From 769af9dfd02a347703c7ce9424729dee99d696c2 Mon Sep 17 00:00:00 2001 From: pcosic Date: Thu, 27 Aug 2020 16:56:26 +0200 Subject: [PATCH 01/13] ecs fix - more message pattern - Fixed some ECS issues - added anchors on grok patterns for performance - added messages: ------------------------- 434004 434002 713905 750002 750003 110002 419002 602304 602303 713120 713202 713901 713904 713906 713905 ------------------------- - with the messages pattern added also this commit add four new event action types in the script that mapped event actions to the event.kind/category/type - added set processor for adding outcome, action and protocol if necessary for the new messages --- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 144 ++++++++++++++++-- 1 file changed, 128 insertions(+), 16 deletions(-) diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 7671bb649b9..19ab6ece4f0 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -572,6 +572,87 @@ processors: separator: ",\\s+" ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'", + field: "message", + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '434004'", + field: "message", + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'", + field: "message", + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'", + field: "message", + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message", + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}" + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'", + field: "message", + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'", + field: "message", + pattern: "%{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'", + field: "message", + 
pattern: "IP = %{IP:source.address}, %{event.reason}. %{} packet." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'", + field: "message", + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - dissect: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message", + pattern: "%{event.reason}" + + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" + + + # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # 
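Review bot: The 713202 processor is a `dissect`, but its pattern uses grok syntax, `%{IP:source.address}`; dissect has no typed captures, so the key name is taken literally and `source.address` is not populated for this message. The address-to-IP grok later in the pipeline then has nothing to resolve, and the event carries no `source.ip` for correlation. Use `pattern: "IP = %{source.address}, %{event.reason}. %{} packet."`, or make this one processor a `grok`. The same line is carried unchanged into the reworked hunk of PATCH 02. The test log added in PATCH 05 also contains a 713903 line, which none of the ID lists here include; that is worth confirming against the intended message set.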
@@ -583,8 +664,8 @@ processors: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' patterns: - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA} - - Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}$ + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}$ pattern_definitions: 
NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" @@ -1153,7 +1234,9 @@ processors: - lowercase: field: "network.direction" ignore_failure: true - + - lowercase: + field: "network.type" + ignore_failure: true # # Populate network.iana_number from network.transport. Also does reverse # mapping in case network.transport contains the iana_number. @@ -1211,19 +1294,19 @@ processors: - set: field: "event.outcome" if: 'ctx.event?.outcome == "est-allowed"' - value: allow + value: success - set: field: "event.outcome" if: 'ctx.event?.outcome == "permitted"' - value: allow + value: success - set: field: "event.outcome" if: 'ctx.event?.outcome == "denied"' - value: deny + value: failure - set: field: "event.outcome" if: 'ctx.event?.outcome == "dropped"' - value: deny + value: failure - set: field: "network.transport" @@ -1285,22 +1368,22 @@ processors: - grok: field: source.address patterns: - - "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})" + - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" ignore_failure: true - grok: field: destination.address patterns: - - "(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})" + - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" ignore_failure: true - grok: field: client.address patterns: - - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" + - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" ignore_failure: true - grok: field: server.address patterns: - - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" + - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" ignore_failure: true # 
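Review bot: The four `set` processors in the `@@ -1211` hunk are exact, case-sensitive matches on `est-allowed`, `permitted`, `denied` and `dropped`, and the hunk shows no fallback, so any other verb a grok or dissect captured into `event.outcome` is indexed as-is next to the ECS values. Rules and dashboards that filter on `event.outcome: failure` would silently miss those events. Consider a final `set` to `unknown` guarded by `if: 'ctx.event?.outcome != null && !["success", "failure", "unknown"].contains(ctx.event.outcome)'`, after copying the raw verb to a vendor field if it needs to be kept. The processor list continues outside the hunk, so such a fallback may already exist further down.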
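Review bot: With the new `^…$` anchors in the `@@ -1285` hunk, a value that is not a clean IP no longer yields a partial `*.ip` match and instead falls through to `%{GREEDYDATA:…domain}`, which accepts any string. The expected output updated in PATCH 05 shows the effect: `10.10.10.10(type` is now stored as `destination.domain`. Restricting the second alternative, e.g. `- "^(?:%{IP:source.ip}|%{HOSTNAME:source.domain})$"`, keeps malformed or mis-dissected values out of the domain fields; `ignore_failure: true` is already set, so a non-match leaves only `source.address`. The same applies to the destination, client and server groks here and to the two NAT groks in the `@@ -1357` hunk.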
@@ -1357,12 +1440,12 @@ processors: - grok: field: _temp_.natsrcip patterns: - - "(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})" + - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" ignore_failure: true - grok: field: _temp_.natdstip patterns: - - "(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})" + - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" ignore_failure: true # # NAT fields @@ -1483,6 +1566,35 @@ processors: - malware type: - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user source: >- if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { return; @@ -1495,14 +1607,14 @@ processors: return; } if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { - if (ctx.event.outcome == 'allow') { + if (ctx.event.outcome == 'success') { ctx.event.type.add('allowed'); } - if (ctx.event.outcome == 'deny') { + if (ctx.event.outcome == 'failure') { ctx.event.type.add('denied'); } if (ctx.event.outcome == 'block') { - ctx.event.type.add('denied'); + ctx.event.type.add('failure'); } } From 8e0491eda5410cba4296bab570f4bbf3b323e118 Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Mon, 31 Aug 2020 16:55:57 +0200 Subject: [PATCH 02/13] Update asa-ftd-pipeline.yml --- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 148 +++++++----------- 1 file changed, 56 insertions(+), 92 deletions(-) 
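Review bot: The new params key `creation` in the `@@ -1483` hunk does not match what the 602303 dissect captures: the pattern ends in `has been %{event.action}` and the test line added in PATCH 05 reads `has been created.`, so `event.action` is `created` (or `created.` until PATCH 04 adds the trailing period). `params.containsKey(ctx.event.action)` is then false and the script returns before setting `event.kind`, `event.category` and `event.type`, leaving SA-creation events uncategorised. Rename the key to `created:` so it parallels `deleted:`. The params map starts outside the hunk, so whether `drop` (captured for 434002) has an entry cannot be checked from here.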
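Review bot: In the `@@ -1495` hunk the `block` branch now calls `ctx.event.type.add('failure')`, which looks like the allow/deny rename applied one line too far: `failure` is an `event.outcome` value, not an ECS `event.type`. Blocked events lose the `denied` type they had before, so queries on `event.type: denied` stop returning them. Keep `ctx.event.type.add('denied');` in that branch. Whether any processor still produces the `block` outcome is not visible from this hunk.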
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 19ab6ece4f0..3fdda3cc558 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -24,7 +24,6 @@ processors: # exactly match the syntax for firepower management logs PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" - # # Parse FTD/ASA style message # @@ -39,7 +38,6 @@ processors: FTD_SUFFIX: "[^0-9-]+" # Before version 6.3, FTD used ASA prefix in syslog messages FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" - # # Create missing fields when no %FTD label is present # @@ -48,7 +46,6 @@ processors: field: _temp_.cisco.message_id value: "" if: "ctx?._temp_?.cisco?.message_id == null" - # # set default event.severity to 7 (debug): # @@ -60,13 +57,11 @@ processors: field: event.severity value: 7 if: "ctx?.event?.severity == null" - # # Drop messages above configured log_level # - drop: if: "ctx.event.severity > {< .log_level >}" - # # Parse the date included in FTD logs # @@ -135,7 +130,6 @@ processors: }, }, ] - # # Set log.level # @@ -171,7 +165,6 @@ processors: field: "log.level" if: "ctx.event.severity == 7" value: debug - # # Firewall messages # 
@@ -571,88 +564,86 @@ processors: field: "_temp_.cisco.dap_records" separator: ",\\s+" ignore_missing: true - - dissect: - if: "ctx._temp_.cisco.message_id == '434002'", - field: "message", - pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: - if: "ctx._temp_.cisco.message_id == '434004'", - field: "message", - pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + if: "ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" - dissect: - if: "ctx._temp_.cisco.message_id == '110002'", - field: "message", - pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '419002'", - field: "message", - 
pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" - dissect: if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' - field: "message", - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}" - - dissect: - if: "ctx._temp_.cisco.message_id == '750002'", - field: "message", - pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" - - dissect: - if: "ctx._temp_.cisco.message_id == '713120'", - field: "message", - pattern: "%{event.reason} (msgid=%{event.id})" - - dissect: - if: "ctx._temp_.cisco.message_id == '713202'", - field: "message", - pattern: "IP = %{IP:source.address}, %{event.reason}. %{} packet." 
- - dissect: - if: "ctx._temp_.cisco.message_id == '750003'", - field: "message", - pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" - - dissect: + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}" + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "%{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{IP:source.address}, %{event.reason}. %{} packet." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - dissect: if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "message", - pattern: "%{event.reason}" - + field: "message" + pattern: "%{event.reason}" # Handle ecs action outcome protocol - - set: + - set: if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' field: "event.outcome" value: "unknown" - - set: + - set: if: '["419002"].contains(ctx._temp_.cisco.message_id)' field: "network.protocol" - value: "tcp" - - set: + value: "tcp" + - set: if: '["110002"].contains(ctx._temp_.cisco.message_id)' field: "event.outcome" - value: "failure" - - set: + value: "failure" + - set: if: '["713120"].contains(ctx._temp_.cisco.message_id)' field: "event.outcome" value: "success" - - set: + - set: if: '["602303", 
"602304"].contains(ctx._temp_.cisco.message_id)' field: "event.outcome" - value: "success" - - set: + value: "success" + - set: if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' field: "event.outcome" - value: "failure" - - set: + value: "failure" + - set: if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' field: "event.action" - value: "connection-started" - - set: + value: "connection-started" + - set: if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' field: "event.action" - value: "error" - - append: + value: "error" + - append: if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' field: "event.type" - value: "error" - - - + value: "error" + + + # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # @@ -671,7 +662,6 @@ processors: ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - # # Decode FTD's Security Event Syslog Messages # @@ -688,7 +678,6 @@ processors: trim_key: " " trim_value: " " ignore_failure: true - # # Remove message. # @@ -699,7 +688,6 @@ processors: field: - message ignore_missing: true - # # Populate ECS fields from Security Events # @@ -1083,7 +1071,6 @@ processors: #******************************************************************************* # End of generated code. #******************************************************************************* - # # Normalize ECS field values # @@ -1098,7 +1085,6 @@ processors: "430003": connection-finished "430004": file-detected "430005": malware-detected - "dns.question.type": map: "a host address": A 
@@ -1110,14 +1096,12 @@ processors: "marks the start of a zone of authority": SOA "mail exchange": MX "server selection": SRV - "dns.response_code": map: "non-existent domain": NXDOMAIN "server failure": SERVFAIL "query refused": REFUSED "no error": NOERROR - source: | def getField(Map src, String[] path) { for (int i=0; i}" ignore_failure: true - # # Remove temporary fields # - remove: field: _temp_ ignore_missing: true - # # Rename some 7.x fields # @@ -1516,7 +1483,6 @@ processors: field: cisco.{< .internal_prefix >}.list_id target_field: cisco.{< .internal_prefix >}.rule_name ignore_missing: true - # ECS categorization - script: lang: painless @@ -1586,7 +1552,7 @@ processors: type: - info - deletion - - user + - user creation: kind: event category: @@ -1594,7 +1560,7 @@ processors: type: - info - creation - - user + - user source: >- if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { return; @@ -1602,7 +1568,6 @@ processors: ctx.event.kind = params.get(ctx.event.action).get('kind'); ctx.event.category = params.get(ctx.event.action).get('category').clone(); ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { return; } @@ -1617,7 +1582,6 @@ processors: ctx.event.type.add('failure'); } } - # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. - set: field: observer.hostname From b13af6ee39bab1057a20acdbb25ce00101b95948 Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Wed, 2 Sep 2020 20:56:18 +0200 Subject: [PATCH 03/13] Update asa-ftd-pipeline.yml fix parsing error and add enhancements --- .../module/cisco/shared/ingest/asa-ftd-pipeline.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 3fdda3cc558..c7a335c2dd6 100644 
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -215,7 +215,7 @@ processors: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" field: "message" @@ -527,11 +527,11 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '710003'" field: "message" - pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '710005'" field: "message" - pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '713049'" field: "message" 
@@ -626,7 +626,7 @@ processors: field: "event.outcome" value: "success" - set: - if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' field: "event.outcome" value: "failure" - set: @@ -1281,6 +1281,10 @@ processors: field: "event.outcome" if: 'ctx.event?.outcome == "denied"' value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "deny"' + value: failure - set: field: "event.outcome" if: 'ctx.event?.outcome == "dropped"' @@ -1541,6 +1545,7 @@ processors: - change error: kind: event + outcome: failure category: - network type: From eafaae2aeafae4ac359cf7449a63a96dfba9a193 Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Wed, 2 Sep 2020 20:59:09 +0200 Subject: [PATCH 04/13] Update asa-ftd-pipeline.yml fix 602303 --- x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index c7a335c2dd6..18ce8345a5a 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -583,7 +583,7 @@ processors: - dissect: if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." - dissect: if: "ctx._temp_.cisco.message_id == '750002'" field: "message" 
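Review bot: The `outcome: failure` key added to the `error` entry in the `@@ -1541` hunk is never read: the script shown in this series copies only `kind`, `category` and `type` from `params.get(ctx.event.action)`. For the 713xxx IDs the failure outcome comes from the earlier `set` processor, but 750003 is mapped to `error` without being in that list, so it gets no `event.outcome` and the script returns at the `ctx?.event?.outcome == null` check. Either drop the key and add 750003 to the failure list, or read it in the script before that check, e.g. `if (params.get(ctx.event.action).containsKey('outcome')) { ctx.event.outcome = params.get(ctx.event.action).get('outcome'); }`. The script body lies outside this hunk.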
From 40814cc6aaba8f58d425487ecb8fed28c85475c1 Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Tue, 8 Sep 2020 14:30:56 +0200 Subject: [PATCH 05/13] testing for PR and some minor fixes --- .../module/cisco/asa/_meta/fields.yml | 5 + .../cisco/asa/test/additional_messages.log | 15 + .../additional_messages.log-expected.json | 675 +++++++++++++++++- .../cisco/asa/test/asa-fix.log-expected.json | 20 +- .../cisco/asa/test/asa.log-expected.json | 26 +- .../cisco/asa/test/filtered.log-expected.json | 2 +- .../cisco/asa/test/not-ip.log-expected.json | 4 +- .../cisco/asa/test/sample.log-expected.json | 112 +-- x-pack/filebeat/module/cisco/fields.go | 2 +- .../cisco/ftd/test/asa-fix.log-expected.json | 8 +- .../cisco/ftd/test/asa.log-expected.json | 26 +- .../cisco/ftd/test/dns.log-expected.json | 42 +- .../cisco/ftd/test/not-ip.log-expected.json | 4 +- .../cisco/ftd/test/sample.log-expected.json | 112 +-- .../security-connection.log-expected.json | 20 +- .../security-malware-site.log-expected.json | 2 +- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 15 +- 17 files changed, 867 insertions(+), 223 deletions(-) diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index b3bb3b5eb1d..d8c85432900 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -1,3 +1,8 @@ +- name: event.reason + type: text + description: > + Reason why this event happened, according to the source. + - name: cisco.asa type: group description: > diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log index f9ba86b8d0c..38d481c8fb1 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log 
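Review bot: `event.reason` is declared in the `fields.yml` hunk as `type: text`, which is analysed and cannot be used for exact-match filters or aggregations; current ECS defines this field as `keyword`. The pipeline fills it from short fixed phrases such as `Duplicate first packet detected`, which are what a detection rule would match exactly or group by. Use `type: keyword` instead. Declaring an `event.*` field inside the cisco module's own `fields.yml` may also conflict with the shared ECS definition once that includes it, which is worth confirming.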
@@ -67,3 +67,18 @@ Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.1 Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested. Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23 +Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally +Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514 +Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412 +Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number +Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created. +Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted. 
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request +Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database +Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88) +Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet. +Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable! diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 8d8b28fe30f..53a0a195654 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -398,10 +398,12 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "event.outcome": "failure", "event.severity": 7, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "host.hostname": "dev01", 
@@ -930,7 +932,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1023,7 +1025,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1245,7 +1247,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1292,7 +1294,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1338,7 +1340,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -1386,18 +1388,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "host.hostname": "dev01", "input.type": "log", "log.level": "informational", "log.offset": 4053, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "out111", "observer.hostname": "dev01", "observer.product": "asa", @@ -1431,18 +1435,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "host.hostname": "dev01", "input.type": "log", "log.level": "informational", "log.offset": 4197, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "out111", "observer.hostname": "dev01", "observer.product": "asa", 
@@ -1476,18 +1482,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4337,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "fw111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1651,7 +1659,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1701,7 +1709,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1811,10 +1819,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985",
+ "event.outcome": "failure",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -1908,7 +1918,7 @@
 "cisco.asa.message_id": "106014",
 "cisco.asa.source_interface": "fw111",
 "destination.address": "10.10.10.10(type",
- "destination.ip": "10.10.10.10",
+ "destination.domain": "10.10.10.10(type",
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1918,7 +1928,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1940,7 +1950,6 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.10.10.10",
 "10.10.10.10"
 ],
 "service.type": "cisco",
@@ -2005,7 +2014,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2098,7 +2107,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2140,7 +2149,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2182,7 +2191,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
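Review bot: The new expectation for message 106014 drops `"destination.ip": "10.10.10.10"` and records `"destination.domain": "10.10.10.10(type"` instead, so the unsplit token from `dst fw111:10.10.10.10(type 8, code 0)` is now stored as if it were a hostname. The later hunk on this line that removes one `related.ip` entry follows from the same loss. Denied-ICMP events of this type would then be missed by searches and detection rules keyed on `destination.ip`. The parsing for this message (outside this hunk) should end the destination address at `(`, so that the fixture can keep `"destination.ip": "10.10.10.10",` alongside `"destination.address": "10.10.10.10",`.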
@@ -2224,7 +2233,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2339,7 +2348,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2398,7 +2407,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2445,7 +2454,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "allowed"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -2550,7 +2560,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2634,7 +2644,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2911,10 +2921,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -2949,5 +2961,604 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "destinationInterfaceName", + "cisco.asa.message_id": "434004", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 123123, + "event.action": "bypass", + "event.category": [ + "network" + ], + "event.code": 434004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "event.outcome": "unknown", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 9924, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "destinationInterfaceName", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 8888, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "destinationInterfaceName", + "cisco.asa.message_id": "434002", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": 
"192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 514514, + "event.action": "drop", + "event.code": 434002, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", + "event.outcome": "unknown", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 10142, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "destinationInterfaceName", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.138", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.138", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.138", + "source.port": 8888, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "110002", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 123412, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 110002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", + "event.outcome": "failure", + "event.reason": "Failed to 
locate egress interface", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 10309, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "destinationInterfaceName", + "cisco.asa.message_id": "419002", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 514514, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 419002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "event.reason": "Duplicate TCP SYN with different initial sequence number", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 10460, + "network.protocol": "tcp", + 
"observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "destinationInterfaceName", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "750002", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 7777, + "event.action": "connection-started", + "event.category": [ + "network" + ], + "event.code": 750002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "event.reason": "Received a IKE_INIT_SA request", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "start" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 10975, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, + { + "cisco.asa.message_id": "750003", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 7777, + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 750003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "event.reason": "Negotiation aborted due to Failed to locate an item in the database", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 11113, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, + { + "cisco.asa.message_id": "713120", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + 
"event.code": 713120, + "event.dataset": "cisco.asa", + "event.id": "bbe383e88", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "event.outcome": "success", + "event.reason": "PHASE 2 COMPLETED", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 11295, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.128.1.1" + ], + "service.type": "cisco", + "source.address": "192.128.1.1", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.128.1.1", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713202", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713202, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. 
Ignoring packet.", + "event.reason": "Duplicate first packet detected", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 11415, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.64.157.61" + ], + "service.type": "cisco", + "source.address": "192.64.157.61", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.64.157.61", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713905", + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 713905, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.outcome": "failure", + "event.reason": "All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "error", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11528, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.128.1.1" + ], + "service.type": "cisco", + "source.address": "192.128.1.1", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.128.1.1", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713904", + "event.action": "error", + "event.category": [ + "network" + ], + 
"event.code": 713904, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713904: All IPSec SA proposals found unacceptable!", + "event.outcome": "failure", + "event.reason": "All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "error", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11655, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713903", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713903, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11741, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713902", + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 713902, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", + "event.outcome": "failure", + "event.reason": "All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "error", + "denied" + ], + "fileset.name": "asa", + "host.hostname": 
"dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11845, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713901", + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 713901, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.outcome": "failure", + "event.reason": "All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "error", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11954, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.128.1.1" + ], + "service.type": "cisco", + "source.address": "192.128.1.1", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.128.1.1", + "tags": [ + "cisco-asa", + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 90ec4ed3a8f..fb23ddc44c3 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json 
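Review bot: The added 434002 entry (`SFR requested to drop TCP packet ...`) carries `"event.action": "drop"` but no `event.kind`, `event.category` or `event.type`, unlike the 434004 entry just before it, which suggests the action-to-ECS mapping has no case for `drop`. The 713903 entry is likewise left at `"event.action": "firewall-rule"` with no `event.reason`, `event.outcome` or `source.ip`, although its text matches 713901 and 713905, which are parsed as `error` / `failure`. Recording these as expected output means SFR-requested drops and one IPSec proposal failure stay invisible to queries that filter on `event.type` or `event.outcome`. I would add a mapping for `drop` (presumably ending in `"event.type": ["info", "denied"]`, to be confirmed against the script) and cover 713903 with the same pattern as its neighbours before regenerating this file. Separately, the new entries put `sourceInterfaceName` in `observer.egress.interface.name` and `destinationInterfaceName` in `observer.ingress.interface.name`, which looks inverted and is worth confirming.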
@@ -69,7 +69,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -118,7 +118,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -167,7 +167,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -213,7 +213,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -255,7 +255,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -306,7 +306,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -354,7 +354,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -402,7 +402,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -451,7 +451,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -509,7 +509,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index 18ea450c55f..b4dac9620f6 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -4492,7 +4492,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4546,7 +4546,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4600,7 +4600,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4654,7 +4654,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4708,7 +4708,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4762,7 +4762,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4816,7 +4816,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4870,7 +4870,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4924,7 +4924,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4978,7 +4978,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5032,7 +5032,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5086,7 +5086,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5140,7 +5140,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
index e0c78694ae9..16b8790bfd3 100644
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
@@ -47,7 +47,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
index 74097780ab2..5fe3d6d6d9b 100644
--- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -17,7 +17,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -119,7 +119,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index d27f89ab5b9..6a35f6ecb56 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -17,7 +17,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -67,7 +67,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -118,7 +118,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -168,7 +168,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -220,7 +220,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -305,7 +305,7 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743274", "cisco.asa.destination_interface": "outside", - "cisco.asa.mapped_destination_ip": "10.123.3.42", + "cisco.asa.mapped_destination_host": "10.123.3.42.130", "cisco.asa.mapped_destination_port": 12834, "cisco.asa.mapped_source_ip": "192.0.2.43", "cisco.asa.mapped_source_port": 443, @@ -829,7 +829,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
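Review bot: In the `@@ -305,7 +305,7 @@` hunk the new expectation `"cisco.asa.mapped_destination_host": "10.123.3.42.130"` stores a five-octet string as a host name, where the old expectation kept a truncated `10.123.3.42` in `cisco.asa.mapped_destination_ip`. The raw log line is outside this hunk, so the longer value is presumably what the sample really contains. Dropping the truncation looks right, but the event no longer has a `cisco.asa.mapped_destination_ip` and nothing marks the address as malformed, so a query or enrichment keyed on the IP field skips it without notice. If this fixture is meant to cover the non-IP fallback, I would state that in the commit description, for example `mapped addresses that do not parse as an IP are stored in cisco.asa.mapped_destination_host instead of being truncated`. It may also help to tag such events so analysts can find them.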
@@ -879,7 +879,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -929,7 +929,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -979,7 +979,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1029,7 +1029,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1079,7 +1079,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1129,7 +1129,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1179,7 +1179,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1229,7 +1229,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1279,7 +1279,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1329,7 +1329,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1377,7 +1377,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1424,7 +1424,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1474,7 +1474,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1524,7 +1524,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1574,7 +1574,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1624,7 +1624,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1674,7 +1674,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1724,7 +1724,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1774,7 +1774,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1824,7 +1824,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1874,7 +1874,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1925,7 +1925,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2029,7 +2029,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2080,7 +2080,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -2397,18 +2397,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7459, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.product": "asa", "observer.type": "firewall", @@ -2443,18 +2445,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7601, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.product": "asa", "observer.type": "firewall", @@ -2491,7 +2495,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2754,7 +2758,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -2799,7 +2803,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2844,7 +2848,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2889,7 +2893,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2934,7 +2938,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2979,7 +2983,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3024,7 +3028,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -3069,7 +3073,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3117,7 +3121,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3166,7 +3170,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 3, "event.timezone": "-02:00", "event.type": [ @@ -3213,7 +3217,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3266,7 +3270,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -3381,7 +3385,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3428,7 +3432,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3470,7 +3474,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3513,7 +3517,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 79f0ee61a35..85bb61cd0ec 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsvW1zIzeSJ/5+PgX+jvifux0y224/7I1vdi+0knqsm37QtrrbexcTUQFWJUlYKKAaQJGiP/0FEqhisQpFShRAqffsFw5bJBM/JIBEZiIfviU3sP6F5Ezn8i+EGGY4/ELO/P8WoHPFKsOk+IX8218IIeSNLGoOZCYVWVBRcCbm7utEgFlJdUMKWLIcCJdzPfkLITMGvNC//AV/bf/5lghagh9zQjVtPyHErCv4hcyVrKvOXwMwmn9eIXWE41CcXp+SV0zBinI+6Xy1gbH5S4OjBK3pHDJWbFF2UG5gvZJq+5MdcAj5sIAOEk+bsAKEYTMGaoMpAEXXsxm7vSMMuKVlZVdLg9ZMirtjfId/p9yPR+jMgCL/vwV8V6CyVjlkTBhQM5pDDM5dI03S0sRFNQsgMy5XRCoCSxBmJ6wCtGGCWvpxsZ1vCD8IoKo5ZPY/Y4B6S0sgcoYQTvMctCZnUhglOXnNtMHBiFlQQ0pq8gUUxCyYvgNKv7q1BpUCq6XrcDGNf3DjeXbeCWF3oY8GszPofbCWtKqgyJojUwVw9v64V8AYRYXm1EDR8O7yitCiUKD1PbAspDZ35tqM1txkKEZ/ITPKNTwUsx3+HmgrqUJouRTzhyKxpO+CZEu+RF7I7u6632p2UT3WknbR33Vdu7hTLG4X094VNgsF1GQclsDj6AGWHkF6KC1KyldUAXlBptIIMBbpbMbyCXknUOYsQa2/5XJ1Quy/euRKWYCiBk7Igs0X9rLBr9v/ucu0cmpgLtU6xszOPK32+huf2St7KTZqypKpWp/47/TnZ5T8nYoTAibfOZ9cCgG5O4BR9LWPgn2uuwoaTovinb4TCcvLKrODBlDoRX8778RwefbmCn+5f8BcFrEGtKTuyuuReaYRK5+u3nbGJltjh3QBWmUKcqkKfT8gD9DwqdZsLqAg56dXpD94kJVlSUWRcSYgo2pelyDM8eD64YkdnrTDWxNtDgWZrvEYc5lTTmhdMGM/2TWdZvr9S/COc7jvLbm5DjeMN5JQt1M4A2GIrlEDntWcr9vdI3bOolJsyTjMYSL5PffwgWvx2wIEoahZ6s3wVr/MF1TMGw3d65uSF2RJeb1z928mIWD1BCchYLV/EtNaaTOR098h70uxdIdCgVMT3LAo9hEHWVElmJjvPNAOMTvOtumitUoAuTw/CG5eKwXCZJbG8WSPG9SDRfgaQNwBrRQzNq8VFI8DeDN+B/t+2HQ5fxy8dAmKzuFBjH408B1mB+ZBOZcrKO6yw8uaU8OWkOWyFscTJkYaygmOaXX5DvYFM5poJnJwQt1JmxXVJLequRVAiuQcqOpMcNtHOjNdNA/3kb5iCiq5AtVYKecwA6HhiThOX304/7Icpxbwn47TPx2nfzpOv2jHKfmogVycXfuPJoKaCav+9Kce6E8NsfMJO1pbuJ3P77EF/nTC7se0vS36fP7TRfuni/ZPF+3WgHtdtBryWjET2jRBb8pmwN5w7+nKa/rI3GtPl1zYW3r3K9QX7iZOCXGnm3jbxmNSR7XxLt9dtyE4zT/jphxFLTjj7B4X1x21QXvFOh3bUt+5k2Y0Zzy8m3facdcXZ/dbl2YgYiRZLVi+cELS25wKZqA0eTbbiMYTcv32zdUJuf7f1yeECqvo9MjOpDKL5xNyuiGeU0GmQChZUFWg+HWhUSeEkkpJI3PJTwiKstJFVclZX+ZaJX+tDZREy5mxRCbk0pAChDSwZQR4SZ/TWre8dz/t31NumpPBRvQBXJPWTpv0rAO5BLVSzNhLS9Uw2K/DRdpzhHYsVHcLNZFlGwNytQDl/Cn+IiMLqskUQBA51aCWU
Aznp7ZCzfZNZnj4dk5l/GwhakG3VZbx0cfGDw3R0eb0vLfMu0bYdap6q/LB2mo3sLa2XK3dw0tOK1N7/iu6ag8O2ny5LEHbSUv7eY80Ia/lnJyDvdhUeCKOFuuDOnQ6DV00N622m0cm7AEn5r5nuTvxuRQGH/DkjDChDRWmgaGDGA0rDwFY9D3BIXTexrdDEGq8OKWNb825Pyl5C+Y3ZoS9BvzqTwZbo52sXsiaF0TAEpSVoM2+q6jSQN6AoRYaJTMly85Qz17LuX5xRfMbMPr5gPw5U5Abvj5p36coeQ9OWLgdLjowJ0FGDm2Pu3FyYEL1OHkOlYIcDSaLpIAZs2qDFBxhGTrlVomvwqhKPe+r2nF3oF/jN/6cX55/7970vJenUczdt+CW5viC7NZLDRYCZ8dQaXO7Bb9nl6OiyrC85lTh7/3CTkZ3xoD0QTsltDMGlMd3yuiSLI+7Ji//XJPda2JHTbMgDzu+cvp7hhPpL8uTQbekhwi95NAUON33KWKzbEt1/h+GTBtqoITe4+gTAYfhR1nOae8MPxF4IEzPQ/dEgC0GXqcnAoyJw4Cl1ZgayfF0d1oB9BDpkZZtM3AvBrFsqBG9JmRndr7YuAUsmoEeMlASHmZF9PSQAfU9VsQ4FwcPr0fhouh4VYLsc+waTDMS+0iAg/dmX34MtboevDk08/d/Wm8btWdS5PZyoEY+dct2RNwsWVpx2OXumR2GzVhOu+f5tZy794YmoqUWBSh0loIXVIOpz9gtFEQDRl1t/Xh7DD1usDSLMKD9YIOlXYQB6XstytATGN+/dNjGHMzrHjy5Hw8GT+pJ9uWvUpuuiOT9HalBFEzMmw91aNt0fEhfDn/ZIRts8KNRxl5eLX9sY/jHjnufuYPZG/mlMnf5c2r2/vz/LnsHr85JZENfLjhHWtdbVhBK5mwJonWSfbmKgGXRYf6LtBZI8RSVvy/jRWPUoSGrdabgc4K17j4e4gLjvH2+2YUbmlzhQTrx3mxDyYd1BSSnQwkyBQLMLECRj5fCfP8zkYq84pKaH16SKdW4i5oHMswmQNVvz7wPUXe/4HnjM2g64zOCfyEYCHcU67gZ+Yt3MEi1omqQnRlN6+hItM60u5y8vPq0pe9RzF/rLylpYlvcJephY7g9uJ2qHfMwcUaxOcPcC/ebbW1lDx9S6V87AiMurz79HGBBOCaHRGBBi2jI5Ri3z2ajDhXHQ2+fBdAC1FHern/Focjl+UNeSR3e7mMpkjnsrfRJO9l4niX3s9FG0brcKFp4UKzpciY5h9xI9SUKYMu9R4i5sXuOaZI71kFhkW4pqq9lX20hOxj9BC2+Mp8+FVW1lBqD3UopyHQ9WDRCFHyuQWMSlGZlxdd+neyXMVAXaL4gmhVAnn1HzELV5OVPPz3H1FANINpRdnDiSSivd+CErqTQkI4V+RezK1yKcONTqMupE3r2KOsgBfKMTuUSOsxgIhhZ2Yg3bRTQcvT85F/MtnlkVkHB6r6eFoNRX4U0x9axwGaEmX/WL7/7/q/aifQXFQrQBvQ/B7P5p7UHX9M1KPKSXIicVhqT4KVAk/Jecj1E/YGPH4HYytAoP7wk/2qne0J++IH8K8mlwpIXuExu0BPy37j5H/aLTJNtpnwVXEIhi0DS8BOxdcUKspxyPqX5TVoN2IFrEgaocXaFZSKIopJMmKa6SBAobo4MlJKJ4tM2+qCuIGeUI2JEqo1UVrMWa6d12A+WlLPCbYwQKEJmshaFvWE4IHgm5l452hu8uH0iBpRjvAX647Dj2WhkFdZc0uKp3HMeDtHsDyAlGMXygNXhTeHul9EWdtd9I4TttU/NRqOVs2bZJuRXubJLM7Q5mSBSWWPMSHIDUO1h2pO48b4QpimJyWBLVmRFqlfXi0byzEFg1qzGtKra2dHeLlwyZWrKrdG+5XsXARcHK5k1u/GtHJnhZuGP+uU5UVZaa3SoINOomoNpv7aXE1olCnp6dE40Ofu7OKGSPAUNB
f/leeN7fQ+lNECu/X5vauVM12OCkmC1EfcQ8wU8vPiRMl1xljKy4Umb85oN1P4noZtZmZtwv+Ops3dAk6bpd11jtfgr5L/GC6MTLzPGH+GN3o5qjaOrs9Mrr/v6pFxWVlL1NV6CV+QXFwZRPw33hy/TgIb4sPgaca7UbVO+3vxkY7A7PQct8wl5+dPPZIV8L4EKQjkP+wrQqY9q0sZ/RFagXA08gmU+qDZEil66yDYTH11N/LKZGDirKZ5tPe9+k6pAxmFUE+QLIbmcr/sPcTOmBlosIT+RfEEVzY1joj3Ua8SPTnNBauFjeviWz3w0ozZ2Qrd7qE/5iLDj7RItitIqmVI0zwiKrkZlGkrWnlpJc9RY3RuF8D4HmedY4xEpakNFQVVBhFQl5eyPUHyvVGWQP4WPcjiYRbKeDq6kezFpg7oF84KzGeCMAwa+hlyKYkTB3ix3pk1KP8uOCTGRy7LiYIIbYNSJSlGBN4r1xGAn30yZR9rI13bs4HYe28rbO3N0+5VSmEWkZdrkp8aKedlEORWPxPgLUaRguyX5hxSpqy3sEIt29EbFdOG1H/ocHoioZCf6lBi4Nf7wkSUo3UmnKHbFgQXW96GbbQ001jQ3aXq5VAUU6e5BH2TjryndjtjoGE2kTfvF7vv68LZSspwg1RqT8nUOgiomnVpf1tywbw0DRWhV8Sb7ZVPLpqSCzkOpuYRwfN7ZKuvTFJQizHytiVwJ9zJmaFn1PYMeMdbfVHIYfMSMJvmCWetGFqAn5E2tDZpJXaL2VFIzEpdLDRy4SDsF2GxmcS/hGJoQLnIzoOMdloICkbsNQa1qXbAlK6xmg/shLMiuG0H2oce88CRvK6aONsPNerq3oFu7E5nh66bulZGor1lQrjjjTt9oxEUfdeGcWGncyrPJYMg2nEzWsSVQOVDkHkqx5X/so4Ia5Oca6qNtJbu73S7ayMcV1QRBFCP7BsF9H5upEZWCLYYmkGnz0iS4fedlCqxVlgBqlaXQnquYomib6MvoVBPoSp1b5HFMyJ75GLxjBtflve6cQ8XmPrl2yGPB5oLoVUOI7Qii+UCJj6FY65qnfnYasaJkbXJZwguHoTVeMCp7UACT2H3hWLBlQI5sEFjCoBzu0SbWjO6TADsvO7tcPmmTFwe1A90t3Wa6WGr47lRBzmZsY/iEtVtfyn1kT3ldOX00U2ABWhcjKzYJE42LqvCPLEHc3mw+1iJ82rbSu5agVOTdtQ+NZboJCOj71YivC9troEC2siR1JTWLKDjutLfQnBaFqzCFofzN2R2twlNzMyyY/ViiSNQlKJbfVxYF53aELLYdE+tmsrUnw4kld74HU1uCKKTyAbM7Zyanvz9C9ZrmaTdQ1rwLLH0u+IDdVoLuBuYkfcpadV8ND6TP+vdixnu5FrSNLRbSEIptIizIcAAtl/OsCVR5FKHebMR7C/Vj1EzZkn1/x3ArrFq93e6wi6qSnOXr1Kdnh1y4QgC+uLbg6xG5HGy2lJiB72sOCCwsTqUwcJtaY20BXQrnr9vUQ6VFoe2/8FLFVm8IKFQAZs/l7LpkZv12nQlkwdjDZdOSs60VQo1RbFob6EiIYYy+b/BptfXu9RcWHbrqdxB7uNXiWr0e/+SgIdiPL/J9Zzv6W8C4xQwwy7Cm4KDexHypJagJuQa3KLUGNaFzwFLePtJ9JlWDYUC7IeP09tw13XK/79StkIpMlVzZz5q/el3TmV2j9aQviyuqTGw3XUs4tkfFn6l+H9/jnam2V2/CIyUr8A+Kqe7iU0EoB2Xa6CK1GdT/zT1vefHRKQKAQUgBhbkgQopvFVSAlsyu6Ac0G4555TTNR1t7xbQNOl8w98LWPP8MZrZiZuGVZSfryTkOOMVsE0Gk+HYu7X/vuAlQSckCimPCedPOY+ALBGBByhmx0sEw0BNyvZEp/cYG3cyqNIjPXDpfra0R41JGXbBN4cWvZzwlOa+1aTak/5/BMuFPmLYr6XOivX/DKr746
bgKdHTtx52wsEXvyjKlU8q+3md4WZTniIJQrWXO0F9qVyNoT+KCvWY38AuhpFqsNcspJwXTNyekUtgTBVuJfR1WlKmih+Re3vOid3k2ipZgsJk51VjFS2MhB1eLoGmdL7ce7YepNVtd0cjwanL3wWNpfJ01THAxOfGdy7Kqh2cwwbJRsmKikCsfT5tLkUNlTtpIilFmDKY5qzlfk8815c75WciSMuGlhugMxOXI1dX1esZSl3ZM3aqEr5m4gcLnAjWB6FSjd8obKPaTr1poE1bsWjg+qAqRVNR1Ozs5t0QfQAPv3fVj4XpXec8ruR6W62kfnUGVrN/YKbWL1Y+JaN3+361p/xBZ054xnv6Mt1N+haO1x1hBUedAmpcjCLvbNChGeRa4TZNdItc4ZKM29+/HzgVob5hRvwDkN/qgkgMxPMZ+dHvRLahetCfUqoWBLMM6X7jI3ybHpk0zPGso9UqE2Ym0w0y0yrHxffP/w0xTYuW5IAxj7mqBLfLtn7AQ3gaaTyDcNMFziZ37Xx+c8KuHdZ6e9I2Vy3La9NOVs60Ly6eNqnvcXtjw9dievq42ggDGPX7HeSANHIkzN7qryTjuKXUWXHLXeMs+52W+PCdvnaR55gs3ENdtzyf9WmzPw3q1c0A/hi+/436+PEeW+pS3VkwMvQfbL3IuDNBNYeI2kZUFK6bDRupSr1PWst9+1fUJ2k5d2OnHHmmOnPjQnW065V6e79VkY/nn9miyFthLUWw02gk5c/mZvt4pdx/s1mYRoNr+xvdfeXfctDZt5qY07WVUCw7acUa6C2UlyZIqRqd8kAXoijIwQSpORwSBBqGT1kfZWtCuqupGnlhJZTWMJr+Q2XW+fnF51dehiS8Z6zwKY3nZBzYUvHMu5OalxYEkl8KQazYXFIXFyBatpEpZvPbrgfyym/Sq0d0kVnXE/7RAus2n7S4rZGDjvH33gTCR87oAK858I1vXCP/ZRdPA+Mo5RBxZlN6TsF8EX+aO/raJzqnN1RJGxvSNVbkPwHWPVLyOG/OtvxreM32z48nVKDafg0rXwi7Msk/dtwCPwbVoVqAXkhd29zhbfaTT6NbT+xE8C8O3dy+Vn713OsbzthjH5Xk4jeTOr/O5LKvsyHFXuCo+9grbuDr/nq6n31o4UmB+6sz15i7qfMxK82rpI0WNdZG30lIqrDxg5XqDb6RLnG9E/igK4LCq/gx7n7uLyE5ipDTyMytEKXlD86aecli5tSLoqHaMFN82CqraLYWcrRm9qbUCqqPHBmtDTR1LcW79UZTxRzM77OBTeUtY8WL8/rI3a30MhBbRx0HhY3cWLIrw0W3uscTd9wab/HzYd++Q64wJWcd64+zkkeh59DNlJWlMp8PAI/tjZMKpKzNubYlTzq3cI7rOc9B6VnNyYccnuSxA2y3RFPsNWxZMFHAbmQGcaXOY5vlA2YIDoymmGhBTUPi+WVLFOEbwBDx47v1dzAlFJn5rfxucmUiwD+XUFRd6JI3Yj06etfGcFShd+aRbJ2EGLPMqwiYgvqnw9HwkydC5uYb3ceqAEqd8tUFe3lflvm0/pExoUoChjAecDFNZm87vRqYm+dFjMxuPLW3j2BDH+EVqoKx4smieU1LAjPonIF/5snnD99GaViteguJ0jYlcRvrLlTwLnEj7AVrd/tcwa7LAna9eG2ZqLMxIghPb2AbDgk0PPa5RX7E6/p2cxkaaQFblsizteUqzjc4cdcI6wb6VkktWOP9ZU0WuBD0aCFXI/PCHxvt7y14xvtEa825cXlg1uK0w6OlxZH0zelpZ/7ucHuh3Onh6/0tO/QNM+HRVLF3h3HMMKHYrf311SS4HClUXRrKqtT67ZDeCiIldbTbsPKohfR9/mI+tDiv3TkRkU1mkzvgaZNz1lQ6PhVgsI+rRIn61BPdkcITM844L2KcOuwDa9j2EzVnRPuWMOPHK2FbjIA08ws0fT8lr513VKa+pprv31UdXPad5iMJgjVvI6
64XwYV+TSGU3tpUYdoVuHEER0jQK15sO0Ta7Eq6pIzT4UMGaV3hBPMrZ6DUSKcFd4YO8fXHe3fzxkrpC0C5B9jBlHy4gWbzyYhEZGU2rYtiHd0/w8osah5Qh26t4bBC5zu9VPEpKiYjVjnopdhluj5GQgLT3ehVV3OV1gUzbWbdpi6aRxRqbLfJ2HCiZPO8sHuSLkosNgeXR7PKzz5dkGc+V+JTza2uPGUcEzgwDuzitpLafvM5+XboaBD9V5gbIVdiyxDSkNdYzGK5TX2k02ZOj+CC64eFnjVZ7m99atJrmNN8TT6OmmucTRV9jKR8P/AWi5kgJWVipmgJO8MxKqqwa2/6OglbyuUVDkveysIFR2/KAnaizgKgyB7tC0MFLCNSWUjbdePewor8Wgs0Jd/IAjh5xsRy8s0JYTI/IVP7L7D/ooLytWZ68k34fdHkVTbjdNA5P7YOta3hn10RHBR9XSgn103zKznbWajByKRI3V+nHmdTBkGDshs5CGhZxpW7PWSf3vxGFZAPLgD4m28+vfnt9P3FN9+4mNslVZSN7smVVDcxU5b3HrDfmgG7L2yjTjAqYisRPmcnbpWS9jqgub0u1glMmJlUIDTLYwqQjispAeIyvhck8D4Qi2i2omzYnPjB3gGsfR6bqD0+sVPUdT1NdCjMtNBGxc58x3ztZA6x7l0a7R5tcj7SOUkPTXbZNAYbqDQ+2WST9+LzXSyJGRt1NDVTTeaIPXSqwWpEgWn203vCQvngeoL3d1xY8F7/fz8cdaMyu85/j7LFio6P3gPZCfJRNkfzjrsLn5RHCNraWtmOXfrMtBHtTZQd1sl8jm63wc7d/zLdlKxmx3gPw6SvGWXc8rop5nLlZcbleTe3DStxWXPQwDxQwmA8qrCJuc6sinjAfA4JvMZwa599dCbLshZ9T9QAnTiscNND0b2FW/N3COvULTZ9mGb9UGzXVBT/LsOvZhtshhp2iGR4MLrhwFvgdK0rljMZLUr0WBY8ol9RJYaPDk8duhZllclUwvj67Zsr8s75UTdBqWEgn48aSnD9H6/J5xrUSO3WmotMQb9SZ9rgho5DdE3eN0lnwbCuVkvPI16kXaIydhsBS7Q6yHG0j6oJPI49mG4Rv0ED5VSVCVbLkk3gXqBVxATklmhdROtKu0UzbrWrLdIFNX2t8KF0pyDyRUlVrLSSlu66ooP2xQ9+faL5IJwqCs1sEX0v5DCLm0DVEp7NsdRSArJy+nsCqhWN3gnDVZyKvr3w0T1jsS8cX7mtBKt6RgctMppjY5T46SeWthYRjfcO4em8Wv4obs0i+v2eiyw3Kit01LrrHeqW8mEvT3cgvOQ0usQQGYg5ExGTIoekU8RGi2yW6RUzeXT5IbIZlytNy/ixK13awizTUU/w6pKLjImU4oSJClQ5XUcLeB/QrvKbNMSXlKfYK6zKKiWNzOI/SSH15Y8Zehzj0+bJziaX86xIwWxLOH78Wy6ykt5mxsRyG2wTtjuaQ4JLoWQiEWgm0oGuuM74lGexn0W3aH+XkHj0yuAd2rFrIXZpx87q7dL+KSHtnxPS/peEtP97Qtp/TUPbyIrTKaQQKS31+OaZyMqao/I9XSe4Jxvi1U0CvaSsOZuXVRrt22qZlM9jByF5yiyFUqLhcx7fNyIy7QISE6ygVnkaa9ISTmNN6rWuqwS9SHPRplUnMVWNNNb0gNsEIsRIYw2zVLTRrElCvBbsVlAhNeQJNuHyZ8uVRJfC8mdZmQXQIoFbTZZVlvMEPmxLOMEjCdJV07WJ7xa1lHUSylWdJXjTyBUzLKc8QQKRzugcRL6OGHXVpS0oX/8BxTQF7mWGZUCTUHblYNKgdoG1SahP59Xy5zQ+aJ1NmflrkkJjuc7i9orrEVYyuqjWSY45UoVcxc9y087HH63XVocwmIXz88d3jjjiqPYlIe6qycerINehPWMcUtgwOpulWEQ2i5mcvU04hW6gM1ZhkGKWRNSxavljoU01KOYfi
bZWeRLanM0ghRmj0dFcQsGiJYxu02YizS4pZVFz0LlMwW1PnM0TyCZZ6RU1UXv+d6iHIsijEFYwZ9ooGt8TsqGdQONTUKVitUrGa42VyFUi+eoi890WT0DdKKBlAkXSpQKlgp1OuV4tJNOZ6zAbn/qaKppkgxcjibAxKC9df/vYdJk2VETvc1xoM61VrGaBDVVwvYJSUK2jY42vRzc5ybHJYueGWfxm14dWGthFc06LIvYZYEXsZ9WmdFCCu4iVWa6kLJNUJbKEE5hprMzSBEf6ikcp2FzdRC/PVOn4JUtZpSvFIhPl1DBTR48+40xAvBI7G6o6akedli4m38Z3a3Hpqp5mMy6jX+ct8QQh/9bmjS51LNEEEsfa0AmgRo9N4HKeZOuKeZIDXEkVW4CV03qe4piVTOcpxEKpk2zYFH0gBBgsrhSdbnQZ7gpAx474c1Rjh+OJ1Sq2BZIko0y6BtDRLVEZXzOSis2zQD+uB9NdCVDx76wqc015o5ON2pl6Q9a1eE2yyRIkbvqeOLGFgScbWxpUmXMkRYdLtbYfZvkiVp7/gDTcViz6Q0AFqpwrKsyg5m4MyqskhONfva4S2cePvS6gEQgrOc+oriI2DOiSVjQ2VQWUp9DvFOTIB1d1NBHx+Ey2lOOWcO1QlqpIgDi+I1Mn8A1r5xtOEA+gIXYggGt4nMA40fA5/gYIFWiNRjWBKaXZPIHg1VVsL5tWeYpzoPIiuiKtVR6qihuBsInXYqtLs9bRq2oucxE7USLYLfahRF2RztjTN3MTf1s5ovFf9NqenrHprqvo1VrrYpokDr1WPMFdWGtQWcFiZ70naVvRvAylYIPJtaFlbG/wMmNCGzpLoBksmTIp1PBlJRKUbjJS1SKmmzVUFi1QUfS0NpK8rwUZDN1GjyRslveJclaQMwUFM+SMqsJXM9RY/j0Mx3XOSsilsQ6hSAab6BOsb5BLTkKpOm08BBPpOHdRVlyuYdBYcC//ZrKOVtT7jnvM8tD5jLDfmYI53JKS9gstbN5ixbzuNwNJDpIzjc0ZmtH90mMBJaLrqpLKkGHhUUJWC2oIM6RSMBvbCg8Iy71PE4oQ473V0UIgTPjK7iN1oTkTqTvyd6Da0bo4NTFyDmYBarL5vl7IenCjESJgCaptR2QkqajSQN6AodgR3J1V2rLg2Ws51y+uXNrrc3LuW3ydELMIdCnCYsDvwbc+RtiCvAXzGzMCdHidh5s6CfNm2LK7PUU4uJusBqryxYQJFsSHPXePUF+7Jz6xFwYGQ7zgtBbY63deYx/Xpoh7uIB7r177jjmlL8fdzqktwu37F48Y+3Yhsog5TXervIrDkg9wa/BUjLkLjtGNekQgbRrXvcUO1YKPdLzE6rkJ24Fj/VwNhij4XIM2O4p2Hx6tfP9a+U5lwLY8blQnsfseqTbudNudsguTQ4RvY1t/xwrt+pfgzGP2/t/f39AOdnneCAUcO7w30GqIF8R7zy1sL5cp1UBcuHaLhgxOVbtK/hePg1e0reBb5FK58vVBNhJCNdEA2O6M7u5XpajQND9Ce99BhWk3tEC1d7Np8lphB7RdoCtQJXPqxrFAb4Z0jTnYknGYA+GwBE6o1mwu3MJt+vWHtz6WZH5E+Y3j79jp00fp9GyR1YJ9rqHfJpGGD18H72EVEw/rgtJoNKxwBzKXQgDGVpAVM4sxQUFIIDOk1dgVHJRedG/TwrIT5Ul7RXE5ZznlxCIYMX0QxeOiw6FG2jQ+Hu+qxVqH4XXC2VayF9Ua+4KnnFGdLWRym8AZca25hr1UNk2NrFTstuAJ1wMg7tBYtHin+UYsOQeqJqdcS2uIb523c3wsJ7/6X0zIqVi3/zegbtCW18IQWkxyWVa1ARUWw0nc+HZi6cyzr/prgT0WtxaEmX/WL7/7/q/W9j3vLEfDsa+CsP0+zeK+mN3VcUPXoMi/tD45/cLDQHDhUx87/yf9nhcbzFu7fud6HBi8vE+2fd1vmGLHmZC37z5c2
LmDAuc8QX9pwXSuoKIiX1ut0qtnvB8LQpBDJ+TDm1/IpTA/vDwhl2/PL/7zF/LxUpiffyTPVos1EcDMAhTJF1L7VmlSKcgNfuv7n//n//f86yBHwCwSyrg+P1CmTkoabsejE+++ex7za7cXLxtQ4SNePC3QXdm0B/mBBePufMGH8PYU04118okpU1NOXp++DYL9QwpI58s6bGf8HylgEuathfvFiFCcyH7hiUvwFO/gHeswpwZW9BFapOPuviKnRaHQT+t2eQhOe/XmZXXoO+dD30Iuz95cuVtp9HmspPqIrx9bTiWnqfq7m1xeWSgj3i/LwwM7QUThoR17nIeNJpa57lrHFRAduLQomP0y5ZsH204v//A9d8QNYE1CPODSn/Dz7S0wgLKJtU6i1931SqPkrUd4JZVpRfJA6Bb4wIYLwMx6v+TVR+a9mw8T8+Yyaab1ZozxAkJ247G8uB4dWr5Ua5kzq3I6v9FAxyFWLisq5jBpTadcihmb1woKMl0jTRAFRg2F5Ux1YOmBQdLoiLYcHHSWoN4Bj6j7d1O4ojsAFJTSQOYju+PHGcVnbSF0RjMXip+AdGVUGuKzBFtiliBbmKc4Dqnqn1QJmEqLrPHEpVPL+xa8ncekP1rXmfAIGuyFWYASYMiHdQUn5GNzjb1GB9gP5KpxgA1ugndjmlrTqucIysSIadyA9n7xE0I5DyoT1eaLGOBGFQbmLUHZO5AJI4k2eJkzQT5ejgqUHANkk8mr6CLbEpVVgrZvlrACHTui15JNkOLibsTYoejob0+A1rVWyDiIefROkYjZKh8JtdARDdSpPJR3HmAEyTGcYEYoeSXViqpi2KebkNM5BnspQu2Jv8VYuimYFYAIq56Rqybe941bGsq7T3UODMGS8RgZMZghEz7OFcMSSmasWPItNsJTXHIqjvGOfwcHZRMg0nFRDia47bLcvKQsrQU7RwN2++aJ/VIJOVYhWMarB3e3F3uqDMtrThXBetGkAfHs4vaX13IuZ7Nw93fIM7OA5Mu7BfaDHdCdxg7uC4vbwj2tzQKE8cHio7B1HbNywt0CetyQ49A/alCjgGVtcnlcTvshxwFf13kOWo9gxsrjhxVHOyzwBHERq+LOpVqTQGLCANsxhNMWRuhhtFIJH/h0JYW9V6zcCimH7Q/JQFHantUyXj26kXuTEle1FHMGOIOinY/3w/T0YSaIZqYOyE+CyQXgRbSnuqCa0EJW9nYxC2CKyJXYLJljnKG3UshyJK4We3Jo5krUH1eJsMo9E4WVP1LplgGUvGIcyKkHNhmw4S7OXtFOzJ3J0YDxdv6PEq4wyoJrH7UQlwuhOQYYETPf/QGMcPF61z5fIzYnxgNCpzJl9kBg8lNY0CWTNWqXuSwrJUs2EqEIxwZ3IeiUYxLZjJztxsbEshU7CUH2EW5pnSQIYAth1OYyBwAMjN/iS726nVt2c95Gt90mzbIWpp/OFlujLzANPMsPMevvpAXhfTwHAYrlzZSQIRjo1w8tYGaBV22otxvxYCf59xNt1PjjZzOnQ8puPdqcXu6ek1cv3FgJ5xU0TVsj3LAStJXrTttTUMHoI5JfhWhFIfYuBBYefOAyqDturUNqdz/a1vrhbnP6PtPRmpzeeWreYbxvhoO54Yw3AuEOwuDLnd3LvbNTR107d9CizE3tX7lotVSPI0D2yPFWgHy52/GH/UsWq7XBcZbsbvJRHVWCxDxjd5AfR92OMec22IytUo8paD0/dfTMndosshLMQj7CKwnd8iQTB8N/bXTBsZaSkkm9Tjtedd5L7v21FsiOfZnIE/Kfk5+++448e31+evWcnDNtmJjXTC+gwFT4IBYu5zJ5XaBdL2EYLTtzOPwy4xdHIsaUTOxV3JX/aVc1hKA9MeiRj9b0+T7HJcew/zbvt+P4Q0yhN1MqQmXSN5FilMeqTtebyHtasFq7EYhURLOScaqceLJi056hHO/1cHoVnnPNimNWGulGyn+0G6HxIvbqY
m4Oebo8i1Ox66zjs4bPNOz4f72TCD8Z7AXvuIFOWkYRdmVKlTIwYPBkg6yWak4F+2NHVLVItxXuyuwDON3dUyPsnjEVzCVNVPXnlR0ObwtX4svVLtqKav4VKDeLnCoglYJClkzQYMJdRzxdUcNAGL03PJ7TY872NX3UybrSj1Al2rj26HxtBVdFlcFiSJup7harRyx25IXNXSTqDApQ1ECRRQsq27E/rPB51YzYPp5dKblkRVs8zH+PVhX3mupgY/jiP/Za29ZpwwrOZpKsONIs2yF9rT+zHplmsHkoRk4umXs9X/QV95EScK3SGbMp+H01T7hFnanzo04m9DwwUaejosZKNdFGKifxLbUSDMXRvsZvTey3vg7PvmRFweF4Uu4NjndXORdY3o7cO0jONe0xjjPdKz9ap8KQWDevsyek4tQumb2fpSIgcrWuxrz8GAp5BHvyDhF0qrUtf5XakDc0XzAxYtIVNJHk+KrP648CI/0rBVZ8WP3IFTnTE/K6oBX5hP/j9KNCCpd3+s/h5UkWdAlWc+JAFflcg1oTrEGoKyk0NBpVODnVzjfD3xxHXvoaeLmlrFhTBVK46bu6fOM4mykdAepmA733xVHvihS7PKV1mPX3eFNaequIkbUN/cXLNFG1EEE7Vp+0N497eXZlpEZy7DzFzFuY6ReCkhUThVxpoivI2Yzl9pOTUJ6gj5MdHhA7PYd3E3NDnmFFWBD55hrCp8vnHW6RWuA9/hrmNF+Tj3q78G37Alv2E2mjR9faEY5gsI/c9l1TC6FgrhpuMnsjDjje1gEIZP9vZZpiOs+QfdvTTq9Qj1Xndep1YMY4w+BG8785YLLHiesdm6qP8PWu90bWXeDUx6uADmdzHIdd+2CwvTabgEy3DIMVChek2J/8jGkDMVsCjma44ZQLmDHhffUonLCqX0mrkaKDiO6gRLFE2DYOmJ76F1swtj7b1HP3tZRGalO2PmxjaL4oj1wCfzMqMpwMrKPuciRp8jJlIl4Hsahnw04ZkwrTXp4BIdVN28FlcWW0N+n9ga6dA9Rp7749qCuqmj1l/3yymcpqwQal1Ik9HdaWdcHvd5qeid6zxJW1kGqdbsH/pisq/m1vxZgGyHYV9UY9D11Nli1/e4HU98zt0VSiwayaeuu7ZzW6CzIQRsnqENFRyHo6cC7caY/7Ma21DXvSERCjy+447jk8k2VFxbo9j3jssJ2+s1eWoOw1lDExk2GlgOqb1DlCe+RHz4pskK0gbVX02edUMQKvas7X5D9qytmMQUHOMe/ZOQeDUFYwzXIpb9gjPbr/BlPixt/Yz5SPafPRq81unsOr2qDKfWAL0/1n/X07hO+y493Rzic/IR/WlZv6xnNgmeNWcHzxFMyyqMVke7AtBueIUF/rUNnaPphjuOpa5XIbnfMsVlI13n58Yn7/emTJO7VyIm+nhhdV2j5EO1hhR97ruW9gKikTaSLboOw4dj1IRU3YNZmLjOqYr/0dwsqn00emXCsecZk7VCOuSmuMZrWK5Q3p0NSgMjqPZ1NuSEe/nrZJRw1/3Cbtd30CwQK3BgSqVvGNE0s/2m5uFb2Fgl6oTGyNyg1xjFzCLZn7AYdF9eqF/+8zD+GF/w8f1xRy+1MOKhyd56fziK/nbjLdx3P0uHZarQ2mU/iGaNakYmIGSo28uw7nfZR5dRX/vawPumePALKpSzzrLEPgSOGztkx6pAJDHG37Xbh3e7vtPmAEser+6R8wDNAab/jJqgWo4/gjrM7uI56enWHrx+fkDMcPQwNljlQsZYTPZ6B880/YisLcUZwXkj4ddxjZWXA76Ne6Uyl650qzPw71St6/NEp4tck1+yPsrWE3iWTK5T8uiIC5NMwtYLWgeqQDlM6PXVaos5Ru8PHmgnapk3WAGgS49PZYUzi9yb8JB6RoNj9GRsV2faO26+GH0UbLVpowrevoSidSxmCpdN66h72hIEJQKqkPdLAoXel5YQcn1/g4vUs6HSVCo
q0M7l+Rn11jaOfuy6gjPQ8DeX/puQPjuAjVmmfLlDd6/0nVO7KDYIrMbj1aRy/TqFMRZjfgLepExQ2+2rQr6V5IKFt/JBrf66Qil9en/3hzRa7sPUXeiZHuKxu0iTKpD0H7YSXDaFEM5QvIb/RBTuS7CeG0NchCTefaep1tiTAMA/UtCDdScIeWC4oNikI+gpLrcLRVQUaNBsRsqKmP1uGzi3JJOSvcRgyA6AvCo1W13iUIkWM3sNZ9sR1p5zcBpJFpL4ypdMawB20S0riUKRiS0ydwmthcNJkvUjGz3nOiclmWSevE3RG3w+EdQuEU/BVTwPuWZmwXy4pTkWn9WA1v7chOhv/mZ9vkaAXRulTjrJLsGGHVIcAOAUEECCpsDSBb8wUVYlA4I3W5KT8qAhl5sz1S2eb2YvE9D397ffrW33svesO3F4qRqu/7j16zjembbCl5nYoBp00fZ+H73LSdsZt2vrVgRpNnDoR+jtU6MLG36ajbI08QdHA2vE4kzV57rB8FMz5cYLKddLAEhZECs5qTXIocKmMN5Wu3hiPlFVarlNLXMd4a7E0LbQu0ksoQafn767+fhkJwg2yPve+kmh8/wLKfYLDlYp1SV+wkWCjm7xfvri6vyBt6WzJRtG29w8tq53b0MMytJooj0/LTGMxu17Ra9Smcshg9PNtlOWaz4yVsPnYSfjPl5GrHlrPMS+XLc1+l16PYiZAfb1EeuVZAM+Pyv3zecJuYI4qhJhn7dKO/xJrQjxTd6NtVoxXfPuqWLrn3hOg6EKJONfmbNkqK+b9NOc1vONMGir+98H87aT9lYgZ5+KMZU7CiPKjI0Cnv/IZQURAtyci2VDBn2qi1teyPKSwqaha+WH+LgfQxDECiU+pYMF0itMvXyqXqVCFv9ckWOQij1n/5vwEAAP//HijnmA==" + return "eJzsvW1zGzmSIPx9fgWejniu7Qk13e1+2Rvf7F5oJXlbt37RWrZ772IiKsCqJIkWCigDKFLsX3+BBKpYrEKREgVQ8l77g8OWyEQikUjke35HbmD9iuRM5/IvhBhmOLwiZ/6/BehcscowKV6Rf/kLIYS8lUXNgcykIgsqCs7E3H2cCDArqW5IAUuWA+Fyrid/IWTGgBf61V/w2/bPd0TQEl4RWIIwEwVUS9H+khCzruAVMXBrOj8MINL8+YAAyGqxJmbBtANLFrSqQEBxQmieS1VYNI0kZgFEy1rlMOkAGaCG5JhQTQd4zZWsq7sh9ho3jpRyBDq9PiWvmYIV5by7fEOhzU8aPErQms4hY8UWZIfKDaxXUm3/Zgc6hHxcQAcTD5uwAoRhMwZqg1MAFV3PZuz2jmjALS0ry0gatGZbx7sHx/f4c8r9eoTODCjy/1uE74ooHm/GhAE1oznEoNw1wiQtTDxUy0szLldEKs/Lu9AqQBsmqIUfF7fzDeAHIahqDpn9Zwyk3tESiJwhCqd5DlqTMymMkpy8YdrgYsQsqCElNfkCis7dvcvp1hpUClwtXIcX0x1h4cl5Jwy7B300NDuL3gfX0krJImuuTBXAs/fDvQLGKCo0pwaKhnaXV4QWhQKt74HLQmpzZ6rNaM1NhmL0FZlRruGhONvl74FtJVUIWy7F/KGYWNB3wWRLvkQ+yC533e80u1g91pF2sb/ruXbxTnG4XZz2nrBZKKAm47AEHkcPsPAIwkNpUVK+ogrICzKVRoCxmM5mLJ+Q9wJlzhLU+jsuVyfE/tUDV8oCFDVwQhZsvrCPDX7c/ucu28qpgblU6xg7O/Ow2udvfGev7aPYqClLpmp94j/T359R8ncqTgiYfOd+cikE5O4CRtHXPgn2pe4qaLgtim/6TkxYXlaZXTSAhV702XknDpdnb6/wm/sXzGURa0EL6q60HtlnGrHy+epdZ22ytXZIF6BVpsDaH/p+iDxAw6das7mAgpyfXpH+4kFSliUVRcaZgIyqeV2CMMdD1y9P7PKkXd5aj3MoyHSN15jLn
HJC64IZ+5td22m2338E77iH+76Sm+dwQ3gjCXWcwpm1RXWNGvCs5nzdco/YuYtKsSXjMIeJ5Pfk4QPP4rcFCEJRs9Sb5a1+mS+omDcautc3JS/IkvJ6J/dvNiFg9QQ3IWC1fxPTWmkzkdPfIe9LsXSXQoFTE9yyKPYRD7KiSjAx33mhHcbsOGzTxdYqAeTy/CB081opECazMI4ne9yiHllEXwOIO2ArxYzNawXF4yC8Wb+D+3606XL+OPjSJSg6hwcR+tGQ7xA7sA/KuVxBcRcOL2tODVtClstaHE+YGGkoJ7im1eU7uC+Y0UQzkYMT6k7arKgmuVXNrQBSJOdAVWeD2z7Smeli83Af6WumoJIrUI2Vcg4zEBqeiOP09cfzr8txahH+03H6p+P0T8fpV+04JZ80kIuz6yZ4JaiZsOpPf+qB/tQQOZ+wo7VFt/P7e7DAn07Y/Thts0Wfzn+6aP900f7pot1acK+LVkNeK2ZCTBP0pmwW7C33ga68po/EvfZwyYV9pXdHob5yN3FKFHe6ibdtPCZ1VBvv8v11mx3U/Bk35ShqwRln93i47qgN2ifW6dgW+k5OmtGc8TA377Tjri/O7ncuzULESLJasHzhhKS3ORXMQGnybLYRjSfk+t3bqxNy/b+vTwgVVtHpgZ1JZRbPJ+R0AzyngkyBULKgqkDx67K2TggllZJG5pKfEBRlpUv4krO+zLVK/lobKImWM2OBTMilIQUIaWDLCPCSPqe1bmnvvtp/p9w2JwNG9Lllk9ZOm/SsA7kEtVLM2EdL1TDg1+Eh7blCOw6qy0JN0tvGgFwtQDl/in/IyIJqMgUQRE41qCUUw/2prVSzfZsZXr6dWxm/W4i1oNsqy/jqY+uHluhoc3reO+ZdK+y6Vb1T+WhttRtYW1uu1i7wktPK1J7+iq7ai4M2Xy5L0HbTmAjYA03IGzkn52AfNhXeiIPF+kgdup2tREir7eaRAXuEE1Pfk9zd+FwKgwE8OSNMaEOFadDQQRwNKw9BsOh7gkPYeRvfLkGo8eKUNr415/6k5B2Y35gR9hnwpz8ZsEa7Wb2QNS+IgCUoK0Ebvquo0kDegqEWNUpmSpadpZ69kXP94ormN2D08wH4c6YgN3x90sanKPkATlg4DhcdNCdBQg5tj7tRcmBC9Sh5DpWCHA0mi0kBM2bVBik4omXolFslvgpjVep5X9WOy4H+jN/6e355/oOL6XkvT6OYu0/BLc0xguzOSw0OAnfHUGlz3IKfs8dRUWVYXnOq8Pv+YCejnDEAfRCnhDhjAHmcU0aPZHncM3n555nsPhO7apoDedj1ldPfM9xI/1ieDHZLeojQS46aAqf7PkXcLNlS3f+HYaYNNVBCLzj6RJDD9KMs57R3h58IeiBMz0P3RBBbDLxOTwQxJg5DLK3G1EiOp8tpBdBDpEdass3ARQxi2VAjek3Izux8sHELWGwGeshASXiYFdHTQwbQ91gR41QcBF6PQkXR8aoEyefINdhmJPKRAAXvTb78GGp1PYg5NPv3P1pvG7VnUuT2caBGPnXLdkTcLFlacdil7pldhs1YTrv3+Y2cu3hDk9FSiwIUOkvBC6rB1mfsFgqiAbOutr68vYYeN1iaQxjAfrDB0h7CAPS9DmXoCYzvXzqMMQf7ugdN7keDQUg9CV/+KrXpikje50gNwlU5u1/qENt0fEhfD33ZIQw2+NIoYS+vlj+1Ofxj171P3MHujfxaibv8JTV5f/l/l7yDqHMS2dCXC86R1vWWFYSSOVuCaJ1kX68iYEl0mP8irQVSPEXl7+uIaIw6NGS1zhR8SXDW3eAhHjDu29ebXbilyRVepBPvzTaUfFxXQHI6lCBTIMDMAhT5dCnMD78QqchrLqn58SWZUo1c1ATIsJoAVb89+z5E3f2K941h0HTGZwT/QjAR7ijWcbPyV+9gkGpF1aA6M5rW0ZFonW13KXl59XlL36NYv9Y/UtLktrhH1KON6fbgOFU74mHhj
GJzhrUX7jvb2soeOqTSv3YkRlxeff4lQIJwTg6JQIIWoyGVY7w+G0YdKo6Hvj4LoAWoo8Suf8WlyOX5Q6KkDt9usBTBHBYrfdJONp5nyf1stFG0LjeKFl4Ua7qcSc4hN1J9jQLYUu8Rcm4szzFNckc6KCymW4rqG9lXW8gOQj9Bi6/Mp09FVS2lxmS3UgoyXQ8OjRAFX2rQWASlWVnxtT8n+2FM1AWaL4hmBZBn3xOzUDV5+fPPz7E0VAOIdpUdlHgSyusdKKErKTSkI0X+1XCFKxFufAp1OXVCz15lHYRAntGpXEKHGEwEMysb8aaNAlqO3p/8q2GbRyYVFKzu62kxCPVNSHNsHQtsRpj5R/3y+x/+pp1If1GhAG2Q/sdgN/+w9uAbugZFXpILkdNKYxG8FGhS3kuuh6A/MPgRyK0MrfLjS/LPdrsn5McfyT+TXCpseYHH5BY9If+Nm/9hP8g02SbKN8EjFLIIFA0/EVtXrCDLKedTmt+k1YAdck3BADW+eyvTBERRSSZM010kiCgyRwZKyUT5aRt9UFeQM8oRY8RUG6msZi3WTuuwv1hSzgrHGCGkCJnJWhT2heGAyDMx98rR3uTF7RsxgBwjFuivw46w0cgprLmkxVN55zw6RLM/gJRgFMsDVoc3hbsfRlvYPfeNELbPPjUbjVbOmmObkF/lyh7N0OZkgkhljTEjyQ1AtYdoT+LF+0qIpiQWgy1ZkRWpoq4XjeSZg8CqWY1lVbWzo71duGTK1JRbo33L9y4CLg5WMmt2Y6wcieF24a/65TlRVlprdKgg0aiag2k/tpcSWiVKenp0SjQ1+7sooZKEgoaC//K88b1+gFIaINee35teOdP1mKAk2G3EBWK+gsCLXynTFWcpMxuetDmv2UDtfxK6mZW5Cfkdb519A5oyTc91jdXin5D/GhFGJ15mjD9CjN6uao2jq7PTK6/7+qJcVlZS9TVegk/kV5cGUT8N94dv04CG+LD5GnGu1G1Tvt58ZWOwOz0HLfMJefnzL2SFdC+BCkI5D/sK0KmPatLGf0RWoFwPPIJtPqg2RIpeucg2ER9dTfy6iRi4qynCtp52v0lVIOEwqwnyhZBcztf9QNyMqYEWS8jPJF9QRXPjiGgv9RrxR6e5ILXwOT18y2c+WlEbu6DbBepTBhF2xC7RoiitkilFE0ZQdDUq01Cy9tRKmqPG6mIUwvscZJ5jj0eEqA0VBVUFEVKVlLM/Qvm9UpVB+hQ+y+FgEsl6OniS7kWkDdYtMi84mwHuOGDga8ilKEYU7M1xZ9qk9LPs2BATuSwrDibIAKNOVIoKvFGsJwY79WbKPBIjX9u1g+w8xsrbnDnKfqUUZhHpmDb1qbFyXjZZTsUjEf5CFCnIbkH+IUXqbgs7xKJdvVExXXrtxz6FByIq2Y0+xRFe/vKRJSjdKacoduWBBc73ocy2Bhprm5syvVyqAop076BPsvHPlG5XbHSMJtOm/WA3vj58rZQsJwi1xqJ8nYOgikmn1pc1N+w7w0ARWlW8qX7Z9LIpqaDzUGkuIRzDO1ttfZqGUoSZbzWRK+EiY4aWVd8z6DHG/ptKDpOPmNEkXzBr3cgC9IS8rbVBM6kL1N5KakbycqmBAw9ppwCbzSzeSziGJoSH3CzoaIetoEDkjiGoVa0LtmSF1WyQH8KC7LoRZB97xAtv8rZi6mg73JyniwXdWk5khq+bvldGor5mkXLNGXf6RiMe+qgL58RK41aeTQZLtulkso4tgcqBIvdQiC39Y18V1CC/1FAfjZUsdzsu2sjHFdUEkShG+AaR+yE2USMqBVsETSDT5qVJ8PrOyxS4VlkCVKsshfZcxRRF20BfRoeaQFfqvCKPY0L2zMfgGzN4Lu/15hwqNvfJtUOCBZsHotcNIbYjiOYDJT6GYq1rnjrsNGJFydrksoQXDofWeMGs7EEDTGL5wpFgy4AcYRBYwqAd7tE21qzuiwA7kZ1dLp+0xYuD3oHulW4rXSw0j
DtVkLMZ2xg+Ye12ONa5y1NeV06fzRQ4gNbFyIpNwUTjoip8kCWItzebj3UIn7et9K4lKBV5f+1TY5luEgL6fjXi+8L2BiiQrSpJXUnNIgqOO/EWmtOicB2mMJW/ubujXXhqboYNsx9LFIm6BMXy+8qi4N6OUMW2Y2PdSrb2Zjix5O73YGtLEIVUPmF2587k9PdH6F7ThHYDbc27iKWvBR+Q20rQ3Yg5SZ+yV903wwvpq/69mPFergVtc4uFNITimAiLZDiBlst51iSqPIpQbxjx3kL9GD1TtmTfv2G6FXat3h532MWqkpzl69S3Z4dcuEIEfHNtwdcjcjk4bCkxAT/UHBCxsDiVwsBtao21RehSOH/dph8qLQpt/8JHFUe9IUKhBjB7Hmc3JTPrj+tMIAvGApfNSM62Vwg1RrFpbaAjIYY5+n7Ap9XWu89fWHToqj9B7OFWixv1evybg4ZgP7/Iz53t6G8B4xYrwCzBmoaDepPzpZagJuQa3KHUGtSEzgFbeftM95lUDQ4D2A0Yp7fnbuiW+36nb4VUZKrkyv6u+anXNZ3ZNdpP+rK4osrEdtO1gGN7VPyd6s/xPd6damf1JrxSsgIfUEz1Fp8KQjko02YXqc2i/mcuvOXFR6cJACYhBRTmgggpvlNQAVoyu7If0Gw45pPTDB9t7RXTDuh8wVyErQn/DHa2YmbhlWUn68k5LjjFahNBpPhuLu2/d7wEqKRkAcUx4b5pJxj4AhGwSMoZsdLBMNATcr2RKf3BBt3KqjQYn7lyvlpbI8aVjLpkm8KLX094SnJea9MwpP/P4JjwK0zbk/Q10d6/YRVf/O24CnR07cfdsLBF79oypVPKvt1neFkszxELQrWWOUN/qT2NoD2JB/aG3cArQkm1WGuWU04Kpm9OSKVwJgqOEvs2rChTRQ+pvbznQ+/qbBQtweAwc6qxi5fGRg6uF0EzOl9uBe2HpTVbU9HI8Gly78FjaXydM0zwMDnxncuyqod3MMGxUbJiopArn0+bS5FDZU7aTIpRYgy2Oas5X5MvNeXO+VnIkjLhpYboLMTlyNPV9XrGUpd2bN2qhG+YuIHC1wI1iehUo3fKGyj2N9+0qE1Ysevg+KArRFJR153s5NwSfQQa9N5fPxZe7yvveSXXw3Y9bdAZVMn6g51Su1j9moit4//dmvaPkTXtGePp73i75de4WnuNFRR1DqSJHEHY3aZBMcqzwGua7BG5xiUbtbn/PnYeQPvCjPoFIL/RB7UciOEx9qvbh25B9aK9oVYtDFQZ1vnCZf42NTZtmeFZA6nXIsxupF1molWOg++b/w8rTYmV54IwzLmrBY7Itz/CRngb1HwB4WYInivs3B99cMKvHvZ5etIvVi7LaTNPV862HixfNqru8XrhwNdje/q62ggiMO7xO06ANHAlztzqrifjuKfUWXDJXeMt+ZyX+fKcvHOS5plv3EDctD1f9Gtxex7Wq50D+jF8+R338+U5ktSXvLViYug92I7IuTRAt4WJYyIrC1ZMh43UpV6n7GW/HdX1BdpOXdjpxx4Zjpz40p1tJuVenu/VZGP55/Zoshaxl6LYaLQTcubqM32/U+5+sVubRQTV9id++Ma746a1aSs3pWkfo1pw0I4y0j0oK0mWVDE65YMqQNeUgQlScToiCDQInbQ/ytaBdlVVt/LESiqrYTT1hcye8/WLy6u+Dk18y1jnURiryz5woOCdayE3kRaHJLkUhlyzuaAoLEZYtJIqZfPabwfyyzLpVaO7SezqiP+0iHSHT1suK2SAcd69/0iYyHldgBVnfpCtG4T/7KIZYHzlHCIOLErvSdgvgpG5o8c20Tm1eVrCmDF9Y1XuA/C6Rylex435zj8NH5i+2RFyNYrN56DSjbALk+xzNxbgcXAjmhXoheSF5R5nq49MGt0KvR/BszCMvXup/OyD0zGet804Ls/DZSR3js7nsqyyI+dd4an43Csc4+r8e7qefmfRkQLrU2duNndR5
2NWmldLHylrrIt5Ky2lws4DVq43+I1MifODyB9FARx21Z/h7HP3ENlNjLRGfmaFKCVvad70Uw4rt1YEHdWOkeK7RkFVu6WQszWjD7VWQHX03GBtqKljKc6tP4oy/mhmh118Km8JK16Mv1/2Za2PgaHF6NOg8bG7CxaL8NVt3rHE0/cGTH4+nLt3yHPGhKxjxTg7dSR6Hv1OWUka0+kw8Mj+FBlw6s6MWyxxyrmVe0TXeQ5az2pOLuz6JJcFaMsSTbPfsGXBRAG3kQnAmTaHaZ4PlC24MJpiqkFiCgrjmyVVjGMGT8CD5+LvYk4oEvE7+93gzkQCPpRT11zokTRivzp51uZzVqB05YtunYQZkMyrCJuE+KbD0/ORIkPn5hq+x6kTSpzy1SZ5eV+V+7T9JWVCkwIMZTzgZJjK2nS+N7I1yY+em9l4bGmbx4Z4jD+kBsqKJ8vmOSUFzKgPAfnOl00M32drWq14CYrTNRZyGekfV/IscCPtL9Dq9t+GWVMF7nz12jBTY2NGEtzYxjYYNmx66HWNGsXq+HdyGhvTBLIql2Vp71MaNjpz0AnrJPtWSi5Z4fxnTRe5EvRoIlQh88MDjff3lr1mfKM15t28vLBqcFth0tPjyPpm9bSy/nc5PdDvdPD2/pec+gBM+HZVLF3j3HNMKHYnf311SS4HClUXjWRda311yW4MIhZ2tdWw86iG9H38YT63OqzcOxGRTWWRuuJrUHHXVzo8LsTiMqIeLeJ3S3AhgyNUnndcwL502CXQtvEQNmdFG8oZceKVsa3GQRl4hJc/npLX7ruqUz5TzXTvq0+ue04TiMJkjVvI664XwaV+TSFU3tp0YdqVuHEER0jQK15sO0Ta6kq6pIzTYSCDtK5wgvWVM1BqZNKCu0OH+Prjxd28sVL6BlAuADvYkk830Gw+GZGIrMymdVGso/tnWJlFrQPqwK01HNbofKeXKj5ExWTELge9ErtM18coSGC6m73qeq7SumCmrazb9EXzGIUG220qNpwo2YQXdm/SZYnFpuDyaFb52ecL8szXSnyuudWVp4xjAQfmgV3cVlLbTz4n3w0dDaIfhbkRciW2DCENeY3NLJbb0Ecmbeb0CC64flroWVPl/s6XJr2BOc3X5NOoucbZVNHHKMr3C2+RmAlSUiZmipawMx2jogqn9qbvk7ClXF7hsuSdLFxy9KYtYCfrLIAU2aN9YaqAJUQqC2m7b9w7WJFfa4Gm5FtZACfPmFhO/npCmMxPyNT+BfYvKihfa6Ynfw3HF01eZTNOB5PzY+tQ2xr+2RXBRdHXhXJy3Qy/krOdjRqMTIqp++nU49m0QdCgLCMHEVqWceVuD7PPb3+jCshHlwD8179+fvvb6YeLv/7V5dwuqaJslCdXUt3ELFnee8F+axbsRthGnWBUxFYifM1O3C4l7XNAc/tcrBOYMDOpQGiWxxQgHVdSAozL+F6QQHwgFtBsRdlwOPGDvQPY+zw2UHt9Ypeo63qa6FKYaaGNil35jvXayRxi3bc02jva1Hykc5IeWuyyGQw2UGl8scmm7sXXu1gQMzbqaGq2mswRe+hWg92IAtvsl/eEhfLB/QTv77iwyHv9/8Nw1Y3K7Cb/PQqLFR0fvUdkJ5KPwhxNHHcXflIeIWlr62Q7dukz02a0N1l22CfzObrdBpy7PzLdtKxmx4iHYdHXjDJuad00c7nyMuPyvFvbhp24rDloYB5oYTCeVdjkXGdWRTxgP4ckXmO6ta8+OpNlWYu+J2qAnTiscdNDsXsHt+bfIKxTt7jpwzTrh+J2TUXxrzIcNdvgZqhhh0iGB2M3XHgLOV3riuVMRssSPZYFj9ivqBLDoMNTR12LsspkKmF8/e7tFXnv/KibpNQwIl+Omkpw/R9vyJca1Ejv1pqLTEG/U2fa5IaOQ3RNPjRFZ8G0rlZLzyM+pF2gMvYYAQu0OshxtA+qCQTHHgy3iD+ggXKqygSnZcEmcC/QKmIBcgu0LqJNpd2CG
bfb1Rbogpq+VvhQuFMQ+aKkKlZZSQt3XdHB+OIHR59oPkinigIzW0TnhRxmcQuoWsCzObZaSgBWTn9PALWi0SdhuI5T0dkLg+4Zi/3g+M5tJVjVMzrSIqM5DkaJX35iYWsR0XjvAJ7Oq+VP4tYsor/vuchyo7JCR+273oFuIR8WeboD4CWn0SWGyEDMmYhYFDkEnSI3WmSzTK+YyaPLD5HNuFxpWsbPXenCFmaZDnqCqEsuMiZSihMmKlDldB0t4X0Au8pv0gBfUp6CV1iVVUoamcUPSSH05U8Zehzjw+bJ7iaX86xIQWwLOH7+Wy6ykt5mxsRyG2wDthzNIcGjUDKRCGkm0iFdcZ3xKc9ih0W3YH+fEHj0zuAd2LF7IXZhx67q7cL+OSHsXxLC/qeEsP97Qth/SwPbyIrTKaQQKS30+OaZyMqao/I9XSd4Jxvg1U0CvaSsOZuXVRrt22qZlM9jJyF5yCyFUqLhSx7fNyIy7RISE5ygVnkaa9ICTmNN6rWuqwSzSHPRllUnMVWNNNb0gNsEIsRIYw2zVLDRrEkCvBbsVlAhNeQJmHD5i6VKokdh+YuszAJokcCtJssqy3kCH7YFnCBIgnDVdG3iu0UtZJ0EclVnCWIauWKG5ZQnKCDSGZ2DyNcRs666sAXl6z+gmKbAe5lhG9AkkF07mDRYu8TaJNCn82r5SxoftM6mzPwtSaOxXGdxZ8X1ACsZXVTrJNccoUKu4le5aefjjzZrqwMYzML5+eM7RxxwVPuSAHfd5ON1kOvAnjEOKWwYnc1SHCKbxSzO3gacQjfQGaswSTFLIupYtfyp0KYaNPOPBFurPAlszmaQwozR6GguoWDRCka3YTORhktKWdQcdC5TUNsDZ/MEsklWekVN1Jn/HeihDPIogBXMmTaKxveEbGAn0PgUVKlIrZLRWmMncpVIvrrMfMfiCaAbBbRMoEi6UqBUaKdTrlcLyXTmJszGh76miiZh8GKkEDYG5KWbbx8bLtOGiuhzjgttprWKNSywgQpuVlAKqHV0XOPr0U1NcmywOLlhFn/Y9aGdBnbBnNOiiH0HWBE7rNq0DkrwFrEyy5WUZZKuRBZwAjONlVma5Ejf8SgFmaub6O2ZKh2/ZSmrdKVYZKCcGmbq6NlnnAmI12JnA1VHnajTwsXi2/huLS5d19NsxmX057wFniDl39q80aWOBZpA4lgbOgGq0XMTuJwnYV0xT3KBK6liC7ByWs9TXLOS6TyFWCh1EoZNMQdCgMHmStHhRpfhrgF07Iw/BzV2Op5YrWJbIEkqyqQbAB3dEpXxNSOp2DwLzON6MNyVABX/zaoyN5Q3Otiok6k3YN2I1yRMlqBw08/EiS0MPNjY0qDKnCMpOrpUa/vLLF/EqvMfgIbbikUPBFSgyrmiwgx67saAvEoCOP7T6zqRffrUmwIaAbCS84zqKuLAgC5oRWNDVUB5Cv1OQY50cF1HEwGPT2QLOW4L1w5kqYoEGMd3ZOoEvmHtfMMJ8gE0xE4EcAOPExgnGr7EZ4BQg9ZoUBOYUprNEwheXcX2smmVp7gHKi+iK9Ja5aGuuBEAm3gjtrowax29q+YyF7ELJYLTYh8K1DXpjL19Mzfx2coBjR/Ra2d6xoa7rqJ3a62LaZI89FrxBG9hrUFlBYtd9Z5kbEUTGUpBBpNrQ8vY3uBlxoQ2dJZAM1gyZVKo4ctKJGjdZKSqRUw3a6gtWqCj6GltJPlQCzJYus0eSTgs7zPlrCBnCgpmyBlVhe9mqLH9exgdNzkrIZXGJoQiGByiT7C/QS45CZXqtPkQTKSj3EVZcbmGwWDBvfSbyTpaU+878pilofMZ4bwzBXO4JSXtN1rYxGLFvO4PA0mOJGcahzM0q/ujxwZKRNdVJZUhw8ajhKwW1BBmSKVgNsYKD0jLvc8QihDhvdXRokCY8J3dR/pCcyZST+TvoGpX6+KpiZFzMAtQk83n9ULWgxeNEAFLUO04IiNJRZUG8hYMxYng7
q7SlgTP3si5fnHlyl6fk3M/4uuEmEVgShE2A/4AfvQxoi3IOzC/MSNAh895yNRJiDfDkd3tLcLF3WY1UJUvJkywIH44c/cI/bV74hNnYWAyxAtOa4Gzfuc1znFtmriHG7j3+rXv2FP6dtztntom3H5+8Yixbw8ii1jTdLfOq7gs+Qi3Bm/FmLvgGNOoRwTSZnDdO5xQLfjIxEvsnptwHDj2z9VgiIIvNWizo2n34dnK9++V71QGHMvjVnUSu++RavNOt90pu3ByGGFsbOvn2KFdvwruPObs//3zDe1il+eNUMC1w7yBVkO8JN57srB9XKZUA3Hp2i02ZHCr2lPy33gcfEU7Cr7FXCrXvj5IRkKoJhoAx53R3fOqFBWa5kcY7zvoMO2WFqj2bpgmrxVOQNuFdAWqZE7dOBbSmyXdYA62ZBzmQDgsgROqNZsLd3Cbef1h1seWzI8ov3H9HZw+fZRJzxazWrAvNfTHJNLw5evge1jHxMOmoDQaDSvchcylEIC5FWTFzGJMUBASqAxpNXYFB5UX3du0sOREedI+UVzOWU45sRiMmD6IxeNih0uNjGl8PNpVi7UOo9dJZ1vJXlZr7AeeckZ1tpDJbQJnxLXmGs5S2Qw1slKxO4In3A+AuEtjscU3zQ9iyTlQNTnlWlpDfOu+nWOwnPzqvzEhp2Ld/m8A3aAtr4UhtJjksqxqAyoshpO48e3G0pln3/TPAmcsbh0IM/+oX37/w9+s7XveOY6GYt8E0fZ8msWNmN3VcUPXoMg/tT45/cKjgciFb33s+p/0PC82OG9x/c7zODB5eZ9s+7Y/MMWuMyHv3n+8sHsHBc55gv7SgulcQUVFvrZapVfPeD8XhCCFTsjHt6/IpTA/vjwhl+/OL/7zFfl0KcwvP5Fnq8WaCGBmAYrkC6n9qDSpFOQGP/XDL//z/3v+bZAiYBYJZVyfHihTJyUNj+PRibnvntf82vHiZYNU+IoXTwvprmzag/mBDePu/MCH8O0pphvr5DNTpqacvDl9F0T2DykgnS/rMM74P1LAJExbi+5XI0JxI/uFJx7BU3yDd5zDnBpY0UcYkY7cfUVOi0Khn9ZxeQid9unNy+rQOOdDYyGXZ2+v3Ks0Gh4rqT5i9GPLqeQ0Vf92k8sri8qI98vS8MBJEFFoaNcep2GjiWVuutZxBUQHXVoUzH6Y8k3AtjPLP/zOHZEBrEmIF1z6G36+zQIDVDa51kn0urs+aZS88xheSWVakTwQugUG2PAAmFnvl7z6yLR3+2Fi3jwmzbbejhFeQMhuPJYX12OHli/VWubMqpzObzTQcYiVy4qKOUxa0ymXYsbmtYKCTNcIE0SBWUNhOVMd2HpgUDQ6oi0HF50l6HfAI+r+3RKu6A4ABaU0kPnM7vh5RvFJWwid0cyl4icAXRmVBvgsAUvMElQL8xTXIVX/kyoBUWmRNZ64dGp534K3+5j0V+s6Ex5Bg70wC1ACDPm4ruCEfGqesTfoAPuRXDUOsMFL8H5MU2tG9RxBmRgxjRukvV/8hFDOg8pEtfkgJrhRhYl5S1D2DWTCSKINPuZMkE+XowIlxwTZZPIqusi2QGWVYOybBaxAx87otWATlLi4FzF2Kjr62xNg60YrZBzEPPqkSMTZKh8JtdARDdSpPJR3AjCC5JhOMCOUvJZqRVUxnNNNyOkck70UofbG32Iu3RTMCkCEVc/IXRPvG+OWhvJuqM4hQ7BlPGZGDHbIhM9zxbSEkhkrlvyIjfAWl5yKY8Tx7+CgbBJEOi7KwQa3XZabSMrSWrBzNGC3X57YkUrIsQvBMl4/uLtF7KkyLK85VQT7RZMGiWcXt6/eyLmczcLT3yHPzAKSH+8Wsh/tgu42dvC+sHhbdE9rswBhfLL4KNq6jtk54W4JPW7JcdQ/aVCjCMva5PK4lPZLjiN8Xec5aD2CM3YeP6w52mGJJ4gXsSruXKo1CRQmDHA7hnDawhF6OFqphAE+XUlh3xUrt0LKYftFM
lCUtne1jNePbuTdpMR1LcWaAc6gaPfj/TA9fZgJopmpA/KTYHEBeBHtoS6oJrSQlX1dzAKYInIlNkfmCGforRSyHMmrxZkcmrkW9cdVIqxyz0Rh5Y9UuiUAJa8ZB3LqEZsMyHAXZ69oN+bu5GjCeLv/R0lXGCXBtc9aiEuF0B4DhIhZ7/4AQrh8vWtfrxGbEuMJoVOZsnogsPkpLOiSyRq1y1yWlZIlG8lQhGMjdyHolGMR2Yyc7caNiWUrdhIi2cdwS+skQQS2MIw6XOYABAPrt/ilPt3OK7u5b6NstymzrIXpl7PF1ugLLAPP8kPM+jtpQfgez0GAYnmzJSQIJvr1UwuYWeBTG5rtRjyyk/yHiTZqPPjZ7OmQtluPtqeXu/fk1Qu3VsJ9BU3T1gg3rARt5brT9hRUMBpE8qcQrSnE3oPAxoMPPAZ1R9Y6pHf3o7HWj3fb0w+Zjjbk9M5b8w7jfTsc7A13vBEIdxAGX+/uXu7dnTrq2bmLFmVvav/JReulehwBskeOtwLk62XHH/cfWazRBsc5srvJR3VUCRLzjt1BfhyVHWPubcCMrVKPJWg9P3X0yp3aLLISzEI+QpSEbnmSiUPDf2z0wLGXkpJJvU47ojofJPf+WovIDr5M5An5z8nP339Pnr05P716Ts6ZNkzMa6YXUGApfBAXLucyeV+gXZEwzJadOTz8MeMHRzLGlEzsVdxV/2lPNYRBe2PQIx9t6PN9rkuOaf9t3W/H8Yc4hWKmVITapG8yxSiP1Z2ut5EPtGC1disQqYhmJeNUOfFkxaa9Qzm+6+HyKrznmhXH7DTSzZT/ZBmh8SL2+mJuLnm6OotTseuuY1jDVxp2/L/eSYS/GfCCd9xApyyjCLsypUqZGDAI2SCppZpTwf7YkVUt0rHCXYl9AKW7PDVC7hlTwVrSRF1/Xtvl8LVwLb5c76KtrOZfgXKzyKkCUikoZMkEDRbcdcTTFTUMhNF70+M5PeZu39BH3axr/QhVIsa1V+dbK7gqqgw2Q9psdbdYPWKzIy9s7iJRZ1CAogaKLFpS2Q7+sMLndbNiGzy7UnLJirZ5mP8crSruNdUBY/jmP/ZZ29ZpwwrOZpOsONIu2yV9rz+zHtlmcHgoZk4umYueL/qK+0gLuFbpjDkU/L6aJ9yiztT5UqcSeh7YqNNRUWOlmmgjlZP4FloJhuJq3+KnJvZT34Z3X7Ki4HA8KfcW17urnAscb0fuHSTnmvEYx9nulV+t02FIrJvo7AmpOLVHZt9nqQiIXK2rMS8/pkIewZ68Qwadam3LX6U25C3NF0yMmHQFTSQ5vunT+pPATP9KgRUfVj9yTc70hLwpaEU+43+cflRI4epO/zF8PMmCLsFqThyoIl9qUGuCPQh1JYWGRqMKF6fa/Wb4nePIS98DL7eQFWu6QAq3fdeXbxzPZktHQHXDQB98c9S7YopTntI6zPo83rSW3mpiZG1D//AyTVQtRNCO1Sfty+Miz66N1EiNnYeYeQsz/UFQsmKikCtNdAU5m7Hc/uYkVCfo82SHF8Ruz+G7ybkhz7AjLIh88wxh6PJ5h1qkFviOv4E5zdfkk95ufNtGYMt+IW307Fq7whEM9pHXvmtqISpYq4ZMZl/EAcXbPgCB6v+tSlMs5xmSb3vb6RXqse68Tr0O7Bh3GGQ0/50DNnucvN6xrfoMX+96b2TdBW59vAvocDfHcdi1AYPts9kkZLpjGJxQuCHF/uJnLBuIORJwtMINt1zAjAnvq0fhhF39SlqNNB1E7A4qFEuE28YB01P/YgvG1mebeu++l9JIb8rWh20MzRflkVvgb1ZFgpOBddQ9jiRDXqZMxJsgFvVu2C1jUWHaxzMgpLplO3gsro32prw/MLVzgHXat28P1hVVDU/ZH59strJasEErdWJvh7VlXfL7nbZnos8scW0tpFqnO/C/64qKf9nbMaZBZLuLeqOeh54mS5a/v0Doe/b2aCrRYFdNv/XduxrlggyEUbI6R
HQUsp4OnAt34nG/prW2YU85AuLoqjuOew/PZFlRsW7vI147HKfv7JUlKPsMZUzMZFgpoPomdY3QHvnRsyIbzFaQtiv67EuqHIHXNedr8h815WzGoCDnWPfsnINBVFYwzXIpb9gjBd1/gylx62/sZ8rHtPno3WY34fCqNqhyHzjCdP9d/9Au4afseHe088lPyMd15ba+8RxY4rgTHD88BbMsajPZHtoWB+eIUN/qUNvaPjLHcNW1yuU2ds6zWEnVePsxxPzhzciRd3rlRGanhhZV2jlEO0hhV97ruW/QVFIm0kS2kbLr2PMgFTVh12QuMqpjRvs7gJUvp48MuVY84jF3oEY8ldYYzWoVyxvSgalBZXQez6bcgI7+PG2Djpr+uA3ac30CwQK3BgSqVvGNEws/Gje3it5CQS9VJrZG5ZY4Ri3hlsz9iMuievXC//vMo/DC/8PnNYXc/pSDCmfn+e08YvTcbaYbPEePa2fU2mA7hR+IZk0qJmag1Ejcdbjvo+yrq/jvJX3QPXsEJJu+xLPOMQSuFIa1ZdIrFVjiaOx34eL2lu0+Ygax6v7o32GYoDU+8JNVC1DH8UdYnd1nPD07w9GPz8kZrh9GDZQ5UrOUETqfgfLDP2ErC3NHc15IGjruELJz4HbRb3WnU/TOk2Z/HOqVvH9rlPBpk2v2R9hbw24SyZTLf78gAubSMHeA1YLqkQlQOj92W6HOUbrFx4cL2qNONgFqkODS47GmcXpTfxNOSNFsfoyKiu3+Ru3Uw4+jg5atNGFa19GVToSMyVLpvHUPi6EghqBUUh/o4FC60vPCLk6uMTi9SzodJUOi7Qzuo8jPrjG1c/dj1JGehyF5f+m5A8dxEao1z5YpX/R+SNU7soPIFJllPVpHb9OoUwFmN+At6kTNDb7ZjCvpPkgoW38iGuN1UpHL69N/f3tFruw7Rd6LkekrG2wTVVIfgu3HlQxji2IoX0B+ow9yIt9NCKftQRYaOtf262xbhGEaqB9BuJGCO7RcUGzQFPIRlFyHR9sVZNRoQJwNNfXRJnx2sVxSzgrHiAEk+oLwaF2tdwlCpNgNrHVfbEfi/CaBNDLshTGVzhjOoE0CGo8yBUFy+gRuE5uLpvJFKmbWe25ULssyaZ+4O+Lt8PAOoXAJ/oop4H1LM7aLZcWpyLR+rIG3dmUnw3/zu21qtILYulLjrJLsGGnVIYQdBgQxQKTC1gCSNV9QIQaNM1K3m/KrIiIjMdsjtW1uHxY/8/C3N6fv/Lv3ord8+6AYqfq+/+g925i+yZaS16kIcNrMcRZ+zk07GbsZ51sLZjR55pDQz7FbBxb2NhN1e+AJIh3cDa8TSbM3HtdPghmfLjDZLjpYgsJMgVnNSS5FDpWxhvK1O8OR9gqrVUrp6whvDfZmhLZFtJLKEGnp++u/noZScINkj813Us2Pn2DZLzDYcrFOqWt2EmwU828X768ur8hbelsyUbRjvcPHavd29DTMrSGKI9vy2xjsbte2WvUpXLIYPT3bVTlms+MVbD52EX6z5eRqx5azzEvly3PfpddjsRNDfrxDeeReAc2Oy//ydcNtYY4ohppk7NuN/hJrQj9SdqMfV41WfBvULV1x7wnRdSBFnWryd22UFPN/mXKa33CmDRR/f+F/dtL+lokZ5OFfzZiCFeVBRYZOeec7hIqCaElG2FLBnGmj1tayP6awqKhZ+Gb9LQ6kj8MASXRKHQtNVwjt6rVyqTpdyFt9ssUchFHrv/zfAAAA//+V+BLu" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 21dc57d3315..8b1557a76cb 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
@@ -71,7 +71,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -121,7 +121,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -171,7 +171,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -218,7 +218,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index b1b3a633ad1..0fc56c786a6 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
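Review bot: Rewriting `event.outcome` from `deny` to `failure` in these expectations (and from `allow` to `success` in dns.log-expected.json) changes a value that saved searches, dashboards and detection rules may filter on, so a query such as `event.outcome: deny` would stop matching firewall denies without raising any error. The same substitution repeats in every hunk of asa-fix.log-expected.json, asa.log-expected.json and dns.log-expected.json. I would record it in the changelog as a breaking field-value change. It is also worth confirming that the permit/block decision is still carried by another field, because `failure` alone does not separate a policy deny from an operation that failed; the `event.type` array opens at the end of each hunk but its contents are outside the visible context.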
@@ -4409,7 +4409,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4462,7 +4462,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4515,7 +4515,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4568,7 +4568,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4621,7 +4621,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4674,7 +4674,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4727,7 +4727,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4780,7 +4780,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4833,7 +4833,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4886,7 +4886,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4939,7 +4939,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4992,7 +4992,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5045,7 +5045,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
index ae2b729ada8..2c9f9823c73 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -58,7 +58,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -163,7 +163,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -266,7 +266,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -371,7 +371,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -475,7 +475,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -578,7 +578,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -684,7 +684,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -787,7 +787,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -891,7 +891,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", @@ -996,7 +996,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", 
@@ -1102,7 +1102,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", @@ -1201,7 +1201,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", 
@@ -1305,7 +1305,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", @@ -1408,7 +1408,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", 
@@ -1512,7 +1512,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", @@ -1617,7 +1617,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", 
@@ -1720,7 +1720,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", @@ -1823,7 +1823,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", 
@@ -1926,7 +1926,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", @@ -2027,7 +2027,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", 
@@ -2132,7 +2132,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 90fd65d46cd..3055fdc89b6 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -17,7 +17,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -117,7 +117,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 371218e511b..64eceb0cbf5 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -17,7 +17,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -66,7 +66,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -116,7 +116,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -165,7 +165,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -216,7 +216,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -299,7 +299,7 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.connection_id": "89743274", "cisco.ftd.destination_interface": "outside", - "cisco.ftd.mapped_destination_ip": "10.123.3.42", + "cisco.ftd.mapped_destination_host": "10.123.3.42.130", "cisco.ftd.mapped_destination_port": 12834, "cisco.ftd.mapped_source_ip": "192.0.2.43", "cisco.ftd.mapped_source_port": 443, @@ -813,7 +813,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -862,7 +862,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
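Review bot: The `@@ -299` hunk now expects `cisco.ftd.mapped_destination_host` to be `10.123.3.42.130`, which is not a valid IPv4 address, where the old expectation was `cisco.ftd.mapped_destination_ip` with the truncated `10.123.3.42`. Keeping the full token instead of a silently shortened address is the safer result, but the field name changes for this event, so anything keyed on `cisco.ftd.mapped_destination_ip` will no longer see it. The hunk does not show the source log line, so I cannot tell whether the sample is meant to be malformed. If it is, the module docs or the commit message should say so, and a sample with a well-formed mapped destination would keep the `_ip` path covered unless another event in this file already does.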
@@ -911,7 +911,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -960,7 +960,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1009,7 +1009,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1058,7 +1058,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1107,7 +1107,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1156,7 +1156,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1205,7 +1205,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1254,7 +1254,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1303,7 +1303,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1350,7 +1350,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -1396,7 +1396,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1445,7 +1445,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1494,7 +1494,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1543,7 +1543,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1592,7 +1592,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1641,7 +1641,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1690,7 +1690,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1739,7 +1739,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1788,7 +1788,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1837,7 +1837,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1887,7 +1887,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1990,7 +1990,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2041,7 +2041,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2358,18 +2358,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7504, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", "observer.product": "ftd", 
@@ -2404,18 +2406,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7651, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", "observer.product": "ftd", @@ -2452,7 +2456,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2714,7 +2718,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2758,7 +2762,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2802,7 +2806,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -2846,7 +2850,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2890,7 +2894,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2934,7 +2938,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2978,7 +2982,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3022,7 +3026,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3069,7 +3073,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -3117,7 +3121,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 3, "event.timezone": "-02:00", "event.type": [ @@ -3163,7 +3167,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3215,7 +3219,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3330,7 +3334,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3376,7 +3380,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -3417,7 +3421,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3459,7 +3463,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 7d48283bdaa..c632cc3fe00 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -42,7 +42,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -130,7 +130,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:05:33.000Z", "event.timezone": "-02:00", @@ -228,7 +228,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -331,7 +331,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:00.000Z", "event.timezone": "-02:00", @@ -426,7 +426,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -529,7 +529,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:18.000Z", "event.timezone": "-02:00", @@ -631,7 +631,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -733,7 +733,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-16T09:33:15.000Z", "event.timezone": "-02:00", @@ -828,7 +828,7 @@ "event.type": [ "connection", "start", - "denied" + "failure" ], "fileset.name": "ftd", "host.hostname": "firepower", @@ -923,7 +923,7 @@ "event.type": [ "connection", "end", - "denied" + "failure" ], "fileset.name": "ftd", "host.hostname": "siem-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 2fe9194946a..c993477cfde 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json 
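Review bot: The expected `event.type` arrays in the `@@ -828,7 +828,7 @@` and `@@ -923,7 +923,7 @@` hunks now end in `"failure"` where they previously held `"denied"`. `failure` is an ECS `event.outcome` value, not an `event.type` value, while `denied` is the ECS type for a blocked connection. Rules and dashboards that select blocked traffic with `event.type: denied` would stop matching these FTD connection events. The fixture only records what the pipeline emits, so the cause is presumably an outcome rewrite that also touches the type list somewhere outside these hunks. The expectation should stay `"denied"`, with the failure carried in `event.outcome`.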
@@ -60,7 +60,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 0, "event.start": "2020-03-01T01:02:16.000Z", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 18ce8345a5a..86749dd0f1f 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -319,7 +319,7 @@ processors: - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" - value: allow + value: success - dissect: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" 
@@ -591,19 +591,20 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '713120'" field: "message" - pattern: "%{event.reason} (msgid=%{event.id})" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" - dissect: if: "ctx._temp_.cisco.message_id == '713202'" field: "message" - pattern: "IP = %{IP:source.address}, %{event.reason}. %{} packet." + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." - dissect: if: "ctx._temp_.cisco.message_id == '750003'" field: "message" pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" - - dissect: + - grok: if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "%{event.reason}" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" # Handle ecs action outcome protocol - set: if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' @@ -1277,6 +1278,10 @@ processors: field: "event.outcome" if: 'ctx.event?.outcome == "permitted"' value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "allow"' + value: success - set: field: "event.outcome" if: 'ctx.event?.outcome == "denied"' From b992fcd5d06969043fb85a93daa18870ff7afece Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Fri, 18 Sep 2020 11:16:03 +0200 Subject: [PATCH 06/13] commit for requested changes --- x-pack/filebeat/module/cisco/asa/_meta/fields.yml | 5 ----- .../module/cisco/shared/ingest/asa-ftd-pipeline.yml | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index d8c85432900..b3bb3b5eb1d 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml 
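Review bot: In the new grok for 713901–713906 the optional group prefix is matched with `%{IP}`, so it only matches when the tunnel group happens to be an address, whereas the 713120 dissect a few lines up accepts any group value with `Group = %{}`. When the group is a name, the `Group = ` prefix is skipped and the `IP = ` prefix cannot match either, because the anchored text still starts with `Group = `. The whole line, peer address included, then lands in `event.reason` and `source.address` stays unset, which hides the peer from address-based VPN detections. Suggest `"^(Group = [^,]+, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"`. Separately, the 713120 dissect now requires the `Group = …, IP = …,` prefix and shows no `ignore_failure`, so a line without the prefix would fail the processor. The processors list starts and ends outside this hunk, so any `on_failure` handling is not visible here.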
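Review bot: The `set` added in the `@@ -1277,6 +1278,10 @@` hunk maps one more vendor word (`allow`) by exact match, next to the existing `permitted` and `denied` processors, and nothing in the hunk catches a value that is on none of these lists. Any other word captured into `event.outcome` would be indexed as-is and missed by queries on `event.outcome: failure`. Consider a closing processor after the chain with `if: 'ctx.event?.outcome != null && !["success", "failure", "unknown"].contains(ctx.event.outcome)'` and `value: unknown`. The chain continues past the end of the hunk, so a fallback may already exist there.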
@@ -1,8 +1,3 @@ -- name: event.reason - type: text - description: > - Reason why this event happened, according to the source. - - name: cisco.asa type: group description: > diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 86749dd0f1f..b2d59ad5b45 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -24,10 +24,12 @@ processors: # exactly match the syntax for firepower management logs PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + # # Parse FTD/ASA style message # # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: field: log.original patterns: @@ -38,6 +40,7 @@ processors: FTD_SUFFIX: "[^0-9-]+" # Before version 6.3, FTD used ASA prefix in syslog messages FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + # # Create missing fields when no %FTD label is present # @@ -46,6 +49,7 @@ processors: field: _temp_.cisco.message_id value: "" if: "ctx?._temp_?.cisco?.message_id == null" + # # set default event.severity to 7 (debug): # @@ -57,11 +61,13 @@ processors: field: event.severity value: 7 if: "ctx?.event?.severity == null" + # # Drop messages above configured log_level # - drop: if: "ctx.event.severity > {< .log_level >}" + # # Parse the date included in FTD logs # @@ -97,6 +103,7 @@ processors: }, }, ] + - date: if: "ctx.event.timezone != null" timezone: "{{ event.timezone }}" @@ -165,6 +172,7 @@ processors: field: "log.level" if: "ctx.event.severity == 7" value: debug + # # Firewall messages # From 53860646d77e7560cc671ee5addd830300a0e5f2 Mon Sep 17 00:00:00 2001 
From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Fri, 18 Sep 2020 11:22:53 +0200 Subject: [PATCH 07/13] newline --- x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index b2d59ad5b45..e0339750b44 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -29,7 +29,6 @@ processors: # Parse FTD/ASA style message # # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. - - grok: field: log.original patterns: From 177579284e66509eccf8b978cc460bb4ae1f55ba Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Tue, 20 Oct 2020 11:37:21 +0200 Subject: [PATCH 08/13] test --- .../cisco/asa/test/asa-fix.log-expected.json | 1 + .../asa/test/dap_records.log-expected.json | 1 + x-pack/filebeat/module/cisco/fields.go | 2 +- .../cisco/ftd/test/dns.log-expected.json | 21 +++++++++++++++++++ .../security-connection.log-expected.json | 6 ++++++ .../security-file-malware.log-expected.json | 2 ++ .../security-malware-site.log-expected.json | 2 ++ .../test/cisco-ios-syslog.log-expected.json | 7 +++++++ 8 files changed, 41 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index fb23ddc44c3..69a356109dc 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json 
@@ -494,6 +494,7 @@ "destination.address": "1.2.33.40", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", "destination.geo.location.lat": 23.1167, "destination.geo.location.lon": 113.25, "destination.geo.region_iso_code": "CN-GD", diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index bb691462f78..e86dd81aead 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 85bb61cd0ec..79f0ee61a35 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 2c9f9823c73..3be1e4a94ed 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json 
@@ -39,6 +39,7 @@ "destination.bytes": 145, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -144,6 +145,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -247,6 +249,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -352,6 +355,7 @@ "destination.bytes": 200, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -456,6 +460,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -559,6 +564,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", 
@@ -665,6 +671,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -768,6 +775,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -872,6 +880,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -977,6 +986,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1081,6 +1091,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.region_iso_code": "US-WA", @@ -1184,6 +1195,7 @@ "destination.bytes": 313, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", 
@@ -1286,6 +1298,7 @@ "destination.bytes": 180, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1389,6 +1402,7 @@ "destination.bytes": 108, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1493,6 +1507,7 @@ "destination.bytes": 162, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1598,6 +1613,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1701,6 +1717,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1804,6 +1821,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", 
@@ -1907,6 +1925,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2009,6 +2028,7 @@ "destination.bytes": 131, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2113,6 +2133,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index c632cc3fe00..22187db36c9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -211,6 +211,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -312,6 +313,7 @@ "destination.bytes": 314, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", 
@@ -410,6 +412,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -511,6 +514,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -615,6 +619,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -715,6 +720,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index c9105b957ab..1ea6f02f739 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -560,6 +560,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", 
@@ -736,6 +737,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index c993477cfde..dfc1285cc87 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -44,6 +44,7 @@ "destination.bytes": 246, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", @@ -99,6 +100,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6348, "source.geo.location.lon": -122.3451, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json index 3485b3ff583..0695d3730aa 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json +++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -331,6 +331,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", 
@@ -828,6 +829,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1022,6 +1024,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1122,6 +1125,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1210,6 +1214,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -1296,6 +1301,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1537,6 +1543,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", 
From 029083fe6c15d9b8e910ddd7f1d7ff414257309e Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Tue, 20 Oct 2020 15:50:29 +0200 Subject: [PATCH 09/13] make test commit commit after running tests. --- .../additional_messages.log-expected.json | 20 +++++ .../meraki/test/generated.log-expected.json | 84 +++++++++---------- 2 files changed, 62 insertions(+), 42 deletions(-) diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 53a0a195654..dc0be68aefc 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1069,6 +1069,7 @@ "destination.geo.city_name": "Thousand Oaks", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.197, "destination.geo.location.lon": -118.8199, "destination.geo.region_iso_code": "US-CA", @@ -2273,6 +2274,7 @@ "destination.geo.city_name": "Clermont-Ferrand", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 45.7838, "destination.geo.location.lon": 3.0966, "destination.geo.region_iso_code": "FR-63", @@ -2320,6 +2322,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", 
@@ -2392,6 +2395,7 @@ "destination.geo.city_name": "Riga", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "LV", + "destination.geo.country_name": "Latvia", "destination.geo.location.lat": 56.9496, "destination.geo.location.lon": 24.0978, "destination.geo.region_iso_code": "LV-RIX", @@ -2749,6 +2753,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -2768,6 +2773,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5888, "destination.geo.location.lon": -0.0247, "destination.geo.region_iso_code": "GB-ENG", @@ -2845,6 +2851,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -2888,6 +2895,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -2906,6 +2914,7 @@ "destination.geo.city_name": "Stoke Newington", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5638, "destination.geo.location.lon": -0.0765, "destination.geo.region_iso_code": "GB-HCK", 
@@ -2951,6 +2960,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", @@ -3008,6 +3018,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -3057,6 +3068,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -3113,6 +3125,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -3169,6 +3182,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -3224,6 +3238,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", 
@@ -3279,6 +3294,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -3327,6 +3343,7 @@ "source.address": "192.128.1.1", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "192.128.1.1", @@ -3368,6 +3385,7 @@ "source.address": "192.64.157.61", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "192.64.157.61", @@ -3411,6 +3429,7 @@ "source.address": "192.128.1.1", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "192.128.1.1", @@ -3553,6 +3572,7 @@ "source.address": "192.128.1.1", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "192.128.1.1", diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index f8677343c20..43771600657 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json 
@@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.44.253", - "10.193.124.51" + "10.193.124.51", + "10.15.44.253" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.134.0.141", - "10.210.213.18" + "10.210.213.18", + "10.134.0.141" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -389,8 +389,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.72.17", - "10.74.237.180" + "10.74.237.180", + "10.163.72.17" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.53.150.119", - "10.85.10.165" + "10.85.10.165", + "10.53.150.119" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -1025,8 +1025,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.173.136.186", - "10.221.102.245" + "10.221.102.245", + "10.173.136.186" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", @@ -1177,8 +1177,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.148.124.84", - "10.28.144.180" + "10.28.144.180", + "10.148.124.84" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", 
@@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.98.194.212", - "10.204.230.166" + "10.204.230.166", + "10.98.194.212" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1349,8 +1349,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.139.239", - "10.180.195.43" + "10.180.195.43", + "10.247.139.239" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.230.6.127", - "10.111.157.56" + "10.111.157.56", + "10.230.6.127" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -2078,8 +2078,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.144.57.239", - "10.150.163.151" + "10.150.163.151", + "10.144.57.239" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2120,8 +2120,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.44.231", - "10.52.202.158" + "10.52.202.158", + "10.54.44.231" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2246,8 +2246,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.49.129", - "10.2.110.73" + "10.2.110.73", + "10.103.49.129" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2286,8 +2286,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.132.176.96", - "10.158.61.228" + "10.158.61.228", + "10.132.176.96" ], "rsa.counters.dclass_r1": "eserun", "rsa.internal.messageid": "events", @@ -2324,8 +2324,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.105.136.146", - "10.46.217.155" + "10.46.217.155", + "10.105.136.146" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", 
@@ -2846,8 +2846,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.140.242.86", - "10.177.64.152" + "10.177.64.152", + "10.140.242.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2884,8 +2884,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.199.103.185", - "10.51.121.223" + "10.51.121.223", + "10.199.103.185" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -2979,8 +2979,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.113.152.241", - "10.121.37.244" + "10.121.37.244", + "10.113.152.241" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -3058,8 +3058,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.101.13.122", - "10.200.98.243" + "10.200.98.243", + "10.101.13.122" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", @@ -3134,8 +3134,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.165.30", - "10.195.90.73" + "10.195.90.73", + "10.147.165.30" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3197,8 +3197,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.162.202.14", - "10.137.166.97" + "10.137.166.97", + "10.162.202.14" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", From e398834044fbde6a1db50f86de14023527f44038 Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Wed, 21 Oct 2020 10:52:47 +0200 Subject: [PATCH 10/13] Fix parsing on 106014 with an additional ${SPACE} in grok pattern, so space in between is optional in log message --- .../meraki/test/generated.log-expected.json | 100 +++++++++--------- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 2 +- 2 files changed, 51 insertions(+), 51 deletions(-) 
diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index 43771600657..a3c9462a556 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.124.51", - "10.15.44.253" + "10.15.44.253", + "10.193.124.51" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.210.213.18", - "10.134.0.141" + "10.134.0.141", + "10.210.213.18" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -389,8 +389,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.74.237.180", - "10.163.72.17" + "10.163.72.17", + "10.74.237.180" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -623,8 +623,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.205.47.51", - "10.219.84.37" + "10.219.84.37", + "10.205.47.51" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.30.212", - "10.66.89.5" + "10.66.89.5", + "10.247.30.212" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -1100,8 +1100,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.93.20", - "10.147.76.202" + "10.147.76.202", + "10.163.93.20" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.242.77.170", - "10.150.245.88" + "10.150.245.88", + "10.242.77.170" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1349,8 +1349,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.180.195.43", - "10.247.139.239" + "10.247.139.239", + "10.180.195.43" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1411,8 +1411,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.15.213", - "10.94.6.140" + "10.94.6.140", + "10.147.15.213" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.111.157.56", - "10.230.6.127" + "10.230.6.127", + "10.111.157.56" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.219.34", - "10.179.40.170" + "10.179.40.170", + "10.193.219.34" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1733,8 +1733,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.196.96.162", - "10.81.234.34" + "10.81.234.34", + "10.196.96.162" ], "rsa.internal.event_desc": "Utenima security_event iqua", "rsa.internal.messageid": "security_event", @@ -1864,8 +1864,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.39.172.93", - "10.83.131.245" + "10.83.131.245", + "10.39.172.93" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -1900,8 +1900,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.86.188.179", - "10.201.168.116" + "10.201.168.116", + "10.86.188.179" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2008,8 +2008,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.97.46.16", - "10.120.4.9" + "10.120.4.9", + "10.97.46.16" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2044,8 +2044,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.171.206.139", - "10.165.173.162" + "10.165.173.162", + "10.171.206.139" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2246,8 +2246,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.2.110.73", - "10.103.49.129" + "10.103.49.129", + "10.2.110.73" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2324,8 +2324,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.46.217.155", - "10.105.136.146" + "10.105.136.146", + "10.46.217.155" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2365,8 +2365,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2428,8 +2428,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.16.230.121", - "10.196.176.243" + "10.196.176.243", + "10.16.230.121" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2471,8 +2471,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.34.62.190", - "10.246.152.72" + "10.246.152.72", + "10.34.62.190" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", 
@@ -2584,8 +2584,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.121.9.5", - "10.244.32.189" + "10.244.32.189", + "10.121.9.5" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2710,8 +2710,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.91.159", - "10.199.19.205" + "10.199.19.205", + "10.103.91.159" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2979,8 +2979,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.121.37.244", - "10.113.152.241" + "10.113.152.241", + "10.121.37.244" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index e0339750b44..90c7587e8db 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -217,7 +217,7 @@ processors: if: "ctx._temp_.cisco.message_id == '106014'" field: "message" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}%{SPACE}(%{GREEDYDATA})?" - grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" From 1e9da380a2c67976652116a4bfbe300d1855cc12 Mon Sep 17 00:00:00 2001 
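Review bot: The `%{SPACE}` added to the 106014 pattern comes after `%{NOTSPACE:destination.address}`, and NOTSPACE already consumes everything up to the next space, so a message where `(type` follows the address with no space still puts the whole token into destination.address. The pre-change fixture values in the next patch of this series (`"destination.address": "10.10.10.10(type"`, mapped to destination.domain rather than destination.ip) are consistent with that. The commit's diffstat lists only the meraki expected file and the pipeline, so no 106014 sample exercises the change; adding a 106014 line with the no-space form to the ASA test log and its expected JSON in this same commit would show whether the fix holds. The grok processor's opening line is outside the hunk.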
From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Fri, 30 Oct 2020 12:48:57 +0100 Subject: [PATCH 11/13] fixed 106014 finally This fixing finally 106014. We have, afaik, two options. Use IPORHOST to not match '(type' or using '(?[^ (]*)' so we only dispense on space or '(' for the case destination.address is weird. NOTSPACE is not work in this case. --- .../additional_messages.log-expected.json | 5 +- .../meraki/test/generated.log-expected.json | 96 +++++++++---------- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 3 +- 3 files changed, 53 insertions(+), 51 deletions(-) diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index dc0be68aefc..29c7f84a99f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1918,8 +1918,8 @@ "cisco.asa.destination_interface": "fw111", "cisco.asa.message_id": "106014", "cisco.asa.source_interface": "fw111", - "destination.address": "10.10.10.10(type", - "destination.domain": "10.10.10.10(type", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", "event.action": "firewall-rule", "event.category": [ "network" @@ -1951,6 +1951,7 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ + "10.10.10.10", "10.10.10.10" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index a3c9462a556..4bb7b9df837 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json 
@@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.44.253", - "10.193.124.51" + "10.193.124.51", + "10.15.44.253" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -57,8 +57,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.16.212", - "10.102.218.31" + "10.102.218.31", + "10.15.16.212" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.134.0.141", - "10.210.213.18" + "10.210.213.18", + "10.134.0.141" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.10.165", - "10.53.150.119" + "10.53.150.119", + "10.85.10.165" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -692,8 +692,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.182.178.217", - "10.63.194.87" + "10.63.194.87", + "10.182.178.217" ], "rsa.counters.dclass_r1": "fdeFi", "rsa.internal.messageid": "events", @@ -732,8 +732,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.153.0.77", - "10.163.154.210" + "10.163.154.210", + "10.153.0.77" ], "rsa.counters.dclass_r1": "utlabor", "rsa.internal.messageid": "events", @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.0.200.27", - "10.183.44.198" + "10.183.44.198", + "10.0.200.27" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1177,8 +1177,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.28.144.180", - "10.148.124.84" + "10.148.124.84", + "10.28.144.180" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.204.230.166", - "10.98.194.212" + "10.98.194.212", + "10.204.230.166" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.150.245.88", - "10.242.77.170" + "10.242.77.170", + "10.150.245.88" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1349,8 +1349,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.139.239", - "10.180.195.43" + "10.180.195.43", + "10.247.139.239" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1411,8 +1411,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.94.6.140", - "10.147.15.213" + "10.147.15.213", + "10.94.6.140" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.230.6.127", - "10.111.157.56" + "10.111.157.56", + "10.230.6.127" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1864,8 +1864,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.83.131.245", - "10.39.172.93" + "10.39.172.93", + "10.83.131.245" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -1900,8 +1900,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.201.168.116", - "10.86.188.179" + "10.86.188.179", + "10.201.168.116" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2008,8 +2008,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.120.4.9", - "10.97.46.16" + "10.97.46.16", + "10.120.4.9" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2078,8 +2078,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.150.163.151", - "10.144.57.239" + "10.144.57.239", + "10.150.163.151" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2286,8 +2286,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.158.61.228", - "10.132.176.96" + "10.132.176.96", + "10.158.61.228" ], "rsa.counters.dclass_r1": "eserun", "rsa.internal.messageid": "events", @@ -2428,8 +2428,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.196.176.243", - "10.16.230.121" + "10.16.230.121", + "10.196.176.243" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2584,8 +2584,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.244.32.189", - "10.121.9.5" + "10.121.9.5", + "10.244.32.189" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2710,8 +2710,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.199.19.205", - "10.103.91.159" + "10.103.91.159", + "10.199.19.205" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2884,8 +2884,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.51.121.223", - "10.199.103.185" + "10.199.103.185", + "10.51.121.223" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", 
@@ -3058,8 +3058,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.200.98.243", - "10.101.13.122" + "10.101.13.122", + "10.200.98.243" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 90c7587e8db..f4d81b0ba9d 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -174,6 +174,7 @@ processors: # # Firewall messages + # # This set of messages is shared between FTD and ASA. - set: @@ -217,7 +218,7 @@ processors: if: "ctx._temp_.cisco.message_id == '106014'" field: "message" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}%{SPACE}(%{GREEDYDATA})?" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" From babe7b55a23982702d9b8e66fa409496fc1fbf04 Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Fri, 30 Oct 2020 18:02:10 +0100 Subject: [PATCH 12/13] after test commit --- .../additional_messages.log-expected.json | 39 ++++++ .../meraki/test/generated.log-expected.json | 132 +++++++++--------- 2 files changed, 105 insertions(+), 66 deletions(-) diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index fc9b38fcafe..aa24b0fd237 100644 
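Review bot: The new destination capture in the 106014 pattern, `[^ (]*`, also matches an empty string and any non-address text up to a space or `(`, so a malformed line still parses and can leave destination.address empty or holding junk instead of failing the grok. Requiring at least one character, `[^ (]+`, or using `%{IPORHOST:destination.address}` as the commit message considers, would surface such lines as parse failures instead. On this page the group reads `(?[^ (]*)` with no name; that is presumably an extraction artefact of a named group, but it is worth confirming that the committed pattern names the field, since the unnamed form is not a valid group. A one-line comment above the pattern, `# dst address may be followed directly by "(type ..." with no space, so NOTSPACE over-captures`, would record why this capture differs from the others. The grok processor's opening line is outside the hunk.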
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -3208,6 +3208,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178", "192.168.2.2" @@ -3258,6 +3261,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.138", "192.168.2.2" @@ -3315,6 +3321,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178", "192.168.2.2" @@ -3372,6 +3381,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178", "192.168.2.2" @@ -3425,6 +3437,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178", "192.168.2.2" @@ -3481,6 +3496,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178", "192.168.2.2" @@ -3537,6 +3555,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.128.1.1" ], @@ -3579,6 +3600,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.64.157.61" ], @@ -3623,6 +3647,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.128.1.1" ], 
@@ -3667,6 +3694,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3698,6 +3728,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3732,6 +3765,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3766,6 +3802,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.128.1.1" ], diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index 3b218ebdae8..05d75fb65b0 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.124.51", - "10.15.44.253" + "10.15.44.253", + "10.193.124.51" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -57,8 +57,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.102.218.31", - "10.15.16.212" + "10.15.16.212", + "10.102.218.31" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -122,8 +122,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.112.46.169", - "10.155.236.240" + "10.155.236.240", + "10.112.46.169" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.210.213.18", - "10.134.0.141" + "10.134.0.141", + "10.210.213.18" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.53.150.119", - "10.85.10.165" + "10.85.10.165", + "10.53.150.119" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -623,8 +623,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.219.84.37", - "10.205.47.51" + "10.205.47.51", + "10.219.84.37" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -692,8 +692,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.63.194.87", - "10.182.178.217" + "10.182.178.217", + "10.63.194.87" ], "rsa.counters.dclass_r1": "fdeFi", "rsa.internal.messageid": "events", @@ -732,8 +732,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.154.210", - "10.153.0.77" + "10.153.0.77", + "10.163.154.210" ], "rsa.counters.dclass_r1": "utlabor", "rsa.internal.messageid": "events", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.31.77.157", - "10.12.182.70" + "10.12.182.70", + "10.31.77.157" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.93.68.231", - "10.135.217.12" + "10.135.217.12", + "10.93.68.231" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.66.89.5", - "10.247.30.212" + "10.247.30.212", + "10.66.89.5" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1177,8 +1177,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.28.144.180", - "10.148.124.84" + "10.148.124.84", + "10.28.144.180" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.204.230.166", - "10.98.194.212" + "10.98.194.212", + "10.204.230.166" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1349,8 +1349,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.180.195.43", - "10.247.139.239" + "10.247.139.239", + "10.180.195.43" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1411,8 +1411,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.15.213", - "10.94.6.140" + "10.94.6.140", + "10.147.15.213" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.111.157.56", - "10.230.6.127" + "10.230.6.127", + "10.111.157.56" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.90.99.245", - "10.124.63.4" + "10.124.63.4", + "10.90.99.245" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1795,8 +1795,8 @@ "remips188.api.invalid" ], "related.ip": [ - "10.40.101.224", - "10.78.199.43" + "10.78.199.43", + "10.40.101.224" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", 
@@ -1903,8 +1903,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.201.168.116", - "10.86.188.179" + "10.86.188.179", + "10.201.168.116" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1941,8 +1941,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.122.204.151", - "10.148.211.222" + "10.148.211.222", + "10.122.204.151" ], "rsa.internal.event_desc": "umexercisecurity_event duntut", "rsa.internal.messageid": "security_event", @@ -2011,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.97.46.16", - "10.120.4.9" + "10.120.4.9", + "10.97.46.16" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2047,8 +2047,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.165.173.162", - "10.171.206.139" + "10.171.206.139", + "10.165.173.162" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2084,8 +2084,8 @@ "uames4985.mail.localdomain" ], "related.ip": [ - "10.144.57.239", - "10.150.163.151" + "10.150.163.151", + "10.144.57.239" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2333,8 +2333,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.105.136.146", - "10.46.217.155" + "10.46.217.155", + "10.105.136.146" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2437,8 +2437,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.196.176.243", - "10.16.230.121" + "10.16.230.121", + "10.196.176.243" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2758,8 +2758,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.17.111.91", - "10.65.0.157" + "10.65.0.157", + "10.17.111.91" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", 
@@ -2855,8 +2855,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.177.64.152", - "10.140.242.86" + "10.140.242.86", + "10.177.64.152" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2893,8 +2893,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.51.121.223", - "10.199.103.185" + "10.199.103.185", + "10.51.121.223" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -2988,8 +2988,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.121.37.244", - "10.113.152.241" + "10.113.152.241", + "10.121.37.244" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -3027,8 +3027,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.118.132", - "10.254.96.130" + "10.254.96.130", + "10.247.118.132" ], "rsa.counters.dclass_r1": "ectet", "rsa.internal.messageid": "events", @@ -3206,8 +3206,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.137.166.97", - "10.162.202.14" + "10.162.202.14", + "10.137.166.97" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3330,8 +3330,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.59.172", - "10.75.122.111" + "10.75.122.111", + "10.85.59.172" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", From 763132ead74a507b0bff5d7444291c2612169def Mon Sep 17 00:00:00 2001 From: pcosic <69909732+pcosic@users.noreply.github.com> Date: Thu, 17 Dec 2020 11:31:51 +0100 Subject: [PATCH 13/13] Test after merge --- .../additional_messages.log-expected.json | 26 +++---- .../meraki/test/generated.log-expected.json | 76 +++++++++---------- 2 files changed, 51 insertions(+), 51 deletions(-) 
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index fcc2954b838..85ca9b9cb3d 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -3242,7 +3242,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 9924, + "log.offset": 10051, "network.protocol": "tcp", "observer.egress.interface.name": "sourceInterfaceName", "observer.hostname": "dev01", @@ -3295,7 +3295,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 10142, + "log.offset": 10269, "network.protocol": "tcp", "observer.egress.interface.name": "sourceInterfaceName", "observer.hostname": "dev01", @@ -3356,7 +3356,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 10309, + "log.offset": 10436, "network.protocol": "tcp", "observer.egress.interface.name": "sourceInterfaceName", "observer.hostname": "dev01", @@ -3415,7 +3415,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 10460, + "log.offset": 10587, "network.protocol": "tcp", "observer.egress.interface.name": "sourceInterfaceName", "observer.hostname": "dev01", @@ -3474,7 +3474,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 10975, + "log.offset": 11102, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3533,7 +3533,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 11113, + "log.offset": 11240, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -3592,7 +3592,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 11295, + "log.offset": 11422, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3637,7 +3637,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 11415, + "log.offset": 11542, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3684,7 +3684,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11528, + "log.offset": 11655, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3731,7 +3731,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11655, + "log.offset": 11782, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3765,7 +3765,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11741, + "log.offset": 11868, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3802,7 +3802,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11845, + "log.offset": 11972, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3839,7 +3839,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11954, + "log.offset": 12081, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index c492b24daf1..b1d368c455c 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json 
@@ -354,8 +354,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.134.0.141", - "10.210.213.18" + "10.210.213.18", + "10.134.0.141" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -398,8 +398,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.72.17", - "10.74.237.180" + "10.74.237.180", + "10.163.72.17" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -531,8 +531,8 @@ "appliance" ], "related.ip": [ - "10.85.10.165", - "10.53.150.119" + "10.53.150.119", + "10.85.10.165" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -569,8 +569,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.187.77.245", - "10.88.231.224" + "10.88.231.224", + "10.187.77.245" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -710,8 +710,8 @@ "appliance" ], "related.ip": [ - "10.182.178.217", - "10.63.194.87" + "10.63.194.87", + "10.182.178.217" ], "rsa.counters.dclass_r1": "fdeFi", "rsa.internal.messageid": "events", @@ -753,8 +753,8 @@ "appliance" ], "related.ip": [ - "10.153.0.77", - "10.163.154.210" + "10.163.154.210", + "10.153.0.77" ], "rsa.counters.dclass_r1": "utlabor", "rsa.internal.messageid": "events", @@ -855,8 +855,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -926,8 +926,8 @@ "appliance" ], "related.ip": [ - "10.135.217.12", - "10.93.68.231" + "10.93.68.231", + "10.135.217.12" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -1058,8 +1058,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.173.136.186", - "10.221.102.245" + "10.221.102.245", + "10.173.136.186" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", @@ -1097,8 +1097,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1492,8 +1492,8 @@ "appliance" ], "related.ip": [ - "10.230.6.127", - "10.111.157.56" + "10.111.157.56", + "10.230.6.127" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1919,8 +1919,8 @@ "appliance" ], "related.ip": [ - "10.39.172.93", - "10.83.131.245" + "10.83.131.245", + "10.39.172.93" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -2069,8 +2069,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.120.4.9", - "10.97.46.16" + "10.97.46.16", + "10.120.4.9" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2402,8 +2402,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.46.217.155", - "10.105.136.146" + "10.105.136.146", + "10.46.217.155" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2446,8 +2446,8 @@ "appliance" ], "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2558,8 +2558,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.246.152.72", - "10.34.62.190" + "10.34.62.190", + "10.246.152.72" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2839,8 +2839,8 @@ "appliance" ], "related.ip": [ - "10.65.0.157", - "10.17.111.91" + "10.17.111.91", + "10.65.0.157" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", 
@@ -3299,8 +3299,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.162.202.14", - "10.137.166.97" + "10.137.166.97", + "10.162.202.14" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3426,8 +3426,8 @@ "appliance" ], "related.ip": [ - "10.75.122.111", - "10.85.59.172" + "10.85.59.172", + "10.75.122.111" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events",