From 132dde0517fefdfe6b46adc0e1dab77ab6218442 Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss <satta@debian.org>
Date: Sun, 20 Oct 2024 03:18:42 +0200
Subject: [PATCH 1/3] mqtt: check reason codes for CONNACK

---
 tests/mqtt-connect-rules/test.rules |  2 ++
 tests/mqtt-connect-rules/test.yaml  | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/tests/mqtt-connect-rules/test.rules b/tests/mqtt-connect-rules/test.rules
index 4668f5cb6..36015db66 100644
--- a/tests/mqtt-connect-rules/test.rules
+++ b/tests/mqtt-connect-rules/test.rules
@@ -1,4 +1,6 @@
 alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string SUCCESS"; mqtt.connect.protocol_string; content:"MQTT"; sid:1;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string SUCCESS2"; mqtt.connect.protocol_string; content:"M"; sid:2;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string FAIL"; mqtt.connect.protocol_string; content:"Foobar"; sid:3;)
+alert mqtt any any -> any any (msg:"MQTT CONNACK reason code 0"; mqtt.type:CONNACK; mqtt.reason_code:0; sid:4;)
+alert mqtt any any -> any any (msg:"MQTT DISCONNECT reason code 0"; mqtt.type:DISCONNECT; mqtt.reason_code:0; sid:5;)
 
diff --git a/tests/mqtt-connect-rules/test.yaml b/tests/mqtt-connect-rules/test.yaml
index c72b79ae9..b097714f8 100644
--- a/tests/mqtt-connect-rules/test.yaml
+++ b/tests/mqtt-connect-rules/test.yaml
@@ -60,3 +60,15 @@ checks:
       match:
         event_type: alert
         alert.signature: MQTT CONNECT protocol string FAIL
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: MQTT CONNACK reason code 0
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: MQTT DISCONNECT reason code 0

From c39450344d491aeb0659d2a2b7ac3555146a278e Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss <satta@debian.org>
Date: Sun, 20 Oct 2024 03:19:19 +0200
Subject: [PATCH 2/3] mqtt: check for CONNACK reason code 134

See https://redmine.openinfosecfoundation.org/issues/7323 and
https://forum.suricata.io/t/question-about-mqtt-detection/4890/3
---
 .../mqtt5_pub_jpeg_connack134.pcap            | Bin 0 -> 37323 bytes
 tests/mqtt-connect-rules-2/suricata.yaml      |  16 +++++++++++++++
 tests/mqtt-connect-rules-2/test.rules         |   4 ++++
 tests/mqtt-connect-rules-2/test.yaml          |  19 ++++++++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 tests/mqtt-connect-rules-2/mqtt5_pub_jpeg_connack134.pcap
 create mode 100644 tests/mqtt-connect-rules-2/suricata.yaml
 create mode 100644 tests/mqtt-connect-rules-2/test.rules
 create mode 100644 tests/mqtt-connect-rules-2/test.yaml

diff --git a/tests/mqtt-connect-rules-2/mqtt5_pub_jpeg_connack134.pcap b/tests/mqtt-connect-rules-2/mqtt5_pub_jpeg_connack134.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a5fafb6d23658f5f41c0de825ac148c864d94d70
GIT binary patch
literal 37323
zcmeFZXIK<Vw=mj6&PdKdqU4;DisU3YgOY~~Lq@=eN)!-~EIEUKWC10L<S-yf1SEqX
zInV9E9o+9Z?>YPX?tA~-XV*Mky=v8}TA`||yVsiP(YDG=6aWqQGob+xuuu*UwAh(M
z2P{AsdHk9}XYQblJqE5}T>ljd!pMfdCdg0%rs-C_^KB&ZH435~;0FK{G(<ZZ3Kov9
zNmm^b4?#u6L~=X*_uNp6-v1qLn5IJsi6)&`AV=-j#E80o<%Z<=J2#Xmbie@Qjy!%%
zzv;&Kw{_D7Ibz?xf&u{7KwTg|^+Iw&>O>22@dCR?9>1pFxXAt=a-jsdDE^hp6<PpI
zLt9S|y%mr~y$X<mT+qB>ww?f*`&}3eDFfrb*A!{jzoF@GcEtwm>h|w6jR3iXfy|M|
zuL;x?$wlvf*Yq!3keZtPRZ~VmAe4^@z##@W?s|K<@d(@$7E%!B=jY)UR}kV6x_Lu@
zM^HgRj7LG@2LDZAeo^6@iXuq;U;KOhk+b-3=>OX+b^}LR=HKbxhU9V|oKN8KYx+6T
z_x~@r-2a#P#9y0;0$_N#xkIgu0K{j+SKx}OqKYB_L4g3u;158|k*X{BLG1uQLj&Lh
zg}?$ZA;bVG2tkmSCWIP5zk~t63PSS-><GE`8x3f4hyVcQ06lnkLIf{i<dk~x6bhjI
z);0$`4+1!6_W^+Y%J1hJHf~n7jJF-!yxd?8Ztjfoy26YacdenW$TA?vFCZexFDA(^
z$S5EnDJ(20Bmw}auOWZR_WI`<1WJiw^cwYdUJ!GT7cyZ$P=BMv_*D-G{hxY3*nZUm
zw8?MsLU>XB=$nN6XLm?zAuaOr{1;myaY$Qk0(h4?S;}hw5X5(Y;IahR+())VOaYGp
zJS;3MY%Dx%Y&;@d99$wYLOeV|GD;E>G7=I>BD~A=+v#WFUvmgPE-pR+{uKg(E2IPj
z1f<A}fb?e*qQBDt;yplw1(*Y`Q6WqK3K0aA2!faa)y6@zL*zgy(IJ-!6d0LM!HI%~
zj)94Vje`qLhrd=r02I{UE3W_$GzcmR8VWil1{OLho)B0`go<{RSOEQo_FWPtj|YMn
zq%oNlH<?+;bUs)K341;qlE-9?)!m-^VGR=@&#HXHb}LTLMxiy^OO#?*f8KVd>T%nM
z_rk6s`^%gsZ{yoXzwPB#cfc3-4eWeE6Y^?0$CeJnlnm{CpC;zlc8xC|5&<YEptNY0
zGGSt%i(HCuRe%@`l)!_D1YPh!3@K8A4?08JLM&Euo)2T?b;+z@!arCskOE+`iL?%b
zLS$3eDCmoN+0OqV!oQb*{ZA1PlK>v-B~Kzi4%pX=Rbk~|iB(ZmVTsj=RbhFV+Yw~H
zM&+|F<)Kh!OL=P2DV*?dS)@kdz(w{j@PHTY-|4-;F2&AB<x<nsC)b@;jQ|Fn^a-E$
zc9B})d#GJFo8F7Kk(#5h9o=4=G+N<7rF)`WQ__P<?Q|$z|31UGUMjq(cb_%G_LN6&
z*7A&SSFLO{VR`0pkK_}VeAcO2gD*hb>S{w@8BA`DTx_({I$6*ep8@Lfpe!Ury}GP4
z`_Qx{V3joWrR{q`D(KZbaRN%EuG4k@LZxT#m5kEtdF<}VHRQyqm^%GMEd+oV{IAM(
z%ymTJ^Uq^pzAqOnQE<V00mxlxlJOrZjPCoCn+*#uqnx+0m=ZG>Ljau><%JRFr*c7d
zXPRQ0hWk&?$qyNwrV#)d0vPtb$eT1yi@7lZFRa1dsu+?xl3Y)OJW4)O`_b@-+Cl&`
zGxoz?4TVgJRLIM&6Lkd8D1H%{(XZF|$+hgn*jsbfJd)7*sZR_Kr{&Y$Kr@OGZv=o5
zTz;Z{Z-cPD%S26UJFAZ+*3hKr_fY~BWR*h<{a20PYyOXLQO>ga)LCC2dK`?+ZW@`q
zTM?V8{<0~Oe!*3GvKU`Q9&z2f>GX?Sj77`w{ywjU^_dzwxi;Z6!*2dr*6I#_iJfJ0
z$Wlj>O0fJ&V7I7+b8G!_BE_4a__2%gjGPnK3)n_Ri^+O(Sxbm~tK_3q;Kr33^uu!K
z(fjiGBknD{LoH5Ird;j`5Brkv8!fj>0#jB)G7&&oS)s`{4<e!jCF98EKDRTB7O@v3
zn-6wk$~O=|I;fF_<G&8s@RnrPn5v|AK6TN>P%Oabyy?WE7Npd6{v81*j&awVdw;TN
zm{y&B&k`#A2mz=>IkwU4?8@}x2kU=XPKSVVQ|**y+%RPHOOl;LS^kuMqcVl-44Xud
z>p8=D?J9TO($elH&$g?S?W=TjsL_e7%(VAE_V_zatp}N(^U<dyDL2A{`^tPi(wN(<
zOv!o3XL>hER(vGPeS1Q~?9{UyyhUz!8kRABl~O#rbp-*u-?(uS*YA7ov}2Mlu@iJ4
zUe|=?M17Hy(=H(YJ)boI0R*1OlAdd=YkZbCv=Sq$!BM;J|K@F4uWg3XNXS<4v5fJa
zm#FuR+prmPg8<WK47nna&3UuE`*I$hEk+1nv3DRc<ajN&b~NM%mEoBp-?=`gIE+fY
z{<ZDdU{dI#k+zQ31|yGWJKvO+`4>h{>S`Skz<?<N_)a3XIf4Lk44$f=j66+p^4PlD
z(a=_%@(f0+HDv8_a5{qkusV4IUwfSeXQyvCM^2&h`Aw=RyL-DpV-Nu419*e~>cp58
z1;rcS<ck+;)QMEhMWETZfIPiZas&pHNZPkmLFr;K!K{UkgZ7Sle_gpA0x%NHh==pO
zd9<px5UGs-!Y%?40D2VykST#@Cux+g((y4HHjIB0=x0yie*3wv|9p8fc;9Nac*|EW
zJ6GpN{j1Gd&I{SN*)@qr7gI%{1%g)HaV$9yX*1%JC0gxpZg#Bex02`P8Pt^?caN+{
zP@Z$GA%H2*wCdW=ht;puQdRbfY+cTlW#V1+oljO@TApw#iljaIqShQpQ{A!$w=6jn
z+k}7B5ncGIHzttwC>4SLvbD0{u&f}Hj-C&$7I*!<7rdRFYC@}a88%O}LPiW8?<PfA
zLWn4>+c<n*2D=^iVo=@++Gss*yW>NA9J17S&LzH&hf{?g98>F6>8m&{*^-NQJ}_f!
zZoMwjBq#Iv<zSCI<+wz@2XuO~%dNWXtS{U&|4vo@ToqBYcSK2}QyNWXzjyj(qv`Sb
z({+k~b5p_DBSZdsTw!v1Iw>iAiR5?zW4bq$&KNAumUu16rIYM)7bsfgTKAfs-dr14
zdsSm@>r%M?*@*|rOH^I%RE>YWALlmCwchaQqO)zaX#*3^<WpA}l60Z^bhHti>s``K
zB^B8xx$u^YqPO6PNs?oblhwc6+D~&*nch)aW!O4E04~Cd1F|Mm9v@MOm}A%Xg2O|l
z1qQfbk<Tel11}QcZpW+O9C4pO0InJ5ObrC_sT&s=nx?O~L?5a_rqLvNPi_y)n1#SE
z(jrG;&e`lfo%-*bJ)miQZf;>~o?OK_UQ!cL%62lM)IAYtU9c4J;*Ri?PB+_$sQmUK
zfuA++{tpG(UV&Q??vd&-U+Qe;rPj*~>#B$=XMEIVSb}XXBE2cc#hB@fr?OqFEo2F3
z5>td-Ak8SUi!(vSjqsIM!#1OI+81r9o#4F+PyL%jYLcL;1Z&6YJT>pq_RTBAkDW~T
z5F?}OGBQUJ2ZIL}VXf;NGLf#*A!GR?As0F34Dja0gBm>U{NP%n18D^C<jxiXptC%(
zJoP<i&(DT8=+kMDjzB*joEE;t=Jt)=d9}42akl^Ab8iW4R@(_}iT#S=o4M~!Q*x@c
zwHMQcwl*Z+c0IbxbS0xtGqyu+3_XYz3J*20iQbt<04)I_Wf_ANEei->&-|I3j(<M_
zC=FKA3$9oa6U+Q+2T*grk(l>_?rjjdE}TYdpFEF?4m^1Tt*A*pr#tmVQK;BDAz0Ye
zy>JaCj;fez-0fnGH%ommO^pD$Xc0h3$j*{|XUo~X&eWRRQAF_tGsQ(weAl_>+A(R6
z%|KUf1P#7rj#ph$Ug9~SQ;38Yo#(pw1@~&B2e}*tdOs{E&+N>6_NM4gg0$em((~7B
zY?w!8YWY{&di*GZwXOHn!%nKeyP~zC$m2xl>mbRss^&`X?{V>P1{Y&*$)eAb$p?+@
zKEumReG`pS4SmJo<pk5^M&pL%2LWj@{(}jleOXg!?@m)J3;L!EqTx{)k475~*a&a)
zQXV7*(f~5OZbj39bjQ^ulN+;D7hGpdL~VZ7_tWs|>S}7_<yk5ZB6Vjb%*oEx+IyRK
zBYLfR$4pmKWK&X4e23`s&kG#0M;dkm4h^i|@CLIRk=9W-vr~U6mQ(DUI5A0Um_2ek
z^>8^499c`eje1Ch05Z7Dl#Ut^K!<+FkqH9mQLW$>AbE^Fj;DwK>T_7n!8KpM96QOn
zTd3({^mdaDUc-QSZkm#~o$INFfka|*lE_v`fa_juOYngGGN0ONW_G?+=sA(boqM9y
ze#>LYsr@bRb?MY_!sD+-vnQf_cUBH?0~GPI!v)sdkH|&3JwIpTC1EvlxH&H6Xi5jQ
zR8+(S`Ry6UK=I2GB)jUisfX%2{Ku8|0uoF)%f`&sxoTReziMu2c2!RWC+_x_dS{sL
zMDf8bvX)+XS4Vgt085xh%bJTB=4g8U@QIdjl~m!>%9y~6zLNC@>sFAf<n12XnUdm*
zWV5kr-?}4|2cNePF0LAKt9#hIRET?h60$O&uy3)fKPJ#URF4;AcW-K4>>{2k^JEGE
zFw0#CmY>v=bF9{fR7sY}jG7^U$_3ks_iyV<z42>UDyBkGJI@dJG)_)mo>>-`*GD>~
z^5)3rF@7GqfI3DKa4048L>)D|GHhqH2r&3{a27Lf$H}kxo)!9@-9P}vR^ul#zWGCa
zA*&m<As+kD=hTK`7knq#Fv+HU>PR<N0S~E1$%+Sr81;_luy>Nv>IO;fg!R3cMhBx^
zE*J2^7xNt-)s?mPmCj(Tg%5Z=Wy$z{D3Ls#_6%^T_t+EUD!LcW4MPB{&GAF$Y7HKh
z6{q74Z|-rs&Yl!mR66#&cY`->r@5^sOs$JHl`odt%?`Wlox}A{!8xG&eFDy%^NK=8
z-LIim%<Y_p`?hB%|3K(7Y3+T3YK|WPYP{~YPkA1S+pf0EL=zSwMmJlQ6IEUtpWbRD
z91fhQdwB4!q9Y?~?@<Y?sYQO+OleH6babEK^;uNL4cohscWTbDCmQ#f!-J!T5#UP@
za5CAq4xhV#e}Z`m2I+cNS!m!-V;qKv!33N3zF#=Gkew1qqRN&MWXd<d$7N$To%WJ@
z-9rQ>Y6A`?PsD;m1w#!HfM<x|zCL$MYIa*{*JGM_*=I*$6{p&4esvMW-{`Xsq=Eto
z1!m{Ba%N+3H;R^Q%#=~6V%BR)``l`$4&M22B7obnZ@j)l#-&(lR}GePR5vs}W6gvI
zq!b6wOo`RZ4uN*L;0fR}JWo3n;yTEieG{O0s(Bo(DT4syXU{FQ_A*w+!xzN>S$CeM
zy^O5hqR%}hQX&W1-X*msU*b7cASBq<g?dVOO5hDa-<h=oyNgkvo>+4>_jLA)bCB(t
z*FJA`#%KZNQ2oNtiyJVf(pMY7<MJu%0j391vs>neV-cqO;H5kMdGi8B9U+-<Zf6{6
z+OlSNbzh+g@J?0omU8jV>pV|y(J0NV)mo7WY;xkM+Di#y7}Pf`JzLufZVsE-*A+I}
zHD!AaGkq65GD6>a;u|vctX0y6C5i(z-%Z2@oK#l`@zjI#cSF3v#k*rh#K!w9jMpK^
z@Qy_fwI7f7tJ1)bKC{!5xS^Bh4u`g0@1mjS%ht`t=P8o|yWHkVM|E~W!4;pK>JM5r
zd```8mnaoR%5J^21g%>X<Y%wpI~Gx8eqiW2**rL;T+v+Cd5(FW6}`=1Kf7@PeJA^D
zi1zwwF=NI$>z(aaQBO85>TTeO`|Nz2j~Y@|iza90$D8xtAb{jW@ZJ~Ra;6Us`;+ps
zx212|5J05UR8ZMoklf&Br^6H3x;?oY>n<k@eZduHU3rxu9p`?1C;e^aTNMbvzJYp8
z!HTW$@H`8gdykJ%Jg*<|zkd+UNWIQE@*(=DV|A<Jq}}uDiTTaE&*MJ(oT&6mAyXQi
z0q~Rj{jI#aUI7gu2Hx?ep|hGPCS8+LTyDEO=cpEI8$~UH7jcI&TDs@-2w>dub4Ufl
zsZ&Vqy8!x#fG=;Q>?dkZWz5s_cfm`eNy~Ik?Gtx7sVvvWiv5ez6@1_Rnnjb@Gcpub
zs-&B_A^hefR0|QF(@u*C<LAQ%8Ri#ntoPlDWh6K3nj3a2)0Zkg5==y{>uqjALykgJ
zW>u`t%}z3s_8$>%GzdC%*@`CneD0F23l$uf`g{UD^+=8tc&k>l+}*n(=zPjwE;a<K
zn5rK*)moSOEQkP<E^vp>S(`h+g)clNY__-}>d+{7$gN~qn13tgII?nUTQ>3NR>Y08
z{?N2h*0%6{11+M}0Mn&&SkBCFL#UQo{rnWClTy*3$v7@0{kTXO@A+niif@Q1j3DHw
zrL&LC{00Ap?|$l9Drj*vnlmdQ>{(-om}GHqk73c+C^t#-`O}ceYlqGkH>+QKYWeY|
z(<Py0ct2@%VikWXcz8=~PqqcT0tcg)h95gkqeM70*mE7ImnbV6mH$X?neV!=>_z~s
z_6R^$uP7u!y4-YKW2U)7L+>d*7XL==6{QO*t3d=n-rMD7-YsHwYJMPp6^_#$5Wik$
zgPfahn&0Z*SPwG#_U-c&{(+lA7eVOzy*BfM8rO5nk+b$|r}}v(YcH&~V%-);Ztl(S
ztv$7@#fZqa*L89$ObBx={gUnb)_652vnGhGzi-PnED;`D|HRGULq(a0v2~jam#|ze
zwAhJZkNZ&W1OaS24Hxd6lLu(8ZqhJER%{}Gtala-Z(1DR&e?pHGh?uYc41mt?%!?P
zbUEA7+9f6F=%ISQ@Di>4Y4^2tzVE!D>Uly`w;n4G&j(wSBPI}=lm~zM^MrW$0r8tE
z8fZwb8USF@f?h(Tqwo^PdWpNT^22PG?*nCKR-k=phYh>|S%<p$v+g&K8`4vW^t?eX
z+p%5N5nSe%ncV%~dc?mhB6-nYQd0f3jJkVS#=gwK400(4=#4}soJ-Fh61wDqx{m}w
zzI=9eV2v}FgFZwsL4LzzCMExY5xm5kfcft<praC`<oOeGsnro!1^{=^Px#*^)D>j)
ze_Mt4e^Ym93oK;c08&?^xAgkY<2Sn@{kC8L0GVCVQX?T$Ein7353&d#y{afiAb=0R
z0B^t(fCARQT`)#*7qA4J0XM)NJT7}jQvW3(eWt%9WDkG%XMaZ`Mfxx4H&KyzS8r!$
z@PwQ>7*=lHt~M|&D@SXv^jkX}YcBz?bg6(I=tg#SbF~M{mr32$&g<9mO)oc>pXHxo
z=-4~_R)47+2Fw|1Z3{DSR)>MjA%Ee6epv^iiNOQ&vY>M7m%cIWJ>9(B|ANAB^Mu+%
zU2R>xUBEVY3cASNwJvdB86O#uP_lKk^}Oq4YXc$xJ%4xG--vO35+gCl8Wk6NM)36i
zwf?Byp3Zs-MtUHt-;9ei{$DW~Fnim-U@-1Fd+FV^{|k=5+7@hQ>*u8cQ`XZ^w{mlH
zMs|qxJNhrg*bZ)<0XLkX_P<+-@Tc<1zoWsHm^QX{cfFmFF)?f(TTie5hTPzH^k2zw
zt?cF9oZUQsF)q>1{%<P%Q2{mqG~Ha0w#EjdC0gEIFxy`z4vsT8k^T!7&&tgUoKXJ-
zj|&d5!@rVWUR&3Yi~v0FK#|+NgnwRh$au-mDU5PShok^Vey%KF6cj9g*B|670F>PU
z@#Fv{7*F^$n)6Qt;-3ga*FO=6U&1Z_L?Hf&K>QPd_$LDKPXywh2*f`Th<_pw|3o1E
zi9q}lf%qo^@lOQep9sW15s3faMj$S|XIDXg835>m2L$PLBm`~%HlTaj3a|wjf!lxs
z2z!AC>=FVU@&L*ILcs{g1G<1PvcsSLx}TnL%uA;<$OAEtXQU!8Z+TlsOHoB#;gT($
zvO3h&4Fz;$ySRFJ>L}f0G%_|}#Ow##V1u4@&}Dts8s@H{tBCZr0xAmfj4+T03ICQr
z(GSLc`e8?Sly5UK{$BAn&qUVlo}j-JavP)<vayAME_29Z5O((Ua!2Bk{zp<PCnSu5
zbe@xXf&zjtB@(v(33Ff4{DiL~VH+1$&{d6sl-b?J#RdttgYYvSZ=?$wRUL#weW13!
zAUq1fEY9Hn+&~x^`yh3(y$ib4(U87P7B5?C2N325VLVSg9eEIz2K~c$_P@YZzrbFg
zFBzl-<lWr;FTJab*Q_}h1tcWI8I^5)oo&6mcy8adcDn0n!zl0O;(piF9{_&pjBEuE
zBW=qF8d+38LR6GTkQW&-_&xoPmA@1HFK6V~{v_Gez8o_MdGDXNKO6svbIStbEnu7p
z^~Ik!t0VxZeF6ZKlYin^UV}6EF#yyI{Gtyza=titdAUpS@%j4t@<MH`d65SFBmJ)g
ze^CB=;1_<pNPd6Vj`7w{XFMa)sMer!-P@B9=6=`OmXYUQC-MJv!(YVuMGkHqTRU4%
zTUU^k0XWN`uJ+(?yV^j#pl+^=P}hGq!vB}eevttQ{+!n!K$3F-kXrHrR|ZG{)XiQ1
zjRY4!HA@F;Ab*UTI<^70)Bu1X!}8C055i#mW&W28B^oTEz@V1_9zb44kI~xO)8{7%
z8uEk=MkfiuO*&NI4hv>*!w?T32#5hvz;!?YPzAIAJ-`^;ZDkEEW-ee{&KI}`JODz0
zaNq?H4<rK_Kn_p{lmV4ME$|Nb0CWO9;7$xUFa>-C7J+qO8#n+?!T<bYLhvCZ5Gn`*
zgcZUC5rl|CWFZO=b%+kc7;*<<4{?QfL+(KyLBb)ikYq?Eq!3a8sfT=kbVG(96OcK`
zDr5(8f`W>IheC=%hr))!ha!%014Ru*55*kC9>oJC0Oc`C6v``<ER+(I8k7$xJt%OL
zuPEy%``{)GTvT$@tEfDv;;8bdTBs(dcBr1H!Kh)V38-19WvC6PU8p0dUr{$ukI^vD
zNYEJ3c+jNKl+pCjtkFEsg3%(-lF<s#YS7xzM$qQaw$U!o@zH6~xzHuiRnU#l?a_VF
zL(vn^^U$l&JJ8|ii|7X!7#QRj>=<Gg${5BNju?R$5g2J0<rwcVhA<W|_AxOrsW7=P
zWiYic?_zpkhGHgRmSDDE4r4B29%12PF<=Q|DPoymxne!UO28_@YQ`GITE;rXzJkq)
zEs3p#ZG-KP9gUrX-GDuSy@-8^LxjVQBZH%d<B0PB=M_#FP6y63&Mq!4E)%W<t~M?d
z_df0`+&8!%ap!Q4@rdy_@#OK$@VxP&@bdBA<4xf0;^X79;a|r$!S}+C!Y{;c!~cSR
zL_k8oOQ1qvLl8ocLQq36Oz@o$n~;_82B8IE0AT`Q72yEk#ue-<Y**y3+`STfCFM%}
zmGLY4L?lE4L|Q~HL=i+qMBPLy#F)fv#0tbV#E*%yiQ9-5NKi?bN#seaNgk2pkaUnN
zl46juld6z9l7^F(lJ=8slM#~%lNpftk)@C|k$ojcC1)d7A$KN^Ca)wPBR`>_qqsp~
zOYxkdjAEGLkdlV-I;AaT7-cynobrT<kxGHei7JMwmTHC?jhd5Mo7$H;ow|d1gNBqw
zipH8IjHZ%ik`{%QlU9c|kT#pPmv*0yo=%C*oi2&4jc$XUoc=n!BmGPIX8KhI5(ZfY
zD8oyJ7KSxOGR7N>&Wx`Z+Zng7(q2`*>U}lyYX8+!CUz!$riV=BOf$?l%;L;;%rBW+
znYUROSTtDfu@tjRvSPD}vpTRQvUaf^vaz!nvOQ(1Wm{pVWLIGiU@vB$zJ`BI?wZH7
ztZSnj7#!jpP8?|*gPbUwBAgDKDVzgbC|sgkP_8ttA#QYT32s;JEbeh0Jf0goK0L)d
zbG+od>bwtmYk9x(vGAGj#qf3UUGR(WJM-u8PYDnUs0ut3Xb{*D<P@|POc5Lv!WU8$
z3K6Ok`XS6EY%82D{8@xVL__4MNUO-XsF<jyXqo7$7>n2)u~e~faZ>Ty;t}E>CD0{q
zN`y$flQ@<XmGqLVl-!cyk#dqMl3I~wm$sG8kzSBtlDR9BDf3m9QTC4PYuT@ISLN=?
zWy#H7XTEN8J@5MR4UQX*H%e}NzsY~o^JewULwQO0Ao=&VP;V*S3cJ;>K&+szkgV`U
zkx9{Bu~>0iNkl17>Af<#vYK*?^0*3}inU6i%C@SQYLIHX8lIZ2TC&=_I;Xm)dV>av
zhN?!K#<V7@rmJSH7NDh~6{j_GoBg)O?M7`3?c3TZ+DkeDI`?$CbV+nAb&GTl^ls`!
z>rLrj)A!bIH6S!FGbl7TG`wXPYxvcO&nU>K$C%m}YFuZ6X<}fKXR>dqU>a|_XeMG7
zYBpxhZtiE^Z9#3}Y|&&%XnEJN>JIuH!#hQH&hBd6&APj9rDBz8wQVhLooKyobKT~p
z&8n@8ZLICGos3<q-HN@8eVqNOgPcQx!v<6ynhgEnsO*^Gc<7|%l<$OaHgqm`!E(9d
zQtwLa>g3w)M(^h5HssFb9_s$pL((JOW7|{BGY<xVnZxS5NWq7xUhiw(PrT=RWPMV6
zj(iP#tNe)kT>X0eIsKpeF9#?F<OZSzS_ih?yL#`zy}6(pL7BmjV5{KP5ay7_A&d8w
z?iW13dEoS*?;-!g*oS+M3?DT-rh9z<@xl|OC&i%zp`M}RPo<t_JVSd1eb)b6=y}rf
zi!ht8PvQLG3E^iE))Ai~1tMQXBBJb~`lCgo(_dh`aD6crBNtN;OB5RryAY=lSM!qb
zW!THTc+2?i1mT2?M4UwL#ILW^U)3eCB)v#FOLj<xr`${_Po+(Lo_d&OlQx`wJ-sZ0
zE+ahS<Tdp5=S-!{nk=@gglvp#pX{X^gPg8h@!Y~Z>b&s0^L*F*uLU{<?S*26g+;VQ
z(Zwjm-o>jWW+j8Aw@T~Ec*-)%$;-pv0B^kCtX15p7^_sPY^@TnDtpWNHnp0hI;;j#
z<6pB~>rnf(&bV%<UbVipL8_s;k+(7b-PLy~O=L~c%{a}En-MJmE&K1?-*0@d|FF<%
z**eu`)Hd3#-QM4!*731Zv9qn~Mpw&6nUC+fCA;fCiGQl?5$&nz73r<+6X~n&7wxYZ
z5F4l)lo)Ink{)UvmK**sa%-e>RAsaWt_dF+(;xdhZZ`h)v(4v~3FnC)lRlHDQ}?IQ
zr^9Bh%p`oF{gO4yF<bss^lQ`Ht-0QL-TA2n>xK1iuy1FJkC*V55|$a33s(eJ-mNOG
z4z8K5Ev~z-pKgS15^bh_zxMs@*7dF4ZKLhQAD%xDI}y87yZL*<d#(Go_rDx~+d~e+
zj;M|bj>V6=P7F_$PkqlY&t9E#oHtykT}&ffz<&cxfv+A|;2jGC1I)4TurRUk2yn2l
za0ss8gBt<yul%h|e_$sNY;flx4mK_}HZB1!J}v<fa_8W0TL%CB&OwMdiqS7S2ipN!
z@R0@u1>E=cXTrcl$AX}uA$M+TgHd@@6ciL}0z7mOg9;KsE;kJl5nsh5A!QN}yx~zP
zB6?F>=dP6}>|tzXRuvgJvyiaYgP4lep<xPny|@o7y4L!SvfJLy-J0J9yQBu6RRGk>
z_qyL%f?Z>vK)||N;2uB-3JN+FCI*PP6bfWVghq^hRY2Q=gh}v*&fS;_QX$U=v6&x)
zb**5Ptv4SI{a|Lv8lIcC-XUX^-~MY1z2*JyJpRWsIzMGNiS7hti~zCY1c|78dS1RS
zd*C}8J__>5QaD-vEVs)Sv6}ra)iO-!1qI1v{+y2V<;jLz>5Gf{Y^&U`Oft=klH{gS
zfiG@%+{3D188`Xtp-HN#x*>(0_3-jYii)RfOaYST_7Bw}J6$}-)c3bOB7o6dsts@@
zubU>vO-WQ^F}gaSP|4|$yzG9QL#f&n5R<po*f+ToS7G9jt4eS$`7POTg`vRcSWk6F
zxCoCl9M5sFhKVx|`Y}pZz@c5tOit%zE!(Fx+tDLCg%K-X?bSV%#r{eux;&F2Kcb<L
zEap3QKMKMMzT7e=RUg2|*RQ3VvQZ7Qy=DEDe%!s{*glu^nSK;RyO46IUF2C$dLPU#
zaWI41v>21~rEd1UTCFq^Ar)gab6iIbR_BVw2fbz&9h)30oKk5riZu1j)HrZ`jU5$|
zN>8Q(;_Aj3p&7NPEq5lCDScITuBoi8rm*K5NtwBY9SwfZBw^uIJp+-wo<k#0&4`x^
ztlq)S;o_8y_;a-l7-KAfx-tDWG0Vx!DU%jsRo8SMFNiC;`$oi%d>6K-x~VB>;Njx{
z5GuX+ABXgBSKcN?;fl5ytQ1MD)NJp0_iQ=jVKw_HlUh6vp2WIWbg=nSHOcM^)K|m9
z&Ae(=l;sI-g}zE$cjIO`<X%fSrFJoYE*cksDY4}$XzJ<S*A!E!uA=Rzk4@M|&DGN&
zOL`Wilz$fCW6~d9BWN|^N`ogAOQxPC8YZAk@r2phuUX=X?0lGUj`Qt`Vdeeq5=YK@
z!*|bI5x|akKDw6Z7gwi{=PnbGmN(l9>le3rf^82!AB`0i6(^Tf>(BLW=I0d@#azvM
zzN`EWFOsZhjm4*z(5pBms_a%y{#>wQRE+N1u{?)a@i#mN4P0i}S_;I9U%LIw7B`!w
zd4=u@n>&_^m<~q=EXxuJ%nLt}3@Dt;Y0MA_><uQX8E|^5gs$er9+<`wF<KAh%`tmN
zD)h`Frh7;ypW16dQ;IRx@H^9JO6sD7OI+jOeaObn-?sVxNQgr~it=s(Cy46_t0Zs1
zoMDmgmyMRIghGBbg`DO4j^Qa*2CcIKBBv&bSH20141|@kPCCskrO}g1xbH0->HZi4
zFe*|v^YRnQvN(-sa=H5z1)BDChTC4b;?i<1FY-7)->I^FpVlU{5uo7xbjg|G6ShUY
z2%D3>VVsu#arm?P%mUrmG`n)~cg5Rlld8kscB#;Ohi>!3s)(rTyu|naN8$gED!m7|
z?u4pjbVQZ~)+Z+we!lY~$l}`@eNJA@Bx3U8_1IHMMahwGtNr<QJV(qk;`XU`C!v1v
zdczG_Q1%dN!v-Z-y;t;o0)fWH<|cdf_-fwQfGmTicE4kGa=k=xioO)I6gO{1FaE7C
z9D26$d4E}NOeZ({A*atNo_5jF+pT+Qed);osfL5qJSJWz`81~s=iQS!6#3W(wr*Z6
z70dt~Hqw{$A4+IaHXLL;qcNVc_s09IF6OOn)m(pI34IuHkgtB64%ccQ9j4fm9NRc6
zFZujo!U}5n)(}9Am1G28*Gr?;#H#m-KbFL|xVl(=$RU0Cm8zz(H->NbwI{oj**HzI
zsK3X{^n>yC5+`fx6nx!!%lDP<uX{fQT~hz4go+!^I71m+U2j+7sQkr8g6;xuXu143
zduHL2kR+0+!|K~zCRD3>k1noN&qsSLCgiX-sJwiI{r>)Ze<}b-7}OKd78FFy7v<&l
zytU<@F<5BURxOS*&?ucAW_!9MQ%hUKA77M7V$MB0(&WGE8I0y%2BVF3{I*miQ9P^R
zU=JNE)>QfOiHu~vic(h}+RtP1-QCHxAL@U#d+Bwdi!GgusiAPPXv>!R=w8}m6R1c<
zads*+Z)CEXACS%XPgw!dn#F1J4!7VNpuJmr)8BZyY4bF-z&kx9jLD31NSxST($PPP
z&2cz(dSbL=hP{bd#62_D<ssZNFOr5ODwaB*sc2QEsDZON?3E6<Ew&tUn&Ze^{`RNP
z{D&Jcv#C)@6&x0+!z!Ao7NtLy)Rs}nFpht?)M9r#&G6m}(PjeoEtj+&2GCQCNW^>O
z`-@-X5se6ix)R+sr;g`}XVs<C(#}8;Im3C^FP#`@b`ZA8!KOad`A}1-^PM64k}TYK
zd#{M+UfOC;qlJTIl=U}>>LPFh6<t09Ue)#|jcvL<&THl_F|%B%MJq%8)}G77?H+s_
zrY^04=Fa+~JuQ*m)qb?_1%bf+o3pj!A3U?eYLX_pIPDX;3@e@9u@%A;tl%b`5gD?v
zwUpj|#BW3CMhZW%_7$A5js?6&7rOPI8U<Pj?Se83w6T`E-C^zCg*R+V(kR%A$;Hp0
zV$YA#9W`zer%aH}K3F62d}&qFojb1=PwY}nqSltrJRRP@s9S;>=DJxs=1pFy<`GwE
z9t)R#F03L$rz=`iKv8M$BF(lG;CjF&k7MpaIAc&KvdUK5-qilQt+;{TPI1V;xT?SM
zM%-MS-rm+&H_fN8v=*!Z%@SHN>T`y<<W*g_efeq<ywz^C_}t<3@RdHERMw*iUu?E&
z{gGLRi8~D~H+{TCD<<J(J$hOeiy;>qn#H+AVU>}GJrqN6=H}EtzFO#O9ev#4%vuVM
z&3mgi*LzYmS7f51Nn&zJcIPnUyiZoTdakhU6W?*BP(xX40Cf@v=c|f7;+3YBMX68r
zZ(P2Z(4>0tnyos~y<Xx&wXxuu8uI8{QfQc4!|g2yH>3?$(Pr{-cvjTm8>0QBy2Yt}
zsHHxg^<Z$X{Aq`7yo7XVr*@Dl$y$hR4+5Zm3|A<%i)gCb&sqiOpacK05#+#}z-eUD
zF*SK-YrLqr<3@G-yfvPHx$H=B*YI|Ds!K4OBAotkypwG;V1j>wd@}0GVwvLisQmP1
z*CNM@^Jg6ZflUJdP))Pyy|A#(k251H^%gGuW-k0?d6_bK(q7v@Pe&>gn~ou?p1t5G
zKWTKINKY)3y?S-2h$Fd^zeeg?Wz}<?kIRk+dnvJd8tDlX&G8x*efk$Gl#=4ny-)j7
z5P)<4l;z1gKHsdlAfY5fn!uTi!aSVko+Wt}qZNCDeRo!=YYm4~cD)BxP^-4`VuNu&
z2Yz8OWw(eVRZQ7HP1pLsci91RZV}DC)s}AwwiihmOr<(+#U`DOv*Qs!5$iOD|D!UA
z!T*d+F#*ccO}7sR$qjGKQa{3(f6O$wz0H+ax6tS2dEw;KAnAxvcH&zSt%V^=2<-@f
z1=y9{yP20>1aAG*t8SSz9eTSn1Y1uzz6D_0fzb|Z`H3G<A4p@|%6t-5R2Xn`9#wey
z?0GUR+2bmi^L$UbW>Eq&RJG50s~i`dla}vs&)OQ7H-u&6rIQIhPosZj^gZLJSL#!<
zpsE=XVpYw24N3`}hh2WJ@7;507S^hs<XY3w4*Z}G7vtb`V6ke`*}wN}f5-^llakm9
zWwoQKs$ASIzN=R-JViwGDMIN`xql+D8`sE%Jf35?UAjlsp{~&x9<szb)>W$`a&6bY
zCc$>=nBhu$g#xYWCabjx+;h83CBgm<x{cO<#=Nw&=>d}o+QS2e?8M}f3cI?}(UCbR
zfy9m2q8kmLdZ-M(H*WMgE`735HtkPYK6T~C9Ib5jXAllg`R3WQKI^%Z-`#0Yum(?4
zI@57Gp_930laJ-2a~-gjxeox<{JGD$_atHLC!ZcGsW*M{5y%gp@KZ4S^kjjeuc|}q
zeMKhpraq^h<9BS^?|p$6v92!*S+Q=&=ztH(J?8`O?qgn8`p>8dUQwB(UGb;sqm!a#
zTEzh(Uzo-E_g6AGIZMo8YVq^8BE4ScYUGJ%qU$X*ZhB<qa_tyFS%(XIEiMv2PQBL|
zu;3}Zy)5Uev~=e>CbuP0DAdZd6qj29zHUyzhfEX!K4BpQBi~aN(Twd<9A&0^XUlKZ
z;hqr7&B4=;S+~niiG@q*_ZAv>j#^Gq@8hz(|9g5d@Olc6_3J6-RqKyFd(f{aVz$^_
zsy<y@NOYy7LiSq1I@jv8FD11Vp726jy^XZ5zC0oxehq$({<&pZ+4S{tEB0-3`4;}x
zg}g6oiD_yiGjm{>wL;#Xl52YRtQ3|P<ocN4My&`yr#N17@QY&Ws9Pz_;~}Pusq(yI
z?SQ-aE12O~0`yLSt~ok;v&leUxo;w`Yn>kFv0-rjlmPyYNM9}XcxOOkZc-#hEuWzq
zhurg|W6q#wM@%XzQG74go(p9cTDj*$b_cOJ#L-|}%WIYy6s2g>rSY2X=<d@S;GX<;
zj#H4}90GTYW^59DDI6?yWql-<Gs+{bN@x6QpR^tM!(7RjhY?w2m21c3l9cy!E%jZh
zx(yZgZ2AJhN3W>SvTkpVB<8x=(&Kl2C(7m>-Ccwx+CGlN(6W3hO*#&PyyOO$N`Cv3
zGg!MNT<lc+oFG_YUT!VrJTEvDpsmfb3O>ni@41MS|DL&>EnPQ2#Kd=!w;l3!VDK$;
zdU>S%kk=JPU1o8TXG{N`bC)8Bedx}P^Gc?vyg{*!e!a>kAMF~uS%<WoLfwb?u|$#6
z<+d(e9?NAhKeR{HsJ|V}2TnE}RO=JoSgiM!EdSU&sMCHz{I$DcoTYKdI8UhEKZv7c
z(tZW@V}J-;v1T`g_Lx`SKV@fLeU;H%_(Ldr&ym5K@CmpxKguuqBo6^VGcx7c;^QfB
zMMTU^V|G7A8P*e#NT(LQPwlvAawK0m$!otitusWnu2+6-w2-4Da#EwoS1~FkSCcer
z4y$8XO{Z2@=&?QJOz|e^Xyt9?m<D6o@uF(FWM<gLa{;^w!WA!B{TbqPS<g`NlGoEF
zs(p@u+S!jHY@g**v5W+aOuUJ{2Wt<xv?OMiw9>gQ(p2wJllOYHX7!GeU_%8#qq3y-
z7rz_%DNpCC=f%mR0yB$|8JP^IBLZ?ky7SgQ$<#Q0oR5is`=-%^#1eVf_-0e$M(qm(
z;CY4G@h(9$<MF3U0WN2KT(|9Wa|PT3meX8gTLz$Ed8mXkF&_`x-!Ua{yqdTgXcIX(
zc~Hd3Cz$zJHz8%QwU1LaR>24!tdllT;(97Yww-K3?li;tJ<%=SoT8Q`nZo1M)=pYa
zxSz~bHIlv+y^ZD;oA~D+`lF?C3C8zjJ;>U=_Q+_c8FG*{n#oEX79M(pJsQ(IkT33j
zsfTYN*x;Kl`XeL!StL)>K54vn|Cf<r5g}i1W;k^x`)tm<W_)VVeEqd`y@lNxf5Fh`
z2<YG<Yhl0Tewg%i6yxj2D<9hek~`%(qR;6Do!3*?&M~JC6R*4yc860YYlPJ_j$L21
zD4kiXa1$C^t><Xh5F@U)_STkH3tRKl*1u(G;vz1iOG}o?XM*1G!txlW;8}f4V6$lL
zVEv%Bn2+Z4kbdz?4U5xLKK|(WR72LlS+`mlV@0?@H<veeaZmYqa}ud=MT2pnq@R=H
z=yL5>1mIEqWT-n=@;qQv^qyjHIhAEmyqCSIkEbYkR-opvN3{3O&VJuG&JzUCur<1k
za_fi4(iUe`Nbe_sOjXXIe9}5*c6z4f_WH^>$)oQhT5ie%6F-_d_W5-T6+eac9(2Zv
z2-An{D=yXBjk~`X8FyOCB^<lD`nFr1;@RVcgp!g;1K0H>zv8Fa*Lp<6*EIXM<YK(8
zc7Ny|r(F@(jqCC*P*rm=*YtPskm(-CYLKn^mXl4vUdhpdx@HLFt#u=QTijt-tKa{|
zpy|bC^yI5&(=iQdS;<qAlEK3BgzMi<lTOudx;u>#$jtx1ul>|#KAY1Yd3PlzksaUs
zW6v41ongHDQ0O2@TJE{)t_75_r1;(&_4CqRPciQ4u*k2DKDYEX^OB%zR}0+mbVODY
z9~R^n`8E6~#8xet)X~UiuaL3to+}hr;q=hRx3{fp{IE05JQ?k{G|t4y=dYDrF44*p
zu|<J<%ggn3JhQRcUYuxlm0}jBM@*oN+Cn<>MImwtus={ZP6>%-SIEIy+Dl-2Cjg7!
z?B}qp)PZ_wyP+$-eDmXFVW;MnsY+8`$RCYlf4|H^0qWqS=cj8KB%(poPiN%k6#rWy
zLiP6ZeXZxwikXMEkF+z6mY;!7Y;FfhC$xWD)p%I+KRcqoTobcCd>CKPovg{DK8{sX
zB9?g;;pAz~-AKx2>szs`S1kR|Yp{YKTv1cEwNp1P&ede9aZ;g6QJ`H_K$WvcXS4<t
zJFIxAW+J~JKcGvpn2KbCd&unDSkjS1QYA$tonj;_9VcJE@+z5BudB+4;6jn4pGlQw
zpJMl6PjWP+5yyBwd0CZt*<wlfJ#d)zv1ONnhkoQ=39)3K9+<R(^aL0%Z`uD4Jj@<C
zEx32>&#{c-Ch;w)|6uTGH36C#s9)xz+`y}eubdXA`Z@k9b!6G5h-6veoLT+nf~^l`
zt`2AVma2LAIyyQo#x-Nr#Y;{L{Cns0u2&+=bbM9V3lo%q)o0fM2w|76ug<XGIBI1=
zv6yOMYYbb-yF;>x#P<Dg(|g5n(i1cX2{5H5_%f98QS30;jI;V8oP2@7PHuF?-78*_
z$lOy^D;%KP)AJU?Nzl;|a!ytlO?{SH=D8z+Z<NoLP3AKbD@vmxIukoNF^G#2ZaryG
zK|ZH*%(Cb#Ay9ZwPrE2Xyb%J08A6l&W<C}z)ypnAl9E5~s9WkGn_es#2~Z+PE1M0f
zCadTE3=S-u!O$W_GbJ6XL7S;ZxzL!{Q$X0})(?uvrMj*6JTN{oZqPE$I8jb<tO_Hp
zxeBs(9rUv!vZ>#=FFQ7OeaP@2D;#Zwdwt98Tbr!Q>iXj@tNiS{*m|%Vy=*KUhS)}R
z3$Mkkdt&9en_a!d*D>k6o)XNL3-}HPkrT4@hmk(2EABPl%TRdKU6u8u6mz(|m7y*%
zH$b?q=OC>sVR3Y=g_-?^mi8a_$8X5{qx-5-7>C~1>m&~#?P=F}?p+<*q!2oB<$O5a
zO6NKRlgpbgdvXeXSB~eRAZ{<eAiCyVQtH)|tLFqyKQ(5lf3*7;BA>Zawi3UW_<3#H
z!XfS9sfH|Hcl;6Xt^YA<O#<71E*gQpVh=O3z9y-X1WoZ4dz`bsVyXFnF&ABT-dMei
z30pq{rb$CwPF#=E%#`Z_y0Zo+4`*b_l!#gRgQRzJDe+076ESRgUuTGxWBpbdKHrTH
z;m}M?<y7b>%d>r=tSOPn%G!iF<ItdIyq;b1Kwn#|vg_l4XLSh29Og&O+p($UspcbJ
zSt&p93L0t{XG?__FVvaW-r^m3<Ph#;v6Gj)7XhD)tm!4vLUFveqrlQL1>21Y-gv95
zsJgl3rW2H#6u~h*-yg=_%gt+H^Cj3SfvRDs%g`xxwPoK@Y*o0JRb!5Wy-*`0-#*Fs
zKKSw@<;WPDtRJfPNihp5_O|HRMw1;3+bGSu%;i=e0#H!@<`wpiFu=(fdh~AFimd<C
z9sHnKQ1_vuC_TM)ThR_Y-QW64>{u^nWxTzrTpLYKw2najw6=<LNhsT@3Uf?^qi1m<
zi!62xMnz7PDO?Sv$XOXvJoWWnMtpuRFTGLNP(FQ=%lEL!f$DWm;YICzXVb+|4W7No
z*O~cQ_T(5MNe6Helk+lW@%e)_6Q9Y#w3l$~)bE<)9Urn004z(5CFVuvv5i?0HCJj=
z&aFOG$7OTYPt5_V;&uVWx^G8EJI^C|SJjoS-V`oegDsV<D7l@gP~u3J+Uo?2`cK;&
z&|io2B?3~b*VdfYsMJ)byM>NQHOD!Nc0{mq$-7Dnn2XoOHT;Zm*i@FKq|ZsLLJ67z
zcWyVB`@X%WE>b~SuvW+=2Csf0|J&W`Fp@2vhF+J;(9_`K_zp{{lGwzME>P#QYTuwO
zna3k8rY@nUkdm|;Ik)JRYMX#cqNx3Hwb9OGT*BqMK#4g{Ol$;vV_(*Z=eqk-b_3Yg
zC~L>atTrJcPvb8i<B|+jf;3oc7;ID{vNLlO#+GFb+5L&Azr-dd-}L8?Pd{2bI?n4P
zkf<OXTeX~9zQPabrn>@uWmh~n+k3*nen7;?WE@uO*F?gm@P<xt%GO99X5ybd-Pqr~
zI?T#${Wyc;X|Bw+;ldcq=-IbY9jTm;iXU5q+<tspdHaC;3uD{R>=Y_X+8_(gGE;TI
z#$F6b;;Rn`fS|CYJZ{i!O}T63Ov71yP4}UPPt`kvkDs$2cizsw$)8#R-zsdb1hAWe
zQS-Ah3yWQxqm7vEJ%d|oQz#T|)G6N(B6?E#)I(oK(`4-JS>%bx>X^oeZ_QLO0J;AO
z!e4c#fVbu|*Q~)&njmK}b!QQqronc(z}5wwF1X&mo*n%X8qv`&kb0+-C3#uNTEsT0
zty7a%^M_AB`lz3%^jf_A3(aKms|;`E97;rpN0oF|#|&5;$3<uo)N<3au3HZ6*(>2w
zdz0m)tT&G-b?QG+9ZsbiQERk9cZx0&ooc_$j&>z4SO{)DG{haxiKn97P+mQ}oXk>8
zW7tIP5UgveKEO+*R4cNxOtoj@X5Ldpu{&z@9#hm5!w_H3)pQdt>03D4*y5IQGQ+D5
z2JMe;K6R&bMt<B|c3cX~m5#qE+Z(rSpVTGHN-*ry{_epzUTHF$YCm_RQoc}}(3?$7
z@FU6BRxK)fSc==2Q}=fhg}yH8vg%oonk8<Ci~DSq?x(357+injBb#mQu;v7p)iD;$
zu^2IWRv%R6VM)%`1y>Jh$cmFW6I@;V+C*ZRGfpb38lBrEW@m6v;s~WV5vth_Mtk=S
zwSX~|PDM>K9@ij7gp;fRmy_+-G(CW`sZ_~bRyZAAWmNaytn`!u8MdXzo;yN!n}^h<
zqLU2n6G*QT&~;c?ZRMPB(`%%Wa$tHGzG_^R4abbLSHLwP%(Z+h=fS7C2lYtYl#1r*
zDTD_rYCcTQ?(tmnwv35;o!h;~`XP31IGR+a@cn&u6x8RE_y2f>(MK<TEIE_46r#~#
zj(d=FVS293zN)3o;NmYNE-xy7LPr?ydn@Th-;0Z<@{8s}T&sK)@UQQNq|gtN?^(ui
zZ9}@#uvcsMZ$|fYjNDw~Fb&bWcJ|I(n78ua(Tc$WLm{*3Ug5TVdrTJ>9chVD=bk}R
z*;rV3YnYzV!|`pIVMoQ~w`Drli>IX?NW;G*oV?I@@%5GoPDyP~&8@{PHchQw`{6xn
zX`w<_Z_%{V43SrFy$z`+_==##zNHS2?h`oF1(d#VO^IZcHQtO<glite+OP3Um9l-W
zf$P|o8KsULO@MEWg)YS0h9*=bIyHVxZnt=C`5YVywaY2aG}u36X})yP%Nf^cSn!M(
zOO6-R8!em_^x+a7Z}^rQIZ0G4yc}0=#cT48-G`Y-I~RYgGOaL9v?J#E*X|ar_Sg-t
z(J5ZS9t&-@5U0_UCv6<o<n(zRY`L>>r!>{;b#rMBE*=`bc5GgHdSfRJs~pCeq$+W`
z@qw=Ti?DiCpE=Q$@}h!ou~6F7Pm3QLY|OF)@|ieK!X#j@L|!ueo;1D8yiLm6`DC{J
zmF8p0BSQg;1}-ye$I~zFmhiD|8sug6kl|7&n0*nNPUW!=Z1Awx{Xiy6H1fXPMq31Y
zNn&El9&pNbL2piuEKGpYnAH0k+by1&1*%eVv+(c16J=HG6HNo_sQpURi#29;b^Q%}
zcBCS?eCeVLL_C9ZV=;DlYfpJNhn*_vbQ-e4A}Mq!S5wmtdBX!ZZ$3*lDZ8ha4M)p9
zO)^x{?RlzI=F*b21JE~`vu)Mu4DD!enQT!=&unC7Qr4>|xWuV=1Vq-0kbXO0nK~qA
zBdDsJadFWr1;4;$@a&LtyE?oy;<UD(rQlu`vo=vfj0lr&barK?sxVaXrH_K?NsE6k
zypS{Q<zkH{_}Lx;GNEr081f%Jd<0M`y7XzhcO4brS|n5ljbi00xWf5-)ih<h=90V)
ztErKe=*6$UJm*sH|LoURD>6qM8u4UZ)%?}*t8GX>`F#MzsbW!4cU*__$E$8_X?=ro
zm7KGpH@1q)E$`uGu|CbLr@AUKc?pFh4$qfbSwF``e?M>MVaBTqJyns*2fyj981uE+
zn|f~FKLAHpq37P3NZZ=Z9%<e)YS@_0fn}1V!X9U!+D8DZLvW&1#&z(hY_+cMl{)j-
zCSln3l!%GXbHM{jJ98(RPDJZPr=Gh2s>HLkbb~g$IH`xC_3OQ(y*U|7pAJ>O3r882
zOC<_Uc978|w3##UYI+5l`hU~2U*Z(RNJ(4M$#3AbB&prxS}A~WY6Yr+pW(U#Fq6Iq
zP^R0+X!6?RIm=v~p)~cM8yH^p5^+PcYfSR<_51E5c`gMox6m<}_)tnLx9KDtas4nG
zgZaI(DF^RXXY_9XQ9M=w-#inkQd{ujRJ`_!y~R1RI_XSzqf3kNZ45=(yGPl^IS+EI
z+=AG=l>NKrS0#<YUIgj51PYEt#Sv=jWn&*2|1fzaC~Eq)#__;FF>J}hF1jJoPdB3y
z8ihfrdHbb3g*}B=Z)}7u1r=9b$&k;m{tZ(tI(?y`AF9dfo+0VSU-auti5dp9>(|VR
zZwP{)$XxJ500L4o6Al8Kf!Z6M5@qU>-@sMneSx<hx0#3VE{~2$F5N&#Wq$}+Xgu~}
z!2Ahczy&y1Qz9SeI?vtu7P^LS-cs^tG2Qk1vG-!U^E{z;vFBr7=>A?)-Eq7Fu+aZv
zZd!kd_e3k}!?%f{n=gFH{KK2$R^IrFdfl#meWHIPe@MJnu9!#_JW{ta-H>MZ&1QvT
zO}dshU;mg&62~m#rWqA4-L)SIoT*qS?u_Db1%EEHxBpyw2V0;Si!E^C;FtSE2jg)<
zkA-aHG6#<hy;PF^@DMe}p3+(1_L01?gywe~3$_5XNrUMre=M^ve_wmo`5a`QxC)%a
z3YV*9V7TXq*+|#oli!nqRW1$c*xV4kl_vB$Phl*@rYLPwL#x+yRWyO1^kmpl*y)b`
z58=(GmKaQcHgk|3?3zRRow;bDHu$t`T((D)Zz~;~&)o6>MzP0qFU{~MF@{;SIY?ys
zQx{zp>!I+R5%a*7N6P2Tid;IUp<w;tYTC5CY~Pmf=v246MaB1gRYkdrX+-PiU27e(
zimEp?d$<qVW#PUhReIn5pXR<ZsEuT8m)&*5;5EsZXq#yAk~3c02oNAJNFs+d$sm!V
z$xhe=6NO;OCJIRiOb}Q^n=EpW$N~(AoO81G%6rb9vtQjh_1#<d`*EkLtEOhE=AG`I
zdAgrBrYkyN8&VX#Y_d>y%Z$Tf3JOh1Y|IsgH<Knla^&*b{)iq<>PZ3xbQFJ_jxO;Q
z!b7YQ@~7h*N&z5t`L5{9;^M+o*Y*+2#w`redCA%wSSoL`A9WH>O9XhS%{%evnnP?{
z9%yggHX|{(05V5t?@K_fB<F&!34##~bJ=xzbz%9JuA}lH$zrIBs&F`TaI@uOdeX+V
zyICu2!A49w1S2`Js?u4>8A8LDTzxv}Itg`^dZ}r>ih<dj@n(?s^s}1SZE(x)fHj)H
zbHdR?oz6EE-d|3wKZ`yqmcO^^Z5f^}jG0hXy#KQR314s+E*{qdSD1_x_7KpIliT-A
zEzs__9>Tku(nnL>-%M`^I0aJCEaKl<I<;FNP%%<59&G^fY|KO6awxo_ULI{2Zzk}J
zm$CK_I<8TRN8CxF1ZQELI2N9Gen43Xf)If-RG#@(WOc#EZn>;2{B730^c>Yy-SpUP
zzWBqZ%T_+`zbnOjp?%3D1WD?GQNy=r(c~n86=un^&SI~$VyunKmHpYIn4ki21?^2m
zHugCh_?)^It`4KdV^UlHpj$N?^u#Ooha??`A70LTgFGM`4OPYp1%}3&hQI35*;dz}
zgxQm2U8Qvn&cKiM5Wno7=#o|%l9CMHnm1SkiWr3cUj6ZasqaR>NOKh#FSmw;A=haZ
zaNk=Km0nXDv%w&_^fgm;lZjZOX90S4qR2iqjXUi$2CYOdUMnH5S~?B{XTt^bz4w-j
zQcG%bh1XopWKLylkZ-X$x0>XF=`J=K{g1<O<oXMvT=>g0rKf4^>vp2wM284MTz4TZ
zqeI4dtI>i%sL;*s?I%AgTZ^b2*XFz#+y<Oqkol5(TqboRh)ee%H`LpUL-vVHfPDWs
zDiaAFSozH&ZFfdOS3k4Ir0py=L|xLTe;b_qjYS@o#v0B#e>*bzIfIa~effq~grBu&
zDca68GV4%P>NE8XWK1jH$BrIga}_#JmQC)S7?em>vHn?Y%&H+uelui_Hz}f=qt3{1
znT}>I-=???P@IKwGmLdII=t~KxH1Drk<(i9WsGA%vHQDnWsChqn(Z{z>t@?=z!xRO
zP<|iWi`t2t9y@;x)!-kUl0VlDP+dwxZuXG^ytKZ>w|RpX7Eci24ABF0K7bGUzxWH%
zwD3g)T58j20$7(iryP87n`i7uK#k+Want~oGhub2wxC9q4JM7deDz>GID2=mXCd;p
zDeby^J!^O+CZdU-|D%JQx73?v8^7O!w#z_}SESS0;WhmwtT9sLqao}BHybw}R<pP>
zzjBxFUz_E?e**Tw|6hR3@(-2%KLGoH&;Qzn+;NkT>8xm;5FD)vFW&9;e*bn!)E=<G
zw<0w))n^3ghJZt^zg#9xp5|&(=T>t4I8O|taJ~o0L)h#?ZE=s_^fn?>DZqPe>!yTB
z_p!lE%qOJ0p~0mJi3`vrq?yg&wWJ6e(=>lvsHLRd&@V_JxHGdPYu%9dupD!Qk&gwK
zD*N&Ad18>f{I!MCYw}<XM*`q-<aBqR)s*%QZ<iu=LM1&(;qgEj18_I#ewVtpp*)T+
zzJ6-q3))-Qg`l|oXfwg5RZurW_bR2P+7N595cK)+f`>5*h!v<!HCG@Srs}cCH*9#Q
zCf;YhaGIVL=Iz4MN44GclWc&OWoB1}ogDKABR3_v89K$v)_sj-K%E`>`>;G}_D(%7
zON=%Bo}J!LxN2bv$|)8w*m?N0IYCw~W*F+59rYyD^OoPkm(gyE?gn2M^xbTXD?^QR
zHMk5gQRapW2x9hYeIH5+o`^0WunEra&Wa_~f<Bue>Q1&Rl%}wg-pZ$vdkJ{=27TNv
z^FB8$=2>w_yWG(0d=BBTBm&|m5U|TM*~-new6)=5+}M$*XlHxg7Ib3-Ju_hH@YMC}
zUPT*gGOj4)%a04?d`)njQ6yKvXlXR^z0hDTr@XSRJ8+F0YS9H{#xfw;M)wu$uT#+F
zv2Vm;0bKUc0qQY^d<Dhn*G-;g16vYD6|Q{Hr~23@ai8!fdY@$#*jJ0JNyc{>ZgGR?
z&tpXgVz5_w$Kh~uPN=YM!Mv`)Rp6@rsA?h2U|_Z8oLAJR0*m_1KJzOqvB4~wAp9~A
z!CEFERr3ekU`zw1_Q=P38)yBnY*H-#D$kdD)_W>P6(pFRXuzswth8RBi)j;rmg-YH
zHd@k+ps~EzT<!*>7sV`Pr{n~x0`6I6T-osmlfVDvZqC&=`Sjb#_D*GP9$v3Fl-1OR
zgX_CJ>CE_^(^ici7{}>RT5pn&>`RWOWwKnS^<@TMQ%esRTYak_!zyxxMSvh_@0l*D
zf0KO4o$?vU#6Rfn8+O1=&$+)Pv_P<tnZvQjB*Tw&FJZTy36BQM=@Y9vJfF(@nR<_C
z#`IyR=bR9xIavGof>DF&I6j<BGW4C0MZL=DK|Gwo_Oqt`UN66<Q^?hE{&*GDtHw&j
zx-J$Xbtnq9$9}a;E6LC*T@!xu0b%DNJdk&>GdtL5ChCoVr2u4bzy_W3_$v<f8vp>Y
zN`25p9?6zrdWKmMIzf+p+f|l5i`94Ic*JCyzL8b6fz2xEjmU<v(#jS@NHJ=AInSoY
zHnv=2^ZP`zf_2scSG`Of3=UO`dy%B*dU~Qo<}xk-P~^s>_OYtY%j@e*RZD?=#`PIT
z)LB@;0-f&y|L1=(f|!&O68tThx-0^^A-7agxZWhw7_$sHOiiF;igv7g9Yo39u^#ry
z_~mzP+{A4*iXum4dGpuocxuaj<_P~N^pLtpr{t4}GgUR_6U7`Q^x27qSQ^!OU9{WP
z#6_vK=SktyUaMjjEz;4e>~CCXd2fMTC}7)2b`V~80ud&@veF@_^r(`x{)Pm-3d6R&
z3!CDQvGU0?LjXdmLHBcsIq%qH^MO`g0NGn|EY}sXj#@WsjbGOs6m^D~Q>`1)WJ1En
z28MjP&{Ay~U%pZKGU+zZ5iYAvFTjG)+LcmlU2l!<Vij^s@}dKPTc)bTOBS$?qLwYJ
z@51vIj5larm2n_vbh=cat~6K<BB{z|uvR%hlEnLpYfFWq^R_H*RtcPt(ObHD6!f<t
zC*&K9&z9F|J|CTA(u3yA=T~mZw1~Ea&b`PW&p=zJ0e{f>p@;W79|RJZh)G4xwMbT+
zv=i5{B(yBw<CMd?(JowMjkrJ=OYkj<@0#X|CRck|+eU@WHU7lmTTBX~&2Q5X;L`=;
zv?GS0;a(oi>n3_Ei9JD{dAaUm9!%4?b&NX*Sx1~VXj^Gnta~?<BRi(MUR{Uf;IAmc
zbcrAm*-RH^7C+|ZONT@_a%ebeKb<-)aGC#bjuR*Pyf3XAwUDq=jXj;o=!h?P9dYIG
zUy6L$e=72&{vQ?j^L6U{_>s=dOT%5%?y7g*slo%Pm-OE1su}5_e*95U;huL9<O837
z7T?l(&4F~~v?P=xA7z3MzI7C}s;u)HtlKTWb;TOcnx?0AL&!&WY`7WnaO^V}puv%w
z!p=YMeIG#lL{RU9Kg1AxXe#IGTGALUR)vT^t_U7Q`Z}>0V?~_YKH@97VZtsVi-l~*
zqX@wWmr6k>K%!!-YF8X~`Zga~FB-++i1hCb)vx+$XXtO-DzMxu?`Qw$>e`o%WpENm
zt~;|rdF_j`>5c}S5YAHGQ~W#D&<QGWT``O<#kt0sOo||HTPpr2>RBLRvuWt~M)BIX
zeXHVxo*MqDZdZiAH#L1>1WPV4*yyBeIuR|z56^fmm`u8gFsfNyNhkN&$WCt(H`g;=
zpDZs0<^V!^^-cH@=KMqO&mQWD?Va|nM)Dk7oU!&?Xr|&cK4Iy@AAU^^l+5~b(O@Ot
z+<82)h60O)yl%KC52%O8m1jKJy65~AsZ@sUq$Azqx?FB(?i*$t{%j8R@ZXpYLF<uQ
zUfvx&AgdR_8V+g|yYqw7yI!9add16(<*B2Xr}<~QD#ESe0#2j_h`u?@q#)_p7w)bC
zXyk^n56Y^MNdFFB%@X8}?FqqhUq3@GJGPvTot?i^YBIVXkmf~4ujxq}B|nHkm$P6o
z0?cP$;C+;yu6Ila4^zicj+-}RB;6b)A1UX;w2$#RU&f78F&H6CIA`E(F~T%8;6#PU
z9DoR(bX?XJw`U_IT_VoXtGB({xPft4`W2y?4K)u}#^LM>eeCR<R@iQlwg}#j;L9#U
zanad{^*1y-5j`-)b1o(MKE!5C6skb5_jN$^`F(=9>nN}g;8Lo2LU4@eo=z;@KLRMZ
zUh3M<z+Q&vM5Pb)GOY9#;_Jo}M)%r9EKsazh>K!_dKD9=Svw}=&wH{BSqt9Oqnnr7
zet%hhoR!RG%s-ELX~Ku$lSIfQ)(+QquzgNzhBjTcgM;i!L5})vLB}$ZBU_G(oL(=n
zSE;7P78@n~P-WxHfVK>c=Xb;s;xFzMkN%A99xzUqST|mhWwhaKGa*z#=|_d>MYT4Z
zK7wa9ALsFBBNXv`@O^|Jzl*EdYF|bK9)Q&lwB``VH9i|nl)iL{!SJUF-QTS_cL^~C
zIsSz*RY#nhWocQZHdIr<j89}`t_jaQ`Mq5cG+^Da?Qcj<^Aq_8lH>kF@{aw?#eX0<
zgWEThw>cKoFX$?%wMUTSTJuWcJKoHPRk-QYt_s@AY$+<1X`V#q2*1Uu52VK88PsG)
zP&~T;r*wqm0Ns3Ca;MpE6vgygP+4t#a)7KUC`hm!dQ78+=N%Z>OGV;Q(M#W$Uze-I
zCEjM9fy0<It%b!#-UUnViK-c0T51}V6;B*;i|RR~*?fqRf=Y*srF-1O&uWa&B^WmR
zp*W!Zk&sYTI9Hh3ToI>vF*x;$t;DaDzes3N>~)Yd8;4C#U3Zf~qB$ZoZdE3!HZjmB
z39noUZ@QVmDHQ1CWnDFY*5vY5r$d3)uwwX>W#9(S16nZmWou0)Nb_mnSQ3Cw%%*J?
z0{(ED6J)-o?>Z9w_J+Abg=sCLI|`vVtW%HMG;MzBV5j$#)gr^Us;9lk=TnT_weA8^
zujNur5Trw*z_T&lW^masi+5w^h<)2E&LUN{kjHq7az_~-@JS9-G5=u%*E|R`q4sXY
zG6S|V>I15VdHxB=Z?%3v+S>cDpZGMOdx}THo>Z_wAkXab@?7`11k9I<;JD>TKLdl(
zIPVE6;Fx;nUa>tSC?ERF3U{4*u^h7`DvxfaS|z+A+qukSxbW#9>cUQD0$5uOp<u{{
zXp}YIu^x7F_RjDpQqUsFG)AH}%5_8+vo*5nL||Hz9b^yYbjnU;9phwo83e1o(iM`l
z+IR%M-5Ma1Veh^gDx4Uf7m>yFkd>fc<5o;*TtmnuXChU%QU~_4uPqt5--qT<J|6x1
zwBS(V!q|Q)D-8P#-SbwMaSkQJopfz>tl=-XPG5GlY0q+)I5$^c>&+A{2_vH74~z~|
zX@G5AX$zLPZ-$_xM47sdlDZ8?1dg0~!=aLwQrJgZ;s=U;y)Z-^zaRtYXHyd?6z_NS
zs*%&5I?%$)+FsRfIJz>&pvWpaEn<8H<=w$G$u9u#7D~~>W2^jl#iUH!nk-*US2Z01
zDsl5yM>X45K>AUpKYQr%>^0ompKwCaypmJuI-ZnS)S-+s{Tx#$iv+q%x@K423_suM
zu2ai**OIG}Dx6MY3RAP%6!MaaM7zvjv)1=8{I2C?Ze^N2;Vj^oGrO3kW;65TBvoZx
zg-RB&8(;cOaNjz2k;@D?VW4_Y=9M2GG0#!<#Xp2Yg^sIrnCQFe=#h~6zNok+`pu}d
zN}A<@;IartVlKDv-Q>@KkF?j(ZJ`FgUdsJ-Og%cNJAW5(*1-a}8_ar;s!bI>iW7>4
z6s~^xd}Hl&HG5dT^7f~y<F4(tb<`v{U5n;p^?NL$AywpN4!cT7g`2gUao!=B(Ax0h
z6$1>;7``LZ#vb%IJmN><n2m$u=@$d+URC6R!SpD9c%UT<W6YXyJjXzOst~E#!f(lk
zt@rTv(7X-fpX*N|P4kVyxQ@AQ(1|k9pkG^>8u0m8YePlS(D&Lk_9mGE+ss5{Uk|cQ
zi>oLPKqUJ~^s2f=VGa(fer9t_$;|PQc^n7(U>n8iOqXn>ZqgMgA_?*H6ZcI3_j3=m
z_f%z$DD&dngYXNMw32jnieDwmhGLGAKgfWwO4fjlO=)PZLB0X(aJ;mwEK<R=a(W#<
zl3Y!eCVSQ@sCVCtv8o+ga#-KhX8ZLrk(5lKl8euDlSPW&mt=qNj`xKnNqhUSag#Sh
z;g6m_li{*-#k%=bC*f;{if&O2)r+@wgE~{%k##kfERm*);QW;wngibI$Qh?V74Gu0
zwk==+Ok14F)0@u}eL7bERX3laL|&Lxc*}NB9(an>uJytaKe^1S7|lK&{K~QOD;+GO
zy~EWNv(5%Hm4xRC;djdfHNo~a6>b^=*#`?HSla45ZlkF(U5%<b|NO)F^?Yiv3rjhi
z3R!~Kg<Ti!{`9y`z;=!69cI2LbpdV8%4M;zxWeyC!L}!mhoqCYhhAG4fFwfurOWe2
zPa-6{JeC7~`T-P`=MO50GOMr9#;LQ7IJvB@V1`u!Ers2f{7|aT44ew-lTVF8{PR|m
zf;sqG6uaQ82Q2;97R}8@WZ{FPNJ5>u;6uIhM>JXoxIf)LW%|BfTgUF+XD~`2uNr3P
zQf7Ktt6*v|!=oYZLDbfM4Yerb2JqVZVQukrv2<1Oib3dXXZ&;c2v%j-PZXYv3l?)F
zIiU>XW^*q(lzBW8P!d8pH?_9WY#JJZOWh!KH~x-NvJpYj*H7&#cMo*2UpOe<%w^Ya
zrN2_C$?qT=-l8tj5n>w~lS}ujzqZ_U9k*_F!>5fTBa$X!u;zh9EU`jSA+J>L)0R@g
zq(@3OmdSYup3}`zQz5L%ZeC`{uH}Q2mqT5en>$dqtVu(?#a?N5R~r`~rQpi~6EAbT
z>wR?v0ssJJZJ6WJm@0Kfw)v-`dec*~@3oGsE4!z_&|_V1@s@_y0~`7wq~g{Y=b8xJ
zo0Tl;<JHmXw1QI^LU@}~#pkhwxuO+?2K1ZC8KJs|<)&J~w@4YJtfV8W1fsZSxdU<|
zHmZ3^Qs>F)j-Z@*H8MuFu5h~YNQ5gpFDP||q_e^^>AjRH<ISU$rN(fRP~Y$0>QNhy
zH40wWwglVSmuBZn6^WVA3WPE7#T$nfX**sS(P#07tlwn+8YL^MR>y3tl5x3179ohu
zc0n|fAW`b$ciQ&#JX_ddT1D<jDFC}?Aoq+=H_73bW{ww1DqxzrG&(Lvt%WbZuP6a}
znS!4R>=Ih=c;Yk|jx$!Uv}S!bGWwYXk!BVRODtFAvazpwqARq**Z+`0d^`;?JJ4$M
z4H6n*EE%#KP0WvvAzpR&-w|9?ywN%4stDxyGyx=sSI-Nk(T{8G@l?`7hF2VoydZ@U
zgf$3s2szaotDf)eZS*>0Reu1*F48WB%eR?qGq6v%DmdWk-@#P!jHZql*IGI?RtI_7
zFxq-meRPj?I}RJyL?d#GqRI@fJ&<e2hhHHKg-$!gsqfvX>H2m_A6pGybwsT(2UiRk
z<HpO-DLEy;&EE8H7%N77sj|213*b9HK5;lQ52|!Ko#H(xBB{qFmf8<;cktnRZ7u>x
z#ju7{tilZL^Ol91fz~EVzNEm$-67QHbbO?Qd&P{{hP!@J`cnn96MN`TY<TtJ??XM~
z>BEH0ebW@hKy&66TG1fl_3E!Xbz@?(CM7a`MqA`hlzg@Qd5JY!-VbJ~Hz-Hf`I9F3
zE262)cr>xPEo1zs($&S57wZ;MT^AwIbvv^FiBN2MPrw8c8(66+UMY*AScZKn<JuC*
z%~Qn%W>-@5ru5=a^s`BE_YM4VoX1=Mn~rwU3aM-6uG9mNkp~-NX|113O{d-f7-HG>
zNROkMclS;FI5?W-h|c)%#fN{d9|dA|*%iy@1>bgBNoZ|y$4frb?@R$wCqGHH$6H%u
zngaFsjyscN^Y1>+;IClJ^-wZy%vM+dT~pM*+KsyY2c491x|@7mgsj|-5nk^Q*`*}1
zn4elIIYTqw__?M`Mo6^Z&MZv(-k$}3TbIR4geo#Q$Glq3&vVqc#oS;+2}WB%RjWs7
zQ76KIkJl~ZL{?_qIqJF+oiXP;s-r>+)ZX8GQlo2a6_;;rI$HR#&J{GA>-eE{GpB3`
zTiSQ#Wmy7S5B2D!C82I{E^J(EssTd;D}s<wO=x$!|Nj1j#dLl%s7^3o%CXDRDV<WW
z;#$ME`tow$!dBM?>!F?GD{BQk9OYx*Trr_K2VUe647YO$cK3S4CI+rPOssqnyJlOF
zamw_|4{9YpNVlkRQ_2CAUvzbg??gC+=n$*+k>)Ax(|E9i)6-+A@IUB^jc7G2zZL<s
z@`1(GY0+lU((W?pAebZUn%J?#_xpoihrSI7Mt{KhGvi)H*P1Q)?zr_N@knr2A*0E|
znlmsBU8D}SOW`5g3W)j+;dF)WnM|ryGkMani0T0yHGDjtp3TtHUC89j>eS+gzQm8o
z^IpXkLSg<CmPFz@fx2kiqB<1spQj<C4DW92X|-#tmb!0Td}JUWsKl7t7V2sfR%o=D
z3ETDLJnl<=#$|CoU*jGfBly`EB{qmyb(|DDnp7cDUS_V4!)zF|YXYThG1klYcswlc
zyPUj&Zjqa=%t%5{7LjZ+4cOTgjN*9bxa$L}lr^3%f~iD5NNl2!S=u)=--JaCPYc?S
zFHc%73nb*v52s%6_8wJ^)0T#o8eHaEXbR%yrYVQ<u_H?udGrjF$f(N7fD^h?iXv8E
zAkxaW(bGvBU3%1uCLo`~DE4xMacJCJn(vtH4N<=HyINW6g<tdkF{FPEIVw6`QKJ#m
zwq-leUS5?-tDp1K^m^4u%%}IAL$2VMdr0PMIH9*^?m(*<f(2l{v4ux7IpC5TOY@QD
zk&wF+g3Y3l<=NGP{m>wb-9_uk5QhD7IgGUy5MR|Dp<#BY)0(8nKURMow)l3ifaVk5
zXRXln8e3yb%3G>#?T}Kz%O1R9d5Q5qzyFizo68!4XFTb_l9#P%k!J|%A9OoTM^xo$
zz4Ly-Kj@OC*Ahw`M;T4!LNELRg2EGfp>V{DPJ(D?v7;B&PlD|m`hc0=PaE;fs;+ew
z#`e{nuQ)@&SZJVc!>=LSrQf85gpMwmD<J^k!76}S=IC7AuaPG#5$#8+vP=RW2}Vlg
zz~oXJ2Y>g2--A=S#_~!P9{|NfZf#h?Z&7L_cT1CG*YEWCWK)C5R@9MFXs_u8_+`W`
zQc=m8ftADV@vTCG<g62=XZ)KkMQG$6N#~>}Xz|3syJ6GjEE6+7`_nX~wjU^1`B+tC
zWwE3<Iw=ivvJ`9=h3;A^jR}SMrIfaQe6ZX1d(jtOBkc^g5^t}pwvf}an>+mK!>=-v
zO`BfC;Q<EMJ+OAu-6p;6af2@T_%>W}LWTGlj5MR#=YM=iVCpp?$O1^{X>c+<RIfO4
z(tQg)0-F}7YU~It!xPxJF7!=QQllo1QwMzX&ArzfA}CN0uV9{2ausfZ7J4x9VW~d#
z+i+^=tm-F`JZoo%3~Ni%ANzRo&;~MVW5@5EJg0?gpTH=SZb72za!*kR`8X}qkIF2_
zhM0ktpPJp|hAXwq0YD|9wR&;&s1tcY-n@xK?Y>W3T6SR@x!W3`2C~5)DdrJav~HPW
zl+v<;#65shPj4jzXPNg}7%X=fM2LFG@jq>Hrn}Ws1ixy*6VmE`<}Gic*flP^1-RV>
z%t@!PJViV&IplBduNeSFikasd*^nH?tkNe9VzN`eF2Q#=hkEXPp=rQ^9m^;rU^@hi
zcC6rR`1(Y*#;LK$BCK4vPC`(Wl75=za@v}`eqc-1*@-yVo;#0rpwk!6Ui*vmOyomd
z8_cV}y8j$B42zxOC3<Q8xu7L{MM&JI|00UF_eJG((IA_6zVuC4ZPdrjF&3e9><GHI
z04v|Hxkz&req`cdGCIC_FhWpr5elK96Ul09OF3OqZJxhWb_RVGZ+3NB21THR(qhy|
zinMRuE`vsdj73fBlyPN#vWV12@yw^!2luWLHP;^mOqsp0bcpK`d#4*~0IKGmo@vN<
z63qHxuNM>m3!76A<q*^JC3H{!XWiE?_6jZ2uFL<O?n^g0)an_ZV7N7S;^}ow2oWr2
z!wR<W!o4{5VS*0iLq!VwXS6l}(EzBXq0q*?-qgEwcfZ_zcNnW;f@=1)FgBL*kLido
zZRrmDlI_L1*J47(@owV@D(R;(q;Ky=6TBA*aX!3c_yjF)1TiVEh?Y2Ff}2I}2fyvK
zHGlaw|KEo=xe9ut&<J~kh(#GW*rsptA{`Sg>EieH_u~!aw+kb$uT5V1_3u|{=YLP;
z^8MBigDICSw+QPVsTS?(&u{%mcWs__@rNt)0Tvw}zqhCfn0|ccr&p^8>zkuLE#z~E
z0fk$WOzh9?t$Is?t8lPYNCXEx#;0{e<aJ>%^&^-lmL(9EE$=f;(<H2*uBDnUsxCKX
z=uz`mau2$UVH=IYJ&EsZ%nGq+vxy^R&gdmckUJi_aTk-STVp!42G1nm^mn@t)mIk|
zxI|*a8W~$mEl5^bY;x(>z9`o+9A?5!g><4O6w2fCdBukYcgV_~+IJX`lOsj2+C<e=
zmyE@ZbwA+8ZAWyP!wSDSrC*F9JUa(2*|k6?MUQK1WwLGq*x$E$9IHDzivc8vd<@id
z@07#w&tTVaV5UjXzJVC^MfW_v&Gf4n=a;TEz*^7O2tKDOM2kXb0n{vOHDSlvCOOsb
zoZ)vDiz?nD59XJ2EY~#Se;C<huyx5Y6>4<LU7Jq3Db?2Abr+qySDTW@nIdWUVgp%E
z^X9q#6MUt}5u^rXT65@ejkVcJ<j#qzdlgj3)3-pm%j+xHAU|vGWoyZvgN6j7IO{Vn
z4b1&*wf*@PZGGjC3)c#HOvhQYQ(nh;fN<FnI4To_0TkrdgofvUTQ<5~RSj0^$&YYr
zuwcWU*XvkI!Y^(RXM#$p4thAPZ#dvX2j{63mx2k^(4|J+uVELWuG*s+o2AHlk{=y_
zb|dno&@1HSxYX=lvb<*Oehzdgfb<GrVt{Hl3A|g5MFMH-roh_rEPk@An;h7n$=<)Z
ztnhAhdi`8Y)l;l^)sn=ZQ#1G475Y~GR~FK3ykFWzpUDt!<__Uihw^l@WS!{Q9Z%K!
zqsNV-lAuGh8jJYo<x$c|`WXHjXK+p$;W-k6Z<Jbiu!322xs3wx=i5LGE-rcekdxn9
z;;&!o^pX}q)a!O;*{StHvXI_SMbG8{jZ97-vz_EJ1sLgBUN9DTr(IzpW~w10X8Qj5
zbJ|v-Y79+^CdgE$YdI1N+JKymF*c0ZhJVnNE%>MtJVsr|n}GSq)3C7h8S%!aeO><W
zl4mKU>#IPM8Cg4>)pW9N@Cd(EoXJvdqe0ILr<hM}mHTo$sFXK)g@vC}B?FNuqTiTT
zh;`Lj<KrP*+2c9k&L`aGx#_rD1Vzq7P=iZjWiNv!iJ!wb11OLQ4vIEo7VX?-$=+xI
z2SgE8fp?0K8vUseGlB8GO5s2`INUeTry%D3H}e<6@KULh#40S!B*ZX!OYij7Kx8Qd
z#)r)$$fI#k)5IGIMu3-`hqz|UhM3RD7<wiDFeMLqsQ2_jIOBfWP5_K@5`JR7*`!Dd
zhaC!zWjzJI4o{P9r4>R~$O7JXEYSSLq>UWF!B4Q$p@1HyX{ZR2#VNRQCA%0}ZQ66@
zwdi}ZQ3=iM9o){b_MB<*IFL?cRA(qmS<yu+6Z(F5dYGWdq%!P6j)`6cnbZA{{3)cf
zU8h5v->4@@%xYA~xwsa|Mz6@T?go9DVp$k146&HPoQRBP6riY98O_HbQq)7hvR4CD
z+9Xz4pokQpu>Q2AuS9@qAZcBI97JC!uBWT<8r}X36VOElS?yWl-R_b7Q_qVr$rIKi
z@M^XQ2Y-Kp$qX3EAIN27$PHi7HWCdMdcEQ}evcR+zW_m5%9maJeAG7Cy8WUnczLcu
zEYV#a>iSg71w9vZY7EgHR1*x<oj$S`D99__+BC4yeqQ0p+m2@!v8$WAlEUQ!z0Jr!
zXtcMBx0$~AXahKxmU;PHdUAeBlv?|A7w)GCl>LJ)N`81H@P4v{wN|evWVn8beJWjU
z&9r1VR@BFIQkXs56K>I}g=gZ7O5%fQYA!rVV4VBy-%PR_sB@`H<Za5EnVl#&vjpKx
z>x&L~B8YSUkPLHPK78kgTp?PEZIPT>>hbT_DcP;1UALHfs%1B~!eSLSIb5GoroVD}
zOgVcS*8CjBrtCL{-j@BzakaN*%`<o;0|GxNS5Q7Sc<a-+SF;)Ek5d?4cG-v>7$%M{
zuXt4`T$pIl7EP(zJk9Fmb|q1-yXHHb>WO^TUT<@rs_BAPxpk?&wqTYLn!J8A%JsXA
z0KdalOpHU(aV!4n%@y}03pu-9)cXzbYO>a{vsb_094!KRh!WuDBrZM$D?+58e36vc
zunRR3@6PIG@<C^DGGqO94X1K5ABPrl+;20B?5>rAXC3^<Z6!+Qf!=SIL<Ajrx0Xv`
zGs<<tFc%CTw&)Fp#!USc%qWxaVPIpS{QO_fifOsL=@DZ>X~tjE#tSW4w8B96#ahlF
zj+&UZZN^M-NA6J<6k*1^FgEjPDkN{z#gXLT{x|E_<h3`WA7TC*5?B|6>%hG8a%oCj
zXo^-NpQ~e%!`b(@eIv?|>DOj)X8ndf?`4jH!G^DiozPV$OOB&}CasJkhQB63o*+E=
zwl#Lz+Fvw;0e|=}{|BAwj+qPRW<|$Lu$!+8tZ}fxD9IprVIh98Pmwh_Sp@q~%q?jQ
zSh8i}VNst=(Z5J{XfO6Iw7kwEE_ALlHhQsk=|w<Ead$=khm7XArV0_=S_=&4+aZ(Y
z)1b&v;TC>qsbM*&+$ysDm*Z3dc;0Dg_C(@-PWLy7GU`_rW4x$w0QjA)MI$!jIEef{
z38~zt4iXMOk*{ZlCkNlwFb&}_@{g!bfBacYjiUTMbx1lG^h$39Uwa$!mIgkU75pfB
zvymdy3?EWy^+amf-r$tSj}#e|UNV@+=UMudp^e+@ZYgXOYF*&r@K5Y94Hm?|XnM<0
zGq*Xq{l?<RCb+D3GJK!+i|&R~Ci7upTw$<qO6J1Xl+>Qnaqk+RC+x#{3#(m`x!s>(
zC8bA>S8UEigl=2t1+=r_bVI8_C{F=+)1YDIB(x!(MHBb0&!;=`6;f|8nvB_OXAm@N
zM^^OK)lp-dqte9HfpuFWUE-BMOfH;IHE6w_R`S<8$$pgo<#Kzl$LG>o3HPzOG||Z)
zAEDlFYK%|=F0(gFYo#jNcuq7$aZqhD#2yx|Z}d1$KmRe2`<9x$cHK698p$H>CmsiT
zrVlD_9A@}346WL9ss4j5ZDOYSI9;r8RRbuL9-Owyhz8)?SKEv779$%z=*f(ACmz+;
zTX;<U>)kVm8dDkqX4FwT)Thq0ijVX)Ul{JvwhoF47b4cWGeyh89;SBNYiu4Z4~NZB
z#^z^}TU=?MP|7R!R5+!$6``m8&C(d_EBBG%*jb6V7Gts+ATN#NR{}UDTcnf>dd)fR
z{Cx*8Y{%2R&Dih1vT5C|usq>CsnCF%2)0Q%GSrSKcwC&pLGAeSk35Td<DzY4Qd(ob
zNT2u4DbrzdR7*MXcfqv3AjT)9J(RLFSoF2MN#M-$IFZm@+GhA7^-_C-!$b&BeT`_&
z`{@t5%ONH;=Qk=PF2x*1V6+MdZt+9I6MIj&^qwb(JWQ|Rs{t^J){!#C1J&zw*&SCY
z!!gWAc7;K(Hm?oK9&#Eb_u{6OwEnf7Z0dGh>56T&&~$>r#h6G6PZ?;!f|JAR9q(WN
zA1BnM#u(Hkx>c%!(yD^q6TDg{hyzq<c0YPz0aDExB7h;kXwyrDX^S--B-a1+5s3H3
zfEf#UI_6f%SpP-$*r~+)y@6?GH(hjY`xlKt6fDu*$bV|HUnzaOn0OCli)$+|qr0O>
z{H^%VHGg`1ZBRb1_ovh>F8&}%iDs4xk5AX^QOC`A5yM(byacnf<D}f}Z>#yfa=umX
zpkx|!ORBsZb5R<J0oM5m2H4v^5dUjxzx-=B<Nq8^aH@55&QH=~DmAm~U}p@Jh(p`+
zHZtT0Y=J)`BNP-T^CxVBCw(XJ3lpyUdm!!_%7FT=_rgZHLT~V*Nkcq$m9o|N(+mk5
za(Z+k{EzYP1Ywv)5KL(M{O|4W2aO>7g!x2w=f5Wimn{cVzLSG3!m;S{8$Y<xvQ+;U
zg796+I8BNf?eX8+-;aOL5IVm9Udlgc$g${OG=xs{ze<^<`z~kpKlg@4cm7X$^G`YA
tf68I{krpiVU*&w4A~*FvIA#*h|AQ3e|19PIt}ha_zGytZ@xS-we*uoY2V4LE

literal 0
HcmV?d00001

diff --git a/tests/mqtt-connect-rules-2/suricata.yaml b/tests/mqtt-connect-rules-2/suricata.yaml
new file mode 100644
index 000000000..6fb68aab1
--- /dev/null
+++ b/tests/mqtt-connect-rules-2/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mqtt
+        - alert
+
+app-layer:
+  protocols:
+    mqtt:
+      enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt-connect-rules-2/test.rules b/tests/mqtt-connect-rules-2/test.rules
new file mode 100644
index 000000000..7f3655ef9
--- /dev/null
+++ b/tests/mqtt-connect-rules-2/test.rules
@@ -0,0 +1,4 @@
+alert mqtt any any -> any any (msg:"MQTT CONNACK reason code 134"; mqtt.type:CONNACK; mqtt.reason_code:134; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT CONNACK reason code 0"; mqtt.type:CONNACK; mqtt.reason_code:0; sid:2;)
+
+
diff --git a/tests/mqtt-connect-rules-2/test.yaml b/tests/mqtt-connect-rules-2/test.yaml
new file mode 100644
index 000000000..34b3cc021
--- /dev/null
+++ b/tests/mqtt-connect-rules-2/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: MQTT CONNACK reason code 134
+
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature: MQTT CONNACK reason code 0

From fa6a630fa5950388674c8eb8bced6f86dd2e452f Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss <satta@debian.org>
Date: Sun, 20 Oct 2024 03:20:05 +0200
Subject: [PATCH 3/3] mqtt: check SUBACK

This requires SUBACK matching support.
---
 tests/mqtt-sub-rules/test.rules |  2 +-
 tests/mqtt-sub-rules/test.yaml  | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/tests/mqtt-sub-rules/test.rules b/tests/mqtt-sub-rules/test.rules
index 7639ec7ab..af559f020 100644
--- a/tests/mqtt-sub-rules/test.rules
+++ b/tests/mqtt-sub-rules/test.rules
@@ -7,4 +7,4 @@ alert mqtt any any -> any any (msg:"MQTT CONNECT flags"; mqtt.connect.flags:user
 alert mqtt any any -> any any (msg:"MQTT CONNECT username"; mqtt.connect.username; content:"user"; sid:19;)
 alert mqtt any any -> any any (msg:"MQTT CONNECT password"; mqtt.connect.password; content:"pass"; sid:20;)
 alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBSCRIBE; mqtt.subscribe.topic; content:"topicY"; sid:15;)
-alert mqtt any any -> any any (msg:"MQTT SUBSCRIBE topicY"; mqtt.type:SUBACK; mqtt.reason_code:0; sid:16;)
+alert mqtt any any -> any any (msg:"MQTT SUBACK topicY reason code 0"; mqtt.type:SUBACK; mqtt.subscribe.topic; content:"topicY"; mqtt.reason_code:0; sid:16;)
diff --git a/tests/mqtt-sub-rules/test.yaml b/tests/mqtt-sub-rules/test.yaml
index 2b909e885..0bddb81cc 100644
--- a/tests/mqtt-sub-rules/test.yaml
+++ b/tests/mqtt-sub-rules/test.yaml
@@ -47,6 +47,16 @@ checks:
         mqtt.subscribe.dup: false
         mqtt.subscribe.topics: [{topic: topicX, qos: 0}, {topic: topicY, qos: 0} ]
 
+  - filter:
+      count: 1
+      match:
+        event_type: mqtt
+        mqtt.suback.qos: 0
+        mqtt.suback.retain: false
+        mqtt.suback.dup: false
+        mqtt.suback.message_id: 1
+        mqtt.suback.qos_granted: [ 0, 0 ]
+
   - filter:
       count: 1
       match:
@@ -109,3 +119,9 @@ checks:
       match:
         event_type: alert
         alert.signature: MQTT SUBSCRIBE topicY
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: MQTT SUBACK topicY reason code 0