From 68aead024ab4a93ac83dc83f5ba61427bd1401e4 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@ncsa.illinois.edu>
Date: Mon, 1 Oct 2012 12:32:24 -0500
Subject: [PATCH] Add an example of a GridFTP data channel detection script.

It relies on the heuristics of GridFTP data channels commonly default to
SSL mutual authentication with a NULL bulk cipher and that they usually
transfer large datasets (default threshold of script is 1 GB).  The
script also defaults to skip_further_processing() after detection to try
to save cycles analyzing the large, benign connection.

Also added a script in base/protocols/conn/polling that generalizes the
process of polling a connection for interesting features.  The GridFTP
data channel detection script depends on it to monitor bytes
transferred.
---
 scripts/base/protocols/conn/__load__.bro      |   1 +
 scripts/base/protocols/conn/polling.bro       |  51 +++++++++++
 .../protocols/ftp/gridftp-data-detection.bro  |  83 ++++++++++++++++++
 .../scripts.base.protocols.conn.polling/out1  |   7 ++
 .../scripts.base.protocols.conn.polling/out2  |   4 +
 .../notice.log                                |  10 +++
 testing/btest/Traces/globus-url-copy.trace    | Bin 0 -> 21556 bytes
 .../scripts/base/protocols/conn/polling.test  |  20 +++++
 .../protocols/ftp/gridftp-data-dection.test   |   6 ++
 9 files changed, 182 insertions(+)
 create mode 100644 scripts/base/protocols/conn/polling.bro
 create mode 100644 scripts/policy/protocols/ftp/gridftp-data-detection.bro
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.conn.polling/out1
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.conn.polling/out2
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ftp.gridftp-data-dection/notice.log
 create mode 100644 testing/btest/Traces/globus-url-copy.trace
 create mode 100644 testing/btest/scripts/base/protocols/conn/polling.test
 create mode 100644 testing/btest/scripts/policy/protocols/ftp/gridftp-data-dection.test

diff --git a/scripts/base/protocols/conn/__load__.bro b/scripts/base/protocols/conn/__load__.bro
index 8c673eca85..719486d885 100644
--- a/scripts/base/protocols/conn/__load__.bro
+++ b/scripts/base/protocols/conn/__load__.bro
@@ -1,3 +1,4 @@
 @load ./main
 @load ./contents
 @load ./inactivity
+@load ./polling
diff --git a/scripts/base/protocols/conn/polling.bro b/scripts/base/protocols/conn/polling.bro
new file mode 100644
index 0000000000..7b9bd8d6af
--- /dev/null
+++ b/scripts/base/protocols/conn/polling.bro
@@ -0,0 +1,51 @@
+##! Implements a generic way to poll connections looking for certain features
+##! (e.g. monitor bytes transferred).  The specific feature of a connection
+##! to look for, the polling interval, and the code to execute if the feature
+##! is found are all controlled by user-defined callback functions.
+
+module ConnPolling;
+
+export {
+	## Starts monitoring a given connection.
+	##
+	## c: The connection to watch.
+	##
+	## callback: A callback function that takes as arguments the monitored
+	##           *connection*, and counter *cnt* that increments each time the
+	##           callback is called.  It returns an interval indicating how long
+	##           in the future to schedule an event which will call the
+	##           callback.  A negative return interval causes polling to stop.
+	##
+	## cnt: The initial value of a counter which gets passed to *callback*.
+	##
+	## i: The initial interval at which to schedule the next callback.
+	##    May be ``0secs`` to poll right away.
+	global watch: function(
+	                c: connection,
+	                callback: function(c: connection, cnt: count): interval,
+	                cnt: count,
+	                i: interval);
+}
+
+event ConnPolling::check(
+  c: connection,
+  callback: function(c: connection, cnt: count): interval,
+  cnt: count)
+	{
+	if ( ! connection_exists(c$id) ) return;
+
+	lookup_connection(c$id); # updates the conn val
+
+	local next_interval = callback(c, cnt);
+	if ( next_interval < 0secs ) return;
+	watch(c, callback, cnt + 1, next_interval);
+	}
+
+function watch(
+  c: connection,
+  callback: function(c: connection, cnt: count): interval,
+  cnt: count,
+  i: interval)
+	{
+	schedule i { ConnPolling::check(c, callback, cnt) };
+	}
diff --git a/scripts/policy/protocols/ftp/gridftp-data-detection.bro b/scripts/policy/protocols/ftp/gridftp-data-detection.bro
new file mode 100644
index 0000000000..15acfba65b
--- /dev/null
+++ b/scripts/policy/protocols/ftp/gridftp-data-detection.bro
@@ -0,0 +1,83 @@
+##! A detection script for GridFTP data channels.  The heuristic used to
+##! identify a GridFTP data channel relies on the fact that default
+##! setting for GridFTP clients typically mutually authenticate the data
+##! channel with SSL and negotiate a NULL bulk cipher (no encryption).
+##! Connections with those attributes are then polled for two minutes
+##! with decreasing frequency to check if the transfer sizes are large
+##! enough to indicate a GridFTP data channel that would be undesireable
+##! to analyze further (e.g. TCP reassembly no longer occurs).  A side
+##! effect is that true connection sizes are not logged, but at the
+##! benefit of saving CPU cycles that otherwise go to analyzing such
+##! large (and hopefully benign) connections.
+
+module GridFTP;
+
+@load base/protocols/conn
+@load base/protocols/ssl
+@load base/frameworks/notice
+
+export {
+	## Number of bytes transferred before guessing a connection is a 
+	## GridFTP data channel.
+	const size_threshold = 1073741824 &redef;
+
+	## Max number of times to check whether a connection's size exceeds the
+	## :bro:see:`GridFTP::size_threshold`.
+	const max_poll_count = 15 &redef;
+
+	## Whether to skip further processing of the GridFTP data channel once
+	## detected, which may help performance.
+	const skip_data = T &redef;
+
+	## Base amount of time between checking whether a GridFTP connection
+	## has transferred more than :bro:see:`GridFTP::size_threshold` bytes.
+	const poll_interval = 1sec &redef;
+
+	## The amount of time the base :bro:see:`GridFTP::poll_interval` is
+	## increased by each poll interval.  Can be used to make more frequent
+	## checks at the start of a connection and gradually slow down.
+	const poll_interval_increase = 1sec &redef;
+}
+
+redef enum Notice::Type += {
+	Data_Channel
+};
+
+redef record SSL::Info += {
+	## Indicates a client certificate was sent in the SSL handshake.
+	saw_client_cert: bool &optional;
+};
+
+event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
+	{
+	if ( is_orig && c?$ssl )
+		c$ssl$saw_client_cert = T;
+	}
+
+function size_callback(c: connection, cnt: count): interval
+	{
+	if ( c$orig$size > size_threshold || c$resp$size > size_threshold )
+		{
+		local msg = fmt("GridFTP data channel over threshold %d bytes",
+		                size_threshold);
+		NOTICE([$note=Data_Channel, $msg=msg, $conn=c]);
+		if ( skip_data )
+			skip_further_processing(c$id);
+		return -1sec;
+		}
+
+	if ( cnt >= max_poll_count ) return -1sec;
+
+	return poll_interval + poll_interval_increase * cnt;
+	}
+
+event ssl_established(c: connection)
+	{
+	# By default GridFTP data channels do mutual authentication and
+	# negotiate a cipher suite with a NULL bulk cipher.
+	if ( c?$ssl && c$ssl?$saw_client_cert && c$ssl?$subject &&
+	     c$ssl?$cipher && /WITH_NULL/ in c$ssl$cipher )
+		{
+		ConnPolling::watch(c, size_callback, 0, 0secs);
+		}
+	}
diff --git a/testing/btest/Baseline/scripts.base.protocols.conn.polling/out1 b/testing/btest/Baseline/scripts.base.protocols.conn.polling/out1
new file mode 100644
index 0000000000..9cba678461
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.conn.polling/out1
@@ -0,0 +1,7 @@
+new_connection, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp]
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 0
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 1
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 2
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 3
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 4
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 5
diff --git a/testing/btest/Baseline/scripts.base.protocols.conn.polling/out2 b/testing/btest/Baseline/scripts.base.protocols.conn.polling/out2
new file mode 100644
index 0000000000..8476915d0a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.conn.polling/out2
@@ -0,0 +1,4 @@
+new_connection, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp]
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 0
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 1
+callback, [orig_h=192.168.3.103, orig_p=54102/tcp, resp_h=128.146.216.51, resp_p=80/tcp], 2
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ftp.gridftp-data-dection/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ftp.gridftp-data-dection/notice.log
new file mode 100644
index 0000000000..dc007e4e24
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ftp.gridftp-data-dection/notice.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2012-10-01-17-11-05
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
+1348168976.558309	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-
+#close	2012-10-01-17-11-05
diff --git a/testing/btest/Traces/globus-url-copy.trace b/testing/btest/Traces/globus-url-copy.trace
new file mode 100644
index 0000000000000000000000000000000000000000..b42ce25bca7414edde499a36af32130444a0ee85
GIT binary patch
literal 21556
zcmeHvd9>Tqxv$SjLJ}ZMVJuT9<pMRt8g02ii6%?3Ez7cGOLi#WQSu}YvMpPo1(Grp
z$~@Cjl0r$#6iO*m8A~BdWoYSb%X~{)=CLhh=56`pgq#C6>#g-(-+h0SwKgY~lTY9N
z?Qj3SY47vIJ=d?9^v(56|M%&qKHmiRuw8R`@<n*AFADzbjRn5_FTCy}@c(Ttx^aPz
z_4y86bHg&<vMnxu<*pxx4KT{DJiO(HFRXuRH&4>)$?$?#<38Wy+<7<5om{Y`FXUe1
zJ)f8}XTB%-AY_K*vCJv?o@AfTlN`C!lj=#|^21jiUS=K)0qI{_y#sOPqiZ*neC?s0
z^l8cW0?8D3lQ%x6Gq&dEW1ZigrSq47bojXKe0K0mpyR|?-)nuLYY+8wJ$v<h-$g*0
zH>T&mQP)#fE%GGZL(S3^_H;dNS6}ynou?(P+Y{({ErLKx@{P8cU&3{(rHGnbqLjOX
za(78^DU2;Sz$g}jSgBwfv;;;m1jk_<Ar2<c1D7o48m&U#UZS>Ije51W1Ye3QMZU45
zTh5n8OBZeFDSG0X`J0>ijpM1m^#xNu*_%2xm{xSfnZD4vJw1uS+W9^SOxqiu1Cv~H
z(^%r4zEI+>KKuNKW=bT}D!+tN6f!AHDZCtr-(;<3S^>6dn=!H%&O-KNfb9N2;Vx!Q
zi(j|5FSO!JPhsVT`Mw@d)*GK&tIDcv#}Yl8+SIP5B!aa%|IUpPzwAjwQEW-tu3E;D
ze7|RwtzNa5?^RpYlHRCYK4b~Wkm{0V-|j7`v>J_;GrbIV&G-Emc)vG32ikAf+&l(N
zng!bazyfat_F^Bta$1KK7l38>^7thYL!?N~rbv>qNGBp|2qYVgnqbic+Ls5TzA-Ep
z?Fd>=w-q@OYz9*S&M-8h>5!ykkT}U0WR;|Ol1Y;$Noph|lC(j(BqNYbgU*p`noN=8
zfQ)8IStcVS3H~RO3Q5+z58x|<qzs@+k^nl8EJ=&t$6<#}E#n>!&iB1C&o>^kL7(^Z
zs_nc9-~Prd&~F9Hcpq3scgvqnPk7w{0Q3t`6dxmd*m%-Rng(wgPER`JHrY`UtuzPO
zw$#B%qSESh#7@9T3;r_Vha$~>E^d%yLMBPN;wj65KLBN^EJMmln083EFOzJ~AZbaZ
zX|k4f41+7TNRcLG0Swk*<ZLw7$_eJ6m;j$6luSAr!zM)1=14fr(x%9!&}ciyu&PM0
zQ_qHCEQJgQSu5jaxQtt3SY4#j)89!&q|qyK!-fp8y{tBL@*F$lR8psmM1~?om1RqI
z0g1xJ5vAre*eP&n1N>cwH;V~T6&wi+Q7w)VH5S*#&%~L}YLp_%kV89JCL_x+)=BZj
zW}_~qM2D5f&*H4p<_lc7TGA8goSuNhR1uic^mn*B_1+94E3jGMsa96~Y<?t|U!DuQ
zB|5y}JDRdwGC>*jj#;mAVF#i-tbn;uHGr3qt<y%9CGC!_%Q2y&z%*CRRh>#WRWc((
z18cB3Lgwm<0r#?0H7u1CvqYtZSVWcmJZ6MD9jLA{klRt~JQ6L2>MGR~_$161^Kx{6
zcEwyF>~HiroK?yZx{!9E5Y)}IoB3K&72}1NTXhU9p+ZtE;`Wsm&D&A8i}eX+s74bF
zC}dYgeMMCgbvsTE&@34RcIE(E$%`408e<mC3ORwy7BJahDKI&PG*m|<A&yo$oFWuZ
zMh4I2G)ZC{Me<b_p~A^tte<GcRkt27`r$z-<4^fh=0HQ}B2&wy%8E*9eq0Hdg58Gt
z2pt{LY#$rIu%L(tqxiLAwQUi2V8ACG!p~HaYOWu^3TZWymK#A;BTGf3Y31A`Zf7zU
z40V$2R1U(NTEG$OTBr}>x&x<cOnU(3x|&@nrR!2olZZCg&vl_#Dq&e7*bGrr6a>2H
z0{btG4AK!O(h#Dg)L|f<6M8Ki*!t(^DMpMTqmuC{n{BBSTN>pxdC0nCYU-J-()A5?
z45u1JR31iLGBf=hV<p-Jow9T31QpjJc9AnpF;#aWQ#Q-6Lu!M4ibi_Fei7INB~qBq
zsO(5&>R_;_s2U@&(ej?5;Mq{}eoj66AKRx!j+o6Gz%~HwW+74(xG32IHWIJp+JPZu
zw&6@NS}v%(tQifW$?J4LAt4&c)71c<GyVEd?<O6)J|Z2_9vWdhYe%w3HyI}@fl)8W
zDV;=~!izoH=!-oOm}|AlxuO`AS^=mm6zka`+bx=IiR?(-B;N|#IYc8cy%CK^L?^~D
zePS4s+)}kQD!B#5E<j<z4@s8H#Re?}qXxM`f%F^>$<<OS#fT)~@mPs<SSsMi5s?Jn
zRS3`BUI3WC45CGE%x3-xZPoT3^Z&9tlljrYnE7}0xvRIB$@~uQu~7<=C@RZFIFSp9
zP%;wMtDSz4<+V5_SBzRouL9jzj@D>SAvw;^0_&A!7FaP!eU6dRV@5J$k}wI27x19!
z6pGDu(n@eO7b+<tkr|Mx(XuTj;qTQOLb+*EL!wc(Ni@k4q?Ri-gE4o|O@|Oc!}zu+
zCx{LiS5vi2sc-ers8GThQVC1eaV-utsb*I+(_N#}1T)B}jU+P6n$W1?CWADdSM-#g
zkxZh&rh=4#YNCl?`cMlcL&<tK5Q`+82%Q^yDl)+U4@Sw}&LlnWy@|W!9-0v~&5X*i
zHMfl8i`Qqx7xyhQu@iv1U4780)1a@o7{nI`c*}UwA7(i484~9`z2;U=;-$=gCoyer
zlz53Jabv_n4Tv~N7D8ZPBnccCAe}e^NGGRFlMb8cQbU%R?MT3~F_if)aA=Z9I@3-$
z0-Rwjt2slqM#|HUm`=9`g(`5uda03j$#TSjhGLDx!5Ai7c_h{%`OluQPC}JY@0rM_
z|L>Edj5!QB?VvLtKuDMchE=>+&<jL>Q;sUla9@Zd+9f2@6;lFmVdKBguudHZ0Rt?$
z0uF4+(LaZ==d2TPfU`i>S+X}6<k~SaZROxdh1QEa;TD=1C0%V52hDmLR|TaV#acu{
zrkS=<$J2vh6o-o{uCqDP0+B`Astim1qU)N0QBy{8AvbHw0tmWDsx<<Ej7yd%!{}0m
z7f=-`1~^qfCf<5DAW{%wPS$g#eB_G*FhHa%87Iq9+6om26RMGVBM|hrJN^QR#uGSc
z8)`pP>UIb5T7W0aatJFoTLV=L_9DY(r5WX0dKsy9`<bdM=V{go1bhBe7*6?zitaYt
zCewzUWG);?CTk91GUf09YosDspz}xyn`I0OTWB^LL1KBOl9Kb`7GztQ5f);I3f)T;
zHNP~%M><<^rJ!yn!QQPKAh3+Gz~-rL9&8DNrM>b0wPSTzM})_Y)!pc9r=B?=82rB;
z05dh<NyY)N4dNmYJR=c%rVTe@1qAbg0W_!C&i|g19kHPr7982_K(mT!sM%MPZXjSe
zQGt)k2|w14GTB_q(L!#LciR3?IEf}nE}0q0L?+Xw;RXXJfzVw!88GT;7ad5hsfW{a
zmu-+y7Ej3)CM3oKTE?n$lbo4sK>3;#Q-dK=E_OmyG8pH`5Kbo5_9)Nbg+bA5qc{k6
zx=AG;pn{30hDr|G93b$tlZ~k4IFa}Qm&OvG+qcs$jh4Fv2*9{O%?RehaH)!9X#xwB
z{Ry#3wFfmZPgVnYqn_fSbgNjj`Cyi9WT6xtC}U|6Z<IaezZfuo6{K$7n4PQ6TfXKO
zW9I+WOy>VDYwSyQ^{qbe4>OrRrX~nzn8DRfE2pTvB5(7o*wv#AAtEOr5TBM|H_WjJ
zO;FKP$cXbbf3jW8M%_@aU1|>%3q<c}!qzQ<ijBHBoQ`JvLX7q&94n($#cDFjChLJ(
z5Nm++t>lHTmI!tkUz|?gXqo94;mEKW&r7QMg<d85FYqckkt$9zvOJvzdaOJScNL0}
z)!Cke#l%{4>`4+X@Gfc{c$cYX|6^gcz*T0m6FHUMBuIv)s&b4nWEw;A6++JDOBr>f
zH=!XEX+<kh6LtoWksy0bqcs>J*-C@R1YIH?6%CPzi`isZi&I*n<Bl9YKy=Gyy;IYS
zvL2UP@mgF3g%qJ>+Ac$@on)A=@=;Dq#ZUpH5V2av9R`yHuGAPv5nNG*sz@77Xdo&z
z8_jk^tB5!uE}X0+drTXms@)*lCku#%I2*hVly+p7OnOYir^cZxOR0d7Wj-KM&^WYZ
z3|XV7RE_Gp31(QyV4bc-QE=7I@|b{TuomN`I1R(B8<aUPy)pp{(sodqD9#T1y>h|W
zTP1}`bU2dAb%H~q9Tj&|Eh5aPYspB#VX;^|>bR9|E~@bDE?KNZ^)8ukhe<Nh)T8~X
z9SXuyxEkqGL6v1HF@uJnEUXvWq0&g<%Td)TGq{wghNDKV;|iG=7Hc;tDwD?5u&oIt
z(IQ;G(bwt?C<CjlN;Jimjcfw038j97$n;&mi^l>ZQza<5DQjNpYl6ZMDF~zyO`+XJ
z5d+N88|4tT-N_VNP;=DFl>M<}Q4C3CAxL+{WStRATqmU<+aU`Y7Rz;2rpe@jl~5`<
zB&nzyFiQg|1d{A78?{O@QY}>3ZhoW$lUZ77l(O9+uj_7J3Tt*qb9;JT%m(|}be(SF
zRWoj4K^5(%ZNHK+nJ$us<Fz_&7L|B3uLi4bV^C)Cafyh{CPAo7gG$dJS!%erfJJIm
zlu<Y-fmE_dI~jK?dEol_U^hlr{Jd!wYr(W`r=>22s^wU4<U}HAwpz*#1jDRGaJ^Py
zLo%6QX_O;D{mV;*SZb;qMK&`8#C3GHg;ib6GEzC9p3pQ$Za7O+<8?ir9T|gA2d~H_
ztYa2LWPrGB#8d-Nnn2wKv7u&mIUwH6ls<Rxi1(gzXJ$^=2`{Yw>v<rEU%St`Y2sby
z2Q{-xJSu<l#reJtsN;KMb}lxzxN5N{@y^m0O5D}A_L^fhN(^`sXI9~QEl?VXYhD%t
ze#&?!9M>C3nU4e%5mkm(afH(iC!$M=6-wJy-b8v#9MMF-)u@Vn3QFo`z8EjoDsbBb
zVOSu}NlGPAYAbZZsD!u<>#~CgELBQ|)Uh>5h{r093=>cr1f@}gL--(rXaN`D{EjOU
z2@M|f!+Im{3`97C<!hye*b2rtx>(E)buHcTyX9!V2Lyo_P1DjTg*Ek-TpyAnTCRlC
zl|UTIPz+l~Oa71>NkgO{_4rN*;+?ukRzir9i<Qw<RPRZNLWK&Hqz=?ASV+8H&?_vS
z7=`tG!7|KV+8&`qfkM-c;|vC!Jl6K(rC!S_h;CtE^OYJ)cZCt>Z!?z2x*8L;2NF`L
zDLiig--HCUc2zX(@}P#s?Lj31Q_Y4jbVv<^n2gZrhYeI8vE?q3q>`ORHXn6{`L^!h
z67Yf{Etu2&Y&VsSrl_HeAi*?VK+;1u4U^%Jm{IUls+H__Ed;Uvid;}4@>-%yTPj_p
zSdePgidw*k%h5uHSAtBV(1!pOv6*;BqYQ?DAqS82BPlwZYS0~j&|h(dLOt9V;Dn&b
zIl3BwVGaPE1M6xC`2;C72T{D6qdL)UD{i(G1dF#@T1~4su}0k-H9I3G9&`!`Wi-&_
zf=z^sJTn}Le!3$ET|}pP6cipPk!qC=C2&hA@+>ye`*})fX&4%-H9FDofNF)@0N#$$
zR*@M*${j3O=9<xg5p(*Ysj0l*VpC!yVPq}6ACU$~nyNS0bdAR3d?BAs)FH!4VsSLd
zW#HI|73v_LO9*(kQdfJWgji1Ha+Qu$(o+5SP^I`3LXL{TxXZXfMJn(p+v#Soifg1x
zxZJB6Hdj-SQUe-=;9i9+=>#RTHB6SAaI4=JvO$#KrI^1sOlLuno$HLc`S!@qNpc+c
zC9xG_U9MI#NLhqwbeQ1jVLwCn5xLGF2}*O~8kTA#!pT<07^dN#sOp2XC~`q_5F#3e
zC<{tDiCLuNSSh&Nbc+3KjU>x@w^>T3Ts_d#6M>f0jt$A8U)0=qGFG5<*NLiGR~+QX
z(JV@Xn@y=#PF7K!5Yde2Afq_kFLkVe(`WOH+AsSv)uuhb%r1t=!>S?{vneen@>nX2
zqE4*7fzn!U%=dj0^gO&VJC^jd*4*Y1(B<o9#*%+MZ<$Hl0Qw#`7C^gXs`IwuGEhYb
zOjQvaz`Zn?*PEK3g9{Re(aE|6N5fFDVqs~M6ATzHjFLUKiq{GvIWVSs61VKO!1pq!
zN_k^88%{j6YDZ6*yI-BjhQtkkUmpX?tbPBPX=T=d=HiOWK4U{qA(c{xbTi2SkLKr5
zG684Uc&i25StFIf<wQoW<*F^AX2u$Br=4qe(`qNvbIY+tq|~Xa6@3_n^1V(Y-Y8XT
zU6l+Jg(?d&oCHPd7|B*DB^I-wsEt<9QV~k#6g^-zBjFrjh+H*GD-|O`Qth_IIB_Xd
z3`bnNE#on)1!Da`fT6`WE{FOxn61Y#M^YLzS}?+5upJ&{otUmmfp9UEEajklyU(#{
zE9h$ZRw}3sO4U+YYcZ-;Z;~NoSc^J5Q^Rwh5298@S}|J&9#MySw%7!FJ;9Kb0tGjr
zF3}*$qaibl<O@b+WV4!D3DJp;n&E8$HrnCTaER1n2{^0|P$aJqT7g3=!Mw>USh)t}
zDt@!=M=_yTLd|FiPoxG(xL}7IGMi;%Xn>9x6`WFog%*c#xdNLXwc@m&396AQ(iyVJ
zE>UP3uGvUuEqkgNwP>FOzQgAD#$&b>&Izo!-COuIUNdTwp7mcJTV{T3Iav5#|7`vA
z!mqdvSmB|cSz(Pb(#beqZ)2LDAC4d)$QG<dyB{ZD*gptUh(=<C7%~c%8!;N^#Ze+?
z2@z7#J2GyVIxh{BEE(yc6*~tNsDzj(HiiQ<<S&xRh7^mLtx(8p#XGK*4;LA%JV>Wn
zxuE5kky1FQFpwFRRM28b=)t0ZBh`K=QS7N0)oqg<q=e+9ez}eJ^`?cfDw}HR0uo`m
zXkOORF|^jiK-*8VAsmTjidrQjMIvSj^|K&&H%DayX|;?h90<1+yvnl4LbDr>(wsnt
zD@3lvH;i-+b?OF#!-7!Dg-NUyF}ec?iPl<tq}CIYnfj0|1Ug8HYQ*JWT*_;Ns05pQ
zU#gLID-r6{comZ>WY)0CjeHg<@^k<cVe9pJy2EGlaG}{Mxk)!}*Sdlq5zy!$mv5zc
zxD+ffh|;5!5r9C(+G^LZD^XOX1A=A}k*Z*q`&1D%!8Yi2B#n<H8D-cL>Zsahg+Vi9
z4u}q#uNq3X%Tx?Ii4trEHmZawa@l^QZkuEg1}!x<Vx}{#GAK{E#-I&X0!+1BES2yY
z$q6{_<l{jzp3NbxL@(Lvle9|fYAl>ZxOOWM(^-iw=LT^)oGr9+TBlZMmDuLcuQ$bz
zZE^WDDpb;iP$8ApJJooz+RlvhAsk0XHAPn;ClhX1eJU=CwPrY_nst+}=h2j<2UT+*
zhuWiv8W-e{3B?0wf7lDwGC5vWnry7qj`vKR8=*pUz%iq)+l@i~20~W{ZOF0Wkw!f?
zj5iowAVwL3SJU}U9Arp^y53243S=S_9qL@3st5#I%@|O<)mBL0y)l2wFE+C>r^wSR
z${e`BR|RzLjoB>fTfS;1Z!_Ifo5`YITmHiOmmdO~>5lC4)0=7CGQgtOA)vE6)&5^X
z&g`e#{bI3f+m(J}Ll6B){{kO4iZLFucd>8fnmfk6<l>pT_~nPdE?(*FVhNl)+2Bil
z26pi>HbF0mc+AZ(CD-lRiI%2zY&k&U)s777!+4QN$Rk%vg*ZtKGi42p`P+3UQjVpt
zP_C@oHY|6cVs9|aZt!*Q9=yPJ8_>@ip9ALFRXdM?*?AT)D_>au%5EMo(r0HvNC3>w
zf+#YjUxev|yCu-a%MX(^Negxz#_knmEKx(l8HMghIZo=;ExIISB`M=%v$4F?D2rjL
z67P2s;ZzUSGH4@B<n2ywkRA#Y-J}eQ81@vTZ-^*9GMI>?>U9j%Z8t9RPXY^kAo?GV
z&tYw?xpR#5H8Zh(WjBEJM;_J>wKigX1HhWxh&4?K`4*?NdjkV8rKU3kSyGefmf{7p
znJtg%fZg*}E(s-@ae1RIfv+v_T@G~d#^-Q7f7LEyTo0aw>qh`r#l!WZN2hgJ#{gV!
z*oZ4j;xaM{B8r<Smt3z7jMNet)<`xnB^w!rkT#9>nRZPL58IVyC6Mn%)nF=3$V|7D
z3Q;9a42`Uz8q$MUj?+pNw?l@}C^hAAE<0qi_}w+e@9J6jDa*`5j`Z*woj<Mfikkp_
z;GDq*Tcv4&$nps!Vz!fV%BY8f49~{me%y9gE=moD7?!m}*;PfO?@Vvl;$aJXSAzu5
z8?*77`-4@xdb-^Cm6`Y*awNd-G!H-YYty={V*!3Q0sIag@0$oM%1kBFp~4}))(I$<
zL5UU8vVy6hqDo;uUcl->Gpj1Sc9G&r$$XG*4O1F!wwrXbluVW7z8JCw2q+W<%5=03
ztBF#fgBFU0lawMUDOjq-K(`3g<_d%HTsFR$V^C+*D#P(ktTAvko*X(zK<xINx^7nV
z4mMQ!1|I?|m24Rqi>?4Kz*j2mpdyH6B5MqbDHkpD*j~NpuXRI1TuaC)3@KF2bSltQ
zXg>&>G0{u}1+{F|$+9E!cqprLjD+O^t)P~cTVTh3rVWMHE5)2nswl_7@m#d)BAH5=
zHV8(jM-xgQSBF|SQfX<hVT7%i9ghY^au!kBd01p?l`xr+1B!&iyG*@A<$1iq3l+DR
zNOA#j80_fMh$6aa!YT1sY?QT)ZV@3Y7em~T9DravTl8Y>&$OYNyij*bm2iz!JA?zl
zXg)4;Nyi1{5KahmGLBG)xE44LRPT_Lej=AHfNp#YO}GQBNGdU^!zIHFe>AF^RX3?-
zEwgGnjec1PQ+~MD$foN3a3!M+p}46dIlaJ-D5q`Y<*eQ?B^u>tVnZTa2x4%m+e>u0
z1Owq}E#}ymm@MK|qLP6_m_qdG9Bjm3EQ3gi8lU2lLQpUF=^#|ghuBfI-m&Y6juGlg
zxvH3tM#6Q%&Qt9uq}59qxlU%n=>UdM`DBeDib4vt!OEi*-Byya7WGOin_$xm4n|Qr
zmE$`-2hOybN<o*QELwK_tQqnHciyv|pc)N9#;D!zCj>!k@Vy~db;HuAVxsV%>gusZ
zF9J>-WHFXvN+f3$2;7F-)w-09DdY%;yNX#J){_~c#fq@gZcD`$T7(nvQ9dfn)TU$!
zC9(;dF4eIM1uB$ck<w6<iLgzT>q=KOK~0r13e8xz3Hke33nVuFK+P(QK-YPsx4L9p
zj|RY@kWsxy+ay8e$x%@4_fuIRS|tjV3MFSUosx+1gv3z|4OF49W?Cy3AOsRI9Bish
zumRn^S|wT=rbRQJ;JYn`P8)hs43lX|L)y8K2GwX#FAQ{2I0_;y!f>)6lPFiCtifs$
z3xm2z)$eK{!!WG69wBngBo^&w#&4MNV>C6W5_u#MZIEadHNyr~>xco6x%RsyD_{mv
z(Hw$i>u76)(i^$!M~82gNADi<=vA|L^t5H>;r9dX`t$eBnC7k(Hv=AJKjTp{IH20a
zA*f98G~Km^L=n@9At`M4s<I{(dPXc(8foPY19vw1p|_ST@ck0>M7%MZN9WzJYBx`p
zI~L94(ZlZtJi6ZF(cdxCx~z);9=&;^RWf9NjODWJ{18;Z&|XVzr}8A<&RI3w9u}FR
zSgMENb|;i?6dEGca=^Y3;CQ)Z%kd6ONk|adbRB6B@Ietf+ZwWgHaHy!V?#fUs;QCz
zldKb?x}(^L;>uNNG<3&@^)~83li{9(C9zyGZlwo=&9tJ>AU6ng`9hj1XM3Y^P_{|F
zYoT3bCLc3Qj%qh69Rl`KWUx0FIW{Y}g#d0+sfZqT1{yhvTLh8p5v*;;L(!2G;d@lS
zPsdb0RE$<<SRy!ohoQA0i<-U6&}GxQQ%@#F=}5(|6lj<b**-0z{z0z^CmZ9n`D_MM
z!mnrAYCg-<EhiNW=-o73>UVpDUQmOEWX1|zu?&YwZU-9|1wQ+iOb(_p!9*|Ks0d`Y
zUrsaibe}2Lw19wQKw6NA^kiL;L$$U(3pH9Eh~4<G1Xyg)rOK@WI>NbX%O*RaQj}Jx
zYOcwTs&t@Mt;~8ST^u%gQc$o$TA_`X0q1gDrfuRCNlt`^^{`(nX9E<6NG3CDo+Q-h
z1jv52mm-}4n=YCmj1ocTLaO%Dtzes1MY37qZMCP@XT6gI8LAo}vz44sOv$)q$!biB
zg41Dktj?q1U_muQM3adbVr%9+V@w{>ki4Kba~V)j)m1&m<Q1zY3S~vqh=P<!mGz)i
zY2_WYswP17-3cNkeF)gSmx*hmZltaVMj1s)?S2JUT$5{d6G}&`CBqhH7o-LgCFoSA
z1x5UTRisR%CK17y0+aP*dNgb!oqj5+=s|zn%~n8>G@7kctI1p$>llNi$#HC?pg<&n
zG|f^F98s<GgTYuT%7*YL-w4-6W!|mi{Ka6&5uz%@O9e5SE44(sz6k@;WWuEMD1=1<
zH9J@_0LP`{pg>VGL9HcdRFbJ;w3~~_8JzXcLY2v&c1BIw6{_Cu+07o7vOz1;-~)7g
zfLbIURl8c+N@G>BHgo6DKvPx~27-wM8al(}%4K0xX6s>#F1EB*xtRkeBzdzHw$i<s
z>p_#vVxeo6>WzkEf`gX5TAYw&Jlg2E3RK8+#Bdn#n~JS;HGZb`FccmrsYC&!Fi|Ih
z1Y%?~?l-i~5S;HUhy}CT7vOxy51Ab^fF`QpT*@>WO|5HbRT8Si+T(oZvz<d0iZ!v?
z#wn<*Vtk%w(-qS$ltE5OCqx7-3>DBg0yW8^9i539Lje=DTdAHf>K5!)QVXi(qCjG)
zaxVviLn9#~-XoJCLm4*Z0o<+)GrX1%!u|lC!O3i@fs0eTH|<?Q1z3)chG4-Fqz4Kz
zGS{(dCI_`EwO*}MY?o{Oh#}=`LSc-g*B-foUf|mf6a&36JIk4vT=UDZckwc|P3l6g
ztY2obJYe(>UfOs_dBrWjyF@m6mndD!xNVro!m(N{R!jxdI#wpbLS4=b3%Po#iuH_K
z45V*iG+42_c4pKw<3=bQE=0jzWHLQG9V<j432-jCY;^40pfoT8T%;`Z4K^qg%#f={
zXr?dWP82C%bUnf7Y`+9^DjH-(TpbWrzE>IPR-zS6j#3O#&6VR)B;b@(E{hqa<JJN=
zhS-YhZ-meQj-ph!R2szmZUA)CL<ToKKKAfAfSuueXP(8kR(;9C=bqF|kH_*atbg@9
zfX@?zywT%vz~kKlY-Yn+(b1mR$k4W(E=IYmo2KMWEyqD3436LoVr;kWmm8rxA&io-
zvCVk8oDi9z%Z&4AK5NZA<F)$9%(Z$IRFYXQ`~M($&a^HoZUt+_ZCopwGPrJ3XthFo
zK}Vo6LyjsDIZ4oh1x_GktwB*{V60xHhP}u}U3%P%O2kZDR<7E8jLTuOZ~>YAtB-oP
zy!-8GUDojcms>aD!cZ6<EY-zsz+cQ4q(rVHBw?&z77KwWDpfT#nkQALQnxY&Lu&)g
zrg+^LV3tA~skFuCi^UD=wnCVp-%PAluKCp%E3c8biCw??D8R}qbbs*lant&(_yxd<
z--s2%RHA;STWl%ec-*mMyFRFtfPXI|WjX0o>adgNp=Pd98tK_l$||Q(wF0NrYAWnz
z5el@)rn>^CMrY_Z8^1lq_#HY6zsFu!|Jt4&ezn)9^;;(Z{C@Ene&8TN9UrlUCTBx-
zJP@GG3YFK}`L@`j6J;dick@x#pWwq*GLo^nQFBzR*Q+ie6LwpOB95^Ezb9jxwY7W4
z_^q9Z-)nm=Gb4L>_<bogt=||wa9nvhd#4B%sYgbwdP{Gq7*j7heZDiQHv9!9AI}JS
zD8MAa!G?M!L~gXTKcqHWRoZim)wVOSitGij(mbqQL#B0E7n^}qgw#g;Af74Zj1Z-V
zs7442K*J>0&1UHWlORK#p^|B4NTeUpl`=)KaZ(HG5Zy-MN+xHZm{Nyo@p#p(nP|**
zYz}ne)S;Q^H2VY=<`T%Dq{~s!FO~A6jeJXI7HsD3*u+wAE^KES*HaFEa&_f-*DLvr
z?~du`ZhFIO#U0-B=^I|h%#=LSq7L=>JjtKk9eZ;1DTkjg&07YfpXJ>hTlCVVlGnun
zQg=*Cz5qzxOx5u|Px9qwPwPB&-|aOG*usULE!+bx9c`#O-U0SfY@;nOqzP^p_!I3>
z92+8hAXyUJfLl^C5*`~^(4bdi@)}p->O_z1h>}!cYE?cxiYKxa4woS%WpA+6y|o3K
z9vYar*RhGf7}Mdjej6}73(TGbhX(B4<1_S&drW)Y(F=Sx0&Kl8+bjBhJOPa*&iO)#
z;I0z%z($F8ff>hlo-^TV0smT`Gm%{0-0pzKuetPq^G?6@j=2vSJ8jjw{0DQ7G~&km
zqO<t#;C)~BO@fPtVISc;*>{o;_kG*9vv09)OCRb(d>4bucC3%_1$^iGNZ&kgJ#i=B
z4!(uH9evvaHMj81@qG$jGuOB8)IG&Vz%2gz!xUF8@@Db<i@+?#x4t%51X+20#XNvZ
zx0joq#kvHrhPymmKB+F)%$24q$2Zf?_pZ`?p~RcA8zst~L=P8y(&vMxaJlH%$sYB?
zi->y<%Fcf;vUJ-U-rU`|?7ef?_1{}!0OR!e7J}J<`GMJif4Okat$Yi2^DW%jH@Q2s
za&i}F<;2~q=S)saPR<RT{lW>*qAeDF^+f)}e=eGsm^aS{_2EU(R$I(T&)stIT<?Y<
zycpWv`?%HOEvIe}s%5(e?*i>K^>7=z+H5z<G<op&QX;$!wDr^%^BS#Uz5(w5ZRdTS
zvv^??+<Q~1PPx9xvoIXOQ6!9E&|bSNf)OZ;K(O~LnA`9XhHxx|z&Ysn@BEMGwW+Qs
zf`(9(fT1Hc#cX1pZ%)hy@sp(Qp_|V-Ve;ymPWfcnE1xVn^ZD9iu|pz%nD@jrUmonr
zv*F|0>r>aix&7h45#mdi8gDM-KD~nEQ)m3@oJW5D*w>%j>cel%p9IT1aoJa(FGEYV
zSm56REXVwbZ6+o@ox44>EqLWt;L+TP?<FTDCKhh00a&#;q%U>c^*jIY)K8XB3qRUp
z%N-v&@5GBvd*Ft`<aZ;_eYy;aTraL2T=P~22`zs7C&xY858labxj1t+{p-J+aT9d^
z8@F_}dDAxu0qZyjSjTxAtRr|`XS-SNf%5<IRoKK5LKp&;ezqn24;koxx9B&1_{YnC
ztX^^nd(3`M@BQ#o7pdo-a#G;p=qUc}pX`6ip}23=j}8o{J`!Hk7XPKQ+vG6^?sd^~
z_dfUiM~Pz}ECr3*{_xYOMc)V78`^W`qJy0TZ8`mDr-@lBG3WT>eFx1yJ@u`p-q~~C
ziP5pIzEXSty3j$-F1vp28?Qh4>TNfFy7&D@zIoCWKm7Z{uRPwl=>6~Pb;7exe)Wya
zL64dH?EmRi-{PK;Kiu(xM~?XGHkY&yyY$#Y-+Sww?Vf%2ll_>?o?C2v`n$W_{K6mq
znLmDT;N_RHTikwGY=3R(A=|G1<<EE7`MuX}d7!iR!*5)0-QRtaJTMssn9Ma(CNnWP
zOG`-qKeLzJpk1ceW4jHvmz6QwETPFw%>;!Z)H4%w%palg$Nv|Wdi<rEP8Se?$NVd6
z3w#T_?uj=x+;*S7?LFs%E5|p8FMNC^^Kbd`*q4AC#Mo6cnSajlr}+T)O@h_F?b~mB
z{c8_Cc<jXo|L3#2pB=sP(@Q7$J#JX^;i=zQbfS5;^|wQhIq<_frKjK8;;<vmd^=s;
zDoZcl`k14zZ9iGK<D)Acd1R-LlVAPSxs%LacHDd0pKbMV+4$Da?)&!py;}G|>Ds%<
z2Y+$$HmB~o&HKK;zx=@J_pN{Kv-Vq=ogaKuSa<hJzsWrP+T4pj{`r)l?gV-MVBygx
z@)IY%M@>x3ojYf8?pvGU;L#CK_sn(cyJr1`Rae~pyFc7`bb$Ey&C`%2)jQBHO$MG^
z$#9QH_vqgJ!O?>L_;z=$IAQC*YNy1X!|pv&x$?wR;`j5f>uh~Zx4cAM^tkoLiX%SW
zRb2Vj4)Pn5>(6-M<?pPt-+1yHYj<2*L!Wr(-WT86;rex#sQVpt@&SR<e%a5QeE%6=
zq5u5J*Ka=GH|YT5w1IIxJ!PB=eXp!~ymRu6r;D?+{eNSmFo7VRk%pkK=i<g6|AlY<
zoNaDmNjLv-?MLK^m!uE9;Cu1j&MS}lk3HLW@{1<_xcY}54f5|Fqh0;cLFX)ikcW@{
z=lKWiblO#iUbpwBes{O8o@VZK#0>{5MSi>W-1~pHJG%8(UOD{nKkaeWcbRMMw|iTj
ze)Zcgy?fta`6IiWd-lEP<f?7ngb#S_nNz-d$*-?_ttB1vA-#54VcnXg6StrL)RZN$
z5Dje$cK4o(Jr_3*ngf0S4g?RjnY;7c9gADM_UmnT`Q4wcd~xoch4;w!_U#W>f6nrJ
z^JlH4XL*O7^uYRke{jy-H~q)u@BjKshyK04@1dEu7Oy;Y|E-_9=Iqp77vI%+N4t8C
z{j0a;UDUNsdE|p9-Yo3=yc=Kk+*f@!Jbs#H{ot7g_IY-{@Uz>VbKa@HIl6N7{pz(_
zUU4*;PAKo*dvfoAj~;z#X-?>A>PyF*%eY%C`cGufn~&P*7l;4s&+Fbf;qVEn<V9<X
z7WsVhK#b+{Z37}>j~8wRys$}(IXm`-$C2`2W~97g-ucp&FM}BKJJxyAys+XP5Gl)^
z#GC4ym57Wb_CGIin{`0q>e|hpmv~EmM$|e($9Ydrpq|9TAO7zo^55Sm@jg#SfWsD_
zZsptJL*Ewf{X4qYeE9qC=;Ghe#mp=T+8l%bI~MqNEHEqa-b|>xIZFbufagno4Vb?O
zyp=a**KsD(6PU;Rv{$_!SAnN0L&sfnz65*;xX1VAQ!|<W-_gatHoAyx=ly=FWf#!y
zK0lrR#{1u%+~cfgp4{Wy!p~p5`kb}@S!B=sPB-}bqaNGpkHqA<M~*#Vp78TSPCV(U
z#?rsLSDkDe{QfoXe(#XngVzVVKqa#6SXA(}W8d3x^(`OoP-+In++nBuCHug=*B@Um
z{n@|p#>dWE!ymcs=eK-x?vg75_cPp^Cr}UW&a^+e{d+qs)_)#-{-)En{o{^a>0-hY
z_>~=fzOCOn?BV&>-FC&9KYs3#yYdI#Z2sfUU;OqL?qz$gtgQd2`|<Jnc_#OJU~-!T
zL^I2<*p=ho`t$wsfyr%BBHLzN<@uG5fbiwg!Yk7zw@w8mvim%VvEvr_lHlmJH$Ino
zQCE(Co5V#YeWAo%eV2ZHW7}t4#*+vpGx_9P-{gOS0M0l0*z<q;<&J;ZzPR=Pt>n8Z
zd&Cj1-1bcRwg<P{_RX^%^Y1|IcjcO!s{2l+cYpBKQ%1?Fo<8S}(_8Z|eDdOh`tz4v
z|Jb_MzA^7uXN{P6;cx#KZhz)^t&a{n)j0U#*H`2B;75M{Eq<Td?vD7o6PNzi*$4jV
zyxYI|R_vJNKfUwD7r*(BfBvx$%G`U|5g*LILVfw%rQhB2!(&>n=WdpNa=?Oz-m)HA
ze^=}(<&=Lsms<Sn>5E$@9OnM^y?^|3^@@qzj(p;8SM9p*>)5_?&%P8|?t2YBX60Z0
zao$nE`|4Z&;DIyWt{PjukUDhjBgUD7A5I?fvGG%Xu)Wh)CLXqaw|2jSn_o?Top|7q
zbD@X7{0DSy_E*1OvhUVwcd&l>?1%e2|Ip$K*M%JO?dbK}y?6ij7ruV_jaPhg|HdKl
z`~LE`{?!ls?Z~(19k}~<q{UaaN1p_1>o2@XzNb{vuRLJO`%Y}XIPdQCvF2G%U$Xbv
z-xXHCr$>@+{Qh0(jL@Oqcy%}PvMc_+aMitmU#7ltsP)b__FwQ(U~>0Ej(zHx5BR4a
z_|5q@UHc~{SMKdiKKA#uJH5AjhfkIte$3KEd%XMWAD%a7zvma?_wnysi{m0Ey;`6D
z8#!1$>Y)36`#o`o6YS~^<kI^eJ&WHD8C;1x_2=u9?T`N2Rd+o6)NUE&KYqk~f9aX%
zilsXfYrlQUj+5W}?n`H$f5feafAH46`BxTxbl2pS===9S^5i|SZ63Sr?GNnG{_caP
zTy)hvnd=I#et6`6z4tD@bonE@?Rmw8)Zu?S;u5-k@{KQApLS7sw-?Tie3L%zwbL@K
z8|X8xIs)DP%yWNSz=jV!vBQ=1f9`eX0rdQ3)w^E0_hs_^yY9UmI&bowQ^-%g+&lX2
zGgoIHfq!B?e)1{ztPTW5+uy&}@?Ecb=;jNy&HU`y?OxiW_MO!8+k6mT_|DrW-Kja;
zGe>{v-Q91$d+sH_x#8_M?+RV^EBu8wOK*L5k6Z6v|882`d#`UE_V90ickgd*8gM^o
zoSRzwLj2<SXWwr9=F-#!@0_tUC0-VNYPVTC_IEe@@#4Rp@Wk@?X&;_@-Va}7jy%*k
z>*MptTOQBC^Ph3v9skn3zkGXv?+CCNyfNEJ_!1NNIN{J|I*FB!oG)#EJ8%*=9&qCH
zj$QE}NDnf*0J7K#di|J}PQ40yZ})P3m(yFXZ#AbE_{s`zFZ)lL(Mp-g4l7sf<-O~k
zuTAgesbBCHxe&Cne&n^X&H-81R4Zkj4)*dLpSAs%$cRj48c<V7gKkwdQq9m(G0l%c
z&2THEWxL5tI+Kl6W3^aZt|!!ZxN660?vR6;Mru^VTiyXGPrsi6{S<(MH)eB<kG*mS
zPrvW4n$~ZsWw8D2fW2M<`dunrF+;xxi{RJr^~$9sphP|{qmN&)?3B$C<l^xw&YAU!
zN5-$%-goIyYd5|k3m|yVQ~IvcHVf+BV^G7>5;uVQ*J)6Hjc$~fn+Yn_&d^XwjzTzU
zT0Nek2zt;^yZM3E9#~k-PX}{!vE3e(IU>Qd>A(P7A*gA5Lj<Q><0B>SozC#|n}7O@
z8PCW+eb_|M({FaqZ{<tCz#ctrd*6*meRhKHAz)y-CvnM4i8IXzyK=`dhF(W*6DPC%
zqX0uM>%R1;%V*5^Ay4A=XKYT#HS0Zzmp=z2ZqhG*?MKT@4g(TDSU^roT=DR<j$dEB
zS&8?LB|iIw61N8uzrIo8BO4|DbcV!PvtG5tlX%aG)3cshXAT4Fd<DSqi3Q82C9XRf
otn(w@tjpKWkT`2));uuQ@tIjVUIAu}k7vDfTH=b|0UeM2U&UvPssI20

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/conn/polling.test b/testing/btest/scripts/base/protocols/conn/polling.test
new file mode 100644
index 0000000000..a6fbc35f66
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/conn/polling.test
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -b -r $TRACES/http-100-continue.trace %INPUT >out1
+# @TEST-EXEC: btest-diff out1
+# @TEST-EXEC: bro -b -r $TRACES/http-100-continue.trace %INPUT stop_cnt=2 >out2
+# @TEST-EXEC: btest-diff out2
+
+@load base/protocols/conn
+
+const stop_cnt = 10 &redef;
+
+function callback(c: connection, cnt: count): interval
+	{
+	print "callback", c$id, cnt;
+	return cnt >= stop_cnt ? -1 sec : .2 sec;
+	}
+
+event new_connection(c: connection)
+	{
+	print "new_connection", c$id;
+	ConnPolling::watch(c, callback, 0, 0secs);
+	}
diff --git a/testing/btest/scripts/policy/protocols/ftp/gridftp-data-dection.test b/testing/btest/scripts/policy/protocols/ftp/gridftp-data-dection.test
new file mode 100644
index 0000000000..bb7b9b510d
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ftp/gridftp-data-dection.test
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -r $TRACES/globus-url-copy.trace %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+@load protocols/ftp/gridftp-data-detection
+
+redef GridFTP::size_threshold = 2;