yCuWWQalsCM#o1=17nx+b4pbg5T&h!CKPjHj+Yc86Z|
zKy{5F2v7%gzkL{>YJqg&k#Uef2?4VLaLRlz=%*5$T>vUFjQ7f6@i!?WFAZA3^ByFg
zQbJ1afeYh(Nl0=BOO@`vu0#tFkbCi6BF%`)=fs4s{udBp{zNdrcZ;_1-9WPy&GC8%
zNX`O;0BG+!y&GeDy*+?d);r8=f-f+LQ=}54U17F1=m%ymQG6|O0`{JNcjL|uQg}S?
z;HRj!F$riD!%7{o{>uiG#~khZVPo!G_=bj6KfM*<NH|)f=2lK05C!88n|vWZEDHa=
z0@iElV=D98578t2Z=&4pw2Y;|uI8_XjWssK#m6tDfdPcH2$`S6n<g;5rC?Hp3g%uj
zStilYgKPJ8CrYCy0M?H$*Fp`F-HGrf*9vA68(04IFsqW{@m;zky*~<L@Z9JLy9u_+
zs+aZ8O~G&gk!{ptSvIg7rc!It;w+v(4{o0={m1O(<df8aKQ_!8xooym?fe|~=ClGd
z#j-E9Aj>;LK-A+9)pf&U8`_UgGcmU8t_T(e0*{Q$_RqDr76wGc#C$iQzgmthr*hNk
zg)#g^^p;XNe-AYuPZ23rJjgZ8;Y|uyMSMO5%-((=Nnrc;qHc8JtMzFpNFWFQCrHyt
zB(Xs<(mp!GKg(Ngl}7hRApds(Ol07~8B8XsDpjY-8KYBkcwTBxbeh@(4*1#U<})_*
z*h5S#C6vu3P6DhLh(h+I%q6M)idQO8lb_}1Duhu&obfrumZGUxlEc=G##T1>Mj6mH
zWBCh)+e{}TdfXeNnjKB>07Pc;a_PI6L_f7>yBs2owfZo6KAD3HwSSlw*+`neiPqna
zT>&6O@pi8SQfSd4%;y0>@&FkH!IN0N@n=s&FLTEHxh)qXrnL{SlAl<*L+g9ty8d?K
ze}MR@%DKuw1!@;alfpohic}t;1J5GyIi3N|*0eP~7xlN!>5-&fdv8UY;YQ%}O`NTf
zk$F<b#zZy#-}^9%<6raULEYyC|B1*^KTgGFLRE~nRkKSg{6o^7t6YFYIsH;uo0b=t
z1UC5E1isCwz{iwmkhRE+t;Y@^Kl@O}S1Putn>Al{rIK%=Q%@mia#Y2QeXQnCBF9qj
zfnKvTu^Uq?z(hX&2TQUNTzv_4Zd%!Baj$M-|2<T`=&DMCdjpN|7~8}KmzPH-IdeGp
z@4Iyqc72Rk&q-cuhLExLLCE;^g_=$}dI7FrTY9y<(Mi%`&`I{0_E3amKD70mt^uxz
z|F)){y}*yY8>M`ijIIz|ss!5#V9=x<=c2c9R{qa=3V~5B%1pE~{Iv@8GBXX#KD(jy
z@vwLQgO$1c!^(2JH%3RcY&EBXMgf{&WfiVnP$Wvq`GCFzg8*Lz43a99u1q&1{v%Ij
zh<<iRc=aX9dhHV9{c>E}IZ)KGKL-Z-^O{Z{op*zn-Sm)^%d5|f7Czwc;0{_4M;v-G
ztV}XE@_JA_VH}YCf(HAKu^Jk4b_V}F1VLI4f`N>IkDY!16A>!0dCeMmVW#)(6Pq+5
zXg|2<Y<a&98LDA=9}Fn)4*)&3JEN>gj_3p>&3Kfa%4AQxL<?3#yw8C@Us@R4pzhj-
zp81tenP?Zt5Fc~_nc2*CeYiT~=T88FVYAo#{(6+ST5Bc!&fpy=rrxyFoerA(p4CE$
zZ0rGFdVR~XFSc{+z}Eg+lc%a-Ot>5=|6P}68sY-aADxR{&PwT%7btJHsKl+g#n*!=
z_wfFZ0q=&@3au^m_!JHlm#?&XSaMRxFov-w#a}S^FG;_uKrm3(@G!m}z^wk-3{jVD
zh1Kd;aGF1Sp0CnN1O673Pc^^35JS@^vnd#y_m(_FnaSfW30rt%Oroystay}qUvBOH
zf4Iv_4#w~7)*$SA#kbA2$BXGf??F=$buNuk!E@htLhHdd<ytfETIBkx&*1^&H{jmJ
zwKP#%`j`Jt+WyaVh$@Y5y60~0RJF@13_#5$8pX3{HI%9s<Ys<ktgg`%s8}K3_Q_j|
z*%+&L`H2lXLWSBkBT^TBfY55qoH1BfdLBRrA_Qtwsh)aOW)4oPLh#=fZ2)2Y)QLg=
z&-*BkSD^R>5F-I7N>t}RRmMrN?&O)f^)8Kshl;&@_pSgr^2Dr0xE6UGLz8GT1Cs#R
z2U2nRc&6BK4%#M31y7ZlEZN|-)6RHO$r-cV2YXFTTBWj2%^W&?>sZ+{Rcet=y@wbW
z*h62=;jw<WGi9%+3_vIKaWz0zVH!a_v^ULo-p;kVF0bT>4J>+5$;n>9U65QE@m~0Y
z)T++8qW#(oqSg1ImA@5*$idQctNt=H!TXmG)8FZ`B0vU8h$RqU5TycVEAaltH2MO^
zP+jBGihIfMdS%<PDkHlK`xd}FT5qMy6SUJ-saYeUg%@H_Zenq*b|9eTn!9J&&uuE0
zp$zlJra}8e+Jt6k<-2x)hDYYTiz?udO}W9qyU-<zh&^OoFobaEK%VoT^5EJAX9JKS
z4B9v}6<L%KX1;i1R1#c8A0VqYr72r6@XO+l&-0|x&WFJO7=w)I`<6bQi{rNW1x50Z
z(2M=~?+um;44Vlz)C0W4d+q71Ar#%ecZD6>E7SCl7F~%US8R)x<M<`r*L$1G_p2^a
zbQi!TZ5q6K7>yHy%lfNzAx!omYFiqYgccp+x5NG06{tm2W+?v0L~P)Q=<cOC-9K~F
zI+$a)3*aUK+E~ZK5e%7B46B;+&Q><FIq8%!o4A4yDz=^P+Yc37UvoQ)n<kz$(OFDQ
zmmz}|_DmK%ga4g$5yqwT((u*PvhEJIiet7jB@V?J&$!)oRGkbwYMtFMilxzAC!Iuq
zr53sj!Ijx;?i@IT_DoiRtRb&$W<J;x{y&<oDkzRMN)HU~P9V6uySuwPgdo9!yG?Kj
z?oM!mTY%v1?hxE1!QHm+ZtV+I^Fnq1-F@Vfb6C&Kt`3{}IAWd#kW-Ck?_cp5&*VZ~
zA`dI{Qo=M3+lP<Mq+?jGs4-axXbpTGv{=hLD3Q_A=@GmaFU1n<d6v(i{<NpL5sLwD
zhAY0$f9PY4D9=k*E^e{{KYkoqft7oLr0MSiLOY&Ki?{E1z+*-s>BwVCs0L=H`Q`}Z
zqx31rvO<4Zt9MJB`m>Pb2snEF^NS%Kz1KRW+z@}KT)m-DAv!j}Yj>}UAOsOe<m$&F
z(on^@KqhzlwjMBk)<9jT(1W~?5wBqBcXAv*09`r`W8&TVd#~5cKI?8$?%tH?&4HvG
z7vM{g+ls&0iqy+zX8w-N+!0t)s`$@p8wwlYB{rYH+Pb0VAL3S0$Zz8A8*ghwlvs<s
ztxOySGsjFqNZ;3v#}h?z$jwq>G$7`i1yuL#CUBfKzc&!VGc+?#0?tDASaZd3;2B0O
zIIP|i8{zt(JbPxFzUIcib-9{aLtA8n$jId0vqi=Wn*WmZCLbe*C>8?u5sqa>L|}$t
zAoyF@R{^Tq4${3f-vlM%i%De_L1AMzAn5l}-nqaAXbb_Hw91vgz*Cp>92R20`&JzS
zi0L~HsQ)y>FMa@i0*hYmIBME@ip2}%LL~BQ5+D~^Ir7Nz^FI6V=Ab;+h=FdX>%K_;
z&Tcgdm`j)?fXdJw$e4$$(T&=#2BE;%WxSB4BQ0<YyRG(Ao_*j|PoXN%z0qoXxxtn&
zNY5ak1tB0ukDNe(5Zd<i=;fw95f0E$1^0qtV+S$EqrPiVFZ(5o|LaDc_Vo-z5@3F7
zgab9ax8}cl15}HAr)))N-;nTsDb%?mgyZmSw)fN5A{;THk%dYUP#Fg7w;{}AM|UYj
zEuA4sG3$nGP*O>rSn=Y;b3f~x0~0O~4M%U60CH$=V9e|VObJ|y{FYnB+zb)`njsxD
zmrBiKYgHxle!I5N8R&87D8F4$5Xyt+__8OWGw#^uS$NOsbEQ5>N(2Ewz}@gAOTe)U
z6-JJDUxaOifX#65mg^QX89a3EeaVncgBnF`JLgA=VKaZo#iLV0bDT6V^n?|nxdi~p
zP}oWjABsUp`@Cqo^b`IDJ55kDxF9d+r)+au0!U*K2q>oh_|pCCN;yE1K`&1_>jw}k
zI#X_z+%M$Qb?^rVgDd)FyQ>xE^*!DEP-oy(=uNUHaDxCel-AFXy3x+QIDY>(*lN?g
zQUHI|bSH~rtl{_Bp>GC|uW?3<_inj@!a3SMWopAfmoDG)a+l0}thAm9dpuuFlq$n8
zE|0$F!WVe)k%3n)==|9UsORMXC+rGP`yuNX9Sm)|0}5;;(J3K$DXB{EG|>!CCdqf`
zalpc$sIz|!1WOQ?gBH__-5Zv)WBZ|2l5y_bCd4En6Vimh4xr8vapoY)7^?JQ9Xq#=
zG8#yrT#%Ghe@P;goG+5uMsM`fV!lrk5_KZ>!uFZ8dc`zb<WF;B>B73G=%VX6tHK^m
zxCf+kG<#Xw!|`4OEGV&TQZcv2C{yb^z=6PSr;r50oJaaOc#WCo_xkofa2HJ5(*qQ1
zf!M6+(|OKKo7l0toz!!Ya6I}j;+{rD6AvKos_)L1`?~2n1c<0VuwNno>2a=8n_v*F
z!XerAu2G^q+4Z0s#IR(l0N~XP_#MtJjXUSm_{Y;fQK+K@|5FfqAQEhp6Ci-Xpl<$U
zw!;O#@yFPS&r2Rcf3dR4##3>)^HvFlm{QSfp-cIPA=32Anm|Sg*ya_{fT7V?dv{3&
zK7}B6H>DE~H9%zjLv5H&i|w{?AT`IiL=;<=c9YokEiqjW@SJ87<@~@FVSni_nD7Wb
zBq*5W!`JBYz>^&xTJi>@HeOv%Vt_2U%z(abDFG;dg}c_}bL(9RxR2?U9G{N{#n~iG
zyvV0vw^Pi>na@%%a6DA=yKv}Y#3NR367-TzG;SPdg|VA3!xW#t;Tu%xJnvYt0SHim
z)Ba=QQGF!fxemNTKH9PG3o9nRiTW0b%#Q&Wx5kqTzcgK(#>Kcfx=YW4i*RATQ2<>5
zFtd~T5iZ3bcqnCQ&!xV^EwWz_U+`lBmRkAuYq633>pWu^3LTIqB(^(nXl4{fvIjH&
zHzp2e&E~B2FtjKx2qXpk+sX5}DhR6ytR`EY@TiuCA23MamN_gIO=n~^_~(Mbe<I_N
znJAZHY|S{2U*_hKG2AM@4b7?Rv#!S7q*&be)C8jQ>{#kJaqw4%c#~nrSU%eoTFjP(
zh;IW~!e-is88Csk>=n_n_d>6d>V=hMyGz~Z$ALWJon>1T5iV1IiK%zvZA0$03TIpZ
z1<QZd$ELwC{@v|YeO7b8sYgIrJpCU{U}R&>ViYjY<$JEl7Knxv<yRmf@ZM<7(~X~U
zMUw^H>OB-bUHgS_o<5Q4^X}dkhxtP-Oj%NfhMwzkn#s{;N0hlApLzq~Q;|YZ1P%Mp
z_n+f#9sY`xBZ7j+CU<!GLqcS*2?!K(|CBfHy!uZPyiU>Ydz}ki>;oCe-40j5#e9Tb
zTY-=jG@Q!Z_9G&Q)zyYKJ7pWinLfL`K@}TtdjKT!2s8brcLz!dAV~IG@Gh*jl8T=8
zt)Yg+kfb{3TaFN;V@Z`bVm^bLH`(a<Z$gW0Oqwf;3LnE9ySKeRgF?WExLi21l6X%4
z4Sj(4KsnQwzW>#8%;#oECJioWAldPym3{~BxnLQC>lk9xJKI`Y-}sFyK5FU{m11Zt
z?|&07;hus)9DvGbN^#y<2CQ{AzIXF5piU4vNr&oX{%^c$Bl+Qbn()u1y9cMFvQ(mV
z*-2MXsJ67ib$t7cJSY7H-?Q|ttQ)>HqO}C&e=xLkhwGLo-#VG#JzKtq0BQ+>`DQ}E
zW%Pu)CV4x^=!V=SW8ij8W<bmuICzalnVX20e|v>iVq8<T<EI(V!$X5+|2Gnd<bb2w
z(2yEXHPm{HDTkrDNR!`iBFRB1+0LNV)-|cmwmV;{ij>|ad8-&3ok98sa>FFr*ELk7
z?2d=+Ya2+S<(ekN=5y1{Bpm9h35HhRZVmlWyLW**s{sMoqr__(ByYI9Lhr6|L!xVf
zP2RMG%eoU0-Jpzwt!Sj`suBN`z1s{$;9(w#{kbfA0xl6woYNMQ8%lpcWQrgpe(wKt
zLI=q-m4Cc)3Q`Um-iJTuNbbQ(v2;;x-4jeL85tPml53!fAShb-nqlYr{3Dj?`*oTQ
zK(0!n{DOwmiU)qE5qKu9oUqq;-Wa%5z1%9|t~!Kh{3Q9>4T&S2<N^i*`yU<u<Jfvf
z=0V3V;spgU*q|dG=x%nYPltXXEHcqdFW*JdawoDaDy8Q_-qC)7_QpP2CkGEH9&Rcq
zgD!Bk_OsC8EJ3L?T_x|{Vl_WUI#sI{T>!JNOWU#r2cn%BgfNlGwmrbVPlYM=>0C?T
zBU(u`g5wRAoc14m3|KK7*Nv9HlEh0vN;&?SrdGKW273>tit5h7#FV!LGdL~u%q#~H
zf4ua~z!ZOH;nl;PBq|o_UHVWN=8b!k_*R)Ur+>H;Wb)utc`-C)Lh|KOD_ck7C{G67
zN!~x7xA$c+tg*c*&MNb^ops!s)MMgcz~Clt!z2SsLvV1RFmZ9z#iZ0QU<oLq@)7D2
zI_@{x8r{U!xF#Onyr$$e1QLJo6Hwo~dwWZ$Zn(Nk3g+Gu+&i!mLZgsob7Rh3YR(ju
zoY-W>5L!Dy)e)p!@esvgr6OLJ>}@{~ltr0s8pdcD?1!a)r#3AO^L+K)Q^(GC!8<iJ
z`806aut@^m;)_>t6yogfrxCUfwT>pn(#%jO-q{b({|KU;`m-;d$g&nmEyO1_6FCqS
z@GCdmql{e)i;ZMkz>{|#6cH;gQ>9aP-;Ju07Y(IeDnOX<t#fVQUQgdZ>P`B>?VaKE
z-I#-hP$V92Sp;%-@b{VP`~^(v-?>oE`!e>&1P1@2&jJgVqv7Chu}?}b$7d_L0)}2Z
z1MnMp&zt_@8<<Fl!6k&FV%h5hO%lE4Y-xKz0P%H`9l1~%7(<&>_FFYVSa*%HC|u`r
zgaS6HR6rzt9M5PFN8*akM@wv{J`%8*sF=M`lrafJ0@h)Ox!`l+_?~dFVwk03W&L@4
z%aDwFq5UsAu8d0lSmH35+wrA4EzGBn-G{UNyfdihH53TE^)p{2SmhWdDH`XxoGv>;
zDQ%nL<fDh7LI^h+^bl<<zF9`RgyqN-M%EmhmHgF2o;kTuX>}$g<=zZjF#e8O7zr;g
zU^Th+S-9?dZD9r`Xo4_h{H};nBhktDqx+akd9}qBKh9r+3<8O&Bn%$KuxBx;$fGO-
zo=)+WG_olPsm@7kG5mAF2f0EzvAM8VU14RVc?0aVPjOIAglr>JB>Ln$i*G~_#{>P4
zK!N6(_`j|7?KXWr>eX3#O!Ixk!Y!K0(iZ-mNL)@0zP>Fmd+<^%11ZVXwl?tIaOynx
z$S81`p!fa!9C$J0E$(ioy$6S%+>c?=x;xodlmbl^@hT#Z;nLwp>s7yBW^zMIxV!CM
z8_qf4WB>HZ7M6J27VyMiK?-S!NJq+b+ggOsr4mIRry>w$w8TT~k)Su_k*nL}t_==P
z{UQ-qy)VB|NEK_)z|?*|Z?dOtuZ*{6OCQgE&LBU?U7lG>0+U5QfnLrR23K<1?zd21
z{J7`K6JGl%uA>bTi1<*rEAYh&)koTT$k6|4(Ia>^5pKh|<C}oFv5rHz9y`9DDi*Ag
z73JY8-1C4j6>}B;HQ{#3_TTMbVKp@#apY-Qp9|~{F}-#+dv7bt%kPS75E9m@;ZZ)j
zv?7Ux<kf`TRgGDCYiQKRUZ<It>lDW;6I@)VVOA#z`=V_M;G)T#tW8;59eUZI%uCQ+
zbBiS>vIGv>Z84ldrz-e6(3uGRYztI2gK*q!ZUi4VmySh3IpMQ0ez%0vXRkGrx+4d5
zYz!Ay1ZD702*qO!NH#cJ@1*eAF3{O(9<ypF%&&RsWkgE<R>dvoAJ(ixS!Vbv=i4?S
z+~MH<!c-8prcFov7l)UUL1a;GBXV1;0K6(1Q)b?ho%yrW;XYJ_9+wGYPd2aA&cGWA
zO{1>e+mpR_v8~*p??J@n1r07Z@^_Q{(0hfvlu7C2Al;SWNBy5fxnl>74G~T%vLW3|
zoU`w=WP6Rqh^Kxz5?+^O+wu@|=^$L2myqIYQ5ssfZcE5(_*X0MARR`I3oy8$*+}Qj
zoq_m1&|^99h=vB6tJ+%d&9uS?lf93Dt4@!aT;z0{*gm8&I_Cgx1BKM4S8_F@%4x<Q
zC!PlIMlrq3Md;b{5~;EjNw*YCoy?-RoxLV$_ClE|`TZH6_I|aZ;I7EPe##v=uu}!y
z{MF`M`-M)7Ytrn~WPg|@GFO%PNRr$g?LT25>+qM)A50-?1|w16***^sw<UnS;x4tJ
z$aj(8DeSj5O_*E(YVliOLUyGC?gH^sll9;F<k2R32LIQ`=1||Qg}2)VVcpnw-daki
zi_i@U(euHH=P03;CAjqSrq*!J+P-c-n`Xh$f%_{s3X(S1NZZ8`HT}PDgOqx2GGs>m
zcDU`;XzGtn?A!}tr`5=31*?<DFE2oSV)vu2C4f`iWShb2x(N&9@4Gbm>u(ZPQ(4u6
zs92tfc{UA|E$(BEgF!MiTes1^*_58LWJo^)nS}5F=8rt%2tRaPGbD;0H;mjYuQTa?
zYVi5;U`xJ3AcF1nox7NW&cH1$%yulGjIgCtwC*3DDGc=r)h*@EC?!>n8m!Ha7xgi+
zsQ;)Alz~Xqf(6v;QJkUj6T&^~(J?Nk>snaq*s*>@q(Zmv1)cIrP+c?2w(K7&2wvBC
z%h70(A5l|od1$y0I{bc3S3y-rR0`<o$YAlD`u35dC&ggHT__|KLPNpSUGj3NA4yed
z?!6}EVcSIa%1x+z_NU@|ghn*Y0ZR_{M6jMzSt%w3Yd&HvHYOIs$zEp$MT|0PkYjJO
zEPS!}kq;eI#nl=&KRbvA>Q9XF=puOQuwq2#7w*=iaot=bgH;>OeeXV>AD3<00xYmg
zf+i_4W-a+gh~sKE5uDd%pP)XM1QQ(wx!W$1QliIu-ZchoQ*T6K<>vY<nloiDs!+Pp
zjyaNK^f0>@262+qQfC*P4?7T=RXrNnK!%~GPgX8Z$e@J^yk9H-9;54U7zvfWMEFZ3
zaaf+$RKzk~3Cg0_(2)Kb8(2b@hg0{o!QUX|i$lQVPm*^<tR==AJvuhVCq*p#=G0_h
zxzsY|JS5_yXr(oAwWGgHXyzB6%spq4IcYZc+U0(T>-y3qo^ysBrbI&y()=k^wtf<{
z{fVOQ;hwt`*IV#&SW`SY=@fj916)D>U+?^sq#9%5?Tz+t*Ac2OMZ~#A-~gzEsTruq
zvr*{?*$bo(cO>mS5A=pO9n1Kn?h@4c$M;NsNHRL!hd_WKJFSD-n>R9~UyC87A#c!x
zr^xf4<{)^w-B}(9!O@uQZXenrY#}lHz*x$C)C&f`pHt=RV;|=JH&YPQ#x471A$Goo
z0@$qYm*UkAky1F2So?^@s0OZDnpOWM>vO2jKpySH&^pOfuJ--GUnvcZSvu3jx5#4m
z=z7qZNd9;~F#H2?Wf)=Dd}&W!PI3>xM!w2eCl(A}mAVWz%pTD&znIE*c~VdS+rG2f
zqb0jBAo|yLnMo(fVir<lsHaG~YYM`goPnRcAtD|1aqoE@bab(dx{abX$Axv~%AMx&
zaxQ$8A$=m_lAQDrUhPKE22hwBs}QNBlaPQqH6MJ+3yQ8?dSIAgGX2}KBYj8ASPYaC
z;?^cJJ|{28&BxE-1IYI-I#j<nh*r>&RmNkxzGVo>lJe~B8)+OaiD)s$ck&$j%Ll*d
z?KcUkwgp+XVt%lyVrq4zdOp<&`6$V|)V%lmcR8OdP|@#|wg(bDM~;jmZl_iXZ>9t1
zs{r5Yx_<br_jpV-C<FwQizfY8D#d7n6x>y*{U})V@{qe=4Q~+k(66RDi@lVmdm0L<
zd7K3NX%mC&F3CrYj=Bh}`FqT5M%F9VOmO2@6P<*?DSen%kNrUqA4=`{Rt%F62ri2R
zGNvny^-0Q$EFfUT^k0DmD4Er|3rekBkBuP(2}m^tjP>NQ=DmUr7QgBk_LMXhjM+7=
z;QXT08Z@!q5Dbj%7CEWaFcQX_RSiIQa=~_>YJBWbG*#%!%SeN;Sd+qKX~Kn^H7(Kq
z*8)USXzZNU7Qp^>bXN$3AbETj)~9ZCdCaC?8O<bb2wbihcC6H6NkpPx`Z4H?OY@8|
zk}#zp(?gb=M%+mmGhr6;B_96~e;>-nqpC!1x0%UDgcP`=Wf+Tc+mfZMiy4b`DK{l7
zpI|5c#Y&z2gNacRNR*{3Po0$fY_}+rK+&)y3gTVEfplIDy1=@P86L%)cV+LA&&RS5
zvS)SkgDHiQ<_rs%7Qq`i7@jfRoUJ{Z{d8zw_c68+w|ap9lwlnRV;>)LUc>Kwa_~p!
zm89r>++7)A8q&^?VJK%9CB2Y*njNB*ZC1>mm0-x=hC7F80S3m|VZ{%lW2bOl66`D`
z+n@Y5fn>aJ-GmT9Pfqler^oUMBT&Zn=0xhapW%L>StNSu$adccP9rtnbABhuI$myf
z3E9V5;)1WsbL>zpsO`o1x`iJo4gyI(l!`sCjND`j9T```^JFMpTxC_@v<*KyHgV8`
zN3*Odb`?NXnJZR99RZxc2E3Hdf3FfGrAq>KUbR&6bY&P?ebX3lfEJ+l`X(kgOEqy&
z*{Z%Twt9P(T!C;w?@F(I*whO%zY;oHw3{?A?-!5RNDNdwLQzS{i99eigR*;bX&f${
zppr9SZDp7VuEqITgh5*%#<6YsUB4$QA-Pgh$_XalV83@B^QSd~RAOu?rF!Q0iy8}K
zAOi)SAmUKei&pA)O<xNiVb~5(-wJY_{btoT8b22oMB#Y-Zt?A{*E~D5X=QR^?VjF%
zPj7K_7&8btLiusN=3VnlT;=`2*^U*0b^Eed-zTf4;_=`)!e<{ApK(VK_(M=^tYlP9
z!@gb%M76&N5?iIdswrmYga-S`$xmd8?(f<3cvowzloAA7-}xiSz^vflkDy>~Q*=Ha
z-~5g0s9MPr{nT+?nT9T~B{af)gA>c@YL9dy*>YgbSEg*2u|YeMp;XgGNkT7vHQ|{;
zN#*xT7WFhvMDNeu+gku35{%_Jx2n86rHHtq)@8hrao`bSkgDBlDst58pvqr{Vf_U{
zvz(xFd(KpgRleCVG&>@<m}ZPm1?3159IRL9w&3<@!;GE8&!yv8+t}XhAQiCvx-)+v
zJXtq<m5!>85LmZ*NKvQDfhC5kBcY95p5KFUH2tNs3~o7b#9v?*narC*t9$b?A54gO
z>55&TG^OsM<&yD3A+!4`(?2go$?>xb&D`m~4=6`9M$x)VngPROF(hc<ba*3jK`miN
z1$pTKS9+tXSe$A_6_wAozZ;^2hd1#=7=7tZ$Wja$_`*1nh&O^iTZF4Bg!#yuHF{2r
z^CH0a`uWX!IK;YwE2dw0fve^bKPV7`f)e=<L*r(XaR^1VfsYfSK47nk=UG5%#+6BD
z!sLmq2$Y)z8s%~e1bQ#0>H{0A1+A)M?YjezjK_S+e_{w%TCQ7C{2=j)-<X)B6UeKH
zO-eQFdCEv5-3kzP>_tYGZ}}ing%r8NVxDsb#%1v{*Xv)?>%%HDb9f3V7@@SLQ!7==
z!AvGxA?%KsOPd*VtgjVCXBY5^GlFpU@oaY#=U&A5Mi~gwgrWf)tC?1Q&L$|30g!IB
zCDlbdo<!s7_fHVUC9H82h&ChcFJJSza27tsVO#5l&drKtL*$F=PlGtFbY^t9tT-@1
zM05lR+u2Kmhh{JfwYlw>8N(bMS!yyROUCRtY`H?NyoSWF?fI_HZU$mjzxaKVU%zf(
z?Q%7T33O-Ms6snEJp5I1jV216dAC!U_$e(GBH+Py{Ax)p_>#fJ;}Yx}A(SarPRuGq
zI%UCuM;u1Y7&j7La>k=@_W{HUna8Qx$du6<Cwl8lgo<a!bn4SV_E!5Ws1<8Lk@qJI
z1i}kkLWXc2e#Xrb0;uIGnbKdlVl6F8JCDgZOBj~2m=XQm?OVby-Xpwwv0r&PGd5W0
zDCbUNBg7d@UyiP;MsGI1E>wwT?z(bRSb4M%`){`QO)_V4GlbUEz!lE)FURrHKe4?V
z+y%9((|>dA^FSX%>k5{`8Lv9470P`gOR@Lao+*Q3`y%EqO}P1cE*mT5uf!Kt+%s*+
z=DR>nIXqc|RJW!zGa;kH-!f1O^AO&3Z37(vu7X@``jkwJVd>GDA=jY||0Np^Imhnt
zgO<;f<ZuU(jknae=|<fi3=j$5t|OGuutAFsA~kZmF(=X^{W^NAGBGDBG&yY_vrxpg
zCA`OEKe7XCGox;vRx%Vj)pA_1s1W6$u$wr7IzRHt2paFiCqo|_`)}7a?Hx``2G9XN
z$ltt?iY?(Yw9x58@^rywtlfiE$MoNjaWF_A@OZ7_(F0EFSR7@x@YY`T+39*n(s297
z;Zu+GjAV&WDQ>J!4`upoFR&R1<!Bed;hv)wFt=rJ2^i@gm6F=Y&neAQJ!<4zbV`=i
zYe`!2va<)#Lgiee^zfW;5ww*J0R$Nl(OhYS!l-p%8IyT}U(j@7rTD1NexZ>|bI>zh
zv@-_5n;*OW%t;bP*&SO-j-s@_?<2+|>}|a5aL0ul3hWm>U4qm@;02yG;Mva;=mqJa
zI^AeJ5&C-LW8@&J$F~>W-`1UDIbQ<6Gs;vJgGSmN?!>==d(oB3Bg0CgA7q<>>&9;n
z9Jw{PwR#2-Yf!>255|vzv=~J9cilM_KI^D$Pyq%WQVD~kRtGot4K+7B<mxzXA)yDx
z)Xl*BIna1^v+ia1qwV_>3gNQY+e0YwcM!(>iNkQ#*#&}>b`0m2_6{{TVi25=u55<9
zkU!Q-fb0iQ7q~=l=9ph6N&&7rC;dC{r)}p?KG`$F*iKQ7w3OFI-*F#2FO=CM>Cntc
z^17JExkl&=-pCf>?9P5U+ouG|6wm8Bv0x{~pyIFmf-n^31^<A6_jT}t;GL0X(IsAt
zV(~K(mN}{2*PuOZWaN=&K4TGJWlEOm<VNuW`1Pz0t$nqtvk8-JQ2N}1yC6||ad0^D
z?7|y{*c&ss^zyFvk`9b>b*nztp@=KZaxo?2dc-!d*m_3@5+Iu~lVe3S()tM-u*?RM
zOYVi<{&e^EXqOsH#>8}vJ?87!BvGiIlxk%$4}XdqSom4Caj*DrqFrorXN4md9<zER
zdpMypHe#VhtoGV6{A*&`7Uv&LAcWMyu&w{T7EAcx-5gFs>MQJs2zZ3GFbESp(IEz?
z#-#X6^K(|`8eI5dgY$^Q-V=#l+^`9aCrC#a<kjOA;dUzz|6rK7Hd5Lp2MRA(#HvoD
zaof5HqCMi23u3aV5{cmTuCiL&ArzsZ@LOMLNI*G7m})Kg{_L+04>(#s+lTNh{n&n{
z?7{N&yehfi5XIOe3CxsQD;G&S2=J>0xi+iV))3i*GzQPCE~|SdD%A*z!AoT+(JX#-
z68fa_$bnhU#0F7DG`r?gp2xyE%VQ+m8o!u3%PrGl0E+*Ii#cT#?^@ucwz!BsaO$=g
z`QnLdv9e90XAzE0A@Ny%K~*q#a1GgVn%GP%Z#9am)A!wdmZ@DxRB#sbfNeI0hP-QA
z*K0o8LY#9mz2n$VH3P<LZm2vr@k0VW;gz4r2Qa`JGq9u^++$|3+%{SMmhn1})c&R+
z*?<aNc{Qz)iOoM7hw%r>6qLsC*j74v^Ba5zU1{WMkT6I|$=vpqNPRXYqarsiK=tMr
zqice((QuAOLMA{nLXUno=S=*8r!4ZtIpU`B)##!6K1m(Wfa;H-jd5)V%hjA5g+3P`
zU=-_Acy*?6z;y?i&eHF!DjiIY*b0(vU8S_3kU);oZ^$9hy3B{m6>d2AHSWv*HtmlC
z={N#)-(ACYX$y0%!T?uv?q#7NWnGmAJWHad3$d<PDkZVpqD#?2@%k7l$4QOv@BfaS
zYBN`BP=$fOa)g}GaJ19e=l$EHk?koRurv@eQ1nyfJxR+S8+6YdL5K8fOWl>M8HAQ-
zJG--nB;tQp)2%X6(!oMA&tBotYoDRTZW%%^FV#z;T%TE77t{!QqmS6YWN>nFb01e|
zXQ0EwVKFealEhi~L^dQoXfcf5P4-$~DFnpk>Y4a;vS4n1OIMmcY{FIX9qS9{+K-d=
zzr0@pB_}aG@d{NooM5o{r!)rZT7IH>pul>ntm+Q8^r5A|c@a`BSz6EoJ3UVVsiN8B
zrcc7*<EBqAX5maoSKi?Eef`~10EkGGctUjyP4F+2=(85;uPX16%(>6V7nIdi4O2=U
z4~`t8XpT?;Nho3B8{0c~N2qLj17V|XnHD+xk0jy(me~A%_hg|`s~f3o@#(by$6qLD
zr|RTf@~;y<fFz|WZJnQcQQmdyu(N#K=$tCDS<AjFG2~{R_`xhm$J&zXkEvwRM#URn
zx`hs`CfD2w4S!q2{z2A){2=|*TxsD$3!>k+%=`QY`bK`lCW>lUyT;sEX+;w@o@W2{
z;el@hRA$(au8-$F{(u_g;w1zK5RqNKZf4bM6d*<aHbuwp3e@*#VFuoyIGMdoC5e!=
zb|+OWSfuBtvg2zvW+3FO$H7;IJ_cy@f*y#?)>srt#4ZcS{{+S>?D#8^q}@8V5bsL}
zlxs~*EnUiZdO3k!b1^SdYYxv22AL0MhVdD(#^02KKZvv-+G1jVVekf9?eHs^P*Qs)
za;LSD_U=1MX(8=dXPD?xVs4!c=!NqdZ7PJ0=T^RP$s6@gsb*9^AMS{J;j(qJfy?z?
zX_Y3o<sQ#iOewzh8QX|gv*{GPnXX>LU6uf9b6w2b7CEzQ&z2Tu5oqz~8l5i(?+&-}
zr*R&L3;Q=Zcw#=E@}u@cGG`v6@5kRg-aDypFo^8q;Kg$Fk`X^oJX9h>y-Bpz9zrZt
z0<U+68b588h-+2YFVel|amDA|Lt=fg5)zD{w@={33p5b7XKNUgWghiQmQo_%`P`qX
z`#yeE8!`ultYJdOqk^b~KpX)X&s?BqwDrAfeZic!TEV7@?oe<a!E$M=QkoHd0&)Y%
z62m1>b+zkqV0@+caA4~b{@ri~5uz@cG84;5xP9h*O+yYVNTB6v3+e}7`gA0$KZlxl
z4_rw|%=?62ZG9U6V_<$Anv`&1etM#7rr)?20yX^La6Z8+?Rs@7?pvw5!#$YtQ<yA3
zlaB8&0_VD3Pd<}V!0$Oo)z7yfoNUn`e7$zMYF4UYbjII$+4n_r<eRshX{K#3%`17~
z`@38Mt?GgG2bAZ3o9CVD{EHVDRyLXahdY@DRS|-K>?WnvN|frcQ_Y27xw6fjXl*8p
z5hDka{g0UAYq&K88VHAtb&^huyn4T{KEM^OygPcXsD1tQ=lL5Nasa>7To`q^)(<l{
zbTRY90kD~>RhLSpUa}lZqI!qRr`&VnXj2`c&x3zD8g2Ar7bkKYr|-QA7=&}nMq5;Q
zIPXhei;4*pp%pRDOpuEQ?!INYZ}CY{Y$}DAbPxqr!r99vgEqPq6$)UKK-QB(MU>kv
zI9d$<L2@6P|0Vt8wD7IYK26F_EE(<?2KH_fta+Fmyn%^3OpPX^LZ>jdYMe*<-rbDg
zt4&nRo|@bEd?*YoIWkVjb}B^4+CRHG8EcQhNV#mSC6@Mv$aVh>l|#Gf6=p-rKTOgF
zlHF8SNg+y}<^99dK+_YH=zkx<h_NJp;3Y|n;AG+2Zi+r%8!hNFt;1FuDLTmMwVy5s
zy1tonk7rd>CszKvN%KZoXvLb{`O?78e}U=wjUWma)kD8VPLY$tb%R8wMo`lBXOB;>
zXt-I>GZsDE85}~AhZyF@<yk2HS5#pNoMw>YLQDlFVt<)d+2mi}q~QoLX%>yflf$A&
zwcn9MUU#m$P<lvA?XLIV1oSIP?K7MJ_9D9@zBPJwaR)uV1V4In&>?NPWrDxJ$Hqn`
zm!xH!SnxYig0iT|6`YZD|J|F*_Unzz7qAqW-ZPq98);32sdpooA(at(^7F)~K>MY1
z7s-Gb+m+wB!NY3A-_5}I(NXSFI!y*6cHI(`9FwU;+=A7zF9~J>%@s#i_?Y;4y}7}>
z5uMN70&9d+i!vdnw*|<KbsvIk*JQ8MP-L8(&+gDD)3&k2w2RHj2k_pDyYk}k12Htt
zJSchLAS5le9O`#zrg2w5`IpR$JvlIT4`hzZTXk$Ai%43+nB{Sw<fakDG?YT;SFEVc
zn7Ko9z5s=IXzdEE2*L#;!xU?_Og@htG@#uz?2;<VdAADjUDrl*kHMgpohZ5&!52p-
z+9h66=|dMA$Xtlx@W0wcb9`A6RgKTK--}86sNSKlZ9fIT9|<XTD!>nN>3;)+mL~`f
z<+W;ovG)GPb)(?6gYVaMC<LvUg|xGn966FLE7s(_rvD(fi9I54;`A?k5*}Xc1xC|j
z?Z<vM;191|cu~e%ZLrUkqSe}~pm@R6{LRJeJ%9lyH|iv_o*HtwH4wrbmBupaE&!#c
zmr?%->&>gFS@xbU*Z<x+*G7Mr&te)=8nAW_I-36lt=M(`x85Y7a)I;eHSl5geD3J>
zAXJn<yj6%`>F16#`RLP=Joc!JRBN7Y`P8EvSh1k8ko*+Ns58@S4iumCPQsx@9Q)1j
zW%3oiyiA)xhxz2Re&Bty2`22j!9*_j;C4M?Yv2P50q9?dNrcpZ@odSq>&V9oZV8VE
zo8wK<fr^f8CKMTkx6>8vjE620M=r-N)PC_v=Z78^6EJ)p5=Jc=u;o}{NMOCRw{^wZ
ziFXRxcm2o@bU_C>(q2EbBH7Yd-sU=2<R5>V*1g1GU+u8k1>=LBemngDY<Ve7qa7R_
z)uCuG$axfSkfILf>tBDhut`n#hmN}pS!#W9FhqSEEf|5p$|pDQU%7e}-wmZ-f4S}r
zY=)>EM@uBTwyy1vk}*GUu!a-m*QOHlQ1nI()v0<cN4M|#L(+0<Dwbgn-rTwco=s)Z
zymejdKt%8wiJG%~{vv?)xPNl{!R8Z&UK$QH)w0#iRT2$eP7wB31M6!Pk9Hie8gT+^
zDH&KI>YHP$Y|Z{S_V>!MgMqo)@|!fvze<w~6J8$Bo)AGX3S^wBgELlh1e~us3BGvA
zPXTdNejFI)&E$XmL@MADtq@~XYx~!Rf3gcK4l|E=@BSlBMlF_A3@hHJ>|JjREo~@Z
z<rAw*T!|PxKpT9PrK4rN+)Z?AT%mP+dToDLjD<vq&Zi+rqY>c|LjBMofp`g`fcRnZ
zle4aSi}`r$v0M4EHytGD1yiPoV5?MAr=S#%S3T=0v*Lruzzo4oHEmeH)!xe>nHf{>
zs6EKlch1!P(tg;Z5-*kj<>cvy^q2uDyDtiMa<eEl<ARkq_brm|hh<`fT(`aa0Yloq
zphSe4b^m&6=<%4dTKv`_C5Vax107y(RHX7jZ?PMH;9Ry1=mk{!bq;nkEi&IsitHJE
zz28D%>OJuNo3c1X13Z~FIXK__9u}naQ!Sp?<m=wNNiD$V|K!RX&>=6hmza(YqilpS
ziUbP0W@yw4pt%0{?^{`iZa<i8;C6S{;p2%&BD`1)gm<TFU3bM-t$(#E^TkUbk)qgn
zSBIj>VDjKO4}G-l&3(3@Wd-~+q$PFaL?I#Ai|4{1cqTomj`$^Cqx``<(M4ebyYy>a
zwG6xYjD>R))CHwk3-K$Y<pJkpDRKws1=6YqF-gACd&<c*c0}H2v%zn@j(n6?QIP}$
z2rux5{}^bL*JRQT@tjTBC<j4Jm?L}w_#Tr$LAOSsH`(sQ`Ugr*L8D}Bxb4XoKwSvA
z31g6|pf?a&shU5n(+%`%aP*zqsc3dhc>ZZ|Ck+`oh0O<cY?pO>LAw#(I~gDCxd(b0
z+vQZ^JBq_}^fCi3dg(ff(aZ5l1K+`?U04_O)Es=USR57q!|fkot}@165OC5(=K9FG
zN@v2pM$xtai<PK(gXS-Wo_OOY7$^z~hUdvwDrYObg>=?bn?0Qw*N6T>qKi7kJ{FLR
zZr3eYa&^-60^LM${i7w=^!%K7CLqeyp9cfac-wKeXnW&B2`r{{f9-m|lrbUbRG75k
z3oR>rACP<sH6R>f7|EYfZebyKwg~U2C8dVoG2r^Wmb?6#e^SQxiVx7dQ2r{YZgRod
zoo6>SU8{lv0to&7A=wy(vQ6i0g?3|9=@9s$Buo#O)mxnE_ukN;^cQj8()L%2s$80!
zPV4mp<oe=QJPDoolp=oZ+Tk0WKE}CI`4-rGW$i&wM10xr^8xBL_W(UPh_OjWwpnqJ
z`Q75Fa?ZgM>D@nrPUBkBH$GiL^h=U?Rul0Hw-;*WRqt=Y^?fGG;joaOCRIDhjKtN;
z(jr-xn|&lXj>exr;~*v7njy_91@d`Y+-LM?w&XY*!}b8qp3X>WCdh-=P?hxkPE&T;
zD3*1=Q;6oq%ikmTd7E42Lze!avdw=C`p4B0FccN<ba)vXI$oAO!ie}#jRuw|5QzkF
zkdRzG>kyd`6J!r3r*9N1&v#!}i3WjXYe=xqP{4ZM?^+e_-DiGPjP&f2KLrjsYlS48
zs{oSWFrA>E_!ZlicF7r<QS$c6@$7;>|K3fEkYr;^73Y2{u}JE8bAuYYrIQd-tAtcS
zT@r{yz5j!O)$+-}iLg@k=Tgw}3j}g19!m9^hV+*;_Qy^FO`027?r*cgCrufWXB`$r
zIa1v4dIznc2K7grNyqEk#HA#m7TraPnu8!Z9WIz!(RUiAdD0}raBrx$b&8*^gD8&M
z$>EPD7ov}^HJVpDqQe7lK400PFsmO3`F6K{k){%(CFIVSNL}UQ>+j-=Efk3({?yi~
zuHDIrdmBj3jrRFuf)~|p&fk5dO>3i9%4g$4DXY5i!>mXS=6lmz(+Bc8SOE$YCxD}0
z`ifwVO})#uDEQ8^9+0fq!~!k`HoV||K_=>DoXg6Kw_;0YW4O3ez{8hU(6OLcaTKP;
z@1VQ_`E<4XIn#dFWQ@TLjF239nHc3h7<k9s@<l&G*2bjnpFtQ@D<&I5TN<PgY$r}2
zRa+FK;>;(R)+*Lu_w?}`U@_<FJqesNcu$HHk`ogI8YyVDoDK{{e|pRdAPUhl4v3Nn
z)lPAee*`&Sdgtl=7VUz;unerqOx3xmvUB$_aLZs#vsq8{c&m=TW~SEvmsJVpz#a0;
zG9xG=Oh^w}`bx#uIhS1DPoI?N5T~ubu|^WaYPkHeX$g`+)6TuHzI*X!di<MyI~n*b
z{4SIg6S4gq8d0TXLmx(7PZma9PnRj=Q_sc^n?VW)u$6>yl=FHa+xTcUZOn9R?ByQ<
zc#Fho<qMbdzHK{KEvtIx_cEB;v~DU2B`=g6tgBS`{H4BqyB!gc06;A0*x`CE&EYK9
zZjob`^XC$Y%qYkj^QNN|qgZI&sfr^5KUR{WJHs`0$&A4<rOa(--Z<-Uj496>6-p_+
z9yV!23ett{*j{w@FYx(a#rNlaqgl}rNzXUA&%cp_x~+dC)pUrj?#GJtXIYM3K<%mM
zh=^_z<o}i_G@ryb#_fpL-ud}G?`k%;kS^)~{PH-Z&yXB#asKUNGCe&FUg3xZK7m?G
zun<W2IhrB2AQXAJE~dWjy;<}{R|kQU4Cgw#bxub<_*^JxS5TiYy9pB5ZfDimOI)kw
zAc&R1h{r{GF6uIO@ED35RU{rc!=WnZ0_p6qUC~0GKyDNep6a^GBI0~CBxKA*5T$Zt
z?5#MAaxx*LIM0WsXw*~Ukn*4`b0pOshxIBp_0Q_{^zK<jJ=`PWB%qPX4I4v+u!43M
zP7%56v=RZbg^W?U+d+_Z%|2i52Q+}0PG;Tv9d@3AzJDmFG;}`PIAwa+&wo)@X>r9P
zBu{+AgAOf1(~~C5hHD>oY=Hr`A?^x;V1r)9soS2>S9m}LQISPGS<UB%PnjQ^jU{S$
z3uemFZvq6RNsXog6!)hGjcwrnmU|(q*K{E)jRcRi&=Qb0VN^!CxLm3xs$bB3g2N!e
zIvb)TbyK^M_)KeQ79%Q8(l-&y0cu3Rqjz0=M`VobeZMnm@-+vRiQi+7-8g!F;>Z99
zWy_0bR2*MSpn1iItBIEn2pIC-Bd0DB|0R3HH~h7=2cblq^@?^9+Nh&iX}DP|o^4Sz
zw}}`U7}0mW>$cohz*l0^mk0w(Hze}hS0GuRnTPo$_>iUt4|Y%?=~a*Sca0{(V*kI0
zJ!^e&H|VW*gzsYo-5)`wD*r0WXzhk_D>7o<GrS#^5}IGQyT4I3U);~tI<HB;ybf%o
z{@IH<XDSJ7`v_qnW?*<)G!1Y~Ap&>6^GWLJr5+1Q`($jy0>PIQmIyDpnxnNi6dAGk
z?KbNdrJni#fU=_R-u$`|9BeN)(q5?&yeAN}34Xbxbor5dAd?Oq0+k2i{d4iALx~kj
z%DuAf4k@uMmbf`FP@X~Vxb69k@~mc-D@XuB2Ca9rSOB|BMpNt%aT0by)6UGm$+W3i
z%`UukUz&V4xp#ai4e9SFVsl&iOiw2)Kd1_P(%nuuzBLy_xMig#J3K8~7Uwl;|AN4v
z{SWoFS=0z!%<BuJ09RoBiA9{1E+9_v^PuL87{?Q9Vz>({Eg9p=cFdmY%65+!ag5AB
z4bq(Mf3@W`{<-kWR2xy<9p9==9hhm<G88$I0n@hyM9~LEM7f!`?Vojwn8svP7wR|q
zmJjoUs!!kcwnUL=nj8cqe`EqrkiUyUW_uYw&O!ykELPG;{{W-&O77`-=?^n03|<$0
zm0}GcA0d71y71enlIyE;ImruiF9t1ySWj*?tV7)o`)~k}(@gn3f)=hYh~|jypc1(=
zT2GDc>sj@vXSJNd6XG3KhzgMh;j<vyNn5c36Tw_qCq2APwPv=ARGHR1k*(GOrsj3d
zq+jZHijITI|6dD`enzuEZgip04J3VOs|eWTruW|fSYy-`^5}JaH}<OoG!PUSsVtL*
zd^?E~IqP*(dk`gDcF#1TfqZfHCmm{5;x{5W-GTftfcBw0N_sq)c6Ygruninnc%HS6
zj&P>_A+iC-hXm_c5j%kF;r<nu5Jn)N%N_n&uAT6Z_tC1uXfzPMcPT^6UpSFh<SfwW
zc{kClE_n!6<rxW|a}rvK0}e3y%n8wK4Q)t~PiV37`=i&n_!^wdNSWGq8O_)Z_uZmP
zO*W3<Y^9?wXFwY<78EDN8bhlp%|>xhBip|yj0qea{LW*2-#I7-P#!S``lwt+cd)P4
zPlku3Uo!-HYCS9LF~6ahaUjBSw)TH{R$0SN%Z4{o<w)d~iN!|58i)!}BO6vtz`y((
z^xBVn*8txQkM?x~II&P>A~-&;o07hdXz1u-g_xQ>J(SJ%xu!pisKl(CN9^moLY>~5
z?X-33!ntg-GoW{Mh59UW_XEHY&{m4bCA7PrR<;?uO3s|LN9cC@W~y*exr5bKnylWF
z_1u*a@Z_4gK_Z~<v*wXCI1TZm&h^qOvpe5ReiNk?B3J9vCSD0N($_4HJ=jjNJUTJN
zD!x<%#b4iy-uQe%UIXS<L;)mA5N1&1^%eKppy&QokkHZD<1&%4WG=QzU~2+J*Y;7Q
zU^eExg%rcom6}$($Ll=?F3KY;z+?#u0sWmUVerY|t>VQ&K24OVQ*tsJa^jLQRbI}(
zw-hpk4<K|5c~TsNs{yi+uvN`IqaT%QAeOypP<+FCN~Ru<V^{xrx&=mEpe%xu-q?-E
zxBotbH9ce}UK;s?K}#92;GS+kZE)ueVp%zd;`7kB2zq#aR%<TdFk;uS3=E_!YZb<w
z!*stnC*Kd)<FxO&wg~5i3Pr}b_`E;mkJGjMz14TTGLQk6%Amiwgzri~K^^})c)FNi
zoZ<6tt~KoFGmTcafdKGU*Lsiz9o=-=Po2h+*#7>h=F#x6tCr_`;FuB&`@sSZKS`=4
zFK4@%3DY=8-=AdfsIOBPfV>VEGM7psHJd?dlM24w3Dc)BXTo35;=W&P-Txs`JU&N%
zY!S7l75p<g@z0%MTA@nk@~}W8Dp41T%I?;W!@uqE`t!tCBHf>NdOp2=1$yunDH%C4
z^Q%Fto8?_L_dYdx_W;oc5UJ`K4NdV?LR821UGsZ$Xqm$w^fgK~_}<be-M`+6&Z&G(
z<dG9bQi;>*g`3qZFcP-EWp|i$!JEB*s^e?cD!Y3>J@**f7_5*Rk0e1LwZViTf2;_E
zd2$0(Bx_EjE8Cq{?V_){lk*kEMwiH)S6!mxQGo%SggZ=@Hx<PG%&;TK`p{da72=~{
zi;5Vj?u*+0Vwx)sG#`yRTC;<;N&@NSz&NqX**<hDV;^J8e@}5}i>Z4x=8$N^X(0;s
z@)~zzY3|UT^$d4R)`gd5<m)AiKE_!_sVyDn%8S*8k>7dG`F)_6GR(KhRM}d`wyZNJ
zL#m9;fT_ijch@G|uC4M0PyMd_pvUXzsipk~8&`s@52_rXLFmCou3)9?&zvwIwN4|L
z8PB9~XMaPv1iA3s^D2~;c>pup>s#S}`N=fr3m2{AXx+}yVX{YJ2j%g%ty*q(e-z=~
zPs8P>GVGKBu2joJE*r#zRW1x@IRH+Y|E04@KsZh6I1lmOYHSP*7W2m(j+ECl@$@k4
zQsW}8{GfY%-!0@8^4oh?WBg&BUpsmV9ZSlUAteepAQGzLPh6Qv??nHeG-p8(vTWiR
z3CTs28-uapDlm<-Jx96osWmlWQTs%s&~l3>`y43P7gaf?V=5({Ii9H36zC6_Tcg~T
zS8F78U$?<}Elj>AkpOT80;C5HS%0e^G|wjcBvKL-jB6iineKgIhpt`ukn^AuBD@|f
zd0R^(`5=xW_;P&(PA5n!+X}O*`<jKepB9<CH|Rxu4%#~o>Kr&SKHSQ1zCDb!L;0IV
z+Wo|RQ|=>q3vU%A9==27{uvRuKdruYJM0?x2VLyPu$c7MfQ`6k%ku%)vkLlOsmII_
z|NEFJ2;~$O2wakBKeNJ#=q~x$Gh)^TI3$b&K9mW=LB3R2By*&gobu%GlKLF^Rw1{e
z7|F_2v?23A)$9m0&7t@T0qoDYls<5c5m*Bdj^f^x_7mwtl(Tdy8u^g};4EjU`z|hL
zh8v%pyOC76Kxm@&6K|LI$M#**E#LB~*FC3swnv^OD0DP*evI#Q@uq*S`jyDak#t=3
zUs6CG+C}M3#Er%OR%z12CZ5Q3QO>!d2wti-!7(M}4vz&2I}3(6fYPDA5>wGLFY59>
z5`0Bcf8#+Czdm8nqj~LOMYG5ogRQg-XZ?|V=Hza3iO!@h6k>d8T6eIaizEEREbYiv
zpi|D4p`=8(mP+7yKOFcbQ+_J2yQEzE=5!~)G-&U#aXQZw*42gXi@tgw(8AQJ2*7AR
zhhy@D>`dAYt(~L(yHMS;QDA**Jw*&}C8PO`PjG_hQtrr=P+%bGPaT&2*62E(Yxf;0
zTgO(1a7XOW$q39JLWed-;6@oQv~}g}YeKy3IuZnJ1>LI$!!fjvPL*d)=-!vC1h}J}
z%E1U1u9K=c!hxivQ;|)BUpQudY4b<np&cydJd^d3N0sXf^nvsc(&hVNWUv`^@`ioP
zFXz-sWz<<rA}OD~-VN3YU2@r|&2IDN04S+^W6hX3`+3;(hj*ou@8>%}A=S&jJ0kRn
zk8tr51XdBv()a7S!2mm<GLdkCzq3+ik(plG?_Jc}xx>%<4}lc9x+)*(CP-yMD%OZ?
zx@z=^o25eNM_Voe{=-}N0CAYB8TA%0v<~ymk?5>(KvaMx5>fLPh$3xbQ?)M{UGQRK
z=wnq3$-t=if{KsLF#>adi3inM(!?i7-%2=?MQV>v6On1w<2jEj^GzS`C+0ar!X5`>
z+=TXB;7TQIh~Q^QsE#XFdWgbujVpF2kD-^5`W7mvduxAPxfd~6{nU1DCp@d}(B1D_
zBY9xiOu?ILMc`5M4B<ysF4Td-k=~PP&9ome@bH3fO(JHA9j*@isCIi|660WJ(mSR4
zw~=&ae?|J}Rt5+nHa2iFC^iaSdJrN5PI3iF+~9_QW4+46Ei{smfJ&a9w1-d@q;T<L
z$ciZlt`Df^e?Ig0?Ms3F3+?}c6hVrCqCezzaj7+`_L3Xz8(u6maD1;o00~3h6N`UR
ze<k8&VB<h<vmFT*aoc?s0%PEv#PxhhJTyS1(7%MK#=l;P3zZS3t?$dDlq+O-e6mgF
z-bXx8KL2NQdR~ZX^xJ&oiB(r18&fiq!{v{_N`?D}A4sQ{a1gu-soyvb2EW?E1~sZ`
zg}p%{BDV8LFHxG-6Oq#403_(MZL*AV(N-)q++zYlX530^@U-+cxn-cRVG}e7f|u|0
zJw7Z&8F;P|JowpFL2`%I1rvn9ui?4=AQA@-34_a@DPtp4ZWpajsU*=iUL|{lhH1GV
zX-Fg%iJdm68`MNVx@(5Y1HMXU^P!JXm%|pJRf08asy`zbKM+KWz-ZFANjb9BFDCj`
zx8$d+Ms_`NSDL$-j<06yM@mP-Xm%>WgvV}hV805X=tnYjn`Y?6XutI!7o{Cnh5Yxa
zEtwN`C+v>$<-(ztIa(R5)N-H3G}XjqTA?aBpH99q6@QD%ZDEel1kj?kI;+fiJCd6>
z1LzKnf47e7FDB=p^zSrJ!kXb9o3YqGC}*z%Y#xPHg@hJjKV{;T5hB0_V^MG!5=5{5
z9A|of$I#D*kh*rBjm9?BsFj(;YdUhUt1E6U>6med>*;~&?lq3?yexq&mQ!umyk>0a
z@hBDRk0YRno~R9%xxlmrQt}Cf|L8V)O23=r^p_W04$uzs<pLe!sS9*&75hKww{Cti
z^{k)P_W?r<&|zV4YC7hy^R~AK0&n9Nde^fD#L6XMZjHn5x0mVwRHw>TVP$$3?^z0E
zC69b)7{TP|IcN--*AhODvz68>69rUD%27H~tNX8dO)aeI0}^7%yUJozeyRga3(!lL
zKURK4d<cXOf&UFa20O)vr_TEqhC&q>%uUR0UQgCQnQq&J<e)$ZFqeK$pWxjDD93a&
zhE}sCTkxBb0-vL=Ci%Iw^O$MH80EPvp8t*0rhXW?y4NmK;iMkO_F5sqG`-@&FT{WR
z*akXa(W3FRpN51T?ACOR`B2XO)X%UVI$mGKksd0?wY-Ey_jU~aCNQfqj~($pG+hN-
zlwH@Ip*y5OLZm~wySux)q@<*Wk}i>M73nVN?(XjHZW-XapZB`HKQM5gv-jC+ueBrE
z9OP~%4HR^-S?i+K>9^^vRcp;mzu&k*Fo8fDM{fyZuqNbEz5@HvzDx*5Q1y{hvw(om
z!p%JFYCXYPpmh94c5#vHmZWuh)YagZp_sY{g78ZfEb#ehydE5Y8!rVu(TWg*7O-67
z&CSzm1v0ax^fXJ#Jn_}fD$T2<LPE<-Ydy=ay3yHWm|BMy^DEJ9O=-mVylH3@90Ql<
zqTdmb4F<GSWYoUQ5P=>f>Bbgx(p@qfkg;>F0zL7AkUk!(iY`ihSOxEfMlK+5{{%8!
zpr9ox+m~4_mEd`PZ~E8PXvQ^MUvyX?Qo3-^;IF6@{GAe%^+Iw=>vn=)g_rQE+IebI
zO-546XJo^}xj7%%DJQKkuSb?zMt5DAGg9_fLkY>8b%NSe7T`7qsP~T>tH+yZbr!`c
zhY<&qr4q}=T6?R%bWxOOGW90xG|0)0>KYL^=fnPl`!h63a`4b?bcOgczAbh1%ywXA
zqjYYvEMap22zq|^bN5W+8dI$<^yhtrU!d;pVI8#8s6AZ+GDM^Vj6+vmm|iyI;7}~S
z_XmQ1a_zd*UC;8=ZjKu7L9IM?dG9N^cb?Ykd8=>Gxyy-VS5mC5?zBSaMo1zCy=BF0
zxgA6;w>@bNkiR8kTZ$@RMM7Mr{UISgEgtB#snVu;^uO#pu0Yu<38YZ)z8pyyb{xSZ
zcHmCmDUl>wZUm8h3;oC8IK2Z>%&rc>b<8+*(M!rj58R2cM2nHeF|kUtg6h_?6QUKk
zrvQ?wWkSi^up$%9#q>q!^9~gq0fN_C`M~JF$m?M9?&N!f!CnIb{CAg^;%BP1vkWTU
zI&;|PZ!1XG<SIeAX*SFXQYZLU-mOOPaXGC$ER1p1|MHu;qOVrE4;tNkINb_8fe|4;
z;NTu9nD6tkf6X;uqomR!)nr;qhP`@xYj~`=eY2$ich#CFwF=E(GevO)eyNwwX8_`N
z>C1_m?Fg3gIq@)1SeUIple<SD<ev(uL{08^*C#$%a5$Au^yp_!%NG#r3|X{yq~b@f
z@Zk^H4KaZTq}=sV7AHDxB)ga+Bi|1!bLID9ARP>=_-sijSEHGZ0rkS1>p=SkWp^(O
zgymCcwl9YYufs|W6X?xpNS95ORozne<ZhS{q-}VX;PhHi@NsoJ54$WhCpcnMkT*Bx
zB(NhlEWXfjWLCmHc73h%W?`D3(c2t%A+D_tny$iTYYLme$s|@y+4cBjr&_E@Ecs+i
zC2o*U6--t9XIBgf9?D5v&%iXBTat`2wG&z5cWZ3$wZb<!?Z$$)`Ng9^`A{}p-OTCc
zvcgc|XU~ktuLTn1%ZFbZwe@^{P;Mgutpd-7W02yrb>Vw+1&}rW&8uN@ag)Y1%xt6g
zv+#h5v_`E@0vc_-gE}#Q_uibEI%$8b3<)lOgqik+dG8D=x)QWjV<BT3g%NJ|qE^nI
zA;McayFJy<eu~C~xjdJ7t8pAtAQ~^$75*WQhf?Eq!39`37LikAEk0VRAP9vB1c4Ci
z2^VsT3yqUraZVzu&DSsX{L^(AB>c<_#8xp_lK%=0gmddd;y3JVbSwZy@$gDg%SSMQ
zjg*33ZvfycSECigO1Zu#mF1aQ0^J?LNetNXz=4t7ZJzh#U+ONv+iKha^*h?oM<$_X
zmV7|do1yW5>9qY;$<*{knf9A&e!!nxKUSaae~KzdsCR`xHe%TLejxqksA=M3Hw@mI
z-s4jSxf1dP|4wKoC3d4VXU3z`7DVb3D@4)WE$!^F*!GjrnBeUC+12p7$e}0qH!^BD
z(0{jntlcl|&*Lxi+9<LS@U`gEL?5OF!0q5NzZ-20MXcEk8bn5cdr~WRH3Q@^CE%Gl
zT+c@VX4Vv_wb8{JKrcilr;2(6&qZXV0L{*Mhhm-Zg#eHjW<-t@&FE>(rU?vW<+%r5
zZ3KbZQ8TKXqc%k6jM{(X(y4LDpvUKpTO5U{-@hg3@C?w9**qWhy|zN1w{5D*D-%v!
zuuf$Zim3=T&s@@VDukAb*+Bv2D&%qB;R6Ac=T<R_0QKvG%RlbmH0uxAc&cRI7(k(@
z){4JT0g(ssqd`Ie54-ht$9e*t!Cs_3aec0Wp&tqZ-suK!#8s}-_VFDY0=liJj$Ijm
z<MyFmoz1ztq!r`e55bfpUbl~<0+TqT48PRPKIML&DzVcGWJ-r2ZLBTYKbtmgWD|x}
zB>1#3QlrUInI_y+`{Z>p&X{go=rm@Y6oX=QbFXl;8<gM6;*LUej5mUpglXTr)j}VH
z1#QA?z4-M~${-rK{VV;o+PP96SWTD3{AOhRvX2@MHEjjd(dP1wkNh;qcvV;NL1i1R
zL31bL>OfjY(>l}dckWB>OvR;z8Eg#M%CiM!CBFjg033(zM6{7V)PBvDXeWipIJp8%
z6pSYt8M^Mnjrb!;D5;ny-V1~*tAv<=95gt7e7=R01ayGi0@w@u+x1{Ap4*aFCO^0$
zn*qQeRUZ;9MH7eqL<CJYd#AgjCTE&41QQ;7#Kree!{P!HFH8u&E72}}bT{<XWKhFT
zE1C2=MFzSSgZfGLv2%;0@`Gbb5w=hA%(|190Zz!GYm^K>MAv4wFyFdz?TgM@?J|0f
z0qqj$_0mH60<q_jE^=a|BC}%NP!e^jsPSY~oSu2(U(eX9?y)P<&gtZVWP>3ZcTV!R
zzyGNE6}fL+2~Ec&%s_nMo3~Ab;Tt-DJ?{2UI^8R0eBixi+1wp<f^Q{scQ6nh!2woP
zi(Q=0HF;6Td81+q{($`gToUIIXFSln4d8Z}zir9@-O|c=iU}YZz}whM9bj7Tx<p)I
zp7G%3pdal)hTw77Q4>G98JwI$iUV-gh`TwT+x(Te{uw!k=i~JHT^}mX02;;F_!^aR
zj<&RJg;e4+ZtAs@J3nk<`{IwStO9fe^+r|j>yo>$5uxa(x!ND+9)y554Ye?c@UX+o
zB7xbG>sl1<CLwrm-|RRU06Bl~z8CqT?w9Cyat)jF%{Z7|O(&tp{qwCO@W|v5+T*_x
zzJNm|dFfF0?KY3B4zKvviMg#MGW@lmv_;F5Hz)3S#HQxFX4ni6)w;@9((E7YJIW+x
zyzzO`)Fu)O?IVtx=nDb&nJpg8S|99mODaQRBxA3w3RX&FN2Ro8sp{w$viWX5C_rx#
ziGL-Ijk58brQqX>-B{556ZP?rUk1=HOy_E%O|)&aw(H*t$0=Pj`LfsbatuGn57gmq
zOGyw4|3Sw5;jWm|{*plCB_Un@pCP0v(xBj>ZI2&KeM3aN1Oy5waGi4u1lGghq|^Qf
zdptU3Sc<g+fp^BRqO%ud;I!MmdBwG8f1f!jC1=Z}3w-ICL8R(W7eYm&z3-^`+fllB
z_d*HIW2z|(6Qn~A8I4a3QolqJ$`*34em0bD`$0fubSKrJkJP>k1yhTIKywUuKQLFC
zx_ptqG#@ly!@Rw6kCD4;Eil8{=D%HAQ9fGrv0;$5C08P@#2Q4-ItqpFy_2w>L7?Vq
z(P=#wLaex1|AYPw?)he?tZ>vN0L!@Q?HeQ<*=v2SL*h(&qE1*;-BrKfybmDOrSsIT
zW?U7TG{!!Mf_Z&~wG&8wG))E_w4Ov0IK{zsX4i4T)&lP5ct6BD;$(evF(9X?SQ%$j
zul|8}Hr9OO7s<ZMQfVpOpQf)GL@=!bD>~mXS6aG!(*h|b(t~V}aIM0nK@;u`D%=Y|
zs{F`So-a8S`;?;WKac5KyyAnQQ%MWDJiknVwn5=Rzb|O6rmM6L(WR}Gj>Pj(;Ai|F
zlD7he!|k!_9)YtC#@5BSJcGX2dK}?A|BecsY?jg+H)$P!4DD?+6c$07APVV`d&v-M
zr-c3gtR1tn0aV+uQMd^I@3zcrpM{4|5sm0hho-;z5{Ak6Ln~<F4%fR58ChTIym*7d
zV^1)|T=u&1lem;AU2qHJNBBcN=;u%U@*3s3x=5$&(n)}#xF>DyaxPWbFYUqu+VNHj
z@vpaNGua3g;Se6boObXK-V`9k<{!oW=cY~@-kmEFnKR{X$?h9(Kyj8KmU^eppUbEP
zkZk+`DDl%+=imeTySUpEBZ0NvX^CY$Dyjm8?Ry7JmMGD!cI1Ap=6PeU1RO;e_l7)j
z%b}GEB)=Cqf}5-6F#_NP`>?i=d#)ebDQc4P3d!PZ!zL$Jqp@Ypz#UppEByu3lRWK6
z5(vLlVvhz~eDGQmBB}(J0FN%;>ozTUU5`wjHPpsHR#|z30QMx2r9q>7iRV2Zgd{LU
zY2?dJFP%ItCR;9tHMHY&*)yA)d4zp`EQM&9kZb(?`5OX{TBT;oR&5SimET+>+G(JQ
zdx>OMgs3*udzy&@cx?d;?ywG#OUSe{P1lw7ULasueJ}mzPwiE%qxvc3nL#Q?3%3#t
zj>Nig_W1=cWkYbT2?Z!F8O?90@k;f;i2wNEq8p3&wxTm}x*ijZdM#!`43nmJ;u_3=
zhssvvOzO1OG_kO8c7GUN<#IyJz@61auyNXJiWMvzz~UPuLQtrJ`fPWEjsHnVv1xj1
zH1`UZSjp$=k4neCc%YUCtCjTQ+TKG`9=HmN73eNQh*uP;eti0TxYoumH^l!6m6;_T
zk&}~e$~1=j$|<GAXK5Wo4udTSk#WXx)MDGQ^?S&t-hxcLk^rNi`PMcNZ;L;U8&Ghf
zWN>0hvI8w5YP*o-Iywc_pDajojq}QoeMl##r1`=ZK@%w^q@n`#t`!M4f)~GlT?@%D
zM0Shybu=<cl}<n@tUG%BIMLd=+KTO8Z{qKi^FH|ly(<uDTVJ+(f`k2@j#diC?0>{G
z@-mzF+o!Yv*@RYdQzBRulpyMcHVJZAhR_2Q=x+zTy_7i0bxvy9isFdLF5dS*iS6sF
zFoh+9fzSW$Vj=J&P&1owQK@lC>0ytb7Zl1Aof=*)PY`CmTt$U`B6YQqQ~I9QFHz1y
zDj1?|E*>Y^GB8?wtYT#9t_6mGuO-k|X#-3A(viA*U|r`#y>vkrXwGt<OLDF>xP3=4
zRpyVqj{-`IHtq#(mNnWP;CNJG%#VBHh{i>{cJWy{noyEaAX#%E#9F8}yoJV@d^N-c
z*k12>(a}25clX!2K&o<>JA$lavIx?k6GfUs9!sm{#8Mr4#nOWO|1fsTgUNw~oq5w&
z3BJg)`|?qo5vtb9?iV&B)3yDZebw}Lk4Gyx*6bCJaE@U$oo{W^gurZ)i#*r9;3Cc6
zeqS!YR>NOuJDfkk*hbyR21QYLy(VH;zd-{RK<h*~4KL#(EVFsQC>UtdJ(|I5%jvub
zFF^RcR=z2xFVE=J-*W<ow+RDrFnW3S%!47XGfcY!ObGbb+8mse#Mz#;nvPM<Q9})B
zF%^l#92Hd6z@Gcihm~`_hSWbOGY_(5YLdi<fzJ=u04FHUkjVa5Uz&b1oyvs{DgFR*
zgRH7tnRfwgEkJSAn*)F4pb~_)|5VKZ`O)itclR84gAhVDppF9M-IspO(MTIABXO>;
zKcw*Qhm@1)O=yDW-m<oUu^t@G1E=uAn)Cp4XSnFp>`Ybmna>5AO;<d97CscX0Eq$p
z6}RWcLMrG$Bo`*4jj4GMUXNJcgd`;N3^?EPx<wby-;%uQ2jGWvMa0KvOwfMaKAvhQ
z(h_nLxCU5SK_OFmwuc{2hiiYWU!%jXx-4%V6~w=Ipvlnbyjs-1zEBat$H#zG#s5v!
zz}JC4G;_RH___;g%Go(E^EV&o-O*|V<(_=_&BDK0!=@C|0=k#2gOI3IhdmVdJ^M${
z&VLbzED-y@spFIy3CuEEr9(z^Si6W3-#UdW%VZlst*@>h(GYOl@J|o$=yR=~#~Gv6
zCI;|XI^F2V?aMLI;68nD1qqVwKRNb(FTk+7thTl~TrOrWoaoby-e|<Vy3!X;YmH=3
zvYtLK4n18DAO#9lL<2ER{HN0oIr6;oP3DQeL_TPEpC{uPwj>NzEo89X&h@9~EVSM{
z%o`%j&(G5TM4dD`7I?uXyF`w-9`UmW!O7$A+a1Z|!Zw3RgGQ%AY+!U|rqNoj_Zdc%
zO0`<~e}aKIC_o;UPA~sJx2q3FD7+|05w-<@gZPfXlV(oX3q{R1N6qrEO5yrJc$3z5
z1E)_Zq^~z^pVe6@zxOf5u^sjyfO@HI@lcoQos6ZmuW!ND^pAd8NGkcnY9IcLA^Ptd
z{1ojPqyV78qFF2i$X%f?{%O!XZXii)+zmey`Vz7rQ~pc(W+}<}lB@RMV#i659TZ9#
zqFcKQ@03H>2cjQfQrP(*rZ52>;e{|{9Qe%3(q7odejIRi`<Ipe)5!pT{ns2)(-U?e
z7#l_eK`@aVJ<zFB?%RlB{NzvtdRg_3ZvnaiOO0;_^;G3sZ9Ovj)j^?E_|cltC0I~)
znw}<%9Z10eSP3IZq1g^N?%EY`=e9{aeFo}esXf;TzaNeAl6i$F658z^P#7&ICucDZ
zeSwQ)>zz#(z-`H8q4i)_!O0cfrThO{08zEjPcxX<?^fZUIhg<Ck-vq3Im*!ZWq>Kv
zU)H^vJ^&^6!nxHw^dkSM3yL{^v$a*m3w7sM4xy)%DK9R;2A<#k_?ZS`R$|z8wxM2p
z`MSZH!Sh$i^F2Z39sp!{-EZ+#zLxdIOyr0rOA(t47>kUAOV?D&PsxQ@YMFjgB@>Hi
zz^0{}0wjwf7Cq4b%A`ApwB@LBmvC}f-n8e8H#ive@yf4K9|-U@yA3<v!Xo&0^fnk}
zLO$bNKo?v7dToIp5gUtm2#Ky<MWT#tpD-r?X%h_haXHZ+QmqS23jlcZiBtIJ(YhM@
zdHR7LD*zNJLGcHXi$<zPnA&}``2N-T2^;{Mk)ahmDWz`WK_%Tj6=N<H@&uU@!ys!r
zoBSIqz1Z}?pIG3SXTM=Wr(wg-l`&zxe43rb>rY^m0Zv8%<Wr!F<rDB$Z}&&4DUxn<
zo!j^J=TGLny~7~yP-+<0N)ss!*NZtf6TItwck7c^kNr7y3<j<L2f-wU*u@K}s;(SQ
ziaH&VU&PP;S&G?VX^P0#T`aKZdn{ISSq<U$%xEPFIy-i=kWYKVl9SaQ-uuwT+^R{?
zCsN{yLCopn+oTdc(hyneBMLn`0OgO{qB=|$X=N=5!~m@heV=XtARa^JjLd`PpU;-K
zZjaij<M#Dt>cGJJ=*fraQECuU`I^tdoI#iOmpQtg5RC@w5BCON)sqSqvQh0I`G>BB
zz$PF?uy|`TE3Y_I9ep(;C-<X7DhY=1k7U3X*Sx|SPC_Y^tj2<Y@uO4cO#`5Ud$G@X
zKaGv;$1Mm$!^P@>lLPw|vOYk80L;jUrY8kOXZXMRXbul^nG&7x7h)eC?({-LroG;y
z7Qs77t$pQ-6krIt#e-IJTb1Oi7b#uxh({C8C7-Ia{&N9nhB`jTfCSXuNrEIl&MIki
zjTrH#qji(ov|Yb^yR)Dxi5?H3v-4L#)xTVh(dQD9%2?g<$KLCIMO;icD5?b5c&NZ3
zo%4b<o#)CpOY!MR+Kykl-|3y9C8Ny0&F3O`{FYUko2hycbduSiWfzQSsg?tl2}W@#
zB;iOt-<G~T8h#_b71is+mJ{F0KS+<6B#pScY*&M6M0;!%s^hzeb;w@~1)^H_DB96w
zcA2~s0BEe_L$5k?NM;U>GBE5Ofa3tf#=Y64mRm1%rdMHNkCdDUO05EO&W!Q|q-*IX
z61bRzS5(Oeh1jH4E+;#XyJ*t2RwBaS!H?2WHDvbZAOt{ruX)&50P%ih&){AoP%Rc0
zd-qPg$?XBmoSCve(KoE<KBO;Xb)uMRBxrQy(B{lShOQ~KyHPY>eyEb?qZVZ(Tgju|
zbfvgWz4f0hjh~T(0l})TgUo8N#oi8pGXPkS$y0OLJCqHENh&RKynlSi!Y=ui8sv&$
zdyTnCZ<l!ED11ng8dw9g=$jviRMLIL&K{Qq`T-|NVt_atg-0(MO_R^(CLAU(B}YYF
zXvUe&N*DvQOK_$$)qLi{rQ4LT^rFa@4^t~Q7vrxhw$*_O^ECPh1+B9%A3*zj1s7@&
zY6}F@gSHol?^ee5uIG54b_nfW+~DNpjSC^u8Es%Swp5#c1~Nn-Ei8`)6^cVv9gy?R
zWAmbTr&6aU^l%<6RbI=O5K3atlV$Vxv%pWtlSi1Ct3f4Rx?DA^C(~k~#`a0=&xTHa
zOFQtC=%Twb8}Mg^WFj*9{F0Dyp4vLfWs`#}-Nz^IEWl5gv!>bJ?fQ*p#fz0|o3W;O
z)d%<kq-N1#8x_sx;%Ok}Z>;Nu$#~S6JsL+cvLSULcX2i1d$LqWp}<GsAHy%J>o1Gj
zMf-_H<1uPyZJ&2hi^9Ok%8J9dEIEAbAg^tKWBxltlm6V?xV%Qy;x?Y;wx6E<;J-er
z$=r#uUWVXn(bMzr?l*55ccuwWX^>}mxt5_Y`)b*W1Ww`kUIRR>YB8?+iE7-QJ<H|X
zBZ4#Y+NGo0l{}RZVg-#LWzf12<K;*aKFv(24V&{2y>Pn2GB#u_|LyHJ_%eEHS%Cv-
zveGN0Tf>=Oa-VJVa)JcmO(SA(u_A2%_ajR6Lw^zxq7vB{d3;H<_=l_sV0YxQJLyd-
zT-w=o8g~=@JmqFF7OQ9+^A876Op3GlGr|;-61$A(VZ2tNm##d-=W|#dz2;*<hUDPN
zejd?EL>A2I3FyM{jkRNRZ7p-a>+(2Z`C7=rMy<}rdsA@#ZeZ8j$4#S9n3U0D+xaeX
z)1eK@+ft(ub;YbnkPR&fB*!D^G6F7IfDJKztw1S$@0$!2>sMW7YskWNXh?vjyLx|@
z38p5O#>_qJE7C<IVy7&{VioaEpKMIcwyrT&q=eULv<Oy1)gIOkl6keC;mU;%ivd*M
zfF)}Q3o{8E2R(dbSW(Vwo@9cGG?)MU!_bSYQxJ-@<kdB1_<XK0B5cRV(MVYmbQy?y
zbIjLXWW))D>gL@v($<GH^S_#Lzxa;f4%S;ZvoaGus~1Xth|6m1$uE6Sqw7rxN=!tb
zV|Y$0XQqy7%2S#lxmdtQD(pR}d}RBGhPloaCa3bX0Ed-a)sMZTqWDW<lWx;F%n3Il
z%oocQ(f6n2YILRt?Ie;SvITecn(sLYNd6*BJ1_dEtJgzWtLgK?=l!<)f6oLt&!zX9
zYG6sruZ%8A3Q>NCRG8uY#5QMaM(;K~Ozz)U&;#4TWl2lUHB;O}WBFpz_wE+o%Zhli
zWm$z0_0s0`F$A*V(cc=k>V1wUdGa$9%KQA4ooPgtDrLM-RMY%N7@LU$&vUAy(Gre8
z&uhDKVWG#vUT<GM>&wdi;$o4~bF0V%|L6O^e!>-GW5oD~)n`rEYAl;pE)q=jG!|cI
z$ND)%cheb{IUh!JrI-8;UJbCHOsFNUiZBs0^Ssn}v|rp30&C6iUCj4c_{KWbNc!I1
zrc=cHOP~iEv$p)Xno7-Ad!%T4ryN0W-`q^Sd$r@()*v{Pn|I}?AQLho+$0&o$0T+p
zkzN~DlTZp2M%MEYQbDgY#eCN%V6_QhD(pw4JwlNepHw{(wwKKPf|I4o@84yavcaGc
z?OdMp-)X2eHU_UxrQvo@oNRJE0%rsotwki{=#`Gc$q>RssAd~x?WiO{t9_Yi5xXFh
z$=~HM&xpExa_p{eOUcU-ga}$=CGfiJEqO~Fmj`+>UbaX`Yp<RrGtcwd4DGLfKKKa5
z<Ti3x?D`etDJ@(r@w7a7T`On3FW0LrA|W+MeVyna5pkjIY9O=BO6M63-ZznPXyO5X
zBG!h93G;nRpLk-2p|Akvg@jp!;Uk5&XX<&e1t7rLPfy#~47Oyks?Sz@<vF#<Zu&A&
z#x=E4&m<>j;)!KI$xb5rgLDxtYwGCsmh3YGwguS2!tq=<U$D^NG%)Eq$S;jiESCNw
z-nBL$&HJ$0wR?YigUg@(>;Oz@<V`;LPvrH_JM)&C3YX~wCA)}43GGzIv%Yz)w$ay6
zep1C;e>8v!QTPd=T*|Y;F(F=H>0gT8>YqJUJb<{rBYiHjJpZkMd+TC7GHg6se6?}q
z3pAS^#CMRD3f*v-iwKu4#ugQFz^Qo++BUs)*YvPNfmu_I)+|-=Tq3A@AH42fINYl7
z3B5)5<?JlVf4i-)XLY>qikvai)hm`&S-|mO$+>4%$S4QLlHgi&O#_X6xT2?HaKmiU
z=35Sk(qS@Gbbiq-9SL&7BdULs2r$im@cEzTq}8l?1%_nfNj&RVEoIys-U02a038~3
z7nM=Zi~`@fP>b@60X#s)t?#f2(*h%yefGP-l>T3kzR-|V{wqV6#T(hPxCnc-j(uaj
zzS;$_A!(F)@#bTk*o3yu-gULto?aaMx9JWUDTgwS%EjX*1#I`z+8@z6=Ng65V)LJl
zr4z&}-kv-?#dmD)&!=OY;eSNFzOYOiB0Y49V6}tMgT^C3FVP6t&+3ezxuB1NEsD;~
z@J5Tj2=8|b6h#KdR@f9@8$W1&&bPa8*|{&Zz7u27A54a<F%p@4l1f2M(G~vC$rPxT
z>%d`OFFJ!3V6O35CxEl|-@igwNhw;ks)aoNdA?|6Y#fW%41RfP2a~nTlvw{*ob22{
zkBP^*iU^^bkDVnB%L@U7uf?CW7(3U|Uq(~NvJ(c2BolXb5HEy82v;T+vV+=6zlbm-
z5V^%!Ez3QfT-?-odD46KY!k9I^1m^i1r>((1iTulN2PpL+P88io4q!#d@I`o$ET83
z^t%mXh<MXmGR+ty+N2)Ub3(w%`6st^N9|}E=1#Zg`U#DXni3V&aV{q3toE>w*8(DM
z!!yy-CMGe;YCmb11fb;~?S1_RjrK1)H95NvUtuJVHjO0~rfaHMLQ#-(RLZqwDu3B?
zoWU_=E~HNk%yW!~2>>;A)B$K5MdWC;C2E!(Ou5|=ZJS`wi?60RV4&&udus?~G(tx4
z<+00_h%bUPF=Zj)nL@R1ymFW2;nt2iB{bR9CeV>Vm4;vHjC!oKq$UB=m!SwE1xNK5
z!wWgF(l?9mz0$Utt0iHc;%j<_(FmSPlYnm{hNXX?eD?@AyfBdw0j&&4qRGv&lFn!|
z3h45{`7HKrg|vuefIyD>=f}<z(gj{W=-;Id#o})gnTVU4rs$$R%{iZ7b#C?=5ej_o
z4u@J!S5v(Wig&^mtjD@5`tc-Gdfy#CgdLb+n}WMHs06Nrx=UK?V(X)%Iy`|6?lF$D
z5gw<OVZaPQ&>NkHH>kf3fq^io27!`3KL94U3|fMn1b=!T<TL5Jq?m`^R9PtHrlQ<)
zsOL`^lJyH~k3V8jW=~IhYcFj@ixPyIb!LQp`4lDQ^*ABEOK45o3}(bb0hZWd0#0Lo
z91}v9jN;BOWF(Mebw1%Zx(u=~g6Z+TrFzZ`m30+n3yiK!L>DWR{;i!E;QzRPMtEHJ
z7=pVs9$p@sfw@s>c6&B3*O&5BBahvxcv&_|S|Rl{!0qvobjEV(5{=2Ji=&m+4gqTA
zb+1}cM_{0R56pGv*O<twe5<6Q&R6@TXngN@{H7jIICEq-?SgE>5>{(%rb9dz&{9n?
zGH<w<IMgDmI6e8diJYVGFQ-*>8=8^;i$A*&+t8Ps#G0j-b4Oh;AsiiEL_RZV6`I*T
zPI@f4wLwsda@>5Dz$5rhpP5RKJ?GY4h#~ohfsM?TsdIa#SRri3aR)Ie3J-{M_mQ&t
z%Qy@kSfBgeYN>TR{W?Dt_F|^0hjMya5*n14#|3PQv@HCkt7!d~`Xl3lktwt{n~ElV
zU&ID0NRx-T5z`-Sf+PS7@+6}CS^PnHkE88FzqzV>esIwVj`5LmJmPA;R)bX%-T8PI
zGi;85%Y{~iitJuq<<}~o9xDfjSpYEw{(3PPE2<pWtcSMH9u76s`jQd`m=?TCK+%B5
zzRJx;48Zawow`CMZpJk18TfeeJ*PsZ7^@m2(eJ>0lFFD|1r5lK^^H1vy1@My*{eS3
zyh7R=CzM_bH7-b^&D6PNPY3tW+VXny&sxg0IC_2`+GXT8S}zvlnTRP^XxWQ>g-^yl
zG9n3T#h<t7Ps>{g>`*WMY4Q;DEsHdfI^=EmE>$s^f?(A4c{sqNrvr4RpR%p5${Fy<
z_vTwP$HB!^)tb4sb7M?yr9jL4o&R1}z--}44%Z_K&2ynYBIpixS8$j@5H-mpu5=*G
zae+5L?^K2!_lxVpGcIG+KpFbuWujw$xK5N<w#fIL=-zG}5I)Ss(vm*5m!D(-Gs%UJ
zSK=pF?aUZcLnDXCSOuxdg*<IWK2KA+b?@w&-QI69G?M|3B3ZnSC6r|{gh;WHvm!$b
z@)U}Z%cin>6{_4UjQgJBHEwu#*^*2AwQ>pyg|6_<Un?)3^>cxM6nCsd0IWIO-aUU%
z%K20oOv9W_R2$Fkf3G%O$B%GZGTM;K)qRgws*FL>5t@ARN%-k2Qsriy%@N&@w;@75
zSTWrt0z0H6Pm@8FPP8)oK{`!j`>El=K%Jt4BSLm0#5E?t5*7huHbie%cizr4(_UxR
z_8a<S@2g?#qv(Lb&E1_NSvogWH#4oshUA0))cSs@y_u(F;UQmqsg*(<frJ7oeE#7*
z495t#?)_!vmT%<;Z9=WS=;rFLYC89hr@2-kBBF`P3bG0c1H<xn%ON6x@eLg07$wTU
zuWQ(}{>uZ_#Ul}W>W*S|ko7MOh2^^mT+J+u8GBz|u-T5)BD`__R90?2a@$4;Opp*I
zC9pAA=6>)kJ6>FtG8%K@eMgim`_$|P{5;}g_ClpNO@d`VN+3)EKR#U109t8Z>JB?g
z`rZY4>Z9o@z6P>cvb-5Xm3q%cxMRS>_%#lm`wbX}=6rYZYK4Zx0@kdP%#`Jlr8{?5
zsTl57X4d!$)*(hjwKN&n&ywpbY#$NO2i1cZ`(PN4eC=U>`sE0_zNpJUEu|1^eS?e|
zZv#Z}B*wG5+<?S_Ikx9`9K~!GB;ZvXBf+!jZ(trwUARi_=;&)v;JZ5IXZObvOHl_|
z!a4+f>C9J-6*p`nle+D(y!8?C79wqQb@;YK0_*{#4)d=gB72g&NZpC;4TcAGs+z`$
z|1up|UQg%mblAX=y!ddEbA-B4E}^%d#ut5HHFacq{yUM$*gI}B6EkPdn3=L=8{a(O
zm79|J;@6f*u$kzC`036w<thRy(d)@D&ZlyW`}rj1J-O6-EAL91J;kx_Uf3Pu0^@(k
z@4>83iD7=cjsFauR_ilAad_R*eAZ^}Oi6AtJ~Z?K(!-B54tvl&B*C?_bf}#~vnSJo
z{)>KXA53s?9y$7Vlu)&#*N_j6+9-ji66oLh3V%zSs6%V_5)>|EdhBnO7JaOpMRPId
zYpn*ju#$UGz-q3e3A$Av&>}LYOI5@E_0(2+hV<9VMMwSzgS%ZclE7jUZZp|{fM|Yi
z{qneux2E2LGacmSyYH6~UO#@!u=Dq|{gcoG$6;_M-QWCl2{8wDrv~{M$KiW!oeKCx
zkH5T1S1!y{IjPNmI{&9F(gCD?@A+K9fxz~2jpK9`Cy~=n<c9UlzzfB(IZoM8{-)<o
zK_wo~_uo_MP3wk~?6Yx0RVaAiUD}(HHF@wQemat(Is<MJ<4&J<h*+q6{_gP9mRI9S
zW*Zpqcx=l__x)}a=$%{~9!Or&ZUzeJTjRTbPwrXEb!g7Zy#9i!r2kI?cBjm)yoRd#
zMT_t2@h2c3-QO<{|0dOYvnj@2Y<Cn-^kZp7-^?n%w`VN}=E;aodokIE3sqxnV*nTv
z8@<JOQito<jG=<*TR|4^ERY54M0$bx87pTk@*xQbFwRW8F1;H((76A?LP^G=f(ZH7
zOyrpH)HeU{Z9O{A`bI=n5!c_M%-BwMX^OIB9pRuiQ-lWzg!Sx(?&zQiG|jmm@!wub
zPnA@PD=MN`os81(QKSD63GBUw2Ss=Vo&;*ekME^(m1`AnAO9D88(ujqgxlrdMxXOZ
zvsaQ*gi@tekz@0uXP*B2`CMJEh4a-eYpLCS)@B9B=ileX6%RaO*CRJy1zsh7t$Dj-
z)?|Q(_0`&{t-ky6wZ^-AVgtykJ)bMt`!aP6N&zRIXbeu=xqorX1F??T8fH00#42#T
zY))(}&-~J&ujSd?tX^?HZ0q(ii<QBpNRVaH0)bkiizo-2HyZxvq@tt?PjcGUeot#0
zK!u}EM$u+I6yHIRvbwNhPf&||<jImT|AA1iFSnR~rIP&QpSc>Z{M#qd8yKHDQ>x&d
zQo$b&Jio_UevdA$9K)$sK4%j-PaPJDIrnr-BfQ*%YZgIoAI!~NnW7Bc&+sLgc66<9
z!GLqYA;xqsFGJP1L|!4iY0JN5b}yZh<8dS5Q9)SAq9Q;Yx5IM_&m4n|)2uguZo|&-
zU4$e|Q`F!_bEo3s9OZ||MybTld(|86asjePl>rYfn<%n0uUxM~qi}}9@|0%Yu|3!r
zlg#P<zi6Fvq3xCTqrYw41lTO}yQEFNxKkh(2Y}I4^=c%{B@-m)(eFh##+g^eW*z1S
z`tvhNM5t-(4xe5#6zw{J+puH4FUE~14`jct2C#=T%(Dl-kfZM>+FN780!UL^dB%<a
z0?|e00795p9#56&k=>F+I-sLI6wjFl*<FgX1QabHz5xYX*UBwYWoz#6`RYS~#>sru
z_N;Bqt*@K8Nx$>eLz)V@HrB^8w)<8aN$|rB$OLva$q{FV(O*giLl>^mOzWly2M2E`
zmBz%fQv$y1=_g%@Gul2@N}5M9g8C!7m41FN3>PB6z?ewFtEEl9KQV(m-c4#?-=`-}
zB^m(LwlRN&Qu5>!Wb)Nr?|Q=<n=+g)JHGJ!h!i=s+W2Jvs&m*L(b*wUonF|96@FMO
zZuu{v(v;xa2p0a-xL3Wi+V>@jV90_=s!ZZ>H#ZrE;=mQAD8;N2(ZGOfK?PzvZ!RXS
z&Z$2<m*dDp?2c-7M$d>S4;WkEpi&1cZ_2I5!C^;8&7bO(uSSI%mjOBQIAt1n6eO?5
zc5F{qe4%%lu-*Zu($h0{y2V<Cn1qqF>C@uQ8?jc$EQoq-TkQPVIShDhPyZ6bW-E*@
zV?~~Kh6K_(cBek8<@rd-Da-8updE-aeSM4t?7R}#zHd#zs|=vouy8$L3qHxf3@y|u
z53NezI@=<=N;tD*N_1WML+A#n5_C&IpacvLvZ@l`-^omQ82y1@f*Mx<AV6ub<8M_k
z!M)>Qd}(R<>0Co+Z?W%_V;8chrac-4p+!ny$BL)LllQ%vc14?LhPKR<c!l4S8Z0n$
z{7(8AO7R)Db;b$XZ0jm8f|N+0m0Lz-b^r28K(lgNqH~FLx=->FQ!;(kP{L_$M8796
z^M?!96>#iK`U!lDA^=c&^z?AHc)1(y{Q5MQpvxO1iX-X?p!9$7kF*NJTRN-R_O#N|
zt!7t+2tQmsY}`&~jg~Z=1C<f8|5dP~zf$|JA@e=lBffnXsE+yPATUQfVR2OA=G7>`
z>Zq;}cTOl7KJP62Sh?mGs?HU_gZ@f(et&AX5WYiu0d!H30*efLLm3nLyWVu2NT6;v
z0Mb~FFc+fv@JF5gKf9GeZL*e!y(epxOMTGJ!y(B;#g@{edZ%CrW}SxBMW742eXu!B
zRjMhwVq7pWpQSaB8>yoHsoFXDs+E2%WwF#!ISBZN-HKbNokzY!<}{S8cFlnNv2enh
zbLV0Fr1$U_*U?HFCHH&@&#Paow9LZ8>waf7){HNye)9Ihg~62XpgzWX^k2YI@&7P_
zmnBSuK1S$J=t>oe_s|TYn#PKxu?pfRQlbRA=g9wZfJHA2=}k1#vQzy3-k3nPPIq7s
z+GkdmZUMcopsfVty5qkw1`QTuz8eiiBnCQn!?+C-S)HRz1CRR$u!rtGxF~6C`SAWN
zZEcE;sHq>*?*@?Po!iY*g2+v0Iu-~yKf~JDiDNA<mpt7x+|S;!h(3tf^SbaS>Cd5j
zPbt`$U1ANSl6(mrTwOe1@LqBwy96m}F}+KiZgdrjiYw=!9cVN>YF%70Ajvbf|A0bt
zmSXgA2rdlfDR8Lr(Q_cs{pZwGpeim3yvJwUVW1?>y~<kltwd6q+U4B5@#qDSZD`a8
zH!wVtG<n2#BnN`=K)G$V=EzsdV=P@s@cg2q9QRW?8O9m9<Rf&-=M@5^{HD{G&yBcV
zxzMMqM?VLD>$lkq;2BpfUH2=%!$}lR99Kx|;O)d+G%EHJ#&9NyXelKn{a1#IKNIVJ
zHGTkOD_w*Y8~hO{X-)5%U@jy4BlI_D_LZF_7VfP$%E3f2!62HpehEFwp)x$s#|@ZV
zSelmkGOA5OLZJ<lk(Z)B1M4g%G%P2n?mcH*D1Ez@!cRT~s3|$z=ow=q&o$=82RyHa
z08TvNHraZ3qHXlMYyXAW`e-W3#oxdjlKk(Cxf1ek%xRw)gEjfb--g=l!ph9)HVy9z
zc&VADw~hZox$l5$65W13j|e&ItDT9dozr;$J&5d=q*pEhNBb{rdcMDISbZo5Lv_-A
zH#cDGQQ^<cB0=Pq3$jeQpuj~GLReM@QLgrv)`UKE2hivGA8h2a+cQ%hZvKVN8#uj}
zR|ejMAMgL2ot7;&RbW~{1vk97%!Y>DnDo8lA_n1bQGmVEygi6od64pM=R3l`r;Yv3
z7CZ@AOn=YuP!1<cINczhL+a~)%p9CgIc|RbO-{q{Cs!ny!HeTGZ%mpzlD?Cm>4pD0
z%%)3OP)p#^r@@`i1Ic+G+2<a2qv?IqUJm4TMux)XKtTQoKwzGJ#LwEem_GOb<#otq
z>DUhxaKC?FmVRlL-JsnfEPzdjI~IujhUFzR%n3pxRZXVP?SORtF~$Uj-E2=-*)0BL
zL;^q)2?^K5U&fxxpgB6N?wxY7p1sazcaqky$tsywJ1LZ=8o$?;q-zgEQy^sAKA8&1
z4H47$Lot$veP^mC<nt&DVQv!}+HpY>-LQ@5Y4a!?rJqfu+cP2GbFE3)+M&p5qOz3L
znqW{j_alMm)b9kAkps`a5wNR&Px$}C&1R=NQlS8bArdIluE2u%^{`F&G{k*R+HU2l
z&UAD#4zOg^_5N+p_HZ`(GF{)G(2)s3qgy(FntK&uoVr;<Y3$fLOYz0Nx+QCl<2WGi
z^9GpnG^mTj`o)2>kMq+qYRs#<017-*xSVTG-go-v8D*aLESYFQxGeZmTppw|h(+}T
z5eaC2V{n_vE_m@tyRac+Z#M*?0sdHR3I<V@TC@EG*7}JE%->h1!M=E`yFk*sBX*Mp
zYTFzfElK@(|GySsuFhWVhaFDl=4n=~;x|C97y*)pcV9k@a$X7uECB=%ITWpSPiG6F
zNxAYBzS`=*1LJ*@R0$1fvb@+$SUcLGR=VdgzF4teOOL#zCMB%MYG*>Cr_wW&AwPKh
zZ1{3y7JpG66`Yt;aj=q$d3n-mvACpHefWR@M8VL29`Anj)6}4v>y%WOO{*f*_k&(>
z`xB#3{@ocH^1T%qF-FF~oEm#7d?pZx|HCj6<4Eez2ynX0{l9fe=hz_I7_a*NLASR9
zXWz6K;Ok2Xc5m43iq9_+9R>d5?pfU8Y8}SBEph}XYN+?2v;T^_<=^^ZzlQ?@-m{qn
zD&4LXi|8wU|BUBY6G+K(eu#SX66m<wY4qazQH|4p^Mz)W^O6yFvJt|zujKrkwzJcd
zhKmrpKDZvjb9MFA`e-!{@LcIoAGcT+46_J#k=WL~e2|x3GYNuG;_+(rU(94iODFlM
ztkA+o^I@mFV3AIoC6srOp~xVtk+K!AM|HP1Z<Pn={_p2#zQe{w+_1Qn?hfA&r4R+_
z>&E4&CPzDAA}t;ROAK31e*8}&J>7dYjgXx#i-Fz5jr4ldmiF5ilf;y9;K}`Z(a|;T
z&(r97)_!DTrQki?Tucrq!avQITCMp~0MwGs>B!<KPF|Uy-4x7&YW>%D_z&}8KdcYB
z(ZJoN?dL}V)2lKJ-j>D9w{gL9sb1J#7^y%)?-m8{Wr-h(pN*fHed+$~`iI>c*U?$&
zvW@qHn`|Vp$ImFLawU5I3ss*xKXmfPmy$kn-xvOjuazQ&W>502leZ+`fXyawVL-+?
z7@Ur(F#xj{Wa8o(ZTAdZ!>Ey06sd1W6Atl%?sIvWCTEFBQfSBDfMTIn15fisw@sQB
z%+<}#gcT|pJH=8;E-30`i5#*%7o%80@V<-e+-DEy<1_X?)ceP`-T`uZAWKWXvtWcW
z?gt!SysqJley`4qh*rrrd60*)79-1t2A9MhxI8;CA?4+=i$=800heV2p$QSlZOH^6
zX@Kdn?=TbK0ty4|i~yU1h{Pk<_|fV?mPr#77*WWF+z4bcx($uM2vdTp#zZWl<Ut*c
zhZ=~&&#PA-8jO2wT>4%4Ir%5MrAD~eV*;-E8&*aj*Uf$oUivE#0ccv^RwJqD`Od00
z)QWL6nNs8XYWcT!&ThLWP=Pcm(WZwN8*BKN#fJh4;k->d^$tSdNA|LtrM|dvZJ-QB
z2C5c}3l9Fu^ORi>ayl>sRE!SD#t-?uYoR+&A0a6J1>pwN9aJwrR41qOA1L7`owaKU
zEESsq(Tl=M`ZP$Q1oD`JStlQVE6S;0IF9+PyxMn7ah_MD_5R_^Yc9ux8$3_YEdqhQ
zaQdmZ<g0hZCuUw7PYmOGvvU%YCKjGq4FRL7d{6r@RpA#`^meir65jQ#7HRYS7YsD=
z{n~Xf=oF`Hkz4Wmo)oqKxHHz*DeDy0i}gZrRNUDo6Wp62eHX>*rmtW~n)~7(DMvhR
z6tmfTq^g{SvA27q`kO;jy-uC6c*`VE`Yw7JaJu2-d!HR~!8hu^|A`%8%sLSYUVeX_
z^R=f7yyYNStG7)CEK`_?L~LfLZ|BJUBQrtNwF2sGQ4vc;3;$F;!LK7$^B-dxCN(tT
zf}ErGBE;!{S%L=N>Z4n%d_DpKZ-MbiX#Y#O`%jU})Kjv^P!tfBw1Gg7G{|T<bt_<I
zMgKN3y@5B-WS`8J>HB#yhVHM<e(BKcY`njJKbMtj>KYUS0Eb3cO~U+l*zPW;y86tN
zZC!tf`-D`!=H|9}bbyp|KOh?t-+}-d901s>%{UT+XM|4Q1gS24aCIuAv0Zt>Vp>Ql
zKK<1!J(Z|ucq%sTLwt)`=Up_&yfZAYt%F`nXfPSN#I1Pdu19%(t@&jVFYm`!@rtUW
zc~9Qnhq%*#MV26%9JS7rJ%fGGYF?iwH$a^w9DpgQmYd;fP6Z#xw}?{5*?u_xi^&b*
zlz0?7c?3)j?BFHC`s{aNv-xpJ=p8B^NV<TiLPIKY`}|aY0Z=9EqlLwS#HJLVo<M;A
zQS9+?xP+PwLtA-+Qy~<LxJ6nh4vuqPjY}F8F$9ho|I8fA#Vf;~r{n-h=^cJT=Sz_!
z<pu3Kh)7UT5mlXvC0AgC9>d;=SQESPY|*wv{je}VT06}XLHZ+yFHn`M%nT?12~ya@
zY4$VqT<PQGRZ;V7>C-m<J3D>S85`2AfsOc|3n$(kl_H5EjuG|AgR@R+{zSllGcM(b
zb+O(Y**_pwRK!4^egc4;9N$$Tv6hqQhg`8lYiDt_3x*A1eeVi-rvOa%Kf|^Q*2ch?
zFEdz;1=LTQ=)}8;c~R?ep?)BTh+jgp>Frw2@bf06-#n8PH)r_Zx$Q-md9As;wbCsV
zPntu9fjfAi2q<>ApEkv}#47-z>W{3Lj%LZ|$#Q0c#iP|Z+v}Qt_8{#s8&VLg6zZPY
z7n1;lhr58{+sTuzsa6qdoP$qNn@3xnr{o4xjqO9#+1A;q#Ej2Jf%sv`G?BO<>pi63
zuH+z-fcfv(u(kba4nrliG0*1VF34Bl-`!e2PbvRrq<0G{FgYlp!7e?YuK*@)Y5z~Y
zZQW>^e~d?F<rj|KEw{eF`uZp!A)dW`_+>oS4IH;J5SxdF?0WkPzb7S0tJkD_lSIEl
zF8)&}^6$NX0T(wn<>X?&K49C#08M-C!@s>}7VjxcE4X^5RJ&QW>ALB!UEVPml=s09
zJr1&u5-AP_Qa{`E!BiEQ1^;|tN%VrrE+9Sp_v4w?5GZ?nC_SB8VF-ewlJD!0s6a1D
zIq>`_nh_uv$f=36@cFlB4gUx;Z2Fq3y_SMalKQ!oXdUr2$%v|26%6``@E0^Dn&iCJ
zT9YdE1mB7VJfd1BEY}MeH(4!&SF4UNS6Ql?Th=m7)5e@-CP~&8xD7?K-2~V;iQVTC
zJWEYHX*-1yO};$m)q^hs{MzMzG?6j+8|cS=wrd&l^;29!C@nf3Q_EW_ES#PDJac&p
zfXH8vYtPAlTxV!HYCK7t(}TEs#sn{FT}x!^hzqVQsQ>L-c&*3HXgB9UWW$oyTC)Jo
zwjz)N0s|ot0u-g_^sHPL>MKLcLzm&GayZ0c26djI2dV(aUJm~pRA5+UeOOu2-`YD0
zbXMbmMz#E>{${jm2x_RK<?b3w3jW6(Li>=$jZkPGwb9h3BBfbg4#+}Eqe)-!+5l#k
zTA!Q#N`Iq#p{FF^({*2iuNPM0fAtJ$JbBFReXEKci2yZYJ@d4R*B8i%v@oA|t(^ix
zQK}o(^;_px;G2^3NXyx<rJhAQ)QP3`P0%a`+7=xVfu6kfzw_R-N$c8!2cSMKfD0N3
zQMY)^-V(659ng1yJb$&BR6@SwKL1TSU(?hgufMAcg@D#TQ0VmP`b+P?3NpY<g0A=Q
z3M>J8P-UR#Xy5?CY<Tq$KzBt%Dt%z%i+%J$2i|%hheV23q~K(V1Egbfa}6LaQ`74y
zG;?RCB3oz{<9Z!<{Faw;Uj9obw_;7b(P)0WSNcG7^VE?gh!a&_o&nf8hpQ}l8GFRf
zM>zDkjM0z4HHxyU;%!~AB*0K8=mpb#3kKNrE$1`4g&NBgVRs)iV++GLMUFbh<Wm~J
zZvtZ;)SN}PQU>DY0=^EppE$bVkfnDXqo?vgjz5X<kYkahi~0rc$8sQzhQ`Jcd-4cG
z;kxGo0LtCg=wCU4W5FNWbbvD)O>;v75<Vcowfx63Mt{{iFAMlqea4&F?Y#=8VMEt7
zehN&ddKxSmd;)Ci=E7HZTP=nWVjO~0@yr}X_IU}Dc)D52|M5B1e_DvXfPwsrFktKq
z+Rve=Kzq0k3$)Bg0mMtinwRKp2-Wtsx}3b+M`k4(?x3IQ^Z*mMW9l4R8qExUEuhgJ
zLvUx0SD+mmZ0#W^<aNsZpIrmm0g!|JN0Lo87~~gD<HCmgwwpGqo_b+LFuU+oS#MVd
z=@Og3nh@*2K%U#Fg*KRT^U;YP_Amg5Y2il{EQ^=4zWBcfb3TGFWgY}5o=|6L1AWfx
zv3gQG;5#<&Y+*vqaa=?q7Z-7->yCh`*WYu;z>P{3&fpN_M%CA&_zEzZ3GUj)CMN^t
zLZbPZI*05Ym-$fs%KSX(dMpFfyJ>*=^l#t==)u4Xh4Jw$AKZ=K=$hNJ<LLpa>1T>J
z7^bJ)DN6n&19kcdFrC3i@Jw7e8)b^voHhO`SQqGT;hIYP5llf7Kqjms2R8i$(<v)q
zioS`U3J65`Zv1WP4C%eDjpW(ADjnq3Q`fbB>^zbfwz_VeGc{_DYfmJAUX<9^o;S7v
zUPSO7Hrd-ddJt2FbOfgue5VfioXss_eT^T&RQrScxKR{qyGPgLINg#FaByEpk~;-W
zK|g__yZ>?@K-Cz-77K0)0^<KZGqP!amPK!0;r5pG#Nt*x;cOww=eb&et4Q|4fx*od
zO2AMBRQp*68Nkx$#a%!rprv=-K9gV{03(UBhd4VCWhX$u|B<^L!JBeT0p00%{_T?D
zTrHOquUvQlC}C-Wjw09z$N>Ms))+4W$o}0^TTkmC6UC*TQxT<ff5suz5GhJ{(XW&&
zlz1xWlTAi;`xCaQd$G*~*eWYzjE&gl46r_gwjrwqi7=hlM=+xUSX5~fBMC<u83)IY
zAcgmjJdPd1v+3cD__(pj`f_hM$&a>@q=Ii2&jrsvxlR}DQO@76(<mm2a6wB%0=?`l
zLZWBK@Jp?~3#B+uPskr`PFi=QYu}->l9>$ypWFFE4Q2!OBbX%ccc>8{Hr%;ABvS9o
z069zZm`)no0pUVO9@uuhh<5|Bp0+J@-FoSqs9x7P^Yw!m4;kn%NUhWPx=bGYU86CI
zRq&VYmf-tk;m$I8ZkCbyP1|O4Ly19PU(J~V@@kS14SZmzg(D#qf~l?*u!tk^?PWEE
zJzvo3!ulO@Br!g-$jE6ZEpoi9XtCyGK@&MpFZV~i$?xsy0btc;?c2T|BFa(tDezPH
zzvP1kgB&C@%erTJazYFcHuttnvC*Hc#?{)N_r6bEYuI>I#iam$Pn5e8`w`Y_p^9G=
zJ%HT$WibONnHV(Y#!<uk@n~^m2iU`=nIZ~M_Qn5~zAx=p{iW{^?*GgiV18^R!_?8b
z*Hnn1vf%F)=`el>zl|RX_Jl4gZHe|&$pLVB5;&J7?0mf#AqfoF6DI-mMnu8D4lMXE
z+<v^Ei;mCY*~Foi&K=a_CUK^KftMKuBqZT7$6?IhUg$-dU1)LW;dG#(rskSKb%5<Y
zN_LRsp#LlBIvk<?|Njju`|Rz^>`nGOTQ;d=MP$zqau?~0GO}exMA;)NCwpX-z1K%V
z8HEtP*L{EY2fXh!pU=nh@p!ymFM`k*(7Ek;O-oI!cb5C-RHAk7v14^M9STWQYP0Tv
zOP`StMeacg!(vEvASpZ^eFpyOV#zpMt|f1nCFG{LMT6%udpCGfd?xZV-Sn>aG5PMj
ztdnyqzQl?>;fSTo(WbhPO@;NLT%vJ)u-K<pUi4F&f>*C?a)AWvCi&v4TVVM9_=C$?
z7Poq?Ntkq!Su^Mt=K}gRwmj1sIYCT(a<H{-7F1h2XZL8`-INY+qD}{cb=}>hRC%D(
z8L!gSZfO*c&&{0_j<5rskUC>S={u>TklsOQQ9^a^O^zfgaPh{4=e^0HA`T-E)yF*g
z6)h~qsVRPI6K#W`jxdEUbGZk}Ljihso1aMZQT0NpitC2*IV1Vyo>9!hZr2{Nxsq@8
zEZXjUpL)mkuf-~S``<rT6~pXcyFo23-U$o_=M>rt#&K_#a0$8}*yK8W_5@hl8q0_(
zZ6jk3XoHh7%OpS1qp?&;voO%T>oG8UF6$MDfZ0MWAm@t0`f8hxHG%%+GXHbObA|=b
z2~A_gB^?KzYCMrXAMupk3nFJKgv(&nz+F>PNbHIhxx%TnJ747GRNmB=3z2e+B0C_<
zS%s(UBpwrg$GpJOR7!>D0;v{d(N&J_I5^$&oRsl4O#tAmq~3nSgeM{PrsGcK&P5$x
z5?oi)DC!B&0P20L;y7{#Rjkrag7A(cV7K%N4<$rw=kxlg2|{=iEfxym(jZ!A=hA<M
z_!*}A0bfOa>I?6KYrgO)fp)+-xy(uUK>rwDQ)m`2uDFMP{koV3M6aXq{W*p5(=i}n
z9J75K=-rzJt7Xa}>dCovNtun@ue*OMyLl--w1{qfcCq-E+)T3L2e5AnBQ@biI6g)n
zcZ99(dV2W1AeU$CT^Y~$7&Pz9O-GfWWz%3#4C(ilf$&3vBnT*;R<nA4T}T8&+O1S&
z(WqDemVY1oXYDUvl5?u%wS^Mj`xti8Gx@K8GXP?THpLZ8U}??D7f28-ZB5yr4cLE|
zpK$)6vHDPCsKR4z^Q`x~o|7W^S7H?IjE(&<m9rsP*Jy)jXkE*{F=MI^ZTVWwNYS2y
z)DBEVmu-WmZvkxpxBzGMDo`Y={rKYxWc4trMdx3IciEJJGJt^_;+~cQ^q_|}RRX{e
z{HY=9@)fA6kYBghWFJteNRU*-AEu<h)DPWHA-ZTyQbO_{7SA~O<r-#sjsI;@11aD8
z@d|Q+?Kw2Z`4$L+H_dp8CW%=`(gr%_2MuBYkHRu3u2U5}w0^>HJY=5+K)tJ2biiSt
z0CelKd=P)a`FLXEbUa-ko<?v3jR0t&w`aCDyn=#7bno%|6~One-#y3hW9gjmQ!wo;
z$UXLw`<d-*L#4QP=&nd@A;8|^pXR%YHeGL?$778!ojC8=G%)D_bMPqYd4j~h<nuFS
zf_A)ApmH0ljTNWZVTh;@YzI0RAQuQ;Q>=GqNx(*8{A2~<eh0R12Lsl$%%Yu|Vu!xO
zv7I~X!L#r~Bc|N*58Pbi^&4uink|6l)DIcH!!NFtd3j9&!G&EkC$)N}*Ih=j*JQ3U
zu7NS(4<V$IN9dzh#-bphIwg)Z*?NXX0IqC3qg4n2<qIjJZzu318f>;dG_BY-q!)_A
z8X+YFvT-|R1a|RjAgW}*e$nP9xu4-l%!g_w<yOa?9Vs`gg#Rl=`JFViWL!ywOS(`6
zFyzVfGN72clYbv&fJUVYlC$Y}Qj7s(VZ3W_y_;@bF`ejrwdIkyn;Ft0mOr`K2ygX^
z0m<?CwWlX&9qbHLoSa$3gcJ_Ikg^IJp8mZ6Ao;eS{`8M##335AM>#=1^hejxW>9y>
zQ}F*=rS5#3LK&ma+uN<u**(9v%g-I#CQFip&=#fS4-<fu;-vGIN9d0r8~gj)icPP2
zh)7uUjV2@<C&Z>a+faA1xBvQbW+qg7q=86BdqA8GpG2pqKZ#~t4X|njn2|3+1@Prj
zDSQip_dZ8WJjn|QRkRt_5Cv|(Yp))$+&YoLdL@_Cww6GWoGBYHU(`9C!CLCYhZgeZ
zZNlHkvar)e&UCG%ZRzPt_7L@O4N{qC5|Qgelj`0<hN14vqhT7HuGz98#?P%w1n*72
zZ`@Lf_X-EPxHtR~FDdpmRU&PTcwD9ppvVE+R1)#MC8T*Ou)!J-N|&6pd0n3FkS~9c
z@9)ZVUcdVgC*~kO;bcRKeywe>qTBUXrx0CR(sugiJl#?#L;NlquJPV9vy3~>fab>?
zv=1h>)&t*cQ7=pyx?Qudz^93HICFw~UgpW_q4b6FjsPHFdYgXZm{Dof|7ycP{O&b^
z^ujs7B~mF2FCzZ_&3O<KD(@T**E1NOaP7Zy%+cZ!z9Ysxvf8q12f|@GMx{v89u8?z
zek78$7&|vf=9~k^Gj^rRKmXf(7RKKsg(NrQS#{kwMgwpZRTQ(+K<@xA8d0wjqdz^X
zi<!AoQTGJ{(sXPMaL{{CZ(~BS!^B|Q(U29xxtaP91^Q7=7qU&#Q&Y30$DyF8$bZtF
z^F^sL`MBQ@Nns}Ir|fI@sE!W85JOWFB-@LGKx#x!R#$!`gm>sPDrRP8(zQ_9=8k{6
z4y&06F@MwmzC0AkB&tIvZ#Dx2zs**LK(GAv!CdzS#Rr$am?FiLy4taQaTGCJQp9fu
zte}FBS|+uX>!{)mSv2tJ-Pybdm#kF9D|wHIWqkY~_BR(jWDX~wWYkmr050>+VzaUS
z?Rnra?$hdUJJ<LiL^y&`TvzJhoGQ>f2i!!8wQcxJppW{0f@1WQDUbWT1Og+Tw&$%X
z?X8v$pUV_y-Lsba0Sz3;TAdB*ffqja;Mq{F+9CWr+P`JxurWw8*Z5UAE3CIaV1>C&
zW-Jl8y`7*D1&PJUp)3zwW;e|tnV1vmp^G#LIui4Dbl=|JL09#50E+2v-JXgpkO%P2
z4`YI5H_RwP*c0Dq1@sz8Y2^e2)FUDnAMQ7j(uAiJ<WQY@pJ_bW>u~&yyy4Gz%6dvv
z6D*hvTL}tftf{hpLC*KI{YY`5)kC|Nq9XUhnn&J7V#mn-<~J2)6$MHtJA!WjBtkuZ
zCKW_-8zlr^8_q5m%PY-4*ojgEmIls9rQu5+E@n8fMk>!DRXEozqGCvh{ts9_m-(X6
z<`HoJKb$QlpuH}G!)G#8Tzm%4wo-V64(l>W0jt!WH7P{@WgpAwkVLB)Fub1zTC(dz
znhNW(ElgN#Wp&7aH&cJASqoBNb-GE7q{*Lvwm==)IM1LFh^h9s$Sh^CMj4-tq0{6b
z5QJpsIo-f94h+wY+5r1%$w})d8^LqyB}#k;80pcG62+p;t+UeLI7hwL&kP<)<I*VL
zPONt8xefS<QJW|TY8dy>fw_8YADIe6o~%4CD;+0A^p}Rnd~GW9`&X23RV`QYPdQ+?
zeSh+s%J5wp2lApx9;XK_&})Zg0)%K@aEU`^oCIxANV4*9&UiXFDirWd!yD9Np@uM!
zw1(YW-BDE0uvUcZH5kbEeq|UA^~eH6qI`15Gfj=l@RvX)NWh;KNv#TdskmQKF>>@b
zb&+}9`6)(>r0FJpM_n^OsUDG#cN$v>Z@RAj+5>9Mh#zs7!oKR&T^byaZ?3g7CfZ%i
zSZfGT6YLUPLc~CJ6|LH8#Aas9VTHoqx~Txa$fjY~cuB<V$H5gzqF;|M<Iw?*<Q(mS
z>#C8;5|o+ZoWb}7HTszu!8t}`DnL&<SHFLMs@@u~w_E-2DYwA)OTNigSGH@r&-SlN
zlO{Y}VJR{l=k|X|>u5{^aWCNed{I8~3jRqG3S5H^O<N^?og9t&RorE64pjmU9XbF1
zE>ynqy%a$Geiq)QUkpiVBiF`kl1Os_s};zJ4pa40@(OphzQYsajGcgHxVykOyjfw!
zTtUw=&Sg#kNBm*D<PCd!)5R5PN?lXDOe#Pa;-XARxbnmOIiRMqZyc8NwQkllS#5pa
zk&_ZiM$k6ap5rL)qw_gtC<C>B9)U6-sg0-sq2d1oFD!er4<4@H_~O4&yIlvk9Ea`Y
zt=XFESdUIBU_6ePs^a4^V9M7nHuvg2R3WL2hX@eY6a9d?Kslv0HlnJR|M)hQ`ZtHy
z``pVm{$S|3b8&Ht{(V=kkK+j@r}u-1%4e=RVqaa=&%9tEE~U1RT%jlM@X6TA@Cb;A
z%{nAZ`r~f1wd;!blOw~=!hm+J`$j)<s_HGXHEAVRT-h$1(q_zac!EIPu0Yb1vkXQD
zKTL8IT*khMlI@AxD10yp16)iT@Yrm$uu1`W@S}Ke^@DYnKt&7kA^HNPT8DHLK-<i2
z&|yOG1k>Gjc>HhC;hwUdVPoG7)GSc8^dDFRH?z?7v||Z?YccO+=b^d?_t8qZBT_Y{
zUllvF3d6w>&+Lcx7eA@1qIP3{ynCLii2+7;!id*`w+7?Sg5t(1T?T9;KJ;`KOB@eH
z&i?*2nV`zJMa@h(v8>5Wi0<C4Cww9~JORvNGUc~YXVn^eyB6*8*t-lmKWQ}qB+cMD
z@;u<W%**GJ1I5Lks?mj%dU7Pu=QuBvWV*u&gKt-LQIeA*498J((~=yaw&p<{OGtfw
zG=knc`eaxL!Gn<ncDxy}JS_rnPd1Hzrf(2~BG@Ri{uQ{R)AjYiGK2`peu1BdTJ$m2
zNvkJ8y0Jx;>~JVpG$1-4TVZS)6*pC55v&lY@Va1ycp=^hscNTHu9I`HdddAeCM}vS
z%0W*%la-Ij?mE&l>3*oQe=4c+@ILb!>hVKP*O1X!iOi@O*I;dtE+v+wVAPD>Jd*9m
zlcM7!f0VYw90L><F=IKP#p3Nl0LHz$RY483z0GF_Y+`mVoquo5D+H`^FxOg%L%OJ!
z{?Xu}t4N8Q#Jt2C0=(jBbk!L8(zscQ*w0V!^(X2Pz$7+vu-)v>wE^x0TGk9r&7zp%
z4Vej<?c$EtrV>g*X)q6A`s3p%c}1J`HP5Jw=WxOZTY<eT4Ztv43S@}i5})s&JWq@U
zK+Cw2Sl5*<LKoB7-@<_3{|s18Zky^)2P{Xwt6fiV_-q`btmKom-%sGZ5XU7amIX`z
zC>6amM<Xe}1HgmID2E7`GyQq2Qsb9c%LqKf2iKe&aZ5|24L{6Y=Yn$qLR~w`m5m^Z
ztZz6+g>fh;FYFGiyBl)cQi`J=0F8^<jcyv|jLdcHU3e3{D4o_i1tmuOA=TVqPSJxR
zYXT2hqSb|?^~sJOSqJW!rVr%H3?JCRXa*{%>2tfcEFRVQ&0Cpsx}>_HC$S}k7p}lr
zMkJ(<(y+Xg4^98yth2g1ykE7qqYmq|5(+u$>gM+kQ%|W-h!lJ}TDtpRe{3uBUKuB{
z@hd;egRB3IzNZNzYSzr6xfAv`ml?2LT|}1Pji*6r-hqQ+pkiIjo26ey;F;g``NycA
zmmw$$(pa$9^j~&UowB<{bDiA%U~OLYfQvtJA<5sR4fJF~9@r^*zA+PDlMfcZ|Mof2
zDvJWkDj8QY=;8o9QxmZ&Y9k(=)HnGO)UXFVr)SM0E~Y7USd+2+u3@eBHo*r2*)+k3
zlF~>`vHu0K4Syl18iYdfw5=kQR49F@58FApJyxEotd-)4v97p(Iq?;L>ZO2n99#hX
z3Ud=j;4IUDj|UrqsW_&ta&^b`9Jwi>AKwJJqp5aG7ngPO_+oo%o&+E}uKb=JWqg*t
z^ZN%v;e45^+`|ArioD_)8V)pLh*ce8Gzb8|NsebW1g+&0l?_uw*7pzQFJyK|fQ%JU
zi?l3r#9dKhlU)r!1VA00SrUChS;hy*ecIk|yBVdZ%_Lp_)<`hbnH1O(T~`n5*r+~w
zNLffx6YmnKYJBrZ0uoq~-jb9T;_}ZV<kg#`sCL<ga{861lk$mbJ2Nn=K7=oH`ckZ1
zZ#Vu2%YgBWyK~0R#uGo{vMzVNW{1z1`ur0dOqeol2O%vtaKO%~IXuwwUbgC@umR`e
z0bzvy_4L1nu+v~4i5osDsM5&yKQ-z0#U*Z1p5gZZ%}@cq1e;r2XV91)Sf&@kkEP3k
z>A`E|Vxy@WlJ$4kcN%RSzr+j?yly>l9^_CbsD?T^2kGWX;{Q2z)11`oXQKjl4$fKH
z&84KMxJpTs<?jTbdcxasH)jW*v8g`E0T872N{<9sZKUrUJQc_dN7#@JYd$`}=P12e
zKKBBpF~%~=kIol`?YZ=Ph9P6SxlX_L?0_h0e3-DQZcGr3*N^aDnh##rGl}#Rw@<__
zEPFBSn+!?=u1cMIAoLWuMsx?p2c1t)3#@J`0;<u{JBw71fXwDbE%ItSV~mMgj|uBS
zw`9RPBwGE8GuNX|)ae!#;O}7!Jf5L^_@PL#jlMBPyn4eFL*5yUEN5(KoyAA7x4-C0
zgEL5hL-m#Gm!~A{jD6tP*G#i`Ca98uY^v5=OqCQ(GIuvoz)JM!2oENCQ~Cr5$qAM;
z=)@ii>EV_};=tY#w3v7WDvyb_WO2d>XAzADz5pXU`q|n!AYEun5y#Ihg{d!fJyBdy
z^@Tciw4x|a@!Jz@eJ8R&%~L8%EqS^-YJUyg(`Y~$LnpdxkVd)$jH*e%mkuZw;n5Wj
zUyxb4`n15wGs-P-UH>g_k(z^dquH}?UWf*c%R$yxJx>F_bz{5P=!oW^f6#|m_n4QX
zXW9)0vEYC+Kr#Z>@>KML|CO|KP)+_L+jt!L6gXRsIorRyt8=uaOxT#pwE^;QN@nqZ
zjnv6NRs^{(ZB1lHpG22QQbsWfzy4FK$}mLgWL*XtW;l3t*wVkZmO|Bab)S0%h^T_Y
zNY6f+engW!`Q&XWkdwHkz2NI#Kazf(hoAr1&J9k$!4P1k-;gxZ8rp;?pS+=oH5p4v
zDUVn}`mlYcMf^RPCYL_<!rczd(*NHkosBh6kHB#zhniCR!aXl{K)ml3dfM=UB}_@y
zm{RWJ$C<Tl??g~Li;c+1E6uI#dTQB;6EED`^9yR|?D_&VF?l|1=Q8FNxDb!sa`coM
zA0I&V@gfjedbYMge%AznHbO(2^ZDO*UMHtl`g&vFCJa8SH+=Uhw62!z3$;@FUl4io
z9R4(cg;7X{$Nqo!-yEo)(xz$=urp{m^MB-#qVXiJAoF?hRoE`@d}n-TdGO#nCJ@;p
z5uZr(8SQ|2xIm^3nXuIbe7ib#avPnu`n9f(A`&&YD{gY%J`9B`dZi&_a}ZKp6i5CN
z8<P(&R*?+xkZv>9+UP6gKAwGr*bel=wx7zci1~I&;Ow<^<_&piVo^@xuVu->0^-dm
iOf3ap21|0G?+VJL`ubI^oxm>$_~~mKqbfBWp8g-f?^Nsn

literal 0
HcmV?d00001

diff --git a/docs/images/favicon/favicon70.png b/docs/images/favicon/favicon70.png
new file mode 100644
index 0000000000000000000000000000000000000000..6d343b05d2e4ce1ae8b5ef662e6ebb65625f18ff
GIT binary patch
literal 24851
zcmV(%K;plNP)<h;3K|Lk000e1NJLTq002e+002e^1^@s6aW3M7002Q<dQ@0+Qek%>
zaB^>EX>4U6ba`-PAZ2)IW&i+q+O555*6g~iZTVlVxJ?knQq5tdF|r5Q{G5}q&#|wc
zuk*be>Fu+N_@a<VU|}r~KwSI({=dHKzy9mLLaJ}OQm(DMrQG~4z3F{Ae`)vcf4@J&
zozCy)f2sWWS@`ddUw{AL;i1T%@%PWN|2)6*c>c!=YWnl|`0tNjb^dvu_UDcM{NS%Q
zjDGUNU;aF={duGK{2mW~{(ZfFUf0t<-Oiu?Vm)v1_mlti->I?~EAwD{u4l&(Z+`cM
zPxQYSJC8m5e#hvO&fi0Pf4~3xwY&cQ>%T1C-+%j;wY&SD$K!uritGMsvCF@#(Vxdd
z{`YHlR_LFvDE#A-|Jx5njqU#D|NYb2ecx)|w|{rnQ(>jb_2;Jkx|Q=co;X;_cwScc
zRrxRT_j-Q4{A%3dWYHJ9IrufN@P>!g{z3{X^zem!{+wZQiRsx-<<IAtPdtycSfBTq
zY(t32U*UTy+pw<K*ptbwMIL_szLs!4_dTCCL*tWI;F(Y0&BEEofBAL&y9fWj{QCQi
zzE9H);ckDg71#A>fLw+<=kGj=4GG_$HO*&z&#&vB?B@Qbjg9PJKFi#=!G4e5TZ|n3
zVO#O+bL4sXPS^c2_fXfLH(-hQ?99c4$PU~k#2iYv>+{qQSjWcxbguk~=^5-m$oW~}
z`q-No3!Bp(KbzOoaGv|*=l3ws!bap+BDSTYuvsZ(?5C!N4fPyzx^m7X*WB`(dx<5L
zTuP}$jOsPkRC6u0)>hxzTWqQ2R$6VXy{*5`8-cL=mbYGSd*8QrKD6`JomY3B(ffEt
z9BJfHMjdUuqfg9drkQ7%b+-A=zMd5q?!U^a*J|rseTR)H?X>eQyY9B%-9K#Yi(mTk
zSHAkS@BRAUyY^>S|NE|mf7!YJyldgluDN6BJg@#^*Lb+rzuqDUC)qt?$DS0}@#+p>
z(2sj|w~*4~&bepzD}d#PT?^UGS-~A+2h$Eu{=(mT_m7?XkNbAz^nbK(&;PV@ms|J$
z$Ie}D-JhNNU-#|b?Aq!lqQtX7dZBB2#}8oR3A^>Dbz{>1{AaIR+B3%3FPFr<kC<m_
zq1KREiA0ffe|g?}&Bi{Qu$M+yBYpANd;%*zOAT*MPksB|F@0ZS-B|Zs>bpu{3Cg-=
zVVmFZ?y>vGyVaiSeEN!IX#x8qZV{16-Q^j(Mc}&c(%&|EPHVm6S?NiWTO-7QMw`&x
zU$*y|=_{H2_`cNNSz725kZkKI-~3qG_XCY4Z~ERNaBZQd86F~SO048y2j^XCVr@Te
zKlk|EZM9TbA#SL)4;%3<_EW~oExj|uud<~ne>rY;t$j1*zT-RVSK{tZY!iQ|9j|DZ
z5MigThqqo~l`nC7qwa6xJ6z@}dyh8D{x0^quR7k2#jz}LzfbxWA!87gxZ7{f@s)aG
z_4l3;6P?`ie0M2df1a`0yYIZ?#f!hZ`7EBb;Y#(x&35`Q(KYzIZ*fuF(ulJrF1#e(
z{%Z}t`y%$uN3qngT<>##`{h2_i5Fi^jr-vaBhH$*&RHvKfe{0(<#mm}H}kg7Tg&~G
z2Rlu;OTD=H2cs$N>n(6&AAaT)+`XiQ%XXGwjLtG`UKZF#u79oi0xP*LDBf>PuBXIj
z)+g<`W53tD-S#<G8uM9YXaP?g_}beRjzQ?gnt5(mvyPQ{YTsW@>G}rOL441+{nO{&
z#~ld+4W#i-+?TQMg{3~TW9)10j$<eOiJ1Tw@78+qwd>f=!@ZOqdigNb@3{QZB)GCQ
zSjj!V0Y1&T78?XGY;IQD&SAar2`j#rW^+7J(C8yzpt-(f#XKg<UZJ`jTufNx3^-%}
zlepnHUKk+zk?-H1*I$46-}w{71CX9wbHsjFRo05Tt#6Fu$}mj!f-ng`X&c^A*4Ij%
z;q#{B_w3T1H1NN=7YI~9(!~a^`{mg<L*~XeQ3OBWhRd6Ac~Fgg0J9g18OsFNUmgou
zBCMvdRUht<=K$4f!VBD2{I={X)jRHcauM8pUJIky`t1G&G-(j*KRzUUaYOZ3?23oD
z<O5@=;O>V#w*f+~&aI^JJ>q?x1BV!x_j>1hCyW3q0>JU*)#t{d+l0rxBY`Zy6v#2Z
z3cA<p>vOSkPuXz5{KU!~zXU$~2OsC7pOq(prgJ60Oe!HXyd#bZ{IcA{feN_eYwv^2
zk4gA=cbcMM-8ljrtPoKk5(fGjzJDk^y=`t><W6}Wbc%cw-dN|Aw#zo}7W>%Qn+dpE
zJO0*qi-*<zGInNId1}^8JCrGXVH92jR<PhJU2#I?Q)Iv2H;e|ET7Yi}<D0pE#C>px
zu=agKLiph)J<LQY9AUG&d<aniSG;P~PHtj3JFly3!tjm36-XQSOH{}Uc02gwud=BC
z6tRL>$%U~?sdCFW_*LfO0v9om_?F(^ExAqHFAQK4r&%I)gow;%c5J+`9c2#4_H4V~
zL>&n1MQkRZf!|nCHqd}7p?>#RvlL9QgbXIn%vP2FlGkzLt30XU&e)2#sS#e?Ykc=N
zcYB{kR7z}9&Y*jHSB@Rr?azRC762s;SVE645q<)ay??B5iIGjY0B07vND9yvAP+8>
zAK1Y=2|Ee%f>i9r`{VWm!0@fTXJI*sfUQOR57=GfV)Yua2`}0UGR59S0!-k&MsJ2T
z+~bZ!#W;zMGIVJoq^YO8Lfx<r&@J?f*n?XT4q2RmVPOndI{U`$86Aj6;|6{J!^P64
z+|VYAbtjs)>W&WVKkn<TyH4B#Fl+2xd!=gl8N8+4yR);vJn`Trj0TVs>)=B84T=A7
z;TZn{7xz`yL@Et-biWX)-GCDblnj-az+K11{x5<Cwglk61h#~Ufg)TGu~(+@yjNuH
z*oqu6n+CJmA|S6>sIvVXU?cE{@dALje!E2~01(DlI<Xc9!1VC`#2pes2HQC@`vOpL
z9qYrYBSr^CL3~u&0}8eJ;9oPXeSci!y&)6ur6-Sg30y7Sm=mE58zRtTJcO`Z*z|{8
zfp?9UEdwF>V~OA(C=B{w`Tgh5>;9Jq_!FOMkfA5nZ$Ixh2&k<Te4YDV>@3SUCwMQ)
zq0PUIt;LJy@6eBjrCu`vWwH-2oXqOn=%$Z_V`uLP9bk>V&A;Rd8A9EvtY~VZ*GJ4C
z2*?0m7+388I8GLM#(+xdtcy^*GVBCAY6Sw9fL7oFV<l#~SP{&wtWPr@!ISu}^#ub=
zgdet&upV48892MaU81TXB*tGD2_FYu;{9Onyo9<AU2SfqksEZ~3+w^f-UW;<46P-I
z(dJ+9rOs6&>YLb!sDySx8&kNrK-f<u6silP4Fk5@37F|ciN>4#=RWWh3D!*{8Z(Pe
z--iFzm}<v`%R@Lyd@#NpF<Lex!+3}_kUiurfI6R2*2Hw!#9^pIbYTwz=paZxw~QV#
z(609TYlB&R*c4&c8-%ZYAB*rKeLxGW5M+fi`3PFZOhfSR%fJn6p+!ENk=p@!c^fPk
zV)E|L<U3dcVS{UE?~M@yDD#G3RzL(a?1mfYH#)B5D*}2C_W>6OaG#qEz_nuKJqydl
zW(_up-C>JZ%*EaU0TCB@uu!BIWHGQ{7qOE#3GxiC3oOK!371f$`0`#g!V?HnY*EH=
zpnGUc?%)mhDSFD~Jzjeg*H&alUM?rx%T2FP`Y#|Pczj`__y{HmYvFz1Lz~dT<6!<-
zP2|~VIPrztA{<~s5jQRn%Ei)vnYaiJO1yZXX*Cc9vlJ=dEKBTCF=1#a2$kXfuCGiv
z@r&$XdESp0$K6bp77uxi?j0G{2~Kbxb|7SFEOHqr#l}%cD%>YuEDVbeyI?mF4y+s)
zx8WcwP4oic_rn{oFBG>Q7Wr3g(IsGaVchs=#IcAXBP}m${I1scmI|RslI8jm*;!xW
z<A<FZBxc5BKyczI7>vk<R?cD+VX5&)&^qaZAMDWBQ(3*L5}HHr1EbRiO2XtIy!|+0
z*|Fl_d_GW%cXE;FBOGTGg-1blJVc36@qof*3e~;8NKvSAdD2P>5D<54u;3u}dM{8+
zPMuuv#iz|?$mf#huAm3;<r(mrJsV6OGeq+VL3|D%G*Nl1ztrvm2vJP~Ua4I*Y;r&w
zQ00gBm2_j^AIx^LZEq9)Sn~BDQ?T2By%S$?FvKx{#zMX|qiX*kJFowXq*w3>+`iMn
zs_eGm91r_A&=%r1MyRb^E)=W8+eFies?Jv}5!DnB+gcG(0%MTR8J^JO7&BMWA_04;
zx1@eBnsTIR7_gf4!VOqKz)EPEgg01<yTE23QXt@^;oF)>hb3;fduz?b#tQNG$UY2c
z#Aer`cLdjEkG8s2sm%Ma09+tmgNLyG5iI=fN8$Q{>(6z!4NY4cPKyVEJ}W^gA%{b8
zI51&YJfKPFx<TYjoFI@7<38?R3Gi$YKfN-qA|h5o!2@~_3b1Fy2`ES;!^B>q8FvQT
z!T4*aFj?3~k7!J84zXP!=<uV(GP1x@4YVeh4wzx$xDwo)ovIn#A1CY}PrxUGc9m-k
zNCiN}4|rt@?}fV(Jh+nr{n{)R&e6C&Am~9Oh<`+C7aM0}pLdZgvZ|;}AOSg22X=-O
zg)9*dCZ3dHFZscK(DtAxo5h{r>IH&idV?j1Xn+@?6~Y7jzUAh*(Lfn5taoUI5T?Y&
z6hGFqTIxy2{u6Fe_+Pok-(lqh71+p$D?}Ao8{zSW9im`~7zDMwO_X4#@cpl|V0Gr_
z7m%PTYm{F=LI8aiuT9^qwLcq~jr2BuKujDay3A~BWD3TC69c)6h`gZC;l#JQJzv9T
zHq!Ds?~n8SQaUi=DC-y!ftIk<bn->%-k2qE>L+V53S{DN`#C;{mPGgw@7nn>n8Ra0
z^ah@YDO;<<F58Ck>gRzaMkg1db{$Z1414Sjsf9|n3z|<%o9_ThK!3pD{UH8s#aT8C
zc#iL1Z{%O@0|^SS5f_LO`LH&X84mMefLJD0^bp=|yqfqHS7^TP`@RjAd!XyER^Ipy
z179P85@o=VfM2nhx`}$~$#+HGpxq%)sJFqNNc~658DS!KHZl{Fg|k61zYC)jXd}Y;
zY-T-L6;4k?!tf%C_HMKYJTq-oOh%xCXcH*JyQXmYvG|vcw{pYx;Unzu$ul4U-dHd~
z)LntnbOdX{HtwA8Esa{ncVd2+2p1UlH6dZRDi_Fgy1aoKnOH1aG4A=YX$9SahYMe$
zC`7YL`!&%x<QxqG`dr*Qaiu>vT1Sm||HKi3U54dnR~+(2glDzj`6&GM5iSYU-i1+M
zNEyny+?dJFH-X;h$BykApC{z1M&k=Syylx@$-o2Q`EVX!%xs2<<4xp$(uG2U$I8Vt
zR+u5c>B-1J)ODj>;Z7{{LoliyUZQ%&+mD{vTwY5=Om_M*Q4O_BZy^xNNwJYQO=1vt
z);s~wT;rE<0eEav60&2F7zZk^ClOnC(lt+RM{ONNHRvIs9<$?q*e7U$NegHRs0lc5
zr|c*<JIn>ZZ46c4gGnOSr>Xa5tO}puQBFF{#G(OMM<Q;;IrfT*IN0qpr3B7yH3&ou
zVFT1(`J{A+S?eD2{s8a<W5eT!i5-}Nv$F1HUXWcKN8Ex9Tx&z&;OIc;{g(H>7U8OZ
z{7`)G1B->Nas|BZmu>6>OYT{3ToFXZUyM759nc(KN=Q_~WJmWaietG6gwG8O5`}Pz
zi5^mSZ1YbKVSs1}SP&&DlCQDkaHa{yt#*Ih8Q%Z-_SMWIeptTFp1^{>Sc$eM8HCz2
zC3b_1z_dw-fhnN&(>V^v#w^bu)yk_1#Jn+dJ>is)R<0aBFYL<>zG<8?Z`eCw9EwWB
zVIjHQj{uXo-gd!Z3So+%mM~>(T6q{vdt%xs>CwZgcQb*pH9>xa11tSIKjgBBj!?ws
zdeBp>5^GXF-k;q?LMrW`0BoKF{kfM8$%<t&fZW)8qnT6Q1KEyHCd2`3M2t6J9Bh=Q
zDX2z7alqYqm(T3?Q9<<&@Hc{388_A;MnV92;lo`)wBAF`fT{nGTjfnRqQIP|$wr_B
zBbX;Q5QAVfu7EsZBbCksIJ|=J8GwZw69*J}o(Ud5+c`&`ctC^tK8HW!wheCa4Da%i
zkpimdXSf2K#KZqCf#QzP>!0*;5$+z|xDb4RpY`nBODkxA2N!(+V^7!R_%M8v&qE|3
zr2Q54JVH<RpQ!g9g&E>Tg}>;D42RBWRLuCW+JF|toTbL-5u{<A<|rXGAf*&Md8q?d
zDq({yXBLw<X%;i$=FJl!K9Ds+d_RN~o_gZPpFfeqXSePb=RaZbIpOfVpZNEQ%~A}<
z6W+1x@mG8g9#yySC%&UiH&(t`r9~8VDfK*Ti+6ycWDo@*5q{@3@e<7eX!AKROQayI
z6qnhxOid5a0GaU}y>*^wY^Y@WQF%CM%IM3_NE_92ALJWj$;uFbF#=o9$0GC`px_e%
zYDQAAfyQkoI}mz?S(T3R(*EbwG7mr`<PXpy%v=zIXm~z2!<2Tc0yFfCqq%4Rv~p0W
zN|h*L8WV&30(NPk3t*11vkvjkq8cqdWine5P1{A{=qGT2=i9u<3@Q>>*kFxLcmNI(
z7mts-d2n{T+9a1ek-($p&JVhsAQJ#;8BKnhK!U<9&(g-cijD!Q5Q#NMJ{In$15Z`_
zj{$v#x#f>p8qm;_hXFh95uY`m4cWgeaT#D}Fp&!xXG{3>X&(FqTSxcG@T|Lshuwgo
z6FR`i6Vl<GEXni~<_haRy5eQ`O-PoLHZOz$NZUiKLgBv9i58Ua_?J6zmJE<$^FRL2
zqVq<`sA(?8qsrPbch-StbH$Bo7+Ls8Mfkudkg8melmuT5t)gtXBbW+oWadePs_3sy
zY(uPr&Yc}u#>XaISV$&9Dl7KOR%e1T3f7cwnIVAU_m?q9mV%AVGD=v=gpPD1AKI+L
z0x(l7^nE;U7-phbJRpo9{t#3OBK1=ue+$NjPndF655r&Kx}kZJzCEYlYH~qd?a00c
z2sDuzmL1GpSg|ub^jV(3UF_IwCZ2HR(mE*93KTP;geQ6zR|my25<7cVgb*EF<dj;V
zm>=Kv5S9z`#csH1BH4mDgR-z+P!YU^CYZB{dUcW6B8*)uEb|Sor`ua1)`Z2&3_XCv
zn^p<<@`MS>48rDyQZ%sw3K$*XM4suI-%`24f+0cKG`sBO%JIkQ5$XpdFq`c)G!Lzz
zDLArn%Z$%2xjGLCHaEqE0?x2fK>WFOWZiHrRBt7~?bjq})W!HGcUPslaJlV~H1g_e
z#1MokpOxU-bE36a?t&D3T9o_9^q^-5D%`40Et7?ftTO^{K{WZa$Q4Ls%7V(kzOu@z
z^tKz!AD;(uVxP;y@YMpbAcQq}Hk(wRa+d&~t3=p(gX4rOf1$38=pf322FvMszSnX;
zlfJ0N{L7b`F<wxxeoNW%QL0brm3xb+xqT1O$>_Gw5pYvD<ZFcoGR?vVtmQU02I}qG
zy#DQ8cDD87LJ2Mbj#BYaaJ~Y0$b#=C;Ib9<0%chq>=$Q5BUnK4)>9~QLwz<_h;!|N
zt0S`~WZ=W;0q5kAUXnyaVXWXH#86D66u3c5kmo#sEMSe`4B_b06gq^I-#tHuLf?i_
zOd7OP0<pHlyvxMH+YvT!q)_k|04zeSG#M7CW$T{MB+t?{b}_SO3CU*1*o$29Hf52n
z4`W@pvwSu8=3f5{lv~2NNB=Zo=s5~|VPu$<f*(Xl-Q*t{*3{`XeONJ%0)=?MeJupa
z6p?gbJS;Ha-aMni*FSgx#G|!x57QG99gTA)joBj~WPI{u4&N;&iFX&(TLCU_JlXT1
zeR9-rMP-2qB*s^$pz#)TyX8kF69a;0!H=H^w$5MfA1=^0{Ip|Hh#qJq1pRr5e9}*p
zEsi~x`8p^<*%x7rz&z9QG*7&6BGWYkkjVI_sf1t(uQbC0$P4$XCQ`d0UEMd#SB!B*
z{v0NQO2E_+jMW%|(LfsCpM*23_x-Q|;wazYDm=5XTEU#E8NLf`hst`a%zLfDOKU#u
zoSmi6ehelN{c!>`TmiF^-1o)MpCqXV2#bX!7mnoVW~lreA_HzsH4!_@^|F~`KRv+z
zJ)~UFJJXqXpX@p}Qx$y`Jgi>Gi%diqp{eD=@T8K@N6li9ovq}?usXKEa~Wg>L^}_O
zI)OHygzqp@c-6R6Q<i&R8R$`~Bjx};^XozS`{Wyk_&%gs>FWsrYliVPjTPl4)QxWv
zMOb)Gzd*IaWeLBtc~<T5j%7I9Ux#7o5lhNm7bGp46pCX;&p|y@%IGyB7|$k<Lc{qf
ziYB=bTR}{KhVx@xb49M?1<unxb%o^(MDa&0iU@o2WpDy7h~bc`b`GtCzNPqv!Fp)I
z7A3r5-Jt*)P|m|3yRrRYodFwk-L<z>VhuO?6Hngfq==0s6Hl)vS7bb?RtyYJ{~~v-
z3v5jlIcX@kh;B9G0=)YYh<PDk%1$f`o^TuwvGND@B1rP<)_E?5Y=`jXsf&UIZ@czH
z!*={)o|p+EwC)Q_CbVSkFErDkxp>-?(@tQZ2kNgG&ve42#Wo3F3!Y;{YYROt^=QKb
zCYY9*pTI@%Eji$rZ}m#w7skP^8!9te7=l_}DA<Lnis6n>_yl7xiYHi?{DT0`v$wK)
zHYIl8%Kokdf(p#AfcVGrnE70$J+Y_`t$tJ!xfipt`^f{2Y0y<|osuOFm%=h0A>&#|
zp6jG-X#kjWVKLDAaU?PJk3W7a%dbkK1SHe<B^Vo!HlV^%Nl*OMIB?{cWOT_SEqV<D
zhr!FXpD|4;qvTs#ouI`{-B4DPXG%e(v803$aeX-{$3|;ABm(NSQiQyQQ&f0Azj6-6
z_PSMh4^qS$5jb%-YVjZP&`KdFa>O2{HO~<JdLg&&n7M-+gkr7Zjkvwt(*eRg8<*zw
zpu)N<MnPmS9P%QFIqY)W)@|TPgroa~*z%%?L!%NWygh$8nL+3P5*rFxI!BPxJYC9f
zd8{LHXK^sBCG*0|{QqaJ{x-B?xu`EbdRU~GV5PWF?ZB}0cf~SD;z?1K!e9dN1Kmxq
zndyQgTdT#g7*I3D#+u10;r6C@A|M10&O<r@vBlQe2gpT2bW35P^-K`0U|F2?a~loM
z1MuJ&xehNyWJl6|p|@$msy>}d*3dkM-v)F-$+Lj!d@Waml^iF}iJt*k`~B6{MG&VP
z?}rUQYRvG447HlY)O3Z^024eEd%8R)WvNjEgcfWGTMm%&>RGN?2rH$AM7p+^?-RCp
zouwf#b~VB_F<_m)D~avln;xWC;~8<q?TO4JJkMzo89y(pq0v8K>jrj+P!B6rfZy-K
zim$+R-fX9J_z@w5Gk9#6S+sj97?bDmX7jK>q-p>cvFJHpQ*$M;+^0nI;!(_<*nA@T
zjYbBuiB0*j;)$ik3Lq%HdtQ&Jx6b8_HxLF0sdzNZ7Fq@#c^b6k%xoi4@IhaW8%%4%
z<e4BX(~bge`(=oQ3%EJjrCIvnao`l#enAfLu~5U~pu}v^y7kXvbaUuaI)J+n&kB+4
zCm}I$D4S)qX?z#(`#!y~4<}Ct%yrmax2V|k;tN{CvSAS^Y(-t19j;=0e33ptjk!WX
z)3phtuR9pu;91_lZy`pw@gk5w03+<!Dw2UYJTE|I`4GnUSiF8u_5f0Z%H9^OeRn!V
z78CZnP@XUy7Pimhwt@TPZt*~fDy#-Ij9A2hxeb=0g~-OX%kxcDnpJzeTea%g1iXn8
zNf6qjc$h*&;Jp>*xIL?c(1B^7zfdEw*8#2JqhQ2Xy&;R27udveKd@o!OqS@;8}u-m
z5<-_`aVlFG%&tzNT4J3yjEx&<0$u$wsM_blZ)^z|jYz2h+3;EfMPQaB!6{gD{L>RT
zv=3JH0TJWs?}3~VO2UGZ=T!^-2dGSF$Y&kcugaAG1nDn2>t|Rd1Oa_tf5NHqVEa+G
ze^+z^L9idVH6%;b1d?__g>?sEvH+d{7c(hf4e>Oda|EoWSba!PN26PEj4z#r4p_7W
zzGzO!195<*hg+0CnxG;fLg6mZnA5_Ew_6Mk7xCajno@toC&c6&s?rEbkiQ-kA>c*6
zJrUpe#j_@N8K7)44pSgI!)hV;p;%k%nSw<Kh#ssL@CG{JOmKG3g5e$3*HjbGAF{g*
zoRCmD-d`xa?(-L-DIqgL3|<XnSva(B^IkjJOHjk_XbKb*L(%AbHg1{Y9L-ezz6dIO
zYO!VzRD8{3!Vy^{@H-ssYFUQW`CmGfP&b61o5LN6{D4q@l3Mk`K0lBl^YCXemnAT8
z@UEwnlWWB-3pAyw>YAmWSO`R$m)~)qUvKju(Bq<F5?u%yUG@F&Jgx{=$u<(@;3;v|
zheZEu5QH=p%gggRg|C?1eVO`;rlcN(GuMz`WbCqm1HV@TKOVC$YZ%stcfoco{_SB{
z8w)_OvRG~aYI_Wl@n#CTnd{E5JFe_ji=~a_nt33)S?#Nj440ZMZx)`bN%nic7wikn
ztkAIl?^79!@QZN|gfeDKgpVD-6tRkX#1btFfZ<LwEd=uc!%?KyZOM{!4%686l)-J5
z#_DanINR4WRphuD&m^+y&#dE6BzBn-0T+>RnSe~tMiloxts`i2b64=zh(bWq;y#2;
zkiz5NF(ju^*e|SV`9u?5jykHIBbcl<2YMqfq8UFU8ua94&nGgO%SZrqJPOf`0D_kU
zC6*@=YglY^bi-m#KDkH0u$Y=Ugnd{uKP_s0?Xm$(tWkQ)4LZP#o*h^37zx@u@5`)k
zu_$vBUgt!@Lz6AJKSUo7gn;Otb|YZkmJiQ{j;^o(KI66XBbC;#XdVt#2`!wrN2r9<
z)PoWc7-1Dxx_iS&v04QF`3<MAa0fF)iH`>M*M2qYWVw0?Fz`IF&0&2h=3zkrzRz2}
z1v>pqtJQA{hP`+MU!T90kLSAsthPY?_RVvNeF5u3`ao$cFaB7lq8WCqpC^J{1St?d
zDF6`;ruD;vr9SbB&9hTjy{Gmyp0thJY+G{h;n3~#yer{}$mE`_0A}Z4BiK;u(jQjo
z&V(a^0e)`<MB-vBQo{?h3HGReNTOo8M?8+!J7zifBit10?DGRd7-e3Im*bLrs=ZYo
zLEEI=V;2ap&rSFCvG=?`7&7qQuS5AkUVAlgPwx6%K;fl{dNOReHO2>~q#5jgs3x0H
zqv|Y6gFa|aS~3;HJtl$-f1>a}ghB4W{BfmBaD$wN5Y~OpLtxN_b>I{CZT_ocP3L@F
zE|GK>Pl3RI2h%Oq17CnoL5NwL9-n~XzMo(1EN+J5?UM#MIXEkU@U=?Js%$431mj2;
zWVT%BVu{&lf$=Ml*g1@a!P99g(!YsdBFIH`4r>&_A-F160sfxoo9&<>a9x|_@hr?%
z8=w?1;BB9?eV`o-xuH?eeT&6oJ}IEun>m>Oekyo*Ea-_UH-pLp#$gwBD&V&#l2+3~
zeV;0Lv*WLc;A;Pmw%ypnW+m9X2IS(LWzB4`3;E8EeB9C)c~E7Sqh}k2cH^rt(F_7M
z7L>D}?N}vV#H;sIs{T&-c2i?<ukyd@Vey}Qw}cPL3rRNjHF53NZkT&CPhnQQyjnOn
z<Wtu^b-W>(8!%AT(|Zs-fVCWAy-As5B?cr09IP+lyxjJ4T%SA({|EnZEVd2YZV99M
zrOBbXyZ}a-KuT`Q8d(4kZvoUGC@CY8^BSJ6-)Lb=<!n=XU4R#xWz$Xhbo){8EE7@u
zHFc;#wkP{e9a_^oP&oD#E+C^=$x%*Am&n9AV8@f-2X4X~i9o|(@KbeA_Rq7%a+?o8
z1K0=yakqs5Jz$;YxNQgW&e1?`xKSCwa(bOmmU$SnW&dlw8*2c=+A3@aZ#9Et^w$vv
z^GDbRs{l*q22R1H`MQ0MFoDMS(_wI(AblhdBLb~IS{>>KcO8VYiY}B@R%;xPnzw;}
z5;ennj+|lC!@4=xaYRNv&*=#4;hcC_jBsJ_8V}2fFF`(V%CLK~T@CKRyI5vkUg**+
zRtyn@i+NWo^$_jDWPv9yS83cFW;MDeqb*sx->iH?a$&jqbf}pXFu$4z9XJq#y3B|5
zG!9{1gU2sE8#I;wLMB+dMCe;U6~YgcOvQvevDpG9!zf|Ud;``W%q~<xCPXm*dRYqF
z-cF^-cTQpsmB6-_hve3t*$*dxSngU)F5yHTY$n@~QiH<Ge%Ve_xkwwWZm>CftZV@U
z2+^>hWtf4+LtoH_%FFjfIRL6BFA!yukj-T6@n-|M$4$-rF>JDkyavlRS#bz@-!DK_
z(*e&Di*tE<GmM%c<%NUo2VULf&n7Sg6N`hLuuyR|Nc?jX!tB6Rh)mBy&9w2RC^m}*
zZWCAoQR8tBks^CW2o@JY0h$EK#+3zd6!2PXI9?b}HAcQ!0?lX0>{&B2t~~uB4E90r
zXwNbS&Ih#{PO+y&NO(LE8XQ8|XIra^ZI!Ih#5!QBT=j-2PDIf4z@xUOhU>jM)`73Q
z>c?fjQ7m}niG1Rhb)YM=Ly#hDKMN&)a(XEf*9=%E5gkpT;f(=WZ4w18Iqb^FQiXe3
z9ewIE-?hFYM5E;d2zo`&1x{s)zuxil_K7=vl@$}A9;;O0eFNnL7i{HwPLmeb|JaSI
z`~lzKShjh1h~c3EfvF(C;Ue+W*deq$BfmGW8AfG)y4}NLd3-Qo>h@lzlk~%_J?~$S
zr$T}IUe+Og1D4MlpWa1`$&}5D`(;pWolseBlloJIQSH^%xG%dFA!ymgxhGoWjLYrM
zydkKuh{%OV>?w>@r(p#B156=YdWwqoan&&33tB|5fuKDaH^ewue;drHr=0#xf6FgC
zngZFsrrG=C!7qtHm9i?2SO8m-B(+3}-fcxyF2P~<XSxt1CG4Iw^<mlD^gv{7>$UB@
z#eLZ)ptceg;DFOwE#ThLFaz9#(pl09AiQp!neAY0h9o%&^9AP5<Iy6@Qw($>F`?lj
z5*Pfi{R%DqgyIv3ZI*-@ERWr~+uE$ixu$I==~tPN|2bPsNDa4@nITxg+Wm|L?><U8
zNO$jjlytJ3){^0=2q}t?ehi`8x(GZV|1<L3O2KcfyGo+0?=e*Y0VvI$N<syUF(jN8
zKzvu=&1{+i-s0`y1p%I@TI?<cTvjx73<=wI*Lf-I$_w9t0wa9U0`n@00VxvHqAirw
zvxp0)H9&n7J-1}Tr~L_@ZLg2`=JUamXm>wLbh8JS?I_@mwL#WY^>j|-Y@r6eB&m>W
zW#gL<`4SkqN9w_P8|d(6p*tbVX2F0Aw04`PewI7hd{)_Mbo8lTEnpVm(n@UG+_?77
znnRv!;Vi&1^7yXfqy)`KY=aDenozfblC}uQOcrvpB41S1rhua*yY`mZOs0u$D+TU-
zK~c=ddBh*BunBfx4%HOE3Hqu<VcIx59+p8{d;nrTEhBu?%Gn;K&@Q`MxI|VlbC1EP
zC1?~6yoi2K6wkO#3-kBe4jUHnw*3mBT^b@V+p>cK!`Gf+lS3h9qv0&vjMibLCwcI~
z9RbY&O~`5o!t#sUMJy3|4rav;DQFA5X1>={MY3&%;CGI8mE<e2c@;wC?15;h?f1b(
z!>{5yN1GwHN8*-Y&UnG@Qm{vajr92H_!q0~Im=l)fr`tiHM8*t3ihc~;MRjXyX*ve
z*?ug~3g7VA%!(fasLllOM5<v0ZM+_8edFj3)SZVlFob8P7k1n%(Y<-f1@g{gjArj^
zw#@)LYgQs#q6v~XC;+fUZh?(of)Jl`q^kGyA%|{fa7lg^`g1{rK1cvIyY7>eiyrKq
zg4Ji76C6ZY`5k!bYMS>s5K!RaC2+{j-2nv{p`{`o5+Gh+0O6GUvyZ$;dIjv;_kVAP
zTP({G^Yg(Nty6-r0o;}%+$OfZ+O3?oq6#HIcxIceg@L|%;4e7EeGUb&aRM<kR%!>^
z&EX1`w%UL{JW#N-2bn&flQ{QW_^%?;=TxI4A>r*7eIX`hwX-4wv#!@O)YEnr7a=E`
zeZ5cq7f1_4cH)LavUN)+pVJ5r(Q@36{>Jvtj>Xk0S)5z46yP&qW7>vW$sdHku%e@S
zB!I2+v}Cu8oj|2n!692dLmT!0vps0+-<?^h)@|`x(~KD2j>c!34Zje^HtwZ5f#{^J
zK(-llI|@bYw~(n?>}3JV8JD0}!V-5H)?r#a9zyBa{w~{@tn9~ttvcwQbJ)ypcBWs|
z`2$E%+e33bHIMH>M=YJ_Z}}${w*WFcBk|E}y3O5OUiF~<bd0ef7pjjHO3?`&_e|YH
z|FrbYSUk{RC0l+7W`rtgAZ@)e1T=iAdnRpvLWb5X!}MXKp9Jd_-R}2Pjo>8@pl>x3
z-g~bDWUwEW1}on-)N?UV4dr@h*6Rbf7N`f-9c1g!B%Jg%KCk;^cmNZdIUQmlY56>u
zCLmz~r`D+v*BVfT{0Y(WE$)Z)wx=GbueZk-GkF~IuapE%YO>sdBIt&-e!r0$%EWrY
zHZDl`H(0?rY`EtV_zhnqa3*9RVEQ;<$2#X~Dc1I2myqpX8Eb#bEOr^*o_e7RJ!WA=
zXFVzOIX!H79GPT3``+MyRn<{-V-fqly7*)Scu&-hGxIsFY?*d{*y3)S?x*6qeBGfc
zU$Rsqn^0q48(ZDtWycR6;vormC|R-ueRq=(=A?!#q8O-^k;Mc-=n1I4Ykp0sL06Fx
z_{-(-yD+lNjBE=Inr8>*5bP7-f(gUcs@TQ~o)fH3zbUlC>d0VsuA112DD#AX;5)Vj
z%yy94LR*rc-_-kr3TPmJ2HpU7VR=es=f^#Z2g>I7u6$ZT&_LFp0Ut!ALmq(W&~4Ko
z_^9}R8i*jSNF1z0ZnoTJ>f(A6H}i$BU{1;TSu$%>RB?6=%F8@4>u2>F#4FawA0{$9
z`dVi3?1<qi#IDk>&vNH(HH&p6OW9_Gv!=yBW!L2CxIR*Sy<1~Y8QYHrGPYmeL7Nvg
zjTLo2*q&sa=(Qhvf_f7y=?;gmoCiH%VuDB%x0plZ|LzY(L)Zl)E&wpytJ!<h<zp~*
zD}MUxM3rHM3z&)~f26^upZt{65bB`5!`h8q2zTpRzmgg!ROM4rGc2i55$!Wfqf1Ym
zFtn|U!*p4N;UNla=9c1}K?M1`Z1{h>XYzKf`B7<W($i=<PYr{`jgPZM2oxyWY@V%y
zN@k&N)rp6cVm6}iMhNWZ$H~y4yf1GkH}ibsU0hO(xJ}1CAE(=y4a8fz;E*xA)viB5
zxOp+Z4g;=z+Je8@|M0W^iY0-^Foa)ePrt8bOVl~jFNUM|&p-T^pPe(d`*c4_|IHw<
z(+GDN{*`=fT%KmmUm*lWZ6Q4F1nl(mbS>H>@JGB7qsy5kgkS#>k6jA&T`c2c3pNyF
zoacX$XxcFjD<%0DNGPk&EFCuVR)}AJ5Nmd$cnr~UbI8T@osn5eLs;~!;N-2k3E8&?
z2eA|@3q0`h2Abn|tSLFIE*S8O&pm<YdYR)Vz=2WwbSPOn_hI#q#i*X))%R<|CP8br
zZQARWOc8gMYP)Cq@qo{3t9&f7iVdw`k>KC1)U#6u;CaEO!TSs2)Z^QB=JbPscW=AV
zc^|ePt8!RTBSu=$-A>=hf7-dfYJ^XRz6D*j=*M{dspvXKnh*PSD!NXe*sr2X9qrsP
z^s=kU`$A;Cg!Ff^1!@X0_1P~HvttP?pma5DikZ#AB#ig5;J7&(3XQ5_I&NcvqR3u)
zAac#O22aqzBedlTXKrQIZC(dEY`c3A4FS_GmW)ABoCsmpLk3dxMK7FKzb!sREM1O-
zAa0p~LA)xaKcL7%UOQGC&|!N{F_AKA0fZmG$7z%Mez2v-aa}CmbFqojxfvi1MqHAu
zmu;Qn8%gD_bRE8s>?P#-9)vbV^eeq8HlAlObYH&`Aut3xg&{*m=Z6q^#9kZilx-l`
zb_7>_&nzqp`YkS=NcL(|{bxe+cCbM>d)n)tsSBs<+cG_qr>E%qSElDV@>v>dW`AYh
ziG7ozmkTwEENExS5N2uHUOlrd>?Q{3(cU=eeS)N^0uUviZdkh};F$Iiz{kgB$`P`&
zh0z|@U1DfPZwEL$#h1Rsx@dt&RJEPHgo(dDXT}+9EoF;{FW%V}ZwoRkaXv~68JaCe
zHqVu8E8$O-y49XwN;q9$*8F>lXR2zpbe#_4(@|j$&eL2~b{pe#mXFEj*xWlz1PnF<
zO{f|~<^y0R9{HT|)vFEeSrg$_2qxRq3Bt`Dxb?j}o!jgt9^%N*=U`8cH3>wDdEDi}
zsbOtbC!nIXRU_E}Lnmy=UZIA$**(21C^mRQ3Nda%yLD(50as^4bwKZPD97tDQ+Ij5
zR{Lt4rbFD?L&3zR;s-Y8d7h5gJ8dp@7oFKHh<qC<>daR~yMm+EL}F2>dm^o#|2lQ<
zG?$!Uj^p$G&0(+RWFd&sT5C_9b6#982M(}Z+xC6v<^6ix2fy_^(uy=QEL{BidX{R*
zOjA0J`fID&r)6eE5Ylrca~&t`a|SKI3suIzDV#fiB3iMvnTv%}MFVy6T<kPLKtWz^
z{v$y0S(twLk?6ebGyR`h>o9V5!yec(8wvwJkUH@tJdT?4%=}#hEg&yN>rPJP2B8|k
zp=LT$1EA<uED^?dCh&1i3J%YXIhW_^r^tk0(CX_*iv=hWah||yg5w<7<y5(*CU=Bh
zNa~%h8Dlq-ZIyL_<w9$g4YAGsS!ilIXFM#6z4@ybq;)&FcQ|0gBP?9Qt1YK}&EQ2f
z(nFBCf&-p(^^@eD@-37w0ok#Xuai%HDP_y4@fu4!Ly2d)h92V5Tjm0cIIFMQhimHx
z?ibG)2oAZO@P^~SmzNXjxT_2Tnl^Zyv6Zy&ak^$_M~g%=3zn~%LRt%cZaLbr@({;!
zYEY|oLc(}+anNwJ)Or0H2%80ZGKCMKg*P{=^Iv<XZ!3BnUt?~Z&_hfj`sW7^?eEOi
zeIhn*%dc{?Kj{>kSfrCI{KPt)f~J;*k$NQd{$>gArl)hok%^xb1J00fF4*ZuGvL|0
zWF5ifk?L)nUuT$1cWOavzgp0EI%UzUj(_!Bl)HBR+hb0hSjG|%2hmet{*^5qT%Hv1
zH`tHYUf(-G5U2II;ZF7i8B|QYqz<D%Ys1D*b711`mu)H6{HFi-K#XP)+aM4)Kkad9
zL}Q!olR&cmjva7pmWR2$u?U39?C=Sz$nNX=HM!dLVA0QtSdUvi*2{94(O*XpA4oRu
z>v=7Vx7+6I#I$X7G}Q0?c*akl1b7x~EZ=s4#+Pk|@wk;}NmJO%LVqOUdW9)_4jg;<
z+E@-Ay)U<4rIP_Cuu|8oDYtqM$23&6Rv=g(*=~n9R{NyQeJE?+_#oQtsR?Wzf;Ku;
zHd|%XtVRT$4$%tSawL?${Y-0YPI?(YhfQh05;?pJ+MDiro%s>@b;{t4E??%=QcKA}
zxz7!Wa{?Q&$gVP6)x0Uu6F2GA@)sqW$<26yG?U9aDTdP|4FhRT@(OG=&JLx{4oq3Z
z$7P<%v9}&9FVEI?yNMC#^l@R8NOS9fC6?KWnDR?JrVklYs(D9N)7sbD%wzH-dG_PY
z4XYUMuy)PN=z~Yz052@?*T??6fXB&k^F|1_o$X^6X6$IOH0k*~5st@f`-af=%b{7V
zjnmqrW-CP<YPQ6)>2L;6)IZZ|>hC(gGp#0yPQPeSGfs<Aji=NdTsr5MjsQrnN$5W#
z05AcIQBN&v#O)A9NU^>IHwQ_j4l8zEEt^#4JgpXXe#(rtGJFOLvrH)kI~@sA%fi><
zEErTLciKHHJbm`aEYG&4=jQlQbDU3L=ZJ2QHYa@%(wrSv@A4py6MF<>O~c-L-k$)<
z?MI8mtYqnLy<h3JbA}UPgx?)AK%mOb_qAwQu=!Ap^86nSb#lirtZuVh@hVopB2m)3
zWmx5#0a5DQp5!RWOptzoNi?@5UN$`J?ULF8Zy6po6Cmj8@_2^3aE4JZyuk#bZTFu&
zD#Ou(Pp%!gmkfPshALIXrr1oPYi4u8`=rali_EQOGu^i&{ES&}%$E%vj$2l<{W?*f
zsZK<=|B6+Yf%ng(vg;os%W@X;Pvf?nLmpP`VGF;BjE|%D@Ll^%{1h0ixd`v<ocIZH
z4#=~D+6;(uKZyj<-5gKofX+b5w{1z*Ir&L;9t3Mm02Ge^qZ3UpY!&i#`VO4bGo3#>
zB@y6N^aR}lS4(;)tfM<bHrv!?ovlFuVm?NAU?ZMAr*1n5|1Z`z?Bd`HL$xz6&J@~Q
zxr&#~b(kYqZAb1X)!{TfoSJ=yy8y~Jl<d^e<TDfm@SmwWiDU_#FcSyu!LID<$X1^@
z!OVX6#SNfIFyE`mhw!^<>!Bq%c8DdZK*%;}q;IMcyXDVMMlFN|<{+Rg;%8GZEa!Hn
z%bM)h*)}&}St9BeBm^f|=aWf5`0;k0yVT<E`a39%U~MnZwyfNSVco<vfGgeGqpd%)
z1^$%ddKv+fbDGFx(O`^$h1+H=&!M0d@lGdbN?4~>Er*IP%n?;<iyXef`pe1ga{@0!
z+mE*$fQ1{d#3s!>d#_R#{B$-9GW*R5w_{`!plF3+gNon-yu<w9uS@=y9q$`V_cU};
zRVoc<2@?&lkaFeWS4nX3;#vsp%yGmx&Mb25$U}Qk$a3_`O}~zd%PD(t#Zl>f0DpI6
zjpAIkLM(P13IWbrnU<Xo;MC=10|9=Ib~NaEL_JWoV3k9Axdba__`u6Cw!xX0+-I}k
zp2Z#P(+%x}KpL-47dlY^p7CoN#BXgFLO@8>Z?%88ro$}u%o$N8Mi6TdDd=z((wbE>
zpW!)Uus!X2h`QyLU6^8lW}OMEh>=Syh3f-R=ws`X_aXK8No8GH@~F&^RXl!mF52nJ
zF_~p`g`<#8aSsS-eukI>viF26M@wMw7D75=mWR3;ehww>^eEl34TnfhkEf#Phi%Ni
z91c^R?ghuR7r9zCy6_rq=gcy5^sk4zeVj^^=78d8_>Ka6v9T*63$6kow11?(@4kb>
z^2$8L+7@F%oaUL@*R7?yAs4LD3K2n>YB$k+#upKE%JmDT`A;wC(7%7f-%O_)PCcKr
z@1#0tj>WZyarFB=Go}BaD}P=N!ytMFXDEzQtGrJm<Zv``#MB}3mUqov&(L!0W`*J8
zP^b1C+8FF%xlB=3M*&57O9p(<k~k${<W8frljD?BIHSR4!m0T<V9<ec>gO>Z1SOg_
z+qMv$dG$H!{TvSIh_QMIXRni)caTD!_BgIES`I9f!tBgpj#*xq|0l^B(Zfp<D0aI!
z&DP0biOWhLqI1UW|3}47j|PCV2WJQ3oyxsWz5N9`iHGk=rr3#Xc?7$Zi(dt>&M3ru
z0%o<0$Lj7g2LVz6)$ikW)UO?N+z>eO`Ez2ya2{AVEwiX(EEU3#J?n$n*e>rB4h#2d
z)cTUsf<7xT2uJrBV6?@^yx9q-Jq&{>6o$RRPyZSK`k&{2UjLf|Kp!jCEJz*j<a#oO
zW=2nX6kdA<;0)r%Igtg>{RV;W4yV9=*t#MUR%gBA%*V85b8j<=4#sq@MFkuXGy5uD
znseM_J;>*{S%3h^++w|T`==I%cp;aar|8yB9jIDcpM|Z_u7rIp!LZMGIGmpGSwKEs
zjnk7oN$IJ-@H7}8W=~K(j<hD+mSQ2^ZMo6)4y!Ovtyj<PaC@!lc`Vd62N|<XV##hK
ztn!@mTY>WWB?`_sEw(U&FqcjB;&L#Rd1k<PwrL=>1<e+D^N+mfhFzExb;J#d<)nlQ
zE8^k#z-iB^4l*Z=)?O1jh8PKjbEz{{-#}iuzQeXY5GRWPC|rcU!zdgugfG?$RQlR>
zU^J}bTNri`A+ZLhn+E50bu>qc7Um`-0APtewV4@#>!62k!*`x*+q~JI=oztC!3U4$
zc5-8rTEJ>xZ+)4FAQo|_;UQ{x42)FsTM3+tV_Y-M%;#VXM4$P>Q|@Kkz_5k+4CFN{
zKTey)YscY!!tV^}3>+hLoQj@uEk_7At5bR5L{G=4nSuSR<!!3*Q>z6k#FL)?%|EsT
z$dNQ>{xRVf7<oUx*g}2F>b^}LW5&otu*W3p&(y<g@$7$?uYdhARq0Go4j#UlN3u_=
zISLx^OSj({Vy-EfUQEw#-t!C1a}uKcI?ma>97(;412DUzDo+3;6g_}!{7t#^`!hN^
z3^M4UpgBV>dRl4cl$$fFYjs&IAv1;hm)$>KXyItofDMi95EbIH-#}uOrgl&QNaYOd
z_ngUYjE8F~2S$?3_|~XA@lbLs=y`1&t)|LAch6%Xa1NYx)Vm{oGHlr13vMRbByQE1
z$0FY_LcYVHf;HWrExF2TcFt+A_K(A81_svl*)S)FtHS;2FT2ODGiIOvSl8qzS%Jwe
zK!6O;w4lQhM0-Yn1&b?cBS3t9m&0^41e?SoWnGS;{-nMgRDLS24VEYFPaXZ9(&hyF
zEQBOa?#w29r(6I74@7J`VVkYOXT&e?j9+!!+JkKH#G@_M3*L%&!S^GwzyY6*dT-V5
z^g00;E#T;j9ND#Q^2Tp2Il902^+p7|j7Vtbi*$Y?)y+69Q`-cjxlV%t@N1gRX+(rd
z@Cal0P7f;~L~5SR|Kk;&b}iZ0ZGwC_IRIsRs=qy;^uYB)J8oPY$Ge;(&w~Xe^-4aL
zHIBJ|>vUBSwak6LmY?c^A=#x?&k4>sZ&=T%EcwC}PZO+d;~nCa2vf-zFu{ts98CY@
z<#b_><PL=wMJ-?&&et)99W0pF$rut49O80k#gu721Z=Hmb{}M#ppOATp%E~isYUw_
z?{of2G(qRuFnC$8jFk4PTnJGfK-;>R{f-bX>w~C0EWzjOC6p8K9y#_BJe4{S7L(z8
zaJ`<s?H=`D&9Xo<f5T44zxKuRFZbnS)c@X?;WvypK<QrE29e`h)>S+X>C5-~`;rQM
zm}q)>Gl(@f(ramqBhX;IW`&U(RzN#`X_~Qtm|dzQ<gZa1ZQ1~s2Tb?O?EXFz57}z-
zm|rU_S16#ODhJidj{5x)gcuXMSGk=TVGoxzdT2KT<QH|}Q}~ZP+izecm8W@NnBVaN
z`sUq%^oI8}xN5!XvXST25s-()#zt$Y(V@|VtT{HtWc&>@ohknH^&M6dJB;AZw|88o
zDjekO*LPTi)=m|&U#kHpvv0}cdIC7i7xouDXhC^+s2lx`nvd{=ojlMQi`zy&V+cGh
zvp?7RNsmsmBf_g=^RiQFW(SjriXBF4&&MMs-!KL+xn1)Nu{mSo-&1EXPWgdjp)Is2
zey0z5m#wqP-?2W<mQu10Ths_a=Nnnx%j>o$*Cw}LV`VsP$@O#u-dP{;D*}S&5)Usk
zAF=<;j{c|dgxCMUcf$BB3V!_#+M#%8gK$JsKi1UDc=191BvAY$aO$9}h8u3vl)p1g
zBvbFj318OU08SWF{SDeSqgBt4LFbq_rUSGyDdWk?vK;`ni+)KKfu7?42Yf=s|Ed-G
zr&6IS`du-Qs$|j3NI1azC=hsW7ammxI*v06_2k_wYvZY}3E??U^EPgdT=&@28|A-K
zfaH|vVzHm~zR3aO1mSSLmWX?9PKUwllHJdUO*{lU_1j_4Yc~9q0rnsX-wYA%5=Nfe
zcXlp07ko!Yf_mor*irO2yO}87t?7oE`PCc*KUPM<zR!#<bJyKTH3XwmT%S=BT;KVY
z6^OHQwW3)G#FkxbR<gbM#sB<n6t3?ow(+v1jqul;0FQ*OXCQk!my?~JDx-D?h5-ea
zMf4DR@3fpz=fJjip|U;KhhuROO`YDpGtSw*=xz_8-7p)Zgecm-#AdcCXR)^#;eA82
ze#tugyx~ao>`-bDd65>XIW3N;rFX~NAW-M8>-w+7uK#AS)eXb5*`tlhX>oVLApr!;
z^CamspPg}7=Eyg}Y*~Rs*iSLNJvC?z8(m@90N?AksomBHbF0~b@3z^r;7lyX&^V5d
z;A}yiIql+vsQ4S~4gbB6v?hVuJl`kxOb;g|D}L9_bE;eWYeO^|*FAXgd>mZ*^ZP2c
z<RoZm&G{}iM@fPIeid7qex<<cx6vv0c&G6H>d&mxCq2He{|9>5Jv@LKec1p200v@9
zM??Vs0RI60puMM)00009a7bBm000XU000XU0RWnu7ytkO2XskIMF-~$1O*cm@cFFB
z00191Nkl<Zc-rM$cbFB`-G0yX+uN4Aon1OC5IQKtwg?&v*db~x3D^x$@otRy5(9G4
zSYjeESYtyJR8Wer6a|!;P?n`E+gY~n?Pczrne+W|_bv-8N=^Kp?>x^wduQ&<oO9p#
zonLw1GXwlc+T6Kwt#jwjwf<Pf!~K{07fmK1&1@75+qbTB1cNa_CvlA|OM<~rycvM}
z-x?VCPjoVF+&Cf#e2z&My=3@c%TR}1>@Nshf4z>+HW?+>nPz~^sskYa&uQ=nB4}(5
zYV}9`wf>-dAS=VX-|LI)SiEfC`jsV>4gaTs88&PfE*i%Fr0A0TsToewwN{JN&t{Pb
z$1x`zE6WNzz9^!y0;53>hG78!CIbUSQBdFD*Hn!Xvr*KdvQp~tMm}5f_2G}^{pGuZ
z|7U<<S#a<D{f1k5_jJt6$}kU?MDC3GXle<9Wf-J5^auns#1#sIo&nWVRM&a6v{VD(
zIhGItt*t%0x$I!`{GZSG>=OX$j}jP@QRLoy<=USY_D}y^da9upA*4IYpy5c|AC;AM
zRi!>cAn7DN-E0zVT`egPlo1Zck)CD*05mi!5O@N+l|@aRM>85lV$kzMQz`U%9!)Kw
z^1WqEbMAg<=?CFRT=~%e^V$nP8-LNLoL90k%s=T02&F(vTc{}*lvnI6Ybsf@p<>h0
zm4_Nb;dm^0j6pB(zrJtOz-uP<eY{7mZJH>s1OPnV2w0YZPA4D|p)eU4w0l(;^bFeD
z0~*h>#BSG<U{Hp|EP+yr`Ud~5Z@1Mxdf#I!zWJ{LbIp}K4Np8g?)g5wQf7$4v0EOG
ztF*qszoB%0(_im@e8uvvKzv`g&P&;U+ocz$z9NYn4*+%bKC06jNs5i_JT4g0pi#i%
z@oP4#j+jj%@%o~$m_-mmAjcH#(Bam9Jond4Pb^<u5jty^aJDDDJm<>6GwvR>rf0t6
zDvo6c0H~^lx_aM+<!cW8e99dk&-rZm!2|KQc3N}4sHjNtg;Przr81h8X}$~qVsS#e
z-VkE3INCiCgu*d^YLFxzf*_LGBkgL6!@%ftJbVEeqQHUU7?Pf9965Gm&JBGEY#Udt
zt7!U<S<J_8-E`CF;n{DSjG{5QueB{)x9wkbGjG4|^Cf4S-~qrhe|$Q=d*l7pDRzBI
zn@5GicKp4QV=9_kf&k%Q&<V7)&8PP1mBIml&mV=wEOqf!vEbI7b@$wI&*D$cbUe(N
zp77;|Q)iAJ+vB4oD5|Q_{fAmUnEAVvL(UeIt}PN(LZMJ>jW3|VYCd^*qQD|2%L1#J
z!_medi77x_(UJiGyGt7@R8^yiZNWHxY>$OsE}S~^f&#PRqiIi#8lL@vD6lL5gu?OY
z=B>5Uue|B~JC?6L>^WZ%E-I@>WLZUHb6{shb^A*P54S#3RqOdjV{@RUOB6)U9!5lE
zhOMdfC;-4P1UenRee>4Z8KH1I+5sdxYFPFQ%Rid-)CDOCzFatU=7^zLf8w}=Kk@pa
z?dvyIPQLfiFE*a<TxjX4#!y~%<D~l^`|_)<`;A6{e|P@mUyU4^{bz%o*XeXTaxx^c
zYhMfPRp0;s*loHiF2DYtxBqS4qyv|ZEBM@Mk?b7DkdZ^P{`BR-so`s;E_~^{Ip2@p
zy6L7dBXbuBJj--|((uXB(xQi5tG1snFp7$bBmh{uc5QUimP6kyUw!D%iO0lZs<!B}
zecJ~QOx>B6W4(>%SjK4Jaqw_E&CNCuj$;VVF^1~e_C<4E+`Ka@!?dcPhkddnaVCZ#
zBrVlgG<tYu*(XcO%6@Pv&6_vR@I%pO^zfXwlheoRi?)BVv~=Q=e_Xrw0+uS@8{Y4J
zXxXZ&8qcfA?ZE>aY-?Lc0|1_9am~cOLjhpcA4>Lovb1!f*B5P1POH(wv)_LC*((Qs
z-}T*Yw~?Wg>fLU4!Mu6%_!AGfc49B%gv)v@G8qM9(x<H7SULFugK}E!rTO2^kID)K
zfDEUJ`25ET@l2;VFZub&Kd#-oZe!)-q|Y%KMdO4^do8+lVlP8Ck&$z|-35dYJ>zn@
zT3jwyC8adO?RMwPojbSlz{elD__>U9Q$GMuRE_S~RsZmX@F{20mV9~eP#`Eb0RYD`
zP!x?EbIgLN>#@Il^oxx<chx_fj8+-xrhbn<H17H2_jBgVf!poQA%tYQT&~I|pM0{J
zoPd}>2+0QEvk4mqUUyZ$^~sEO|Dl%mC*AVFoq>Q%FT@Xh?6JpsN|KaeG#aZ;_naHA
zIJ!B-q0a+=J^LE9!2_KP08~`9KR>eQ^;unyHRuJhdhzY=_V1f|dm<lFv}G#~T;_?5
zFQt^)0Mr#17stAdN*!NR78e(%Oq!IpAPGuqTe$Ao7r%bwLV+@U`gB4mwL~J3a9dm3
z(bryk?FakOOPubOD<5zsYqH~OG<p)j6$;1bvoC-B$V+psz9hx2&k+TV89gFz!N;ro
z<DPx?*^1N3V}|uEzcwe!*tcT}Vav|?$Ct0E@La%|k!!VDYpqsmt)^+Yr&YMVc+F&+
zRVOCurx-+m)so+}w1u0yJ7@Xo3eVOZ^^YrR;?SH-W8a~@4qba%2_DZgTw(w8r;>Nz
zNWE`ey?5j`x7(e0fviOYpzu7e@I0>oP&)RVvJLE)Y8o*#>*?h7f$}yjE!EKZTXya~
zdhis{Ci94Q<hCRA{&hgY$_o3ZKgIJ5_k+N^JAd-6X{m;u9aXaS&3DzmEiNvuCWLt0
zZg+v(?Y5m~Y_b+CSWutbSg>G0eRJdCNs`EQn`2!!skix`uTK8NnP%({0E(iaywazd
zO%l_=<tSgRE#GkhAXc~AT>!vSTwGlJ&39E##p4OHNlP{Ke0TojTYoU~?cXQ$!A@&A
z>R<Qk->%*Y08c*oWCTE^+wHcw-R=TPX+v>wapWAW#R9;0;{IPw%^g4M!F!6UYg(Vb
z|M4%s^Z8?*u_H4xpMLz(Nj-bmpG-|L<Rp*Xv)_Y3{T+l!B;*JL<=vaN)wg#5A_2$*
z;BmQJmC18{{oB=B#*gi>K0nuX1tA3e`=mYq;Db{F^Sj5!4RofNMt3+c>?&<|<-|d|
zTrLj)&)m6lGu>`?I)ECN%XP+1`R=>#2BkFR_19lN$?>J9@luN2GP++c+v3tq57J0f
z(M%?h6@}xCsItaOIhLW$bg9$wj~w+cnmczcA%x@sh<62~YumlI;guda)+-1haHg5Y
z{O+-F182XmX<xTf>9TPJ(*z-r_BXeNY9DxF<;qk2u;Sw4qlAz;0QnsNol)a?K9dk~
zw7c&lksD<&5QM@S3<iOuIP}MXBFhS@YCRAHJz<%+mg+Dhr;)sFi+&9uBp*PX%jK#+
zRsRpnTDhXRHB<`#g1|DDjVqYet;H}5NQToiIl0}|9$qZV$|?C%hGDqFr3**hGG)+U
zy-q)1$GQicqCjOzsS=JTZQ*dNX8p#heb4{xyKkei6772KefQl*G)<EhELd>TRDAi_
zD@Ug|3?n#}Af(ccP@Evanp#2~ggb#jZ-y*~)a=Y-+(hk>&|+IkLAlH2`a$L{8da3G
z_VAMQRO8H!?D=|z!S6H;^f+Lyozy$WVix-+nYi_vsup*n05E@fcG6Er4bT3i)uOw~
zX4Tm{$h&UakU}SZF>PqjACTAWE^T=G;U`xu4~AlKP1EvJRXr(@YiX*s-g|SeH<G+>
zC>TOx6NNz!h$4&B6azSxL2J7ToupBJAP$Q;0Zbqu2j2d0Tk%^Tynfnr=7vpGpY-jO
zI+JAyEM{@QwG(^iEL~Y%dmJ#gO&NT-PU4f4g2(-r%{#kZ<gLG6H*xro%sH7(({PqO
zJsO7)0=rdbv|Dx8<z-v08$B$$vh+aPoRu46tKWY6o#XtH7T(_H7dJZJ$#9xFZ;nPO
zvNMg4L;{v2h{Y+|JSr?^;LzcAwXlCWm-L5w%9{S?tq*qBoe^vJm(4qGoifPdu<LC)
zi6^(+FzE87E6d+G4wzmA_7Ta?{-C@q6iN`-cTF9fGUKk1^9%B9H}gDuqB+vW=71KC
z#3@4vKoaqcf`aE+q^BAgqd_1^keunJ0!gQTv#@`pe8$v!S2Z*St1V{H?6B)cI_&z1
zdfl-OYL575ey)uW0(kuz01AcxW+PBu(WVaUm)1G<imLXN)21(Z<xKrtC=`zcg7P+p
zT|Y5_fnzv;<AKph{D9==a5%m-A&Xo+^78QopQbnr*~#xzRYQ4YyIOzLPeE9c;xIA*
zPZ)+kuj662Ng#y4pacAYC~as8XdKHRE5poalz~oSU^N?iJJXE4`}9mXX|S3`QC;h$
zx!D#%NJ15eL^YTU3}P{v*0x6IfWB#LvI1ym3haCNwQqkO2*%Dza0?}V>%<NW2A<@6
z2~c>9*bbGw_xH(HUUG5%5~D%rB)qF?Jv0)D)BIc;+pqV@Kgu7F;qwP!F-r(VcrdI)
zoM{p<85z_b@zHj#f`NUlq&t3$0%&OoLXN4(%e4}pUjrd33_1pOE3ju@8_mx(pjW=V
za~?M~2lv1F#@0z6E-5?fa;2p;w68l1H~^3&&LoPgBf0b7;ntjKHw}5qXb|)X8AHX6
zf7h#p{nJ@<u6RmsYc`26n?!iL5y-JHoM}eHJN$yAGm-)61Uq*(L|WR^n(PcQ+iaE$
zloApMDiC-EcDo*WJ&RD7!eV0J^G7^8_k?OSRqi`#c$Or0)UcES)wP}t?|k^Lo9Dl^
zv-Mn(%nh5XYc3s^4*(EE)**?kDJrW00st11*t2}cBZoPTfh;TV`l8YFG^5mEYIMzp
ziulz<y#=95F45c)YLR2g*K$m4mqa#0uM;k{+jOR5!dML9NE~S?22cvLwyPinu$mdP
zw1uk|E{o2T_<&*55HZJO5^{8skVZkN5?30%{%G~aZE}?-U?N2qMgKN_Om;@X_i12=
z5<76H<=GjJEt^wS<3DFP)?^fVly85eN)T8miiTbzUg_x%$dw!bj2N0>NNUG%MMDx4
zIi}Dx8)}rx#^rZ{5(vtHEjzu>EnMb#@$=7@hPx2e<|Xgk@|!{Z(|;>T9B(uTh(zOv
zMB<1kEK(hb^SwR|W|OYRoi~z~KU%6>`>(_Owg5OvDNPoRG9e^W6!)9Q6okLLcvMbC
z=T!9vcf9sq)2#UmK3#vl3bjZ?@diUNY8P~b;}{Gd;xw+`RFlYjdlfizC(U^Z>@90i
z3-au|#VjVRAh@#RP*F|mfZ1clj7{r$d@vaEPrT{<KYa6D_0*`G5PDJ_2Glo(peQQB
z;Wz-mYGD8Z2!fP%{gu)`Kl<Q>qX2A#ki3pR+mb~uHw@}a-Wf8`o|&wHjvV!Ge`@xc
z%M_&SpFVxM;d}w3s9HqTv`)&RPtODv3;@ss;|E32khGkN>NZucH?RdgI(;v8?QMAa
zzQ<N<n>A||07Tqw_elf1?UzfIR93aWe#}($0F5Im$5G$lM?+Hp?d<^&XfT^hLtmPG
z_3UIWlKlVNA12N=8pOew&P3ngNL*REqU^3OzB(LSuwX$W0OxtE?vGoSp><%9pe@T=
z!yWPjB#}dcWG0A2;>2hW0016u#P`SN)-C8#Og5crfD1p}^ITL`v`Cb~X650q>tVO)
zk(FUaM!E^vnPvoo5qNwdIGwgfweZ#~05z1-8ZEpnBQ4eTh(UiW|7&XxuX%dz*Igx#
z=IPU?r=AZ~1fJ2cEYlh3l2|Z_O0zK-kE@+`t-8je*=-g!%Xy413P<9*cJ6KtpBU}j
zZudz8eD%$pRX%^TAr_|)cmhgk=bcC<dl^m>(i{?+Tf*!`BkhlO>PzDtzmX)KHJgr!
z7HyvJar)JQ1q%WIOw*@NKWAWc5@$0S6OlHqXxOu_Dbxu}L{^*q0a;VEMA0S)EEqz-
zc3BJ+iNpilP!N6qra5!woEXAsLsQJ}^#=a^?Y7$c=fAma?6WU@Gve#b)wdt2@NJ35
zRSE!lJ&&F}jPM7v$;}N1oXrj8Db94`4WJZ?(mCzn@qv5(`R7mUqZUBUxdQXRy(67`
zhx_pRqna$M&7Hu+<7y}tQ=1ru;K)&*mXU5^6qO<xRl3NdV#X=1UCVLYaRZz(Ws0!y
zv&vV;PI_a+HB%S9_VnBhThekTA31n*=y$8PWR6?C{_vDQP!0fqUdJORQzvAlMQ<54
zAU2uj1xY+1Rm#nhQdL#Wce~xrE>@!ez^{JwEB;)7xoA{wL1z{miHGEv8a$4Vp_J}p
z7=pN>K@fN%i3Eg@&go?`3WILHxiF_2t5GPW)a`b64lp$}HJj7*c{LhUG`HJra=YC<
z0fbyGSLN@2|9kb0`#)d0@w@6flJsJ3wh1hwT++9f<q}z@(Ce7vrk=?lO!~wBJaq&>
z!0mSTbi3WAM0ujt5kk(%YV0=M&`u0Ay6YsODjbRL0|15qu{eb&5TvCT(B_FGbs6FQ
zdqzETitE=U&3gLu>1F`_9zA;SZnrxhfX?M|Rk&QPVAm7wee}zvwe`ML$*?fA&{8Oh
zWMC2wy^e=0CoDEC)sVCJom*zQT&|GI<*EQ6x!vyk-o1PC0Q?<&o>em&#mkeQy}szl
z4BmnA*6oQ>ABZayEK48=Y-j$_k?-8~#fP^&k)$WOSPcO9-EOyq5RzI@P@t!jI$bVT
zmCNPoR?3iN1=Tg4x02fqyO_!`nlnl7IPCgPVhR9;4bGgs=#3li?C7t><#JU4a26C4
z=mDHngu3IF!c3b@SD4J(zTI|oN0+)O(SA0eAoICDPO6JU;>6*wCSp4QBGEWPp*T_;
z`p)XQ>|pzf1@D#5`C`SUZ@YH%^wUrOG#-!ZLZQ$>S(f8JG_bJ0w$Gg6!gUNo;PuPU
zR1GXA!eU}NoNg2x%fMt5l36(|-QTwKAMe*cmzAAg3jm@h@&<#UFQv3@-n@BbX9CQM
zMbl=D8Id!uLyMv_p4gec;p=Z}j;pShuc<ux)MN5qQDg@*1TY#I5C9Az;8+G`V`8v!
zjH)&ZDqCAB>$^z120}<0rF3_3ak1}o2bSv4@h?3y7%WRbDT_!%gCH<4=o5YU{3;wa
z5j>yRZuiIyKEHR-@)c{gq0747dGqE)DW#-CB567uYLn+#HZR9|PbYIw<J%Vu#cI1%
z3Cb(mJ{{0Ebr1leX#mRrZJsdlvJ=lfL}f+Uu&L_j)24s=afdv?0?4D3hB{39%<7b=
z8j)p1)9ZOgujA3$7SaS!$0QX{&;;StL50-3`_ZoPvtQg)cY@wdD5a9i<*M!&Q(6Z(
zU+Z$YPFZAr_>U>KInxqqtEy^Pzq#>~9Xoc=ZdHOkrHvo8dm@zM2vn6K5{biNI=0wv
z|Dl!_yMU4jAe#_URa{(rRx2Zep;%im9E&8#b&{C7G|35tk>N}f>#>-MufMJS#fhMF
zB#XHnIZe{vHB(Bf0A!s?J-uzp0Nap4=e(qTw(mf@wtbgp;c?eJ@uWXLGhy9bQ-@s^
z3TyEC0?5g-BuS{qeUB~8xpcw|4S*d$z02i_o@;`&`<wf==44q$0YGJSyXJ6M8MBc=
zO`QilaucFweS?4VpmBd6*Nx;V0!TSQCSjA)>;%EhlZdW7zxMMxm-OkGa%~5LfcHK*
zynfd2mtOw867Bpqx6coTWXLg!t_pxZ5I=C~gc%k}DLTUMIfK#>oi=w?x{5~i5`izE
zK_?x{+kF1$rc<1rO({K2J94I5d%X1Qjk6_@)4N=*XouiN-EMcmuOFP!d&9E3mi8`4
z=@jz!lzCy&)A>Ir(N@-YKdr0x9mvW|=|?rTORXd~oJ!R@m-g+p+LE66_L+nb<Yrr$
z=GK5_Fc_J*qS2&9x3!1cyRjBKfcE0z;^X$mW3j*`7iAUi{^q{B{Q>!l`Ud|YQP?A8
zI88&Wlk%=Jn?&gtiS7lZ*nj`y%Rc=<U;t=4ch%2!rrY0_yYS0KgK$BfK6CwP-Ri3*
z^l3<S7&0V@BYuBW)9DOg*<)-#dYZ92Ut#U;MqPh(@09Eek?{v<X3u=XjGp=SZu_mN
z^8$<jPkYNV0JPIuAJY;ZxytJemNvB>OGONN{wF^jn{7GYz(k{pa-`n(c5*v2!_0WR
zL9N{z??OL{6ZkGbx!vvz0Nu*FH(x(+62~!MSpr2lSyK0SBd9&%1J4_vDst(8`oh)S
zU57m(^a&FtOz0tsVx+Nt*QUIj)Vl?qGLpza5;;CM+uHo$lF}{b8yrbw_l_8rHA50P
zQ4%@Q+#FCNQHG?aiV0apFQootkn`Z;W&2CrZa356a8Dw^ueq|9ZQ4zP-`DGSlOz%x
zt_mR%jUpI|!RL=65RAcK5I`6SJg=yWKHGhx!CKf_R8*8%R8$lyDJfA;0><rj=Mh2-
znx<737Z*oXt*xlP@tS_tP=t<krs<OP(vYn?>)x(!2t>{&FgtfQh9_R$Q_Ie@Oh^=V
zdZxP0qeNxOrr0GggdjD=aAp5Kj&GuB9t)tRq@?6HbFf)N<J+%JS(52A4@u-m3S?P9
zYKjqds|d46g2^bt>jz9m;H!0qUY_-bwQrV`lteDS{BjQ=B(tcf$W~HP;sXHEK{S~t
zrM1Py#m6N?V@71^?zv<9mY)@657tQucT{$;`JF4Kynl}@$It6}yhk2+B;~Ffl&^c_
zm<A+O&gE+=wMkdxvj#n%EOet~2R*O7|MB)0-d$9Bq@&o>zxKk<t{OQkYfgG<B4Go7
z>e@uOZ*5nRVrLPRDS}}QHZy}|tM>1HXx7THk*IRq4W2h|9!Dw71rQ)^x7+Z2DfAN$
zU($cfh@5XP8<%BGhSbelYo<@R^W!(pCops8&b7vZ`+DDblVg>|EZIBAF}i+JwR*)*
z^EpxEx@638)$5Hm#Z@h0F^L&wlc?{yII+6cgRBfQc%DT(PSMn=!fIx~a~jruQ|Vp2
ztn8xCR~+1bs<F7;ZUb9VQWF3Ea9YzEi5bd<54PQGF^f#c(({SK2B+`*^veT>&lfO7
zMMV-Tq_wv<mwuC#VZK!mSf1xulAmW|_LMcMqQEhFUBYsBj%7?n(PS}8c1h&;Bq)la
zq2`E}W;xA-<5+lnD&h)7nuCMK6Ql<Zw<+ZnZBzgD#`ewMH<pr;lK5#oOK_<C$RUf>
z?ioD5ew8S4gy&f<(`mk8*kI@G&z2uJbiRNAfQNqb>VaW{o!c_fP1lP8Co&8{rqj&$
z{83t2?V(hoFz5x+)j|S68Le$$1Vb@c%qAkofVcu!%`Ae!2tC>qpc<v5y3YH^gR@qC
za602T?I+weZ>iYUyC7ZdRbaV{=U5^LET5BQx%rZd^V+}o>d=mOTs<$qtX;b{`q}aW
zm3cYl6&dNKD~txg(GjwVGtEc>!5IB+`w?|-S*v>FXbA1zI3a{3CZirK$3w3JeEzWJ
z^M|O{AEkPoKqQeP)wP}{Zn<aiX|ISlqeuT%tU35iVgK|%UbbZd&$EQ*ST;MueD%*J
z^zQ5NhS%>eZ;PA{U;yB&brnrtZ>oNG#L!H$*(46*xx}IzlTjqS^6gCjJ`Of5MIt;0
zO;r^djmk70k3)&8)M3|?)D#25^Be)7mhNwQ^!nQu{pC!?bH>j^R@DpNrC7D{OsDB;
zN#uBjAxLo;3NId=d;6FXS#_U&d7$ik00RKctzr3{g}YWbY~tq*yTKs{Y`^5AK>#2M
z95I_j#%9$qHmi=YS|lP#Jc-3s5|3*DrT#5D>Zaa&_u}`?bUbGaOjA=6maRHinwDZ%
znVo4KZ!(Ih9bwa4kY~Gj>J5V~8PGT7;HtG1N6r<PWLvkfx_QArcP{q%Bk!g<^bLxl
znF%2dj$?RA6VFLTqjALJ8bA_!acg^c-_n))ubT0j<!AL!$XP!{yKZAuLsd=NKYJHA
zELMv&oZ}dVVF;`iDStrU)O)AiSoqU1BeJ|}HdI!`6-_%AV3O_Mdz-xPF50vC?GJao
z)3b-Qg6G*0X0vD&MHZ6CK@eD|s-~75Y@Ywr?2=nwd*@$A&sw)V9}(s6f4+L$#iMio
zdh!G56wR%ny0-T4;;%PXFP{7I<{iOMEOx3q1^|kSi@n`_Z#3}2Z)c7hdCA53H`#5v
z8`Dw@IVbj2-{AlE=B>4l-2eEBP3J6VpRYXRhhAZzsuW&d#1jb0+e6{_*4DPrzD-+d
zYhHiv-%XK7+&kmG2Sfn)$7}OtosPHu>W-o5<HqFXr8o=&4SIgG$s~@nnsqjoJ^s3s
zQZ%)M4wvq4ntkshUwjY<%0Hf07#ue@6ED5Ec|hOP2h-C`V@2Wnmw3kGDgvPx)zrjv
zV_1eU83c0TLdX+aET(FW&4Ddt2U}jf<Ni+<sp^mPr5D|`r+zc8|7GLzr)4_LlPxB3
zfKJCV=W@MBB(C`aa#=%T;PZ7GD;CaqadX*)8vB3b#X11U^;h-EzIDpr%X=3%hU;|v
z00I;W0-I_!OALR)J7waE2ERY5#bRm;1>F~kC}rgpZ95iyzIWZymE}j!Nts{30pq{e
zM1eJmBAYg(&}kS{SeOO?drM23cb7JXWLa%a3he){+mG$#UH=Pz`3sy0Wcoh<0000<
KMNUMnLSTZYbCR?G

literal 0
HcmV?d00001


From 36af1c17563432c79ef94d89b634356fd483516f Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 08:26:05 -0700
Subject: [PATCH 76/82] update documentation SHA sums

---
 dashboards/opensearch_dashboards.yml | 15 +++++++++++++++
 docs/download.md                     |  4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/dashboards/opensearch_dashboards.yml b/dashboards/opensearch_dashboards.yml
index 052a81b3e..67d9f4f65 100644
--- a/dashboards/opensearch_dashboards.yml
+++ b/dashboards/opensearch_dashboards.yml
@@ -17,6 +17,21 @@ data_source.enabled: false
 opensearchDashboards.branding:
   applicationTitle: "Malcolm Dashboards"
   useExpandedHeader: false
+  # Yeah, I know about https://opensearch.org/docs/latest/dashboards/branding ... but I can't figure out a way
+  # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the
+  # internal opensearch code validating them AND the web browser retrieving them. So we're going scorched earth instead
+  # by just overwriting the originals in our Dockerconfig.
+  #
+  # logo:
+  #   defaultUrl: "http://dashboards:5601/dashboards/ui/assets/Malcolm.svg"
+  #   darkModeUrl: "http://dashboards:5601/dashboards/ui/assets/malcolm_logo.svg"
+  # mark:
+  #   defaultUrl: "http://dashboards:5601/dashboards/ui/assets/icon.png"
+  #   darkModeUrl: "http://dashboards:5601/dashboards/ui/assets/icon_dark.png"
+  # loadingLogo:
+  #   defaultUrl: "http://dashboards:5601/dashboards/ui/assets/icon.png"
+  #   darkModeUrl: "http://dashboards:5601/dashboards/ui/assets/icon_dark.png"
+  # faviconUrl: "http://dashboards:5601/dashboards/ui/assets/favicon.ico"
 
 map.regionmap:
   includeOpenSearchMapsService: false
diff --git a/docs/download.md b/docs/download.md
index 84bfcd2c0..632d3c035 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.4GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/malcolm-23.12.0.iso.sha256.txt) |
+| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.1GiB) |  [`da22b4bfab2ca8cb2a3ea6266b6cea603a9ae119de83009f3d133f0f202b566f`](/iso/malcolm-23.12.0.iso.sha256.txt) |
 
 ## Hedgehog Linux
 
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [hedgehog-23.12.0.iso](/iso/hedgehog-23.12.0.iso) (2.6GiB) |  [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/hedgehog-23.12.0.iso.sha256.txt) |
+| [hedgehog-23.12.0.iso](/iso/hedgehog-23.12.0.iso) (2.4GiB) |  [`835160cc0d2e3608754736989088d912c17372c49764244742e0572af9295d4b`](/iso/hedgehog-23.12.0.iso.sha256.txt) |
 
 ## Warning
 

From da0886d1a585d492ca8bab59c7e31bad36a78857 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 08:38:47 -0700
Subject: [PATCH 77/82] fix issue with image name for kubernetes

---
 kubernetes/03-opensearch.yml         | 4 ++--
 kubernetes/04-dashboards.yml         | 2 +-
 kubernetes/05-upload.yml             | 4 ++--
 kubernetes/06-pcap-monitor.yml       | 4 ++--
 kubernetes/07-arkime.yml             | 4 ++--
 kubernetes/08-api.yml                | 2 +-
 kubernetes/09-dashboards-helper.yml  | 2 +-
 kubernetes/10-zeek.yml               | 4 ++--
 kubernetes/11-suricata.yml           | 4 ++--
 kubernetes/12-file-monitor.yml       | 4 ++--
 kubernetes/13-filebeat.yml           | 4 ++--
 kubernetes/14-logstash.yml           | 4 ++--
 kubernetes/15-netbox-redis.yml       | 4 ++--
 kubernetes/16-netbox-redis-cache.yml | 2 +-
 kubernetes/17-netbox-postgres.yml    | 4 ++--
 kubernetes/18-netbox.yml             | 4 ++--
 kubernetes/19-htadmin.yml            | 4 ++--
 kubernetes/20-pcap-capture.yml       | 4 ++--
 kubernetes/21-zeek-live.yml          | 4 ++--
 kubernetes/22-suricata-live.yml      | 4 ++--
 kubernetes/23-freq.yml               | 2 +-
 kubernetes/98-nginx-proxy.yml        | 4 ++--
 22 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml
index 5eaa62088..2f0ff97b0 100644
--- a/kubernetes/03-opensearch.yml
+++ b/kubernetes/03-opensearch.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: opensearch-container
-        image: ghcr.io/idaholab/malcolm/opensearch:v23.12.0
+        image: ghcr.io/idaholab/malcolm/opensearch:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -69,7 +69,7 @@ spec:
             subPath: "opensearch"
       initContainers:
       - name: opensearch-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml
index 37453d405..4817da142 100644
--- a/kubernetes/04-dashboards.yml
+++ b/kubernetes/04-dashboards.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-container
-        image: ghcr.io/idaholab/malcolm/dashboards:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dashboards:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index 7f66c0fec..c2152f0d9 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
       - name: upload-container
-        image: ghcr.io/idaholab/malcolm/file-upload:v23.12.0
+        image: ghcr.io/idaholab/malcolm/file-upload:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -73,7 +73,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: upload-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml
index a9539e70d..9a2287e41 100644
--- a/kubernetes/06-pcap-monitor.yml
+++ b/kubernetes/06-pcap-monitor.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: pcap-monitor-container
-        image: ghcr.io/idaholab/malcolm/pcap-monitor:v23.12.0
+        image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -70,7 +70,7 @@ spec:
             name: pcap-monitor-zeek-volume
       initContainers:
       - name: pcap-monitor-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml
index 45c3155a9..863c46f73 100644
--- a/kubernetes/07-arkime.yml
+++ b/kubernetes/07-arkime.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: arkime-container
-        image: ghcr.io/idaholab/malcolm/arkime:v23.12.0
+        image: ghcr.io/idaholab/malcolm/arkime:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "arkime"
       initContainers:
       - name: arkime-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml
index 7f38aecf5..c158439fc 100644
--- a/kubernetes/08-api.yml
+++ b/kubernetes/08-api.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: api-container
-        image: ghcr.io/idaholab/malcolm/api:v23.12.0
+        image: ghcr.io/idaholab/malcolm/api:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml
index 425cdf403..a210c1b8d 100644
--- a/kubernetes/09-dashboards-helper.yml
+++ b/kubernetes/09-dashboards-helper.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: dashboards-helper-container
-        image: ghcr.io/idaholab/malcolm/dashboards-helper:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index 365e159c9..809b3171c 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-offline-container
-        image: ghcr.io/idaholab/malcolm/zeek:v23.12.0
+        image: ghcr.io/idaholab/malcolm/zeek:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -71,7 +71,7 @@ spec:
             subPath: "zeek/custom"
       initContainers:
       - name: zeek-offline-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index 4d74db91e..b7ed63050 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-offline-container
-        image: ghcr.io/idaholab/malcolm/suricata:v23.12.0
+        image: ghcr.io/idaholab/malcolm/suricata:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             name: suricata-offline-custom-configs-volume
       initContainers:
       - name: suricata-offline-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml
index c7e7f864d..a8e9afd94 100644
--- a/kubernetes/12-file-monitor.yml
+++ b/kubernetes/12-file-monitor.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: file-monitor-container
-        image: ghcr.io/idaholab/malcolm/file-monitor:v23.12.0
+        image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -81,7 +81,7 @@ spec:
             name: file-monitor-yara-rules-custom-volume
       initContainers:
       - name: file-monitor-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml
index 1df2bd614..c38697906 100644
--- a/kubernetes/13-filebeat.yml
+++ b/kubernetes/13-filebeat.yml
@@ -33,7 +33,7 @@ spec:
     spec:
       containers:
       - name: filebeat-container
-        image: ghcr.io/idaholab/malcolm/filebeat-oss:v23.12.0
+        image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: "nginx"
       initContainers:
       - name: filebeat-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml
index 5e068d077..4b2d03bb7 100644
--- a/kubernetes/14-logstash.yml
+++ b/kubernetes/14-logstash.yml
@@ -49,7 +49,7 @@ spec:
       #       topologyKey: "kubernetes.io/hostname"
       containers:
       - name: logstash-container
-        image: ghcr.io/idaholab/malcolm/logstash-oss:v23.12.0
+        image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -113,7 +113,7 @@ spec:
             subPath: "logstash"
       initContainers:
       - name: logstash-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml
index 6340f9c50..6fc358ecc 100644
--- a/kubernetes/15-netbox-redis.yml
+++ b/kubernetes/15-netbox-redis.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-container
-        image: ghcr.io/idaholab/malcolm/redis:v23.12.0
+        image: ghcr.io/idaholab/malcolm/redis:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -83,7 +83,7 @@ spec:
             subPath: netbox/redis
       initContainers:
       - name: netbox-redis-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml
index 0600302d8..d8c7dc2f5 100644
--- a/kubernetes/16-netbox-redis-cache.yml
+++ b/kubernetes/16-netbox-redis-cache.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-redis-cache-container
-        image: ghcr.io/idaholab/malcolm/redis:v23.12.0
+        image: ghcr.io/idaholab/malcolm/redis:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml
index 326cd18d8..8bd333ede 100644
--- a/kubernetes/17-netbox-postgres.yml
+++ b/kubernetes/17-netbox-postgres.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: netbox-postgres-container
-        image: ghcr.io/idaholab/malcolm/postgresql:v23.12.0
+        image: ghcr.io/idaholab/malcolm/postgresql:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -74,7 +74,7 @@ spec:
             subPath: netbox/postgres
       initContainers:
       - name: netbox-postgres-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml
index ce5c2a908..8ca9d1fde 100644
--- a/kubernetes/18-netbox.yml
+++ b/kubernetes/18-netbox.yml
@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: netbox-container
-        image: ghcr.io/idaholab/malcolm/netbox:v23.12.0
+        image: ghcr.io/idaholab/malcolm/netbox:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -88,7 +88,7 @@ spec:
             subPath: netbox/media
       initContainers:
       - name: netbox-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml
index 3cb338118..d402c9e1b 100644
--- a/kubernetes/19-htadmin.yml
+++ b/kubernetes/19-htadmin.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: htadmin-container
-        image: ghcr.io/idaholab/malcolm/htadmin:v23.12.0
+        image: ghcr.io/idaholab/malcolm/htadmin:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             subPath: "htadmin"
       initContainers:
       - name: htadmin-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml
index fecdc11de..d82fd6274 100644
--- a/kubernetes/20-pcap-capture.yml
+++ b/kubernetes/20-pcap-capture.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: pcap-capture-container
-        image: ghcr.io/idaholab/malcolm/pcap-capture:v23.12.0
+        image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -46,7 +46,7 @@ spec:
             subPath: "upload"
       initContainers:
       - name: pcap-capture-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index 74196b4a8..a31997b6e 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: zeek-live-container
-        image: ghcr.io/idaholab/malcolm/zeek:v23.12.0
+        image: ghcr.io/idaholab/malcolm/zeek:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -63,7 +63,7 @@ spec:
             subPath: "zeek/custom"
       initContainers:
       - name: zeek-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index c969a6ecb..19e5763c8 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: suricata-live-container
-        image: ghcr.io/idaholab/malcolm/suricata:v23.12.0
+        image: ghcr.io/idaholab/malcolm/suricata:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -55,7 +55,7 @@ spec:
             name: suricata-live-custom-configs-volume
       initContainers:
       - name: suricata-live-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml
index 2db4f7b9c..5173b8d2a 100644
--- a/kubernetes/23-freq.yml
+++ b/kubernetes/23-freq.yml
@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
       - name: freq-container
-        image: ghcr.io/idaholab/malcolm/freq:v23.12.0
+        image: ghcr.io/idaholab/malcolm/freq:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 661489996..1f293bd64 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec:
     spec:
       containers:
       - name: nginx-proxy-container
-        image: ghcr.io/idaholab/malcolm/nginx-proxy:v23.12.0
+        image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true
@@ -95,7 +95,7 @@ spec:
           subPath: "nginx"
       initContainers:
       - name: nginx-dirinit-container
-        image: ghcr.io/idaholab/malcolm/dirinit:v23.12.0
+        image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
         imagePullPolicy: Always
         stdin: false
         tty: true

From 14970bdf39d9e2af8bce60181af3efea79eccd8a Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 11:28:03 -0700
Subject: [PATCH 78/82] issue with K8s with zeek custom/intel

---
 kubernetes/10-zeek.yml        | 21 ++++++++++-----------
 kubernetes/21-zeek-live.yml   | 21 ++++++++++-----------
 scripts/control.py            |  1 +
 scripts/malcolm_kubernetes.py | 12 ++++++++++++
 4 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index 809b3171c..ab3b403f1 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -63,12 +63,10 @@ spec:
           - mountPath: "/zeek/upload"
             name: zeek-offline-zeek-volume
             subPath: "upload"
-          - mountPath: "/opt/zeek/share/zeek/site/intel"
-            name: zeek-offline-zeek-intel-and-config
-            subPath: "zeek/intel"
           - mountPath: "/opt/zeek/share/zeek/site/custom"
-            name: zeek-offline-zeek-intel-and-config
-            subPath: "zeek/custom"
+            name: zeek-offline-custom-volume
+          - mountPath: "/opt/zeek/share/zeek/site/intel/configmap"
+            name: zeek-offline-intel-volume
       initContainers:
       - name: zeek-offline-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
@@ -80,10 +78,8 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX,zeek/custom;/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
-          - name: zeek-offline-zeek-intel-and-config
-            mountPath: "/data/config"
           - name: zeek-offline-pcap-volume
             mountPath: "/data/pcap"
           - name: zeek-offline-zeek-volume
@@ -98,6 +94,9 @@ spec:
         - name: zeek-offline-zeek-volume
           persistentVolumeClaim:
             claimName: zeek-claim
-        - name: zeek-offline-zeek-intel-and-config
-          persistentVolumeClaim:
-            claimName: config-claim
+        - name: zeek-offline-custom-volume
+          configMap:
+            name: zeek-custom
+        - name: zeek-offline-intel-volume
+          configMap:
+            name: zeek-intel
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index a31997b6e..f97e71a62 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -55,12 +55,10 @@ spec:
           - mountPath: "/zeek/upload"
             name: zeek-live-zeek-volume
             subPath: "upload"
-          - mountPath: "/opt/zeek/share/zeek/site/intel"
-            name: zeek-live-zeek-intel-and-config
-            subPath: "zeek/intel"
           - mountPath: "/opt/zeek/share/zeek/site/custom"
-            name: zeek-live-zeek-intel-and-config
-            subPath: "zeek/custom"
+            name: zeek-live-custom-volume
+          - mountPath: "/opt/zeek/share/zeek/site/intel/configmap"
+            name: zeek-live-intel-volume
       initContainers:
       - name: zeek-live-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
@@ -72,10 +70,8 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX,zeek/custom;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
-          - name: zeek-live-zeek-intel-and-config
-            mountPath: "/data/config"
           - name: zeek-live-zeek-volume
             mountPath: "/data/zeek-logs"
       volumes:
@@ -85,6 +81,9 @@ spec:
         - name: zeek-live-zeek-volume
           persistentVolumeClaim:
             claimName: zeek-claim
-        - name: zeek-live-zeek-intel-and-config
-          persistentVolumeClaim:
-            claimName: config-claim
+        - name: zeek-live-custom-volume
+          configMap:
+            name: zeek-custom
+        - name: zeek-live-intel-volume
+          configMap:
+            name: zeek-intel
\ No newline at end of file
diff --git a/scripts/control.py b/scripts/control.py
index f74d9e914..c6b39d6c9 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -1015,6 +1015,7 @@ def start():
             ),
             BoundPath("zeek", "/zeek/extract_files", False, None, None),
             BoundPath("zeek", "/zeek/upload", False, None, None),
+            BoundPath("zeek", "/opt/zeek/share/zeek/site/custom", False, None, None),
             BoundPath("zeek", "/opt/zeek/share/zeek/site/intel", False, ["MISP", "STIX"], None),
             BoundPath("zeek-live", "/zeek/live", False, ["spool"], None),
             BoundPath("filebeat", "/zeek", False, ["processed", "current", "live", "extract_files", "upload"], None),
diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py
index 6945a50f9..d83c5e178 100644
--- a/scripts/malcolm_kubernetes.py
+++ b/scripts/malcolm_kubernetes.py
@@ -159,6 +159,18 @@
             'path': os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')),
         },
     ],
+    'zeek-custom': [
+        {
+            'secret': False,
+            'path': os.path.join(MalcolmPath, os.path.join('zeek', 'custom')),
+        },
+    ],
+    'zeek-intel': [
+        {
+            'secret': False,
+            'path': os.path.join(MalcolmPath, os.path.join('zeek', 'intel')),
+        },
+    ],
 }
 
 # the PersistentVolumes themselves aren't used directly,

From 7cc9e105a69cb32351cc5be3a5d1b2c958263646 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 11:56:35 -0700
Subject: [PATCH 79/82] fix issue loading zeek intel on startup

---
 shared/bin/zeek_intel_setup.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh
index 186b95538..eb2b12a6a 100755
--- a/shared/bin/zeek_intel_setup.sh
+++ b/shared/bin/zeek_intel_setup.sh
@@ -48,7 +48,8 @@ EOF
         THREAT_JSON_FILES=()
 
         # process subdirectories under INTEL_DIR
-        for DIR in $(find . -mindepth 1 -maxdepth 1 -type d 2>/dev/null); do
+        for DIR in $(find . -mindepth 1 -maxdepth 1 -type d 2>/dev/null | grep -v -P "$(echo "${CONFIG_MAP_DIR:-configmap;secretmap}" | sed 's/\(.*\)/^.\/(\1)$/' | tr ';' '|')"); do
+
             if [[ "${DIR}" == "./STIX" ]]; then
                 # this directory contains STIX JSON files we'll need to convert to zeek intel files then load
                 while IFS= read -r line; do
@@ -73,7 +74,7 @@ EOF
         done
 
         # process STIX and MISP inputs by converting them to Zeek intel format
-        if ( (( ${#THREAT_JSON_FILES[@]} )) || [[ -r ./STIX/.stix_input.txt ]] || [[ -r ./STIX/.misp_input.txt ]] ) && [[ -x "${THREAT_FEED_TO_ZEEK_SCRIPT}" ]]; then
+        if ( (( ${#THREAT_JSON_FILES[@]} )) || [[ -r ./STIX/.stix_input.txt ]] || [[ -r ./MISP/.misp_input.txt ]] ) && [[ -x "${THREAT_FEED_TO_ZEEK_SCRIPT}" ]]; then
             "${THREAT_FEED_TO_ZEEK_SCRIPT}" \
                 --since "${ZEEK_INTEL_FEED_SINCE}" \
                 --threads ${ZEEK_INTEL_REFRESH_THREADS} \

From acbe2d37fb30f6f4b3c12ebb7bd000cddc4c9ed2 Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 12:23:09 -0700
Subject: [PATCH 80/82] fix issue loading zeek intel on startup

---
 kubernetes/10-zeek.yml         | 16 ++++++++++++----
 kubernetes/21-zeek-live.yml    | 16 ++++++++++++----
 scripts/malcolm_kubernetes.py  |  2 +-
 shared/bin/zeek_intel_setup.sh |  7 +++++++
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index ab3b403f1..3e5c25046 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -65,8 +65,11 @@ spec:
             subPath: "upload"
           - mountPath: "/opt/zeek/share/zeek/site/custom"
             name: zeek-offline-custom-volume
-          - mountPath: "/opt/zeek/share/zeek/site/intel/configmap"
+          - mountPath: "/opt/zeek/share/zeek/site/intel-preseed"
+            name: zeek-offline-intel-preseed-volume
+          - mountPath: "/opt/zeek/share/zeek/site/intel"
             name: zeek-offline-intel-volume
+            subPath: "zeek/intel"
       initContainers:
       - name: zeek-offline-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
@@ -78,8 +81,10 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX;/data/pcap:processed;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
+          - name: zeek-offline-intel-volume
+            mountPath: "/data/config"
           - name: zeek-offline-pcap-volume
             mountPath: "/data/pcap"
           - name: zeek-offline-zeek-volume
@@ -97,6 +102,9 @@ spec:
         - name: zeek-offline-custom-volume
           configMap:
             name: zeek-custom
-        - name: zeek-offline-intel-volume
+        - name: zeek-offline-intel-preseed-volume
           configMap:
-            name: zeek-intel
+            name: zeek-intel-preseed
+        - name: zeek-offline-intel-volume
+          persistentVolumeClaim:
+            claimName: config-claim
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index f97e71a62..725a21b10 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -57,8 +57,11 @@ spec:
             subPath: "upload"
           - mountPath: "/opt/zeek/share/zeek/site/custom"
             name: zeek-live-custom-volume
-          - mountPath: "/opt/zeek/share/zeek/site/intel/configmap"
+          - mountPath: "/opt/zeek/share/zeek/site/intel-preseed"
+            name: zeek-live-intel-preseed-volume
+          - mountPath: "/opt/zeek/share/zeek/site/intel"
             name: zeek-live-intel-volume
+            subPath: "zeek/intel"
       initContainers:
       - name: zeek-live-dirinit-container
         image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
@@ -70,8 +73,10 @@ spec:
               name: process-env
         env:
           - name: PUSER_MKDIR
-            value: "/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
+            value: "/data/config:zeek/intel/MISP,zeek/intel/STIX;/data/zeek-logs:current,extract_files/preserved,extract_files/quarantine,live,processed,upload"
         volumeMounts:
+          - name: zeek-live-intel-volume
+            mountPath: "/data/config"
           - name: zeek-live-zeek-volume
             mountPath: "/data/zeek-logs"
       volumes:
@@ -84,6 +89,9 @@ spec:
         - name: zeek-live-custom-volume
           configMap:
             name: zeek-custom
-        - name: zeek-live-intel-volume
+        - name: zeek-live-intel-preseed-volume
           configMap:
-            name: zeek-intel
\ No newline at end of file
+            name: zeek-intel-preseed
+        - name: zeek-live-intel-volume
+          persistentVolumeClaim:
+            claimName: config-claim
diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py
index d83c5e178..4bb7bc47c 100644
--- a/scripts/malcolm_kubernetes.py
+++ b/scripts/malcolm_kubernetes.py
@@ -165,7 +165,7 @@
             'path': os.path.join(MalcolmPath, os.path.join('zeek', 'custom')),
         },
     ],
-    'zeek-intel': [
+    'zeek-intel-preseed': [
         {
             'secret': False,
             'path': os.path.join(MalcolmPath, os.path.join('zeek', 'intel')),
diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh
index eb2b12a6a..7a868d828 100755
--- a/shared/bin/zeek_intel_setup.sh
+++ b/shared/bin/zeek_intel_setup.sh
@@ -17,6 +17,7 @@ ZEEK_INTEL_ITEM_EXPIRATION=${ZEEK_INTEL_ITEM_EXPIRATION:-"-1min"}
 ZEEK_INTEL_FEED_SINCE=${ZEEK_INTEL_FEED_SINCE:-""}
 ZEEK_INTEL_REFRESH_THREADS=${ZEEK_INTEL_REFRESH_THREADS:-"2"}
 INTEL_DIR=${INTEL_DIR:-"${ZEEK_DIR}/share/zeek/site/intel"}
+INTEL_PRESEED_DIR=${INTEL_PRESEED_DIR:-"${ZEEK_DIR}/share/zeek/site/intel-preseed"}
 THREAT_FEED_TO_ZEEK_SCRIPT=${THREAT_FEED_TO_ZEEK_SCRIPT:-"${ZEEK_DIR}/bin/zeek_intel_from_threat_feed.py"}
 LOCK_DIR="${INTEL_DIR}/lock"
 
@@ -29,6 +30,12 @@ mkdir -p -- "$(dirname "$LOCK_DIR")"
 if mkdir -- "$LOCK_DIR" 2>/dev/null; then
     trap finish EXIT
 
+    # if we have a directory to seed the intel config for the first time, start from a blank slate with just its contents
+    if [[ -d "${INTEL_DIR}" ]] && [[ -d "${INTEL_PRESEED_DIR}" ]]; then
+        rsync -av --delete "${INTEL_PRESEED_DIR}"/ "${INTEL_DIR}"/
+        mkdir -p "${INTEL_DIR}"/MISP "${INTEL_DIR}"/STIX || true
+    fi
+
     # create directive to @load every subdirectory in /opt/zeek/share/zeek/site/intel
     if [[ -d "${INTEL_DIR}" ]] && (( $(find "${INTEL_DIR}" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | wc -l) > 0 )); then
         pushd "${INTEL_DIR}" >/dev/null 2>&1

From 39bdbd5474445d4fab9778c20b8acb12675b6bbc Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 13:49:53 -0700
Subject: [PATCH 81/82] fix issue loading zeek intel on startup

---
 shared/bin/zeek_intel_setup.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh
index 7a868d828..077dade07 100755
--- a/shared/bin/zeek_intel_setup.sh
+++ b/shared/bin/zeek_intel_setup.sh
@@ -32,7 +32,16 @@ if mkdir -- "$LOCK_DIR" 2>/dev/null; then
 
     # if we have a directory to seed the intel config for the first time, start from a blank slate with just its contents
     if [[ -d "${INTEL_DIR}" ]] && [[ -d "${INTEL_PRESEED_DIR}" ]]; then
-        rsync -av --delete "${INTEL_PRESEED_DIR}"/ "${INTEL_DIR}"/
+
+        EXCLUDES=()
+        EXCLUDES+=( --exclude='..*' )
+        EXCLUDES+=( --exclude='.dockerignore' )
+        EXCLUDES+=( --exclude='.gitignore' )
+        while read MAP_DIR; do
+            EXCLUDES+=( --exclude="${MAP_DIR}/" )
+        done < <(echo "${CONFIG_MAP_DIR:-configmap;secretmap}" | tr ';' '\n')
+
+        rsync --recursive --delete --delete-excluded "${EXCLUDES[@]}" "${INTEL_PRESEED_DIR}"/ "${INTEL_DIR}"/
         mkdir -p "${INTEL_DIR}"/MISP "${INTEL_DIR}"/STIX || true
     fi
 

From eca0c868974dc74ad8bf063648a3bea61889703d Mon Sep 17 00:00:00 2001
From: Seth Grover <mero.mero.guero@gmail.com>
Date: Mon, 4 Dec 2023 15:29:26 -0700
Subject: [PATCH 82/82] sha1sum update

---
 docs/download.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/download.md b/docs/download.md
index 632d3c035..1aca19bca 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 
 | ISO | SHA256 |
 |---|---|
-| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.1GiB) |  [`da22b4bfab2ca8cb2a3ea6266b6cea603a9ae119de83009f3d133f0f202b566f`](/iso/malcolm-23.12.0.iso.sha256.txt) |
+| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.1GiB) |  [`3e836d09cd79a4e3f54c6fc365b032385312ad885b8483a0df156b59175d4909`](/iso/malcolm-23.12.0.iso.sha256.txt) |
 
 ## Hedgehog Linux