From efc76fd052b29cc0b23f89868384587b7d809ac3 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Fri, 22 Feb 2013 02:36:41 -0500
Subject: [PATCH 01/54] Initial groundwork for analyzer actions in file
 analysis framework.

---
 src/CMakeLists.txt                          |  5 +++
 src/binpac_bro.h                            |  2 ++
 src/file_analysis.bif                       |  1 +
 src/file_analysis/Info.cc                   |  2 ++
 src/file_analysis/analyzers/PE.cc           | 34 +++++++++++++++++++++
 src/file_analysis/analyzers/PE.h            | 31 +++++++++++++++++++
 src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++++++
 src/file_analysis/analyzers/pe-file.pac     | 26 ++++++++++++++++
 src/file_analysis/analyzers/pe.pac          | 20 ++++++++++++
 9 files changed, 137 insertions(+)
 create mode 100644 src/file_analysis/analyzers/PE.cc
 create mode 100644 src/file_analysis/analyzers/PE.h
 create mode 100644 src/file_analysis/analyzers/pe-analyzer.pac
 create mode 100644 src/file_analysis/analyzers/pe-file.pac
 create mode 100644 src/file_analysis/analyzers/pe.pac

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 16de055e11..9f8f4106ec 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -176,6 +176,7 @@ macro(BINPAC_TARGET pacFile)
                        COMMAND ${BinPAC_EXE}
                        ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR}
                             -I ${CMAKE_CURRENT_SOURCE_DIR}
+                            -I ${CMAKE_CURRENT_SOURCE_DIR}/file_analysis/analyzers
                             ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile}
                        DEPENDS ${BinPAC_EXE} ${pacFile}
                                ${BINPAC_AUXSRC} ${ARGN}
@@ -222,6 +223,9 @@ binpac_target(syslog.pac
 binpac_target(modbus.pac
     modbus-protocol.pac modbus-analyzer.pac)
 
+binpac_target(file_analysis/analyzers/pe.pac
+    file_analysis/analyzers/pe-file.pac file_analysis/analyzers/pe-analyzer.pac)
+
 ########################################################################
 ## bro target
 
@@ -453,6 +457,7 @@ set(bro_SRCS
     file_analysis/InfoTimer.cc
     file_analysis/Action.h
     file_analysis/Extract.cc
+    file_analysis/analyzers/PE.cc
 
     nb_dns.c
     digest.h
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
index dcdbe94f57..1f63808c10 100644
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@@ -7,6 +7,7 @@ class PortVal;
 
 #include "util.h"
 #include "Analyzer.h"
+#include "file_analysis/Action.h"
 #include "Val.h"
 #include "event.bif.func_h"
 
@@ -15,6 +16,7 @@ class PortVal;
 namespace binpac {
 
 typedef Analyzer* BroAnalyzer;
+typedef file_analysis::Action BroFileAnalyzer;
 typedef Val* BroVal;
 typedef PortVal* BroPortVal;
 typedef StringVal* BroStringVal;
diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index 546ac5103c..9afa2d96ab 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -57,6 +57,7 @@ enum Trigger %{
 
 enum Action %{
 	ACTION_EXTRACT,
+	ACTION_PE_ANALYZER,
 %}
 
 function FileAnalysis::postpone_timeout%(file_id: string%): bool
diff --git a/src/file_analysis/Info.cc b/src/file_analysis/Info.cc
index 60729cd590..e7d8f7ada0 100644
--- a/src/file_analysis/Info.cc
+++ b/src/file_analysis/Info.cc
@@ -7,12 +7,14 @@
 
 #include "Action.h"
 #include "Extract.h"
+#include "analyzers/PE.h"
 
 using namespace file_analysis;
 
 // keep in order w/ declared enum values in file_analysis.bif
 static ActionInstantiator action_factory[] = {
     Extract::Instantiate,
+    PE_Analyzer::Instantiate,
 };
 
 static TableVal* empty_conn_id_set()
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
new file mode 100644
index 0000000000..66954ffa3e
--- /dev/null
+++ b/src/file_analysis/analyzers/PE.cc
@@ -0,0 +1,34 @@
+#include <string>
+
+#include "PE.h"
+#include "pe_pac.h"
+#include "util.h"
+
+using namespace file_analysis;
+
+PE_Analyzer::PE_Analyzer(Info* arg_info)
+    : Action(arg_info)
+	{
+	interp = new binpac::PE::File(this);
+
+	// Close the reverse flow.
+	interp->FlowEOF(false);
+	}
+
+PE_Analyzer::~PE_Analyzer()
+	{
+	delete interp;
+	}
+
+Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info)
+	{
+	return new PE_Analyzer(info);
+	}
+
+void PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
+	{
+	Action::DeliverStream(data, len);
+
+	// Data is exclusively sent into the "up" flow.
+	interp->NewData(true, data, data + len);
+	}
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h
new file mode 100644
index 0000000000..34840c0e3b
--- /dev/null
+++ b/src/file_analysis/analyzers/PE.h
@@ -0,0 +1,31 @@
+#ifndef FILE_ANALYSIS_PE_H
+#define FILE_ANALYSIS_PE_H
+
+#include <string>
+
+#include "Val.h"
+#include "../Info.h"
+#include "pe_pac.h"
+
+namespace file_analysis {
+
+/**
+ * An action to simply extract files to disk.
+ */
+class PE_Analyzer : Action {
+public:
+	static Action* Instantiate(const RecordVal* args, Info* info);
+
+	~PE_Analyzer();
+
+	virtual void DeliverStream(const u_char* data, uint64 len);
+
+protected:
+
+	PE_Analyzer(Info* arg_info);
+	binpac::PE::File* interp;
+};
+
+} // namespace file_analysis
+
+#endif
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
new file mode 100644
index 0000000000..1a295f2d30
--- /dev/null
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -0,0 +1,16 @@
+
+
+refine connection File += {
+
+	function proc_sig(sig: bytestring) : bool
+		%{
+		if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 )
+			printf("yep: %s\n", ${sig}.data());
+		return true;
+		%}
+
+};
+
+refine typeattr DOSStub += &let {
+	proc : bool = $context.connection.proc_sig(signature);
+};
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
new file mode 100644
index 0000000000..4cec173ae3
--- /dev/null
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -0,0 +1,26 @@
+
+type TheFile() = record {
+	barf: DOSStub;
+} &byteorder=bigendian &length=-1;
+
+type DOSStub() = record {
+	signature                : bytestring &length=2;
+	UsedBytesInTheLastPage   : uint16;
+	FileSizeInPages          : uint16;
+	NumberOfRelocationItems  : uint16;
+	HeaderSizeInParagraphs   : uint16;
+	MinimumExtraParagraphs   : uint16;
+	MaximumExtraParagraphs   : uint16;
+	InitialRelativeSS        : uint16;
+	InitialSP                : uint16;
+	Checksum                 : uint16;
+	InitialIP                : uint16;
+	InitialRelativeCS        : uint16;
+	AddressOfRelocationTable : uint16;
+	OverlayNumber            : uint16;
+	Reserved                 : uint16[4];
+	OEMid                    : uint16;
+	OEMinfo                  : uint16;
+	Reserved2                : uint16[10];
+	AddressOfNewExeHeader    : uint32;
+} &byteorder=bigendian;
\ No newline at end of file
diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac
new file mode 100644
index 0000000000..be91643b21
--- /dev/null
+++ b/src/file_analysis/analyzers/pe.pac
@@ -0,0 +1,20 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer PE withcontext {
+	connection: File;
+	flow:       Bytes;
+};
+
+connection File(bro_analyzer: BroFileAnalyzer) {
+	upflow = Bytes(true);
+	downflow = Bytes(false);
+};
+
+%include pe-file.pac
+
+flow Bytes(is_orig: bool) {
+	flowunit = TheFile() withcontext(connection, this);
+}
+ 
+%include pe-analyzer.pac

From b1f1b64ddea74d87dec665238ce7d02e58e1e243 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 14 Mar 2013 11:19:39 -0400
Subject: [PATCH 02/54] Checkpoint

---
 src/file_analysis/analyzers/PE.cc | 6 ++++--
 src/file_analysis/analyzers/PE.h  | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
index 66954ffa3e..622cbb945f 100644
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@@ -7,7 +7,7 @@
 using namespace file_analysis;
 
 PE_Analyzer::PE_Analyzer(Info* arg_info)
-    : Action(arg_info)
+    : Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER)
 	{
 	interp = new binpac::PE::File(this);
 
@@ -25,10 +25,12 @@ Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info)
 	return new PE_Analyzer(info);
 	}
 
-void PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
+bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
 	{
 	Action::DeliverStream(data, len);
 
 	// Data is exclusively sent into the "up" flow.
 	interp->NewData(true, data, data + len);
+
+	return true;
 	}
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h
index 34840c0e3b..d511f3e9bf 100644
--- a/src/file_analysis/analyzers/PE.h
+++ b/src/file_analysis/analyzers/PE.h
@@ -18,7 +18,7 @@ public:
 
 	~PE_Analyzer();
 
-	virtual void DeliverStream(const u_char* data, uint64 len);
+	virtual bool DeliverStream(const u_char* data, uint64 len);
 
 protected:
 

From cb040b6da4bde97239552955d3a4c3af1e02dd56 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 1 Apr 2013 09:00:07 -0400
Subject: [PATCH 03/54] Checkpoint

---
 src/file_analysis.bif                       |  4 +++
 src/file_analysis/ActionSet.cc              |  4 +++
 src/file_analysis/analyzers/PE.cc           | 33 ++++++++++++++-------
 src/file_analysis/analyzers/PE.h            |  8 +++--
 src/file_analysis/analyzers/pe-analyzer.pac | 18 ++++++++---
 src/file_analysis/analyzers/pe-file.pac     |  6 ++--
 src/file_analysis/analyzers/pe.pac          | 14 ++++-----
 7 files changed, 60 insertions(+), 27 deletions(-)

diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index ba62e58855..6ded10b251 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -125,3 +125,7 @@ function FileAnalysis::eof%(source: string%): any
 	file_mgr->EndOfFile(source->CheckString());
 	return 0;
 	%}
+
+# Define file analysis framework events.
+
+event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%);
diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc
index 51cab26478..dabda1c931 100644
--- a/src/file_analysis/ActionSet.cc
+++ b/src/file_analysis/ActionSet.cc
@@ -5,6 +5,8 @@
 #include "DataEvent.h"
 #include "Hash.h"
 
+#include "analyzers/PE.h"
+
 using namespace file_analysis;
 
 // keep in order w/ declared enum values in file_analysis.bif
@@ -14,6 +16,8 @@ static ActionInstantiator action_factory[] = {
 	SHA1::Instantiate,
 	SHA256::Instantiate,
 	DataEvent::Instantiate,
+
+	PE_Analyzer::Instantiate,
 };
 
 static void action_del_func(void* v)
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
index 622cbb945f..e5b924e9fb 100644
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@@ -6,13 +6,11 @@
 
 using namespace file_analysis;
 
-PE_Analyzer::PE_Analyzer(Info* arg_info)
-    : Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER)
+PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize)
+    : Action(args, info)
 	{
-	interp = new binpac::PE::File(this);
-
-	// Close the reverse flow.
-	interp->FlowEOF(false);
+	conn = new binpac::PE::MockConnection(this);
+	interp = new binpac::PE::File(conn, fsize);
 	}
 
 PE_Analyzer::~PE_Analyzer()
@@ -20,17 +18,32 @@ PE_Analyzer::~PE_Analyzer()
 	delete interp;
 	}
 
-Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info)
+Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info)
 	{
-	return new PE_Analyzer(info);
+	using BifType::Record::FileAnalysis::Info;
+	const char* field = "total_bytes";
+	Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field));
+	if ( ! filesize ) 
+		// TODO: this should be a reporter message? or better yet stop relying on the file size.
+		return 0;
+
+	bro_uint_t fsize = filesize->AsCount();
+	return new PE_Analyzer(args, info, fsize);
 	}
 
 bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
 	{
 	Action::DeliverStream(data, len);
 
-	// Data is exclusively sent into the "up" flow.
-	interp->NewData(true, data, data + len);
+	try
+		{
+		interp->NewData(data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		printf("Binpac exception: %s\n", e.c_msg());
+		}
+
 
 	return true;
 	}
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h
index d511f3e9bf..95b5083aff 100644
--- a/src/file_analysis/analyzers/PE.h
+++ b/src/file_analysis/analyzers/PE.h
@@ -14,16 +14,18 @@ namespace file_analysis {
  */
 class PE_Analyzer : Action {
 public:
-	static Action* Instantiate(const RecordVal* args, Info* info);
+	static Action* Instantiate(RecordVal* args, Info* info);
 
 	~PE_Analyzer();
 
 	virtual bool DeliverStream(const u_char* data, uint64 len);
 
 protected:
-
-	PE_Analyzer(Info* arg_info);
+	PE_Analyzer(RecordVal* args, Info* info, uint64 fsize);
 	binpac::PE::File* interp;
+	binpac::PE::MockConnection* conn;
+
+	uint64 fsize;
 };
 
 } // namespace file_analysis
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index 1a295f2d30..77edfa3434 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -1,16 +1,26 @@
 
+%extern{
+#include "Event.h"
+#include "file_analysis.bif.func_h"
+%}
 
-refine connection File += {
+refine flow File += {
 
 	function proc_sig(sig: bytestring) : bool
 		%{
-		if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 )
-			printf("yep: %s\n", ${sig}.data());
+		//val_list* vl = new val_list;
+		//StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
+		//vl->append(sigval);
+		//mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
+
+		BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), 
+		                                                (Val *) connection()->bro_analyzer()->GetInfo(),
+		                                                new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
 		return true;
 		%}
 
 };
 
 refine typeattr DOSStub += &let {
-	proc : bool = $context.connection.proc_sig(signature);
+	proc : bool = $context.flow.proc_sig(signature);
 };
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 4cec173ae3..33cd1270f7 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -1,7 +1,7 @@
 
-type TheFile() = record {
-	barf: DOSStub;
-} &byteorder=bigendian &length=-1;
+type TheFile(fsize: uint64) = record {
+	dos_stub: DOSStub;
+} &byteorder=bigendian &length=fsize;
 
 type DOSStub() = record {
 	signature                : bytestring &length=2;
diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac
index be91643b21..9cd4f4f112 100644
--- a/src/file_analysis/analyzers/pe.pac
+++ b/src/file_analysis/analyzers/pe.pac
@@ -2,19 +2,19 @@
 %include bro.pac
 
 analyzer PE withcontext {
-	connection: File;
-	flow:       Bytes;
+	connection: MockConnection;
+	flow:       File;
 };
 
-connection File(bro_analyzer: BroFileAnalyzer) {
-	upflow = Bytes(true);
-	downflow = Bytes(false);
+connection MockConnection(bro_analyzer: BroFileAnalyzer) {
+	upflow = File(0);
+	downflow = File(0);
 };
 
 %include pe-file.pac
 
-flow Bytes(is_orig: bool) {
-	flowunit = TheFile() withcontext(connection, this);
+flow File(fsize: uint64) {
+	flowunit = TheFile(fsize) withcontext(connection, this);
 }
  
 %include pe-analyzer.pac

From d19b8b0266d6d8581792189d5ab0161ed15bb11b Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 3 Apr 2013 00:51:33 -0400
Subject: [PATCH 04/54] Checkpoint for discussion.

---
 src/file_analysis.bif                       |  3 ++-
 src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++----------
 src/file_analysis/analyzers/pe-file.pac     |  5 +++--
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index 6ded10b251..89845e6f2c 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -128,4 +128,5 @@ function FileAnalysis::eof%(source: string%): any
 
 # Define file analysis framework events.
 
-event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%);
+#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%);
+event FileAnalysis::windows_pe_dosstub%(checksum: count%);
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index 77edfa3434..63f722b18c 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -6,21 +6,17 @@
 
 refine flow File += {
 
-	function proc_sig(sig: bytestring) : bool
+	function proc_dosstub(stub: DOSStub) : bool
 		%{
-		//val_list* vl = new val_list;
-		//StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin());
-		//vl->append(sigval);
-		//mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl);
-
-		BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), 
-		                                                (Val *) connection()->bro_analyzer()->GetInfo(),
-		                                                new StringVal(${sig}.length(), (const char*) ${sig}.begin()));
+		BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
+		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
+		                                                    //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()),
+		                                                    ${stub.HeaderSizeInParagraphs});
 		return true;
 		%}
 
 };
 
 refine typeattr DOSStub += &let {
-	proc : bool = $context.flow.proc_sig(signature);
+	proc : bool = $context.flow.proc_dosstub(this);
 };
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 33cd1270f7..50647b7275 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -1,7 +1,8 @@
 
 type TheFile(fsize: uint64) = record {
 	dos_stub: DOSStub;
-} &byteorder=bigendian &length=fsize;
+	blah: bytestring &length=1316134912 &transient;
+} &transient &byteorder=littleendian;
 
 type DOSStub() = record {
 	signature                : bytestring &length=2;
@@ -23,4 +24,4 @@ type DOSStub() = record {
 	OEMinfo                  : uint16;
 	Reserved2                : uint16[10];
 	AddressOfNewExeHeader    : uint32;
-} &byteorder=bigendian;
\ No newline at end of file
+} &byteorder=littleendian &length=64;

From 8beb75d985553a6a3cf36b0794f45fd494957e3a Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 10 Apr 2013 22:57:54 -0400
Subject: [PATCH 05/54] Checkpoint.

---
 src/file_analysis.bif                       |  2 +
 src/file_analysis/ActionSet.cc              |  2 +
 src/file_analysis/analyzers/PE.cc           | 22 +++----
 src/file_analysis/analyzers/PE.h            |  4 +-
 src/file_analysis/analyzers/pe-analyzer.pac | 23 +++++--
 src/file_analysis/analyzers/pe-file.pac     | 73 +++++++++++++++++++--
 src/file_analysis/analyzers/pe.pac          |  8 +--
 7 files changed, 107 insertions(+), 27 deletions(-)

diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index df4ed98a53..43aab3bb4f 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -153,3 +153,5 @@ function FileAnalysis::__eof%(source: string%): any
 
 #event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%);
 event FileAnalysis::windows_pe_dosstub%(checksum: count%);
+event FileAnalysis::windows_pe_timestamp%(ts: time%);
+
diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc
index 314650a210..d7b1dc9d11 100644
--- a/src/file_analysis/ActionSet.cc
+++ b/src/file_analysis/ActionSet.cc
@@ -16,6 +16,8 @@ static ActionInstantiator action_factory[] = {
 	file_analysis::SHA1::Instantiate,
 	file_analysis::SHA256::Instantiate,
 	file_analysis::DataEvent::Instantiate,
+
+	PE_Analyzer::Instantiate,
 };
 
 static void action_del_func(void* v)
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
index e5b924e9fb..daf679ce82 100644
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@@ -6,11 +6,11 @@
 
 using namespace file_analysis;
 
-PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize)
+PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info)
     : Action(args, info)
 	{
 	conn = new binpac::PE::MockConnection(this);
-	interp = new binpac::PE::File(conn, fsize);
+	interp = new binpac::PE::File(conn);
 	}
 
 PE_Analyzer::~PE_Analyzer()
@@ -21,14 +21,14 @@ PE_Analyzer::~PE_Analyzer()
 Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info)
 	{
 	using BifType::Record::FileAnalysis::Info;
-	const char* field = "total_bytes";
-	Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field));
-	if ( ! filesize ) 
-		// TODO: this should be a reporter message? or better yet stop relying on the file size.
-		return 0;
-
-	bro_uint_t fsize = filesize->AsCount();
-	return new PE_Analyzer(args, info, fsize);
+	//const char* field = "total_bytes";
+	//Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field));
+	//if ( ! filesize ) 
+	//	// TODO: this should be a reporter message? or better yet stop relying on the file size.
+	//	return 0;
+//
+	//bro_uint_t fsize = filesize->AsCount();
+	return new PE_Analyzer(args, info);
 	}
 
 bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
@@ -42,8 +42,8 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
 	catch ( const binpac::Exception& e )
 		{
 		printf("Binpac exception: %s\n", e.c_msg());
+		return false;
 		}
 
-
 	return true;
 	}
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h
index 95b5083aff..34a76e7e00 100644
--- a/src/file_analysis/analyzers/PE.h
+++ b/src/file_analysis/analyzers/PE.h
@@ -21,11 +21,9 @@ public:
 	virtual bool DeliverStream(const u_char* data, uint64 len);
 
 protected:
-	PE_Analyzer(RecordVal* args, Info* info, uint64 fsize);
+	PE_Analyzer(RecordVal* args, Info* info);
 	binpac::PE::File* interp;
 	binpac::PE::MockConnection* conn;
-
-	uint64 fsize;
 };
 
 } // namespace file_analysis
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index 63f722b18c..d0407f348a 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -6,17 +6,30 @@
 
 refine flow File += {
 
-	function proc_dosstub(stub: DOSStub) : bool
+	function proc_dos_header(h: DOS_Header) : bool
 		%{
 		BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
 		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
-		                                                    //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()),
-		                                                    ${stub.HeaderSizeInParagraphs});
+		                                                    //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()),
+		                                                    ${h.AddressOfNewExeHeader}-64);
 		return true;
 		%}
 
+	function proc_pe_header(h: IMAGE_NT_HEADERS) : bool
+		%{
+		BifEvent::FileAnalysis::generate_windows_pe_timestamp((Analyzer *) connection()->bro_analyzer(), 
+		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
+		                                                    //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()),
+		                                                    ${h.FileHeader.TimeDateStamp});
+		return true;
+		%}
 };
 
-refine typeattr DOSStub += &let {
-	proc : bool = $context.flow.proc_dosstub(this);
+refine typeattr DOS_Header += &let {
+	proc : bool = $context.flow.proc_dos_header(this);
 };
+
+refine typeattr IMAGE_NT_HEADERS += &let {
+	proc : bool = $context.flow.proc_pe_header(this);
+};
+
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 50647b7275..5854fd2bd8 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -1,10 +1,14 @@
 
-type TheFile(fsize: uint64) = record {
-	dos_stub: DOSStub;
-	blah: bytestring &length=1316134912 &transient;
+type TheFile = record {
+	dos_header : DOS_Header;
+	dos_code   : bytestring &length=(dos_header.AddressOfNewExeHeader - 64);
+	pe_header  : IMAGE_NT_HEADERS;
+	pad        : bytestring &length=1316134912 &transient;
+} &let {
+	dos_code_len: uint32 = (dos_header.AddressOfNewExeHeader - 64);
 } &transient &byteorder=littleendian;
 
-type DOSStub() = record {
+type DOS_Header = record {
 	signature                : bytestring &length=2;
 	UsedBytesInTheLastPage   : uint16;
 	FileSizeInPages          : uint16;
@@ -25,3 +29,64 @@ type DOSStub() = record {
 	Reserved2                : uint16[10];
 	AddressOfNewExeHeader    : uint32;
 } &byteorder=littleendian &length=64;
+
+type IMAGE_NT_HEADERS = record {
+	PESignature           : uint32;
+	FileHeader            : IMAGE_FILE_HEADER;
+	OptionalHeader        : OPTIONAL_HEADER(FileHeader.SizeOfOptionalHeader);
+} &byteorder=littleendian &length=FileHeader.SizeOfOptionalHeader+offsetof(OptionalHeader);
+
+type IMAGE_FILE_HEADER = record {
+	Machine               : uint16;
+	NumberOfSections      : uint16;
+	TimeDateStamp         : uint32;
+	PointerToSymbolTable  : uint32;
+	NumberOfSymbols       : uint32;
+	SizeOfOptionalHeader  : uint16;
+	Characteristics       : uint16;
+};
+
+type OPTIONAL_HEADER(len: uint16) = record {
+	OptionalHeaderMagic   : uint16;
+	Header                : case OptionalHeaderMagic of {
+		0x0b01  -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32;
+		0x0b02  -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64;
+		default -> InvalidPEFile    : bytestring &restofdata;
+	};
+} &length=len;
+
+type IMAGE_OPTIONAL_HEADER32 = record {
+	major_linker_version    : uint8;
+	minor_linker_version    : uint8;
+	size_of_code            : uint32;
+	size_of_init_data       : uint32;
+	size_of_uninit_data     : uint32;
+	addr_of_entry_point     : uint32;
+	base_of_code            : uint32;
+	base_of_data            : uint32;
+	image_base              : uint32;
+	section_alignment       : uint32;
+	file_alignment          : uint32;
+	os_version_major        : uint16;
+	os_version_minor        : uint16;
+	major_image_version     : uint16;
+	minor_image_version     : uint16;
+	major_subsys_version    : uint16;
+	minor_subsys_version    : uint16;
+	win32_version           : uint32;
+	size_of_image           : uint32;
+	size_of_headers         : uint32;
+	checksum                : uint32;
+	subsystem               : uint16;
+	dll_characteristics     : uint16;
+	size_of_stack_reserve   : uint32;
+	size_of_stack_commit    : uint32;
+	size_of_heap_reserve    : uint32;
+	size_of_heap_commit     : uint32;
+	loader_flags            : uint32;
+	number_of_rva_and_sizes : uint32;
+} &byteorder=littleendian;
+
+type IMAGE_OPTIONAL_HEADER64 = record {
+
+} &byteorder=littleendian;
diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac
index 9cd4f4f112..8a20fa3c62 100644
--- a/src/file_analysis/analyzers/pe.pac
+++ b/src/file_analysis/analyzers/pe.pac
@@ -7,14 +7,14 @@ analyzer PE withcontext {
 };
 
 connection MockConnection(bro_analyzer: BroFileAnalyzer) {
-	upflow = File(0);
-	downflow = File(0);
+	upflow = File;
+	downflow = File;
 };
 
 %include pe-file.pac
 
-flow File(fsize: uint64) {
-	flowunit = TheFile(fsize) withcontext(connection, this);
+flow File {
+	flowunit = TheFile withcontext(connection, this);
 }
  
 %include pe-analyzer.pac

From 4cc9ca424322be2f53cf950f35eebe78c929f671 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 24 Apr 2013 12:56:20 -0400
Subject: [PATCH 06/54] Checkpoint

---
 scripts/base/init-bare.bro                  | 14 ++++
 src/event.bif                               |  6 ++
 src/file_analysis.bif                       |  7 --
 src/file_analysis/ActionSet.cc              |  2 +-
 src/file_analysis/analyzers/PE.cc           | 33 +++++---
 src/file_analysis/analyzers/PE.h            |  9 ++-
 src/file_analysis/analyzers/pe-analyzer.pac | 56 ++++++++++---
 src/file_analysis/analyzers/pe-file.pac     | 89 +++++++++++++++------
 src/types.bif                               |  5 ++
 9 files changed, 161 insertions(+), 60 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 7f4d29d26b..8a82fb98b3 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2486,6 +2486,20 @@ type irc_join_info: record {
 ## .. bro:see:: irc_join_message
 type irc_join_list: set[irc_join_info];
 
+## Record for Portable Executable (PE) section headers.
+type PESectionHeader: record {
+	name                      : string;
+	virtual_size              : count;
+	virtual_addr              : count;
+	size_of_raw_data          : count;
+	ptr_to_raw_data           : count;
+	non_used_ptr_to_relocs    : count;
+	non_used_ptr_to_line_nums : count;
+	non_used_num_of_relocs    : count;
+	non_used_num_of_line_nums : count;
+	characteristics           : count;
+};
+
 ## Deprecated.
 ##
 ## .. todo:: Remove. It's still declared internally but doesn't seem  used anywhere
diff --git a/src/event.bif b/src/event.bif
index 08a2b64a84..fc9ca8df6a 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -7026,6 +7026,12 @@ event file_state_remove%(f: fa_file%);
 ##    FileAnalysis::ACTION_SHA1 FileAnalysis::ACTION_SHA256
 event file_hash%(f: fa_file, kind: string, hash: string%);
 
+
+event file_pe_dosstub%(f: fa_file, checksum: count%);
+event file_pe_timestamp%(f: fa_file, ts: time%);
+event file_pe_section_header%(f: fa_file, h: PESectionHeader%);
+
+
 ## Deprecated. Will be removed.
 event stp_create_endp%(c: connection, e: int, is_orig: bool%);
 
diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index f7fbe14de9..b3e34f93d2 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -97,10 +97,3 @@ function set_file_handle%(handle: string%): any
 	file_mgr->SetHandle(handle->CheckString());
 	return 0;
 	%}
-
-# Define file analysis framework events.
-
-#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%);
-event FileAnalysis::windows_pe_dosstub%(checksum: count%);
-event FileAnalysis::windows_pe_timestamp%(ts: time%);
-
diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc
index fd7fa883eb..d8d057bec5 100644
--- a/src/file_analysis/ActionSet.cc
+++ b/src/file_analysis/ActionSet.cc
@@ -17,7 +17,7 @@ static ActionInstantiator action_factory[] = {
 	file_analysis::SHA256::Instantiate,
 	file_analysis::DataEvent::Instantiate,
 
-	PE_Analyzer::Instantiate,
+	file_analysis::PE_Analyzer::Instantiate,
 };
 
 static void action_del_func(void* v)
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
index daf679ce82..c15b6ba739 100644
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@@ -3,14 +3,16 @@
 #include "PE.h"
 #include "pe_pac.h"
 #include "util.h"
+#include "Event.h"
 
 using namespace file_analysis;
 
-PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info)
-    : Action(args, info)
+PE_Analyzer::PE_Analyzer(RecordVal* args, File* file)
+    : Action(args, file)
 	{
 	conn = new binpac::PE::MockConnection(this);
 	interp = new binpac::PE::File(conn);
+	done=false;
 	}
 
 PE_Analyzer::~PE_Analyzer()
@@ -18,23 +20,21 @@ PE_Analyzer::~PE_Analyzer()
 	delete interp;
 	}
 
-Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info)
+Action* PE_Analyzer::Instantiate(RecordVal* args, File* file)
 	{
-	using BifType::Record::FileAnalysis::Info;
-	//const char* field = "total_bytes";
-	//Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field));
-	//if ( ! filesize ) 
-	//	// TODO: this should be a reporter message? or better yet stop relying on the file size.
-	//	return 0;
-//
-	//bro_uint_t fsize = filesize->AsCount();
-	return new PE_Analyzer(args, info);
+	return new PE_Analyzer(args, file);
 	}
 
 bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
 	{
-	Action::DeliverStream(data, len);
+	printf("deliver stream\n");
+	if (done)
+	{
+		printf("analyzer done\n");
+		return false;
+	}
 
+	Action::DeliverStream(data, len);
 	try
 		{
 		interp->NewData(data, data + len);
@@ -47,3 +47,10 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
 
 	return true;
 	}
+
+bool PE_Analyzer::EndOfFile()
+	{
+	printf("end of file!\n");
+	done=true;
+	return false;
+	}
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h
index 34a76e7e00..6f25e19723 100644
--- a/src/file_analysis/analyzers/PE.h
+++ b/src/file_analysis/analyzers/PE.h
@@ -4,7 +4,7 @@
 #include <string>
 
 #include "Val.h"
-#include "../Info.h"
+#include "../File.h"
 #include "pe_pac.h"
 
 namespace file_analysis {
@@ -14,16 +14,19 @@ namespace file_analysis {
  */
 class PE_Analyzer : Action {
 public:
-	static Action* Instantiate(RecordVal* args, Info* info);
+	static Action* Instantiate(RecordVal* args, File* file);
 
 	~PE_Analyzer();
 
 	virtual bool DeliverStream(const u_char* data, uint64 len);
 
+	virtual bool EndOfFile();
+
 protected:
-	PE_Analyzer(RecordVal* args, Info* info);
+	PE_Analyzer(RecordVal* args, File* file);
 	binpac::PE::File* interp;
 	binpac::PE::MockConnection* conn;
+	bool done;
 };
 
 } // namespace file_analysis
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index d0407f348a..18efc1d54a 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -1,26 +1,55 @@
 
 %extern{
 #include "Event.h"
+#include "file_analysis/File.h"
 #include "file_analysis.bif.func_h"
 %}
 
 refine flow File += {
 
-	function proc_dos_header(h: DOS_Header) : bool
+	function proc_the_file(): bool
 		%{
-		BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
-		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
-		                                                    //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()),
-		                                                    ${h.AddressOfNewExeHeader}-64);
+		printf("ending the flow!\n");
+		connection()->bro_analyzer()->EndOfFile();
+		connection()->FlowEOF(true);
+		connection()->FlowEOF(false);
 		return true;
 		%}
 
-	function proc_pe_header(h: IMAGE_NT_HEADERS) : bool
+	function proc_dos_header(h: DOS_Header): bool
 		%{
-		BifEvent::FileAnalysis::generate_windows_pe_timestamp((Analyzer *) connection()->bro_analyzer(), 
-		                                                    //(Val *) connection()->bro_analyzer()->GetInfo(),
-		                                                    //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()),
-		                                                    ${h.FileHeader.TimeDateStamp});
+		BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
+		                                   connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+		                                   ${h.AddressOfNewExeHeader}-64);
+		return true;
+		%}
+
+	function proc_pe_header(h: IMAGE_NT_HEADERS): bool
+		%{
+		BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(), 
+		                                     connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+		                                     ${h.file_header.TimeDateStamp});
+		return true;
+		%}
+
+
+	function proc_section_header(h: IMAGE_SECTION_HEADER): bool
+		%{
+		RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader);
+		section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data()));
+		section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT));
+		section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT));
+		section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT));
+		section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT));
+		section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT));
+		section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT));
+		section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT));
+		section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT));
+		section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT));
+
+		BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(), 
+		                                          connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+		                                          section_header);
 		return true;
 		%}
 };
@@ -33,3 +62,10 @@ refine typeattr IMAGE_NT_HEADERS += &let {
 	proc : bool = $context.flow.proc_pe_header(this);
 };
 
+refine typeattr IMAGE_SECTION_HEADER += &let {
+	proc: bool = $context.flow.proc_section_header(this);
+};
+
+refine typeattr TheFile += &let {
+	proc: bool = $context.flow.proc_the_file();
+};
\ No newline at end of file
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 5854fd2bd8..bedfb35204 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -1,12 +1,15 @@
 
 type TheFile = record {
-	dos_header : DOS_Header;
-	dos_code   : bytestring &length=(dos_header.AddressOfNewExeHeader - 64);
-	pe_header  : IMAGE_NT_HEADERS;
-	pad        : bytestring &length=1316134912 &transient;
+	dos_header     : DOS_Header;
+	dos_code       : bytestring &length=dos_code_len;
+	pe_header      : IMAGE_NT_HEADERS;
+	sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
+	#pad            : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
+	#data_sections  : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
+	#pad            : bytestring &restofdata;
 } &let {
-	dos_code_len: uint32 = (dos_header.AddressOfNewExeHeader - 64);
-} &transient &byteorder=littleendian;
+	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;
+} &byteorder=littleendian;
 
 type DOS_Header = record {
 	signature                : bytestring &length=2;
@@ -32,9 +35,9 @@ type DOS_Header = record {
 
 type IMAGE_NT_HEADERS = record {
 	PESignature           : uint32;
-	FileHeader            : IMAGE_FILE_HEADER;
-	OptionalHeader        : OPTIONAL_HEADER(FileHeader.SizeOfOptionalHeader);
-} &byteorder=littleendian &length=FileHeader.SizeOfOptionalHeader+offsetof(OptionalHeader);
+	file_header           : IMAGE_FILE_HEADER;
+	OptionalHeader        : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader);
+} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(OptionalHeader);
 
 type IMAGE_FILE_HEADER = record {
 	Machine               : uint16;
@@ -46,16 +49,8 @@ type IMAGE_FILE_HEADER = record {
 	Characteristics       : uint16;
 };
 
-type OPTIONAL_HEADER(len: uint16) = record {
-	OptionalHeaderMagic   : uint16;
-	Header                : case OptionalHeaderMagic of {
-		0x0b01  -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32;
-		0x0b02  -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64;
-		default -> InvalidPEFile    : bytestring &restofdata;
-	};
-} &length=len;
-
-type IMAGE_OPTIONAL_HEADER32 = record {
+type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
+	magic                   : uint16;
 	major_linker_version    : uint8;
 	minor_linker_version    : uint8;
 	size_of_code            : uint32;
@@ -79,14 +74,56 @@ type IMAGE_OPTIONAL_HEADER32 = record {
 	checksum                : uint32;
 	subsystem               : uint16;
 	dll_characteristics     : uint16;
-	size_of_stack_reserve   : uint32;
-	size_of_stack_commit    : uint32;
-	size_of_heap_reserve    : uint32;
-	size_of_heap_commit     : uint32;
+	mem: case magic of {
+		0x0b01  -> i32 : MEM_INFO32;
+		0x0b02  -> i64 : MEM_INFO64;
+		default -> InvalidPEFile : bytestring &length=0;
+	};
 	loader_flags            : uint32;
 	number_of_rva_and_sizes : uint32;
-} &byteorder=littleendian;
+} &byteorder=littleendian &length=len;
 
-type IMAGE_OPTIONAL_HEADER64 = record {
+type MEM_INFO32 = record {
+	size_of_stack_reserve : uint32;
+	size_of_stack_commit  : uint32;
+	size_of_heap_reserve  : uint32;
+	size_of_heap_commit   : uint32;
+} &byteorder=littleendian &length=16;
 
-} &byteorder=littleendian;
+type MEM_INFO64 = record {
+	size_of_stack_reserve : uint64;
+	size_of_stack_commit  : uint64;
+	size_of_heap_reserve  : uint64;
+	size_of_heap_commit   : uint64;
+} &byteorder=littleendian &length=32;
+
+type IMAGE_SECTION_HEADER = record {
+	name                      : bytestring &length=8;
+	virtual_size              : uint32;
+	virtual_addr              : uint32;
+	size_of_raw_data          : uint32;
+	ptr_to_raw_data           : uint32;
+	non_used_ptr_to_relocs    : uint32;
+	non_used_ptr_to_line_nums : uint32;
+	non_used_num_of_relocs    : uint16;
+	non_used_num_of_line_nums : uint16;
+	characteristics           : uint32;
+} &byteorder=littleendian &length=40;
+
+
+type IMAGE_DATA_DIRECTORY = record {
+	virtual_address : uint32;
+	size            : uint16;
+};
+
+type IMAGE_IMPORT_DIRECTORY = record {
+	rva_import_lookup_table : uint32;
+	time_date_stamp         : uint32;
+	forwarder_chain         : uint32;
+	rva_module_name         : uint32;
+	rva_import_addr_table   : uint32;
+};
+
+type DATA_SECTIONS = record {
+	blah: bytestring &length=10;
+};
\ No newline at end of file
diff --git a/src/types.bif b/src/types.bif
index b69239487b..4999e221e5 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -163,6 +163,8 @@ type ModbusHeaders: record;
 type ModbusCoils: vector;
 type ModbusRegisters: vector;
 
+type PESectionHeader: record;
+
 module Log;
 
 enum Writer %{
@@ -248,6 +250,9 @@ enum Action %{
 
 	## Deliver the file contents to the script-layer in an event.
 	ACTION_DATA_EVENT,
+
+	## Windows executable analyzer
+	ACTION_PE_ANALYZER,
 %}
 
 module GLOBAL;

From 317252b5aeec2c1e04c46a8bb37af53f6d1e5270 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 25 Apr 2013 13:44:12 -0400
Subject: [PATCH 07/54] Another checkpoint

---
 scripts/base/init-bare.bro                  | 35 +++++++++++++++++++++
 src/binpac_bro.h                            |  4 +--
 src/file_analysis/AnalyzerSet.cc            |  2 ++
 src/file_analysis/analyzers/PE.cc           | 29 ++++++-----------
 src/file_analysis/analyzers/PE.h            |  9 +++---
 src/file_analysis/analyzers/pe-analyzer.pac |  5 +--
 src/file_analysis/analyzers/pe-file.pac     |  7 ++---
 src/types.bif                               |  4 +++
 8 files changed, 62 insertions(+), 33 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index b8993606d3..e99feeef76 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2489,6 +2489,41 @@ type irc_join_info: record {
 ## .. bro:see:: irc_join_message
 type irc_join_list: set[irc_join_info];
 
+type PEHeader: record {
+#	Machine               : count;
+#	TimeDateStamp         : time;
+#	magic                   : uint16;
+#	major_linker_version    : uint8;
+#	minor_linker_version    : uint8;
+#	size_of_code            : uint32;
+#	size_of_init_data       : uint32;
+#	size_of_uninit_data     : uint32;
+#	addr_of_entry_point     : uint32;
+#	base_of_code            : uint32;
+#	base_of_data            : uint32;
+#	image_base              : uint32;
+#	section_alignment       : uint32;
+#	file_alignment          : uint32;
+#	os_version_major        : uint16;
+#	os_version_minor        : uint16;
+#	major_image_version     : uint16;
+#	minor_image_version     : uint16;
+#	major_subsys_version    : uint16;
+#	minor_subsys_version    : uint16;
+#	win32_version           : uint32;
+#	size_of_image           : uint32;
+#	checksum                : uint32;
+#	subsystem               : uint16;
+#	mem: case magic of {
+#		0x0b01  -> i32           : MEM_INFO32;
+#		0x0b02  -> i64           : MEM_INFO64;
+#		default -> InvalidPEFile : empty;
+#	};
+#	loader_flags            : uint32;
+#	number_of_rva_and_sizes : uint32;
+#
+};
+
 ## Record for Portable Executable (PE) section headers.
 type PESectionHeader: record {
 	name                      : string;
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
index 1f63808c10..03857179f1 100644
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@@ -7,7 +7,7 @@ class PortVal;
 
 #include "util.h"
 #include "Analyzer.h"
-#include "file_analysis/Action.h"
+#include "file_analysis/Analyzer.h"
 #include "Val.h"
 #include "event.bif.func_h"
 
@@ -16,7 +16,7 @@ class PortVal;
 namespace binpac {
 
 typedef Analyzer* BroAnalyzer;
-typedef file_analysis::Action BroFileAnalyzer;
+typedef file_analysis::Analyzer BroFileAnalyzer;
 typedef Val* BroVal;
 typedef PortVal* BroPortVal;
 typedef StringVal* BroStringVal;
diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc
index bdf23c2446..5959279f61 100644
--- a/src/file_analysis/AnalyzerSet.cc
+++ b/src/file_analysis/AnalyzerSet.cc
@@ -4,6 +4,7 @@
 #include "Extract.h"
 #include "DataEvent.h"
 #include "Hash.h"
+#include "analyzers/PE.h"
 
 using namespace file_analysis;
 
@@ -14,6 +15,7 @@ static AnalyzerInstantiator analyzer_factory[] = {
 	file_analysis::SHA1::Instantiate,
 	file_analysis::SHA256::Instantiate,
 	file_analysis::DataEvent::Instantiate,
+	file_analysis::PE::Instantiate,
 };
 
 static void analyzer_del_func(void* v)
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
index c15b6ba739..662ea1f3e4 100644
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@@ -7,38 +7,29 @@
 
 using namespace file_analysis;
 
-PE_Analyzer::PE_Analyzer(RecordVal* args, File* file)
-    : Action(args, file)
+PE::PE(RecordVal* args, File* file)
+    : file_analysis::Analyzer(args, file)
 	{
 	conn = new binpac::PE::MockConnection(this);
 	interp = new binpac::PE::File(conn);
 	done=false;
 	}
 
-PE_Analyzer::~PE_Analyzer()
+PE::~PE()
 	{
 	delete interp;
 	}
 
-Action* PE_Analyzer::Instantiate(RecordVal* args, File* file)
+bool PE::DeliverStream(const u_char* data, uint64 len)
 	{
-	return new PE_Analyzer(args, file);
-	}
-
-bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
-	{
-	printf("deliver stream\n");
-	if (done)
-	{
-		printf("analyzer done\n");
-		return false;
-	}
-
-	Action::DeliverStream(data, len);
 	try
 		{
 		interp->NewData(data, data + len);
 		}
+	catch ( const binpac::HaltParser &e )
+		{
+		return false;
+		}
 	catch ( const binpac::Exception& e )
 		{
 		printf("Binpac exception: %s\n", e.c_msg());
@@ -48,9 +39,9 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len)
 	return true;
 	}
 
-bool PE_Analyzer::EndOfFile()
+bool PE::EndOfFile()
 	{
 	printf("end of file!\n");
-	done=true;
+	//throw binpac::HaltParser();
 	return false;
 	}
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h
index 6f25e19723..1fd67c22db 100644
--- a/src/file_analysis/analyzers/PE.h
+++ b/src/file_analysis/analyzers/PE.h
@@ -12,18 +12,19 @@ namespace file_analysis {
 /**
  * An action to simply extract files to disk.
  */
-class PE_Analyzer : Action {
+class PE : public file_analysis::Analyzer {
 public:
-	static Action* Instantiate(RecordVal* args, File* file);
+	~PE();
 
-	~PE_Analyzer();
+	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
+		{ return new PE(args, file); }
 
 	virtual bool DeliverStream(const u_char* data, uint64 len);
 
 	virtual bool EndOfFile();
 
 protected:
-	PE_Analyzer(RecordVal* args, File* file);
+	PE(RecordVal* args, File* file);
 	binpac::PE::File* interp;
 	binpac::PE::MockConnection* conn;
 	bool done;
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index 18efc1d54a..fdba29a5bb 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -9,10 +9,7 @@ refine flow File += {
 
 	function proc_the_file(): bool
 		%{
-		printf("ending the flow!\n");
-		connection()->bro_analyzer()->EndOfFile();
-		connection()->FlowEOF(true);
-		connection()->FlowEOF(false);
+		throw binpac::HaltParser();
 		return true;
 		%}
 
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index bedfb35204..84b26381b4 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -6,7 +6,6 @@ type TheFile = record {
 	sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
 	#pad            : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
 	#data_sections  : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
-	#pad            : bytestring &restofdata;
 } &let {
 	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;
 } &byteorder=littleendian;
@@ -75,9 +74,9 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
 	subsystem               : uint16;
 	dll_characteristics     : uint16;
 	mem: case magic of {
-		0x0b01  -> i32 : MEM_INFO32;
-		0x0b02  -> i64 : MEM_INFO64;
-		default -> InvalidPEFile : bytestring &length=0;
+		0x0b01  -> i32           : MEM_INFO32;
+		0x0b02  -> i64           : MEM_INFO64;
+		default -> InvalidPEFile : empty;
 	};
 	loader_flags            : uint32;
 	number_of_rva_and_sizes : uint32;
diff --git a/src/types.bif b/src/types.bif
index fa9539dcbc..ca84794865 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -163,6 +163,7 @@ type ModbusHeaders: record;
 type ModbusCoils: vector;
 type ModbusRegisters: vector;
 
+type PEHeader: record;
 type PESectionHeader: record;
 
 module Log;
@@ -250,6 +251,9 @@ enum Analyzer %{
 
 	## Deliver the file contents to the script-layer in an event.
 	ANALYZER_DATA_EVENT,
+
+	## Pass the file to the PE analyzer.
+	ANALYZER_PE,
 %}
 
 module GLOBAL;

From d1dd4cb688d1c3f63ddd00fc465a75a4f9999f64 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 15 May 2013 21:33:14 -0400
Subject: [PATCH 08/54] PE analyzer checkpoint

---
 scripts/base/init-bare.bro                  |  96 +++++++----
 scripts/base/init-default.bro               |   2 +
 src/event.bif                               |   8 +-
 src/file_analysis/analyzers/PE.cc           |   2 -
 src/file_analysis/analyzers/pe-analyzer.pac | 168 +++++++++++++++++---
 src/file_analysis/analyzers/pe-file.pac     |  12 +-
 src/types.bif                               |   6 +-
 7 files changed, 224 insertions(+), 70 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index e99feeef76..3150dfc9e0 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2489,43 +2489,67 @@ type irc_join_info: record {
 ## .. bro:see:: irc_join_message
 type irc_join_list: set[irc_join_info];
 
-type PEHeader: record {
-#	Machine               : count;
-#	TimeDateStamp         : time;
-#	magic                   : uint16;
-#	major_linker_version    : uint8;
-#	minor_linker_version    : uint8;
-#	size_of_code            : uint32;
-#	size_of_init_data       : uint32;
-#	size_of_uninit_data     : uint32;
-#	addr_of_entry_point     : uint32;
-#	base_of_code            : uint32;
-#	base_of_data            : uint32;
-#	image_base              : uint32;
-#	section_alignment       : uint32;
-#	file_alignment          : uint32;
-#	os_version_major        : uint16;
-#	os_version_minor        : uint16;
-#	major_image_version     : uint16;
-#	minor_image_version     : uint16;
-#	major_subsys_version    : uint16;
-#	minor_subsys_version    : uint16;
-#	win32_version           : uint32;
-#	size_of_image           : uint32;
-#	checksum                : uint32;
-#	subsystem               : uint16;
-#	mem: case magic of {
-#		0x0b01  -> i32           : MEM_INFO32;
-#		0x0b02  -> i64           : MEM_INFO64;
-#		default -> InvalidPEFile : empty;
-#	};
-#	loader_flags            : uint32;
-#	number_of_rva_and_sizes : uint32;
-#
+module PE;
+export {
+type PE::DOSHeader: record {
+	signature                : string;
+	used_bytes_in_last_page  : count;
+	file_in_pages            : count;
+	num_reloc_items          : count;
+	header_in_paragraphs     : count;
+	min_extra_paragraphs     : count;
+	max_extra_paragraphs     : count;
+	init_relative_ss         : count;
+	init_sp                  : count;
+	checksum                 : count;
+	init_ip                  : count;
+	init_relative_cs         : count;
+	addr_of_reloc_table      : count;
+	overlay_num              : count;
+	oem_id                   : count;
+	oem_info                 : count;
+	addr_of_new_exe_header   : count;
+};
+
+type PE::FileHeader: record {
+	machine         : count;
+	ts              : time;
+	sym_table_ptr   : count;
+	num_syms        : count;
+	characteristics : set[count];
+};
+
+type PE::OptionalHeader: record {
+	magic                   : count;
+	major_linker_version    : count;
+	minor_linker_version    : count;
+	size_of_code            : count;
+	size_of_init_data       : count;
+	size_of_uninit_data     : count;
+	addr_of_entry_point     : count;
+	base_of_code            : count;
+	base_of_data            : count;
+	image_base              : count;
+	section_alignment       : count;
+	file_alignment          : count;
+	os_version_major        : count;
+	os_version_minor        : count;
+	major_image_version     : count;
+	minor_image_version     : count;
+	major_subsys_version    : count;
+	minor_subsys_version    : count;
+	win32_version           : count;
+	size_of_image           : count;
+	size_of_headers         : count;
+	checksum                : count;
+	subsystem               : count;
+	dll_characteristics     : set[count];
+	loader_flags            : count;
+	number_of_rva_and_sizes : count;
 };
 
 ## Record for Portable Executable (PE) section headers.
-type PESectionHeader: record {
+type PE::SectionHeader: record {
 	name                      : string;
 	virtual_size              : count;
 	virtual_addr              : count;
@@ -2535,8 +2559,10 @@ type PESectionHeader: record {
 	non_used_ptr_to_line_nums : count;
 	non_used_num_of_relocs    : count;
 	non_used_num_of_line_nums : count;
-	characteristics           : count;
+	characteristics           : set[count];
 };
+}
+module GLOBAL;
 
 ## Deprecated.
 ##
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 8b36899f10..ad66ab469b 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -44,4 +44,6 @@
 @load base/protocols/ssl
 @load base/protocols/syslog
 
+@load base/files/pe
+
 @load base/misc/find-checksum-offloading
diff --git a/src/event.bif b/src/event.bif
index 7a99c20e37..30b3191734 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -7059,10 +7059,10 @@ event file_state_remove%(f: fa_file%);
 event file_hash%(f: fa_file, kind: string, hash: string%);
 
 
-event file_pe_dosstub%(f: fa_file, checksum: count%);
-event file_pe_timestamp%(f: fa_file, ts: time%);
-event file_pe_section_header%(f: fa_file, h: PESectionHeader%);
-
+event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
+event pe_file_header%(f: fa_file, h: PE::FileHeader%);
+event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
+event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
 
 ## Deprecated. Will be removed.
 event stp_create_endp%(c: connection, e: int, is_orig: bool%);
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc
index 662ea1f3e4..51db8fd232 100644
--- a/src/file_analysis/analyzers/PE.cc
+++ b/src/file_analysis/analyzers/PE.cc
@@ -41,7 +41,5 @@ bool PE::DeliverStream(const u_char* data, uint64 len)
 
 bool PE::EndOfFile()
 	{
-	printf("end of file!\n");
-	//throw binpac::HaltParser();
 	return false;
 	}
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index fdba29a5bb..e6a39ae1dc 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -13,40 +13,156 @@ refine flow File += {
 		return true;
 		%}
 
+	function characteristics_to_bro(c: uint32, len: uint8): TableVal
+		%{
+		uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF;
+		TableVal* char_set = new TableVal(internal_type("count_set")->AsTableType());
+		for ( uint16 i=0; i < len; ++i )
+			{
+			if ( ((c >> i) & 0x1) == 1 )
+				{
+				Val *ch = new Val((1<<i)&mask, TYPE_COUNT);
+				char_set->Assign(ch, 0);
+				Unref(ch);
+				}
+			}
+		return char_set;
+		%}
+
 	function proc_dos_header(h: DOS_Header): bool
 		%{
-		BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(), 
-		                                   connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-		                                   ${h.AddressOfNewExeHeader}-64);
+		if ( pe_dos_header )
+			{
+			RecordVal* dh = new RecordVal(BifType::Record::PE::DOSHeader);
+			dh->Assign(0, new StringVal(${h.signature}.length(), (const char*) ${h.signature}.data()));
+			dh->Assign(1, new Val(${h.UsedBytesInTheLastPage}, TYPE_COUNT));
+			dh->Assign(2, new Val(${h.FileSizeInPages}, TYPE_COUNT));
+			dh->Assign(3, new Val(${h.NumberOfRelocationItems}, TYPE_COUNT));
+			dh->Assign(4, new Val(${h.HeaderSizeInParagraphs}, TYPE_COUNT));
+			dh->Assign(5, new Val(${h.MinimumExtraParagraphs}, TYPE_COUNT));
+			dh->Assign(6, new Val(${h.MaximumExtraParagraphs}, TYPE_COUNT));
+			dh->Assign(7, new Val(${h.InitialRelativeSS}, TYPE_COUNT));
+			dh->Assign(8, new Val(${h.InitialSP}, TYPE_COUNT));
+			dh->Assign(9, new Val(${h.Checksum}, TYPE_COUNT));
+			dh->Assign(10, new Val(${h.InitialIP}, TYPE_COUNT));
+			dh->Assign(11, new Val(${h.InitialRelativeCS}, TYPE_COUNT));
+			dh->Assign(12, new Val(${h.AddressOfRelocationTable}, TYPE_COUNT));
+			dh->Assign(13, new Val(${h.OverlayNumber}, TYPE_COUNT));
+			dh->Assign(14, new Val(${h.OEMid}, TYPE_COUNT));
+			dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT));
+			dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT));
+
+			BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), 
+			                                 connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			                                 dh);
+			}
 		return true;
 		%}
 
-	function proc_pe_header(h: IMAGE_NT_HEADERS): bool
+	function proc_nt_headers(h: IMAGE_NT_HEADERS): bool
 		%{
-		BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(), 
-		                                     connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-		                                     ${h.file_header.TimeDateStamp});
+		if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0"
+			{
+			return false;
+			// FileViolation("PE Header signature is incorrect.");
+			}
 		return true;
 		%}
 
+	function proc_file_header(h: IMAGE_FILE_HEADER): bool
+		%{
+		if ( pe_file_header )
+			{
+			RecordVal* fh = new RecordVal(BifType::Record::PE::FileHeader);
+			fh->Assign(0, new Val(${h.Machine}, TYPE_COUNT));
+			fh->Assign(1, new Val(static_cast<double>(${h.TimeDateStamp}), TYPE_TIME));
+			fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT));
+			fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT));
+			fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16));
+			BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), 
+			                                  connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			                                  fh);
+			}
+
+		return true;
+		%}
+
+	function proc_optional_header(h: IMAGE_OPTIONAL_HEADER): bool
+		%{
+		if ( ${h.magic} != 0x10b &&  // normal pe32 executable
+		     ${h.magic} != 0x107 &&  // rom image
+		     ${h.magic} != 0x20b )   // pe32+ executable
+			{
+			return false;
+			// FileViolation("PE Optional Header magic is invalid.");
+			}
+
+		if ( pe_optional_header )
+			{
+			RecordVal* oh = new RecordVal(BifType::Record::PE::OptionalHeader);
+
+			oh->Assign(0,  new Val(${h.magic}, TYPE_COUNT));
+			oh->Assign(1,  new Val(${h.major_linker_version}, TYPE_COUNT));
+			oh->Assign(2,  new Val(${h.minor_linker_version}, TYPE_COUNT));
+			oh->Assign(3,  new Val(${h.size_of_code}, TYPE_COUNT));
+			oh->Assign(4,  new Val(${h.size_of_init_data}, TYPE_COUNT));
+			oh->Assign(5,  new Val(${h.size_of_uninit_data}, TYPE_COUNT));
+			oh->Assign(6,  new Val(${h.addr_of_entry_point}, TYPE_COUNT));
+			oh->Assign(7, new Val(${h.base_of_code}, TYPE_COUNT));
+			oh->Assign(8, new Val(${h.base_of_data}, TYPE_COUNT));
+			oh->Assign(9, new Val(${h.image_base}, TYPE_COUNT));
+			oh->Assign(10, new Val(${h.section_alignment}, TYPE_COUNT));
+			oh->Assign(11, new Val(${h.file_alignment}, TYPE_COUNT));
+			oh->Assign(12, new Val(${h.os_version_major}, TYPE_COUNT));
+			oh->Assign(13, new Val(${h.os_version_minor}, TYPE_COUNT));
+			oh->Assign(14, new Val(${h.major_image_version}, TYPE_COUNT));
+			oh->Assign(15, new Val(${h.minor_image_version}, TYPE_COUNT));
+			oh->Assign(16, new Val(${h.minor_subsys_version}, TYPE_COUNT));
+			oh->Assign(17, new Val(${h.minor_subsys_version}, TYPE_COUNT));
+			oh->Assign(18, new Val(${h.win32_version}, TYPE_COUNT));
+			oh->Assign(19, new Val(${h.size_of_image}, TYPE_COUNT));
+			oh->Assign(20, new Val(${h.size_of_headers}, TYPE_COUNT));
+			oh->Assign(21, new Val(${h.checksum}, TYPE_COUNT));
+			oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT));
+			oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
+			oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
+			oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT));
+			BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), 
+			                                      connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			                                      oh);
+			}
+		return true;
+		%}
 
 	function proc_section_header(h: IMAGE_SECTION_HEADER): bool
 		%{
-		RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader);
-		section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data()));
-		section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT));
-		section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT));
-		section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT));
-		section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT));
-		section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT));
-		section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT));
-		section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT));
-		section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT));
-		section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT));
+		if ( pe_section_header )
+			{
+			RecordVal* section_header = new RecordVal(BifType::Record::PE::SectionHeader);
 
-		BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(), 
-		                                          connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-		                                          section_header);
+			// Strip null characters from the end of the section name.
+			u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length());
+			uint16 name_len;
+			if ( first_null == NULL )
+				name_len = ${h.name}.length();
+			else
+				name_len = first_null - ${h.name}.data();
+			section_header->Assign(0, new StringVal(name_len, (const char*) ${h.name}.data()));
+			
+			section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT));
+			section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT));
+			section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT));
+			section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT));
+			section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT));
+			section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT));
+			section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT));
+			section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT));
+			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));
+
+			BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), 
+			                                     connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			                                     section_header);
+			}
 		return true;
 		%}
 };
@@ -56,7 +172,15 @@ refine typeattr DOS_Header += &let {
 };
 
 refine typeattr IMAGE_NT_HEADERS += &let {
-	proc : bool = $context.flow.proc_pe_header(this);
+	proc : bool = $context.flow.proc_nt_headers(this);
+};
+
+refine typeattr IMAGE_FILE_HEADER += &let {
+	proc : bool = $context.flow.proc_file_header(this);
+};
+
+refine typeattr IMAGE_OPTIONAL_HEADER += &let {
+	proc : bool = $context.flow.proc_optional_header(this);
 };
 
 refine typeattr IMAGE_SECTION_HEADER += &let {
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 84b26381b4..5c56775538 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -6,8 +6,10 @@ type TheFile = record {
 	sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
 	#pad            : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
 	#data_sections  : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
+	data_sections  : DATA_SECTIONS[] &length=data_len;
 } &let {
 	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;
+	data_len: uint32 = pe_header.optional_header.size_of_init_data;
 } &byteorder=littleendian;
 
 type DOS_Header = record {
@@ -33,10 +35,10 @@ type DOS_Header = record {
 } &byteorder=littleendian &length=64;
 
 type IMAGE_NT_HEADERS = record {
-	PESignature           : uint32;
-	file_header           : IMAGE_FILE_HEADER;
-	OptionalHeader        : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader);
-} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(OptionalHeader);
+	PESignature     : uint32;
+	file_header     : IMAGE_FILE_HEADER;
+	optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader;
+} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header);
 
 type IMAGE_FILE_HEADER = record {
 	Machine               : uint16;
@@ -124,5 +126,5 @@ type IMAGE_IMPORT_DIRECTORY = record {
 };
 
 type DATA_SECTIONS = record {
-	blah: bytestring &length=10;
+	blah: uint8;
 };
\ No newline at end of file
diff --git a/src/types.bif b/src/types.bif
index ca84794865..f43abf9a81 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -163,8 +163,10 @@ type ModbusHeaders: record;
 type ModbusCoils: vector;
 type ModbusRegisters: vector;
 
-type PEHeader: record;
-type PESectionHeader: record;
+type PE::DOSHeader: record;
+type PE::FileHeader: record;
+type PE::OptionalHeader: record;
+type PE::SectionHeader: record;
 
 module Log;
 

From 7ff8c1ebdd01f69ccd664e347d801beb91ce2a31 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 15 May 2013 23:33:37 -0400
Subject: [PATCH 09/54] Add the PE analyzer back in as a registered file
 analyzer.

---
 src/file_analysis.bif | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index cdece0d350..52ede9292e 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -25,6 +25,9 @@ enum Analyzer %{
 
 	## Deliver the file contents to the script-layer in an event.
 	ANALYZER_DATA_EVENT,
+
+	## Pass the file to the PE analyzer.
+	ANALYZER_PE,
 %}
 
 ## :bro:see:`FileAnalysis::postpone_timeout`.

From a65966c2d1c500a59f05c48647deeff5a2f4391a Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 15 May 2013 23:34:01 -0400
Subject: [PATCH 10/54] Make the dos code available in script land.

---
 src/event.bif                               |  1 +
 src/file_analysis/analyzers/pe-analyzer.pac | 15 +++++++++++++++
 src/file_analysis/analyzers/pe-file.pac     |  6 +++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/event.bif b/src/event.bif
index ae8ede439f..e43f979aa5 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -7060,6 +7060,7 @@ event file_hash%(f: fa_file, kind: string, hash: string%);
 
 
 event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
+event pe_dos_code%(f: fa_file, code: string%);
 event pe_file_header%(f: fa_file, h: PE::FileHeader%);
 event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
 event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac
index e6a39ae1dc..341a3efbec 100644
--- a/src/file_analysis/analyzers/pe-analyzer.pac
+++ b/src/file_analysis/analyzers/pe-analyzer.pac
@@ -59,6 +59,17 @@ refine flow File += {
 		return true;
 		%}
 
+	function proc_dos_code(code: bytestring): bool
+		%{
+		if ( pe_dos_code )
+			{
+			BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), 
+			                               connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			                               new StringVal(code.length(), (const char*) code.data()));
+			}
+		return true;
+		%}
+
 	function proc_nt_headers(h: IMAGE_NT_HEADERS): bool
 		%{
 		if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0"
@@ -171,6 +182,10 @@ refine typeattr DOS_Header += &let {
 	proc : bool = $context.flow.proc_dos_header(this);
 };
 
+refine typeattr DOS_Code += &let {
+	proc : bool = $context.flow.proc_dos_code(code);
+};
+
 refine typeattr IMAGE_NT_HEADERS += &let {
 	proc : bool = $context.flow.proc_nt_headers(this);
 };
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac
index 5c56775538..041f2bbdb4 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzers/pe-file.pac
@@ -1,7 +1,7 @@
 
 type TheFile = record {
 	dos_header     : DOS_Header;
-	dos_code       : bytestring &length=dos_code_len;
+	dos_code       : DOS_Code(dos_code_len);
 	pe_header      : IMAGE_NT_HEADERS;
 	sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
 	#pad            : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
@@ -34,6 +34,10 @@ type DOS_Header = record {
 	AddressOfNewExeHeader    : uint32;
 } &byteorder=littleendian &length=64;
 
+type DOS_Code(len: uint32) = record {
+	code : bytestring &length=len;
+};
+
 type IMAGE_NT_HEADERS = record {
 	PESignature     : uint32;
 	file_header     : IMAGE_FILE_HEADER;

From 1e098bae8d6a96bbfee23d5796014bb19fc8d428 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Sat, 27 Jul 2013 00:07:47 -0400
Subject: [PATCH 11/54] Moving the PE analyzer to the new plugin structure.

---
 .../{analyzers => analyzer/pe}/PE.cc             |  0
 .../{analyzers => analyzer/pe}/PE.h              |  0
 src/file_analysis/analyzer/pe/events.bif         |  5 +++++
 .../{analyzers => analyzer/pe}/pe-analyzer.pac   |  0
 .../{analyzers => analyzer/pe}/pe-file.pac       | 16 ++++++++--------
 .../{analyzers => analyzer/pe}/pe.pac            |  0
 6 files changed, 13 insertions(+), 8 deletions(-)
 rename src/file_analysis/{analyzers => analyzer/pe}/PE.cc (100%)
 rename src/file_analysis/{analyzers => analyzer/pe}/PE.h (100%)
 create mode 100644 src/file_analysis/analyzer/pe/events.bif
 rename src/file_analysis/{analyzers => analyzer/pe}/pe-analyzer.pac (100%)
 rename src/file_analysis/{analyzers => analyzer/pe}/pe-file.pac (88%)
 rename src/file_analysis/{analyzers => analyzer/pe}/pe.pac (100%)

diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzer/pe/PE.cc
similarity index 100%
rename from src/file_analysis/analyzers/PE.cc
rename to src/file_analysis/analyzer/pe/PE.cc
diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzer/pe/PE.h
similarity index 100%
rename from src/file_analysis/analyzers/PE.h
rename to src/file_analysis/analyzer/pe/PE.h
diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif
new file mode 100644
index 0000000000..b6ce808278
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/events.bif
@@ -0,0 +1,5 @@
+event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
+event pe_dos_code%(f: fa_file, code: string%);
+event pe_file_header%(f: fa_file, h: PE::FileHeader%);
+event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
+event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
\ No newline at end of file
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
similarity index 100%
rename from src/file_analysis/analyzers/pe-analyzer.pac
rename to src/file_analysis/analyzer/pe/pe-analyzer.pac
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
similarity index 88%
rename from src/file_analysis/analyzers/pe-file.pac
rename to src/file_analysis/analyzer/pe/pe-file.pac
index 041f2bbdb4..ab7cdf5f8a 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -1,12 +1,12 @@
 
-type TheFile = record {
-	dos_header     : DOS_Header;
-	dos_code       : DOS_Code(dos_code_len);
-	pe_header      : IMAGE_NT_HEADERS;
-	sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient;
-	#pad            : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
-	#data_sections  : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
-	data_sections  : DATA_SECTIONS[] &length=data_len;
+type TheFile(part: uint8) = record {
+	dos_header      : DOS_Header;
+	dos_code        : DOS_Code(dos_code_len);
+	pe_header       : IMAGE_NT_HEADERS;
+	section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers;
+	#pad             : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
+	#data_sections   : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
+	#data_sections   : DATA_SECTIONS[] &length=data_len;
 } &let {
 	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;
 	data_len: uint32 = pe_header.optional_header.size_of_init_data;
diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzer/pe/pe.pac
similarity index 100%
rename from src/file_analysis/analyzers/pe.pac
rename to src/file_analysis/analyzer/pe/pe.pac

From 7ba51786e559383e4ad76374d50933c873d99029 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Sat, 27 Jul 2013 08:10:08 -0400
Subject: [PATCH 12/54] In progress checkpoint.  Things are starting to work.

---
 scripts/base/files/pe/__load__.bro            |   2 +
 scripts/base/files/pe/consts.bro              | 149 ++++++++++++++++++
 scripts/base/files/pe/main.bro                |  86 ++++++++++
 src/file_analysis/analyzer/CMakeLists.txt     |   1 +
 src/file_analysis/analyzer/pe/CMakeLists.txt  |  10 ++
 src/file_analysis/analyzer/pe/Plugin.cc       |  29 ++++
 src/file_analysis/analyzer/pe/pe-analyzer.pac |  11 +-
 src/file_analysis/analyzer/pe/pe-file.pac     |   2 +-
 8 files changed, 284 insertions(+), 6 deletions(-)
 create mode 100644 scripts/base/files/pe/__load__.bro
 create mode 100644 scripts/base/files/pe/consts.bro
 create mode 100644 scripts/base/files/pe/main.bro
 create mode 100644 src/file_analysis/analyzer/pe/CMakeLists.txt
 create mode 100644 src/file_analysis/analyzer/pe/Plugin.cc

diff --git a/scripts/base/files/pe/__load__.bro b/scripts/base/files/pe/__load__.bro
new file mode 100644
index 0000000000..0098b81a7a
--- /dev/null
+++ b/scripts/base/files/pe/__load__.bro
@@ -0,0 +1,2 @@
+@load ./consts
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro
new file mode 100644
index 0000000000..4dc21ec179
--- /dev/null
+++ b/scripts/base/files/pe/consts.bro
@@ -0,0 +1,149 @@
+
+module PE;
+
+export {
+	const machine_types: table[count] of string = {
+		[0x00]   = "UNKNOWN",
+		[0x1d3]  = "AM33",
+		[0x8664] = "AMD64",
+		[0x1c0]  = "ARM",
+		[0x1c4]  = "ARMNT",
+		[0xaa64] = "ARM64",
+		[0xebc]  = "EBC",
+		[0x14c]  = "I386",
+		[0x200]  = "IA64",
+		[0x9041] = "M32R",
+		[0x266]  = "MIPS16",
+		[0x366]  = "MIPSFPU",
+		[0x466]  = "MIPSFPU16",
+		[0x1f0]  = "POWERPC",
+		[0x1f1]  = "POWERPCFP",
+		[0x166]  = "R4000",
+		[0x1a2]  = "SH3",
+		[0x1a3]  = "SH3DSP",
+		[0x1a6]  = "SH4",
+		[0x1a8]  = "SH5",
+		[0x1c2]  = "THUMB",
+		[0x169]  = "WCEMIPSV2"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	const file_characteristics: table[count] of string = {
+		[0x1]    = "RELOCS_STRIPPED",
+		[0x2]    = "EXECUTABLE_IMAGE",
+		[0x4]    = "LINE_NUMS_STRIPPED",
+		[0x8]    = "LOCAL_SYMS_STRIPPED",
+		[0x10]   = "AGGRESSIVE_WS_TRIM",
+		[0x20]   = "LARGE_ADDRESS_AWARE",
+		[0x80]   = "BYTES_REVERSED_LO",
+		[0x100]  = "32BIT_MACHINE",
+		[0x200]  = "DEBUG_STRIPPED",
+		[0x400]  = "REMOVABLE_RUN_FROM_SWAP",
+		[0x800]  = "NET_RUN_FROM_SWAP",
+		[0x1000] = "SYSTEM",
+		[0x2000] = "DLL",
+		[0x4000] = "UP_SYSTEM_ONLY",
+		[0x8000] = "BYTES_REVERSED_HI"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	const dll_characteristics: table[count] of string = {
+		[0x40]   = "DYNAMIC_BASE",
+		[0x80]   = "FORCE_INTEGRITY",
+		[0x100]  = "NX_COMPAT",
+		[0x200]  = "NO_ISOLATION",
+		[0x400]  = "NO_SEH",
+		[0x800]  = "NO_BIND",
+		[0x2000] = "WDM_DRIVER",
+		[0x8000] = "TERMINAL_SERVER_AWARE"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	const windows_subsystems: table[count] of string = {
+		[0]  = "UNKNOWN",
+		[1]  = "NATIVE",
+		[2]  = "WINDOWS_GUI",
+		[3]  = "WINDOWS_CUI",
+		[7]  = "POSIX_CUI",
+		[9]  = "WINDOWS_CE_GUI",
+		[10] = "EFI_APPLICATION",
+		[11] = "EFI_BOOT_SERVICE_DRIVER",
+		[12] = "EFI_RUNTIME_
DRIVER",
+		[13] = "EFI_ROM",
+		[14] = "XBOX"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	const section_characteristics: table[count] of string = {
+		[0x8]        = "TYPE_NO_PAD",
+		[0x20]       = "CNT_CODE",
+		[0x40]       = "CNT_INITIALIZED_DATA",
+		[0x80]       = "CNT_UNINITIALIZED_DATA",
+		[0x100]      = "LNK_OTHER",
+		[0x200]      = "LNK_INFO",
+		[0x800]      = "LNK_REMOVE",
+		[0x1000]     = "LNK_COMDAT",
+		[0x8000]     = "GPREL",
+		[0x20000]    = "MEM_16BIT",
+		[0x40000]    = "MEM_LOCKED",
+		[0x80000]    = "MEM_PRELOAD",
+		[0x100000]   = "ALIGN_1BYTES",
+		[0x200000]   = "ALIGN_2BYTES",
+		[0x300000]   = "ALIGN_4BYTES",
+		[0x400000]   = "ALIGN_8BYTES",
+		[0x500000]   = "ALIGN_16BYTES",
+		[0x600000]   = "ALIGN_32BYTES",
+		[0x700000]   = "ALIGN_64BYTES",
+		[0x800000]   = "ALIGN_128BYTES",
+		[0x900000]   = "ALIGN_256BYTES",
+		[0xa00000]   = "ALIGN_512BYTES",
+		[0xb00000]   = "ALIGN_1024BYTES",
+		[0xc00000]   = "ALIGN_2048BYTES",
+		[0xd00000]   = "ALIGN_4096BYTES",
+		[0xe00000]   = "ALIGN_8192BYTES",
+		[0x1000000]  = "LNK_NRELOC_OVFL",
+		[0x2000000]  = "MEM_DISCARDABLE",
+		[0x4000000]  = "MEM_NOT_CACHED",
+		[0x8000000]  = "MEM_NOT_PAGED",
+		[0x10000000] = "MEM_SHARED",
+		[0x20000000] = "MEM_EXECUTE",
+		[0x40000000] = "MEM_READ",
+		[0x80000000] = "MEM_WRITE"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	const os_versions: table[count, count] of string = {
+		[6,2]  = "Windows 8",
+		[6,1]  = "Windows 7",
+		[6,0]  = "Windows Vista",
+		[5,2]  = "Windows XP 64-Bit Edition",
+		[5,1]  = "Windows XP",
+		[5,0]  = "Windows 2000",
+		[4,90] = "Windows Me",
+		[4,1]  = "Windows 98",
+		[4,0]  = "Windows NT 4.0",
+	} &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); };
+
+	const section_descs: table[string] of string = {
+		[".bss"]      = "Uninitialized data",
+		[".cormeta"]  = "CLR metadata that indicates that the object file contains managed code",
+		[".data"]     = "Initialized data",
+		[".debug$F"]  = "Generated FPO debug information",
+		[".debug$P"]  = "Precompiled debug types",
+		[".debug$S"]  = "Debug symbols",
+		[".debug$T"]  = "Debug types",
+		[".drective"] = "Linker options",
+		[".edata"]    = "Export tables",
+		[".idata"]    = "Import tables",
+		[".idlsym"]   = "Includes registered SEH to support IDL attributes",
+		[".pdata"]    = "Exception information",
+		[".rdata"]    = "Read-only initialized data",
+		[".reloc"]    = "Image relocations",
+		[".rsrc"]     = "Resource directory",
+		[".sbss"]     = "GP-relative uninitialized data",
+		[".sdata"]    = "GP-relative initialized data",
+		[".srdata"]   = "GP-relative read-only data",
+		[".sxdata"]   = "Registered exception handler data",
+		[".text"]     = "Executable code",
+		[".tls"]      = "Thread-local storage",
+		[".tls$"]     = "Thread-local storage",
+		[".vsdata"]   = "GP-relative initialized data",
+		[".xdata"]    = "Exception information",
+	} &default=function(i: string):string { return fmt("unknown-%s", i); };
+
+}
diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
new file mode 100644
index 0000000000..76ba04fc8c
--- /dev/null
+++ b/scripts/base/files/pe/main.bro
@@ -0,0 +1,86 @@
+
+module PE;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		ts:              time             &log;
+		fuid:            string           &log;
+		machine:         string           &log &optional;
+		compile_ts:      time             &log &optional;
+		os:              string           &log &optional;
+		subsystem:       string           &log &optional;
+		characteristics: set[string]      &log &optional;
+		section_names:   vector of string &log &optional;
+	};
+
+
+	global set_file: hook(f: fa_file);
+}
+
+redef record fa_file += {
+	pe: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(LOG, [$columns=Info]);
+	}
+
+hook set_file(f: fa_file) &priority=5
+	{
+	if ( ! f?$pe )
+		{
+		local c: set[string] = set();
+		f$pe = [$ts=network_time(), $fuid=f$id, $characteristics=c];
+		}
+	}
+
+event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
+	{
+	hook set_file(f);
+	}
+
+event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
+	{
+	hook set_file(f);
+	f$pe$compile_ts = h$ts;
+	f$pe$machine    = machine_types[h$machine];
+	for ( c in h$characteristics )
+		add f$pe$characteristics[PE::file_characteristics[c]];
+	}
+
+event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
+	{
+	hook set_file(f);
+	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
+	f$pe$subsystem = windows_subsystems[h$subsystem];
+	}
+
+event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
+	{
+	hook set_file(f);
+
+	print h;
+	if ( ! f$pe?$section_names )
+		f$pe$section_names = vector();
+	f$pe$section_names[|f$pe$section_names|] = h$name;
+	}
+
+event file_state_remove(f: fa_file)
+	{
+	if ( f?$pe )
+		Log::write(LOG, f$pe);
+	}
+
+event file_new(f: fa_file)
+	{
+	if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) 
+		{
+		#print "found a windows executable";
+		FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_PE]);
+		#FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, 
+		#                               $extract_filename=fmt("exe-%d", ++blah_counter)]);
+		}
+	}
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt
index bfafcd2894..67929b77fd 100644
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@@ -1,3 +1,4 @@
 add_subdirectory(data_event)
 add_subdirectory(extract)
 add_subdirectory(hash)
+add_subdirectory(pe)
diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt
new file mode 100644
index 0000000000..7fc89bfd51
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/CMakeLists.txt
@@ -0,0 +1,10 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+                           ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro PE)
+bro_plugin_cc(PE.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(pe.pac pe-file.pac pe-analyzer.pac)
+bro_plugin_end()
diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc
new file mode 100644
index 0000000000..1cc33b5759
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/Plugin.cc
@@ -0,0 +1,29 @@
+#include "plugin/Plugin.h"
+#include "file_analysis/Component.h"
+
+#include "PE.h"
+
+namespace plugin { namespace Bro_PE {
+
+class Plugin : public plugin::Plugin {
+protected:
+	void InitPreScript()
+		{
+		SetName("Bro::PE");
+		SetVersion(-1);
+		SetAPIVersion(BRO_PLUGIN_API_VERSION);
+		SetDynamicPlugin(false);
+
+		SetDescription("Portable Executable analyzer");
+
+		AddComponent(new ::file_analysis::Component("PE",
+		        ::file_analysis::PE::Instantiate));
+
+		extern std::list<std::pair<const char*, int> > __bif_events_init();
+		AddBifInitFunction(&__bif_events_init);
+		}
+};
+
+Plugin __plugin;
+
+} }
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 341a3efbec..045f71c479 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -3,6 +3,7 @@
 #include "Event.h"
 #include "file_analysis/File.h"
 #include "file_analysis.bif.func_h"
+#include "events.bif.h"
 %}
 
 refine flow File += {
@@ -52,7 +53,7 @@ refine flow File += {
 			dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT));
 			dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT));
 
-			BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_dos_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                 connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                 dh);
 			}
@@ -63,7 +64,7 @@ refine flow File += {
 		%{
 		if ( pe_dos_code )
 			{
-			BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_dos_code((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                               connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                               new StringVal(code.length(), (const char*) code.data()));
 			}
@@ -90,7 +91,7 @@ refine flow File += {
 			fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT));
 			fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT));
 			fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16));
-			BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                  connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                  fh);
 			}
@@ -138,7 +139,7 @@ refine flow File += {
 			oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
 			oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
 			oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT));
-			BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                      connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                      oh);
 			}
@@ -170,7 +171,7 @@ refine flow File += {
 			section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT));
 			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));
 
-			BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_section_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                     connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                     section_header);
 			}
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index ab7cdf5f8a..03a25ce150 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -1,5 +1,5 @@
 
-type TheFile(part: uint8) = record {
+type TheFile = record {
 	dos_header      : DOS_Header;
 	dos_code        : DOS_Code(dos_code_len);
 	pe_header       : IMAGE_NT_HEADERS;

From 8ffa81f3908bd1634c74472b4b519fdfbbd8fe35 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sat, 21 Jun 2014 13:30:14 -0400
Subject: [PATCH 13/54] Updated PE analyzer to work with changes in master.

---
 scripts/base/files/pe/main.bro                |  2 +-
 src/file_analysis/analyzer/pe/PE.cc           | 12 ++----------
 src/file_analysis/analyzer/pe/pe-analyzer.pac |  2 --
 3 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 76ba04fc8c..f9ebc57297 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -79,7 +79,7 @@ event file_new(f: fa_file)
 	if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) 
 		{
 		#print "found a windows executable";
-		FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_PE]);
+		Files::add_analyzer(f, Files::ANALYZER_PE);
 		#FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, 
 		#                               $extract_filename=fmt("exe-%d", ++blah_counter)]);
 		}
diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc
index 51db8fd232..59fbad91df 100644
--- a/src/file_analysis/analyzer/pe/PE.cc
+++ b/src/file_analysis/analyzer/pe/PE.cc
@@ -1,14 +1,10 @@
-#include <string>
-
 #include "PE.h"
-#include "pe_pac.h"
-#include "util.h"
-#include "Event.h"
+#include "file_analysis/Manager.h"
 
 using namespace file_analysis;
 
 PE::PE(RecordVal* args, File* file)
-    : file_analysis::Analyzer(args, file)
+    : file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), args, file)
 	{
 	conn = new binpac::PE::MockConnection(this);
 	interp = new binpac::PE::File(conn);
@@ -26,10 +22,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len)
 		{
 		interp->NewData(data, data + len);
 		}
-	catch ( const binpac::HaltParser &e )
-		{
-		return false;
-		}
 	catch ( const binpac::Exception& e )
 		{
 		printf("Binpac exception: %s\n", e.c_msg());
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 045f71c479..619bffad53 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -2,7 +2,6 @@
 %extern{
 #include "Event.h"
 #include "file_analysis/File.h"
-#include "file_analysis.bif.func_h"
 #include "events.bif.h"
 %}
 
@@ -10,7 +9,6 @@ refine flow File += {
 
 	function proc_the_file(): bool
 		%{
-		throw binpac::HaltParser();
 		return true;
 		%}
 

From d98b5b88b5e110d146ee3982b3d2210b2f1bbc2b Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 22 Jun 2014 07:18:12 -0400
Subject: [PATCH 14/54] Parse PE section headers.

---
 scripts/base/files/pe/main.bro                | 11 ++++++---
 src/file_analysis/analyzer/pe/pe-analyzer.pac |  4 +++-
 src/file_analysis/analyzer/pe/pe-file.pac     | 24 +++++++++++++++----
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index f9ebc57297..091c322990 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -39,11 +39,15 @@ hook set_file(f: fa_file) &priority=5
 
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
 	{
+	print "DOS header";
+	print h;
 	hook set_file(f);
 	}
 
 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 	{
+	print "File header";
+	print h;
 	hook set_file(f);
 	f$pe$compile_ts = h$ts;
 	f$pe$machine    = machine_types[h$machine];
@@ -53,6 +57,8 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 	{
+	print "Optional header";
+	print h;
 	hook set_file(f);
 	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
 	f$pe$subsystem = windows_subsystems[h$subsystem];
@@ -60,6 +66,8 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 	{
+	print "Section header";
+	print h;
 	hook set_file(f);
 
 	print h;
@@ -78,9 +86,6 @@ event file_new(f: fa_file)
 	{
 	if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) 
 		{
-		#print "found a windows executable";
 		Files::add_analyzer(f, Files::ANALYZER_PE);
-		#FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, 
-		#                               $extract_filename=fmt("exe-%d", ++blah_counter)]);
 		}
 	}
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 619bffad53..2b49cd2c23 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -9,6 +9,7 @@ refine flow File += {
 
 	function proc_the_file(): bool
 		%{
+		printf("Processed\n");
 		return true;
 		%}
 
@@ -203,4 +204,5 @@ refine typeattr IMAGE_SECTION_HEADER += &let {
 
 refine typeattr TheFile += &let {
 	proc: bool = $context.flow.proc_the_file();
-};
\ No newline at end of file
+};
+
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 03a25ce150..58278a7ffd 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -3,7 +3,7 @@ type TheFile = record {
 	dos_header      : DOS_Header;
 	dos_code        : DOS_Code(dos_code_len);
 	pe_header       : IMAGE_NT_HEADERS;
-	section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers;
+	section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections);
 	#pad             : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
 	#data_sections   : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
 	#data_sections   : DATA_SECTIONS[] &length=data_len;
@@ -41,7 +41,7 @@ type DOS_Code(len: uint32) = record {
 type IMAGE_NT_HEADERS = record {
 	PESignature     : uint32;
 	file_header     : IMAGE_FILE_HEADER;
-	optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader;
+	optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
 } &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header);
 
 type IMAGE_FILE_HEADER = record {
@@ -54,7 +54,7 @@ type IMAGE_FILE_HEADER = record {
 	Characteristics       : uint16;
 };
 
-type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
+type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record {
 	magic                   : uint16;
 	major_linker_version    : uint8;
 	minor_linker_version    : uint8;
@@ -80,12 +80,13 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record {
 	subsystem               : uint16;
 	dll_characteristics     : uint16;
 	mem: case magic of {
-		0x0b01  -> i32           : MEM_INFO32;
-		0x0b02  -> i64           : MEM_INFO64;
+		267  -> i32           : MEM_INFO32;
+		268  -> i64           : MEM_INFO64;
 		default -> InvalidPEFile : empty;
 	};
 	loader_flags            : uint32;
 	number_of_rva_and_sizes : uint32;
+	rvas					: IMAGE_RVAS(number_of_rva_and_sizes);
 } &byteorder=littleendian &length=len;
 
 type MEM_INFO32 = record {
@@ -102,6 +103,10 @@ type MEM_INFO64 = record {
 	size_of_heap_commit   : uint64;
 } &byteorder=littleendian &length=32;
 
+type IMAGE_SECTIONS(num: uint16) = record {
+	sections : IMAGE_SECTION_HEADER[num];
+} &length=num*40;
+
 type IMAGE_SECTION_HEADER = record {
 	name                      : bytestring &length=8;
 	virtual_size              : uint32;
@@ -129,6 +134,15 @@ type IMAGE_IMPORT_DIRECTORY = record {
 	rva_import_addr_table   : uint32;
 };
 
+type IMAGE_RVAS(num: uint32) = record {
+	rvas : IMAGE_RVA[num];
+} &length=num*8;
+
+type IMAGE_RVA = record {
+	virtual_address : uint32;
+	size			: uint32;
+} &length=8;
+
 type DATA_SECTIONS = record {
 	blah: uint8;
 };
\ No newline at end of file

From ee3e885712ac84f13286a1e2a14ab080c5a537f0 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Fri, 13 Mar 2015 22:14:44 -0400
Subject: [PATCH 15/54] Lots of fixes for file type identification.

 - Plain text now identified with BOMs for UTF8,16,32
   (even though 16 and 32 wouldn't get identified as plain text, oh-well)
 - X.509 certificates are now populating files.log with
   the mime type application/pkix-cert.
 - File signatures are split apart into file types
   to help group and organize signatures a bit better.
 - Normalized some FILE_ANALYSIS debug messages.
 - Improved Javascript detection.
 - Improved HTML detection.
 - Removed a bunch of bad signatures.
 - Merged a bunch of signatures that ultimately detected
   the same mime type.
 - Added detection for MS LNK files.
 - Added detection for cross-domain-policy XML files.
 - Added detection for SOAP envelopes.
---
 scripts/base/files/x509/main.bro              |    3 +
 .../base/frameworks/files/magic/__load__.bro  |    3 +
 .../base/frameworks/files/magic/archive.sig   |  188 ++
 .../base/frameworks/files/magic/general.sig   |  138 +-
 scripts/base/frameworks/files/magic/image.sig |  178 ++
 .../base/frameworks/files/magic/libmagic.sig  | 1838 +----------------
 .../base/frameworks/files/magic/msoffice.sig  |    6 +
 scripts/base/frameworks/files/magic/video.sig |  218 ++
 src/file_analysis/AnalyzerSet.cc              |   36 +-
 src/file_analysis/File.cc                     |    6 +-
 src/file_analysis/Manager.cc                  |    6 +-
 .../Baseline/core.tunnels.teredo/http.log     |    6 +-
 .../btest-doc.sphinx.mimestats#1              |    8 +-
 .../intel-all.log                             |   10 +-
 14 files changed, 750 insertions(+), 1894 deletions(-)
 create mode 100644 scripts/base/frameworks/files/magic/archive.sig
 create mode 100644 scripts/base/frameworks/files/magic/image.sig
 create mode 100644 scripts/base/frameworks/files/magic/video.sig

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 10445ad846..181607bf6c 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -47,6 +47,9 @@ redef record Files::Info += {
 
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
+	if ( ! f$info?$mime_type )
+		f$info$mime_type = "application/pkix-cert";
+	
 	f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
 	}
 
diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro
index c6ee799a53..df03616ec2 100644
--- a/scripts/base/frameworks/files/magic/__load__.bro
+++ b/scripts/base/frameworks/files/magic/__load__.bro
@@ -1,3 +1,6 @@
 @load-sigs ./general
+@load-sigs ./archive
+@load-sigs ./image
+@load-sigs ./video
 @load-sigs ./msoffice
 @load-sigs ./libmagic
diff --git a/scripts/base/frameworks/files/magic/archive.sig b/scripts/base/frameworks/files/magic/archive.sig
new file mode 100644
index 0000000000..d8cc727540
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/archive.sig
@@ -0,0 +1,188 @@
+signature file-tar {
+    file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/
+    file-mime "application/x-tar", 100
+}
+
+# This is low priority so that files using zip as a 
+# container will be identified correctly.
+signature file-zip {
+	file-mime "application/zip", 10
+	file-magic /^PK\x03\x04.{2}/
+}
+
+# Multivolume Zip archive
+signature file-multi-zip {
+	file-mime "application/zip", 10
+	file-magic /^PK\x07\x08PK\x03\x04/
+}
+
+signature file-rar {
+	file-mime "application/x-rar", 70
+	file-magic /^Rar!/
+}
+
+signature file-gzip {
+	file-mime "application/x-gzip", 100
+	file-magic /\x1f\x8b/
+}
+
+signature file-ms-cab {
+	file-mime "application/vnd.ms-cab-compressed", 110
+	file-magic /^MSCF\x00\x00\x00\x00/
+}
+
+# Mac OS X DMG files
+signature file-dmg {
+	file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/
+	file-mime "application/x-dmg", 100
+}
+
+# XAR (eXtensible ARchive) format. 
+# Mac OS X uses this for the .pkg format.
+signature file-xar {
+	file-magic /^xar\!/
+	file-mime "application/x-xar", 100
+}
+
+# RPM
+signature file-magic-auto352 {
+	file-mime "application/x-rpm", 70
+	file-magic /^(drpm|\xed\xab\xee\xdb)/
+}
+
+signature file-stuffit {
+	file-mime "application/x-stuffit", 70
+	file-magic /^(SIT\x21|StuffIt)/
+}
+
+signature file-x-archive {
+	file-mime "application/x-archive", 70
+	file-magic /^!?<ar(ch)?>/
+}
+
+# ARC archive data
+signature file-arc {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})([\x02-\x0a\x14\x48]\x1a)/
+}
+
+# EET archive
+signature file-eet {
+	file-mime "application/x-eet", 70
+	file-magic /^\x1e\xe7\xff\x00/
+}
+
+# Zoo archive
+signature file-zoo {
+	file-mime "application/x-zoo", 70
+	file-magic /^.{20}\xdc\xa7\xc4\xfd/
+}
+
+# >0  lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0
+signature file-magic-auto382 {
+	file-mime "application/x-lz4", 70
+	file-magic /(\x02\x21\x4c\x18)/
+}
+
+# >0  lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0
+signature file-magic-auto383 {
+	file-mime "application/x-lz4", 70
+	file-magic /(\x04\x22\x4d\x18)/
+}
+
+# >0  string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0
+# >>5  byte&,x, [".%d"], swap_endian=0
+signature file-magic-auto384 {
+	file-mime "application/x-lrzip", 1
+	file-magic /(LRZI)(.{1})(.{1})/
+}
+
+# >0  string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0
+signature file-magic-auto386 {
+	file-mime "application/x-lzip", 70
+	file-magic /(LZIP)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>30  string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0
+signature file-magic-auto434 {
+	file-mime "application/zip", 340
+	file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>30  string,=PKLITE Copr. (len=12), ["Self-extracting PKZIP archive"], swap_endian=0
+signature file-magic-auto435 {
+	file-mime "application/zip", 150
+	file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/
+}
+
+# LHA archive (LZH)
+signature file-lzh {
+	file-mime "application/x-lzh", 80
+	file-magic /^.{2}-(lh[ abcdex0-9]|lz[s2-8]|lz[s2-8]|pm[s012]|pc1)-/
+}
+
+# >0  string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0
+# >>5  string,x, ["version %.4s"], swap_endian=0
+signature file-magic-auto177 {
+	file-mime "application/warc", 1
+	file-magic /(WARC\x2f)(.{0})/
+}
+
+# >0  string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0
+# >>7  byte&,x, [".%d"], swap_endian=0
+signature file-magic-auto150 {
+	file-mime "application/x-7z-compressed", 1
+	file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/
+}
+
+# >0  ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0
+signature file-magic-auto151 {
+	file-mime "application/x-xz", 90
+	file-magic /(\xfd7zXZ\x00)/
+}
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>36  string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+signature file-magic-auto436 {
+	file-mime "application/x-lha", 120
+	file-magic /(MZ)(.{34})(LHa\x27s SFX)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>36  string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+signature file-magic-auto437 {
+	file-mime "application/x-lha", 120
+	file-magic /(MZ)(.{34})(LHA\x27s SFX)/
+}
+
+# >0  leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0
+signature file-magic-auto467 {
+	file-mime "application/x-arj", 50
+	file-magic /(\x60\xea)/
+}
+
+# >0  short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0
+signature file-magic-auto479 {
+	file-mime "application/x-cpio", 50
+	file-magic /((\x71\xc7)|(\xc7\x71))/
+}
+
+# >0  short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0
+signature file-magic-auto480 {
+	file-mime "application/x-cpio", 50
+	file-magic /((\xc7\x71)|(\x71\xc7))/
+}
+
+# >0  string,=\037\235 (len=2), ["compress'd data"], swap_endian=0
+signature file-magic-auto500 {
+	file-mime "application/x-compress", 50
+	file-magic /(\x1f\x9d)/
+}
+
+# >0  lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0
+signature file-magic-auto218 {
+	file-mime "application/x-lzma", 71
+	file-magic /(\x5d\x00\x00.)/
+}
+
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 500c4f7be0..e673fc86b6 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -1,18 +1,51 @@
 # General purpose file magic signatures.
 
+# Plaintext 
+# (Including BOMs for UTF-8, 16, and 32)
 signature file-plaintext {
-    file-magic /^([[:print:][:space:]]{10})/
-    file-mime "text/plain", -20
+	file-magic /^(\xef\xbb\xbf|(\x00\x00)?\xfe\xff|\xff\xfe(\x00\x00)?)?[[:space:]\x20-\x7E]{10}/
+	file-mime "text/plain", -20
 }
 
-signature file-tar {
-    file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/
-    file-mime "application/x-tar", 100
+signature file-xml {
+	file-mime "application/xml", 10
+	file-magic /^[\x0d\x0a[:blank:]]*<\?xml /
 }
 
-signature file-zip {
-	file-mime "application/zip", 10
-	file-magic /^PK\x03\x04.{2}/
+signature file-xhtml {
+	file-mime "text/html", 100
+	file-magic /^[\x0d\x0a[:blank:]]*<\?xml version[ =]['"].*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
+}
+
+signature file-html {
+	file-mime "text/html", 49
+	file-magic /^[\x0d\x0a[:blank:]]*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+}
+
+signature file-html2 {
+	file-mime "text/html", 20
+	file-magic /[\x0d\x0a[:blank:]]*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+}
+
+signature file-soap {
+	file-mime "application/soap+xml", 49
+	file-magic /^[\x0d\x0a[:blank:]]*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
+}
+
+signature file-cross-domain-policy {
+	file-mime "text/x-cross-domain-policy", 49
+	file-magic /^[\x0d\x0a[:blank:]]*(<\?xml version="1.0"\?>)?<![dD][oO][cC][tT][yY][pP][eE] {1,}[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+}
+
+signature file-cross-domain-policy2 {
+	file-mime "text/x-cross-domain-policy", 49
+	file-magic /^[\x0d\x0a[:blank:]]*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+}
+
+# Microsoft LNK files
+signature file-lnk {
+	file-mime "application/x-ms-shortcut", 49
+	file-magic /^\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x10\x00\x00\x00\x46/
 }
 
 signature file-jar {
@@ -37,12 +70,6 @@ signature file-tnef {
 	file-mime "application/vnd.ms-tnef", 100
 }
 
-# Mac OS X DMG files
-signature file-dmg {
-	file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/
-	file-mime "application/x-dmg", 100
-}
-
 # Mac OS X Mach-O executable
 signature file-mach-o {
 	file-magic /^[\xce\xcf]\xfa\xed\xfe/
@@ -55,13 +82,6 @@ signature file-mach-o-universal {
 	file-mime "application/x-mach-o-executable", 100
 }
 
-# XAR (eXtensible ARchive) format. 
-# Mac OS X uses this for the .pkg format.
-signature file-xar {
-	file-magic /^xar\!/
-	file-mime "application/x-xar", 100
-}
-
 signature file-pkcs7 {
 	file-magic /^MIME-Version:.*protocol=\"application\/pkcs7-signature\"/
 	file-mime "application/pkcs7-signature", 100
@@ -79,16 +99,6 @@ signature file-jnlp {
 	file-mime "application/x-java-jnlp-file", 100
 }
 
-signature file-ico {
-	file-magic /^\x00\x00\x01\x00/
-	file-mime "image/x-icon", 70
-}
-
-signature file-cur {
-	file-magic /^\x00\x00\x02\x00/
-	file-mime "image/x-cursor", 70
-}
-
 signature file-pcap {
 	file-magic /^(\xa1\xb2\xc3\xd4|\xd4\xc3\xb2\xa1)/
 	file-mime "application/vnd.tcpdump.pcap", 70
@@ -119,7 +129,53 @@ signature file-python {
 	file-mime "text/x-python", 60
 }
 
+signature file-awk {
+	file-mime "text/x-awk", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(g|n)?awk/
+}
+
+signature file-tcl {
+	file-mime "text/x-tcl", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(wish|tcl)/
+}
+
+signature file-lua {
+	file-mime "text/x-lua", 49
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?lua/
+}
+
+signature file-javascript {
+	file-mime "application/javascript", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?node(js)?/
+}
+
+signature file-javascript2 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*<script[[:blank:]]+(type|language)=['"](text\/)?javascript['"]>/
+}
+
+signature file-javascript3 {
+	file-mime "application/javascript", 60
+	# This seems to be a somewhat common idiom in javascript.
+	file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/
+}
+
+signature file-javascript4 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/
+}
+
+signature file-javascript5 {
+	file-mime "application/javascript", 60
+	file-magic /^\(function\(\)[[:blank:]\n]*\{/
+}
+
 signature file-php {
+	file-mime "text/x-php", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
+}
+
+signature file-php2 {
 	file-magic /^.*<\?php/
 	file-mime "text/x-php", 40
 }
@@ -135,3 +191,23 @@ signature file-skp {
 	file-magic /^\xFF\xFE\xFF\x0E\x53\x00\x6B\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4D\x00\x6F\x00\x64\x00\x65\x00\x6C\x00/
 	file-mime "application/skp", 100
 }
+
+signature file-elf-object {
+	file-mime "application/x-object", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
+}
+
+signature file-elf {
+	file-mime "application/x-executable", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
+}
+
+signature file-elf-sharedlib {
+	file-mime "application/x-sharedlib", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
+}
+
+signature file-elf-coredump {
+	file-mime "application/x-coredump", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
+}
diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig
new file mode 100644
index 0000000000..ad4e7bbbe1
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/image.sig
@@ -0,0 +1,178 @@
+
+signature file-tiff {
+	file-mime "image/tiff", 70
+	file-magic /^(MM\x00[\x2a\x2b]|II[\x2a\x2b]\x00)/
+}
+
+signature file-gif {
+	file-mime "image/gif", 70
+	file-magic /^GIF8/
+}
+
+
+# >0  beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0
+signature file-magic-auto427 {
+	file-mime "image/jpeg", 52
+	file-magic /(\xff\xd8)/
+}
+
+signature file-bmp {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /BM.{12}[\x0c\x28\x40\x6c\x7c\x80]\x00/
+}
+
+signature file-ico {
+	file-magic /^\x00\x00\x01\x00/
+	file-mime "image/x-icon", 70
+}
+
+signature file-cur {
+	file-magic /^\x00\x00\x02\x00/
+	file-mime "image/x-cursor", 70
+}
+
+# >0  string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0
+signature file-magic-auto289 {
+	file-mime "image/vnd.adobe.photoshop", 70
+	file-magic /(8BPS)/
+}
+
+signature file-png {
+	file-mime "image/png", 110
+	file-magic /^\x89PNG\x0d\x0a\x1a\x0a/
+}
+
+# JPEG 2000
+signature file-jp2 {
+	file-mime "image/jp2", 60
+	file-magic /.{4}ftypjp2/
+}
+
+# JPEG 2000
+signature file-jp22 {
+	file-mime "image/jp2", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jp2 /
+}
+
+# JPEG 2000
+signature file-jpx {
+	file-mime "image/jpx", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jpx /
+}
+
+# JPEG 2000
+signature file-jpm {
+	file-mime "image/jpm", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jpm /
+}
+
+# >0  string,=Xcur (len=4), ["Xcursor data"], swap_endian=0
+signature file-magic-auto271 {
+	file-mime "image/x-xcursor", 70
+	file-magic /(Xcur)/
+}
+
+# >0  string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0
+signature file-magic-auto282 {
+	file-mime "image/x-niff", 70
+	file-magic /(IIN1)/
+}
+
+# >0  lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0
+signature file-magic-auto291 {
+	file-mime "image/x-exr", 70
+	file-magic /(\x76\x2f\x31\x01)/
+}
+
+# >0  string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0
+signature file-magic-auto292 {
+	file-mime "image/x-dpx", 70
+	file-magic /(SDPX)/
+}
+
+# >0  string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0
+signature file-magic-auto294 {
+	file-mime "image/x-cpi", 70
+	file-magic /(CPC\xb2)/
+}
+
+
+signature file-orf {
+	file-mime "image/x-olympus-orf", 70
+	file-magic /IIR[OS]|MMOR/
+}
+
+# >0  string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0
+signature file-magic-auto298 {
+	file-mime "image/x-x3f", 70
+	file-magic /(FOVb)/
+}
+
+# >0  string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0
+signature file-magic-auto299 {
+	file-mime "image/x-paintnet", 70
+	file-magic /(PDN3)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0
+signature file-magic-auto355 {
+	file-mime "image/x-coreldraw", 70
+	file-magic /(RIFF)(.{4})(CDRA)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0
+signature file-magic-auto356 {
+	file-mime "image/x-coreldraw", 70
+	file-magic /(RIFF)(.{4})(CDR6)/
+}
+
+# >0  string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0
+signature file-magic-auto484 {
+	file-mime "image/x-portable-pixmap", 50
+	file-magic /(P7)/
+}
+
+# >4  string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0
+signature file-magic-auto497 {
+	file-mime "image/jp2", 50
+	file-magic /(.{4})(jP)/
+}
+
+# DjVU Images
+signature file-djvu {
+	file-mime "image/vnd.djvu", 70
+	file-magic /AT\x26TFORM.{4}(DJV[MUI]|THUM)/
+}
+
+# DWG AutoDesk AutoCAD
+signature file-dwg {
+	file-mime "image/vnd.dwg", 90
+	file-magic /^(AC[12]\.|AC10)/
+}
+
+# >0  string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0
+signature file-magic-auto115 {
+	file-mime "image/x-xcf", 110
+	file-magic /(gimp xcf)/
+}
+
+# >0  string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0
+signature file-magic-auto62 {
+	file-mime "image/x-polar-monitor-bitmap", 160
+	file-magic /(\x5bBitmapInfo2\x5d)/
+}
+
+# >0  string,=AWBM (len=4), [""], swap_endian=0
+# >>4  leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0
+signature file-magic-auto208 {
+	file-mime "image/x-award-bmp", 20
+	file-magic /(AWBM)(.{2})/
+}
+
+# >0  string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0
+signature file-magic-auto483 {
+	file-mime "image/x-award-bioslogo", 50
+	file-magic /^\x11[\x06\x09]/
+}
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
index 72ec40dff8..d18f6f01a6 100644
--- a/scripts/base/frameworks/files/magic/libmagic.sig
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
@@ -56,42 +56,18 @@ signature file-magic-auto11 {
 	file-magic /(\x3cmap ?version\x3d\x22freeplane)/
 }
 
-# >0  string/wt,=#! /usr/local/bin/nawk (len=22), ["new awk script text executable"], swap_endian=0
-signature file-magic-auto12 {
-	file-mime "text/x-nawk", 250
-	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fnawk)/
-}
-
-# >0  string/wt,=#! /usr/local/bin/gawk (len=22), ["GNU awk script text executable"], swap_endian=0
-signature file-magic-auto13 {
-	file-mime "text/x-gawk", 250
-	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fgawk)/
-}
-
 # >0  string,=# PaCkAgE DaTaStReAm (len=20), ["pkg Datastream (SVR4)"], swap_endian=0
 signature file-magic-auto19 {
 	file-mime "application/x-svr4-package", 230
 	file-magic /(\x23 PaCkAgE DaTaStReAm)/
 }
 
-# >0  string,=Creative Voice File (len=19), ["Creative Labs voice data"], swap_endian=0
-signature file-magic-auto20 {
-	file-mime "audio/x-unknown", 220
-	file-magic /(Creative Voice File)/
-}
-
 # >0  string/t,=[KDE Desktop Entry] (len=19), ["KDE desktop entry"], swap_endian=0
 signature file-magic-auto21 {
 	file-mime "application/x-kdelnk", 220
 	file-magic /(\x5bKDE Desktop Entry\x5d)/
 }
 
-# >0  string,=!<arch>\n__________E (len=19), ["MIPS archive"], swap_endian=0
-signature file-magic-auto23 {
-	file-mime "application/x-archive", 220
-	file-magic /(\x21\x3carch\x3e\x0a\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5fE)/
-}
-
 # >0  string/t,=# KDE Config File (len=17), ["KDE config file"], swap_endian=0
 signature file-magic-auto26 {
 	file-mime "application/x-kdelnk", 200
@@ -111,18 +87,6 @@ signature file-magic-auto28 {
 	file-magic /(riff\x2e\x91\xcf\x11\xa5\xd6\x28\xdb\x04\xc1\x00\x00)(.{8})(wave\xf3\xac\xd3\x11\x8c\xd1\x00\xc0O\x8e\xdb\x8a)/
 }
 
-# >0  string/wt,=#! /usr/bin/nawk (len=16), ["new awk script text executable"], swap_endian=0
-signature file-magic-auto29 {
-	file-mime "text/x-nawk", 190
-	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fnawk)/
-}
-
-# >0  string/wt,=#! /usr/bin/gawk (len=16), ["GNU awk script text executable"], swap_endian=0
-signature file-magic-auto31 {
-	file-mime "text/x-gawk", 190
-	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fgawk)/
-}
-
 # >369  string,=MICROSOFT PIFEX\000 (len=16), ["Windows Program Information File"], swap_endian=0
 signature file-magic-auto32 {
 	file-mime "application/x-dosexec", 190
@@ -147,23 +111,6 @@ signature file-magic-auto36 {
 	file-magic /(Extended Module\x3a)/
 }
 
-# >0  string/t,=<?xml version " (len=15), ["XML"], swap_endian=0
-signature file-magic-auto37 {
-	file-mime "application/xml", 185
-	file-magic /(\x3c\x3fxml version \x22)/
-}
-
-# >0  string/t,=<?xml version=" (len=15), ["XML"], swap_endian=0
-signature file-magic-auto38 {
-	file-mime "application/xml", 185
-	file-magic /(\x3c\x3fxml version\x3d\x22)/
-}
-
-# >0  string,=<?xml version=' (len=15), ["XML"], swap_endian=0
-signature file-magic-auto39 {
-	file-mime "application/xml", 185
-	file-magic /(\x3c\x3fxml version\x3d\x27)/
-}
 
 # >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
 # >>20  search/wc/1000,=<!DOCTYPE X3D (len=13), ["X3D (Extensible 3D) model xml text"], swap_endian=0
@@ -172,22 +119,6 @@ signature file-magic-auto40 {
 	file-magic /(\x3c\x3fxml version\x3d\x22)(.{5})(.*)(\x3c\x21DOCTYPE ?X3D)/
 }
 
-# >0  string/t,=<?xml version=' (len=15), [""], swap_endian=0
-# >>15  string,>\000 (len=1), [""], swap_endian=0
-# >>>19  search/Wctb/4096,=<!doctype html (len=14), ["XHTML document text"], swap_endian=0
-signature file-magic-auto41 {
-	file-mime "text/html", 44
-	file-magic /(\x3c\x3fxml version\x3d\x27)([^\x00])(.{3})(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
-}
-
-# >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
-# >>15  string,>\000 (len=1), [""], swap_endian=0
-# >>>19  search/Wctb/4096,=<!doctype html (len=14), ["XHTML document text"], swap_endian=0
-signature file-magic-auto42 {
-	file-mime "text/html", 44
-	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
-}
-
 # >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
 # >>15  string,>\000 (len=1), [""], swap_endian=0
 # >>>19  search/4096,=<urlset (len=7), ["XML Sitemap document text"], swap_endian=0
@@ -212,44 +143,18 @@ signature file-magic-auto45 {
 	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3cgnc\x2dv2)/
 }
 
-# >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
-# >>15  string,>\000 (len=1), [""], swap_endian=0
-# >>>19  search/Wctb/4096,=<html (len=5), ["broken XHTML document text"], swap_endian=0
-signature file-magic-auto46 {
-	file-mime "text/html", 40
-	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3c[hH][tT][mM][lL])/
-}
-
 # >0  string/c,=BEGIN:VCALENDAR (len=15), ["vCalendar calendar file"], swap_endian=0
 signature file-magic-auto47 {
 	file-mime "text/calendar", 180
 	file-magic /(BEGIN\x3aVCALENDAR)/
 }
 
-# >4  string,=Standard Jet DB (len=15), ["Microsoft Access Database"], swap_endian=0
-signature file-magic-auto48 {
-	file-mime "application/x-msaccess", 180
-	file-magic /(.{4})(Standard Jet DB)/
-}
-
-# >4  string,=Standard ACE DB (len=15), ["Microsoft Access Database"], swap_endian=0
-signature file-magic-auto49 {
-	file-mime "application/x-msaccess", 180
-	file-magic /(.{4})(Standard ACE DB)/
-}
-
 # >0  string/w,=#VRML V2.0 utf8 (len=15), ["ISO/IEC 14772 VRML 97 file"], swap_endian=0
 signature file-magic-auto50 {
 	file-mime "model/vrml", 180
 	file-magic /(\x23VRML ?V2\x2e0 ?utf8)/
 }
 
-# >0  string/wt,=#! /usr/bin/awk (len=15), ["awk script text executable"], swap_endian=0
-signature file-magic-auto51 {
-	file-mime "text/x-awk", 180
-	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fawk)/
-}
-
 # >0  string,=MAS_UTrack_V00 (len=14), [""], swap_endian=0
 # >>14  string,>/0 (len=2), ["ultratracker V1.%.1s module sound data"], swap_endian=0
 signature file-magic-auto53 {
@@ -309,12 +214,6 @@ signature file-magic-auto61 {
 	file-magic /(.{39})(\x3cgmr\x3aWorkbook)/
 }
 
-# >0  string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0
-signature file-magic-auto62 {
-	file-mime "image/x-polar-monitor-bitmap", 160
-	file-magic /(\x5bBitmapInfo2\x5d)/
-}
-
 # >0  string,=SplineFontDB: (len=13), ["Spline Font Database "], swap_endian=0
 signature file-magic-auto63 {
 	file-mime "application/vnd.font-fontforge-sfd", 160
@@ -333,33 +232,6 @@ signature file-magic-auto65 {
 	file-magic /([rR][eE][tT][uU][rR][nN]\x2d[pP][aA][tT][hH]\x3a)/
 }
 
-# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
-# >>20  string,=jp2  (len=4), ["Part 1 (JP2)"], swap_endian=0
-signature file-magic-auto66 {
-	file-mime "image/jp2", 70
-	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(jp2 )/
-}
-
-# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
-# >>20  string,=jpx  (len=4), ["Part 2 (JPX)"], swap_endian=0
-signature file-magic-auto67 {
-	file-mime "image/jpx", 70
-	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(jpx )/
-}
-
-# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
-# >>20  string,=jpm  (len=4), ["Part 6 (JPM)"], swap_endian=0
-signature file-magic-auto68 {
-	file-mime "image/jpm", 70
-	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(jpm )/
-}
-
-# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
-# >>20  string,=mjp2 (len=4), ["Part 3 (MJ2)"], swap_endian=0
-signature file-magic-auto69 {
-	file-mime "video/mj2", 70
-	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(mjp2)/
-}
 
 # >0  string/w,=<map version (len=12), ["Freemind document"], swap_endian=0
 signature file-magic-auto70 {
@@ -367,24 +239,6 @@ signature file-magic-auto70 {
 	file-magic /(\x3cmap ?version)/
 }
 
-# >0  string/wt,=#! /bin/nawk (len=12), ["new awk script text executable"], swap_endian=0
-signature file-magic-auto72 {
-	file-mime "text/x-nawk", 150
-	file-magic /(\x23\x21 ?\x2fbin\x2fnawk)/
-}
-
-# >0  string/wt,=#! /bin/gawk (len=12), ["GNU awk script text executable"], swap_endian=0
-signature file-magic-auto73 {
-	file-mime "text/x-gawk", 150
-	file-magic /(\x23\x21 ?\x2fbin\x2fgawk)/
-}
-
-# >0  string/wt,=#! /bin/awk (len=11), ["awk script text executable"], swap_endian=0
-signature file-magic-auto75 {
-	file-mime "text/x-awk", 140
-	file-magic /(\x23\x21 ?\x2fbin\x2fawk)/
-}
-
 # >0  string,=filedesc:// (len=11), ["Internet Archive File"], swap_endian=0
 signature file-magic-auto76 {
 	file-mime "application/x-ia-arc", 140
@@ -447,12 +301,6 @@ signature file-magic-auto88 {
 	file-magic /(.*)(\x2d\x2d\x2d )(.*)(\x0a)(.*)(\x2b\x2b\x2b )(.*)(\x0a)(.*)(\x40\x40)/
 }
 
-# >0  string/t,=Received: (len=9), ["RFC 822 mail text"], swap_endian=0
-signature file-magic-auto89 {
-	file-mime "message/rfc822", 120
-	file-magic /(Received\x3a)/
-}
-
 # >0  string,=<BookFile (len=9), ["FrameMaker Book file"], swap_endian=0
 signature file-magic-auto90 {
 	file-mime "application/x-mif", 120
@@ -484,46 +332,12 @@ signature file-magic-auto94 {
 	file-magic /(LPKSHHRH)(.{8})([\x00\x01\x02\x03])(.{7})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})/
 }
 
-# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
-# >>12  string,=DJVM (len=4), ["DjVu multiple page document"], swap_endian=0
-signature file-magic-auto95 {
-	file-mime "image/vnd.djvu", 70
-	file-magic /(AT\x26TFORM)(.{4})(DJVM)/
-}
-
-# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
-# >>12  string,=DJVU (len=4), ["DjVu image or single page document"], swap_endian=0
-signature file-magic-auto96 {
-	file-mime "image/vnd.djvu", 70
-	file-magic /(AT\x26TFORM)(.{4})(DJVU)/
-}
-
-# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
-# >>12  string,=DJVI (len=4), ["DjVu shared document"], swap_endian=0
-signature file-magic-auto97 {
-	file-mime "image/vnd.djvu", 70
-	file-magic /(AT\x26TFORM)(.{4})(DJVI)/
-}
-
-# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
-# >>12  string,=THUM (len=4), ["DjVu page thumbnails"], swap_endian=0
-signature file-magic-auto98 {
-	file-mime "image/vnd.djvu", 70
-	file-magic /(AT\x26TFORM)(.{4})(THUM)/
-}
-
 # >0  string/t,=#! rnews (len=8), ["batched news text"], swap_endian=0
 signature file-magic-auto99 {
 	file-mime "message/rfc822", 110
 	file-magic /(\x23\x21 rnews)/
 }
 
-# >0  string/b,=MSCF\000\000\000\000 (len=8), ["Microsoft Cabinet archive data"], swap_endian=0
-signature file-magic-auto100 {
-	file-mime "application/vnd.ms-cab-compressed", 110
-	file-magic /(MSCF\x00\x00\x00\x00)/
-}
-
 # >21  string/c,=!SCREAM! (len=8), ["Screamtracker 2 module sound data"], swap_endian=0
 signature file-magic-auto102 {
 	file-mime "audio/x-mod", 110
@@ -573,12 +387,6 @@ signature file-magic-auto109 {
 	file-magic /(\x89HDF\x0d\x0a\x1a\x0a)/
 }
 
-# >0  string,=\211PNG\r\n\032\n (len=8), ["PNG image data"], swap_endian=0
-signature file-magic-auto110 {
-	file-mime "image/png", 110
-	file-magic /(\x89PNG\x0d\x0a\x1a\x0a)/
-}
-
 # >36  string,=acspSUNW (len=8), ["Sun KCMS ICC Profile"], swap_endian=0
 signature file-magic-auto111 {
 	file-mime "application/vnd.iccprofile", 110
@@ -603,36 +411,18 @@ signature file-magic-auto114 {
 	file-magic /(.{36})(acspAPPL)/
 }
 
-# >0  string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0
-signature file-magic-auto115 {
-	file-mime "image/x-xcf", 110
-	file-magic /(gimp xcf)/
-}
-
 # >512  string,=R\000o\000o\000t\000 (len=8), ["Hangul (Korean) Word Processor File 2000"], swap_endian=0
 signature file-magic-auto116 {
 	file-mime "application/x-hwp", 110
 	file-magic /(.{512})(R\x00o\x00o\x00t\x00)/
 }
 
-# >257  string,=ustar  \000 (len=8), ["GNU tar archive"], swap_endian=0
-#signature file-magic-auto117 {
-#	file-mime "application/x-tar", 110
-#	file-magic /(.{257})(ustar  \x00)/
-#}
-
 # >0  string,=<MIFFile (len=8), ["FrameMaker MIF (ASCII) file"], swap_endian=0
 signature file-magic-auto118 {
 	file-mime "application/x-mif", 110
 	file-magic /(\x3cMIFFile)/
 }
 
-# >0  string,=PK\a\bPK\003\004 (len=8), ["Zip multi-volume archive data, at least PKZIP v2.50 to extract"], swap_endian=0
-signature file-magic-auto119 {
-	file-mime "application/zip", 110
-	file-magic /(PK\x07\x08PK\x03\x04)/
-}
-
 # >0  string/b,=WordPro\000 (len=8), ["Lotus WordPro"], swap_endian=0
 signature file-magic-auto121 {
 	file-mime "application/vnd.lotus-wordpro", 110
@@ -645,12 +435,6 @@ signature file-magic-auto122 {
 	file-magic /(Article)/
 }
 
-# >0  string,=\037\213 (len=2), ["gzip compressed data"], swap_endian=0
-signature file-magic-auto123 {
-	file-mime "application/x-gzip", 100
-	file-magic /(\x1f\x8b)/
-}
-
 # >0  string/t,=Pipe to (len=7), ["mail piping text"], swap_endian=0
 signature file-magic-auto124 {
 	file-mime "message/rfc822", 100
@@ -663,18 +447,6 @@ signature file-magic-auto125 {
 	file-magic /(\x2eRMF\x00\x00\x00)/
 }
 
-# >0  string,=StuffIt (len=7), ["StuffIt Archive"], swap_endian=0
-signature file-magic-auto126 {
-	file-mime "application/x-stuffit", 100
-	file-magic /(StuffIt)/
-}
-
-# >0  string,=!<arch> (len=7), ["current ar archive"], swap_endian=0
-signature file-magic-auto127 {
-	file-mime "application/x-archive", 100
-	file-magic /(\x21\x3carch\x3e)/
-}
-
 # >0  string,=P5 (len=2), [""], swap_endian=0
 # >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
 # >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
@@ -699,151 +471,12 @@ signature file-magic-auto130 {
 	file-magic /(P4)(.{1})([0-9]{1,50} )( [0-9]{1,50})/
 }
 
-# >257  string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0
-#signature file-magic-auto131 {
-#	file-mime "application/x-tar", 90
-#	file-magic /(.{257})(ustar\x00)/
-#}
-
-# >0  string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0
-signature file-magic-auto132 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1\x2e40)/
-}
-
-# >0  string,=AC1.50 (len=6), ["DWG AutoDesk AutoCAD Release 2.05"], swap_endian=0
-signature file-magic-auto133 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1\x2e50)/
-}
-
-# >0  string,=AC2.10 (len=6), ["DWG AutoDesk AutoCAD Release 2.10"], swap_endian=0
-signature file-magic-auto134 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC2\x2e10)/
-}
-
-# >0  string,=AC2.21 (len=6), ["DWG AutoDesk AutoCAD Release 2.21"], swap_endian=0
-signature file-magic-auto135 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC2\x2e21)/
-}
-
-# >0  string,=AC2.22 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0
-signature file-magic-auto136 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC2\x2e22)/
-}
-
-# >0  string,=AC1001 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0
-signature file-magic-auto137 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1001)/
-}
-
-# >0  string,=AC1002 (len=6), ["DWG AutoDesk AutoCAD Release 2.50"], swap_endian=0
-signature file-magic-auto138 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1002)/
-}
-
-# >0  string,=AC1003 (len=6), ["DWG AutoDesk AutoCAD Release 2.60"], swap_endian=0
-signature file-magic-auto139 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1003)/
-}
-
-# >0  string,=AC1004 (len=6), ["DWG AutoDesk AutoCAD Release 9"], swap_endian=0
-signature file-magic-auto140 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1004)/
-}
-
-# >0  string,=AC1006 (len=6), ["DWG AutoDesk AutoCAD Release 10"], swap_endian=0
-signature file-magic-auto141 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1006)/
-}
-
-# >0  string,=AC1009 (len=6), ["DWG AutoDesk AutoCAD Release 11/12"], swap_endian=0
-signature file-magic-auto142 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1009)/
-}
-
-# >0  string,=AC1012 (len=6), ["DWG AutoDesk AutoCAD Release 13"], swap_endian=0
-signature file-magic-auto143 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1012)/
-}
-
-# >0  string,=AC1014 (len=6), ["DWG AutoDesk AutoCAD Release 14"], swap_endian=0
-signature file-magic-auto144 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1014)/
-}
-
-# >0  string,=AC1015 (len=6), ["DWG AutoDesk AutoCAD 2000/2002"], swap_endian=0
-signature file-magic-auto145 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1015)/
-}
-
-# >0  string,=AC1018 (len=6), ["DWG AutoDesk AutoCAD 2004/2005/2006"], swap_endian=0
-signature file-magic-auto146 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1018)/
-}
-
-# >0  string,=AC1021 (len=6), ["DWG AutoDesk AutoCAD 2007/2008/2009"], swap_endian=0
-signature file-magic-auto147 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1021)/
-}
-
-# >0  string,=AC1024 (len=6), ["DWG AutoDesk AutoCAD 2010/2011/2012"], swap_endian=0
-signature file-magic-auto148 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1024)/
-}
-
-# >0  string,=AC1027 (len=6), ["DWG AutoDesk AutoCAD 2013/2014"], swap_endian=0
-signature file-magic-auto149 {
-	file-mime "image/vnd.dwg", 90
-	file-magic /(AC1027)/
-}
-
-# >0  string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0
-# >>7  byte&,x, [".%d"], swap_endian=0
-signature file-magic-auto150 {
-	file-mime "application/x-7z-compressed", 1
-	file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/
-}
-
-# >0  ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0
-signature file-magic-auto151 {
-	file-mime "application/x-xz", 90
-	file-magic /(\xfd7zXZ\x00)/
-}
-
 # >0  string,=<Maker (len=6), ["Intermediate Print File	FrameMaker IPL file"], swap_endian=0
 signature file-magic-auto152 {
 	file-mime "application/x-mif", 90
 	file-magic /(\x3cMaker)/
 }
 
-# >0  string,=GIF94z (len=6), ["ZIF image (GIF+deflate alpha)"], swap_endian=0
-signature file-magic-auto153 {
-	file-mime "image/x-unknown", 90
-	file-magic /(GIF94z)/
-}
-
-# >0  string,=FGF95a (len=6), ["FGF image (GIF+deflate beta)"], swap_endian=0
-signature file-magic-auto154 {
-	file-mime "image/x-unknown", 90
-	file-magic /(FGF95a)/
-}
-
 # >0  string/t,=# xmcd (len=6), ["xmcd database file for kscd"], swap_endian=0
 signature file-magic-auto155 {
 	file-mime "text/x-xmcd", 90
@@ -968,81 +601,6 @@ signature file-magic-auto174 {
 	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXO)/
 }
 
-# Doubt it's going to be common to have this many bytes buffered.
-# >37633  string,=CD001 (len=5), ["ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)"], swap_endian=0
-#signature file-magic-auto175 {
-#	file-mime "application/x-iso9660-image", 80
-#	file-magic /(.{37633})(CD001)/
-#}
-
-# >2  string,=-lhd- (len=5), ["LHa 2.x? archive data [lhd]"], swap_endian=0
-signature file-magic-auto176 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlhd\x2d)/
-}
-
-# >0  string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0
-# >>5  string,x, ["version %.4s"], swap_endian=0
-signature file-magic-auto177 {
-	file-mime "application/warc", 1
-	file-magic /(WARC\x2f)(.{0})/
-}
-
-# >0  string,=AC1.3 (len=5), ["DWG AutoDesk AutoCAD Release 1.3"], swap_endian=0
-signature file-magic-auto178 {
-	file-mime "image/vnd.dwg", 80
-	file-magic /(AC1\x2e3)/
-}
-
-# >2  string,=-lh - (len=5), ["LHa 2.x? archive data [lh ]"], swap_endian=0
-signature file-magic-auto179 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh \x2d)/
-}
-
-# >0  string,=AC1.2 (len=5), ["DWG AutoDesk AutoCAD Release 1.2"], swap_endian=0
-signature file-magic-auto180 {
-	file-mime "image/vnd.dwg", 80
-	file-magic /(AC1\x2e2)/
-}
-
-# >0  string,=MC0.0 (len=5), ["DWG AutoDesk AutoCAD Release 1.0"], swap_endian=0
-signature file-magic-auto181 {
-	file-mime "image/vnd.dwg", 80
-	file-magic /(MC0\x2e0)/
-}
-
-# >2  string,=-lzs- (len=5), ["LHa/LZS archive data [lzs]"], swap_endian=0
-signature file-magic-auto182 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlzs\x2d)/
-}
-
-# >2  string,=-lz5- (len=5), ["LHarc 1.x archive data [lz5]"], swap_endian=0
-signature file-magic-auto183 {
-	file-mime "application/x-lharc", 80
-	file-magic /(.{2})(\x2dlz5\x2d)/
-}
-
-# Doubt it's going to be common to have this many bytes buffered.
-# >32769  string,=CD001 (len=5), ["#"], swap_endian=0
-#signature file-magic-auto184 {
-#	file-mime "application/x-iso9660-image", 80
-#	file-magic /(.{32769})(CD001)/
-#}
-
-# >2  string,=-lh3- (len=5), ["LHa 2.x? archive data [lh3]"], swap_endian=0
-signature file-magic-auto185 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh3\x2d)/
-}
-
-# >2  string,=-lh2- (len=5), ["LHa 2.x? archive data [lh2]"], swap_endian=0
-signature file-magic-auto186 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh2\x2d)/
-}
-
 # >0  string,=\000\001\000\000\000 (len=5), ["TrueType font data"], swap_endian=0
 signature file-magic-auto187 {
 	file-mime "application/x-font-ttf", 80
@@ -1073,66 +631,18 @@ signature file-magic-auto194 {
 	file-magic /(From\x3a)/
 }
 
-# >2  string,=-lh7- (len=5), ["LHa (2.x)/LHark archive data [lh7]"], swap_endian=0
-signature file-magic-auto195 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh7\x2d)/
-}
-
 # >0  string,={\rtf (len=5), ["Rich Text Format data,"], swap_endian=0
 signature file-magic-auto196 {
 	file-mime "text/rtf", 80
 	file-magic /(\x7b\x5crtf)/
 }
 
-# >2  string,=-lh6- (len=5), ["LHa (2.x) archive data [lh6]"], swap_endian=0
-signature file-magic-auto197 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh6\x2d)/
-}
-
-# >2  string,=-lh5- (len=5), ["LHa (2.x) archive data [lh5]"], swap_endian=0
-signature file-magic-auto198 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh5\x2d)/
-}
-
-# >2  string,=-lh4- (len=5), ["LHa (2.x) archive data [lh4]"], swap_endian=0
-signature file-magic-auto199 {
-	file-mime "application/x-lha", 80
-	file-magic /(.{2})(\x2dlh4\x2d)/
-}
-
-# >2  string,=-lz4- (len=5), ["LHarc 1.x archive data [lz4]"], swap_endian=0
-signature file-magic-auto200 {
-	file-mime "application/x-lharc", 80
-	file-magic /(.{2})(\x2dlz4\x2d)/
-}
-
-# >2  string,=-lh1- (len=5), ["LHarc 1.x/ARX archive data [lh1]"], swap_endian=0
-signature file-magic-auto201 {
-	file-mime "application/x-lharc", 80
-	file-magic /(.{2})(\x2dlh1\x2d)/
-}
-
-# >2  string,=-lh0- (len=5), ["LHarc 1.x/ARX archive data [lh0]"], swap_endian=0
-signature file-magic-auto202 {
-	file-mime "application/x-lharc", 80
-	file-magic /(.{2})(\x2dlh0\x2d)/
-}
-
 # >0  string,=%FDF- (len=5), ["FDF document"], swap_endian=0
 signature file-magic-auto203 {
 	file-mime "application/vnd.fdf", 80
 	file-magic /(\x25FDF\x2d)/
 }
 
-# >0  belong&,=443 (0x000001bb), [""], swap_endian=0
-signature file-magic-auto204 {
-	file-mime "video/mpeg", 71
-	file-magic /(\x00\x00\x01\xbb)/
-}
-
 # The non-sequential offsets and use of bitmask and relational operators
 # made this difficult to autogenerate.  Can see about manually creating
 # the correct character class later.
@@ -1145,31 +655,6 @@ signature file-magic-auto204 {
 #	file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05])(.*)([\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
 #}
 
-# >0  belong&,=432 (0x000001b0), [""], swap_endian=0
-signature file-magic-auto206 {
-	file-mime "video/mp4v-es", 71
-	file-magic /(\x00\x00\x01\xb0)/
-}
-
-# >0  belong&,=437 (0x000001b5), [""], swap_endian=0
-signature file-magic-auto207 {
-	file-mime "video/mp4v-es", 71
-	file-magic /(\x00\x00\x01\xb5)/
-}
-
-# >0  string,=AWBM (len=4), [""], swap_endian=0
-# >>4  leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0
-signature file-magic-auto208 {
-	file-mime "image/x-award-bmp", 20
-	file-magic /(AWBM)(.{2})/
-}
-
-# >0  belong&,=435 (0x000001b3), [""], swap_endian=0
-signature file-magic-auto209 {
-	file-mime "video/mpv", 71
-	file-magic /(\x00\x00\x01\xb3)/
-}
-
 # Converting bitmask to character class might make the regex
 # unfriendly to humans.
 # >0  belong&ffffffffff5fff10,=1195376656 (0x47400010), [""], swap_endian=0
@@ -1178,40 +663,6 @@ signature file-magic-auto209 {
 #	file-magic /(.{4})/
 #}
 
-# >0  belong&,=1 (0x00000001), [""], swap_endian=0
-# >>4  byte&0000001f,=0x07, [""], swap_endian=0
-signature file-magic-auto211 {
-	file-mime "video/h264", 41
-	file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xba, ["MPEG sequence"], swap_endian=0
-signature file-magic-auto213 {
-	file-mime "video/mpeg", 40
-	file-magic /(\x00\x00\x01\xba)/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0
-signature file-magic-auto214 {
-	file-mime "video/mpeg4-generic", 40
-	file-magic /(\x00\x00\x01\xb0)/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0
-signature file-magic-auto215 {
-	file-mime "video/mpeg4-generic", 40
-	file-magic /(\x00\x00\x01\xb5)/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xb3, ["MPEG sequence"], swap_endian=0
-signature file-magic-auto216 {
-	file-mime "video/mpeg", 40
-	file-magic /(\x00\x00\x01\xb3)/
-}
 
 # >0  lelong&,=4 (0x00000004), [""], swap_endian=0
 # >>104  lelong&,=4 (0x00000004), ["X11 SNF font data, LSB first"], swap_endian=0
@@ -1220,12 +671,6 @@ signature file-magic-auto217 {
 	file-magic /(\x04\x00\x00\x00)(.{100})(\x04\x00\x00\x00)/
 }
 
-# >0  lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0
-signature file-magic-auto218 {
-	file-mime "application/x-lzma", 71
-	file-magic /(\x5d\x00\x00.)/
-}
-
 # This didn't auto-generate correctly due to non-sequential offsets and
 # use of bitwise/relational comparisons.  At a glance: may not be
 # that common/useful, leaving for later.
@@ -1285,22 +730,6 @@ signature file-magic-auto223 {
 	file-magic /(\x3bELC)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
 }
 
-# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
-# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
-# >>>&1  string,=webm (len=4), ["WebM"], swap_endian=0
-signature file-magic-auto224 {
-	file-mime "video/webm", 70
-	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/
-}
-
-# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
-# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
-# >>>&1  string,=matroska (len=8), ["Matroska data"], swap_endian=0
-signature file-magic-auto225 {
-	file-mime "video/x-matroska", 110
-	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/
-}
-
 # >0  string,=PK\003\004 (len=4), [""], swap_endian=0
 # >>4  byte&,=0x14, [""], swap_endian=0
 # >>>30  string,=doc.kml (len=7), ["Compressed Google KML Document, including resources."], swap_endian=0
@@ -1502,37 +931,6 @@ signature file-magic-auto245 {
 	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(epub\x2bzip)/
 }
 
-# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
-# >>4  byte&,&0x40, [""], swap_endian=0
-signature file-magic-auto250 {
-	file-mime "video/mp2p", 21
-	file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
-}
-
-# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
-# >>4  byte&,^0x40, [""], swap_endian=0
-signature file-magic-auto251 {
-	file-mime "video/mpeg", 21
-	file-magic /(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
-}
-
-# >0  string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0
-signature file-magic-auto252 {
-	file-mime "video/x-sgi-movie", 70
-	file-magic /(MOVI)/
-}
-
-# >4  string,=moov (len=4), ["Apple QuickTime"], swap_endian=0
-signature file-magic-auto253 {
-	file-mime "video/quicktime", 70
-	file-magic /(.{4})(moov)/
-}
-
-# >4  string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0
-signature file-magic-auto254 {
-	file-mime "video/quicktime", 70
-	file-magic /(.{4})(mdat)/
-}
 
 # >4  string,=idsc (len=4), ["Apple QuickTime image (fast start)"], swap_endian=0
 signature file-magic-auto255 {
@@ -1546,82 +944,6 @@ signature file-magic-auto256 {
 	file-magic /(.{4})(pckg)/
 }
 
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0
-signature file-magic-auto257 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(isom)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0
-signature file-magic-auto258 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(mp41)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=mp42 (len=4), [", MPEG v4 system, version 2"], swap_endian=0
-signature file-magic-auto259 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(mp42)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string/W,=jp2 (len=3), [", JPEG 2000"], swap_endian=0
-signature file-magic-auto260 {
-	file-mime "image/jp2", 60
-	file-magic /(.{4})(ftyp)(jp2)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto261 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3ge)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto262 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3gg)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto263 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3gp)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto264 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3gs)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3g2 (len=3), [", MPEG v4 system, 3GPP2"], swap_endian=0
-signature file-magic-auto265 {
-	file-mime "video/3gpp2", 60
-	file-magic /(.{4})(ftyp)(3g2)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0
-signature file-magic-auto266 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(mmp4)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0
-signature file-magic-auto267 {
-	file-mime "video/3gpp", 70
-	file-magic /(.{4})(ftyp)(avc1)/
-}
 
 # >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
 # >>8  string/W,=M4A (len=3), [", MPEG v4 system, iTunes AAC-LC"], swap_endian=0
@@ -1644,12 +966,6 @@ signature file-magic-auto270 {
 	file-magic /(.{4})(ftyp)(qt)/
 }
 
-# >0  string,=Xcur (len=4), ["Xcursor data"], swap_endian=0
-signature file-magic-auto271 {
-	file-mime "image/x-xcursor", 70
-	file-magic /(Xcur)/
-}
-
 # >0  string,=ADIF (len=4), ["MPEG ADIF, AAC"], swap_endian=0
 signature file-magic-auto272 {
 	file-mime "audio/x-hx-aac-adif", 70
@@ -1662,17 +978,6 @@ signature file-magic-auto273 {
 	file-magic /(\x30\x26\xb2\x75)/
 }
 
-# >0  string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0
-signature file-magic-auto274 {
-	file-mime "video/x-mng", 70
-	file-magic /(\x8aMNG)/
-}
-
-# >0  string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0
-signature file-magic-auto275 {
-	file-mime "video/x-jng", 70
-	file-magic /(\x8bJNG)/
-}
 
 # >0  string,=MAC  (len=4), ["Monkey's Audio compressed format"], swap_endian=0
 signature file-magic-auto276 {
@@ -1713,114 +1018,24 @@ signature file-magic-auto281 {
 	file-magic /(fLaC)/
 }
 
-# >0  string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0
-signature file-magic-auto282 {
-	file-mime "image/x-niff", 70
-	file-magic /(IIN1)/
-}
-
-# >0  string,=MM\000* (len=4), ["TIFF image data, big-endian"], swap_endian=0
-signature file-magic-auto283 {
-	file-mime "image/tiff", 70
-	file-magic /(MM\x00\x2a)/
-}
-
-# >0  string,=II*\000 (len=4), ["TIFF image data, little-endian"], swap_endian=0
-signature file-magic-auto284 {
-	file-mime "image/tiff", 70
-	file-magic /(II\x2a\x00)/
-}
-
-# >0  string,=MM\000+ (len=4), ["Big TIFF image data, big-endian"], swap_endian=0
-signature file-magic-auto285 {
-	file-mime "image/tiff", 70
-	file-magic /(MM\x00\x2b)/
-}
-
-# >0  string,=II+\000 (len=4), ["Big TIFF image data, little-endian"], swap_endian=0
-signature file-magic-auto286 {
-	file-mime "image/tiff", 70
-	file-magic /(II\x2b\x00)/
-}
-
-# >0  string,=GIF8 (len=4), ["GIF image data"], swap_endian=0
-signature file-magic-auto287 {
-	file-mime "image/gif", 70
-	file-magic /(GIF8)/
-}
-
 # >128  string,=DICM (len=4), ["DICOM medical imaging data"], swap_endian=0
 signature file-magic-auto288 {
 	file-mime "application/dicom", 70
 	file-magic /(.{128})(DICM)/
 }
 
-# >0  string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0
-signature file-magic-auto289 {
-	file-mime "image/vnd.adobe.photoshop", 70
-	file-magic /(8BPS)/
-}
-
 # >0  string,=IMPM (len=4), ["Impulse Tracker module sound data -"], swap_endian=0
 signature file-magic-auto290 {
 	file-mime "audio/x-mod", 70
 	file-magic /(IMPM)/
 }
 
-# >0  lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0
-signature file-magic-auto291 {
-	file-mime "image/x-exr", 70
-	file-magic /(\x76\x2f\x31\x01)/
-}
-
-# >0  string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0
-signature file-magic-auto292 {
-	file-mime "image/x-dpx", 70
-	file-magic /(SDPX)/
-}
-
 # >0  belong&,=235082497 (0x0e031301), ["Hierarchical Data Format (version 4) data"], swap_endian=0
 signature file-magic-auto293 {
 	file-mime "application/x-hdf", 70
 	file-magic /(\x0e\x03\x13\x01)/
 }
 
-# >0  string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0
-signature file-magic-auto294 {
-	file-mime "image/x-cpi", 70
-	file-magic /(CPC\xb2)/
-}
-
-# >0  string,=MMOR (len=4), ["Olympus ORF raw image data, big-endian"], swap_endian=0
-signature file-magic-auto295 {
-	file-mime "image/x-olympus-orf", 70
-	file-magic /(MMOR)/
-}
-
-# >0  string,=IIRO (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0
-signature file-magic-auto296 {
-	file-mime "image/x-olympus-orf", 70
-	file-magic /(IIRO)/
-}
-
-# >0  string,=IIRS (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0
-signature file-magic-auto297 {
-	file-mime "image/x-olympus-orf", 70
-	file-magic /(IIRS)/
-}
-
-# >0  string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0
-signature file-magic-auto298 {
-	file-mime "image/x-x3f", 70
-	file-magic /(FOVb)/
-}
-
-# >0  string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0
-signature file-magic-auto299 {
-	file-mime "image/x-paintnet", 70
-	file-magic /(PDN3)/
-}
-
 # >0  belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0
 signature file-magic-auto302 {
 	file-mime "application/x-java-keystore", 70
@@ -1911,12 +1126,6 @@ signature file-magic-auto316 {
 	file-magic /(\x2e\x72\x61\xfd)/
 }
 
-# >0  string,=CTMF (len=4), ["Creative Music (CMF) data"], swap_endian=0
-signature file-magic-auto317 {
-	file-mime "audio/x-unknown", 70
-	file-magic /(CTMF)/
-}
-
 # >0  string,=MThd (len=4), ["Standard MIDI data"], swap_endian=0
 signature file-magic-auto318 {
 	file-mime "audio/midi", 70
@@ -2035,36 +1244,6 @@ signature file-magic-auto334 {
 	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x17)/
 }
 
-# >0  string,=SIT! (len=4), ["StuffIt Archive (data)"], swap_endian=0
-signature file-magic-auto335 {
-	file-mime "application/x-stuffit", 70
-	file-magic /(SIT\x21)/
-}
-
-# >0  string,=<ar> (len=4), ["System V Release 1 ar archive"], swap_endian=0
-signature file-magic-auto337 {
-	file-mime "application/x-archive", 70
-	file-magic /(\x3car\x3e)/
-}
-
-# >0  lelong&ffffffff8080ffff,=2074 (0x0000081a), ["ARC archive data, dynamic LZW"], swap_endian=0
-signature file-magic-auto338 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x08\x1a)/
-}
-
-# >0  lelong&ffffffff8080ffff,=2330 (0x0000091a), ["ARC archive data, squashed"], swap_endian=0
-signature file-magic-auto339 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x09\x1a)/
-}
-
-# >0  lelong&ffffffff8080ffff,=538 (0x0000021a), ["ARC archive data, uncompressed"], swap_endian=0
-signature file-magic-auto340 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x02\x1a)/
-}
-
 # >0  lelong&,=270539386 (0x10201a7a), ["Symbian installation file (Symbian OS 9.x)"], swap_endian=0
 signature file-magic-auto341 {
 	file-mime "x-epoc/x-sisx-app", 70
@@ -2077,72 +1256,6 @@ signature file-magic-auto342 {
 	file-magic /(.{8})(\x19\x04\x00\x10)/
 }
 
-# >0  lelong&ffffffff8080ffff,=794 (0x0000031a), ["ARC archive data, packed"], swap_endian=0
-signature file-magic-auto343 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x03\x1a)/
-}
-
-# >0  belong&,=518520576 (0x1ee7ff00), ["EET archive"], swap_endian=0
-signature file-magic-auto344 {
-	file-mime "application/x-eet", 70
-	file-magic /(\x1e\xe7\xff\x00)/
-}
-
-# >0  lelong&ffffffff8080ffff,=1050 (0x0000041a), ["ARC archive data, squeezed"], swap_endian=0
-signature file-magic-auto345 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x04\x1a)/
-}
-
-# >0  lelong&ffffffff8080ffff,=1562 (0x0000061a), ["ARC archive data, crunched"], swap_endian=0
-signature file-magic-auto346 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x06\x1a)/
-}
-
-# >0  lelong&ffffffff8080ffff,=2586 (0x00000a1a), ["PAK archive data"], swap_endian=0
-signature file-magic-auto347 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x0a\x1a)/
-}
-
-# >0  lelong&ffffffff8080ffff,=5146 (0x0000141a), ["ARC+ archive data"], swap_endian=0
-signature file-magic-auto348 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x14\x1a)/
-}
-
-# >20  lelong&,=-37443620 (0xfdc4a7dc), ["Zoo archive data"], swap_endian=0
-signature file-magic-auto349 {
-	file-mime "application/x-zoo", 70
-	file-magic /(.{20})(\xdc\xa7\xc4\xfd)/
-}
-
-# >0  string,=Rar! (len=4), ["RAR archive data,"], swap_endian=0
-signature file-magic-auto350 {
-	file-mime "application/x-rar", 70
-	file-magic /(Rar\x21)/
-}
-
-# >0  lelong&ffffffff8080ffff,=18458 (0x0000481a), ["HYP archive data"], swap_endian=0
-signature file-magic-auto351 {
-	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x48\x1a)/
-}
-
-# >0  string,=drpm (len=4), ["Delta RPM"], swap_endian=0
-signature file-magic-auto352 {
-	file-mime "application/x-rpm", 70
-	file-magic /(drpm)/
-}
-
-# >0  belong&,=-307499301 (0xedabeedb), ["RPM"], swap_endian=0
-signature file-magic-auto353 {
-	file-mime "application/x-rpm", 70
-	file-magic /(\xed\xab\xee\xdb)/
-}
-
 # >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
 # >>8  string,=WAVE (len=4), [", WAVE audio"], swap_endian=0
 signature file-magic-auto354 {
@@ -2150,20 +1263,6 @@ signature file-magic-auto354 {
 	file-magic /(RIFF)(.{4})(WAVE)/
 }
 
-# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
-# >>8  string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0
-signature file-magic-auto355 {
-	file-mime "image/x-coreldraw", 70
-	file-magic /(RIFF)(.{4})(CDRA)/
-}
-
-# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
-# >>8  string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0
-signature file-magic-auto356 {
-	file-mime "image/x-coreldraw", 70
-	file-magic /(RIFF)(.{4})(CDR6)/
-}
-
 # >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
 # >>8  string,=AVI  (len=4), [", AVI"], swap_endian=0
 signature file-magic-auto357 {
@@ -2290,36 +1389,12 @@ signature file-magic-auto381 {
 	file-magic /(\x3cMML)/
 }
 
-# >0  lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0
-signature file-magic-auto382 {
-	file-mime "application/x-lz4", 70
-	file-magic /(\x02\x21\x4c\x18)/
-}
-
-# >0  lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0
-signature file-magic-auto383 {
-	file-mime "application/x-lz4", 70
-	file-magic /(\x04\x22\x4d\x18)/
-}
-
-# >0  string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0
-# >>5  byte&,x, [".%d"], swap_endian=0
-signature file-magic-auto384 {
-	file-mime "application/x-lrzip", 1
-	file-magic /(LRZI)(.{1})(.{1})/
-}
-
 # >0  string,=OggS (len=4), ["Ogg data"], swap_endian=0
 signature file-magic-auto385 {
 	file-mime "application/ogg", 70
 	file-magic /(OggS)/
 }
 
-# >0  string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0
-signature file-magic-auto386 {
-	file-mime "application/x-lzip", 70
-	file-magic /(LZIP)/
-}
 
 # >0  belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
 # >>4  byte&,x, ["%d"], swap_endian=0
@@ -2335,13 +1410,6 @@ signature file-magic-auto388 {
 	file-magic /(\xca\xfe\xd0\x0d)(.{1})/
 }
 
-# >0  regex,=^( |\t){0,50}def {1,50}[a-zA-Z]{1,100} (len=38), [""], swap_endian=0
-# >>&0  regex,= {0,50}\(([a-zA-Z]|,| ){1,500}\):$ (len=34), ["Python script text executable"], swap_endian=0
-signature file-magic-auto389 {
-	file-mime "text/x-python", 64
-	file-magic /(.*)(( |\t){0,50}def {1,50}[a-zA-Z]{1,100})( {0,50}\(([a-zA-Z]|,| ){1,500}\):$)/
-}
-
 # >0  search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
 signature file-magic-auto390 {
 	file-mime "text/x-tex", 62
@@ -2383,56 +1451,12 @@ signature file-magic-auto395 {
 	file-magic /(DOC)(.{40})([\x16])/
 }
 
-# >0  search/w/1,=#! /usr/local/bin/php (len=21), ["PHP script text executable"], swap_endian=0
-signature file-magic-auto396 {
-	file-mime "text/x-php", 61
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fphp)/
-}
-
-# >0  search/1,=eval '(exit $?0)' && eval 'exec (len=31), ["Perl script text"], swap_endian=0
-signature file-magic-auto397 {
-	file-mime "text/x-perl", 61
-	file-magic /(.*)(eval \x27\x28exit \x24\x3f0\x29\x27 \x26\x26 eval \x27exec)/
-}
-
-# >0  regex,=^[ \t]*require[ \t]'[A-Za-z_/]+' (len=30), [""], swap_endian=0
-# >>0  regex,=include [A-Z]|def [a-z]| do$ (len=28), [""], swap_endian=0
-# >>>0  regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby script text"], swap_endian=0
-signature file-magic-auto398 {
-	file-mime "text/x-ruby", 54
-	file-magic /(.*)([ \x09]*require[ \x09]'[A-Za-z_\x2f]+')(include [A-Z]|def [a-z]| do$)(^[ \x09]*end([ \x09]*[;#].*)?$)/
-}
-
-# >0  search/1,=eval "exec /usr/local/bin/perl (len=30), ["Perl script text"], swap_endian=0
-signature file-magic-auto399 {
-	file-mime "text/x-perl", 60
-	file-magic /(.*)(eval \x22exec \x2fusr\x2flocal\x2fbin\x2fperl)/
-}
-
-# >0  string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0
-signature file-magic-auto400 {
-	file-mime "video/x-flv", 60
-	file-magic /(FLV)/
-}
-
 # >0  string,=MP+ (len=3), ["Musepack audio"], swap_endian=0
 signature file-magic-auto401 {
 	file-mime "audio/x-musepack", 60
 	file-magic /(MP\x2b)/
 }
 
-# >0  string,=PBF (len=3), ["PBF image (deflate compression)"], swap_endian=0
-signature file-magic-auto402 {
-	file-mime "image/x-unknown", 60
-	file-magic /(PBF)/
-}
-
-# >0  string,=SBI (len=3), ["SoundBlaster instrument data"], swap_endian=0
-signature file-magic-auto403 {
-	file-mime "audio/x-unknown", 60
-	file-magic /(SBI)/
-}
-
 # >0  string,=\004%! (len=3), ["PostScript document text"], swap_endian=0
 signature file-magic-auto405 {
 	file-mime "application/postscript", 60
@@ -2445,32 +1469,12 @@ signature file-magic-auto406 {
 	file-magic /(BZh)/
 }
 
-# >0  regex,=^[ \t]*(class|module)[ \t][A-Z] (len=29), [""], swap_endian=0
-# >>0  regex,=(modul|includ)e [A-Z]|def [a-z] (len=31), [""], swap_endian=0
-# >>>0  regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby module source text"], swap_endian=0
-signature file-magic-auto407 {
-	file-mime "text/x-ruby", 54
-	file-magic /(.*)([ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/
-}
-
-# >0  regex/20,=^\.[A-Za-z0-9][A-Za-z0-9][ \t] (len=29), ["troff or preprocessor input text"], swap_endian=0
-#signature file-magic-auto411 {
-#	file-mime "text/troff", 59
-#	file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/
-#}
-
 # >0  search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0
 signature file-magic-auto412 {
 	file-mime "text/x-tex", 59
 	file-magic /(.*)(\x5cdocumentclass)/
 }
 
-# >0  regex,=^from\s+(\w|\.)+\s+import.*$ (len=28), ["Python script text executable"], swap_endian=0
-signature file-magic-auto413 {
-	file-mime "text/x-python", 58
-	file-magic /(.*)(from\s+(\w|\.)+\s+import.*$)/
-}
-
 # >0  search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0
 signature file-magic-auto414 {
 	file-mime "text/x-tex", 58
@@ -2489,117 +1493,30 @@ signature file-magic-auto416 {
 	file-magic /(.*)(\x5csection)/
 }
 
-# >0  regex/20,=^\.[A-Za-z0-9][A-Za-z0-9]$ (len=26), ["troff or preprocessor input text"], swap_endian=0
-#signature file-magic-auto417 {
-#	file-mime "text/troff", 56
-#	file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/
-#}
-
-# >0  search/w/1,=#! /usr/bin/php (len=15), ["PHP script text executable"], swap_endian=0
-signature file-magic-auto418 {
-	file-mime "text/x-php", 55
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fphp)/
-}
-
 # >0  search/4096,=\setlength (len=10), ["LaTeX document text"], swap_endian=0
 signature file-magic-auto419 {
 	file-mime "text/x-tex", 55
 	file-magic /(.*)(\x5csetlength)/
 }
 
-# >0  search/1,=eval "exec /usr/bin/perl (len=24), ["Perl script text"], swap_endian=0
-signature file-magic-auto420 {
-	file-mime "text/x-perl", 54
-	file-magic /(.*)(eval \x22exec \x2fusr\x2fbin\x2fperl)/
-}
-
 # >0  search/1,=Common subdirectories:  (len=23), ["diff output text"], swap_endian=0
 signature file-magic-auto422 {
 	file-mime "text/x-diff", 53
 	file-magic /(.*)(Common subdirectories\x3a )/
 }
 
-# >0  search/w/1,=#! /usr/local/bin/wish (len=22), ["Tcl/Tk script text executable"], swap_endian=0
-signature file-magic-auto425 {
-	file-mime "text/x-tcl", 52
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fwish)/
-}
-
 # >0  search/4096,=(custom-set-variables  (len=22), ["Lisp/Scheme program text"], swap_endian=0
 signature file-magic-auto426 {
 	file-mime "text/x-lisp", 52
 	file-magic /(.*)(\x28custom\x2dset\x2dvariables )/
 }
 
-# >0  beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0
-signature file-magic-auto427 {
-	file-mime "image/jpeg", 52
-	file-magic /(\xff\xd8)/
-}
-
-# >0  search/1,=#!/usr/bin/env nodejs (len=21), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto429 {
-	file-mime "application/javascript", 51
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv nodejs)/
-}
-
-# >0  search/w/1,=#! /usr/local/bin/tcl (len=21), ["Tcl script text executable"], swap_endian=0
-signature file-magic-auto430 {
-	file-mime "text/x-tcl", 51
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcl)/
-}
-
-# This didn't autogenerate well due to indirect offset, bitmasking, and
-# relational comparisons.
-# >0  leshort&fffffffffffffefe,=0 (0x0000), [""], swap_endian=0
-# >>4  ulelong&fcfffe00,=0 (0x00000000), [""], swap_endian=0
-# >>>68  ulelong&,>87 (0x00000057), [""], swap_endian=0
-# >>>>68 (lelong,-1), ubelong&ffe0c519,=4194328 (0x00400018), ["Windows Precompiled iNF"], swap_endian=0
-#signature file-magic-auto431 {
-#	file-mime "application/x-pnf", 70
-#	file-magic /(.{2})(.{2})(.{4})(.{60})(.{4})(.{4})/
-#}
-
-# >0  search/w/1,=#! /usr/local/bin/lua (len=21), ["Lua script text executable"], swap_endian=0
-signature file-magic-auto432 {
-	file-mime "text/x-lua", 51
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2flua)/
-}
-
 # >0  string/b,=MZ (len=2), [""], swap_endian=0
 signature file-magic-auto433 {
 	file-mime "application/x-dosexec", 51
 	file-magic /(MZ)/
 }
 
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>30  string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0
-signature file-magic-auto434 {
-	file-mime "application/zip", 340
-	file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/
-}
-
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>30  string,=PKLITE Copr. (len=12), ["Self-extracting PKZIP archive"], swap_endian=0
-signature file-magic-auto435 {
-	file-mime "application/zip", 150
-	file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/
-}
-
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>36  string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
-signature file-magic-auto436 {
-	file-mime "application/x-lha", 120
-	file-magic /(MZ)(.{34})(LHa\x27s SFX)/
-}
-
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>36  string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
-signature file-magic-auto437 {
-	file-mime "application/x-lha", 120
-	file-magic /(MZ)(.{34})(LHA\x27s SFX)/
-}
-
 # >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
 # >>2  byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1,  32 kbps"], swap_endian=0
 signature file-magic-auto438 {
@@ -2698,64 +1615,6 @@ signature file-magic-auto451 {
 	file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/
 }
 
-# >4  leshort&,=-20719 (0xaf11), [""], swap_endian=0
-# >>8  leshort&,=320 (0x0140), [""], swap_endian=0
-# >>>10  leshort&,=200 (0x00c8), [""], swap_endian=0
-# >>>>12  leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0
-signature file-magic-auto452 {
-	file-mime "video/x-fli", 50
-	file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/
-}
-
-# >4  leshort&,=-20718 (0xaf12), [""], swap_endian=0
-# >>12  leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0
-signature file-magic-auto453 {
-	file-mime "video/x-flc", 50
-	file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/
-}
-
-# >0  string,=BM (len=2), [""], swap_endian=0
-# >>14  leshort&,=12 (0x000c), ["PC bitmap, OS/2 1.x format"], swap_endian=0
-signature file-magic-auto454 {
-	file-mime "image/x-ms-bmp", 50
-	file-magic /(BM)(.{12})(\x0c\x00)/
-}
-
-# >0  string,=BM (len=2), [""], swap_endian=0
-# >>14  leshort&,=64 (0x0040), ["PC bitmap, OS/2 2.x format"], swap_endian=0
-signature file-magic-auto455 {
-	file-mime "image/x-ms-bmp", 50
-	file-magic /(BM)(.{12})(\x40\x00)/
-}
-
-# >0  string,=BM (len=2), [""], swap_endian=0
-# >>14  leshort&,=40 (0x0028), ["PC bitmap, Windows 3.x format"], swap_endian=0
-signature file-magic-auto456 {
-	file-mime "image/x-ms-bmp", 50
-	file-magic /(BM)(.{12})(\x28\x00)/
-}
-
-# >0  string,=BM (len=2), [""], swap_endian=0
-# >>14  leshort&,=124 (0x007c), ["PC bitmap, Windows 98/2000 and newer format"], swap_endian=0
-signature file-magic-auto457 {
-	file-mime "image/x-ms-bmp", 50
-	file-magic /(BM)(.{12})(\x7c\x00)/
-}
-
-# >0  string,=BM (len=2), [""], swap_endian=0
-# >>14  leshort&,=108 (0x006c), ["PC bitmap, Windows 95/NT4 and newer format"], swap_endian=0
-signature file-magic-auto458 {
-	file-mime "image/x-ms-bmp", 50
-	file-magic /(BM)(.{12})(\x6c\x00)/
-}
-
-# >0  string,=BM (len=2), [""], swap_endian=0
-# >>14  leshort&,=128 (0x0080), ["PC bitmap, Windows NT/2000 format"], swap_endian=0
-signature file-magic-auto459 {
-	file-mime "image/x-ms-bmp", 50
-	file-magic /(BM)(.{12})(\x80\x00)/
-}
-
 # >20  string,=45 (len=2), [""], swap_endian=0
 # >>0  regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0
 signature file-magic-auto460 {
@@ -2786,37 +1645,7 @@ signature file-magic-auto463 {
 # >0  search/4096,=\begin (len=6), ["LaTeX document text"], swap_endian=0
 signature file-magic-auto464 {
 	file-mime "text/x-tex", 51
-	file-magic /(.*)(\x5cbegin)/
-}
-
-# >0  search/4096,=\input (len=6), ["TeX document text"], swap_endian=0
-signature file-magic-auto465 {
-	file-mime "text/x-tex", 51
-	file-magic /(.*)(\x5cinput)/
-}
-
-# >0  leshort&,=-24712 (0x9f78), ["TNEF"], swap_endian=0
-signature file-magic-auto466 {
-	file-mime "application/vnd.ms-tnef", 50
-	file-magic /(\x78\x9f)/
-}
-
-# >0  leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0
-signature file-magic-auto467 {
-	file-mime "application/x-arj", 50
-	file-magic /(\x60\xea)/
-}
-
-# >0  search/1,=eval "exec /bin/perl (len=20), ["Perl script text"], swap_endian=0
-signature file-magic-auto468 {
-	file-mime "text/x-perl", 50
-	file-magic /(.*)(eval \x22exec \x2fbin\x2fperl)/
-}
-
-# >0  search/1,=#! /usr/bin/env perl (len=20), ["Perl script text executable"], swap_endian=0
-signature file-magic-auto469 {
-	file-mime "text/x-perl", 50
-	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv perl)/
+	file-magic /.*\x5c(input|begin)/
 }
 
 # >0  beshort&,=-26368 (0x9900), ["PGP key public ring"], swap_endian=0
@@ -2869,42 +1698,6 @@ signature file-magic-auto478 {
 	file-magic /((^[0-9]{5})[acdn][w])((^.{21})([^0]{2}))/
 }
 
-# >0  short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0
-signature file-magic-auto479 {
-	file-mime "application/x-cpio", 50
-	file-magic /((\x71\xc7)|(\xc7\x71))/
-}
-
-# >0  short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0
-signature file-magic-auto480 {
-	file-mime "application/x-cpio", 50
-	file-magic /((\xc7\x71)|(\x71\xc7))/
-}
-
-# >0  string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0
-#signature file-magic-auto481 {
-#	file-mime "application/x-elc", 50
-#	file-magic /(\x0a\x28)/
-#}
-
-# >0  string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0
-signature file-magic-auto482 {
-	file-mime "image/x-award-bioslogo", 50
-	file-magic /(\x11\x09)/
-}
-
-# >0  string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0
-signature file-magic-auto483 {
-	file-mime "image/x-award-bioslogo", 50
-	file-magic /(\x11\x06)/
-}
-
-# >0  string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0
-signature file-magic-auto484 {
-	file-mime "image/x-portable-pixmap", 50
-	file-magic /(P7)/
-}
-
 # >0  beshort&ffffffffffffffe0,=22240 (0x56e0), ["MPEG-4 LOAS"], swap_endian=0
 signature file-magic-auto485 {
 	file-mime "audio/x-mp4a-latm", 50
@@ -2941,12 +1734,6 @@ signature file-magic-auto490 {
 	file-magic /(\xff[\xfc\xfd])/
 }
 
-# >0  search/1,=#! /usr/bin/env wish (len=20), ["Tcl/Tk script text executable"], swap_endian=0
-signature file-magic-auto491 {
-	file-mime "text/x-tcl", 50
-	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv wish)/
-}
-
 # >0  beshort&,=-26367 (0x9901), ["GPG key public ring"], swap_endian=0
 signature file-magic-auto492 {
 	file-mime "application/x-gnupg-keyring", 50
@@ -2959,79 +1746,12 @@ signature file-magic-auto493 {
 	file-magic /(\xf7\x02)/
 }
 
-## >2  string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0
-#signature file-magic-auto494 {
-#	file-mime "application/x-tex-tfm", 50
-#	file-magic /(.{2})(\x00\x11)/
-#}
-#
-## >2  string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0
-#signature file-magic-auto495 {
-#	file-mime "application/x-tex-tfm", 50
-#	file-magic /(.{2})(\x00\x12)/
-#}
-
 # >0  beshort&,=-31486 (0x8502), ["GPG encrypted data"], swap_endian=0
 signature file-magic-auto496 {
 	file-mime "text/PGP", 50
 	file-magic /(\x85\x02)/
 }
 
-# >4  string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0
-signature file-magic-auto497 {
-	file-mime "image/jp2", 50
-	file-magic /(.{4})(jP)/
-}
-
-# Not specific enough.
-# >0  regex,=^template[ \t\n]+ (len=15), ["C++ source text"], swap_endian=0
-#signature file-magic-auto498 {
-#	file-mime "text/x-c++", 50
-#	file-magic /(.*)(template[ \x09\x0a]+)/
-#}
-
-# >0  search/c/1,=<?php (len=5), ["PHP script text"], swap_endian=0
-signature file-magic-auto499 {
-	file-mime "text/x-php", 50
-	file-magic /(.*)(\x3c\x3f[pP][hH][pP])/
-}
-
-# >0  string,=\037\235 (len=2), ["compress'd data"], swap_endian=0
-signature file-magic-auto500 {
-	file-mime "application/x-compress", 50
-	file-magic /(\x1f\x9d)/
-}
-
-# >0  string,=\037\036 (len=2), ["packed data"], swap_endian=0
-#signature file-magic-auto501 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /(\x1f\x1e)/
-#}
-
-# >0  short&,=7967 (0x1f1f), ["old packed data"], swap_endian=0
-#signature file-magic-auto502 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /((\x1f\x1f)|(\x1f\x1f))/
-#}
-
-# >0  short&,=8191 (0x1fff), ["compacted data"], swap_endian=0
-#signature file-magic-auto503 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /((\xff\x1f)|(\x1f\xff))/
-#}
-
-# >0  string,=\377\037 (len=2), ["compacted data"], swap_endian=0
-#signature file-magic-auto504 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /(\xff\x1f)/
-#}
-
-# >0  short&,=-13563 (0xcb05), ["huf output"], swap_endian=0
-#signature file-magic-auto505 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /((\x05\xcb)|(\xcb\x05))/
-#}
-
 # >34  string,=LP (len=2), ["Embedded OpenType (EOT)"], swap_endian=0
 signature file-magic-auto506 {
 	file-mime "application/vnd.ms-fontobject", 50
@@ -3044,130 +1764,12 @@ signature file-magic-auto507 {
 	file-magic /(\x0b\x77)/
 }
 
-# >0  search/1,=#!/usr/bin/env node (len=19), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto508 {
-	file-mime "application/javascript", 49
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv node)/
-}
-
-# >0  search/1,=#!/usr/bin/env wish (len=19), ["Tcl/Tk script text executable"], swap_endian=0
-signature file-magic-auto509 {
-	file-mime "text/x-tcl", 49
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv wish)/
-}
-
-# >0  regex,=^[ \t]{0,50}\.asciiz (len=19), ["assembler source text"], swap_endian=0
-signature file-magic-auto510 {
-	file-mime "text/x-asm", 49
-	file-magic /(^[ \x09]{0,50}\.(asciiz|asciz|section|globl|align|even|byte|file|type))/
-}
-
-# >0  regex,=^[ \t]{0,50}\.globl (len=18), ["assembler source text"], swap_endian=0
-#signature file-magic-auto517 {
-#	file-mime "text/x-asm", 48
-#	file-magic /(^[ \x09]{0,50}\.globl)/
-#}
-
-# >0  regex,=^[ \t]{0,50}\.text (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto523 {
-#	file-mime "text/x-asm", 47
-#	file-magic /(^[ \x09]{0,50}\.text)/
-#}
-
-# >0  regex,=^[ \t]{0,50}\.even (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto524 {
-#	file-mime "text/x-asm", 47
-#	file-magic /(^[ \x09]{0,50}\.even)/
-#}
-
-# >0  regex,=^[ \t]{0,50}\.byte (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto525 {
-#	file-mime "text/x-asm", 47
-#	file-magic /(^[ \x09]{0,50}\.byte)/
-#}
-
-# >0  regex,=^[ \t]{0,50}\.file (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto526 {
-#	file-mime "text/x-asm", 47
-#	file-magic /(^[ \x09]{0,50}\.file)/
-#}
-
-# >0  regex,=^[ \t]{0,50}\.type (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto527 {
-#	file-mime "text/x-asm", 47
-#	file-magic /(^[ \x09]{0,50}\.type)/
-#}
-
-
-# >0  search/1,=#!/usr/bin/env perl (len=19), ["Perl script text executable"], swap_endian=0
-signature file-magic-auto511 {
-	file-mime "text/x-perl", 49
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv perl)/
-}
-
-# >0  search/Wct/4096,=<!doctype html (len=14), ["HTML document text"], swap_endian=0
-signature file-magic-auto512 {
-	file-mime "text/html", 49
-	file-magic /(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
-}
-
-# This doesn't seem specific enough.
-# >0  regex,=^virtual[ \t\n]+ (len=14), ["C++ source text"], swap_endian=0
-#signature file-magic-auto513 {
-#	file-mime "text/x-c++", 49
-#	file-magic /(.*)(virtual[ \x09\x0a]+)/
-#}
-
-# >0  search/1,=#! /usr/bin/env lua (len=19), ["Lua script text executable"], swap_endian=0
-signature file-magic-auto514 {
-	file-mime "text/x-lua", 49
-	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv lua)/
-}
-
-# >0  search/1,=#! /usr/bin/env tcl (len=19), ["Tcl script text executable"], swap_endian=0
-signature file-magic-auto516 {
-	file-mime "text/x-tcl", 49
-	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv tcl)/
-}
-# >0  search/1,=#!/usr/bin/env tcl (len=18), ["Tcl script text executable"], swap_endian=0
-signature file-magic-auto518 {
-	file-mime "text/x-tcl", 48
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv tcl)/
-}
-
-# >0  search/1,=#!/usr/bin/env lua (len=18), ["Lua script text executable"], swap_endian=0
-signature file-magic-auto519 {
-	file-mime "text/x-lua", 48
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv lua)/
-}
-
-# >0  search/w/1,=#!/usr/bin/nodejs (len=17), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto521 {
-	file-mime "application/javascript", 47
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnodejs)/
-}
-
-# >0  regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0
-#signature file-magic-auto522 {
-#	file-mime "text/x-c++", 47
-#	file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/
-#}
-
 # >0  search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0
 signature file-magic-auto528 {
 	file-mime "text/x-info", 47
 	file-magic /(.*)(This is Info file)/
 }
 
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0
-# >>>>&0  ubyte&,=0x5b, ["INItialization configuration"], swap_endian=0
-signature file-magic-auto529 {
-	file-mime "application/x-wine-extension-ini", 40
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([aA][uU][tT][oO][rR][uU][nN])]\x0d\x0a)([\x5b])/
-}
-
 # >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
 # >>&0  search/8192,=[ (len=1), [""], swap_endian=0
 # >>>&0  regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0
@@ -3185,70 +1787,6 @@ signature file-magic-auto531 {
 	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([vV][eE][rR][sS][iI][oO][nN]|[sS][tT][rR][iI][nN][gG][sS])])/
 }
 
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(WinsockCRCList|OEMCPL)] (len=25), ["Windows setup INFormation"], swap_endian=0
-signature file-magic-auto532 {
-	file-mime "text/inf", 55
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] (len=51), ["Windows desktop.ini"], swap_endian=0
-signature file-magic-auto533 {
-	file-mime "application/x-wine-extension-ini", 81
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^(.[Ss][hH][eE][lL][lL][Cc][lL][aA][sS][sS][Ii][nN][fF][oO]|[Dd][eE][lL][eE][tT][eE][Oo][nN][Cc][oO][pP][yY]|[Ll][oO][cC][aA][lL][iI][zZ][eE][dD][Ff][iI][lL][eE][Nn][aA][mM][eE][sS])])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(don't load)] (len=14), ["Windows CONTROL.INI"], swap_endian=0
-signature file-magic-auto534 {
-	file-mime "application/x-wine-extension-ini", 44
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([dD][oO][nN]'[tT] [lL][oO][aA][dD])])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(ndishlp\$|protman\$|NETBEUI\$)] (len=33), ["Windows PROTOCOL.INI"], swap_endian=0
-signature file-magic-auto535 {
-	file-mime "application/x-wine-extension-ini", 63
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([nN][dD][iI][sS][hH][lL][pP]\$|[pP][rR][oO][tT][mM][aA][nN]\$|[Nn][Ee][Tt][Bb][Ee][Uu][Ii]\$)])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(windows|Compatibility|embedding)] (len=35), ["Windows WIN.INI"], swap_endian=0
-signature file-magic-auto536 {
-	file-mime "application/x-wine-extension-ini", 65
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([wW][iI][nN][dD][oO][wW][sS]|[Cc][oO][mM][pP][aA][tT][iI][bB][iI][lL][iI][tT][yY]|[eE][mM][bB][eE][dD][dD][iI][nN][gG])])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(boot|386enh|drivers)] (len=23), ["Windows SYSTEM.INI"], swap_endian=0
-signature file-magic-auto537 {
-	file-mime "application/x-wine-extension-ini", 53
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT]|386[eE][nN][hH]|[dD][rR][iI][vV][eE][rR][sS])])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(SafeList)] (len=12), ["Windows IOS.INI"], swap_endian=0
-signature file-magic-auto538 {
-	file-mime "application/x-wine-extension-ini", 42
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ss][aA][fF][eE][Ll][iI][sS][tT])])/
-}
-
-# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0  regex/c,=^(boot loader)] (len=15), ["Windows boot.ini"], swap_endian=0
-signature file-magic-auto539 {
-	file-mime "application/x-wine-extension-ini", 45
-	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT] [lL][oO][aA][dD][eE][rR])])/
-}
-
 # >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
 # >>&0  search/8192,=[ (len=1), [""], swap_endian=0
 # >>>&0  ubequad&ffdfffdfffdfffdf,=24207144355233875 (0x0056004500520053), [""], swap_endian=0
@@ -3288,138 +1826,26 @@ signature file-magic-auto543 {
 	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(.*)(\x5b)(\x00[\x56\x76]\x00[\x45\x65]\x00[\x52\x72]\x00[\x53\x73])(\x00[\x49\x69]\x00[\x4f\x6f]\x00[\x4e\x6e]\x00\x5d)/
 }
 
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(WinsockCRCList|OEMCPL)] (len=25), ["Windows setup INFormation"], swap_endian=0
+signature file-magic-auto532 {
+	file-mime "text/inf", 55
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/
+}
+
 # >0  search/1,=<MakerDictionary (len=16), ["FrameMaker Dictionary text"], swap_endian=0
 signature file-magic-auto544 {
 	file-mime "application/x-mif", 46
 	file-magic /(.*)(\x3cMakerDictionary)/
 }
 
-# >0  search/w/1,=#! /usr/bin/wish (len=16), ["Tcl/Tk script text executable"], swap_endian=0
-signature file-magic-auto545 {
-	file-mime "text/x-tcl", 46
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fwish)/
-}
-
-# >0  search/w/1,=#! /usr/bin/lua (len=15), ["Lua script text executable"], swap_endian=0
-signature file-magic-auto547 {
-	file-mime "text/x-lua", 45
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2flua)/
-}
-
-# >0  search/w/1,=#! /usr/bin/tcl (len=15), ["Tcl script text executable"], swap_endian=0
-signature file-magic-auto548 {
-	file-mime "text/x-tcl", 45
-	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2ftcl)/
-}
-
-# >0  search/wct/4096,=<head (len=5), ["HTML document text"], swap_endian=0
-signature file-magic-auto549 {
-	file-mime "text/html", 45
-	file-magic /(.*)(\x3c[hH][eE][aA][dD])/
-}
-
-# >0  search/wct/4096,=<html (len=5), ["HTML document text"], swap_endian=0
-signature file-magic-auto550 {
-	file-mime "text/html", 45
-	file-magic /(.*)(\x3c[hH][tT][mM][lL])/
-}
-
-# >0  search/w/1,=#!/usr/bin/node (len=15), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto551 {
-	file-mime "application/javascript", 45
-	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnode)/
-}
-
-# >0  search/wct/1,=<?xml (len=5), ["XML document text"], swap_endian=0
-signature file-magic-auto552 {
-	file-mime "application/xml", 45
-	file-magic /(.*)(\x3c\x3f[xX][mM][lL])/
-}
-
-# >0  search/1,=\input texinfo (len=14), ["Texinfo source text"], swap_endian=0
-signature file-magic-auto553 {
-	file-mime "text/x-texinfo", 44
-	file-magic /(.*)(\x5cinput texinfo)/
-}
-
-# Not specific enough.
-# >0  regex,=^private: (len=9), ["C++ source text"], swap_endian=0
-#signature file-magic-auto554 {
-#	file-mime "text/x-c++", 44
-#	file-magic /(.*)(private:)/
-#}
-
-# >0  search/4096,=def __init__ (len=12), [""], swap_endian=0
-# >>&0  search/64,=self (len=4), ["Python script text executable"], swap_endian=0
-signature file-magic-auto555 {
-	file-mime "text/x-python", 38
-	file-magic /(.*)(def \x5f\x5finit\x5f\x5f)(.*)(self)/
-}
-
-# >0  search/wct/4096,=<a href= (len=8), ["HTML document text"], swap_endian=0
-signature file-magic-auto556 {
-	file-mime "text/html", 43
-	file-magic /(.*)(\x3c[aA] ?[hH][rR][eE][fF]\x3d)/
-}
-
-# >0  regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0
-#signature file-magic-auto557 {
-#	file-mime "text/x-c", 43
-#	file-magic /(.*)(extern[ \x09\x0a]+)/
-#}
-
 # >0  search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
 signature file-magic-auto558 {
 	file-mime "text/x-tex", 43
 	file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/
 }
 
-# Doesn't seem specific enough.
-# >0  regex,=^double[ \t\n]+ (len=13), ["C source text"], swap_endian=0
-#signature file-magic-auto559 {
-#	file-mime "text/x-c", 43
-#	file-magic /(^double[ \x09\x0a]+)/
-#}
-
-# >0  regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0
-#signature file-magic-auto560 {
-#	file-mime "text/x-c", 43
-#	file-magic /(.*)(struct[ \x09\x0a]+)/
-#}
-
-# >0  search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto561 {
-	file-mime "application/javascript", 43
-	file-magic /(.*)(\x23\x21\x2fbin\x2fnodejs)/
-}
-
-# Not specific enough.
-# >0  regex,=^public: (len=8), ["C++ source text"], swap_endian=0
-#signature file-magic-auto562 {
-#	file-mime "text/x-c++", 43
-#	file-magic /(.*)(public:)/
-#}
-
-# >0  search/wct/4096,=<script (len=7), ["HTML document text"], swap_endian=0
-signature file-magic-auto563 {
-	file-mime "text/html", 42
-	file-magic /(.*)(\x3c[sS][cC][rR][iI][pP][tT])/
-}
-
-# Doesn't seem specific enough.
-# >0  regex,=^float[ \t\n]+ (len=12), ["C source text"], swap_endian=0
-#signature file-magic-auto564 {
-#	file-mime "text/x-c", 42
-#	file-magic /(^float[ \x09\x0a]+)/
-#}
-
-# Doesn't seem specific enough.
-# >0  regex,=^union[ \t\n]+ (len=12), ["C source text"], swap_endian=0
-#signature file-magic-auto565 {
-#	file-mime "text/x-c", 42
-#	file-magic /(^union[ \x09\x0a]+)/
-#}
-
 # The use of non-sequential offsets and relational operations made the
 # autogenerated signature incorrrect.
 # >0  belong&,>100 (0x00000064), [""], swap_endian=0
@@ -3431,31 +1857,6 @@ signature file-magic-auto563 {
 #	file-magic /(.{4})(.{4})(.{4})(.{4})(.*)(\x00\x00\x00\x07)/
 #}
 
-# >0  search/wct/4096,=<title (len=6), ["HTML document text"], swap_endian=0
-signature file-magic-auto567 {
-	file-mime "text/html", 41
-	file-magic /(.*)(\x3c[tT][iI][tT][lL][eE])/
-}
-
-# >0  regex,=^char[ \t\n]+ (len=11), ["C source text"], swap_endian=0
-#signature file-magic-auto568 {
-#	file-mime "text/x-c", 41
-#	file-magic /(.*)(char[ \x09\x0a]+)/
-#}
-
-# >0  search/1,=#! (len=2), [""], swap_endian=0
-# >>0  regex,=^#!.*/bin/perl$ (len=15), ["Perl script text executable"], swap_endian=0
-signature file-magic-auto569 {
-	file-mime "text/x-perl", 45
-	file-magic /(^#!.*\x2fbin\x2fperl$)/
-}
-
-# >0  search/w/1,=#!/bin/node (len=11), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto570 {
-	file-mime "application/javascript", 41
-	file-magic /(.*)(\x23\x21\x2fbin\x2fnode)/
-}
-
 # Too much use of bitmasking and relational comparisons and non-sequential
 # offsets for this to be autogenerated.  (Also, the depth isn't displayed
 # correctly in the debug output below: it reached a depth that exceeded
@@ -3477,12 +1878,6 @@ signature file-magic-auto570 {
 #	file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])(.*)([\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{26})([\x00])(.*)(.{4})(.*)(.{4})(.*)(.{4})(.{12})([\x00\x01\x02\x03\x04\x05\x06\x07])(.*)(.{2})(.{22})([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
 #}
 
-# >0  search/wct/4096,=<table (len=6), ["HTML document text"], swap_endian=0
-signature file-magic-auto572 {
-	file-mime "text/html", 41
-	file-magic /(.*)(\x3c[tT][aA][bB][lL][eE])/
-}
-
 # >0  string/t,=@ (len=1), [""], swap_endian=0
 # >>1  string/Wc,= echo off (len=9), ["DOS batch file text"], swap_endian=0
 signature file-magic-auto573 {
@@ -3511,31 +1906,12 @@ signature file-magic-auto576 {
 	file-magic /(\x40)([sS][eE][tT] {1,})/
 }
 
-# >0  search/wct/4096,=<style (len=6), ["HTML document text"], swap_endian=0
-signature file-magic-auto577 {
-	file-mime "text/html", 41
-	file-magic /(.*)(\x3c[sS][tT][yY][lL][eE])/
-}
-
 # >0  regex,=^dnl  (len=5), ["M4 macro processor script text"], swap_endian=0
 signature file-magic-auto578 {
 	file-mime "text/x-m4", 40
 	file-magic /(^dnl )/
 }
 
-# >0  search/8192,=main( (len=5), ["C source text"], swap_endian=0
-#signature file-magic-auto581 {
-#	file-mime "text/x-c", 40
-#	file-magic /(.*)(main\x28)/
-#}
-
-# Not specific enough.
-# >0  search/1,=\" (len=2), ["troff or preprocessor input text"], swap_endian=0
-#signature file-magic-auto582 {
-#	file-mime "text/troff", 40
-#	file-magic /(.*)(\x5c\x22)/
-#}
-
 # >0  search/4096,=(defparam  (len=10), ["Lisp/Scheme program text"], swap_endian=0
 signature file-magic-auto583 {
 	file-mime "text/x-lisp", 40
@@ -3548,31 +1924,6 @@ signature file-magic-auto584 {
 	file-magic /(.*)(\x28autoload )/
 }
 
-#This signature seems too generic.
-# >0  search/1,=diff  (len=5), ["diff output text"], swap_endian=0
-#signature file-magic-auto585 {
-#	file-mime "text/x-diff", 40
-#	file-magic /(.*)(diff )/
-#}
-
-# >0  regex,=^#include (len=9), ["C source text"], swap_endian=0
-#signature file-magic-auto586 {
-#	file-mime "text/x-c", 39
-#	file-magic /(.*)(#include)/
-#}
-
-# >0  search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0
-#signature file-magic-auto587 {
-#	file-mime "text/troff", 39
-#	file-magic /(.*)(\x2e\x5c\x22)/
-#}
-
-# >0  search/1,='\" (len=3), ["troff or preprocessor input text"], swap_endian=0
-#signature file-magic-auto588 {
-#	file-mime "text/troff", 39
-#	file-magic /(.*)(\x27\x5c\x22)/
-#}
-
 # >0  search/1,=<TeXmacs| (len=9), ["TeXmacs document text"], swap_endian=0
 signature file-magic-auto589 {
 	file-mime "text/texmacs", 39
@@ -3585,38 +1936,6 @@ signature file-magic-auto590 {
 	file-magic /(.*)(\x2f\x2a XPM \x2a\x2f)/
 }
 
-# >0  search/1,=<?\n (len=3), ["PHP script text"], swap_endian=0
-signature file-magic-auto591 {
-	file-mime "text/x-php", 39
-	file-magic /(.*)(\x3c\x3f\x0a)/
-}
-
-# >0  search/1,=<?\r (len=3), ["PHP script text"], swap_endian=0
-signature file-magic-auto592 {
-	file-mime "text/x-php", 39
-	file-magic /(.*)(\x3c\x3f\x0d)/
-}
-
-# >0  search/1,=''' (len=3), ["troff or preprocessor input text"], swap_endian=0
-#signature file-magic-auto593 {
-#	file-mime "text/troff", 39
-#	file-magic /(.*)(\x27\x27\x27)/
-#}
-
-# >0  search/4096,=try: (len=4), [""], swap_endian=0
-# >>&0  regex,=^\s*except.*: (len=13), ["Python script text executable"], swap_endian=0
-signature file-magic-auto594 {
-	file-mime "text/x-python", 43
-	file-magic /(.*)(try\x3a)(^\s*except.*:)/
-}
-
-# >0  search/4096,=try: (len=4), [""], swap_endian=0
-# >>&0  search/4096,=finally: (len=8), ["Python script text executable"], swap_endian=0
-signature file-magic-auto595 {
-	file-mime "text/x-python", 38
-	file-magic /(.*)(try\x3a)(.*)(finally\x3a)/
-}
-
 # >0  search/8192,="LIBHDR" (len=8), ["BCPL source text"], swap_endian=0
 signature file-magic-auto596 {
 	file-mime "text/x-bcpl", 38
@@ -3629,39 +1948,18 @@ signature file-magic-auto598 {
 	file-magic /(.*)(\x28defvar )/
 }
 
-# Not specific enough.
-# >0  regex,=^program (len=8), ["Pascal source text"], swap_endian=0
-#signature file-magic-auto599 {
-#	file-mime "text/x-pascal", 38
-#	file-magic /(^program)/
-#}
-
 # >0  search/1,=Only in  (len=8), ["diff output text"], swap_endian=0
 signature file-magic-auto600 {
 	file-mime "text/x-diff", 38
 	file-magic /(.*)(Only in )/
 }
 
-# This signature doesn't seem specific enough.
-# >0  search/1,=***  (len=4), ["diff output text"], swap_endian=0
-#signature file-magic-auto601 {
-#	file-mime "text/x-diff", 38
-#	file-magic /(.*)(\x2a\x2a\x2a )/
-#}
-
 # >0  search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0
 signature file-magic-auto604 {
 	file-mime "text/x-bcpl", 38
 	file-magic /(.*)(\x22libhdr\x22)/
 }
 
-# Not specific enough.
-# >0  regex,=^record (len=7), ["Pascal source text"], swap_endian=0
-#signature file-magic-auto605 {
-#	file-mime "text/x-pascal", 37
-#	file-magic /(^record)/
-#}
-
 # >0  search/4096,=(defun  (len=7), ["Lisp/Scheme program text"], swap_endian=0
 signature file-magic-auto607 {
 	file-mime "text/x-lisp", 37
@@ -3674,126 +1972,8 @@ signature file-magic-auto608 {
 	file-magic /(^msgid )/
 }
 
-# >0  search/8192,=(input, (len=7), ["Pascal source text"], swap_endian=0
-signature file-magic-auto609 {
-	file-mime "text/x-pascal", 37
-	file-magic /(.*)(\x28input\x2c)/
-}
-
-# Not specific enough.
-# >0  search/1,=Index: (len=6), ["RCS/CVS diff output text"], swap_endian=0
-#signature file-magic-auto610 {
-#	file-mime "text/x-diff", 44
-#	file-magic /(.*)(Index\x3a)/
-#}
-
 # >0  search/4096,=(setq  (len=6), ["Lisp/Scheme program text"], swap_endian=0
 signature file-magic-auto611 {
 	file-mime "text/x-lisp", 36
 	file-magic /(.*)(\x28setq )/
 }
-
-# >0  regex/100,=^[Cc][ \t] (len=9), ["FORTRAN program"], swap_endian=0
-signature file-magic-auto612 {
-	file-mime "text/x-fortran", 34
-	file-magic /(^[Cc][ \x09])/
-}
-
-# >0  search/wt/1,=<?XML (len=5), ["broken XML document text"], swap_endian=0
-signature file-magic-auto613 {
-	file-mime "application/xml", 30
-	file-magic /(.*)(\x3c\x3fXML)/
-}
-
-# >0  search/wtb/1,=<?xml (len=5), ["XML document text"], swap_endian=0
-signature file-magic-auto614 {
-	file-mime "application/xml", 30
-	file-magic /(.*)(\x3c\x3fxml)/
-}
-
-# >0  regex,^import.*;$ (len=10), ["Java source"], swap_endian=0
-signature file-magic-auto615 {
-	file-mime "text/x-java", 20
-	file-magic /(import.*;$)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x01, ["LSB"], swap_endian=0
-# >>>16  leshort&,=0 (0x0000), ["no file type,"], swap_endian=0
-#signature file-magic-auto616 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x00\x00)/
-#}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x02, ["MSB"], swap_endian=0
-# >>>16  leshort&,=0 (0x0000), ["no file type,"], swap_endian=1
-#signature file-magic-auto617 {
-#	file-mime "application/octet-stream", 50
-#	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x00)/
-#}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x01, ["LSB"], swap_endian=0
-# >>>16  leshort&,=1 (0x0001), ["relocatable,"], swap_endian=0
-signature file-magic-auto618 {
-	file-mime "application/x-object", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x01\x00)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x02, ["MSB"], swap_endian=0
-# >>>16  leshort&,=1 (0x0001), ["relocatable,"], swap_endian=1
-signature file-magic-auto619 {
-	file-mime "application/x-object", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x01)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x01, ["LSB"], swap_endian=0
-# >>>16  leshort&,=2 (0x0002), ["executable,"], swap_endian=0
-signature file-magic-auto620 {
-	file-mime "application/x-executable", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x02\x00)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x02, ["MSB"], swap_endian=0
-# >>>16  leshort&,=2 (0x0002), ["executable,"], swap_endian=1
-signature file-magic-auto621 {
-	file-mime "application/x-executable", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x02)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x01, ["LSB"], swap_endian=0
-# >>>16  leshort&,=3 (0x0003), ["shared object,"], swap_endian=0
-signature file-magic-auto622 {
-	file-mime "application/x-sharedlib", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x03\x00)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x02, ["MSB"], swap_endian=0
-# >>>16  leshort&,=3 (0x0003), ["shared object,"], swap_endian=1
-signature file-magic-auto623 {
-	file-mime "application/x-sharedlib", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x03)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x01, ["LSB"], swap_endian=0
-# >>>16  leshort&,=4 (0x0004), ["core file"], swap_endian=0
-signature file-magic-auto624 {
-	file-mime "application/x-coredump", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x04\x00)/
-}
-
-# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
-# >>5  byte&,=0x02, ["MSB"], swap_endian=0
-# >>>16  leshort&,=4 (0x0004), ["core file"], swap_endian=1
-signature file-magic-auto625 {
-	file-mime "application/x-coredump", 50
-	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x04)/
-}
-
diff --git a/scripts/base/frameworks/files/magic/msoffice.sig b/scripts/base/frameworks/files/magic/msoffice.sig
index 111ec77004..7ae866a088 100644
--- a/scripts/base/frameworks/files/magic/msoffice.sig
+++ b/scripts/base/frameworks/files/magic/msoffice.sig
@@ -26,3 +26,9 @@ signature file-pptx {
 	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
 	file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
 }
+
+signature file-msaccess {
+	file-mime "application/x-msaccess", 180
+	file-magic /.{4}Standard (Jet|ACE) DB\x00/
+}
+
diff --git a/scripts/base/frameworks/files/magic/video.sig b/scripts/base/frameworks/files/magic/video.sig
new file mode 100644
index 0000000000..019372d687
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/video.sig
@@ -0,0 +1,218 @@
+# >0  string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0
+signature file-magic-auto400 {
+	file-mime "video/x-flv", 60
+	file-magic /(FLV)/
+}
+
+# >4  leshort&,=-20719 (0xaf11), [""], swap_endian=0
+# >>8  leshort&,=320 (0x0140), [""], swap_endian=0
+# >>>10  leshort&,=200 (0x00c8), [""], swap_endian=0
+# >>>>12  leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0
+signature file-magic-auto452 {
+	file-mime "video/x-fli", 50
+	file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/
+}
+
+# >4  leshort&,=-20718 (0xaf12), [""], swap_endian=0
+# >>12  leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0
+signature file-magic-auto453 {
+	file-mime "video/x-flc", 50
+	file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/
+}
+
+# Motion JPEG 2000
+signature file-mj2 {
+	file-mime "video/mj2", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}mjp2/
+}
+
+# >0  string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0
+signature file-magic-auto274 {
+	file-mime "video/x-mng", 70
+	file-magic /(\x8aMNG)/
+}
+
+# >0  string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0
+signature file-magic-auto275 {
+	file-mime "video/x-jng", 70
+	file-magic /(\x8bJNG)/
+}
+
+# >0  belong&,=443 (0x000001bb), [""], swap_endian=0
+signature file-magic-auto204 {
+	file-mime "video/mpeg", 71
+	file-magic /(\x00\x00\x01\xbb)/
+}
+
+# >0  belong&,=432 (0x000001b0), [""], swap_endian=0
+signature file-magic-auto206 {
+	file-mime "video/mp4v-es", 71
+	file-magic /(\x00\x00\x01\xb0)/
+}
+
+# >0  belong&,=437 (0x000001b5), [""], swap_endian=0
+signature file-magic-auto207 {
+	file-mime "video/mp4v-es", 71
+	file-magic /(\x00\x00\x01\xb5)/
+}
+
+# >0  belong&,=435 (0x000001b3), [""], swap_endian=0
+signature file-magic-auto209 {
+	file-mime "video/mpv", 71
+	file-magic /(\x00\x00\x01\xb3)/
+}
+
+# >0  belong&,=1 (0x00000001), [""], swap_endian=0
+# >>4  byte&0000001f,=0x07, [""], swap_endian=0
+signature file-magic-auto211 {
+	file-mime "video/h264", 41
+	file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xba, ["MPEG sequence"], swap_endian=0
+signature file-magic-auto213 {
+	file-mime "video/mpeg", 40
+	file-magic /(\x00\x00\x01\xba)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0
+signature file-magic-auto214 {
+	file-mime "video/mpeg4-generic", 40
+	file-magic /(\x00\x00\x01\xb0)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0
+signature file-magic-auto215 {
+	file-mime "video/mpeg4-generic", 40
+	file-magic /(\x00\x00\x01\xb5)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb3, ["MPEG sequence"], swap_endian=0
+signature file-magic-auto216 {
+	file-mime "video/mpeg", 40
+	file-magic /(\x00\x00\x01\xb3)/
+}
+
+# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
+# >>4  byte&,^0x40, [""], swap_endian=0
+signature file-magic-auto251 {
+	file-mime "video/mpeg", 21
+	file-magic /(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
+}
+
+# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
+# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
+# >>>&1  string,=webm (len=4), ["WebM"], swap_endian=0
+signature file-magic-auto224 {
+	file-mime "video/webm", 70
+	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/
+}
+
+# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
+# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
+# >>>&1  string,=matroska (len=8), ["Matroska data"], swap_endian=0
+signature file-magic-auto225 {
+	file-mime "video/x-matroska", 110
+	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/
+}
+
+# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
+# >>4  byte&,&0x40, [""], swap_endian=0
+signature file-magic-auto250 {
+	file-mime "video/mp2p", 21
+	file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0
+signature file-magic-auto252 {
+	file-mime "video/x-sgi-movie", 70
+	file-magic /(MOVI)/
+}
+
+# >4  string,=moov (len=4), ["Apple QuickTime"], swap_endian=0
+signature file-magic-auto253 {
+	file-mime "video/quicktime", 70
+	file-magic /(.{4})(moov)/
+}
+
+# >4  string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0
+signature file-magic-auto254 {
+	file-mime "video/quicktime", 70
+	file-magic /(.{4})(mdat)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0
+signature file-magic-auto257 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(isom)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0
+signature file-magic-auto258 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mp41)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mp42 (len=4), [", MPEG v4 system, version 2"], swap_endian=0
+signature file-magic-auto259 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mp42)/
+}
+
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto261 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3ge)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto262 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gg)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto263 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gp)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto264 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gs)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3g2 (len=3), [", MPEG v4 system, 3GPP2"], swap_endian=0
+signature file-magic-auto265 {
+	file-mime "video/3gpp2", 60
+	file-magic /(.{4})(ftyp)(3g2)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0
+signature file-magic-auto266 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mmp4)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0
+signature file-magic-auto267 {
+	file-mime "video/3gpp", 70
+	file-magic /(.{4})(ftyp)(avc1)/
+}
+
diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc
index 8425e5d3c7..6121e25e15 100644
--- a/src/file_analysis/AnalyzerSet.cc
+++ b/src/file_analysis/AnalyzerSet.cc
@@ -52,9 +52,10 @@ bool AnalyzerSet::Add(file_analysis::Tag tag, RecordVal* args)
 
 	if ( analyzer_map.Lookup(key) )
 		{
-		DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %s skipped for file id"
-		        " %s: already exists", file_mgr->GetComponentName(tag).c_str(),
-		        file->GetID().c_str());
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s skipped: already exists", 
+		        file->GetID().c_str(),
+		        file_mgr->GetComponentName(tag).c_str());
+
 		delete key;
 		return true;
 		}
@@ -92,9 +93,9 @@ bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set)
 	{
 	if ( set->analyzer_map.Lookup(key) )
 		{
-		DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %s skipped for file id"
-		        " %s: already exists", file_mgr->GetComponentName(a->Tag()).c_str(),
-		        a->GetFile()->GetID().c_str());
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Add analyzer %s skipped: already exists", 
+		        a->GetFile()->GetID().c_str(),
+		        file_mgr->GetComponentName(a->Tag()).c_str());
 
 		Abort();
 		return true;
@@ -119,14 +120,14 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key)
 
 	if ( ! a )
 		{
-		DBG_LOG(DBG_FILE_ANALYSIS, "Skip remove analyzer %s for file id %s",
-		        file_mgr->GetComponentName(tag).c_str(), file->GetID().c_str());
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Skip remove analyzer %s",
+		        file->GetID().c_str(), file_mgr->GetComponentName(tag).c_str());
 		return false;
 		}
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Remove analyzer %s for file id %s",
-	        file_mgr->GetComponentName(tag).c_str(),
-	        file->GetID().c_str());
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Remove analyzer %s",
+	        file->GetID().c_str(),
+	        file_mgr->GetComponentName(tag).c_str());
 
 	a->Done();
 	delete a;
@@ -168,8 +169,9 @@ file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(Tag tag,
 
 	if ( ! a )
 		{
-		reporter->Error("Failed file analyzer %s instantiation for file id %s",
-		                file_mgr->GetComponentName(tag).c_str(), file->GetID().c_str());
+		reporter->Error("[%s] Failed file analyzer %s instantiation",
+		                file->GetID().c_str(), 
+		                file_mgr->GetComponentName(tag).c_str());
 		return 0;
 		}
 
@@ -178,8 +180,8 @@ file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(Tag tag,
 
 void AnalyzerSet::Insert(file_analysis::Analyzer* a, HashKey* key)
 	{
-	DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %s for file id %s",
-	        file_mgr->GetComponentName(a->Tag()).c_str(), file->GetID().c_str());
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Add analyzer %s",
+	        file->GetID().c_str(), file_mgr->GetComponentName(a->Tag()).c_str());
 	analyzer_map.Insert(key, a);
 	delete key;
 
@@ -191,7 +193,7 @@ void AnalyzerSet::DrainModifications()
 	if ( mod_queue.empty() )
 		return;
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Start analyzer mod queue flush of file id %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Start analyzer mod queue flush",
 	        file->GetID().c_str());
 	do
 		{
@@ -200,6 +202,6 @@ void AnalyzerSet::DrainModifications()
 		delete mod;
 		mod_queue.pop();
 		} while ( ! mod_queue.empty() );
-	DBG_LOG(DBG_FILE_ANALYSIS, "End flushing analyzer mod queue of file id %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] End flushing analyzer mod queue.",
 	        file->GetID().c_str());
 	}
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index c90c9f2413..d0b1ea2a01 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -304,7 +304,9 @@ bool File::DetectMIME()
 	file_mgr->DetectMIME(data, len, &matches);
 
 	if ( matches.empty() )
+		{
 		return false;
+		}
 
 	if ( FileEventAvailable(file_mime_type) )
 		{
@@ -502,10 +504,10 @@ void File::EndOfFile()
 	// any stream analyzers.
 	if ( ! bof_buffer.full )
 		{
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File over but bof_buffer not full.", id.c_str());
 		bof_buffer.full = true;
 		DeliverStream((const u_char*) "", 0);
 		}
-
 	analyzers.DrainModifications();
 
 	done = true;
@@ -582,7 +584,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	mgr.QueueEvent(h, vl);
 
 	if ( h == file_new || h == file_over_new_connection ||
-	     h == file_mime_type ||
+	     h == file_mime_type || h == file_mime_types ||
 	     h == file_timeout || h == file_extraction_limit )
 		{
 		// immediate feedback is required for these events.
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 995d422a37..217c901969 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -390,7 +390,7 @@ bool Manager::RemoveFile(const string& file_id)
 	if ( ! f )
 		return false;
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Remove FileID %s", file_id.c_str());
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Remove file", file_id.c_str());
 
 	f->EndOfFile();
 	delete f;
@@ -467,8 +467,8 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const
 		return 0;
 		}
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %s for file %s",
-		GetComponentName(tag).c_str(), f->id.c_str());
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s",
+		f->id.c_str(), GetComponentName(tag).c_str());
 
 	Analyzer* a = c->Factory()(args, f);
 
diff --git a/testing/btest/Baseline/core.tunnels.teredo/http.log b/testing/btest/Baseline/core.tunnels.teredo/http.log
index 9a9776b7f3..72f673bd5c 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/http.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-04-01-22-57-21
+#open	2015-03-14-01-46-26
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1210953057.917183	C7XEbhP654jzLoe3a	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	-	(empty)	-	-	-	Fp32SIJztq0Szn5Qc	text/plain	-	-
 1210953061.585996	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	-	-	FNFYdH11h5iQcoD3a2	text/html
 1210953073.381474	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	-	-	FHD5nv1iSVFZVM0aH7	text/html
-1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	application/xml
-#close	2014-04-01-22-57-21
+1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	text/html
+#close	2015-03-14-01-46-26
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index e62ab5a373..3a0ddb5fd9 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -16,15 +16,15 @@
       #empty_field	(empty)
       #unset_field	-
       #path	mime_metrics
-      #open	2014-10-08-03-56-52
+      #open	2015-03-14-01-46-11
       #fields	ts	ts_delta	mtype	uniq_hosts	hits	bytes
       #types	time	interval	string	count	count	count
-      1389719059.311698	300.000000	text/html	1	7	68469
+      1389719059.311698	300.000000	text/html	1	2	42231
       1389719059.311698	300.000000	image/jpeg	1	1	186859
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
-      1389719059.311698	300.000000	text/plain	1	10	101763
+      1389719059.311698	300.000000	text/plain	1	15	128001
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
       1389719059.311698	300.000000	image/x-icon	1	2	2300
-      #close	2014-10-08-03-56-52
+      #close	2015-03-14-01-46-11
 
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
index 8782898d33..ba1afe4239 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
@@ -3,20 +3,20 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2015-03-04-01-12-47
+#open	2015-03-14-01-47-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	-	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2015-03-04-01-12-47
+1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	application/pkix-cert	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
+#close	2015-03-14-01-47-46
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2015-03-04-01-12-47
+#open	2015-03-14-01-47-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
 1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
 1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
 1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2015-03-04-01-12-47
+#close	2015-03-14-01-47-46

From 19f498b4a473b2fbe30b2b3aa1703dd2532ab684 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Sat, 14 Mar 2015 00:25:13 -0400
Subject: [PATCH 16/54] Even more file type ident clean up.

 - Add detection for ColdFusion scripts.
 - Support detection of XML/HTML with prefixed comment blocks.
---
 .../base/frameworks/files/magic/general.sig   | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index e673fc86b6..63cfc9a4e0 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -9,37 +9,42 @@ signature file-plaintext {
 
 signature file-xml {
 	file-mime "application/xml", 10
-	file-magic /^[\x0d\x0a[:blank:]]*<\?xml /
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<\?xml /
 }
 
 signature file-xhtml {
 	file-mime "text/html", 100
-	file-magic /^[\x0d\x0a[:blank:]]*<\?xml version[ =]['"].*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<\?xml version[ =]['"].*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
 }
 
 signature file-html {
 	file-mime "text/html", 49
-	file-magic /^[\x0d\x0a[:blank:]]*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
 }
 
 signature file-html2 {
 	file-mime "text/html", 20
-	file-magic /[\x0d\x0a[:blank:]]*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+}
+
+signature file-coldfusion {
+	file-mime "magnus-internal/cold-fusion", 20
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<(CFPARAM|CFSET|CFIF)/
 }
 
 signature file-soap {
 	file-mime "application/soap+xml", 49
-	file-magic /^[\x0d\x0a[:blank:]]*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
 }
 
 signature file-cross-domain-policy {
 	file-mime "text/x-cross-domain-policy", 49
-	file-magic /^[\x0d\x0a[:blank:]]*(<\?xml version="1.0"\?>)?<![dD][oO][cC][tT][yY][pP][eE] {1,}[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*(<\?xml version="1.0"\?>)?<![dD][oO][cC][tT][yY][pP][eE] {1,}[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
 }
 
 signature file-cross-domain-policy2 {
 	file-mime "text/x-cross-domain-policy", 49
-	file-magic /^[\x0d\x0a[:blank:]]*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
 }
 
 # Microsoft LNK files

From fbff3a04eec3164d19f9587edb6928f25aaf9db7 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Wed, 25 Mar 2015 16:07:27 -0700
Subject: [PATCH 17/54] Add PROXY-AUTHORIZATION header

Added the PROXY-AUTHORIZATION header so that proxy username and passwords can be decoded. It follows the same syntax as the AUTHORIZATION header.
---
 scripts/base/protocols/http/main.bro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index c8f06dff18..735455f70f 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -257,7 +257,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 				add c$http$proxied[fmt("%s -> %s", name, value)];
 				}
 
-		else if ( name == "AUTHORIZATION" )
+		else if ( name == "AUTHORIZATION" || name == "PROXY-AUTHORIZATION" )
 			{
 			if ( /^[bB][aA][sS][iI][cC] / in value )
 				{

From 6861ecc0464e475a6e89b5c283564d06e21ef58c Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 6 Apr 2015 17:21:53 -0400
Subject: [PATCH 18/54] More signature updates.

---
 .../base/frameworks/files/magic/__load__.bro  |   8 +-
 .../base/frameworks/files/magic/archive.sig   | 109 ++-
 scripts/base/frameworks/files/magic/audio.sig | 121 ++++
 .../base/frameworks/files/magic/general.sig   |  24 +-
 scripts/base/frameworks/files/magic/image.sig |  98 ++-
 .../base/frameworks/files/magic/libmagic.sig  | 681 ++++++------------
 scripts/base/frameworks/files/magic/video.sig | 207 ++----
 7 files changed, 510 insertions(+), 738 deletions(-)
 create mode 100644 scripts/base/frameworks/files/magic/audio.sig

diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro
index df03616ec2..19a0090255 100644
--- a/scripts/base/frameworks/files/magic/__load__.bro
+++ b/scripts/base/frameworks/files/magic/__load__.bro
@@ -1,6 +1,8 @@
-@load-sigs ./general
 @load-sigs ./archive
+@load-sigs ./audio
+@load-sigs ./general
 @load-sigs ./image
-@load-sigs ./video
 @load-sigs ./msoffice
-@load-sigs ./libmagic
+@load-sigs ./video
+
+@load-sigs ./libmagic
\ No newline at end of file
diff --git a/scripts/base/frameworks/files/magic/archive.sig b/scripts/base/frameworks/files/magic/archive.sig
index d8cc727540..4b0df827e5 100644
--- a/scripts/base/frameworks/files/magic/archive.sig
+++ b/scripts/base/frameworks/files/magic/archive.sig
@@ -16,16 +16,19 @@ signature file-multi-zip {
 	file-magic /^PK\x07\x08PK\x03\x04/
 }
 
+# RAR
 signature file-rar {
 	file-mime "application/x-rar", 70
 	file-magic /^Rar!/
 }
 
+# GZIP
 signature file-gzip {
 	file-mime "application/x-gzip", 100
 	file-magic /\x1f\x8b/
 }
 
+# Microsoft Cabinet
 signature file-ms-cab {
 	file-mime "application/vnd.ms-cab-compressed", 110
 	file-magic /^MSCF\x00\x00\x00\x00/
@@ -50,11 +53,13 @@ signature file-magic-auto352 {
 	file-magic /^(drpm|\xed\xab\xee\xdb)/
 }
 
+# StuffIt
 signature file-stuffit {
 	file-mime "application/x-stuffit", 70
 	file-magic /^(SIT\x21|StuffIt)/
 }
 
+# Archived data
 signature file-x-archive {
 	file-mime "application/x-archive", 70
 	file-magic /^!?<ar(ch)?>/
@@ -63,7 +68,7 @@ signature file-x-archive {
 # ARC archive data
 signature file-arc {
 	file-mime "application/x-arc", 70
-	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})([\x02-\x0a\x14\x48]\x1a)/
+	file-magic /^[\x00-\x7f]{2}[\x02-\x0a\x14\x48]\x1a/
 }
 
 # EET archive
@@ -78,43 +83,34 @@ signature file-zoo {
 	file-magic /^.{20}\xdc\xa7\xc4\xfd/
 }
 
-# >0  lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0
-signature file-magic-auto382 {
+# LZ4 compressed data (legacy format)
+signature file-lz4-legacy {
 	file-mime "application/x-lz4", 70
 	file-magic /(\x02\x21\x4c\x18)/
 }
 
-# >0  lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0
-signature file-magic-auto383 {
+# LZ4 compressed data
+signature file-lz4 {
 	file-mime "application/x-lz4", 70
-	file-magic /(\x04\x22\x4d\x18)/
+	file-magic /^\x04\x22\x4d\x18/
 }
 
-# >0  string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0
-# >>5  byte&,x, [".%d"], swap_endian=0
-signature file-magic-auto384 {
+# LRZIP compressed data
+signature file-lrzip {
 	file-mime "application/x-lrzip", 1
-	file-magic /(LRZI)(.{1})(.{1})/
+	file-magic /^LRZI/
 }
 
-# >0  string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0
-signature file-magic-auto386 {
+# LZIP compressed data
+signature file-lzip {
 	file-mime "application/x-lzip", 70
-	file-magic /(LZIP)/
+	file-magic /^LZIP/
 }
 
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>30  string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0
+# Self-extracting PKZIP archive
 signature file-magic-auto434 {
 	file-mime "application/zip", 340
-	file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/
-}
-
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>30  string,=PKLITE Copr. (len=12), ["Self-extracting PKZIP archive"], swap_endian=0
-signature file-magic-auto435 {
-	file-mime "application/zip", 150
-	file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/
+	file-magic /^MZ.{28}(Copyright 1989\x2d1990 PKWARE Inc|PKLITE Copr)\x2e/
 }
 
 # LHA archive (LZH)
@@ -123,66 +119,57 @@ signature file-lzh {
 	file-magic /^.{2}-(lh[ abcdex0-9]|lz[s2-8]|lz[s2-8]|pm[s012]|pc1)-/
 }
 
-# >0  string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0
-# >>5  string,x, ["version %.4s"], swap_endian=0
-signature file-magic-auto177 {
-	file-mime "application/warc", 1
-	file-magic /(WARC\x2f)(.{0})/
+# WARC Archive
+signature file-warc {
+	file-mime "application/warc", 50
+	file-magic /^WARC\x2f/
 }
 
-# >0  string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0
-# >>7  byte&,x, [".%d"], swap_endian=0
-signature file-magic-auto150 {
-	file-mime "application/x-7z-compressed", 1
-	file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/
+# 7-zip archive data
+signature file-7zip {
+	file-mime "application/x-7z-compressed", 50
+	file-magic /^7z\xbc\xaf\x27\x1c/
 }
 
-# >0  ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0
-signature file-magic-auto151 {
+# XZ compressed data
+signature file-xz {
 	file-mime "application/x-xz", 90
-	file-magic /(\xfd7zXZ\x00)/
+	file-magic /^\xfd7zXZ\x00/
 }
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>36  string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+
+# LHa self-extracting archive
 signature file-magic-auto436 {
 	file-mime "application/x-lha", 120
-	file-magic /(MZ)(.{34})(LHa\x27s SFX)/
+	file-magic /^MZ.{34}LH[aA]\x27s SFX/
 }
 
-# >0  string/b,=MZ (len=2), [""], swap_endian=0
-# >>36  string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
-signature file-magic-auto437 {
-	file-mime "application/x-lha", 120
-	file-magic /(MZ)(.{34})(LHA\x27s SFX)/
-}
-
-# >0  leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0
-signature file-magic-auto467 {
+# ARJ archive data
+signature file-arj {
 	file-mime "application/x-arj", 50
-	file-magic /(\x60\xea)/
+	file-magic /^\x60\xea/
 }
 
-# >0  short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0
-signature file-magic-auto479 {
+# Byte-swapped cpio archive
+signature file-bs-cpio {
 	file-mime "application/x-cpio", 50
-	file-magic /((\x71\xc7)|(\xc7\x71))/
+	file-magic /(\x71\xc7|\xc7\x71)/
 }
 
-# >0  short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0
-signature file-magic-auto480 {
+# CPIO archive
+signature file-cpio {
 	file-mime "application/x-cpio", 50
-	file-magic /((\xc7\x71)|(\x71\xc7))/
+	file-magic /^(\xc7\x71|\x71\xc7)/
 }
 
-# >0  string,=\037\235 (len=2), ["compress'd data"], swap_endian=0
-signature file-magic-auto500 {
+# Compress'd data
+signature file-compress {
 	file-mime "application/x-compress", 50
-	file-magic /(\x1f\x9d)/
+	file-magic /^\x1f\x9d/
 }
 
-# >0  lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0
-signature file-magic-auto218 {
+# LZMA compressed data
+signature file-lzma {
 	file-mime "application/x-lzma", 71
-	file-magic /(\x5d\x00\x00.)/
+	file-magic /^\x5d\x00\x00/
 }
 
diff --git a/scripts/base/frameworks/files/magic/audio.sig b/scripts/base/frameworks/files/magic/audio.sig
new file mode 100644
index 0000000000..de2de85c6e
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/audio.sig
@@ -0,0 +1,121 @@
+
+# >0  beshort&fffffffffffffffe,=-30 (0xffe2), ["MPEG ADTS, layer III,  v2.5"], swap_endian=0
+signature file-magic-auto487 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xe2\xe3])/
+}
+
+# >0  beshort&fffffffffffffffe,=-10 (0xfff6), ["MPEG ADTS, layer I, v2"], swap_endian=0
+signature file-magic-auto488 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xf6\xf7])/
+}
+
+# >0  beshort&fffffffffffffffe,=-14 (0xfff2), ["MPEG ADTS, layer III, v2"], swap_endian=0
+signature file-magic-auto489 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xf2\xf3])/
+}
+
+# >0  beshort&fffffffffffffffe,=-4 (0xfffc), ["MPEG ADTS, layer II, v1"], swap_endian=0
+signature file-magic-auto490 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xfc\xfd])/
+}
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1,  32 kbps"], swap_endian=0
+signature file-magic-auto438 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x20, ["MPEG ADTS, layer III, v1,  40 kbps"], swap_endian=0
+signature file-magic-auto439 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x30, ["MPEG ADTS, layer III, v1,  48 kbps"], swap_endian=0
+signature file-magic-auto440 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x40, ["MPEG ADTS, layer III, v1,  56 kbps"], swap_endian=0
+signature file-magic-auto441 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x50, ["MPEG ADTS, layer III, v1,  64 kbps"], swap_endian=0
+signature file-magic-auto442 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x60, ["MPEG ADTS, layer III, v1,  80 kbps"], swap_endian=0
+signature file-magic-auto443 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x70, ["MPEG ADTS, layer III, v1,  96 kbps"], swap_endian=0
+signature file-magic-auto444 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x80, ["MPEG ADTS, layer III, v1, 112 kbps"], swap_endian=0
+signature file-magic-auto445 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x90, ["MPEG ADTS, layer III, v1, 128 kbps"], swap_endian=0
+signature file-magic-auto446 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xa0, ["MPEG ADTS, layer III, v1, 160 kbps"], swap_endian=0
+signature file-magic-auto447 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xb0, ["MPEG ADTS, layer III, v1, 192 kbps"], swap_endian=0
+signature file-magic-auto448 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xc0, ["MPEG ADTS, layer III, v1, 224 kbps"], swap_endian=0
+signature file-magic-auto449 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xd0, ["MPEG ADTS, layer III, v1, 256 kbps"], swap_endian=0
+signature file-magic-auto450 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xe0, ["MPEG ADTS, layer III, v1, 320 kbps"], swap_endian=0
+signature file-magic-auto451 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/
+}
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 63cfc9a4e0..2a2e630863 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -9,22 +9,32 @@ signature file-plaintext {
 
 signature file-xml {
 	file-mime "application/xml", 10
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<\?xml /
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<\?xml /
 }
 
 signature file-xhtml {
 	file-mime "text/html", 100
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<\?xml version[ =]['"].*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
 }
 
 signature file-html {
 	file-mime "text/html", 49
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
 }
 
 signature file-html2 {
 	file-mime "text/html", 20
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+}
+
+signature file-rss {
+	file-mime "text/rss", 90
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
+}
+
+signature file-atom {
+	file-mime "text/atom", 100
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS][^>]*xmlns:atom/
 }
 
 signature file-coldfusion {
@@ -34,17 +44,17 @@ signature file-coldfusion {
 
 signature file-soap {
 	file-mime "application/soap+xml", 49
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
 }
 
 signature file-cross-domain-policy {
 	file-mime "text/x-cross-domain-policy", 49
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*(<\?xml version="1.0"\?>)?<![dD][oO][cC][tT][yY][pP][eE] {1,}[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
 }
 
 signature file-cross-domain-policy2 {
 	file-mime "text/x-cross-domain-policy", 49
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
 }
 
 # Microsoft LNK files
diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig
index ad4e7bbbe1..2977cd90ae 100644
--- a/scripts/base/frameworks/files/magic/image.sig
+++ b/scripts/base/frameworks/files/magic/image.sig
@@ -9,11 +9,10 @@ signature file-gif {
 	file-magic /^GIF8/
 }
 
-
-# >0  beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0
+# JPEG image
 signature file-magic-auto427 {
 	file-mime "image/jpeg", 52
-	file-magic /(\xff\xd8)/
+	file-magic /^\xff\xd8/
 }
 
 signature file-bmp {
@@ -31,10 +30,9 @@ signature file-cur {
 	file-mime "image/x-cursor", 70
 }
 
-# >0  string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0
 signature file-magic-auto289 {
 	file-mime "image/vnd.adobe.photoshop", 70
-	file-magic /(8BPS)/
+	file-magic /^8BPS/
 }
 
 signature file-png {
@@ -66,78 +64,69 @@ signature file-jpm {
 	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jpm /
 }
 
-# >0  string,=Xcur (len=4), ["Xcursor data"], swap_endian=0
-signature file-magic-auto271 {
+# Xcursor image
+signature file-x-cursor {
 	file-mime "image/x-xcursor", 70
-	file-magic /(Xcur)/
+	file-magic /^Xcur/
 }
 
-# >0  string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0
-signature file-magic-auto282 {
+# NIFF image
+signature file-niff {
 	file-mime "image/x-niff", 70
-	file-magic /(IIN1)/
+	file-magic /^IIN1/
 }
 
-# >0  lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0
-signature file-magic-auto291 {
+# OpenEXR image
+signature file-openexr {
 	file-mime "image/x-exr", 70
-	file-magic /(\x76\x2f\x31\x01)/
+	file-magic /^\x76\x2f\x31\x01/
 }
 
-# >0  string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0
-signature file-magic-auto292 {
+# DPX image
+signature file-dpx {
 	file-mime "image/x-dpx", 70
-	file-magic /(SDPX)/
+	file-magic /^SDPX/
 }
 
-# >0  string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0
-signature file-magic-auto294 {
+# Cartesian Perceptual Compression image
+signature file-cpi {
 	file-mime "image/x-cpi", 70
 	file-magic /(CPC\xb2)/
 }
 
-
 signature file-orf {
 	file-mime "image/x-olympus-orf", 70
 	file-magic /IIR[OS]|MMOR/
 }
 
-# >0  string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0
-signature file-magic-auto298 {
+# Foveon X3F raw image
+signature file-x3r {
 	file-mime "image/x-x3f", 70
-	file-magic /(FOVb)/
+	file-magic /^FOVb/
 }
 
-# >0  string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0
-signature file-magic-auto299 {
+# Paint.NET image
+signature file-paint-net {
 	file-mime "image/x-paintnet", 70
-	file-magic /(PDN3)/
+	file-magic /^PDN3/
 }
 
-# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
-# >>8  string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0
-signature file-magic-auto355 {
+# Corel Draw Picture
+signature file-coreldraw {
 	file-mime "image/x-coreldraw", 70
-	file-magic /(RIFF)(.{4})(CDRA)/
+	file-magic /^RIFF....CDR[A6]/
 }
 
-# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
-# >>8  string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0
-signature file-magic-auto356 {
-	file-mime "image/x-coreldraw", 70
-	file-magic /(RIFF)(.{4})(CDR6)/
-}
-
-# >0  string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0
-signature file-magic-auto484 {
+# Netpbm PAM image
+signature file-netbpm{
 	file-mime "image/x-portable-pixmap", 50
-	file-magic /(P7)/
+	file-magic /^P7/
 }
 
-# >4  string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0
-signature file-magic-auto497 {
+# JPEG 2000 image
+signature file-jpeg-2000 {
 	file-mime "image/jp2", 50
-	file-magic /(.{4})(jP)/
+	file-magic /^....jP/
 }
 
 # DjVU Images
@@ -152,27 +141,26 @@ signature file-dwg {
 	file-magic /^(AC[12]\.|AC10)/
 }
 
-# >0  string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0
-signature file-magic-auto115 {
+# GIMP XCF image
+signature file-gimp-xcf {
 	file-mime "image/x-xcf", 110
-	file-magic /(gimp xcf)/
+	file-magic /^gimp xcf/
 }
 
-# >0  string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0
-signature file-magic-auto62 {
+# Polar Monitor Bitmap text
+signature file-polar-monitor-bitmap {
 	file-mime "image/x-polar-monitor-bitmap", 160
-	file-magic /(\x5bBitmapInfo2\x5d)/
+	file-magic /^\x5bBitmapInfo2\x5d/
 }
 
-# >0  string,=AWBM (len=4), [""], swap_endian=0
-# >>4  leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0
-signature file-magic-auto208 {
+# Award BIOS bitmap
+signature file-award-bitmap {
 	file-mime "image/x-award-bmp", 20
-	file-magic /(AWBM)(.{2})/
+	file-magic /^AWBM/
 }
 
-# >0  string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0
-signature file-magic-auto483 {
+# Award BIOS Logo, 136 x 84
+signature file-award-bios-logo {
 	file-mime "image/x-award-bioslogo", 50
 	file-magic /^\x11[\x06\x09]/
 }
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
index d18f6f01a6..5975962838 100644
--- a/scripts/base/frameworks/files/magic/libmagic.sig
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
@@ -357,65 +357,50 @@ signature file-magic-auto104 {
 	file-magic /(ITOLITLS)(.{4})/
 }
 
-# >4096  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 4k user block"], swap_endian=0
-signature file-magic-auto105 {
-	file-mime "application/x-hdf", 110
-	file-magic /(.{4096})(\x89HDF\x0d\x0a\x1a\x0a)/
-}
-
-# >2048  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 2k user block"], swap_endian=0
-signature file-magic-auto106 {
-	file-mime "application/x-hdf", 110
-	file-magic /(.{2048})(\x89HDF\x0d\x0a\x1a\x0a)/
-}
-
-# >1024  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 1k user block"], swap_endian=0
-signature file-magic-auto107 {
-	file-mime "application/x-hdf", 110
-	file-magic /(.{1024})(\x89HDF\x0d\x0a\x1a\x0a)/
-}
-
-# >512  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 512 bytes user block"], swap_endian=0
-signature file-magic-auto108 {
-	file-mime "application/x-hdf", 110
-	file-magic /(.{512})(\x89HDF\x0d\x0a\x1a\x0a)/
-}
-
 # >0  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) data"], swap_endian=0
 signature file-magic-auto109 {
 	file-mime "application/x-hdf", 110
 	file-magic /(\x89HDF\x0d\x0a\x1a\x0a)/
 }
 
-# >36  string,=acspSUNW (len=8), ["Sun KCMS ICC Profile"], swap_endian=0
-signature file-magic-auto111 {
-	file-mime "application/vnd.iccprofile", 110
-	file-magic /(.{36})(acspSUNW)/
-}
+# Find a way to do the following to generically detect ICC profiles.
+# An ICC parser should deal with the difference in these formats.
+## >36  string,=acspSUNW (len=8), ["Sun KCMS ICC Profile"], swap_endian=0
+#signature file-magic-auto111 {
+#	file-mime "application/vnd.iccprofile", 110
+#	file-magic /(.{36})(acspSUNW)/
+#}
+#
+## >36  string,=acspSGI  (len=8), ["SGI ICC Profile"], swap_endian=0
+#signature file-magic-auto112 {
+#	file-mime "application/vnd.iccprofile", 110
+#	file-magic /(.{36})(acspSGI )/
+#}
+#
+## >36  string,=acspMSFT (len=8), ["Microsoft ICM Color Profile"], swap_endian=0
+#signature file-magic-auto113 {
+#	file-mime "application/vnd.iccprofile", 110
+#	file-magic /(.{36})(acspMSFT)/
+#}
+#
+## >36  string,=acspAPPL (len=8), ["ColorSync ICC Profile"], swap_endian=0
+#signature file-magic-auto114 {
+#	file-mime "application/vnd.iccprofile", 110
+#	file-magic /(.{36})(acspAPPL)/
+#}
+#
+## >36  string,=acsp (len=4), ["ICC Profile"], swap_endian=0
+#signature file-magic-auto277 {
+#	file-mime "application/vnd.iccprofile", 70
+#	file-magic /(.{36})(acsp)/
+#}
 
-# >36  string,=acspSGI  (len=8), ["SGI ICC Profile"], swap_endian=0
-signature file-magic-auto112 {
-	file-mime "application/vnd.iccprofile", 110
-	file-magic /(.{36})(acspSGI )/
-}
-
-# >36  string,=acspMSFT (len=8), ["Microsoft ICM Color Profile"], swap_endian=0
-signature file-magic-auto113 {
-	file-mime "application/vnd.iccprofile", 110
-	file-magic /(.{36})(acspMSFT)/
-}
-
-# >36  string,=acspAPPL (len=8), ["ColorSync ICC Profile"], swap_endian=0
-signature file-magic-auto114 {
-	file-mime "application/vnd.iccprofile", 110
-	file-magic /(.{36})(acspAPPL)/
-}
 
 # >512  string,=R\000o\000o\000t\000 (len=8), ["Hangul (Korean) Word Processor File 2000"], swap_endian=0
-signature file-magic-auto116 {
-	file-mime "application/x-hwp", 110
-	file-magic /(.{512})(R\x00o\x00o\x00t\x00)/
-}
+#signature file-magic-auto116 {
+#	file-mime "application/x-hwp", 110
+#	file-magic /(.{512})(R\x00o\x00o\x00t\x00)/
+#}
 
 # >0  string,=<MIFFile (len=8), ["FrameMaker MIF (ASCII) file"], swap_endian=0
 signature file-magic-auto118 {
@@ -529,78 +514,6 @@ signature file-magic-auto162 {
 	file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fwww.opengis.net\x2fkml)/
 }
 
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXB (len=8), ["RINEX Data, GEO SBAS Broadcast"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto166 {
-	file-mime "rinex/broadcast", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXB)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXD (len=8), ["RINEX Data, Observation (Hatanaka comp)"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto167 {
-	file-mime "rinex/observation", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXD)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXC (len=8), ["RINEX Data, Clock"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto168 {
-	file-mime "rinex/clock", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXC)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXH (len=8), ["RINEX Data, GEO SBAS Navigation"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto169 {
-	file-mime "rinex/navigation", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXH)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXG (len=8), ["RINEX Data, GLONASS Navigation"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto170 {
-	file-mime "rinex/navigation", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXG)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXL (len=8), ["RINEX Data, Galileo Navigation"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto171 {
-	file-mime "rinex/navigation", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXL)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXM (len=8), ["RINEX Data, Meteorological"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto172 {
-	file-mime "rinex/meteorological", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXM)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXN (len=8), ["RINEX Data, Navigation	"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto173 {
-	file-mime "rinex/navigation", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXN)/
-}
-
-# >60  string,=RINEX (len=5), [""], swap_endian=0
-# >>80  search/256,=XXRINEXO (len=8), ["RINEX Data, Observation"], swap_endian=0
-# >>>5  string,x, [", version %6.6s"], swap_endian=0
-signature file-magic-auto174 {
-	file-mime "rinex/observation", 1
-	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXO)/
-}
-
 # >0  string,=\000\001\000\000\000 (len=5), ["TrueType font data"], swap_endian=0
 signature file-magic-auto187 {
 	file-mime "application/x-font-ttf", 80
@@ -935,13 +848,13 @@ signature file-magic-auto245 {
 # >4  string,=idsc (len=4), ["Apple QuickTime image (fast start)"], swap_endian=0
 signature file-magic-auto255 {
 	file-mime "image/x-quicktime", 70
-	file-magic /(.{4})(idsc)/
+	file-magic /....(idsc)/
 }
 
 # >4  string,=pckg (len=4), ["Apple QuickTime compressed archive"], swap_endian=0
 signature file-magic-auto256 {
 	file-mime "application/x-quicktime-player", 70
-	file-magic /(.{4})(pckg)/
+	file-magic /....(pckg)/
 }
 
 
@@ -949,21 +862,21 @@ signature file-magic-auto256 {
 # >>8  string/W,=M4A (len=3), [", MPEG v4 system, iTunes AAC-LC"], swap_endian=0
 signature file-magic-auto268 {
 	file-mime "audio/mp4", 60
-	file-magic /(.{4})(ftyp)(M4A)/
+	file-magic /....(ftyp)(M4A)/
 }
 
 # >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
 # >>8  string/W,=M4V (len=3), [", MPEG v4 system, iTunes AVC-LC"], swap_endian=0
 signature file-magic-auto269 {
 	file-mime "video/mp4", 60
-	file-magic /(.{4})(ftyp)(M4V)/
+	file-magic /....(ftyp)(M4V)/
 }
 
 # >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
 # >>8  string/W,=qt (len=2), [", Apple QuickTime movie"], swap_endian=0
 signature file-magic-auto270 {
 	file-mime "video/quicktime", 50
-	file-magic /(.{4})(ftyp)(qt)/
+	file-magic /....(ftyp)(qt)/
 }
 
 # >0  string,=ADIF (len=4), ["MPEG ADIF, AAC"], swap_endian=0
@@ -985,11 +898,6 @@ signature file-magic-auto276 {
 	file-magic /(MAC )/
 }
 
-# >36  string,=acsp (len=4), ["ICC Profile"], swap_endian=0
-signature file-magic-auto277 {
-	file-mime "application/vnd.iccprofile", 70
-	file-magic /(.{36})(acsp)/
-}
 
 # >0  string,=FORM (len=4), ["IFF data"], swap_endian=0
 # >>8  string,=AIFF (len=4), [", AIFF audio"], swap_endian=0
@@ -1048,71 +956,71 @@ signature file-magic-auto303 {
 	file-magic /(\xce\xce\xce\xce)/
 }
 
-# >1080  string,=32CN (len=4), ["32-channel Taketracker module sound data"], swap_endian=0
-signature file-magic-auto304 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(32CN)/
-}
-
-# >1080  string,=16CN (len=4), ["16-channel Taketracker module sound data"], swap_endian=0
-signature file-magic-auto305 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(16CN)/
-}
-
-# >1080  string,=OKTA (len=4), ["8-channel Octalyzer module sound data"], swap_endian=0
-signature file-magic-auto306 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(OKTA)/
-}
-
-# >1080  string,=CD81 (len=4), ["8-channel Octalyser module sound data"], swap_endian=0
-signature file-magic-auto307 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(CD81)/
-}
-
-# >1080  string,=8CHN (len=4), ["8-channel Fasttracker module sound data"], swap_endian=0
-signature file-magic-auto308 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(8CHN)/
-}
-
-# >1080  string,=6CHN (len=4), ["6-channel Fasttracker module sound data"], swap_endian=0
-signature file-magic-auto309 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(6CHN)/
-}
-
-# >1080  string,=4CHN (len=4), ["4-channel Fasttracker module sound data"], swap_endian=0
-signature file-magic-auto310 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(4CHN)/
-}
-
-# >1080  string,=FLT8 (len=4), ["8-channel Startracker module sound data"], swap_endian=0
-signature file-magic-auto311 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(FLT8)/
-}
-
-# >1080  string,=FLT4 (len=4), ["4-channel Startracker module sound data"], swap_endian=0
-signature file-magic-auto312 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(FLT4)/
-}
-
-# >1080  string,=M!K! (len=4), ["4-channel Protracker module sound data"], swap_endian=0
-signature file-magic-auto313 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(M\x21K\x21)/
-}
-
-# >1080  string,=M.K. (len=4), ["4-channel Protracker module sound data"], swap_endian=0
-signature file-magic-auto314 {
-	file-mime "audio/x-mod", 70
-	file-magic /(.{1080})(M\x2eK\x2e)/
-}
+## >1080  string,=32CN (len=4), ["32-channel Taketracker module sound data"], swap_endian=0
+#signature file-magic-auto304 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(32CN)/
+#}
+#
+## >1080  string,=16CN (len=4), ["16-channel Taketracker module sound data"], swap_endian=0
+#signature file-magic-auto305 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(16CN)/
+#}
+#
+## >1080  string,=OKTA (len=4), ["8-channel Octalyzer module sound data"], swap_endian=0
+#signature file-magic-auto306 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(OKTA)/
+#}
+#
+## >1080  string,=CD81 (len=4), ["8-channel Octalyser module sound data"], swap_endian=0
+#signature file-magic-auto307 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(CD81)/
+#}
+#
+## >1080  string,=8CHN (len=4), ["8-channel Fasttracker module sound data"], swap_endian=0
+#signature file-magic-auto308 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(8CHN)/
+#}
+#
+## >1080  string,=6CHN (len=4), ["6-channel Fasttracker module sound data"], swap_endian=0
+#signature file-magic-auto309 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(6CHN)/
+#}
+#
+## >1080  string,=4CHN (len=4), ["4-channel Fasttracker module sound data"], swap_endian=0
+#signature file-magic-auto310 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(4CHN)/
+#}
+#
+## >1080  string,=FLT8 (len=4), ["8-channel Startracker module sound data"], swap_endian=0
+#signature file-magic-auto311 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(FLT8)/
+#}
+#
+## >1080  string,=FLT4 (len=4), ["4-channel Startracker module sound data"], swap_endian=0
+#signature file-magic-auto312 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(FLT4)/
+#}
+#
+## >1080  string,=M!K! (len=4), ["4-channel Protracker module sound data"], swap_endian=0
+#signature file-magic-auto313 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(M\x21K\x21)/
+#}
+#
+## >1080  string,=M.K. (len=4), ["4-channel Protracker module sound data"], swap_endian=0
+#signature file-magic-auto314 {
+#	file-mime "audio/x-mod", 70
+#	file-magic /(.{1080})(M\x2eK\x2e)/
+#}
 
 # >0  lelong&,=336851773 (0x1413f33d), ["SYSLINUX' LSS16 image data"], swap_endian=0
 signature file-magic-auto315 {
@@ -1410,11 +1318,11 @@ signature file-magic-auto388 {
 	file-magic /(\xca\xfe\xd0\x0d)(.{1})/
 }
 
-# >0  search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
-signature file-magic-auto390 {
-	file-mime "text/x-tex", 62
-	file-magic /(.*)(\x5cdocumentstyle)/
-}
+## >0  search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
+#signature file-magic-auto390 {
+#	file-mime "text/x-tex", 62
+#	file-magic /(.*)(\x5cdocumentstyle)/
+#}
 
 # >0  string,=DOC (len=3), [""], swap_endian=0
 # >>43  byte&,=0x14, ["Just System Word Processor Ichitaro v4"], swap_endian=0
@@ -1469,47 +1377,47 @@ signature file-magic-auto406 {
 	file-magic /(BZh)/
 }
 
-# >0  search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0
-signature file-magic-auto412 {
-	file-mime "text/x-tex", 59
-	file-magic /(.*)(\x5cdocumentclass)/
-}
-
-# >0  search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0
-signature file-magic-auto414 {
-	file-mime "text/x-tex", 58
-	file-magic /(.*)(\x5ccontentsline)/
-}
-
-# >0  search/4096,=\chapter (len=8), ["LaTeX document text"], swap_endian=0
-signature file-magic-auto415 {
-	file-mime "text/x-tex", 56
-	file-magic /(.*)(\x5cchapter)/
-}
-
-# >0  search/4096,=\section (len=8), ["LaTeX document text"], swap_endian=0
-signature file-magic-auto416 {
-	file-mime "text/x-tex", 56
-	file-magic /(.*)(\x5csection)/
-}
-
-# >0  search/4096,=\setlength (len=10), ["LaTeX document text"], swap_endian=0
-signature file-magic-auto419 {
-	file-mime "text/x-tex", 55
-	file-magic /(.*)(\x5csetlength)/
-}
-
-# >0  search/1,=Common subdirectories:  (len=23), ["diff output text"], swap_endian=0
-signature file-magic-auto422 {
-	file-mime "text/x-diff", 53
-	file-magic /(.*)(Common subdirectories\x3a )/
-}
-
-# >0  search/4096,=(custom-set-variables  (len=22), ["Lisp/Scheme program text"], swap_endian=0
-signature file-magic-auto426 {
-	file-mime "text/x-lisp", 52
-	file-magic /(.*)(\x28custom\x2dset\x2dvariables )/
-}
+## >0  search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0
+#signature file-magic-auto412 {
+#	file-mime "text/x-tex", 59
+#	file-magic /(.*)(\x5cdocumentclass)/
+#}
+#
+## >0  search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0
+#signature file-magic-auto414 {
+#	file-mime "text/x-tex", 58
+#	file-magic /(.*)(\x5ccontentsline)/
+#}
+#
+## >0  search/4096,=\chapter (len=8), ["LaTeX document text"], swap_endian=0
+#signature file-magic-auto415 {
+#	file-mime "text/x-tex", 56
+#	file-magic /(.*)(\x5cchapter)/
+#}
+#
+## >0  search/4096,=\section (len=8), ["LaTeX document text"], swap_endian=0
+#signature file-magic-auto416 {
+#	file-mime "text/x-tex", 56
+#	file-magic /(.*)(\x5csection)/
+#}
+#
+## >0  search/4096,=\setlength (len=10), ["LaTeX document text"], swap_endian=0
+#signature file-magic-auto419 {
+#	file-mime "text/x-tex", 55
+#	file-magic /(.*)(\x5csetlength)/
+#}
+#
+## >0  search/1,=Common subdirectories:  (len=23), ["diff output text"], swap_endian=0
+#signature file-magic-auto422 {
+#	file-mime "text/x-diff", 53
+#	file-magic /(.*)(Common subdirectories\x3a )/
+#}
+#
+## >0  search/4096,=(custom-set-variables  (len=22), ["Lisp/Scheme program text"], swap_endian=0
+#signature file-magic-auto426 {
+#	file-mime "text/x-lisp", 52
+#	file-magic /(.*)(\x28custom\x2dset\x2dvariables )/
+#}
 
 # >0  string/b,=MZ (len=2), [""], swap_endian=0
 signature file-magic-auto433 {
@@ -1517,104 +1425,6 @@ signature file-magic-auto433 {
 	file-magic /(MZ)/
 }
 
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1,  32 kbps"], swap_endian=0
-signature file-magic-auto438 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x20, ["MPEG ADTS, layer III, v1,  40 kbps"], swap_endian=0
-signature file-magic-auto439 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x30, ["MPEG ADTS, layer III, v1,  48 kbps"], swap_endian=0
-signature file-magic-auto440 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x40, ["MPEG ADTS, layer III, v1,  56 kbps"], swap_endian=0
-signature file-magic-auto441 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x50, ["MPEG ADTS, layer III, v1,  64 kbps"], swap_endian=0
-signature file-magic-auto442 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x60, ["MPEG ADTS, layer III, v1,  80 kbps"], swap_endian=0
-signature file-magic-auto443 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x70, ["MPEG ADTS, layer III, v1,  96 kbps"], swap_endian=0
-signature file-magic-auto444 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x80, ["MPEG ADTS, layer III, v1, 112 kbps"], swap_endian=0
-signature file-magic-auto445 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x90, ["MPEG ADTS, layer III, v1, 128 kbps"], swap_endian=0
-signature file-magic-auto446 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xa0, ["MPEG ADTS, layer III, v1, 160 kbps"], swap_endian=0
-signature file-magic-auto447 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xb0, ["MPEG ADTS, layer III, v1, 192 kbps"], swap_endian=0
-signature file-magic-auto448 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xc0, ["MPEG ADTS, layer III, v1, 224 kbps"], swap_endian=0
-signature file-magic-auto449 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xd0, ["MPEG ADTS, layer III, v1, 256 kbps"], swap_endian=0
-signature file-magic-auto450 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xe0, ["MPEG ADTS, layer III, v1, 320 kbps"], swap_endian=0
-signature file-magic-auto451 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/
-}
-
 # >20  string,=45 (len=2), [""], swap_endian=0
 # >>0  regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0
 signature file-magic-auto460 {
@@ -1636,17 +1446,17 @@ signature file-magic-auto462 {
 	file-magic /(.{20})(45)(.*)((^[0-9]{5})[cdn][uvxy])/
 }
 
-# >0  search/4096,=\relax (len=6), ["LaTeX auxiliary file"], swap_endian=0
-signature file-magic-auto463 {
-	file-mime "text/x-tex", 51
-	file-magic /(.*)(\x5crelax)/
-}
-
-# >0  search/4096,=\begin (len=6), ["LaTeX document text"], swap_endian=0
-signature file-magic-auto464 {
-	file-mime "text/x-tex", 51
-	file-magic /.*\x5c(input|begin)/
-}
+## >0  search/4096,=\relax (len=6), ["LaTeX auxiliary file"], swap_endian=0
+#signature file-magic-auto463 {
+#	file-mime "text/x-tex", 51
+#	file-magic /(.*)(\x5crelax)/
+#}
+#
+## >0  search/4096,=\begin (len=6), ["LaTeX document text"], swap_endian=0
+#signature file-magic-auto464 {
+#	file-mime "text/x-tex", 51
+#	file-magic /.*\x5c(input|begin)/
+#}
 
 # >0  beshort&,=-26368 (0x9900), ["PGP key public ring"], swap_endian=0
 signature file-magic-auto470 {
@@ -1710,29 +1520,6 @@ signature file-magic-auto486 {
 	file-magic /(\xff[\xf0\xf1\xf8\xf9])/
 }
 
-# >0  beshort&fffffffffffffffe,=-30 (0xffe2), ["MPEG ADTS, layer III,  v2.5"], swap_endian=0
-signature file-magic-auto487 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xe2\xe3])/
-}
-
-# >0  beshort&fffffffffffffffe,=-10 (0xfff6), ["MPEG ADTS, layer I, v2"], swap_endian=0
-signature file-magic-auto488 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xf6\xf7])/
-}
-
-# >0  beshort&fffffffffffffffe,=-14 (0xfff2), ["MPEG ADTS, layer III, v2"], swap_endian=0
-signature file-magic-auto489 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xf2\xf3])/
-}
-
-# >0  beshort&fffffffffffffffe,=-4 (0xfffc), ["MPEG ADTS, layer II, v1"], swap_endian=0
-signature file-magic-auto490 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xfc\xfd])/
-}
 
 # >0  beshort&,=-26367 (0x9901), ["GPG key public ring"], swap_endian=0
 signature file-magic-auto492 {
@@ -1764,11 +1551,11 @@ signature file-magic-auto507 {
 	file-magic /(\x0b\x77)/
 }
 
-# >0  search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0
-signature file-magic-auto528 {
-	file-mime "text/x-info", 47
-	file-magic /(.*)(This is Info file)/
-}
+## >0  search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0
+#signature file-magic-auto528 {
+#	file-mime "text/x-info", 47
+#	file-magic /(.*)(This is Info file)/
+#}
 
 # >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
 # >>&0  search/8192,=[ (len=1), [""], swap_endian=0
@@ -1834,17 +1621,17 @@ signature file-magic-auto532 {
 	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/
 }
 
-# >0  search/1,=<MakerDictionary (len=16), ["FrameMaker Dictionary text"], swap_endian=0
-signature file-magic-auto544 {
-	file-mime "application/x-mif", 46
-	file-magic /(.*)(\x3cMakerDictionary)/
-}
+## >0  search/1,=<MakerDictionary (len=16), ["FrameMaker Dictionary text"], swap_endian=0
+#signature file-magic-auto544 {
+#	file-mime "application/x-mif", 46
+#	file-magic /(.*)(\x3cMakerDictionary)/
+#}
 
-# >0  search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
-signature file-magic-auto558 {
-	file-mime "text/x-tex", 43
-	file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/
-}
+## >0  search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
+#signature file-magic-auto558 {
+#	file-mime "text/x-tex", 43
+#	file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/
+#}
 
 # The use of non-sequential offsets and relational operations made the
 # autogenerated signature incorrrect.
@@ -1912,59 +1699,59 @@ signature file-magic-auto578 {
 	file-magic /(^dnl )/
 }
 
-# >0  search/4096,=(defparam  (len=10), ["Lisp/Scheme program text"], swap_endian=0
-signature file-magic-auto583 {
-	file-mime "text/x-lisp", 40
-	file-magic /(.*)(\x28defparam )/
-}
-
-# >0  search/4096,=(autoload  (len=10), ["Lisp/Scheme program text"], swap_endian=0
-signature file-magic-auto584 {
-	file-mime "text/x-lisp", 40
-	file-magic /(.*)(\x28autoload )/
-}
-
-# >0  search/1,=<TeXmacs| (len=9), ["TeXmacs document text"], swap_endian=0
-signature file-magic-auto589 {
-	file-mime "text/texmacs", 39
-	file-magic /(.*)(\x3cTeXmacs\x7c)/
-}
-
-# >0  search/1,=/* XPM */ (len=9), ["X pixmap image text"], swap_endian=0
-signature file-magic-auto590 {
-	file-mime "image/x-xpmi", 39
-	file-magic /(.*)(\x2f\x2a XPM \x2a\x2f)/
-}
-
-# >0  search/8192,="LIBHDR" (len=8), ["BCPL source text"], swap_endian=0
-signature file-magic-auto596 {
-	file-mime "text/x-bcpl", 38
-	file-magic /(.*)(\x22LIBHDR\x22)/
-}
-
-# >0  search/4096,=(defvar  (len=8), ["Lisp/Scheme program text"], swap_endian=0
-signature file-magic-auto598 {
-	file-mime "text/x-lisp", 38
-	file-magic /(.*)(\x28defvar )/
-}
-
-# >0  search/1,=Only in  (len=8), ["diff output text"], swap_endian=0
-signature file-magic-auto600 {
-	file-mime "text/x-diff", 38
-	file-magic /(.*)(Only in )/
-}
-
-# >0  search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0
-signature file-magic-auto604 {
-	file-mime "text/x-bcpl", 38
-	file-magic /(.*)(\x22libhdr\x22)/
-}
-
-# >0  search/4096,=(defun  (len=7), ["Lisp/Scheme program text"], swap_endian=0
-signature file-magic-auto607 {
-	file-mime "text/x-lisp", 37
-	file-magic /(.*)(\x28defun )/
-}
+## >0  search/4096,=(defparam  (len=10), ["Lisp/Scheme program text"], swap_endian=0
+#signature file-magic-auto583 {
+#	file-mime "text/x-lisp", 40
+#	file-magic /(.*)(\x28defparam )/
+#}
+#
+## >0  search/4096,=(autoload  (len=10), ["Lisp/Scheme program text"], swap_endian=0
+#signature file-magic-auto584 {
+#	file-mime "text/x-lisp", 40
+#	file-magic /(.*)(\x28autoload )/
+#}
+#
+## >0  search/1,=<TeXmacs| (len=9), ["TeXmacs document text"], swap_endian=0
+#signature file-magic-auto589 {
+#	file-mime "text/texmacs", 39
+#	file-magic /(.*)(\x3cTeXmacs\x7c)/
+#}
+#
+## >0  search/1,=/* XPM */ (len=9), ["X pixmap image text"], swap_endian=0
+#signature file-magic-auto590 {
+#	file-mime "image/x-xpmi", 39
+#	file-magic /(.*)(\x2f\x2a XPM \x2a\x2f)/
+#}
+#
+## >0  search/8192,="LIBHDR" (len=8), ["BCPL source text"], swap_endian=0
+#signature file-magic-auto596 {
+#	file-mime "text/x-bcpl", 38
+#	file-magic /(.*)(\x22LIBHDR\x22)/
+#}
+#
+## >0  search/4096,=(defvar  (len=8), ["Lisp/Scheme program text"], swap_endian=0
+#signature file-magic-auto598 {
+#	file-mime "text/x-lisp", 38
+#	file-magic /(.*)(\x28defvar )/
+#}
+#
+## >0  search/1,=Only in  (len=8), ["diff output text"], swap_endian=0
+#signature file-magic-auto600 {
+#	file-mime "text/x-diff", 38
+#	file-magic /(.*)(Only in )/
+#}
+#
+## >0  search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0
+#signature file-magic-auto604 {
+#	file-mime "text/x-bcpl", 38
+#	file-magic /(.*)(\x22libhdr\x22)/
+#}
+#
+## >0  search/4096,=(defun  (len=7), ["Lisp/Scheme program text"], swap_endian=0
+#signature file-magic-auto607 {
+#	file-mime "text/x-lisp", 37
+#	file-magic /(.*)(\x28defun )/
+#}
 
 # >0  regex,=^msgid  (len=7), ["GNU gettext message catalogue text"], swap_endian=0
 signature file-magic-auto608 {
@@ -1973,7 +1760,7 @@ signature file-magic-auto608 {
 }
 
 # >0  search/4096,=(setq  (len=6), ["Lisp/Scheme program text"], swap_endian=0
-signature file-magic-auto611 {
-	file-mime "text/x-lisp", 36
-	file-magic /(.*)(\x28setq )/
-}
+#signature file-magic-auto611 {
+#	file-mime "text/x-lisp", 36
+#	file-magic /(.*)(\x28setq )/
+#}
diff --git a/scripts/base/frameworks/files/magic/video.sig b/scripts/base/frameworks/files/magic/video.sig
index 019372d687..bc0f24c46a 100644
--- a/scripts/base/frameworks/files/magic/video.sig
+++ b/scripts/base/frameworks/files/magic/video.sig
@@ -1,23 +1,19 @@
-# >0  string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0
-signature file-magic-auto400 {
+# Macromedia Flash Video
+signature file-flv {
 	file-mime "video/x-flv", 60
-	file-magic /(FLV)/
+	file-magic /^FLV/
 }
 
-# >4  leshort&,=-20719 (0xaf11), [""], swap_endian=0
-# >>8  leshort&,=320 (0x0140), [""], swap_endian=0
-# >>>10  leshort&,=200 (0x00c8), [""], swap_endian=0
-# >>>>12  leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0
-signature file-magic-auto452 {
+# FLI animation
+signature file-fli {
 	file-mime "video/x-fli", 50
-	file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/
+	file-magic /^.{4}\x11\xaf/
 }
 
-# >4  leshort&,=-20718 (0xaf12), [""], swap_endian=0
-# >>12  leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0
-signature file-magic-auto453 {
+# FLC animation
+signature file-flc {
 	file-mime "video/x-flc", 50
-	file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/
+	file-magic /^.{4}\x12\xaf/
 }
 
 # Motion JPEG 2000
@@ -26,193 +22,74 @@ signature file-mj2 {
 	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}mjp2/
 }
 
-# >0  string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0
-signature file-magic-auto274 {
+# MNG video
+signature file-mng {
 	file-mime "video/x-mng", 70
-	file-magic /(\x8aMNG)/
+	file-magic /^\x8aMNG/
 }
 
-# >0  string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0
-signature file-magic-auto275 {
+# JNG video
+signature file-jng {
 	file-mime "video/x-jng", 70
-	file-magic /(\x8bJNG)/
+	file-magic /^\x8bJNG/
 }
 
-# >0  belong&,=443 (0x000001bb), [""], swap_endian=0
-signature file-magic-auto204 {
-	file-mime "video/mpeg", 71
-	file-magic /(\x00\x00\x01\xbb)/
+# Generic MPEG container
+signature file-mpeg {
+	file-mime "video/mpeg", 50
+	file-magic /(\x00\x00\x01[\xb0-\xbb])/
 }
 
-# >0  belong&,=432 (0x000001b0), [""], swap_endian=0
-signature file-magic-auto206 {
-	file-mime "video/mp4v-es", 71
-	file-magic /(\x00\x00\x01\xb0)/
-}
-
-# >0  belong&,=437 (0x000001b5), [""], swap_endian=0
-signature file-magic-auto207 {
-	file-mime "video/mp4v-es", 71
-	file-magic /(\x00\x00\x01\xb5)/
-}
-
-# >0  belong&,=435 (0x000001b3), [""], swap_endian=0
-signature file-magic-auto209 {
+# MPV
+signature file-mpv {
 	file-mime "video/mpv", 71
 	file-magic /(\x00\x00\x01\xb3)/
 }
 
-# >0  belong&,=1 (0x00000001), [""], swap_endian=0
-# >>4  byte&0000001f,=0x07, [""], swap_endian=0
-signature file-magic-auto211 {
+# H.264
+signature file-h264 {
 	file-mime "video/h264", 41
 	file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/
 }
 
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xba, ["MPEG sequence"], swap_endian=0
-signature file-magic-auto213 {
-	file-mime "video/mpeg", 40
-	file-magic /(\x00\x00\x01\xba)/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0
-signature file-magic-auto214 {
-	file-mime "video/mpeg4-generic", 40
-	file-magic /(\x00\x00\x01\xb0)/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0
-signature file-magic-auto215 {
-	file-mime "video/mpeg4-generic", 40
-	file-magic /(\x00\x00\x01\xb5)/
-}
-
-# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
-# >>3  byte&,=0xb3, ["MPEG sequence"], swap_endian=0
-signature file-magic-auto216 {
-	file-mime "video/mpeg", 40
-	file-magic /(\x00\x00\x01\xb3)/
-}
-
-# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
-# >>4  byte&,^0x40, [""], swap_endian=0
-signature file-magic-auto251 {
-	file-mime "video/mpeg", 21
-	file-magic /(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
-}
-
-# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
-# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
-# >>>&1  string,=webm (len=4), ["WebM"], swap_endian=0
-signature file-magic-auto224 {
+# WebM video
+signature file-webm {
 	file-mime "video/webm", 70
 	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/
 }
 
-# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
-# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
-# >>>&1  string,=matroska (len=8), ["Matroska data"], swap_endian=0
-signature file-magic-auto225 {
+# Matroska video
+signature file-matroska {
 	file-mime "video/x-matroska", 110
 	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/
 }
 
-# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
-# >>4  byte&,&0x40, [""], swap_endian=0
-signature file-magic-auto250 {
+# MP2P
+signature file-mp2p {
 	file-mime "video/mp2p", 21
-	file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+	file-magic /\x00\x00\x01\xba([\x40-\x7f\xc0-\xff])/
 }
 
-# >0  string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0
-signature file-magic-auto252 {
+# Silicon Graphics video
+signature file-sgi-movie {
 	file-mime "video/x-sgi-movie", 70
-	file-magic /(MOVI)/
+	file-magic /^MOVI/
 }
 
-# >4  string,=moov (len=4), ["Apple QuickTime"], swap_endian=0
-signature file-magic-auto253 {
+# Apple QuickTime movie
+signature file-quicktime {
 	file-mime "video/quicktime", 70
-	file-magic /(.{4})(moov)/
+	file-magic /^....(mdat|moov)/
 }
 
-# >4  string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0
-signature file-magic-auto254 {
-	file-mime "video/quicktime", 70
-	file-magic /(.{4})(mdat)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0
-signature file-magic-auto257 {
+# MPEG v4 video
+signature file-mp4 {
 	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(isom)/
+	file-magic /(.{4})(ftyp)(isom|mp4[12])/
 }
 
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0
-signature file-magic-auto258 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(mp41)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=mp42 (len=4), [", MPEG v4 system, version 2"], swap_endian=0
-signature file-magic-auto259 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(mp42)/
-}
-
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto261 {
+# 3GPP Video
+signature file-3gpp {
 	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3ge)/
+	file-magic /^....(ftyp)(3g[egps2]|avc1|mmp4)/
 }
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto262 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3gg)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto263 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3gp)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
-signature file-magic-auto264 {
-	file-mime "video/3gpp", 60
-	file-magic /(.{4})(ftyp)(3gs)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=3g2 (len=3), [", MPEG v4 system, 3GPP2"], swap_endian=0
-signature file-magic-auto265 {
-	file-mime "video/3gpp2", 60
-	file-magic /(.{4})(ftyp)(3g2)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0
-signature file-magic-auto266 {
-	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(mmp4)/
-}
-
-# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
-# >>8  string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0
-signature file-magic-auto267 {
-	file-mime "video/3gpp", 70
-	file-magic /(.{4})(ftyp)(avc1)/
-}
-

From 99061fff4c9f611b2c19ba18b78a2d10c8b446b0 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 6 Apr 2015 23:40:20 -0400
Subject: [PATCH 19/54] Another large signature update.

 - Lots of cleanup and expansion of XML match types.
   - Signatures for ATOM and RSS (text/atom, text/rss).
   - Improved SOAP signature.
   - Improved text/cross-domain-policy signature
 - Improved and expanded javascript matching a bit.
 - Removed a lot of potentially problematic signatures (performance)
 - Split out more signatures from libmagic.sig
 - Added a signature for matching JSON.  Seems to work ok.
 - Signature for MPEGv4 audio.
 - Expanded java applet signature.
 - Improved PNG matching.
 - Improved MP3 matching.
---
 scripts/base/frameworks/files/magic/audio.sig | 124 ++----------------
 .../base/frameworks/files/magic/general.sig   |  47 ++++---
 scripts/base/frameworks/files/magic/image.sig |   2 +-
 3 files changed, 41 insertions(+), 132 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/audio.sig b/scripts/base/frameworks/files/magic/audio.sig
index de2de85c6e..efba99ed0d 100644
--- a/scripts/base/frameworks/files/magic/audio.sig
+++ b/scripts/base/frameworks/files/magic/audio.sig
@@ -1,121 +1,13 @@
 
-# >0  beshort&fffffffffffffffe,=-30 (0xffe2), ["MPEG ADTS, layer III,  v2.5"], swap_endian=0
-signature file-magic-auto487 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xe2\xe3])/
+# MPEG v3 audio
+signature file-mpeg-audio {
+	file-mime "audio/mpeg", 20
+	file-magic /^\xff[\xe2\xe3\xf2\xf3\xf6\xf7\xfa\xfb\xfc\xfd]/
 }
 
-# >0  beshort&fffffffffffffffe,=-10 (0xfff6), ["MPEG ADTS, layer I, v2"], swap_endian=0
-signature file-magic-auto488 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xf6\xf7])/
+# MPEG v4 audio
+signature file-m4a {
+	file-mime "audio/m4a", 70
+	file-magic /^....ftyp(m4a)/
 }
 
-# >0  beshort&fffffffffffffffe,=-14 (0xfff2), ["MPEG ADTS, layer III, v2"], swap_endian=0
-signature file-magic-auto489 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xf2\xf3])/
-}
-
-# >0  beshort&fffffffffffffffe,=-4 (0xfffc), ["MPEG ADTS, layer II, v1"], swap_endian=0
-signature file-magic-auto490 {
-	file-mime "audio/mpeg", 50
-	file-magic /(\xff[\xfc\xfd])/
-}
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1,  32 kbps"], swap_endian=0
-signature file-magic-auto438 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x20, ["MPEG ADTS, layer III, v1,  40 kbps"], swap_endian=0
-signature file-magic-auto439 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x30, ["MPEG ADTS, layer III, v1,  48 kbps"], swap_endian=0
-signature file-magic-auto440 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x40, ["MPEG ADTS, layer III, v1,  56 kbps"], swap_endian=0
-signature file-magic-auto441 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x50, ["MPEG ADTS, layer III, v1,  64 kbps"], swap_endian=0
-signature file-magic-auto442 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x60, ["MPEG ADTS, layer III, v1,  80 kbps"], swap_endian=0
-signature file-magic-auto443 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x70, ["MPEG ADTS, layer III, v1,  96 kbps"], swap_endian=0
-signature file-magic-auto444 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x80, ["MPEG ADTS, layer III, v1, 112 kbps"], swap_endian=0
-signature file-magic-auto445 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0x90, ["MPEG ADTS, layer III, v1, 128 kbps"], swap_endian=0
-signature file-magic-auto446 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xa0, ["MPEG ADTS, layer III, v1, 160 kbps"], swap_endian=0
-signature file-magic-auto447 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xb0, ["MPEG ADTS, layer III, v1, 192 kbps"], swap_endian=0
-signature file-magic-auto448 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xc0, ["MPEG ADTS, layer III, v1, 224 kbps"], swap_endian=0
-signature file-magic-auto449 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xd0, ["MPEG ADTS, layer III, v1, 256 kbps"], swap_endian=0
-signature file-magic-auto450 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf])/
-}
-
-# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
-# >>2  byte&fffffffffffffff0,=0xe0, ["MPEG ADTS, layer III, v1, 320 kbps"], swap_endian=0
-signature file-magic-auto451 {
-	file-mime "audio/mpeg", 40
-	file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/
-}
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 2a2e630863..15db07f1e2 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -3,48 +3,55 @@
 # Plaintext 
 # (Including BOMs for UTF-8, 16, and 32)
 signature file-plaintext {
-	file-magic /^(\xef\xbb\xbf|(\x00\x00)?\xfe\xff|\xff\xfe(\x00\x00)?)?[[:space:]\x20-\x7E]{10}/
 	file-mime "text/plain", -20
+	file-magic /^(\xef\xbb\xbf|(\x00\x00)?\xfe\xff|\xff\xfe(\x00\x00)?)?[[:space:]\x20-\x7E]{10}/
 }
 
+# This can't go well...
+signature file-json {
+	file-mime "text/json", 1
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(['"][a-zA-Z][a-zA-Z0-9]*['"]|[a-zA-Z][a-zA-Z0-9]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
+}
+
+signature file-json2 {
+	file-mime "text/json", 1
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(['"][a-zA-Z][a-zA-Z0-9]*['"]|[0-9]{1,})[\x0d\x0a[:blank:]]*,[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
+}
+
+
 signature file-xml {
 	file-mime "application/xml", 10
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<\?xml /
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<\?xml /
 }
 
 signature file-xhtml {
 	file-mime "text/html", 100
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL]|[mM][eE][tT][aA] {1,}[hH][tT][tT][pP]-[eE][qQ][uU][iI][vV])/
 }
 
 signature file-html {
 	file-mime "text/html", 49
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
 }
 
 signature file-html2 {
 	file-mime "text/html", 20
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
 }
 
 signature file-rss {
 	file-mime "text/rss", 90
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
 }
 
 signature file-atom {
 	file-mime "text/atom", 100
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS][^>]*xmlns:atom/
-}
-
-signature file-coldfusion {
-	file-mime "magnus-internal/cold-fusion", 20
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<(CFPARAM|CFSET|CFIF)/
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([rR][sS][sS][^>]*xmlns:atom|[fF][eE][eE][dD][^>]*xmlns=["']?http:\/\/www.w3.org\/2005\/Atom["']?)/
 }
 
 signature file-soap {
 	file-mime "application/soap+xml", 49
-	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP](-[eE][nN][vV])?:[eE][nN][vV][eE][lL][oO][pP][eE]/
 }
 
 signature file-cross-domain-policy {
@@ -57,6 +64,11 @@ signature file-cross-domain-policy2 {
 	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
 }
 
+signature file-coldfusion {
+	file-mime "magnus-internal/cold-fusion", 20
+	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<(CFPARAM|CFSET|CFIF)/
+}
+
 # Microsoft LNK files
 signature file-lnk {
 	file-mime "application/x-ms-shortcut", 49
@@ -69,7 +81,7 @@ signature file-jar {
 }
 
 signature file-java-applet {
-	file-magic /^\xca\xfe\xba\xbe...[\x2e-\x34]/
+	file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
 	file-mime "application/x-java-applet", 71
 }
 
@@ -166,7 +178,7 @@ signature file-javascript {
 
 signature file-javascript2 {
 	file-mime "application/javascript", 60
-	file-magic /^[\x0d\x0a[:blank:]]*<script[[:blank:]]+(type|language)=['"](text\/)?javascript['"]>/
+	file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]['"]?>/
 }
 
 signature file-javascript3 {
@@ -185,6 +197,11 @@ signature file-javascript5 {
 	file-magic /^\(function\(\)[[:blank:]\n]*\{/
 }
 
+signature file-javascript6 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*<script>[\x0d\x0a[:blank:]]*(var|function) /
+}
+
 signature file-php {
 	file-mime "text/x-php", 60
 	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig
index 2977cd90ae..cf3ac58918 100644
--- a/scripts/base/frameworks/files/magic/image.sig
+++ b/scripts/base/frameworks/files/magic/image.sig
@@ -37,7 +37,7 @@ signature file-magic-auto289 {
 
 signature file-png {
 	file-mime "image/png", 110
-	file-magic /^\x89PNG\x0d\x0a\x1a\x0a/
+	file-magic /^\x89PNG/
 }
 
 # JPEG 2000

From 422e558d77f1cdb406dd8294268e2915dda1eeab Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Tue, 7 Apr 2015 00:46:10 -0400
Subject: [PATCH 20/54] Extended JSON matching and added OCSP responses.

---
 scripts/base/frameworks/files/magic/general.sig | 10 +++++++---
 scripts/base/frameworks/files/magic/image.sig   |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 15db07f1e2..51acd0c5de 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -10,15 +10,14 @@ signature file-plaintext {
 # This can't go well...
 signature file-json {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(['"][a-zA-Z][a-zA-Z0-9]*['"]|[a-zA-Z][a-zA-Z0-9]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(['"][a-zA-Z\\][a-zA-Z0-9\\]*['"]|[a-zA-Z][a-zA-Z0-9]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
 }
 
 signature file-json2 {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(['"][a-zA-Z][a-zA-Z0-9]*['"]|[0-9]{1,})[\x0d\x0a[:blank:]]*,[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(['"][a-zA-Z\\][a-zA-Z0-9\\]*['"]|[0-9]{1,})[\x0d\x0a[:blank:]]*,[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
 }
 
-
 signature file-xml {
 	file-mime "application/xml", 10
 	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<\?xml /
@@ -85,6 +84,11 @@ signature file-java-applet {
 	file-mime "application/x-java-applet", 71
 }
 
+signature file-oscp-response {
+	file-magic /^.{11,19}\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01/
+	file-mime "application/ocsp-response", 71
+}
+
 # Shockwave flash
 signature file-swf {
 	file-magic /^(F|C|Z)WS/
diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig
index cf3ac58918..c6c0d13a50 100644
--- a/scripts/base/frameworks/files/magic/image.sig
+++ b/scripts/base/frameworks/files/magic/image.sig
@@ -10,7 +10,7 @@ signature file-gif {
 }
 
 # JPEG image
-signature file-magic-auto427 {
+signature file-jpeg {
 	file-mime "image/jpeg", 52
 	file-magic /^\xff\xd8/
 }

From 8fd5e7f382128c29f0fda3906d8290c9f05b3083 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Tue, 7 Apr 2015 02:06:02 -0400
Subject: [PATCH 21/54] Adding WOFF fonts to file type identification.

---
 scripts/base/frameworks/files/magic/general.sig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 51acd0c5de..e1d3cc9b03 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -89,6 +89,12 @@ signature file-oscp-response {
 	file-mime "application/ocsp-response", 71
 }
 
+# Web Open Font Format
+signature file-woff {
+	file-magic /^wOFF/
+	file-mime "application/font-woff", 70
+}
+
 # Shockwave flash
 signature file-swf {
 	file-magic /^(F|C|Z)WS/

From b4498a414274239d3064742f4e88098fd76eaf82 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Tue, 7 Apr 2015 14:45:15 -0700
Subject: [PATCH 22/54] Some changes to fix PE analyzer on master.

---
 scripts/base/files/pe/main.bro          |  4 +--
 src/file_analysis/analyzer/pe/Plugin.cc | 33 +++++++++++--------------
 src/types.bif                           | 16 ------------
 3 files changed, 16 insertions(+), 37 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 091c322990..754b788318 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -82,9 +82,9 @@ event file_state_remove(f: fa_file)
 		Log::write(LOG, f$pe);
 	}
 
-event file_new(f: fa_file)
+event file_mime_type(f: fa_file, mime_type: string)
 	{
-	if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) 
+	if ( mime_type == /application\/x-dosexec.*/ ) 
 		{
 		Files::add_analyzer(f, Files::ANALYZER_PE);
 		}
diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc
index 1cc33b5759..8601dedb67 100644
--- a/src/file_analysis/analyzer/pe/Plugin.cc
+++ b/src/file_analysis/analyzer/pe/Plugin.cc
@@ -1,29 +1,24 @@
+// See the file  in the main distribution directory for copyright.
+
 #include "plugin/Plugin.h"
-#include "file_analysis/Component.h"
 
 #include "PE.h"
 
-namespace plugin { namespace Bro_PE {
+namespace plugin {
+namespace Bro_PE {
 
 class Plugin : public plugin::Plugin {
-protected:
-	void InitPreScript()
+public:
+	plugin::Configuration Configure()
 		{
-		SetName("Bro::PE");
-		SetVersion(-1);
-		SetAPIVersion(BRO_PLUGIN_API_VERSION);
-		SetDynamicPlugin(false);
+		AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate));
 
-		SetDescription("Portable Executable analyzer");
-
-		AddComponent(new ::file_analysis::Component("PE",
-		        ::file_analysis::PE::Instantiate));
-
-		extern std::list<std::pair<const char*, int> > __bif_events_init();
-		AddBifInitFunction(&__bif_events_init);
+		plugin::Configuration config;
+		config.name = "Bro::PE";
+		config.description = "Portable Executable analyzer";
+		return config;
 		}
-};
+} plugin;
 
-Plugin __plugin;
-
-} }
+}
+}
diff --git a/src/types.bif b/src/types.bif
index 70da9e14e0..180112dd8c 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -168,22 +168,6 @@ type PE::FileHeader: record;
 type PE::OptionalHeader: record;
 type PE::SectionHeader: record;
 
-module Log;
-
-enum Writer %{
-	WRITER_DEFAULT,
-	WRITER_NONE,
-	WRITER_ASCII,
-	WRITER_DATASERIES,
-	WRITER_SQLITE,
-	WRITER_ELASTICSEARCH,
-%}
-
-enum ID %{
-	Unknown,
-%}
-
-
 module Tunnel;
 enum Type %{
 	NONE,

From 89d66af7923997888fd0d9764529f66b499e2bac Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 8 Apr 2015 13:39:42 -0400
Subject: [PATCH 23/54] Fix an issue with packet loss in http file reporting.

The HTTP analyzer was propogating Gaps to the files framework even
in the case of a packet drop occurring immediately after the headers
are completed in an HTTP response when the response content length
was declared to be zero (no file started, so no loss).

Includes passing test.
---
 src/analyzer/protocol/http/HTTP.cc              |   5 ++++-
 .../http/zero-length-bodies-with-drops.pcap     | Bin 0 -> 19611 bytes
 .../http/zero-length-bodies-with-drops.bro      |  10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Traces/http/zero-length-bodies-with-drops.pcap
 create mode 100644 testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 924c958e43..2258f4a7d1 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -239,7 +239,10 @@ int HTTP_Entity::Undelivered(int64_t len)
 			  len, expect_data_length);
 		}
 
-	if ( end_of_data && in_header )
+	// Don't propogate an entity (file) gap if we're 
+	// still in the headers or the body length was 
+	// declared to be zero.
+	if ( (end_of_data && in_header) || body_length == 0 ) 
 		return 0;
 
 	if ( is_partial_content )
diff --git a/testing/btest/Traces/http/zero-length-bodies-with-drops.pcap b/testing/btest/Traces/http/zero-length-bodies-with-drops.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..6de1f1efc577b3f0aa6681ea74fb1198e21fb1a0
GIT binary patch
literal 19611
zcmeHP4R9OBbw2)xw%IUNe%i7VcYIbV#EyZ({r`Z5LP{hoMI?oiG-J7r)#KqvKm_jK
zy8}VFEGKQ^j3-X(h?SjGwkK&Ojg`Mn>$npqp8h!fiQP<^s!kobiJP|5y3?_&(WE0g
zc3i3N?ExeY0FR_dWNMn2xxd}pw{Q1$-}~O%xA@*)J^BZ&R6AAuUAjb3E$~pj@7|%O
zp6jIcz&##R$DhQ$+jaYw2S<N$>Pl*WqS&EVdZ`a}?EL3Wikdk%k-GNjVJaP4`1T2W
zx!6im?FL1)w(oeXrKP=f7O1`acP)$5d^$c&pW1U*_fju)bU%rdkRp|SdidPw<1SFV
zzxeiRFMi}7ky`utDz*0Sv`{kCghw53*AKl;czeEvxBG#jm)_aSe&RC}g*^2>+d@Tl
zP~@nkvZH(GB2xLe7gwV4+s{+f%>!d}T+hVwaqfM2-Sv`e#K2R*^qeHeD-kz2!E#!}
zOL79sYO1QJEYAv}EJyTAE|U~wQ5DpPW5PYBvJ#Zg9k}NsdI>HO!%Ak%NxhW!4it)x
z>AE@FikMz97dc`WmC{jCP>M!5p5;}B<2i|CqD%EfxrkS^U0_FMBe`-iQku2M*>&+A
z_>JVO9B>#hoMhJXio1orc-(WQnVFoG$r-j=%6TSZ*oF9*qZ`vXYbri2#1B}m=a_mS
zzQkF4w~%6YEBi!M!L!JT99#unkY%{aEHA=^6GZ`E+CR|OKQMv`_yq6ZyBxl;ckjT!
za6jDa=H;B_nU1CBN6bvlF%56G(C;}V6LO3RxaS0s*Er}>k={QxmX31_*VVb-cD)46
ziL7BTGt6YU;1n3k^tw84aZM-IH)UFoJ!IdN%jfmD#IW@BAApA1Ww(dErH8KE)5Bx5
z%y2!lX~k|C?V+8S1jlF$&v4QW^v$L*ZO3_*<5+<e=oGLvY0t(521-a>oqdL37NHK$
zob}>auaJ-G#bQ2Z=pKB&_$;Q}I9r=q$oJftWEm~`-uQdTomwRn8`Q0-l0Ic7keQMj
zH7)YOVok9D%dj)>T@v)vUAbZuhD=`f%*FEivby7%z|euwLorpAv=|pHd6O}fkWr$3
zeM(p7LDMY8`trFMsEWgu?6WNkdL7tK(9@WyV<x8C(>Zu)cy!+puUwcg%SZ1Nn5kLI
zwHSM{l$@;mSdG;b6F!e5@lr;b6elGW?oCmYbWs<1foIho`iKi-eHTuYBa);l3M=w5
zFUh<nX{sXZf){Wytnh+NUYK!`yOxGL!|;-#aq>K`a<VM>7yn6N$&<qQ7e7yt=LMFR
zISDT?4d(?;(L{b;5O|dr=LJzwct{jgS<&WU&WZx$k*P~AGI`Q?pdw3(z|IQ_3&RgD
zA}}E+g2M6hQEZ4&%mx@0HI{)vOY&SJxyzm6I8jqYW?5s%t;VU6!tkofvT){EMic~6
zsthf!6v7JhnI-xf$B??A3Q=Uq+j<G|E3eN(#lBQhS&<Np!tllvzcMyjVMF62nPng&
zic)jnObay#N&=5ssoAn;=n_iJtN%JEHUHsmB73`g*+2RsMRB4eYt@>nq#;qMsUDMH
zM%D0m2Q(AMojq-kamTGN?l?mL0%7BB`REl_prV){##W_b-<1iS1KgybhfvYFI=ect
zZ;!I=)J@Q>c+_dh>!17eUW)1X{%nnw^kNIAA58Cjo%;Kyp&0ogt;dvh>btEJIcjOO
zKKY!Ew7&N*4QX}1PF=i@qN*a5hFL+U?2?t~>Krw_SatRvS@UR;MW(@Mf{tBn9FT%5
zjstVH2%^_bj_O{N<^{U1=+G#YX--WDN<tLrn}^1FGIl}FS;-|$&{NdCY%<<c)0)-h
zAMjE)|2E9QpzW)L1dXaUahZzuee4`4-8rIi=ZM0cLv=exl<l0aYUen14%I9q&iN{K
z4itY-y(Uq)MvMu7D^<lxlz<01Gd5^iQ(iVfvt6D2pk5O6ShfV+F49AKgKo#pb!JQ_
zL8m@2+SQpB(h0g~gBCmn$}+jD(%N#l%uG6_S<aefp7CblWx<FSg(3s`aaVL-I=QQF
zaFFgFP1E}hjnKmf`gc{Q$_#%+2m~DNAQ14Gpcp#+;JMQ$y3#w7pZwTKin<Rb$ya|A
z1_6hEfk40&sT}{!AOu{5eE_OdAEyC=^RhW7^Q$G@@p5_d@)2P}=(Y`ewqcL2AHlNN
zny^O!)V&P$h-x!o4^(z}ii#9mQBiFnz=Bfqagdt505tHZg@6=4{EI~PJ|2|4&)!R9
zZ+G&O&%8iU1o{)$gY@3@Qd<b@xxgY+dE!(Ms+{PGEj)Wa!k%vtF95QFw0`+q8#M;7
z2ah_~le(ZFt*?K$AuWJCuO40odw7<m4;`#Q32VkYs&bh_i4<IMD1{;pHNh&Iig|#S
z<&#g6Ve)O51F$Lypcp$=1QfAoB{xJGX-A(b=n2}gV}@>I!S)Qn9@XYI6MNto+usq2
zJ-W&Gf3jx$gZt@$8`C>`j@|tkih2O3jL-S5Cv-v8&Y~UN!xq6Fzp)aPp&tdY$K|=7
z&|Iy!pA=aWMBn|yt<n92rK21c6#oCYp9D=&!HFdBqJZuwNs|S*G<H8h8zhnmr**iW
zw$ax%`r6{?OA8vkL;=u8n&fnX%0kf>O3e~T&As4y!lPDdwur+vO3kb92ujT#fcpt#
zZ+FkJN4`u^;NEKNbRyNSsCc&!hFd~k*rPk|X$?VNKmA`sOppB_h?pL@F}Co-<A}cg
z;u`o4<cGB6kGE2P1IP=HI`s9mpI$^-j~;AD3((hpKD7*eZP@9w+Gx7Waj**f;WpRl
z)M)-~n1juAI-#NkrxU2zIaIQBPA62ZYjQd@1c0G%j}s8>HWTjQpzi(Djxbl#M+w{;
z4T_u}9zS>bQ{TYV#@Rb4>gzz|o4?jdbph1FqgHUWUrHyC%2iJVsr(xlO()N!yZ5~P
zs&hfOH$4NZgI*G}kH31yhB%hM2Q`z+nD%(iEc;%mx+TDEB(sfVwl<Q{cqw4YDq0i$
zNLX1Yl37Xj_yylw7zBmm7jI~%ZUxMMM;&f>f9Em84WHW+#0@9U#1>wdNCR&8@a@ZR
z!#ce-0)$O0t$Sks!#oJCe9DjjpCq_eRY_c0v#b`a`*@@VShZY5ZHwAwdTunn>Ndsd
z8IcV44Rg>$&yC;wW~y==XQxKOJU8issD$78yFn%V!o<1L54{GSoAcK1P}Dbp$}4ZV
zA|!BV<oA)v73r0z+}&NL%Jobphfx-K9)enCAdu*mk-^=(B=nPb9JuL&Cq6|^5KF?0
z8oK2gcFDuA9Fpp~la5|6%eFJ^zm*v!;W_Ug#c$@=`Ml}iq8elhDIL%KQ>Le9T=1!7
zN_mK1aSY!rhs9-hEa)D24cYP2OwY(d36g5V(q3LaMlxLYND)@IEYmrVA(@h*$ZR#M
z0HHg2C8IEv!#A)&r2=w+cLbZ{bAB!GT<~V9&4MQg;9y0T4^SJ+d3lHdf;NnqrbWo`
z?2z9R5=22&Qpg3vh@cvt9VjxDJC1Akf}f}yvXC^E81>9z<#sOwK2`GZB14l&yZTMn
zaB@Zbc91Ug2Qv4;D(RH%<V?TI0(l3`WALpiof*if`SjRBnD2jlQYiyHWI-&`OwKUf
zYFDLJ?prKg*RL`}wWy>curWmlFAA*~7iyP%m=yVF*e*Wh!8eE%>_Uu>L4**;#ca!r
zxzKm9iAt}fmVLxj5rz$ZZRRKjLJ{700b1jC6LuocSHF<#r<2ixIlwc7h+%Ue04%FR
za8iCTZ?P?YTv~bywJ2-mrn3HQ<W&jVkKe4E%XnFM5c(mUiX`gpxanYwAW0QS+ELe^
z?T6us)vD8d942*N#=ZUqe22^s*0S-Q^(Q#bI;K~0ER#%EcGB@D7h4quknI+27=#ds
z=a^Q;bW8_CS0iziDL~`}O3jDg8Y(qU5~+D8C^cUksmk7WKSNQKNIv8<MP_CSXTlMT
zNh4|4Du_|ETnK-&9mXwBE-u0Yzb4ASVY@FAVk(iSOh0(6;uaTJnOA+cxX?I!a@%&=
zww<=P?Ifrb+i4k?+&nMv&klmW!F;$VHNOH<6U-ZO)VhtR;gJVXYQCjAC^gUTB~r7y
z=lq#zh}GBD5`KtvedooiLOj9mq%lbU`NxA+*h8<y7S8WY@0^(1bDi%8_A&B*oDHRQ
z9a?k`HKLV8ukz<+meX4J$yFiN;XB`rv`(IAz*iQn!?L&qtV2oNRO_(OgkHruT%Cg^
zT8Dn+&9n}2{AaK03UTy~JWS@=O*L~Zd+zk7uR%xe9lI&&$3W#He;gK5IQ|GyY1_LJ
zm4AhizkFLs#nD@F^KyV)43_1qJ4!T8Q)LnMe8AHEwwrf*m&6)(NswW)_HaRQZJQ-n
zP8FKEXToQjR|K+WqOvgn10UD1jRNM&B9?)TQodtsGqH?R>rR9inZQO08G~l(+=+f-
zjXSZD7}x|M!2Yi2*4hMtQuA*?YW9NC$D<DC@Z+aYYF_!Cpwzr@E0Mjht>lqAm&X($
zz1Z)C#T1Iaf|z0MPlK4@)7QinE=(Z)c=$GC1Aj>CxBjq=`lmLE9JSu*wr`2Mk=C)F
zZ%7O9$8{jl7q?QZ+dKWU8cw0wUrUJcy70&1eylf;q}kjaSla2e2C22VRj;y<rJ)4e
zFb7Qof7P+qOz?-3yyel35b!tt=R^R#t4099(!gh*NbkJq_~9F2=kzD;9Xj!qupL~f
z@1v+V+8PuUpM4^>@Y)Aa?40;ZB6Hw`w7&6Jdx+Rcok3cY6AfvB*h#*!5wRmnHH%`R
zRHMZpp<avmi8WfRl31g~poUcz#Y8s2a&Ky}v;H2~G_kY(s>8(&C_Zixc*)WlRwUQN
zL9@ipV&%;gJ2=Vz?3u6?$=mm%*l9f;6g#hd@Z9Oo--b5l;EyTlC{X#T-WIYV>D-T0
z{;MWLX^G1I|7mD*;{OHUKLcQF(YDdKy)}P>Tl3#QP;mK1{WZWh_y>c~z5DP72#ZE1
z&o#m51fn(STB|iWA)#Jf`-wH`x{?@F*I2`rGCEOeUNg}~^#Rzzqt50OoCi>9o>hXf
z_tFrNy<l@nNs99S!-8yNLxNYoV@HSs{S<8JVLGmy4kEVC-xgcAbSt92k4KOX{2{Fq
z@7WQ8{!T%lJJZqr?S`}f{r%GT2GAd`)C?yPtk8fDLxF_4;Z#Ws4ks)MZwCL!LBJYT
zLx0?x-RKn8-2<D4{?=XfDiV-mmn5K4m4IPJ=b9SdH1t<(elyV@PVz7HT^V9@I%KWj
zELS6e!0YveSJCLa8BDx;fQsGH7DC1Qca&rQ{c=MpZv!eX`&2$;g_*8jgE04(Iuav6
tf%An|L3kZbzwO$KnR|%jf)nA$ZV%(=EaB*E4M&HeT@Ysn99^KO{{w@>V_5(I

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro b/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro
new file mode 100644
index 0000000000..ccf397617e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro
@@ -0,0 +1,10 @@
+# This tests an issue with interaction between zero length
+# http bodies and the file analysis code.  It is creating
+# files when there isn't actually any body there and shouldn't
+# create a file.
+#
+# @TEST-EXEC: bro -r $TRACES/http/zero-length-bodies-with-drops.pcap %INPUT
+
+# There shouldn't be a files log (no files!)
+# @TEST-EXEC: test ! -f files.log
+

From 6162d986a24a57ebbd9cd208c0a69750933e6346 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 8 Apr 2015 13:41:03 -0400
Subject: [PATCH 24/54] Fix an issue with files having gaps before the
 bof_buffer is filled.

When files had gaps prior to the bof_buffer completely filling, the
file gap handling code was never sniffing and passing along as much
data as possible so file type identification wasn't working correctly.
---
 src/file_analysis/File.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index d0b1ea2a01..2b0d76f8d6 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -538,7 +538,12 @@ void File::Gap(uint64 offset, uint64 len)
 		return;
 		}
 
-	analyzers.DrainModifications();
+	if ( ! bof_buffer.full )
+		{
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File gap before bof_buffer filled, continued without attempting to fill bof_buffer.", id.c_str());
+		bof_buffer.full = true;
+		DeliverStream((const u_char*) "", 0);
+		}
 
 	file_analysis::Analyzer* a = 0;
 	IterCookie* c = analyzers.InitForIteration();

From e8c87e19bd79ee63470d2fa92a5abdd8569b4744 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 9 Apr 2015 01:23:55 -0400
Subject: [PATCH 25/54] More file type identification improvements

 - Split fonts into their own file.
 - Improved JSON matching.
 - Added XML-RPC content matching using application/xml-rpc
 - Added OCSP requests
---
 .../base/frameworks/files/magic/__load__.bro  |  1 +
 scripts/base/frameworks/files/magic/font.sig  | 40 +++++++++++++++++
 .../base/frameworks/files/magic/general.sig   | 33 +++++++++-----
 .../base/frameworks/files/magic/libmagic.sig  | 45 -------------------
 scripts/base/frameworks/files/magic/video.sig |  4 +-
 5 files changed, 65 insertions(+), 58 deletions(-)
 create mode 100644 scripts/base/frameworks/files/magic/font.sig

diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro
index 19a0090255..34115f0a55 100644
--- a/scripts/base/frameworks/files/magic/__load__.bro
+++ b/scripts/base/frameworks/files/magic/__load__.bro
@@ -1,5 +1,6 @@
 @load-sigs ./archive
 @load-sigs ./audio
+@load-sigs ./font
 @load-sigs ./general
 @load-sigs ./image
 @load-sigs ./msoffice
diff --git a/scripts/base/frameworks/files/magic/font.sig b/scripts/base/frameworks/files/magic/font.sig
new file mode 100644
index 0000000000..f4f7d77e48
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/font.sig
@@ -0,0 +1,40 @@
+# Web Open Font Format
+signature file-woff {
+	file-magic /^wOFF/
+	file-mime "application/font-woff", 70
+}
+
+# TrueType font
+signature file-ttf {
+	file-mime "application/x-font-ttf", 80
+	file-magic /^\x00\x01\x00\x00\x00/
+}
+
+signature file-embedded-opentype {
+	file-mime "application/vnd.ms-fontobject", 50
+	file-magic /^.{34}LP/
+}
+
+# X11 SNF font
+signature file-snf {
+	file-mime "application/x-font-sfn", 70
+	file-magic /^(\x04\x00\x00\x00|\x00\x00\x00\x04).{100}(\x04\x00\x00\x00|\x00\x00\x00\x04)/
+}
+
+# OpenType font
+signature file-opentype {
+	file-mime "application/vnd.ms-opentype", 70
+	file-magic /^OTTO/
+}
+
+# FrameMaker Font file
+signature file-maker-screen-font {
+	file-mime "application/x-mif", 190
+	file-magic /^\x3cMakerScreenFont/
+}
+
+# >0  string,=SplineFontDB: (len=13), ["Spline Font Database "], swap_endian=0
+signature file-spline-font-db {
+	file-mime "application/vnd.font-fontforge-sfd", 160
+	file-magic /^SplineFontDB\x3a/
+}
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index e1d3cc9b03..2ef99c31fc 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -10,12 +10,18 @@ signature file-plaintext {
 # This can't go well...
 signature file-json {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(['"][a-zA-Z\\][a-zA-Z0-9\\]*['"]|[a-zA-Z][a-zA-Z0-9]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(["][^"]{1,}["]|[a-zA-Z][a-zA-Z0-9\\_]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(["]|\[|\{|[0-9]|true|false)/
 }
 
 signature file-json2 {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(['"][a-zA-Z\\][a-zA-Z0-9\\]*['"]|[0-9]{1,})[\x0d\x0a[:blank:]]*,[\x0d\x0a[:blank:]]*(['"]|\[|\{|[0-9]|true|false)/
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(((["][^"]{1,}["]|[0-9]{1,}(\.[0-9]{1,})?|true|false)[\x0d\x0a[:blank:]]*,)|\{|\[)[\x0d\x0a[:blank:]]*/
+}
+
+# Match empty JSON documents.
+signature file-json3 {
+	file-mime "text/json", 0
+	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*(\[\]|\{\})[\x0d\x0a[:blank:]]*$/
 }
 
 signature file-xml {
@@ -63,6 +69,11 @@ signature file-cross-domain-policy2 {
 	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
 }
 
+signature file-xmlrpc {
+	file-mime "application/xml-rpc", 49
+	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][eE][tT][hH][oO][dD][rR][eE][sS][pP][oO][nN][sS][eE]>/
+}
+
 signature file-coldfusion {
 	file-mime "magnus-internal/cold-fusion", 20
 	file-magic /^([\x0d\x0a[:blank:]]*(<!--.*-->)?)*<(CFPARAM|CFSET|CFIF)/
@@ -80,21 +91,21 @@ signature file-jar {
 }
 
 signature file-java-applet {
-	file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
 	file-mime "application/x-java-applet", 71
+	file-magic /^\xca\xfe\xba\xbe...[\x2d-\x34]/
 }
 
-signature file-oscp-response {
+# OCSP requests over HTTP.
+signature file-ocsp-request {
+	file-magic /^.{11,19}\x06\x05\x2b\x0e\x03\x02\x1a/
+	file-mime "application/ocsp-request", 71
+}
+
+signature file-ocsp-response {
 	file-magic /^.{11,19}\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01/
 	file-mime "application/ocsp-response", 71
 }
 
-# Web Open Font Format
-signature file-woff {
-	file-magic /^wOFF/
-	file-mime "application/font-woff", 70
-}
-
 # Shockwave flash
 signature file-swf {
 	file-magic /^(F|C|Z)WS/
@@ -188,7 +199,7 @@ signature file-javascript {
 
 signature file-javascript2 {
 	file-mime "application/javascript", 60
-	file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]['"]?>/
+	file-magic /^[\x0d\x0a[:blank:]]*<[sS][cC][rR][iI][pP][tT][[:blank:]]+([tT][yY][pP][eE]|[lL][aA][nN][gG][uU][aA][gG][eE])=['"]?([tT][eE][xX][tT]\/)?[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
 }
 
 signature file-javascript3 {
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
index 5975962838..80ab9bfaa9 100644
--- a/scripts/base/frameworks/files/magic/libmagic.sig
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
@@ -99,19 +99,12 @@ signature file-magic-auto34 {
 	file-magic /(\x23VRML ?V1\x2e0 ?ascii)/
 }
 
-# >0  string,=<MakerScreenFont (len=16), ["FrameMaker Font file"], swap_endian=0
-signature file-magic-auto35 {
-	file-mime "application/x-mif", 190
-	file-magic /(\x3cMakerScreenFont)/
-}
-
 # >0  string,=Extended Module: (len=16), ["Fasttracker II module sound data"], swap_endian=0
 signature file-magic-auto36 {
 	file-mime "audio/x-mod", 190
 	file-magic /(Extended Module\x3a)/
 }
 
-
 # >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
 # >>20  search/wc/1000,=<!DOCTYPE X3D (len=13), ["X3D (Extensible 3D) model xml text"], swap_endian=0
 signature file-magic-auto40 {
@@ -214,12 +207,6 @@ signature file-magic-auto61 {
 	file-magic /(.{39})(\x3cgmr\x3aWorkbook)/
 }
 
-# >0  string,=SplineFontDB: (len=13), ["Spline Font Database "], swap_endian=0
-signature file-magic-auto63 {
-	file-mime "application/vnd.font-fontforge-sfd", 160
-	file-magic /(SplineFontDB\x3a)/
-}
-
 # >0  string/ct,=delivered-to: (len=13), ["SMTP mail text"], swap_endian=0
 signature file-magic-auto64 {
 	file-mime "message/rfc822", 160
@@ -514,12 +501,6 @@ signature file-magic-auto162 {
 	file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fwww.opengis.net\x2fkml)/
 }
 
-# >0  string,=\000\001\000\000\000 (len=5), ["TrueType font data"], swap_endian=0
-signature file-magic-auto187 {
-	file-mime "application/x-font-ttf", 80
-	file-magic /(\x00\x01\x00\x00\x00)/
-}
-
 # >0  string,=%PDF- (len=5), ["PDF document"], swap_endian=0
 signature file-magic-auto189 {
 	file-mime "application/pdf", 80
@@ -576,14 +557,6 @@ signature file-magic-auto203 {
 #	file-magic /(.{4})/
 #}
 
-
-# >0  lelong&,=4 (0x00000004), [""], swap_endian=0
-# >>104  lelong&,=4 (0x00000004), ["X11 SNF font data, LSB first"], swap_endian=0
-signature file-magic-auto217 {
-	file-mime "application/x-font-sfn", 70
-	file-magic /(\x04\x00\x00\x00)(.{100})(\x04\x00\x00\x00)/
-}
-
 # This didn't auto-generate correctly due to non-sequential offsets and
 # use of bitwise/relational comparisons.  At a glance: may not be
 # that common/useful, leaving for later.
@@ -1279,18 +1252,6 @@ signature file-magic-auto378 {
 	file-magic /(\x13\x57\x9a\xce)/
 }
 
-# >0  belong&,=4 (0x00000004), ["X11 SNF font data, MSB first"], swap_endian=0
-signature file-magic-auto379 {
-	file-mime "application/x-font-sfn", 70
-	file-magic /(\x00\x00\x00\x04)/
-}
-
-# >0  string,=OTTO (len=4), ["OpenType font data"], swap_endian=0
-signature file-magic-auto380 {
-	file-mime "application/vnd.ms-opentype", 70
-	file-magic /(OTTO)/
-}
-
 # >0  string,=<MML (len=4), ["FrameMaker MML file"], swap_endian=0
 signature file-magic-auto381 {
 	file-mime "application/x-mif", 70
@@ -1539,12 +1500,6 @@ signature file-magic-auto496 {
 	file-magic /(\x85\x02)/
 }
 
-# >34  string,=LP (len=2), ["Embedded OpenType (EOT)"], swap_endian=0
-signature file-magic-auto506 {
-	file-mime "application/vnd.ms-fontobject", 50
-	file-magic /(.{34})(LP)/
-}
-
 # >0  beshort&,=2935 (0x0b77), ["ATSC A/52 aka AC-3 aka Dolby Digital stream,"], swap_endian=0
 signature file-magic-auto507 {
 	file-mime "audio/vnd.dolby.dd-raw", 50
diff --git a/scripts/base/frameworks/files/magic/video.sig b/scripts/base/frameworks/files/magic/video.sig
index bc0f24c46a..6df3dd5fc3 100644
--- a/scripts/base/frameworks/files/magic/video.sig
+++ b/scripts/base/frameworks/files/magic/video.sig
@@ -85,11 +85,11 @@ signature file-quicktime {
 # MPEG v4 video
 signature file-mp4 {
 	file-mime "video/mp4", 70
-	file-magic /(.{4})(ftyp)(isom|mp4[12])/
+	file-magic /^....ftyp(isom|mp4[12])/
 }
 
 # 3GPP Video
 signature file-3gpp {
 	file-mime "video/3gpp", 60
-	file-magic /^....(ftyp)(3g[egps2]|avc1|mmp4)/
+	file-magic /^....ftyp(3g[egps2]|avc1|mmp4)/
 }

From 0ee7d82e19f4405d8f44949005c67286ea0a737c Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 9 Apr 2015 23:58:46 -0400
Subject: [PATCH 26/54] Make HTTP 206 reassembly require ETags by default.

---
 scripts/base/protocols/http/files.bro |  4 ++--
 scripts/base/protocols/http/main.bro  | 19 +++++++++++++++----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.bro
index 840b5a2372..92747beb87 100644
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.bro
@@ -19,12 +19,12 @@ function get_file_handle(c: connection, is_orig: bool): string
 	if ( ! c?$http )
 		return "";
 
-	if ( c$http$range_request && ! is_orig )
+	if ( c$http$range_request && c$http?$etag && ! is_orig )
 		{
 		# Any multipart responses from the server are pieces of same file
 		# that correspond to range requests, so don't use mime depth to
 		# identify the file.
-		return cat(Analyzer::ANALYZER_HTTP, is_orig, c$id$orig_h, build_url(c$http));
+		return cat(Analyzer::ANALYZER_HTTP, is_orig, c$id$orig_h, build_url(c$http), c$http$etag);
 		}
 	else
 		{
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 2349635844..4475d35d86 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -78,6 +78,9 @@ export {
 		## Indicates if this request can assume 206 partial content in
 		## response.
 		range_request:           bool      &default=F;
+		## ETag for the return data used to match up 
+		## partial content responses.
+		etag:                    string    &optional;
 	};
 
 	## Structure to maintain state for an HTTP connection with multiple
@@ -89,6 +92,10 @@ export {
 		current_request:  count                &default=0;
 		## Current response in the pending queue.
 		current_response: count                &default=0;
+		## Track the current deepest transaction.
+		## This is meant to cope with missing requests 
+		## and responses.
+		trans_depth:      count                &default=0;
 	};
 
 	## A list of HTTP headers typically used to indicate proxied requests.
@@ -150,9 +157,7 @@ function new_http_session(c: connection): Info
 	tmp$ts=network_time();
 	tmp$uid=c$uid;
 	tmp$id=c$id;
-	# $current_request is set prior to the Info record creation so we
-	# can use the value directly here.
-	tmp$trans_depth = c$http_state$current_request;
+	tmp$trans_depth = ++c$http_state$trans_depth;
 	return tmp;
 	}
 
@@ -278,7 +283,13 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 				}
 			}
 		}
-
+	else
+		{
+		if ( name == "ETAG" )
+			{
+			c$http$etag = value;
+			}
+		}
 	}
 
 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = 5

From a55ce01ef317d6d61ec9289a1d0ef7b35eb140f6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 10 Apr 2015 16:26:06 -0500
Subject: [PATCH 27/54] API changes to file analysis mime type detection.

Removed "file_mime_type" and "file_mime_types" event, replacing them
with a new event called "file_metadata_inferred".  It has a record
argument of type "inferred_file_metadata", which contains the mime type
information that the earlier events used to supply.  The idea here is
that future extensions to the record with new metadata will be less
likely to break user code than the alternatives (adding new events or
new event parameters).

Addresses BIT-1368.
---
 NEWS                                          | 15 ++--
 doc/frameworks/file_analysis_02.bro           |  5 +-
 doc/httpmonitor/file_extraction.bro           | 11 ++-
 scripts/base/frameworks/files/main.bro        | 11 ++-
 scripts/base/init-bare.bro                    |  8 ++
 scripts/base/protocols/ftp/files.bro          |  7 +-
 scripts/base/protocols/http/entities.bro      | 13 +--
 scripts/base/protocols/irc/files.bro          |  8 +-
 src/NetVar.cc                                 |  2 +
 src/NetVar.h                                  |  1 +
 src/event.bif                                 | 50 +++++------
 src/file_analysis/File.cc                     | 82 ++++++++++---------
 src/file_analysis/File.h                      | 19 +++--
 .../output                                    |  5 +-
 .../output                                    | 11 ++-
 testing/btest/Baseline/plugins.hooks/output   | 24 +++---
 .../all-events-no-args.log                    |  6 +-
 .../all-events.log                            | 12 +--
 ...-doc_frameworks_file_analysis_02_bro.btest |  5 +-
 ...-doc_httpmonitor_file_extraction_bro.btest | 11 ++-
 20 files changed, 170 insertions(+), 136 deletions(-)

diff --git a/NEWS b/NEWS
index 7129b293d5..4addcc519c 100644
--- a/NEWS
+++ b/NEWS
@@ -79,14 +79,17 @@ Changed Functionality
 - File analysis
 
     * Removed ``fa_file`` record's ``mime_type`` and ``mime_types``
-      fields.  The events ``file_mime_type`` and ``file_mime_types``
-      have been added which contain the same information.  The
-      ``mime_type`` field of ``Files::Info`` also still has this info.
+      fields.  The event ``file_metadata_inferred`` has been added
+      which contain the same information.  The ``mime_type`` field of
+      ``Files::Info`` also still has this info.
 
     * The earliest point that new mime type information is available is
-      in the ``file_mime_type`` event which comes after the ``file_new``
-      and ``file_over_new_connection`` events.  Scripts which inspected
-      mime type info within those events will need to be adapted.
+      in the ``file_metadata_inferred`` event which comes after the
+      ``file_new`` and ``file_over_new_connection`` events.  Scripts
+      which inspected mime type info within those events will need to be
+      adapted.  (Note: for users that worked w/ versions of Bro from git,
+      there was also an event called ``file_mime_type`` which is now
+      replaced be the ``file_metadata_inferred`` event).
 
     * Removed ``Files::add_analyzers_for_mime_type`` function.
 
diff --git a/doc/frameworks/file_analysis_02.bro b/doc/frameworks/file_analysis_02.bro
index 141b11fca6..b01a8464a6 100644
--- a/doc/frameworks/file_analysis_02.bro
+++ b/doc/frameworks/file_analysis_02.bro
@@ -1,7 +1,8 @@
-event file_mime_type(f: fa_file, mime_type: string)
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
     {
+	if ( ! meta?$mime_type ) return;
     print "new file", f$id;
-    if ( mime_type == "text/plain" )
+    if ( meta$mime_type == "text/plain" )
         Files::add_analyzer(f, Files::ANALYZER_MD5);
     }
 
diff --git a/doc/httpmonitor/file_extraction.bro b/doc/httpmonitor/file_extraction.bro
index 3860cb361e..b89f87705c 100644
--- a/doc/httpmonitor/file_extraction.bro
+++ b/doc/httpmonitor/file_extraction.bro
@@ -7,15 +7,18 @@ global mime_to_ext: table[string] of string = {
 	["text/html"] = "html",
 };
 
-event file_mime_type(f: fa_file, mime_type: string)
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
 	{
 	if ( f$source != "HTTP" )
 		return;
 
-	if ( mime_type !in mime_to_ext )
+	if ( ! meta?$mime_type )
 		return;
 
-	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]);
+	if ( meta$mime_type !in mime_to_ext )
+		return;
+
+	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
 	print fmt("Extracting file %s", fname);
 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
-	}
\ No newline at end of file
+	}
diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index fa4df59cf3..273f45efdb 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -484,16 +484,19 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h];
 	}
 
-event file_mime_type(f: fa_file, mime_type: string) &priority=10
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=10
 	{
 	set_info(f);
 
-	f$info$mime_type = mime_type;
+	if ( ! meta?$mime_type )
+		return;
+
+	f$info$mime_type = meta$mime_type;
 
 	if ( analyze_by_mime_type_automatically &&
-	     mime_type in mime_type_to_analyzers )
+	     meta$mime_type in mime_type_to_analyzers )
 		{
-		local analyzers = mime_type_to_analyzers[mime_type];
+		local analyzers = mime_type_to_analyzers[meta$mime_type];
 		for ( a in analyzers )
 			{
 			add f$info$analyzers[Files::analyzer_name(a)];
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index cfe845eb4f..fb3ccd6698 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -414,6 +414,14 @@ type fa_file: record {
 	bof_buffer: string &optional;
 } &redef;
 
+## Metadata that's been inferred about a particular file.
+type inferred_file_metadata: record {
+	## The strongest matching mime type if one was discovered.
+	mime_type: string &optional;
+	## All matching mime types if any were discovered.
+	mime_types: mime_matches &optional;
+};
+
 ## Fields of a SYN packet.
 ##
 ## .. bro:see:: connection_SYN_packet
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro
index 617b57348b..8c18d19869 100644
--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.bro
@@ -63,10 +63,13 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	f$ftp = ftp;
 	}
 
-event file_mime_type(f: fa_file, mime_type: string) &priority=5
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
 	{
 	if ( ! f?$ftp )
 		return;
 
-	f$ftp$mime_type = mime_type;
+	if ( ! meta?$mime_type )
+		return;
+
+	f$ftp$mime_type = meta$mime_type;
 	}
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index 9fcf7f24f7..6ea4c5d892 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -93,24 +93,27 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		}
 	}
 
-event file_mime_type(f: fa_file, mime_type: string) &priority=5
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
 	{
 	if ( ! f?$http || ! f?$is_orig )
 		return;
 
+	if ( ! meta?$mime_type )
+		return;
+
 	if ( f$is_orig )
 		{
 		if ( ! f$http?$orig_mime_types )
-			f$http$orig_mime_types = string_vec(mime_type);
+			f$http$orig_mime_types = string_vec(meta$mime_type);
 		else
-			f$http$orig_mime_types[|f$http$orig_mime_types|] = mime_type;
+			f$http$orig_mime_types[|f$http$orig_mime_types|] = meta$mime_type;
 		}
 	else
 		{
 		if ( ! f$http?$resp_mime_types )
-			f$http$resp_mime_types = string_vec(mime_type);
+			f$http$resp_mime_types = string_vec(meta$mime_type);
 		else
-			f$http$resp_mime_types[|f$http$resp_mime_types|] = mime_type;
+			f$http$resp_mime_types[|f$http$resp_mime_types|] = meta$mime_type;
 		}
 	}
 
diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.bro
index 518775abb4..ea9bf1bdc2 100644
--- a/scripts/base/protocols/irc/files.bro
+++ b/scripts/base/protocols/irc/files.bro
@@ -42,8 +42,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	f$irc = irc;
 	}
 
-event file_mime_type(f: fa_file, mime_type: string) &priority=5
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
 	{
-	if ( f?$irc )
-		f$irc$dcc_mime_type = mime_type;
-	}
\ No newline at end of file
+	if ( f?$irc && meta?$mime_type )
+		f$irc$dcc_mime_type = meta$mime_type;
+	}
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 7c66b55bc2..f7f6e12aac 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -10,6 +10,7 @@ RecordType* endpoint;
 RecordType* endpoint_stats;
 RecordType* connection_type;
 RecordType* fa_file_type;
+RecordType* inferred_file_metadata_type;
 RecordType* icmp_conn;
 RecordType* icmp_context;
 RecordType* SYN_packet;
@@ -316,6 +317,7 @@ void init_net_var()
 	endpoint_stats = internal_type("endpoint_stats")->AsRecordType();
 	connection_type = internal_type("connection")->AsRecordType();
 	fa_file_type = internal_type("fa_file")->AsRecordType();
+	inferred_file_metadata_type = internal_type("inferred_file_metadata")->AsRecordType();
 	icmp_conn = internal_type("icmp_conn")->AsRecordType();
 	icmp_context = internal_type("icmp_context")->AsRecordType();
 	signature_state = internal_type("signature_state")->AsRecordType();
diff --git a/src/NetVar.h b/src/NetVar.h
index edd70d1ea6..2c5221f6a7 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -13,6 +13,7 @@ extern RecordType* endpoint;
 extern RecordType* endpoint_stats;
 extern RecordType* connection_type;
 extern RecordType* fa_file_type;
+extern RecordType* inferred_file_metadata_type;
 extern RecordType* icmp_conn;
 extern RecordType* icmp_context;
 extern RecordType* signature_state;
diff --git a/src/event.bif b/src/event.bif
index dd941b6736..871ddd2d25 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -905,8 +905,8 @@ event get_file_handle%(tag: Analyzer::Tag, c: connection, is_orig: bool%);
 ##
 ## f: The file.
 ##
-## .. bro:see:: file_over_new_connection file_timeout file_gap file_mime_type
-##    file_state_remove
+## .. bro:see:: file_over_new_connection file_timeout file_gap
+##    file_metadata_inferred file_state_remove
 event file_new%(f: fa_file%);
 
 ## Indicates that a file has been seen being transferred over a connection
@@ -918,39 +918,30 @@ event file_new%(f: fa_file%);
 ##
 ## is_orig: true if the originator of *c* is the one sending the file.
 ##
-## .. bro:see:: file_new file_timeout file_gap file_mime_type 
+## .. bro:see:: file_new file_timeout file_gap file_metadata_inferred 
 ##    file_state_remove
 event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
 
-## Provide the most likely matching MIME type for this file. The analysis 
-## can be augmented at this time via :bro:see:`Files::add_analyzer`.
+## Provide all metadata that has been inferred about a particular file
+## from inspection of the initial content that been seen at the beginning
+## of the file.  The analysis can be augmented at this time via
+## :bro:see:`Files::add_analyzer`.
 ##
 ## f: The file.
 ##
-## mime_type: The mime type that was discovered.
+## meta: Metadata that's been discovered about the file.
 ##
-## .. bro:see:: file_over_new_connection file_timeout file_gap file_mime_type 
-##    file_mime_types file_state_remove
-event file_mime_type%(f: fa_file, mime_type: string%);
-
-## Provide all matching MIME types for this file. The analysis can be
-## augmented at this time via :bro:see:`Files::add_analyzer`.
-##
-## f: The file.
-##
-## mime_types: The mime types that were discovered.
-##
-## .. bro:see:: file_over_new_connection file_timeout file_gap file_mime_type 
-##    file_mime_types file_state_remove
-event file_mime_types%(f: fa_file, mime_types: mime_matches%);
+## .. bro:see:: file_over_new_connection file_timeout file_gap
+##    file_state_remove
+event file_metadata_inferred%(f: fa_file, meta: inferred_file_metadata%);
 
 ## Indicates that file analysis has timed out because no activity was seen
 ## for the file in a while.
 ##
 ## f: The file.
 ##
-## .. bro:see:: file_new file_over_new_connection file_gap file_mime_type
-##    file_mime_types file_state_remove default_file_timeout_interval
+## .. bro:see:: file_new file_over_new_connection file_gap
+##    file_metadata_inferred file_state_remove default_file_timeout_interval
 ##    Files::set_timeout_interval
 event file_timeout%(f: fa_file%);
 
@@ -962,8 +953,8 @@ event file_timeout%(f: fa_file%);
 ##
 ## len: The number of missing bytes.
 ##
-## .. bro:see:: file_new file_over_new_connection file_timeout file_mime_type
-##    file_mime_types file_state_remove file_reassembly_overflow
+## .. bro:see:: file_new file_over_new_connection file_timeout
+##    file_metadata_inferred file_state_remove file_reassembly_overflow
 event file_gap%(f: fa_file, offset: count, len: count%);
 
 ## Indicates that the file had an overflow of the reassembly buffer.
@@ -978,10 +969,11 @@ event file_gap%(f: fa_file, offset: count, len: count%);
 ##          file data and get back under the reassembly buffer size limit.
 ##          This value will also be represented as a gap.
 ##
-## .. bro:see:: file_new file_over_new_connection file_timeout file_mime_type
-##    file_mime_types file_state_remove file_gap Files::enable_reassembler 
-##    Files::reassembly_buffer_size Files::enable_reassembly 
-##    Files::disable_reassembly Files::set_reassembly_buffer_size
+## .. bro:see:: file_new file_over_new_connection file_timeout
+##    file_metadata_inferred file_state_remove file_gap
+##    Files::enable_reassembler Files::reassembly_buffer_size
+##    Files::enable_reassembly Files::disable_reassembly
+##    Files::set_reassembly_buffer_size
 event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
 
 ## This event is generated each time file analysis is ending for a given file.
@@ -989,7 +981,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
 ## f: The file.
 ##
 ## .. bro:see:: file_new file_over_new_connection file_timeout file_gap
-##    file_mime_type file_mime_types
+##    file_metadata_inferred
 event file_state_remove%(f: fa_file%);
 
 ## Generated when an internal DNS lookup produces the same result as last time.
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index c90c9f2413..9d5c934b51 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -53,31 +53,35 @@ int File::overflow_bytes_idx = -1;
 int File::timeout_interval_idx = -1;
 int File::bof_buffer_size_idx = -1;
 int File::bof_buffer_idx = -1;
+int File::meta_mime_type_idx = -1;
+int File::meta_mime_types_idx = -1;
 
 void File::StaticInit()
 	{
 	if ( id_idx != -1 )
 		return;
 
-	id_idx = Idx("id");
-	parent_id_idx = Idx("parent_id");
-	source_idx = Idx("source");
-	is_orig_idx = Idx("is_orig");
-	conns_idx = Idx("conns");
-	last_active_idx = Idx("last_active");
-	seen_bytes_idx = Idx("seen_bytes");
-	total_bytes_idx = Idx("total_bytes");
-	missing_bytes_idx = Idx("missing_bytes");
-	overflow_bytes_idx = Idx("overflow_bytes");
-	timeout_interval_idx = Idx("timeout_interval");
-	bof_buffer_size_idx = Idx("bof_buffer_size");
-	bof_buffer_idx = Idx("bof_buffer");
+	id_idx = Idx("id", fa_file_type);
+	parent_id_idx = Idx("parent_id", fa_file_type);
+	source_idx = Idx("source", fa_file_type);
+	is_orig_idx = Idx("is_orig", fa_file_type);
+	conns_idx = Idx("conns", fa_file_type);
+	last_active_idx = Idx("last_active", fa_file_type);
+	seen_bytes_idx = Idx("seen_bytes", fa_file_type);
+	total_bytes_idx = Idx("total_bytes", fa_file_type);
+	missing_bytes_idx = Idx("missing_bytes", fa_file_type);
+	overflow_bytes_idx = Idx("overflow_bytes", fa_file_type);
+	timeout_interval_idx = Idx("timeout_interval", fa_file_type);
+	bof_buffer_size_idx = Idx("bof_buffer_size", fa_file_type);
+	bof_buffer_idx = Idx("bof_buffer", fa_file_type);
+	meta_mime_type_idx = Idx("mime_type", inferred_file_metadata_type);
+	meta_mime_types_idx = Idx("mime_types", inferred_file_metadata_type);
 	}
 
 File::File(const string& file_id, const string& source_name, Connection* conn,
            analyzer::Tag tag, bool is_orig)
 	: id(file_id), val(0), file_reassembler(0), stream_offset(0), 
-	  reassembly_max_buffer(0), did_mime_type(false), 
+	  reassembly_max_buffer(0), did_metadata_inference(false),
 	  reassembly_enabled(false), postpone_timeout(false), done(false), 
 	  analyzers(this)
 	{
@@ -169,11 +173,13 @@ double File::LookupFieldDefaultInterval(int idx) const
 	return rval;
 	}
 
-int File::Idx(const string& field)
+int File::Idx(const string& field, const RecordType* type)
 	{
-	int rval = fa_file_type->FieldOffset(field.c_str());
+	int rval = type->FieldOffset(field.c_str());
+
 	if ( rval < 0 )
-		reporter->InternalError("Unknown fa_file field: %s", field.c_str());
+		reporter->InternalError("Unknown %s field: %s", type->GetName().c_str(),
+		                        field.c_str());
 
 	return rval;
 	}
@@ -281,48 +287,46 @@ void File::SetReassemblyBuffer(uint64 max)
 	reassembly_max_buffer = max;
 	}
 
-bool File::DetectMIME()
+void File::InferMetadata()
 	{
-	did_mime_type = true;
+	did_metadata_inference = true;
 
 	Val* bof_buffer_val = val->Lookup(bof_buffer_idx);
 
 	if ( ! bof_buffer_val )
 		{
 		if ( bof_buffer.size == 0 )
-			return false;
+			return;
 
 		BroString* bs = concatenate(bof_buffer.chunks);
 		bof_buffer_val = new StringVal(bs);
 		val->Assign(bof_buffer_idx, bof_buffer_val);
 		}
 
+	if ( ! FileEventAvailable(file_metadata_inferred) )
+		return;
+
 	RuleMatcher::MIME_Matches matches;
 	const u_char* data = bof_buffer_val->AsString()->Bytes();
 	uint64 len = bof_buffer_val->AsString()->Len();
 	len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);
 
-	if ( matches.empty() )
-		return false;
+	val_list* vl = new val_list();
+	vl->append(val->Ref());
+	RecordVal* meta = new RecordVal(inferred_file_metadata_type);
+	vl->append(meta);
 
-	if ( FileEventAvailable(file_mime_type) )
+	if ( ! matches.empty() )
 		{
-		val_list* vl = new val_list();
-		vl->append(val->Ref());
-		vl->append(new StringVal(*(matches.begin()->second.begin())));
-		FileEvent(file_mime_type, vl);
+		meta->Assign(meta_mime_type_idx,
+		             new StringVal(*(matches.begin()->second.begin())));
+		meta->Assign(meta_mime_types_idx,
+		             file_analysis::GenMIMEMatchesVal(matches));
 		}
 
-	if ( FileEventAvailable(file_mime_types) )
-		{
-		val_list* vl = new val_list();
-		vl->append(val->Ref());
-		vl->append(file_analysis::GenMIMEMatchesVal(matches));
-		FileEvent(file_mime_types, vl);
-		}
-
-	return true;
+	FileEvent(file_metadata_inferred, vl);
+	return;
 	}
 
 bool File::BufferBOF(const u_char* data, uint64 len)
@@ -355,9 +359,9 @@ void File::DeliverStream(const u_char* data, uint64 len)
 	// Buffer enough data for the BOF buffer
 	BufferBOF(data, len);
 
-	if ( ! did_mime_type && bof_buffer.full &&
+	if ( ! did_metadata_inference && bof_buffer.full &&
 	     LookupFieldDefaultCount(missing_bytes_idx) == 0 )
-		DetectMIME();
+		InferMetadata();
 
 	DBG_LOG(DBG_FILE_ANALYSIS,
 	        "[%s] %" PRIu64 " stream bytes in at offset %" PRIu64 "; %s [%s%s]",
@@ -582,7 +586,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	mgr.QueueEvent(h, vl);
 
 	if ( h == file_new || h == file_over_new_connection ||
-	     h == file_mime_type ||
+	     h == file_metadata_inferred ||
 	     h == file_timeout || h == file_extraction_limit )
 		{
 		// immediate feedback is required for these events.
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 645f7d5111..6ad90e986b 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -230,12 +230,11 @@ protected:
 	bool BufferBOF(const u_char* data, uint64 len);
 
 	/**
-	 * Does mime type detection via file magic signatures and assigns
-	 * strongest matching mime type (if available) to \c mime_type
-	 * field in #val.  It uses the data in the BOF buffer.
-	 * @return whether a mime type match was found.
+	 * Does metadata inference (e.g. mime type detection via file
+	 * magic signatures) using data in the BOF (beginning-of-file) buffer
+	 * and raises an event with the metadata.
 	 */
-	bool DetectMIME();
+	void InferMetadata();
 
 	/**
 	 * Enables reassembly on the file.
@@ -266,10 +265,11 @@ protected:
 
 	/**
 	 * Lookup a record field index/offset by name.
-	 * @param field_name the name of the \c fa_file record field.
+	 * @param field_name the name of the record field.
+	 * @param type the record type for which the field will be looked up.
 	 * @return the field offset in #val record corresponding to \a field_name.
 	 */
-	static int Idx(const string& field_name);
+	static int Idx(const string& field_name, const RecordType* type);
 
 	/**
 	 * Initializes static member.
@@ -282,7 +282,7 @@ protected:
 	FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */
 	uint64 stream_offset;      /**< The offset of the file which has been forwarded. */
 	uint64 reassembly_max_buffer;      /**< Maximum allowed buffer for reassembly. */
-	bool did_mime_type;        /**< Whether the mime type ident has already been attempted. */
+	bool did_metadata_inference;        /**< Whether the metadata inference has already been attempted. */
 	bool reassembly_enabled;           /**< Whether file stream reassembly is needed. */
 	bool postpone_timeout;     /**< Whether postponing timeout is requested. */
 	bool done;                 /**< If this object is about to be deleted. */
@@ -313,6 +313,9 @@ protected:
 	static int bof_buffer_idx;
 	static int mime_type_idx;
 	static int mime_types_idx;
+
+	static int meta_mime_type_idx;
+	static int meta_mime_types_idx;
 };
 
 } // namespace file_analysis
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
index 5e86c8d685..f8ca8e9d1a 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
@@ -2,10 +2,11 @@
 
 file_analysis_02.bro
 
-event file_mime_type(f: fa_file, mime_type: string)
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
     {
+	if ( ! meta?$mime_type ) return;
     print "new file", f$id;
-    if ( mime_type == "text/plain" )
+    if ( meta$mime_type == "text/plain" )
         Files::add_analyzer(f, Files::ANALYZER_MD5);
     }
 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
index b193e4a530..4a1fe36596 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
@@ -11,15 +11,18 @@ global mime_to_ext: table[string] of string = {
 	["text/html"] = "html",
 };
 
-event file_mime_type(f: fa_file, mime_type: string)
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
 	{
 	if ( f$source != "HTTP" )
 		return;
 
-	if ( mime_type !in mime_to_ext )
+	if ( ! meta?$mime_type )
 		return;
 
-	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]);
+	if ( meta$mime_type !in mime_to_ext )
+		return;
+
+	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
 	print fmt("Extracting file %s", fname);
 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
-	}
\ No newline at end of file
+	}
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index b60d905499..7ce4d80076 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -201,7 +201,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -298,7 +298,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -754,7 +754,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -851,7 +851,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -1306,7 +1306,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1403,7 +1403,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1770,7 +1770,7 @@
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(file_mime_type, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(file_metadata_inferred, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -1779,7 +1779,7 @@
 1362692527.009775   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
@@ -1795,7 +1795,7 @@
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009775   MetaHookPre   CallFunction(file_mime_type, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
+1362692527.009775   MetaHookPre   CallFunction(file_metadata_inferred, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1804,7 +1804,7 @@
 1362692527.009775   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
+1362692527.009775   MetaHookPre   QueueEvent(file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
 1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1821,7 +1821,7 @@
 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009775 | HookCallFunction file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
+1362692527.009775 | HookCallFunction file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -1830,7 +1830,7 @@
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookQueueEvent file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
+1362692527.009775 | HookQueueEvent file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index f5e53044b9..d5369c07a4 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -59,7 +59,7 @@
 1254722770.692743 file_over_new_connection
 1254722770.692743 mime_end_entity
 1254722770.692743 get_file_handle
-1254722770.692743 file_mime_type
+1254722770.692743 file_metadata_inferred
 1254722770.692743 file_state_remove
 1254722770.692743 get_file_handle
 1254722770.692743 mime_begin_entity
@@ -70,7 +70,7 @@
 1254722770.692743 file_over_new_connection
 1254722770.692804 mime_end_entity
 1254722770.692804 get_file_handle
-1254722770.692804 file_mime_type
+1254722770.692804 file_metadata_inferred
 1254722770.692804 file_state_remove
 1254722770.692804 get_file_handle
 1254722770.692804 mime_end_entity
@@ -84,7 +84,7 @@
 1254722770.692804 file_new
 1254722770.692804 file_over_new_connection
 1254722770.695115 new_connection
-1254722771.494181 file_mime_type
+1254722771.494181 file_metadata_inferred
 1254722771.858334 mime_end_entity
 1254722771.858334 get_file_handle
 1254722771.858334 file_state_remove
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 397812ae7c..847d5122e2 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -312,9 +312,9 @@
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
-1254722770.692743 file_mime_type
+1254722770.692743 file_metadata_inferred
                   [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
-                  [1] mime_type: string  = text/plain
+                  [1] meta: inferred_file_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722770.692743 file_state_remove
                   [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
@@ -356,9 +356,9 @@
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
-1254722770.692804 file_mime_type
+1254722770.692804 file_metadata_inferred
                   [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
-                  [1] mime_type: string  = text/html
+                  [1] meta: inferred_file_metadata = [mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]]]
 
 1254722770.692804 file_state_remove
                   [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
@@ -412,9 +412,9 @@
 1254722770.695115 new_connection
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1254722771.494181 file_mime_type
+1254722771.494181 file_metadata_inferred
                   [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
-                  [1] mime_type: string  = text/plain
+                  [1] meta: inferred_file_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722771.858334 mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
index 5e86c8d685..f8ca8e9d1a 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
@@ -2,10 +2,11 @@
 
 file_analysis_02.bro
 
-event file_mime_type(f: fa_file, mime_type: string)
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
     {
+	if ( ! meta?$mime_type ) return;
     print "new file", f$id;
-    if ( mime_type == "text/plain" )
+    if ( meta$mime_type == "text/plain" )
         Files::add_analyzer(f, Files::ANALYZER_MD5);
     }
 
diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest
index b193e4a530..4a1fe36596 100644
--- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest
@@ -11,15 +11,18 @@ global mime_to_ext: table[string] of string = {
 	["text/html"] = "html",
 };
 
-event file_mime_type(f: fa_file, mime_type: string)
+event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
 	{
 	if ( f$source != "HTTP" )
 		return;
 
-	if ( mime_type !in mime_to_ext )
+	if ( ! meta?$mime_type )
 		return;
 
-	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]);
+	if ( meta$mime_type !in mime_to_ext )
+		return;
+
+	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
 	print fmt("Extracting file %s", fname);
 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
-	}
\ No newline at end of file
+	}

From fa7946ae7d75e6c2aaf6dac5ffa26305bafe4715 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Mon, 13 Apr 2015 16:34:18 -0500
Subject: [PATCH 28/54] Checkpoint - Import Address Table being parsed.

---
 scripts/base/files/pe/main.bro                |  17 +-
 src/file_analysis/analyzer/pe/pe-analyzer.pac |  36 +--
 src/file_analysis/analyzer/pe/pe-file.pac     | 287 +++++++++++++++---
 src/file_analysis/analyzer/pe/pe.pac          |   2 +-
 4 files changed, 277 insertions(+), 65 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 754b788318..b05f1e3b72 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -39,15 +39,15 @@ hook set_file(f: fa_file) &priority=5
 
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
 	{
-	print "DOS header";
-	print h;
+#	print "DOS header";
+#	print h;
 	hook set_file(f);
 	}
 
 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 	{
-	print "File header";
-	print h;
+#	print "File header";
+#	print h;
 	hook set_file(f);
 	f$pe$compile_ts = h$ts;
 	f$pe$machine    = machine_types[h$machine];
@@ -57,8 +57,8 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 	{
-	print "Optional header";
-	print h;
+#	print "Optional header";
+#	print h;
 	hook set_file(f);
 	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
 	f$pe$subsystem = windows_subsystems[h$subsystem];
@@ -66,11 +66,10 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 	{
-	print "Section header";
-	print h;
+#	print "Section header";
+#	print h;
 	hook set_file(f);
 
-	print h;
 	if ( ! f$pe?$section_names )
 		f$pe$section_names = vector();
 	f$pe$section_names[|f$pe$section_names|] = h$name;
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 2b49cd2c23..1d7d0dbbff 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -7,12 +7,6 @@
 
 refine flow File += {
 
-	function proc_the_file(): bool
-		%{
-		printf("Processed\n");
-		return true;
-		%}
-
 	function characteristics_to_bro(c: uint32, len: uint8): TableVal
 		%{
 		uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF;
@@ -70,7 +64,7 @@ refine flow File += {
 		return true;
 		%}
 
-	function proc_nt_headers(h: IMAGE_NT_HEADERS): bool
+	function proc_nt_headers(h: NT_Headers): bool
 		%{
 		if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0"
 			{
@@ -80,7 +74,7 @@ refine flow File += {
 		return true;
 		%}
 
-	function proc_file_header(h: IMAGE_FILE_HEADER): bool
+	function proc_file_header(h: File_Header): bool
 		%{
 		if ( pe_file_header )
 			{
@@ -98,7 +92,7 @@ refine flow File += {
 		return true;
 		%}
 
-	function proc_optional_header(h: IMAGE_OPTIONAL_HEADER): bool
+	function proc_optional_header(h: Optional_Header): bool
 		%{
 		if ( ${h.magic} != 0x10b &&  // normal pe32 executable
 		     ${h.magic} != 0x107 &&  // rom image
@@ -145,7 +139,7 @@ refine flow File += {
 		return true;
 		%}
 
-	function proc_section_header(h: IMAGE_SECTION_HEADER): bool
+	function proc_section_header(h: Section_Header): bool
 		%{
 		if ( pe_section_header )
 			{
@@ -176,6 +170,14 @@ refine flow File += {
 			}
 		return true;
 		%}
+
+
+	function proc_pe_file(): bool
+		%{
+		printf("PE file processed\n");
+		return true;
+		%}
+
 };
 
 refine typeattr DOS_Header += &let {
@@ -186,23 +188,23 @@ refine typeattr DOS_Code += &let {
 	proc : bool = $context.flow.proc_dos_code(code);
 };
 
-refine typeattr IMAGE_NT_HEADERS += &let {
+refine typeattr NT_Headers += &let {
 	proc : bool = $context.flow.proc_nt_headers(this);
 };
 
-refine typeattr IMAGE_FILE_HEADER += &let {
+refine typeattr File_Header += &let {
 	proc : bool = $context.flow.proc_file_header(this);
 };
 
-refine typeattr IMAGE_OPTIONAL_HEADER += &let {
+refine typeattr Optional_Header += &let {
 	proc : bool = $context.flow.proc_optional_header(this);
 };
 
-refine typeattr IMAGE_SECTION_HEADER += &let {
-	proc: bool = $context.flow.proc_section_header(this);
+refine typeattr Section_Header += &let {
+	proc2: bool = $context.flow.proc_section_header(this);
 };
 
-refine typeattr TheFile += &let {
-	proc: bool = $context.flow.proc_the_file();
+refine typeattr PE_File += &let {
+	proc: bool = $context.flow.proc_pe_file();
 };
 
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 58278a7ffd..ef048079a5 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -1,17 +1,27 @@
-
-type TheFile = record {
-	dos_header      : DOS_Header;
-	dos_code        : DOS_Code(dos_code_len);
-	pe_header       : IMAGE_NT_HEADERS;
-	section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections);
-	#pad             : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address);
-	#data_sections   : DATA_SECTIONS[pe_header.file_header.NumberOfSections];
-	#data_sections   : DATA_SECTIONS[] &length=data_len;
+# The base record for a Portable Executable file
+type PE_File = record {
+	headers         : Headers;
+	pad		: Padding(iat_loc);
+	iat		: IMPORT_ADDRESS_TABLE &length=$context.connection.get_import_table_len();
 } &let {
-	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;
-	data_len: uint32 = pe_header.optional_header.size_of_init_data;
+	unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length;
+	iat_loc: uint32 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
+	
 } &byteorder=littleendian;
 
+## Headers
+
+type Headers = record {
+	dos_header      : DOS_Header;
+	dos_code        : DOS_Code(dos_code_len);
+	pe_header       : NT_Headers;
+	section_headers : Section_Headers(pe_header.file_header.NumberOfSections);
+} &let {
+	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0;
+	length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length;
+};
+
+# The DOS header gives us the offset of the NT headers
 type DOS_Header = record {
 	signature                : bytestring &length=2;
 	UsedBytesInTheLastPage   : uint16;
@@ -38,13 +48,17 @@ type DOS_Code(len: uint32) = record {
 	code : bytestring &length=len;
 };
 
-type IMAGE_NT_HEADERS = record {
+# The NT headers give us the file and the optional headers.
+type NT_Headers = record {
 	PESignature     : uint32;
-	file_header     : IMAGE_FILE_HEADER;
-	optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
-} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header);
+	file_header     : File_Header;
+	optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
+} &let {
+	length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header);
+} &byteorder=littleendian &length=length;
 
-type IMAGE_FILE_HEADER = record {
+# The file header is mainly self-describing
+type File_Header = record {
 	Machine               : uint16;
 	NumberOfSections      : uint16;
 	TimeDateStamp         : uint32;
@@ -54,7 +68,8 @@ type IMAGE_FILE_HEADER = record {
 	Characteristics       : uint16;
 };
 
-type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record {
+# The optional header gives us DLL link information, and some structural information
+type Optional_Header(len: uint16, number_of_sections: uint16) = record {
 	magic                   : uint16;
 	major_linker_version    : uint8;
 	minor_linker_version    : uint8;
@@ -80,34 +95,47 @@ type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record {
 	subsystem               : uint16;
 	dll_characteristics     : uint16;
 	mem: case magic of {
-		267  -> i32           : MEM_INFO32;
-		268  -> i64           : MEM_INFO64;
+		267  -> i32           : Mem_Info32;
+		268  -> i64           : Mem_Info64;
 		default -> InvalidPEFile : empty;
 	};
 	loader_flags            : uint32;
 	number_of_rva_and_sizes : uint32;
-	rvas					: IMAGE_RVAS(number_of_rva_and_sizes);
+	rvas			: RVAS(number_of_rva_and_sizes);
 } &byteorder=littleendian &length=len;
 
-type MEM_INFO32 = record {
+type Mem_Info32 = record {
 	size_of_stack_reserve : uint32;
 	size_of_stack_commit  : uint32;
 	size_of_heap_reserve  : uint32;
 	size_of_heap_commit   : uint32;
 } &byteorder=littleendian &length=16;
 
-type MEM_INFO64 = record {
+type Mem_Info64 = record {
 	size_of_stack_reserve : uint64;
 	size_of_stack_commit  : uint64;
 	size_of_heap_reserve  : uint64;
 	size_of_heap_commit   : uint64;
 } &byteorder=littleendian &length=32;
 
-type IMAGE_SECTIONS(num: uint16) = record {
-	sections : IMAGE_SECTION_HEADER[num];
-} &length=num*40;
+type RVAS(num: uint32) = record {
+	rvas : RVA[num];
+};
 
-type IMAGE_SECTION_HEADER = record {
+type RVA = record {
+	virtual_address : uint32;
+	size		: uint32;
+} &let {
+	proc: bool = $context.connection.proc_rva(this);
+} &length=8;
+
+type Section_Headers(num: uint16) = record {
+	sections : Section_Header[num];
+} &let {
+	length: uint32 = num*40;
+} &length=length;
+
+type Section_Header = record {
 	name                      : bytestring &length=8;
 	virtual_size              : uint32;
 	virtual_addr              : uint32;
@@ -118,31 +146,214 @@ type IMAGE_SECTION_HEADER = record {
 	non_used_num_of_relocs    : uint16;
 	non_used_num_of_line_nums : uint16;
 	characteristics           : uint32;
+} &let {
+	proc: bool = $context.connection.proc_section(this);
 } &byteorder=littleendian &length=40;
 
+## The BinPAC padding type doens't work here.
 
-type IMAGE_DATA_DIRECTORY = record {
-	virtual_address : uint32;
-	size            : uint16;
+type Padding(length: uint32) = record {
+	blah: bytestring &length=length &transient;
 };
 
+## Support for parsing the .idata section
+
 type IMAGE_IMPORT_DIRECTORY = record {
 	rva_import_lookup_table : uint32;
 	time_date_stamp         : uint32;
 	forwarder_chain         : uint32;
 	rva_module_name         : uint32;
 	rva_import_addr_table   : uint32;
+} &let {
+	is_null: bool = rva_module_name == 0;
+	proc: bool = $context.connection.proc_image_import_directory(this);
+} &length=20;
+
+type IMPORT_LOOKUP_ATTRS = record {
+	attrs: uint32;
+} &let {
+	is_null: bool = attrs == 0;
+} &length=4;
+
+type IMPORT_LOOKUP_TABLE = record {
+	attrs: IMPORT_LOOKUP_ATTRS[] &until($element.is_null);
+} &let {
+	proc: bool = $context.connection.proc_import_lookup_table(this);
 };
 
-type IMAGE_RVAS(num: uint32) = record {
-	rvas : IMAGE_RVA[num];
-} &length=num*8;
+#type null_terminated_string = RE/[^\x00]+\x00/;
+type null_terminated_string = RE/[A-Za-z0-9.]+\x00/;
 
-type IMAGE_RVA = record {
-	virtual_address : uint32;
-	size			: uint32;
-} &length=8;
+type IMPORT_ENTRY(is_module: bool, pad_align: uint8) = case is_module of {
+	true  -> module: IMPORT_MODULE(pad_align);
+	false -> hint:   IMPORT_HINT(pad_align);
+};
 
-type DATA_SECTIONS = record {
-	blah: uint8;
+type IMPORT_MODULE(pad_align: uint8) = record {
+	pad: bytestring &length=pad_align;
+	name: null_terminated_string;	
+} &let {
+	proc: bool = $context.connection.proc_import_module(this);
+};
+
+type IMPORT_HINT(pad_align: uint8) = record {
+	pad: bytestring &length=pad_align;
+	index: uint16;
+	name: null_terminated_string;
+} &let {
+	proc: bool = $context.connection.proc_import_hint(this);
+	last: bool = sizeof(name) == 0;
+};
+
+type IMPORT_ADDRESS_TABLE = record {
+	directory_table : IMAGE_IMPORT_DIRECTORY[] &until $element.is_null;
+	lookup_tables   : IMPORT_LOOKUP_TABLE[] &until $context.connection.get_num_imports() <= 0;
+	hint_table	: IMPORT_ENTRY($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done());
+} &let {
+	proc: bool = $context.connection.proc_iat(this);
+};
+
+refine connection MockConnection += {
+	%member{
+		uint8 rvas_seen_;
+		uint8 num_imports_;
+		uint32 rva_offset_;
+
+		bool has_import_table_;
+		uint32 import_table_va_;
+		uint32 import_table_rva_;
+		uint32 import_table_len_;
+		vector<uint32> imports_per_module_;
+		uint32 next_hint_index_;
+		uint8 next_hint_align_;
+		bool next_hint_is_module_;
+
+		bool has_export_table_;
+		uint32 export_table_va_;
+		uint32 export_table_rva_;
+	%}
+
+	%init{
+		rvas_seen_ = 0;
+		rva_offset_ = 0;
+		num_imports_ = -1;
+		has_import_table_ = false;
+		has_export_table_ = false;
+
+		next_hint_is_module_ = true;
+		next_hint_index_ = 0;
+		next_hint_align_ = 0;
+	%}
+
+	function proc_rva(r: RVA): bool
+		%{
+		if ( rvas_seen_ == 1 )
+			{
+			has_import_table_ = ${r.virtual_address} > 0;
+			if ( has_import_table_ ) {
+				import_table_rva_ = ${r.virtual_address};
+				import_table_len_ = ${r.size};
+				}
+			}
+		if ( rvas_seen_ == 2 )
+			{
+			has_export_table_ = ${r.virtual_address} > 0;
+			if ( has_export_table_ )
+				export_table_rva_ = ${r.virtual_address};
+			}
+		++rvas_seen_;
+		return true;
+		%}
+
+	function proc_section(h: Section_Header): bool
+		%{
+		if ( has_import_table_ && ${h.virtual_addr} == import_table_rva_ ){
+			printf("Found import table %d\n", ${h.ptr_to_raw_data});
+			rva_offset_ = ${h.virtual_addr} - ${h.ptr_to_raw_data};
+
+			import_table_va_ = ${h.ptr_to_raw_data};
+			get_import_table_addr();
+			}
+		if ( has_export_table_ && ${h.virtual_addr} == export_table_rva_ )
+			export_table_va_ = ${h.ptr_to_raw_data};
+		return true;
+		%}
+
+	function proc_image_import_directory(i: IMAGE_IMPORT_DIRECTORY): bool
+		%{
+		num_imports_++;
+		return true;
+		%}
+
+	function proc_iat(i: IMPORT_ADDRESS_TABLE): bool
+		%{
+		printf("IAT processed\n");
+		return true;
+		%}
+
+	function get_import_table_addr(): uint32
+		%{
+		return has_import_table_ ? import_table_va_ : 0;
+		%}
+
+	function get_import_table_len(): uint32
+		%{
+		return has_import_table_ ? import_table_len_ : 0;
+		%}
+
+	function get_rva_offset(): uint32
+		%{
+		return rva_offset_;
+		%}
+
+	function get_num_imports(): uint8
+		%{
+		return num_imports_;
+		%}		
+
+	function get_next_hint_align(): uint8
+		%{
+		return next_hint_align_;
+		%}		
+
+	function proc_import_lookup_table(t: IMPORT_LOOKUP_TABLE): bool
+		%{
+		--num_imports_;
+		imports_per_module_.push_back(${t.attrs}->size());
+		return true;
+		%}		
+
+	function get_next_hint_type(): bool
+		%{
+		if ( next_hint_is_module_ )
+			{
+			next_hint_is_module_ = false;
+			return true;
+			}
+		if ( --imports_per_module_[next_hint_index_] == 0)
+			{
+			++next_hint_index_;
+			return true;
+			}
+		return false;
+		%}
+
+	function imports_done(): bool
+		%{
+		return next_hint_index_ == imports_per_module_.size();
+		%}
+
+	function proc_import_hint(h: IMPORT_HINT): bool
+		%{
+		printf("        Imported function '%s'\n", ${h.name}.data());
+		next_hint_align_ = ${h.name}.length() % 2;
+		return true;
+		%}
+
+	function proc_import_module(m: IMPORT_MODULE): bool
+		%{
+		printf("Imported module '%s'\n", ${m.name}.data());
+		next_hint_align_ = ${m.name}.length() % 2;
+		return true;
+		%}
 };
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe.pac b/src/file_analysis/analyzer/pe/pe.pac
index 8a20fa3c62..df7c3011d9 100644
--- a/src/file_analysis/analyzer/pe/pe.pac
+++ b/src/file_analysis/analyzer/pe/pe.pac
@@ -14,7 +14,7 @@ connection MockConnection(bro_analyzer: BroFileAnalyzer) {
 %include pe-file.pac
 
 flow File {
-	flowunit = TheFile withcontext(connection, this);
+	flowunit = PE_File withcontext(connection, this);
 }
  
 %include pe-analyzer.pac

From 575e22cfe713b10cf700d2b434edd26af6a15435 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Tue, 14 Apr 2015 20:21:43 -0500
Subject: [PATCH 29/54] PE Analyzer cleanup.

---
 .../analyzer/pe/pe-file-headers.pac           | 114 ++++++
 .../analyzer/pe/pe-file-idata.pac             | 145 +++++++
 .../analyzer/pe/pe-file-types.pac             |  32 ++
 src/file_analysis/analyzer/pe/pe-file.pac     | 355 +-----------------
 4 files changed, 296 insertions(+), 350 deletions(-)
 create mode 100644 src/file_analysis/analyzer/pe/pe-file-headers.pac
 create mode 100644 src/file_analysis/analyzer/pe/pe-file-idata.pac
 create mode 100644 src/file_analysis/analyzer/pe/pe-file-types.pac

diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac
new file mode 100644
index 0000000000..7c34277edb
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac
@@ -0,0 +1,114 @@
+type Headers = record {
+	dos_header      : DOS_Header;
+	dos_code        : DOS_Code(dos_code_len);
+	pe_header       : NT_Headers;
+	section_headers : Section_Headers(pe_header.file_header.NumberOfSections);
+} &let {
+	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0;
+	length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length;
+};
+
+# The DOS header gives us the offset of the NT headers
+type DOS_Header = record {
+	signature                : bytestring &length=2;
+	UsedBytesInTheLastPage   : uint16;
+	FileSizeInPages          : uint16;
+	NumberOfRelocationItems  : uint16;
+	HeaderSizeInParagraphs   : uint16;
+	MinimumExtraParagraphs   : uint16;
+	MaximumExtraParagraphs   : uint16;
+	InitialRelativeSS        : uint16;
+	InitialSP                : uint16;
+	Checksum                 : uint16;
+	InitialIP                : uint16;
+	InitialRelativeCS        : uint16;
+	AddressOfRelocationTable : uint16;
+	OverlayNumber            : uint16;
+	Reserved                 : uint16[4];
+	OEMid                    : uint16;
+	OEMinfo                  : uint16;
+	Reserved2                : uint16[10];
+	AddressOfNewExeHeader    : uint32;
+} &length=64;
+
+type DOS_Code(len: uint32) = record {
+	code : bytestring &length=len;
+};
+
+# The NT headers give us the file and the optional headers.
+type NT_Headers = record {
+	PESignature     : uint32;
+	file_header     : File_Header;
+	optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
+} &let {
+	length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header);
+} &length=length;
+
+# The file header is mainly self-describing
+type File_Header = record {
+	Machine               : uint16;
+	NumberOfSections      : uint16;
+	TimeDateStamp         : uint32;
+	PointerToSymbolTable  : uint32;
+	NumberOfSymbols       : uint32;
+	SizeOfOptionalHeader  : uint16;
+	Characteristics       : uint16;
+};
+
+# The optional header gives us DLL link information, and some structural information
+type Optional_Header(len: uint16, number_of_sections: uint16) = record {
+	magic                   : uint16;
+	major_linker_version    : uint8;
+	minor_linker_version    : uint8;
+	size_of_code            : uint32;
+	size_of_init_data       : uint32;
+	size_of_uninit_data     : uint32;
+	addr_of_entry_point     : uint32;
+	base_of_code            : uint32;
+	base_of_data            : uint32;
+	image_base              : uint32;
+	section_alignment       : uint32;
+	file_alignment          : uint32;
+	os_version_major        : uint16;
+	os_version_minor        : uint16;
+	major_image_version     : uint16;
+	minor_image_version     : uint16;
+	major_subsys_version    : uint16;
+	minor_subsys_version    : uint16;
+	win32_version           : uint32;
+	size_of_image           : uint32;
+	size_of_headers         : uint32;
+	checksum                : uint32;
+	subsystem               : uint16;
+	dll_characteristics     : uint16;
+	mem: case magic of {
+		267  -> i32           : Mem_Info32;
+		268  -> i64           : Mem_Info64;
+		default -> InvalidPEFile : empty;
+	};
+	loader_flags            : uint32;
+	number_of_rva_and_sizes : uint32;
+	rvas			: RVAS(number_of_rva_and_sizes);
+} &length=len;
+
+type Section_Headers(num: uint16) = record {
+	sections : Section_Header[num];
+} &let {
+	length: uint32 = num*40;
+} &length=length;
+
+type Section_Header = record {
+	name                      : bytestring &length=8;
+	virtual_size              : uint32;
+	virtual_addr              : uint32;
+	size_of_raw_data          : uint32;
+	ptr_to_raw_data           : uint32;
+	non_used_ptr_to_relocs    : uint32;
+	non_used_ptr_to_line_nums : uint32;
+	non_used_num_of_relocs    : uint16;
+	non_used_num_of_line_nums : uint16;
+	characteristics           : uint32;
+} &let {
+	proc: bool = $context.connection.proc_section(this);
+} &length=40;
+
diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac
new file mode 100644
index 0000000000..80200838e5
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac
@@ -0,0 +1,145 @@
+## Support for parsing the .idata section
+
+type import_directory = record {
+	rva_import_lookup_table : uint32;
+	time_date_stamp         : uint32;
+	forwarder_chain         : uint32;
+	rva_module_name         : uint32;
+	rva_import_addr_table   : uint32;
+} &let {
+	is_null: bool = rva_module_name == 0;
+	proc: bool = $context.connection.proc_image_import_directory(this);
+} &length=20;
+
+type import_lookup_attrs = record {
+	attrs: uint32;
+} &length=4;
+
+type import_lookup_table = record {
+	attrs: import_lookup_attrs[] &until($element.attrs == 0);
+} &let {
+	proc: bool = $context.connection.proc_import_lookup_table(this);
+};
+
+type import_entry(is_module: bool, pad_align: uint8) = record {
+	pad: bytestring &length=pad_align;
+	has_index: case is_module of {
+		true -> null: empty;
+		false -> index: uint16;
+	};
+	name: null_terminated_string;
+};
+
+type idata = record {
+	directory_table : import_directory[] &until $element.is_null;
+	lookup_tables   : import_lookup_table[] &until $context.connection.get_num_imports() <= 0;
+	hint_table	: import_entry($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done());
+};
+
+refine typeattr RVAS += &let {
+	proc: bool = $context.connection.proc_idata_rva(rvas[1]) &if (num > 1);
+};
+
+refine connection MockConnection += {
+	%member{
+		uint8 num_imports_;        // How many import tables will we have?
+
+		uint32 import_table_rva_;  // Used for finding the right section
+		uint32 import_table_va_;
+		uint32 import_table_len_;
+
+		// We need to track the number of imports for each, to
+		// know when we've parsed them all.  
+		vector<uint32> imports_per_module_;
+
+		// These are to determine the alignment of the import hints
+		uint32 next_hint_index_;
+		uint8 next_hint_align_;
+		bool next_hint_is_module_;
+	%}
+
+	%init{
+		// It ends with a null import entry, so we'll set it to -1.
+		num_imports_ = -1;
+
+		// First hint is a module name.
+		next_hint_is_module_ = true;
+		next_hint_index_ = 0;
+		next_hint_align_ = 0;
+	%}
+
+	function proc_idata_rva(r: RVA): bool
+		%{
+		import_table_rva_ = ${r.virtual_address};
+		import_table_len_ = ${r.size};
+
+		return true;
+		%}
+
+	function proc_section(h: Section_Header): bool
+		%{
+		if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ )
+			import_table_va_ = ${h.ptr_to_raw_data};
+		return true;
+		%}
+
+	function proc_image_import_directory(i: import_directory): bool
+		%{
+		num_imports_++;
+		return true;
+		%}
+
+	function get_import_table_addr(): uint32
+		%{
+		return import_table_va_ > 0 ? import_table_va_ : 0;
+		%}
+
+	function get_import_table_len(): uint32
+		%{
+		return import_table_va_ > 0 ? import_table_len_ : 0;
+		%}
+
+	function get_num_imports(): uint8
+		%{
+		return num_imports_;
+		%}		
+
+	function get_next_hint_align(): uint8
+		%{
+		return next_hint_align_;
+		%}		
+
+	function proc_import_lookup_table(t: import_lookup_table): bool
+		%{
+		--num_imports_;
+		imports_per_module_.push_back(${t.attrs}->size());
+		return true;
+		%}		
+
+	function get_next_hint_type(): bool
+		%{
+		if ( next_hint_is_module_ )
+			{
+			next_hint_is_module_ = false;
+			return true;
+			}
+		if ( --imports_per_module_[next_hint_index_] == 0)
+			{
+			++next_hint_index_;
+			return true;
+			}
+		return false;
+		%}
+
+	function imports_done(): bool
+		%{
+		return next_hint_index_ == imports_per_module_.size();
+		%}
+
+	function proc_import_hint(hint_name: bytestring): bool
+		%{
+		next_hint_align_ = ${hint_name}.length() % 2;
+		printf("Import function: %s\n", ${hint_name}.data());
+		return true;
+		%}
+};
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe-file-types.pac b/src/file_analysis/analyzer/pe/pe-file-types.pac
new file mode 100644
index 0000000000..27b5a25d07
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/pe-file-types.pac
@@ -0,0 +1,32 @@
+# Basic PE types
+
+type Mem_Info32 = record {
+	size_of_stack_reserve : uint32;
+	size_of_stack_commit  : uint32;
+	size_of_heap_reserve  : uint32;
+	size_of_heap_commit   : uint32;
+} &byteorder=littleendian &length=16;
+
+type Mem_Info64 = record {
+	size_of_stack_reserve : uint64;
+	size_of_stack_commit  : uint64;
+	size_of_heap_reserve  : uint64;
+	size_of_heap_commit   : uint64;
+} &byteorder=littleendian &length=32;
+
+type RVAS(num: uint32) = record {
+	rvas : RVA[num];
+};
+
+type RVA = record {
+	virtual_address : uint32;
+	size		: uint32;
+} &length=8;
+
+# The BinPAC padding type doesn't work here.
+type Padding(length: uint32) = record {
+	pad: bytestring &length=length &transient;
+};
+
+type null_terminated_string = RE/[A-Za-z0-9.]+\x00/;
+
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index ef048079a5..1c748f3764 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -1,359 +1,14 @@
+%include pe-file-types.pac
+%include pe-file-headers.pac
+%include pe-file-idata.pac
+
 # The base record for a Portable Executable file
 type PE_File = record {
 	headers         : Headers;
 	pad		: Padding(iat_loc);
-	iat		: IMPORT_ADDRESS_TABLE &length=$context.connection.get_import_table_len();
+	iat		: idata &length=$context.connection.get_import_table_len();
 } &let {
 	unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length;
 	iat_loc: uint32 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
-	
 } &byteorder=littleendian;
 
-## Headers
-
-type Headers = record {
-	dos_header      : DOS_Header;
-	dos_code        : DOS_Code(dos_code_len);
-	pe_header       : NT_Headers;
-	section_headers : Section_Headers(pe_header.file_header.NumberOfSections);
-} &let {
-	dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0;
-	length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length;
-};
-
-# The DOS header gives us the offset of the NT headers
-type DOS_Header = record {
-	signature                : bytestring &length=2;
-	UsedBytesInTheLastPage   : uint16;
-	FileSizeInPages          : uint16;
-	NumberOfRelocationItems  : uint16;
-	HeaderSizeInParagraphs   : uint16;
-	MinimumExtraParagraphs   : uint16;
-	MaximumExtraParagraphs   : uint16;
-	InitialRelativeSS        : uint16;
-	InitialSP                : uint16;
-	Checksum                 : uint16;
-	InitialIP                : uint16;
-	InitialRelativeCS        : uint16;
-	AddressOfRelocationTable : uint16;
-	OverlayNumber            : uint16;
-	Reserved                 : uint16[4];
-	OEMid                    : uint16;
-	OEMinfo                  : uint16;
-	Reserved2                : uint16[10];
-	AddressOfNewExeHeader    : uint32;
-} &byteorder=littleendian &length=64;
-
-type DOS_Code(len: uint32) = record {
-	code : bytestring &length=len;
-};
-
-# The NT headers give us the file and the optional headers.
-type NT_Headers = record {
-	PESignature     : uint32;
-	file_header     : File_Header;
-	optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
-} &let {
-	length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header);
-} &byteorder=littleendian &length=length;
-
-# The file header is mainly self-describing
-type File_Header = record {
-	Machine               : uint16;
-	NumberOfSections      : uint16;
-	TimeDateStamp         : uint32;
-	PointerToSymbolTable  : uint32;
-	NumberOfSymbols       : uint32;
-	SizeOfOptionalHeader  : uint16;
-	Characteristics       : uint16;
-};
-
-# The optional header gives us DLL link information, and some structural information
-type Optional_Header(len: uint16, number_of_sections: uint16) = record {
-	magic                   : uint16;
-	major_linker_version    : uint8;
-	minor_linker_version    : uint8;
-	size_of_code            : uint32;
-	size_of_init_data       : uint32;
-	size_of_uninit_data     : uint32;
-	addr_of_entry_point     : uint32;
-	base_of_code            : uint32;
-	base_of_data            : uint32;
-	image_base              : uint32;
-	section_alignment       : uint32;
-	file_alignment          : uint32;
-	os_version_major        : uint16;
-	os_version_minor        : uint16;
-	major_image_version     : uint16;
-	minor_image_version     : uint16;
-	major_subsys_version    : uint16;
-	minor_subsys_version    : uint16;
-	win32_version           : uint32;
-	size_of_image           : uint32;
-	size_of_headers         : uint32;
-	checksum                : uint32;
-	subsystem               : uint16;
-	dll_characteristics     : uint16;
-	mem: case magic of {
-		267  -> i32           : Mem_Info32;
-		268  -> i64           : Mem_Info64;
-		default -> InvalidPEFile : empty;
-	};
-	loader_flags            : uint32;
-	number_of_rva_and_sizes : uint32;
-	rvas			: RVAS(number_of_rva_and_sizes);
-} &byteorder=littleendian &length=len;
-
-type Mem_Info32 = record {
-	size_of_stack_reserve : uint32;
-	size_of_stack_commit  : uint32;
-	size_of_heap_reserve  : uint32;
-	size_of_heap_commit   : uint32;
-} &byteorder=littleendian &length=16;
-
-type Mem_Info64 = record {
-	size_of_stack_reserve : uint64;
-	size_of_stack_commit  : uint64;
-	size_of_heap_reserve  : uint64;
-	size_of_heap_commit   : uint64;
-} &byteorder=littleendian &length=32;
-
-type RVAS(num: uint32) = record {
-	rvas : RVA[num];
-};
-
-type RVA = record {
-	virtual_address : uint32;
-	size		: uint32;
-} &let {
-	proc: bool = $context.connection.proc_rva(this);
-} &length=8;
-
-type Section_Headers(num: uint16) = record {
-	sections : Section_Header[num];
-} &let {
-	length: uint32 = num*40;
-} &length=length;
-
-type Section_Header = record {
-	name                      : bytestring &length=8;
-	virtual_size              : uint32;
-	virtual_addr              : uint32;
-	size_of_raw_data          : uint32;
-	ptr_to_raw_data           : uint32;
-	non_used_ptr_to_relocs    : uint32;
-	non_used_ptr_to_line_nums : uint32;
-	non_used_num_of_relocs    : uint16;
-	non_used_num_of_line_nums : uint16;
-	characteristics           : uint32;
-} &let {
-	proc: bool = $context.connection.proc_section(this);
-} &byteorder=littleendian &length=40;
-
-## The BinPAC padding type doens't work here.
-
-type Padding(length: uint32) = record {
-	blah: bytestring &length=length &transient;
-};
-
-## Support for parsing the .idata section
-
-type IMAGE_IMPORT_DIRECTORY = record {
-	rva_import_lookup_table : uint32;
-	time_date_stamp         : uint32;
-	forwarder_chain         : uint32;
-	rva_module_name         : uint32;
-	rva_import_addr_table   : uint32;
-} &let {
-	is_null: bool = rva_module_name == 0;
-	proc: bool = $context.connection.proc_image_import_directory(this);
-} &length=20;
-
-type IMPORT_LOOKUP_ATTRS = record {
-	attrs: uint32;
-} &let {
-	is_null: bool = attrs == 0;
-} &length=4;
-
-type IMPORT_LOOKUP_TABLE = record {
-	attrs: IMPORT_LOOKUP_ATTRS[] &until($element.is_null);
-} &let {
-	proc: bool = $context.connection.proc_import_lookup_table(this);
-};
-
-#type null_terminated_string = RE/[^\x00]+\x00/;
-type null_terminated_string = RE/[A-Za-z0-9.]+\x00/;
-
-type IMPORT_ENTRY(is_module: bool, pad_align: uint8) = case is_module of {
-	true  -> module: IMPORT_MODULE(pad_align);
-	false -> hint:   IMPORT_HINT(pad_align);
-};
-
-type IMPORT_MODULE(pad_align: uint8) = record {
-	pad: bytestring &length=pad_align;
-	name: null_terminated_string;	
-} &let {
-	proc: bool = $context.connection.proc_import_module(this);
-};
-
-type IMPORT_HINT(pad_align: uint8) = record {
-	pad: bytestring &length=pad_align;
-	index: uint16;
-	name: null_terminated_string;
-} &let {
-	proc: bool = $context.connection.proc_import_hint(this);
-	last: bool = sizeof(name) == 0;
-};
-
-type IMPORT_ADDRESS_TABLE = record {
-	directory_table : IMAGE_IMPORT_DIRECTORY[] &until $element.is_null;
-	lookup_tables   : IMPORT_LOOKUP_TABLE[] &until $context.connection.get_num_imports() <= 0;
-	hint_table	: IMPORT_ENTRY($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done());
-} &let {
-	proc: bool = $context.connection.proc_iat(this);
-};
-
-refine connection MockConnection += {
-	%member{
-		uint8 rvas_seen_;
-		uint8 num_imports_;
-		uint32 rva_offset_;
-
-		bool has_import_table_;
-		uint32 import_table_va_;
-		uint32 import_table_rva_;
-		uint32 import_table_len_;
-		vector<uint32> imports_per_module_;
-		uint32 next_hint_index_;
-		uint8 next_hint_align_;
-		bool next_hint_is_module_;
-
-		bool has_export_table_;
-		uint32 export_table_va_;
-		uint32 export_table_rva_;
-	%}
-
-	%init{
-		rvas_seen_ = 0;
-		rva_offset_ = 0;
-		num_imports_ = -1;
-		has_import_table_ = false;
-		has_export_table_ = false;
-
-		next_hint_is_module_ = true;
-		next_hint_index_ = 0;
-		next_hint_align_ = 0;
-	%}
-
-	function proc_rva(r: RVA): bool
-		%{
-		if ( rvas_seen_ == 1 )
-			{
-			has_import_table_ = ${r.virtual_address} > 0;
-			if ( has_import_table_ ) {
-				import_table_rva_ = ${r.virtual_address};
-				import_table_len_ = ${r.size};
-				}
-			}
-		if ( rvas_seen_ == 2 )
-			{
-			has_export_table_ = ${r.virtual_address} > 0;
-			if ( has_export_table_ )
-				export_table_rva_ = ${r.virtual_address};
-			}
-		++rvas_seen_;
-		return true;
-		%}
-
-	function proc_section(h: Section_Header): bool
-		%{
-		if ( has_import_table_ && ${h.virtual_addr} == import_table_rva_ ){
-			printf("Found import table %d\n", ${h.ptr_to_raw_data});
-			rva_offset_ = ${h.virtual_addr} - ${h.ptr_to_raw_data};
-
-			import_table_va_ = ${h.ptr_to_raw_data};
-			get_import_table_addr();
-			}
-		if ( has_export_table_ && ${h.virtual_addr} == export_table_rva_ )
-			export_table_va_ = ${h.ptr_to_raw_data};
-		return true;
-		%}
-
-	function proc_image_import_directory(i: IMAGE_IMPORT_DIRECTORY): bool
-		%{
-		num_imports_++;
-		return true;
-		%}
-
-	function proc_iat(i: IMPORT_ADDRESS_TABLE): bool
-		%{
-		printf("IAT processed\n");
-		return true;
-		%}
-
-	function get_import_table_addr(): uint32
-		%{
-		return has_import_table_ ? import_table_va_ : 0;
-		%}
-
-	function get_import_table_len(): uint32
-		%{
-		return has_import_table_ ? import_table_len_ : 0;
-		%}
-
-	function get_rva_offset(): uint32
-		%{
-		return rva_offset_;
-		%}
-
-	function get_num_imports(): uint8
-		%{
-		return num_imports_;
-		%}		
-
-	function get_next_hint_align(): uint8
-		%{
-		return next_hint_align_;
-		%}		
-
-	function proc_import_lookup_table(t: IMPORT_LOOKUP_TABLE): bool
-		%{
-		--num_imports_;
-		imports_per_module_.push_back(${t.attrs}->size());
-		return true;
-		%}		
-
-	function get_next_hint_type(): bool
-		%{
-		if ( next_hint_is_module_ )
-			{
-			next_hint_is_module_ = false;
-			return true;
-			}
-		if ( --imports_per_module_[next_hint_index_] == 0)
-			{
-			++next_hint_index_;
-			return true;
-			}
-		return false;
-		%}
-
-	function imports_done(): bool
-		%{
-		return next_hint_index_ == imports_per_module_.size();
-		%}
-
-	function proc_import_hint(h: IMPORT_HINT): bool
-		%{
-		printf("        Imported function '%s'\n", ${h.name}.data());
-		next_hint_align_ = ${h.name}.length() % 2;
-		return true;
-		%}
-
-	function proc_import_module(m: IMPORT_MODULE): bool
-		%{
-		printf("Imported module '%s'\n", ${m.name}.data());
-		next_hint_align_ = ${m.name}.length() % 2;
-		return true;
-		%}
-};
\ No newline at end of file

From 0b5103b41b222af414929097f2e3da7be127884d Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Tue, 14 Apr 2015 21:09:16 -0500
Subject: [PATCH 30/54] Fix support for PE32+ files.

---
 .../analyzer/pe/pe-file-headers.pac           | 59 +++++++++++-
 .../analyzer/pe/pe-file-idata.pac             | 95 ++++++++++---------
 .../analyzer/pe/pe-file-types.pac             |  8 +-
 src/file_analysis/analyzer/pe/pe-file.pac     | 10 +-
 4 files changed, 118 insertions(+), 54 deletions(-)

diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac
index 7c34277edb..c732ed4001 100644
--- a/src/file_analysis/analyzer/pe/pe-file-headers.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac
@@ -65,8 +65,14 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record {
 	size_of_uninit_data     : uint32;
 	addr_of_entry_point     : uint32;
 	base_of_code            : uint32;
-	base_of_data            : uint32;
-	image_base              : uint32;
+	have_base_of_data: case pe_format of {
+		PE32    -> base_of_data: uint32;
+		default -> not_present:  empty;
+	};
+	is_pe32: case pe_format of {
+		PE32_PLUS -> image_base_64: uint64;
+		default   -> image_base_32: uint32;
+	};
 	section_alignment       : uint32;
 	file_alignment          : uint32;
 	os_version_major        : uint16;
@@ -81,14 +87,17 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record {
 	checksum                : uint32;
 	subsystem               : uint16;
 	dll_characteristics     : uint16;
-	mem: case magic of {
-		267  -> i32           : Mem_Info32;
-		268  -> i64           : Mem_Info64;
+	mem: case pe_format of {
+		PE32      -> i32: Mem_Info32;
+		PE32_PLUS -> i64: Mem_Info64;
 		default -> InvalidPEFile : empty;
 	};
 	loader_flags            : uint32;
 	number_of_rva_and_sizes : uint32;
 	rvas			: RVAS(number_of_rva_and_sizes);
+} &let {
+	pe_format: uint8 = $context.connection.set_pe32_format(magic);
+	image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32;
 } &length=len;
 
 type Section_Headers(num: uint16) = record {
@@ -112,3 +121,43 @@ type Section_Header = record {
 	proc: bool = $context.connection.proc_section(this);
 } &length=40;
 
+refine connection MockConnection += {
+	%member{
+		uint64 max_file_location_;
+		uint8  pe32_format_;
+	%}
+
+	%init{
+		max_file_location_ = 0;
+		pe32_format_ = UNKNOWN_VERSION;;
+	%}
+
+	function proc_section(h: Section_Header): bool
+		%{
+		if ( ${h.size_of_raw_data} + ${h.ptr_to_raw_data} > max_file_location_ )
+			max_file_location_ = ${h.size_of_raw_data} + ${h.ptr_to_raw_data};
+		
+		if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ )
+			import_table_va_ = ${h.ptr_to_raw_data};
+		return true;
+		%}
+
+	function set_pe32_format(magic: uint16): uint8
+		%{
+		if ( ${magic} == 0x10b )
+			pe32_format_ = PE32;
+		if ( ${magic} == 0x20b )
+			pe32_format_ = PE32_PLUS;
+		return pe32_format_;
+		%}
+
+	function get_max_file_location(): uint64
+		%{
+		return max_file_location_;
+		%}
+
+	function get_pe32_format(): uint8
+		%{
+		return pe32_format_;
+		%}
+};
diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac
index 80200838e5..ec87ca6673 100644
--- a/src/file_analysis/analyzer/pe/pe-file-idata.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac
@@ -11,12 +11,17 @@ type import_directory = record {
 	proc: bool = $context.connection.proc_image_import_directory(this);
 } &length=20;
 
-type import_lookup_attrs = record {
-	attrs: uint32;
-} &length=4;
+type import_lookup_attrs(pe32_format: uint8) = record {
+	is_pe32_plus: case pe32_format of {
+		PE32_PLUS -> attrs_64: uint64;
+		default   -> attrs_32: uint32;
+	};
+} &let {
+	attrs: uint64 = (pe32_format == PE32_PLUS) ? attrs_64 : attrs_32;
+} &length=(pe32_format == PE32_PLUS ? 8 : 4);
 
 type import_lookup_table = record {
-	attrs: import_lookup_attrs[] &until($element.attrs == 0);
+	attrs: import_lookup_attrs($context.connection.get_pe32_format())[] &until($element.attrs == 0);
 } &let {
 	proc: bool = $context.connection.proc_import_lookup_table(this);
 };
@@ -28,6 +33,8 @@ type import_entry(is_module: bool, pad_align: uint8) = record {
 		false -> index: uint16;
 	};
 	name: null_terminated_string;
+} &let {
+	proc: bool = $context.connection.proc_import_hint(name);
 };
 
 type idata = record {
@@ -68,6 +75,8 @@ refine connection MockConnection += {
 		next_hint_align_ = 0;
 	%}
 
+	# When we read the section header, store the relative virtual address and
+	# size of the .idata section, so we know when we get there.
 	function proc_idata_rva(r: RVA): bool
 		%{
 		import_table_rva_ = ${r.virtual_address};
@@ -76,19 +85,50 @@ refine connection MockConnection += {
 		return true;
 		%}
 
-	function proc_section(h: Section_Header): bool
-		%{
-		if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ )
-			import_table_va_ = ${h.ptr_to_raw_data};
-		return true;
-		%}
-
+	# Each import directory means another module we're importing from.
 	function proc_image_import_directory(i: import_directory): bool
 		%{
 		num_imports_++;
 		return true;
 		%}
 
+	# Store the number of functions imported in each module lookup table.
+	function proc_import_lookup_table(t: import_lookup_table): bool
+		%{
+		--num_imports_;
+		imports_per_module_.push_back(${t.attrs}->size());
+		return true;
+		%}		
+
+	# We need to calculate the length of the next padding field
+	function proc_import_hint(hint_name: bytestring): bool
+		%{
+		next_hint_align_ = ${hint_name}.length() % 2;
+		printf("Imported %s\n", ${hint_name}.data());
+		return true;
+		%}
+
+	# Functions have an index field, modules don't. Which one is this?
+	function get_next_hint_type(): bool
+		%{
+		if ( next_hint_is_module_ )
+			{
+			next_hint_is_module_ = false;
+			return true;
+			}
+		if ( --imports_per_module_[next_hint_index_] == 0)
+			{
+			++next_hint_index_;
+			return true;
+			}
+		return false;
+		%}
+
+	function imports_done(): bool
+		%{
+		return next_hint_index_ == imports_per_module_.size();
+		%}
+
 	function get_import_table_addr(): uint32
 		%{
 		return import_table_va_ > 0 ? import_table_va_ : 0;
@@ -109,37 +149,4 @@ refine connection MockConnection += {
 		return next_hint_align_;
 		%}		
 
-	function proc_import_lookup_table(t: import_lookup_table): bool
-		%{
-		--num_imports_;
-		imports_per_module_.push_back(${t.attrs}->size());
-		return true;
-		%}		
-
-	function get_next_hint_type(): bool
-		%{
-		if ( next_hint_is_module_ )
-			{
-			next_hint_is_module_ = false;
-			return true;
-			}
-		if ( --imports_per_module_[next_hint_index_] == 0)
-			{
-			++next_hint_index_;
-			return true;
-			}
-		return false;
-		%}
-
-	function imports_done(): bool
-		%{
-		return next_hint_index_ == imports_per_module_.size();
-		%}
-
-	function proc_import_hint(hint_name: bytestring): bool
-		%{
-		next_hint_align_ = ${hint_name}.length() % 2;
-		printf("Import function: %s\n", ${hint_name}.data());
-		return true;
-		%}
 };
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe-file-types.pac b/src/file_analysis/analyzer/pe/pe-file-types.pac
index 27b5a25d07..57020a88da 100644
--- a/src/file_analysis/analyzer/pe/pe-file-types.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-types.pac
@@ -1,5 +1,11 @@
 # Basic PE types
 
+enum PE_File_Format {
+	UNKNOWN_VERSION = 0,
+	PE32            = 1,
+	PE32_PLUS       = 2,
+};
+
 type Mem_Info32 = record {
 	size_of_stack_reserve : uint32;
 	size_of_stack_commit  : uint32;
@@ -24,7 +30,7 @@ type RVA = record {
 } &length=8;
 
 # The BinPAC padding type doesn't work here.
-type Padding(length: uint32) = record {
+type Padding(length: uint64) = record {
 	pad: bytestring &length=length &transient;
 };
 
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 1c748f3764..07129b878d 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -4,11 +4,13 @@
 
 # The base record for a Portable Executable file
 type PE_File = record {
-	headers         : Headers;
-	pad		: Padding(iat_loc);
-	iat		: idata &length=$context.connection.get_import_table_len();
+	headers : Headers;
+	pad1	: Padding(iat_loc);
+	iat     : idata &length=$context.connection.get_import_table_len();
+	pad2    : Padding(restofdata);
 } &let {
 	unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length;
-	iat_loc: uint32 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
+	iat_loc: uint64 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
+	restofdata: uint64 = $context.connection.get_max_file_location() - $context.connection.get_import_table_addr() - $context.connection.get_import_table_len();
 } &byteorder=littleendian;
 

From 4753e4a3c2b4486367ab19e6544e7e70147c79c4 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Thu, 16 Apr 2015 19:44:39 -0500
Subject: [PATCH 31/54] Make base_of_data optional.

---
 scripts/base/init-bare.bro                    | 2 +-
 src/file_analysis/analyzer/pe/pe-analyzer.pac | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d30874a1b2..866b9d5ff9 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2586,7 +2586,7 @@ type PE::OptionalHeader: record {
 	size_of_uninit_data     : count;
 	addr_of_entry_point     : count;
 	base_of_code            : count;
-	base_of_data            : count;
+	base_of_data            : count &optional;
 	image_base              : count;
 	section_alignment       : count;
 	file_alignment          : count;
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 1d7d0dbbff..e227f9af0d 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -114,7 +114,10 @@ refine flow File += {
 			oh->Assign(5,  new Val(${h.size_of_uninit_data}, TYPE_COUNT));
 			oh->Assign(6,  new Val(${h.addr_of_entry_point}, TYPE_COUNT));
 			oh->Assign(7, new Val(${h.base_of_code}, TYPE_COUNT));
-			oh->Assign(8, new Val(${h.base_of_data}, TYPE_COUNT));
+
+			if ( ${h.pe_format} != PE32_PLUS )
+				oh->Assign(8, new Val(${h.base_of_data}, TYPE_COUNT));
+
 			oh->Assign(9, new Val(${h.image_base}, TYPE_COUNT));
 			oh->Assign(10, new Val(${h.section_alignment}, TYPE_COUNT));
 			oh->Assign(11, new Val(${h.file_alignment}, TYPE_COUNT));

From 81bafb6c36c3aa9762ee68fd98957bae2e8c357e Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Thu, 16 Apr 2015 22:56:47 -0400
Subject: [PATCH 32/54] PE: Rehash the log a bit.

---
 scripts/base/files/pe/main.bro | 60 ++++++++++++++++++++++++----------
 1 file changed, 42 insertions(+), 18 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index b05f1e3b72..cb2004deff 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -5,14 +5,28 @@ export {
 	redef enum Log::ID += { LOG };
 
 	type Info: record {
-		ts:              time             &log;
-		fuid:            string           &log;
-		machine:         string           &log &optional;
-		compile_ts:      time             &log &optional;
-		os:              string           &log &optional;
-		subsystem:       string           &log &optional;
-		characteristics: set[string]      &log &optional;
-		section_names:   vector of string &log &optional;
+		ts:                  time              &log;
+		fuid:                string            &log;
+		machine:             string            &log &optional;
+		compile_ts:          time              &log &optional;
+		os:                  string            &log &optional;
+		subsystem:           string            &log &optional;
+
+	 	is_exe:              bool              &log &default=F;
+		is_dll:              bool              &log &default=F;
+	        is_64bit:            bool              &log &default=T;
+
+		uses_aslr:           bool              &log &default=F;
+	        uses_dep:            bool              &log &default=F;
+	        uses_code_integrity: bool              &log &default=F;
+	        uses_seh:            bool              &log &default=T;
+	        
+		has_import_table:    bool              &log &optional;
+	        has_export_table:    bool              &log &optional;
+	        has_cert_table:      bool              &log &optional;
+	        has_debug_data:      bool              &log &optional;
+		
+		section_names:       vector of string  &log &optional;
 	};
 
 
@@ -33,41 +47,51 @@ hook set_file(f: fa_file) &priority=5
 	if ( ! f?$pe )
 		{
 		local c: set[string] = set();
-		f$pe = [$ts=network_time(), $fuid=f$id, $characteristics=c];
+		f$pe = [$ts=network_time(), $fuid=f$id];
 		}
 	}
 
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
 	{
-#	print "DOS header";
-#	print h;
 	hook set_file(f);
 	}
 
 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 	{
-#	print "File header";
-#	print h;
 	hook set_file(f);
 	f$pe$compile_ts = h$ts;
 	f$pe$machine    = machine_types[h$machine];
 	for ( c in h$characteristics )
-		add f$pe$characteristics[PE::file_characteristics[c]];
+		{
+		if ( c == 0x2 )
+			f$pe$is_exe = T;
+		if ( c == 0x100 )
+			f$pe$is_64bit = F;
+		if ( c == 0x2000 )
+			f$pe$is_dll = T;
+		}
 	}
 
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 	{
-#	print "Optional header";
-#	print h;
 	hook set_file(f);
 	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
 	f$pe$subsystem = windows_subsystems[h$subsystem];
+	for ( c in h$dll_characteristics )
+		{
+		if ( c == 0x40 )
+			f$pe$uses_aslr = T;
+		if ( c == 0x80 )
+			f$pe$uses_code_integrity = T;
+		if ( c == 0x100 )
+			f$pe$uses_dep = T;
+		if ( c == 0x400 )
+			f$pe$uses_seh = F;
+		}
 	}
 
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 	{
-#	print "Section header";
-#	print h;
 	hook set_file(f);
 
 	if ( ! f$pe?$section_names )

From 546cbf50c99a7d6b11154d0f27b7d1faf881fa86 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sat, 18 Apr 2015 19:41:16 -0400
Subject: [PATCH 33/54] Fix a PE analyzer failure where the IAT isn't aligned
 with a section boundary.

---
 src/file_analysis/analyzer/pe/PE.cc           |  2 ++
 src/file_analysis/analyzer/pe/events.bif      |  8 ++++-
 src/file_analysis/analyzer/pe/pe-analyzer.pac | 25 +++++++++++-----
 .../analyzer/pe/pe-file-headers.pac           | 20 ++++++-------
 .../analyzer/pe/pe-file-idata.pac             | 27 ++++++++++++++---
 .../analyzer/pe/pe-file-types.pac             |  1 -
 src/file_analysis/analyzer/pe/pe-file.pac     | 29 ++++++++++++++++++-
 7 files changed, 87 insertions(+), 25 deletions(-)

diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc
index 59fbad91df..6df2dc8d99 100644
--- a/src/file_analysis/analyzer/pe/PE.cc
+++ b/src/file_analysis/analyzer/pe/PE.cc
@@ -18,6 +18,8 @@ PE::~PE()
 
 bool PE::DeliverStream(const u_char* data, uint64 len)
 	{
+	if ( conn->is_done() )
+		return true;
 	try
 		{
 		interp->NewData(data, data + len);
diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif
index b6ce808278..3e6bbf8faf 100644
--- a/src/file_analysis/analyzer/pe/events.bif
+++ b/src/file_analysis/analyzer/pe/events.bif
@@ -1,5 +1,11 @@
 event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
+
 event pe_dos_code%(f: fa_file, code: string%);
+
 event pe_file_header%(f: fa_file, h: PE::FileHeader%);
+
 event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
-event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
\ No newline at end of file
+
+event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
+
+event pe_import_entry%(f: fa_file, m: string, name: string%);
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index e227f9af0d..1baaf93947 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -174,13 +174,23 @@ refine flow File += {
 		return true;
 		%}
 
-
-	function proc_pe_file(): bool
+	function proc_import_entry(module_name: bytestring, i: import_entry): bool
 		%{
-		printf("PE file processed\n");
+		if ( pe_import_entry )
+			{
+			StringVal* name;
+			if ( ${i.name}.length() > 1 )
+				name = new StringVal(${i.name}.length() - 1, (const char*) ${i.name}.begin());
+			else
+				name = new StringVal(0, (const char*) ${i.name}.begin());
+			
+			BifEvent::generate_pe_import_entry((analyzer::Analyzer *) connection()->bro_analyzer(), 
+			                                   connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			                                   bytestring_to_val(${module_name}),
+				                           name);
+			}
 		return true;
 		%}
-
 };
 
 refine typeattr DOS_Header += &let {
@@ -204,10 +214,9 @@ refine typeattr Optional_Header += &let {
 };
 
 refine typeattr Section_Header += &let {
-	proc2: bool = $context.flow.proc_section_header(this);
+	proc: bool = $context.flow.proc_section_header(this);
 };
 
-refine typeattr PE_File += &let {
-	proc: bool = $context.flow.proc_pe_file();
+refine typeattr import_entry += &let {
+	proc: bool = $context.flow.proc_import_entry($context.connection.get_module_name(), this) &if(!is_module);
 };
-
diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac
index c732ed4001..05628917f4 100644
--- a/src/file_analysis/analyzer/pe/pe-file-headers.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac
@@ -39,7 +39,7 @@ type DOS_Code(len: uint32) = record {
 type NT_Headers = record {
 	PESignature     : uint32;
 	file_header     : File_Header;
-	optional_header : Optional_Header(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader;
+	optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
 } &let {
 	length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header);
 } &length=length;
@@ -56,7 +56,7 @@ type File_Header = record {
 };
 
 # The optional header gives us DLL link information, and some structural information
-type Optional_Header(len: uint16, number_of_sections: uint16) = record {
+type Optional_Header = record {
 	magic                   : uint16;
 	major_linker_version    : uint8;
 	minor_linker_version    : uint8;
@@ -68,11 +68,11 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record {
 	have_base_of_data: case pe_format of {
 		PE32    -> base_of_data: uint32;
 		default -> not_present:  empty;
-	};
+	} &requires(pe_format);
 	is_pe32: case pe_format of {
 		PE32_PLUS -> image_base_64: uint64;
 		default   -> image_base_32: uint32;
-	};
+	} &requires(pe_format);
 	section_alignment       : uint32;
 	file_alignment          : uint32;
 	os_version_major        : uint16;
@@ -91,14 +91,14 @@ type Optional_Header(len: uint16, number_of_sections: uint16) = record {
 		PE32      -> i32: Mem_Info32;
 		PE32_PLUS -> i64: Mem_Info64;
 		default -> InvalidPEFile : empty;
-	};
+	} &requires(pe_format);
 	loader_flags            : uint32;
 	number_of_rva_and_sizes : uint32;
 	rvas			: RVAS(number_of_rva_and_sizes);
 } &let {
 	pe_format: uint8 = $context.connection.set_pe32_format(magic);
 	image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32;
-} &length=len;
+};
 
 type Section_Headers(num: uint16) = record {
 	sections : Section_Header[num];
@@ -118,7 +118,7 @@ type Section_Header = record {
 	non_used_num_of_line_nums : uint16;
 	characteristics           : uint32;
 } &let {
-	proc: bool = $context.connection.proc_section(this);
+	add_section: bool = $context.connection.add_section(this);
 } &length=40;
 
 refine connection MockConnection += {
@@ -132,13 +132,13 @@ refine connection MockConnection += {
 		pe32_format_ = UNKNOWN_VERSION;;
 	%}
 
-	function proc_section(h: Section_Header): bool
+	function add_section(h: Section_Header): bool
 		%{
 		if ( ${h.size_of_raw_data} + ${h.ptr_to_raw_data} > max_file_location_ )
 			max_file_location_ = ${h.size_of_raw_data} + ${h.ptr_to_raw_data};
 		
-		if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} == import_table_rva_ )
-			import_table_va_ = ${h.ptr_to_raw_data};
+		if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} <= import_table_rva_ && ( ${h.virtual_addr} + ${h.virtual_size} ) > import_table_rva_ )
+			import_table_va_ = ${h.ptr_to_raw_data} + (import_table_rva_ - ${h.virtual_addr});
 		return true;
 		%}
 
diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac
index ec87ca6673..d3ce2e9ffd 100644
--- a/src/file_analysis/analyzer/pe/pe-file-idata.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac
@@ -29,12 +29,12 @@ type import_lookup_table = record {
 type import_entry(is_module: bool, pad_align: uint8) = record {
 	pad: bytestring &length=pad_align;
 	has_index: case is_module of {
-		true -> null: empty;
+		true  -> null: empty;
 		false -> index: uint16;
 	};
 	name: null_terminated_string;
 } &let {
-	proc: bool = $context.connection.proc_import_hint(name);
+	proc_align: bool = $context.connection.proc_import_hint(name, is_module);
 };
 
 type idata = record {
@@ -63,6 +63,9 @@ refine connection MockConnection += {
 		uint32 next_hint_index_;
 		uint8 next_hint_align_;
 		bool next_hint_is_module_;
+
+		// Track the module name, so we know what each import's for
+		bytestring module_name_;
 	%}
 
 	%init{
@@ -73,6 +76,12 @@ refine connection MockConnection += {
 		next_hint_is_module_ = true;
 		next_hint_index_ = 0;
 		next_hint_align_ = 0;
+
+		module_name_ = bytestring();
+	%}
+
+	%cleanup{
+		module_name_.free();
 	%}
 
 	# When we read the section header, store the relative virtual address and
@@ -101,10 +110,15 @@ refine connection MockConnection += {
 		%}		
 
 	# We need to calculate the length of the next padding field
-	function proc_import_hint(hint_name: bytestring): bool
+	function proc_import_hint(hint_name: bytestring, is_module: bool): bool
 		%{
 		next_hint_align_ = ${hint_name}.length() % 2;
-		printf("Imported %s\n", ${hint_name}.data());
+		if ( is_module && ${hint_name}.length() > 1 )
+			{
+			module_name_.clear();
+			module_name_.init(${hint_name}.data(), ${hint_name}.length() - 1);
+			}
+			
 		return true;
 		%}
 
@@ -129,6 +143,11 @@ refine connection MockConnection += {
 		return next_hint_index_ == imports_per_module_.size();
 		%}
 
+	function get_module_name(): bytestring
+		%{
+		return module_name_;
+		%}
+
 	function get_import_table_addr(): uint32
 		%{
 		return import_table_va_ > 0 ? import_table_va_ : 0;
diff --git a/src/file_analysis/analyzer/pe/pe-file-types.pac b/src/file_analysis/analyzer/pe/pe-file-types.pac
index 57020a88da..b2fa934dc4 100644
--- a/src/file_analysis/analyzer/pe/pe-file-types.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-types.pac
@@ -35,4 +35,3 @@ type Padding(length: uint64) = record {
 };
 
 type null_terminated_string = RE/[A-Za-z0-9.]+\x00/;
-
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 07129b878d..3d69256682 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -3,7 +3,12 @@
 %include pe-file-idata.pac
 
 # The base record for a Portable Executable file
-type PE_File = record {
+type PE_File = case $context.connection.is_done() of {
+	false -> PE      : Portable_Executable;
+	true  -> overlay : bytestring &length=1 &transient;
+};
+
+type Portable_Executable = record {
 	headers : Headers;
 	pad1	: Padding(iat_loc);
 	iat     : idata &length=$context.connection.get_import_table_len();
@@ -12,5 +17,27 @@ type PE_File = record {
 	unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length;
 	iat_loc: uint64 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
 	restofdata: uint64 = $context.connection.get_max_file_location() - $context.connection.get_import_table_addr() - $context.connection.get_import_table_len();
+	proc: bool = $context.connection.proc_pe(this);
 } &byteorder=littleendian;
 
+refine connection MockConnection += {
+
+	%member{
+		bool done_;
+	%}
+
+	%init{
+		done_ = false;
+	%}
+
+	function proc_pe(p: Portable_Executable): bool
+		%{
+		done_ = true;
+		return true;
+		%}
+
+	function is_done(): bool
+		%{
+		return done_;
+		%}
+};

From ea36686524b807916c34f0a8ed46fc3b62bdaf00 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 18:15:21 -0400
Subject: [PATCH 34/54] Remove the .idata parsing, as it can be more
 complicated in some cases.

---
 scripts/base/files/pe/main.bro                |  15 +-
 src/file_analysis/analyzer/pe/pe-analyzer.pac |  24 +--
 .../analyzer/pe/pe-file-headers.pac           |   4 +-
 .../analyzer/pe/pe-file-idata.pac             | 171 ------------------
 src/file_analysis/analyzer/pe/pe-file.pac     |   8 +-
 5 files changed, 16 insertions(+), 206 deletions(-)
 delete mode 100644 src/file_analysis/analyzer/pe/pe-file-idata.pac

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index cb2004deff..bbe0846f04 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -29,10 +29,13 @@ export {
 		section_names:       vector of string  &log &optional;
 	};
 
-
 	global set_file: hook(f: fa_file);
 }
 
+redef record Info += {
+	confirmed: bool &default=F;
+};
+
 redef record fa_file += {
 	pe: Info &optional;
 };
@@ -75,6 +78,12 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 	{
 	hook set_file(f);
+
+	if ( h$magic == 0x10b || h$magic == 0x20b )
+		f$pe$confirmed = T;
+	else
+		return;
+		
 	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
 	f$pe$subsystem = windows_subsystems[h$subsystem];
 	for ( c in h$dll_characteristics )
@@ -99,9 +108,9 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 	f$pe$section_names[|f$pe$section_names|] = h$name;
 	}
 
-event file_state_remove(f: fa_file)
+event file_state_remove(f: fa_file) &priority=-5
 	{
-	if ( f?$pe )
+	if ( f?$pe && f$pe$confirmed )
 		Log::write(LOG, f$pe);
 	}
 
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 1baaf93947..1c61241684 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -98,8 +98,8 @@ refine flow File += {
 		     ${h.magic} != 0x107 &&  // rom image
 		     ${h.magic} != 0x20b )   // pe32+ executable
 			{
-			return false;
 			// FileViolation("PE Optional Header magic is invalid.");
+			return false;
 			}
 
 		if ( pe_optional_header )
@@ -173,24 +173,6 @@ refine flow File += {
 			}
 		return true;
 		%}
-
-	function proc_import_entry(module_name: bytestring, i: import_entry): bool
-		%{
-		if ( pe_import_entry )
-			{
-			StringVal* name;
-			if ( ${i.name}.length() > 1 )
-				name = new StringVal(${i.name}.length() - 1, (const char*) ${i.name}.begin());
-			else
-				name = new StringVal(0, (const char*) ${i.name}.begin());
-			
-			BifEvent::generate_pe_import_entry((analyzer::Analyzer *) connection()->bro_analyzer(), 
-			                                   connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-			                                   bytestring_to_val(${module_name}),
-				                           name);
-			}
-		return true;
-		%}
 };
 
 refine typeattr DOS_Header += &let {
@@ -216,7 +198,3 @@ refine typeattr Optional_Header += &let {
 refine typeattr Section_Header += &let {
 	proc: bool = $context.flow.proc_section_header(this);
 };
-
-refine typeattr import_entry += &let {
-	proc: bool = $context.flow.proc_import_entry($context.connection.get_module_name(), this) &if(!is_module);
-};
diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac
index 05628917f4..adf0ce575d 100644
--- a/src/file_analysis/analyzer/pe/pe-file-headers.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac
@@ -136,9 +136,7 @@ refine connection MockConnection += {
 		%{
 		if ( ${h.size_of_raw_data} + ${h.ptr_to_raw_data} > max_file_location_ )
 			max_file_location_ = ${h.size_of_raw_data} + ${h.ptr_to_raw_data};
-		
-		if ( ${h.virtual_addr} > 0 && ${h.virtual_addr} <= import_table_rva_ && ( ${h.virtual_addr} + ${h.virtual_size} ) > import_table_rva_ )
-			import_table_va_ = ${h.ptr_to_raw_data} + (import_table_rva_ - ${h.virtual_addr});
+
 		return true;
 		%}
 
diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac
deleted file mode 100644
index d3ce2e9ffd..0000000000
--- a/src/file_analysis/analyzer/pe/pe-file-idata.pac
+++ /dev/null
@@ -1,171 +0,0 @@
-## Support for parsing the .idata section
-
-type import_directory = record {
-	rva_import_lookup_table : uint32;
-	time_date_stamp         : uint32;
-	forwarder_chain         : uint32;
-	rva_module_name         : uint32;
-	rva_import_addr_table   : uint32;
-} &let {
-	is_null: bool = rva_module_name == 0;
-	proc: bool = $context.connection.proc_image_import_directory(this);
-} &length=20;
-
-type import_lookup_attrs(pe32_format: uint8) = record {
-	is_pe32_plus: case pe32_format of {
-		PE32_PLUS -> attrs_64: uint64;
-		default   -> attrs_32: uint32;
-	};
-} &let {
-	attrs: uint64 = (pe32_format == PE32_PLUS) ? attrs_64 : attrs_32;
-} &length=(pe32_format == PE32_PLUS ? 8 : 4);
-
-type import_lookup_table = record {
-	attrs: import_lookup_attrs($context.connection.get_pe32_format())[] &until($element.attrs == 0);
-} &let {
-	proc: bool = $context.connection.proc_import_lookup_table(this);
-};
-
-type import_entry(is_module: bool, pad_align: uint8) = record {
-	pad: bytestring &length=pad_align;
-	has_index: case is_module of {
-		true  -> null: empty;
-		false -> index: uint16;
-	};
-	name: null_terminated_string;
-} &let {
-	proc_align: bool = $context.connection.proc_import_hint(name, is_module);
-};
-
-type idata = record {
-	directory_table : import_directory[] &until $element.is_null;
-	lookup_tables   : import_lookup_table[] &until $context.connection.get_num_imports() <= 0;
-	hint_table	: import_entry($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done());
-};
-
-refine typeattr RVAS += &let {
-	proc: bool = $context.connection.proc_idata_rva(rvas[1]) &if (num > 1);
-};
-
-refine connection MockConnection += {
-	%member{
-		uint8 num_imports_;        // How many import tables will we have?
-
-		uint32 import_table_rva_;  // Used for finding the right section
-		uint32 import_table_va_;
-		uint32 import_table_len_;
-
-		// We need to track the number of imports for each, to
-		// know when we've parsed them all.  
-		vector<uint32> imports_per_module_;
-
-		// These are to determine the alignment of the import hints
-		uint32 next_hint_index_;
-		uint8 next_hint_align_;
-		bool next_hint_is_module_;
-
-		// Track the module name, so we know what each import's for
-		bytestring module_name_;
-	%}
-
-	%init{
-		// It ends with a null import entry, so we'll set it to -1.
-		num_imports_ = -1;
-
-		// First hint is a module name.
-		next_hint_is_module_ = true;
-		next_hint_index_ = 0;
-		next_hint_align_ = 0;
-
-		module_name_ = bytestring();
-	%}
-
-	%cleanup{
-		module_name_.free();
-	%}
-
-	# When we read the section header, store the relative virtual address and
-	# size of the .idata section, so we know when we get there.
-	function proc_idata_rva(r: RVA): bool
-		%{
-		import_table_rva_ = ${r.virtual_address};
-		import_table_len_ = ${r.size};
-
-		return true;
-		%}
-
-	# Each import directory means another module we're importing from.
-	function proc_image_import_directory(i: import_directory): bool
-		%{
-		num_imports_++;
-		return true;
-		%}
-
-	# Store the number of functions imported in each module lookup table.
-	function proc_import_lookup_table(t: import_lookup_table): bool
-		%{
-		--num_imports_;
-		imports_per_module_.push_back(${t.attrs}->size());
-		return true;
-		%}		
-
-	# We need to calculate the length of the next padding field
-	function proc_import_hint(hint_name: bytestring, is_module: bool): bool
-		%{
-		next_hint_align_ = ${hint_name}.length() % 2;
-		if ( is_module && ${hint_name}.length() > 1 )
-			{
-			module_name_.clear();
-			module_name_.init(${hint_name}.data(), ${hint_name}.length() - 1);
-			}
-			
-		return true;
-		%}
-
-	# Functions have an index field, modules don't. Which one is this?
-	function get_next_hint_type(): bool
-		%{
-		if ( next_hint_is_module_ )
-			{
-			next_hint_is_module_ = false;
-			return true;
-			}
-		if ( --imports_per_module_[next_hint_index_] == 0)
-			{
-			++next_hint_index_;
-			return true;
-			}
-		return false;
-		%}
-
-	function imports_done(): bool
-		%{
-		return next_hint_index_ == imports_per_module_.size();
-		%}
-
-	function get_module_name(): bytestring
-		%{
-		return module_name_;
-		%}
-
-	function get_import_table_addr(): uint32
-		%{
-		return import_table_va_ > 0 ? import_table_va_ : 0;
-		%}
-
-	function get_import_table_len(): uint32
-		%{
-		return import_table_va_ > 0 ? import_table_len_ : 0;
-		%}
-
-	function get_num_imports(): uint8
-		%{
-		return num_imports_;
-		%}		
-
-	function get_next_hint_align(): uint8
-		%{
-		return next_hint_align_;
-		%}		
-
-};
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 3d69256682..64902e9e9f 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -1,6 +1,5 @@
 %include pe-file-types.pac
 %include pe-file-headers.pac
-%include pe-file-idata.pac
 
 # The base record for a Portable Executable file
 type PE_File = case $context.connection.is_done() of {
@@ -10,13 +9,10 @@ type PE_File = case $context.connection.is_done() of {
 
 type Portable_Executable = record {
 	headers : Headers;
-	pad1	: Padding(iat_loc);
-	iat     : idata &length=$context.connection.get_import_table_len();
-	pad2    : Padding(restofdata);
+	pad     : Padding(restofdata);
 } &let {
 	unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length;
-	iat_loc: uint64 = $context.connection.get_import_table_addr() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
-	restofdata: uint64 = $context.connection.get_max_file_location() - $context.connection.get_import_table_addr() - $context.connection.get_import_table_len();
+	restofdata: uint64 = $context.connection.get_max_file_location() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
 	proc: bool = $context.connection.proc_pe(this);
 } &byteorder=littleendian;
 

From a2eff14e0598fd8c7ea88f3d94fbde5b75834a18 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 18:41:32 -0400
Subject: [PATCH 35/54] Add data about which tables are present.

---
 scripts/base/files/pe/main.bro                |  5 +++++
 scripts/base/init-bare.bro                    |  3 ++-
 src/file_analysis/analyzer/pe/pe-analyzer.pac | 21 +++++++++++++++++--
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index bbe0846f04..db4d9e41d4 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -97,6 +97,11 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 		if ( c == 0x400 )
 			f$pe$uses_seh = F;
 		}
+
+	f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0);
+	f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0);
+	f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0);
+	f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0);
 	}
 
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 2b8ed021b4..3babb1ded5 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2603,7 +2603,8 @@ type PE::OptionalHeader: record {
 	subsystem               : count;
 	dll_characteristics     : set[count];
 	loader_flags            : count;
-	number_of_rva_and_sizes : count;
+	rvas                    : vector of count;
+	
 };
 
 ## Record for Portable Executable (PE) section headers.
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index 1c61241684..fd3ee5b0e2 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -1,10 +1,25 @@
-
 %extern{
 #include "Event.h"
 #include "file_analysis/File.h"
 #include "events.bif.h"
 %}
 
+%header{
+VectorVal* process_rvas(const RVAS* rvas, const uint16 size);
+%}
+
+%code{
+VectorVal* process_rvas(const RVAS* rva_table, const uint16 size)
+	{
+	VectorVal* rvas = new VectorVal(internal_type("index_vec")->AsVectorType());
+	for ( uint16 i=0; i < size; ++i )
+		rvas->Assign(i, new Val((*rva_table->rvas())[i]->size(), TYPE_COUNT));
+
+	return rvas;
+	}
+%}
+
+
 refine flow File += {
 
 	function characteristics_to_bro(c: uint32, len: uint8): TableVal
@@ -134,7 +149,9 @@ refine flow File += {
 			oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT));
 			oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
 			oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
-			oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT));
+
+			oh->Assign(25, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes}));
+			
 			BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                      connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                      oh);

From d4bd5672c06d1a39cb97d3044556d229b237f4b8 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 20:21:49 -0400
Subject: [PATCH 36/54] Documentation and a bit of overall cleanup.

---
 scripts/base/files/pe/main.bro                |  69 ++++---
 scripts/base/init-bare.bro                    |  99 ++++++++--
 src/file_analysis/analyzer/pe/events.bif      |  50 ++++-
 src/file_analysis/analyzer/pe/pe-analyzer.pac |  17 +-
 .../analyzer/pe/pe-file-headers.pac           |   9 +-
 .../analyzer/pe/pe-file-idata.pac             | 183 ++++++++++++++++++
 src/file_analysis/analyzer/pe/pe-file.pac     |   4 +-
 7 files changed, 375 insertions(+), 56 deletions(-)
 create mode 100644 src/file_analysis/analyzer/pe/pe-file-idata.pac

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index db4d9e41d4..8577d24078 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -1,48 +1,75 @@
-
 module PE;
 
 export {
 	redef enum Log::ID += { LOG };
 
 	type Info: record {
+		## Current timestamp.
 		ts:                  time              &log;
-		fuid:                string            &log;
+
+		## File id of this portable executable file.
+		id:                  string            &log;
+
+		## The target machine that the file was compiled for.
 		machine:             string            &log &optional;
+
+		## The time that the file was created at.
 		compile_ts:          time              &log &optional;
+
+		## The required operating system.
 		os:                  string            &log &optional;
+
+		## The subsystem that is required to run this file.
 		subsystem:           string            &log &optional;
 
-	 	is_exe:              bool              &log &default=F;
-		is_dll:              bool              &log &default=F;
+		## Is the file an executable, or just an object file?
+	        is_exe:              bool              &log &default=T;
+
+		## Is the file a 64-bit executable?
 	        is_64bit:            bool              &log &default=T;
 
+		## Does the file support Address Space Layout Randomization?
 		uses_aslr:           bool              &log &default=F;
+
+		## Does the file support Data Execution Prevention?
 	        uses_dep:            bool              &log &default=F;
+
+		## Does the file enforce code integrity checks?
 	        uses_code_integrity: bool              &log &default=F;
+
+		## Does the file use structured exception handing?
 	        uses_seh:            bool              &log &default=T;
 	        
+		## Does the file have an import table?
 		has_import_table:    bool              &log &optional;
+
+		## Does the file have an export table?
 	        has_export_table:    bool              &log &optional;
+
+		## Does the file have an attribute certificate table?
 	        has_cert_table:      bool              &log &optional;
+
+		## Does the file have a debug table?
 	        has_debug_data:      bool              &log &optional;
 		
+		## The names of the sections, in order.
 		section_names:       vector of string  &log &optional;
 	};
 
+	## Event for accessing logged records.
+	global log_pe: event(rec: Info);
+
+ 	## A hook that gets called when we first see a PE file.
 	global set_file: hook(f: fa_file);
 }
 
-redef record Info += {
-	confirmed: bool &default=F;
-};
-
 redef record fa_file += {
 	pe: Info &optional;
 };
 
 event bro_init() &priority=5
 	{
-	Log::create_stream(LOG, [$columns=Info]);
+	Log::create_stream(LOG, [$columns=Info, $ev=log_pe]);
 	}
 
 hook set_file(f: fa_file) &priority=5
@@ -50,7 +77,7 @@ hook set_file(f: fa_file) &priority=5
 	if ( ! f?$pe )
 		{
 		local c: set[string] = set();
-		f$pe = [$ts=network_time(), $fuid=f$id];
+		f$pe = [$ts=network_time(), $id=f$id];
 		}
 	}
 
@@ -62,26 +89,20 @@ event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 	{
 	hook set_file(f);
+	f$pe$is_exe = h$optional_header_size > 0;
 	f$pe$compile_ts = h$ts;
 	f$pe$machine    = machine_types[h$machine];
 	for ( c in h$characteristics )
 		{
-		if ( c == 0x2 )
-			f$pe$is_exe = T;
 		if ( c == 0x100 )
 			f$pe$is_64bit = F;
-		if ( c == 0x2000 )
-			f$pe$is_dll = T;
 		}
 	}
 
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 	{
 	hook set_file(f);
-
-	if ( h$magic == 0x10b || h$magic == 0x20b )
-		f$pe$confirmed = T;
-	else
+	if ( ! f$pe$is_exe )
 		return;
 		
 	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
@@ -98,15 +119,17 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 			f$pe$uses_seh = F;
 		}
 
-	f$pe$has_export_table = (|h$rvas| > 0 && h$rvas[0] > 0);
-	f$pe$has_import_table = (|h$rvas| > 1 && h$rvas[1] > 0);
-	f$pe$has_cert_table = (|h$rvas| > 4 && h$rvas[4] > 0);
-	f$pe$has_debug_data = (|h$rvas| > 6 && h$rvas[6] > 0);
+	f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0);
+	f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0);
+	f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
+	f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
 	}
 
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 	{
 	hook set_file(f);
+	if ( ! f$pe$is_exe )
+		return;
 
 	if ( ! f$pe?$section_names )
 		f$pe$section_names = vector();
@@ -115,7 +138,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 
 event file_state_remove(f: fa_file) &priority=-5
 	{
-	if ( f?$pe && f$pe$confirmed )
+	if ( f?$pe )
 		Log::write(LOG, f$pe);
 	}
 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 3babb1ded5..8034d1ec67 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2550,75 +2550,138 @@ type irc_join_list: set[irc_join_info];
 module PE;
 export {
 type PE::DOSHeader: record {
+	## The magic number of a portable executable file ("MZ").
 	signature                : string;
+	## The number of bytes in the last page that are used.
 	used_bytes_in_last_page  : count;
+	## The number of pages in the file that are part of the PE file itself.
 	file_in_pages            : count;
+	## Number of relocation entries stored after the header.
 	num_reloc_items          : count;
+	## Number of paragraphs in the header.
 	header_in_paragraphs     : count;
+	## Number of paragraps of additional memory that the program will need.
 	min_extra_paragraphs     : count;
+	## Maximum number of paragraphs of additional memory.
 	max_extra_paragraphs     : count;
+	## Relative value of the stack segment.
 	init_relative_ss         : count;
+	## Initial value of the SP register.
 	init_sp                  : count;
+	## Checksum. The 16-bit sum of all words in the file should be 0. Normally not set.
 	checksum                 : count;
+	## Initial value of the IP register.
 	init_ip                  : count;
+	## Initial value of the CS register (relative to the initial segment).
 	init_relative_cs         : count;
+	## Offset of the first relocation table.
 	addr_of_reloc_table      : count;
+	## Overlays allow you to append data to the end of the file. If this is the main program,
+	## this will be 0.
 	overlay_num              : count;
+	## OEM identifier.
 	oem_id                   : count;
+	## Additional OEM info, specific to oem_id.
 	oem_info                 : count;
+	## Address of the new EXE header.
 	addr_of_new_exe_header   : count;
 };
 
 type PE::FileHeader: record {
-	machine         : count;
-	ts              : time;
-	sym_table_ptr   : count;
-	num_syms        : count;
-	characteristics : set[count];
+	## The target machine that the file was compiled for.
+	machine              : count;
+	## The time that the file was created at.
+	ts                   : time;
+	## Pointer to the symbol table.
+	sym_table_ptr        : count;
+	## Number of symbols.
+	num_syms             : count;
+	## The size of the optional header.
+	optional_header_size : count;
+	## Bit flags that determine if this file is executable, non-relocatable, and/or a DLL.
+	characteristics      : set[count];
 };
 
 type PE::OptionalHeader: record {
+	## PE32 or PE32+ indicator.
 	magic                   : count;
+	## The major version of the linker used to create the PE.
 	major_linker_version    : count;
+	## The minor version of the linker used to create the PE.
 	minor_linker_version    : count;
+	## Size of the .text section.
 	size_of_code            : count;
+	## Size of the .data section.
 	size_of_init_data       : count;
+	## Size of the .bss section.
 	size_of_uninit_data     : count;
+	## The relative virtual address (RVA) of the entry point.
 	addr_of_entry_point     : count;
+	## The relative virtual address (RVA) of the .text section.
 	base_of_code            : count;
+	## The relative virtual address (RVA) of the .data section.	
 	base_of_data            : count &optional;
+	## Preferred memory location for the image to be based at.
 	image_base              : count;
+	## The alignment (in bytes) of sections when they're loaded in memory.
 	section_alignment       : count;
+	## The alignment (in bytes) of the raw data of sections.
 	file_alignment          : count;
+	## The major version of the required OS.
 	os_version_major        : count;
+	## The minor version of the required OS.
 	os_version_minor        : count;
+	## The major version of this image.
 	major_image_version     : count;
+	## The minor version of this image.
 	minor_image_version     : count;
+	## The major version of the subsystem required to run this file.
 	major_subsys_version    : count;
+	## The minor version of the subsystem required to run this file.
 	minor_subsys_version    : count;
-	win32_version           : count;
+	## The size (in bytes) of the iamge as the image is loaded in memory.
 	size_of_image           : count;
+	## The size (in bytes) of the headers, rounded up to file_alignment.
 	size_of_headers         : count;
+	## The image file checksum.
 	checksum                : count;
+	## The subsystem that's required to run this image.
 	subsystem               : count;
+	## Bit flags that determine how to execute or load this file.
 	dll_characteristics     : set[count];
-	loader_flags            : count;
-	rvas                    : vector of count;
+	## A vector with the sizes of various tables and strings that are
+	## defined in the optional header data directories. Examples include
+	## the import table, the resource table, and debug information.
+	table_sizes             : vector of count;
 	
 };
 
 ## Record for Portable Executable (PE) section headers.
 type PE::SectionHeader: record {
-	name                      : string;
-	virtual_size              : count;
-	virtual_addr              : count;
-	size_of_raw_data          : count;
-	ptr_to_raw_data           : count;
-	non_used_ptr_to_relocs    : count;
-	non_used_ptr_to_line_nums : count;
-	non_used_num_of_relocs    : count;
-	non_used_num_of_line_nums : count;
-	characteristics           : set[count];
+	## The name of the section
+	name             : string;
+	## The total size of the section when loaded into memory.
+	virtual_size     : count;
+	## The relative virtual address (RVA) of the section.
+	virtual_addr     : count;
+	## The size of the initialized data for the section, as it is
+	## in the file on disk.
+	size_of_raw_data : count;
+	## The virtual address of the initialized dat for the section,
+	## as it is in the file on disk.
+	ptr_to_raw_data  : count;
+	## The file pointer to the beginning of relocation entries for
+	## the section.
+	ptr_to_relocs    : count;
+	## The file pointer to the beginning of line-number entries for
+	## the section.
+	ptr_to_line_nums : count;
+	## The number of relocation entries for the section.
+	num_of_relocs    : count;
+	## The number of line-number entrie for the section.
+	num_of_line_nums : count;
+	## Bit-flags that describe the characteristics of the section.
+	characteristics  : set[count];
 };
 }
 module GLOBAL;
diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif
index 3e6bbf8faf..c804937c49 100644
--- a/src/file_analysis/analyzer/pe/events.bif
+++ b/src/file_analysis/analyzer/pe/events.bif
@@ -1,11 +1,57 @@
+## A :abbr:`PE (Portable Executable)` file DOS header was parsed.
+## This is the top-level header and contains information like the
+## size of the file, initial value of registers, etc.
+##
+## f: The file.
+##
+## h: The parsed DOS header information.
+##
+## .. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
 event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
 
+## A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
+## The stub is a valid application that runs under MS-DOS, by default
+## to inform the user that the program can't be run in DOS mode.
+##
+## f: The file.
+##
+## code: The DOS stub
+##
+## .. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
 event pe_dos_code%(f: fa_file, code: string%);
 
+## A :abbr:`PE (Portable Executable)` file file header was parsed.
+## This header contains information like the target machine,
+## the timestamp when the file was created, the number of sections, and
+## pointers to other parts of the file.
+##
+## f: The file.
+##
+## h: The parsed file header information.
+##
+## .. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
 event pe_file_header%(f: fa_file, h: PE::FileHeader%);
 
+## A :abbr:`PE (Portable Executable)` file optional header was parsed.
+## This header is required for executable files, but not for object files.
+## It contains information like OS requirements to execute the file, the
+## original entry point address, and information needed to load the file
+## into memory.
+##
+## f: The file.
+##
+## h: The parsed optional header information.
+##
+## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
 event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
 
+## A :abbr:`PE (Portable Executable)` file section header was parsed.
+## This header contains information like the section name, size, address,
+## and characteristics.
+##
+## f: The file.
+##
+## h: The parsed section header information.
+##
+## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
 event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
-
-event pe_import_entry%(f: fa_file, m: string, name: string%);
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index fd3ee5b0e2..874a142ba8 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -98,7 +98,8 @@ refine flow File += {
 			fh->Assign(1, new Val(static_cast<double>(${h.TimeDateStamp}), TYPE_TIME));
 			fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT));
 			fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT));
-			fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16));
+			fh->Assign(4, new Val(${h.SizeOfOptionalHeader}, TYPE_COUNT));
+			fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16));
 			BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                  connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                  fh);
@@ -142,15 +143,13 @@ refine flow File += {
 			oh->Assign(15, new Val(${h.minor_image_version}, TYPE_COUNT));
 			oh->Assign(16, new Val(${h.minor_subsys_version}, TYPE_COUNT));
 			oh->Assign(17, new Val(${h.minor_subsys_version}, TYPE_COUNT));
-			oh->Assign(18, new Val(${h.win32_version}, TYPE_COUNT));
-			oh->Assign(19, new Val(${h.size_of_image}, TYPE_COUNT));
-			oh->Assign(20, new Val(${h.size_of_headers}, TYPE_COUNT));
-			oh->Assign(21, new Val(${h.checksum}, TYPE_COUNT));
-			oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT));
-			oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
-			oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
+			oh->Assign(18, new Val(${h.size_of_image}, TYPE_COUNT));
+			oh->Assign(19, new Val(${h.size_of_headers}, TYPE_COUNT));
+			oh->Assign(20, new Val(${h.checksum}, TYPE_COUNT));
+			oh->Assign(21, new Val(${h.subsystem}, TYPE_COUNT));
+			oh->Assign(22, characteristics_to_bro(${h.dll_characteristics}, 16));
 
-			oh->Assign(25, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes}));
+			oh->Assign(23, process_rvas(${h.rvas}, ${h.number_of_rva_and_sizes}));
 			
 			BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                      connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac
index adf0ce575d..a3d46dc72e 100644
--- a/src/file_analysis/analyzer/pe/pe-file-headers.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac
@@ -39,9 +39,14 @@ type DOS_Code(len: uint32) = record {
 type NT_Headers = record {
 	PESignature     : uint32;
 	file_header     : File_Header;
-	optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
+	have_opt_header : case file_header.SizeOfOptionalHeader of {
+		0       -> none: empty;
+		default -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
+		};
 } &let {
-	length: uint32 = file_header.SizeOfOptionalHeader+offsetof(optional_header);
+	length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header);
+	is_exe: bool = file_header.SizeOfOptionalHeader > 0;
+	size_of_headers: uint32 = is_exe ? optional_header.size_of_headers : 0;
 } &length=length;
 
 # The file header is mainly self-describing
diff --git a/src/file_analysis/analyzer/pe/pe-file-idata.pac b/src/file_analysis/analyzer/pe/pe-file-idata.pac
new file mode 100644
index 0000000000..589bcc68ad
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/pe-file-idata.pac
@@ -0,0 +1,183 @@
+## Support for parsing the .idata section
+
+type import_directory = record {
+	rva_import_lookup_table : uint32;
+	time_date_stamp         : uint32;
+	forwarder_chain         : uint32;
+	rva_module_name         : uint32;
+	rva_import_addr_table   : uint32;
+} &let {
+	is_null: bool = rva_module_name == 0;
+	proc: bool = $context.connection.proc_image_import_directory(this);
+} &length=20;
+
+type import_lookup_attrs(pe32_format: uint8) = record {
+	is_pe32_plus: case pe32_format of {
+		PE32_PLUS -> attrs_64: uint64;
+		default   -> attrs_32: uint32;
+	};
+} &let {
+	import_by_ordinal: bool = (pe32_format == PE32_PLUS) ? (attrs_64 & 0x8000000000000000) > 1: (attrs_32 & 0x80000000) > 1;
+	attrs: uint64 = (pe32_format == PE32_PLUS) ? attrs_64 : attrs_32;
+	ordinal: uint16 = attrs & 0xff;
+	hint_rva: uint32 = attrs & 0xffff;
+	proc9000: bool = $context.connection.proc_import_lookup_attrs(this);
+} &length=(pe32_format == PE32_PLUS ? 8 : 4);
+
+type import_lookup_table = record {
+	attrs: import_lookup_attrs($context.connection.get_pe32_format())[] &until($element.attrs == 0);
+} &let {
+	proc: bool = $context.connection.proc_import_lookup_table(this);
+};
+
+type import_entry(is_module: bool, pad_align: uint8) = record {
+	pad: bytestring &length=pad_align;
+	has_index: case is_module of {
+		true  -> null: empty;
+		false -> index: uint16;
+	};
+	name: null_terminated_string;
+} &let {
+	proc_align: bool = $context.connection.proc_import_hint(name, is_module);
+};
+
+type idata = record {
+	directory_table : import_directory[] &until $element.is_null;
+	lookup_tables   : import_lookup_table[] &until $context.connection.get_num_imports() <= 0;
+	hint_table	: import_entry($context.connection.get_next_hint_type(), $context.connection.get_next_hint_align())[] &until($context.connection.imports_done());
+};
+
+refine typeattr RVAS += &let {
+	proc_import_table: bool = $context.connection.proc_idata_rva(rvas[1]) &if (num > 1);
+};
+
+refine connection MockConnection += {
+	%member{
+		uint8 num_imports_;        // How many import tables will we have?
+
+		uint32 import_table_rva_;  // Used for finding the right section
+		uint32 import_table_va_;
+		uint32 import_table_len_;
+
+		// We need to track the number of imports for each, to
+		// know when we've parsed them all.  
+		vector<uint32> imports_per_module_;
+
+		// These are to determine the alignment of the import hints
+		uint32 next_hint_index_;
+		uint8 next_hint_align_;
+		bool next_hint_is_module_;
+
+		// Track the module name, so we know what each import's for
+		bytestring module_name_;
+	%}
+
+	%init{
+		// It ends with a null import entry, so we'll set it to -1.
+		num_imports_ = -1;
+
+		// First hint is a module name.
+		next_hint_is_module_ = true;
+		next_hint_index_ = 0;
+		next_hint_align_ = 0;
+
+		module_name_ = bytestring();
+	%}
+
+	%cleanup{
+		module_name_.free();
+	%}
+
+	# When we read the section header, store the relative virtual address and
+	# size of the .idata section, so we know when we get there.
+	function proc_idata_rva(r: RVA): bool
+		%{
+		import_table_rva_ = ${r.virtual_address};
+		import_table_len_ = ${r.size};
+
+		return true;
+		%}
+
+	# Each import directory means another module we're importing from.
+	function proc_image_import_directory(i: import_directory): bool
+		%{
+		printf("Parsed import directory. name@%x, IAT@%x\n", ${i.rva_module_name}, ${i.rva_import_addr_table});
+		num_imports_++;
+		return true;
+		%}
+
+	# Store the number of functions imported in each module lookup table.
+	function proc_import_lookup_table(t: import_lookup_table): bool
+		%{
+		--num_imports_;
+		imports_per_module_.push_back(${t.attrs}->size());
+		return true;
+		%}		
+
+	function proc_import_lookup_attrs(t: import_lookup_attrs): bool
+		%{
+		printf("Parsed import lookup attrs. Hints @%x\n", ${t.hint_rva});
+		return true;
+		%}		
+
+	# We need to calculate the length of the next padding field
+	function proc_import_hint(hint_name: bytestring, is_module: bool): bool
+		%{
+		printf("Parsed import hint\n");
+		next_hint_align_ = ${hint_name}.length() % 2;
+		if ( is_module && ${hint_name}.length() > 1 )
+			{
+			module_name_.clear();
+			module_name_.init(${hint_name}.data(), ${hint_name}.length() - 1);
+			}
+			
+		return true;
+		%}
+
+	# Functions have an index field, modules don't. Which one is this?
+	function get_next_hint_type(): bool
+		%{
+		if ( next_hint_is_module_ )
+			{
+			next_hint_is_module_ = false;
+			return true;
+			}
+		if ( --imports_per_module_[next_hint_index_] == 0)
+			{
+			++next_hint_index_;
+			return true;
+			}
+		return false;
+		%}
+
+	function imports_done(): bool
+		%{
+		return next_hint_index_ == imports_per_module_.size();
+		%}
+
+	function get_module_name(): bytestring
+		%{
+		return module_name_;
+		%}
+
+	function get_import_table_addr(): uint32
+		%{
+		return import_table_va_ > 0 ? import_table_va_ : 0;
+		%}
+
+	function get_import_table_len(): uint32
+		%{
+		return import_table_va_ > 0 ? import_table_len_ : 0;
+		%}
+
+	function get_num_imports(): uint8
+		%{
+		return num_imports_;
+		%}		
+
+	function get_next_hint_align(): uint8
+		%{
+		return next_hint_align_;
+		%}		
+
+};
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 64902e9e9f..0cb308b17e 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -11,8 +11,8 @@ type Portable_Executable = record {
 	headers : Headers;
 	pad     : Padding(restofdata);
 } &let {
-	unparsed_hdr_len: uint32 = headers.pe_header.optional_header.size_of_headers - headers.length;
-	restofdata: uint64 = $context.connection.get_max_file_location() - headers.pe_header.optional_header.size_of_headers + unparsed_hdr_len;
+	unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length;
+	restofdata: uint64 = headers.pe_header.is_exe ? $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len : 0;
 	proc: bool = $context.connection.proc_pe(this);
 } &byteorder=littleendian;
 

From 93b84463f5f34d8958cb3294ac42b5bcd4e1ef3b Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 20:22:42 -0400
Subject: [PATCH 37/54] Add a PE memleak test, and fix a memleak.

---
 src/file_analysis/analyzer/pe/PE.cc |   1 +
 testing/btest/Traces/pe/pe.trace    | Bin 0 -> 415586 bytes
 testing/btest/core/leaks/pe.test    |  12 ++++++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 testing/btest/Traces/pe/pe.trace
 create mode 100644 testing/btest/core/leaks/pe.test

diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc
index 6df2dc8d99..44464a3a5d 100644
--- a/src/file_analysis/analyzer/pe/PE.cc
+++ b/src/file_analysis/analyzer/pe/PE.cc
@@ -14,6 +14,7 @@ PE::PE(RecordVal* args, File* file)
 PE::~PE()
 	{
 	delete interp;
+	delete conn;
 	}
 
 bool PE::DeliverStream(const u_char* data, uint64 len)
diff --git a/testing/btest/Traces/pe/pe.trace b/testing/btest/Traces/pe/pe.trace
new file mode 100644
index 0000000000000000000000000000000000000000..c70c9e6afe69f5172fd9bfa7afbf81be4244c553
GIT binary patch
literal 415586
zcmeEv3tZGy`uCX&!!R=p!!Qt;j+5DBqJ&^3riMB*fFX>4Lv|rAfCG79VFt7{#4v4~
z@XxkwyUyEIu6uFYn{VqD-6>tMZ7Z|3b*pvFTz3f9$P7u5-}`;e?>EB?7~B8<UOxN(
zyr93^xjg4N&pFTKJm)g+?SFcgoGDr8PY@WB;p6Y8vzFA((6K_i)5Ru^+tRe*(D825
zcmJklcE)nXjm=>>s(`Lzk8C_H%lYS6^8N0q%PH|*xgfOsl`*+8W}i%<h>^+En(|fG
zw^5u@E<)b|=nL^pmk3uZgF~N<0s#HlDFm5HV9Dp7`{%UR6ewZElg62CEia4Em2$O4
zGw(N(2|7xOCA?qxRy>;zsB{g(dwRy51bOSxA$YF<bY-)_ki76IP(Z}@4T4M%_x~!M
zxd4o=VYue4nL!ZqKOKUrl5lNKWp%Pt5h9>X2cB<aW@cC>HPkywofVd>^o;b(>*F<4
z%KE2A!dthLN_pzT%ix{L@vaEt{RNdo5SQ$WXT`vou3?n0jj1JwkL|lG#8gA_YwMyR
zE-A4WTb8d~w|2vtb>4ar=etlsh}Od>GkwiXoHCb&P$m_WscSZ{x|V06DDws3Tn~t-
z3crRybgh}mA%1XKh@iFcm(dWjvZh&_t1Fk+S6b?8D_2%mZLoOUm6qD&_4SSG>MGL3
zT3r9!U@eBxY5KLTROWYnHiS-f=rOZEdDFtoFrChYDBt)(JS##i=o$ub-c#!cqOSe2
z5K|4NyX&GMI_H&?Sf)0vs`TWD2*=ITk3{xtPNa)Nh%^gi-!z2mGtnW>odVf2w#eC1
z;7ZppvfsL97KixBWg&v>>rG*@7ZJqFtPD%Rx>eO{E%n}&D=X{ktGug0YbvPyb$J-|
zVU(HP-ADz!@!}B5YyzzpgVsrTUxX+#`Ag8ch#>a8Cuey;o33FHXDz>#ATA-)BjuC`
zG1ZXty{XX<OO}?DikQayX%N$4B$>YEW=@i?hLB`2i2T41A}=mqHTg@z^cp~10wn1g
z1~GTdY!317mxTx-e{KmAnM2H+cB5rUVg7BF(haqhvn&NOMYON~U=ZzL<d}Z-MJnWb
z*+a<j00>+G0vq#wA0kIu90<Ia(0==4Im-pgbPa=;{nR#ssM~W{h^YqSQ;Wk8wFJ>w
zW)l&;2(Y&TB3;9%F=x#jPK`4|s8Ip>ZYQbw<O`A1NYiHCc#~zq4HHDrcbyuE2FEuN
z==Yx;g7J3HU=63izA(nR5Di}WhdivVhS6a5l@kf#<Lb*o1PvOVj)qve)M>Zmi@3f6
z$fPyt8b*eaHFG%`{yc;XYe0sFi3}6&iXww9Gb6)N(pc?T>8@V8%HmmPnP0tjdEExf
znspVG5(nPfJrZ$_oS_0w+J{u-VG!pb5GOIOHC&bW5OFS^9*F~YClN%`RhNaBYDoM(
zECo^Hrg4anb}o@Lx&M?iFUUgIFw(4Aa|<WUYePu$5J>X_BF)d2MUf^xGxH{keXXam
zjws`V2B>bRv@8N$ER&{XXHJ<mW9F1;Q?lqKW6HGbY1d2SdZ%Y3ay{-KBvPrHMv9jo
zfLyPDTnTyLb*Xat5V=;Im5*Rp)pAAecsmU7g(qLhnfA*kKm%@A{rDF{4XZRg#gSn}
z-1;p*|K^6(ldqhA;lbsP&qWDOUdFI0E?<?VC&P*$U)?(rC4TTTqJ+712;NTu`YoVD
z^11P0N+f_1#RT!O^MfK_7+1~t$72NX?Hyr=qKPTeHr0?Y?w%-!iwp8gN-a~Di+xAi
zCuh|l3thwd&K+xVc;9&wpd;<eSI~EMQQw&#2=^T#LBg~fGc0+Pb(NNt>(*4(a~q<f
zx~_7iXB~KJb#=W5eM;&tg(&!ljPYwo!D`uoX=|w9EjNS;mgs*A(Vq&Q6%$=>MP1|i
zx~cTvg1<~l20iF6bDH>+?lZG2^J?oX)3PnoZkl!DObd|tFK0#GsdbH0>!#9wf<JAr
zw1{G-WzNW+mKj~_q7qlW&0dslD=7G8KrAz6&d8V<4WzKB)b5;TOSj)<|As)OXWcks
z2oTqz#^rUDw^dcvtzNgPKD}~%<u`*hEo)lF%nT8snM6!zSx;rXXIlD->a}9mDn|={
zjnS)S)2FSa7JlI6=oWtBZQjC(QARKCTEqvb{euvP@xk;5&Jo0EIYanh7i7#SaF#yr
znlK+2LY%c}U?hlVJ|&2U^1~2C83SH@;%z{TJ1cd6bp0^IN|_>D>)|-Q^aMft>XFMp
zJj@~P9FAiPAl?r4q-zMLFjlZ;9zo2f0Z$~0o(i$(!`DV}iXk&|hQ$`<$@<E*6_%n~
zC7$e)kA(Z4?@>wmCoYS7BB=5GFz$&V`ZC2J#38t&4=_d$2ZygBmp^eBeP9<Ehw>Yu
za8IN@@Vl5nh{Ngo?fC@p=CffOMOjFFU;y-u&(nl)G=^}Dk5!Cd80*Rj;!}q&3o+FY
z|9v!zq`5f6LAC4vTo2let|4`2tZEI%G{0j=yA7b-ent}RT}j;&mgrx`Z>pAWf@Z!c
zE2Ndvv?EdL-sh-pv%fv0Za@3ywEY>NmM-^5xNb=yYAuadjG&c|$_V1$tYL^R=Kbo_
zpI1)<3Ak2%bki`coJ4UUty}@<-&`x_{p$RSJMIqNfD$slMk^<UwDM8INR-h2knsM+
z_lMw}3Ft(L<VWHAky_alqJ++<V5PvFu3<gVaW5aH%sv%{DE35=wy6f)74R2DLM*nI
z7F(k90`>Mfl;H<>x`y?k`_?QVtn+D15yAWWGth^gqdxTbqhc9SA2N}8E~>3uOP1aI
z{K9#~OS!>osaWn=4wb!jEi`rYy0w<7b#;-b!0;1w*oqAh@u9Be2Wp=}4bwFQHFeBK
zxhn{@nh7D)q^8QCrXtq<92KJKhfrH|yPp9N_py<8tsU?5m&5NP-<lDvAOF0b?TdT!
z>ULSdn^%{*tLrVbb?a8uEnj1)tNfN10<Ye(sCs4Hy83lh9!pvE+KP3J^$>d#CD4WT
znAso7&ch&KEUrbznt3??WbsVJOfflZ4{MP<B70I+jLwk9F_o)-z>eWdqX@8vm~-4i
ztRW^zZy1-PuTp(>g<;%hS9}?puQZHXsJvM{E7>q^R`L^Z+pUIi+pQCHRi%b;RizIm
z)?R5CS9|5`q?;^;IZ)2Yifx8*%58CGgUT?@pxVQ>8ow34)%c$5XvVj6M>CX6-z;Kv
zQmJ6hvA<~{L}Qxe9N&A)6IjOB_xO9OS%>#u^LSNrEDzgh)*>vsnLdKZUpqFLzn@m>
z@SeioFDR9Gzk<L2*nB0@%lP|C<`lfk`TM&Z_C@|~kns7Nc^u2oiD?zh3da9pl7OQa
zW{SB1?_z!%e^>DQjH&V$EU*>i#!9`PF-4i(iAu`Y7-nYIuqo_DB)ZjJTxc&y%q=LI
zKd&HfUZJhPURYF|?^NX4@|EOtQ{QS|I=^UMu}!^b5xFPqi(*Rh>;(mKLGk7-va1-~
zx3EN}pl{$o_e>exFDPP|nuqR{)A#Kvx<3<3_Y*q0@8Kc$^N^2to;tab#qc~%4W%&i
zbWQx8qNR`(S{dVI%imMe_bH7`%2CKuJ;U?0#ZlZ3c#3D#DkkGF8M}_f(p&6U1>Idr
zy4UghPx*Z{<%m6W1>J4qWh|bjZb;?n%yj>Vzn{30-gCy$o$-*&EWF3%P%YG;HSRO$
zJ@!$a>kPjSj2kCnf_9uH(kA8{VG{E=rHzsE_xGs=F(y6T_fS1zro_|z8I4k`c}xdk
z88hFg5uwGL)yGJ0#sr!4))0PsG(jnq^-Kctsb&(rRY$25)gK75isP%|_^Q?u9aL`E
z1H45w)9D-fo$mL$SOmMfsw*njSsajR660IuIrHlo8^f*elG0-PyhTe2oy9Pxi|u*#
zc{Y1-7E6kV%(a)=i;IhjC$spw7cIyyE3_>@o>Kb-mV&4vr@hdTkM1~cksUx>`S!AY
zmTW7YS7ytf?<_8&I9q;+vtZuRI;NGv0dP?z)AB-W`SS{ja?LCjj8ITiV*ew%Dxz>l
zvE81BT!pszOB@b+@r_K+V;2;m)Z8V-b_>(k@=NpV#rcK#r5<LIP%O6RVx(s;UQhtP
z=*7W;^B38_#WYmw(gk_Iu%4;&QS1WL=TFQKQE;)n#9n#>OOh}~P3JEmrS$N~l7A(a
z{8vXy{(l|~N&f4ukCyyYrJ@4c8kQPSbW~fUGb0F7v<QJEB}K&x@`^yCv*8L+tt(gp
z&kY<4mn^c`T_vWds+5$@D=wWT6|rER(^j1CvKQOzB?~}SyrnSB-T4a^0sg#P``e(W
z*m(9rTXnb`3aepp`3v$30j{9nb!Ld94Ao=3)N6po0*ENcE0k3-Aq;|gN)<~4h(##J
zW)D^B^H2*?ukf;Xn+wsUB}<AO^A^}24QDSwS8HTiU>eGJoFzy11tcj(-m6)1{(=(w
z;!rwAG5RKI^QF||mN;!_?rYGU^A`-Faf&4l*2p=pz+PHvUrpkf@P0!gvB)kCQ2qLF
za`Y1^`C1lF1sB>RTE5BRID!OWEOoSE`=TP3{SQnd;!WLs9McgRAn$y1*}@=|m|y59
zIz;UbI!L_ZC@Nkwuk^DhG^p*TP_m(Q?PYqYDqz%t{M+rdY%DKPL?6vpgw8+6RMXiN
z!-4Q#bB^gGNSrrUu@nvm*p%fL+KS3b(0xksiwfn`HGnN){$4l_2hqSxk!9N?MxMk>
zA;{<~xsX1b;_FzfM2=6TvP7H#+gVhSUy8EQn2rOKh&-DmNL?z_-aX7P*hz|tNrZgC
z5_ukg;j*mMep_j>)C|0Pj1MEto53ALXzF^IOfPl?$CAPYgvMK<lK-#WKhe~%8n!q<
z)*kq(Mn<23*-Q}LSmHlz_B&MCj&?!Vanwl>Qe-L{|N0*=JAef3*RmZ){SJ-arPChq
zPSJLFV)8s=x~~C{8l@oMahr@krpF6Hx310a(C=Pm#E4xG+GPYr!`krje1hzawpb>I
zjX`#moZW*9N<^l{H`Ey0AX<8uX(Rho&hBDlOUc<hro(gOKgu!qx2C><6cMZ6Q17W+
zlU}_RPB&W}+^co<47c=()vH-<rN>ddy3&O(SmOC>tJYycVOUs6^}UstXRWMT?5(WZ
z;99=gTS;G(WtPQqZAE(MKfANULyla6Nx<&Rn4XcHG2K4>P71MA)~~Fqt|gnFvHZ35
zp5?1oFJG~`(z0OPnp#-Q_3MCH2t$(mk3#aFg}qDHP@7+QGPfcJHvc`T(USj*W-j?L
z9Qo}2Xvr@cY3bl$#;%>7KHUwKEI!kvPgsPUVv9=VEm*|ReHRclEu5s+R!~!-m&0^q
z%NwezP$4$Ym5&NnE?+}5gYjQU!=2%w!$TIVURPfUcpP-pt)5R4)Gl9L>G4pC&>xi!
z)03%E9+MqUeNt9B?w8bo_}}r=7sKxqu<yza*|~9l42P}1>Z9;G#m^jbTxJ@7Ivkcd
zwm<w%@khrn`D5dCqLGj9ePahPy|d6-BzJz`{M32Dd35pK;xR?NMQ=HeInOx%xcJA#
zFBY4NE)*Sco^YOZ9$vhsxTAPN(LmAr&Qs1_=X;BPS$v>4vNtwXujSn`)aJIj<&C!L
z6|7=qHLGY?&MK<wYgaGdK;QKZtMI+Dnu3`mp_yo-hd&8*{zo>`+KL6MF`K~9JuMNp
z$?5E7HaUGVnjUeJaJNjg(EIfaEezzU(QPf&V&`0o7De2(E5la>-d9K8=nF|0bJkTh
zR97~Zc)V3r(I0E5sB1GaD`wH{`sm20Y!Il6(80)4OMF<eyrGgfr;rfAH+8S@w^+;4
zy5%eHS+N{*)6)04b*t%9jepc<B$7luNYY@ifE0#^aOz#5-WGaJLi`=L;&D+f`l}81
z3&!&g!f0j;|5<ah_`n^ntfQj?Pl^CCgb$G758Meql*JnVQ-8IWO%KS7#YO|-VYoF)
z;kB`~c&p_Jc@S<pcYa?CVvV&A0)iUPMhQ?<ddd~sxMAncokP+CzEpBldO{@@;CTTY
zFM`k1aVU^u05FmGi15SdNdi7Tvh7<*60n9(aX|`>7rh>RVXwzFbF>5m4z&-`AFv_}
zsFG0_L}E-t5-GxvzVTmU%;D8GBdMAI|4WLX02I&D$D&0qLvg|Y!5csl!i=LUrH>7@
zC`E++cxrq|1h2&_ho3<BU*<2AJ|c?OT0$iv_+P&grx<W0;0kfddc24JD2^`iuNho|
zH*f`i;Eq?$CB!WwamryZBV7sS(R7XLn-luB)yA%Wu=)So_k$ulLFl3G5h@QzF(a;K
zAWHQhJgKh4y(T;fXOa@c+hm6jXOI4kQecz<|9J|K<p1%=lD~>eesi?#dnxSo*j^Sb
z`Tz4cjOG}nz$gVqDKJWb|CbaX$^XldCI2ce`Nu^`{$&c$>w%fhzyEkt^8deVvHv?|
z$uT<rfh-Qd<?M7U+120lZ`ADmrj!~@H%ftj9}1A<|Lw?<-_0fe*l5WgHz_pJxd{^m
zk!xK3ed;!f$tVRzDKJWbQ3_m+0wnp{N0$86T=LUi9lr3A`}vpY4~HcGhPy{4|K%t<
z8a7ISQ3{Mw;NO)3B>7(%S@PF#$v-Aq@|)I&B!B(0qmuvMwRK1F8l}J}1x6`wISP>E
ze`93He-D@ZS4K<zF_w_zUyH>Tqu!p&(RMU!lmep^7^T3!Ck42lKV_uN!3(yK<gecg
z$sc)m2~JwuzX6+rHMv+?Ns=Giw39=dgU62@31ZU=1aanuFhp^iG`1Um(cElEII_KW
zIK=A!afJQ0tGRZHUVFc6{2{KLu=d`4S6Dlh5T5^@Z83_~C<R6-FiL?@3WO*?+Q~Jt
z<X^)j{}s{Wl51;2<B}CGjY|FyHAkPL6d0wzC<XpIP=F-=og+(reuP?0O0?upOASf>
zyI|!@9;s2A|Gz_%kK#B=fl&(le@_9D{M*eV`H%k2_Zh$Q)^Pt(AC9X__+aatu>U9}
z<dJFv#1Z^Q>-Z=lIa-%wbcA%t{aD5xp-WQ!zi*^b0*q2%lmh>KC@{`E-tyJe6Rw$f
zt@XM|*H2EHGBy2%jA@x!({G${)65GOvS;0VarT_Kx8%&5j{~tBxq0~uZ!K6<Smaz>
zTvEEkRd(Cb3%B2K=UwG@FI&E1WkqGxDtC3wJ*(HOUH3`tx9aLW-iF5SuitR*w>O@=
zuj%g({AgRt7T-^|K6L+s|FPZw>((9rb938w9{%nl-+T0jKiC=gACGlB{=}2J4($H%
zPd0V_Y|qc1`o%AQ_4aS}9(nq=`+oP#v+d74|H6wez5L4YS6|!T-~aoA&6oNQz5a(c
z{`lrwrw+gKk9Xhu)BAru`j-zr{OGU82L2ZO_{6{5TtvF$k&z{TEtmYJXvsgr9g_U2
zuf9(5%b0>$EOMN#AY&OguSSM1@zkUsP9%}z%fL@wpfBk>$gk@!aX2f*LI<hT$IV;4
zT6&`}dtKc+9HnxZzqrD678?$DSy^ewTfVx=LT4gbklT}%nN+y0Zq4%5QqTfV-RiVy
zNw#%fI@(A~#=|n>txlX~V~OKm&UkByXI-uIRT670u3U-VK2cfiH8>VkwZKXz1SzeB
zm5ni07mk&QwYt`=_O7W^SxagwD=Q3EItwN}JzWA&q_)ywF$hRrux_ojs(O{Tj=rR5
z+huAL9b{Ut&bnsJ^0gI%nH)F9TNkXW4Pnd=LyFGypZKElF)X-pa8V2LKj|TU4BqKX
ziQ#{A{uK^1VYlE)Xhs|3V#{#V;=-@_@V^S&4Qx}7JhnMOiNFpE4$HO7>Y1dFtC&7k
z@g!3>GsUMb;~17^`fjFhc5jcEJK`QX0Y?xn;`Q@e1mXC2LFh;jgyvYFr@%YT`|80t
z7ybMU4535O+>iVO>9}-tpsLN{rNBE~vG^wB`GxQC$5Ej^IxeFbpd<d+kiTg9DS2#j
z#7R8S$(wOd2SS>g#Ru+q<!5*NtMf&W>%aJyFocK#9S<`2hw4QoKwYB}2uLuP8gD{E
z&(MHq2rMBXIsxm6DgjiE0*H?x0SV%_NO?+2-w9GF5;~|>0{^44O%UHBWkM(;1gXqd
zdiDwz>6OaY5>k5s2O;7og7+d)3gCe+@Ho1?fWN&jX!r7GC{#Nb4{*`>hrmY`tss^k
z%Kg9d9PEO9o6usne1m@9fquV?B>&D4M-iTw9Lz#5pdVQf=e0w#(Ad39v(Wc`304v3
zwZo%`$4AyB-y(=LNzuAwwjrcTzM3gQ#F&IUQYq9r$EB;|{~&JyB>($&<k3wb<oGid
zCtF4S35_^<Y49&WI3JY&Js>JUqad88v#!E_jY3aU0@j!i4S{U}gm7}a#BMq-ev3yc
zA)uDN!v`#F>Pf&i4j$r}5WFci7HPnh^v7cmAHkzI28n@3#Uq}GM-h#ai$eKX4=B)s
zuUmRDgfE~hIFBlbM>7BiA^5{5GGyQ;1@OQu9!Iw<{AFY*GWatTsu+wPmVXF*WKjrW
z`JvqZJ5Npue*5Z{Z^)znS9Q}jtqVU#lg`*|X)-WxTzfLxiGwk9tk;p)?6LSAhUSx-
zoI-<MXwV4_8lgcgG^hdxpk{e0p}{aTjyeR73!NYsak^mW_{-3Vl3AJT5RSxlncHJ<
zl4oFo{3f>BY258HcB&e1uvM$0H^r%UuVMUz(9Dhp9hV+-4Cvhrp%^b~-P$0eINh)t
z+$&h%3~HU#t9RcXnV@%IFaaTlV?wRkUaz@zE5(QacmdiDZyXgYW8E=rg34uVwM|2j
zj+Oz<#$W7m8Pkr8FMs`wwnH#_%<bEN@E}1XxT<z7>)Ol?l&h@=V_8d+PF8mV?qeIT
zZ)sA=8pa7TmKi}vRS6MM%Hz!HAc|{PyM}dt*|xb!*QKbtxur?ZJU99sI-lcQrvqz&
zeC2%)IWFKxRG*{2(=h<1YS6n`POIZw3O^lHADlkG!L+rfu&g8e6>VDv+Rl{Wl+-4@
zR`9CPyje%Oy={JKN}a1_V!#1=4-_HHyHB?5aOl!HtUjCE>QmyO!bMMw)knHy_sEjJ
zj!S-HwB(=H9+Lb|51xF-CBID#$a-8lTt-|5Tq(FrxW?d0#bw4d7S{w^mNIu$j>;wW
zL4EMiOXJJ$=4ZH~o~Y(0sAfx(hIuCX8`Rof&p3afO8dGe1+C;>l~co9IBHfOT!vh)
z|3SrgN9S*cCd(L+X}z4230=CZMjl|W<0QItjgxgcj-|3r$8m<+iH4P(j+4u4(>i>P
zpwDrt)A6aC`5dRwHh!1d=Q!hY^-$b7pW`g(yu*Qd#bl#9d6oL$@=GmqT}I|rbp4*8
zU)8DFO|0uB=GQxoH-BCaTn%N^FcP2rK)!=@?P6)4x6B1Ucw~-2j`%6M`a#DfhKgzq
zqCd3SGSF9tbp7%O-gpxkP@y6T1hL4m6esV6B8uq#>3+vKt>dgm?FZ_vbKTdqZY2<{
zTi+)hVmUl@jz`-b%XW5a+Oj&j742&3ZPXAtc4&&6Q?ebD6sw6Euj}9C1nXqGOpVvo
z#bi5-^%kMQBs72#hRKdz`65M^L4Li%c%{pfozh_R#I`t$vP72&f=KJod$iduok#UD
zI8@P=)r+HlwGOpMlkHM@VqQR?JnKWyBlbX(-g+<wEOS=-A-+UzG`r8ln%zbgI1vNN
zslFusG%>HLr3sXcKd9=BW!oJ_WyX)bL^3NAlN%slj#Ax~GP8RO3w$4g*g0~xG0oR-
z4ke))R0lB)+AZ)dV4L0PqQLSwdO=fFR!7&(vNosLy^sac5$|)H^tnz64ZUXf3>L`Y
zA;*2L6FdY$jO2pP@sZDUOoZF&2&OoN@{>MCpU-tcdl-G^IIEEh4Hv}L^Y=;59-nJK
z%tA*cBVK6e6B-6wLiuqt{4F~i16ILf!8HNbSX^eayH=_oFSX@>p{408qiT_)4^>MQ
zxDn&A)~)YdN<l5QvOpE6(CO%5jJo+5bbTsCjBj<EMt^bi5XK+*92Z)e&M}DF4$p*^
zrXJ=Q>vx>dI!=cOCp4T98jxGZi!Y0~gBbh^$1_Xa%fQ-1K9?)OrwuBI@E9<0_q6i|
zS+mFJKS+uyaGQLNk{Ddh+Q9G9q0wB@9`-1Cf0aSO@dSr(L?ZG1G8M@U3zMW{*K^F@
zWb`{s+D^|HJe*)iYUIF05P?gCc-DOsXG!a{4vl9FkRPT7V%qhr`**#LF*471e?yAj
zk*YoDRiP@~PqqmSsjeDj;2;+--fq7m#qUZ534N|JewWGDgho7zbE^F=14$4U^>G|;
zEw+6~!t|q|g$A&ZS!ft5G>qXy*9RZy<9s+)JR5s2s^u@#YhU+jB&Ckit{1y2b0RU;
z2c3PQ){u0?wpbE^I;}ubR6|nKMUww#BTN2zF8LFqC4cU+kmS!vi?;cB%Yu|iW$p?R
z%pr-M($}pN<ub&HI@I1T5lWK2Vl|Tjf%r5vGG7N>g+45|3e)jW;Zh>%W<+@tQAL*%
zNe|-O?{*{Wh7i_Sn+r_xtPbi;1YD}`fCzjztcN<0dyBe^dJzFKsCRT)n=4G0NL`b-
z6Y(>*-=U`Nqi14oRJ12jhb6Uy63p#C<guEeu_|^*DfYe>kU&(<WP4>D=?bv0cAgZt
z7KStLbI{J8kao8A+DvlZli%Ztn(NCl_q2I~dhu{COa$~0NQyD%JHZ=Z=a5Fx2cH@c
zW9K9?@0gaR0p^X0_Dj)z$AH$+?^TBg=Xdn`T?3NB4dMRLP~0Dn#QlQ$GPo;YX((9t
zyKTH8-WafCXIq*3#t8fkBjWEE8UO1phd){^3V*5Xe-IZUy<`{JBPjn24tfevp4&wt
z!m4&9>wb@8uk^%FRXWSuQzEc0{!$_mNh@=EnFeK$9TMh3NT$W^>GMLuNguR)iSB|>
zp8kc)r_YQ?-*YaUp2QbAceHgkC0q-2z=Iz{8LUN_`-XXtTh1`U{p4JzMIj3TYn&Fa
z8d4xyb-XhYs~FLyqVk>Occ{@J=O~zWoFo&&cCU_g9}dYx$S<y}uaMHqm=`iqA9zRX
z%<uXgMiO<R%#%c&DE35ACyG7Mm?D+uYY;77mpfw~7j>YWNgoV;A)?3WR!x`>r}NYZ
zy0w21rklC_8r@~nXGNrca4<d5xdb^lpT~02bldz*WJ8xhn73m@5Tf$mL46ej8VUJX
zS}7dVc@vUf?@s6RF9TtmE`8978r&VSV5y7;2&*Q|prt;IpdmHaACLj30R^BZ1)k(Z
zdb`WqhjKVH5>xu%duKUB74J=DE@ZA@ZsC@+*B84MFZO?hf!pozWn~B{bCs0^niZQ=
zgn*nq$5h>l=VU6-(pBdFyj{io<(fB1^8aE)|IzlHB>AWOkKz8KxJlR-!Mx*#`;YdH
ztV=vxml&dT$s%<~m%MsMv@V%eXY&8W{|7~(y5(KwKS<<iQocFu%d0x>F8BZauGhGv
zCuQB?85^7ft7uSN2Y-nX5u$>bEUN=)MXeB(;y(n6H!?9cn9MvX(b(D_j2nD+`Fj9f
z@8WuG^BF<F*V*#@WAPIbA1P&U^x`KZ)Z`bIvx0cYeWsAd=w&$SJw~R*vkvJNV|wHw
zp1;PgCHCX_uu8!$;ki0S1_!4?Hcus^->s5)@NLBNW_%|BUY8CX0pDX0o{8r(_${O#
z%M`L${9@#<@$AH}|J{J_d-1&&&+d2``#qlL@jQs<M+zBRh-VVMi;zBmU#xQC`6TeZ
z4dF*o&h7Y)0sOo1osaKjc=jWHdE`_9^&B(*u@0&KbE`-fH0W9mkWPk{QA6$!%LG?z
zc$kNbOjmFsYdOGeHfU7XNPke$fBvQmzv(4?>2FZ(aHy=CH_l=p1uX09W&VMO90OI>
zmf4fMpIKY()5*L+Ys<zNvbxof*t2Ec%9go%)bMPWdF$-n1C^#if|)RLVKdC+p%f&u
zO}8eN&JbqoQCA^ix)cG>e!HnEugXa=!Iyxn3dyUiown(qJlnO0hOsk&z(yP79D;2Q
zhP&fh8HMGEVR;1<wlJHAm5O1dw^NvF5f3Y1-c)=QI4P`fsSJ0gi{6Xjo8k4l&%iuM
z0C}H5;n7xEH{WNNHX|$33)58P3Z}|HLv2UGmhJ(n3su~s<M}%6JRJxNPTzkB7?-(P
zn$(7b`zN!6ZE6gHR4n0sGZSsg7-ncW!medKEhmJjGS>0|Mj|SoON~*Uzg+2esr-fN
zH>Yt(V+ayPo|6xhE3HD~d|a^QAa0lv|9Rlu1zq@=%d8JE0;^J#>mKT;N>FrE-Fy@i
zXREd=;L3@}DrRtQcMKp8F97BP2{4rCYv}V8UTC$+V7kon6~gvaR-r5L7Q#DMrSeus
zpXdqUpW-m895uEQp6EB7j*l4QEhl(#tiqi(BG;efs5gWwy3)?>7>Ezl5Gv=m7^<o2
zbYLEcvF=1d&!0Qf>Mxq^E9}F-X2)yj7i#~ZomsD?z2-j(%x*=1{?(wudcIN#E}YnZ
z{u9xJ*S>zAGOM>+>2K&S#Bb7w<GT~#w*hC?>%PL%i~X+twD%Vl`&=Ic>M+3aIY=i`
zWrT(g=r$1S9%wlLo*CdlfuA7}$Z!r<A1-C^9z^RNbbRI(Sd9?Q^h{JHDm*IF3^CIg
z1onjU+)sI$n?A$vxVh;Jc`H691YoKMzT&8nilzXWD}Wz*lW?T~xhrrL51;`J1t?sB
zDHK4uWZ%e=-^(R`LbT*B-W!tq#g9ZwemGxTpHdM@S6~sxipJHj*AW)DFuz<0PDQhU
znW<yCYGP_+R^jdfB3Gb!fgpfmFw736K$MdRBjyhtxdaLjO<XlHzze=6eV=yG$a^68
zwDcWx)hOuuN7DC6=zaQrn7&0+h~z@UiNIvw7*SfD-|<mi-W+h>wg9Ffznd=n?3_{_
zb1nXDjhP>FH~#H#9EY5-PhuMxM1g(EaRq&*!@o+Ondq0x!%5&|r^qRIQe=j}x<8a6
z@w2CBbOcUf=*^Vqcx?CYhD9RdAP7nhU%UYM@R97QjvV61HnRJPB@dKqAQf{ntp2jh
zD)jsV<^7z>I~;0pG$yzD;WtcEI`LFl(`<4l*aftoBV$)}@ZlF9%L5c;IdEqN&rVH%
zNF|M&sF)#fd7(Hk=TtR(Hd8NZJr<~(=LO;Q{lLlUkEQTfgeN@kPX>|K)dh-EI53sx
zX<viI-Y;~&&1Ht!{ghfC-1!xB^`}*xDtTNU)xT4vigVJ-uIJTNyESoDyN=+g$MbzW
zjd*^5XG+|zr`4SEckVXF`BE$h|24wL#8o+WwX4&P?6x9wQe3gK>b9z-Rp&phf?TND
zJpsv%A=%`(T_@DL)8TB+z$l~rDfRBmxQEQs<Eqj+s&>zatJ*yaQFG%Sj_Fk8#3jXc
zs^-TX!@DhRJl-8~7x11Jmnb_>uD5o^%HymL-OUHK)Itx6qsm5%%pkljpeFD~)yd87
zhvhZ!YpsxT@#F8)_9bkIm7VXDF^|RUu0eu(aqX11Ze1_>49#wrn6^9Ze5agw5&=!d
z#AvhoetCC7rvtxG6bjfb52Qh0`<e#atU2&ESo&~Th>@Z^j*!ZJ2%0{Q2mA{YAYv8p
zM5}8CC3xU300o<2r7N%nZ!Jyz%$wcPbb)!ta$Hh|;KE^bZ$00s<akD*)eS*g179a8
z2YC(5jhDcgdhKD4rc>pLlfh(!*RX@E<~PI<*mr4A%RR>`@t4UWMh!tCD``xR_CPt=
z0H`PMo9luxm<nm3!lkJ(xfL|t36@Yv-N|J4D|9s`ila0fTL9HC@<5qkYxA}`P1Y3k
z00@3u@cQ>LD7*{AV93b_K9pS_tf#pb6>>g^0qm~wI6+k&2Wl-cy94ro6FrJ11l)l;
z@V5JQ^us&j%<dnFjfoid<Dv@My$n$+5cP9;R15tHb=uu*1ow<5JIvg^52dusEk_lT
z1$}v(H$j-uYz)MpVLDaKn5Cg)G$%p>7!L-cVh`&P?PRB5CduDE;wYlcM3VnHevTeV
z|MTHlXw!O{g|5Cdd=&B0$hxF~>k@smF1hWtkS?+Aiq<8|KtNA|Xu#u*EXy6t-=M=_
ztYt1L>CsZ9U1fnFWNE9TUviwc+Ky&B`ZvODu2vk3nZ$0!$JMQN1P*Mx5@Jfx$pZ&A
z>Y(knVJyD;wz%$zovPc=H1J5EmHmYSzQW!dFbfQu3w$;w@GufqwamR86juu7+v9?}
z)YKa2qVTbs+h@aN75s_1WiFr)Ubn>s4nr_^$5Atior_uo>vPG{Q!(#CSU;{Bec)NZ
zb=BznBJZ95Y>t|3Om_wLIBrqiK~@iZ%O3L%#|3N49JDnoOr0Qj<AWzv=z*d?NzpY{
zhRKy34#@vb<s@`iO76F-{D)pWuCQ*uD{iu|^Zdn~NC2Z4Ge@PWhdPkNe;A3NZF|oj
z^);OJxy~WQIi!H;TngXZ1?zUZdh$sz46{LZ>H*$nAl~x7y0dt(-_h&;U}v$@-{UJh
z<12?<bXt_FT?fj~R#|<yrYiWA=_QpI2+y%}v(RlK+*Vd!*-VfdU(>CfxidgrJTQWg
zK^f-GMIo-!R$pTdlFdhe%@T*Z;~!ew^S09a!Y}B(;Ft7XDA2pJPJ?@KY%D=4B}CCe
zBuKcP#5-DmxQE`vQOqG!M{18dp?^U2gBnitUQm7E4o5Gi`aJ9AIn3gn6+9M;ZkR>E
zelMuuw`)ia5EWrwqCu#+#O^u=jikBxFim6(<kTy=&Y<5$w-8|bs}|}NTL{hLI*YbB
zJJ>e8p|+v0=(YjT`#@rwsVd=>SLsEfzKy7FBkJ2G;+lzcun&9~Uv=6*b+L(Tv+<QP
znIRlRx7ku?=;XLF9{0Sl^uEwd?*$fmFZ9s6(@O8fA8L`ug{w4@<|d{!tzymc<M`Fa
zt4&i)MpFWQ14(Ogv%@&JJvywKSroSo39F$W9#=%Bt4<2R`)$%clD?fZ6Y#2&LhvHP
zLhvHPLhuH|{%pEi!tX0nO!B83zdxJqlyHd*TPEQW8CJpb8dzjlCC?ifmYRH*R7QI8
ztmN^@M1$1ia;c2SuoY4ngJJ7TB~spPrtg~?Oo_<5&QvPpjSO2V<sA&mHW{V7OHCD~
zTTOc8r7)4s(P1K;hlHt_Qq7{ns4Wdc!bq3AI<n+%<dQ!=TJo2(kmSGPFVT{pFdSM6
zVK^)d7!D013{!_-NbrV+5xikxfEOLM;xZImc^L{;NYsy{mY3&^gts6$U4nN{@_orm
zl2gzk3z9>v6d9(vOgfcRZge`a<)XvHR*DW2X&N0S(sVHF=cW*TubAF8?d9C?b5n*?
zZe$o1jB(D43={JjSY()(H!|!;mnq{%mnq{%rlDn&)>p1w#VkehZe^v#`8IoDDYN7E
zSu58w{66?R{MMzNmD%Z+wF@n_{M>x}7Bs%|OYOJf7fPM>VvDO_K8<2pPHS9cW@zQ<
ze0&PW#XyZZ@GIzHZqyCbXab)k(g&t$2WoVI9(*|IRUf#7*W1sZfTR~kku>&dSFU^0
zFk6Y4CYJD~Armvgy{+c$@lcQH*||#ZwUD!TQF$@TdI2wLZxSRlUNl}!NxD!bzXMic
ze7a)%=8IbsH@=?Gx{dkFPs_7}9i8o4QeL=A`Q{D2x%=b~sh*KP)S>P4jtRw#mqo{T
zin2PM$KcSsPd<mq>fqDvJ73k0Ax?~-xR&*wueuO};q{S(mJ>a%o>2N<dmd&s3QG4E
z8Poln4Ek8gS*L-9Q~3{L1}Glx*TcJ?mhavt-~EhyJa^pgryQ8R*8_3=HdVXae;9AN
zuM36?mYk0rSsy;f<o@^lXVbSUtutdi`UNMxfL7kW;Kb+ja3EOI;r%?Pe1AJzm-S))
zn})28%@=QSd1X2Koh93kHh&`9e!TglyyK*DqHcR%M^LWmt9t&AiqjMSraAERYiFK5
zu=lI&pHzLexA)Ba(-V6%ooDX2ZTkn5>x7uA`Gju!g^o|<nhV2nMP%B~BP|_4<@V#x
zA5iT5ilE6f#}|rlb(#a2C--M{?1zTi@9a3C+<u~pk_D?iyN!SGkI(k=2eJar{`Q-b
zQ2h?;=D9g6YZ|Z5_Tz_7?tQxI`L|@qxBUct;2qiClI?vO*$xNyx2hgW?0R*;x&3&@
zai!*X)$_*`dlM=3Yf=agKo$xoBomNjXJXfmfmYSl#I9`v{=<~<wW{aeRGa}C6B9x?
z4^YT{+&Ffvs-GtYmkyxGWdQJGV%H)nb8j5z4Ez)*ac|uA6ZpahA*k3JC)KM}^;}}t
z_yLmq2S%3s>$&9DMN9sbdqR@`7cWLj{#Mm@61!3fjplRmy?P=rClmj|he%#M(AeKT
z%OufO&N8|r+5*|Vb`kl3j^+buo>{EHUi)V}NUVunstIpQkQMn*8m~03@?L$o(o`C6
zOlo&AX<Ss&xNy=z`gA0AExrV4Q|2nk!h8k1?e`_-!jpOa==l#?jzYSqeQ;~i6bKL3
zgu`_{7nsnS>@U<HTh@{DpZoE1+A2KW?VgEO1iLUnqI#$Moxi;E={rZYA9~Lrvgdr2
z?mJkQaQ>9yojTpkE_GvUo$6+XszFwmb>z_^Z|wOG&L4&A_>S_sr8yNq_ZRB4hXBzV
zM<skr5hdq87R#&BDR{XbE8e|B%287Guc~73yN1;yHKHcG9<OB`DcZ20JMZf&bBHQ)
zzDhG#6)jaomFCb~<<g}&R9CswMH@m@x;u=Yixc$gXm<$HXA<qY-uaNz?sd@ai+@48
zat@v}2Z)5a5XIC)F(oL5sVs?NO2QWuLnu)U5t;w|L`9{XxUk=h*_pCf8QX+s3!XIl
z<cud5AZCx`v{gsWX6wjtp^z=nD6lg_A-fo-!0eKoO^6d`lP<=}nHAx?k@`1y9!C6l
zJZHdRLbFLZc+zasbBKQ)&m(xgfafNijJ=3wV;udMdW`IESlsz*d_RtF8=lVr&TKs2
zPo%A_3Rx<S+obR*z{8H`Uf@f!PHH1?#`AOJD*+r^GWY@C-vR!2V>apqq`L>-uL9n2
z)FkSUd=W0a`$d`Lh|u=He?3WtpkK%WHzBFCu;w+b;~Zl26ti6xSj=N+pzB9WKVr@i
zm?l|Z4PtgrH2PAkMntJ58WDGt;vN%=5JzKrcZDqEND<1<?Vf@R={&;}qi063Fk^~Q
z@BWrdDDU4r2~m@I)Fh)v-KknZOHQGyFK8WoG@?&8Qfi^RPw$=|1#>zw&fpoR8$B+-
zoDP^vIm`@1W%8&DBl)(P0Fzd$3NvN^8l@{7md=Yl6e?3pg))%|%XF(6voiUw(dRE%
zRGPP>@K!9<rB}Ci?LBzKkFBp<UMnSOpdV-t#Vo)N$UE!St<1_SqhH6S*Lf8c^h@#-
z;;5^vET~>lx4doxeHN@+ULk$j*HeJ>>*3rx+%k6s7D~poljQFl(SNk4jU<2dk0JSo
z>|z*Wp;_pP>xTP}-WXYzY#@j=+Gt%;?F{LXvTsN060DkrcUp&`w|?_L#yqb9OCZSe
z?8`O4K>#NidInk&t0wqzr@=XBVa8-M&m^PNb7BPZL?eeJ)}H32-e^N)l#h-QUoIo}
zV2T-OMaxc_*+*JTkil;#l|TWP%}j|!55EXOLyJ5)Dp-S{M=k~GL`z2ok^eeSqO%B2
z2m=;f$(rGT5#f+U%o|lruwVa!fsl!dUJXif!oZe_xeRG|Ch8q6bFplb)>abL0VPIU
zkTM**OprGtioBE~3_;!ACjh9PV4zT1luFc!TJA2)xEv5YUt=NSp++<DbsT^a8<{&y
z`OCw=ioBtiC<zl#fQW#%@W0CgP|6_%HITj}mB-<UNg?`!ExZ%t6_?->53)n|lm7{8
zBe1mZ=CW2tGhY<XMI^0C59A`3zlVnp2GZ2k%?CZ&vcOtIbKjQVtdc1{^lzJK^lfdT
zg$~k!2r*nxsbs!aW*S@Os$`mtD$J(9tIhMFo|5}3c5@Sc>b@bn)uDt>Udc<#>TSMP
ziPa)41Iqixv|B8#w=17hvb4AS@AxmK#J<z@#V_h*Pbtn~DZX;!pP=|)-GrdJvR;3o
zhg2lZ-F}g6Q+dZ_m#V#~ew)T$s>^n$z46&D4HkOXj9Qz)qixwgc3#U@w{Cp1dy3zd
zqP3YkW&w-DJtmF_DwKd#t+o`nwXj0x54vuZ{~)H3vDTUHhp+~;%=L0l940?*#X3=y
z1l8a_mc2>o0dc)CCHmlZbu9<S3WfdN<1cH_g2Bz0Pn8#XzXZ;l%N~P<5*JGd4JqjV
z!Q)5(|ES65!Y6gY;9Fvd!RIm-V@SwT88Bz5##)meFFL9CFW8TC2<vsI<WNg5!mVub
zyHZ4tEg07CGK%Vn&wy~xwb^|VF6@(%3ma>G31U-1^Sz%~ym5sG=byxy@=c$&ZmqyX
zkl2?wWnl1WvDn%oMws1dS)dVXT0-fFZ+SYi`;Z7el<+VM{2U2E*_CGZUNMf4H@gu-
zJq&iSxRMK%ka^}}QfOAEvSdxCO}>1UR2`ejR|-p%SI4IDm136y_6%Ul0Co_-5c9kA
zXfI!BO80MRE{7Ja9U4n5Wp4iob_IyF2!8ug3+a->BTN2!x#ZVGOa8TeT=L@-Rn4!W
zB|kMA>}UuKqCl`3b3O=x#jT-cBRLZM1;W%c<>twFL8*D}R+=UA$6`h@+ivnEWG_ka
zYC7$h3hK0{VA#BWY`*v7GJSBDhW2TQb>sebGNN6YuWwB&i2QY}Ih^pPU=fC!D%>3Z
z0T{eF&{6pcRwAKBff+Fp$%aVL<_gTkhFhwZw-7ButMlWr*M)hfY{n)GSv|ZFw49G7
zakEP`jVX01Yqm|@sK=DB+UhUWT<_3a>4Gka2C5InhGserflH|Pi&Q)~4Fj7_zM4Kw
z*~T|3!Q+ihGAI=5%pg?sa7BD9!V8|b$eTg$a{)Xltl(iWMB{VmL~Ow=1v2dsuZE-B
zsOXw2E9Q+z2nEk0IcGJG5h_nzhIz9|GJUXJ(e;!9>u}Xp%<N#1jve$8S8H2+aLxOc
zkk#%lho5{A<~Huqr1e^TUhHw9g+X?cQieCI*!5z!i`S6ZVSVs{J<R%`eG;xzfDyTt
z)|ZrHDhM-{L-;k0CPTl5U&C!_c7G@_rMp?=v18a`fMK3B+zEy!d4{iT2T7h7fGB>s
zLSUY8&Cgc|7Ej9d`zr+h->AwDHt%5$3T56;cnH-1Vb%w8Cv|;Sj`sFB21IH61sYjv
zQ+cLJJ;Q)?0RB>SwnOh7lkGBK*u<r=7rv_jp%88X6#W_tiRO-7I+<3bk$Dtdo$Tdi
z=ALh%r6(jS#977N8ksLeCnIZIBSY4%OH_Ta7k|iL7i(lLE?!QeUjDvT+r^vv>eH$I
zp)|WRGCv?FIx(wsFs&2&8X$~l23sMft}7B|=wyKyjFZG7`R5=8X&t+DGN7?}fHl`C
zy4;r(y<KHOo8VDnExO>*34C!IpRS#8scVA_yHyUDH8N}SEzEPLziB{m%-Xz3neNR1
zB8r0{9V)U>GNqJyRW|d+TeF>VZ>+zw2qJWL2=Rl(&cG#Lm!s$r0ncRKr%14fFu;WR
zhLs@TTm74x49jahS9Kle=Lv;cxmCzO`Pc-CE2hgOaBX0ApJjm}k|9_W-eiFn((KmD
z1{DR2gZZR1egwgRwJjs`H=+`6(c*saZ8Woh4U`QlaaS#`MceNL+kjD)XlOCJ9gJcR
zGm0IIVh5wx4PiFP>Lo^*3C-jgBlgZD|KF&8Mt03pVrM;wju{qZI@U&#|HQQ;ov8Fc
zHA((yZwwzrTw6=C&`UuZX)pAZp%azP0OAo4gswx!yG`Hy8=E+8OVb85v#S*ca=%Rw
zS6>~iOFU18bjd%kJ|p5pr7O90VQ#;dHn<e({a^VC`~82}EcC?HUAg(<L}Pu@=37eE
zc;h#3f@1Wl;8mqvP)A6Hkrg|h%WN8TbjFfw$_2he)?5`X$fjHxj)2&?AagFroXh1=
zF36k<GGn0f;5Lz$!Oy9^zi;-=_Luj!?AJpWWygAM;Oy6XAjcEyFTdcA?S`1UAlxJ}
zr6}rS_ON2wiW#^b#-h;B@0L3w?Qwlj#Y7xK`v*E{sYSWLf6;FrqqV1cmZH|1zsk(<
z-U!734+<6ywQRz&N2}F;x51w~Mw^@JNkq8S-w1(%?SZ)l>_Ve}&Rk5d3f?h-H+6Aj
znONeStnB(8^S`nABFLD!`74mo$jPV^$rwXqlyfSoh>G3S80`pNqW~LA2GKt_+7a%;
znsxFI(2VOG%(!Oz4^Ev7dQ3f+;4yZm!NWy3zY6jvux@=@#JAzPP;)>+0tg)Sq1_aG
zEMjioi$xZE*rRTB=x7}yRFOXTCv53_<4}RPKasWu!0e>;2b4k?xQKa#R)?Cu{}Lp}
z3P;+cc#KpMrif2>I<Oy>wrHKjl9G@mK|9SL^CVk>R?HPUTet4R9yfjP={~S6?N|GY
zjK-Y&U+_C$LK6aQ2%o>hjn<^<jD>BMi!K=W80*{p<pbzlk%mE8;GiNIy#wK?zOpg?
zFVKzrwlP{;s%Hveag40BT$Qg31|7F(ay7m(9a>NjFjN)<V4RzRIej?)6<v#D{$qm$
zl4S88LwO<m#jOI|{^L{P%`e{x?WE{>p0(zh%&6F%Fk*v0MVBQr8C@S0Ouz?~A@{{*
z30<GEk{Sh7wbk(v(O|_Tj=8~CX7rQH_!1mG!kK9siNkBu(Hy=$BjhLW!QT|g;jd|P
z4PLDLJF9i{cycy3^)*y`vo|+gsHpd5wg_q%f{xR2v>_U<({a3^8oNy^Rz@S36oDWI
z7mEQ$jja0t%)<DwSwf=hIlrqHEDy?dV*^_+RyK+o0)t8CLYB=fVJjPp7$ZpVKd~@H
zTn++CUL#=pg*g@~>p4C9;wK;uFND(v+U9Tm{h>V!WO2h>JBDs54qpQ|V(^D<gV8bB
z<a&_Uz&q=T_`y#689Fhx(^AJhMIBchvCz`aP><zX<H)uUH$sOy=E5&R6?r0D5h=ek
zToA_v!-fldX9*uJgzF8(rVl=MQRHuIoQlKPFNJm4g*Nah4Kqry!BDJ(=p!+=XT@`?
z*ne#E0GBKzphuD{U5_z|3v5tdf+rO#XSZunVy7~99mYCqD``xl#-?kmv%r??@c2d?
zjABbP7Fa-V5Ek&%NCVF+q%mv))}4kZqYr*|p=BdX<2b>i4=Pj`dlG25PdNg7X;Y-Q
z2JR|7mqu=NjwoMPO@=-gxBy|)b|{tBter=K5DyM-E3pm5Ej{9BROHiCziW)xwSW&7
zgb;b|coc#iuE0K3AH0zYfv>>ao|+)ykPybfiZ<am@c3^_@mGiAu_vhaD~=;HAB`OT
z2a@<3Of3Ug!HT6VkYT;vRCmQncSE%cqMgRsF0AL(2ban*2F89;h(3qh*I@ED8Bn_&
z4x=^OuJk5CoZ?08MMtLP@D8=ht<6zkOi;u0!IrPEfJf1F7|VoBZcR?)#%6u6>MOBF
zn*BXHJ~+^%d(H$N8czcR=xADf6w=XL17~AHDJ`+eRvBd*6<sZo>FMurVs7|*&~RAA
z6<)oy+X#oEXcV{1HOdma@U|GSV1ho>_wf&`?#GA0JLUitn5#E1RY@Q-tJi=Y&J(2a
z1gTA-1Qsy?Hn4;f_yOTSxdDn;ul6cl!9IWnjOnoO6wAM`8b`uEw10o29uAkLaoG-4
z6Z)ze=AF0-3>2hySRbX(-Ztg=f5ePu6aT?i%U2+j_WYNo5Cydo1y$g{NqxXW(e(&}
zXxyZG#lX5BXv2!UuC+poVDQGilFGX3g|-$U74H_-wTj*?-gDUAz?!b3rEg7FQ;R`+
zVac*sg$8(TGzQkSc%aSa&~z=tl>G2k+k2iQ|5qbR{`<J(kByf6_Z<yM{z*TKmi*`>
zWBG=2Mc1d7_`XXls=tKN^+Dlc*Pky*WCh=<VSE57a|9v2bsl~YE@!a|`p^{79(b90
zw<AUCFo8zpSeFM+Ro<Lf)}ZLZ4j#Usyw=#(Y}|@}&n7kFdN%1H<14Bh*i5fzbGnsn
zuZ+*}HNhA$Y8?iTO>{CzY@rXPVV46b{jszGde9%L51zz|H7|za16|$lWb{*AJaBpr
z=z}vZZf-I`qb=Xulv1(MdpkA~V;F;d)K2O#E%(7=tEP=B@czveOS8h#!eu~Xzi?hG
z?+O@=z)4TVl1l~aU1^Eje?*k?)`cu6H0mxc7q*>q+a*9-u$KCpuvV5LglCQo2+w?k
z=EZ{9WfEx1(5hTXRZ(<hVz&g)Z^SAL%IokS+*uq3JP&}qPl-!}$*+VlVwo#ofxqTj
zmIG;qVyDrX=QBxAUp?H0QwFf85aUjXI|WN)th6%Fe;z}$?#wnZSx8`WBbvN$o}&S*
zvt?vu$M_lsy5n2{557SdLeL!>+B|Z>=jsRMSGP3v(GpPXcc9s;?!b^e@7+G0;6_S7
zj^RA-WL~6<<|4#@LOHGad`Sup&oUqwnSv|3p*t`~gsmxbih?f|OC;s+htf_WtVeML
zI#Fq0>rD!6!vWZU8?=G5lvbSv*5f_TI}4L#K>ikdgjB4@DwP>Ch)TZ{6n1=Lvdk4I
z6T!7v;NpG(+t8ZvJdAB?oAG?hBx73`CI$6C2hS=6d>sf+Hi_HlKEac=(PiK{fM*N*
z(Fu5JF@Z?i>3sO6?R5Qk(ssH(88D>AcQ3w^@vOymxQPf~XvCx<zCS~G8F)U33D9YH
z_T!r-Lbt?-+wPXdVw)W%C|#IveFo3D*j7i|={92z22FVW2v3^uJS9zZ`VHblXO&#W
zmLmKSgx^l_N#b_9OiX+(!}nkCeGf2Td~ZZ}pB+RjHZLi<u9VRzyJhxVsE>FVww+<Y
zzM@M(Z`cq44)dr3COz#WgX7AE9t;_rYSr3OJn4u_4XgrSXW+ZIQwj=c<sm;2L-<Z}
zI*la-`NksO7@luz;0d1Ujc~rPf#36xzeePv(_6+Mp9T5MJf9`-XPydeD3xakV1+j@
zKy4|6muEpfGxE(uz8O5<%s>L-MR$ydr?`7B9K!R>M7|mP4dY%L-&ly%(33=&No(zK
zmH<pkPPg$2+TSkHElI)YMv^};Wh6hr4!&Cb`pc|VPfMlQ#*(xsKS2pWd;$<h7)3PY
z&?rI`txH;(L%QUFSEF?a+BS}`#kNL8mjDJ;YaJ@Qo`Yw{qjsyHIcWNb8WLAZU{73}
z99(`gRW`ceU*rU}gLx>98vYi%I|F56$Y8^BI&GZ9?t>v=v(mz8+az?OmW}CxcPbtk
zg4fCmH^Y_2)L>*RagLiK-^JAa6gf;OxI}H~Q1aL`Bz8S-agB(sQbL!QA9)((@NAXB
zpW+PMj=Pu>PKwf0|7+A`QBPfT#$u_GkI2PJsNFHcDKL$i`k_~`*@zq-FgMClFjS{6
zf9?dUHrL`EFMX4x(`XbwUO`Q_7wO;qN4K^ulzfxL--$KSIuX<+^wY8luy3&3L&O!P
zT&c<GFM!wL&Pi5ZK_(WoPfvRtZ&(doFo9D^l~e2_a!Z(RRiJqkUDIVXyb2;#fKiqb
zV^Cv5CMfbdPLUVF6u|*WrDHio#(*Lh7=aBP{sLEZphMjwcJ7T<nKu?KG>Lg;_ijBo
zp!D2G4~sXwMvhG^Z~>;^5@)|coJ5U<lb1>@yZ|!_*eP`owL5k=ZLd;78Lg+<huFN5
z*HVXlmSP>H0pXswn;B}Fizx<9L7xr8DV>hetWt-<0X2ceybEHVw^XJju!KtoT8Du`
z2BibQkOvH-OSrzm=Y`Cr<E~%~NwV<>@`PmLLF%zwHoizAkc%=@?l%++L3ty`IxZ)q
zk<c4YW4|$`D<tVfJBHP6ePn`%x#*1+i$*9RXJ9VwqL>;Rn8`z&VhFFm<;3Dbo@%cs
z1W}YF@D%6I*Tj&)iqjYny9>lU9_IEYau_zLXi(K79?0W!VEByr5|5FiA7k||kz<u9
z%!Y1ASJJ^y>J6qH4wC4Zn2wo_Nt#KU^c!iC#@fiwsv*jXCYhG9&~aAX32jIZsa$Fy
zuaXO<HjF<wZ)sHL=<TM-9V24lDC_mPaQG0M4rlo(M7^j^2Cj4%cW^}DZ6dA-t&TG^
z%ke4AG#X%LB8+HE8jB7n8iR}T2rnm$Rn`&CJ?g+&{o5GbW@?Yzr|5bX&I79Pl~kz+
z4k7~hV&G#2Yf)`QJw#{5&{0TcT$e48`T*k80b{}&%9aBu=;5yIjx*O9_>Mv!ZO@1Y
zK;9<Qfip$ulOUq39_SQXrp!u`|HmUs{!Lu+$3#nh-=vV_uYM(3^0$;uXWb-%VY1>r
z9rqU71nBwFiPWK?XG_O+E3g`YvjnVFz6;3QUK@iRQhu2pvR~>Ue21hsHWz!y1$=~>
zy`^caG=j!~R-Ws`5i}79hZ%8`nVPOf7MO4BjP*Ija^L?LY>OSsRS_kTWV=ocGG2q@
zZZIlFQ;nw;B7WXEn-3@<=S1VM`$nudIotJ9Iqn366hs7&+cBQw`;n;CH_JDnDZs<)
z<u&smCg)>7>I_V#{Z;TkoI`PnuDj%7agIog5acWagFi_q!7q8v>Eb~<I;{Rh7Vygi
z#p_8&=&~x}tw~Gd#o}(jZj2BHQR4Xk<r(PPv0UvCqM^{jIB`o8AKapOpl56rZxVzJ
zG>p!=y+98M_U`fS7~(2$6itVqfBH%%sBrucLnWMnMevW61#)qB;s7Efd-b?H4LD)M
zoK%`(RVeX*#)Rr@q%?v1a38Gt3K`)=B0CbV@5FI+W5*<uN$W6rlMj@W8YIwGMXX}K
z&tZJXVZvE@Q0kb{6}%RL5~bO@<0Q?FQ8cDhLlQIOFURNs>(<GsI>_HR0RjVC!h@(H
z)&%&|?3ap8Swe3b3yzM#;Sj{poX%0Qc$TK?VfdT5WZ&;e7NI~(mI7dCa6*ViWopx)
zeec9!cE$b+ff7z46~t^=;L&eDQgOa74}FTux?YCqJs@e)--Frka{&fG-P6(9+JiW4
z5M2n)nP+$rboNnM;2iGGKq^wTG!5q6gTWwY&s0coq$W>Q4)*kgq$s=u61QC#%5B7F
zqAJA+h4YO!!hLAsz5j7+N*8@6oE1S#bV`pFRUa3cIw!#hO%}mz-8X>Gdb={fXT6l2
zoL3RqU(|BBni%3Rwa8)D^Gf+J9-?k0dT9QMo<y_rXxu?C@JBnbyD%<B*FBlPBaO3c
zB>vh8&^sJ`B7a~=DLO$2B^3es6&z1}=s4H{SE0Y0{|Ip+iy1`_+Cdh>=?ykZ6nou`
z8bC?I6<rpXiTl4|FE^zLti^q>-e026n%p{xZlMbI>$D{K-@0L>QN)t1B>9*B8j^p=
zn#CDznr+Mj_eab&@=?TlfH=Y^qM7RwWwb8YaX6$)=Gvll30a&+p)_?`hlWG|ly{^E
z&^+Xj=q<_xiBUrw9_lC{090g3JgLYd_hGZMDcU|ti|_Uf3)~!!o_Uww)kjQe<AmKy
zoDkUd4H{x1my0)`ub}(Uu5e;X6PWUka2NFjo&q4!An?p^uIwYO+{4RQiY6}$l<<as
z5y>Jmr)VXvBo7;46IULmqqPP{i+4nf7K_BuB1mXg;J6i~%u8EVk&hb$WIxjmSUS-Z
zu2Ne%*VY;QPJ<_(4Fdz)6kL;Wi6d+AoKrgYR2=yZp1#UQv<RP#YZm&k4r)ZhkDAdm
zR0F!MVr9*IEKoTm3-rKA><skcP8)j3N2KWbF&|T4IUFP<S`^!0C2NSxbu@aZfd@*<
zS70MyN?tso3vZ~!5@e#J=}4L(CPkVhsbVNbIi-`tP~g5~tQa~Op;N?Aj3bs<#PN~U
z_rO9df%#qm#08yji0?xBc4D^rf%mzQi-HPfVBj>9XKwun(LX!}6I;gzP@n|G7Jv$O
z&K6S~rxYh-P-q1p!4}r~K(S1PvDNPYRQMghANV2N#^Z1aL(2gjC<4XNZ{7S-u?(Kd
zIJ}g~D(XE62&ATa0NDsDS`%q@o1i{Z-GboGNKuKWQ$k7Scw_hhykwJtyt^R-bnssa
zpAlR?mM!>2+DPMFF%*`WNE;gJ_(Y2N?XaYmScqc0BZw5kX+vTNhLhrkU;h#;qM$UG
zxECAC{{RT%{~jj{!e=0y6U_er$l?Fq2_hKpEWXm&Sc0nrz5AUo=mJmk{_!Jl1F_0u
zoGX5fJGZYlQZ7CaS{*(Cb47TN4qL&=r#v8uO^GnI{Fwc92EK#4SQ<J-c#NLRO=pw-
zW!T7Mu7WYT$F)%)tT_%TG-&TOM2+H1BKOgOJubK~#N`EiEfjxs4eq_q>YxD)4w)$I
zOIhry>EZFk&^V;D`9UK&;&7JR7Bvub{b|rh@LQ)jE;wsacsg3siP<D7j?PW;KlHu~
zM+W2Iho36RTc)yhZlQjOWMV2+picRAA~!b>!B>R-k<WS_q1iwOO*oQvz$zR~o_8sA
zBKKBBtK$cl-m2gQirQN|iq+`es0b{<K0lmH!6PveLdw>y(=lny18{!C4hQLyKaVW=
zH*?9ah?e}1tPe^4J-ebMKb-?>bl<0lD2Wdl_?Z+q*sIJHUOGS&7LPe5UqSY^_i4G+
z!wRc^+XphMcH2?<Y=Nn-q`LeG-e9WBU-86HlzSJRMLOZxqcUvY7tE`%7?p;NAtx|0
zI~4rP<|azqvdP4nJnp|FxO)>-CETXex%1#efP3N@&5XpB14i(9GDW!Mn?#ZYF7d+7
zP=5b5Hz8Fe!${u0Z8g2u$UN7he1r?nR?!Wi!m}8w6kqYvB#e@Alt8z!4R%l;29P+(
zS%%wb;*Qfo!>3fOO?+k?_7ruiv?JT!+kSj<hoS>R16<&O;wv6Y_Bl@YTqk*T8%;GB
zAoi<DB9*C%CN}|7>GmiB0l2e?NS*j;&U-p4K$lj>37US+`vRlp796)k`s@rZ4`^}A
zF`kaY-L4l+j|;SE<Ddsip6O&n2qaFxc_9LNZ=%9l9jEw|Dqi_NNPr#`g}Reme3nGw
z6Ct^1X*n>q+X{_IV8O5#AndtW-HlUD&Y~jR6NQtmeXbx?;@gVAuc#6tihWYhE2s~u
z@`2QKF?;iY(D0Gaa7<`8&QpRcXh|iO8Ylx_@R@*K3c^0sjTR&WZjI_d5}>3xj-5Zc
zGwro^(DOdH-f^sZ8YD-f8WY@#fEDo|6JR<ecw)mij)${+biLy^Z;NN&mq}Ro9mmof
zAAt9dr#U`yVrBzg2#GK_DhvNuz&1XZ$oX{}*n-ZK2g6>CjT=M($wh`76+#0@a4OK8
zvOAeKz919>k#G_*nkWKxxEh0RYU#NE1Fj~Zty>2$TNNlm2n;4lM_kCmRv}Dmf(dvy
zeOvnn0tSK*cnU&Wcm|(8=F+>JKE-C3L6Ako#OGwrigwGTL|Q4-%a_uK=cSTg=rmkI
zG)`9snjv%e7!eX{P9m}JEG*2On!r5QOqIzzw|B)D+NPQ)yh1<qB0YbZke7$Y4->jR
zO`ug-FG4Ef`>zRnKr*;SiZ=$r_>)e~ItMAP5B{81({}wP0ewtzRqv*pp?wZKHJJp3
zY7Fmoyz2krAvzue%hLSY3W$pr$~+i4!aKANpTfR{;=U`h`zrBecdZd4rB(1eUn2|T
zUxD3PZtRAt!Oo9bDDiAr;4TV-@JU%Kh21J;ybWQu!$*ek=oT=Bc1t0SY(@#hB>M{a
zESZ2q!}&0N%TbsHk9+{#iqxVJ2J^2J3OAG$6tUAMiAJQx=M0=2--A<<qy-L~7b$<Z
z1nYsvLTs2yOM7WL_EW7R=t;#nV<h=M7;zMll|+(%3#~95GK!dOpt*?oS;I#W$41sA
z_j6q$kJcptOGuZ<GNW|~Ny%WK6RSd;fj4m{yA$ef0PdYt;>qO=1KeyFsoJp0U``Ie
zdNNwIb_31`mOQ)YvVa9<ND%@Xcp0%^3E>%h$~bSN;4VTYJ+tqq)MTV+#4~F=w~?D0
zhEy(`I%N|=k{f;wYf>3}qO^JioV*3X)fv!3ED<zry_f2^_gmvhAzKAw3z8aKD+B|l
zVD+Fwx@#4Iz2HG8N$i!UcID?$mzA~JCSXnPImP@d`S5%<7L}Y8<0l~v&6G^RH5q#7
zeNE$)+{=pIa*-F_Yg4PeG)=<oe2*0c!;gmKG(m$i<@ngX<w|HmKJ#nR|M1GLSAord
zAIBG-i<yAg0=`-uQviAlqWj#5Sf1DCR$zUQm|`K#C;a|OLi+;Eh!2ST$8%4n+)Ce8
zqu_hgBt%3gr3gJD3_{=-vLATdC|Jd_)ebza7p&Q_-dWb{GPxHn5!emARAK*?W5f&}
zfvu<>GD!J-2od(dfED(gpxbd7EXw6$2FaI;`IX`@3C$oO_^e~V-^5Ai#}Z+!UE_g&
z3MUiltq1PHzy_iME9*QCF2T1zq^6PtUmwW2irOiX1Y%U+z!<UmoSX$n1wAWx;aUnI
z-fKrI*wG`!(r%6_XX>B}l%tKo7!Kj#8io8aS6{_j)U(!!QEBcNj?@E#NHs%;T^6aO
zz=PTZfP_FhD9n+%hKksHpVF4kS5K(sTRf<-T?HyALm0zo!D*dT1&mF4#ZJtRr@U4M
zhy(stTRxU!HSr!Lq?@0{I9iNxJV`B0r?G*8pQhHWMHlS~4B!Jy+@N>4H!A{XfDo_=
z^y2Aq->(P=Qa~)N^>eo<0x5W*6lOg6fGEr5UatsTCk5ZY(={prGo^qW9<V_XD3Suo
z@Z<-)A>$@RV3`!`=INRgfp19x8+bsoBJiLT(1s^J6E4x^zE=_0DFyH1>0qKfB?Uaq
z1E7vykOFWnFL1vPm5~C-vJ)W@A|5(O3Foz={@n`H*%e%g6_ZMiqoS*q*Ao5lpMZgi
zUOx`?Z*?4pQeTQ!j8Ev*BEHgc`3icaniWz?*ey5;((gE#<~R;><W!pD1X1r1o(N=G
zPl-erdninNT_?U0xZm=Wpvw;_<=24wgeL-#J1LO}gLKKqBkGdhZXn68cwx9M$z4Vs
zshePTNFJ#%^y^&&@$Vz+k`}H@WYN0hi9;b>awWuV#Ol~F%V3vCReqVOAZ|XmheF+G
z`O{xpWl@{E$h?+;ZD4ePg(^T;YFd}O5sn+kX78B57&Co0N#Ej;z|@XXJaWwCDK>>t
zgkeC^??aT+t%o%2<zmCllP1cb1<2It3milM|Cx()f)^4USEFQI;8DsP$hS!93Ly*d
z?hM?CJG5QbN3q~P@ExR_i_}Wpc&=8Q?pSGEXW$edKsw}j)!hBiozg}^!~k?IaC8>(
z960~?oVDepld#WXp*rEhF<~$|r%nO=vQN3ml;@dBmfY`UQ`b^ZtGsJj?9_UCeMUJo
zmW;Z$lv88q`J<RFd+d-h?xr$a(1M~!6$_SMO_nP!7^U%6_$!wa@&JB(fe&&BDIe|V
zSdvQ35%>e(K&+dI_Jlmh{8t2t$;M!N2w1ZlLy>djld)s2)INrqjkl+mFFY=5#rRLm
zXGT6yb1)wqX>hT$+-G8&6kY#|xOV}Js=5}x&&-)jh9o30gct!sM2NgpN|YK=OldL!
z3m6fC|5jqP5D^tD%!J+wAviQJIRtans?4=k8*T05_NjtaB>_r;q9R%wfhr=Ui9w7=
zlbFQJ_gj0<OfnFnxA*(LKbkq`?6c2)tiASHd#~5N2VUdFaDYRVx@FUquQ~LZO!?T#
zM`AS}ft;3tK_i82A!YGgh!p8PTcAh{*4->YB)dvls@5ZGb&`@D@r_?3GeIw5#|q^i
zoUKt+;1|h^AIXfYDY*CKFSWC*coyd8ROKXuidF^q5$&jqGypxQDo%1s+0P2ol<%G%
zH1PsyO#P3J63LEDpxukSLOBwOmw=3sGmJauGeqD{d~Ml9L?O1yIu?L9N-z@GsyHE*
zer2p!QWH~$yK_oA*S@cHw@vr7Li^M%FudXSunZ4x>Vp|KrtnfaFR%T`16UQ&6xO~V
zwca5%2OZTi2tn^qng<)>7bd2g+I&?|4KcPl`HmKjLvhW3xW48HkJ^1GVZEtpu)>R)
zf2dvyP~r;p=8a|4(}Uthv5Jh5g(G43LaPtS6yG;f(S>B{v%2iigMW$D0Hf4GqY%4v
z_&&D{-y=a8F#`?1>25hk$`<W8*_3Fct!T*#GvFD;T$WAx8g7b~tTY1^I;A6UpGtu;
zJ)%>30#B%vQdm?t<xeWbYX)8nr~E~wFjHRFDV>48sT5ew;c!Z`N`cIu45xId6y}NJ
zLe-w`z+i3^`$-F@j8rL*)1~1Q&Ht1zbE86UAIdjxE<=zW^ya9MD4VRXFr)$$%HK3F
z<zKHTzY$IOpSn9t`R{lmn(}LNp?5EgC>3S#t|-Yp(#oZFCT+_QmGHPu&;ytD{32sZ
z`{#vVK*eb3sn=AQOde$G9aL8%FcI3RwxbJ*n&UnTBiA;_fkq=a91I%t^q|i#Z26nQ
zRv{UW==Wey<o$@u=6mgG!I2s&dW5Q%1;-eb5EHmqC9vR_5=xk+5?F9tA4>QK)RDy#
z(v;)Ot|E~Yc+@K-_0XapEn}H%{%D15hO7-bg%e7a0^uNHASCo>88)1X8mh(RMr4fD
zEO-k8k1?Bdj=P0SEW?417okP(yDU7Bfy?42l=87!ik@0f)D-tI;j){5Zd-@(w4EvV
zsIB=mY^32yXziAsvRYMb;64WPfgeJvtybYHE-^Q*{#=_Ir;iyw=8`d!#}tlP#D9-x
zJf1NkYfj6R)$W!loNL$ZF}*Rq6LBr$AQ{iMv31z6!p7j4tu5z<-|mi6GN<P`3hyvB
zJUV$|eA^m(cAKwfQJMMjA_!Ze3^SnlJ*a>{m7wDQ<GnG4(R|FnY?iN9n{?q_9Q4(e
zAqO~=q4?wy2C#zf)ZJ_2Rce;`><ZhQNKp?+xgxvmh3gg>!@jV5js)Bwr7;m`Hjvh`
zNa2~Xdr54%mH~D(-`#<5LyY@pgk>k5X?z%XTuH$c;|xCYj!i~8_xxo;m8&><UJ1G(
zSSj<9C)uctWxH$Dha(o_qFtShb?EO2r_;psPidwKi}OK}X?()-0zBQ98+N03h-rxR
z>VZ_dA>n{tzW|jq&wnQWYOZ%>nZ_Efk7a7>SYLvTut0XBJq7n!(jU#x*0N9XUaVy+
zc@}Hg?__Cf+4Ve&wd|?Urtu@LH&X5fuFYIGa(#t*)5w2C8mc#*H`3mpa2<NSX`Ih>
z^tn2KMI6tWJa5BV_X4h$lP=b^cZ@QPQCzW3P={L#Ki9<g8Y^Dv8_#tl{rhjOpF*nT
zkc;;7OygOsZu2Sc3Z5SzeHz!NFElx+n)3KAm#drd#47g(T*WGP4CP1|qPBFKaTDMF
z@B&kXBf6FPze76a7RF6nD=4p+>r*35btpz0aK44-`+2^V>x1;Kgr4^PBlN|z5@K!3
z!YgsfPwa_Hp0bA~uo4jb&K9^VHpi&JK&F<Z*W)&1S&6Q|5!bJbCz4(9PVv2HuC(pS
zNJNESkf{$HXvN{fHI^vMsi;?ozl&K&`>N43X+#uCCxwh75P4+O40HL@Mv$1{LiK1B
zjIPP#VU+7@Q|g_gUD=Z-)D{-8xL7p;J!yGbt*s`D{9|4IDdS!KX%jIQtC>Wwa#zh|
zgee!w-!kAX!hUfsyNGASFXA+b)NGeXq`r3LnY)Nj2IeI{k`iwZM)Q(ir-ymT^)E&9
z5?9R?u9_*X5UfxrE=a7ok}h2(pu^s1K}yXu9&_a}mB+N2={)AiV;oWhmv;<`h|$U3
zjC$vlL`e2ey9#hka~(GQ({j0+?iy+Mr=6ZXeMN?U+LgS%$`xcprn!t@ID1fM&sjTa
zb^2O#C~Gr4w4z`H0_)Jwv?M)|g_-PFSJt?Kv03LW7*7Mn+g2n4`Wdbox2q=ARg>as
zN#d)CoIo+wpGevaS5{krBiC~tN0iwX1pY|u2t-1WwM|W&tN7-ff`QvZKifk$+a-mE
z+S*#9yu4fv41m7yf9NI{df+fyc>~4JKV(%m<&wg~SNT3~#VxDmEx+M=gne3O<SqW*
z^1JSqP*D9QO~2i9*DZGwvqnA%J<Pb}&Jxe^Ws6m6-tD&<i%M^iR{UH4!X2s(O({=`
z;0UUk;LUk}I@wi|NL1|v3_%HTo}i<d)H``Lb~cRFl691V#6n-nOdiBaQ>=Jityc7T
zjNPayLHMX1w8NHIFKdUb+qi50q~=yz(b6oHp=Ob-={__NT3M+H!h`Ht0}qk2=FSj_
z*kDHt^t7Zb3#E93XuKdPcZX7Lk(9lXvLci+Pg0O~8#Nvq(UxqPrMP-=!PV<lTQUb~
zN}6|Jy}J?8;Xa^tpIh{KlYX~&2Xj8<6Soq1{+JjfeWa9sa>k=}BW7W(OhL6?P<)xI
z+>OX3CTGj3N8(j>D<N@#P0do90#C-a(Zug)vU=*BfK7SizslKNLGfY4#NtLwSC{54
znWztQQL%0C!W&uqYQ1A(+!IS|LFW=1<#LYbJ;*mnM-MBe8D4GjN-(3ibyrV}^E#|{
zxMCYld~(X;NVS}6$}l()0E-XBKoghPq?l#F(7@3ERhBv|R$TiS%pIJ2Rpum!&xJXw
ziOhzUG%#AMw^pZ$QjQQoBVmZ_03`HGDs^LAVOZ-QH{#bnW_TtApLyH}%qKtg>*Q09
zbGRuC+{!P|B&VO8{`F7t_cOi>@Z}?h=iJ~k0kS`01g3DXvSbX9;SnR}#YZXD$8XRx
zF8Iu&2BtL&_{Tc+r5N>mP561YdS?F?43;l)d_o)7KWbo7f*m&oB|ai9d16(AZ?gGb
z++=Y0k#Cv{OdlM4W)o{2m&SJeYLKJ_;9-XE#Y(cK2cN0bh~1v&$OIC!FmDp(4OZTy
z_`FN->gIOdq@4BDMC8hO@P5NHY;NEt)$vUN2hXHHg?jogey#Nn(dh>b&!xgkT$2W}
zk@}-gD8J(mXY!I8Zxo4C7JKH?B~n8uaR3{s3dKu$qIt>hYs0+cGHfCGN~A1WYCZUn
z(Wh_2=LUYPdQ&HTd*&e{@Mrb-hIB4(Vtn3s0myjlU;2CmK=!Cy3KcyQ6-w&uv4(L%
zRo>*nz^IwmIJCF!`uo9vYDQ4t><4CkT7t<Ch9ds;t{DG%Cw~e2#qqa^x0U=QbN>w2
z-|+V<{(jHjZ;f?}>^;}`7CDm3XT{j?!36&`s*B}=wnt$4e&EEX%Pv$dF!!p*#ilmw
zvnB+?<&AA~E=D)lLIg2=7u%jsKy1%}s%Kw!WE2IT1x1cdD{!%kfDP>mJ`1+u%lYi%
zM)29kj0~~g8-=N@XUV$N$<t?gYu2q!nK#?}sBd+eebqxNoHE6{o7?izP47n1Y%A_v
zHAtnI&8vdtvtyJ8vjlv?(%zbvF)lClJp4ubspP+7sKjiZ9^|~Lb=NsEldCqo?yx#C
zVwLM{a4XGx`KoUd5I_L!FSx|NV3M^XzTgtCtNb>{`^|AdiP<m8RORU`q~^bc)ZoVG
zPGAi-mFNL!L?(z^ca5StpM|K7*?d6~TMxw>gv@-OlW*gUHF4s3YZVX?Do(so!_QbS
zyX4&AH7Fc#Y)_F8MsiO&C-8DwsM)+9F^cl<*^@}bgaW&@z=7dJwzwa&@k-6vuvyL&
zjYvDJ4UZYt!_XHb6Ct~={Rrhkt*%FnE$vXNpIybBDBY6*((et_H7VTuLciyzWM0LR
z@KERjL_d<*L6R?&<kCql?@C=}qJB>Feoy%bubr=xGj(#NcNX<#Vp)u|M7<fgtF#lx
z&`ovtgjU%$xliC%V~wyl{&r4B2C;f3IY(~Z@n-Yz+Npa!`-Rsrq2aTikMzb$lnzI=
zigw~jZ*zZ|>`jqS1O@3i1!>+`brektst@E|D%lR8#vDFJ<TeM}4~jKgX-`gGqIV=V
z-Z^>6UXG@W%fW~)37F^PB}fUK)IbTHlt3J|^_!8Xp$wR!Yy>AU;uEFygd<VjG;28$
z1drCW$#%l?_;`}z7clXSWkj0K8;m_k503em_W4%J;UTK1nCydefn%yEEJLNIi$kzz
zwo{iTX^Ifq6QDE~FNr1_wjKlmh!f1nOQ0Jn+!;a72ren(sU4TjQ-EJ3N46+urNh{{
zqV2>jNhvMvUYaXIz)JT_?WZ6M%0Qt?`d9I%2Ol@A9m3PV!)qmAM+mvpfhcI{J2Mto
z9h-NIBre}mL-u_3Btx2zWnSjr`ZHtG1~{U-C+6oIs*$j1Cj)Ao%!u85Fy#1N+OzA$
z$CQnv2!r#1^NY}^7mUq2tpmCj-vTW*)moidCYq|*nROr7Gpb&E-LO8Rl*Zl)>ApGA
z!iNQ=F}Z}7qz_E_Hz>;gMKtAqZb_K(?@EfM{HosZF{jlFa@7}%#^=@T%=BbvLO4Vt
zMxtx&AYS{{rg3abd5QCV!GTVQudNpA$1y$E49c^YFS36juFw`ijjZ`8@jC$UJ+?}>
zb963oU<G?y23I?g#yr;v9c6LV#u-cG@dMKo1PESnoRE-)PF^^?lS8SPYf7p|Qj;b6
zd&-t}P7&Sjoy!YuUECJ%&gJ=rcEr|5j6XKMFB~W+@}2|uKuH3T48VNQ66=&uNJP#`
zQape-SI@8{c$6i9*?g}oXp|&0Qe-kg5>h0DN$1>IbS6JjYe_XOI~NodV!tyz<^I94
zG=aaI-}g204ap$d(_e=&crpu@oS&;@AS{ia9@HjQ!?AF&ay%x=7sagAZHdzhB(wPw
zqn?t3K?P5s_Q4>AVSDpEJ>_$p<vK4*n@0^+NiW4pR+;J=ReRR$u*ZN-tsy?aK+?Sp
z=`sEdX))G@xEOudm!CWT!wE4Ae>pI?(bUsWE1%8g8K(0Fq%=((9gH6GF&HPo3Chgv
zEWU&3tHX#wn8o(pVn0Iw1Akd3u?$vYel5f$G1(ihUI`&eH`;d-6H{W>lwap?Jh99M
z(9GufHqqbwA6xT6miKp3%-}Y6EYT1&`Unk7Mt>V;m0?TM6Wj_wl=ptshMyZ5h^V0}
zi0p-UI8>i7m>dS`^Cm=7^tonO6-}4qz;j8zN>cSc;3}d(Ys0S${oSsgK89?5l_PL7
z`K;Cj>g8{vU+Pt*)v<JX=+pLJJY$3{_uGH*Tf@KM1;hXFi(-(lK$(*+<d?kug7N+Z
z6Cpwc<Gn+r6O7sS2lJwSgN$&qlQSXX{AI54>tby3TG`+uAxqHRl*LApS_k}Hz*k@3
zGL5S3<729}zHV%4++52U0iQi3S&7}asW`E@{R^T<^{@cwYH_JM;7x*Wdvc8In7A-z
zgc0#NWF$_Tb%Wb?O8`PC;5xCijWcVf;#32Ramih>mkg}5RfgLf*v5osXL|4KJUvUN
z3{g%&Vp*tIyB=yLcx<vK0jcZS@C%70A|9({go!IiT+^G}(_TPySVAI%F^f9bw}zTQ
z5FzzlrnK(NWS92>N*%=!;aoD4R}FFA(DZ|m2&+-P^_CE-0tKTYPGK@6K(e(J*mFH8
zzU|C1aJs;OYEh+!5Z#4dOYog@rnsalW}288F1ts7FFba&!ZPV!>Gw$kX|vs@h$ia!
zp2ew&@f#j7gz^s`a2N5jxkC9<kDR%SC^keQl{x*)UBt+NdC5k_OS+?Z$&1NhUh<!R
ziRLAqVZp6z@V2TAUPTNY5#qugkM{Rn0vyCAK~xzZawSu6RZ1WM1*!su+JRyRo5uc<
zglqy>rQpZREx=^}*C+v_cZF~JGlpx$9fI6d53};^L(@P!vimpeclaNE+hH{b`uR7!
z!&9S!8M@EfaL8euZ2urKL67-29O3Oz2h-E9sKI?Q*JXP4uA4_OZ8Rc4mTGO~x7puk
z&E#4;rG7(ljLT@5iFGYC`!}#-dDz7nt6ThAH5DaUyvIsivP9Q2vE@0IhMJ+^B8O9A
zej;lovC5&astxv-jKUk5uErk2i7AW37&~pwZgs|3+v8%GguNBgPuCXzoTf1GrsEXW
zUeXll=LbUN{ST*8gAhqwPgOw{^fEkdhS4=d0q+s$RltxCaE___JlR&k*!Y4h&xEDZ
zgIm*Mf?LyK0_z#F!a$`SIRAzR`QRa0PjLs&c+Bu^e}qtV=lHgR5?=A04PinUquG;(
zYn@_yjd*tuUG~iK`31qP>^Cn!ZBQ7Pr4d1;xVbM3d`GABmgwg@X@Iri8Lr71_Mu^@
z-{J>Q!pwRZ9l-oTuW7P`=DAjlR7>0QG(bSdrrLCxBTJKl6i9D!rMq=>CaWE8RZdrZ
z0s5zA%K#^hWbk2~!B?E@STHO@uP^l%Loh`X{2qo?G^Jj79$FHWkka%d_jag^^cy;o
zTwgE(Wl&NzSfob#6B59|f?-!5H_FUy#|?i$hFLIz1uqmQ({m2mmsJ@Ev!&c4m{dx+
zx-&yrA6MR&9P`#;aAOo*A02~Nzw~}IY<?6G#M3bJO>DZ;<P$mo?=_phkO^uV-q!ve
zVTsRC3uRV4g#kCx5uEQ-;UZ2+)8dqj;MR~h#fhe-1tV9zh9aMT!zMM8w~I(+klKiL
zVc9|sUIsy2w&JRMmA6vNBc}ScOWBu6p@5I!t#L_z1m3|_qeH{OmX<=Q3XmV{D!46H
zoLp+XUniUXnyQfIB#CrFl6q@zME6G$l!TV~H&hxjm*^!{g)9<M175nQK9L3AcL0cK
zc<1@1-3_ssZEd(8j6~k^O_|$@NXrRCm$RRAdM_2i!k3|Bmp6mtI3jX~!0JiV&4|6B
z>0ZnW?BPlP_d|Wv9Y`!!C^O@7S#Rfhe`sYavQ_@G{HTqoU)qB(3i-q0ka$9;%PK^-
zbarr6LU5I`$qTLmT1uG~oHD}|oZ@z2(kme<Ajya)wm!xk|BYTEykyjXyyVq4h4Q!D
zdL}Qqy-*}lLo?6hC0PUW62IalUD3RxZd;g_G=Dpqmt38zmP60QH75CXjb}kD2!Ws@
z_X@6&)mdaj&QqzOWm#lE%;wgUya10J&BsnMw?e*eDJmX4$9Ss1oX$RSj#rU$?1|qa
za?+71{@nEfv!>4DOe&R-vF){UH#hQ@lS#E42}zMMR6?9eOi2-`ERZu^#s0k>3br&?
z7T<OQ(LiBfEpl2F0O=hhwk9tKSBKSbVO5?ZL^zNj$u3obDjkr_^-4w~UO5@t?CHw8
zo#w_Xu?)L5i3=gpU}>)kn1@h_NCj-lL-F(4@}L$xr-YuBu!*p}DNVUVS+^tK#R($x
zF6^bdTGiv~Q%{%F6VyFyeut=h#m=0Csa|{b!JLI@5XRXt$^M0DD)N=t{3pZr5>yq1
z`7ep}Jz5C@mM9QaJ^KcZYvW^NL&b*RC0MwZAf#!PdA7>Ym9v5^BdaAODF=h0&u;^O
zHzE0y_wKgJlJ?3u9pgW~Uei|z*}B`|kM+5`?LjxH@E*gq`nN3^)!BP;W)CYHQuPyR
zp^BY$|8+gzAZhI>4pdj!)}(R_S8)$#x=eW0JXrPo_?V2?&wefA3#bV<A*a=fJnX1~
zLSi2%M4)XpUu^nbr1dbm3r&CNsj#;;Q+tRhM*!`?XMd1M5I3vdtV657`C(;dbGto0
zxHiUmz2!!DJwh-HR+Yr4(_hv>{Ll_-&M7euuXI@N?)vG^2sr%>%piEqvqcin>`Q`O
zCjf)2jW%DsBRHqSyGyEjH^N?5#s|y5JrxB~&T+>Hg38Rgn0-+69;va_D(gfVl~ozD
z(ZTVTwvBl~F7}OiJ(Nh%GrdPGLR%p24?gplQMF!{B~^K{TnNkY4dX{cM1t>sFkmzf
zu_F&UB?t%@?nNHXNG4!+jhl}%@E+WZEp0NbusYb{V|MZ(n+R#0^?u!lc5`R0)gUJI
z^=3V1%nFW(P-sFu@-*vHX=w2&*p}-3=<&5xHwDLkoK=|=Ux)9r4W#%D<@;l3w6ESS
zz}VNk-X^$DQ-<0kK-(KRWyi~~*w!^p&~?U`27qbInKfc<Le8wrve>NMu{McQusfD0
z-HvbM%sIXmGu8xY#GE)zu;s*LS}e!27PU^z8?h#RLf!})0pRmSOi<vpQ9jxTI?4XX
zoiH^ovuqF^*}P;4s3AhQx4B`LKP=Sfu)A$)J@9x7QG<*Sz5qq7{XpYWK#;RmTDq2&
z5|-G1P0JYg|5;(;!$wrH#R^#5ofsFjneL7PDtor&wrVAsON|~SAw4ZKK%A?0(NT>s
zyJIFY7=kbuiGeepN1=@HlJNsm{z^spJEJLo{ddEZ-}SR-%HJ;%YVCnTFo>Dj8x04`
z5KV<MwtaLSI!loyOJv{2g+|5oGj}~lWc`tW{)2t9vwV@cwuMs7a#9i7NdFZDby~C1
zWJNwJ1!iy_EZ9i)JWa@D4%Qw8L*m1jPg)+XhNh54x>KELC`D`P&1nI#`m3SRW=NX)
z_E=)*TdQ7C8)qoa*^KjrvZwUZUT<8;Ws!4OBv>{9Me00X<5GBi)p}XQ6RTLxSkQq*
zrWPfv7`!TGsymLrKym^Ar!(jlDNT*gd3~Ns#x_TW#2v-3N2VuCZmcjm(Hp|%oQgj}
z16Pr$e>jFYj#Ej>f}T&c;3-Y1>r!$f#fm`d`{yd^+Naz{Rk^}=2jFB%9~de(Rh2s=
zR~jk*QR<P5P^oBG8?YG@nte)@JF35O&F10Ar!$2%rNpz&vZKC2^lKpm)(4W{B<^<)
zvj~FgmP1vTuehd2RL#=1mf2W{wMBwZ?nlXi(qr(hV(cmk924Y31FiQ6CArjmNA)o*
ztoj({D@zZnJ`jg1)rY0N5n35Xdn6<(4&%jbVJWmQ$)X-sK4$Y@5#WUaV7`KSLTU}E
zIK;0|R2+W_t2ln8-=pH-m8dwjgg!vUA(=(RQ4vZ)#i9HXy`{QLR2=f0h>yRBBG%rh
zlQVU4ruRDP)hZ6;HZ%fxI5xJaqT)!aLX&=Elly2$%W+hs=U++7aS2_nyv>|k65F;b
z*_&y(he->N8KLq>mIJ2Z<X}%^F0Pz{1kZ$E>8N07X0UXa4za=lUL*0k66Y7pF`{4&
z`=^rQT|9_zAG;n!cxM$b9(qU;0JOt1Sj|jS8M0QQ#7yNy8mPZOVmLaGqB38lmdcXY
zF@`<lW1ZOa<1YD5ILdE~wmefLqnp{1@HN3-)GWK&Zg^K)?u;DwiM1ZfJtD{5y7o?b
zWV$n^x=*gXg-)675mVi#))vu_WN)EwS{x#?tM~+VrzD%IyiRN!wb`R`)S+LQ0T1?(
zWU7RYyL+BCy(qRZLC}41d4@xf+FRnKfh?&YIWnt@nyw_sjDxo3dWIoVb9hr>iFV#E
zGPkSu!_<3yrp}dU%n>@$y|FeaM~<b)P-!w}0(99f0`y;+LU))lLisNqa2K(!TPXjr
zub;V#Sk@sDsibSq+(mqCU|wP=Uh;V~FL})s<|U;!MDvnO#c5hcjlz)=hNN2#4{<u;
zEELBf`L3Xd$ahU-KEk9+T^8EpsFyH|3*{w1P3-5(sp_SOW&8Q^=qUM;kon2f&Yp5y
z)q0TvrK+ZhJ%Pnx<S8JD5FB?pm1NiYg`y;o9|_>lux?)E3%|2aoX4X$XFxu8XyzD4
ze#{@t<|c=q!v=_UyOW1UL{g5d;-^k#sw5()B{Brj8}el;XPGf3ORVHgC}&0E!AK{t
zv;_}5^@K=}0e9L!C+yub0~e{TNXT@XJHy&xbB}l;5qqxWP@pP>#i%z&_~*2m(w~#&
zoOJ)3Q>=Edo?(s%9SPoi6+3=8R|*YcoU=M)zQ*z?eS({X(+C6=Vseg3DAwhn@jXVl
zpe~z?IYHph{|phHxPY55JdlAA!P1Pr8{Tka>NIirqiQz1({hzQ<hi)=F>EHqp1r7(
zY3)sj-|tm%;>65{sTS|<=xa64K_Vf$sodt9V+46@9??Pw4ZRxslNgb2p1rZa&*t^Y
zXLiqUtV1L!+%rcVxC8QcoWGA8f!z3CkI}CLEktp_q8aiNZoF!DO43`jo5QZ8-MYM4
zXDRQ|_+XHDNBCXhcBvN#XDRXu#N44GiJoioW+>ONbfJFj&?cAXJT*q;v+OC&w<_5r
z(D58?{vA35wjc8xW6m*rM+oT1`59#@!X6qnoA*+sUh|H%&~{o65`It)f5IAYewrth
zvh4NiQ;2O_zdjWyPjinQ{g(Y>>C#!J<s(@GOv`80%d<?&{p#gerln2I*#rTR)o~h`
zu+~3E+qW5z_v*+*`xdQ4GL)z1j`H92Vt0xoP5a_LQJNMLp(~$2X!BVK-Os+M8V(^t
ziUmILC%vhGTUe?nwxo3I@o-wS>L^lU+ZD#+rO3>X8P|MVpc8}Hv`ki|Nc96e|AVP9
zqP0$m0SosUx>a(j5O<K5Z-?+mp_{CfBCL|>pm9qeqM2qO*Y=$;@<9j$LXI@0JUcy_
zsrP|m5fpspLA4mug=wViQ$=W#7`!PfOu}^8VHzeZ&@)aEFX1Iq2IM85{!%FaUn<Y!
zC7#DcA~k5=nY`r6fqBU$#Y;M(dCC6Yhk40OA4T&L@2KYEUDdu9!C&vW5RM^wU|0vu
zPxG%wu>N3rOaxo5Rh{F2jxGqN5GWy2YRw{cXu?I}Vj_zYX1%bTC3}sfnR*?8Jx6UW
zM6h|2t=eCfstNoGwPU+LEn$X>F=fV*QgM%1j{p;z$}GqXyum6#=#J+K5eB$337SL6
z485k9dUWKNFWR6?v2L6>Aq_%MpEpI$r$|sLf01Yx1e<$0i9%1^(&1d+i_BPWj`SI6
zK7ZH|N8>(XEbOYs;Fgh=HI+#}IBP0LzM-$}(H18?v@9G(lj$$Gtjivz%kCGRtOhX$
zxI$Kgm;+4e3rwIUm`qomi9@I?T??V6XS9MM(XsmGSNx(E_fPwxAK<IjCiEp(0(!5u
zb)mXUtXY~6ZOd9sJW$1V2cImpvCB|9C=Q}5bucf#D}42YEkrks+;v9`&L)7nNx&f9
zXJVkpCAr+=BoeQZwegs1c+}35K>4!V^vZ&OEHTfMMN28o=7TcYaw6h>DF-?68nvjs
zU2T`n&($0tv|+k=f<CZIQ3X#jhi0g|(`CgWagV%%bzT)_oeiV49QJadO*GtYaDqd1
zb*LiA&3-s6E0WZv|Bhj^%UaxzF`nuv7Mt6VAxa=x#T(7$pNCq#P_-KSP*mLER<{fx
zMA1IN)%2}H>S6EaoT#!AkuD;f67I>H3nsvkE@Efs%8Q|1B|QyiQmr~S)T)=mt)eNW
zXKtuhrr!P!jc&;~n3OiQz`a%T6l8QeHlNuJ*^|?b;}d8@M0Tsu02xB6T0RVuI=%2i
zGgo3OsWf&Y4CL{mrrjK)hy{(gJrs>e3;wgU!fGNVRjnUCh?Rn8bO_x`olVIZN*&_C
zYQ&MunM`6E+k%KlRME*|1E};N=P7NEh~=OaPNhj{oN>iCMrnzGd#$7C21LRR743;Q
z^B`}rv%cbFmw}V8cnxIwD^7JWp4iez=;*;>gheOcIxOkFmrr$J9T1BDUsW&`mg4SE
zc4q2T**B}6YwN1Yw-XI-^A05dZWDoLC(_3$8y!^(5k1CE*_damT8Mm8?(9=`=P?{2
z(L)fo`Bc~1x9L2J8>}#&JJqG8IQGwSUsci8#TM)e{LNYh3ojXwJ&?U^Q=w4)*FQXy
zm;7K7yyQdYB@tdSJnR8}AterAZ(F5!NqaOeX}mGaORfn-@si<HfRzS+5Aik<HFeMc
zXRbO7p%+N=MUMbpC{xP8IHIZ3X#y9M8;dzYa=NN2I_3Li2>3LJk$aV$U$yy*E+tp)
zMlOZWv;oo0l#L^lB)6UMjr!J3C#j^ttwvgO7?=dA+1bvq0NB7XPd`?c^&;i|P;CD1
zzf_uAxO8ct5SGJcR4n`dOd?CiR5HD6Q<@KUuYs#6o%5d5Ch`{~bJlNF#S7BrRPrxa
z(xDO#NWyhwt$OaIE*J$CJ;gm!um+;Z-}1I?YIr`^$k?80uX^r<uFbV+BeQEi`?)7(
zc<uSY;7GN}|FxlVyls;l{k*sI`(LUOPJi!NMxP!K?I3-U_PAf5Ie(&kMY?^FAWzcI
zQWTw4WiPQjOU9b1$7)9f(Wj~Vq#;#hFZAD3fb#?_7dPc4hAjjLlZt4-%XD8iATIRc
z@=4NyHe+dAmHU2LRHHH$1>O=sRlLOMO+>Hgjx&(_&7lcOQa#h#R`u9Fx}HC7kl;Xc
zEeXXx#=)>R1BxmJqPGDS<!PsZ5UJ9WS8IVF8pMV37q^N1Vb>;972I0aWybF*TY(%n
zyUluC$({4<mrP!tYJa-Jd!DEeco-@V371r^PqSxDj(NJnGewjNym;HzC)Z!)L2|ug
z)47rva}F#{Uj1~4hA6ED=Ea@H+W!pG(uVPZt@Rb}bm7!d(by$%tB8ljv47SAr@!Jr
zm;a$dT_W(|InH149?yrn>MM?PvE`^Z+T{{szKW(Uf5kEWj`Q~sf35tT;O`WFC&}H`
zW!U@`9XxgO*V$DV7{Z9CF;c+m5v(0UlAy)aT(g5!6+JR6R;w>al&^Kc4r9%*DV2+C
z<7=l>&a#jHIKFO5Wx^D{V~T&4y=BmZ+9~M$c%;h(>w;*m8o&)<d~^)akLE3&iK6uk
z_dGN<tQXXx!Z)qL7Q~Fm?c{(5w7<mbOCBydW|e>l0oJp_!CDOH5T4VTm%@rw$I!jk
zxY%Z_aPh-ou>UC#5if57`z#1-{hCZ`ME%``OKjMu5H<fYC+?se(W=O8d@b6m((aaV
zL>=XLwDGkpVj}xzzG`!K5P9Y081&d3Pz~Sf`1-I35A3I0MdfHxH6AR7X;k7C-;r2z
zM_q?$HJXjqhV?ex<m$&OY&fYWIP@c$&x~!eMk0n5g@h}<&O4Ol)(Xc>lj-fYd9F<d
zkXK8oxbI%y^j^<|{rb6qrR;(t&IczDZ}~K|h)ltSwrt(m?s^&u<zz_;B8zUR$9#YM
z(Mu{fG<_Y<A8YsX+2U@UQzX1(?0~%FJBx(!e`nvByu?>7`;yKRXY!Iu2IeK36)$Ov
z<|XeLVO|n<eKap=TNCqp8*9eNwGjN>FJv3mfi3M_c8Gts`JOv#<9$$K(T=`W?*77t
zu9Ri1WA$&)2PviDWB*f-w5@Sao&EIMD(mcf><#uky|pH*T6g!Y^{H^J5C5-fRdvu&
z90joYJ!S2q@*RH|-Sz=Tdm5Q;Rqw98_11*z{V~cES(ITCTdw}f)kR$W%FAo{cc}K~
zue3TG4wuW7kdScBIp?IMrHvRdV$`Tn<Hn7fKY#x0*|VolpPrMGvyOk1u+GpIuG|rY
zti&+37{*>+WgFSqMhS?NZS2i9g6ds%iBVEwY$-AJmKZ^mHG7Luvc=f4#n`*W2&yl$
z_ZlU8jV*hPy?c!y_d#Pz(AbM&O3I@Ez936>P*sqfon4Zhy(K$)Z+3Q2)yH#5N%oeK
z?7bz~K~+7kOSWWh*^<3?OLkDThTJ84v$yQc-n%zDsJ<)-W^V~*?+xPKCJm+Gw3Mc)
z`l*vjD3xOPj=a(h68N{Jq-3w^5>@iBWlPE4EhRzKLt3z9Z^_=hB|+6&TC*isvNuSF
zq-XS58YLa2+w_2MXc2uCh)@-spghW;Y3h~_w(Q-qC8&T!XQ-Ixy?eI=73}C6b@O^}
za7$2u64(Q2KnpAZ8$bdofPsF~S2{;;Xf&VEOj@VvSA|Nc6eD9mcHWb~zn~ftKt>O#
zmFFPfQ-jIqF)R!MPzTJw6<9KOKnn-~6277Lj3r&9Px8GqQ-+r2P(Kw?B1Q5k*?Gwm
zA5(z7aOJM9uI}cWZ(g-(RYgU`Lk~Ul>Z`B*@sEG}+u#27_rL%B!w*0F=%bH5{q)n0
zj*ehg>*J3<SzcZ)h=Z%Ex`@jwW%BU7=@%I1IY(wCOdK-kLUY8WY2%XQ#6#gNtS^(<
zS~q=UvKeUlwyY@OG3Tn#%SLYCw?o7R?-_n2w4&%`cpDF)m5KEVQKd=om*Pp;n$3}#
z(CieeC^crh%8jzS@-QCl_*>SyPr_x(PKjO(5tkStj6VwR(HjBw2YMd>Z^~}-m!Wq*
zVZG=3(5(9~&Mf}O+G!T|Y<3=x&8mEub~KvBgeqyus@!0(*=aKI<*EFskvTp%{;1hF
zzRf%!ZwTq!YQ6i7tc|g5Uyp0WAJE}jWo>GaaT4BePtYnmRRH^5i7!Y{pDtV+D<>Bo
zxJVlf=<YShqNxv*cG-cF&YmKN589J+nzFE504kmgE>ow>O7S|UI_IPaFPS_r<-bo+
z{(nVN{tus4lt0~A@wZLUl;4wtRr?g%wb@X$-oc<VAK0vnSt(D<5fwmk(7D-W?X=S7
zr05<jv1dx$sKCf8WFW`ztG;Eiar!9I^qM&-^?V-+7pvl^na$e}buh+F;x=3A%s%KZ
zZslmxOz{|%<5N(Swmv_NAhPYB;%R$F?W367?zB$Iv)Sq|JyP#JmTCBlPe^t`p8~A5
zNcKZIyZe-NK;>`r7rzIpWK!etn4>Uf?8-YMxf?^dJ9={;U}<c}F@P|7O_x+U9`U>1
z$#EYj&B7n4<wESgaIli_o9~*tIfvu<VDPOY=36>CBFE!ZXCE|+8^NxFW}|t~a=+s*
zemlqgUa3>Q#sZ4BZ=1!3qB88yaUUs-kqlTvnZ^6f;=>v<70P{Ny<Y&z`F3NJLST^Q
zJA(eQrgiR)CKHwv7n~!gcVTdy`;;WKk#LNJf3Vm-v2Ld%wUTs{q?#U?nC|0@fE^6=
zsvw9W-H;jQo3<Ir@0G#C&Ft5>U3;kvy>nIyK^3RWNeSFHRYrO!c1`LriJQW}Mf~Co
zJ}0GSRtgI!<s+%)eV$?cLnHKw!Gh4&<TU-FUDYG&tloShBKa!Lk$f*tZCcx#ukS8`
z(f=&VbYKLx{pe+~&$O}Wozr<qWlYva$0h6<u;u|s+}W#c>dD%jhl7{E%;BpyXL=iV
z6+0+D(~z^i(LmAZo!PaoLe>;zgQUs-Lf676IziLAP^NH}a2}zAp-(yv$Bq>GSZ;J5
z_Khr8#jHMTlD5|Pyt6w<kF~^y?Q>$&6%J0Sb|@N9CKfXBa;SikkMz~2$)N&bs^L!b
za`=D^AIL;T?F}2Aio}B#=|>SnPeiCX5GZ;&eA*T#jIYfy^AoR5wt22!J49mCW?pQf
zGQ1eQ-sI+=8r2u46H)78RK{~I{=n{8(2S{VX}9dd>K%iOW?ZeqPjLpviAJ7KwN>;!
z*^QR}z)~ypooTe((fi~uS{C*`#TYHuNtB>u(|e)T>x|&L-iBUGLsO(V=gQ9ry|{X{
zS~tjPv?$Z0dVC^U2=XqCbg?5*f@67P55$wz02H({j!tw~*b}(2+V4_YmBW#3f__Vg
zco+LgHYYt<8}leuo`@bUPlSq&!|Ej*)>NQgit-_kL*et%vkBhC!G0Xl2l2}CuO`TR
zUNV~lA1BGIxj+iA@|;#fdn4)Sb@CiD+MBsmr<@UkE|fuDN+2&e$TbhGt<(oXa$YcY
z@bCrks`m_Dur#sC-O8q^8E%o-B$WT_15^HLMfp!fQ~u_{@S6WG=R{NfpT(#U0_^jI
z>%NM03iJVBa6)|Kyjo7*mV-d({5%l#l-$$rd2yBQj`2r%NT_sw&LvTGhi>L!=HAi1
ztgU^S1cs%5^Yp1ta#VvH-M|3{0LIVJBl_qD;``@~=DcjHeoT@v<LW^YA!%7qM@ahF
zHR-wG|DL<1iT~t@0Qt$L9H|Ga_#JC>@H<}JPdp5-%>!EeP8un{lab|3;u`fuP~L>T
zFyv&Y&==~v$w7lIjX&DH?4-Cn^kU9bcbjJnL&{vs6JwbMP%#hhY<_XhhW!X^=;FL#
z?e)1Ls=rqbO2aw(9$Yh2P=pm+m;`ZL(AJsF6;UN9h=MvLZRkMc%u&`B1Wd0OCut{0
zZf``?NsvD{AbYg>_75iPm$9+|<#Xnx^=$x%If7<oh#sb=T>KzU5kH0Isi9L8sFonp
zc8zm!f^#YmYGTvXBAP}1st`is;Yrc+WXu_)ERO#HjuZtR&C%?>lkm4%*Th$^NG$Xm
zhj#}HBEY22-5~sY;AIhxb)aZ*25P<`q5)`zoN1;a^vWE`YQNJNvM@sfb)FI*-V;RK
z)E)TobQ%}<3BS#^!}Qo@vsR4b@EqU|H;*e^01LRj2xD1abLQ~<7rx@F%Uo()ANbZq
z)XBW!EZa`bD#xF?2mBInVcuDmkciMiqPKM_wABZXR016u0+dDw)I5WGXK2f?YBiU6
zFSx5_b5{FJBlyE2rYF~PX}BA{PTPu6JfwmoFi!Q=maO*G>3ljYYaE}RH!qcw-|F*l
z{ZJo?+p{=B6MVQ$di)H~lGu3PL{g}u%M-tLo+1x&(uyn^S$g<O#g4Kn4|}O@!tP<A
zfLvDeu}Z?CWQ4FAM7{`JG~ZG3AYn@)6NVcJnQ>8A5pa%M8lw)movyx?oTTAcTZJSa
zvCtCuTxncYzOAsR>4%{tc%3BKNxDsv$fLfh$~Q@x7f#Z-93*{1l2m1?5<xxH3dFN9
z#`fp0+FYCQms02HuIwSn)vMKHi!-+W?yCMW#cm^N7v<?ZPxY6_b4b7Zul`;lA9Jb#
zq?ROO`<i|;#cqoY*Fv66XURjXE8UV*WBcv>=84&cpVw$=BFFr*<bZ*q1C){)Y7OPJ
zmvQAlx`;cJMbo!_d8YixKUQp{{>82=6#FBhix^Fb1Lz|DQ}L3|qIt=QjxaBIc5^f@
z0iDvSZN5$sC+?7jS2Oc}3i%a@XDY7BzWj)=znx^>-Ucz?Ew1~4P3q+-3C;@7<1mIm
zC(<_bGJ;c0gc0X%df*r2k|fTL`2h76TTFBZOCC3>D%{~SK=f^5QvrTg*dt&-i-Y&^
zs?F}8StrLvTpCXIIM%&Ut~C`G*oshyG?9-;r!o%$$A&(Yo68oY&|i@k41C0lgp6>8
zi(8hw5AYjl*>iauhd|SYd{bsEq$Z&qx~i9E?1jwcU7}Psn_q$&wasWRAuv#f+CG@>
zZrM6q<7Vr?Dh~7U$+aw35s6ON&$}V}Rl2_-mk8p7=V&Arp2+CmNN%q$$0JIn8#TA6
zc^8zjndU`J<=srOzU2q5jFg{MevRQt-t|~+Q0}l>d?UBzBE6T<jfu+Xjf>>8X9t1L
zslW=xO9rb5%2X8irHo#^e_FLjTv@p!Yc6t1#qN<ES=$ry2E{w)4)PAqSaQF%L!^yM
z9?-Wna|ij;<_!wxiL6235)6U<Pmn|?mID6Q3Itm?^*c$_bs2L9vD1bbwTu+LaxjmV
z!eTlD$GC;sE8LK5fd5;CfgFWv{-TqLW38nuI94``8#dUi`#84)(#%nuSZjy2!IIM+
zDBwGCvL-x<jDf*pVU_~L><RogWh@9h%Wq3UHEoczK|Dzt?gvpB6O@!1Hi-foF{Oaq
zCN|Bsfg);gcM?SJkoK;Is}ZO|{2TM;`15A@^XB^V3hNy=62->8G_xviVum8)+E^j5
z@2aoO;ItbMO#2GGDp?XTa6@-~<3Zj?=$LDLtFw%?dA`*Xjk0O{I@Vs{Tb*E(P3G6N
zcA|CD#JUen^QHvZhFbSI?EYEvtVUcYB+jJuu!q<;h5mVS>+^~dueI{##^)7!Q|t2z
zQ)bua&Heht^?CD3xhoPgk$Hw^yzJ!jID=^3Jh}$F&f$rc`}vWMG~XD^re{1!#5DyI
z&4EgtzN>EZ(lAV3C&Q0`?gZcJA{?(Nt4L<jY8=Q3>fu!NNUGEjE-YM<Fhwbdg%t&5
zMwK8SjWoocH_x9}R4n)!(t)V&C><Ng5G<*${m!vgLuKC3@kgx#?aN$|&BGS6VaNe<
zR>qK<GC69M!=i7v-pU&b)v)ri_|?WBR^ALrX~5VT89H~L`-?lVX<3yoWnQk!Og+8K
zX+v(xy#W`1&IN1-<tulhl<1ig^vnw0R2TvqP@}I7D{oGG-Ym}uUI#9{R)|ssn{#<8
zSDW-7^BYDb`4Wz=H5p5DWfze!Z6IFqe{K}YzwpqRyyU?jh%Tb}UlCq1BCOX=rNjYv
z$^D9#oQ&orrydXUlCt&)FPT?-+k_F=5d@~eu@wC_G4BZLJTn#qUO@?ja7LtlZPxp!
zE_WB8-dCDRlrR!+O&zgg*t7@ScoHORi&fmA92|1oo!;b}qHb@zwOf>a8|CynT(7eC
z$b8jK5RxZ`JOuK<d1u|{Xg&TZzc{Mx!8J*J=JKKY(K-Sqe_P-Vnj2EGHN?r8P*oKj
z`0mm0rm-x1h<8Jj=WmGisV-(L(Oxii6*Ekvl0{;s3bu$RcaQb1ug;E1ynJmoPN|Hw
z-WUJwjfSr3?^;ip>91%b1hpr|YJgthf|h*{h3ciEuE#~GUB0L^#vh%!)04KYtHbaP
zH9yNLzbe){*lOo)x1-~mQ{P?vx2dn5p%+xzE>``r9~QeT&QjChlg%|xxHHH}#q4&m
zHHwv3GJWd58Y5lpk8ZVRZA_Os+SZ{2U30E-lCyRa%)n~RuC2O)z%;*JY5SFQMr=Sl
zgILS+am$<47KUyP)T1cp_6SLDm6i|&TckGmPT8O3OIXhOeD*Bl6q+b8v|0K(Wf`lu
z1?+(mbZTG%l(;DHQ|K}hKdXqHhgep!o1M>YRtPjtq|7G{3u-)H*(sw;oPh<7^rkN;
z6BQ^21I9sFyA1`x_j8I*dBu1II<yl{p`Ml#a1VJ1$#zO1jIy`ib<>qf`%R=FDqDaH
zmxIII*yah1D8ghpYk1LEjGbjg@P5AV;SqBSiH_ol3slac>3Nel09>NetEN)HD`W9i
zQ5+X)P`>(dv9){M;3kuszZiZGrg&ha(11+#+>o7(c|(1x5dbCnRy#vM>4eeHGJkP5
zig~1B3bF-2mhc97lc7F=huG&81_}gvU~3!f_$9?%J0VQs5{x9OjWba^R|Sz9dccm8
zftzLv`|Xf*TW8>H8ABQ`CflK|!$=DWk9^G>B|U_86$LI(6zp<-l?ky#g%TJ>L((Cw
zr*i=c91)*4j5XDL++JzTyGk9R14s!MDRT9;T{h2b)yw6YPI}X|*1;Bdm&O$a-j^oA
zW9LCz6?s+1)zA$`({$EP;t+m0tj-Ax=bG2GWMio;<krg$tw-g02c3pfmq5OfbIF%{
z9p3Rg?2wO+O%3BjcI{3uLjUR0r7@qd@~^b!UnS!59xH!NeEzI(1MPudDzN;HUw{5A
z|NJ>xUZjs{jbR$KFehhaTDz@Aj^sgbZspIi=FgE+%!?47v-W}x<Z~txLQ;gIxBxP2
z9X90;D$>!)*wLs+QfoglE018dFJjWlb9oxy7QaKZCt=sencmmeF%@iUh~jWc&0h21
zu2MwpRaYn<SB3A}Y{E;<8<_GxpeX;R(UiY)Mws${enT|nH+BL!_4nn_as;luPKL9P
z-+v!k*8r{DURbfI*5JyjJi|X!LnzBX+pdJlD84(rf7NhG3&V*8lme8wrw^#YeUfV!
z8_st9@_yR`S%uQ?iTwWi{VwPqOX&6(qeJ{++dz#vEc17aK0E-P?ENZu@;@8Z3@j50
z1Ecx<_j@<ssEV(z7}Ka3!BM7y_y5MI_8mdiWy0!52H^vJ(;KFXrBPVv*{ynJpG(h(
z5L<LYS>|Y!=T5jT<h4anPe)-O3z`cVl?B8S!^J6d^Wg)~SB#^XGN?rri}q$><~Jy-
za(3d&SWq6T%4gZSNwlKJpagAYcPneWT&TO+yI{}PBwpsN9CjguMKC-X79qFz!oU+$
zVzH3of4105X~2?JW9bEf1lTF53j)*T$so<)7Y&q)`4F7b=KV!|#mma1s<w+oTE#0}
zVlTC$%W&0K>{2Pav7M@~Xy6{sRIv}csMoQS+TUg5`YYb%sgb{T_&dZOR#+8>`NR4O
zn=3!oSHOZm@r8&_{1tn<0L=*wo~)uu5pgNjuNvGM*rK*!9f2+E)cGRt1h5l^<OrMx
zWo4gF{6ryP66L)0V!LrS(aRqhZZ}qNz4KbTvC3vQUYUt;BJXodo3WnjylZV7U~byX
zZ`q7kuJ>fwjdCN#HhZ?s_&(2noo+X5hTWJrIYxc=&RiWGe$)AOl|O%ujtYN>bcqU|
z!?Q$%KX*o~%Ad{iP@ZqjVPnGe;2aKaCf@^-?8ZY}AEsRau8-VcCknjX_<A;rHJ;au
zH;rMmJ7%0|4Ch)u)^1$L`|oEDR`35j*=}T!Z;x9?jenb~M2R0xITv#^3hc%tuAh&!
z897{2NS7%2Hm;X(%^Pnwwo-1w96JkK)0REYZal9j|M>&%BC>AEWfxK1c;+r5kSP+W
zqa)AUMO-j2FL_W(yuCG=mjqkGyktA<FBFYd?IKLuVA}p?+WbTMB9ZIev|S?CR}M9e
ztGNDxbctX;zrbe9Az#N_*%z6%|C(htuH|~;JRRxYe}UbY&9if~-MEfxC9o*u`T?+;
z%k{o**o^P+{SUrrH*VnhAkPvJ-%I@qcs>bk+|2WNqwL1_cuu;+ZY<$Bfw8@VYZcc!
zxn4WMZY;MkZ0a90B||LF&|J!4<B6gii@%uQX=d}AMstE~S1|{-vwZeuX`}9u5>78!
zuX|YwYxC?t$JYZAas>UZ&OAn2<!1DkIkBm&Pu^s2|0QPR)b`1hewJKMPCeEq7a_F!
zt1z&4DmJ(w?Q;pPbgaG6_9@eFVwP(C@gwX23hWnQb=NXn`jF{8N5A;}AbEkO+CQqr
za733QJLHUQF$Si7Vm6{JCsM_7!kdVl!*{37AVP<-^(#aaGuo~n8gi9{M(I_tzpb@e
z(_%LtKtlW3QzM_4l_F*jIc}%-+?*oZC^Tdfn;wwh(+EBY)_|b~uS4t1Tt$ntts^f(
z<}JLBvWzH8iAcAg>RQYt^!}u#_d4N3Vc<@?Viy7x>#X#?^?yn4tEi+udM~X|^!`_5
zC=A>JP3%kW6}>$kCcWw^$XXvemOUDiLw*xvzea#78AY{&D<G0K_i@4m*cG5m!418>
zAl1m_4%KP_s=@;FXa%SWIg`O(fT~aev=*Q$EEuhh3OON6fTu*@B~A!({BfjqaWQbW
zW>{TSrL~*(ZEn<~C@1<_v@I0tHGF2Uu!WPMPf>fuYGa*5HZ~HWLv~us9B>NpokAzX
zh37Ncg`EEI8-Sq)PMbgLd-+7!L5Q3tdyiPZUXkFri2e7Z)fe!avvxR<Sst<8tUF>i
z-!%7|J1(ANSPgDo8QyoTx?(Z7opt+4&-CR#FbY>JFS-5B+n3#znRoljyYIZ^KaA-G
zb2E*(1=BN)%P+s2pDFx|nKapJjN$)96T|--nPV3HK>a^<%*rv|amLF3Sm{}O*Cn?v
zyWLpCkpYWtztu1n=`t@_w4&6wb@_6S(eNvo1&K@UawIOfg}?7Qsw!@jqah0um&|r3
zC;{iAP$*=rOA`aXagcv0n|k%C{RB5p<}E-a)hW8%8CN@vRcTt2`?}+Z;{^X5a&$VJ
zG0vFX?x&5G$yM&Bk;%(0V$6WN<gW=r`Hx(5CNFvFZjneeesLx*nJ_Rf`LW_9pG5JJ
zTVfsw^O6c6(U+Gj8R=*lRju2*WT*p8e&~L*qa`kUKTLxNK|@`Kqp)hu({j?fEijP<
zL3n`zAg^{*Z3d{<E0|fWRrd;n1F1|6-!6{BUJ$qgyh>bhV+i(Y6a-EjS0uAh$te(k
zRd7}=*2l_3sk{7#PvbRH9|J9%R9!Wl-2RH9VAF^me~k55QE-Zq{9{>7zKNb#x61yR
z{CaF|pN@3%qOZ(pct`k@MfgzPw2c^sC;FyUiha0m+9q4jJDnxql3W`)Vp{45P9bdy
zucwf6N(IL$e9fU?qFU+OmE7Bf-ee{RlGi(-DRN%W<4INShaw$g*Ny6j=R^))4I~3J
zaBV4IL6{E|<zxW_W$LK)mW#9vleuQN1YtU15rN5k*DOBH?#sUc+1iGAu9ibV_X!R?
zja`H9;BkcXZ&b}Wm8RlwDPg@1u~Owel~%Z<ma0MoL?tM7IkFiv?i%QcOS(8Sinfsz
z*%A@ACb&D)ncL**p5X4(_lg|KdO7r;0);HvMO72}Z%9BEd=Q;Tim_DFk5KMoLXd{A
z2$bt1%rJ-<jqBtqHvGZTR>T}XBU!{8IE1z?wKb&^4+fo6Qy9xgRfPqf<fFhZ<wsCw
zTk^FSn7wxCGlO5d061c6HWCp*-C+zVAB2#$HWe|j1V}q!9t3uNZ0Uht%$jpFja3K8
zzOfC><UaIqsz6#ORn22)d}YUwD#>Brnq_F3sx0f#VUE@M4;)7l0)%6QXe2@_R?)Eb
z6B3>^0pxRG1E^$Y!c-6V-Hnkoj5;%;=~80##fgabK)kyV$z?DoOZaLIuEfEGLp2sO
z-6BU!&G5{e;o(@kc>ZrmU|ZCZQ~ffoK(E`DysUg-RMshy^=cfk@h(VN($M?j{5~&q
zxlPw5h$=DUUB!+<SV4j`QUte3Ad4ha4oBYYFKXCTygSQUO9+(RS$7mT7GbM_0D7N(
zbcG&YSD7Tt{ULqF65;^ob$Mg5_p~Heuj^?*J16d$$ad|-LUwsmt#?6f-}dja1SInH
zE4*`7a}~#x-D+L8YN{?u#W?q<`r(5T#T-9A<PP!{M>~n;sLaNY{$SI{u_nw6<$KY{
zBblr@v_IA=YB1|e3>V$|{Y7uHabny$*pJ8^F(qCMjD&l)FMCmsUC>n;(!lTZm+eKs
zMPI~vDJ!s%Y;C(TJs)6lvB-lEe6PdvS9PDD@Z@QU3^9iQr27yN?uIubm|ehX>h;j0
z5|%Dl5Q+D01b#?~;OZ-Z`$3)sfq?u{Q8q{=6GC{&r2|v`hZN;M5l#8ybHkMXPn)7C
zKh)zRz#YSds;b;CL#zeGE%%NI?n7$cW1ecccTI2~2tB<g$Z?WsOMjESi3^(M#%ryZ
z+59{cWpAdWxd(^So-zXW#H(qJdQ#CUiR@E$w^erBs>kR77ZU4a-7(JP#tR3Vk-}b7
ziykeJD9T`|b8g=YmL3Y09uO)MEM>;NF6ya<VCilqZ?Bg!lEZ?WvbePm`Ahe!ZcT8v
z4lk0n(-t-36>>;|bP8MDV`})!=F4nLbC=$zz5$~k-e&V5yQ*BO4dAV9C^2y0V|9nb
zm?K|fSrVc`P{)GnwurJutX_5%T*5RXP|^w9GAy?PRFLX1JuN*zPjolv-2UF@8v-}Z
z-0D!_Cxp-w{y6Y2u!AQ0i<)}jc&+FU(X5mnvdRu1i%|fPlEU}hl=CMlPm6#~tW*>k
z?*&wFPLFp-;E(L7C%BIdFA_jdi?n>y%+F<b<yMovPSFSboe`BDKR}N~68=Z7&3}fV
zf)UA7)HH2SWc(#HQ>RXfV9I?qtMq`L(~0dRhcHDO^Uq*ili7YuYmW3Q3BIE4k|aJL
z+z}-P(tCG@m=F~8Ai{^@vr4T~Yc_w;QDu{m4F@|aXPN6UKv%BYZh_F7-B|U76ePPb
z8Ov8H2TH_Kizf{F=3{EsZPstvA!gb|ZGpQI&j31M=zfNK<B`57d;kh&7Hic~G{KC<
z;xNrQ%F)k262k*MWQVXpkoKaMkKi<sC+;yL!v>y&hF9{+m%&n9N(keZs%fS$o-m4w
zf`O}%p+t}8(ZJ(sS^r0Vd+|Sv_fY6Iq0nUskmwj;F6PTn=(1M~Pt0~KRf&$Xx9$^K
zbZqIerHca1Kn8j%m?D-2?pDu*FtsJg7YWxKn*<SgpM}f&=6kYkDSkmMTZUFgC)Tr;
z5o*&E?>>ggIrO<^vzB~Q<Z6knuID1T4n@<^1AXbJZi2+ZlCr#`;0lU^hRVjEwbd#*
znN!rXDrrSbj{Ddu7tCJe*rtq{&>>G$+^-DPPvE;yUZzzc#J2^`pcW}&0znXK5FTp?
zN7MK4k(W@}?t}^ZwL&}&b^1R+Vge?P?!KYWKj*N&_z0@;U=Ri9ftaxl6ku~nK7_q~
zppeN{7%1XbtYfTJ4nOI$vt(9J*so3Q72gobpFQ9%B5R#c{^~!Sxr_L9x=5tny6DVZ
z#1#Ycl7|&9`8b-FBsYb5$<E(J^Ag3|4qHV>Xt82#Y<p#U>|d+QXZ2Q?L9~kABL`D$
zfwG+)cth+9I*6iCpO=|zw8YC|fo*JFCJIxru_b6ERxP7q;tU{b)(+V(f17qjyDf-*
zoKj%LPqC>$iUx@{%5L_T9%rGW>_RbJA(|s2dCGdduGuaYsA>UmfZ%8-quvOm+1&^J
za86q@XW1Ymu&s<)=kDH@qWu=8wy%DN(t_?&Ii;so|H>*o&apH$&s4rHIw2Zy6jeRh
zd#F>i;P103$?_-R$m?2tGW%fFh7QAOS80xK`np`JPc&~Zt2et(C=1Q;^mJ_1O=A@r
zAY&*Oa{wUgFv>}C_CEA|R}R!8?|6uM*Y~^HT6tG%R24X4*lsm~g5~8T+0{p^!{v2Q
zUduZw#hzH?9H%Ap$syLqQ8{!%-yElx5mX5rjaYh|Gsv-5kda}m8L~gJBV@>s_FpTW
zQYQ(p86GmL6l<ljVq(a*mnAsjHo6<N$9Y*tr5mAQ?;uh9#@IRD=5_VQ4V+25e^z5N
zP7BH-gL6<uMvuaXZ;E1n^{35--Rfz<(nTcdQ5h?DV&_6;7Ich79^6lV^3UeiY}K6M
z;k_%=Y*@vg!MZl6mqN0cAX(kv7+E-Pbb~T&m9j4FZR?gHVkNg*XKAk$_SgIJ3wh}V
z*IwzxwVLMdNR8>h>d`Q)sMOuJ(o$^asCP@{$;!7Y509^fZyp<(p1RRZtOy$LcHcV2
zr&5Pn!88Hcs4uEgt%f!h`@IdCDw+ExyhK8hwD6aa782ukWw7}<7W$dA@wa{2_%rUq
zfT777;d^H`^Vgwf_TQv`C7s@+H>F9Z_36mz&HPN7*|*&j&JpuNY52o^8(tjLV=vA%
z{#Xc>eN*l8DTFXs>##oC+=%p47)Z$0O2q;|l5Nk5kM$H~2PGW9XG+73R(qZua~RCl
zMq>hY4r`67n<Vn2#Qa)d_atF0ZV#-3ofZZ*@GBngzF^#n9oe-=_Xsjz6*;Z0%{xB(
zwc=L|j&L*z9O?~QJs$XmnZ2j#IeRy%ObKOx>MuShHy*-<B(%i-J~+OP_#wm!vEfcH
zyyU6@dCB#62<2bA=S*Jm+!B#UHLxWP+1o~Jq^1wdOCC|Y<ajhMNvjU?lBa5-c}d7H
z=`C3C)3TCK!6%6QV05!V8Jvb)MJV<I`(3p#1$P3q<g5Z3p(HgnlN78<9kRX`5B?(d
zdIj=5d-RULpZKEvldF@6I;wZ)tQxi`W!*!fs6%1*kSOX7p~ic!D_N=aj_@qu5{`B`
zP}E6?1PPBI;SwY~!g1cTq8OAQ379eQN5BNVa<vr^E@0bODIe9~L;Jf5tGMAj?mm$N
z%8<UE88m=E0SU~VY>o_NjwtKV(6!19JajRb1*y<jH*?&l+OJ$3RM`V}OM)DOHzFvO
zWvjnRA-@e5($u31*-pZkj*fLlI*hA3B!1!>J@NawG)R<<!)DRkxza5C+ow@;b(_8j
z7q=x;Tq4#x;o^)A$|={y{f87c()g0%Zeot8E?yfdPIe}t;*>e^<eqh%s+Hq<Ld(F0
z%lhDfNHzoyuA>zi53U9yqVS-ep|PXPMS08b+e+2@j=FDD_XoN%6*h?aR<Pr+!Un+&
z!3a_4YOJUSBLo`+Hv}VEyLz!;FIe!pV8LF61%lac(vJArG8U`dR#8uH=m;I_u{*(g
zx8N}{ms5yGgN$cq&?qXzl6R?1|0)5WE-{P{!@|HH9YToN=Y<er2nk{jKB4d6%4l?k
z;rD46esXg5WwH8X@t-8b7&qHZ+ZRJcmu%Yp(?Kjg-cQ9caJ^wSjtyaV!SnCpwNCj(
z7J;Hu-kYd(%Js>jQ;xB%9zuu>(&Kne;<{$2)*&bJoWk?ZQQwLVxio>rIM1tiFFNE&
ziCTC3(^#82F?_vU>x{3mvEL!z_v5tA_<;nwF^cDMo<(>3w{)#5p2_<BNuKL@FFN9p
z^lKc~WidA6O0M<sT1Py=X)~ts{3g$$E1qzk))f~x^~vIsOwkpaw(s)%C*BX|V5!Tw
zme3y2v))L#^8MeaNA$9@c^19w8$63%wgo+{<QvM#=<<Fk?<M`oIIWM(r@f+w{Xewh
zMy@YX&kU|t(avwnmG+1}_6LKtKK4W2iyrrOz8Af0W}4Q+zD9Zpkm>vH5g8(ucUSQz
znw|%_hW{j=y#GB^eo^SpV9gi#3%!4YG~p%gfhqqMMfqEzDgTHo!jym6o@mN1rOMwk
zeg48N>L%?_=r0wd2>;1@+&!ZHmhc?@llQIkaG-yqDfj=Ye+zuaU7KD-TUTp!Z;Llx
z`&w4{Y-jGa1nx?ZNtfKb;UIQ3&y<_BE8Z@dpS1OOiSPJ~?xF=5O+TecE6m{hj*&MP
zlXXVP!je}qjj204?p2w%^dFphz%x_*7Fq|aec83`pIMFB`ze`os;vXO+3ESF`n}dV
zkiFmHeWA|u?QIZ0V<(>8gv>a&jbDtn_WzknIs4+sLoS*~$;Jv-vSE|SgS_V<RUSUy
znY1-OJ!$L0w4|-GT}fLpsm<TzUs&s({i1*VHmLD?#2G(8kh*u^7yAjn(U!fZ<S*Wo
zl3i;?l@O~vt7PhRiQebg3VD(UY=lwr=jomp-{+a$r;wAif8eVf={tOwO|?J&kUxJf
zpC(dCT>BBTm5LMEKj4+wYURJE?)>?0kIUc7A}spLMt^<-a%9e2O-<Uqa9Eakv#b5B
z692+s?F$>*7dFtAjHK=Jhf!!p()Rojy3h_Qe^;o`edF>Qe9bP-pS1F~S@UZ-e>xcS
z&p+;8*km<cVm(j}B>eL`3TcKle^=8&_4bs1VXM^`|1R%&&HL_ePu<~7RtW?VHiUoj
zQO8beHqbgsvDf<NA4WJgzx(E5b4?>vjmtm0a*&l@Ys)`udJhF>AN3xN<lc6A?pm_Q
z2ef+|AL!g04qCJKAzp9hj63U9-v{PrPwpgbVJpZmdl$)`OTfKKr}>ue9iuW!UFsT=
z&q!eT%Wh|;_pf|KDPG&oO03IcRsMpR-jmn|&wkN*_swR{`IJ{;IdSGE<jk(R!^xF9
zDv=22&yTh56ogZsS02tP@e^mF-cFzNx0CvQdpPRb5^IMlO<lvqy%kkliM5YU$iQog
zb<n0h{k(j>b=N7?*SZFm`PPtsRXWdl6DfaTbaxB*&U;F_3k>rcZTSt-@`a833MenL
z(kgdX9_wv4yTg%nA0<a67O<7b8|m=Xi&@!B?_RzYfF_u08cgrr;OuSQKLA?|9024P
zDG-|JJ??pL!$CD@z<8pD69Z+=ZykQnhv@M$U>@}x?!({O^3!bqoc986#zi15c%fl_
z5oO76Ir=~k;8{CpxQ3+~_(Ks;mslCr&bq@w`L7*t7qR4rLiy*saON)J#bl94?YQ*J
zUBsM$c}YO=l8>T!$pweQyks^rt*>624(t>-NS__5&$|>#2rA4rKdvr$%KVr4*6>;%
z2a2@L^tLWkbEDC=utC8GNPn%`N&^ZJyb6tIpQO{qb6<P@iweaD>j5nZ&USkL1oY1+
zMz^Y^QQ$vYx2xo-C#5;<`+SGLkOqBndYi4km>-)>wEM|$!y$g;TZmnzOlUQhA)IjF
z3=x`kEqc5eX9W!~5dA~FYo_;v%-blKm>*L{1S}3I{nLdzjem!OxrBq2_!cL0m-zD2
zP43dWo2r=pC072hk}<JH<>92QwMknKCT-mV0~z7_Fcuz?&P)ROX_Y$`Ri^H&d&SkW
zv;4!@ul|(fKNn<HIQv4+uJWU?rnkdf)6F=fc?p+PTeA7E=A|ypOW`P^Zo^C4S8MtX
zcl-0ZiB2T^fCj;6geUAYJA`BP&D4?Ira95Vgb+8{X|`q`EJ=E1p;P$bxcm-%>E8M8
zKrUGWF1=eZ+&`xSv!-2ORnon}prz!xCVLVA_<^NAKfPMOW@XUr%AK``O~_hFU5mYP
z=jaY@E9-SqT}yKKtwxJ}@|>*<{Xst^^;1R&=aPPO2f;?nHLa%il)ygeM+<n?kWbc-
z|5C_=*F^7x*F-4-7b`!VPM;{T8cSHnmyGES3Jgk!d*pFQP1`a7i-uXXK<nOn<X6MY
zv!WMXP6R7;hh0g(X+&5ZTlXP8iahMZTmEKA=S);yiJ=yRI@wpB0Ilxrj`u~{aiU}l
zfk#FH{S#oUlaI1CUR2kV44o~oDI_E^%RhCWQ*@s{-ziHVK_^)NW!=WNi6yuy{qwdG
zYZiA6-oFc;MXh^4%2OKK&RF+Ix6~SCT>dFtSk`TLHbs5j;m>c?7#&*SY>ljN`h4En
z@#UBrJsx^2l1nx>mawkPcUrUK%!ZdCz{Z5vt)2-TYRw^?XUUo{FaZ%>a>IbU<chBe
z<zH)_$xG_LD-x-#=uu9WNEHoO;>F9QME_sTEb%p$aHl_f{mc??9I(WrOQpp9{YcFk
zZ<IFvoCR~Jjpv6w3%@fkzxyx6@0z3e-9;P2{O&hLb%~UwY=UJg5!y%mP0g8p$H@BJ
z_ld)5pWt<_Yvz073pG;Rk)f(!_aJ(yH2!vT|E2R3j&b_#MNzPzOiPHqred;@Xgb7i
z(!JQi8YP<-vR#;+CO&~CEl65lD5-u(g=PXt>#xxX>@H@fGrhC-UlJVsllRbaZh&RX
zPG4jdIm%xzH}{uV2V|9HR*r&CFS61|eDg?eqEMvWF2xb{LXDWj^7V#;r+@DgU{wB0
ze$OnY&&xjLy*N;L|M%LX32r0XkiHBrM0UT8^z2?Xa<3r!OyTcKhc^nN*qQcnCt*x~
zR^v+eBF1$zd+riUm!JuNxX;kW%Zt84+sTHK1Q}Kt)R#at#l;xC$^*j4d`6~WRK92T
z88lT!_W-y2t8C=eBzaX?V~j>X5&FPhV=%q=phm<Rm4|psF2+%P%Qs`yTc1IjBj5N8
z8Xr~S#BgOb#)wdH%z#L7wQvWulS%r~Tw!k!Yzh}iMHhrBIwxF|4}^-YWlWzo)F9K+
z?MBoRsi?Qz<3hzDv<p`PB#?kbwfo|5Wi^Pzba8+*QruT*_oz@sDdD1g27?q;OIDvY
z)ELMr6}%CgL@MfS_xMn81cK?)ZY)@$O1vaoS&fkqDh~9F6!%ryePO7gA>pEY2G|x=
z%SC<KP-7tNRP6?3BNg?wdqSwV;eEdG84#VQ64|<Fq^vPUhKge<MT+aU-FjB0eGv=_
zzx&?6l>bph`J19C|HYHSl>ZZEN8g=JKlA(~2sn*7@k0Rf9E19$^PK&qmO=eByx!`a
z=~Ne*>30I$q<gRDw`5yJ;u$mj3VG3YreCBJ!ZZB_TJ=Ah>0#{A^IeS`y$VA=da_6I
zM$Pvy`RFs*BN=N9ro1YY`5rFxEK`1F)Rc$oMN0XySs%$*V=(tsb<Fy3b<q<)lGle+
zTJrh~=6<*jeI|Y+V+~?#T_|%uT<BS*|3G~hm;&^v4mzOv00jtF7fl2rd3{D7IuPzd
zA0iORSYtp6RH4v;aG_@*1q1cr!Vt*%rv`nhgC?lzpa$XUq6tDIug~a16T*GyLl7bv
zYYfPODioR!F7zy9p|=m3EHrob%dADb8rdT6Pudzx+S<l0GrWB$vGn$#aZzOd@Y<sO
zHxPW(pX9X97Jwaul-K_b;w<9Rj`oFmb8)8lv`@)wF1`x+iC#src12hmRJ&^LFm^EG
zOa8LZX?oMlHCa}E;<)^jarvXH`H9)cPhMdG>B(X~I-$}gWcb3m+T=dBYRRUB0tc;E
zMBbKZdQ&)679sT1`r)+~=4Y54!P#-%XG5#tvBsjxjLP9z8%MekZ+_-^^Gm5`)G8^|
zc6M#5;k}I(%76R7l>aA+^8YiM@=tD5l%M#vD?f;){2C1TDe?KE;`1{+Q>=xF)>~}<
zId)8>L9ZhBedV(!`|s@sk=_E(_Qi2lgW3vM4N6el^1+vOIy_=}hd$7V`4%U3M@9|l
zg=e8ZKT%{>jGv;U&dPn2j<<StVxlsdi;Q1X0zx3t`V8dWp55igknZ$1j88{8_N84o
zjqA~e|LfoWFXl@2exVNi&K9$l`66=7M42p?$y|B6#2S%O_aTs$n=JoGfx1rI8A-fZ
zPGC^dLS)s61I(SLB7j>|iL{dfOZ*|}^$E}3uP_i{Y|=Wgv&|vthno70NURl}e`PHH
zf3*#x2trFs{@9^liVkJe4k%8Ut@abMuEnf$+ehu#*A&+wK=AE0l@R}6|JYg^0o+$;
zVAL9IAQ+8OfRg4R<4ydM_A$UH8UFuiAEbcDAc>K2oSlfEeVU&(N;^fnVAihta3l-s
zF}1<kV7wOLYw8W<?r*;D{^}6?N_1Mym9vhoJv_eAqx<*%+qOfuO(_4efhqrEit-<e
zru<iwhu8eeSvvMv^Pf+YoG-<f|3PnMTJ?u5XY^L%%D}y)ZC~CvFf-J?s2M*1$2V)$
zpp43{4PiB0+DiQin-hXzpIi5li`lk7oc<8J9_@cP_I!0zIZOMZxq67PDQwn_(-anb
zey$^g(Pv2JNA3P{$$V6vekAkiy%tBDRWct{MnrU>B=h~vqog0r3JK|v*?tA=I+J(G
ziY*#GYNl(zfM8g<hln;*^DC}Rz7)y-XXB(sYJ$-2QF^32^BJoUK3V^cR-ivndjAl{
zGYOmV+&OH=PXE_{Xar||iGhH9W8sn)h-WLYLB*O4!wHEEi~BxttEc=RW!nq5MRji~
z#y+m;H(7XV-HY+;u?e|i5V*ux8*)^_D(s~AooiD^tZSXvRJRh11%F6~5moxIqQE=1
zZIXJDivml~&FB-nr9wHKanGyYD4JPx`=Z6mFUTEp=OSaJ=N6B5WoF6p6{~JpvB+4o
z_*U<2#>%^Hx${oamU&hh;=Y|(;=S|EmET*jc=58#F=r;NSX{bz#mdF<DpVYo6`sty
zm#@6tbNljT;nc|U_wHQ2a<Q>;@!~r&J<Bt7GZx>SdFy}Z`^BEjMa!43$XtH+;$_B)
z#dj~h#iN@M%B-8TV)<PvyL#%=1ohn8l)IKMlBztnco*HiJhOE9o!+|^t6CRjdKRzr
z^!I8~<W1(vyB9BBgj4$IDVI+olTiK@15^H=D$4(lXv#lrY?$&p+12)?{GkSgs{MZ`
zdmH$uitF+F?%vI2Nx~8WMnDY_F#;h#fg%BdsLKWwLx8xk79%L?5-BR~CccCu7(|vO
zG``f<+c&NLtW|4mYb~`_0V#>rSJalOrD(0)C5RC*gb=dN_srZ~5^4E=9x;3GojWh*
z&YU^t%sFSyd}ETdB5Bv$xaztU*N0bMd;HFZNDtpl%T`_+3SFBYT()ZY%4?0<6|0ut
zSZhD!v&CL|lHti;wsOU?TjX<Um#qlphi<#++WaIs{P#S@rR9wOwX6U8+x%OC%T`~z
z>}r}+Ev&k>R#*D<ri@#b)hPV9)OXQ^D_2~*O7(k<pkaQ0*!9rJzW)`guDdaR#VSx~
z<;qpdzVkl@QN}MdN=Zahqn3QoL!Nv};$VJg^|EVjpevFuR)xQF^|j#Kb^1*Tl|w7Q
z7pBK|K*9yJtFB!=f5oaBRI7d72<n$D3$3V8Q0Di2bKPoSr#8UsoBW*<lS1FQ<vQc0
zFrRZ{c=a{c<}VA$NG1PQZ<d1$D^}6ajjO)?`qB$8%Ab2{=-O4c@bVUPapJw6N9^a#
zyX7Rsut&Vq3N{5i-q<q)OApn^Zkg~9**+igtS!rGEN5>n*Eh2p%Ld{!t@jB_^pIhP
z{aHq1c(6DbH_CmsI+;Ap$b+(ZgOk|^sZUhyVIx&=yn`*1Zpk($WNx`YcD;IZd>2K_
zMnd<9OM!{Dse#y~xrth~AhPX>JgG3?5<~AniT&9K9hI=5DyRivW+N3@I6N=y^bML5
zzM!dYvJsxuR5#TKPa`Nh?$(WLbZ@jHDnVL<3mkdD<pWYlQ&kR0s-C1^p`L8c0}W*n
z128c)__`|)yGEjYC*zJv+bSU6cpCz>1vwFN2Q%49Ca2-aHhfLi-wI0%WGRWixxkKf
zBUOGvvb@C3l=4H9<>i=!AEPE@e<QJa4@Co=6xP8PRV{enau6wfMUVpq<v|jsbnd9~
zsG!Ir_{|RuB|P4SJ9~Ql3BSjF6aJJkiCR})aHq4GS2mD*nn~aWdDffMoBdh#E4=GT
zRbJ>Y9-HgPIUNc=GG!C4E4GRt)a-H=4`$#H{E{yet|V^E5;8=hg`BUVh0K&_A%qBd
zkWi;YnADp;quZkIn6C`^K>bNbTDdRl8dB9ADeH+;^-466No!t8HPMnfYXk(*(FTYi
zZ?>{yxU6?(Yt2~Mh0!=`Vkn>AB_aA_){M|l$?Mj`qJkC9Y_0uUbSK$O;?4`~Dw@Lx
ziFV4d5mOQpU0<S@nDHMQ+~kLHfPF*Lr@f`T5s-{<j2%dk8e9j|NQ6cR<-g?olSQNb
z{9U2^tye+$M+)^n{KC9n3f14dbdMoc=!a%&%1_+bl+Cz;8c!09_94YfKIzX(E_^G=
zOPWwT_vIyO{Qu&N9&Wz#Q^9}>(By&v4%t)OtJ9KLkj?8WdELBTaw>6x*yo0I6KOh-
zYF{+Slo;lWQ6}+bb5-Wp0}`HG?O~y#<TNP`fC+fjJ`HSS^s|k^?9Cy}_mo}8^eXq1
z1mS5UBpjU_I;~IV8won!lk9v#*x2~|mb1CZkia7kq0<$7?$XbSfVi9e@+B|vN+K=E
zewp=>Swc8@rG|5@cX+2-)=@~4xT}jRv`>z4VWQR@ywD?i+CxP7#!(jf$koM8Pkp?}
zKbW`Ry@bQ`_h$Ng!r6JvHHRd0&yITc|MA~QJIaCsS2Ec?<S2FPwwXDCd#+BO*BM@&
zfG}~~fo`4I)s+Y>VkRDmmi0EpPg$6jP8gO`s$JI4F%ihCG?kOP;2DHtT@)Pds{W45
zT&tN3_O6qCm`@U+3fV;8Q*9R3_cXPpRjOJ<2<_7YYG6n3(arT;&9xT@lMv8_>ejo7
z%9133gR2oUfie)=!B~6RhqUxNqd|f6(sG*Xtz-xB2rL0m1sazpX_Ai8UwIv`*yBM6
z4}y_&mxD)z#0wPoy+Id8#0Fx&<cN=Ky2cU83dDBNnw<CXvTje+1^3F4P7~sJKHm)C
zq<Ynvt|ou)DXO8w)ankETQ**+n`99Ihaf41{)2`7UXvgwQ??gw*GH5PE`UAa#7L2(
z5~s0--HOgN>4DfK0tQtAW;KNs%=Q;l=UU4E0%qb0Wy@<=$*ZuE7mf%k5y+EKbzvr)
zpOP+QoMdnCJySmS#cujjS6uB3#8&Xg#(zO8wjy@T^yStM?DQW?gwr{(BN28ih_*)S
zhDCQ5F3Dy4b<`1EC<_R3dxP6meXFECK-84(|JC}O{;jtQ(8<>4&?)nWn)7pKZmau$
zx7$h4e(hppR#<MI8e^%x^9GkFC`U2KSsb*ZKinI<P^D&(D&gVNSR%<u5}aAoR5y$X
zNZ4{UhUz?;h1GL7sf3-pdd_eX2?*t;GLATzk|?elN=#`^=JDm4tu|um+MniIz0oDZ
zI6g0u&YnMT#Z^l7hIeH=+BCfNuBJ6PMyM(gu2A@x2w$EE2P}hio(faYv}UMLfA*Bl
z<ooEA!xA?+6O*j5<Uk(~oja6cMvMKub^l0ZnHz{+cDXtCiXoRRVT<OSU`q-w0#V^5
z-#R(ve^^m|Ik7um_{qFq9)4l-vWsp_QvN6N`%```wS+l#evUdeCF;8(TCqfrDrpYE
z(Ce9M^3S>hu!$`nskoffU^4Y*D)ov;#gbwO8&So3L)WPZwiK!o9N?1eMHK!W*(4#2
zghc4_L?~dj*-7bCWhed1PV$fx^#!68mz%yThEzyj?7<=%h@CC7D-e4_&2>g%ox+@Y
zf;Az<U7C{OKE`Z_uvjS~oVAPxZ}2Pyun3{e>+2x(DPfOn)*7<RfkW_yZTOJs-72Eg
zRl1J%oK}boOs9aGxWgjia70jxYJ-~x<z2vSwyJk|!QD>l^W?jqbAyW_mL)0D#nT*<
z$fhET7~zMZ3(cGB5}S6-{37gPM~7npqLG}02SZX{RF?XpIk1q_7Y)FoC=Zq!CI#HI
zzKCyq->EQPV@!pXxnwBV&XoWqpAx)$+D&+!=RN%F9K_FCX{7C1X*`p)!T-z#{|g)Z
zZR`o=w3&#13(<Q}HJD`BcZ0!>kPU=%_3uy{&pN+jOy0V||LYC@KW*^8vcdn}2LIj-
z{?9h}yPk1u@PD+ye*~RI#Q$8xzdhoALq$8<BVi&WXiP8IWB9AHg6+=gbO>d))x+nM
z2VWup)l*28>D2@6e_2+>^(CO(qP*ZkOnMQd_0C0wk4#uqT8OloycP$dle+>|?OPJ@
zT@mqJ4!Q<nLy$t8T1M{IC(9wz!RjO)Ux^rA0+U^oxhqV}>_trJpxeWqM(al2*a;p*
zeyz23io+FDDGuv3Qkv@WMKtULzZV60HArRVkjaw4&Tu-_n(_6Hl7Y$l+Z`o?oZ%Zt
zzrJ5{droMs<Amm%xKQ+K#TrhEoQDw_tkbJk(qRs37RkxU-BOb646mTQYx}iVX4l2{
z+Ml=dc<uJ*-KuIQBtC1PKHp|NuF?zSvvcjwRt+0*r=zKElo1-8YD!Uo=a1Ly)?N9U
zosw+bVSVyH+B#~t)$a=pD+|Atew5}6J3%OoYIL@p;I@Z49_zKCvcE1shW`d_P!&|)
ztDtpQjVkBY`@vy-U!|YW``1FwKs<@qiFCBl=N&C`aV}lMQre9F&`2iTlSDAPS3dq)
z%R>2=oOBhj`)Q&4d+rjdFVz3|Dk5Gko~Pf#w?$<BzN?63C+8(UlNwii+@F^$$WQW;
zAEP?xyNWQZLpIdM$I^`thTYd{HaM(PQz<rv79CHxf$lil!{jcvW~)@qF4Q0{uoIGl
zXf=``{Rry)K#yK_KU^a!Sl?%dI*?bUXebu}ET8jU^&Ho;^muL?&UaMxjHp-V(`em}
z0zfE(4SQSxr4stUej(E}5c?*9_BGYfGJL&j%2rw1B7yn4i|1Y(8kh)Qtmw71W$pWe
zTIXJjWH^_zBFuO@f(0KopmXk^Mjk&@kD>aeHK!Y)TdiHVK2Z^(?MlTX7N&T_dfpI{
z2|78hP;tKROM-C5MX5Ybr1C7$dH$HpvpALKe4Ki8JzI62{p3*~nekt8Gfg`EQN!B6
zI+E{E`>?+U1vebQUrbb^HG((Mxzp43PJrH*?43|IeM;w+HaY4xJRQI}(WpnAV9~2`
z`^cSq>z}!^_M@g%y=iOfd-qOQLp&tO8GJ(5`!G3Woni!IrZ@Oam_lW&>kH(=KTMV=
zVrfeU;J?65o^9m>6nF6%Hq;xrnITZGHLL+7v)cD}bJEf+0jd0+DGH3|sT{$rWr_+p
z*<Hyiz4QG&UNjv@BW&H|HF08HNtt_fnMJCr2&JU}8UsM0{<yXeNMppMA_<c4DmCVG
zi|RJRv{#Y9_Oa1f3Ij6Ze>a*Mpq=y7&{d>{<yzGiT?SuL!&@T>GQ5|i^86r`$D{N7
zf&|qBh(E5g6vQ8`iUd+c{+uc@NEdl8Sp@7qOJ%N1WtN@fh%)roN(F+0XI1?uBb?LJ
zKqGExgtNCA6g5Q6M{sw=uhkxN&c6_*AV6P{s?=v!nhnyaS}!A^slF$f^V_MMtB&XF
zQ8^n_&hBK+C8?a*S^}%4&Tf_SXDTOW#Sn_I2NhXUJ*9~J*atwh+_M!o6V=CzRXwIV
z;ajP?J8dY8>g!e2ZXAl~1oAe9b>1sed9POUO*$;7^4`L;J>;QDO%0>_k4jal+;Zwv
z9UUB^M<t{iQTjbI{uH=EYg1KEUY;uTgJh}d6{@wn^z-pCczl@Juf6=_l>ZS$`9JDU
z`77Fzls|y7ryu24P%KM9u_Fb=O$v&4lc0}DBGgr>y#Gn%U8V9KmS;harKv2hrn>t^
zmF0b&=|Y6(NGY-JdLpIsiAWnMEn}H6Y3=Dl`>dD<y*IVG$GRU)LdjDF>~`orWq4?U
zV!vaW>L911M42#=W4;5i$M>_KMIv-5d`0)FCTjZ#m3ye@V)Yvp+rs(+s@_zW$9Z!U
zc_1l7z6A$t_0c^$eXGO>r{qvH<Dn|#@SBKcDqmKf`mzb~u~XGY3GM}AuXd^B%^55|
z6-=*vj<yVT<p~jO7WMhm;9t-eyt_|9s-~4bYfkHXl{K+?PVfbX6=t=hj=oJ(N@j?X
z<klxfN$^1qV0ZxABL|1claF(TI;^qym~zf-q=HX6+taA5fywx=hke;wjj*e6x%azr
zEI3i_wiQI}Aa|lt;5}OWi)hCtZ{3jj8K{`BW>ybXY3kk^d_^x(?Ajx~Nn|A4c@KK8
zT%vgn(~HkQY|0_}pw(A>$kFOs`Bu7gXzRLFj(PmvgfqQ>y>7Lm@Ri7>I!9#F?ff<J
zSI^%%{_b=%&tDbUwBE7lM;jci>oz(XDYuDoQlNzloB6w+zkB)n0e=th_apu+a{t8P
z8W!2~5KkNux9Mm6J?bD7+x?F_BKJSW-&6cO!QV6dJ<Z><{QZU)!MElt4F1a09kA|s
z4rp@OC<9`?jWanIo9XW%yf(*JRrSz=618}cWHZ6Jg^R6w83Bn_f+k2u<gSwQOGWF<
zf{?JIkstFxcWofJVb+6@yEZx^-`nKK><nc_|JiysKzrH;5L-{(4r{&pA-=Zx?gK_1
zp}b>%`9g@!4p-!*8po!e-YTUAHQ&9;kymd0Bv5&}Od0#}&cM{+Y6jU-t6D(jfP;>3
z7WYfTZtk6-kxg~8i7gbJU)^p-=dWa%IaKIj{q?>owcb)z8PLVgmi|O|`pj+NsmQ^~
zxYF!fMcZdUrCErplxjyH<`JU`j4_?%qgXJS%NjQY2=t$^&>P%FgcJHIX2jw5yldO2
zwML$ee)rh~SWz5xuC#^nt7PWRa4|jByuOCDe)C*uEN7%{OeKlrV4+1&tr6x*^#E^V
z`Jd5L-)j)LjbnIsh6W^+{)IN#4!gIEGva5VBMz={3Gk{u>k?|0TUCLOr&2eloH&<7
zn9WzFY)udnx73ZD-`QZzHzd~6y|_9P%|$iH5j$dv;cJ!H;SK)G8NbJ9k!S138Bj2n
zQ9nvO&7s@Sxb0D(-PSW9oGI#QiETs-@2}T#CzNDyY&5+ltBC7Qx{B!hxlsPCn@(Is
z9Ox2T#CPYWRuOs0{cAUzoR>VRc*)-WyyS|TlDx$8c|Tr~mt)(15YPNwVgJ`ZX1V&9
zqp_wPc1BcyXMR1?957{Z?61c&VUSTL5Mw&*)T5!RpF~N;K-`OCzdgnSBqy<ek+n&y
z8xkp5N;9IBaz63PN+>xkRf@dQx6`^+Q5VCjUUf0Zg20i|rIE_3Bc;nDrPno=f`V%B
zwzCo=TjE^JcoxUr`Bc!5lP*P-X<|9xE$0G27l(pln`xrC^aAkrDM*ND)8#<{2t~Jg
zQ4xBB!|4{88yl#KqcKxjQB_kOndy&D|IHKj7|sVE!LvB_UMgV}2?G|#cBB$UlaNlI
zq!J29NLw8HSt?;13FhM1J*kB8Bsdqx8dC`qyul1LT3`NK1J(cg#(0DKS)VVCy=%Xo
z;tl?t1o@0@c2a)ut#og&)lPkqROzP-zN58t2Aw5lHtv|#vK+WqRd<)2E6*GJrCo5f
zU0tTiK8=FVNhvuEZe2QkxuKfT#r<}1UG?-fI#-nM0#%`1P5<x6VVs6*jr!u4M`sD?
z(g*`I)6{?}Ki?aCl4=-*PgG}w2I(SF?>mwtH!dU)CnZ=0WXsqKx_D#HQl|?A=xZ<s
z$#pS{3oPNT*bfidH(eqwP%cp$TpTL_?F9{y50M(A3Xte8uEntn{zdmmt|WH<3ECqj
zHbw2*Q1;q}rkhxTd}QogzqL2Hz<vjt1t4(*D@g2(jnWY11^?-6CKtAq;!#LLI~0F_
zuc)-V;KxpDKIs(AXDu@|c%7?yj0$9KHABrvo)gMc&w0UrJKG1?x9zw<JwuhNM8MjS
zr7P1(Azj-Xq&6zrAc6GP!!&*kIH`Q3S`nRZ>2XjFXrTkUj)wQ*GnHb-J~K2bY}O@5
zSNgosifo$#9f78nVJ_-C{Py9u&YJH%Yx`M83wLF{8JX{m__C+ecTEX&pH+Y8tUxE{
z4n$jj;dv-@Mj+;v(c#;i;p{-{r-*M%0c1<&rK{85;|$#>??UIJMo@%k3Nj++$5sSl
zuXpHzuvsZlBPH6;Zy~!YJOlQc#{7~A|0s???PFU4vFF+;5Qxo`HUhED$>O1HQY7>`
z)-n3UNuxJ$)@&?KH0C_GLZ_%I2lc6PDVW78M`#eQ9N_`dey5CaVyY;pJkK7N1+Rx9
zDyx+6lCsj1*|n#Q7s|iZb0RP4o+lcqb+$(n8mSa7Sxk*5v1|XI;wAs=&r6mLOY)LG
zT-u+PAS0lPsSGH~<vfO1BcblcjL{-{r>q+)JgZegA{Go{C%YVV=`*`(%=l5sl`d<7
zM0IaGW{91Wlv|ZR&3G)Ph{W0VqgcIw7b{$g7A>+?ky_+1n%<YvAiio-+UT}^pxWrB
zjfV^(V@3_t%>4$siI$d@zEwX(PUzh%RjWPx+erIbm7P|M#ORyRs?Nf;)85bgpkZF!
zw6#aNja%llPw11^I;P96=mX9{EB9;z2*Rfn2M!XUJN2mv>l9{@kOr|yYRZ5JC>Y`l
z4d8bUR06eS9}W6GYSPksNtQG0BDm4Wk{o@LE2?fu8Q4@e2g4>d&;NjrN`E&%WJl|9
zNJ7-NG+J?W%8WEsn<gW^rICuOMF0(XF}+L;wy^{n{!fURKq0vODYihSz?CeE)YJ<>
zh-eQ%70Pp4-yT?8kOVR6TOO^rF4flJKx~{qlx%W&qyj4za;|Rj6`Fi(k8Uzwn!H7t
zl)eZLSKdWKQnsxc6>R(~kXuCHmNxCxz_HlLBQmUJfPiTfBA#kb6~sO5et=?0QH4si
zAkb-6Dc!0UZfZ0h6O7K=GQ)+-XuY=*3|t^mN(XC#lA)sFT4~mfpI72FYFFu#Y4#R8
zI%ew_|2h71D#rTH`N`Pl_&xsb#jz!~yC`-0U~oNQlq{ErySzL+Ym^Lj@bCk7?b4F<
zQu8=h?X;3}<!+d(Hhb1+Zf-DZPZ>X)n~O~j>NDf74{fTOWW@jF7+<*hz<6gZQ6f!F
zuPS;}O69qVmdLf*HILt%w4yY5>P>6kA(jd5%-X!79BDI@AvxA%%J1&Xq7KQo*KGe$
z(G<yd=fI*5C1vBld6MD2fkhk+W5$0yFn)WY=vo)u0Qfg1?9V@^<tN|V|IOLc7EN0+
zZS%C}rtO@zd)oeK)#uinyZ_v-bDh(rFFeyHO)sB*>+}-SLq*eu)Rq_B;VL;p>N&@*
zXUv$Er>1vLFDRZ@Tv5Edcw_P7#V;1WTl{|U-r|m8V}^T1){Gf5E}v07<AE90j2C8X
zpV2nsjT!IGcz?#;86#%So>_94)I4SgHNMwd<nj=3l-pN(HIVDZRLu0BbLY(GXWq}h
z<mmLK?lWd-zmv+?)$kWL*ki^w_lk@ezi|lBl35E(*~)oRI9*%{BXC9cG&Njopkl7Q
z*g6G`6DsC;r%R%;kk<~g&K?WS@LVnn&|2H0WKU~pIZXE@BEp3RB!2(Ay>i(Tt(~;k
zT9yUk*+ggx7^jAN4@ZT`*~Ew$eH>%rALO)fki=eCaSfUm%#`DlC&yqlVKM`;-!pri
zO{+dttSDp(FS-2Wl>aeB`S<jv{MT+xQvO(Jf65<!`4}PU363uSC%r|MeTcV6{1?YK
z#dbEXMi8BKGPPpA5;-b<k4lHPek!m(4eYXPV^yj2Kb$F#wrG6Bzef~76`pE$HFC->
za@D~+aW$M#S&ciH==lt5IG@`-R?lsQYGh?K@$mJlwY*ByJT2K0&)OZ_r@46MF+G}1
z4W|oA@8S5P45&ld-ds*j?}}AGgFKoTZ~(wwb$|c|0O(-(9CwgKDx#!TT|sfwHxLOr
z>Z=eflo@}r$6k*X?uy?%ShdxQ)xi-CYsW+72B(@+Lp_UwH=90kHXU)C_R8VEbNTAD
zSDHRLWudiHR=YC7j6bTQmmq1%d*;WCchvuBq5oqsa-&V+9EL*wUhc9)70(GN7%_<E
zj-*9e4gtL5!+OA94YoofTzS5g1F2;-G-X%(<LoG^l=y-~i((dLJbqLt41Kegn>@Ms
z+tJD(jtrbXPTZ{B+7$c~0E)jzj*BJ7?~a0bVp)0WC?^|0Yckf>XSl=`_rs&dJu_Q<
zQ*n3*U0jWH&A|$ts0h?>3LfxI1fTfIL<?$xqBD(>beX?Pj_Ub)u+TX^Ykcnb{PE+)
zPafaMUuAHpquLq2Inko-%=q>8U3&aV`_3I-tncFIIa>OdGy<`~A0W|cR?24;gomXq
zH=^^WbEMiwPV-gsm6_W(y?a}`r=@7Qaho{55CnE=aFycg<#C5yza#!-uRvRJju9GG
zTR8r-P{w%o>a)hXYBJi-s8q(@_AKFEp+O2prT4VfveUVGutJ>99gTF}t=&>bNc!=|
z^3B2SS^m({+T8KqxW$ZryL-G@GjjZ(&^LSALKnv8caOg`bj5gQXbz7{$D5(6<Hg+~
z!#e2eiI`MY0^<$-jO9gJbK;8x&cTlAn^Z3^gk#3D$U@4h_Wdwlv3(sqqIn_AGZ7!t
zD{t`|2s)hAH?+T2i6NxjrN1Pe-m7c7vHcktp>G&K_opL8rhxprBQ^-Ls6jy3LVuQJ
zG{q-LpntJ9{;i1C^EeefV{M{q-0Bf)6MHAz!i4s!?9F$1-jiIzCm6=s#4je|!CN<d
zZR_3%YZFgQ44W^>&E5&C7eswx@|xMYdajg|@rbsH?Wfh;nl`6UYFJMVh;(Nol8zG_
z1jii>PlV<to_&tBs&xTxd8)*C^{8s<o+;GcG9@Bl-8&_m*6Pn_n+)!@O<ui_OUsnn
zi>0NTq$SQ_*M=q<n?wR9ql{OLozthW(-IsAt{eNcYOIVoM{_r0;*w!*7yjC2)Q%~-
z-Y6L$eRo@zM)AK+XvvvaFmdX{Srh%|`1qSYF*LDpVv$?;TAM?0;=eeBAHV4=QfAq=
zoki+E^Us~}sZ4MdYe1#O`j->wZO=dm7nJ{sOHa0nSopk9{%dbPaTSs15RFv*B`J;6
zNQr?YH7=#bldK|su6W5m`ty<-f=OQTbF&{W8OdpFTKZ44?~|`U&B_5lUe*NdF}dF0
zYJbfeG|)K(Vn6#U^jVfq3*VRJ6SPr2*kS#U^=AB?!$NOKj3tJ|A3qw14Ld#ll1f`!
z?{Nq<y6-4MbptmWk4E<-Y8Q$7)D5b~{z{L5H)i}M-Ux5!_S&P81<y`?@$A$YKO!S)
zcj3L~Ov0_dxjxohvsauoH}4jA&5_ZnE(+)zL&%YQ{>0{Z`k52zRD}*}xz5vCD#Wq&
zVo`<cg~HE+&hja`p4Xunlp_!L3p93N!}>MTs@eZWZn<5nLrq=7`VEyT`{%>m&Hk8h
zk-sKt-c>|LC2u78>!q|b62Gy#r8?XCtEym4TD1d>nRIx@mvlIE>m&VQ6?qnXLmF8#
zrKxTNn(8f=l6A{u*QT;wFN%Y`3``()@LdS4>er_b6DD&a<X!`J0(cEY+)~8Va=gsz
zs?3YJOy~|>;B})tC=l(@txf!|t*v5q2V(2&lIQD^s~qhU{zpsoDu0EYf3VI^A}DsA
zBnDztU&i+zZV~+Rc;c5FQ+ESA@$;4Z065!a?r&v%dEODpq`e#<F@ecoV&M^$e~2f3
z_A%iQqdSW7J3?9d=-u^3eC$^(Dd{D9qd$YgE(hj+5%Fil2Yr>~!)afMNCX=89IDhx
zN*PG2nfjwXf3bf*=Q(_IDC(P6>_5QmU%A!F6)_iKM`D?zi7WWM+}b9^lqagTK*gsW
zv8(^_p-O8R(yEeqTU1-%w=@-;l5A>?N4Hb=L)|o=ecd5*>r4g25*r8-7pg=7r}PAH
zG-H4bw;8M*THw3R@Vv@ur}c9YmDg=?6#M3fhgWK<zV124abi2Cu>Dkck0QeTUT7+O
z7hsBT!nA(-%eW8Uql%!Bq=X}xt~R5WO)3M(DD?F4FV(8@%2wZGhq1P9DI$xzsqShc
zbSe)lIy2=VrR9zI*xWM92u-LiZ(d)8y~7)P3Ur$yn9}%SRl*+{B$w+rS<g2M?I$Pe
z`DQs4z4r)-{{;u<+&3Zd^Py7<rcRzZYwAr?f5$&->d&S=Gqq_|kE5xo*NCrUR-hwl
z3iKN7w~3=Jy9Q(LLho#+;`Ze&+I#fveQ)pX`#09#Gd$4SK3A1-qlx-k`>X#wr^DYf
zn4G6+&(HRs_w@j6e~`YQBL(N^3i@g?U4eQ*_siL9>xA-Ob5dRseN-raVao};WLf4M
z(Ma9GNZUSADPD5@$$81+ikE!YpO@U6o#Z9&wDspDOHqtyfQMBor4s7`{8_A1zbOlm
z38KSO-!@i_=UMzZ!s$xPNdv>8NvydZ#WiQMiRQ1r-XVTzr{*ykm9aclimv!4Oj9K#
zANfM0<oM}b@E{Jv1Ib?bN?3_{`Qlf}rQJ#pGXATt&@Vous#nX2q+DL|CUSZF`))?s
z9d~`Dg?4Z7Ooz2aR)kx_X_fIikF*3aimemFqt3vZbXQ8AUBnVKk7_`K^P~Yi>Ejnt
zr#fOfG(+LZz@*RnA@Z`Kv6q)#<i9|y_id_6X49_huS+(?Y_UQFVz<5-uSmcbWbt=Y
zQEj)BiGOHoQDGbJSEh7-RwMmcnR01n4YdA>MC5@b39A#LZtfhyZT#W1B!q~CDR4yp
ze4|ti;mAVOTkUFJ+u{wLr%3g50V*C$V`&xf1^MuQ(hsh9;t(`62!Dw#3Bq6gh%EYY
z{JAd~mwt<Yinpj%`!z+ow*AM6n=ivPUoF_@H{Z2)0vy=7`dp!#Zf1O%Dcs@DZ!kid
zppg7uN;B@!-bAfkfya813gWl*(pR=iRs1dXFC`%nhbFud_>L1HDN~S?HQ&`XSs*zV
zaZ*Eanu28J$ss8d*5LpWRRQM%B_SBYd6{gJp~ptV-}@3w8xj9)hb+41oVdfrk=kL?
z&eV<PexAh0dlU#;UI%X78G+cp-;ICwn2lq7M=)ffDVGnlvBw>M=@{7m+`I8fU%&<2
ziSP)-^h9`QAAEUlx-54&l`h%dQb+qN^7e{z5qaH}sDazF|3~Q<Qc}Ot6$)E2jzb&&
zh!Y|`nXK4{=oXaW1+-HVl72<^4dKN2_yeE+H@y6UN$|Hf;u*)pR-IspBQs&RGyY`{
zFlTs!?<jHg`>(}|k}cukqINeXC%lDr4o;pCt;mZ1pR+}sT}8C|x@sFT_H{8vE8*ht
zp3jfJ6}JGvvCq)@rBYWaX8|)F{;d5?MzlKK))DosjBoGIUnhv0^RM{Z0vj7VGXk+k
zF=Dyn6P(Bl@gI@b6@Q@P_}GbtBS~N~tii>Cc&fL|_-ArjN&L<ONh#&NFQoE&Fn%N3
ziF~)p5x)m)$CE&63B)c2O+E3IU#JaOrS5{lQfGOA+G(-!<dpvxit>NZpYqpiNmBk0
zA&2|;NR2FY6%?kI7qE%7KrFxe)Wllx7tu&PD69YWt^FbRT7H+S{SA6<RQ$+iQQztD
zFZs=nf5z|V_<#5<h=0WInD_^uRVRXjP0KYi=@XyBox+-OTk&I`WnNA;?cF#<mcD=L
zNa6BN3@t=hpR#CSUg)Q4BmSh)Cg3s@|86ojgB8D@*{XVf7#*7Ok&+!(zoG5;9}Rk&
zmC-+h^gWG<!`9<m(jlbfBC%GA^MdRPE%v!Vo!PSQ6;)O_VxH78mdO?$(yiy>Xf?m`
z`pm`etGVb6o}(twsjs4+IAJEft4F*2@A~QuPI0uqt?w1OMfS!Y<51K7n#^8EiX86s
zYKGn+jhu{S5bvi*S+@!9v;C{g#qLr-Rip!bAiLgdD#CnIz5dE}DUAh%{Y~{^Wt6?I
z;B!GCha<BA&TTnLgc?{LE|u~!F;$KN6Mdm0c6TC~1j8-jC>Wi5Q!1I9)eh<dZ+*^r
z<*|T%Lj&``wXeM_PN1W-&erXX@6#UT=h;=CLY`~|IWURhO92pd&0$jboO8-?VG=li
zt-ZH0F)e0V-=!k@0`dIZetDy9Y==qaFDRVvMt>N0E#!#x>N9oCBKSxX^zn8#y~IGO
z{h!fv^jT1sqC!L40Uk5w#XUG`WJCj5X<k{=?vHllrf+^<Eofx}XS5VL-&@dG>UOfX
zx3kpa2oKSwZfEciYbi!U9N;A@F9(2STTHq0gg8M`d2K}Qe$G*XS|zgtrHVURS_Ws1
zmd=mdy~PpLrPyR>S80twq?fwZHn>m*i4{a{MHLiZs%}MZ6TeK|qP7w1h`0?8b};`%
zh8t(S&D3BpoBjL2aOng&%YD^B&ia#&;RNdaTySyeaPzevHrMR$vw~;)IGYdm7kLf)
zIOd)v{{c6p-46f$vAW17Un?Sg)?Dj#kJOts*;9Fd;bA`xH=KluI#G7#q|){=$Ps_r
zO#gv315(LN{{1NJJJ<|&Fs*6Tfi&uTS2ts878F?E0_U(6a=bc9NwC;$-7`yJ_z$>{
zz;SwWK(+%2ej1aa9kHKEJOK5AqVvi*k}9@Ik`f#P=|3<Bbi=_@a+CKKows8ixTRhN
zVoTXDN<WH@&{{P|xPkP~*8mA7u;5ygd95o31mObRu~BwQB!H2!in!^dtB6m2DU^TL
z`V&_X*)h>beP{8BtBBCadC3!sm%QJfm((py@{$L-`tuUHXRrXxOud!wVWu|d&*H;V
z-9nE+5aLJs^(>u^;>Ho%h1xsWV+#AIY>@TM^HpWDxJW5+C@HrVGQW9h_P?524tD+_
zX3C5ay(!zWIv{$aTZN#r5<Cwj%_g0Z0IDtqm7(Y~{rlgJl}ERO6^D15{)0S-`2+}5
zar*>h>jsS>Xo8eJXtx}*U8sR+_M@MQeM`PZ9eIpx2j$y7>t<z7>1EIJE$1oVZ|9;i
zeVC}(6ZP*c^nVDVd|c??Qy%-UyZyQ-E9-J2d``8!S_rl%@{l6i&T0ZxY_py8ee%V6
zmJ>LDDSpqC&@esKL)mh@cS?wpX-hq_<y)?9b@FM3IB_bELKWKqUmd-n`7qzYu#9D2
zy}xTL&VhK#&Sv3cGrC`3JAp|Lx`13|ohES$+SZJRa^;aw=<k{7?`jyt<Aw6Rqp+q&
zD3s_Ep(vPrI@_l~oQwSj>x;>>sDBw5;}goLY0CM=P{-<1tfRCpUX{d=5c~481=yGU
zsDvCL_q@=V@ei>?c>~o5O(Hj0-+(y=Vk2?abc(>WmG8=!r>XVhtRL}`5ZiPH+u*1?
z0YCx)3C${c1ar|&@K{|y3hf3AtAoLecIYf>Rrw2+#jGlom%htWUe4K=voWnLY@veY
z&BUQtn7a_ken(2o#}J1_vbX$rGj&LZmDQO#K{bl+!AF4Io{7YRepaPPyd%x&ZLe2x
z=4DCrv>6EgdrYwI0=igb<YTK|+3ti}d6mBuTPS-Q<>NDVhOu?2V>&w`fedUj%59g^
za@A4M&Fc^1CzZ7C&yffn;vOK<NAvn_aiO}-$1%`&`Zm@%W`wVoxDx*Eo&KXUcKUlz
zp?1p|kGG2}t6wrpZ_+W(H@<j#Vqz#=E=$6b8(+LbKi$F8Xq{h<AI?x4Q?1@JWok%+
zQjs<BjHI)1+djp4#alL)U7I~@fE5R;7jw(=f?ql-W9wd~gNYyIW_wHrb%gtbHIZml
z{{eKAsC@taO#i-+TOAwTGNltI<4F{gEvEmi*h+{7#fI3$GXJ1F`pSC62l5qVUjCku
z`3l@~vmt;b-FWNfica|f=@6ADa9Wil&MCJ>&yaT{s0`MC3spBwR7uuN<cW4PKA)R7
zGkkjA!cX&p-McrUv9P|Ph|CE6K6WZ@QyzV9cRSj%oiuC&=j7{Z|0wWm29$+})@@Q1
zC@hd!!b@&FDKB~E7NPv^Z71@Q)2E9@>T2{4U)M<0ot&3Esd&lX`}2}JJxN}2^Vc*|
z?<j!1!P}iyI|yO!OdD@JXv=<ZaHWm^9%oZ0>AGldUz()4h;Cv5_4Ah?{F%GLryv1(
ziZ~2qKzl~ZOOp+#(@Wowj`SatSP*sFm4Zh1O!fF^Syy4%p@r4s6QS!8q2<-kIsVzd
zmDS^$%U;aIpIqc=fh{kXjs&GtWxs*dHSL%I9Tj(&mNvw?%0P9dW%*@vInuKiDk~=Q
zgJLpw$4qHh0U=H3Xbv-Xu5m_pmP3UL{fF!a>m#U-O%9@6nO)%lOi^e8bKOpbO3@t|
z<&{=0?gs69TQInHVwG33k*0BUQ1h}gjC!co`io@xBX<GoVs4pN+!K<cP_t~wN(Yx)
zD|tyI58lzdu2Bog>ow=Cv|c6$l8R+QblG|#TYy4miH87N31s2aApuD6Nq~1LK50F}
zgv3*rIukVq#h5L=9Ao)D<-eS%(tE6CEi`EGciP|D=2o<z#>E6A{)Fn|fYb{GQaRPW
zsZWWk;O~a4sL%?h!Na7>LT|RF8740xbDgX$al3ahqvS(%JOp-J)t}OQWjgyGaG7LF
z11FcCUtHGRa41iAU9_Xp`f?1F2{eptj)JAk0~N4G!)3HAv~Io#Qn{Ttf*qUuhmb}_
z6=as?hldw5)p<R&Igsdrjq|<l?0paqgZzR>#VF}m1%?{I(C>&>0$%BVDxD75OihW9
zi$5h8sALXmM*qSp&9E+|Np6$5tMx7qQlu6s%aV&F(tMBF1W~?_=Y0C6z;u~A-Q_rc
z*+=s#1W70+g~0U_h6G5GwW=#?%%C%$YCYCo<|h89OsqS~t%E#>10kCqt-pioe9LBk
zPeE&%2c+&Qh|G0w+G>A9aQ^^-?D9xGLU@Pu8nBmJyZGHvb%4W+oI0B)nN2lYZe?X8
zGr+UuTaVESp3*4{_jd}8Fam958b>_f$nkOE7+r0b`3iJx^=}=+&vsz;?|V?f1_X9S
z+o1H(_jziI1YT|RzvkeBHu^g{ulpiW_CloU#Yp{@NZ|Prk5Qk-(Ue&0JbdLF?AR&W
z6)AfwQS*GFW=pi~@O3YwjWkC8hf^QHvFH)2G56DpBmQ?Ifxn6(;r$4w!25|d@L{C>
zIZludn_CPAZSIW(K9;IJjg);7ydXbWTh#wt^!=|_87ccsr0Q8JP9(&w^4X?s8BOmP
zsd!Y|hP(rXTuz5FSc*a(>BSLfo|@2%5W#)6>fk=z9Nx_l;SAa5ddN^sumQOo!bIBL
z*sd90>FdK3=8AMBec#5x<lwc&pmg(PFi3bw<H;%iQ;PEM?oaveekMuz9~{zu6|vYx
zJOvWAcpAs$#rj-BVvQ2AM4U1;<o5aIH7L*?HLc$PceKkJyxZRE<nOk1IzPc5RAH0)
zsSLy{+0RyPwNn5B7Km-s&y(jPJ$hsJcMDOR8mt!~k$=`{FyHdn>*8ApdMjdu6MPRY
z=l?h+v=Sh_u^FOk@Kl?`siGQ1j__a*`gjG;qErY0y4q2bQ7seUI7EDmlHCv@MIYl5
zmD`T1W<|f`pmzEj%}gbM(KsQmbQUMQ&nBeCB$MDc+Ep8kL^R;hZcR?eiUK;=I49_t
zQ*9JPW>s2KU7IgNQqoz*RW|!_2rl;Ru{4GmQD#13iG+dM4Tr+%OKv%>S8kI*om8&Q
z9dknCguJ?-EaF5pl(0oya@0Kc<tiT5U6f@MIDEs}&z78SEO@N5{%iJvrj^57)g!AX
zH~Y5>KUHn0dv&MFj2FRHXs#{)^07#?wv;Mk1I7koU&49m0Z~%r1xxhk%VSgBc=$fF
zbG&siW1y49vAve0an;%O=$gEe6^2LkzEXundpG&JRY<S&(t^ekBYY&<I&-H)Ya_Kp
zMQbZj(b`H>v^IBum?u-yH6iR~r}*DgcJy}LmDW<IlJc;oaP+W@C>4fIr}hb<T(=hA
zlU##$=NaKo<l6}vqKeD-$W2mBO0XAO!f@H}>OL{!S2>a&h-|vZQLq!kr20_9x?zC+
zdOrL3*1wVk$u60sdufv0@zQY<bkYQCCzvn=3J&)9Ch<3c{(jO#J1UC{zb7oQVATkr
zN0eOBggB<~8i^!C8!Udz_!BTs2~#r}wE)6?W$e31u(Ew55B`xXCrYTi;KioZtcrze
zk}pzGeLeyjCMUvP=B~QR1{YHf&W4GIniie<@`69ilFj^I5PdAT6t5U1nJqfC`Ql`H
zUhq=$I3U&(VP1sD*{R^NZi5&yQ4~&{${n6EeC?l{+{I5#NL)nmJBK-{s8G6|QKILV
zQcgYU`$ov)%b=2g-YE9qf%GPhfr7J?j_%yFJuOFcg?szy3gPhQT5B}vW_8bF?RcvQ
zf<ex&d&>Ctq5FdU>2;j~y*i<ITrgYjb5#{UqPnbqQKhbKT<~req8N5aD|2BgQEz-X
zorI|W!$M(EC;|2q3cKq5S~>VTsB9;)YZl7C?xd@TD{d9azvP7zR}p9K6^+!AZ=bk|
z*l==Q@=L`_{??zDG+&<NC3#5QeXSe2A!YlR-s+RO)mOm<>pO5g%1zH5sr0mC{hiRU
zLVw3hfA1PBaHx3YNr<}jEdA0xK_?&`Di252g?LAsenK@Ig2tI!+XuEtQYt}$2~j1^
zrUY3#V9IFyb*8^_O&&G!rqF+oy1T7kGcqRZUuxmEBZ?P;zq7e4#)3^br$#v)8GYe2
zGd=pM(x^ftqhDC=MY5K}0ukL==s!fW$#>Rl-e@OR+EwbUeJHimYH3Y+tG`>sraw3(
zAO&g7WgW7T5lAXkjkvDJtfiL@n*L5vk}GmxBiRTeFWS{y)3JHG-EE|&jnav+WRgPL
zaZ+gq0>0gkdTArOt;48PZ1iEhu>)jE(vH5gw;(Deh)rAB<9Z!ERy|w>;s%*u1leOo
z_FCi6$3X-tk553jtKJ=@K-R_yi2favvU3UDsZQ{<ObYaq&+vw-Dy<i}NkLH|Gdpj~
zx(ha=<MWmWuQ085(3(ovSQ=zvWa+I3YmM3=^X7%d77a8)Q;Qsq(9HM^j+U09A+kqc
zpHb8!*U8%Vun;F<^tnQbV*en(oGU)Z(PBTRC)y8iFPbabi~S5KL~ine*J~bD_`&9_
zk*Xfy8J+G7BOf|yI)FA_fZ{o$WT`7OuQr?QJh+s$%eJ1H;qiYNMax{FZxs!a#J{S<
z`SCYI@6{uUvfwV4wV2P;th2W=wuC);9-^o45_8!+T6ow{x$Y*H+(26;vvq`3U;Hk1
zdrLi%HGEt9Gx&P$a)ob7);t#hW+(By0>P!OV1`Rwa1~UoS-+w}1dXSdlJ9~D>dx+m
zze(V|_}Sva+?&Zxbiz*daH<cS`V{EkI4oJP3|qtZj$lHcY@MYU`Jq$jwZ6Fu5?6U8
z`d(6d)|MqBD`I#j^DQqJ()}ClXzI;hJ)vCryQXbvG?DFFOnYre#t3`pgv@qk`VWN%
z+N(|wt$n}jwh{{8>6_#Vrxi5LpX8GJ?9jl1!@kK*e4q*%mrwe<8U<bOH-_az&}5^x
zl23(qy%k2Vbq5kv?BnZ>|3)#3sBca|wBiCK_sqo${jzLnAPUosR!r8Z8Kfe{N$M<8
zXX{ir^JR+l5>U&(xS-W{!H)R?Q9j*N5UE3C^vzDTB_#-ZUl7%`M`$ym+l<b|!lP?f
zjJ{$r#W8GH!GORnVu+Si%B}s(+~cb+EsY?b<!vcjym`0GenIHiMi{(%q%6$TySoFt
zv(4Kv6^A$Zj!j&`OPWv0OSZlzl)tm;L|#%fNi<Rm(Wic0BX#e|dCAj?m;ALqFS*Z1
z@{-eD?$1l`<?}=<GKzh!u(!CvO|)ZQ9y(VngqlPa`dp_~xEGaU2cL(gO6N`{TJ%`L
zv<qli){W1Yqal+8dbGk#MJ}}KuHyN5Yd$NUKT6W2HJ!e#(3f{Ym3BMSY*d;)*ATms
z78PxS@C*ToPN#xfSi{J}da!KELnd@nhw7hkCGqnHDO0;d>HiZ-HZWeM2&*5$K?xHh
zLO-GWJ#%!JekXHQ)T%YAHbP^I&RO(OLcO6!6#M^Sh3-PjqpZ;MhAevAL^2l3aE>+a
za%C}Dz=Z^qSrRbK8T&y(UJtcqAQT~ECC*c?o99ZjZk?khfrQ0?*t(*6B3X_m$RS@8
zy>v$AE1`*6-Lq!8Q9nA$+P<f<k}4BZV`ubIM|UigP|+`^+tDvS>YO`S+|GYM$f%*w
z%W{h^%VBfmMx)MCJU1Kn#73j|GIzrrb!o+OUA3V^SYRKkVV}gMG7-*6gtKE?St9mG
zv`z6TD-`Wsx49Ez7r_j9if!xlH}yK}_L4mpZ=TpaI(xKUHt*w>K_Rk7cS<DCWSM4N
zW{-TX^uJT6o9zFjgWT2|-%=g)9vAsMqPv9h6QR>FuU&?drzGH>Ay!MBILA&T7xqlw
z=t5sU2D)*Qiem=`_<rd*lFld`)QucTH9|?rE6p4@CV8^0UtXaAd6tW+EDt-qFJFF6
zm*&a2Lvku}eI=Qcu5L=7tRjTinKfWI?w4yN<TYRcIV-JGVbGnBTn6eT{DOu?D{_k~
zWT1X61Lc!}`nkb;CFQ3o#kJaue-F!)#0<>F${OwBJ~t5>8p}n9P@k7$b!pHO8uUs9
zcCvQ__E?6397CdfP`@`FJ<W5S5<T@Bz(-I0TcgB&jn0Cvx)X>V+=^9Hb$F3UmA~(?
z$5YP;ro+@`UjZ={9MLZ8XUNI{O%rAY+;syR(q{TyM3oNU@8p_U;cggMmp0Sqy2TAK
zfuyjnDN?~6(bxq?qw|No9WUG#NsIc1nQ0N<IGX1ZBEB)SO%F$W<5@P#`f@d9En88d
zCsNWwL}8XSNwKe{x@l>sAGJP3G#+YF;d4gybRW(a2TbeYB}zi$H6bg(I8i%lj2o5+
zji5V+i3BaiwcrLLxYMxCr@(*9iGV<!14eMY)(=1pdaOJ~rPBH?;OGw1^i;2WX1auz
zJaBT#|0_lL-|J8LfAF}X{G4NV|LOfHfA|ytemiFR3K*_2f|QCKDubIy7HaBAu;$N@
zYaSQb??Eup1MQy|@ex<9A*0ndU33gg)~31{h6DqiVSNjQmV^PGu5{H|JVksn=&^TD
zAS<4b#y;&`P%l~S&aB92m@6afxn;J^S^Pbx1z1mrkaD={5dSv?IujUZqctojBzAJr
zEm}tke%VzP{?A3XeWIbBArvET%Ofyld$;b3gP4FULbBKa$`|Z%)E3OsJ8cqa+6{a4
zl`S)>_EZJ0310I<e!HuNT@}10|EiKS*_!);S$lhlLuO&jSv#Y|kX~S)?a(5%_xBS=
z(JfNzcbS%HElAAVU*{|$0EHQ^cNTpn*Jfw@duc5t4yo-`De08j9(NY?O75qf@mfkc
z<?VB7JJ0j#cegWs73pqQ$v|-#Uu?sgSJm>=vR9YAzii(!_tn#{4qY9*=83C+bM^aI
z@4b58)rYP|o}IKdR0U5|5q;v52rbTFRL`<r0}=J`ihBLyD(RHStXAK&gjkFBuKm19
z5L{Hs!U|8jSU6woK~6L@w{Pom637|7GA^Ph+47Jhe}5J4eIrbJ#*J?B<wI1#C5JC>
ztZx+b70w><NlX<p-sEbWKiSdhI~@UknX5&q_pcOaUIZp~${wn+=HFR<Rs2SI=cqQR
zSm>b^&0?1v)3%Cuxt<8|c`o@T5#47)JL1Jy<?Ayt6JbmTK)(~{|2$T3&WS}VQb#D^
zJMTv`I`l{&c14e#iiyw|v^k<Z%R)04h{bsKNe@*ZyxLVvMH$lSga5?;Zn8IHKl#e5
zhqE~}P>o8g9g$zztf07vev}d2;@?=12h?q)l>zmZSRe7H&4_qq9N)qiF*Vl3u4?JJ
zs`o0_(u}3q{2R)@mvCzs(ejdMv=40|R6a2>Uvd+4rDaN@-Fyl2xBBkba+B?8@e8o~
zNTsZX&NYkF=E#XS7%F2*?0hpmDyb`WM*>1{{ca%q3J9Td32<$h-m5xO@Gj=WpFzpC
zU1oe<q9ysX!Hj?4Og(+bZgc!neOb{8Z~Sj^Cjy>M6Ok_dvJ+oJ74`8>V*6wiFPYB9
zkJ@9=qvA|mHzS%Bz04W^iIe`2bqU);>Yd_Y4c!=;sGSilojyk>M)d`1;M)g)wl1pz
zM1@i)rT^2t(LIsU8PThzOL%prwCIN;Mx>lrEWL@+=^8B@))<ge7L$#=_%L!tz?kIs
zEd2_ONPN*O0(4b;HM1+^O}=^VNc;;2UnJi#GvLu|$SrJ$U|R0~#fIX4qKtUux>_X$
z9gD|^k1ZeAbtHDY>@u}sgm2MP6OTW8BJ|fthw3j)HDi3JqNc4rXc)`k7A6fs618Uw
z<$v&`tBCW?70O?G?8H^X<lUl?y5yP@R}nutX^j_*ks8BUC)PN<QPw4M<0sbm@X5K;
zGm1OC+n+oAq&&GU`EX)??$qkbvHNsrt1p*ZB>;go|1cV6ApjBU;2ooVa<ZQU7kt@~
ziky_J)R2n^OTIxRNZ4llF=M7EY<~*j%8pj##9Q!<wfk6=9U4&$Gz`(D*zk~@2(M<_
zLn6FV*Qx7ouZsF+Y<fTbs^WP}A2tuxXB5{7wl^FNME?nPnoDNL@j2(l{`F;i)lqn1
zJjkzV_C5nV6KO6UF<KgzPd=t1S1HIPPJTtMjfE9ng@wK>u&~0*wEJIJsBnB-68X<t
z2KH$zkDtN5ugSgbpCqw7=!h>BpYMJu1?vD>vZOviOB_UHwC-gRm9wW>2*XryoO+l9
zc&x{;<C8Ek#QR3GaRgO|oW(%~){RQK(<%__Aebl8)Rr_U?KTwuu;1M`Nxf^spPIlR
zb)GGz&cg~q<xR?qQhWGPz5*qZD^{OS@^pzUs@a!F-LzKUghZm%Hz|>5N+?mT+L3fd
zy#|6E@l8!uag`FVfK-34M^PLR0K-`URB@q6iO_`DK_U@M#af`kr4&(t+LN9nvF{RA
z-5N}vC>Cn>cx*X`1W6Ah`$*L}gJxZ^u`E1A;)(huL@Oqx0-=0U%QV;@A{CPY2)1W-
z2CCC^2eqG)1bAcbOy9KdfB=GJwGq3VLw-~%j9eh$-flL{-fqf%w_gia{Pwkm@yJdS
zlBr`+lC)Wp+DHn0Rz0jb7bdHHbVd2`$g7h6USe7s7QQzm<7+6!tRKnU8}jOTp0>eh
zAK4{OPie~*@ft{8fz?9CZn%ZJN8XhTQC-tP%11loUT;~IrqBmJ5*vV*Qih}lto_ug
z7TYiTRxhjd%W+&6a<bj(8&?{aEuOn*!raT}8kMV8gsv@Ly`pBBTyDH>#mZ|JhgOHL
z2^p8nT~s!AzRJ{+@NPFlF6w%@X?7bvF=sT*evQjOX(uu5HPia-b;#j7SasaAy2)cS
z&E6^AGl^+CP3vBj$}_3Ebm}hCdO@Y~OzIo`YJEf3x{i-bOnbw$%8_JR-Q*$XTe|#P
zrWI4=c_#H$o%*V2^{P~!NqtwRz6-NP_tfg<*+|BstRIyZd`9UgqyD^TAiwdAITG@L
zf6J@$STCGjNhtrTVH+yZa%W42XLdl4)}pA)6C00`k~lR`_Cp$>0;LYj4+Qg3T`Gp3
zVLi-Cw04;R>$J0wSUTJN@Juf!{>T|*p;H3Ekt#2GO0V^Ml{fTmAUK4|M<i-;6E(xE
zSA;wL0?L0oc02iN+uJ_$zJD5{&sbM~o5z^zajh)<wNU;WF6>YFAL&Z2OT-VguXTfV
z0>PoQk)5c)aFJvE^cucRdCcT7w?^<<>w%uJ^+0!2Dm~DmEzhL%KxlV3OrhX*ltJfJ
zwfgtdyZ!?#3Try1Y()t~Oh}YNKcO5e4Nh&$P95Q>1>jdyjbGCRi8{v{t;x1$rF9cZ
zf=E4jRGi_v&H4<SY)oVTf3MO$i4#x%4GM!;D$B~wYqTLFNNpKWLWr<J&0isabg6RI
zsp_E{$A&;+8mN(}o_hn>SzPjGeTWqiEfxYax~4+E`|$30tm3)?AcaRV;8>t3nuOIH
z0JOc<l^`8AxI}epxjL!m6nHX><OwUl<CSS5h@;7^xN%=?m9a9FiISLBk&~FVD95@F
zm?Wb#sWc8l<#n_wE1G_IWeyk_e9frNxBjTINjcc)wA*v6rNRGKIlU%6g9#<Im7;y?
zog?dPFRBMjO#&Q70*~n%DsJuWXdSx*dd&|K--!J}&JWw31%|j)?^b!Hyb`_26Ft&C
zB${q+BOpuNDRRSE>o0psQOgzAxf}i+|B=B46RZ)%vv-(biGo5cuR_B)s785y;SHOC
z!<Y47H6V$j+9d>&Rc}0!yo;Vy2~MJZ2-C;dYr8mGtJbFnc}K)n6^In-IEl*2tyX$L
zF|jkzML)6wSG$bp9`+v`UezsRRnf{;4Te(A1CEZY7Ol^Y*5t@QCwaI%AhD`roqmrj
zEPu)xMClH_(Xy<jxN{-O>1pfe{X28mJQJICOuZ%=hgs&m2#-DXy(Hhqh93)5M*Uu;
z_>piO&V|WW!n?}4V_iJ~u-!zz11^cyyE~a7_KzOB-DG+dZ7#`){W+CRTk$g;Ehho5
zEB1Yz`#5-AeZafD=YNCON$fzOM87?`4Eh@-gYN22i5{PnltC}8?@x(h-|F+ho$|ql
zQXf1!`C+6-30zo~L3i4C9y>Gj63@#>S=L2r81y8Fx$H{mL{%s3P<IxDDfXYEdVu^H
zrr%4BEa`yc>yB6(5~l3gV3<T<BXc1`X`t*pv7bwMC-2qPge-Y?yoOlhsGybixNcPf
zO38HcXHmp$;@r@8I%oHv&UZ4MqgC0-Sy^b$%Cl4*StvkN4ffP@^_iMWrP=M-Mw?e=
zrlP>2y{`8*eU86H7R!AQjIfX!OL4<aJf0oO==3L?p;?XBB|hKiPmDIhr~}!hBU{ak
z&^MwrLm_5>o^4MAcrdt_q&iQo!XiAL8eE|lcls0A?Js=20CkT0gdiDA>`~s>AvW~n
zIGg<0sBEECOvWk?n+9VZz3zO*(ds{h?_5<zw6(A_$KC|gt>9wu=I`dUlYoviH+(Vl
zFa;Vm*+Z4F`+GT@rG;aH9frJ>IYY9TP2ca<1pnq6h2g3FGIiWiQ+D{WBq~|2@HOxT
zh{ySXa_d?3BtD9TAVQAxdG?%gsV+&kgIkQ?#pzZL8G)qJ`WrVw?FUkI5|ga+OOutB
zP${n1!ceI692@xmQsKD*rBqld6;a`}5JX^g$oT?7m8%`ia}&VBmX{PPS_^7Xf}Ddx
z*TK=)!}dt3y~~>F4|3M2kl21*^U@LBHNS^a+FkQ)kng`i_puT5r(21YHgsh`B{-g)
zl<qm(4dG{CB9vjhKv$^sIr6jGQy^ugy{gn+cuiY(B29tA#r{Kevb-tAxna6ygDH`j
z(~-59rB^$6XUew*tUINbsmgjuzKt6t*kb(Bk;R+pT_RNZ-I#+i@F;3(O)sv?tsjL8
zEk0Akvyf!pFnH7&L>M&Pxy63Zno-fZT(SX-dR0G+VR6Sw6Ug=hWkPvaOV$$}2R&CV
zaHFMDdhgR|8(p29Bgxxca6I8@(&B)JV*||AIU=g4?~~1s0jdq*^F}o}k-DLp5wgrs
z9EfYm8uRczv)Gp(Dvs8<7vO=LnW)3+)Kmxm8=_*j(baD2ted2(VZ=>4JqvF82qR7a
z>nKI>5f;FlMw?&DKv=W#IIF68?&ygB6Cn-Qj@eActUBN@(B3swSH|wd!+|p-pJ$Bb
zu;z;R@qyy`eV%{Dm^BIIf42N&agDw)Unu`wu@m(fv&V>rWDd#(+s>MwjBE4)HJ&7{
z(Qg$mdAmO^`Q`2;FS&d`KVFhwzelveerI%UuIvMxi&dec)eZAc2-RWz?v2gFKKZfI
zb&Vw3h=@OiTP>8_l$*UxYry05XnhBUb?8Z#i1nWu_20m&2G>Q#Qtc_kjiEPM)*bEY
zba^C#JUVGPqtjfF+q5%lK{yT@rwUEz@ZzglEhOEgNLZvaLoZ*v4}UU%olOny;@O`L
zSTk3Nc6iTh#qli*!Xe8H^rsNrfb}@#`>uJ$-7M(;7TU>!k9;y9Liu*0XdO_EG&S%6
zNCmshL~VvO0t{&^JLHh}hvZuhK-r~IEqortiBnk$A<%~pOFFJMB9-z&AXb!n&tcUM
z4{v4CpjG_TKnL?@rtl}iU1WzPRs({Jb$8BnNjSQnaN<vzBa~)-GkzZg=@6S&6*M*b
zRmIA^$Hg2w;Ei=1iPXH$N0>V$24T%Ujcg*BF-tC@tRpmrTAg7c#P4Gg#gyki{mREl
zbz1&?>^pFx(^wbu&s1YKa^DeJU=yjiv(Wv%iPwg|J1bGv38WV%R1+*<sZSQLAKxPM
zMYz+))++iuH6NOo4>F;|Pu!zsl;U5-OY%^VJzzwSn*0+DEO7_NNGIHBsP5`%_A%jl
zGd~DTL6^!=z{KnWV@~b#sUFG_?=LuBX|8}~wkhQKha3h>hYAUUZ>xiavA+>N;_scM
z6mv(@qiu3NL9SWWQxLh-g(@FUd8g?cCJys9Nr7r<nu0C~h}BvSYFoIoXteQ%EOFz)
zoraZDY=TfE&TC*hiCRcme%66X^^uhDGx(I~g1oVQ&utm#(dY+}+@qx<#`@jLyQ#T!
zbmlAdrwh{WmV-3vdpb+`%F`9NnT3PebHszF{hLC6AAa8~<YdaW%vb6%n_kW;Ew1lw
zc)NXsWDVmI%q+?%E*(}gAZm-|EwoseyjKuOVC#mw<^`jb?JzS@e`fUWO)op8gVH4)
zWCqoqKl9DHFNmbR4Okg7>QFaYGGez$v=nOC-P|x5VZr5%J;nhCnH^|7-!r1SP5z->
z>^$EkrlXfx&Em>%D6_L6U6!G5w4XyrVs#h&(&XQ^Po3uBjlQ(eu24qC*0AHkONdqc
zNu;VX`bDCwySS#i{;cRWbEmlzy*o#%rllEd8NfdO_s(=z$kVhf%RlpQ-51e4CjUg`
zUf<PuK1MM|8P>R&Z#4KQ%s(mI3IU>ndyC5sh0;3H9bvEj()t5}nr<Wdcawjj7_I7R
zyx!HTm_3I8^d8giljG@{l91ru>@KhGE^hGF3u?lKduoSqNc2z~<<#29Y(-i`{pPBL
zZ0tmE>qb#7ZUx1q-i9|5wOQ67w4hQmTt<5n*Jm`XA@<)5(M#RYD>3c%Fppn>baIq0
z&0*GdhfigZR_u3$g_mqSDKGiMI-&f>esv-*x#(8WjZf`3k(cZ^IWKuu@shXt^OD~-
zCV9yzz5RK~Ai*aO#ID(BLI4|M4q{2WAT!bMH*^Y#uqQg#jWNY!*RN&J6-qCZ*?wk=
zm?+ZQzs0E~ky=mtX)V}TJXR(-B6B_P9eWNbxdME@(!K3prg^1@EiBB>2>bR4#xSV0
z6t13_>z?vTQ@f}5N>6PDt*g75&geGjb*&>7&y6g#t*{$SdA2aWFPQAIbkD<kCEA9m
zT#!eAyn&Ill~=Fhiia@BPSJpM1-!kuF7FmIT9=1cQmP1k&BGMKV@AJizGA*AaXPoj
z8nq^ie1)xQaXk_{8SCq4M;=VG=MQdnhH%hX77?}}vKiq|M87}<rP&u9{>Xtc+wXCd
z=0R~-Ui3iU7Uzj<ROyZV2|o;oTSn6?qap3#7tILa{<E46pq$7q>`Ih*!tX7PebA{u
zhIKit4?;=TOOz3s(q$!mcbMNeLoLXw)%$oviyQsI<e$vdFPnCbZpOg@XN?7U(1DrT
zYDPzDy76&fag_X!Zv7#CK16Ygp71At8M^`il<^M${&8yx0P5FT^eS&tLw45c5kkiT
zp1f$s=J$8hXQ;Yt<$wP-cI?6oc3Ed=!itti^Oq_wU(Sl8B+FQR0n1OKMA-GYb$#rc
zV7G(_BxP=>2*fvYYklFAtwIN@x}!(mj(_>&EvG#Jsz|Jl{xzs}?KfIWmbc}CD^u3|
zZ=xI2*8G7k%;FCbG*kRuCb>$Q1i>CptMzL;|D%rDYzdCpX2|b!2SL|biiS&`dmY&4
zF`NECoJir3n;oo?dEQ_@*E`zlTUtsCQKoEm)aDo6Wvu>=&U#T=QB<n<wxfs$^jPH`
z?TfMcOU?{swZF+(lyIy*kM%4SpJKvSiUzw%1{<~Gwb8fx_NVH-4HFt>H!Nyc(hzL8
zzrkwAyF>mx*6>_ITf+gKdK!>G`Z$K(3e$_f<7z=MG-<7~j%liG`&(VHc$}xS*#3R(
zpD~k1Tg~<~3hmLsZLo-8n#_jBvMD4xHtQ>}`(?x@PR6}MT$b_kEX^^I32wrs-ciuF
zAV(r*4COD!dIX=3_~mR%43#0|i>!a^**J}&L$ZZ^uM+mr{<*Ds5duZd|C9~#oEFTU
zf3H!G#Q$n{z}kmjojp0MbHL14$v%w!p_}7Jv8)r7?5p@e7LV54i_m56inBnF=-TRB
zo<5!MtvaA#b#?txqUX1UX0mmV@E(=bhpgh;(SS!!51MG+oYu|ci^AOrHk?f)TX8f~
zO7P3Un^ssse7(suX1wZ6l}*gwx0o`~nLggw#a%)<>V`GXHTw`7jO1?FEG_$_qo<>z
z810;;Vjs`kM&C^}8*5zzknsi<$95f#pKXf8TvvBgcuDKYDgW;j<$tq3<^RK&B;`MZ
zVWp35JpZr&h&Ygq8-b~U-R?{qEpsh`+7}H;r!`|aT~O6YAGkuNq8n{okc4jiVX|1i
z!0MvAPe$dCwPKC#K!<c-{L^0DKhHR$r^6Vj*s7z#<NbXJJzOrmjaK;^+^0TvDWIkL
z^pjo%<v)7A){`&OVQsyL0LKukoS}30MQZ}AV!ry7z$*R})Y%*R_;9<6o+XyiTVJTO
zsj)wI$`~erS9?L@-|UtC&hW-oA6D@<4?6^bI!yivO|9vIsBZM3R+3n+giwnTd*z=S
z*S>$$<8!qSLi)2GJKxIpab&D(y8kFRQQ}yez$b@uxPVWrA1FL%C3Y!Y*cChPi?s=Q
zH>}eGv7*j+mP13aA1w;Q^K?&2S{wJt#yMl)80H6O-Tms(_)4OkDR{T*oTUn0xKtA2
z!vb)b8&D>11L_U)T^U<LuFBY}9i9H89@)wYZ&Zw?>NXG>dvas_Q9<d5OtVS}rfIjZ
zRJVXDU{Z2au*BmS7DVA9NE&<RaNO0yj&4@iS_k8f-P;xa;wW>I6ax3{(|57WN8%qG
zZ9y}OFE7;XyYTXD@ZL7zy>B#a8=Z$TS)53`u`%69`t3Jk=gyP3yXtG-{VM+BqY5sa
zD^_|azN`o8GEc=z6h4A^y?urZlEhth4`W5>QMaDlB$8qKytpHNnW{$t|3XK+6quy!
zC~>z*+OgZl$Vv#B7_=&(bV{^H?yhciu~SxDd)V&!AOsTE4BR$w$WU4nPQLfzEQ|`o
zm(7mhn;S*j(7mBz%!cJ-H*(_}x6@Z>;QqKmj6e7k2YNPCjNh=lNWGjeC9%^t5u504
znUUb(?!&DF_xEhM?6T*dc%t3C<%uVrzwEMUk@RVD$o<Q%QZ~%ieF)KnxPP=rD(o%K
z6U~>axomgtLb=t}05Zsgn}J&qc2oHzS$OEPLI?|!bo*yrK8iBI*Bw^*Wm288IB(Bn
z?*W7Bk|-OAsve1ik<<#g*>pX)Y4)e^v!v|<&6rB4&%`AvJ>mXTPLzl}35rsE>BBKu
zYipPJM`CCI9$YILfEbp{vqiZVtCk=oYC9;{&}+R3u+;NNEA@aCKV-CeDW~KjoU9Yx
zPcdK9d_75j(e+@HMM-!&^|lgEK*=(H(NavkfScYldq1r$))z08XC&PFO%WOhvWgd*
zI`wfpzSU};7?@#-?|9^Z7^hDI;n<qEi>fI$xRqks-orOXD5>j6c=rPnZ8V(TH2Z)y
z(c=7Bbf*BsGrznv{sMm7McN~aaw54EIXDL2Cr?Xws>%_{|LRFs5lzR0@=rPU#8t$C
ze9=fv#LoG3jno?_=Oxc6Uh+nNUh?8wNnY~z&-(Kcu=rtt_;w(!%fZ9C5^R42J5lbs
zoQD_XMER&<_aQTUUU6=x87_W!2}xBXb(!Ju#kt*PxZvU2Nvb2M#|#fI&h0hBLms}9
zq;(`2aLwXeCwqAkZo=<5ys-(W8NIRHy>{J?95N$RY*+h87f;=$UE?D?JoTD(WsexH
z2sQnMo$wMZ2g5ECz@MGz_a^tlWA$rZe=9*iFcU-r*=b{BTNIv;*1zwPtQnc?=$zT?
z-xBeAIByX0f?l%|@4D!^7t*8mznC7mU`u4t^NDA-rdzdiN%Iw3rm@~(mbyi*3Gaq1
zW!DQ?%Epe|DcUNxQGW$X28s3}YhOG&nqPbY6&xNh-D)=qs*rJ83pQ3d$8~0IANSd`
zNZPc>rOxJBPTq78Fu@spYuwh%wsD=!;ht%ctZ9)72m*Rx4@>j#wjEX8O<N1hk<q_w
zV#h+&zD@r9XwkBbjsC2&v0|@(PC{dt@$Eo!C?OybplAJbg2?~@`DLRwnz3vnQq_S7
zAj{k?iC(a_Bw>V!q_oD#)r0Qg`2=DO2TUC&NlmS;i^A`;U)M6_gGgCNah1EivU&X$
z9CDHSHv10>@X-oqWc_b?BM&@_ZmpMG)1qn9aPBK6kufJZl*NZ!Na2Q0+K077(L|Wh
zJL#Q!U+mpc)lm>hXS+A+_6}B*9fTE2lpVmEcrzbeuyKL6aht?AdS`Ee$yR*U8M0+r
zg2tg7?JS7avdXcxE3({EZp}j-4``}0b{S1CK8M9SJxct4@^<>OIATi~y*o9%LZ_8{
zoPfxRepMBGP-rUwde%!)C-*`(U?1vN*=ykaVrojN^)kt++p0j>C)z>!UOZwzI8hN&
z1yc6OYB(2ZH`S2NUOg&UU|O3*&!=JoSbydAI32wPv=k=LV|~iU_d#=w_p0qsle~!u
z6-%u+MRdt7+**$Bklqx}Cr?`2JKhl%HOPl<iB8QiWiEEl;5&e#^0?IPjcpd!ed?kL
zt$InSVDx4$v4Pm{Wv5Bsk`+A?T;%Eid{}cZ<-U>iv|&0PTVxtBu78?j@<pa&{2iuo
z1J~j@)7a0oj`Z(v?U-R2tGI^On8uA<zki`=d~P_6Cl^3`c}~03VXWgiywPE#asBl?
zr?H0XWfwV(dal{GIt(`IJNENFo$CS88@QG(HH})XmoIc0ja-+la&l;t>3AaOq;}J>
zr^aDqa2-dxbzBeCo2uT2E^`=zcy>^a)Hlip98S}*2yKRxUlni|gSiH%ZvfZF$e+XY
z;ChEKgzJ`Sr;*8Z2KC;>bqV=T;d+ekbURGPTKZu<&-W}bjk~!%!t(~MZNf|5hVoy)
zXUm`Vt<ioqc-R=m)XJxX@?W*#L|$^mO`?%H3uD38dC7a!coOTz?-eh3y+1G6ach#7
zI0yCTC6}-t30RjbH&x$VHQzKg^87mKQLaBGJ&SAgRZjKIACTV6^Mi9;jFHpGyAzKX
zp7ST0MmBx%>q1lY<rCz)hx82kO#1TMT%|AL*PF)u4ySQNWu_{(<}Ro4BhoKk;WW<R
zdeu1U<a#xIc`Ef!xIIhd+cU;Aen7go2@K<U#bVPK&b5cJKa=a3=bDDa)knJ{fa6De
z#|WNBuXh@wxSlu6G=50>0^Xm-)dW{hC;eOCl(hRPW0^<#yrHJ?Q?3!<IEVBn`L2;%
zjkOMABG*so{CuvLQ2rtE-FLI8+JEybx5Ayl<eSX<8w=bDXWsg@X`ID#`c<a!2-kMz
zz@wCVl=srF!%2UXYs6z3|3~@*qfFy$o_|We6mh+Se)vDGQy7QGxHi$A!1Y_6f6n#u
zTTEjNSLaPmV-nZ%=-;tipJlF&<9e>wVa(wA|8e&|;7t`-|M*SQLZK}wLJ>tY{1xSo
zK&Up9YD=5aDuqCy0r^uxn~>Jh*7V+9*adA(qhv!AciCOtEv~ibi!1vst0JiUDd192
zRuO!m3X7<Sx0}9Nk)>5D`F+mJO`1^b@B6;b?|Ht@^D9j5oquO$&YU@O=FFM78v)ON
zXFi_O@O%ukJp<1X4z2JPJom$&hUf2xX$2bVPZnu~Nq9CR{9ZhdBHu35uM__J;6HGa
zR@i}OT}G6Ug6E@i;77dpK$P$%o_lRkf)U}L)I<qy!T)r&R(K8mmt0!mbvz%gjbi0L
ziuxwQ|10F*iFB!`59Ryw&01FPe`acg`{5TcHfQ3wZmd>F#q;0jFRH)Y9wlVqnTCEg
z;W_&bt*{?(?swC$1J8I|%i<3W*RuG{_eS9=5v}F~>XU<K;arWd2+vo*8_al)M*rsG
zY01(Ei}Ab}@Qwmri$fzk2>+)QQNnyYZ||=a9>DVy@H87wEAX-u>9)*@5%z+&w9V79
za$by$5%$4<{ywcR2k8c3yVZiH0X(J<&uZ|J6?jfJX#^|s9|AqhgMW5rjBpV7J_CI(
zf&bN6T44d6Q$Y6%@jM6oF2gg|q!msh-zKCh#Iqc{mfDjJe73+p4$qJAJf9OKe1_*y
zJU_?tQ;ZLS`ykRU#q-OVS_W?(;vI-zT7@UV?}Yy$_+PVWg)i{jx<D(~5dQt0TEUKy
z8Tx}v^726e%77X=UTepOh~4|1J?@OogM=Mt?3noMh9ma4CLYjYhX7_bylam;!2>?A
zcYKZvAO2|99<t+@k^RFj;y$*gp47Q+L;mk5<Ax-`9(OdDU$^yOqW8;XnB?pzJMbu?
z*8a=haoqnU%6GLz!Q=>s04~LySR2=YyTDEe9iQMt1)qNn6x_F?g@w{?*_?R8x5(eO
z<BaP=q2puhl_~!fg?)D%1O4#oho5Sj2c1I%l7INsho|Bm>63a&9_5Tq{h(^NvPc_u
zV$Be!NLhXkvT!-C8A6$?_9)`~9Ve)AkdXdYc%r%FV-ROAoPRgt{Kq0W|GWAi=YKIP
zlJj4Kd6!=kM7`^f=Km(<|DxfTcYULAox_ELLEO8VHLg=a80zne`k$fx4h=)Szl3z_
z|2q=>ze0-jxDA0wF|6s+H2<Tfvmp_SA#usu+3^Krb9`Xcd$^-jRWuxacGSr`3cBd~
zB^_UAvVRzecYMFZd*Inor-R{NVW03_!wKvWXqW#mXinFlf~$<o5B&`6&w{WcA$If*
zCkl37_+;YRxSHyKrsGrecgH!5)uHfeJC1jp#5aad&^g4D0w0gcc%gC(4d&fK&DCSr
z^d-Bd;K+t23LZYDF(P?YVTMTvz*-BN;yB58NgjZq{Jk8@K;ZOG+@ZJwaR<elu?IGS
zcIgH`@uBxnM+e%U-PzIc#3yl0tv73)I0;|t4H~E;M!Bvck@rBy6>P&E>bUa6yZDL|
z68&4i+abK;G7Rr2Z?p0*SghivIXWTv#eMq%fs+?IPGOaI@(XOqpKS789n~54sb~3B
zLo;?;P9B2)$2i(CHGGPqy5oN^Ag~kXDUpkIeR0Ba`Q^AXQewxqw8Qd4$G1;h!j`Xp
zN$Q8rIGC?tY0*CZJHM_2A11owz0~o=_|9RMs`>@yT+;qH=-a9esv6Ss)Yt*-PTd}!
zx?N3;i(v{bdFOon#lW}G0)NNJli!?tf7H3S9}VAm-}inR*Tks;H<O-N^MKUv*Z7!i
z*54A>r1!rfB|LuV@sA!qUvnU~|CKd&WoVlQomexDKSuD!&HOQlKjQf#hCL2pv7nhB
zr4e3L=bR?t$fhANLZUE81I@TlP*QBG&}UYxu5{X}s!A%#g;*gkU!QL+uhQq+oF#V1
zXMKbcgwjec%KX^aVA=}jbODixSgd3Um0AdNW+)%}L2fi7bu}#(%#Q^V1F(MVJjq&C
zBCciGCLmisOnhLj<~mdZ*+w9n#Iq5c8IVNcv9W~JhPh_!1Gcq#c4R_ts<t_y37&%l
zLy%w%a@3lk;aUZW>t;yfYdHww{Aa=We|{D5+Ck#{T4&Ey#EPM$k-Bwc&sD_v-sh4x
z*<A8o<XrN>k>FfHdk^8e8+JMaf@QBD%oX0mqN-L4eZToJYW-~1`bX5(XIVw7em>5G
zP`hWdc0U?yw;e&$?i$|i2WH+?Wh(+sgeYN(FaS{T&s;MX$E<6yrl6oG6o{ZqYk83k
zc7(OUXcp`Q01B=sA8RjJB{^-ACQYK)X)G2JGwX<ql@*f6Vm3g;yc6Jlp~je<w(1g_
zeDA#i8iT|_vG7>1L3;!oaYc{)Qi}x)wQ!G+fq;Gj7Qp}u3V02I;R;X_Ry;&Ff-qFW
zVYq@Y2v7WvXc#K38-#X9wStguD=*gPW#;N}RHmeS6;bnQYk6@GN}h^Jyakd0t~kl`
z6~<#35W*3`5wH&7fk7;lRge*6U*sLvJqpw!K+1iE!Qm0}ZB<g4i14Wh-v>tvHr5`s
z?!iamoC^JXTT%DGyE$7bE8{d?r60GjJQ!swzGDQV{OS5JQhyZ8M{4;hbiyS4xG`nL
zW5(RU^RX29CBLxYrA*S_#eT<)p#=RxAV!X<O6adIsnT2Z<rU=<tE9@x3a4l*)@Kyt
z0(Hf<BJ_IXUq95<<aAazC*82HysFYxRAMhd1{({y2|*zk)r_6kE1avX;-sNjAc!Ix
zl~pB{pmCLD*0ty$f`Ud=TAcvmuvv?3&Pj3kYs-sNh(pwT)-op|*Xm2k^-`5>l0MT~
zDS|BZ#T=|`twIY#ctu+g8ZhaOPy!sFvN@?-iZ3az60K!rD67(0QE79Qt(|nE*;-~3
zMVr0|C5XhF)VA=$R#Zq8(1@%>6;3ChPtuvK7_3teQVk|ntoo;h{39`J*r?&)&^8Qh
z5tZo9^0P_0p$yF~v#zSrcjpckcTIn=&d^UWOiBtzzFjIWqQ*=bFjo@w6?Xk<+v*DE
z+DSKc_ro<Py&;!3Cy3JAtVz0HkOM=g%r+@0=w}$xmrJWxqPuPaMXZ$UcAFD)1Z-KW
zttDmFl}JA-j}@vf0zS%0ibPN$(2khZ-5qsn?p<^B*5YECa=H_S`f*5BUdDBT$L5v;
zp-!n%?2fz+@YF2c`$g7r>V2nFj!pt=Ky$3lV*P4R_yoPv_OMif;`OF-w6h4bLE%Bd
zAIOj15iiLqsj4iaxr9_02f-7_U3=y$>h)P~5$7+v6v_GjtCDg4n*=Amup7bot!rZ~
zR%ba%7~xx7A?a6J*XnH`Hi??3FQ!5f0%B!D2^9<?u__g#$Y!kq>Ei6575Eh$He@fC
z?C^kaoz(GbD<r3$kHwW0)M~LpUu6S5+x1oqrpjVWCB^#U&@k!lzDPm~`HpF(2?hCu
z1*ZA=xpU_f=FZ8UE9{N_hU~PUB&0b;2tDtEN`?L?l$dDv-!dfRTsj*^8*|I;FdxrF
z*yL%GjgzODrcv6lnBR!aS<BbX!5|XyN{XBnRTXv-+{p=E#YPy?O%wD2LCLaJ6*)^P
ziSonJa=`}Z(_2c)i!0<Reb(&RP{zfuJOv<JN<U@Nlw>MXk7<FCSGl!}6^gLcRSbiZ
zip$ENR2eJGwym<3WmZ(Kb(XAh!00LTs()D@S;tBGDMsVeiTI%gjRx$w$WsE?RNr!H
z)HU!YK&=L%E5=FBYuenS9Z=xK1k(na5o*V1z%8&kL&zPBX={NK!dw~0TEFNE(Ns3m
zu@>|u9XVQwqUSu&Q#yLcK|0nOAP%ZJ))7Gq@_V3mn+fRTdTMQ#Jwgx{ztI!o!-*ts
zCEU>yVn(kJm!Bbsix&5UxNZg2F{*D*h*`ZteDoWFc#o+k#K&T(j$L<!AdU>SdRDIx
zKORpI&&BqH=vzc}{5GK{#0PqXc&URRzB8jI#NP;1NB=!NA<pR);#&&{V%MiVAwFlO
zI-XDJ32|Pp5bsn7;>OuMAvShW9Y49RC&c_-A#Tefhy%Xr32__U9Cz+iH}!;iW&zZK
zKTnTce;|l&J=+uFYwXU4cQ1tMI4aoJOL~R)$IS$B*z-LhzR6Bq{Cz-Ah|7D0SUi>>
z<`3uz@f~J+`(|5Dh%0-AxUY;Lb~g8f_%7Rre|<<#h{e4^{O64X@snG6Li{hb8?)_l
zPl&5}g*Zhdi0-DI5Kn)LzHWO7#waT93H8iFy+WLxKoHm8eqD$I6NQ(udP1xSgLv(X
zFHD>DHbJa-7!dUYHRmrKd!DqO{uVR7p(asqy58UriE@^&8b69S?v2<sc@V6T+%*sd
zVfN}Qf|wh+VO>b-c=Nxf99sLBW8#}NxX<c|jtGcJQ>WgoXS^L!7^H#KkPAfHq=f!d
z5^Y5MJmufspGw+vX9yc_3Q1H7N_!fkv)`;aA#98ZQvSEtI>|x3$@Spv(~ZpxzpJhb
zacE+{-#r%z(VUTAz-u}ZDsoJw%=N&DeYJ_<WG~<{EUP$q8nxX|IQe972qz1H<uOyI
z-UE>iG8D;fW-Bxr)i!+|L_7VsDaNT2rrez}Vaf!<)CqSdPnbI8o;y@*SxS1tR^eW%
zgGIikZTo?(L%>$wS=}RMEU>kZ@IU1t+PI+A`gO3C?)i!!PRs~F+?(-n*SY(Cpu{_(
z0)f{c6-7nIyspt|V^lgHOL5UreCD1G==Z}<t_RL$2m(RhH6e(zjE_6^e*7Ej3Y75U
z^Eaeya_!^LqoZQ`Q+<KAu_&o8)q8bCZ<zRxp#(Xxd!+Mv{|M+-U?S=3jiFw?J&1{c
z*m_%ldXnowH`y2eNf3``g)qS>k>hq~V&5UpL_(ZzS}<QfXYK-%IU|ei!r(Nt9A*3p
z;K}vC$GX+oR7UPgL42q*bO<!`A<@v7M<QtG_9@Ae^>Zt2B%JGK=FZ8OznCo!^bne@
zBz2c#JxEJNk}bokq91p6%H5Mw^efkjwyGdym7!)ozxVL|G^*JbbAvTgd&){ZMLcB5
z-y&<4_uwW0>Ji9vu$qAUwHr_ROJ~2m|0swaaNAo0gxCB1W5jOF?0<|{;J^YIYqM2Y
zs_NC%(n?!!!IU*OpRb7$68eu;LASY=?A>-D`Rky2$Upt-m*IcNzfgTTzJ8m<Py2c$
z3ore8KYKo;##gZC{E{LE!T7lvn@wPc8m;i<A5Y<p|D6|fnmA40{=ypg|IEW)B;6V8
zy@gH8uVL>PBQZi0bA%`MmyRU{JkA8RBB^1XM1)ZW%Fo~U3w|e8gO13z1E4*j;2tk4
z1__YcfBx^tP~JC-P^aUR3}t0e2mZ|8B+<5pc;QkRKU6PjYp4-;$DdvhR!kyN#QU~e
z@v{l84;+k>!~fC+p=pw{%2|X!)`lH;p#kz3T-aYas_5*0+O!B^Z{umh^F2Iquu*sz
zPYe#BPuyvf7tgWq{|?U<JR7mPqbGsA7tgowY{v5)JcECjl#0t%8K$x&RDO<W_H6at
zk~=5gJa_KwNm=s?gv_~lnG1q3SacORMV28Wt02RitLEU>->9BB3$T`(MC-X(S-}K!
zg^n5>EdKv@&)U)s`TepEx$LEX%YXg-zvUk;Uy&a_e?>OR9Yirg#rMnEvpMdNT+-)|
z+<~XAs7d}j{*e616HW4jH=E>#V-Lw)|IsAR`el=RX2>D=yM}{u<KiayPDhh$D{hiM
z_BP2Y?M?EH>zm|UYm@xQCr$DK;eh<0=74<jZ<^%uOPW|2AKr9PmVbLu?l<-;dG$RP
z<pog}<t6<t$}f-jQXUAmxC!yMUX;JhyeK!{by0rnwhMB!{(_uP@|C<ougHgoUy#qj
z|H*q_%A;0Xly4e+QLZ0#Q9e5IqI}Q9FXgxq7iG<DU&_z@!7o?bdr^+M@1p#`&<k=#
z&PBO&$CvV&85eO?<wdz**G0MF(3kRS`!CA5Z(o#?vM$Q6d~;DgHUxFq`=$I9V8uT7
z*t$CwUX<@{cx+wfl#6ml`<L>F&I|JQ#TVtgzkVst`_~0IZ|y}n17(~-UAMpyKKnlQ
zhjq)w{(7B$^l#TyR6ff_*t(-e`PbP-Ir*?r9s#HPE=6Aca*A9u&M5DK|L~hBGR>q9
z_s;o~(~0xXiRApN`UN@vq`XMZ|FvU=y!5*i`PO2i{JSEfJX1Gau03y*Uz}x>|DdGE
zXXO<6g8@eQyPs0zuS<;bp0g=(<!GZk@QoDtt@n)bXM0lQ^K*>2uf-_;TVs^X2ur+b
zlry?gWXC?EoLQG5KQ`Ma_gkAHPbe_Tr6-N@R|it$W~7_8WV-y``$l>5=hNk5Lyhvh
zW}|%8iE<92oK&NH#+o9xM5oF-;Qj??{5(ZI^jV608qcI(rpUK^ZIq=^MtR?Eqg=2v
zMScx+dU#EWeC2N`@{H9f^5?%#k>lP0_WpCaeBdpkynU}xZa4(D)F`*0tecJ)<+~fF
zvmWWQvTxP0`F*QaF6ztnO<p}Tq55j<gzEU4CRPueHKBU@=<(J6xH`UiYQG89$Hnp0
zO9JD;%LSop#vXa;U-!sfxUKv4$^-ZAm1Vp)eDszqmhF*0Kk=5l@Tt9WQUASi2EyC!
z*)Koy-CJ^>|J(y2-z%@n-Y-9S<t_Q|a1)C5$g6~X^3zC9u<7q|CD`H5`~_z*Oajma
zfwA8N$5#D<@Gr~;Fq2}>V0LWQ!Adpg<IgeJOrgIyLM04x%7r3qpA}<Ut{mH5S$JB7
zGKApN5B@|<8#IgD2~(ut`+VD~k}8PBW?OkiWu+iMGYb8C@uVWhYUH*sNX394V^gL=
zr~*tZvG8~OIGQW2A4j>amxprLVcIhrwJ$`9D*Ub#oG9xd7{-(nIE3b*9Zs}@+BF})
zt6)q+Ex9&sHuBh6Ok|#!fG6T#1q>>$&9eZZXgL0=gkL}!b)u{iV9ka%9+rc5E3nE#
z1jN~eY=jgcWDcII@uWYykPlxqd_D12g3?P+QaMVYzkK+ua1#78@kV9Yk&jBJ+LSPS
zQ+q|EEkVtA8C13zei5ZRuvJ!$dQn}dx5|XI1e(=v9w1ZSQ%VY@e3{H&iTqALD?(fq
z9My@(&qW^by0O9h4p!5A<R<JBOlpS{P^h<fejdJ%)r>Gkbtq@Gr}Vi<&+A3<2TyB3
zY<Qniy15K0Q2@tNcs)(1cM+geA|K(N($HT%+CsfAvs&6<h?NJpMSw(<%j1@!$A}he
z$W47pf3wkU!bUMd^uQADr3%!X<D9ok&mibQf0;;C1sK$B8fWAqXhaVq@Q?noK+gq;
zF(DO|Pn=%@=f4y!Fn7&rBsTiO`*#!Pzd#yBwxZ=Sf7#y{=f`T~{S%R#->H_AulDLf
z)FA_PAiUm%5uT5-7r?m9%>49A;bykpA`WmT^IO#L4E8hu2ShRSM`MoK7lcWiWi|d4
zqr6oZr4F>V3}w>awQ<=jXEAU^crH_MBZToCTBig8%0fZY2B!y%R&X{FTj@zSRPek_
zed59X^!QD{HZA=P&|_x-uI3Md<~W?gQ6xIcCRG$cHqM-#pPRMxml;_zQ&J{p+&wWX
zB|CfKlqs3n6OD#@?wL4waz@7F$%dKtWK5Z|erYcD94m@o(}1l(!&Cyz{-}OyBtf$d
zj@~ozw7}&A6Z|ipZNC*X={G?|g}n3gv+{rX;fa<*w>_8s`>*D`o_*ksHz+*Ffh&tw
zMwD<-QoRk^{zK5Xn+m+iA0-MnFK7;&YS_+#*t=^C#S5-66ecV`bd3JI0hkrd!&Q8y
zE^}#ugVqksF&B^k*Jfy%W7_Z*5AcDc7J#(7)^|;j^t-7C8jmBYu?0WPF+1?v=XtCy
zae<)VzjgOJ{d&gtr}*PguQwi}j343WXjm2KO1MDs&}V?sB>fG7ra_NaZ(e*y%dn<V
zG3Q?vaC_4DBlB={pH3YFQ{IA<%W#}NtSR%nrg)c<U!beQb=rbU8K<k;hXzdiEq=st
zIXd@k2qqYgS$J^}#sM^tlmbwV<F*N!)~iVAO(uW7C6HXdNzlBV$@1jyr_}gfLu}ww
zAo+PjlnO|~y;~!_+rqsKL*er#5GYnejyNPojLVURcoQg{e}FfEvitjZ6A0?O(trb|
z`)WyrOZ*jHDbXm!O5=Q{PIDk>8mh+LsNR#|2}oT5sgpHh0=(Y#f<V$ZyrfZm#lC4;
zJfu4v>jt65{R7EMQAPp2ZYAOF$oTM-aV(`6ZD{h}#8b!f)GXa-Kr}R^<9?CEFob(e
zu^_k^h$|Ix%#OE#JhgXDxjOL)30x!zokS>%VSZOw!186p0oV2}``*K3U)mc8<A4u`
zv>x{kj^uy`qpzu;;fmp?f2`g0y<Y5t-+ofG`-*rg-bUhl)KT{p-R1+{Z-Lo#G{f$V
zwY!f>CzjJoSdR2`|9>xwfLz-a55zXm*v(gQVDXr`eD2Fv0|B$o-ANC}j<Cjpa(7aw
z<7il*7iSk|`DP($IP$z(DB<{)OuCmtN=zLd{X5*PADfyc;3*o3G<TpMeeNzKD}5A|
zPek`N492jryKJ~o;+?_nCUKz8NAb8^&k={A4UXW=>+&!dh08q*<`QMv0{SA0iZdJ`
zy$ww5;4NV&EbvOWD$?#90K{0lSG|YDQNYY}hRdb+ya^Fy80x-Ay(&h{n&oXSTpo!q
zS6iaX)+yxUe#YcPHq=)D;ocUXsU6?uy&Qq7BqAwq-eqs{QoI<NQuEq%o11VeDR@t*
zCLef4ThbOG&Kx+60RUra77;k5`n6$xP~A<)L~%(Akj2%h!H6<-NpTcoW)T2_;bcZE
z;SE;;Ce6mX$J7}}%E61F$!O|iHHeA?ER+u51mA4x0y%(HQq2J)+GXnkZ|N#cQj4Z)
z(&fUuH~@^93?%4&+hoS2!)hoSABVfCg8>7HHi1Ov;gSM1Sp(%H-sn0XYcAE7MggWb
z4HtqFHW=>=MGh;~@&XH&FA4QBWBcAb+=G&cYorSOH`u)c?Vd#ZYMZqm*xe_@Arz9D
zwCO)Vb)SO(;xS@w^y6Dt{@aldsX7cN?A{?rDt+TR5RK770My*lw_p^7%MQke5s_>C
zV4R3fzL1F761NJ2`JD20;#*w-d@Cn#O55zq5^&W?dLZdMQh3`@9PZjfDtt+24o$Pt
z&;V|qW}Q@wb{60h)k$ZO)Q=<-MPR50DG~?m8SxDcE5EjFb8xg0@g$w)y;Nj4YB-Vl
z*oLQRba{WZ5l?SF*TGoV59v+?d|;$Gki3Zvv@#mF&FC6+thwGv^!X^z?lR(PQwKIF
z!RBTl?Ytm)Q(b@wj5*~42wLG2o~vzeenB94FlHQ%6q-{K;q#c<ff>e8iJ4$n5U-D5
zBZf2i`HsEaL~<(ikjK=ftJ{wt3u@O+80<{_QCGJeAvB0go#T(B=5^`Zzea#@cqPOl
zoJN+qe9^PeJ}Nel6c7G^k6?mwC-W4N1Nnl9FvYNR4o#wv$mE1TQX9%~bw)|)yd7XN
z2g53b%-+0q?U8wrGXQSH5p}3PCIRC7>wD+?DU9=zO+gsvmqS{QzPd=xADU+ZQd=NN
zLH&AAeQn!Es3has_!ycuZ*V>?JOZXwxxu2VdmePc1cxW^!UP9h-G3twgoi&OM7Qf;
zjyNJmOqfV3c%7S4;cE;SnMrlLzgw#jR9ftFPXpbW_tEma0I@ZQ4TYA1-`5bfk}ji`
zYSKVbEIPrPMjT{usnEC?qc3t&J#9E@OrYTESejn7^ZXk?ZJRft1CyV@FNz_eV{C*J
ztm<5R8q*O~#<30XK_Tmq27Rp-OO;!L5IjUYT6ZF2sMeJT!4%bQ2_%)_H9^p01Te3I
zVpv^$?g`XVpBs0}M^1UCY09I}@G0+f`v0gpf2M)A85Iu-FZ2D0+#eKA9)=h*8nwX{
zI(c2_apg5=!y@Gri+6pzp$TT@)$?gO)9o5i`~5eVaK&l0-v=P_iGymtzlt3aQI9)U
z&dnACj04;cpY9(Ce>MD^p=$j%lt%dzT!E<Sel?Fo?U%Hr+C|I3>cWLknk(XQ3ynqS
zTjQVTT?h$D0&k`1Q;fHJ`p=x1ogK)Fm)czG<Avo?-}~?1{R<?uyG9C;JhQg#7AWeu
zgyCJ57^KoU)B-eUuxDrc_kn<}4u_^du`#;3sq6(ZZxgzZ%e-Sjwgr&O8A*g>UPy>c
z;w8zn^&UiDPtpaurbH3aE-R5jLIQ6nBqZ~yAx!Me;d1Z)sl=;hZQY87q<$w&_PH;h
zg`ij_^l}gC&ZOR*3Zeo#DFK3*<l6!g?v{MHJgakC04zfKMJi4%>A1)QZI`bj2J77V
zP_`hQ$?^Wb*FGBi(oaCTn}ln~dU!WGqA95j5*8}50VqR-xfGy#@)PvL+c}u7^VP%{
z<O4}S;QZPUurNMQiW@F94y3IKC5uKf404aVjdk+Vh_v{8)Z_CQ1NQkY(>uz-QBVMU
z#BSV6vEuRoLn8peXI8qp@Y#62`k?OqKU{sVrIAV|YL$Stu0+toPO4BKsT1#^5tniQ
zwIi;!EfI93ipL}v8_pP-?4B)zG2;Any>ose<NWtWa{hH(>w%q41@nh$8BhDsx4&5n
z^!WB(0r2l$F<i+u4v$7#?XPeKg@J+yad3WqP+AL|rXHwACd@^<@d$EC3SN)y<NzAR
z0m^=1JEVgs9N)-`?f7`u(b~@h%=NlmM_oq^K!5URr12zABZ-#H|9tvaUhcq`Hah!w
z+*Gz_IK}JSBSWCYzK*kCYW`7doRC0IGBH~qD%-Jp4+hlNd${!{*6p0mIR3q9=Rsm`
z*I-fXPsg~$Gek4gKLtS_1E{QEuy~lxO=5$C+5@to#5}x_fHbT@JMwu$Jju@>q&a2}
zem_Djn`1WOEggbFbIdz<%ek4}j^J$vi+vq$_6-|^#vOQJxOJ}tjWn~igA6dwsRGyV
zFhMDhJPk$ihVzNbHHOfHTj5-L32RZ1j#ZXE75WvDU$F#0?Rn)JXu;k%6fpdUyLAAr
zHa%7tNrN#c912YvcaW?&ln={9gc`1-9tJ&%edyNWz;Q^K7Dc>7Y=*?hSmn!MgncR2
zBPp%4e9JGuIEY6^vt!0^;CFXi4dy@~a2sHH)3(xYi@(sd{(@N=R8Zj1AUfEn=MmX(
z3)+-=Sk(FQ&eL$MM;PEw@|n(qdRho$>U!uI9y6H5ByEO|ziq->0q!k7UjX?YSvM;&
z-vGVI8zBjBF*x;{*can-BN8q#N@!aFnzj&9jZ%2cioLe&2-GlaT-seP((({;Ip&kn
z`+$?hfn=h1Lz8dsRm6PvN`d_quvErhq?>r8&%Fs8#c?+%*{m!BEAZpm>ZH*~<8!BU
z0*&zL;q!L7Fy==3+{F~Qk9Z_VbHfkBlg1(&`sfxU^A9SBjO&j$B&0$hC$RK^q~mB9
z>#m<&_Ocak;c_v_cg>oYvEo4T1hh+q3Tj}rWkm#W-$qr2q<+-I39Xx;YTH%>IT<E%
zEMJM4T_I++lbBfq>#@J0+qFL46-f8|mIzq))c2Udb#-U(>k1_4o_ZgUbaiw+4nD%8
zdrD;9IQ-7l)pY_xc;G0xFjwq9SDb2SYF&=LGA0u*V{C%42kE8)J_z^#e{>{~tIj<+
zl+>FxnYE8<*FCh^*ldmo4%P7C+dZVahk0=5zfB#-*@P6Aukw!5{&>c{R4xKR$wB<6
zkw$MLu@0=`&|~0X23&itaxY@S#QA^KJLjLyIDc*==YMQ*aHsRJHzPTJKsi2waZ7!0
zhULgP9mXAEl&>+qIcsZu5Peagbb-o<*UyH}JDhk3uO@F6!<x!uM8xsd5p(05@I2#$
zK@@SM7AJ0i@{}46gyF55I}&=GqX{V=airvX(`ujrEl{Waf>LeIsUH&(3T~uyDgu>P
zNAaG1CI&aLFbE!2^VTOQfW0a)Xed6JNXif;7JBm5hw$!AYeK<qKMz>`37i$D#bFK;
z2c-3*N8hw~Jfwq);3qVZhS-x#>f(H2H{w6M$z6#+Li$ViIgg*fDaR&ypNu4dQ>{3B
zFSx$xBc{$3$GN_V)zx)C6q>7ZKMDE+Kcq#oI=!;7*xEvp67F1_A4nqp*vdW!rMz?>
zYP%OvuE5Q@r|dwYt`5id0eOh7?lNFtZ2X2E;&Q;A3fRG+y8=M?L=UK{I>y@)IBhNn
zS3aIbRl-z{r@>B`Rw!vHvV)KpQB~5YYL3Gr&@MK*2wV;0vYRoaXqXK{3M{!0rp#;u
zu1T>L<nZwT!<JB2Fu)xGBa(Rh0(l?^TI|CTNn>x0xf!oD2%@F8@CpkW%7UP2M>QI0
z#%TQ;fY^=66ff!=^iW(dT5f$7;cAJ}lVPRM`3VnGDcC*9RKj)PzXSOG=P&^71t?rw
zAe0VUG9J2u4u)zhA_n3G2>$R#CRcAFw%C$-PFFV)X}xShcN_=9Dt&Oj9!SV<c0Z4<
zn1PP*xVPfXvv)gnP0|W98q*uhjX?Jk042YprJ#|rG`n9%iVO^6&(7VHW9J_B+r)nH
zZD52PVZX=lYj1WR$3xJ2c7DVHTkwmSj&V3D8aO|OHql^y6!i)u*P#sW@C`^1IEhK7
z7!`p!<f=F+kh~62fg}e)N^v{pWKNZyG#*SMyVtz~ARAe&lQ&T6ldX3EYDnWYh77G@
zqBYQLEB``oV0hes1z$4L<!x?iq^JL80!^x*K=K0iOQIc@aCl15%(Qf=hZ{#DMjTX-
zkLx;7cP6Lu#X~r8V<kpJnvaDzJ}E?M%q)1Jb70=q`v@bd2ti|^0O3dzM%Tt<Do0nh
z9EC)b)mnmS*5^LY@Th{Q1Llm$v;!mFLpmzFc$hbkv>j1icN<cVcVD19Ubn(L41luc
zD-4JqKnme$3|Ckx;`~qb&iPXr=g*1c{2Meu&YwK-8qSYOP`TM=UOnXj6knkHM=Lbq
zF}&Wq#;uq#z;GO$kOna^p$+Ie;x-KkcLg%U>RQN};5ScB!mLmmAYJk!gK@(po}#ff
zK)Pg|`v%1M+-IrPJ~j*@v~rBI@!^rm5{a_{Nf!uR3AC++t59Q8V~7l-y9x>{^IG#U
zyh@{j%tfI(Ikr;$!j=$F)F7N|5J|0ZB8^0okX9A<46sSSaHT+b^gEi)#Pn;Ylzp+-
zFMvR%E+*M@BE=RcD{h9?D!vrx`s;8aVyO?GPzu9020?ZrDnP0O+<!?MT`1x<zS<?Y
zQ0`D5iOosRAfe&_9WpI!C4A8ShigUV&4ZX3@4AZbvc*2Adjc2QfWPkoJ*HmLJwf_4
zNJ&IFhjVgtbu?wT6s>5@5pRP6V<{Wgd=R}3(5UZyeC+zCU{^8`cM;GdO1dLB4AfLN
zd6Rb_ec+Ue`+jWj5Q{e806nRQpaM5s8Gl&plOyKlNUfo1BuGG~b^E2krO}Ih(bc$l
z-<8)Dz@7l9WJ{wQ(QGQ9@ex2W(-3oka^wQ!;YKVeFuTOG{sr|0l9Jj{2fvT2v*))S
zK&bbyOG!kD;sBS@PghqCyfL+*;fj&1B*l^5v~9>$5IBwh4)7c>HqKGjfupqk3M7dc
ze#5uO2OWAq*@n6hAygxTSm7-QEFc0~8peP~>jB*Lz6RqX$D6#BAx=doG(O$Dvvoh#
z2B@i&D5f{eAnHEsO-Lu&j!k`ESJ!}8j>kyd@3j+f>zYtP2jzAUsBlg9X$G8wPCX#~
z&67+iJjs-}HI*{2AM8CmkvONWE*V$_<@^gCmlCb3`v@=aKa0mi+6&gzJwmS+8KvPm
zB4MHe`#fFUjd)E>-T+BP=e|M&Xd3LziT7eh@W9tm9miegHLi=Ax_28zD9t^|Om&{9
z&N0bsjyZ+vFb*V&6CwlAIZMEZ__R$o0|fYVa;o()aF8np^rB4bP_d6EnIPv!PFq1T
zjFexLej$j*MzB%arb0al?iRMsdM&0=nWsUROIrJ|veR{SKY{JL#*mmHw0?_sPMdsx
z<#}{`>p291p0HYl&psxgwd0;{Nt2CrrK1ICiV*1jip1XL14<$i>g;JT;Fd2T4cJB!
z*a30=KlIM|XE4q`E0Xj3UJi18Peml>R~`hrYxS~v$I=$jpTJF9e+j=UZ349kBZ{hI
z8ccPf;ZO)Kq-=dV)%+}5pfGuF7Kfqy8|Z1B-VFe3K^&1r$#r$35S*6IUWd}FnY|{k
zoP*7d8$dve=`p-rK}}NAh~-PO0ffp=6JoGenx=`7rn}O{Ax0zVnq%k%BrCMOgB-mo
zMOt4#3K$yD2A8q|@;!;6Pf}RxA20~I7pk}x*OX{3rB6~aO$OGviDV%WnlWJPL12<-
z7mjVX!3RdwOLA9RJnduBE_Abr7N~e!2CEUo(ZRhbW;+rB0Zv6MrVngIqQw|s0N*<?
zb%xDar~@W~q1r11lWDP~q2dUiX{g!aGhsLLI*?)^A>q;!Dbai2Kx@=@FX9V@pJ~6_
zO8d*<TYRpz$y65yPNZo_C0+wnE31vpJqehG_5$*p;~B(aS4(*psDoC3g4U@)yI9a<
z3Ua7HTM?vtBW4=H%#H<W;8Q#>nFY>J1AoB-?`DCc)j%5$yoUuQs)1%6n8E_vlX!KA
zouMEj3p}m{j^%;VS>PTua3Bv%Wr5GAfn6BbT-bKhs6nkPh~!a+s0N*4K_uBZR;WRT
zSWq!okYkz}L=v!L2EaRRQ9}+=2rc{^vEgZG`RBMim^a`#28hgp9B0*_RV;{%gd9z3
z&;k}jHb9PTYET9XB8wo$Mm1;>3reASmZ?F*5acr*$BKf)fM(P22_V8i(r$1k2qih#
z@N+CsleV*w+3uL3`p?7fHC-NWYBM|ZYS=Lr);S)g2aaepY&Xk?z2Rt3P2^^6G1Hgf
z3-h!IgQX%87y`IxKf#yx{JheoBy1zdXR5yr^@&=~`uc#h&675oaLVbgUfIG*+uq2C
zl2c&4vVjHeXk=u`X|P_YLSQ3NrS1*W>p?24SC%691tLrY?}TcSQCGc!`UPGf(nRnZ
zW(TLldSwy?6LBJVm)XH-v0k~6f{8p4yxZ*H)L5?w6ift);5W?<PLK6UE11p;M4||O
z%k1D3S+AU+U?NfkzioDKnygpeX7~I5sdvtw#yEd=B<KIlyddZQ)5npVA6#6|X|oOO
zRSC5I1sV*>B~+udSf&4Zg>gug^y}G*PWdHLuoap`rT==xfgp=Y`t^-8G?aw|XIvwV
ziQPo>uwmk4U#~pHqIMJEBb1YVy|Naef#fjKuU7`LAR>KcDW}qZz4ATOpMhj%1INY%
z9|ZNvXDpls0W*+OM?$@F6yf_o=`{r^IoC7WIpuE%FHkAIzHuq4syxSnIDywUE}|eW
z3*z)$-?)H+)*#5Dj;i`bGX>cYWL#fg*hm9zIT>fv^D#i`&?s0whL44L(0}5-WLzxR
z7Za;^yEl0chM;a&6O4;6HgvnRvu0(QGXtmWWMHG?$)rz7++K3@5bda5>7KA^+ZKQ^
z2RArrpEMpY>|V^4BQZC;Cnnj`ZpTLn*ph>`sVAc>|9HcRY;R|_|3*7T;LWu^kb<)6
z2D?X-k%666=w*=~Q_yF2*9d67NEPjKlTHGLKBuvvCMD%7uO^UAGb~W-i!n^<XxeVT
zx0IJC{idMdkt-N9eIMO2<d}?F`|mRZ3}?L2dyj7-F&zdHlbICIMCHv1q#jt`AJ^AU
z^ex40njcd%Ggm>#`Wv-Ze9?D@j9uJKXtVUHKgxTkhqVID_%)yy5@F~pRslXT7hxnL
z!-^zn8r8eyL%&3(d&QRhR3mR+#B|rlt4oKK$Q0kS>_>BPh4uKB+CbgYFk)@-CKFCe
z#|4sCAeXA$BX2QziO^w2x(M%fuV8N^dm!{-;Sy%r1uM$*8<8p=KeWs#X6q{dXWbnP
z^T7XCJ33Gl?LQa--otN}0g`8Zm+~~ai=>=!z_z+G)*M5U9sDTh2&(K@gtUD9+{gvG
zcPLa4eiBOC`7F`M_EwU}P{DP0K!H*MOxlepy1HY4V%|p^Nd-z3in6?2gAmfDc++U5
ztm<R2@&diEHM7oL$4X8?Y)+17#NxDcN`ZKXOQ{xb2_)YF1O?Y;G(Rbq&q9l3>hk9V
zl4m2%|2gD)dVW%BfJ#MwZSub(IqemK5Qf02ltegQhbGj4RlvoT`T-G}Fe@-<3zR<&
zfPfvf2%}8wTiRz4OsUuq3mWoq%U*_A;I$68QVrCUWbk$au#1n79qv=0EPyxxl>3Jx
z**YXsk`Pb0C+kMnVSJ@#DpGjc?Z$htML|e_Y^iFBNF7w5;&D8(rKcO$cS-jH$0YM7
z$i1Bn&bx&;f9X(g{@aNAckq+EAO820cj9n1I3{}!=ls~+9Tz+s{KrkbLG+v<h!eYS
z_XwRfF8dqZO7X=bJt6)T5PLaqdoP=vuCcv;=6g0f!S?<)p3v-6K=sts{R0RxE3^%5
zccqNv`>pBeh7<l_WNs=Bul*r_6je!fPyE94t%7DIB4Jt?Yft?^`lsD9g9Ub*1n_-<
zYxOtx!+L|$;b>Bl40S0p@NH3Ly4bgY2+=>Nfze!i10%VZ1|ql8$=Ev#(=91EXP~J7
z>2hky1VcpMiTF6TKdLlJiNP@dV%ChRBH17rOhGe5I|3M*Wq{4B4==zE2J2gz8O8Qc
z5D0G|xe^H|ko#HmMvxiz+Fiw&xKVfcl1NKYu#I1(-w5NZ4H-8YnwCXa97D>tl->aW
za5B*%+t(%AoEXicz&y+;u*pIrIH~|Paj*fyJES%;on%1@wh|G9fkwh4)-uFUJkkX$
zZemf<W>ZV<G<vjSTS)M%|H!lctY`gsXqb`7-qBJxtf`|Vd^)Uc+lGXE2IGS*?J|dt
zrH|t*8tRd@drUh5rwwOP4>dA1Lmh1yIGPX_IE}D6@K~tdq0qquw+WfaoNu?T?n{Ie
zD1J=N#Qjf`!sia&UT+#TvAfm4vm*-4&u?TJ>(h=MfL+i?dhkFJaYf^BdS~oVSLXwy
z)I+*DH=f32@lt|9iySJW3Lzf0-O(IFdqpq|#<mje19^t?J)yIBSAIMJebe|Wfk1vi
zKJ*qOL+s<KOOi04abmwDfPfo+fbA5*EZTM!HSr!#J?Tjz7U@aa${KzZb14~M)EHwZ
zySUOALlDIW4NawSi+y_+foXsDN&|uOCQu5GTSO4PQ=dTTJnnVyHBgxz_Zk-AG1d6o
zl+8T9nLYVZp@oWPMVD%@^R$M%X?6JZnd;PKMc}m8v?)IzZFe=*m+Cl|gH^yrRr{Ym
ztSKM*|Mmd%|C7zwUD^sfI|N!=vc{n^Y2mM{!>#6mYKH63ptCuoVNJ*^Bo<(()nq~3
z&|}0P3+WH}_6yWBbsy0(XEW-<)rwxz^W#m=ltwqw83?bbe!OWjRFUaWMRFTaSKc<v
zGh2P8t=A|dG5FY?gyRUxRFyTSjKgU;DC&d!n>GtDFkmB0D;Rk2Ahn3P!4r^nUuPeu
zqlIn!SlC_;-(CTZb~keUU>zFeF}?0H?SWx31CWD|fb=?hr&uPwQ+&`8N}OPEoXJun
zSh59_B~0O{?&7c_&@L(|xOqeB=iOxafR4l$ZD!g%!)d3C+Y!UI=kKBBH*#wU+Hs`W
z>F>RB{`(l`r+X&CEKi?n2(C+Na9mHdKVqDpn?@*ieg?9G)pFSUsA}kvHlTt5X@@ca
z))1});<|x1>p?%>PR0Lk8h<c28BW3eQQqb^HzP(l$;10M$51$NDpwlID8@mCvnZdz
z!pPfcQGUWR^^kZojB$1D|3<QqS=PqeNr+9voDCb7DQwGIOoA0uVz7pUjaC_;?Z(@5
zb)-VHFmor1(ul(I)eUM$Mi|OM4f=t^qo7bEt>F_983AXP8ZaBsOcOE7O#3eqY@&2^
zBzr-^k!Gkcqg9wqDoiHi_;0l+uYw7w*gX3wGBJY`B%=8yC<H+OAv{==b70dB+Kg9T
zL*pFj^!75|)Nwv!F_=jI{bZW(-78+x_Qj1G@M>t<Pg}F!z2Y<NfOR#N)H~2PK1P~j
zDDfirJxO(V10%#QtuUHnDAPC=6OA__yd9wHaJ}m(ZrB_eZ=lNv^(oF3M5<3uVUBGj
zeNeZ^j9DbneWiLh43c4QmT%X+Vb&PV{3^w8((W0Uk&&K0NAi>S9j?^F$%=f#8RN2{
zIH&=DPok2w>*L9G%(D!(K+x1-!o!@Mh0cQ_u`3^Zo2=%^yq?54nBu4YC=T<@(u7tQ
zGzoP|@ue`SPe(2+ER2*9_T`Zo+f%=TU7Zhl6adEJ3h8Gcy|<lwY{}z2%$7AFO&uhC
zV;bW_bBt-U<V3}2>s5piwKDMoNF`$(4)m_0jDEViCUDAPi9j~I;mmD$AwN(SJXs-T
z8Dj{%7>DJf-mLrr0`noYEHk<xJZ~VGN`y2+MTRNTPla!XF%-v&1M-!hKIRkV%RsaW
z(ZY7`@=HOQGzXB0ELl?V!G!Ps;++OCr(=tv`6otKene5%&<>axc5gV($^k|(z+*TI
zQv=&EAncx@!88iI;Ej~Q0ns@`gM}(byjI2{X$68MiEY04Y=5HbhoulAf0!-~NPWM$
ze{QaB*Fe_~lOzSl8zzZETum`)Gz#Q+NAys188@L~tH5s3t!<+Vhq$T?&`a^z+%5;S
z@mOk;ei97djD|2>0TW=M>~#n?5K?9%+}%_<Sscc>M=*oRM`>Z{ABu%jk9F2Z$1&LR
zx|S<1j3iDMe)0=PEDG2rmAWSy?UC9Gi1Q!oo%5$N&Yu~{`M2f<IsdyLk8sW}agmuZ
z$R@TG8qOlIIAl#V98DwJ6WwnQs65P**Cy#PiP2)p4B}9^Cf57;Xc8>HJ^|iTV}TfD
zDA1RW#VL)GZW|Zu4HkqQ1R;|bvTVGptD`G2fo>uZ3Q5$}-GdNj5rsW5KWc)<ALt<s
zg<T;Ie`*~^o~Bxmy%8V6*sB1W(~5&28lZdFwrBf(0pg55&d>ybnfQwV=6(gx%t(oB
z_$LvEF-q;&2s|f_OFb-&E}g=fxFMp6l^Er0R-gf72!yh;(wUadzXpv3EMB=N$MNpU
zou=gYuiOS58;kcv4+C4moW?58;$iZM6hA?D_D_z4bSw<g^>UM`h-8bLwd0j?bU;Ly
zil|Ot*p<M_HA<IBcXpW{JTXdb<ipPRB0>q1#l#rpZ>TdC>PxWqjL$}?Ko%ec>l<_@
znJRD=!VFtgTM#K;83CTdGkBOiAUD89d1~=$vB83Jm;#cm2bkzVi@6PKs5)veNF9k7
z#Y)>Kb+~#=7rg6ZJ$swbOnlgE3mM*cw$Mg^XA3jM*}@EUwvZ)G1GSd)XnicLr%_v<
zuM(kT*t#9a@b279xptCnE%lHTXHg7L477d|gDL4MQm5-&NAYglvIz;WKE^xW`h?{?
z(16(_3m-Y(OIAQwUeL)l6-he)oLd-y6B@DdD2+yuud`4}9oV^*ewkUie~^#a7<t?j
z1EX^?IPx-}L2zLmm-?fGb#OPT0y_x}j0{`vNBuB|diIiu5}gt1M5SNFSkmq4o5l{1
z%t&MBM@Fa7@eyfBvzzdR1VXc$?3I9P!F%pQe=F$>(Fq<F?_qKNi>|9t)#GX&joL4b
zY<6!8Wh6Ay=)&O=p0f2BKrFB*Ylfpb3<8iah?hWRu@XMuX}WHqGz5%Rd4mwh(?PDn
zTM)E&3)xX&u4K?8m@^dwm>rfmu#?h2ut#^`!+mNxv$-^m(<Ps+1E<I=Bw_+%0bv$)
zr*N)3YgiQ4GTpP7$4!Jp>ZJ*&7{|0~RKur69Bxz2LqrbmkW!ojVRkox<djVzR>|fD
zWz2hIl|%iT+9~#hoVWtj263pB4V)sAjaHYIoi=;sncnnAPmUtaf5*U(Mk=H~dKkCW
z={`AkxTpT;Pk`8q{wRaZB{L)El9#^?&LtTiM$RR~l{cW9aztB>IMB0&2*|?*U28jp
z#9m1Rq@;VCHZ|?F_kHuW&P_HNL|HobPQ3Z%YCS%p;qmQ!Y_|Rhq1VtOQ4#NNz_=Rl
z-`ZPz;Hu7T1&jxHj@E^ESEn40oA`%oFO392%(i=Vb~<Gx#rWhX{}8-i4M++3zPVBJ
z%*s_PGyJo>9lrQsIJOzFzsm<KCpZ7-d=Mrv6;7p4H(!TLy{urbkKrw0C}@Rx-+wRK
zamZ^^Fx|4DeH}UCv7^NJD0O(L9G=g|$m@GCK_xF9%r*e$dyk}kT0PKv(rz?LG4^JS
zUdYI}U-}lRyhTv!rKdyfH%S^Be4Q-~3%<_9nJ`z%tY&6#h_N8R6lCuXG|;%0hKP7$
zfEh<}w(e!ahKql!31O!oRCe{^Nzh6f$(h`?fIwnJ)<YiTCJ0edZukiEFuR0q{PY-R
zD~~`+&K9aTr_?>TTHi-0JTs*6zr&-7zs#`L$l4>0xkk`M$_Or@QJ_Z=3}-U)Ee_i2
zawHLJP{n9$+NeTc7Y4Q^Y+%!o876A88zX}6ok$hlGVdY(U8R$ev`3SkY9=nj<(;tE
zfY#0zl-!$e)5vyk+sGXtwpWp;+tml_prk!03KA}S@Ia1*I*FudC>}eZNLm)}J_E^1
zS_*Y3=|ykJ^v`?X0Xhb4_iDu$duktle|svl_qXD=Q%a^7e7#yqgf!KC7}r0HLg4bR
zbMjW~m%1!g`ZLyM!M&sKs~K2b<MEklCgXcscs+Tg<HIVAc^?}UGhsg`V81Q3kCaR&
z^uww!3Kfip1q&)G-GoWma=ohbpEXO}>wANqq?{auL)bWT9=T8*4c#slQg-7|&oafc
ztWCmqr(54chX>bDw3K9K9N{a!APuYlmh($*G6ZH>%pTL(kkV=a!c&{2exCJho@MQr
zut9QryQz_#kUlRasQigmyR6)KDAzb##G+5Ef>hZReoFOJe)x?H)Tg*Sq0^IxQ_Wqp
zig=-S&OeiJe!8(WOn>y(XM>!7;Tw^h-#^;5z7w`*Sg2nR&4E1nptaN)c_l>N1!&Vz
zS6}>Gtg|8K<M=i>C^08*i~EeY*MB2V;KdnoDV7d*D_P*mSQki8VbcQ9eMZW?5<@2G
zdY$_Ph9HuAys9Oex0BhGLl+g(KswsebY{N>O(NI|U!j<lm)`*^2%PfUQO5XBKl~Bc
z<|L-YI)acGzJA79e|?*nWFb@gfYjY#q-9hqA`R)u5N<qx+0LX84`WA|uDQCv)s~Xa
zExeh|oePi$z8(xqJr4x%lVHsqeBMC6iMVq?8Qz3SN9qgUCB1Wy(O5cKEW?_D#|JuE
zJSK&9wA=Z`1W{a}nA(i7BHd<Oe_6!M3D@Wlpzt`^+76ID(-8<ggg~4LCw@e`zqA$u
z&9<R)(s9>Ls93NdQfI2#=7983Kss*0Vk(v?6ndzbQGr;9t5g=%!g*~i{3}Y^g1nF)
z*oNF`Mi^;kXeSi?5LBRY<J~q3los@gZl4hXe4XY2z}8@Eh?rQj&f*0l7)Pl=uxKWW
zQ28>Y#&Bm!@dlcRuwPI6?3BlA>Ou!}&lq9aSu)<{$lDG8K!p;vDk8-S=lW#D%d4A4
zW*cIP&(soucCYEec+*+4*K~e7VifBhn008BJ^SzoTK6)8c1Q<3Hr`!rw?KK|zpoU_
zZLAV6pw`hS4;By88d9)t$B*+}2s_S)Lwl5JGg9$4I<yC4UL+RZq!R-4wj5W8MDC`6
z?X3VhU<emm8jE37+TYTsY(dLTl|E=`yujbeEsf{-TZN_ZEPt!CG`8@!hb@gCvA4p;
z<9J@9lyS8!@Fvmjjr#;$Q`3Z6S>ApWt3&A)du_rFMASq(o~Kp+sS(4;%Tq&fnzY!r
zemk~as4uXE#qO7KeE{LT*|eQ)4Xy8NHZ{d->hM`EsQhtjh}N@kx6ia4XgI=<C8fg*
zP$S0TH%giYOThJeTxqnQBuEeguUok3^+rnIHSKPsO4CIiup40uSE5`_7qNhj8661a
zB<UJM??TvxQuF8{sGOVv+~?2+(sU{Fbah0dxY$8l$}e?r)0ramrl-<d3*RPFA1q;R
zXGBQ@5F426!7fK|9Wu|V{c$pJ{ug^)MGSwPIRCRXJy#Ly*e>+R^`TY79l?F=mwTT}
zGTB^`9yyon%m~gU(+@?=C3gUAk9^_~@Bv$OfmV7eYYpgpN$ZQ$=>Oe)Qm)Qh*R67O
zj(BvX<CdYoRq!sU&}n-A1L2oSQSuZ@Zs5tG=vul7Jysp>{|E5BFP-o`4x$EerW*99
z>o8D!l@69Y@>S40KU}#u8k|hsX$2Ri5o0*R7lt@u;$a7dvprkrM2Kh01@^1p7dLDG
zc5nfi)Ctex#k3?zeNR_M%ku^YYUQ5>L4B;4>*6Ptz2{2Kuyc=_cM?4BbnU0uv0o-U
z2a5EyBSg2W-z?8`-00vPPBNc#fCocaI#%cYJ)i~wvD9{NKYMDduI_tGX!g_`Y=?Zq
z-(aUcjlcE5t|5Ozx)0DvNY`IiM+_2g@wz%v>f>#IuC9*WP+RFf-$q`&fxcg8Y6DbZ
z&)znwoi71Z@LnxpVcH+Ozok%nbM$&@!C1jFu(gdBmMBgE&>O_@_#G?`$L|mkc2zk;
zMF^)kH|yN*Af4e#>s~xcqn5YsWZvx7zu@U;c^ch$(zl0KLgyQ-;l@}VR-De~LLxIu
z<sa`j|C`<u7qG;X%6qt^iQ1w);EOg<g~3l|;Ao7O9X!IlC9Px@6htuVFaw!ejF%?(
z6TQr@+m+~x-|t&@|M7HaTzH2GOksr2V}pw?UM!tz*aK#%ZN_1q%Ro+#t5GP>thOz1
z5}%yxt36WtJ=JUd1YEs<*m>UfOOCRN9`QxzsTJ)4HK^w`11Gh8J$+q&q2i<bYh7${
z23<Jil?E}Jw%}=YI^OJuOh8)(Xl)pf{|{=w2t0_c5Iwq&>fEuYN#SzCQGNhyi8oRE
zq1`olAvHy)JwQ!!HAUBc9}8l7<a4qH9EZK@ke1z*MjTp@(rXg_h8J}fNun91W(<Y=
z7))_1?bgmf+aT<)U(Uu!t?xP#I0PQR&Ya>bJ+OzhQv#a;+6_&(F-1EM2RU`SvZH*_
z*`)&B`rrjPN~feeTk<x%L*si&y#kTlcjyjCxAj^q7EPF3BIb;I3)D}v_}EXjIToc1
zTSl}oi%Pa`!>EHK&}oKp2^%f2AfJg?2q4||c(}17fg*+@0$KbrzoxGfXC_#NfgD^v
zEXha&qPb*y@0>r2asK-vIsaR&LC${;({R{c#2x;VKid`gn9J_wSPR{qMRh%d9wi0n
z&!fu!xVL$EVQ>=WSBIJ6C(?EJ;?x}RR@^+p?hJH59$o?QH;}xB_R^Rkf#2L5Lvjz&
z3d&S$%tE39&cN`GK(tdwL?fk#?Gh2czdzG#DF1!~qpuYElSsM-WWruZ;=?2sX%94y
zuXBCTZyY!u?W>_#oGmZe0*`h&%*p_41E6pEHXOr<_YZ6!scL-8WYlYX%n`iXjl+rL
z`9)kFQ@lmIWj_VbQA<oun7H0SDprNr=r<&feI7M_fV%f>dWA6)^b}Or8HjHn`E7hm
z6MplxF_iV$@du&YGIiqlVdsZ|@gP-7AJ6AL2Gf<6_yPtKNwEM*?~y>gX$)!_gF1eF
zPY6H^lVZcq+~KYVXnnh_lMH7t(#RAD^C!;OLNV{zvYq`lvEM!HcL)1@hkl1s=Xr*6
zNsILJ1<DK<{_JZ<qd>)*(OMk+!|#4#78b_q^KtCV3_UOMWBVI%7RLLbIDkfr1wKzm
zB7s)-*BD_Fq<|Y2@1ujkzP)6Y|J{qvzBw6;spETWKC6{Hj&Ser8svj+kzkwz86`9M
zH<`)9EFI2EA_c|l2KNahzfQku%o@b()}uAv&V9!a{^E--mPWnkWwCT)g@|}kD-?j&
z4=;wt#|knBPQpId{W{9j)g8s&7p1L3G=&n<bak&Gl(a0BEK>@?%#gFo;G-oK&a5N;
zin{{geIzH8b$AI@iU5I?Iq)b=gsp;auYy<@CiE;jkID|u*Ij|Bh{DwyRIr+Wl}iWJ
z(IT%q2QgkB#e0(o1KJ~A_iXqMoYywafWLuO595!+K<%U_fkuTViHP>mKAz$9^d>RN
zOCmgLlg1H%gD_hnLZl@0Y#5DDZxXFO##0=PGm4`p8*TX5G3zaD@&w9%ij2T$<WVAe
z@^LsmhBCmm2_uZgv8c(x8`&V^4VxKH-VSPZ99q`ht69LD7bXb0jZb2Zid6cr6S**B
za1({=>f(_XxMo|T2qf}`)fIBFiP+~J2a*dd9|wcegcOgo+Q@hKZA4Nuagq9y*6g@*
z6ESEm4G&%2D}cqp;7mLn<QNR*<8g1qn`aAMHR9Q_nf*S)^hbZ~o%5R*=f5|S^EW*m
z<ov(9JCgI$SR*?PT$q9~f^?8%27cU4k0$U<Xm5M#n;52sCMcSzCTS!A`S#Z1{gqc<
z@v^>urGfg~<EFqcMrOEzy*CP?9`d-Kr`HR34KmPV>Mze08sDBRjE%Ur;a%*b@lje_
zW5BvGcKiWsO(7t#lRALwje-gb=&9Hpb64Kci~XA!1Bnu%unA5~Nav<=<?b`OCoka{
zNM==M7tTQl*o00gM(5HUsB|wQzlaWp57jjy%^-ZJm%^m-Mob4Z)<o0*?SAEz1{wtg
z&29?dowkNmE`?!F_v9!b&BtQRP{boD!8{Jc<YPzzBWG>FP%FSTA<Gz#@^Ek5e`3M|
zV;HA`Ig5(BUZfN_A74iaW2hCxBc4N)*GDMv#b=Cfaivj{1rH0+)%8JATsU*axP_R9
zcxz8464*%`igOa<7J?(jW4nZfDJb5^`UJ)ZDmUa+dNdxhA||aA5RSLqxP^#9Txw)Y
zpQjX4aCZap`?C#ax+R2-n}S1u+x$aeO|%yT)H)wk!C4K~?8q{L<xfMLBI2lWxT>BP
zEJb?{`?aM%EuxbcIES$q<2EF6GU)?$AT)=Cl$NGgmjcx}%<}sx@tB?b@yc;}#3-5V
zWM{w)5NN={+{)j_%mk5Zv?R4{qk}UgwC$u3S2m$`bP*{mW~t+@Ugaw<*VUiIM_pID
zaP?p1a@W-#@f?6BoBcT=ad+u*th_fdsyPdsf--}KF9nDY!c1Pg2{}L}OtgHIP!))n
zBqYV`rUMG4lg+r{k;~4+d=%#nREsQL(!p;c5mVbnS97b=J->1dd*2Q)Hbc{!ThR#L
z-coqzf;9Up+1{&s>c-h#T3H?zW9?}Pf*57E;&Tt>wWj$!^*e9!Q1q@iDL76;qtxdn
z*kb?E5rvKg&<OZrO9vJ@%y`3Lpi+#FaRdg}@-T2PEX0h2oduE!DE3HrY-to?NHD+!
zq5E?HLhNth@BvFr8}d7{kRaq!%L)1EiqVM7R7<k>ItUa5wTEO$qf%H0f+G<L)t}*L
zw&8>^FaD8aGDeTq)HSUIW^mnY;*1*SpyTIf)-|p9{(jtv+jn%+j2cOIe@1Fv{JN9w
z6LK{ApAO<^A(4T~!sW4fE|U3Q?NxtNvW_@^-tM0IqsJEGT!iqC|KOY-=M6&oqn*9a
zCE08)NsF9I4jY4W$<QT{a|t#<X$?ffhPXpKIwewP33Ee6WYC88O-qMbP0C{{BW#Hw
ztyk(YknLYQh{n*4Bbo@K=SKFV?H!o8Q##XSgQ?wccntU<uEC7iO^_PtI_-|*jS3#B
z+AlSM!lZs32he)~Npq+*1|1fz7}A4)EsZsQ#0-?Mj((HY(C=`Oev>QdH?0i6_Kiu;
zut&m1_89J9kC<Zi7_)*sCN9OJ{;8Nvcz8|GzPxDMZ|q6f3~%EG{4~cL$8v@4+Ch{z
zx2tg@ybK*+8Vyu$%mjFa^;<$6OJ9Qo{i1~?PZ~_Fz$K5M@s35HU>N7qD~sEE9-{#a
z97qFxnh;(Xe$D{5XRuANn=m2bSiYkS*`ea2GtPsN7K_x$e6bk|!z_};VM?@(iXfdl
zsD@H#vY9U$KCoDv?0^wcxWQa)TP!kS@lBJ`QO-uNjfwMqY>QCJH70CDl$7D)cbhA8
z#h<&$n|urq#Q|z);8Y_42!es4V+GaYl=q1HsE5H8hc(o*c@G9~1LmQ6XtTSik;0?_
z%`sF4>H#su-=CYPV(EHZ9jo79C?5@;2RRlP^E!qxBL%$g2z%chd@rqZ>_GX-7XS&%
zre!$yQ3C`YN0p(=#=$3hZ5j&G<UJ_e-Y^3%z8dn@rqDO#q`|sfIYVo|k3(irk0)5J
z7~@%X!GF7JcOB9VsJ?_7d7q(UQT_q0HR6Ek&&jXA4^ux+9?q4pTft$<nKTW;$zo4h
zJtiVg+Vf0)oJ?A+gxzSc2Lo*a^S#b|4dcioG;T#Y<uw#<9Ntc&Al{*`Cc+s_z!Xxj
zITqm6VaAVA0&l|(%5OUB!_EgJBY1qKkFcS79PStzehU(MOh+8EDOVQdG9Z`hozV?L
z;qk&`^L$OpNa?P0y!<M5`g>wb4X(-mmcpXL!}QhPUNLRghy!)I@^<(K)THREFHpSy
z-=+N*&okqqIABq^>vft#J<>bIWf!Erkc9@L5a_qiJ9Or3iWmD~vEF{3ycY93g@mBR
zi^)*KE4AP@MS<mLLt2RK_+{1^hy97*tCWbmyTLjHWhQ>O9_N??pTp1;Hy}VTd$UF-
zddfy8`ryW&r*o^OPLEA7W9tds0@~$QxwIEIQu0H%t-9EgK(C8wAw5rp7#I_cItOV?
z3DOnlO&<(LTeX<h!4e>Au{N;eh9(XoFeZhi+`X0<82|g|7lHsqnc!H{9X9fpf>1dS
zU+D`=w-RBXYhkF|o$hgj=}{2PCA)j){IeM6r!PN;?LxozS&;J|!-Xf|`lIt<B|o<g
zm_^B*)!ije#@>a1lIy~1Bh(54Si7JP3v)gu2oN!abz!YDKY@H`-Sz(7MOo+I+Tgn2
z;!%zsZa3cPuM#b$zY8d<1@3*ggK%HNJqPz|xIQS;iRT+|Kfo2k&4<f^n+A6)+yJ;C
zR5!S3aQDKQ;fmoNLmd6hs1byba5unp;ZW7T;9B6`g?kIG9`13tYPi`*vl4C{+*Y_I
zxN~q{!`+Me&xTtLR|>ZVt`6?ka9iPa!0m%O2G;_20qzpqRk*>A;M<9CDR5bEX1JAb
zYvAhOo`m}Y+)Hq8z#W7;0jI!q!u3bp#=_kVmjyQmZUx*X)QkSwL48-@5`ovx@ua^L
zw;<%eEr44A=YabK+(x+P;a-J12zMvk=Wv~H(T@wl&2Z!3?uNS`?m@V6xOH&9f_olr
z2-5b4y9%D!26r6quOj>y+*!CbxF6v9gGO$K8wYnUTno~!L*M)gt{!e1+-|tzaG%3n
zf{S%wbij><n+BH+R}3e@)xrG^ZY$h>!tH^3AMQNd*Kj|;#iNX&aCgGp4L1{R0h|MF
z9o%NPZE(cz55v*ly};WfxcMqwz5pCP4tE%C4V(k+Rk&Zn&460~M}N^o-^g<b?q6`{
z;BG+J5j<aq+Ya{v+-A625I!1i65PFT_rooRD~EdoZX?{E;XXoI23yFiSiL%{Y?Wz^
zXe%$a6`P#S3Mbkp%(993)@oaJNttbqb+yd`oKYD07nF!)2+#_dj*5yZTXsdcXc77d
z*(K%03-D=Ci;yJDw^f!|i)`F0=mfKMl`Y>UN|h+ef^RMX5`FwO4Eha%8J|-YSye1T
z#5X<h?Yex2t*k6#WrYOjw+UHJ>nfC1QU&%oiuvYAHs@M`hI-!0LNbbqY?Z9KRYLej
zL5B&MWvDbO%!Zb(p}MHPEGItX?6e4v2vj*W5D+6iBnmuaI&D_bmM>aGsmg*@SICyg
z?~4lGXbP*!<w|Oi9jbDzTvSzFw7OELi7J%EiZbD{P-t626)bdE%ZtnKttgDesFEtV
zNL*WKL;v#}m1~9bQDqfH)-thVwM`hMWe?$)P*{ZgC8F>X!NGH`P`IdwH5Z@X!|}<&
zA{H#vNAc%hg+eQF{<nKwMZ~2L=YOTE=PJVYGM$B{kxZOFd=+t^_qim8%_XUkbIFIE
z;9N56*2uY}2%mB-$2ZOj3s>31)z*@7t8*2;X{RYfZ;NQ!YT<drRe_SK;IWDhn-hJw
z7p*HUm8!%-dvOV79yiid78ZhtR^y}G^g&wYw{zcf973VBva*n4JM43?!aspK5VW(R
z%wCCa{6^uMh9KMmYnfy-tpP1`Y7oN6tvl>J3S(sTfNiaClKB{kz-tjwHMvzZ5Ehn~
z6j60Lu7!{RUPfU=bjV>^lOaTWl~xF7W|dW}w3cN%ZD@_80maTHqOj$b+bd9~rBTew
zq8IV^j53f7_?EV;3Li4Fl_S+k9<#6<F%Jo;H1aF0PLMHu#vJj>c|1TpBwP}*E6R$4
zQPcRC$zh}_9APkvD$z7yC-7q}rh$jWgE}twF#J1DwYstdV}oj(DLI|CatyVKB3o5e
zZn5w@g_1X;xY&sxK^Vx=q1RB*?2>W}=KUOs6~kV5pK+K>8ok1QvG?o}XB8Xbh_zB)
zDmp_%gH}rTJT^iP25W(LF)B|g%Od)CFW3U0#mZZqU-Ao^@G!xcZLJbjF8HF>;w%vv
z4;1duf(*jqeyg>V6x%W#R_B5Wz!gho;)~ouA%`~KrsDrH@JMu;hxUO5q849L84E$Z
zSvI>B`4;BRwwAAw5Q&+U$}p7|&$V-m)(Kg*G8?ae1!EmKGcwJPShNevS6eF!N^G*4
zRHC-=IxMINR!ne2<wc}g7}i6GspS2>GKe{%CaNqxJ3e!*+Sx+?C{BAS*$7(I&&Wjh
zjPfo3Z{p2F`*J8G3+yoz^2IeRo}HPSB?wg%3Lw@p%8oUB6dP1#o0C<dyvUYWA(az1
z`;?ba^biZcTupwJnie=P&Wb@y!n+ijzZRb#T}=QpstAP)bfI<ucm-IA2(HhF5A$^x
zj9_2|u*$h{v5E0!-~m9W3c>@_Gd~+WAH8k`#jbQ(oog|gcd@#NRwpJrLTZK(@nLD<
zDYakct}Mk@-UT5o*e_r_x#h(rPJ~*7GJ=w2t1ba5td&*5Gvw!4fajNZ85pcVDDMlV
za%nZq#zgshD4y6(Hs)dYby4}Cr6Lu8fUh_5Su88lBD@hy%cKC&T!CrJFx4WMqX@uU
znskMYYMrw(Asw+*#5=un{#?fSr$=)B(^G<+zjJFO=Lgwm5yuh)O!H2Wy+4B%6_e;7
z<VIn(b&BkL7Jo+yi!cza5?Kc7Maag%mgL#M1&V-(8!5%ihw_N?9@ES=ixpWILAY7M
zCi1BpZ8l-WaUX@yh^j>CYS;t{!$4t~!@dIErpc?Qw(;zO@Ec8Td9}5y1fNT{&1e02
zA_{Riwz5j#Es<&jsU{O_nCN~6q^6RxVxBqMS+Sa7TM(v1<rjgymoKQuEGq$@6ofd+
z2|BN;aGEQ?9q&PHfTXfjxuEe7LrG_$A+In2@U6}{=r@aC#JjENp*&l;M0xOSSjIh3
zK;_B`s}rN<PnerRUOr+os;wnu)|JH3uV`pW3dIZeP>l#0i9U!wi2k9Jp#p@(lp<eR
zNg;wTA(&pcs8MS;vjUT7E#Z}8V0HzYdnzbpL<pM;)W%|Np&Z#2MH29^fZo*@E?~Aq
z$yHp|vIv6-Qbg=wqN1!4YgxrA!9=lU%z8lZ_9zVKii(F&tf`t|`~@Maq^i;?7CE}{
z`RAwwPHTBp85*nxLbC4;BQX==n^mlU-1q{p$qVYvuZ=?Ih4KG;IZo8+;1LxQtO7Zx
zjIfO2IUiGLSP-7*#usm}uwO$QCl`{6MHoUkRNM@p_bgl0Lt;fGM<>=3QTYx?s7y}9
zs+?vKPGXE$^9VMlGT~0l=4Cc(l?{VDo<YhK{sf#5>d<k(n{_p2bIOrXBtlkJfsUlK
zkX#s1&9<(En9g{doyXJA#7KA+90bBh#acDjxe!g*Y?VSZ!_z#eB#0~FM&2%`ZIu%<
zfjVNq_j0SK-6a_9Yz|S&pykGD){FPB5wNhbl0<nL^T1S4lG(+4VVwpJv6RXQVjN^U
z6j<QjvCb^BR#h>n@4)}V-gm%daXkGmqEXY-6ib@KsL{mUTVgNRMZk{IR4jmi0>*;I
zf?X5~g1rHvprWACMUf(c1*NDI5d}d+v7+<;&fRnHP~-3Yz3ub)zo)}Kx3@bxGdnx8
z?e=7O&xI`l&Oqr-7TP$myrgzUmr!A-vad3EjHE>|UOBErM*^zpS+ey|2}W2jMwkPO
zIdi0z-%{dexP`66kw&%Arlx4rN{=F3)e4o|K|KDkWkumqm0p=#i>fLV3z=s*gG!_H
z#tzi!*rAQdoH^3Ku+l#~iioV*@(-0PfA`XsKP6GI{J&<Ew)~YA_22vePC#e?%6`+C
z=iWHJ8bA|J9Z&=C37{sR7N9oZQ^03{&jCCmh<#fa`ASn?f~T;)0(=c<4d4aiZvpiI
z4FC-RczH;C2lyWF1K>vhhDXwOi?tB`3}^!Q1<(}G4A30#E1(6SB>)F7iQfUO06%ON
z8d`v+fEIvGfOddZfNlU@9_#}c02l%o4j2v41&jww2Fw9i0&D<wfJFcYzzTpPU^8Gn
zz!|U;;0D+SI0SG9cmbvXOaMLrUw}U#01yHQ2V4Qf0A>OX@k}paP6oeO-hB|VTn8Xz
znR7hLox|#wD|Fy^gnVBM;R+|A@$^El;J0h})mpwL$ie^p{r_A7|ECB4o&vDtzgp$|
zQG*X``S*4yKYz4!46i~5c*~Ywef}uEYF{#pF=lit?Mu>^DZXUEmH(Z-<lmFD5Wxe8
zcx9XYPUTlE$sb`j<G?=29U<Gu5QJ<a^AWON($WwP?2Gy!goza65wgFrM2JA`sx6i0
zh<LWW`w+6f^GC?|;}9}_ykIBc7uAFV`@e<=*$3jR0;#+q2yv@+@w&GV)5^qafcgP7
zgo7R8*>7$}$iCAZA=4XDCOvyz#&ZYpOkX}irmvQ!a9}^Fg%CmU#c8yFzZ>G)Ask)i
zIZKz*%&Z`u%K>r+1ZtPe2Nc#pEfPO91XkmP4--@BlH)@viI1x!KDCng{7T{>mNJ)I
zZrw`awJM2kS4n)IO5#UX5<jhyc*{!S9V&_6TuJ=CO5%Mgi4UnHKCY7Z)Jo#>D~T7}
zC`w%_`6GUaKlF<mqw4YrLi=H*Q(Zel(RX8IQ(Ylp(0^8b)ipC7_uRNtSKTDwQ!CHz
zKAtyIp0d7c2zPGes_P2gil3=QxBqt<qMw=`)zZ?yYDdY{uCazlD7h7mc>bqa{wqy2
z#67j=TJ1E%2Q~t#t6@tGQC;m`tDA;ElHzN0cMZ`4ckD}UR&Du*_hHN5wY24b)Kaqi
zI7M|xK_!;|Ck^3PT%Hh)xQAsdzS=<oD~j(}dK$t~O(K@~knt_G8mcKqh`vG_qk_Jo
zKmOGgW5saXj~03WIj%0Ajur#)w?9^521uy~OJQH69VG^<mDj7c-P}1^SZ1=u^x_{)
z+P7)fM9b713j>&p{iBJV?x5D)nrK<uU<MqcZgbN=n%J9KH|hQ77oYa}xpix;{uY+@
zR%SD1+GvG&XtnR&t$phb?b@~18exXPqP4|z8ziv81eP?1tJS(SXTuQIbgt1Hdo7e}
zZv97-`BvsVtc_=y&NZ}dJy*%s8fzsz46Wz3S<t?T7N+0LremnCuTG>oDs2-Cw9Rbn
zzxY%OmpPUP|7cQ7LK}HlY28Lzvuk5+VPk4(XwpPZYbj5_T3Ge9GM<U4bz__PR>*AE
zt&1u_v0ys4foLEcIUldn{L#eL%)DcVCT*D%6H{wrD>F-;tNv3}pq5l%ueR!sq?DM$
z0>Q@i$j9^|uN-63S0x(N1L>h6uF^d6Bfiw>kg>_}l}iDuEORZ)TlbgOl&n?!D7lK+
z?ZV6!v#UJ*M{yM=oNqM8%otNJx)!rdp;lcwckgV}rBnM(os5mAw>Ozyrr0^EC5Jzn
z{HFGV1<MFogykhv5-UlvS6f9=$OZjw0cZ!927nE~-+#Cq@Z7;cNCE!hrw9oNLC7%}
zy7A}@LqRFPUmg`=ATH|t!=+~YfS@F~W9dsng{Gmrvqt&*%Aw+TDvq~RE;&nad@=eg
z=_-y_lG`qoGL(<ERmC&4%2ktd$?^54t6kH$lqGyQ%qT{TAJa<Gn@f*Xe-<zzsbB|l
znJ)RSdc1miTP|QD$COT=#RbTC>gTCvkPtDU4)xXXXO+a)D@Bm)G`9TJJgPcTY1BQo
z{4?~+k0SQ$=T+#FD`m@%QAB&?UFbT%cpX-p;Yw=GH(T$Era!J&VqZ%Ptfd(qJAyH0
zjx6m<a^n?W^2vZwzNEcM$PV>N2~84$#B06sLSW%I)GIFpIlinAWFbQr$`znWU%mhd
ze+31|@#PEPI)pBlD?pXLTmdMU)0g8w6<@9ZXo;lD6%-)Fqksh}%>^mY2N^#Xkg8I1
zXiQ0b1qDcWm;<E+Aj34Mp&X9_RCt7{09AZhMO4~u8AY@$jxUt~1;}{HRdR8Bsq_nK
zD)D7Guv2V|`SiSp=6TAWX_hJzQ?EWvw|F^S`QxZ0uUF4;nWJMv<<BxD`NxN-V_a-6
z9i%Bs{tcrn&5E(icy{b#!Vozbtn<HiDe09kM3r3$Q&sm$n6J85!q=*MC1jiNEn0XL
zXQqvmdW)S)xA13%$~-{;x`1kX7TXu8N>D<TK!g&q!1yW-9i&^q0_BTBq@W~BRoyG0
ziWO2q6)U8KTrk%Nhp<^vjiBF5RCmSCjX6|mP!8F<Y61EH{`<XaU6d+aDivfeBwez~
z7W+_@_gu~1NOE6tOOo%Gf)j`0t(+<gSnS>4sQ9_LlofyAaHM;st-&$jr$ccYhT#Ch
z60f7&=c&9CJeg#nip`UR5EfnaT(L;S_HIEf6aWief<U%3Y6zBsel-NOHnIgQK>!oS
z_i70E9`;KT9ZZ)a@T((`El2&VR8CM6ws0vwS4Y72B_@2Dt$bg?f^@G&fqefk&s_RH
zW13t)7SmtK{~Z}!y?PCoIm-X#TlK$?IYCD?p|=_Yx>(N{@V}fDa8SkZGlo<Zu*x&A
zsxz>PGjQ8t;5H?J140Ls6N2&{Y#GHxv!1iIX#xI=^&BM#$fqG|989vL#JrJO2-`eM
zNiS=XrKB!3msm<#Fm0)&R5_MQEG3ygtYayugKbTOtf(;U^;5CY(h?!xFA#EdXH7%6
z8kZremz`O?A`M&H*FuI6NWnp5K}{GO9q}9YOO}L4P}4RQ&r|U%pFyLh?Q2bPDBatx
z#Z*^%*-f_*8<sf=`-x^EHat=sbKNJFjWH0%);Woz^B0Mj6Q_iy$xLz5+Eyf-@DZ^-
zCxwrmz6i9n7ygEZB6z_95x;-GNc8X!H;x_^&oeWHE#fAOA1`7yZV;K5FNy0Xy+wM^
zdEwfwp)eaaMkLw~7ap@liHpulMD+2!;{8T_@p7%6$ad5hh0Z48;_8{=y}z^YT4X9-
zJ53Uo7LOBekJyRG^`_!4)A8c$gdfCpv!A7Tg72!f{G%kx->J0ae^pzt{8=4Q&DgVu
zo}xbY7_V=eCE~W4irc$p3&LwrS@u5)y5le6H|dI-TlB@PZ4<<u9g{@z9!_H_Hrq}U
z4>xoa54Q~z$!-SXvDZ9t|A@JGaB8WTI(dS)>#8eK_l_4C2PcUv4^xqL$W%N#Jy&G9
zn~5W9=LpKVCI0@)N<2EEi!{0-%iTac@t%%WHD6GuouDu~@$$Tlh&wb-gt?guO7aqv
z5h}7h^u-gei6U~#2$An&Aa3p+D=5%ZJolX@J_OAY`KL{RW1gVPe+i0QE_SW95cDWo
z(93MG^sfcTGgiDftuJ2tO%S0QhoCI%JUowb<2DMq>4LPE1-*YOZf$HVJ_PEC)2n&|
z?_}}j!epeKCNjPC1%;!GOS42l;7mbRECJSnq8Eq{F(@;3sh}Hc1*IGm1?NVK3!D3j
zYkRfDU60WsVyCvC_!WX~Z4@68oFL!rf|A_?r7>@(1U>Y}Z+Ai2(EXy9pyQ3OozhgK
zc@Gwep4uYw`~*=L3E4flBq;Za$ULhpaso$+C!v!>eyqKCc5{=UJUn~%On9yDEV3h}
zi<~I%|13tle~~Og_jDKMUAl|H2i_viyPJsg=q64&cNPhLBgNzRh2oZfFR^b;8<BXS
zzeoxiE*{-jAs#1g6;Y?!iZgrL2)DH@#O;gYM9%%a;{1`{#9`;=BJe~raePlR5q74B
zxD!1?>{zcQLeI1km(TYTCyx9m60TW^0ROHc;kum&3mYmfMT`@-Z?6>R0|$%nC?gRb
zH%A=y>nbvHFNlCx6Os8eOoZP4OT^^(iajX~BJ<@vQSdHbcsz6yK~H>zOZo<3nlMpZ
zD~J}EuQP;I;%u?>uANw)wpO@2*dcUp=m^t0CZgtzhoW|PifDQ@Lv*}&S5)`7CYrkX
zi?-fZ#n8ZeV#&T^!uVv2Sm7NiBJVyF2CH|A!FJokiO59Zb<$sKaX~$xgXrYsB-X51
zBbF~;E*36aD6Fv|a}G8Gn3$Ld0|Nu0qoY%)h55$^Z{NOs^XAn*CQ}l;di%CMvb=rs
z`qfJ%uBx!!H_d)&`dj1H{olVYddIn{N(|>x@0;eoHT|V2{&S`V?~976%!Kr}3$2}p
zcmB0mlP143Y5G&+)(skPQE%A2mA{ZaBRwN6G3DUFgUHmoWfNpmWqMaWInz^EcsnKS
zetP=-q?_*eKcVCAs!TstkU>gsz0KMA;K7u{q>S|Rq&qj=-QBIm|K6-gTlTbNE~HOO
zxy$K?n_8~ed@J$ho%_k@_io*cJ9_koiqj{i-Am87pLAxiv9YnYi;3k5C)ewVx9+7U
zZ*NeZAcdZkMDLKWz!UyEEevr@<+2X^@S#D`JKp7>b}8wdhwEtf?mqd{sdJ~!dF)&`
zm9Mt?!+NoFrPB^(AFFDf;JXO6{BCp0&l4Qd=GDeyCuGa7nkSG>@wWoTDn=2bC1299
zv@a<-srZt4sBd*&q9zLPlztCY?mS*+aPQu|56$h~t=rsHht3^3;px~(m#@C#hP5uq
zz%sa-awj$8TF42{H3lcvbno81Ti32#yL6empiQfGef#Jki(cvUg{bqHI(n<ucm{?+
z&a2jRLyj(8y0mH4s#Wvm&D-nhy(yM5@TYM42|C)NM~@!lx!Pcj=ZSM+=MEj3JGo7J
zWN6i@gYLMJhJy5|P}+M}T^x~qwCCzUg9Z*9IAFjU@X)4xd(P2EcX}~;S!b=cB`o$n
z9vmF(AMCMulq$!70h}I}jv6^i`WZTg)22<Cve4h(BRDWP*wbV60Hp8PvuFGEebvd~
z^r;Z%3LT4SoZ<M+Ns}f`bX@J>85kJYrUx?g)K({l)2F1QrN%@A1$lYx*l~R46wWYl
z;>eMsMztL>q(_gQdg|n;=yBIEwzu28+w1tHO927LkMG<m<v{u&Lxz?jN0okp&LVSr
zds|yOuibNI?eIDtz`T339XxpOkkaIE`izW>7;oRbdpXC+-F7ghvuDqqHEYMtwquY%
z2j2x&yO6%H@ZjRTF23OxaRvG9-n~-E(bmXl%ott$lFC9pDg6u`lVuJLOO`BJ<ahey
z$%{d_nE6gdMn-zN!_=@#=@V1V>MUQo966RQIl1RA=41ZK-6y^LY%DB{bac(ircX-?
z4~dM4j5>e*@Zs>iixzQ?`FwS<u&^jYjzo{Uj_LY!fA2eT`26{Zh=`Dolc!Jb*~970
z&5g^DBc<=GW4U1ia;#mu{QO}MwRf-Y>675y#@t-D3^|-0(!6r!%$fDb@%Q;7%m;H0
zsydk)mL-SN&s==uZ1j~YSFc7zMa4vgh8{V>oFhl4^5k&(31jDN+O%cGij5mLYzPhY
z2@MU61pDFPzJDw&M-HdoKX%jR&8i%i&oEVBWSPUR!$@DcvgG;-55K`zbaeFDv$1C+
z&gC3`n3R={R9|D~xo+L+bnL=~v(eG9@v*V-SFc_LQAds-ed)@Q@sHi?>dHBsoHlQc
zKFfS;+<(RgeEg}aU(Qj1{;}>z@8-G{e_f+5Y}&GE(<ZRKe%azb%ag<Wj%}#<)YZ+c
zQFTsVeM`ypr|yVSy2Ce8`e%=-ySaV&DBsof>rWnizGchzFP<XT*MI7k*eNBWR=uyj
z|Ni^znr?1x1&<oJep@#?f6JDJ&mPs@vgMOUdF99#E$V&wW!<`u^D%g>lUcLj*I&PQ
z{57uZueW^t_0z|tnu@&IIKOJkKSr|r9ZFe#=V}ua%WwH>Y0J-K_j{iI-4_p@*Q(X9
z)`L&$e)*+FW?ft$sbRyKnF?R(VQyCTLyYhqJju%Lm7V)MJGWY1joJ^M*Zizr{$urY
z#lL^f%|$ED<xI~XK6scdaxx#}i0teq4~vsj`s4Y-=Xh3-hd((Fb1O~ukq>xm&a;TG
z8_Qw7G(*MX{F+jHDmKvbbA+0z5Gmw2fu)s%y;bowRiRiarx(5dAym?p4M~-+OsJu{
zFB@vA;>(5#J!Qi>s`O>U#;W+Tp~7EPA<vU6MgG_A<glpy^16h39Aw>14rO_lp8u<S
zyl-!}L9Ac5P3+jVORCu|E1ksdMH|Gm9lOPq-TOtvb{BCC5VLK&2wk~SL^?Z*z3BNr
z#7ozq4ok!p=Pe>)tCP68ah(XVohR1VEf6<$Z5EFXI*af%OGJ?4ViCG-nFw`UD8klY
z6c~3&ggDv@m&pS}zO$K#vmGw(uAU;!S&bI2588@_Q$~rr^ZSLp(Kul?W4d^>a+J98
z_Y@Jn+C*H~y<YfE?<%f3%@pz8J4F2EY2uat8u2>J1*1O?5r5u8B<z|YuJ14tYc0l$
zaNG9co~wb#K5Qx;9i1cY?l%(;+$}}w0aKBFWR8g2V<GJ38euN=y|}-jy|}TevnV*C
zCvuKVMj2yqGQXL4cgs_}zI|GF?%pJx`%Dq{_UenwBL?E_1uK!`Ge;Eo+lZ{w^Tmxr
zbA+Gs9I<!PB9Y_T2_t(w5x#M#cz4c7WFMa-Zn=#WZ~ctLyC8E>aCWx%aOp3Rbj(sj
zA21hQYcaR7X^z;j#ulUaA>!Wt!Q%b-N#Jdwco||XUPW&d^Q|pKlyg7v9wYAp-?1Y3
z&<GK@d60<SHC#M7H9_3>8ZYut*89uzL}skJ2y^No&aL}Xyb2sEa(u^#^y50>Rj7e@
z7iA-gqU}ZDl?CG6^>rdQYLj?+^RRewW`u}z?Jtr&hGC{+w8-W1Bh18yCs)KB&jBLC
zS6hU;^%cQ8`iLBi-tCM#i)S(Rq9A^ic$2tYyuZI+&;t+g=HUeq?%G56I&~A#hx&@g
z0VBlS)5Aqx*hEoyeW`eHYn^zM=qs*!_7IT=yCdu)l1~p14+6Bs%@ae#lL%uGw!fP=
z=h9WAT^J}lH+B*k!Mftnl^No0kg<3iHCLpDn~U7*4kGXNX7T=6v`F;rAx>=RDDDPo
zi<BTe@jUH_c%I=Y5;4+Fk1!JHQM1H@xJBaVmR90cz(8^DimAxBW-W5>?G{nKZAI9z
zwj$w@p?Gj>g*1O;SLG;Tw`BPnWt1O9c)MV=@$kNL<wp^Vs`e#1k}qjr+LzSQP<)A5
zOle>8Fv(e5jXEbDB(4+Ba<7Tli#j49cAmI%eWAF0bA`B@>?D%!yNS$4fg<YWN)da{
zNrWXV6&^S7rf-(7cwYESoKA8Pr!#hlpq!)Pzyn8dA?A!odU{*Ly@(N6uQSE5M@K|N
zZn!v}=_&lP{Y3K1B(XDRhwyyjDgH`dEcRy|5Jz)8MC6Mo;g#zxp1#i)?$5l%n%!H)
zwo8}943CpyMC?N`J|Ir~<$p=^Ja$P8K73wu+IB*84}BtZwt0#LjvIyP4o_ijw@4iJ
z_7$799~JA@ua{;OmM&c??CtF(o203!S@fZ(s2ajbu3B}PXf^q%OY=S--W64pq+zX&
z9XhoCrLk6%CO<X(b=Lc`i5k?+On;Pm<Hm07F~2naS*umk=FNXq$Ma+Dn~ziOWjxGy
z^dSAl?hftSHE!{fI*tbQQj^otQk<8DUr$K5lb(M2#?_y`QA6;3?WEMq%!FertPZX+
zSn3oUcjpdH87#TJ|1>G3Z{G-OOAGhy>;E=gXl-NA!mvx9KC|A-X&ThM|M2dkYgQAx
zS&SPrXq+u(Q~UQAGiHpAp^W7_rZ4&UigoKRoLY|*NYkoi>(;G%8OR74)V-IL96NKu
zh!N{7C;ok8`}Xa&c>ddOf9l9wd|&%s#-nR4JNE84vd(-su8Fg|w(Z=y^=Kox{O>+Z
zdfa!&q<IS$9zML|@V0I1{>Jl8ZF`Q^Rnb>3H9Ns~|NfQp_N|zpuWxR?V_Vm5Jv)t>
zrV<j%FV=e1hPC@cL-*`kvu4E#)BfH5{6j&n+2HfkN71YP!nJ?-4Ewcf_Uzf)f5hOy
zqm5<snvhTOaSxBvetsb**J8qH?p%|814m7ns?@=EpQc0@EMC0G#^&^aokvgN+S6~?
zl#ydq*)<!~O^x>r4D|Ou6yUMzufL|xv0JV;Y_dYVrsj{I+;m#vwt176*Oe>2zNb$g
zJ$h1ax=k^9%?7n@g`M|ygHi^1Enc*G^{!nz^`;vXqu2bdruGu=@QYEAkypabo%1|&
z=+G{`@dgU@nwkwhb=Z97>>2cB&!2ER5p*ul-`8aF7=?OG%|>4xi@J)_TrOXZin@65
z#0gi|MFU2vWY0V_`pV4N(b@Uznc(Q?%NH-64+;v@A6bGP&)e^I^x+k@t7o@v-MYoe
zY106mFF2=sHTt&QH~Bu!Z=d+gua>w~`;zn4A>9p2iq~xTRsEXJJ8HjqcIgLEu&h~O
z{?<0HUaCFs{dJAco>l+4PC@lAKP#yA<rf9@>%V!fAm_06)4YOjo<1#n{VMml(8zsO
zqt44h_2-(uzsc3i$$hDr|8%J4)4Xq9zQ`~2xXPPUbZJ7+OAHZ>0h$0_0#ZQK2@#^E
z8t}aWjqzK7-uSJ+Qv6nc@VgA~QkDiitA|2yabKz~KntKDy}g4U6<q7qI7zYF*KZLQ
zcDYHuWNFowf2?Hr+m*KbUw9~%KMb$tsLvnWby+K1H?0>t7B3JRZO~)D(I?L4)5KDf
ziQ>f8wPNQ2GqH8ad=b6DOdMS}S)?9cCoV1;B5ti6BU1Lv5|7-iMDjih^gLFIxHZ}$
zc<Wqo-EXhB?!RB$Jv>LGM4uPQ&f4PHDNB)z`=dD4<o?z3;^FQgB5G|Pae2dFk?lT3
zd<d}-J8Z{@Ko<*<6?05n4e=3|HuM)CE|`dC=jMrvd*`8twnA)LGE*Ghu~Ni@o)Ry-
zw8aNM9TB#^x43g^5qbii;)u&?5fgGkTn+U>nv>${MPIQ6y~UKnL&a5BZE<D$5OL?g
zXp!z?C}J+25i#L@;_A-cBH@s>xOG5VT-ex01UmH<X~%ktTl@bM>F7aZcn=p*y9bI$
z(46JlM`WEDB(nX7iR5F0MeYS1k#k|3$VX2o{+Paa7(7edi`p$xeEN%PNBW5y=;=i4
z>nrktMu{gO`XV>nKs=3{jh+tPrru~P9-JR6ve2W+xja>5Up5g>Vr)cmz#Q@X`XZ5c
zW0gqqMUNwJn8?NYz{|UvM8N}pkrt{a(!-~S2k3=l#r-96?`#&&@9z{Zu%_`g@1l4J
z&z%;#N~FeEiU&8Ah$kuAMaHd_BKQ7Q@hHVvB*!ik>FAkcVQt}2`hIce=1!4%e~-AC
zutcO}92B?j9~8-H-XbvMthk-+BZ40|iHMxtB0lGoxS1O&uD`k_F1?Htk+0%J<lE~a
z{#}x|MoD6yhr8J8cR}c!yDm)Ex``e8J%r=BEfwhX|3&>zNkHS1&%dZqL!;#SZtaA&
z4eQjdSxXhwYx|b<8#X$w?DDA`(S7UYext^jEnEHTA5ym8wyo)_J*4UHzkK!W_wA6R
zhx5Wer;O~~r*pk8zv+hio=)S3Po6Yr@W2LNH*SOb{+sl4=S&<icG!<Uwcz^!tMsSM
zHPIO}v`KR<+-h`KGSkRv-c*Cp9b5BbjYj74Xa8kwINh|9bgNN+>EDZ&FS4<p(W*T^
z)~IV~XS>2-fyJz5@_lvJpLhPSqvg7;#`67VE^aQurJ9T8E-880KYvq$x(>bXK5}S0
zv71B9L4zDLZ5KFb_88-!sblB>pW#sRyV?#lQ<5F(tXuC;XZ<*bI!IHeWow7Vy$pyn
zHQ91wpsd<ss`XLTIAX*I4M1%`V?bZPNWd__AV42LS3oPk&wz%2uK-^HJ_URNsLuP3
zmRC87i1>^xe}0RKM-g?!J_FhEtFJ|@tP*3jYK-v=&qy_9fAXsMyOL-6^6JK}v*j^5
zR_&d1CGXU>w0HV?jN+YKEK7SQa9&LXEJ2Nr68C>nB2~F{5OxRH0d@j*0Gt7v0V@Gk
zfN2070M}*@KpQ|4KqJ7{0LJkdpeCR?;J<|@F6UzZmgBe17-MX#H}b&PQ6nxRE&^}`
z5Cez=1Oa>jo`Bte^#FUobbvm9wUjlq1E3k;JHR)9x`59C|7AQqU8`Ro`#uQ!JqUX?
z@(b7Nzt38&UleAq`)bc@okDwqQ3blAM?3)yj{pw<_W(Bm%wGWDB;W{OJ75`L7GOMJ
zIDlJWCqP9!eS&zk_b>iq3Wa?qq|krXX6&uVMY^vZJL-RUxj~=#`H%y6wP74RTCM*f
z#BS_+x7lOf*-aVs3OqeS`MH3{fDAwq;3^;(a2jwFz`FQ1U^YPEsULoGJ^cV+%kgjV
zpiX~5Q2~0b_#_{HnED;gsD7A06n~bAPOhV(U9;%J=J8atUZ38s8B6ci>(SHII&|G`
z*avr0?IQ5>8oKu!^yC4u0bEzffLK5XfO+x&xBwOcSm%BMux|Z_+q^pcrguzf{H^hX
z-3sLLU^@lpo}<L)ao`1fy~A<dZ}W(9lZcXo>3y&p-QR0KFP+BIhfU+CXq_&-->65=
zSLx6l+hHG$8xMXDp5Bz<DHF6N0?q>#0a&-Vef+1;&tnFbe*x%>$&UaJ&b0LIUo`%v
zz649}+LKHAW{SxRpn{io@q0bRJn<tcyhoId?;c(~N^kbt&|9Y|5>M};gV+y6uTW2^
z_QOA%ovHoaXq5H~(0dE870?^NZTzEjh`rN>Dt*buM7I1bCYARkAx^xbev@-~U$VJs
zU!o`Zk~XD%Ny9gaFZp6qX<t%ND^}MLMaGhjzsCvqMbPsieC1cABZ<$VDLCgeWV?|}
z6Q<Gdcx@VgV=TF(t)){B_fSmEDabpS=*1lX+Q*~IL<z^~t>+?ov(=D_Hjbkkle>I?
zOj7`CYli~Zp4JAi&Cvv~Z}@0mr%u01rVGUsL{sLgG_=z)^gp>yba^>ZEDndibC~G<
zX>z~)7X@c~K~K)m;Rjo3X|fggnhc)CkQLgC%l*G8=8*?sw-8}h6Cj!n{_^#E(8o5(
z8^HGTPrz>g?%6Z|)B}70_!RJuc2u4I;HSallDU(tlIKCE(N=F8OFHh7v4t|?9H}tS
zj40R&U<t6GgtJ2_`}`!LOMel?Z6ZoKMDzeUpM8<Avx$PU_JfCIWCc9K;|7u`+W&&d
zzp(tD0^$MgfYku@;f8=QfB}H+fL4I-0qnOcZ3F7`SEN6Q&*Lfh$yvH_UWYE8{DZbS
zHlYJsey5WzUFgJ~b`*C^n_iutfe+Kn2FwD0$H18Y#6_dN;y1u1?FV1bt-MR*)T0s8
z{~Exy^d8_EARKTG;0164tOYPnY)83XDz&5kM8Bl}tUDpr^z77ZO58P-?(8(6h^?b(
zpJQ7ITvz`_d)Kw1y_<fc;61%5!DA#nJUI?LOb3|C5MV+SU`%%{ThNWeb3Yt)G=A^2
z(BQ45iC!V-%LhCGJOnULTsMAzr2y_3e*vh_j;hno_MLTy?fa?h6R?w)<o26%Ork%_
zeLAJ=o{CL?29&hRfR1nIMxjnaDPj90y5&5PZf>1O7dH+kzjgiT=&CNXV|h#R+SHl6
zoI6mUYcINYY!qcIZbjHFSq|=bS$+uIKJ&f%8sm5KO!NytFZV+fJ6Z?7E7T!%`dNQ6
zUq7IjXIJQO)&W|d>L|4V?AW8wQ{BmTXBRrVqX$Lq8cx?;b?Ky2H@dWKC?&c~qB}b#
z((UaN2|Gu@$9TH2WgK01(x>=MdUS20E(Na{OxRsXN5}m{k?W@ucA!$~K?{0xY#u#7
zYg3A!!VB|R$Kn9oHa=SZ73n{{$dqLN`kXmk+c$zRgF^l;-O1hgciO)3N7}XVXF9a`
zH#)VYD_z*yhr*o)6Z;b9sx801Wcgc{w){WsS1f<CsiiId?d{_!VcR&=vOeA1q6f+7
zLNa5q4ONHE3~WSK)|pBWvDTC>Ihs<~N>d75VM<pwqcx(oRT2q;H0A()1=IrkqejLQ
zz-lVJCdDGB2TBqt@HL|>_i6O-=v2b$A3Zp1K<8Y#QH&cja*qy0?b4?6+k2AtmJYOM
zV>8;h?q_ma*Ni+jw1eh$qR>tKDQfdj3K-r9bedAs2AKzSUa-GdqCeEdj6M4i09&|*
zfa(=_Lyl9|$o1$&aL;LY{4i*u30Wms(B;cBDD|8^B^?`0nVysAvFB8J<Y53_4CsPu
zH@dcWC}AHmr5~6`Y5OOlCpCfY?H*5e-NsRht3F-cHjqM4)7~39!D_T1_nBIRz0eX|
z+hR&Fn@pjhGB4T3=SlQ$u$`O=n%S!L0DK9kur-yXzpO@Le=9wOMM^w7iY_1RK|cF_
zCC@!gV2OXFQ+s}=W3J69Xiqn~en6X259!l`LlY_EzywO)Kb}(ej-&f~^y!|P9$~*V
zrR*9@NjqWH$2OuH+f6CnS>{3ECDzH5ih^zbCEfWa`swji=ni^u7iLqzX+v1#Y4p@*
zD&=__P==Q-`R!{<etX+e=>Dz}FNa-zCJ&cp<h8RUUD(xy!d?HMt8N1+dG~0#zk4kB
z(4lbMMua`)65QHpD)GWR+&}QI>rPqvS%2802j>Pzy;i!7o(JfE1CLjD){tJDnMTh~
zPX!+alz-BIE+6Sei5^4giPt2`IX029JtyMxh0veFqv`toK@_&TI|aCQrX$;$(%!9F
zbZ~1^I=euNl6ITY9aotLg_ozN{&n3cOFy???oqKvS)aCs{QUaRg_E5q;P|g}!RuFw
z_3lAePxPR)lf&u0&oIIsZ%XkRO8GvM=&AQa$~!(0yiA}R&+(M)F%G=w)1xDLlyz8_
zG7pZW2M2U0W^yA~Vp9q3?lYBmVIJNFE>LubM@Vx4RoWe<oiFwFTT1^6&?|)ODa4%K
z2OH6=fXVdGZv>^D8A5SB-6`^TC-Oe}BOO2dBb`0coUrGdBHg=EjC)T?@*GU}P%pX1
z^udcBWxMOr<D+B2iw?ybHKL3oGW`l4c<(@Jw;?WO?A<*9V*!l-mD(Mqoh|>4Dn}6q
zFgxGplW&fcA4Od5&NEVLg36B~T&wma<0N0ws<ba@s;&4Eq1wT#yt`4Qj59)H8HddQ
z|LF0A8qtT~Y4kp5DisA7pxqkKHJ@&jae64d@|#3YPLH8fpCNS1t2cC~3k4l+O{Wf^
zz3$T@pS?}#+`d*6w!b4?UhorTd74V_;HW93A2y|DzUT$RH?3bVnS0}#0e=80?P)OG
z%B8L&Y~N)tp@4vqlmMMb4j4{3A>$}NWP*whL+~|~J_H%i%`@F7%Wo*XMbG<<|3rH2
zH<4bRoj`@Y<LSlearFF@J{9=rQNFh>r9y8K-TTvZs~;%)xJ<voM^W$siGI+05nv7Y
z9l#@@3jL}=JBRA@7wh<&0@(H$lpSbDsiFFm5Hyrx&i_eae(fp1_csdjZ4LO10(_cK
z^y#*g;WrR`Xj8ub7<zMV0{9qDug;F6muK{;@H9sIr*y%`SbFBILn(6_(bH3=ly}mU
zo_L#5u8*wW(fj7S0=?Yp9tYsjLJf5~EBjp`{aKOF7s%wYJy8rsG*RefM$IR>0y`FA
zfq3Xt_)LmE+mVvb^`Qj+o~Wztbotb86ynp2&L97of{r(%u;VQ$&bu?kp6EpBKK&`p
zyFcBxY(#ihN8*9`czr?Eot;aj@~njufJgiF0G0Yxbzaoz=TRHm$Vb<mWcsfzBf5r>
z%he?^AJGaQ7`a85Qvztu4$>jIi1ra?ggjHBTNuR!O`s2f(4X@oDeLS&N;%yNd~~9y
z<83K^ZDV?Q&XfxMO{w6FDZLMob!YOpF%h8oU(y}sL!EveHM5TjhdzY*_M))xQ4|n5
zgu+6hKNoc<Asl_ji+YrE*_3iF8BugVU&;=hi2A^2?Gi?67frzj+K0kNFlLPcF}o6=
zOGW3$(z|mylx5opqdZfIhu0S>)E%C&`zYNhOTVQ5`FCa6M?&_uFv7pN5g!^|OL$L-
za-!!^W~3STm;gTXDd2op6?CJp^W7=zTvv*}(3cV}^rz$t0|@UpQBJ@xjIc3+3(}(x
z0b?oWuSUSna%cGWbf-f4Q%=kD$E_y}V*t+J1Nx-mgW^|XgueoMwG2FrqwEMC9owRP
zz@J6VqnwLVC?{+pr3S-(1q`70^M6RAh&@&MlKD^B^7kEB-j~F$;TfqVuEoBj16zOg
zP6w*?CF3Pu@_T7t((;+&OT3qr8kckkJIgldcM3Swj1sprmSoIwrm%lczst&)?YrLv
zZP*ORCvE|y-f+MxfvYL!#tM3y0DWOu-(sCvM|9nh5-v@m?5MezEkYZ<3R@JTYQvB<
zU4bo%K;Q5(bUz$z_#$*a%%E6DDD>ag@3QpMt2`<Uo=e%`7L=2;m6C5Qr-U1S5#Dp7
zuoxo>i<(LSSH@FV<U|UK7*Bp-XuFr8?~z878aWefz?^cTX3^Vd=u0$Y8wFbwsm8}8
zwC%+|$?^~T_w~CR{SU%{8#27PgDCAdQR*?wz_}ATwnTRi5T)$F?3F7~;!e!YZKH(f
zS(F?zmvZ9lDH*>LB8@5G$}|eQI9#$z0m1z!EMy>s1@)zfp#GE)GMw%@w?^GqqdsKa
znWR6OS3zt5AMIC}Zsk(9k-2fu5vKn>=zic!lyMTX$|uzLI0QcS7xRJl5GngQY|(9%
zUfqOV-Ef3%twcM9Z-|3l#X_&HVtf=i2e#FSvK(7Mui)>{r&0OU6QF$p;9s(h714j$
zw-1H-51_EbWfXARp2BV~qOb&nw`?gP5&C|61tlabhi+}5oWxBO9cMw=w?J<q>gx_{
z(d{jm$wm86=OZ5cT`S=u$FVEqzgVJw$C9a8pnDsDS7biguPU^2s4jn5cc33nE@5^v
zl<08~W|sp9@0L<d+5y5lqLg`eCwN&c@e&$mP65|uP}sFufSD8!V<@+i=xG!YZAb}M
zXH!DVOz4;y<y^I*oEQtr+Smi_d7(r<bSD~g+XLDHcqaEB`(*00S4e*v^oHqIAUh0v
z1cQ$YL|Oh=Q92{fa%Ol_!kyKWodQ2_AMN8F+Q;3!&@DH#5f>`Fy@7IWqONW%rOY_g
zA9zTJo=y+850q$6IBNa|^qvA30C@KEld`mZ%)Pq&+43K$+VW43EdOt%Eq_}V#q#^_
zC~f(r8ZEe0A`O;G?iKky2a-{wqzWa8+=B+BqXnkHa&V{sOD5R`+PV$e>O^lM7g52v
znUw1^K$6ITl}0&`f(u{};A;R*`}o%{b%`+jF&owp-sh+2`x!F5Og|v=ayUg_iYdhd
z(=Wv_?H>tBjn15^dmS`806GFb2Ygg7wJe9_>0e6&tv6GR<MDL!A}q9u{zJn@QT2UM
zG-NYmtdf6{mlxr@0;+i+if}$bF%M}00kn1N0m$HSaUAo<=@t4xZ!o|d&;n5D%wbu2
z%ib&W;~WG^4?0&2Exe*>|9Z3*75y9rUrQq4dy6tJ$t@1&CD1t&6Z*wFj>fIrT}*4t
zh7F{>co)_1ilgY`u<EM1SvF=03HNx~;2lDs*%x2}Xae9hoqyRHFfTY~L0S*@oiKq;
z>+2KFb&%jEH$R%@;EW{(>tevU4<y3wlE;em6uV^$-Enu9z-iBM`u<=@@x2oNo6j{V
zj_Kz(mVbCsCTZ<D$Mm}clo48$GZ1BEUiLm}x`x^Lb74<S*X$vjH$gb3f<)W{@;dB8
zM{WL+AZpDTI=WyniTF&ynHCa{%&+hG@q}|Qs76>4`571#^Ure7+IK;cK^TsliC(u(
z;@NB6R{AtBiRs@2U{CTNZoBGygqZc--8n3oy7|Y^kC&6F)8!1j?St<K`bANlYnim-
zh!6c5a))|&MbHLI1N!A;EKT-{rZcC{&`-WGG{Pr}aFz$zdSApW<35V<K273ACb=K=
zr8Ap05zg=+=EHLBZtA|#i|J?GVcq`^c@lNn`FG6pjy0f53+MUWAj6}f<TQBzAKfcX
zP3_duF7PfjjZddu7gK1hPPexE^xD>1uwe(aznV>bBJWW1_zbce)uYQMy{<!hT)anL
z#{zC<(ttAwG()?aWxw6mu5~$koornWQ}at{(kQ~S%29-I1GfCSKb9Xw+-}b^Qg)Zh
zk0Op&?Mo&~zNBSoU(&g+;!8~Cl=dY9rp)XE*|r3*e*9bd&2m&O$XNsM3CmlFQ$p3V
zVmpBQ+WVZ>uUL2?>HYH4kuP!IjMH9TGpDcH#oM&nCzLMRj{bw=F4+ukp&Rgkeu&E=
z<6|)tHNCS`fBfu!>SBIArtIkH*siU*)PE~+|B*12U$sLEL|9W5;zdUJJ;KJSP<h|4
z?E8SqeewH>_}ByR0Fx?&r<d;kDOA#z4HbN4!^SGSWy9X8__E<rReafyRPklPvhPVM
z_hsLctn8lUlFwp5_*$zZWH}buFR!~4A*MKTS>C*(6G=oLfQIx7KdQby$K#2Bl>l47
z0sva2&;|4dbO!tks0a80z=xCm=e0}wNsb|l=0Ec{>;Lf5^v(}XPwkZIFtGWJ>D?M%
z9@F}}fM(x*ei-FB0;~b106sRQ1E3M$YXH-PnwCzDX1a=X8o&SX3UXXj6uI4n63_2@
z_3VmA(fep`%yRAe@b18(_jzllyt!^OB;VJlXXXL@4tJOQ+2m#)t*-)VXja<|#2Wz1
z0DOqUKmg0>H^5hbkES7X#lqKDoVU{ctfS<Vx0{aVouokQb&7iEM{((AFcR{kqPWxa
z=+t5=JTQ;4o#(txUZ(f_s#&k6dxo`4o!aroNbO%6obU2|-IKMeS3}QSj0138eH0CW
zf7=vZ+qR4Hp6AlD_XYIubvlLThtRPn$LR1Ack;~jB=5ZAgm>C#=c8>DkJYcNByY)=
z_*Cgjj=yEgUz@*IR%X9#`ZAu8ntKo=%HO^$o{{pc+Lug{d<pLfF8PkKbC1W0FX?hX
z#;97|=#YPTKRplGjv4S(?_X}8S(Lwc)Y~;Zn<Ul!L~|+R^WDeFD0GEg;pMGP6#O`V
zVqeA5ofo(1?yI|${pJz9PYa~C@lKSPw3G1uAo-+jpbHP(X#c}awBzw6+WW+X@D3rx
zXS!3uJ?!Bb+$!h$8r9aI>?VNP03Oj*skgx^78K$gV@k?TAit;nwC~|wI*_%GydUhM
z`&j)-bjOOF*LcGFp_J`E1v3we=`Hpcy}iASp4{C<c)yXn9;~8W87pYEZj;BK*RBEC
z3o`)Th8NucEdk#HU>VC_!GA9(jNZPTlJXMh@w-RZ1n?d<9^1m6T%#O+Bf7G41O;v!
zOn4WSPC0d@kR5&Kid!FSVH!f2SXs|Unm6H?%?baD?yns9%GG+neai`5ua52WYf#tU
zzVrIw+b>*DDz~L60B+BvuCNvMg?Nve@UA7f=Xns`y`&RQ&|k$2%)Jx3*gv9&m25)_
zaKbFo=3#UV`$eKQ=};K<znojwm(H*MlR}*Sq>G!o(9P973GX`7lQZ+*KlU+yljc3=
zMeIJKynPFY-9w>U0S!wPj+>yr=S%W`QJ7E9(MB>~rcr$U6}orHoRU07QJ70V3flE2
z;r&^{d$tt3tsh<5s!dn7j-hK#V<{H2T*VHJORI*EpK(VDcbJSm@ob9QVg_1g5#G6`
z_hEJ)P!#JW+mBKg>t6);zl5>$<-!Pxd484B9|scNeWu4=Q|Q6bDU=Dg=++l2;_{A*
zD=vfR+_s){+NlfqZtg~BoO;r^wLR$k+;$YbY6?YfGNa3DOt3q|1S@dn6uZYL8-<Ps
zuzfFevHrzE|6-m*l4p(wc|18umu{^jythozNBdC3p+5-kGL!#qtnTeWy&o7uDf@LX
z(V<6a*fDX}O`mSNj-kjc{VB+*Jzd*iKzIk8qBojIyFCidTGJ+r0g))Q3!p}+!g0g$
zkJ+|^?mbPSoFce6-nX0JL3m%BvQJ`1!*Lx<M54YAcBPB^vHE+UH-+xSYQXLu6z<lG
zF1z)nXtx0ry&beJ=s-8IZ#2QxjN-SNP|992dggEacFN#Z{DMFGlyY{H^$+jxlm8=M
z!aKZlGHoZ_4!}O8Q&?p<H5l93MpN#o@f7dbhf<CWqnzUtuor0@WxDIp{Uf6&@!(L3
z-QS-sW3SMa#qBA1=M+qoVy4H%1S^Tyg|c&M)_320ZiuqW=|19wWTUt5qSr59P~Q7|
z%6b?`PcInJ(}3}Wcg-mctKKP~CDf}8UG(IAc)jSlC-$y+_J?g4M9J<$0NRB2<|)CU
zBc-}cq4c9>g!lZh3S~_$3$$ZUOb<YXvrA#nKb&hoXC9uSV|gbiDQ-38U6@3Lp;!eD
zF{IZa)96*OA*Gz{Pmj-xAiS4Pc&8pKcEc#qt3Sni^rCC-y(sEHXNp_fjvgMIN)L~j
zL3hn4@65b6JR{{-wdJ2IS^i&3TmC*yiscUvEp7P?hqhr0*BDUY>`DkU8Yec;?Wecs
z`iodf51UI5v0j%Js!K_MSX;Qz4?Ti@gty<ZGqbz2w)(_x1m&I?MR~rX=o!|!3w(9y
z32Hmtu_NI`1bTAH4C{Gw>E=Px+}2ILwL;kyT2sV}U}*GJl%Me;i}LbfsVICgy^pk~
zBCIbKMOjl3uaQPr(!Bs^SAaG>4je^k=LS&H*<O_7+k+CZgD&Az4@x-JnNpnE(6i$P
zRNyz0-UZo^yTj-N6ww#Jy`l;)u2HtACv(nY?szHPJ&!#=S4;s$lonxxSuZ0@7Maq`
zz`>LetV2&PPNf&2lTh1}(b1epIAwuwasp~^2xV{YNQI{+)0?0<RCwO%oz3{JUMTb@
zK)IHr5F=^yj@|Se8vQ)Mm0m>HQo*hDQ~--Et@FiLQdZ<_x)w5$u46smUKsW%1&^kC
zLHHdwgwieyqV&LlbRY6~<l2tj`A?<~@G!|oXXH2h>ND=WeyNmIQ5d$;zA$XZPQqLM
zbSG>YWno<?7jv-%33vklYez*`Z+wTfqg2QwJ8~|)y}FRzVtwvS1bD>SX#v*ga>KCy
z<pMmeYX>UwpM*6eJMvsM`VPwL2`Fd9)aeL<M~&Hq-pO5mD!ekE@-Qd=FmW@bC#<5|
z@pg18b{^f1wWP=^lj+74>;Z_LO%Jg4gHs+TCj#p`5r&i-fxS{8<0)@XPxM%g=zX~T
zhe-o}KZ0`DlUFKxrXzUe!onDMbewKM1#zpWAk~AOr+H8z=BVG^J48ji{&DvpWnN!O
zdDoZIt6NxqjbBQSV&@Z1i@-XRDW!p~d!g9>b7TM&1zAwKxB2rrpVj0ZdWBYu%T=!6
z)r$+Goi<=^1}revzLHXRQOaFsN=n*9smYruHE|tfC2pkn>kH`a^(B;*u$ms;SdMl1
zrG%3$=s9S4h4^<^|0*~%hTdThfUDiG>%jjfph7FAl+9t_>P3aIo7NFd4xyqvf4nde
zPH(Xe@ha;qy?A(>o~0k5-240JCe~8!BrKx`ch*q)t-mSbrURwL+XHMU_1ZkT8!;XG
z1$D9K!s>(3@U};RntOE>+8i!dxdK-$D!jIN4ZXSQM!7f6();Wv>_`VZ!K^d?&bthV
zqV!Z3dj7xzYYLcYPWQxG6~k_NkM)E%SUW7hzKUn=*dgm`@U-Kv4Hp6bM~yy$Rxf&q
zQ)uYTg>|&TdMPdNy+ZHuuhF}VV8SUAgcB<0!}CbONh##Cb1&ia3zU0=3h$htxNu*3
zo`H3aho1E6rYGU_7&@|e;Qh~Qe=-Z@S8DSV-Z>0dy@;Y5*GZ#@b5)KaM(t+HKVwJv
zQN*K`JR>#Zs%-i39$@h(BCu*-GDY$w%}e`|LERN!(rtQaU-HP^g)Z*fN4<8Or3n8M
zRCMPg9rHRye_*yJ@*38z;w}+R38De}f(R$Y5KiZzi5t9WsUPYPZ3-vx(2Q+|X`GGC
z-Rd=J%=lOt`P=Ea`YtdlIAHHcVXIfrpU1;!^NKALZfQvu9hOr6V?pG+YBSwkXiLG%
zS5cpReso~lZhE@djt;EfLgNnlV?XX@%64(4!^Z=tj`jLP@k!0GDF1V=gO9la?Yj6G
zosOlU*K%oq=ULjgZ~;xitSR1!rvAG<2`7_~k&8DOAMvHu`_7WB!+OGLNo3`In!0#~
z(axn#6u4+HEnT;R>Y6S(sZpaQe}uD2+oVoc?6e;=k2uT<x7o7w#DHCguQ&SQllnM8
zg$$1!B~!;0PxL$f{Hw92&;8L6v9w~|6d$u8U4NStaf?R9+@p1W&80;vHxf=$p@BHJ
z?Z<}ozx`LrR;S~?^LGg5azdoj8>CYgmWE(d0H_0~3DB$r_?ZHnR)NO&tw3-5R)?jy
zmmn1(KpNHY3{uHy4qCXY{4(m<&SQEfEw3TJe7pVEFF#p;4#y~@?gaP-P^AxKtT<PJ
z@NPcgi~+Qh6%?>>`g7NrgVN^pX&pNJm-_pEuUmU@&1xFjNUF){%U(DSf$*+A;r)HW
zyZwZB`w8#%6W;qLoCAO!`XU<q^Vg@4uR@=MvlR&M{S(dsKyTGh+R=}558#*P5Y81K
zoFPD~3_B(FZ2QB;pBjESr&=|Q{=ikt7tVDcoEJbiV}NiD1L3R%!kG(%b07%kJrK@>
zAe=2hI8%afegv6}XnPL%i$_>E*MV^60O5QC!kG?)vlR$uGZ4;pAe`+$I17SsJ_X^t
z3c}eGWHPcXk5G#*oC!fVzkqN~1GX>>C7jPdIH!Sd{sZCs2f|qpgmWygC1VyP9h~{5
z*^gh1D9(%@I5UE94g%rK2g2D8=v($9ob^CBBZ6=q1mVmG!g&|i(`-pTE63hK7M?XJ
zzHr_I;j9J1c@c!OAkZfpMmPfkvk=1w=SmRHogkczK{yYCEOa}&A!8}uh;uIpXE_kg
ziNH%))_A#Z3i{xBgtH|GXG{>zry!h*ff1TTQOm~P=oJ^N`hl}K;6GOo&Ww<JNobY6
zWQX*oMdN$reMxRS&qx`;HkO@{x>U6<F_3&ov(mm~SeoKX?i-c%B{&0vaE=AxtP8@q
z8Q3c_m2h4L;oJ{8w`oEW*lJXkN1R21zQ|U>`4)t;FVGKJK{yA4a8?H4Yz)FV8-#O3
zXy)jSJIm(fdz^7XIA;TWoQvq&_!G{^Ae@^)IAeow1_$A64$3|{@m;H*znM@`ew?X7
zIQxQd&I#c>48j>GgtIXS=b8}C)F7NwLR(f_Jp1I68ht9tf5dS~mhmA!!r2)#6Fvi{
zz|iz<M+v9E&^)(e*vs!mBkecb6E$ja-|0W~a=?6w19~J5b?gfrG`5g~h9@~_dH{|9
zya6l8p{6cCj~wb40tNzx0mi`=>JYoC+M->%x(KUF-yOu9x|V#$UmdI_a6qN>jK4Xk
ziIkk9mh{EJ>PV@&tHmY*38iQJwZTtRDYc|;4c1hp#2wPqQl-?AzB5?6SRQrpZR$ao
zw3{PMf-|n>_&%N~rtE8Dn%+iO;mPla;j0>+jS`l4YA)JH|J2j4iDqh><I8)7nC>?%
zg@HQ=JRzw((?Ytwn0%M<NDrkyHSmQ#LooxnwUE{n6f_s}QD#ZHPY^R2beVw)n+oU{
zU5v~DL)C#uZHKfrh-F>}3KP|xe6I&ACc>f=trLqeu=x9<{N~87&MQx7;VYw>%^@QT
zP-kE2DI0TqvlLI67i;7#Een0=xu)g-#5b2DFQ?#p9%L%lw|L5R!xWa6_aG@*{o)iX
zQLZ^ViPk})qx8H1VsQdJXq*FDjPa{HrXf<whDbRW+-PBm#-f5$gB7w6Hj?Uwb;cN_
z$#ppgC8*1&FVZ={u<L?@xk%X-_y>Rnnb$$m!bV+C-yEe`Aq79-i?NN9;!N;+9G)41
zddBrLo(#g1l6sfxP#-0*#&VkPk!CC~F}C@Ty_V>Q-#l%y8Bc~F-5d#<5Pj6{Wu7g8
z$5>hrLULRV&`{P=Ba}HG__QEj3xq69L)3|K)keGqZfc`-p!p&kD|IYtqyBl&SR3Dx
z*FaB$XQY;%uIjAxIW7BOTr%vl^1kGmA$&=Ofj2ZuUft-d?6+MBj8&YKK9w<MG%f8*
z#;j3%$<AvsMqnF<(N1T4WfPKN{k4+5danU~**VvSZZt&r8ESw#yq`gq4G`92%OX9W
zs0z_Gz$<G4^ITi#qa_Hj26AL4^s%z~ucD*2iVh8E3i_22opLxpx?h7uOTG^g_})FP
z>gaNQBd$m?5#{Q?7QQ+<7J4yO%#<{14t@`ShRxutkfEkzjC4gS#D59hAaa0Q457i?
z5|y?NTOp-mD}4pP9p>dyS+>YmV(Zuv$e4lKLCN!#l;<1dS}v8!<top9ke+?3_G~~?
z5QwW9rqb$(RvPtHd8+0FMBo|#%q{RwQ-jN5TgrS`NEVeT>!HG>DSnaCGd+j!R0HW(
zs-A^w$#VTcx;N1Xm%_3(pDjL1qjKriRPk5~sZz1n)V?~)mhrHE;`Yv$EQh+#+@?s^
z7ipHGuFOFDLZm9DS3{<^4>Woo{>?)=h29bzttA}&BphsG*d|y>^;jOyZxS9WH9RHs
z4umds6YcQK0rrCZ82eM%VwnM}xkPzwmG0Dq_3nhBwU(5AG$?0l$$r@oIc19pZ!XCj
z^A=LtpQW_Jk(M>h1QyL$B^L=b^jnq-e+zdfXz3`WAAvMhz`$B&Ehki^8;@`3YC(P@
zk&f$qI4GWuvK79C_**L94z&INTK`76WhxAc{0^ybj8fsyK{+$fYD%!kIKovpR#t#x
zJkm2Aqg6QAPgxdIq0lfxqG3e^`46e`k5T3Chx|79X94e1mX~l)$Gohn08cHkTKot)
zw4`<=dlmKvtal0?2eC|&NjI?yug86k)>d97wZtw7&(A76?Av7jQV|{(2~T4c9`+^9
zepUIBl<REylMKuIlA@D5E*WbHOHsy`><7jwe91J)m;6%NmyBz#_>v{)0y0L$m#_*b
zHZTa(cYqDl0R61@yhJQt8j_q|sGe75BY{au_nU@{ryA<T0lHXX9a;J%y+qh>DSbZb
zX^z-~Qf2#Kg<4u5wK?uDNRzr!x(~=Z8vnXUx*=0mLxp3cMhEzT(V}|=&py#uh$q!W
z54C3@T2~wxLv;y_ujnp?+_z#~(*ix*#!L}gm4)L>ayzXFFVz9VdmpI`Zhvxq?vKoe
z?i#6So`aUGcU{rSyF>4)!S*U`5j|Fk*P574uBt9Zs-9O?7nYixK$|{n;8gq_h!#5*
z-_jlhYNjF_i5`MH76`2V6synhMi{5q)`|U6341eZxT@oyhWxYmZ(KFb!96&+hd%?@
z<k5*XWHuf0!!B7VO*`1ScHoi2e)uaOm-@)dJ@UDNduZn9myblqy-&VI0FyEBTEM<p
zNES>>N^OPIY*o3>s94}`s2h#qvbkr@R+MS7R7+L9M__}^Iwkq^rJAuW#>(4y+CcVg
z&^zxc(ayiRBepyAq6NyZf_An;+*JIwM9Qg%u>l8d5Ze{dLA1wmc5D3Y3TP*7v1ljJ
z%JSj9sTD#)=vWEoWqYj-z@{Nt@flJ|WemgI$u?OC576`R@@j+BeNiU&e@d`$@0;73
zwL}$<2zeYM;Qu~H`Lgem{SDKr)H72r*Vss;(S?5T_uB^`=Rj;E7>N9{L^I^)md|~U
z`KT8gHEt`a=M$g=C)-0ZJl3-XMI0lKWtDp89t`*7?D3T4IG0rhw6e`AT~^szt-MaT
z&&2wy51y=wIV{m+fj$LW30*v8eZ{xD5SC~m`lr=>s#gQQ&CugE2kj-Jk2dgTJeJ{6
z`E<1Ql0H;(#MTE+c`V31QVYn4Ers0E;Cg8RJ#7PQJX&O5a=2>CZ`g-N5lu>4{>h1w
z<!>mgetQls)hvHYSSv*zlzQb-tE*&g4th&w0(c%^mzV%5=OYdGRm@eqYKeJ><9<%r
z`qPrE9;f9|9?uroKpyg}fjs-b8p&nyc%Svl0`>c;G?ueNEbBtq@f^o;4(?URa~xW@
z8w-753XG-RgKWV|w<zx28%rgWP{No#EmbyCj4vNZV*$BerqIlku)VWKsPM}=AZui4
zz10FQ+-mu08{w=PO~{(T&y4YpTO9LYFG<u2zbt{BbIA6g4Jhj;$;uki;}$AY!kSlk
zE=4-r<LCO3$Nt==W&E<#c)p1FP&ia-hiwd(&ux~i1Zykf;NP-L**-9p)1~}en=(C0
zy_V*oG&R$aZ-$DOis)&BXWWK9E!Hx&16rVfTNLKRP!^ZZoG=x0fsbV<djo|+MK5G&
z$-2TN^E^l!<dtWv6lrqEwuZUnI$)0@=j10!K91+7EDio^B9(0}mCw>*8OSMQDOo^^
zc&s4nZ$;F$5j8YqUU^nyri4koJh}c99IPj-*=(O!dt?paSh)nAA7ih{mR6>lsgY-E
zw7?zXms<w664?WAe}sEE>}OfJT&Id&X(3LLHP>uuDY68(Y*`w8Vb!^3p#^-(NK@7~
zrjjjJ312LKU6iOLX5$&p(3Hr!EDy{X_aqcP<XTo*G4nGUxz)$%vbAB3ctoz~wyc?4
zZ`|%nX2V$1<=R)T@v>B~HYt{#d7ch>xaU$r_rPMVnPT=%CQ=&aP4;74Huol3&MX0?
zm2vv{prJR~d5K?O4PpsdOZCTf#g^ZrYRhjVS^l3(TYjTuN}qq-<kFU(spm3ES}SX~
zEDxpM%l3yo9@~kMbPA7bF_hmWl*(<0YmKc)8;s4E*SYw|G3?_?tUT+Bl_V){SuM~@
zvP0YFexe=vOJ75))cvRydQ)1`%%@Db(z|Y`*3V{XD*bHcN1hFoTeR%CdB$44w9DA!
z(pH1@f?KD$=6(u!@aUU0mup9{$%eRN?`19Nquf$hG9?<q`e3HAT(Y(2{A?AB5zjV8
z?sN4lLlZyYzEBCKifH0~LrJ@}mGqw5oGd5q4Vxm4+ak9Kwx&D_Tf$jy^my0;@$-@v
zTbhH?<;s@0#3r%U%N($bs-~y3UEwliyC&nXMq8+bISAGs_U7DLO@LFb{n8pyw^C^}
zk?O7q#{Y5-*)p*{aKBj#I>P-%wk)y_TmZSSRWyXv<`PR}Cy!A$PL^MZEmZs{OIEf_
z+_J}@47neqv?kdr$fe0OV2PUNHpaaoB`?cTt}m9mQfG2Mh3#-z`qVjKi&);)DLobS
ze#o%mdM;a^veq&MtV=8jo?~KqWeZ%k55~6PQ`D0}q3oeqhqx_sov{>T-eta&IObE<
zHO05KK`*m(%?^Y{${cepMKaou3}cloh?z7us8!rsFKt_R#ft4LdrVogO3EDs3|yni
z2u59cibj<5-S+$ow2TJ#Tz}m9)GeJ%O+~hYWx-mYv|pB9iLEu2EWZ~l|H2wVf-9*x
z-)y}vn*O+AiG3|GuvU#ZvBr|+-(1@A&ul4K{zk&e3i~J2`}|yjT-$OFgROzwpQxxu
zRwA4KEj`37Wm<iSv`T8Yw05&5{QuUEu3v2V*y6MOV2i^wth74z1M&#I4ZND%i;`P0
zTV!>gp|sbsQmxD%mguySlV^GOcZoJBR46p?6M2NgTFJcvSu5LM)~YORoKkM5iicOq
zDZd`cyvY3z#X@qgmo2ZN&vIV5?9x_nF4D+-=E}UH!UfNkRL3}0?g!VD{8veD{Hrqe
z+)L$gknEM%QZj8dkV+S}rZr~z)n^Hsq1L`aTK+d2>9}8FB8^VDXT{?(zUQZ(12~Rn
z)tDb18L|Crg*gc=%*e=o#U4+YACBj_@gb64@TkEYF|`ph3OX`f(igT3tt9WOgI_%A
z8HH3la+LF`&%(3<2PM|{OJEp;l18H}UE~`8N%jX-I><d-)dN$4FOWhRCve|EeGWuP
z^FJSQAKV+3xF1MikZrJRk70?i@9nc>w#3IKz!H~!=M7&z<=v_ycFC5Q*Kd_o;nP)O
zjF9GYo?b7H@e2=L8|Y_O9^=_6G0t~o8vDAG$N2Rarm@$7@)*xmiP6!KF}Cq4kMXDd
zOk;cO!cnbXbWymzRwc$I4H#qh^6#NLH<i9b{<}wcj0sg@{GJ%2Yv=Mbwsm0|wN{tM
zm{=u7uTaMLsdagbo%^yJzdKnT<EoIVv}ewK#yE6qd5nFWn8rFAi!pXp<hZs<jIZx9
z#vuLj7zarwOxE@<k8wkl7~iy#FxD)Oag21%*oST9F*XRRit9`57-NBEd5q)Qvm9Rs
z7Gvzj>s8zef2tCrNM(#?b<1NkTE=qBEop__6^uVuiSfvA##r}Jd5klqUFca@99L<0
zF~+7<VjMD#F`C~kk8!RMXiP{yQyycBDlz6t8XnoHLX7q5iuASRF}7C2Shim&I>nkW
zjgKOLQSE)(xkl($7CF=vR)3$BF|rI{(YkZZYy!rKFpUglFk;zf?qJ5KeM`Y8zI}Br
zw|)3$%V)NZcfjoQ>aL|Qw&>8Ii<YjHp}F;RQ!6cFi@BC_Ol?fteDNulH05$tTGi@r
zE@|z_VriTc-*PD^?H6cO^+8U>(&(Y+!0iZ4_(CB;IosYNxejAY`KdyT4eM6lmR1_$
z=)Pn1WlHN`(S#2a5|oq4^tnSMnVc^plV3pXZI($gM5)$$@6n+{SFM5OHl|i)<}<WL
z8(LeNEily@VPRsb)uMg(4z1dE>DH=!tBxI7b?VZpefxGTRnns9s-$&oF4K^8xeRZ&
zAuT;fOLNeKV%~Zx(rSHG6TKZ?SHmTZM$|lEpVciGV>?ldF{q8XYyF|{RzmnxBl@Wh
z)=aC{@YT@N#D}<QeG2{Q$<MHaB8_-@0{c+hGnA8AFCiGaU-3D&ZOmT<)yfR$g%a%d
zebsIA-$63=>eY(ZxO<|cnyfcgaaBoT(ICd$Bd-kI_Q3uJB=K!*QL!X?DUv9P*A$aL
zCqp?&jM)4=WBj#560#=BvTaybGr3V|j5-5#b+q(H*cw`yj)&UMv6x}q#?;PKR;4l5
zH3c+Rf^uT{d#*MYrR`QmmGq!W`K(G$^Gm5xulAkWX^pZpHD^ugr#-T-&IGNwtVkw?
zHil?!=H{lxHf9#)TGK78DxgTKMW>FPyL8hsvbQm{R`kpe1XjK;;p<sU;GXXk0#)_)
z2iF^0l+JHU6F6exX5OMEt-SH+7I0V6)khUp6@XXqW#jW-3g6mSfA-fHe)VVFnP%2n
zmR1%stPJOB85^3LTi9qBnQB?hH`g*V*BUTtti*krFTVJ+sS5G99ch=oez|G80^-BN
z?O)-({@d%@>q_BM)xE>^|Ht0Dz(rYY{o~JEgaJlo6i`&m(eP4u8N@qY@G^>*K`sK`
zfRKwo2nI8#B?=B0!_$~u>{O>rPgZufGBYy;F~Ljaty1xVW;KW@mLV!R|L@w*49oy>
zI_G!Z&wJkghtbXRJbSOT_S$Q&z4qF-=jnpy_4kgy(22pXdtm@eKl*|ju9iQKS>e88
z*YMPY6r$Oj|4=xQvqVzvpz9!Et0w@eIEBbf<m?JZn#0tn@KfSK;SqWa67KO#E0pxJ
zU9pvtr5!oQw)zPVgh$Bi+IXQzZc8%9p>c6s9<rhhk+vV`sJq)9IPT~p9OiZJ|2vgr
zwW2l<z#p;Qw{jh<OIl7AGGHqH5MQCzD=xO53Z)&KMXJehb=XM7%1*G4AlUtaAdtZV
z7`K(+mLd=wUG08B*g7~kD?2LzajdL)xFI;Y+Wmr<fbAmMZ`&o%E&&G#P`{eow&j16
zS^jR0mcR5To8>=&jYxK04l_ayS+qa2OQ2l>?Gk90z<-ql$nvMb^8W^xlR~pWiA;Lg
zBb_Y&Yf4AUUv6TSAA^!_{?=~!|EsFBotbtCv`gSGOMookV{QAsY<6v9S4RtYq;b~c
zuF=r~rVU7`eI$r8>o6A<V2QSPad=A3AElkI@5Kj?l~m-9rilW5XT@g|y~nwUFtgZe
zoEw039gMk`Yx)~LF97%MIll#zjQ+eHw>9pD6*~8vOZ05UvtmPuQFGat+mI%*cnt&b
zd4`UgRs?YtL&q(2v3RKw$#;Byc@SrmS-b|ar}gY<b1*${ufGC7^I+s{K8Qb~$0?Tv
zae8^m%Fe*|@+F$)jYvq5BR)ljKV~C6s*rB}2|R3mipXisnlxuaEyIiOVA52Dnlz^n
zPKH{%d_cmmUuD!B2`tZ*rOC`xrg<q+BF7QAF(7C0@+5AwRp3%zWznCq=ueuLbigsE
z{hoZSQC~4S_p;tO%HpL2n8izuzcqt+%~f8;yBM`cL&MAii0ZsDKFQ4Mj~a3>a}0a{
z1D}Pz25p0dKVbGnW@VPXGK%l(P4VNHr1VafzCn0QA@QZKD4nm|EC;w@zr4(%^Oc&9
z;Xuo+Q$0#<othV1mL|t;4{-k?@-5d~ela<S%g<$(>^_F129DQU=DETWotx!ojdMUr
z5OGF47&MoqHQ$+E0UFUz5{)?mjZFd#y8I;?bBTtfuZq~FX(9X(appM0LJ$EZWk*tu
zppp_dBZ3R%r}!$3>Ap%6f?ricR5Y)tHzt`wc}+vPrh(4t7&Y}KO>N@q1YX8#YZHy^
zRU7l-Viz0?Lq4OJ%*L|6Q}Fl5kx2e({#BZz;<Yl9Mjjew+Q5NS3PpvR&tu++?>HBb
zrb3DiHIxR0S-j>T!m!`l(l?aRIAZq$JsYJo&in!4dl7!9VP8;+4<r>Xpl_x~LrD;{
zYayfN6H`WH7(d&<epGZoNy-)=B$pS4qG;o}&uNy+^d-LVWQq9wU5i&b@c3H8epz9i
zzL&)-g&w)kh?JF7A38vx*3-~_NZ-;#5h*E%PnkoBzd$SbafyhJN*is`?oShiS$=?m
z7nbBqPvg=aGi?Y1dN{Oyf2euBg!IR=phTxKnTV4x^IO0t%t&B{6Q*Zj$+81A9aF{<
z_1pI-YiY_rdRR%I7OzK;7dVZJ<$n^&X%iVMuM$~Mb=C${rtDq>u8c7a#+Z6*5$k~%
zc-NSFQ}54@qf%Oa;7=jc^Abq!DMav!(6FeK=YeTn$ujq}l{?zBp%yVI&?=IA5o1GM
zSfVKS6fu0y0z{Y!8AuV(LoFvro=Das*<@k~B)2eYf<R7DZ~|4q1R9P{`_vi^bV?h8
zQsxma^=aGzXEgAYcz|lwho-CqWzfQlN*NzvW@nOrWc{QR9a5%68zbw9yt=SN-#H}|
zQRW?hg$S#!Bbzj+3EpOfqAnM>H`I%CUTLDxlzI{{&p_p5`E%N~{26T4ql=^EKh`+w
z@s`}t@>lOi<|r@dhexGUAuo%UP7oKB<SZh<6Dc99f1{>BQAo=HLP^6?_5+~i38n=Q
z5)-Sg3z{mB1Z|L_(E^^UiRE(}3N5;5tGuZqAa7G-Z8%@cB!(JdjqiXg%1ocAK-+^l
zcH_0R(P*!fMtbPAl<}ghagR#bN}}0^1mw%--i)@^F{uIaZ&HK8FlYyQH7iH36U`Nr
zS|qQL8S2HkJ}D=`n)y+XO(~(fcp(Erg(ap;@4;*2e6TdkT*)|;29(5<Me%w$A0>_E
z$E^o%X_AzBps^MM9n>o$_*j{FA&4x93n+<=DdVR~0do^Dq137f#+{!kGd~1@3lIVa
z)pu<iT)-WQ7zY-B&l(l8KuXHl6eZsI?mO?ibL$eX@jP~=^pZI6s8OrT>db4rVb-0>
zIr<HyoDKKH5z#r1o1*?~#E|iKj$NO|TNFE#rB}qo&vFStTu~>*j=7?M<HgF-8mZx$
z#84tJlu8YkB&C<6ZYQiTVSfV10-(@)r8Q25OA2J%lz5L4EQU)HX4}9m`d4Zs5HbIK
zNa1l^WMQ4ILvg66Mm+SmV#lb`>*C_qSk~PXJ2=IT<Ay3pX_b_}Q+i$MR$f?FoW~L;
zigX>3lVXo_13lMt*f|bGE1D=iFi|oNEV2^E9T0H~bRGP(N~3I>$X;F=Pne$oi*eMZ
z7twbHR2G!z69Vc?e<%5%T|dthOM2^6_Y&WG_bQ6kz6cj#YW_V^r>qMHI?&_210BAj
zOF+p-6KmW|TYL%El<3PT_8ctACy3%A5m*Z<IH<o06yzh~^|AmI(n+x=k5Mcv$?amO
z|5JC>P=8P7Z>YEEFU7?UEm;s#78t3_zFGRClcC(n?UcbHTY1oMUB-XQmz^;4TKS}+
zDXx~99jN8FSfg^A2naU&%6b&iOsy<*vk$lk+a;B8oZr!KQ=T_mmryh9f8sk*l3~9R
zwk6kjCxa+OPrykk!cqv#{3Z@>A{~U8ehGc0c@yhpWcJxndQA1=PFQ3Set3=`ZHzXB
zh)5pAPE#S?+kQ6!Dr+RB>71l4D#GHm2_ojn(!&ru#A}o&6>NGmf5GenQj9Z;?j%Z4
zcu*%ciuiIg)tE9Mz9Q63Tx<Zz30VsI&qvBl8c*0?Sy*_e`IM5;fP8zHv@$-d!B8y?
zPYX^-M1`bG!5{O~dJ7scaSVLJRT*T7#$0$1tgEBTHRQQ+Mt#HTPAnrb61={F@efY<
zPH4HjR%se54yX*go#VonegW0s{Pyv=GJb^Q4qw3^E3Fp){sw=@a8dI67KS4^T3Bi9
zq<;{71ZeSEPd-c<WH=xT+y^%Xd98f4F|WATokWirCo11m^igC?Wl^DFWchR3w)~mQ
z@_RX2{vU){53F=<dC$@Ehnr`xdR3NBg{r_eoC;?M?mr9~t5R?fX1F4wN>vnmf)v9Q
zvCh|U#YqPblw2bIDB5DN=g{e;W@%wbQ78R1zLfR+hI-d*`E;qeNMwzOK&u;v%vR@k
z1{~kx3R<`7rthV)=Iv7#b>eGDWB3CveZi9MPDd;{8tBI~q6<xl@h<jI?AaGsukV?6
zXSL4TaL;9xM{%U*^rBA1lSKg*^b^v_#u#r%7;e(1aSN;&7az^L<V@sB%@Qk%8WO5&
z@xHNYopkyEk=hDr(})N@MqXHnLMx-;dT3<J`ek)M6J6GekMTj8H-cwGbQu4Q`K;iB
zSUVF)N>M-^9Z6}Ry_6~x@12qwE<#eHLtsz&3b(^WUG(NS{(#U86;>`&Q68?@-Ov_Y
zBSJ&W7l&X$RbAxN2$PQvz_Pkr0|kdI>bHzo%IReT?+oy~QnfKgUgQoKk}H3wM$F$e
z!rVs62rN20#OyZM3f92KD2v>oijxZu8e^2Y5hz=+Ti)%}x`8lbqqR!CZ=q$SYPFLg
zSLTxAU99yEDRM8KDJnQ<<$wv>hra{*Zsqz{8rfvxMsX#Oct}x~QW*TBZYT6+v}TvQ
z@ep{(0Vj1MG}E%CKSGNnbt|lk&Q(G7aEH?1j%+1eg9j`(+_UH(p&pVNX8yfAlyhY$
z+Fn3OGVdJ0_uK+NleRvfE>v*j4CP|f^&qR2hRAfi(Ih1Y0!x>9!wV%WQ)GRp;I}Yf
z{h0-(sUr9eFH)W`R8knK2Vjq)!r(p-Bg6(Qc4s`=Y?76s15#&>43^Ecp!P#18C9S}
zVaW3xV;VLgD6rP3ZO9d)L>8HTwn>U@SIk{uS)QUSD`||!T9~#WO%(?7_nwe*;Jw_A
zCeJVUZ~VRuDB<t?{w_25N~3q2(O*y|lP4n=j^PWlwV)>hy#uWbVgz{?mY{USk#ewC
z)X6jt{lcwN2PA`PBnKpZlcAI*{k>f20f`#-iMAV;Ra0TnU)sxBt0e@LZK!uC>azM*
zDQexxq`4PZoBfdA0joLW@7ftendDR)Ul!|E%8VRzTr%12xk(vt$M_p&(j1A1f~5>7
zfqlM7h6<Kp52-lD=|;^_qvoVha|)w+qo#^x7&PV@C!t4I>_P1-3Le6OJhR}F4E23=
zau%!qy}C1^11gO%R}nGE7+K3(Ou<!#+w&Dq)*=(d4&ze~!xi>54Zwv!4D}BKN>OkC
zIh%ry8g9ER`v&p2orL?Gn>Akq95l&|rdh#9DSA1gEiO5~8tQ$4rhlEkQS*WT9$*1H
ze`cA7NxpZoX(fS61cEug<^}rlnw$Eef%PjpnIdn7n=r0myAKQ6w*2V2vB$;J(ej@g
zZd>V`V%^zi-8DDX{0TfwC~{zK!zu~pWO!}8DMG}@TrHP=E=KvP@hL+~VC_mz8xK+D
zd|>dA)CdFhghV}AJ;V5jFs4@H(>oSErj`m5dK6{6<KkGt(4&ZIEa7lgLe0%kG}o|b
z^MlR!iL9SoF5N|hjWM<S3FK4#7OX8;>SVGaMVYTLx4em;NP(Y^2@R}Ht=0jht}IB`
z$?)Ue{KK4zs9mj&C9{1vs5$~y#KNLh2jjL_Ja&Y>Q{LmEVR|>iKC$7js@fmXV*~W=
zh#abyA+oxUfP;Rr+7q{RWlEj9;m7L$CdyJo84fF}Z=*Dz3^l60Mg=>p1R&~Fr)Dy3
zEWjWXpqWfH_2trSU70|i1}cNs-VB443Xd}XiB6z3c%cH~tXY-YWz~qf?>?vsmX$A1
z>&m58{u+@?_d%k`mZ{a(!F^r1tU1!$`yjb7q+NtmrfQD#;C+xFLgZA)kd)1luHlmm
zt%(DpZXksM$x(cJ?BNybN>E!gv!ri;$ORGlu#Dgo+N!Ei6l?5p1@&iDMQ_NOT74Pp
zJLVOBA9ybYza8*(t=3cb`{2PjMm{SUUJH@`bh~vyV5ASEX$+}F<!-wVk~>4{Oh_&3
z>52OwQAaSf`W%?2CLySKqwJ>M2MKTC0n%266x1B4(|wT0@K3GICZzHfYIGLfeQO%w
z$&kha$+4E+yAM41!BeZ<0Z(nW)rxxTKB(lNO|3ow?x{fybIfn7J(6PG2T-?04HO#H
z%M4LwMI@iUxNXb-7_<Byj+Xz@xkk%>+R^84tQ3hOEAQB|A~e-_Vx^@D9J<xIjM1H<
z-~$;_3l-RKA0*710_hfbaTHY2ec&YwzMSCoH_<&c7H8Of5IQr27l6>*3OAzOu4}zO
z-VAj?3*HXi2i}9h`&qLRl%`qzud_#0tn;zAK!W02MLAkgoJdE+a%g5V#rcFG+7zd;
za6XQRW%h_dH9t;>sODy@{`iNTR21vH?O7G7dLlzqHb;EN5s|vdMplLDmI2YRx^o<H
zl=e76m7hd8;LH^sq4H=N4E3^=-T4ZW=hxIjU`~+v&U!hVXQLAa9hi=@PJ01(7uk%!
zeJj)8=$a-r7)tB;+<JcO-wYP-Wg!;dFU|1q_<1sZyrEQP^!b6GCpDDFj0=B|)~NaM
z=O)S!ea`0x#MP+y@yYyLDb0nINRt6u<Bmr{qzJ;zZI~4J!>ZR%;=&RP40WAM+9QFb
zI#-M+tfK`sr(lUz1#zVak0WeC@btwBK%XG)7=j$32ST5ILEOvzgSZX@f;bsMD&kHe
z{MZ|FO1K6gtOQ<Pz@-B2RfGkI8;-E>p&)!!${YVFi13a>u{S5N{SZq(sdon_DgHWp
zd&|7NT@d5y?dI(*XNfGmqq|fpRk$m?J9&5Z@RWIbbwQ%syX*QJpx;*5iF69B!Q3zH
zTfkGeV8x@s0LB3MSD!)!MnnbFMH}@6M*XRB&GYLMg17^kr!ZBs-KZ}z>epMmwm*Ve
zgx{w$7OsRVYBG`cXTpF$dl>`W&@f}<eoRD@DwwC;M9Ky=pfETxMw*TK-9~+_=}U?+
z>M;$xU$Mu#u#&HU=XkfT&PB0jt|$nDsNam5{eGpo1U_=N<Y+#cl4Z3q@}%O)aXsN#
zDlkngsW48H8p>r;4fkY5Efxc>t_<KyF}*7dsDtuoF;_*)STgu?r!ZZWd5zlGNz8f$
z)PVtjTX~4wO_qOM+m=6zS^mzBmfu`xv-~T6ceMP4m5PFLEG=0y`vXd7=1G%h)Vx=&
zIg4UgiZr*1G#~Mim~!#twJ3hKiAL>yHfl1>6h=ia!$4tFq@KY>MO&vs+5({A?!$mp
z6of#wrkOM_0#S&WTehFg>S)ihVbM&?NuO<^EkNd6ta%LsS?zw4G|x0;GKNAdV{76s
zhP%Fsf;T`HoPx9JrC_yKd#m7}qA&`#2Q;@-)mq#bwDqFuDY)Td_8ViW6nlCYV|E(K
zjs_ew+;v%o*`u8`GWtXFkXB~+m@3Q{HGu*!=PV*I0@M5QF_#M~b#h*QSOD8!^Du6B
z85;RyqsG%1v%dzb5|=Tn;l#_2O{#I>Ws}GNASto|Q!3i`6sAw1ez#8J7R*W6=mqTh
zRc{n*8{d=kwIe5{vSC?>50w^+i!@K+E*Pq_y?QCZwN@HGDu^ro*yf&T%sKODYvnm(
zEst6#PiK^e)j<_iE*rqGBH7}=J)-}_SU@P7g35+Ol&Sg`iWLeO*+Avgo~=HCxO{DW
z9;&*!oYIdH<SvF^Usp=wu8Vu~4{|D$QCnZV1qp_OL3I0)fXT*QCW4RIPt#8$^j>*S
zVEm;pl!+l@2u@X<f#kf~0T`J*fkBv?kWxL@N`MApvxtBe8PZtn;&sD86=g93v4(?6
zy7jXHqpPUyMbX-NWu2xTbI+G`Q&5M_iqE8|L^o>{Dn1KpKtW6!wxbF{`F)|r$SR8$
zO)bG%VCqLvunfm%jG7YECs#cVEHFJF60TMfd{BeQMChPn)K(Q0(tWw6gscz4at0Q7
z78pc-rLDhJszT#b6yW3`SND|?HKy}~4yN$Z6PV}Vr<{;tlA@vJ(Ymjsx_(G-N5UkU
z0f}q~D5;qvXdm)ziVLdyN~YTlPz3{xY<P(X?W-Bk#3YcdksgSIDQw_FVHi9?#~68}
zumsa9il>RAm2Nzqk1Gt@@POM}XADQVTc-d75R_=pE*b$;Z*c?jrAqyLs(mObwIa%0
zvA2Y{H)<+s7B%ILSZk!V?kkn9udUTl!6F+Jdydu&Z34E&sO*6>6^N}-G9Y4|DQ08^
zuc^QafD72uR5bA>18=<cY~jJ87>`^sQ8fIh>15HsC?Pi28Bye)@Y?mL&rW=4sJRsN
zOa?Ks0e%HEMn)QwiB#WnRNMUzXgs)@(&EE;)#4(p2P32Z3}mR9Yd$;2F_|)(aPCzy
zT_)|8FhH3$EXPB5aimAx8Ixu!_97HgYLDZFeUk7{viuv`w*1-5@^^By{MQEAEdPh7
zB>R2s<{l^q)>7F7+4`DfQdd?0mzFG^W31edQGrD)o1F9UHEZA?^O0K(`+f57DEd>2
zs4{BS>s`w=_;3_HzZ1EYFQkHE23AVdAat1e8N8+{Z&Zl>LBrkna!u8dgdmP&UsZt{
zY8z-K<nmRIhZF^n{Wg#i+}M(PA(>{NG*z%LxJN_hwOjlu40jhBO}@xh=VG`!O;PwR
zXc_LHUpuQ<_bl!Mq0z;-qB=!Xe|j-r>bH+n{cLUr>KM;rY3GD7vSc-wVhuL1Oz%X{
zI#*s>Vwxfnq3QG5?SY3C1<xVlz!QpfJg&u}v8#<Sn~X6p8Y5p(6r>``YM~W-N|5V1
z>L2}%7EcrvU{Z1z9wtw$R^vjn^{#v=vZnRXv&C8ubZ`ZFlmV0Rrb!m8eS6~}-27Y(
zS-P{v!hv{{l#)5RP28*&_;cnpB|(h2yg+TqYFL$$V$H3B5~FsfP70I1vsm*{0oH>J
zrD8nrn)d=r`J=1F{4qXex8#J?pV=^g@_o`B6BXFHkbkKFvNCQ^QDor)IR1X6B&*#h
z4jv3JqA_yCx?3=<rr_(P)s)T2Tc=AeN+l@IZeCN19@kK!EO%C6;jw(06ix(ZbC5L5
zL3$AS(G`mn<Qheow5P(t&3Au-k%m)Lg0)%Zlv%VV^`BQik6bL8O(bYVAx#IOpA^K+
zYd4|nlEaeH>IP<YU#Y%@E9(_hIu+~A6a_r;MwiBGc9VU1$tW_0Nvl7>fP!qQj}_=u
z0z&Hs1l&BMvieyDAkz(D05A;FW4xA8Fv_a+G#tTGqxl6IqGK5jt*bC6!K+2C;|R~@
zGk~EcejX%LbY*tgHSywvM2EZt7O!LYL>4zd$j$>SCR=$-1~*5M%%1JJq=e51?<*3I
zqM$cwnAts{?8TA0i<H$b0Kg$XA$m2UTkpMofb^`r*8n)2g;;SEte|7hf=*)>DwC@&
z#atapAKtaDhqaqRFIBENid0U3c@;1YOf(0ey+_p7jR6tw#=b5RD+5Oa3JaQ3c*$s&
zIu5Di9M6FSfK8pGwYP0#vpeNbs#Fx_fh&@9pwJC<rQ8&sS-UYIvuo(uo7ioZcnpcu
z*V*Hv?iD-WI#rP6_y4}Flfvs=$@2Gq7?xjn*N1Sfw-#rnx6peFG`|U!A19l~*-i?7
zQP~#7NF7m(FKMJGoSDYi<8l+dx1j7=ON#qIv5oV#jN-;-d+&e$j`dF1d;eTeWA8MV
z_!Ok}frHc<MIt0VgG52#o{c(EAtdG4@Pz(9vI5?Vkg|}FtUh`(-we7-?X*eH$SPq}
zxg`NRBM&mKv<I+lexhy;uPs8`=nS7g7{)g`1^3ASCNi=?Hy*Y+EYzI9tQi)ajhZ4w
zfdP4;r>uFXEmQ#LWjl9*9o#X$V&y<SvWh<)kw%jp+n6tkZ9_U&KTTC&8EpP4A7hN*
zklw_&)D$XOUo4|7D7XEv%Roq|q`99~ea?TO)iO7aKHbqqt7S0fFtTZC29Dxp0J{Nj
zzgEit{@$E|t<|#BT%_K=)iRLzl*2!7wG4K!LuO5_mL+x~LicO6g6Dfp)U3EdlNJ(>
zA+e?YGSWM2c=r0sQeHudRVQoUim)jURA2r@8YiHa6}Ds`2KH7rT+k-6{QRtA7>FLh
zR^v(4<RqaInmhKeYt_!g6Cq3OyA2vWSdDM>B{T}V8f;29hy;ep{9$Stl&{dI(tzY>
z^*fHJ!YG3hp0T2$gX?8$05pKkVHpWBAcwi4CXLK&UjarA@~9FpS5Y&&i6yEf#EcWV
zFr5z=aUn(&J1T1W+JWJ*i!}}KlWMRcZ%s97X#_!KDHZJ^BLH7PbCTK>uQ}qTIjVQB
zQD6hRrUJXy5i2Q*`6&OQ1w%-9o8+s)Tcc*3x6&p5;%amsh!)0irdP>h!~BA779VrO
zE#|1cGi~xiHj09k$j5L;re6jplGi+i5kY+@U)q<Z0zyrNgoi1jqX<V3o;O?+nKxe`
zf5^LL5+756X()G)as?^fa3Z6&k^yi%Uy*;2=z!+)VTLLZ;wnrgB57W7o@jWIJ&CLm
zvhmx8C4E>2EQP_Z5H<)<ld8r@Nf`ZN<XiNrb?i#L)8V!)zn=P%jS9zc$?aU*xa4ar
z!&t{9%<@A6h0*Ze$s5wt!ex<^3Z9~IcH=af;3fJ){M{YB#GdD@UZPP`OY>*e$+H?K
zxTK)Q=81F~llE4SQ321Ba&z=NA7V5yCmd-GkDyZkVdjIF4P&0CBh6y%M+FCUGfk1(
z3?*V?S5SkHZPX5Ewqdgp^JN8!4!-QN)+y$HNiKCBs3;06@RyHy&o5>tq`z(#QNF8O
zm1&yE9BTg9tuxqmi54$8QzN$yDcDRF^Q+bO^Q(!Mo-L*v&6U&%oOJN6r-QcsV@X-L
zGZ8b!H52_nMhN@tv}Wj)40{qtQm=tfE0W^1d4AfG!h?!+JE$DDm8()sVb@EqNGI`U
zZdI24D3xGJO^#VpqjvXS;@`e@{D}ET><--R!2b-8(|?SyQ;eMShZUl^{tRwe*XPc(
zS^`D~L!Y_>BK;T)q0n3~mg(ADBNb1{;la}WlG~U_aL~-^Gl&sJafN5#Ir7@A5XjRR
z(7+&py;jwc<lIcf$Jnt5mh7~gIR*L-b^AoRVBSO%-v5G@|9HC9lJhZJZ&i{CZnvsn
zdTT1^VpT!j@|Wtb*_3w*vi=wK51x`7@(nZT%@`h<4>0Dj-%wHb5lNor>#cM55DI1;
zB!_5n@?GlRVz2`f_U;wG(}8DJiTN{ym8&L6%8ZKp=y>z_`7chjDyM*h5Yood=?_Ac
zL7F6n{WYx7rnM$9XRE~i9eIrc3;&|LT5qq{e`vKVG_4)^3c3)<8QKb1g$;6%FBTrh
zfLif%Aw)=uOP2p=+m=6vS$=m%%Wvsxv;0f2!`j~R=Tqfqw~W?S<w!6;Dk!rsi4n|i
z5VV=BEWm75)@EU8!&{^*)T#__tcI8})KN>bR|Zr*TxRWAzcYcSQTeE+RT@-&*A|sO
z1PxC`8;KnZoDu>9b}Ke6;5gO)z8Mdm@H<3g73(5sv;dpEq_ygIwN}4vCgfkV*hSy}
zs~VtqstgV~nWk;HHZNH9I!Zja$_ZwF6V@*yxAWQ;XG}LnZZ~RQG-;o@pB)j@N+YM<
zlGOm4s=4xA>uLqphRI*C$Hh+m)c9J;zjey%??X9qdsF*U?CCDFzt8^XES3y>{6|{g
z-jl71DssDGkE=*qReiDnImMj)oU}gh^lDAPG5tiSa8PTV56wIZU0O2(JI|I&KwWhT
zHM5wiVmF~p6|p6WVpqYpgC{e&xhqq|R;{c}tzWD3Z=bN1!ZtT&?8U!I^R1?tmZm<^
zG{qZ-^q5a1kZG<rA2%mM4fU|lnrxN%KjQ(7LeBqUeKzZXUSPa4qr(iDz0onz)T}UH
z+nU#~QqcA09nF^Gt*QoQhNX&vub>XR_B}sL**f$!OItHG9c{*jooQh`&V6TITlWyX
z!HZ2kWckz2wKabvIzX2H(~Oq$M@R7PI>nj2BU;WMJqC(x%pWadeMv`$zT{`=*S5ao
zgF}veiA@h}UM#J>TL%$w7zo?^a(xG*<|@|Uo16Ksaa7i3;{n05`R{<bzyrp}-HL)k
zmq-}Rn%K(%O7%NPEY}oJbFJwGCj{-qy9NCv0x+*xk7Son^Pd36Y7(z0!n6IhkVrYY
zUCpT+W#B$jutg`v=4rj`fYcv#Ur=~ZkK-abDPLP7F?@ru(q$lfnl|V#$&GkBGL3ud
z*DD7FalQyA5C$O}LMTOed0-H?ac~fK5!dh`LELGCS^h!X-w`$=Tt?a*1kH#bZs;iN
zJ{cXvZ6AZfnt;2EupMcq5c=Z2dKgX?0q*9=AZ`R;ry@=X_%8w94fp-V1#w*O-lE>U
zdy9MbmPmVdaO&+Wv;7b&{9Ih!<Q;pv_wKFe-CK#MPQ5$#?(Jbq?cLkc3+Y|Fy7u<&
z-K~2MMQ@*;5A^QctG9~n7RL?|oD(@m2OT_ddXLxmU{A3!EL`s{tW#OMN*)Q~YUH-3
z-FU(@-cDRFriL6x@fA^~$3(@QCKepWeAzc9Pf_4eUaK;8ip}wiSkHGVo^P3vcUP@<
z!m+we%dRirwWwyLu~XwYB3|o*O&#aZ)p}!Q5Q8KodPtmW3b(G5&4W$AGFc;hjHNGa
z24d_ViH?d4umt>yL(iUWCAnVHH2fT2<*id#VLine5oyFD5`B>9ISpyvO=&(z^L8uI
z58!9{dJ}<w<F{_`r|A4NuC;vGtwh9E@CWEBIaV_bX#_dP*OOq5)f_v0?8>oIZk76*
z1P>@5Ku<vyKTD2fxd#GnnJh~Y2-qB#5I-dJnB(gcP>DMw?mV?CoNt}Eb;@vt;}2nz
z_G!v$w%!&O6C1Zr$sLITL6nR!Nd=KNGAV0hQfXyU$(XF*7ox~>eC2?a9jiW8$(TF{
zCVyv4dNL-JjZDg|Ov(f%8EcG58JLu};4qfBYWhW3`SXTon)pM`;BH^Q@tRQNc7J{<
zAT-Zs@CU3ji4imIkeDn-=4TZXuJ)WPaLivgg&`b;!`T-Z-vx?eo(d-od+l+8t{+sY
zoZFI!{Z#Y^Q@hrgU8o@@cSShY$+nca(;jgX&fSKYjpU9p<o;+BJ5zvGE~dYB^TLkU
zhTM8_L>9ERfgipes+k6Gz=vDD2Oa*@t;+6|_saC1*i46%N01WAQZNyPvoTmGLrOg@
zD`JV%+fZ`PC@L;nAh3n}eOdn0m+0HJ{Fr^f{E^(z^1JG7mVdy*oWm%B=r%9Wf<}Qf
z)i9H=l8)cx%A!+tC($~yg)@J;ALogs^g4?DC^4NcQWnxSEWOX3^?>0IfHs?FX`D&t
zPt`0)2@jn--8@~e;+Xt%()*^=Cg5aYGRW;&$Pi)Qo2m(i15efXQomr`_a7b|Wu8Z?
zlQB1WJx&;TVoeqc<Q9=)kH!)THd9ofV(tQZe6AAdIDs?+r)7tlX5#!l+v$i5khL@B
zM-Q_DhjdU)*>uPT-G&<uFV#4eJEL#HETt#RoU>s9ha;6ZAy*4xD|x5Fl21gs*idsv
z44gm^s-{Re0+E_uDI;?w9a>pXS?)vx^rOH+XTB?z9;}-f1;Qy;34DnF9yPSGF*z<4
z^-o$^9Am+`S}Rghtj1!00-M#34+@^<DHJcD64}$TMuToO>I^T|<?{G)llHRPfv{v_
z%r%_xNiNr1eSkBULeq;i*8sj%q_>^(3j7_@evy~M1L_!Xt_}EkJ7C=ztcd;wea1Q{
zA9*v*7>c8_^|8jeQsZ2iF<8mCM{?7?&BjBT)^kZX2S}%{Wy!n~AA-~0%4DOa4l2f+
z1+e#<i1sAV!bi+iJl29+55~Z6j9Xn)LCJ~*pn>sYK~Ja?A0<!baSU8(jJ%v|)Se-?
zBl1W%P_Y(@zsErjJ1k-_b9UBT4f9Z}InF343eQ78Td_L14p(-Nm_$!>$#rz#k1q=*
z*2GrUbc2I+y@D~@?F`q)P$RABr`XXo;9zm4xOldx^rFn|5Y2xVFBTOOK#h}Phr+16
z8c<1NKx>&MFixyx>R>3B)~p39Z1(~R2gy+WQA)@K(jXB*Q)!@0Y@kH63}+M1O)(Wp
zAf+fghbGckn7CM+cBWEMt7iH#j1C(+3LiTNqC<(U#9BNni?7(zEpWxtR<WXhhFQsm
z+&Yn>@D_<b_bMMEGsTGlPv`XFL!=Sb19S%AJrS=0#5h$7_KdNzf)YB>r<EJW@Uc>3
zw-wV1u_^2#lXVw<s+<pjE<~PbS$k)(7uA@164NZ^V8)ZJ0^a~`^-uUigkEf3X|ywf
ziY2uc3#t!pNGC|C=qOyH)Cx9H0!k%T6kfqCUmmO*9jxm|b*#N=bTeGXrsm?vt3`N=
z!PQc;tZ1?b@uk(uqM70vFUN$M4#nE5MQ%9CRfa>5ioz6lF?h)V^;9r0u28I|!q!<e
z;<pY^(s~?kwC9m5|Kn|rB6f$8<-hY|%TdG+Y!&*GUj@sL_2Tiib?sGc_a!S>U*hK2
zmneJM`jQd84t>dZ&fMKjj`~?!mAWv8mSd}gX1aA5LT;3PA)O;@)LFQJ<y22-l2+wy
zl-R8cJuFZWlA58sLwK?=7h8+1Vj~P|)jo+^H1S4?O<kJM2E6an20jsyx;Qzuf-xW_
za9U8N7Z0t3j`QQlGUJ^vQP!j1^fn5-yv1s~?Xsi%;Npgsb18GRQOV^&^0`swV1Yf>
zC|jh@i!$&0C+W@bse?uq{Blozsgj314wlj8dhXXJrM|}Hp2nq07-=JR$Ig{L4VgN;
z{DAlae)21kj6{le3n~r2rxTqN?-rzDl5qgvks7lx|BPP7KcR=xxBuED&@O@hqy(rh
zDQMgBKh7+_tE1)j`pRbcSEo0#{QpVz+G({*pj`s(5@?see_R4&`HgK`{wJ8_cX71*
zJ(k!kf8bmH|F--erwBsdvluVsLiirxJi;}E1_ZnYl=DW|f%~zz&O(@vkdE*a!pjI-
z5C$T=2bhz%o<;Z>;Tl3cf;g4qToF7Gd=UB}s1e2>OhTB25QPwnkcOZ`ScOo8upZ%M
zge?f$5OyK#M>vjf7U43&RRsH=?W;5xF5`QS9H&Ya0>NNBYKiNFH;^LOo?SZQR2_ot
zS&REHgyq)H8jVr)&2~lN_*t2YlT*`^@L8+GY!%08va;~OA$*c&QhavOh+%P>j0Aj@
z$d&7xO&DWTIrtdZAXQ&tp$T_V(&E$%!sfWhjQB;Mrpr`i;^RgtM!IjdYFVldvw2xr
z8JWPPe6tqW@=8oX4)hhIOucTYUT5V?;DcyTl9db)mjN#;DV`zNh$Ay(;mW0E5I#7}
zrVl6eO;jajCS_;nR7>J@2`MUFN|NfnKO0hJGT`u~qD840@mVXZ<qXMeB$}Fm?=gWM
zWsr#Pp(W^&SaCQ(E*#f4F|KcV;$VC^isPo~ld^SVRO3l5t(IqCqew`mR0J+d$8niU
ziGDWXk}?v8Kt71K)thRpHFdmdER{baeo4}JqyvfrG-bt2oHTigX6m%y=`&`|(uT~&
zG<w9G$f)SK^XA7dN=QsfUYwGe_GtQ&jLfBvWo7I1Im?!>cwFs2G+@~95hF*9_8Y>D
zLpid?K!B6<$@KL%U1p{#dr5qHx=Ovg?{ehEaS3CFWG))AC^IX5(C7g5@R96xNP6m`
zA=x_mIvQOD3+!-Bw1xa90KX|t;FjVBWa!h=AL6*_A^1jgMlu&NF@(#A&#;3P@SEd?
zFHM-OhoBQO_34Qj{dI!sC8XdhQ%UK9>d|C1eSS)pnUI-I1+d{v&&Y{SPfeuHY@u4&
z*S1JevXZj(=^#YvkfdVR_ypdP_zY5fwTk2X5o|P?bUrI7A&EW-_fJW*f}5R`k=Qaf
zTOL$4vi$4XoIm<mL6-lRZ_D|kbHnLe#0Onl&L2J3c3-lR^(8XLzNEL8tuGNj=h&Ap
z`6r}jW+$nv72rx`O&z1sH(CZEnPfyV)n}w82o0(cL8u?#L?og4W+gpF4QX8ezS;c;
z;%RC63hO=8e_Y?``hlu!UA#`8Jx(w!t;m+yqWflu>{`J|fSJ(=RVh@0Dsxd98a#s)
zcw<(`o;_FL`-MdC-}vQW-DiDr5S`-V!Xu_cgetUJv&Yq7{`lyQPbb%&qxgg|3o{oj
zY-)GHZO)SH%w*ldMf%kA#D!T&=}9o&3*(nA&0c7;8w;C#)oy7b45{7kNN2kT>#Z4m
zjO~|)K2P=tzKCWQcK~r5;#&Lt|EUi?#Kk4VB`r_Yad$Z3I+Kf=o3K<jH8maIg5<tN
zI!osMCKj$MxwyEcadB~}8L7IYj2vzs7Z<-Id$E9wZ#c)rEl$!ciKk9xaW*$W!~j8R
z3HKV(vXh|9c!-C_W@T~Q7r;(T(`W1Ak`q&NIBtzVof;4NW{!JOcup3cUJ)q7q59)=
zE0!Yt263H`v{V-dlbD#Eloh~n+K8yh;UoPAC#I)!j{*bN%nZi-PEnlot`g<S%+O_J
zrYA2&&nudiq{Fu^_325$jLbxio2dy8(aZ`M%E)kQ#PLu}9rva<c`5n;T{1TrCCh}O
zy(&&lPS<BcUtSg`v*yon?~0SDBj>JzJ8}#-?hSD=HB@f9IC)tX1P3ojY$e2Xk)T7-
zWn#|a0f{bk3DP=HOhO9e<3V@$&vBc?$q;Nd=Snf4nu$1fy3a^hvJ`8-soB{};}ep&
z3u5ZcGSNT1M_ho~A7U`Wq9#d}CFnAjfa?jk%ck3G_<rIgNf38V689tBv3$>nK_WgK
z{tK#@YY@dDqeT5u?oTc*IUz^KT|vp{x=suzmRoBr<$ouR`jQvhw*0xw^3&Ib*%xTp
z_acAp_odD9zjWEr^8fFYqdnJl3A9U~T>|YAXf6S^<cdfPMOF4`Wcgoda}@DCb~Oe$
zUF^_u6k#r;v(W$eqva@KbK8B%D%O`cIrb$3lWcuS%8~ZI#J-N&@7pENE`fFl{I^Sh
z`jR)>w*0G^<)^;HZWJ-Jqs{Wqy4!B~|J!T%|0;h{Fy4H|U)}7d;@bYF=Gy)j@^jD^
z|5xSH&Ud>6{#^-><$tGb%b&+Aztqw4kNnhT`TJwZ$L=gNTP6E<xoO91mq5D&+9mLx
zmw=ewf(9Rf%k#!{6t1|~{X`tivxMF!9t$3McEGq5aV~I6nngCougBdcB>G5jWBrvF
zI4(nMd!n>qc!=U6xH$aPaN)R{&dugR@H`!Vr{bP|UrMjvqx{62Gq=dqrSVED?evr4
zpKXpvh{5Y^k&g)UbX*pfigl{Rpq9#|b4j3_!6kE8q~XZ&f6(Uqk;a!Se-^#@PIx<C
z<Gb{(4Wd=(S9=MT-~JTCCvEp7`K&LIIQAvuVr+d$X9(K9FPY2Aq2`9cdmD`~j9Y}i
z*qwtnO^dk6D8~|RDHo42t$@Vh@q{HH{GvE5w+zo&cpivar&1?ygIU^KygOdhD32+C
z$VM8;X({BD3Yr-$XsEd5kXjO;(viLx7%DE3L8k*lhuk@C3fI|=ZWM#gwxc%!`Ku9z
z0e2CnM@l+&01ZO90uVo(8wnaiITz3%ZgmVl17%3JD_L_ch|x6eLEy{+{9*=8QdtU)
zs6>nLVPY(FGf6qdskpbnhd**3jn*&-Ig@`p3UO`8ZW5FGY%6WjEaK0mTl6H<Kyy9^
zgS+Jj^b_hX6f`nXem!Kbvn!!v-Kn@afXYN3Sh~Y6n90}?x4ESMikzo_mIx&!4Y6_G
z)G|2E7j23|-dTXiK;G%N+UtgkbQ=M1V<#+Ml5X2nG_H^TV09nb>%;azjq4LRXX>C)
zeP~ldMq)fI%Z}@_A}PDigz>Ip<Fm7qmMltNp#pwJ_P9R!tc)?)2`NcS;<E=WNlnPg
zq<sK`urfR*K6}aF9REJp{FITJjO`Oq!nP<Ov+=GN7c~-_o``K0sk#*uiJx^Z6oVYB
z25Z)MY@bO;%FfQrnuujrEYBwB^jTnS?x+zq2-=J^u8*+OV6gRK+kjw$p(W{YeU_zW
z1Po<SLj+zDld==CQrX6*@m2~d8>%W&mzoa#`i#Y9s3tI023;1`#iwIe)?buJKp&PL
zia9nrDM62A<`uRGinDI!NJ<RNO3lIcs>Mm!cF7J9n&rT!jasvka+1=mG6IC~OQ*<j
zed4pR!6@_5q%2$UZRsj~>cj*R=eRz}@#)z~cIkpd1i-OF+TdvH5Qid+9nvTaXvz?q
zs?hGR|JEP%C7-oz`PVSZFLt#2lRGfWkGH6X`#M_w|JIVW^VKeab_ujgpj`rj1jzFL
zR@K%UmA=_XmfyUg<tXBIF0Dd8)6h7Im|!~#{U<2mlMyUbRMmJscY*WmS+Ht_jMK;@
z`#lUqaZ@+Pz9jg4TVE35xR=#7P-?HTb_ujg;J-iuWHUq;+k9tQ0rM6)#}+<ooNb-}
zA9}H$Czzn_j$(<$oO(_7o=z?guMJ*%tE0$SylG8$cSO00MIwJUwTn{+KX-{3-#$>M
zIJx>ciKL=6BgG==rupi*>HxbKg}Sdqgs<5B<AFRMZY=vZ8$<SNHV{o>L-X+*{;7N0
z(Uf`yWF&w6K#<%gedV#d58gYb{PfFbqc^ST;-X$7d0f3lyl9g|EE0>Aqx$}Er#}9}
zjW^f-((lvn=YOZ}*vPS{19*#ItV$xKP9EaO2>-5XFDE>>dbnfcml~0}IAfq{dPc%v
ze?Rp@lpyiwV@puY!G>B@gf4!`QaWrCk(8B_ilK>W@<jCmT|25rsz>+_7naTDckSpu
z6pzD(1`HoPeDr+v!oQg5F!fL&Q@?+fDRIiq7)=|h&VS9mkfIKpB;UlT^Nr&Cd~W}z
zzlD44E?WD@LtSPp7&7yjN1uG=_u+Hq4!?42MC>AMc-XMV_C1l@(^zrt;r(f@bt6x|
zsC%aF*$=jTn)AYqw`U}1rVW17?b(o-eotMSJA*&ze7XC;`Ze#&J^l5h-v^cG&zs&Y
zU)S^H^jWeE51g;OzW8F+zUlimJ~H;=r9E9<PgtJn`NaE!#Heb~>-qcD`K9V%PBN%P
zhYrpnk#vB%pW4^<tQM{HPSNR>ju|o}Ga-BFU<|EOvr)jo7@@1>kVsDtk;ozyV-6*N
zo_a|KsvlMl*wk;6@7g|A#DuJL2fQJ=?Ce1a@q-bs?m|d?iG*D3YRgn2Q@c~Vg5sqT
zu~Uiq0ebEvg-&eoP<QfIK&(s!oaRJK^dB_TUdm7<$r_P}3;k+lg>T-4%N>39o$vn9
zX7T1X*9?*yyz)o7u5ll@ZGPAIPfvBYS5$f9nP)zU>K^oF&9i$(jozjop&Rq!?8_r}
zy<|MJVN%a+pO<ekMOWSVE>SvZc!=m&z(2ZHXy55y{@ca1v&5schUEtuBC2YtoSr<l
z<%Ny0@)s|?v1jj^!m>v$UU+}Nsq!~wCY~wpvEa-1M$5h%)n{`6Kcx8On%&O5Crp{>
z;{0inkMHi_6I1ePHh+6iyxsHLIptkm&s%tV#rT-4+@h`<2TuOSp@?sC$JISNX6NkZ
zxi^-$8e(q8M%?uNBwDew?Cu}$Z`kDC_5A)Wd5;`a_+_k>-l(~`y#KKdUtJrvAola=
zLw^fE>)Veo$lCg*?d`VVf+>9J<Xe?Xf;;+eX(lptK5y3&=1=tZQhShyWghZqOui&#
zWvC{{FHQ3IRClImXAie2`m9Cq8JJ^8PqNjAtB2E^l=x-3B>$f39t7s*;VDF@CMRX-
zQj@I*W&C@odkXc}#hOeF7}G^U`?WUP0JPL$P0f}b18mLqf5cX-5%sZ`3N_a?A_Z)#
z$W=@l_4c8Uw;cIe^`UF7@x3SYwcA5(TqsrST^#@A>xn*RzPNoT;N1eXaqg<8Djz*J
zVxwa3v8&5}TlVIv%&~i)`;aWZbK91`kSzbJ7Dvk;_LI%>d%y2!`8)1Pxtad_p)bP+
zy&F94j~(B|#Ptxrc4x?=4{W*h`pa*2uMl5cJuCc2_eZV<`K<c9<M|2Y+b=x%W!&Rw
z{(~hi<$G+MruxP|yJPgAua^%C*wFc<&Yz!88S>80Kkh4j>ftiJ_mjzA8s<i4>i3R)
zr{9w?hm>ApUn{sWr_?oL|Glqfocr9l)8G26tQ_C}*aOS2zUF`M#?O7aRqp>}+T@qJ
z$8CCG{pHv{uC2V0`|cvq(|>5)&L8a)wROYS9~9+$aBWw|-!E%VZ@QbZ=>yNePo6CO
z!fJym)%mCXO&dhoDA*vG+6neTEaKD?DXy1vjCz!M#HL}JhOSlL&k_mRXRmydCo;Q4
zy5F;JTSiIb1S`pm5_Ek_H+5HAi;;N9VU(b{qXzj88XjP;QDmB6`DZ+O`^wyXQ+)i5
zD_-(@VegvvMBn?&`g&XO+>8sdhhC4ZIP{#yFVgUi*QfO#!j0N?`QURQFQ4qQ$m`aG
zk-cXx_0PM(k9zVGv-xk_y>BC52=P7scK?vaKlm(u;_nZC^UJ~0vFE<<D;)pntDl~}
z7;V|J{i{`fd@J8r`?q_3Cj!HJ^cdCu)`S`AHPXEZ1FV)|;xn7)k6wP^+v!Qkqk7KL
z?`y`fI?m28wAC+<R1b$h(B=nEPRHDxDnJ#gUzDDjpu$w-5;~0PU;|VW^}3Wyn!aRx
z^f2{E{}D}%ogRnV8hifszsP~rthjk}Y3ihDdQ}yYq+6Dm^{9WKdbGge&^b7slugGY
zaZpKxbCaYY+34k#EnDW;S!FGaR}DybNIeX5+ye<&;?cK}x~-s-ag0et9Y47rL)GeG
z<a+!wbFydmwcV?(8)~XX&b}*Aj@lzT{#5R(cb;9{O}_8ZYm>sCI)B0^*rV^2(uBuv
zhb3J*@lN0$wa>reclWpClfGwe{qb5xx6vbZAALPX_CTNhzUiZ$>3^wU`UgFVH~-mp
z%|NBv{Mfq#%*$qk-MIR7eeIl+nI%6iaeeyqsYFx4$Ad!p*A=?oTk_*WFI_5}wsO$g
z)#m7@-(S2hVCXX*s)n~8^n7{AzJi%KDbnvA8yM63PEp5xfA$*mjNdP!NbPS+h7VYC
z;q;>mcYJ^Po%}!JzBcSic=c$XhPMMJrGC6_%%{7zZ&bwYzcO$QKj6;@*$d}B6{(Kh
ze#85hl51g0M_$~~AvioZbJUeGbNUlg3apKPjc5}j^$P1&nm6Pr)WB5IacZhJw@20n
zi`Ld_M9y6$<YU;p1+l1$Pg}L8_9rU6q(D)_E!os(EvszQbqmL2X+nGeYyQ+bq4{@F
zd)jh=7h-jhBoasO1csoKlZ(LIB=}EoSU3@LQQ@%kQIq9=_LsKi3F1E{%OAO><vf9<
zFReB{)z@L3U@lR75fs~a^YU8Om)vvgOQKD-zU0n4$G$|h<pH&ie|NRFpx>RCS_e$F
z8L?pjth?^%F6|=ql>HHAzI$)nxWo}FQ@&lWeCvhJzZ$8|&m)07C|#jmwmD%-{QtPg
zSfgCJ>vB)!>4%2x7<K3g$&p=qn;9)KvmcD<x^u=8k#`a!uLf=Tb^65hFTG;i{o&xA
zhn7Eh+ozjibxq3dp{I*Roj*I_gmL?XkJh|!W6S(qzYgwq;`~Zc2ItCcaeB5>uuITw
zAMX{5AM~yI;=7BXAN2Uc{an@H{IBy~PY<8{j6Sk>SD)XGUzw;c8j=v1`@o#}8|EE4
zJuDv|46l3qQ<&I4;DDX8n%S(o{?A`Xdv;oQx8G-Ga>nPHajgD7YUP9h)@XnKCgZL4
zR}UTCXuNki8gIDoq-8P>*U31yj#KLysqy}u)k=zV_HYTsdZB7!x-Qe!ow|C;g@ril
z=x@AwEP=Xt44;y^I8_&)u9`kYWwXPBR9f2_qACIliOb@%l2lQ2K3+JWoio&ym7AxF
zHa_doBpocaEh~v*R&9>ne)#R+k()(-W{Y3)d+X=v`_3miXTP*z<dE}^CR{yte)IL6
zDoM$oD^<T6%0mv{{(f3rTFl=rzy8phi@zE=>fw|5(aTbHbzA6l_n8xg6ML3PZ~m0_
z<=Y+C`ppWRaBZSI+2k(YIKcmt!973eyeDH*#WNpWdiIZByYC$}d3ktN&}$>&cl|bd
z&}PANS|eHw<M{+e<7j>!Y#8P+a&pd72T@Wl>1d3Chi?kl<iB=^)ft)`F*yJuC-tyF
zE$m=p5;KPX87th1M<v0VxSPhEsp`dlaojn<hNTv-4QNrC_|$mE9=x$MgD5E>DNEgp
zWb&ZYTiqqEb$iy_pi7k)sW#1=^pG-V6EiWEX04cwJRgz_=<?#Ohjmrj%0s{2t$g02
z`*$C|^Ue8rGl$Ll<ax~x@4x$x<%y9A-*o#^`^T7?zuyjuey(fz+vj`ya{F1uBX8?g
z_TS<@_w{w_dMv%v@ya5nUqua-(jcD$K9AoXNS5ENrmeojc{o}A4`~$PxO3%aS3S)+
z=VNY}_L*Sk3e7pQzQhX@+vrQ4WPQn>j(thYa9dwuzT()I#O!*y+gm$Ik7fT*U2!Ej
zXV2<gSEqgR(bjKNaqAZTnjSkw6mqb%?)ZnZV!qbaKl}ZhieDxsp7Pu=$Ze;tL&K#t
z8J*&spP0V&X3$HDpKn(L&p$KApn2fW`J-PpnqJBHMDz7w$!9lCY&ran>&jQp#s;Z|
zJ9RhYnfh~^UvJnDe$(Z|*^>EPN94Wy<DS{yzP$3W%B9_A_82+lYsuMyc(MAWDX;fR
zn!aQ8vRMm%KKzk-O$Q0)rfLM^>>4lc?8GJrdo-(1_3HbXuju&f6c`U(W`@6#c?2+D
z&f!UkOENPO{n4M2m2&m)YBETZGqaZBbtAOm?*EXwKc!1N><kujBFVM14U<*jnVCA~
z9gk4M8TKEE_lAt787%9gKRy1B_qA=B!GjCuZTziAvB-0~@`5y|^2g{8(=<U(7s%a?
z1)M(J>Dz1KxxM<{dU)%U4)0u*^jf}p<8z<C%)Rqq?)UE%{v$zCp4I=z%~=QZj~yR<
zefFeU{RP+c2iB=FUsTk;_h8)8hem8Uxb~NiURE8Bc%$%_aeH!KzUQk6IGf}3tKuJz
zCC*A3oS&k3%Vq{2gc<C`dKUPLu4*(-Cn;P<PCdfO#X8~X<t!zs_p&|8OjXB>Aq79Y
zQs%t&&9!%Zo<6bnO)pV5u_%MakZxom6y(f_)~Xfsz$Usns3p|snSaRKp-ZcuIJNA%
z3maW0Y}|g>eem1YD^r&t*_NrNSgL%$9ovv-(@!@3P39&#n4d*=U3)KBJvpP(8J9Vs
zkN$D|g~x7eR7X;Ny`&-PS?U>^f;UZFJH=|{$Wk}%lA$@cAxj@kB|mlu_O>MI6Li@_
z8ug9TiD?sQ5i{hD^R1FKD5vQ1)K3C6tMwjFu8Ny{e(Jiz#b552HgWfnBf4i!eKR_2
z!<IKcomO)F_?ai3j_!1G=u<1do^Wl_8ENksw<;zV&B$DM$g^SQvDapOc``ENh<H!O
zH;bNL>#}Q0-!IMEYVYumg)H87c+J)y)<xbLSyMZ{==$ZV;y-;d2FFhf)^Fc7u;+kN
z(-l8>)%s@l9ebomety8Lq&fFuKX~d&xAzBzef;+^)BYHnH(b>9()1_4pEKj`%y*r4
z@6BED?cU+s!Y?*{+pxyiWAvu5zwJ0*@`<x$$_rCUhCSSE;k(yr1Ft?5@~OvHBMVpQ
zzuW$ON2iQWkEcKQ*y1ZU9$WWei0&Qv?W=od&Ak)5{_jghA6{EDf%n<kW$1VJmVADr
z{*x;|JX1Gf+VYbA4||oTe1G$+hS?z%izndg8?W7X;9z|4FK<a2{Ilh?Q;Y6Jotgg7
zhU+e8UjJ#&^+&Frp0jD*D+9iqb3NH>^^>y-D&KV9uy}CT6T?RDn7Hq$f|Pz|eZ?-n
z<gau6+o0>$-unE-Hx>D&a^<HNe|>RCaAri|^u*<VzZ&!2-`pbmm0jOusyOz>kol{h
zdo;d#z~8-h{$r8yyziBqi$f;YTs^n4^DtlInE{a>{G<=@_gkE>W9tv^X1hwh`RdBN
z3FS2pYd+YzXu%NfrP1$hkIOETUCrzC^fdRUANH7h@foK@kzZJLjeGm;as3n@9Lin9
zdqo<lFX;x$-^OZV5n29Co{pA((K%-MyKz|$E_Af~-#<T0`+buC8VP(7$rECcNS%N1
z|EO0hR<`ign-)<v<rk~FH7;GaNc`n?u7MPWzsXT>^LNKAdDF9(`oShdsXvBO_3KVA
z>TKH3FYufBd*$bz4$Qdr{U!Cob|`XxA9eT5-g#ZDCV)*)EFs61wSW8W3KN#n{JepW
zDfYbh#~t^*-V<N&7_xiL<iZy^{rbSF@sIf$R8Nek`^j^f?}qh1=ef=>_~-YYZLI!&
za@>zjL&Tdt_$6Z7@9s6%#yoOiQ|3QTjr2%=<I&2&yniIOXTh&w#z*e<{p9RhGZyFU
z^mU5*sOWDm_IE!2+xeXfqTl>t_Mj(wjy!VhiHC0fbfo*$&1*!fV2vMdDyWnH8quSO
zT1+~z_<v-br<K(uxsyy-4-;eBZPPpqZf)yhs4}<42WJs#tTCm7zXA(JqtwIE#||4h
z)Zc$TtaW3m)W5S-`ONQ~&%81C<c$j_di|9DYmusD4Ls~*p849~=c7a8S03E3+pX+S
z-+s%EpWMA9pzo+pC-jnTtNu=$JHl)A!q?`Fp8j_EQw!I;Cl3BS5#!DG+*UsE(}7PW
z96oaQNXTS;>2Ud;!yk!<?~Gfr`^1vV>86wF+Kq*eJ#(Y`y_K@_A8rfV*1e<4o3DLc
zdfnS-nzh{&^zI&|<=tlt)|F0b;XZA8i!0xv7Cy$*(pyyaq?v~&2DS7SRc%sC7ZJso
z0WB%^SVI2iQtaik`kz5I|MS5%Dc*jVDDI(mK{oSfdwUU&Y1mBOoMOK=DOz44il4pQ
zlH$N5;xVpsONtM*NwF@BD3)AmNpWaL;&I;CmJ|oJNwGmi6u<CjNpV~Z@fd=2-{z&B
z*d|3EHYfD*2Q4X1?m#>SPiaXpxJ`;)Y{g>phb<`vzfU|)I@FS4@zu6QFY^~tsTZDV
zNpTi^gY3r%0~#q#v}w=NZBm?w?^*>p<<NS1Gwq2s5sv}YEh%Q#w#DO1M~Pz3#Fi9e
z*c<8wH)+o#8;|GlA&W_9l@x^iJi^`{?CRmTVe9LNV!!b%DJEx7seS7jd2FO8`(47#
z2QdoG_6gzDol9mA#p%aEk)2uQyl#E|tN;EjYf=W);uuKQTD+T+w1@b^NO0WHp(9jt
zvf?wc>0OENDwn3?&5(mTx{?K1akDMnrx_`y%y(Pmy_1sjJ=K!;0y~P$c$eXj07n!*
z8))NQcxzK~2E2~P^ORiHuw)0`ClQZ}Znec@%s!$xFRPKq&p9uW1SGPXG+%R~k;lol
z8vCeT!rp`z4EeUGu`%v(L~-l4ty1(>avL6Wq!>CeB1({ECFo{@B!y;W=eVRLGl}l>
zowl-D>uoo<t)qJTrp%%2lZOr+iPxTDah8@HLb2vTuWrN}&XQCE{6`NR=s#lAK>vXO
zLkEr=IdIgdhpZJks-Z1mEzczu#(&nVXmt?QuTaK&npYc(HpM2aS$|4!kbz^Ng|LD;
zGgI~ky?{|@f_t@dkIg@E4G7#evBfgs5$s@*cGxbGNIF<e8cY$6_lSj~I&(pN2A(Oj
z5E%?B@!O;>+PSy(KHv8jBXYRDsq?7yhCKpxskl+yrywV1Qkw!Cc9;aJ6k6~->?0SV
z?Bv&s@9Usm47KqZy|+;k8k;0`i=;TtgqI(-Msdpea-!HTrjeqch=OdPHkPJ_&M1a!
z=7g(sSQqynjMupe3e-uAkH>&Ig%;9yV#zGZVftp|VBhe6U6V4{i4>>+TLP^Oe;yjX
z2HRp(v#qbFoisgUV)#52y@OAM>C$)@0=#}Sfu<{jw~E>rfpP`-!$(prS^?&4YPFz4
zTf&@ngBZ)4>{#@{PQUtpH4JL?r>3d*nF?Xfqv|;_QQF45RPYI+nDUXWsMd-vriv#!
z;fXr17Ii)qRXcw@CxOtU2o?*+?ZlOSLF{kaf2xq|-fNdTx83FI-aAFJzV1DT-m!}@
z_u{PhC8`9xr!`ZjT7<W*>NDuo!&7EQFgXtH*wNM3O1kXQk}sb$NUqt!M{mfkneZ%q
zt>d+4aQ)~Fmun|+o$^%dwRH?meC;%@nXkyMy^m{9VTWsLaScyRNFf@{ISxfvG7IW=
z>g1~tloo?f#q|@pi7>Hs6b~v9MRRwe@kfbJg+QgJdjygT{cKlGB^J^UhdcZLM6iul
z>m!l%#C@&sUS|lM8}Kc`{fB;49LK)Qc^`6vbxF&0NSj1?5`RanS6pnrO&s^g;3=fk
z9QO_#gRDYOS+BU*enB{dHCO=SM9lP~aB51WLN@(^IId)HR(4hbqF7l&kxu!xgrmsz
zU%Ld_CGZy|K$ib_+m`=i5Ly0hj+Xz|p*G7u9#+8K^8dw*+rio;&@O>?3A9V#e@Oyl
z`M-zd$LBFwXg0i&NiPR~N0vYJEl11$+Zks0F}xW)x83spFI8T9w(SyVm%#s{1jqtb
zw(a|V&wO8+#b*;d!mP)w##xWxw;U~C6o11!AG49Bsj`$HZlWc$+-dzqeCm6DAU;U@
zrY{X^=gs2}#Fh~tM)6!7K5;M7IY*hF#nc+5?2~fkBEqT80G+UiNI*tgcF=5sWrq*@
z>rH>XJgb5@exa{7Kh7I>p%KO@zTTD}_(48+O6!0pAIo>45%@6e9+s`XpJj(9LszoD
za`sn-zveYE`dY5ixRwAdJA}VY=@I5J0)R#5>kWdqC@o$pWMfz*73q~}oRAUk6v2OE
z3H6SPjae`c#lU}jTo&wG^m2<{X4%n1(yRbQKb9Z9n`_j_D>d?SKECD`A*QoEx1sd&
z=EYv9+L$8^D5;U8iRQ-alW`=n8px#FX(s?$6`~gSjY1@-Y6}p+h2g3k=!R9E_-OT4
z5PL*4apa{VLZ{N4BP?EWlqUioPPcd|aTm~Gz|e_YsAae>E|%dc`s=kG360X$+_d}v
zF>C5AUL<jnv?WJr$&p)fWR@JMd5|;S@+90xm~UfF$fEbO=mEe|751r>NHy#avgjME
zd|34LL{5KG5OW0Mbvf~>QN|hZootP#ajJ4b?7@9XF08R!#Z<1yXsRV^$$C<u`1&;G
zXv>LcXav3zf8W9}bsEG}DcbT~S_f;faPLs8DDY}6R<yYfV_ZcFK{?>+WAP$B<6;)1
zaqBzhaa>9#(kaH$QY6IATd(AH9y*IAv0*&a8(%KI9Z<(l^9($oe}F!at@SiclN+Z=
z%cqgDa>m(8<7`>=H@G#_Tk9@m08)@HMx^=CF{p8)rZ(_^QQx3*;VaB58t}F4+Rapd
z5yrLDZZ=c(@iCspwbXJpQ<WOD4Hn~CYEJw#sc|he1Adx}&s9c5hZ@&5DXMXg5=q95
z#Ef}<2i8tT?;&uZwdlKy-bm1T_rf}z7w?oNLK9HdxJ7+lub#-6`+>zYE~QBj>!EZc
zhXuU$W?XEdu_FLDsz%fzK7bw+I8~;1PD^B_!Gem$e|&9vj;}1%=$VfO6@eBnBiOQN
z$y8Zsl{nO#IvTv!2b7GSDx0@TLE!Ryqx?xCwekjO;;2!uQL(al##Q(r_5u(AzN78w
z0*J<DQvvp>FQ7~W_5rRuOjNlOMdLf}f`!_7o@(#}OjcM#)E=sjX#RAR`8?4<Wdv9P
z%Z<50bzHfF>Zp&hWJ{yX-vEK1EJfK3`{jm5VCkkwfs2o=gE5;hTAIdXBkkBbO6&z$
z*;6#KN6}5}{YLB!v$99_jIlSNi9NFX7uvS`KQPPxzN6*;vvJmA?t_k&zp=m<Bvc<l
zfrtEi1wJ*xuE3|Lz?&hZolfUas%<cFB=mu{Qhh<vX(sfHu1!3=3xvNWbPuWuR@szi
zqcr(aR#jXTB3o9@Kzm*pNI*&1&K|^S2VxakWYpK1LZs&R!LcE!fis18nu~mpmG)-2
zlNm&zQ}?g@Bf}eIu`__Eeux%tr7ED?Xs!oMYS)GXQvREAr>mfBejRyI8(2$JVv%EG
zMmuAP*dh?ize-BTYh|XwT6~5+Ds+9Fc>|UagvXRQ96AE?8{<Hruw<UTUkd4yS;LB5
zVbs?4);AO$)H$1fL3E8cpoCc9Ypuxe0f3xhLw=aqF0-r=x$t1QrU8f?2z0KuSXvMW
zW(4{-5ukcEmouSI?u-CgLJ(N)WzRujot}D6Iq!t-gF0q8e*gk#6g4vhI$t@AGm-%n
zs>C1mU<sAQ3LS3BdSqt^ky`|LmQR%>A}{ka<PZI@c`{aEqf|`T-G-5{NmZ-~J*^3}
z+6;$BE}BOk&u;;ZHH&WGMu27XD*4KuJZy}7CnVaD7o~|TN<15UcXHDLSIJlXNSwsQ
zmO)A7FpA13lU(VyFN~k%t27Pk<hMR5G)(AfWa#%|%h2zmR(XxwPpkCPc=E>-A0Fc?
z6dzVdj)fT`<zZH*BLj_e-aNAcGL9h}_%rCI1)s%>s|vDM^xmxVhV7Pua13h%2f7Jf
z9#fBUr&`iB^-xwKq3n((wnI~4%S8lSeGvrysdwio_#3=Ak{kl&z%f5>2X#yK9#w>S
z5<co_*zXAecmg)k&O?*gduG&$pl0Aw-p3m}fHnXkzWgcrYoCYtT_I^0Uyr0=_7u$P
zk>q#RuwN}H4>)M3m&7SvDUIbz7YJ$;&5xrh;aShhucQ9c6e=~8G=!VNq~V6r23B!C
za9`IFS3E18DVQL_U^>DK2O2`7kS8GG$U~;CX=rzH1?88R{b*^Ip7(Fmu5uAURZj&%
zBu|$A=e8~XDQ5ZKbFlpV#KNoxRyrq5a<u#o&gEvPI&&^L!MU_^!PZB&?Ou`x777@6
zedLD0?IQ2e=1@kPKlu|CW9LLhn>QoIuzvs?N4Q^b8l$b4HpfwLa>*fU#c{NEiFx9h
zxsIy;N7oVBsbVf8Q`08q>)@3M+DWb=s?w7@OXe5SNP>JvUpwE?&SlbpAoH1G;WWTg
z+L=X$`z}lg^#c4<&%%;M*Kw*GR;hfd;5vpVjUlq?FHkh*I)02BX1kFt#=ZIE|3}-`
zz(-Y`dCzBZlT0!LBoHt_grI0ZQv*tzL?^<8&=Q;&lVOAe+e(_ws!QQsz%~gJZ_;LR
z9c5eF>S}k(V*Aq8-KDEb<3}-JFdv8tNLvulfK<=)Mva;#g9PsTf6krBhalU1cVGBT
z?!D)p^PF>@^PJ~AU*}wS8hr{eQCdMb50}tNV!<RuRi+19xm>tP2)2@pr<6Ik*x1TN
z!tI<;7n7J-!1D!nldP$5T_L!eBu#~D55e6eW<pThPCy_ic0f>cKv3+_CaWnPT~ORH
zq-hfbMbb_-(7=u7*bY)<n)*wVF<MpL{Ekq=+5Dm3;NL5KHxwJ{Xc_ZXy<}Jm=8T?X
zJV69iRj1i!LwR|c9@u~E1rqMZno_qGf3%FBQ>vEn3@%kwesh)ISO?SuyxO5E52wUk
zc%wu^KS+j=(8G4zNGKZ!xubrNY8BT|o<$CR^E__sdn~i;dsfb}gghqa0V#*>O(BmF
z_nCArVA|u}M)wJFhuPU9nwP4*_C3pHS(Qo_vdvojL7mkQ`c85v%hc2$d^g2t5Y3R$
zm9mkxaDKv~4>b2kNo#Xz`(HJ!q^V)#SPDLq{KrrWJ!^+VAyl@@%WT6SHjL@Iko#n%
z7YhKZ&4&~U(lE?{E16zNlQ5h+TxapA!`|J-y0!m00921?(m;i3t*TPZy_%H8F7#c{
zJgnNMX&{MDDt+OWj!G<*{rTFGdkTUc3+A(u7O6zdN@uqr>&)fkqZ-6?j>^_N3m-!w
zLGWS8*8X!K+&N(X!9U?@Zzknb=_)O?H#gx<W~t&gWH!m(jME4V-ux3UP$~xg_a9;E
z*9L#qkIQGjsr^l;h3+^7KojMfYDI<LRN*(q-k?|j1N}J0NRDdj^opQZM_vNafUCT)
z0ECQn&u@pc!2XKS*8Ul9uoh<AN2}Ej@z74X9Gcqv9bB6(YWQpa{<qNkri&(YXS1#8
zA_WoITPl$D!Xg07KcRGj-m?m3F2j=u1(<YT(2c+np*uzj0Rm}qQ6XL%W3QySEGx-i
z*hy*5u)Sp(GWm_V5?n`ZNk9TSK+0IusJ<I=57uoZDXGgn_&}HYuMc&(hrZtB9^TO9
zj^cOjhA#K#>$}|Nw-V=9ugv+6bIwoEbz|0^YlMg6p3b#h6FGmEdt`lU^#z7a61s4h
zQbz>Kc7cufls6Sg@Znck<%1wn?eJSGluj@((4mwJ1$jaK2{!u=n#NaTtz5uWvU*%W
z=~&fG9h@{n?tbNyko#%85f@dyLi4*<H8*!C#TGsVLuGyHG_CUGHN$Qj2DmzC43=6%
zvwBZ(RhIM6l4?aMUR1iq6AD={AcXtv9QRtr{XnBSb=<IfXh?47v{kc)^ih(X+_r@d
zR4L9amC|bE28U5hp^Hf*xpI>IcWwt2(=zS_G;X5-bAF7N^KP&Sxxb!ryqFq*Ch6Q~
ze~eU0d-DPOmG^y43DrE|SCqi&?9C+Dg6wIu7e2L(^8N(vDHSJ`+FMFMR&@!06!{)r
zgQ&~ewZ(&HP_0SZg|TOT$o@MlUx8wext%{0DmAwBHs-br)w`Sn+X{D#KpB5w5P!5q
zyF>1F5Bnw91<zlCtj<sB|3I8QRMx?c0T5k(auq5&jmko9p|1TyaLI1B@N=qaDpnrM
zt2Lp}Rv;CmPVK0u<IO0Ah!LzFQCjGg;<7ZawFaa)A^yng_ptecnuaNHGRF8nAHa(9
zW(CQdz$B5k-jZha9AJgYnwbqPSre&3Q+O65&45zEf}!rMt6c`|JC+v)&@=zHSnp);
zXf0zc<+uhpUKD__+<oGTQt_5jabBr71*kl40KVsuMZ^$6=#ZhCTe<+;5cw3ZVvic$
zzBl@aCqv{Y{@lf9H8Wy3BK!Gk0)!_+<UjGp`sp?>-e{8j2S3J>meX=D2dhUa&3!Dd
z3A#Wp&!cBUq?wl|V+>khP`7ql=^l*7px&?F!$xRO@9nly9X!w7byEUJno^fR7hByl
zx>)PdaRF}hwk4r8YOcPjt^lt6#&Nh+C+i%Dr2Fq!^m*`w6}B2pF2Ik@BrnHrCVt<>
zuMxiu`27&SE%;T1z5}(1?ZPPG@+}DS(0D@MvEkudCQqy2X_!cIzpE<b?(ljv4P)%V
z@F-DEd~rg(0fc%N2z8Z`N|Y)W{?;H)M%s0X?YCaVsCg{oY4r$Tc{H*l-3?IdxE1gc
zD%}9__madlNK`uWd%F$UXQ1GhI)bI?!P3lNX?CzQCs?`!+#^^j1WRp~iqny6#w}x1
zI^6yuP4!oExuHl|<-iCh$40moOwKJVqzNl7D;4LIO6&ZYY|pg>0`itHrnKI{vQ$if
zBE0_T#Md<7;#^h-Sx23P*IP$lk4kI*h~Xt^4Ytq;g9y{J1B;~2#Yov9&j0C^Ise<7
z^Z$Ax=TEyn&iU`g6c``ll7GTmP?If9uc$i;o>2EZO#OUz*3;Zuh_(~+Bx1EUC*cWv
ztp)ul71Ob@x1=Hknl$y0PeG+YfaFfLXl-*g<cnkMj|5>=CWhYOQQioaWV1eGR#v6^
z?S6X&B_pR!<0&74386Si`M8wg0wInj2w1^N{^X|@#9AUh0u-I{G|nRJk2WF2c^=dk
zjZ>dud%?LXTe{h+!*^mnp=-e!Na2?QKDI7%z{`oBo~wUW&Ao*BZp5m<kwjoB#y1hx
zKQi#QpWzgB9j7QSdJB?D;UooJu{PZRJhf={=3k-76`^$kx6D*9BMDe!nVIVs*faCu
zG?w4t?16kHCU_ZkEa(Q`l5}#)7%JH73u0xiLzxYuWyY*Af|or-j3j2y38ExfVk+2=
zsHATVbdGr_x_DwylrV@W`X8uJC(LvZ<~TdA#n7Jo4ra~i`FbDWkibmGNR#$4+SAN0
z>FKn1tEs0i=3J(ydHvwOSjmDVnX#U}hxy5|Lp}ZeXqgE;T|-lFw5OS|p8kqTj`s9x
z6N|=s`VuPCdz$&ho<btP41{H;9>$taTD1B_FyU;wan!yOTMk0Yjm{F=Hg331ZwlF(
zT*2}YwO?Ch0{{X&s_>@+yQA*1-^`)z$J}K(XF%JvKssl(whE<MsPg&~l}|45>nzp+
zn!&@@1l@racb;9wor9KYySb5Mw*&K0+fDkLwwvZH`{_rT7IX_9o@Xq*f_d?Rx>#mY
zDq%ztjJgh4Vli^{53h_|f212-g``@>L&yLG*ipXJ8-&TyyU)f=AYa8W=muNDz^K8N
ztRoYU)p+$dWGx_M6`*7cSs0-r@)HrhXnMl$1dm+I4|WN@W^xY^&oZdJ1p@`gz~!-o
zT<l-Ko<{NUUn66)WxQ2syzz;ERRWl9@4yo^G)h-kK4Oltaj3ZwqXg6t=O4Z@=Rd(Y
z|F0%;{wYV|od48MCvtwcLI{HskPXH*Mw#Et9z`|{L=^AzF<LafShtZLBRCV1#-Y6Y
zax{w-p4@epjKL_)Ms*h?#wzZDyuxT;F602(|H@#*U;+EF8OEuV4+wV*#|9$qIVeO|
zFBK_nojr=EZX?eUBkSj^kX_(F=eF<egk>nrX3pZ7VOo_t1+w@G>>-E-(2Opj_A`1`
z-IGp*BYOexf5DUfWuzI$#(&Q}PJ#)%dA7g7HVS)g+;mEu=!>S)aj(fYaoN}NX+B)m
z@XAZ;ufG&Hw{<=GrNH&q#28UGnRLmr%dNT`IDdUvlP+F^R4|B`1B4H+@+h@I;U3nI
z#h&}-ld$g}j_S@<9S3G^B1SqTQ@hzWAR6LXiR#wlTyAAP49m?5k{Nw^w<$xV5b{|M
zN1bmq<j9@porfD|DvuI`&|0IlpxV}umfIsotOaE@`(xiX5WYA<d{z|5)(cFZSRgrG
zV4E*CKxMYjYOC|LhFNmQd1p`KG=&E_gw`%0AW6C1GQ47kw&m(A)w9mkvt}tg@*=eC
zHsnB4hUJf}&ObI<N0&h^BN4R+pd@uC+zZOSY!Jj5D2$^^Bjt)bjsiNjM{zv};#u_X
z|0xK9#|eybpeqMK#3#l$qxERg|0LEys{gO!9EkIuzcS}P$vOY7iJX7>cjKIYZuvyc
z59WE<un>-s|1xp{A~>;M*tstkD>1>|jqnXJ{nq#(Kef*yd9f0#^8dlwO(vDNwfhE6
z6%(x8XW*JA2}?;OE4FUi<~Hn9(zt`I+=iV>T6wUQY}j9B6_44!$JxdI3v2iJzQ4`d
z4QkErsAEux_0SDHoC8ZQRtH2@Z2)a|^B@j1&cIee?FQXri2y@^`lm+>O%Q~pLnR-b
z8dN;2{g${>dmn^*kM>)d@3@dS=4n5PH0`&<)sRGZ!G+L(3&+gLoFyJsf~kd|6WR%d
z%M$(RQ#*gUUVn1wPg(j?YZ`x-raygGe<HI7ir=q4VfQjU)!+#|2{lm*J)tJvxKI;s
zT&Rh+E7Zi>6>6e(HFZ+6JhV7wvu?dX9s1>)`XxobSoF&Uy<J1Npc;lX(h$LtYT)Li
z$P2iu`)Cn}@AWxAT3Anob<<F_m+VdC!hx-09TMPNhTE7e$F2VX+}gAZ7w8w7EBlU#
zUb7N<#f{0!@B#_XA^}#gMBILg+Zs?h2@C0lZo?xqEE9YoJl>3E1agr|@kQ}=>9ld9
z%8R!b)2x{dTi&?%1LJ8(k1!909xX(b>>nbU7J76UZehkXvbR5mph^)5Pow@TMkE}a
zI$B-(daCDlm|CL|2~=DM8}sb5eSjPotM@k4%WZrJiP(>cFy3?#R+?JTAaZb9g8UXE
zqdznw9S@w1=jqwx^(SHP>;pm;F9LS_e+L`op*)ORxBIA>UycQ4LsWI2)&5v#*hWJT
zbTchu31z-N=<e5~v)%521fF&90e*>|C93};6o8QX5G)9V$XnAJCU=vD^|>9H0@@yG
zq}S{9cs=cuA3mcu4IU3z+yZ1*jyd1up$F5nJ=AKjd>VCJ@~C3tYApHWXP5i4u;wq$
zLLz{N+-Ct%IquQ^2*Ox|N00Vg0L9Tr__C1+I(Irx&d9-&em9>Ad#S8P?NZ$RBzO|%
zPyX7KcE>(^GjaY!bYAE9Ez;O({OQ|tO2G~PtaE<sW39sO*n0@#Y(V_-Q`<^U@wH@P
zr2I9r=kT=zk@Bm$Cafh@u@R>J(Fhx1D>ip3rLc^NNpi0VRyah_D6VWiM|v1}e}FiW
zp_K&WmG8^TGw?fe*N|&owwQ%PrAKjScUj=xky81)?qzub4K9BeT9!A@B^K6Yn_$D9
zbu}y^QOzf%>EKr838oNo*SYAe;Y;4?QLA^tw2fv>qdBj<!MQU#O0~Sfs>$ljb@F&a
zm6drGZos5geW5ZgyoA0J^@bV+<xSQ^Fy3Up10UisA`~K$3hoVl%}oI9Z8X<D29qx@
zm)8#%<OZ$;2c>>-dT15YvR!BJ{(2M#O#`po6`%*dxGde4yl3zly)Ctv-(cTEF3dZ*
z7Pub^KEjHj6i0!{?qx!hvJ;g;HKXVhQa}G4c!A|uiLzhdPC2F|_=44x-xo@EhHQDt
zvb;R!zRgLw;oNRaAk{+LW~ewPS-L}kLR~h}($TmCccIlrj&^gGeNX9vax{r))ZPgw
zN}%!h8WlRR<*-s6Z2`WO1oG(9P{+`k?(7!Fu*!?X2Rla)i<E{DrTfm74#eU$<}LqX
zoyz6wyp!tGP-g;6d$tLcg}<~ilXwd{ru3A;?Xobm^^*S0{*t<+Kho&Jph2k5au#QA
zN^842$I|N1inHu{_NhrA9x=zFd9pA~U|t^tvDiQ*KLk8n+RWpKrEk(WV)-{BmVMyV
z<%lsQ)>Y781E~ZX2E@$JDjQ;m&mhAHmZuoC07v79<$1h~6U!=8g8Q;T;6h%Rmtzbz
z3W%k|_~fknBK1%nP|qNh50BZtMA$FULz=qgE`6E{`ZQNP^44sFI19sTBSQEpI_8Wv
z>Vt}5&St-bGqFXJ7Vy%T#W_YX8*`0TVxAPj<OSskn3ICd6g0*nrum#v%I7P^3!H~G
znREAr!BL2wE2?0;hG~q?)|L)?^N&y^hosc!<)K%3cNSC&!AuF^V0w>r-k?6%qHXTi
zGlKls$4Q)I$;Nt}hkX+xOh(w-5OLM!9%;3tjOBa;IhQ)$-56H0M?o4}P7r}hlSflH
z^|qW4gK!-La?F^RoG>s$i{}><=WMc<28-vntpsrh_Pw2IihVB#MKRu`d2)z0Vw{m?
z2D@8tns}9my#`|d+9l2!YtC=sS5o^%>orn4xbG%TTyGIV-ehFPC(fULWzG*m!|vE$
zPShfD4#c&H?|p&ukMcGda@Qzt`+&%GJ-8ibH~A+Ds?(KE{6?bK>Vb7)Iw#p45EXk0
zjRO_K%jjRi?t~=AT`K9$*C^mNkxc_dlT2R$>8rJRgt-wGfUsoK8Vn`;>nH|RxF3Lc
z|AX~;S)+)7%Oa(lJAxHp2&=8WiX^Sg69`2#0cc3#5tJmd702nFAV%(_y109(507vr
zb-M%zwz#u#UlVzmx?S^WN$PSfz*AnZH0x5kkRNhyOi0J5%8gl2b_pON0#{kEK*s%u
zVBYYePz8KpqKse2LUuQBzY>d>fcbYG40)Ac;qhZ*%T8>te~6`PbZA)WxS^T*F0g(8
zuGKFc8mvA2XdlBl7ux91JkNUpeQR`R>e15iL(_2XGDE`v=<-7o=0ii$+TS)b@r8^a
zMmD1^Ad`Kbh)G+!2qB$$2<ddZhsrLu8RY}p=n%9o;r$119Tjn@7%gpb<01+>CEl)D
z*`t^)B-esBokA@W#9CDCl^gRkaSp|qTC~l1SVVsfv6+MrF;zyup+HSix^#;_vCdD}
zryxW5O~jIm)c|?};N$i#Wfi0($*z<*;N=LGWFZ0!4zdDx8N_LLag|b%<t)kGGzIGh
zIb(;>b1rj&NrVtL>NjHhLLTd*$`OPfHHxQ|Zncj%Bd_$T^IW_Ul#==OJqC3XK=?=7
zQHG~qqPu9v9de^!5U&ck0i8p1&g2lW#$RjS<JQyyGz@N0XXj>1ZYOmMF^;G>J)Uiw
z1@%&nV58048C;bUTs1#fvcSH_2$wF&heAdEiK^VN@`;#QDkhdn^Zh2(gunx|VGh~=
z)QK4t=p}rCdF(mxIo=;lGRr+0jA}L>=ZSlG((;@=_U29$0%xfa>@CmZR%rz4GM&+l
zmfR?sr#a7yH+ntgtP37(KtdO@o#DoZ;N}#~*8$C&GjpTnF0ZGGJ(<mOs2G)CO=hqr
z3(i6I9`KC(9;Go4kuQJhJZF{9%vNk6!!5;zwzY>XL*alpU0F3>saoJXuqi1}kSrNp
z#p-86VUuWd4Icv*z3f9BIV1^L(Q<WC{s{{C4c6oYYvu=Q7LYe+4RH)kOv&7RM!_ia
z^_ebCgYIjC2x2$)_zmTxfYQzzH8JLG1+7ES;HpP@Mb!=$=-9ir5Pw4rBelPH2Hp&c
zsne9>zh*BH=P$T2=f}hV=l{h-&VT*JIOp$sXQIrn2Y!fh1L(%Bq#%e#S!T}Jb+35c
zE|)l|lUari<z(Adx4J)Xbze{|2wVDl<QYPqfS3UtHBYru*~X-y{T30gM{*$yA`Zxd
zFd+|9Kob}?3K@D0DI*^C9%5XS*Vz52cbyU@AuFanQs0+dq3@IQmOjW^di#H~rFP!Z
z%eV1^tH0RB+x0f~e0G^OdiR#{p~0YFa6%2|`B42DW2GGD3EHn&Eeb;L`5TaWE{4=|
z{~e^>d`W{J1#W=UX_qwE0jl&H*s}=aM1yV)xd)UtJZu9L4UEPB!X;S|MhMao1}SKi
zi=Kd4ZO&y>qR~-`0bHX4bjASA9tSWbCk_x3CTNtV{q0b#I@FRF)LyKj@n-%6eSQHe
z**0PVosAg~$AX9;pCAgRk##8G?5sb74h4;vSJZ4iFG1YX<VI}xvl6S%MnP;n$i}8M
zgzc9s0BWoSCG$5X#?rNt`Czopk_DTr;I_!3XOAuDfHj4~LUsUw?+46);82NC7%>1A
zSFmLM7Ym}{dhOUrH4Zvh0CzVK8?m=sZv-AIZS4jZI&~&6^!8Op<{mO18gkpRC3D~n
zqu;f<*=-YXYeAYICdy?tlYBtHgX0y02|oV>N=f+>5=>$i{u)KAe88ld<pV}Ml}VHF
z-jVVrHJRSon+bc$%;*^x=)sXP(*QD0nK^>Txvz;gHk~tIy%BS8g*8sh#1*TtXu}mE
zg=F`;)MS62n&8jIYT#I1M>Yh{U8J8*<}AQL#88qaB3iV&WD#B(!1AT*3u@A(d0zJS
z;D^qzPfCihM0HZAmAc?Ja(0=8TeQ(4&LQ0ogMk=Q>>MG6>;O0YKDMZE9$by(1&j4x
zN!*i5u|34#K_}wzL!)s;S@F=K`N7f!mr8m^Kz3u2UUve)V7H*j*jQ?SuDRKPU3D-6
z{F?G%_&VjS4uf<pm^{gWQ)ypZ%MmdR!ln6ue6N7|)72CRoz!Vsadl=7YrzOM&Q)Uv
zX!vU_9gr-<#Rw&#^&3&Zy0nngW^Wa=k}TC>-$R_gvg}IsqaS#Q^WS*tQv1;`j;gc2
zeccB-=O1rBssY3+*pK@7TJp@qwIpvwd@Y$*G`g0oA*gmGp`0dG7Dh%)S&pD+-Z$wD
zXyIIK;>(=gb6xnNMTgI&u_;k)<Aubz92?jOG@}js4c}<RY$J%Vi9<M(`o`b_k<ijU
zj?Gl6|2@n=rEx)S6oEu0<$R0Q_zq&-K#+St$i@c2*f`(VFamax`>whl+MKg^!A2~9
zQ1>&pn4y(or4P&a<gSz<KZNnMlfh^{M1re2<UUg=>8<EO9Z@N}8<aq5CP@c1;R&P*
z#z;1@7zg0=Q{n)>N%XKZXz)G~5hzk@Sq=n8EWJ6{E0A6TItD2Gg&-v$0*9_PP&`Nn
zl`17U&XW0?Qs^an`BS({?w~!M_zy8RHZLqG9qIxiCfb{6!&U^&<)%T@$?Yulloyw?
zb+B0hML<AnrV?I53J8}$XiGBLCK7@T(Qfx3Q7yPEborcJ4lxPlW3tAp(;*$u15`c4
zJlgjHDcPOO1ijmf8QF*UQBvZkqcm;v(QQNQA0fpm$K>+}m-=UvLoifSvdiZef-jxV
zm8_b3P+j3{7?d`Ge+TOATAoxVpWjMvS4$}cQ0dF$h7pIj9JkUcRE~i}@Y8qD22!T0
z@lwDToWEt;T^d3_+(K&>ar9W_Pr$FV9JOn9`y&rwB~cf~nhya>Jwkw`=PKCB7%+$W
zGA|0#iokVoxgly;1C!Z=C5PLw#9UO>W=Zsn)phMBu%<_WLsU*$D!Pz;Q9UdR79f@k
z35f>PO!TceE?I18s?fT1@Zdp;QW8{u=$RaJ)Szg@V!Xqhpc{i|Z!;D*cZg2?QTjwN
zzNlTi*l0c^4`})O<W9@45E|GdGNpI~+2%HH7iatmhC(nfTtH7I_4Uw0nwlDV=%Olw
z9=f2KLl2FRpc;cey=_u)^AYjB)@jRQReYpcgVW@03$I5p#%fX~jn;J<`4=@0iPsMA
z<26mDE3c|MIE@H>UAR`i=~`|wj6SRjx5nOrpe<}KG&i4a<E+|CXEb`N>TaKcS(Y;&
zIKZ%`)y^B(=Bq8jAL;&6ZlS!KHtD}{4T_ce#FeFD0TN5S;?*auf%jZcknuX6&7XmQ
zv&?J~__EZM{FOh0J&!7J)PU-&^0K|x8VtzoJKpD0bMgFdv1gw;6Q+o&c_f3-mMIJ)
z2!}n!Uq^jDQjZv#iA|Vj=gwvbQcT6m6KBHV_SYYRPtf|Twb<~D%`U^vUAXDC?#AC9
zJa${3$DP3M+Htp=vb>C&Fm@W!6!%kvosJT+`nqj$hYc;bPk~+nl$h_^$**n!Oi=me
zi1NUQ))!;9t9?JP<Y;}d3#pT2IHtAa8&~H1r#a`}Ig#@(-WTWmF7UNj<SFO;_wAr2
z03n!Dt5?CFLMCa1-w?mO_fa&`O*Y${3y44q7F+b(Fdqla_XT+;##RTp-+~s7pnuR!
zJz&^?!H+25TOXMRxRCc}2i@r?f)fXnKl9y@a(_DEWqm)%ve+VoH?W{4-HBcV%c6v=
zSOfd9^8`bvqYPUp%OOIrp?tKk2acK;COdnH{xHNgNXXg-hqghW4&h2iMzDjqybZC6
z7ooZG`eU%zo;-v46nAFOjfDv#bXIX^!L_Bh(cFIS99TaH6GfDpDbT#<kv+J6F!(?;
z-nwI<mSdx>>vkUm`vgFA=n%Hb1>Hx<`-NvMPs<nqf%$y$`h##ej6k{_r3R(?*eF_I
zsdgWWlgB|qGIfmb3n&;6xvv&$ksYn=cI8lISgO=A>;iM!v<-w&be{j!`_FGV3VN^S
zC_sX|HOC;O04*4B_95BYhzPTkzsuIXnaNEYYdE4ncjO!Kg6k<;Y|1)^g0m4Qq_4g}
zz6iOTO`$<3bF2zk_7tp?Eg_5CV0D%XjaGV%!zBa_wBsH@A%fFzfGqoE=_SFhC}o*J
zqjR}!i^Vyx*~(tK386EVJ?m-!0sTFAQ15Xid3x*mJuVC+h7fLsYN8;J4{=pQ<3R*9
zv=a`15AZ75$s07a6R#ydBQ4M#|HZmN0Ju-X&KjI^8k|QLyvbHp3(5u?8Y<r4#FjyE
zerVBV#r9kf0bwvR%Jt7-6V2p0BcLnGo)ef0#k9Mh6V&j1kCA{tDl!@anc_YLMm{*r
zAF@zIkZ#Lu%3ZdCa;$5-ZQ+XYm!3Bk8`R|34UzlTgy2$3@b7Fsidi~%(64!Pdh(!Y
zwpc5J_vhF`_<4YkasPlDFYWgN;%Q(ymBZ#P=f%x}GirZ$E1EmpO$d<EJ0m9fj9ES>
zY`pHXUuZc$UQ*%0`3Nu4OF3fMXp{TQ<{oUV@Z1Ib=7dV|dONNM@wok7{CNbw-T2Kt
z+?LRq*j8d}U2beEF#&Ara+BO;mb*FdgQLJhE5`EjTt>OeBzK#r3BMf8wOxl-f*i}~
z%_F04Q2s_VA`8EC{A~DH@EbuJ2J!31Pg(Zp+2FFr&f>~&Ww`d^+K=l1t^>FZ;yQ?H
z6xS%OBe;%)EFl^r^ME-T$Am^5_TaY`zYX|-Tx-_#hPP91$KUHckENiE6R-hP#Pf#4
zuZ)E13r1r2&l$si>V?mKF@kyz-Hlqb;p4z^0Jne@ACGhTc;wP}979`>gEDVtxF^p4
ztt)B~oBYK2mmau8i@;uE@<Pvo<VKu-ycTi)mDiFpd@cExiED||A74wp@x6&_iGarD
z;n!ATo_n};xp@^je<zLZo^f3#+{NCH(a}dH`D0EYkBrN?eOx|Z7$Xp)r;p6?$3%7Z
zhwlN;9ajRdn^FHG_&tu_)A&7u-?R8Vk6$-_poJ{ZLKd!>xMt#-j%zxu4qPG6KWf9(
zhO2-pTw#w|a0OQzPdoY;_5mKlFN&Y7avbfHn9=)jw8Ed!+i`S)z9EmEHi5Rr&2ext
zxMp*N;eC8A7b>P(jnWOt9pW{&e%&a|OFk>k>|~Bxi%rsWBu={Z>t@LTnNHqkNj@tb
zQJ`9fw_nw9xX%>^z3t;1GQG`o2Y^J1QJ`;lA9NstxT{t%$@>WQ5u_d<*u8+=DR-LG
zN5(bhpxiH<O3z`Z@*pb_x0Ck^;Sk!$T9I<sQ^yN)h;NDIwM~UN+f1UBxsXmmYe1TP
z{ByY|fRzv1IiEx7i^M%csfWN3BfIrn1KXqpztS|jL7FE+dNxS2)PpPo@6<VZ@~3*T
zO3XVT?ml(w#KJxZTb#X)0<W3~oUOYNUs=%C5_$jNQ^y-FK2@u@F9r_UYOy9Ae_-U@
zhQZ?xTvQ-=R7N2Pidcl8pc>&GAyatl$36sD2%2HP3rTdwg^e8s?ScJ=yN!>$hp}Hl
zHiX1-_HP*^1w$2M?;*qJ27^PeOvY>zVBK<mHpl~;3IyNY?I;~;==<y!5W=u5qgB{~
z3h`-xB2}b5En|P5zAXzLU&QgWbTpWTkA<tW#nGD~sk*SDDH(L@Q&I<UQ9jB26i1dg
zyJ|MwdKbGIujLMGtkiRFMDNgM-a$QkZYq`CNq;)enL@VKpbmv1hK#b6AX>ucuZ6Xt
zJETPWhL4qo>jD@A_TU_@!12;jDt1*RgUEL9#>m<F%}#<4-i~81w%6@OPwUv@Sci9P
zM{!SVg_HYNW1SAJM<~%zbT$7-+tFagZqSO-({vhYgdv#vES@?~3+4mC)LnGT96O)E
zHGimzT~`QvqeFr}i|s~cANH!V??S=UG7bUS&YV(Usk#7?eJe_^gj>+=(wp(;#~|UL
zbSUJ0260ITk(C_>vV!iXhunvZVgh!X9>rN<$*VCGPghlG89m72VR<KMr^e4cOh$1C
zo{FF(1<Rg*qhs14F6=Alhx7!K@LDd~jw+21k@lgH9EqRerjGigWekG$p&X25`dK{F
z>(r%Ku4AYb)C6q;2e2env45a0!YIM!;)axG-E=WjlIjxeIOBo62h+~*F<;G99gs?D
zAOWGQja>Aw#q`Lh&4F_!T1z%une$_$;ENdj5CK1@?waDsan9f5naKI2TWWuWbLYOI
zlnBagxd<+4yapy4v?c+Z3k2uvhPGT{+Z7PgaxTDlt0uzqnk~PEy&M8X%>)y;O96Tl
zGf@Y5fY?y}2^`|GI2!}lShmBm1O#E(4XJmDQfeFOl*K&o1BX$vd)N&$70LBCbE!Im
zQVr6Sp-z*S=3!G}uOw4Sw8Y7Q)j!7zDq+#YPl^ifpem~TIQgMQN^Ccv1!{t`t07V8
z+DUKx77x1_SoQ6sHjugKYQLo_$YHUW6J7}Z8EiF<F7f5}0uCCSK}CX=Npc4wzAZ%o
zOR=H;FZoAaaL~(r%BP)CtNi|K#nM84EyXfG_Ag9vINg#oxikBYrgIyRv;JsJnDqf}
zpy(JV${<=JRj4<7kW0Xwv^t3Cx>>;$H!E=Q^vbq{o0`vxIl66O%9w4Tm|H7yJHw&k
ziv*wFT^PM1Qv;=8lYJ71yD`mg0c8t1B78g$O-ap5gqO}zEcaPP^G)I`gJ-2l0LmwB
zHkx%_0G$}koaPsJ&YsKUl>3A*4!R)|OS-ej0Q}nJ@1wBNtqkkv3}tb2cD`>`%!qKY
z7{zaU*}J!a5{X6%WsU6Vnn{}KH?bZhLv3R072NooulmF+9F0Qv;0n)U@?kKNwTzRv
zQy7fEA9~qUc&nIwf&20-hL#V-q)PS^YNnb2&tbYe?`ayLZYw!tlF%%e1L*`qQs0{T
z(_wFf;9ucPrFK_&?earLq;x8uT-x$Bw0sw=`(EV0JZNyhtcP#_DKWnzLTS6QMVsH`
zEoW|hjwxme-m?UB&n#9FDgw2uL9l=S12hEsGg<M<Msmw+&N9cQ>*#<A_efh(;9Rnl
zsJREa45_YG!KL(seoQ%Y55Pr$_SPT7fgQYTZWJpM6l?v->ru?wA}F+d982O-tf5AC
z)Y)C10u3+MZF9OE8{5cihBSK%^fp65gCMT+TUQsj1!?6NigpspA^~L35sjU2YImq?
z&`UZ#nIpz30q8;Wh%A5qXDsv6q!~_f(jXM+L+(QOliL<pGQ-~dI_8aDR~Bjr7ExvD
z)Li$#mkpM#YvVi{@J>naIv49S_9~537iKGl3ZxYyve?u$ceQyeL;EmX|AcI0Do`41
zINSh%KjOEB_L-z_4DBlwXSTVlg~{Snt;_-K!W_EO*zJxYzoBbco;6uVE|4lY$~j``
zC=`(2t$IiOR-dy|${0giFqPx&HmWfC0H=$^xc9KcTY-rPZP{1MO68!jGK!!s3(*sC
ze(}nj|19VHKc6V`m%JF~{Ij2&$oY4H-lFIM94ASE+mj`W&7zue&bN{!LLmc=!`$QS
zgek`^zlLnEhO`+9F)IIthr(1br8N=00Y`+EwG{=R%1q>N1(qaB39{Q^Qfs;rQ<npX
zx=F_l^6DWHG1`lvC^kcZtmSgUpg}CwsQ^b5w7E54d>X(gDa%`zeZ{I?=WMV^DS-wp
zS+aH|CabV@_-VH_yAy4|T19W*4@bRdKbmBJcsbS()q(L6fyIPfE_Bk=nvjbKzy?Tc
z(JRmqvA7DSRiEseHo;UiK#>gZ&khyxNCsk2_Mv580gI~gutza&#G)kI*dVKSf)QqN
zKSCBb(plm|WQd2^hBGDdOJPk+Lde__qW^3qkr>kj7_Ti#_)D7>miw0x6Rk6VO4wJY
zV`K(=kT3-QRV;$zZhXPTv?6u$re^~&q3=^p=fI{J0j$?@n$}ffP2NFy<SxNV@6<Dh
zhk>NYWvN;$v3D3^=g%z5Sw=pE7XU`d3)NZL$s_3;2xZ*>|IR=GpI;4ky<!0{y*)3&
z!$Gpm5?QZ5m<ZPlRo}TOGjK1e7ql*yHCeIC9YRwluly|R+d8EBm(&D>!_3!Oh8jy0
zGcBq&x0M-&I*sBDL!E+@f>sXbTx%AVjW>z;o{q1=Axn>v5)_cXwbZiQEr%`6i}f$&
zpU^v7cuWf|IwqC1oaidCG)Y$f&}ubV372yBQpaBbxSxh7N-;>&5Wya+#x{=&vbV`m
zlavrxWpN?+B5IbBaVw}6{0%IX&ztL?f`JMPgO<Sngq96?|FZubyAS&&T6Gz_j{)hh
zGemJAyH7n`9r#m--@W+#O?Dpw4&8e+Z%j}Bg58I5UEb~!EB`Js9K>%welO$qJbusO
z_Y8hd;|E>*EOhbzq1}gLLZc2F?t|WrUp9Vm`_2D9yH8*}YSHaJdAR)&yH6|HLY5)q
z*!~3W+wtqeFK!FD#HK<y{|1{1asI7Wv>$CdL!AGXyDqgK2@lhE_A+~Q&OhFMRDb2Q
z<j;I9`R9pi$;xlU*OI?@C$1$hj`4oS`#NeJxsu%{*8fF7Lm__4@LP%B-T1A=?>_vt
z;0N0IU$Fa7Ws0^Pf1ki_7k)2OO5A4nKe79aSq0#E2)g@1Zb!Gf{|@j>MAGy@3hKtb
z8@RA=fEct_tW#RqS!G}=&ZF!LWE<cPboY4>Fq8`&mLCb;8{V-C8Yb2TlXj>so3_>1
z@Q1wth;;%z8tCyAJaWSZd49;Ok--ye*fPbPST+U`kg5xN{l;|#MSYN-q)8;4YZ*~6
zDKNZ2T)^%TAPA3jda&puvb4@5MMWy)#sIWoj&5y0$o+_OVB-`eL2sA*k;Ta^6PrG)
zsarse%ArQVM}bb%Eun-wO2GPrgq9O)AP=JIAa912LCWzuT|0*L-nI!5#xb~E7WKm#
z^Z~iYj5vBv93+a9bVpJe)QAS5ZFXo2VxvdmDvjN~C+rtI%=HzjRkiC%3KF?WLy_^;
zwpk_Wp}_ftC<RHSEZwA91Mq|=ARS4NVX)vm@`w?b!!gs%GQY{OKlWYR`0>ss<pj>>
zkssc{o$@!eB@}KIQwvw~B&?1Gb#}1K0qH}UhK$l={@zl!S`yl7j3rbD^osl=!;<3_
zGho7T7HhnH&u5J`sHaSZ#R`p2*`e!V8=#A!;fQsAO^)QLH^uv!;;mw<$7iioEF0!_
zBkNb~d&3^)CDjIogUBtUGu*65QS?@DN`o8IC0o1=&I6kX2^KZU{_m2*j1zhx7jfkx
zGjbn@7VaMG0zpg^ExrzjiV2u9&`oFr)Uu&YOFL1vl!XOax=lW95|f(Xw1<^%OA<nG
z7ZkXoo39;mryF&#Xb#>`h*T5-oq!xTZ5ld$Rqya|GoquT0B%LyK@;+uM9hxp@G)*!
zi>lBaVEGbF!6iKAs8{#Wj*-Wo;RB<oz{w*E4o?c09qJ5tG4pJwGg!^Uq+oS_mz$2{
z4y@PUIqV1W@h!pt<dq(2($K3eNhq*pF2dn-mOz;n@SBy+nz>!MVR2!pcy*~5lisHi
zw3%FbpJ#%y=pIBuhl&YLH!cL2@|ytYNRB$hYvgFQm?=l|#AG?@l3v0A$Z7`MkSK}}
zj@X71)r`>o7Y&Kj91!~41Fvw2sb||_xVBysuXnyF&V)jTGGZaF&>8J54+8DbKscOR
za6=PBy#b@AUWY8OAc!+?O~5tDc|c5y+@|NJwIpz5&i_8={QoqO^WT*m=lpL%z#H#{
zCSwKlnkz#Xro90qv~-J8l+>Stj|?B4Tb7QIkZ^W?4dPdln}~}6!$ZcQ{SMKTG7M!{
z;E95ojA)kxe(zw<-e4ec8A0FgN>e7N=4gOHz0GgH;epU<u{n_Jt%F>w9_a&1A8-zf
zlVSDK<u~an+>$jw7rH&He<4ka?#LejMwjWzG?$u0G93-PP*uTRMcqEAA3o(X<u#j8
zm-}1YDdR=|!1|O@C?ytYD@<b|BIQitgMO1=t6=R23<cMP=!&zrrL-olw#ukYEK_d}
zte=7ni&GHeT*0117!fi;^_d!Im@<PD=79>fw*ZxMbH`+IpH{HCQFxNAf>{ve<HPJ#
zrw1BRz|T>$fU}Vj1JDz*b=86UoJoJF()E{3_kauZ%|<t3QP`ooJ1uQ1J1rzt-`3W-
zmnOkH{0s$P#ga8}dYhWsM9YE;e#l9I-T;Znt;x0X3>{`{642)|%>*@hOx;17z_zEe
zHSqQ8ffJ;IBW&-U9SnwK!tc~7_8=*^Ege<j%^nt_d!KqMjlwk{oS{R(%2n)_%lWE>
z`929_3m^9g`-`5W+N-cGEItcxT87~?-;YXDzNqi|Vzl%+L@k_h+jxXYdHL~=cnpgE
z2skiMwt!gW{W;a)I*M`8n|?LAfpY8srXLFXe6bLN)tZzYa%WNt*v-0`1_Lz*N%H!>
zi)g9?zicvbNYwCMSlj_g-k(VYKBkKFR{10fb;ZfN*{9r@6PxDXj{xCeD&{X*)(f^>
zhqB!WAVCXJh~327mFe^GFalVhu%o96@f^6rvK}nPZX97vu-MjC<{0X9VB3pZz|!;>
zm{QVe3@|LIddiQGB9~fB&9B8%ptw^CGFjqDkLpPRn0-8HyPo7AhqYVqo0K%gBVbm)
zCZGAZ^Ry-9z&dPEMWP#tcq5;-96l|d8BRGcA^C6wFXS`lzmVJ+G0%NdK6BxcWGlhH
z$dlO=aIxkvc8DWldWFrg%M!m8b|C^+Pqh%|z-`h)Ht-W#qmou5YV`#Qn4Q}xE-E6%
zD$XwA0ksHbmgXaiESRBmBPau{zL@eRltKOeLdt7F0h%asWMeDf3&e2&B)f>SU@AR_
zzk5%e5i9Y5+-splii1++UW${(Ls>e!Aa?LEN9Sp4)0x?ZiyFE_uaZ{tic7QQ)9<Cc
ziP%_#u$(gB#i`W@{=jPrIZ;YI{I$}6=vhiQm3V5ki%kN7&}^ZjBDXtqClg){xdex3
zman;p8-Z@l;|6Dd%GV6zhI<a=D{2uRt{~3e`<F|#h$%<N3!VCZF4ZD_aOJh+1HP90
zY~ott{g3!s@_6^ewS*e`ar0{4`gaxKMGdj_@O#J+gE()6ICX`Xv_hH{SY@=SnMzvV
z&*uZL3o2+Y@aN&c>y}`eYPx!=B0%GiPbX5DDJ#Up71GqJr>c{cw7CZYubb3F{l*+j
zJLPhnnhj1Fo9;y16<#R+AI$a}cL{66^yX@ZXs=)ofpC2C2g8vAkQYFEQ-|CRi|FuM
z*gE~q`N(d(X%5?)kAMN-tzd8N!5xC$iYP}r(I8?y=3?VbE7Gwn6D_XB71E+O9~*L7
zFv*a`cFK5i=7zH_!zt@lct`Qon=Pi}eW$7iPa#P2!Ex{DdpN==YaKGFxKifPd?lCW
zqxY1L@{i`5H7=k2YC?Udrpq5(<ZI+Elf9YNZ1l`wZ{Cl)s{A2LHxm{|e5=Qxw@+_4
zK-inXd%#HtiJ5Z-#}-3MfnbNF4tZe?LQrVaxi?^^Zb&-*k@6W5)w@w(6vQTr@)nF^
zN7~$<%YAm61Mc3>+s)Yg>g;Klo!i-5Jt!u?;DrVpeqgY<I!XfDaNzI*(NgI>2$2F{
z#k)x@%v6!HWvE6J{0{bOv<1U?VaScyg2mI3EvERh*^l((k71G1)~&HW-od#oe7)e#
z?C0nZ1b+mViItG+s(5@^I^xSPX|cp%l}FGSUs5z_J`aS;4oZDobj^XN%%%W1>3Hmy
zJL3yJLfLZw)pyDrMGRxSEQ^4WX#F5H;*>iZ7~}iDu#?{?PHvomHFR4{4xNJ>v4xmc
zurRz<+u@;798P%k#WYygii>Ex>pw&&fns_6al8z-K_&ouwD_&+RPauV->9a6q%D4v
zny|}=t9f<UzK3G15BHHQU0#mvDrISi&9q(w6Rd4IZ4aEPj&}B0QaUjz7twr<sQe>M
zhz~O$4j`$ZQh;~Hs21uenw~;cTn|X?(QV+RJ+;mr3AL%yYMaiX&=j0ntZ9ij^cbZ@
ztKYJ^8XizRgsmKv>y%Li>XK~7Kgu6M6CyuBuk(9rhuvuau$}`z`~i+^5=8H4k-bDU
zD7GnncG8eL%^^)WyxunCP6=QycA3q1c)hSn{h+pKecH#Gvy*5EeWVCi9^yI#7X+%q
zNT}D2rIJGrL9v{oqu8%iJ5NirzcSGD5n%~9173o87+AvLQ>Pj(+Fx;B)SvKh;>_41
zq8cdVQR$gW>*w6EkrZe`w&M@jkYz+KQQlUD_1GvTpIEpZ1A3xbc#4*1$5Ze2=_zR5
zQ+S}&A9<ce9!jBA9n<SLd*_o=$MA$z@wiGaKyC=6A{&Cyz?zqW2)VQ-_h+8628j7o
zN5N9~&A=)5z)2~3vMhS?fq_%i?3A0GoEdn}MOsALl{r7+?cjxedLrkqz9-K4?*Nk+
zuSF2E+f0Mhi-AWApF#b)-yXtKMqMi&VXk<l&qY=dD;B;(;mDIvX}EjczBd7Ts+K{5
zimvyG3rgY&vK=qT1N=Qq7BU9lanxzab!zEoTdFGw{?3Hfw34>8)`YgswzQJwUg<Mz
zF~MAE%iwQ?=3dcu>j6<{D>b_CcCbyrMZCU^UZe)jtrvyBIk#wbsUPCpgTRtJ@$)4P
z$ynMp$%Sz4R);jip`F49&4|0Bs~a)(R->o-B%|GR@Ep+=(x`_WUQQ$gL6m$jkRe8}
zm!>yN@+Nz4?3E)ZaPkNgF=$!X;3-~<gT;58#Y29tGSG6u{?DD|*pahjq5bhrbD6E2
zeE=>5EG)r72huiB{Pr!SsH)nb3{*kE4=pu%@XearP@p5fmjf^#G9M^s|A<=g!3MlR
zvm{HGVWF$#L}NOT;l=q5t%8n2_~ToJ{NB3V=;4x7Y7|x6V}7li-FOsiuOS_^D>&r8
z%jiZtK{27JP^qze?IG*%i7w;9V)^`i^^=sa|Gp<{hA$e7O8Cj)i^|(bPUgwU6Os)+
z@>0?29Y;W=az8!;;}x&p(T}=e&dO326E>V-X*uvf-J<5au5@-8@&fl74Qd{SI6aPv
z1%%qQ_|^$<QDQNNM^RyZ)x(}B8O6W_DY46KSQu(BB3nzxHhjLp%g9>f>q^Y?EmuwE
zD3DW3shg4db0Q!gJcgSs%i*MHm>+AdXc>M-O&EU1`40Rj?^Jl%3S_SE=Xu#a9oy@a
zS7WYc3WRN-AxoqoYerLcQonFS#0rdEFqOK?2ijAi54G}16?@-}XdcRjfuo!SJR82m
z(waIzg<Y0XIXbeF%GO`)3^&XKB`3Eflr(op=dw#K(s>_V2D(Cdn+m-&T~DEP33e7P
zHj#a<%Sr=H5%XiVm~X)r6PU-Tl1wsqXB*3=$6u9#eU4_a(IkMsb-j2K{<_5l_**MY
z;SuOO?s*1sqZ!rV_}6!M>KUY}lO`m62xgBetHb=HS)8LWgGbO*u{UtIlFL(N9<E~F
zWIRvJy0Es`17i=GConK=;)1Y*TKcxkL6U`$!<meIQwtE6EK=_fD+k<D+B=xIT&LyS
zhZNfk=i)vnrCV;VVt=}kXA&1-k0SKig&;D1AV+9}U4DN6VM&e}=i-ylSGUYoy0CP3
zSSi$C0y|4hg;Ya!61j`=j?;B5r=jZ-o}f}^dSA)5{%Cr^ZHUtQ0S1JN{+3#CHs31u
z_i{s)LHf2|gLNdGgcsWJ1f-}{*z#o%Jxxo#x#@vE80NO7Z@yM3%~Dp-NkcR3dn$9V
za}eTAmR=BJZu4k|5%#an*3&g9r%EHv|LB!De}r@XrzUd#Z<^wqzwGox&L7`s;9+D=
zMSVPeJtmdIrECk(1_PI%n^Wq+5Hp>{mU=5cT7bLxU!oqxkTT2Oayw>{+~_b%RRxXd
zQaK$4A$?6*JP1N<8L~HDh1WZxc<>t`$T_-T2V_~8E&OO?U^Ed{5I{LcjUgxwf|A0a
zSlPE@Z%@SD+FK6e4ms>CJ-AUC210HIYrqIjz#?R3vXQrl-qLYIkbA`GW_DSj0?uvq
z&hJ^aZBdpY&O=a^!UhDnvGG3aK~!9}&{m5AihuywI9uDCrQJdzp_97BjYTuGvM9Ms
z-O+8QH5^?8NtQh4+xDqBn$(YBLe&+#P<(dKU{<kYECBNU1!yE<N91sN<l9(410WYM
z8Mt8gLan4NHHe|0L~1@k;?^}7H9$-;Fw}RD#UCQpgxHa_a?uD73X8mWb-d7632OZ7
zh`7Y=9~e+JL7CNes*mC5*byB^5Tk*k=%zcJx79CoHd?mbMv-r;91u6@NUT9R@gqRH
z1F!KL<&FWpD$Ekk_<mA#*&J63sGD8s>aS><5Dz-C;qx(&AHEvcD&Txl0kH;PTsTSu
zVjrS!h4Q=DHGhKfiYDWnp#+4%4kZdA;*4>=odNPO9*ttsF4(w-5>5PEGfY;TVMY_v
zuhq4m9gUF$ipIrAA{vEaBykqCvPlR^XYp}Kr<5*MV(&tu)wzX;*#YF!=2Qiro?JFS
zjkMK~cc8+<DxfXWX&UMbj4lIrL5v+D75M=h4Gsbdh$yyb0HD=h1~*}f48)FR8MOo|
z27Tg-X7H}aN`T}{H=B0DX3+v;1CImQ(5X`Fha7z%ss#o-N@lN$z?KCp`ArDDpoyDx
zbbFZ<^n+E9JN}{hxPr?CZ4;O?#vUhI0uXJ@0>z;>iCzzDeFIzjV+uFW)$?WO!dY+}
zU9_p^X#R;{^+~cltr`iI9fK<hgcgMRES08ku&fVDW3Y%4p<xI0L>z3Re@Ty1FG4S*
z^eT1)m17<PA`ZSG+%b4Zz&nqA0a=9Ox=|djKWgyfJh}l7`|J=1!-p`jH}NGKGzS|u
z+{c0?5Z=%3<kh?Tc2bj?Zs+{<T6r6I$JI^S(ur3~nFZA+r6~o~N5wQY33CAlTzmo~
z$0O-tgCkAHu4c0|rD>~PDp}r&c{ol~1lIb#3~O;B!={pA(2u=YLIp(V_U6CCol=Zd
z$leUOhc>u}>K)j)g(Jy~g18JSEc}I=Gg*d<nnc<1kc~u`*`q15i1Yu$741he{*yTW
z)7!xLC!VEu&Ghe*7dr8f&iUbm_QucB`|*|6lE3h^<R2%lC3U}!uO)WK{NuC;3a!II
zCPCN)(`h<;*iVt-^92(lv=Lm9(uWd^I5wu5`nxHU_1+%u?^%pE_4lpO6td-Lo70ia
z%jVH>kuc~trd#YSd+|a^BqTkLJ4Db_sXvt)aZrB@s&p&+&M1^eVsO6~OA#9Zlgd!_
zpW~&^2U2(y;t9!Fwd|I7K74-5%iQs&QW~8Kdcst44kcK`EPVL}C!Z3S=X5a0;$@bD
z5Q=8U-#j_)&3mumjg_qg9ysTi$RbD^0Z)ni2_<x9HgI`5<69Ytm$^x(xrz%A6g@wQ
zsHt4rkjcJ_iY`+_e#a8G&HiK9B2di+RD)Ple7+Xa7mhqE$607CN9t3RMK?hnQEX}E
z1Ln?}Fzq6vt%<Ng#I|3e+Db4N+Bx;W2zwNBx(XjCTUVo;szzF+qQa<#9!l01u+|yM
z+5N~-?c=B9>)kT^`LaAZ-Yx3I4nscoy-$sEkwa=?3_tXm^9}$vMBYXmuMRcyZ-9Cf
zdO1+`UqZbbOf|l9Bk<ict2C)r`Po`psoyjOKDhYY?W(2rrQ4_Ai(fTJJpQlr_oWK}
ze*DkDAK#CMr%wI;UR=6bHsG(}skYG9aXobU(78jMZJjyxKVjc^(`gG<0Of7-F*)qe
z=Ke2KbG%ot=lGvv)g$3wdBuM|bm7peZLgx@w!U$#ICS>V+2s9~wuN;9wa0r;9SgJH
z;Z7Yob?nr!;~$0jg@sT2{u}7ciGQWPLoFo0xI{tkYGPQw8c$jWfsXL;-pgf9ie*+4
zW4Yhyye!b{zr8p$P2bNF_&vw@wm9tM-f(iS2peuJ5RB+~KMaF?e8VbP4I%ZZNu$Xy
zz0lgGfBYJuBxU`u^W)QA9!MrKVr0Q2U|Fig*YL1M$9((&m;mCW!mr0Wj*px?eZ2R0
z-|+z$emaj|ICVTsTalX17)T8`u&p+DcTU3b`*RY)h#JR15DD#&Xbs_$);y3f-;NVj
z?y$@wQy!>$V4G+@Wug?hKN-6sv~Bp7V*(zPWcxEcDV?WN@N5a%a!xGBk@qJ9B&g~R
z3t2maaWITLAspLVWIn!t){-Z$%=uN$`JbG~`5(NCbAFtn`tM-A<2irMJz+#Y<kS`c
zF|%rME`pc=lNi6TwL?iVun6?Ud&0*TAg8_=3XQa28x(IRf-U(5sqtxIk&c0Nqkyj`
zc+%Bzz?mGd{P|2VktrNHdtj`RQ`WUWDaHb0fN?o}a^^}rqwGJmW9}I?b)QVV9|`I!
zr>u8>A>*=mM$$_+|I^9T`zYg2Kqkbel*Ox|x01+4vQZS`Oj}~%*Tory8%2BJ7JJJa
zFu)g#D5~0E7I?#`3NO%yhvYYKV%R-x%Z<x#g{$H{Kz6=mZze^C4w8u8y=|j-ugr3B
zGzgn6-Yl~;F{{+x@+{sLRFBwOcH$<+5ar%%^>;iG?!vJ|hx#u=oi3?C?sch8!0{+;
zf>%v`e*~vnHoXx*PW9n-Ivg9(7QU38$VSXvnSDbnEfsH&S&BGWW(ksO=+zF%8F<|l
zsle-k>Zo)>EV7{KeeD%ZixkF^r^S=sFu1^q>4X3j6%+H1M5g0D@OmIJ3D>%3&~q#p
zh(;IK-(#7DBYeLDhw{@=VQ}81Yu3j}j@)1iuC@d-gR6z$YWUj7zyZU125lihsBQj-
z`9nB2;}71(YGo$h%yM3_J6{(whKg;nnCyZw=G<4`uimaKlGPj~>d)@{z{Jjyqh3kX
zcahljO)!Ot&I?c|hMj*!e^)uQ;DeUngSOy<Lhy#*gIRQ_BDNdot71Y-Q%~nIVOm@!
zv_@La(Fg1FH7XsE$G7PAh9rbJP%1?g)43vbj|a(wDxAhfDoTgFgD!dsw>y&A5u&z~
zMrMMWskM;+mQ6^vFhd|wVA2^%{5BHfE_{272^h`S<codwAH0P@rEK)2JmnZ-yzI?S
zAt`1HSqT}r%3Hz0Ih=7p_q(}@8MBc!>Vs`&A!#m4M@pSt8%;`=2PUw4yYc-hrT`d#
zD#t3=Z*U8TI*vSDdL_e%LMP&04d*Y8-H3xL_p(U<2S63<J`N_m<%D$gL@;<e7EWLT
zq6m^SQ!XOI5VqyuGxi9{gEnYyNd~M47oNK#YiKq_P4<?_baSx}b8cv}pxbP?eJ6&V
zKL8gYw~d<v2u-%@2u-BJ15r<NM3Eh6(`w~n=f@T=S=cDn;a?X}uMug6Xs8B3y$L5Z
zQ9&JP_C023!!euzsFz*eMV}tjiyD!UBh21HV#F5=NE}Z~FNMHf9fR=7d=5cPhZX2D
z$g#JKfWyTQWN-c$4^`}iMKL7Nw<XovU_%B@=3XAv#QD>4bk7~=KK%?iGn*S9>giL{
zfAp?ka2pJZ-akN`|IoKD)gp2ZkQaL7H=|mFFRn$*1H>a{1OMr;bhv;hnD>|V6GZ>+
ziEGKG&*N*!GZ>3;Yl)9Xmk>FCWT(c7A+?H0dOxLou^2SYk99jB*#M_QkE&uDX6Vxq
zr$&y*EJ<BbrCv*Rz}aLJBEtt!!Y{8SEW_x7puRl@3@8~g$D#Y>zIbR0Mi$=|1Dz2S
zHj`Zg#~u*<WDxD0w<3`5UID7h>Ii*GPCk!_#UWr-Nfj{H@qIlwd4v2OMqt`@t(&P*
zTN9u#XFP(x=EGIa0}UCWMJsX-hZg;3CX(c9pw`&FDh(?JW%1)kD59_s+Sx!4GQg`F
zinfnSYNDj-B8n%8=W3>;uNG0zNj#~Al5QyqjZ1o%l5&dR3mVP!eM*{C^g~KQa1qtm
zh9r$Q1Y67A!uAGA^wp>Wb-f%Z&<b`^e<>;|iKaqEI}ixp0N;h3x*gdIG936@)lPp!
z>Mi<8_c+zX*|o`1;E?_rvaP5I*+P_x%?d~o!AY^LZ2<HDje@-aMvKLlHl-q@bB;6*
zd%sHx=ZG0N>Sq$Xrf~1(>tp|ZiTYmPwmDL2iJDxPy*Z&Ia9j44&)X7^(Sqj)9khx7
z#e$gx8VuOVHUhS?xD`uLzSfp-Ygn9ISR@*kS1|(=I$uakFsdwM`8^2^9(E%>(uOS`
z&d-92J5U0Ilf-&@X|X9H2uo&*1(jab1wBk*K6l{uB5_V7`}{9-D5o!&z_UL|*}dA$
zEbuaJu;<ukzOZDr)LX6bMzHKtNDj^<aKTyYYPzlcXekKHz&FD|3YpOQ=WjL`_S!H2
z{Hw!NINtve;C}~UD!BL%U?>-tWFlSw(Ry@5<%p*O+`bIZ5aJ2{R>;!oVfUbY$^e*`
z^E0$iV8cCVfu5gu#zM^SE1a43A(s|^I&p??X^Yzl22t1e89stw8dUpz56&8z#@m75
zg!Izj;&wE4UCqwtanZMu!P*Qd0mrCZjdjsMLRUA(1L?mwsWx~E*8X4vcB{>imbH0|
zuE6JW#OrV*(>(j0BSQ~&F2)vY(WV&@1((p~Xq{T(;`e{x_v#z`!4kN}P(lDoT<TJu
zV&$*f94`Bww}<5MK&)+<t+Pr{OSYJVT9N{vCrJmJk4WZHl_Kpdfm#h_#7skA3Cuoy
z=vkYC@>(e$+>@X1^d6*-Z#=$lu9@&nTN>Z|6M-dbC5vmRI!sMkFcijV1+;}R6OPWU
z#yR+aw`5WFAz~E<Fi4<B3Mw=0kM9dsW*%0Rx4wqxi!`j&*n^d@wnQ_2P5P|Ofp&gX
zZpbuX#|)ZsJDMWi%Fh$Uw@$_B<GPrj<44C00=Y*KXa?3aqbsr+>kIEC5T+R;)96t{
z%+R$UBs!W%GgODm%Xc`idRJ5`3%7y@apL<42yY;LDPQ{oLPI|j!N({E^;Vs)Wz-{=
zg7fO^&3{3P{?3HE2)GiKd856h2{)ihn_k}DybsT{1+$bcG0o+wEy$G4>6cG)yOg2;
zz#WcORJbZCJXIAH(2o}3lU>ZIiZ@lV?ho`yxGcvZ&aJ4Z^uVo@gIwC5u+*gC!NH=(
zY38kkSsFixbj{Sfuv$TD$V%sVVs7yki-k*OE8UPkmt;!k>CaGZw@YD_>|RvE83b(9
zLuyJT;>17S%S}w!)znG=V}~nOuYm=Ui<^Gp`ntotwrNS(JrcZzg|O?SnmgM{XSAlZ
zxvpw0F>*_H`+~_(r+Tp%hFTD~qE&dh`So$21)nPdc&uwP<lk?_JCig?{yiBbtQ%o-
zTOA?cG1PJtAMdN%4pqQY_Xso_eDIVPvNs<Bi2M_w5M@~MGy02NfX2eF*9(Q;-DX*k
z-D)geGF|#mhv1*;sS{D0T?E_Zt0~UF<*?Nip_cm~nv8w~o!HTmpHWgMM1Q{oD!uaP
zAn<i&K=t{YVevNq0<fo>@C5!T=3$d9m|0q&z$sZ;r>ne0pZb$wsDG2YF%b7_5@$jn
zps;VFIEDBfdjgOH4I>FY9AwyG25ZUh@EZ!CCD)Ng1cy6<8|pX`c2aPwcr*JEN&v`C
z3Z0cw>!Ofu*eoF4ry`Kt1jo|qnY7qQ_INn#{V0z0iY!$JtCrrBw|Z$_9vK$;1<3f7
zBXmL(LQGuz$R&Hr!@x8TP@;XtV6(xcBg!V5@;!mhQ~G+ywpp%!3<oE=t13f(=g{tc
z%u-zg2q_(6{?<a|s$ij)h@dQZi+JgM{6Ro5?8nB*E6j~$MX@{<TxvsE0R`|%S@f8?
zqaF1c)GTgkP%{WPMNB`em#^l@@gt%tm6gQ#Z@Dt(|A=$`pG@TZ4L8L(|2_XWk@Lgc
zcpc80^eDxd2-uBP3vFo!9rr-vl?t3*FBe6z|Hdd?T{nW}G731~kq(|g=2zO1qfx2}
ze|Y3fQ~xs{YkX1;F<3t*>A@kU@c1j*zOnHWoF{_4qRyYtD|-ulo+)0Ly_o?9Dol-4
zXm9=#5}H1zTJ6oB;BTm9EeJs;Wauh<VMT!{vGjU|xEQwXKfyD6dXm=@`aKn4{{66x
zA&$Io^L6?gYzRRTZ3w6LGIRRP=4jnkK=86ukT-OWPzzZO>(+9pNr0*+z;|OCeW+W_
z-=2RSIrlt+KIwTpEP|9e2Sn5ulsukq&Q}QXf^{kdc!ziaa@gI>4usKY-1zau&VJA?
zW&rI*hpUc^FtNb(B5b=oG~od8p=F1$<8~gV6lMf%^uHH{fRTxNYA5r3=@VkpW8U-a
z*ye&m!}`29(`?H`e>+#(wych;x)KHVI<4HVe}jiThRMg3FlnVao2KB5m>Yj`%#A+@
z6H?D`dldxLSd=<>?zvi-6W1iJs$y@>r(ySr(^ZAb{a&^fDd1srs6}<SO6`Yv;;%Sk
z#+<L!#E#KeHtraW8;4vlJfy-mNZ6&55sb^_i|O^#cpiM&o|%u5kpTNqeR9rjL;UoN
zmkB=C{n0gio>{k+<77B~>Vy4vmSXiTr3XSTQEn&Hg*}IdmQ@)8HQ;yaFB)3QMsRdC
zBKeX6>n|8u-6LQ&p)xp+X`ezlm+TN^pTS3*e7&aLFpgqLp6jM4MjSnne?;H+-d>8J
z7^fg+W0u@ev^$w*iF|I##+mZDoGqF9sKMH3K-}UVRwC=pConm~P3K-l+Q!LE=MLbi
z=Mr$YIkpFZ_9M{YBRHBQU&|kQfgj6Z#EiWqw4GLa=e|u@IAnnikmwN9Pp}a=*Vq}w
z$qV|X?7MNu$8xzV8#n>l>R(lt?xj*y>^_){Xt45QJDNkb-xFvZC=S8fw<&%6#%7!s
zBAEZEvd#~z%Dei}C`8b)tr*@-K=9>ulFNl((WIMWe1Px9lV-`xAUaA#p;Veu;U83m
z3jbeKbA^9M%h(N~R}zC+dHEe{zHFm7M|qWgT!nX2<+zh73P;b_NaW{E7{y!UB^ttS
zVr*}Aen)PP=vW~NE2JqNs@X#|d&X*(ZFxAN>dR{$o55LM*m^RwtkYr)Svp0tf-^%d
zbK(Y(XGIlp{`@spvJ*@aiSz%W1DyX0-p1=UlDBaP<`<Ir;cXnX6Wj)fSI{Cp=4;81
zC$1$Aza3vou30j1Eg?5B;uC5dyB@YTe+KH?<+8V^bTx`o>1do?h?gb<E51{ab1|5P
z!*h_IUdZchhMbRWrrKZGj7XK{G+oR#Vc8d&F1m1)QYx4skFy8~fx^Fq&)-)&Tw)W9
zUJ)T8{G1-l-e4L&7rvrJ3$C&>I=t9V)YZX-yrA2r=Hr|J9E%-RUi;z(dDYrZN7-N|
zWQ(cTu!IdpU%|RS%%=o9=Y>{5O^0*QEvzGun?^z6t4Zsybq{C%U{|GE;G5!A!A9q~
z)6O3~j=rgXrHO(OftvhYZ?J3tn<|@6z>g6uI~0^`_U2WI2E!|GJQ!XyAfuY9l<ntt
zJWX!sH`pJ^MV7$%?D{Ez^INy2VJBl-K*UmlNN_T3+V?hhK90xED1xFBgYNzIA4C!$
zc;>Xcvy%iM+FKZOBX*`I2>-nMB*Yu|{3EX-4?xK*TXf3IEH0FpAkK#E8D?j*z2%p9
z4ac4k`I&xWi9D{~7$XX90%aqC$isSyDe@4doWEY0%VRR{Ky$$!P@6rpPS0YYeT&B;
z<#<An0Jd$0EP>Fn;zMeLc1=bKV&!M?@}_wCs68~Bmyc?Zsk~@(tSDr)h>@3DAubG@
zuM=kn&fhOi3Y>@WF=90sk{U)Lr*TCm9Fb%CO?Ko>+yrjBSxOHy8W%}vB_)Bf3jvHn
zWDn(7zaMrY;`B1Y9I!=pXj!olU*@21NMKdsTS#$;grRK~Xan0;>4OrZFaC`H?6*Z8
zz?JYC{g(Z)B^Xge;Mzk!0nN+N)%M5wabs_OoYL7+d-D!F0_7X<yI*EDd&?{sG!Vf(
zg0DZB(E}X!tnGzZ0k0D_t8(m|1$@fk5ctQ92JOu=01Z1!la$owv2X<OoksUj@M$`U
z=Z~vej@X+A@Kh_40{lMiTrTy4Zg&Ue2!ykN9v2-d9s2$Ah*AtT4BA7l;|-h%z^x&Y
zKt;#eqgPDr5S?rbS_0*O$|016+h}p%+W^jVyQ$mVL-5t>WOfg@C`%GwEwwkB(9lRB
z$?f!|245>L8r$)y!-4ZJauqW0o_-Eo&@yuqEOk)4a$E2br)l<A42R(c97IL2Zbtq>
z*u;P#6>lTQ@VJAPPyq8pevM{GX@T?Kl5UGRNYupzmC;6Xurk`z5Z#H_jXAKoSgX-s
z4_o*)U)pfgE%s62grY&dk&|-42dPQWRRn~{VVk8=3diL0iVJh8od_f3e%=e&YZv^i
z3idPaPj7lZfKu3Z0OZ0djUAVG<)em>Gl3H5AZB0S_JxuFA~Y^XWnSig5i(#TgL=fi
zt*d`Bv)Y?~23Wu#84*jxa+;ydeZYGu(sm<_PuVl*0Z!|^7SC#7Zs*}><aMOzl)>?V
zk5uU-L2F4z&6U=YGh2xBAAR}KwPf)=vN@~IUAmU^0^$|ck^#P!JU($PX?-}pmb_6u
zaV<dv`4WRjCYs#N$S&TsC<!;{A@~FK-i!o5I?xpj;@UR%!7le-@+{>z{TQf&Af~Fz
zV>zgdcxzJSh`N|lRVl~|ud;n&Qms<fUyFThR$PPFBgknsQbfqdtN`?6UeSesh?$OH
z^BE}WQ;Vszcs2gI_(ZU=zoLZC{z}J_>O2<V_rL2<KOM~=u%ncy_OXL>%|AkK#F;He
zwoR``T+*f~!^h+!pw_<Ow}}vfm1oriJmEUzz7UY`rNpy1T{&uKzz%!9r&y)fl3{+f
z8$upI%5>IZUyA!I<voeX^BhPYG>xc8#A72Yi{6R1EAD|OmCuy{FFYA^7$Ymco{lxg
z1LVDM9;LiV?vnEbdhLy7bM-+SQH6-g)=c%^0X7#8?m@H)C+rX4i$!IFfr2~<eUMU-
z$%W@GV;)|~4Lwlo$i}Etj|_!f;x$9vIE4^nv`|fl0gd10s!8;HqZFiOW85&pm^sIC
zrIWeRz);vGO^$KbDr`o&9&bq-1HTQq{{mjDNhdwbt)~u!1@Zr~_a1OfCDH%r4G9n-
zl8B(Fs8O+^D~b)H5}JTYQ53|E6af(s5=B=q7*s-x-Cf<a_tjl>T~~2+6+{JlTYFio
z8;k`js7T)T+$0JXKEL-q|Ig?B-sgE?GWX7$nLBgt%sEreIaB|20k2957i~GRLkea3
zKQN%AOfO|JB&fd{+E!`$7&X@m`Rot&(#qT5i-5>vbk+nsqCHVITuWmXq-G84%g^fU
zjYTo&RcnbrA{L*KC#zaY>YeO6&*HE(z5J~9GL~$W(PyDtEf*O0J~;l&1Lc@>8jfQv
zsJl|i++8kZm=&<}0jGqU19up1DB>{m!-j?4pO<E%u9Jha1kCgttgP#-sjOOOGHyhg
z(I8GZa)7UgL^xLbSjkR9;WL^+pvWN<3uz8;cG_RTOu(g-ee|Gjbo}M?yO{s5r!(NZ
zi_kEf(A5gI=p0E56v`oCeUZvBSSvRsbEjl<=*9FqSY2f2rAh{(xuAo_2k3j!IiUkh
z&xnknSX5-7viCIFMhua|hCQU0BZPCd6UNG?3g>O48?CrxC46jyX1=4DMtU2Q-U@8P
zg=kko_pyo*h@nu*Ldzq=P~+A1#I@B0`Q@0Q6}|TE2eyp~niVJkKYL^?!vw7slT8w7
zn4n>rh6x&%CTRR%_V5gSS1Ouz7l<b$c`-%$1xp`t3mjHfp{tGG_rl!)75T+{>wLp1
zIJ<AJO>U0bptw-~!wF}YBng$Y3-#F`^R;&o5BpFgK@GX$5bY#TdHM=8FyjlesI|qL
zA$-(_aADRZ1k&odGZ~;vVpqj9Ga2kj!?sp7w$x%71zxUwg{?|fiW5ilfEY^3(_se^
zT$vy-T8-OndXtRL=H#HetYp>i&1o}<rjfPrA|<54NR@sQas!H`=`be12AteWJJ7RU
zQZ8f;YiO|)<^;-aHF{lkE09d0+Y>K2T{Go>#!~)8)hYknb|%Vy@LF}s|FKvG0|o5L
z1(gSjY;#c_U=DHty4nV~T2y=*ZbL^(3gmy>zovzTnR)AO(0U;RZZO?ew)_VVjI!kw
z^5Qw`&cavKrUi{c^CJ8bI~iKAhN3kB#TrTqE3(-9vZIYN=U_qRTLwTWmdZRkofeCW
zXx7R{kiNr`B29igupv^ZJX+yAMUekgs6G>Sj0cjhnZxl$$uRg=+xSCqO%(v~kq3xS
z+jY`7c2W&_sSd5ccm(F{V0BM5QXtRBf6MEqeCs}m8}B|$-Jd7v4;zEZx8l?$`%prK
z`uGK%W`G&5>_W2<x!#qvpt~KwZ`MH9Ow+HJ1^5uXJohjX0D@G(n}tJ1p4L5eT=GNs
z>ft;thEl_L5P(IY)VLYMS0Vgdwf95W?=Fh<QaF=Vw4E{dfx_cEUc5Vo!2L%_ZcT#1
z4mY4&eGYk0LdhkBT#{UqMS^yzC-Ni{`Esf9ojBEzL`4<q6BnM8U1}yn$p>(G@>W!`
zPLR>;U(80ck-H4#rg*mG6H#(x#fN2LOzsTXLNHPl2w88c&PbT!e~EFH<eD%m6EA@b
zvl<8MX$0p~qmY8HLI#066*7QqdmvvvCI{#PLbC&emHFAYPi?74hqk262mGQ`wHkbQ
z(s<{3*K*LcWr0K=(M(X`JUstJHM{Uolf@RimI&KvDhrjj3&f#I_1I-DL;M<QeIzG)
zgGyNYB%ah=qtK)BZwtA8f_>DZV;L#B^+5e4Lp+<rn0KvUKKp1)DHSQ#XVcd;<g1p7
zD*e0+0DdCH6fZ_zOF4#D$%ZJ?z%k=O&^K^)#3eQeXDWQ`Dr7l=ZS`t<w$1Yt`Nd}H
zA{NlONHd_$qk$SfJBSaDfpHrm-mutIn|g`Foa!`*r<}mIW4jC6r2wJoP1RdRvEUS}
zVjfP%sPc}GPz_HJrs*|<fYU29e)W~NOVLI0-|+mEZ^Y>~ph*{=u#;E$OC6LEiqXqm
zUtiFw<QV*yuc59>r>Uz(@>3h2i>M_n0?J#!XaQ7H3hX2!D-e<LAAI=~^)<;A0<*6M
zW)3jj1IZP6IDk^?D8Gjq1s`F6)IFwjtxV}^vvDl^6TsVOX<nzkG84jPe3@N{_8K0;
z)%`^{?9EGrbtBe#r4WIt#%w9QL~4=ptzI>xLT0C)GoQYhdfI$%Q+d0q4MEA?Eryi0
zkiR6ET8*E#^(D3ZrM$j+K^EYlxPeG4$f+w^xLIG8m8h|Saokn^34wX39)NsL<8)fX
zYvRRt$>^EKrkS6+?W-%p08Ksk4P+Ia(LJ8Qz)*fA4^-Se17v2Dq)eDaA`|L<JV`&k
zJVL1#r#l-uz?lm=+LfNx0~7}~gIbKp_EwF^Cdz*vl;0EOBlo%F%B0_k@=KMU&mtu8
zv?6sM9ihsK)Nso2GIFe87V(_rB@3(bl11lDykym}>b%6eQYi01a#aD3npx{QX@X4j
z(O4hN9JULAkT$3kqH1z$BXEBnOI6hU`0A-R1Eic$P2mAE>ZyFy6tHX}goMp$&p>0I
zsiyK&{rIYZ1fd$pH)1d<XMhDySqU0ro!+)GpN!LFBSda}5Q!D)(-)rBl6<&Dd1_6|
z_SSW*0$5uUSj++d@_QoPn*D5P5p1NCwYozk7IR~3m6d8hoeHAs<!X5;_nan>LqVM@
z(1z4DGmmMea8!M;K;M`;Bo3AisF1MqM{a54i3m~gHJ&`Svl_Z-ZQ_V@Ksd~M;OuKv
zFlYj7uM>d?GcD!|Ksaz3YJ}3jK3QgKOiggHhl$Vf(bEkHG+i<wlgFmPabvP}@lcf!
z6VU@x#f*4xG37?<e|E69{oy4<ov^lAA14&+Ref;0xZa#-4^Fwoke5UR4GZ|hgu~Pm
zq3ywUy*@J!ZN3<r_RybokIN%AJWP}2!t!B|W+`8Vb7%7S{eYf#@x1*1gxo0tc96x6
ztBhsA@RARzQ?dvjO!Fg?jPcdm$-OkbBBfusUYY$!h>oeru7Fo4ttf>D6lPaE#X1Vk
zcUEW-K!N5otkC$C!mwB&Nm&F5%xM}23v>X3xf)GB90ART0UKr1N^eHBe<cx!oW5Q;
zMV0wkc_5G3fnHb*O5?G70NnFo+4*L{e09M`!V2rOnC6M7{^<hsWleH@XB^q$A%f0i
z{zIYq_-AAysKQ?Y0)RbrH}-@N$jl1ojz+04I}^?f!VUMT<b`k^O|j543`E%-6l0P_
zyn8r&^=O`CG+*uqQk~k=IOag((+uFSqmubFDsd*x-azLB+Wi^Ca+c;*8JGm|k);YF
zlpvmZI(0IrFF2p(1YixUf)UQ8bsRM;0|W^2^}Ha>fKC-kJv%%aO>;WOcPc1t4`<Uu
z12`O~(eTvaJe)~`Ur9J$J|bs;B@YxWJD@J{drMwwGZ>iq!0%ZC2Y#>dp6_kI@);cl
z1OO0KB^fNQ&tglCU=v#wVe~|u)4MaekZJ&jx*-&b`f^mBIH{#`d5JHO2s_ta@PwM4
zgwc_Lw#XTMw10(Wgey8J4j&f~F-8FBF%A1hVS0&AF_Y>ouP_p7HUb!u1o2@Uxbnkz
z@H7T|G7A&tZ9a|%15KFMfbxLKeTH^yf&=rDF*IT^KN%w>45^@Vg(Hqc)!zD%+I>%m
zrBBr#2<IDzr@*k0+OZ=l3l_sPqN+mT__f?VV)!&+7y!US@j;^e*K6b@{$51+Cp`O{
zm-PLMR-~@&{lH6xK?;)PCB-%Kk{2v5Sx}vqESqZLC2dYu<0ZrJB@`E)(ui*gPh)Ha
zfmK=o&c@=Zyd7u{knNeu-bGl2)RSdmx#fXe-0K?0ip8H!QDB+?O1J`Q79EHHex!-G
zXCPvO37{~GL}%l9=tdk+OVAVOC0?YV<aUJTQr?nMY>)M(JBa43BVXBjKl|jkj(nZH
z%3=-O;DAR}SGs|sqRK@xn_;AkX6{ntgEJpBP!<ams4{R2B;WP%-e(APJ+FK(60SJZ
zuf@53J}MkvN^~>xJ;Q@F^}85ShG`dJ3Q3c)z9Mdcq&&5eVjiu&=rz84m1UtXuM`iN
zg;Z$W4anKFW+^Pv>FsIkn^{R^m3?Z*j3i1;lHbMzU<rmKZe6dm0~dopDQ_L!8M6@M
zS#1LmU)YGSpwYe`&%~x!%V-74+Uy50unSTfAS~eQbrJAO44oZ#9T15bW*<}P4#h<(
zx!g@%zz)i}eMKzhF$<=0V~wDxQmEJ0cErK~cCqlxlN3(k;>2<c*7N~<S?x?6Ra*HJ
z;;HF7iHxaF!|DOl`KLf16dJo45AiS>E($yeqi<P^J~jAq9KOO}(Is5M7814+A(}3n
z7mOgbZP5nmUxc_&^>K-ZXp*_a!!8A<cfhh?ciofCLU|`O>?fj4K}!HENb)>Ij3pfb
zHpoc7w+Loym{R9_m5uYEQP?-qc=P!Xz%iKkAT=~+KT-Z0fyTSY0Z#(q?m8Tiq8W5D
z2_c129yJSjeZ4tVUD=y{#Sl>xY1c!Hf)xNUXl2m12~&sC*w=8>raFVKnd<=jstcWu
zDzy&SY|bwha1Tk|U{fl!r&@@?m*m8>hHj&Ilk7t<-Pns7pk;v%%V|P2nx`x@=D;#l
zHeE`QVWfs#z(A2E!vT{63D)K-QeD-Sl7eXsC^Ned?9)_e<3D8A3VCJvRIuNtkS|Fu
zPdRVMrJICpTr&F-FW_3mKD2GB%HWr@L1MP2!6epnm_M*kP8Tqk^Sk4eGFD1Or&W(;
zbx2_bs=&ES`NSc=lAHfPz@02oO7xKX!r`9jBnLxU*w|fuiYj5~QEV7@1Vi_}+&Ba}
zDx8@M6r=ac%R{wYundjiKH=fK`b36{2K{zOg(92QSM{1;o+`NFFZwX(n{^63*pI_v
z2MV7sR4Tuu>P;U)Gn)`EDM}S6-SpV;&*$r&ONtuhwa8cbk|0!eU%qNIzb%fl=Yd!7
zHLQtrSP<)??edQHL}YE%exmGfzGiR(KHKY5b=bE$U%<FmxcfreU<XYmwK&?7G>uFK
z(zs*@#wAz<2vfUhmJwl)JjZ-bT}bn@W*T1o?D~>|R7*~swgX{uRT;r!G#)rM8^ogo
z^q1k5Df%#wls&5HB9gpF^~!O`x-NG?-x<morI0`u*sHIuO!7Q6P=eD~&B4WV0^%k2
zYo`1!S;{}ZI^|#0+(h{gW>=^DZRG;DAp+ryWhf90LJD*^k^2RgEt8y|^0#IpUs9Hu
zq2bk&`0!IFkzBJ}iZYJk45c!*^pfhzG>#$(=AgBlpQ{>BF%4Cn$X9jB7NJe(x<PEB
zZd)95F+`BkMg2mz4a>aTQr#wvV?9H<LrCXgN=GQlt_QW&@yCRamUqstj&-0MV~kMY
zZYvB3`9#;yB7H^q<v1+EPBX30VUjHbM4gMW%{W3(XzI_pF{#lA({wS@DA})6I(dkO
zR|m4-R@jIkS=pD8qjJw2AG>TbHCJ+WvNO&(Y;A%~wR6o=x%RM-TS^tZEEw4voCSy~
zM&fIF@l{;s06V<Mpo5N9|Dkz=lC>x5nLP=!rO;|EJKF*t9}+UwrJ>qC5sZywK{)I`
z(Lw60+8k7y%Jd{C%GY8w0_&CR`ZcUT4#D6xOa^-*L$MnmGZXM>XTVIrdtCs@b%ELI
z0x>)eZ915PV}YLTIT5NpcYv(X9VBhQ7MK2J%&=S3)Ift}cJQ%%B;!ji$*rvmb(Ypg
zbX>(rPKz_6WY&^XashJTFgnT%2g#0nT__sP=FEfC4TM!uqELD@nMC+d5@Wf{P!bXC
zgqR7$Wd*F_Axfw|@fTZ;;|JJskcnG#D4DI~G})|`*Tz9#I=<p0pGv_~p8ydDID7gz
z;N%w85Ms4HG>Y=$F~e~t`$^XR?}v4Fj6)17?;gTAG@e$L4-?K?LpOQi61HuR<g<o$
z<2jOlN2RxP>q@8MWLRTm+U6F!Fl=Qsz&y0YQRC8k^p}?2g|ze@Z)RA0A4<Ye?Ap8f
zD3~*?z8hEGF~MV3-P=Ks%&_Xd4NdGzi|!_#$H!*SvhcDu@lDZKyq!eL%HFVNS34h9
z9@k&EQ+9r)-43~9Uu7jXy^e;r1AE@s<5%Wk7S5ga9G_v7iObPcF<y+1WJlStnb{#T
zO|L(~;+uv8()sv>;$VGu?ajI@2MSDcL>#D~Jxq)u_^2^h`IHA6M*pFF>>QNzvXL|P
znBv7a6&33^qd9m@!6@X7G8Y+4IKjd??37}%#LGt8c78q#YXNs=ie$~aSmhQwYSh@1
zlH0H*BLe9W{1HkW0@RXV<GJC@u)<g_mE>c(H-wKRx?VF}^ImK<^)29rPYd3m@m%Mk
zVQLpu7nld(^^?CE#aaSF%iOwk>u7e%h72V^p4Nk~^u~ZCAjz<>4Zc9tK@HOR!?7N>
zOnm~K7(In41INY|qX6|H(H$&EKXATQc1djsyKSdwdU*VT)*9!(;n>M?^$Dm1Tqp)F
zLT%+Y)aftd&4#PXa9mve12f6L(}bvjIv=9qJP{6;f<a2GFFJ9U{>l>GlwuR9P(Fg%
z0ev;$9zQGfRWyACI3Bo*p9S{))qZBeJ&c+tzqZC%#NUgF^1oU2`7C0<SXz<#=dOYB
zLq_VuEaGv^yyO+-7(1^zFIj)w#7p)pug*)-MVWW?(=jm9>D{RYFdZn$e8+)Q5xy}Q
z{e9{BI#_FgkB%l_u%?5sV6B$MR`F&-OY(t!3L(2X+C2!>Pv)}_O>vK18Z=Ul7tFe-
zi=2b_lB?<1yGHU~D7mhe<jQn+=K^)9!6*;HCm|dF*i_n9C98iRTcGw8NbwTDEM_wn
zyS^@&hPO$YPHV#khq4I-WNDIpCRJbcWIK#gxZUG9C4&H~ha}}>J4JNabb{c%(E0<0
zjE10-IR^>U(?u5^V2Dr#ljlUt7=`sSYb=23rC7nldjF7ea7tAj2zcwoa_rIzRGrxN
z5Ua(21`NPpJ8K48JOM`O&Q(GajG^ofjetGH8Dl^ogVYaEDSr?hY$>t#hFwwE8vYuv
zV-?^fs1|FO7{D~PAw~;DH+4Tjm?ndB)WT)vb#-AzQw(ohujkZ(u7`#2z<Cd-LAngf
z7D+KNkYn*yq!2SRuTQg8xOJUY8wT>+aC{HrqI*>d>7-6_bG;`|XB(!S|1(+Xg0ezu
z)=Z|s%9x>yq1d{FWHZ$y2#5>U$X|xXiZK$$#%3KH2%xUmupwrHwo5%2NAsg$`e6s*
z0rTd#TPMZOXyHL~f?ns1pF;Bi_;rHIr8uxzykj8NFwos%)SeaxVTcmv7q+A>mtVqb
zaR&XERNifcd#<tzk>JQeR0oFqWpyS0%J`bSOfQTm+8m^Yu50Fc9m*!Qk_$LC4{QCT
zRvZJpVqJgDUJk&p^rSwXUt*tMY;9cx0BbBa-La;nG11J^U|1sVG4-{4T~q6;8i6eq
zScdX4p~s2>ozVS@CSiRh2CHXmvtTv;u~8==(g(#GU)Ma?_vDAE-zeYmQaY4fh2>mq
zgPy}NP5$z?>LTpt!io|+5xnC#Sr~?LWfm{CA}J2c_3Z~3BsY-B0vxaQ>_;@-f;EGI
zBXlw$8X!-9mL!x+25DfUWR$5{>g@*@W{GC5uSvbFdR*|A;vli@S1ml=N;?Z;%klNJ
zdVI(5@OZBF&U(F`Z2?2s^*-!=3HM;S8|H__Jejkf%n1i``N`_}v7&sIe)7b4k*;2$
z1qW?JH#Xi@XBA&Z2NRGwvv~e+OqK>h9l2;5yQd0<?g8|ZjeZ#FuLp_!^2V6tz_d4v
z1qT%0#A@s9yEjLkRUYH20*W<({4m--7lq(wbFlX8R?5Ty>Mzu-L|WZWJon*;hs*3t
z#>lNhwG#)kWDW8g-L$1UfKB$h#q%)JL2uS#Nr9$&u(*opZ4PFhS=prPC3l1!I+$j#
zfjqWPPi*wJz-OTWFN(}z^*dOMIH0+bR75r^OUgc7H{(M=s9l&v^FB1f7s9Mix;vlS
z29(0hMV6w>bMfr$(4NGti6TO~$QvJk)o~(TVgZB3o+uN!&v!T4RuJXa^!S{Ygzcmi
zsbl${^AaI)tYLTKHOoupR_7&KQcS$$K*Q?11YDAdm%8SKAIt-ql<8WIimmjEty@%$
z4`Yd3IO{1&u1J3Z**{u>)dV~xl4LlsOt{-a51lf}A>nLV;8w7>=1Fx=K4$r1tES5!
zbkO_<ye*oQJ%BaLXVfQT?Q;fl3_5*~MtLhKoNR{)YR*D20QmFilS#1@^2)<Q;l{}S
zq3Lb`_Gc@2Dfwt%h35P5T~Kl+cpZHq?NKV&?)FG~a0i|@YzSXRW#6D1f()kUAxY#1
zl8Z5!p@e*CZ?rK|Bhk)*Zvg(7DP*S_(+gbl*xWGA(baZqJOUxGGzGO?M!OR~*iPVL
zWuI++w3ec5Nf7w*m2y#`Io(qM^(}j`&Eb9ZKq(toAs4Qh1Hg~q?0BlfdW?@`&6Qf7
ztiDoPTPE;hEsW)oeVKw>TlSZSSw%r^9l8&Tmx3L#-w$8SSZEe6>!=niCfKnWnmCSJ
zgxn-#kwUQzL#V6LT<f8{u6eA0es-4mBQQTHbmCv;_&h&4lb*y-we21frWx`AlR``_
zCHa#ZW7xQ#1@*`k<5FJ*{lggY1jyuzEuNk^o_fq<&yF6BLHo={Z}APf(swbuIv7F7
zHZ&Oe4ZouzEDS~shS<;#(Ky<d5^3jxg|ILcpTig>a9Fq)z$p)paLv<b=#??*IuMDF
z)iZp0QO;uXM|es0{5;fN=ZLciWg<hAn4*w3^o&<iBqR0k00Iu`{Eb*qmV2Z$z>EjO
z5w@X=a*7oB;_PfTC#bJPq|}8Z(qtP`c14O3v98#Z8L~P6zG%{YwvB(UZI8Ew7n+mC
zGPRYec4su6`r!qd^-c(8G*M3YFvN#K)K|c9z@Lm~U_<B5%CpB+**RDm9cVlj`?2+v
zFo-eT6@^+~QCl6<S5{^~X0y!o1kQPXqkN`Umg-&4xE{r+*cdNyIGJ+CmgLDUkjIhp
zGaulU3i;ttqlaS<ulB6yaYfb*pZ;l&8?x3oA@x6;HjE(B(7u5n3k3b6`(e~*Ly0{r
zk*+}F`QG4FkVj0FmIT8>LUZasG>o)Y<8mf)vR=!A)MbdV%dza+<1Cw{HSDG0)(Xw$
z)u`d4Q347mmFqMa`kV+eysS-*h4QFbk7D`Z91kuE;gA!9qhS#s`&ainRv?Fu&N)<a
z0S!yztH(oux{!X+_QOI$upxA}mHH~?B0xyq^KCdJ=Y+Zv9Pq`)oW6S3V?BNKlVQ5s
z-yg>=<PWEV@7VzXeg^iYg+2{xkz$uwLiZi$XC{XYPkrQEq&_^8qrMH<H7PIHpou;P
zjR+HF&)6O%QgpP{=<}o$D;uZox*qqj?GYTNzXSmzf|LcvIvN6E`Q)#QLZJTAx>$H?
zqKKE&t(o$dv6Np^o$~K!XrlZ@O{-IWWQ!q4J^fh{Ly+05q4yxbJcL5POG(;~bx=L0
z@`2D{R;MdBVFcez5QdH8sX*&htO?td9i?d<eP6jH$bdXa*9_l|MoO}l_)cvN@p2tY
zBw$1IE>~9D0D#zzP-~{?IFMdYR!AAiY$>TQD+l+65cv~B(gZ~Gm%kl8$}qN4)yL$}
zU$*@(wy9fi&r%CNq^<`I{9o9XeGBcaJsMk+vO^%qSnVJmLyV)U`Z|Y9m}9{RvcAp+
zcL>HE=~Pjku6h14D=bP`QvNvT=`L43(^N)Q!8Z&i>0sR+C-9hq6X<$wR?51BYG=;_
zQB#*|Ut`sr&U}8iz&JQcHwQdMLVcmfC9@9JX0Am<j3XVKql^&%!PH7&jxZRX-*_%K
z3RK1BB@IttCvHswJ_kD@?n6iQV8j?2>xVQLd$^!oA#)x!Ng7jJXskCy;1hOXV+^Mb
zU=FyB@*s^nNUl3#Y;C?~8Uj98B*h>In-r9$WEG0Q4rge8!)>I4oX_$sm5&2-tXcD=
zY9BFs++#6ciusX)-o6LYK>!$fzLDVknqF9}hlZ|Gg_aM>ONQ=Vs^m974Yb*>Sk&mO
z!J5g49qE-ra9R(Ia-2I;48dX%CR|u9G3AOZ5n_j77AYrEZD|mvi9Y$M#Yxr#5xd!<
zJ&M6;I6I!t!&bShHqJZY7kW5Q_k|d=zksLlutNlb%uqvY{nHAvinXt0RGCcS5+$sD
z+)oa4u9U@6`eYc9U>IpO611I=2;qnr%qn1oU(ZZ-i-$39Sl-v*oRw%;)*yi?S`x#M
z7xfB`72}=yt~3bH+bd8Vd^`(Qk>4nr*p9GY1gYGUSONETa<I;m(}s#2wL_eD_6#;~
zy`2Q`FX%kfMYI|P?jWMDb0z1lpL=-jiZyJjm%V_*Wt5WxAiU90A8^m5*x*b9(PVy#
zr3A2(IDxL`F~t~uNW_@>cL;$RU&m(1z79+XFFWLVUKh;1PQ*@@5c<jMitswS1^5ve
z-zC7iZ167rB)&7s-e|Cs9eh4~LD@BkuU}*6<%SM0=4&0mXvGw^6M82DW%9mZSW6oo
z!nS^cW+Ao&M;Oq^S2ZRWUGuQ85JN9OTzfW7nAIHow$Pm7fq$ICY=<2@)*7#t&MSs>
zOCP&66iYp%G3+-Rtg{-LBir;Sqmo<nambp%1vV4xU>UoHI1JMWGVZJPajMca#D=b+
zhA7!R$-f4BMI^Y!Yh>siC9pz8-QzHHtf(94aHQ2xqWtx1oJCj{5ar)G@$*^4$YHc1
zRiOKP7SX6?UQ*8Tk~!6R$)ATzykzf$>b!*QyHNdMORXMx&n^9iEC$r!h5-xIfsJ)X
z`wqYdVWY_8xZ!iDVP^LVP8jR_+NU;8CUr}96lT#FTOxOy-o$|ZPm^HhdgeTUQ137L
zr1u-Q2{gQJ2E2AP;`N4VWHF0ZTNAy}yI!XNXboV|VHfBmsWqU~AB%<pFGqR8!sNWL
zFr9^=Frguajw=_>XL~Ijk0#8Th;ga<XbG8SpdlLi50(%@HU0E3^8rN^zEu6pABsCK
z@Gwelj@A#Oeur3lI>b$|z@!m$mK;yvNlvHIf<JZSQ7S8gEeW!|4$~FgG3$j58WLbe
z!Rlil59D9(qTTZ$jH~a<r(g_Z5Web@a8UKhe1y+7goEW!DIxRYqK19!)7;nC&hO%$
zU((e2nHnchT~;OY@*g%mciV6x)dy&Z4*Bua&(&}8A2dBzVtpD*EjT0SKir>tXnkh1
zDwwb0v)qg%o3Q{4oBFPpC5Ga|1WLhU>#9O{5E7m=Fbt|t>KB^y(hVCzHfWPkst|2F
ze#ty=h}MjK9)@39Rfv9x?e%hK#(}q#8USu%m<JQsdLL|4isZXp&yRKs;X`x<qC5E*
zrmDR7YAzImpWvt{k@YiLCiST(C3c_6Q*m_{4loJ~;Zku1V~F-8vO+8k2Eui^7%YR2
zicxu4ndDAKfc3(}w8m#W*4?qdnm3G8A%|$O;)>F+I+4X>2ifN=PPD-`EDo|!rHgWe
ziZ@~zern0AaICz{T=Ay1oa?LmFP=9lr>U>9+*&w$GAIx<Eq7m(LIJYVG=bus+jPr#
zZb@T=_iRi@9mp-?%}e^?k(2^qO|S`c{cKo$Ez$~NZK}k>*31>E%~0JYW%L#7oD9{i
zM0TnnrPFW{r(4E0Lsr79{pd3|np4&Zr*+EO)2W+-6z{x*b5+Pn@y;j1R`D)UIQM(@
zDOxx$1vl{)B}Jf$LGjildGM)}wUDQ9ZYaKtDc^A1BRAp9KLMgXRMHsFc)OcDy8#4S
zP6b#X_JdtDtU+;x>1?VVB1&69vL=|`H%LWufr3zlLgxZCA?OTo^*-gmlx~j^730vs
z4$)VKECjMw4Y`3mEu0972Ef9-sQ$vstTw`zU+Bobuujz%B9m+fdfi^2NSI~C)~SOq
zi-Vhzi+HUecf2*jSffc_e}OQIcE~Ui3)2Ku(zgf@8NP+L@jH^4#whkX3W2kDzAjod
zq?jsWPDOZ)B*Hn*+0W%BoL7PyofY98s)%mWYsJ?Z8dQ>t@f0QS*5xbH#f+>Sa@GXF
z4uvzV<=H{EZ{{wfQwC`D@s>kNRK!b~*2qgZw~6xq8S*(ViQPggQn^Oy*s8l5Eo$Z^
zZ&+TUuFgyL#hZ8uw!tt;=Ub7)73GR5QCTy|w+b4nEVmM7EdfkP5<<`gOR%#J6~1Di
zjKOHJH?=QL275*=&V9&%+BF?ZQ?+>+j(T-u6@PbYWFBWTD}(JAW;%=J0|y4;9#-Bz
z%}M&zoY-_{gKz@Y8xS|r3{&+GW?e;j;vI&%`BY4@SETPVpT@29*$47~_T`604A~GI
zN=t%>vo-({3-%B{!iE+_J=gf;VL-SZ+t|U{c*shqeePjX?XbWtK$~t>c7^Lx?iNri
z=W=}<+yZXMxz0Y0y{QHnE`>%tU5GByU;}c527R?LuGe#E<(yqxcRi1TS<#Of-KgF>
zbaX;kq0d=DpRSO`()4oe4GT2YA$jVNht%?;YM<kHx$aNb^R9U?^mJXf)pUo9uu=m_
zFl9P4)Pz-nDL?GPSo>TVt(s_|3O9>UdEo57N1&p0Kt!jXlQO5_TAr6OL2z5(nq9y&
z7j6xl0?zy&Df1NmJ~#{nm5&^0ftqaTtBVe>8(!>|U5leJGmnKG^|=R)&HHc<;QoWt
z!j-^1gww%2f_n`2<lRx9r|u@vfwRyY^fK$9<KY*Zl7g6-=jBacp|YV{I$v%dqin%Y
z#8EFU=cpIYrKA$|ioxdnRFbAq#1!KE07*HHIEE~hOjuTkK&jj^c0LBIy1pou%svwg
z1ZMVX6NLP`*ldasB1sE2pmD4M0U9r~R6A(Ih2uTu>@IIfB3=}mW{ND686qvhb+?6k
z4yn(8i<LOU<%t5YfAWMMql_+v^shz`7^52UcKopbRr+hqE{@>wewvKrSBg|V&xHq%
zmR-Teg`Ispz8O9!Y#hJUyQhGO-Ro<JIEq#g9{$?LffJ*0mDN$F+aVPW+tE+wmplWx
zLx56m57~bE(ZW6Qw>XN+o%Fz?-=YILVg(W_iO7B=v=Q|Ij^XlW*vPJ5b_)Vyh|0hb
z+=xs>WMH`bg(irDYR^2T@^Q=vRzZYBUaCpwZ`eRU8?+4p#e&yiZ%Bs{X*WVSk-d3`
zn;f5a>HtSY^gC3=jtBPOs1LBq=E!$r0-NIpJ!Zw5uA2V5X)cod6d`SgSztTNPxp-M
z4oYM6+)AchL3?ht7Z;{^6;Td6sAC(XNB|F8b1r1>?InP(R%-(s7e%BwP(4(40Zo#|
z0DN^J=yo_<Us|E{00EcvqPuo5wkvahX%WoVN=W`i-E}#p5V`cD>!R+ulpg3u*IM0m
zH9gReu3?z=3;`$eA;W_Ms$m|I;^;?N$zc^iwjv$_M~n)zks1t<u<tE-1A#uhH5MN9
zr2o{IHPzUXei_LdxwqP$>^T}tJ<<}lY6v7gNHp$^yv>?yM5$}DhANA&{oh1mC&fCh
z-4fPLWphS(NZ>Co(^)FTl$Ff~E0LE#S0PVu39k*udx@8{u9@<`WhsA7b;_S_Yoh#R
zo2pZO)TFLbk9iwa1KXjnKuNWLITkYDgW)hwZL~XShhU@K$$FpKoiuj~=E+}HH#|vU
ztmR2|*@l*El(NP+tgnH75?{M`Ar^@<V+3XIunhu@D@d{R<rzn>PNu!t7<GRv1!1`Q
z$TZfw7o+ZLrGE1l5hmC27Kd6K&-{-@U@^V*(=~R`!R8B<WP6L&0j3L;zp=M(-yamt
zUTe5L=suY&Cije)nfDhu&~&VEU?CwCqfys9x4uyFaDyyVNfLlv^XP29CKQd~Z9O+H
zp1h75S6<stRFy@^cmT13VvIp?P=^3({Ak{#+&m>t5X|t0m>Hz4NyQsFdQg4Rl1K$i
z9qfVp5{@X(hv>O7zhYppzLPfUrD<|uf&M|34{;v0a>7e9eSlV8r1YsU(?c6A09;SN
zOkbYq!#B$#iU4Al(eky=e+s#S#^*+`b~&;^Bs-dBW2fIScy7i}_9@*NC-U*ju5fT%
z&z09u;Fe*y_lV6vg$(+K%O8^Y5*dyUyuktWx`7kWVJGDVHj6n-Z$`mk<Xx5Nw{VV%
zGWr%aukMhc;pjU+dHMrrqgn%DF@-)47=_LzM(^`L2eHXJG@`tPrbVAAwGkF-Zdn(`
zK&UmKSQTid4!EZZw1`plwbC_;Df_n(mgjg3J}XE+#E%vF=`iRAK~8qhhviU$kbPq8
z{efBQ#<&FtWRW;L#z(ME(E*2a!(NGi4HiKG5ieBn3Bm(31mOjPA$P-77F*(&oYoo;
zsLWnUMxp7VOc7|(UvAj2K_BoM8}hWyrA@)W2NDm*kX&xi*wDAM!#Hhz%e-PK)@z_s
zuH|Fy6kd?)@CeHiTWKPSu$M_}n3TePG=>!$!eS{*X$(7Q2%Aq~NeIJi8fs!Cvm|<b
zZY~85Lm-xgjNyqCUQFShhH!dUHk$|CWqi1k8S>>n255cbyT%y8q!h+Qm?j{%B-s}}
z1fDR)o`T!lB8q%~3gMkp|Mtcl`P$|m?i>vHloRManl}QD_aXLeBGsJ2O4++ymnVQ*
zWQ4o%A@=--yCMTzEWwRu;Yzi;3}LG&EDT}B`d{h6-e%_aLa!_7;Xx%PkS+i*;b>Pi
z7(0R~Cm0b61M>#OFrp>QvZj6-@CcH$CHF?_^#!?Yo&rdRdZ71y3L_}VV_|{`rtoVp
z%LxX<I_>KTgabBrLCNe9C_x$}oQs6?EkDnnUoys&_OFj=`6ab60ngn*X$Kk766JTU
zaTak&O_aZQ^XIdO#6h$owe!X2D^eY6<|Xe~UZSebOOF0!;w75~R_7)7Rwbt(N|39i
zg7-$jf$IMcUq8KMnE7zC;HJSP!i|L+1Sf@af!hd2mjwnNFQF}b2ks<X9^7uYEpR`<
z<-kpai-#KqR}b*r;J1Nm2q%E6c#ZUMMQ}Udeu7iL#lQu_$uKdEfeVK7gzF3^hO>pU
zfa`}m%AdjXIAGhr-9p(O!d1YDUNKB_xGr#>aKUh6;1b|6;O4`vhT8^r2<{TxJ-AZ1
z3b=;IkFNd3`qqPAi5B$`?h@Q#xLt6Y;eLXf1(yOB1vdb$CtQ0tF`Njl66JjkR}6O=
zZa>_waO>fg!i56n)2ppW$^^q5ag{RTx=5L09i)t~j+7C=eZ1_XiFjTDmtu>#PhBbV
zpPiK105{8C%6P+B)r0j8_&edxgL?}1mxGkq-2jKi!d1;bq@k2K1lPKelnI2hbd)j&
z;YK!<GUr=LneOeRj0i5unPGZ6OPQbA!vYB0dXy~_?kXJfUG+Ryc9b#;5O&oCah+f_
z1TMO>lv#^<{RC%vKi#h|hA~~GV7v@7g7r}+_*%?dR`)<2xM*U~<Drx})l*83Bpl6T
z<GEdLDLt~!$?$FH!GU4UB5q(GDI?b5eemg`Jl2E0vNu-nDH8>p6nO#eA9pFU)kDfC
zJ%NAtcl?0|KPmGET#Qu8T!wpzu<3AgwM>YDlQS)&pn`$)CB9OoAL7~q{s#Q2>E|X$
z8FE$Avzd@e&m+v|LZu8HNJhmoU0mFVaVnYVS&!@7P$_dCZuFEyxK3~`OiW628r3~!
zLJ~^CFr#CqBqzz>M@EcI#dAWGAs*2&6dz*<W?~YOl2Y&-86B5E;j)NCCNe3NNsUWn
zQYWS$2Zo72U}vMxJ`(^v6A&&$$C8g=)<-bwCnSyQ<brVcOmfm>#!v!+WUssoPOt~=
z6ned{hkt5tN>XHWYHCtS-{=ULJS93fB|0@akqXe?XHcNe09Psk6YcEcLU|G%)@4YU
z-{9z?XY$)Bq~tNgOS;s^OCqNb<qz5SIWI|lODj^pP5GRcKw+mQ8L0}Emt<GxB`3$4
zc!}?k>b%4fWvv58We=Z$b_PcmJ@1==J_AP=J(I6dO37oUz)y!Wh2J%XpMihDcn_-P
zKHaSAq1a|?uL+O!krJ$4|8zQ=0c}yT*U~(rFE#k3#(1=w(Y^zMJUs@C_Ve)w9v$K{
zz{hK_k2i$}goJtx8eBD;(x%80WpNXt#nCA#NhxB6sg1rhctB7{h#`a?nGpX#-ztxc
zcTj+bf8fWELET(B_o!{vK`c*<7@H6+mL-Yf660iX5eacqqs6h&5y@;e48e6LxWpux
zI65&&J}y?Anj8@sEsnvv6Oty!RY@2ji%UxUn6BGb)1}IyYDm|W(j}u=iYLXT$m9_T
z;uv{iB;_rRj7UgeUqI#R^40uDCnZLw#mPEG$jB4RsEQxT)ya+0eXMs<ax^kdN=!`x
z9-^Wr#YI+uHR1@}DLPUX9mQhiBNoBCySa2?@gv6@jW84B39>j@Y)W)Q6fhJy{!{p`
z<HeXL3RD2at!))CHZdt>0uYd#k~A(QVuDx}oiZUVu{xez*!q0&`$Q)KgGq@K(6^Bv
z%Id<_=ZmlrDdXe>m}<hWOJ~9ph!$R#I8L0L6qhJtn*l<iqN5D>42X+NNlHzMk%>d&
zQt4B9IXjC785`(;xUne_Dd^h_V}(X(3ihFP+sw)eRER3o6HS=;?z``pUZz?mMxb@e
z6UQeeO-}5Cu?YQh$T$Gkg0V0Y@qB!I%<1at!UR+1;x;{khg$NP?k+B2!IpRy6YF94
zV`9hPVwmLQG+cZ@FqRCT508&OdSu!#iHw{{z+YQR!n8@0CnVt3H(E9zB30&rW;ZE1
zI4N14%!V1B!{QR7Kw|?yLL<gSdnTn}sUtNy#kKQyQ3)(%XR~5|h!QkDfpt<iy6Cy<
zX({6dNB1T0AH#KOF)+|05bV2!e_&t0kq;68KZFf0WjrYPhl__hqAYx}$88Ly{7e8l
zN~FwExKA%L1QZ#=StQ|^^0;CQ6MrQ?=Hb`#b3hzj0`?c^M;>jAVLfn9@1(10`GP6_
z3waVR(Z$vzZ`<lHQU3YKpYxK*Ip8ICf4TgDmkc*)fIml$HOSk(XL-r&>b&H<m5G-G
z7FOdW!)crl`$?Uto@vIgs^6+=omU&<2^VzHcgy`GjMC;A!-jqZcUr`M>HAW-7@d@U
z*&!GCl!wR|mW+GTRkd6=J>ZLNC>ZH_7}J{4kx$<<_LFeRBke2jRL|v~z*AW^8^f-A
zrCet}NkjQ)KMA9>rN%HCyAezejPJg5QJwQ{NZBzS!HuZ_?w=}f*)_mvtHAB30j{D7
z+?5*OL^nT{k9qv{dbBaZ(Kl~X1Dq6aRPTO9e{hxj$JCH67I1_kg^})19(ZJk?wBr$
zpI<{fwUcbTBlZjL*^DsyUIe54LOi{L-Z{-!?kr=uslE<Rq!j(xMesX}@EeW(@+#?q
zYe;w42!Gn>U#XHVyM}a+jPS3GK6C5i_sgpxot+Vmt$z)0Z2(7?YZZ70EQfsQqWTXo
z!iO2*=^Odg0H0h1F1ZG{#YQ;7|I!-Za*gjlZ}e|eNq4q}bT5tYHvdZ5syV<n^=E#m
zA&iZv@<a7?0o>}+kAXSQu`W=IcKOUOFDb8?@>jBye^zzMe|e{g@*f&oo${OB<MfhY
z9B*SbR^`n*5ys%n*?6<*`Uhclfcw(*Z8hls{nel@j8{TZYP4TOVpKvj^QYM$4B7j}
z;g*TyU<63FA(#&_tLcd*%^p!vm?~pNKFDkUM#07bt_Rkq%z`kDAP|c7B6u%(N(#o)
z#xVaVCY15QoIn;$*@iJ01QU=HB~M@j0x{+d`#AqLj3nEkL<!LmsnOnEjDX<bo0$bC
zrOJ$BPrP|9;~gDi7?H9iWSB)9|HMg{$YB~0JqXhlP;EBNKzW=g9dnfNNsRKwbPwwV
zD;dKL2C~5s7?67~%aCWPEG21*aim*B(7_Ry0ARMsct($lOEf+mLJZBW0-_V;{<7!^
z=zVOx@W}kjsX9VlXciKiG})LTvztTs^N5T@{Zb-iNhzrwOnuaLTwE&VI9>@6si{5~
zRx^LGa6ly%D?FG3?2|txYaYygvmwb;LsO1pjMz0iQ{pwK7v`$6$k>nA+F~|1B_c63
z0SS$P472HDSd{{KFg*=5VF&ph%#aYDL8cM@Jm4oGS{5BNHlD@r27(NcVXkKiu`vq)
zM5N60>}xDtaC9OwfS^6cdnF~%a!^-5$_51mcV-qdJ_!kN$*IxIDb9en#OT3E40DbX
zkTeN*K4~z@#i6emkvI+w)YseJSQsJARjRimpER_j;1G{s|L?p93}7ys4U#1cNt}#X
z3+g&3A}%%BCoM8MnP$`wp<!#uwnIZd0M_>y>Jx$4cd~zCOcKVB6ylXMVFJ1el?}Q)
z6cQSplFH_?m+`?&+tmIiQXI{n*r^^?0l8r*afXJ^G~%MZ)CGcRLKzJVI8lh<-CjwU
zI?^${NFO4LGImTRhMp<S;3>(`%qZ?)<1`oxSB4J9coM{i9!Il?iW+ATr@e^sYfC?$
zMa;NHD^e?$8Yn-cnLf-Sn7A5e5qg%F%&g8!ZVof?lIJa|^AbbBL#ogO52l`(A68!a
zrbL4RiP(FO1gs!1{Rl%t5@T6974_lc0V9OKhAiZuXalSx`^1thCXxHqL`*tita`h_
zmw(OB+kHN+8-&PGF#AXEEc;4K7_*og78e!m6&sN<I4OYEK0K$$qM0F-|K}MoVP6hM
ziyit&OlU+(9MKjJri5aQZH;=i9a~2ujbd!sCj)JTkPJ7}uxiAj@d?v6L7o~*ZO2m{
z6NBc;Fx?58Ra%#bo<ZP(Vh9X6`KBBU2xYpN`KNkDM6pdcSeC-L8lH(+&?Dnwc=k$)
zie{gAR9dfK>Nw1M>YW~5!9<mD7vvK__j0ojcp98!LLO)xAPo4Xc8;&{cl8k9$lGjy
zS3pFv0SXX4Ri6?6?fQm+Zy5MLi2>pzyc#LLKf_Y~tm>5it{F@D9hj8i=$BQbV~78r
zEZw)fzG2`S2EJk7|0xDeL+-(Jod}aMeTPYz@S{@Zn(AY?4q>KCS0&ubD=sAx117JJ
z(-OvuCI<i>ADxmIonV?TF;zynVGM>$>^0}El=Z(0_83YxRi3@+ncd%n-#N<5!}~i~
z8YTuzFgqO<N5&>$-Y$+1C$TdyaZFrFs;n8}lT(r=Bm+<^hQsq<FFl(VZa?Pl?hzW7
zlq!`{Ag&MZML4F`n4?c%<B0MnrPj0;AzV+Ce-l{{{N${?>=`5@we;YJS;Q#QUW5WU
zetj>(pTqJJvXw5TTmy!d9bDW>yTvq%*pO9?myD`fc1)c=l)YMbOqB?QVO_Oqd{UM8
zs^NxIW91}^Q8hdUqhv!UMzWYErNYe*kTRQ$j@Ip1#D3w&B<D~yKN$wQqvJ4I#(Nf{
zeMQGe88c&AaSspnj(iTMN`|5;_r_aFQx)V>2#Po5`)S;_=WiJJ5(a3EnIVA+<7Edw
z;hvOf3_lirL-<kf8^Ip|zbX8|@aw`K0KXZ0Z}>Lwd%>>_zYBaJ{Pysv89Tu@hwli#
z3490mw(#xXi{Xpl3*htNTf=AI+rulrD`gzvm%^tGr-fe!eldIp_*dZ9gMSu&efUN2
zo5Md0ABz!89(*VG`{5fdlS~Q}IN0k`85Txi1XPH;KlC*P9m!dqC;g(M{#^CyrIa${
zKDqL+D{hpZA$xdqmAZ5IJZ#p(F+736F@&c)76*X9H^}3$unhA<m3s~D`Nr_MRqp3i
zxu0L<enFM{g;nksRk`OPKS&m^O<@jv6Zs)}!q-aK{ni`*Nts%B-T|MQ%pCXxHwHfO
zk{7a?cuA+FMEPef|D2aBI!`N7niZe(5*WU%iI<qMyktgoUh-s+iI*I_`+=8?z&h6`
zYCA3{E44iVd}_nR4-9Q-Gkj`e3i#CK{oqrZ7s01CsJ$;`(%@f#PXZrB@TbDhg<k=G
z7koYZ_3+7d7dhh4pZ>LhM26w-)0i(k`vJc-{bezq|5b<2WIq0JnE%;d)f{FpAOFn2
zUH&J3ru1T9;Q#Lz2MG8Mj(l=Nuc%LvqdrGI502=WIULbX3pna$mT)XxH2M@q&(!xQ
zj_3r@0ScphDJ}U#dnsS)n-oUvp4vP)3U3BS;Si5ypFNDvUdHEO_>^XlF+9ZR)AAeT
z9}Y+FPJp9)Ccuf|lHsVYq`*;GsU8HcfTJ>J8vPmYDP9Rj@mX+`59kytrL@xcyaqm%
zcRd`vZxbBB?SZ56ora_M%WxF$0HhEum=Y;d3YtZR<H?;hIwR57mjdJ&!F{{_S7Lx&
zk*b;UbEV)Vv6<B=|BJUK%HO?xb;|$0vYOut^$i2xFz^in-!Sk214Q|2f%1DIgxu%W
zXqA(R^1J^1`7B~pbIc+(%)p?W_9AG!Z(5NO*33(IEH6=1=Ou5}ns`Yk3{Q-^8|*CN
zLt($&e8a#u41B}DHw^r*!~pS<x;0aNbC&W?uTJ^({Y;eK`NlWO|G)Cnek;^B41B}D
zHw=6Q14Q}lYn(+)KTnju``9nfB1Fs#Y;%1&i*Tqh$9P-HF`)V9Ic`az-Hl1_KhM#z
zX6|Ica;J=H+^IG1xrsZq>hg^{eWd|>3;u?IZy5N7f&Y~lAnw$(X3B5LQvUSnl;7$n
z6Xh4r`9}HwSAN=Wh5CkpZy5N7fv;eID1WmWXAxbS6Xl;_`}r(lM?;dgo!I*GSwzd4
zc?qB8CDW?&5|O8gm+U<7jhB4obA1c`0tQH)rkKMpi(45Zd1ya4k%DB2NCrm=r-xvZ
z0)8e0Zb+_)WR%2k)8R}P$Ba$~B+XgK56+k}qnR;c<G+TRH5&|m=Bi>6uVbVc3fA8Y
z`22O()`<<#pZ#W58iJ%o|Ihy+yoV8fH{j2#y|=a@bAPRN?dPgYAM(#w!=@Mrp{;?}
zMqLv#qp!tZ>->3nE?l`){04T8GE6By0a<M({SZ=w1!>du79H1kNtX*g+y@s3KioUL
z#G-@YQv9&Ap6On^|3Cx7J@4SLMsvH+{hG%oPd7SrAy6tVUHNCS^XA`<tca7I9r?cH
z{f2Xc8t9bLi9cLk;$>s5X}f);^v%K5-j6eF=Vi{=D?Qlj;>I(2|E6h&E=ZG(7SAbB
z9P|Ba(PoeRGsh2U?WQS9E}rJO|K{9VZ&tk1Wo#MfwdTR3yC<Kw?U<F>%DauI{+9A>
zqPs^9zxCE_`sYQN?smVaOV0R2pDbKpvvJ$%26xx>tsPxoAkUm7pLEPGV5sN4O^e(l
zU2}In4hh(Fe`N0?BPHsU3y0}PZY*6R&Kta8PWOm&@72T9S6Yr#y}3Sa%aZaJtq-m(
z8hKNZIN;dNKZ<kA28}t~QjYpEr%s+S9uoD=ePVB`%j=Tqr`&y5l;qza&5wz;%2)0M
z7urWRxHGi=o^#LK&k9>)`8M+X^~k0t?$V9B;}W);|J{9-&fT^5e$T1*FD^cK=|A^F
z@86$}$f`5><koxc9S01*9dP)-;w2A`xi35%B9VKavODn8cK2K3{#xwj^IMbO&n$L#
zYH{?={=X!hBGgmeBZh?MXZ#*A&34~t_sdT@YAg;coN52g+ug~1Ly6ml)(@v|Zs(r<
z>zaG}qo(yedvi#i$nPyqwirBFsb7%Ud%@eD4W>r6^y-xNYp-Uib3JDG{+LU=q-~A7
zWZVLx{6XtJ=Oz2%X+;WFqfKjEqfI;I-_^`ZYO%cJ`|7;J{-KGNEQqVdOGY#AFH3G@
z59K%dU3+)dMy}*&mXD|9?q%}s*T3uOI??fbi|d`A_|G5awsH1>ys&E<W^7#hXXiVy
zJL_y3w8}etkEnf1|9c&}bqNaDc6xlvdEvbEdAAOwztbLVvhu&|VPOk;9Sl}BcL?ks
zJ@&nF-gb+{>2>aPxV7r^`6AxUjaNwA@Z0r2!~hxsE^}56wFgKy$)N_rC;81-_#~^T
zz&{~%DSL|>T!wTUR{nFx7sAH@rsxadmIyEYLO98hmVY69B*H};DuUrMy_Yyh8}K62
zRW-cFSHk_i5<c_`;goMI!qWzFm;q)`OEA2EIUK@a9wN^4ykjtjR0KXe7vou4<ykz0
z!|;!Pj7Jn?b6YWenK;PMM$;q1Q?z1&AVC`qdwpW|uNLFQ$RJCbfG20TAQsLXa3M?t
zGYODih9hZR!=*s}K6p<Wd>Mj7c#1OKGfZ9N<i#Z6om0M&lNZu(7<)x9-j|9TzV^mY
z_I33Y0mwTAe@Sp(E?a=1VC=7*!W%hK{j26|2%|<&?~`~Bz>>tVi19}L5zJ&Z7YoGz
zyfqQI&}FF@gu6)O7=f^HZ0?j7U*W};Ez%ew0uE)Uw*mVi77qz*xha=gY%WoB%UCIV
z@wRCECE`iJSSvh{O3uDd#0*9r^v&oJC_<1!0^VatSsUd~!dobn4ekkt=uNOF7RJKJ
z*e6J9D>_kfMx^M1Uj?kVq7MS972}7T6IiKg1z=mj64_YfC`X=R$duC`14R(@FkC!H
zQrBS~F#Xx5kB~I_3PC9i-;a72D|e3WO}33|F?RSPUec*%%5TL|{;Aa|f1`ya%D>sS
zI^{QmZL=A0<M9>+W5&L%6J)?AqckLiJp-8YLVdhZlTg$$1?7uF-Kgz%LcORr87@;=
zyDDi-tu_T|#sM>gk2c7!E&R?%>%tHw>EbY4_T2@LMQ?)fDF<&?peGry#99nC0J6Wl
z52gATSUt>^>BxRHTgILBt?|~n3L5zaF!fnKh~cq*2xHFrq3Ay(>HZyK2VZ|hU(AU5
z_4V%y)@xA4VD#6K3D?Yw{&Df}Z_YP2=kd&~EG;eg0xN;Q+RECxwvDZ*woM%yYim(G
zQJuPW_V)GyVSR^sb`G|7_I8vBhl?~k^IGQSwd`tJ*S7n=ed+U<I($(6U@oT)V^)X5
zt;5kDh87HmG2>R#O|;;fS=Qp1BeJ`Q;c(4(Tnny+C5NGlW5(q%<`$OxI<|G2)oR|!
zV_>FT#6<gggJvxFy?)EiAt}m*e^9Q-5SdoZ7WFo>;8-HE9bRu{#$mC+W@^Z`j;(p!
zPR%?9+GUouaO!+6BLA8G8YAGMcy+jS@I`)E^48<NIkVc%Oc89wk+%8d)*|9ZySd_P
zInzar+Xy`SWiz%x^H+Bs-al5ct8JsoW`8pMzw6M_-!sQ|Y2!A+kj57^=db<K+tYvJ
z>0M*`{^Qo!>$@J^z2bvk`L$A5{IFqhR-4Uf>uq*fjJDD<uSe*aMWegT`)iy!;^<M`
z1pg*mcwrZApS^YFLHj8y7Ub@;95JDE^r{AlyJz2;JF{n_^qm~578wsS-;Y1>s?Xq?
zjherAUl&<7<hLU~wf3G8Q1<hn5>@J~AIILlHEr2|{fhN7#idSdn#|ts6DPOMjZEx#
zETrLq(2{qJw(pw93I8wplJ(K@sZM>@y0$HvySLWjHQ#l6?m2(mA&YnQvMXM#I{)j!
zo$`PmQpLHy9PT>)&wFL#hCS&#VaLU32YfoXyg1n`@Y(Uy#GDq%gZ^zeyZl1R!Oatc
z&P`wUWJ%ifvY4Ca-tVb>^uj2MCGuUvZ;sd_h-_AV>X#AYCweqm*j=(>(UW#_Q-3b{
zN!>nj^Xs+O+64ZdvZs9Ds<c_WNp9VaJxSkCt8F8vZY56Zr!73tY|m=@lH|mv1M5|6
z_iEkzz)ekK%kw`B8k+KNYZrOWvp8kzIwSAyowV4g(DR1>sN+|jnSHMc@q2rD>B+w)
zk8FG7ZAY(BId}O^m$$Z+mv!%O)qLxt!u@VDZ{OihZ}45i4o|YyY%H7T)W*iv;)Wz`
z%B7caQ+mvw*CEYyWX{(0uXY|Oc`=y(Pm|s;`Qwi_8sOJq(~3U#HZ=3gIs2l;;_d@`
z+pg-I&S~M=x^Bsu)1iOA>v(j;#>$tun;Y)i)xT@<@@4aPmes!Yxa7yAH2>UFIfq2U
zN7t$qWjA+I<lfg?S9Jc_c5=X*QjZ^_re_TlKDtx5O8(-%N0Ubs&r6?``>yVtJKt;H
zYl1F1|L1FWsnO}76>o1fYOJ`|Q}wne-02VX;_aE6bc+KMy2bTsy8KDtw85d<-*p?h
z*{tlXkUMtec)yNo)0f-tGj|Z|(X^jswfSO;1dk?vrdv9!dhyqg1+xODzOw(V?S!bE
z&GOA7FPz=Bp8uXZ{@AH*GX~wBzFw<Y{D(vC*-hE5J4)C5=)31?#mJ?v?sZ+zb29(J
zRkx^iQ<)7pwTbfgsc{xz-JK}^*7u*!BJyo%MQRL~ka4H{!z{w1#vIiLC`ac>pXYdT
zEX_-XK!xYi9Q)SHovc~zG^ILsYSz=loxaaB<cL`gN$`%YbuG{{t?Bpo?LGSaGV{of
z%!Ar3_wBFOzi9r7-Q_+{kB4-(JvQ&mKSkaCJG*zj{Plxt=knXB2aFrxZ~J6YfZyZ9
z$<3UuzrNuz?pTl2)@4ufw`=bV?YODXXUPN4o$5ZXgRkFzv;EHW)lGN&wP@;<%&bvc
z#cdheko&dk-5#avf9c7v6K5y1|NUeaXU7rUvTY8I6%TckNA%vcb?5hD^|iFOWplS#
z)}5nyJZ^%>*Dw5qQrfpmpvRk)yOuo}b}skSxB<VlG+%O0xB1wu>>o>;mtPy5cWbHL
z-i{eQ^LIDCGjmg$u0wq9&+2Hsb*bR=D)-Q56>(j6T;y$^v7?vWfsKn(x(*Dic)87X
zaCpI)6E{@Lk~;f#GIQ(vy0|PzxK-3;)RclGv-YEQy8Y{W%5}S~j`uXL#q`2fI}XfR
z!QFSEV9cMI%}Is5LPm8+=)pM<+UwV_!y6+z_{H?T+;Dr(dm)7#?S^d3_Bv3SGdRdS
z!~TYNSo4zLJ}di=zqqvVm6gG*I&Td8r`vzxjZ2RPX1raT)`mOFrGxpIwlB^1_-z?<
z=Gn%I$s75b2Tl5U(73K{R>D(%$L_aSv*r)6WoA%e=`R<*k7=U(b<^d#2dpo4^69hn
z)~H^`G)?qv7yqg`klFL6-H&JW-nDUcXztDCzXlE8lK#k7diNhcvqPhH-Q2o3{8e}F
zmOb}G&OE>2kW;<B^Um&*H8||LfLrp`Vc`kKi{?%0PrYlS@Ajh2o^1XQ@1M48=bmzi
zcFy+SV)>tIR9r01=jrAjP&WO{4^tdZtA5`<xvcYsJ$*eI&vW|I;d!@R^+!pC)`Dhh
zS7+XP$RAhVIb&mP=X)3aX~w)>e{#(DhrI_*>e#9ByTVx8Nu@~{+g4Pl8~1(Y^m<bH
z${X*duTV`mpFWrwKC<v+{hkfVGVE)~yNn(Zu|SYL<(eu`5>P&Uf1Kt4_t{e3R<50H
z>iAzPcizd~`p?K6{Tr7S+zE^{Uw=)stVFDOI=}fsUcbGueJU$o_I2qyed)pUd!tn<
zwant`@M+_%=hZpf@foa3ge@qXH*U(ZwUS?5a!cp5f2m6KjeEVsZ^D(bGcA4`raTlW
zAGbTM>w+I2pM3ZJn7sSyx%S~RXAIrvJ<#*#`suS5%<IQ5I-t4Q>wT+vakZYf9be=0
zPSs)1L+SpXR<*Ca>&ma1w3(OAPF6KseZKw=K6R&^{!h|pLI1Rhzt86WTyWBSywe|c
zZI&%CTi0z0bGXGx#;14fP6wi|gm1Zh>BxvX&zHScTAW@fWa9fT%8Y5a`+;}r)(bap
z$h2GCZ`bM4)o$CAu_K>5o|<*(+Rwa{n@`+5FQ#0Mys@}nzeJy~W@Fl1eRNGcrP6+N
z!}9rYAq$VhG;!_xYWlBr53SU>#k|hk^X}A?MUA|~_Y;N<ueYc7Q_%$T*g>Obj0^X;
zwuGPUmmU*+D97eeqa71ZHTgN~zI*rgoyXsw=Kpt{^}m&#%IP-AciPg~eGa6xxbv#p
zjxN{Uu3Wk9uYjCOaR+yu*>k1bB{XtEYUS81N6rpw-Ds(3+nZh8-k8<RKC&#<JYmgE
zzXj*dGQMx7#!asK&}Lw*hc5NH{wN%xo0jn|@matTuNQ8QcVw11*>u*lw*A*@`_9mo
z-p72q9<VIG|MY;a?CdCqUw(?=Z6E%J)v1Yp+dKWxqhWH$-A>-uqK+TA)#=%*UeP7T
z&tK@awtr;i*0+*1y$`Q08a{3Qls_V0*q$n0_-f5Xq1E-pJDkJa8Q)qfJf4hgCJuXe
zd7}PU>Xg^tmo_gppA-7Xr>xnj=(pRS^v|DI60x)PDWCouwwXm1ToiWF?`*JT-zDz%
zl4<Y#$L;Ccu*aWXgI_FI_4vQuix!_<K6+^UhP90oZy&4mW=`R<KC|pP$Wk7yzWK+#
zw5aC(llSKqH|yHFIQ_-8hdq`L_$488P3V)U%TLE0RQo;&uqp4Kcwy+<b9*EIiMg1;
zueD@<+Xp|UIBcEnWbV4A=hJ{i&Z}yzxc%mVL(ui5#GU+W<Rx1d6XmyF{W&i=Z$;cG
zsN3hfq<@V$&d#MAJJNp1Cl*g`4kPa5ZTESO0X1_cEZ#y_F|9gxYIVoNodgZ4bEif>
z91gyd*W`Wk`NJyuJhR%?@xD5(SM=17%^o4X^G^RZ^ycidY1`Z)I#@q{t*SHTprSnS
z-=5ha9p>sE53v3-Wuk}EGTlMd`omprUJA-N9i;9xD|h2xKiL=LTpJ;N@w%ya)NYC0
zor9}x$8CFcee6%$hbO<y|1<a4A>ASOEu5FKM5a;0*UxSTc1YxolP|FlJZL!P*HdW@
zzYSe8>fHjT&J{lOA9%F0Jn-V8a?0LxNr#Cy)0X~pC~W7*BmLi(O{)mZ^Jr<YV%Uv6
zy_)`<{AXml(@zI(teEe+?NQpb`wb3zIJ-aCe>bJSL))AMm+!0|k|RE1n;ORX^JT(<
z%uWFXf%QUrG--Znqtvn02*1}o8=Y~n+#7ypr=6Xy=PCEf5Zk=O`CVJ*FTY{6qLE*_
zhBjk<(+|8{XH?h--yQ{<hWu9BJWNrC)44_E_WSka;d>50kj#GA>quC=F{d(ewiV93
z((>|8A)}|B>zo~Q>F9`Ej)l`aH_sh#dzfAFuk9D^uD9QNNyottA1>YeXULMlM~3hH
zdB`!Z?=Eh=Rl3l&rFYAx8IA1|Ci+aUXtY7;cY4bdUdpRd&m|chZTh+mKjk{rH-2b~
zTGP)AvtE9w(zV^SLn{+zHQ2dl_TouvYuV^JO<g(qVR@f(-t(RnTru}(d+C<&#HF{d
zT<<;~nLcoNSJ(STI;OvkoHusSi2bdaKCa*8!o17PD!W&Bw`@JORng2ci;J53w{AOM
zTGY9zn`79^4cYr2|1jkEy5GINU*h`Y*5;QzkFBxG_YaTttmrU4{78C3q4&<{L1E?o
zt(^KtPM%+A@i5@|&&zKVPET`~y-)vo=!m=1%HMqFu`czGetY<j*H2sGa^irZec6`O
zSsCX#FTJ@oePiCa@Am8})^t0y{rWADm8?_OGf&e6B{3E!e_WT<r$hLlrWbo2h&<70
zg?zY~PujoJp6*sAJu5xAaAJJVT~4|GnRyp`pWWJM&W$NK<qvxM%xToO-;~mvlRf=n
zTAKgb<yN0Y+e3~9KmK{Fs@C3BQQISj=8qh3*LK}VUyJOlWxf8&_<2jl4`si%5dQtX
z#k%d^72XvGgk{*x(%x8f`3FVI=>x_z@|<^VP1w@nPIog7)w_3KnMV9eal2n$x4rki
zvph~^Kee-UGoOEbQ<WLN?QJT5KdwMI{P4}48<lYn-fJa_W_yCh<g~MBeD(YW%evy3
zI}hkDlqbbLdzP5JZRyZ^X#?uU=lh?!86w}_{wJs8BGu_5?GHy4x3)HGFr<(D8r8`~
zM`ui4BVKT4t@`znz47a7E6u(A%;mkCb)O@>?)=Kb?@{Qfp<CCamFA}Rx)ELb)TnV~
z2kSqKTXr?^t(VMka#Lwt;loFjt8$yoz8|$;rWu%O{@8xyiR}5yZM+uU9oSgBL+8D4
z?0^LUHU)mVwSiNvhTRBw*XZ!@Ucm_~R*v4Z@LGrRxx=;$p3!Sn+oX~ncb3d|U;SJ7
z>`q<RhHRVDkMob?q<tRU`{xaEX&3ckN`r?DW;B{$<+tnyZ0J0*aK6@Ro@iacws^&g
z-}zh3??xRO^Qh^$T`OaMy7j~JA18L~vPc%oTk!n4>Z)z*xYncW*7&X8eSJNzNlv|{
z%JU6Rrw-|0esPS4-)wWaxo6_Ckw4sNobzJG3iBBS_pMv3O=`Vw#;gXjLf77%{e+vm
zZAnb#wzIoO{`uPiZ~KY0dSu`4B0OVtaY(<Om0K3BAJE?E`i{<H7VLB#mb!TS1>q5$
znA6vOnTK7Ey;(sM<7}Etskph}?LV74)-CHdeCHqjeK!3kOJf?Soldn#AG7~fpuO`v
zzatYP8)Yp|Q~Gr28XmKyv-@Ce{Mw>c)?J6yzjkQVW&aG$;)EB6oQKRjdA?Q0<J)Zn
z;YSx*rnxxj3POt3X02#(a9v!BLAis^X{6@${x81Xu{*G>3%89?NyWBpr()Z-ZL?zA
zwr$(CQ?YIPR_)vNxu@>i+WrIM!}`$s9Ak}VP9^Q|LWJ2C5=vXu#RsVo-2!=2_w_kl
z2zZk3-A9`8;*2Vm9+niwJ{X1OT~6^REGuHe5->b4X^pPgj-eov`+w{t{huzO{`rUe
zq0Rs6l0Be5cH-v#Uzf=KXGNRKKNUrU|F`0C*&jQx4g7CKx&OA)_kZl<^0%F+!v3|>
z+3(9F{&Zvi_D&FT8ZA3oOU7g*czvCixW_YAr0Oj7$QzfYkNXa9YrRX-5FHhe8$qH2
zopKg$vIui*W#*NpB*DZMl*E^CIWqaDG|qBg`2_Tuz>diY6CybvlP!#pU1}Xy%%yH6
zuNl3SB*ddnPz_wH24Y@XlS#jDa1V{>-QHN4TI-nlB~cVVw^Z%l4Mr46(oV{H#HL1t
z>)^2(Uea<s<*LbQyQy<Go1`X_?1Drue<UIApLw9Is=`Cc)Jf)N{Xi~i6|f<YA>~p1
zn0y5?Zk_b;CbS)0$;8Of_xS(@e~OL`MaxYR56LZ8hg#4^XJ)f!cs7@_eE`T`p#A2=
zG2H1|fw02pO#15cb9{Vq(K>7dEt*jp&)@`0%@IO7q|Ba&A;%I#p#dQUSND+w)Lqd{
zmESlUm0SS9{BwDR?KKQ!iuBXVDtNjL51uPzL=LZw{2SgK+AwFf6Z1-LOc|9F%<WdS
za|OSmiu>TCISfm*L@YHYYzR*FQVL%ph-ci>Di+7o8E&-1S?^^CMqFt#ym-Z}X9jca
zxWRd~Oo7a@pG<?68-_|JCTQ7BiCH&-@5=xZ=#*%H8G?8(+LxJ5w~W>R`ZjL<?An*Q
zd)r)FIzPDrQ*;1!s?T`Lk_|=l;CR!fu(Ft!1Q)s6=7{RgozvBt*xGIOb?$BlopO(~
ztO0$tk%g0~>^sk8k7+!#{wfd{`~(M*x<NiYLmt@e{cR5(LiP$exS_I(2|d50uwn6=
zR?Te6I!BF?1DaJWx00}S4s7i^^$CZ$(#fF7EMBncQRuGSJrI_S!S!ayM=gb?<WS4=
zHBxX#AAs^vjmTCRDbDyipd2D*Ie|m!1u$gk467|fR-8{{U86?DP<d9RK*@;u>oH^T
z*ig@0sR=Bp)$LB()UsLjDbh)%z1N-@AS_0Qi$_B5Qg)D>i-ax1;X&mBa9ABseV2YK
zgSaNpK2Q<%nWJ)pT*IEoQT@OO7qqHpG1sa$E2JAh4GEiS#bUDYj$aGj6lV<7-st_Q
z)-vmKHXL(L&6gnR+1KsA=BG(CIP3+6^4goEmt`Yx#VAd&l!6{Fs3M4uw4&w;mEr;S
z01l9BnU1rNa6Cv`D$3Zm@q~q@!+oRHD}n$gPCABm?y*s7Y4(55Pw98Ln)><*%`!6c
zPKhIGV4MYPX`4=G&ZV#}dDYxwL(ig^^ry8j)AL4<(F*KZCh9A<Ke!Qt5Hw}lQ9iZ?
zT8?FKf1j3&cFr<EbSaLbD*Gm0KYywqwRg_C1gu27r5~>tkho|0l4G?2-61WAop^~2
zXc-}|46rm=)G=qI1=R(ZvPCg)p*pjD_tbop^Sl*jexKzu=0dbL%ht8`_J|q!-s8%Q
z+udF?Bu9)&dFn#~D}5nVt?Eb|D8cg1HkVy_%v22*^$e@)U$GB4J?H_yMvv8DDZ^I+
zR`WvMtt|?(VI1mRssoC$hXRc-`gzl51BD5`sqoByEgqQ!X_>)YvofD}Vm3Y^Nr&2v
z$d0Tbxn_;>SVJA@*(!lULw%wf%#;bGFHr|SBERKd><qR=ZQLc2fHnSY9ma$TvPg0+
zsCY$=UBRF!<x`w8EimVzj7;h#)GEo6zqb3Pa@1XbU~xctnPLN@Pq`h`I*|Q(tV07*
zD#&^qCmh$U_TF7cel1~XV1;4GU!h?uskc<)NHt;{HfNjYy>*sy^H2oHQ~aiUeEEs$
zHBMjey@Cw(dvAsDS360yAs?lJKxB-llq~gH4_=<HC_Wj42$ecA^QjtYxRvAJvM&6L
zJ>BU}?asEAZ9%%q^EZEUPm>>dra2o1z}R<Q-?H|g*&A{BiD&9^+)gVv!{ILApEvKq
zM6;tsM!_703iI#Fd~}7{-;kd!GO<B_&-Po?>crBZ5IG7razr3}L3NQSVvrB13{EsS
zo>TTT{@6+BzsV2t5BdMh;r_py7)coz{vrSGTYb0xe}D5ye?$eE_*7nj2I+JCSSXOh
z^4cHi<N<#Y%_wfMrgkZ~a&Qc^ROxpuG4F7OX{4tGw4-JLLIx{3Oe#Mcfz8#<crHSk
z$a+}U=1KU{pXhMsqL=Mljd=^WLi2m#UV5FqXDY~5^iHJJ*fu?%XK9OF*(Ap6c6ekL
zofBZRoc3W}cfL?+yImP71555S!PEuJEVqX^x%lN6_P%;m;I+Yy>2xW!R0ab*XjHXj
z+~M-cOUe>liR7G>f}qVmK-xTROgVlago{_PSIs&jRCEi}dOFNmdJJq}+wjh1jHks#
zpdz3(<#K*GFP*euEDCLTIvyg8#bwYT64%_jyHl46GHLsx#}tcp=x04|Jz14QQSVH0
zebhFOO!gN#8!lm9w-Sp#)J|42&c+wNZhnp{yZjDLjy$hKxysT)r?c~5STxOTz|Drj
zZUwzwja^|i)!Gn0MFvzvyWJ;=1T9$EpxpxZCTbESIRoGzhMR#~4*1-rIMuiVKBZ<8
z@M<=V<>++!qiK7;7V$0D0|cxAi;5PSh-4-DUU5^R!-i^lGn|qHT2bu@%!{?c0VF=3
zR+%f-bJtw~P&xcM<%*+2yLj}<^`YmZVOZ#GLRG1@@g7dEgE+Ej`pOy$DPQBOgLqIW
zl|VgjYF0}yS=p{tpEwkVWC2RxuTGZSIwd63c9sX53!G;$(ML7Y84jGPjF$47J(Bql
zl0Y*iGtwuU50i%=Ge=D7rnK!Pa*)l{C49rw&s2YgMjMt$Ch0KfM%AbLF4xKcsq)LX
zB|QVj1btS#Kn|S9;jTjgYa~ps#i{=0O(Y0)P+#!QZk-*3_F(M#E>OO5Z^&RmBWuFq
z^8&2iNc=KlxzTnShp${eC09+%6`V;V1E(J-yIcJJ#4Cd}r+Eh{85I0gia%`wWMal3
z4gpX(wE3*AN}SnN$p(%lh2%q^60d(ag#|SFgt(}?6IJ))m`kl+5}|@5t$^)CLJzcb
z=hpW}7rj@3hi|%SUV`~@Yn9zJFF*k?o%90NGL1;OB7grh<TFLR$Am~@X=-qayX2Rf
z)8NH7A)vZ3iH)!t`Q;>=|6MB=juFHo<*0tRjJ%EPv00EelG#v$7YK%xgJ@J{c(FHR
zj$GVQ(~ab-KmVBZM}H<<*PKzJq9ItnK$tglN>3uv-VhTRIBcW1&kiJy1e5#fU8oMH
zS$2whpNDXP{b;r?&$n1>tM8=`4a)q!rP>PUB)?t)*s{=wqr%0r7Fazf@<Up8^wkZ5
zJkx|E#-X0KOOVyhb%2w&G4h$0!F(7TWwGkf%_~uym$O=<P};<@f>XQ^<U*eU_H9<l
zSmMe&L9QQ4?H3IOYjw+OIkA%*P42UYpr6V|S<^urnF&ZQGSpyMt8$lWAPf<}$s3_g
zGBF@cGaKDI7Bs^efl{^4wj!L%x(jt%-Lt^t7*Qq*`PSAx++S9r+ks^eUsYjb$Gr>z
zBBOfta~*o)cBI3}mcl#s+SC)wEtQ8IQ`DNj6&L!CE#c)cwH!JEp)n9f0t8sO@(&o+
z!joK-2(;-SY}Dx$bth^1iXRDr9qf5apbeo4D!`Q1FOBjIAnysRDA`Q2{~&B0TtjFb
zkBmS7IIJe>|MBamrmfi`H3$yV6T%va*i8P*>B?t|o&%->=LMp`oxs#xP*f_vJmx{s
zdBWAfimI~1X@~P_IF>Da3v!hNI475|HgF=xO^*6nEt@aARVdNy^o3eq47oY&Y@*#d
z{3^MX94_OAaofn^J$zOURm}&3N*I?V+mM|~ExY|o@CxKfl&&872+m?diG5$HdoqhM
zBq`wL%<V~R{WVZC4vf$n!3!sg_%9v@Ze!?PNjz5E>SW=5It4BycHq@F9?jFNg`=h6
zpv^gHbwd2<3I(rG)9OiGdg<l2A`Q{DY;kG`1j|3<*Zyzv|6U>dJ&|(yoBXW5{yp=D
zBmRBn???C^t!K9^*IAwUDs=ru;=jf$kyUiNL5)xIgYMd|)V(?dCg`2IJZhTQBxyl>
zOb=Vy0(%5<Js=^1z$1fC9T$hMjO92p`kwma>!ns0AulRs5aCky{6vNm(uz^~HrEpq
z`e7=+Uot>zPla436mI6A3=q@!;_W>8GI`E73lUQ{<3t&8h>W^M?5mBOS{(I#@Zxid
ze_dGw6@M^=D3Q>#eOi@_wyZ|aMHP>$TYt`vP>vF(X6~?GW<wc|{CKjLOwN=)yGQ7V
zKA1hCM;ZG}lk>nKgpx~-qTYyVPUuj|xWhcTPu|Ka^|fExwuyI-(X;l3W5v2T?*gg(
z(emB!qlA{3B~G_{mu+_E!Y*cO0m*K60XtT&-tshph;tty*ud3F1jLYnVE}BWiiZzz
z&zP|U?$+{h`ISG@5nX9Fds{gnrJQO8d|4tGLY&wJ-sxL>FAkPt5Jh8|eBJ8Jcorg_
z|1nH|<+6pW4l1P&P@5dKx;4dGNW#I)wlp-yqEV3{fILiEO`u$kd_CYJA))78T%#-^
zRzMv_pX54_rs1kGn?2RIk!sR)tqDv6+>_~bkx-|;u$`1A_xf!az4r33%w7?W-rgZ|
zEBw#f^1%S)dDpALUq-VF^jLVX0*dQo3&Uk^Y-HkS5Sh2`#ZF7zYTa2TiTxSZq?fd&
z=Yk+XglLN{m?HizxlQmjx9_q(&SrD5%Ri`}(cYYu3;El;s^aFtMM;j|6Y;*Hx+;Ut
z?Y!XoyWhD%U}N~y<ViGat$+ue>hAmtOQnozU{L@#TV#$EfqepCK`1e5i}w@XiE?0h
z>2Hopc_<gl4nDJnqas(LuCwX%xxB#q$>qk})6-T>D)sT143M$u1iq)9!nH{sNE1P7
zAWLJs=_)1A0ms%(Mab>))_TI(j&1zRm7YM>bXG6G=|Gg_MC4z?Aw9NW8?~c&gNvVw
zOk>r#Dvn+h7x(lBx;2(wHxWB$2Rh~_sgFuQ7{W+bG4lta<dpn&XIKuaqq`t>zi3e%
zZUo04t%G7BQY<Yr=IkcAVr^_!%(>mNL@jAg#BGi}{0;W;EVYddAD5Bca@)ir%U)`F
zwgX4JlEcbO?KU&YN^gNsH=8t<@(t!{wOM`7#C_T{8}S1=Sl;Q_8EK{%#;-hI+aKfc
z)ezozq%>pgP}EK5haYa@s}Le~Al><kg`<^uv<a1tR}EePrk2A(bEuwM=!Yl|AGyjl
zT)N~47L{Ye1d_JR5JeYGtY|&knyMj0x)X^<1;CjxJvvAPvTPQ8uK>NKs_7|N<BsTn
zhlQD&;P`Mq=1oLzD`4bfoE7;*E73RJZ0Pwz^xg89L@Kw=jm=Ru=`PEvaVjTyNo!P{
zEQg*Cnc@dtFVc!v!!@<|Uq2ezWAg-toRPp=x*4~&QBF2E@r=BfwVD~83Y>cY)=}DE
ze`cK-yS-`LIC~Z>Ye~(Vf-*^)GPL+fBS140_UIT4!h%dutIH;|$CM6hrXy^~<hn;<
zRjd_`-;m1ev{~)2-IM3e9Cr-D4SG!SFYdo}`nw)ZtzQ)jj;-McsRfR2cmp^ky*q<r
zIWp3QVUvq+B@?>8T;*tir=3z(2`QaZxg4tWb6OaV$;euD2pirDh{p!N9PM@7_}M(W
zI|YMvLlpf;dohREzVdt4!3!zcsC$XfPWKybA=1>If43ly-~}tIltc*3YLAu08HdiI
zx&3h=ZfQ!TVLtP;;#=)XH0<Y)l>AaA3Rm{9o@d-4R5VrR>V5REC1!ncxmW^Z6s#$B
z25p|xF68xcU3}1CV7405`ZL0U|6yQdM%~m56bQIHDd?Px@O11_TEKAApbL0|HPI4*
z14Wo!Ujm4G@CDik$knA4r-X|C+l`PtI809Owjvm;Gn)81;aP{}m^bQJpI|X|QIPK+
z^6URM`QiQ{zvJKJ=koiP{Fz;UlmE!yU`HeNtRw2%jroG6XfMJ>Xh_PYf%S*-U3y;`
zcEl8Vq#(yg>2AK~kQyfZQ7fjsncHfqYCG407S7V4B*pGMlvW+Cq^cqeSE1VRCC#Lf
zd%Fi0#Agb+N2(0z7(^s;PpkkpgkpuqL}$Aq>EV)n1fyA}f?)e(-L&CX{m!q7h`92*
z>0_pMmX0wh0R44qc2f!`QzSYDu|r-==$~$3v5d+~!?BCcTUUB8wAoQt+?s>^bUMT2
zh7c;rg0F+cvUjXgv!gQoV#z&(9nYvyF}vyht~ke6R-pINEu_*)duq7RY}Jp1$|i8J
zo@-n`MuWYTJX0sNaKBAZ$9Q1)dh$v*<)r0%`F?35!8Dc*Tv>|fcT11!D5VY)8Anqc
zESS`f8!jyOa;)P9I7Bfje-SQ5n2}47ia%OSue>xT=A)~1#uM?Qb%rJZJb3j3(WlX=
zJ4kh&30B2MxxJt>;|Xuwoa`-9qad>kD<TF;L8F-shL5dy0l61h&_RIovRf*ptc+_$
zNvflX(5Pl@C(?9Yjmt^frLW6W89Ye6_2=|53HgR!S!h?PFwEfA3WVO|=zfeLuAuV(
z!$A_mQTDs_Z!4(r#B-#b95^@E?Z2Q+DKYdlw@2YPrPy+nU@uD=rDqQaXAL@iwrF8t
zOneX5<gD9HR7x3*EXUS@Oo;<JT!vnnRT(k-+O7<;B!qTAyQrgAutqeA9Kau@vqk0y
z?k4-5>IWX4?Ck$W1`o=`Q=E^j*u8)o>XItU`Xsero-SYoo(*{U#8T6x(#_Qd10qqN
zWE8^J?#2wWSM1~5zQCdVp8vGk&2w*#F-g?&iKhjbbrrNW8xF~sxi!CGxm0!7idPrW
zfenzQvT6|0#M!#C<Mw%zE#|VwB56`S-7CeNd<}yEi!n506@t+DYadUg36lj6Yy@<6
z-f%Ys6rJAUoY1L*r=?Z&Rf5jaEgd^?x#e!+<b62Y;Ooe+r8&{5$$`L3=2;H|5%Z}Z
zY7}Qx?;Xmv7Z$TZ?q}J#*7GLWhv2s~0iffy7mD6gktb4(GUP+EO|C@et@W*Au^gn&
z9uiZw+cg8VC?^i2R1ZldSemVkQjLrU>-jv3>_T=-|7O-oU@C~5%<+i1%%5w?zyP0)
zWA)wW30e532<fUWt*Vp^eDTj5mY7Q34|Vs-zNSNySl%u9n7(3j0d(oB!W8+XWlc%F
zu48%u+&V6_XBOP7^U5}c`eh?emP<sdsHp7>VgjL|R6|3Cq59(^qPLX#ah`<YeVo6S
z8>nQdIeF{v8Qic@kh7c=ch<CVt?vg&Rw{48yltt<>G(FwD}@{D+m7uU^JY(9d*>3-
ze9azOoJ8nQjvg>>6yiCdW`lq%S7E}e*|j}z{RfbTJgsphD@pm`sM^R8+t>xU*HN^K
z3%D-P8f8#`f;BJ3kVM<Kz+yvCd*{NzzTzm8b<y8gj!UwmL2fEHE&)x;4BnHh>`BE%
zV&9%}<d|);2Z>sTWw$`h*3LgIRc%O=%e)@vy|NbbJU>q3g|Q^t4(`m>m&QsZE1I|a
zq^e%_as{!8=}^UmlXOvUUaUETN2%t?8TS)iACt-Y+}P)%0c!bd**~z93w54^SIDGD
zwuthY2!Wq~`M{r;Yr?bmoW+d}Q7t3K6>csffoEc%(xbJuwrR1_fmWO|$q+)eYDah@
zoI8lP?0nfQ0o^avH7@$NhaiMh=5T&_+ge>VQDe?@IaHJbwFCH2!a?i*v@om1L?7bD
zBD_+o_Mm=xE-%68DZzd<Ep0R`BrqTfw%*2M=(<Lo16U4Jg%uJ$e!#=-cEQQpAUJL$
zTM!XpkUE5ck#OQb$(H=IpG3YoqTp;4b{{#*uiQksUP37Dhy0<%FGx2!QzS+!xN<R1
zS!<KT=@w-k`H6;(gDL0shx|tWO@8=)$nWqs`2{HcB|pgi-{glbL2s`@zIzTsZE8@a
zF9#6j#6Hv4IC^sv--Z=Lqp{c~46tS05RZSrnxb7&UeT3C=hXvB<U<68X){d{5~e?`
zww-Aw!fiI}Q`nhjTFQ8R{i(PoM^#qNUbg%=J5zbZ;!0V_PC4=5{v55dk#&?=Fz!XT
z48LoniLNKO%PB(l=1Ix(vzX*fv=)aHBcSEdA?SNX)<GTqIi?DGx4#ycAxQ(f8?w~$
zX{J6Ei{PH-kEZuU3Zzb|H?~(2^<G`f$WYE{6nU?8ABR4TRz(Y5GqypK+%YI|Kh>`L
zEQtCZld>gP*-yJ$#bWVa1%j_)i##Gg2`a*j{SWRsmY^(`AEEuGL(Ph?W~?KI@D>kB
z-Xv;S#W$~wwdvR5E`BxliSO2<Bxsq5ivEeZ4)mlAwY&JG13!RmV{^gIRT0=#X4e8x
z^O1PVl@z-X-L_gWHbVz91*`dvTj2Ae3Ul)KVrdq)ySPS@8(G||a7b;PO}eLIfhn78
zlJiif!?dpBw{Q2@sL^J|RS6Mzw)jGuga*Lq%9}rdQ-7aqU<K6H*z<Bb=ijS791Fwm
zA^M^YTnWjN40~<7Y1~1sPvnj5u0LQWKV9TxnWi^op(RR}IK-zDns{JX<(@BL!xg9b
zE+6y|(2zQXeZK8A-w06|1an=$#v4?+fPUojnme<M{?g7Px8v?{w{ey{jJvTO?Esx~
zjT03F9($-S*P0b?GWcKt9%k*@fcIg3z>>(>jEH4eNY-dFrA(i$R3}CUYoyB5MEQ<(
ze9c$+(Z|vV>6Q<^p*_L{;w>N)QZDgIKYAj&o)NI6nm<BXL+NwXDgCzoh+Zny;Np(w
zSm%hT)YWs__AO5CeU=h0hwO@VL3Qo^d#U)nQE86b;p(v89r5}y7!9$gF+Dep*R8<_
zFrWNNz6V`JghDU!j&S6{LO~AX8&zh;@=2~qhzsYpmXm$i^`1R9@x`Ul;s(@VcHaha
z+iLuwZr-<?`|M!9%@E<A8Eo8EWVx5E=u=5aDdHyUi4JdIes|!XJYb~vx+BLk4|Sc_
zf-7(xC^A-Jo{+zv9_=eF2()}E2%gGAK+fs0+ts4Hs1x}}4ldM2w@Pjdl5hN0cmaN0
zgE0+_NQ(%y{0OOGv2xpU6F;ZF4Sj=QIU8%r$h0^rzY{kPXe*biS(=xYd_>L4=$!Gh
z2Y$+*H$;YBo9k=Kot*M!-Ek%%N>0~sOSb>&S=2*;UaMY{!0NDPFn#3^0kFucJrv7!
zh;^&IQ9xW|uh;tPcZM!a&B1medv5TgHqg?HIL&JHVMMp5yF&d73xhX3gFMe8gp%Ky
zJ}=IK5}s!SgffLIx_4ABMgH4|d=!1_!JIP$gmT4z%#;=uH(I%qsaC=OeM!SS3e9M2
zX!+H}Gj5OKYLYS|%8eA7aj**m#DoJ#c$IDk=&wbHA=qoC)GL#rMYlv@)x}$9Bs!9)
zrJDXv9ZcM*?Sn~f74Lemwvq9!93q6AjLyt+f<z9EN%45103rMh2}Y5)i}e-xY}r)Y
zd9VZwEeR<-_;h8Umpsifx~&{`zid$~zr!2j!-1~hw~y2v47H5#R7qo4g$V(G3d<;A
zgNfqBntJ2xj!E2vD#V#u3Ivp3$33rs>!~G?I^&X!j7SjWXznds<tyLXt@W~gUqval
z&L*<NCNP;`wPKUJU#zS_?$FohHYEew(=?BqX2%UC7kk))ebJEvqLnREQi`7?QD1;|
z4a55%%27~70ZU|tVr-x7DHQRU3v)feu{-;O%a$n5VB(a+dU#WAHWA%)+MIN(Z}xC{
z97Mx{W5k|?WB^e1PD=D>==4VmYcm5I(=ObvoW5aK<L~iM``X+t?vq1xxs}-o<#(=p
zOgLd~Zbjl?wjXKhPjXMdjP}PU<?k8aP_gd&>i1^%_WqFH^1sQC@DKUz|0cia+`r_f
zul$?*@Amu{$&}KqM6z^%1eD!PL<bNTji}x!C#u!=smCg%<oEl#BQgG2IvXsQ_c&OI
z29;!&G1cQ|`w%mO-4mAI<G=b9us1$+bdN{yOmkNjyrNThW&G+j5gUyvyqOTTd@khE
zJnl<xA8w<BbpxSzs3eb&hjiX*KcAbF*hG?*SyGItvcrcFs~&YN1G6@=`ZF?HyX*7#
zqrLOU<M$+i3W9*vO^0n=J5swPd2MiCIzai2Iq6@yFcu}W4k*>3R*K=y&bD@2BERRV
z;kV5{x?YOIvtN9CNfkQ>!EJTsiqa2qo-Q=dxdqmd=V&%*>5w@dKTc$}o^1T!B?t!O
zyyJ7a{qCP@EEHL(fVGpn1nhU8%qOT94<!_4@GfF|khxka*!EFmZ*5|qKQ7$JO=vj)
z#60?9pu(0sIoD);4>v{F$wtBh4rY8zA;bnfy49D)q=s2C1B$7ym*8V!olld>Z5_kK
z3;O<ZP#<$-$<_zWcUN=cf)aPh%}^4!K32=u>e3K_QCkbzC}o|%ZJ~Qu7y)nPU`mWz
zPPyp2dpL0*B(Kk63HR#JTW^aC^#zlgB=N86P6*6|ix?&~(IL7ze2rS?%{OStUa;KN
zPsbcB^&-TPG8;<bbjs9dVRJpa6iq)i2H&H|UAeb%mG8KPq}np5(TlkLusLJW)Zs5<
zV#A-I6zI$M5JlUN9%AH{4Wr#5;qi~gLd?k`_pua8U$3SyE-vZQ=o8@V(uu1Zys`EQ
zRja|LIUI^nz0dPuN_{^#Sw3qNllv_gRm%fubKm8Sb51VjUDl&Lfb;z|orrBBAv5hf
zS>+Mn<TD@buxG)K1Tubpq~?ZD?MV>2Y|*6`xfxuAZE3QCe&fhv+#Eb%qt4L*A0u5U
zCaB(t4rkJUL8?FL9eqoEA9c&2$!Loo3t>RpmJTriJtS1zPNq7v(IUMT2;&#mEyeBb
z=1V6cnVhRj!t$BsE!O-bUo&8bU}l4`I1Q4%{LC;#RQg$t_@-r?yvFwNTBh6if#bWl
zgxn=`gLd~MBQi@(%ZJNM$ECDJ^ZmJqPL{6RGgk48ZYS<;HV!s!!>dJa6#FDosZZqC
zuKon=90c(O2X_`^P9AMnE8pI0@Dw`K68O7@)uq=cN=F4pDA%)3Suny19lSBEe^wdz
zW7)(FKwx}C`^3PWGuDamt-~N?l3C6ifJsD3&5SQKN_^_~2FrOi^ilLB?z1gE5sGo8
zK;d0A>M!tBK<G#D5j#9FbA+z0^{3HQZ0*ZgdcLK-JXH<>K=6TPJ7T|Rw-S31;f(dy
z;=BmtaM;2AssL~zr62B*@|t%kuINcFLt8=lZ-%Gy&Z{z7FV;`&ZKT^QcN-VohP^xE
zlnxeo+7kK*FE_JtElTt#U+VHnZKltbw=``|?x|T4YD$FqxZI;!=UBL?WQzV~;9q@d
z0oG$`2a`rJp%twdVJWlLPr{yoL!iK1fQyW!oMM{;TAmf_OnNVp<xL$YlrFR*Q)!i2
zzK?$1e!CL-!{|qVN91OGYdNgQ6aAoSnS)|T%{s86IkIZV<e^YQe0zBE*im!pbA_05
zhQu%lNw(oai!1&rJ-(iv-yt;1-28=1%K4(S#6cew@>JHPRe8q}4;=NHQfcVMGwNQv
zYzs6sSxF&+1im2$|8VuVs%AL=pI$+FzFA$SKfMeBp`VnmX@ZY-n{0(W8BOKw21D;B
z^lx`e9~+}fUdYK|HUWwOSQ(#mIE2@f^<JDl0YRFq-hq44gp(}CCAIJ<8ffLd+S7fc
z?N;#_4m=!eJ@j*BgqJz>rpn$_+}#x+o981dXGGNG=_PI;A$UqA&1^#C{90ZAHf=s=
zBlJE<lbY<F-}p!qg0mnemhoN~WfMXUSN9N0y=bZZI7<l#vkh5BWsz>%(aEvHj6w8=
z{C59Me#C#sZ}&I(rQQD}zt!)g{Qte%(@0_1)cqhHP07$4qq%iCBh@u2rQ1D5K=iHY
z)x(HOBnn-HV~90!A4wD`&Na4^Hup6OQS?0nsBoZ0#Rc))%K_vmWzdR`2TK8+RZ;mN
zv)a%h*hrdg?QuhaN0u2foubUc`ABts<H!EaE5yL|WkC5QJN^*<4=E}YSYk%zc*<kW
z-UP&A232xPQ`yWXVqXBW%m?Xeh&)%7&q!3<(0DF|MjyJ2%93N2LRWnx#<hW_1D@er
zKD~hp8>o)PK$B!aE|~JqE0Mtna=9|*zzH_>3dj&74p~HjW3p6fWqA{)E|f9`yBk^P
zxnF8%+U6`_*0wsGOd_s2r_G<L4l?1yvh>epY|xNf`|fY6yErRGqz}XG{n$`r8a>-I
zKHN<h5w}3*!xs5_ybf0=BXd^rZCu`%)VVQ1C}m+T!P19Z=8e5uBum}%^l~dCcf*;l
zqyqgvGF{ydo-`V$z%~c<B+#+;%f6%3dC&gfVGOou4B$g_vA0#}>o?WBsK1YOwEkwb
z*>3uaW@xxYdVhDiKI!tp4viIoA~53jXB<COkORi4-QScQ!F+Dt*97)8(UH~#449qZ
z?hd3iN%eL9atr1z%S~6qdHIsp@qg`FfTN2o?sJ<%t*tYW@)g5(;M^_6@8QoSNX4Jk
z)%tMMOhxaq&(A8V@1!*bTvGs*E2Znz(xf=#6w^M+yd=oRJZ-qaq7YO~%$ZgCb?;%K
z(zH1V?0Z2kL&O;(Ino__=WLLq_y#PMa5=~Dk-t~n2hym{^V4lrm5|w1D6=prDveYJ
z%>1HRQVdZpb`kemtkR2R-TK-DFD(C>>6nhHZ3~W&0V!;tVWJGg5i7y|8G7EdHNyu7
zF_bOEw4WxUIQ?cp8$m~6+|1Z9^kja|AnjXy;}WE0b3Xtv--X!y3H>=A=bGheyR7zi
zrD@-?PYipd(w!TEcG9y3M~RD{YGZ@~ljZB+WE{#mjvG6gh`q5`5ih=#?oL6$_3(Xi
z)g<*h!olu#hUkwbqQgKGclPK~Hu&vltW+9?rY5*+d*D+?L+P*$En_HT3If8`t#V<E
z=DSLbijaXeRC?>}uDqel6cP!NE5Xg5p$zor+m%1Z%7_}vP&EQxAT$>=5LfQ1eg=?f
zu%!vbocqHxd}nE);cld&dY0u3nOovPi&F*nkE;^zY-^Q7e!dEB2(c8hrc?ClcBLY%
z$%f8BFv#L7?MCA4(}tWOu&><DS~sNp<}^p!*s~$!{nmRE(wyJkbTwUdMJmv)-G6|s
zOBlTf-%*Ke8@-9P8D*9e2iB`(r_`REd$u8$_Y*<mV2RYiC|pv+7GML(y~i0Xr+ku{
zb$vr9-P@PTU@NzA`2#W!Ousn5?u!}K`lp|G%2Id5e1U5f%>6bL%UzZ{eP^gnc>z>}
znO@ynEB4Ux_{Gk$S7q?#;bRY~Lloc!pesq9apg2v_b$+M62w<DuQ+gGd8Q#j^xH=k
zg6Iq9^-uwURV`re<hv$HTS1}!B58<@iSaM0NtU`;D&;F4$}gV4RHJ@w+zw5EN%BuE
z>rltJN>O?Kg-~P1Is(;-yqb>6&Ym>%NW`gufk=@D3^CGQAV&A#C4mVl%_;uF?chNn
zeAhubR3LBRy~$Ej#G+Un`>s2^1y?QOBcAfc%l*~zo2=noF@=6!5$Gc#8($9ek6}aN
z)^>%NcNwn)7ChJaYDw}x%RT6>dyY7)<OEN55u8bc344O5Gcl61k|aH$J(=c{O%QXw
zT`|^k&=L!K4o^Mz-yTrJLcJ7}C{ug$-Z1&-LAR>ay%40;=jKRV!u`;hgua&tK(lM_
zph$XPR@_VRfj@mdWCTOOV0)sQXY+<VKGd3(G!Afv7r=wwRckPX0$UPP*s)OSu1da7
zf}`#1&}!9_-zkhjW<USo#(xI?hx|W0{_B;DuY*72Z<hW|{{LT!;Zpw3<|)I)|4aVg
zX*k_~@BR?_UGYEOZAJRWCANRNM3LZMm!zTo<r3XbJyO3%W`vt!4cK`YOOr|!<QHt?
zt|gD|c30cp%Gu!~LTrcf_GzcFG!nw@QLHgy&FNGX@8S>X9X;t2{41B$qWkbP%tF@k
zbyRKZxAbK`&LyRsn%X+Kp+$T-f|^6Wyhrv(0e&XT+|}54cYm`vw%#}7pVU@myk1Yz
zBB|ff+1Ofp;G?yzTCE9D+83{@CoBDlTTUkRG7M;21U6L65WFI(>9H9QqhQEa5zi=`
zgW-v(92V^*J-{F9BM!er9v1ymNaiG^Yo!ZhA)`d7rJd}k0YxX@PflhBZlZ1X=8t=8
zQtDzfj{82S4+_L%@RXSGYaB+CIBYNEDBQg82%h!OsCuXSqI>eptl0W8VaM3?t!)NX
z&#@s<a|Xi>$2L!a0m4AyOW|O0{c*PwFbOLc{7(aSOx2w&j!yJHzH7-3X3}G&&SsN@
z620~b>?cmyd}AM`wTqUhq7(mI^}tb#gd9ebTx@K0>DEk6J>EtKAH`O6RsSi9O!$<{
zsAb7PGrQ*9-aHEha)d~|c|XM|JZPJ3bKjtFL~Ud=CDkwAs}6oe(XPODT%kqbux>s5
zM!A~DLiL%k-itVDGxgAdVybcl&gyS-mkcnC6VO;4TKK{!9<1Y{rHI4N6m3H+YeC%*
z4w<wckj4O*p}k}HS))@D{%mjB8)NhSoOv;luf{ItTI>Cc^z=0O3k)XCQ#)l=Z8ja8
zV-1*?qimf%6!9easTNuF#M(Nq3=_r3HhGqr*r`_<3$w*IPKSa@{`yf>yD*VG9%@4M
zd+U;q*{{o3<0_qd%vQ%jAtuV$vD1ac(`-2cPn%(2(9L1VEC5b3oAMag&uIt4(Tzw!
zb_pX35H_Fv=#t@m-?}p_^6AJ|q7pFs-as}cZ;N}BDV1vO6Twe%-{1s7#)n`xIjX`p
z?yD&$6bd70ZFrnr8%>*(VFW-{#z4icEz?V<H#1ZyR$B+QtDdR$Z&XP0cxbV7Zh7_}
z%DY47p;kP64)Manr_o$ifrh8Po4w=1!z0mtGgn0>_(U=Zw5nz{kXh^1a9apQ3*tCi
z@IP_qe1wY1I~zp3vhYK|2#t&JK1P$j!WsB@<m8<|8Mve1EvDr!)o$M84sw?0r_LGZ
zd6(-V)qJ2?`7IRNM(EV+wq)Hs?Q*wVo-34AIRv`Jf(<Kn9J%|1iEO(Naed%5U!mNx
zdaZQ&H;H90&r{M;NAYw=4Lo|tu#I+RhqT3A3lzO2qKM*ABFmsTn4YOpoIQ|9axM>?
z)13qv)`wKlo*ifOcD|Fsx%Z2Lt{j43KJj*5b_oFk%B7>?SA%^mfX2d6JS0F?37e3$
zFsX*nQliM2obSq_Y<qT_(I^mMLQjUJigk7aU)J*Z$z)j3lh9eMp5%Z;d9UEy>m_Fr
z1vy?fH+BjOV@RSXnKw5?6RuG<Dpr1Uz?bvuK$_Pxdz*g(l8%nK;)($*SHy~*Jbzzn
z6_K_TFa}<Lu5x<y3BXBHj6g<TmA$W&Ez~--#C%c_I1vWwzT_6SCl_=k_HZ#gxk*H6
zv=l)PwyB2zh+q{N_>qT`G7Agp81l=@7hs`sDlJr;n(u?C4ZH&zI;Q>r<D~Vg7L*Ch
z+}#BTD^~aJb;HIyoOPqF5ZIxwq12@^gLnuSb$`<L{dxn`ksA_<Gj}u7mR?0D)eVI$
zK_Ms{S;BU0vQv}}$4Z{4Furvfjq$*OAhla>zdcFDe)+dKaYokXzIBVz8wtM<fmg~G
zBCmt^4Bs_4f*b}Jn<d%pND^6%E9hA?J&dB<yGYE@eZl$i8`0lv3~n_x#x6I=p~xfq
zt>+5>t?M3z7a^)$v}Wm39^1#UiJcwD1<bjg_)x4VT$vK66NX^IY}u)PRcKAcKf-gS
z!GUeccuOl`w58Q7cHT8IlRJOE?pmh>`r{Is;Qw;TwA~-_ANBpOOJ4H+WDZD&|Bp)y
z{-gx{RAl{K@jqOG{Etg){&tDl*uO4`_&X72pv;~z_`$J6A%%X0o&A1j4-<GTV22XZ
z@!)$e;!Sz^sHIg?Y^0eyc7emi*^&q98+PnDP#wW2Y*z5icF@G3XZ6h0)oT8L`B=aM
z4lH2}*T0E>(GA~?qVl099C4K<zkLyfqtP_PsDr`pfu$Yh`A`=MZpf?ghsn##i3j}p
za*=x$vU46GJGiDG3sOwM%0Ue@V<lXn7fqUVOfBVE+q4AO0qO9S@HnQ=7<_V^i2+YZ
zdsi-9g0FRrPZ9S7RriR;2_39q2?&k(X~u;-bgk%AkA-Ub@DhDp-HJd6>FHA_Q)pe?
zWidd{1?e^7iNKdw27y1F#q4N6<%lZ-SJ+8yHE%b!PzSX8R#y^Q+k40rmqiWY?OjRi
zF<0Ndunq{Nw29Fje!A^5ru1--FRrz2IW3=A2$hjgfE-fZO*PUXmC6mGo!PxVoNwbt
zy-`%Nnk*^_)$LbYCFGFQi7q)pa2LJeuF&xMzUU^C9}x#FuPIR$V}%Nvrk64B?N~SJ
z)KcS0lA=B5>8dy;(e^!rb7mR;MY1J6tLNBc)9q8NRpfJDEZhEtFP4``DE34Xznu9_
zB@rCEws_5X<v7P7EpAec;4Od1wJlpg#y|w_5*pc4w<XI4ib_-s>^Cv`5iC6`d)cBG
z6UH-5;g=tUkvSz5$)d>-jt~jNM1ushGV+(T;BHOP8{eY$Kz`;Hs{j?j@dgqTI>URi
zn;IJMM}96xad~N+rqEfq`0MD}!<{1*7I+4vxf@9Yg-g#CU*E#){qPSQdcA*7_cYw=
z+kN?+rx(pb#Vni9efH+Uo8rc3DqM-P1I}zWGcI4KS9RdIm`(6)Xw{#|Vc{yiy>0H&
zJg99ZVh&7u3cxRbNeoK^%7a+LO@aSWYnXC?O`?z|-a)|Xa|BC9#OBh}31^{wcrJ^o
z5_e!xdTe^A=yLphPcvZ565zO{rI|d2v<CnLv)xZ5o-T)vt*iB*i$G;u=v;^~bX}VI
zvfPNNs2f+e&1N8#H^~UN9*Bdg(f5n;I~kZsomy#gF2<R6hM<B{klVoaQiOd&H9kD+
z3-@7`Qv$F88j`NN-wOt8OefF2d9rNaF91Tnz+#4SlNRhKg~YRTp|8tQsEY1h`?=a#
z_Qad5k+}W`((saCDtx^5ODS!zr8;-Q`s$y9^QbtXy$ht$2)#(-M8vf#S#C+9cVoQn
zBZijT01hNGTl6-%Pfxf)R$PG*wP$=S21i{(jzI{^1z<FqZ!o9wq#)&ic)K$O_3A9Y
zG%3lpYjQ#TY>$TPpj)SX&M$krnE_rDF7Z;hx_hS`b?~66o$v7aZLn{#PTB~8%TOxQ
z8!FHHnedL$_viWG)H;%pjG6GCg3>Xb0h)ZT2*NaYheB;mn&<$(v15ba(!lm;6g0#l
zXaOH|HMraP%DqtS;xKC}$Dy^?C`*t$a*;+09|n$rUT1_12BJ3bW)A4i1K5mb;0M4z
zW!M(hF%W@ld$(eLyl{n)s_+Fui`#;8rA@kW(R)gs31Ts=TgJK_TqAlVnsFGXT}N2x
zxuT{6{#x{P*N`*fjvCCxv^W{voL0pQG~0^!ai@xRsixng;<$t5rCR<&1Y!9dPf7V8
z9|iDf`7IC2y@qdTkPozRs0@*QyRR_A%lKfsaby`je||UVMQHjQjqt>H53rwcquO+x
zQf2di-%J9U|HX&i%Xq;PJt7;i<rh@h^P1oKg!6;*&(35OAB<|y(lp(ldn7aqUw-K@
z4HcuA8-kJ$tMA7g2i?SPzk?26ffx}lQ+VEvvaM$0+&)O=vlW-5OqbRYvsKCgOjTH$
z>%60@uYmyBxSbm&=C^x;4PXSFeGJw1oCs*9Dw-aRF40u05ero?**59i>H=aWkX+hA
z{fp3{9^iIMbRW(@wHG*;qsVF(wG6!f^d<jIew2U6Z~Zs<b?pBoKcMPgU4#MjLO)}T
zP~4#rvBehBG)nW_9!m)1H+g~h^Zi}kfYb)Qof$XxsX3ZPS@4c}!(ZJDZ5^>Vix<Ca
zEhljGLGR8fg^(#}h4@BUry~|v4g($QbS@@$%QpZb>pUwP_=X(X4^X*kD*Yos4vJvC
zHaPS{s|g^qz8|$cEw8FMsLfAn*^A8Qy~>*z$pwK3!APNI)5!kPZ3NRBSOp7Jx6>Kg
z!{KsEcP+xrfd*2q^w-hSI_c(>>1%}VST??;AXf?Y=N5%^3W_;RdOA1DLO%wM)NNq^
zvev-UyJDQ8P;T)zA9m(vVx+1;NcLBgS<4#;Vh%oM^g5lNR1)m-oab>n;ENFb(eR~<
z=TAY5VO+nM5~1&~Dj-L`EdLeAaGOPrJi}qK@bV<A@m?jp_PBHMIS5>m;$=7}akB)d
zU9Svu6f6Z^i2~yDmK2DCcL9sWLW(aS-1^H@a$Ib~nT@1GX+hKLV`2^dE%0C-U!YYI
zXvUO{ouVYN*s_-I7y)thKB*H=Q8)hjC3kka0*UyQwd8;w5lEV4V%hB81y>DAa~sLl
z(9qXIhbfnVDSn(v>eQ!avJAe-(Wmh-|Ag*ozSYIZKlK-}iE!N*G<UT}hUnHQX#sh(
z8n;WvI`;9rL?Ayx{RfOciY7!JAoJ_?wc0rVZ9~}#w2dPPu$%zQ^=tI#A}Mx<PNhIM
zCn1VMcaAq;Em2Tl1RyTG=`6Ad+Q$P+fAt+V>UM;%W7bK`GyxM#dX7D_M<&@MNW=&Y
z868<ccesE(obm->a`3o|ycPxJWrH^kMm{u}CCwwyF)9Rt1)&r|Hk%Qe&Q!S*=jMWj
zd!0gO422ET+T577^+OAMxf<6ArWcD={+t+}Gz>0pnSxb;$a-c<k8IH^rKb*hgn(T_
z@s3HwJySTV^}-b37*wl*P5;(*T?DxGbS9`dMH3`fO|*<fVD}DDL(vFi{9I!5#A526
zjiCcn^7S?R5n3UYQZyoXMk8TFKME6g3`ozp&^L0MoA{WF_&x#c^WHWT;nspH=xc+T
zc}l?YQvCeA@AMpOviE?>b{<poLaQCnLM`Nb7@!MJVOZO}jg%{Z&5(+S#fN*EHxW~)
zOwe)xyiI^6AxU^qA0Ch`blMPwNHG+Gn*2R}+51v!iy3|L&-ZMayhYwLXsiXxn*O$J
zv&eC<D~=-BpFAky3Yu385%jvCXerz5rN~P>a(tEmU{8wJxlsq!S)}se!us0y%e{UM
z-3vH;U}*{ff>fN#k#eq9Eby<{dxD)*Zt~9Uv=!%j(m#dsAxgGc^73{?MC(FnYxSul
zaRMAaqevc1leE*$c^9Jdc>oF7UIfq8A2t>RmCWy}Y7JTp?Wkk9x-Zt0(tUuDW2`OB
z9N^^gN<>-p5RvJ*(L5JDx+XT=9|(74Nv%$+j+|@(`uW;&V^>gDfMb57XUxpNs(->O
zk(t(+uAUU?C0YVCs6Nrt3WfS8BivSS!10ut#OP@FanLtYF;QrIaF_EX?mEu^+E^?Z
zH;!Dd3KLvmbh-*c+|)MJGh?I(4`)e@e!&u4_83OaBe1aDc^8)xheAVA2HAiHYNcD)
z6=oS$+}kQ}cA2xeQT{T<m`ml9$ThR8n$J|_4cgN(2+i7qBQZJ*rh)3tY<;RqXRQ6c
zxZqhSgR*3C!#yuGH6nrdds$>Oct?zUy6*|ynb-(;0H{)-J$go;sVv0#Kt)`aTHk;A
z!3IOR0M{`pWe4bqz|ckitiefHD-$~5+2uTuCQBWpOu7Hp&!zx$IkV<%RpnjpQwk6A
z2>9n^`>lze#qL=|K?~a7lqo|z;-zozZ4!6g?0PI4`5wZn@Sd(&)K;mb4bQ!4jnX0$
zf*{pm4}t3Q@-5<8P%^0Nl3$dy$w!@<ruW{Ab<l7cmcT1T6K(sxQ~V*nd-#8K5k6mk
z$j`$3zg@(a_@9Xs{_h9b|NM*iJ(2o9T|~g|ivQ6?p#I|$tG``hgz>LSY?1$V$<7S2
znx`oChD>-<-L7!@ncRzOIj>l5zcpoTH)L0}gUj{`JbF}@B@m>L$pB>mJY{EtoTgX&
zK|hDDHM2M~Rdva`;F}7-OlqqEV)st|MaZFomWM@awT8KTJP`Rfn3J=uu4?4rF4g_7
zck8o$N}Zog6X10%`UTZ2Z@CfK)Y!qoJR@yptwc?M#V!tpW-~RasmYOAX}8-1x`(+0
zb9l&G`BNVm!l<oIV0DIE%!-<3_CfRe9&d`)mQ5mPXbBhW;)9Y_Fh6?<+ov+l5Ob%l
z;opQnMy8vdlK@Ij=~#b2>SXI7vg(_f+JML+4dXpM#xuMqT>o+*DjP|nh<^Tgc3+Q)
z5P2P(!;u6XqE=9bS+Gu*$}Xrp|CX(odRqY!s-2k4o2=qp2U~OaOS;7e2Hr#bD2QE)
zfHHkkba@~T+zZ!hMIo9$dtxjJZmw1%?l+O6s6rEoE}AzJl6%Pxu7C7M38~lUhA$>8
zW1`XUqh&H25V3w0DfUk@xdp+89n(H3xs$-i7VlNSpuHoQ1Uz;X)OTU1TuxSub7EL*
zNz;m6;9zJ5CzKw@5%&e!2?Drka3ac9-5{0??LUe2J&UljP;4$>;qAsj;6p<9MQ4x|
z0n53XzFB&I!d2o=CT8&TfTW}HqEoOFd70oiQO*MBxwmSk0ea)A^VXXnZvkH}C^Bj*
zjlfnkFUI(PHcgm=MHgE88mLd*PrK}wgQqHNp;K4pxD2Nhn(iHx``GXk4z_;SvMl?+
zJmm)tJ!IbmAXO1v3VO4Os#O&uZnt{8xhGEKte?I&CqETJ^F4vHF3%14+BQknXtHs>
zZDcE4UKKzgHL^u;TH)!+OT_Udkb$5e63J^a#!v@pPa%6fd+&nBDS?E2cWAaKkUBcK
zY$yX5h&kz+)!ow;2<v)y&0pYA2#aKyI(7;h(?m4;IDs=3!{H#`(SBF+7;1A9cbwfW
zA%WCdazPlZ0-EL>7juWxkIh3!mk`ybnCy$82J~OLb_A?`W&qz12|mC)JlsnC1<rGR
zmnbdI?eQ%6c}#cKuHf{z5xS!-GTA+Ge&+(f^6;=TH!y)mdnEH6n>ssJk(TDnF#Lkp
z7($>jePL~y(dbUSiGQ%6ch*I<-Qu87)E<hp-f@Q_qWsIM54<Iq;B~3RI4m~B`b%hP
zw#v11P#PCoSly<49-pDp^SC=x4_FFO!qo>`U-knyC+pN81EHv%kT=uW6{}SGD8W7-
z{%J-jaO9DlWeivg<_9V@f6!;2O84#AAh<g^4jSq`46QS1q<paC8_)h5%gf}e*K%Fg
zsy`;ph`3A<dGQ5q9?5ukk%(wAM0pQ!l(T__qU8SOFLEwffY0&*7y?bAOVx!B_XwdX
z$xJJx^Kpb8$fM3*`o604>yS(?0mH66z*23~bKi56Rg5N_geVlUTWC*;q-ZPhUnGi!
zL-KI#8Q`|SaVw39V1WyZH1MWZrMu)Ch2FcD5HSVnddjhED@pl=ju_>x={i^aGj#bd
zSj9CMQ4G@GwaWC&ZvY@s;*<-&iGdq*9u0wf3+yUN`<*J#AbpO%irR`SCRt?o8s;h!
zqvLoS3wg=u)lmTFAC@y^y1D_GI`y@Vcz6lG6pyVRH%A4ZL>n4SU7M+{#zJ=-0&Y21
zh?#j;CZl@dUlsP4K&p-Uq>m_eowsBfc^{12=Bz8+Wn|`<#3>co;EqGM#{#h%V0Xwg
z5J>iUCKzhS$V*7XPw;GX?fE>PI0%RCC#{^MGekxJ;nHEpY9G<MA-$!OT_i7Lz?^&M
zKLxyg)6p<uZg8Sd<4>BxH09`Z-O;wA7%*VLcWM_i04c8^FP!wK0{4~OeW**TE9Vc)
zgk@2^w5UegS>Mdl3fzT1oQFP3WgMZ~wIh5LzFj7%*qQ3x@@pOvM-Terl92y&iPY5}
z@|y|$k4s3urTv*mp-lg;OQQeVC20S+#PV;KnD_nblIP!-?EYVW$_<2|YwdP%%$=R{
zg!>fr#*`$ooMz-|AD0C-@C$d=U3$*5)8LcLq<v0?d6wR_6=&3&7$oM`Lci`<`jlOM
zh~e@@VTI&?jx?+T_LfK|5r<`C{iK44%)*rqdH~VH2Sf~u>dEnlG)~-0U4xYx_+D|-
z!J79<)E8OGle9-Lr2wflNp2y0+s71D*#h9?^?mb6HX1|5m8$`Q&8OjT1>pbT>m8UZ
z+tz5?G^^6KZQHhOqtdo*Ta~tL+qP{x^HrUAC*tmVZtOqs#aa<_wYK`0WAtGanwyDx
zE9R?PP=6*-Bxq%U9yhhLSlFqmv2bH_b(ej~zLRoMbZ&xWtR%3%1xgBfEIN<=<3Sj8
zJ_*srjLgdj?BS^JjZz=+aHl(wLkbiF+fl#JcGNjg0zZ4B+wNlvRjx9DhH$tKBHs<a
zec|m2+R3%$#B@{m0x?|G3fpxBHzpYPK|PL|GXwW0%=UitE0VYz6L(jrGy3pV*E%`;
z!3KQ**P(H@6+^c64oqBkfgNn^@6zUYu!l=0{qd7(-QXtfyy|c58(f^<`3#sFJ8O~y
z(wy^T4Q8z76f0G6=ss>#bjMbgL@=_XUFJ4kq8^s=(*7WB?3knNypl2qnfnW98$;ar
z;T?^S=!nd3UEHw3lRa%aj({&XGt$ohi<z3MXv9{U!-N+mm#13~?_ivdRO!Jvv3>d`
zZyX9Q%=02(5oGF#iuO(J4ufG6GC+A%#Qw&$t~dmNQu_nsr>&Z5?M0~lb}wbm;*EI1
zj_EFLLZA}7QaQW}wG`<a+v{n_AltUi_#rD06G&>CM5P_>y>XSIv(qS$f1c1>PcR1?
z6*&h@?Kp`HY?!?-^QbJ4_(uE!m61i4d-ecm8gwp=_7%2Y^iTdezRj1)Cl-cD^&~)F
z{B~>ar`JgH<_;<;D%y&O6PZ7EfQrc2*1U%#GEx;ETY-LP25$mouO4syN`X3(15_Fc
z)w68!%dy}|#zM15oWO(b)-{a0+z#FKb#a1;UfyG-lb0sm4B}_yB#+^9TC{a3GLC8H
z*4Z<e+`RS@k!$p7V1L2$qw;zV1{o@K<zg)Y<ais#jsx=f*ulkyw&;4Nc$A9%;Bu>C
z(bwmQ@V21$w1d}ETBa4JUT=tOyMa4NK<|(e-mAaLw@m>3WvPEA+!inS<8?Ce0=<z&
zn1&HwGNSh`rKPp^&(?Y!%zD`?PvpTC7W)$g=uiT{)NP#&hm`NzJaf{KVn^kZH__L}
zWNQQ4dOJ7hcgkf%IEw&C$}?s5^UO*A737AJWE0;Gmmp|GWE3-N(QG5d@4#fEx;}C-
zA8q+;0G^X3sGXbxF5#AU_JT*^U(%(wzjPkJU%$=u`Q1@RoEaQnkBhI8Ap;<ad`CSV
zP}GevF%fEse4tFts|EF517*Uvf$e2~c0><}$Nj!!hBCArb<(%c`-rWWdFM|ly#?9w
zPPt~vQ=ib*1}O@!l##jV0^h_ic#HrQCC~mrfj7<rkU%NMfQVw(pZuO>?SFN8thAXT
zuT&vsaqvU;*F{#%wdZX|dTvH#ge*;OCOu)Ann(3RqFXdLAj2m&WTxWjT%RC4OQ_zy
zrT+bk`93)^`C&H0wuA5Xw?&~04FX)hNYugG8O}PDq#@0B%%j<)R;54)bdr}u^NJ0=
zxAOTKDn!|@jzPY*Tz<a6GzYz@m~*h8rVXv<Dwq@s$=iWuO>$y2s|KK3+G)F%HV+R!
zja;Qcoj+%BoD;$1Qw$(im!UN|4~PK0N)}WY`PYC3hb-mGokk(PIzPuSbWwQBbwchX
z?@$%Lmrh0_ybg7%D4~PmdU6(-R;QI`^UXc-&lXp42IlDZtouEA*{;|su>7=n6324^
zI?9?eccozDNAbgp=VOcd$Jz@*&}C$64}*o?M9y<!xjYN@^9(Z%z9R)H<_uhvetDey
zv<g=y1q=wuW|#O$+RC8U=)e>O6ck(xR)SehRVKgJ>iekhuJ8HRC5it|{y$fx{5cD4
z`A_oOTKt#%Jr(~X{}9YqGek&<(Ip7exMDG?YV|Q_L7_rNKE_~<H*e>n-R0FS5Qd{A
z{^eRX{Wav%IDczDjf{xZW@g&mz+IL0!2zAiVjX@ez)V?EZzhm$%6O~`kAbf%H7%V7
zwM;nDEB2>Dqb@4)j+kA7B)^h-k!cv1>jlHa0HDyjV$JDW_&0tLRUm^<t@dSx1A$uS
z>6AUR6&JWoUPFX<`h{|(n|Yw*no6eM=GhlJ)mBsrd~>Z((YD%slYC_{;4SR6^$Vo7
zsKR@))#Q&D;!f1!+ZLm_My)>PIvU1R@Cdtl=C&eEtxGgczQYg}jMW)3x`8d<=oPYb
z8_NgIB1T=?4Y2msT7}&(W|+}cFIu+Om5Q+BcHxs>SSYj$H|45=31D*;K@MgHcJ1Xu
zHia@W;agZTYbDHFn0AwI+G~Ys>6X?3DI*AaxmjH)bq+g=U~q`T3}glP2P2390iQ7a
zE4AIP8y4D-kcJ2W7O5RD5U4l?wcB!}p7K@>w`g(ssF%8;rV@i*Qr5?exFgY=ceZ9B
z6awlXQ&;e8lBOVo9GJ}aDowwyufTkU+;N&;;n&jz14|c|Un$$PIyV=_gs<^AS;^2U
zeXzQM>M&U^O3#b{l{@3VbR9G2uoR?m*OJcyOhCn)#pnu>vjWtwA3l_`>B9z;H5tQJ
zTSm3k540>al&-)`+BHn|0}E;3i5`(V{Ri6$H^NQWBBwlvV_Ys>dO(MC1IG5oLa=Hu
zj~MXcP*`Eysf-A{zAhwN-NtV^URjcyJW}e_@~RWtfMv&_)4W^oXV|+9c^T|NhkK~H
z=fQ2>0Q<9lt=y;zOo>*|XzVOV4<|BlFhGIKJ;^(^K`%q>b(X?m(-k2}>-kqrPaAxg
z3^*ThQTCX<PA$b%!jsY--^_^QC!Eor6=JTvIgsiq=#VUsF+Pw20e~--lq;;vv^9$M
z5LZ$pxU?hkVPJ*M;{Qy7aRL@WBs<7CUba0C6y~CSI$EVDpoDj37QJjwOZjmLJ7Vuq
zrZ&KITcxm0sdg~735!S(^f`|nXKDbs;jPj<n0J~;`x>?6p=zZ;4Cf1>73Unr&_?Or
ztvjF`*qq-i`VP*~s;l`STZ*<Nz@7hucgTzEVKarbY9)%Gyxcdy&E{b35mavNeG(<U
zJSIBfNs3(BFUr;+0Y?jZpONu?Q?$@>n^G446&}0H!J2jJBas>5dq8CqN{NCsPE_x0
zRPUCx#b{+-h16xs$oP_qLU5fIaeG(8|CQhZdQ9YT(l6&JlYVncL!?h1SjTM)eAmAr
zcyeomf>J+wRwKQF=D&h5kR3?XZeuZnsq^}a3n*)zA3SrsBVgDs`3#O*baTBQG{i{&
z1%*;_X9|Y#>{4$1btMHqYH#wII>`Qk9lT~#ZH#|;@|0s_TpSM8_&g<h!`=zLA|k@G
z-50J}%N*WxO;n*Dn}!FsIk0Wyfkt`QEHY0XsSe<&jo{(RD5(w_CKVLU&_EY;X)Oe=
z8HpFv)ztIn@t%Py*<x^7Xlvgc;W4F0Np~Re2Ww4^NpMn8Jj8SK3{6}$LyLg>O3@Ig
z9qTqDOu!pX8&DW*y{x62L#`hT)d72A>aSKL6)R~(a_CtRb$Ku><dYxcfDCO34z1ZV
zmyCGmA!!dguq=FSqS}!&pAu7-bQa?;jNB!nC>!lTV18=yOMB%iFL5?6D1^Q44z=Ce
zAH!{@l#S&`XIUCI(wa(3BkpAg6f@~ogq@IbRpOX<#AhJ@wg*9fHkXA+&i!(S|9FWn
zMF=+Pi3Zl-BBpB8#rIZ(-c_~|%Y=B{cw;1zj{+Sw_YxLRitK9x+^>KK$sZvU{_}AD
zIYxd1#nVw-j%k2+B)Eo}bPC0h?MxlU&YeP?5Ud0;rpjlyUHv{kjf<ipq;HkY(daXG
zPRE+w2lk&8snmZ>5!3%^dOiMoo6$e_NRh$`{9TcP`*Um8|GgrW_3tjh_>W60{^=5D
zg#WsP+u)xrIfjn_^>;1aG|x~k>99)>m_{)j(?Fa|Dw|hK-A+nltq&iN#&P7vPoPK0
z%o0E+&vZ+g+C=7Mk>H9V=tVztdP}my*0$87pnW=7NCBWG)kjaVVc+q6Wa*q%0QDru
zCtUtweI8xg&dp!>Whz<k7;!ne*6VVImT~PwHoXFrz9R?<mlY6z`GB%sskvv`ED>$L
z;@^u<`}>`dSa=;7IuDt!`dG*CV_#@SWuBLZfr_0)O{M<Jn9*hP6yf(KM8UOt;<U3W
z#(Z@hC&j`U;$rQ#b26T8a>@Hc;Kh$1LCmNUzL#UZpyM0@reTipMV_k!9HI(fS}T37
zJwgiG5yl~v^1U37nuWT#pZOM(0qGkNAMP7Y7oc<(WBb1IL|c<&pv3yVaeI<L;9II+
z;T7f26FNm|2RnVb;Rek0iS?Uj!F}+l>6S?$dVw4XOG@P<FacaWBMgY~8<s1g6c7u)
zeK8~M+sBI>(Ow=_LSo6Kpb}k%R{-fIka>2E+pEd)__idabcUwpr?D+jdq#*5MkzNb
z&H<iMc@<#^RxqL73YqI5g=k0M2jHX@kWv60b<vD!V^}N(b7~gafJ2jDY0s&|9%y5-
zIY!cjMxR}F0Pf%yZK9V>#%C5puEE5t)>%_gEa1QaPHyiZ8|t}zg9@iYGCV*le-llV
z^N3fNp&OLKlfoO54)NQpWidSjD{+%@9v*v?$2ROn*3pF8^ror!f8$qZ2KS<Mb}jQu
z060DTx}E8*yyt0<_|nC~3$OBaU0*Voxb<YW*jU<$xcN~9W=V<?%SRK04@e@uwv+<{
zd?Q6Fni_(wjbRkh!zeC4RKP#%XbC>sVItfP>gwhg^(o9F(k&ZF9)`xG%Of?gi^opN
zGp*j^AK-(V=)&o!!`e$>NGH~v6bcT-jm*O#*et*T&1IYyOCBuJidC29jZ<6E!HxSi
z&Wf`6+fTLgx=AzBX7u2Z1;;y)J~1V{b2enUj)M7vt!XoK?p|EGUCiprYdyG;L{aN4
zc8vbx(Eo&)6&JB+Dp8nt2i5928n5@G>xau_MBw^V0Q&N}%Z6b*S0$e!nqqANW*AiH
zPS|4l%22Tj)wO1j@vV&0HOw6-O#udy3m!~~FF1*-URSCRjxp;1FSOp_FJDZxC&OeM
zsw+g?Pl{TghGFmIkAlXC(LYRvz#SZ!=hAZZ0`#p%bTd#J#6a);+~oABLRtFLDDZ5T
za^ir;R2Ys5CFm-g*tz;?2kncM9oK4?98HEO#f|I}@$!>&i}5lP)BrQe$jn@c`>him
zVPH97K3Z&x1if98hhK%l+lzbO_dO&o-|ql1uU(l1qj?NDl343q^kU<N$G$cN_S?(;
zawtsQh}INiL_m#r>fre*N`Rh_4zPptlY(nf+UXpx@mz*G%_-)EVIQ;cF~15z7rlUO
zl;7vuPivEOZqqVYA^kZlj3}GSpaum+zoBjk+oj<H1lmjKkzF&LIr_?dmo&;J!QBcx
zVi<Id8^Nf+pyF%9;5Q5YeIYao^Yz1@8sKX63OrHV!8%p!ixI#isvwjO<`i>VLVEvx
zV~6zztxJ5$Q>k@a&3?7*JwF(Z6K`C{4PgM+<3N)0j7bbObL_AL8%V-2WP?K7a=Zjk
z@MTp8TF&dib2LT~9Ip%WGnhe$=d;c3(bu_KISoaX%(<I%<eit;g}^-`)vgF1a&8g*
zehyhuM0h11&TN|WbIm^m=FJ~A-ZlCynK|~|10APxRZ8%i9EpMGAa)RpWK%egwY+kO
zBGh4m9%0V0Ice6XU6Z$j$@TB#<*c72ziPk)&12<dCUBo46FMp5lb~vG9OwHNON4aT
z3*<$IND4t9J+;?-u|I%l(P9#RWA`Q?7qq0M@|lfDAGc(ghEJevG9fi#OBKp}Pxy={
zb29x+5qbaWlAp?d$zQttzb?Uy|GOduy8OQ`DgJktVE)G?=KpkwN85j0l56!(mvC|^
zc@{{Mjn5XNNGsAJgJ!)fstwi1uTC&8*P4qhJ?bbvY^A>nKi6|DSsyf=18W1I51fjc
z*6H9642pOlsF{8#2EAMh4tK<n=k#U)zsF7+*H<nM`MiQ=k@V^ARcCf;%%XkfJaJf&
z03~lPM`iIP#~-OD-t!wpVxvk$g0!)ZYBQy_<laxTn5QX(4TxR*PEE%{vT|7$*;yim
z8sVyAcyw@hVM!iIBiorZf063A`Bv<=U30|H3fOd02{!4Rvz5U#IMP^{tXMAhZ%&lc
zX;g5Z!=%c^Th~VlWJ^pGW_459dS_V_deY`qUl8&5=9*jyJFf#N-S5Gnl|RozAgx)@
zga;mIrCSV!0_(PsdxyUa3%*mLVp)4*Nr5U=0KG*#r*c*_uqh&zt4i{t);OVTaQRO4
zV2rI%B`&ZuaWP+z3qzB!iYf>Lc!_{M0NxUks@Dd9%A;s-FEal@R3D$(ui2g<&2oW!
zJqQ7N)59)kFmote#-NfTr-00LjrQ@TIKQ|O=Z<-7n)RcV9p*x3cXthP)jn_fHtn8R
zcKh%EN~0J!#E<TN-T($>W6O3{MIs++&T9fJtUcG6wS`8vyU-&DPqQDC;tG$XJ0-8N
zYX@#~^Vu4OU&sw*a-+<<@9i53e;x(MUo--<qsW?6SM#3y>^ZPUA?~qvE}-{o3H(oa
ztS8y<o3z_ik6u(@gzO%_s`gb!WwYLBZQa2oDk!DcvWy=!DpKB?%x#s?gTy^Bm#N%o
zg!u#Ns|_bAX1PzhzqdSqp@*`cP1UH_ouLm`<n%JI(jblFi#<HqImXBsU3>!jUIBoX
zR4uoQkJ$|hGd^swPV<B;qK^iYitKSB9#Ylg!n}R#5#}LD@rZ0~<tZ}*37Oe+l}kq<
zm);@r&C1SCPU0C1Ze>2ugB4v<GEyu_$&OxPDl7w;mvfGy8GwlkIKy!%F+c5!lzmiG
z>3*Nn!l?>(&v{W~9dnYz#bp?aA^QEJIaxkjbUpVxH;f6jOmF*qbQM{oExe^EO`SBD
z-%TmS@}@m{j8w7^<qOUegS%JS>$yzbb`t>^wJUVpwMc)W-uT5<wkYl421W4#YD1n_
z5ujF^))sS+1^#R*h+brd){SkNJ%<VW!&v(a{^aH>{^GoU3)jQu+`03tqGxFT4M_LN
z_udua+R&2T9Vi#zvUlRzK6|!0p<8<yhWB{V{^yU2&v@Q)Oc<&4sAw0(4(rHn5hx_@
zY)a4d8C|KDk#^*>r)@;QBFhqkk8QL_56;838NET<hpT8)>?*omALZl>6pkch!r;#h
zaDHk6VqF*lwqUljG^nu-!J*<qwz85r3WG#CEXfO69Lx|@0~)mK*zAEHAzFLfTRq4p
z=FG7ro9f6d^z~RH<#HId$DtMo6?;6^zbU-PiVw6;6(>)=$Qi&th1Hq9j&_VQs#zXF
z#KDQ>Ha}T32noQE?k<CL=T(>z%`a~{r>@po8{OXOlM)z7qWCaoz@-E|qto)*X4oJ^
zHTwf<Gq>aP?ed7+G`D6kWse`DW=45V!t)?Ss-1M<Gm$QGJ=?uFeRU{m-!drt#zL?A
zuQ3Liv0Oe}q{Z%lbWN;HqgVqtca#BGO0s?5DEZg04Kc!|U7H6jm9;;M#pu-1Cc6Zv
zpd7EjdD9}IyqmpQR0eq;JgK>!C!Pu871p<?2h=$2rz5^7u`#jXNmguW(s>zpx1y)2
z^AwK3dl?I9Vz+RKjl2tyKF5HJQ3&~GvpdwPFuo^+g70Y)h39cjiP;KEPX?w_M7%}z
zek$sy=`#%K!Pg$m_c-o6iKvhXRiqK)ZzGVCFpfd(r|Eh3Gbo!G0M7DE>#y)#_VRx9
ze+ML`{P@nAC%DweMKO`0h%b<D?XM#{?;pFp9`d|$8M|e#Jr7Q^v*Z2ilJb8iKh}T9
zZ}v~}`x*R~{E(slBtKzEeNhV~2fvhj$xrqVb$JbrX<-v1+uo4AI~nb?$Qzj>-w5r1
z-Q!#j`My1S4d?hOkM&;`OGh|Dqol8iXw#zN`m-#3;j5XwG7GgTds%la84=v1U=DHI
zH4Rm86rkgcki*iU!m&9pVuaYPY%L<L!9Ks)sJgdObvBON1G%TTr*GJE<EN{Yj`%jt
z$C@cs4f*IY?uYQHzv`W4-899}bU+C>({Z+vfv}4lCiFw`$L-%cHWcJMC)&+pQo#&2
zKGJ?d!kUJ{BLmaTaoA({<EU)j2{{4fiB6yulyt_F4xqc!plgY!MIbjDmW6rwDTt+o
zw4C$mPR~qA0E42XZ(2JO-$!rNyiwJ-FX1^d0?fNQ8sqDw-9LWJ(W^Tcxvu%+pE{&g
zCl)HZH9kM)CrrKJ<|9gFK%PnHvc(kCcTbiXo=D~cq@MvOGROQRVKB}i%9<{4G3&iP
z192p-`hC(&d3$FL$<y$}D|HaWxr$-5)n3*s?WV*AH>K2oYrfEo<FEi9y|9DOp1zCj
zRAWv$jOnr$4d(#a90O;ApPc@bVgnoM!2y&dz7JdBKU-t{r=|9b#6+%S#`*W7{NC@D
zmPD`GB&U6CZ)vP>>#yJO&-ZzCHpzGsupH?2!!8UNq<o@k8lwmg7;w<yR+U#!n7?Lj
z81h5R4Jn<&x=xYY`YE_0W$4mGweKhLWG6bPueajC40VoszQv|{V8CW_#r=V4PUz3p
z^A~X$bCzHw!Y@4LuoLmDa~yU*8hyjbmHN410qsV~kc6%{jCN^70%`&BE2+V7rI*-B
zcUefLiJEBN(#-<Ui#+P}h?M-h>7?<eeWaFAI3C6*;~AC6f2<#U0W9Q7h0S=`7t9j}
zfu2KTf2BzwI5Q`3s*!>Y0`NAk#@Vkp&T0%&M8{WeIHAy(=|%(v;-5T?+O_8N_)oL6
zX;c5W?d&t)Xd9Tkkd{QrQ9&5*W-EOR#_$z2MT@OuyfMK5^K<CXZ?#R^8NPawW#B$u
z&0LBMhR>*^@D!xj5Gc+?ZGQR6dhwLQPxbTyPPp+TSS7%*a4kIz=*WIG`8<GtdWRC=
zEpU<16uZF+&fZCY1RD2SHPH}HdnHQr<1}F0l+WHCPiP2ZhtDXQf#a{9m^?4g^Dbg$
z$dPn5twOg>k76w?drH3?@+=^DJagf)KML}_Mj&!f4t_0N4+XF66sj#doJ$^c)oqx?
z=W0e=K(4;eyUCznokFh=i-+7+*O@5#v$-2kb~q65Gk<#+!8URbfitnos`kQ&((y6g
z(d${Flf@V3{lLs%_nXH4Xw<wk^imcQ8x-|%;?clzj-m?p)1jf=^qD%u$nRMg$JA0c
zP%1ov`~)lM%K11UCuAHkp}sFvlJhj8L18Vs<x7_1*HL(Bf)(WsCOUB`V^zGv$gj<u
zim7T!M)Fp6Sz~&OvP{C3cf5hdJek!c8~nZeH*ET29-a92-@A^OSO|3pR<{Wkzn#hM
z*sDQRW26$kQ}=(Nia!vUhK%ORiY{J@;7-si^3X_V2Nhzd$1b$O9~1bi(O}305ow_p
z-Hz_SdR0dzVQ%mHKw`5@Fp(s3Wtsq3ld*+CqS?gIy8BEY>&(FzV2fv6B`EFXUqu#b
zk@c0kh@7X?v@=2o?macc2W~^;<DiSayFHwA)q`d{{+#_P^{2e6EykB@Yv4_8h3E{-
zQP&PE!;@G~1!e(w%!=}`twK@Olu#?Xj)pE}=O=OVKe)SxTETnv`5s{cDW>53!H1~b
zh8V$8ed2!XQmd3%0Wln3f`$T_g+|384$(D7U62g}lkK4_U;<rJ#vxoN8U@gbaWx_j
z^3H1}*Fp%Hyj9<<7t*$1I?FO9^{$7);sR89R`e8zB2c{rj1|yF6SBK$LbkT}ruOnh
z{hKH}_cmPp=`Z=K|20KGsQe{=)z<%}2$H=&DWdSL{(n<M<G;HE`#&x*{ijPpp#JNU
z3+R8kq;OSa!6=S`6->2aR=@!#T_y%+j>5AC-^^hW4#2D=f=gXem5VRP9Yc{I;sLYe
z#zU92A(93V%(H6Dg9W>Mb$q7<C0ePLOVOcwQ~0dO9Mh#Nu^(Kdf9iZ0Ol!5mXTWI4
zO}H~S`OXkkY&oa8xWzKfS)nYEpaDy4+x`S-MRO=aiLTPKSybBkMl;n{Wwre6q_^jS
zSa$es%1aYdjGbwOwiUDAxEU)nZFAn%Mw!>vRYYtN^945AZh`}9@{o$<#am=6`Mru*
z7+ZtAX6S^<fYSab&MbY$&hxgiC{52bW-;Z-r7q;peVvam_7y+7H1HwSE)dM2*EXR}
z7F}_rP5IKx=9crT>s!`n2om{f=!9d=p`O-@QQ=iC7ES6PzT4rP6CoQGY>4;bn*wup
zhkC(JFGeQ#+v^qOQg{(HgW5&>8BwiG>zZ@AyJ?ce!pi0jDNnUDT*AZ%zb3I?=J+-|
zlx+i=K7FVrUxm%zq%8+QCDBF4u+(<Q)_g#uEU1Pr=qN<rtYx;|3vZ`Wj>6z&uI&4H
ze$=?pgJWd~sf_ZUj%@l)ni$y2|GHFte(be>VTclDUSeU2gFO`~rAO5?v{Q(z@x`$T
zdCJvJ_;{C6N7*TjiH-3)F!KNnG6d5Uv|J!&vV9w>UTmG<1bB>_vO#L40e*9;7JG?(
zX55^KXKJ$J%9l4M+t*e`SHpwRW<L3S(}RWF0vU)YU>(oP(;4Fl;dQ`O0cm{2oTZ2>
z@q$2HRi?Qh-_h_B8NRG;M<Ox8J92CnA?<Yv($j@VVJwm@A;~?(PNamX2D~J){&f5Y
znXu(k3*m5?L1^#Sf<#=X6^m^O+Uq<|^>IiMv6=&aldZt^Fd!gwm{HBLItc*^TyQzo
zq?X&Px>;+2irA$gIpya|K_DH7M-7TH=t%UzbTI~upr7e5XGC%_>F0LfT95(H1zMIF
zT;HjSJyb|}(6qooQNh(hA$2;6Fo+6{4l_FJP&wk&!)kr=+g?8$J<QqAYpo_Ym^TPS
zI;S2tZ;hZyyU1CuPS~mgN^hhjIJP?!eja9O+9RWeR8B{LLjM=Y0fd^?`6m$4I;%8L
z1&dJD4Vwr+G(t=ozX;=wkc}>F3FNUQK48-ZN*M07DUYgqP?O1n)Qt09Mydx?u?)!o
z%XSPwi)X)Zx`Ps&GCqu=+L}RcNNItiKmup4Iqs-|429_}yA?&NXK=rOryIO%6Hx&2
zH!81LE0_GpwDlMD_cGy+jpPY^3JX>XMWz1o8$9R6lRas&<nq=ROS3&DvT`z<W2%;F
zn+<&{$qfK2j0K<*j>PM(FQ{7C@Do(N3?<0Dq3N2>l<kMTHsxw<@A)<Jg#!A*Kt!*3
zlQSN!;;;n+TWG+$deX1ts#vH!VlIBt#Jt8pX3nq#Ay9J5P2HX^@IGW5eI`tnmtY`n
zn$%Bycv3ACpDM#>3!)HjBUha@?W)hI(riy$7BSi$+rAKKR*7D-egYnRd(qHNuXYnx
z?KrX=2P5E06>(d?k;2#^821znRB1!$W6Rk^71dD15?`p9)3?#GruR>v!5Wmd?rjch
z@ZCNqq87S%y#*2MQ&af+8<T544vW2%4#<29Iigue+OyXtZexO>UYZ=BTQ8d)+z-at
zwSmWA6LkX;G4dg&);8H<M{UD?Rw183Uf!SnA3jz=EJZre<qD@Q6}zG3fk$L!&E#0r
zjJC(;E{E$pqzB>w5)`CrkJ+}|;4|*G=*&x&6a6h;Z#4$rSC@I@`PNr2Tfkni&D}Tq
z{<VS(EH%Ew`tGAnqla&7ij$A5sc<(snf|)BA{@qmo)wz3w&e)@mM=i{JF&3JS_#Nw
z1z#M8;um0SOcsyj>*<Ulgok^{KY3U${h;mfNm}PHoKY*FzF_dgA*v0*#@qyj!i@jA
zr1js)kMke$oBWgfk#+wizc24U$?qPLaE1PL&`<;LJH_SlNzB`NyR*Zfp?UsVVnt|C
zG153BU7Izn==v3K<XJ&`bx3ke+4yGiswT-8=mDC+-5jAw6%IXlQrht?sL6nrlzwMO
z{MVU{)bj6g%$cWptp3=Re9tVvqWe-c3vRNHrT526vGN(rrAO1-$ZK_4jOp0k$kxT|
z>DX@@iC*>Z)9F%6jrO_f<n-SBaUhIT=U~_<H(fJ4=S@H^Ee@h6Au$(1!se$-;mP(w
zi?r~fAy!+AS^5XH5iaVR)=)m<U{}OJ#-5eLPGY6g3vLEBA&mXvysg0<nDYzquhR?R
zB<KcOe_a#&_5rD>R!{<ti$HKsXSUrbFB89Qu&#kfj4q-HZ{{6aT~|R)r`ZLGN1*7h
zyH8LD_fN2B2UXm!5bE@7m&8f_>r7qE^b^rFsro{tIbuWa3-09}kM*YzJ|6ienV`T&
zu@vYe9H9~T4y@faK<=dqvI_*rJxn=DbHml_1kQCliP;<Vx5K@7=U_fLl1s_g&g%@=
zAAhO@AZ8_h{sh`i#4Ge>uU6E$P-7Nxyb_L`h9@LGk(aYkUw1iW%$>^CWK0ngZYQfL
z-HO-goi|$$#J`E$H$;EdML4h9e@2Mg0Je|O4myy#1D{QL0d#HUoD#kLF{7KIg(N(F
zXsio*$023B+7^GoxkUm$lWQ0mofj2BX1)B<rjrauh?i~Dkq~#uC_uN7qllm;G_OQr
zR=Y2Nk2l;*qu*v_Ex~Rc7qABFOz1oDaT$Z7r)9V;T}S;;v_g=D-Fw!Hc*_()RGMp7
zZd4Li7@qgz$H|QW!buiH{bhQWwWvySsSkTaE9+%v#vRN>d1Uc`WGI0W(wL+hx<k3H
z8||9h&+?UR0Unn|I`>({UA0XR*FFk#_%eXohOI3n6AHJgyN#=J?~gJ(m1<IQn86nI
z3PTuv8^OH0)uVV>H@D6XEuPJlDcA)IL0qTO>8WiFD#ud+!E2_?O$>Ii?i46eqAZIG
zpJ+Z_XbwYt-+&MSOS|Lw)nYtJQGL2GHlWpWBRkYbRyp8nA7P=VCvh<0E$K+k1#YI0
zt!ip#QOP@Rc7TNXitoe=!OzEAV}wlj5%m5$J@72|oHkp#M=v?NkDWZ;JMY&@KVn4W
z_r2Agn(w9hh)L7*`;V)|U;Qvs;=k!=8ywB)GWCv-Kf?NX7zraE#9hcLcLsMU<q*#+
z!8sZ^m^T}uf|`Z=JAQjlG(TwRe??`kG>YT*BuB<89_6hX031&&YeUI?&%xY+S9?gC
zo-LaBr4S`Y*h|eCSe}3nor=XZTlH>FG}>XKzH?T$ePWY>VKat=rWX{}S#?R9=0L`a
z?D+od1s8k%2;)2jBOdccW!Ic4)hw93i!6I>%U<7w9Xb)fhPp4ruIi^}$o*zu4U@I$
zF^u_?Bk-rAh<5<q^a@=1eBeKTo_9#~+jac~f}^81?x+ftO-H6}P?Saz@*Hyk)yM+%
z)Lrlec2+Qnt1Q?BK70Y896@J<0^fddAnL5Cc5*#rf!AI>+cmkBm9q@^wc3sl=3djC
z+L{zf^bYMC1@~t`BRmR7$!%;)1y1VMPc~0c?lB`D#5E{7Pdlc(m{>E*c98A{o|*Pu
ze-D`_nfkTIynJ~_u-QgYMQ-`@j*&m7+k91I@wOgJc^$u$DBv=8`Eb4F`zSY7&Vo{p
zjs|9J=wEJL^+=w{(#FPem0#;UtBRMnR0ZsxQO^~F%OF<m*b2<qf^cY)wZ5DiMm@G(
zdSt9J54S)0B3o{P+Tt4?-{L`d@#U*RU*Hhoe>T0Dt$qAX=9!%J;U_?a@T6E?0-qWt
zpjV-?090eKv!Md)#SU8gR7KAMiB{iWMrZ4_a9wyVZ{}EKdU{t(P)!0C^*D_n#O&hR
zp#nwZslN$-)3O5}x&2sq{Y(C?e@ziUmVe3LF#5kKf`Q>rijchS{NEJO|L-or{f|qG
z|LKx=jsLo&B;=ni$#bS4TJ$f8WlJ_Z#5r}+TU2Kdob2#+azvpib>@j=u@$cS31?`w
zW_)P}b4s7_#8<cg(W;zSNZ#iS%`d0}qp^C_LfF5WkuFynZ72GjA#XqyaXr(2EBeF6
z^f<#y)`G7r`iiB2(7e-RG%!wsn}6vSK)eW9tRDcY-XI&Zb|NWIP5Zs9Z{!ZyQX*W`
zJ}@KSIcNRaLPOpJ(YWl?N|HY9b`0uTT)-VMfJn&?pYFwmKQCxp6!js0R!i#z)B<Ao
zZ}*myge_sx>0czC#jqV-hssa{-6O$i2zIX@*{<dL&lQ>4DJwoggT%!K2ofF+2bV$f
z0${hNuq)&KP$!KZ?d(J?)hn6JsC&2KSw(9Rm)F#M?~i?6h2JZAPURZbC5Ne;lOgr@
zskI>vf87OuQ4*qVUS%+z5yB%ym5^6BeT=oF8T0xqpCUJn0d+e!U4JX$7rQ6x`5?O?
zpux*Tp`=P-2-y)&u~x=i{PsJ%H+7jr8Lx}2X}I=m1t7D50)d>;AlfL<wIZ)~4^45?
z$gpGFlaazYh3Zk4d_h?dxET@sjlE=L|DrYT7!{_}+{Emg)z~-%;ogI_+#B#2*C$=l
z?zD^q#2;wkzNMhL56ZO2h+FYQ;xSL1p^*miVY(9>o2~vBB`SAu4JhGe;P@I7+HD9<
zc$J$T$E?OCou@_nGyvxOE`FsHibd%WQkOZTYtSpNy6T)v4pltYJmru?kizqW%(m~H
zhsj66F#br<(*Qy(spMfQ8l6kHqqmyR_PQtp%{}JN#ZBKZ*$_Dn)<Gf1w|o#Ow806H
z8v&UG#HXzOqOtq10!eT3=C4(0Ivuu`O5yKL_s-pAfe27`5grqjpvPosTmkGcB_7Tu
zBQuy|x;oaxkIL)$ayd+`<(%2XW%HG<Bk~FP)&&g9we!;Cu-H5$c@l=rx}XuYM?};8
zuf^CR(`aTxo!kU3pCvj<ZBN#`h5<#y(RM>(6!c;7;8u&uj2F=cIY%%n?#I`V?OMQI
z{XCV!p(Csl7r=w&<X;n7?iwcRv=n_GTIM)8gm{`d8>ahgI%|XjqY&mtTpeTzTAAfT
z;}O8(Kp^bY(s}19Rmgw~c}$!wmAo!%jEfTokdUG!cYUC+z5R?#7wnJS1Lya*D`jOs
zwpsf(i?+d2(yR8Lwo1np?<3R<frz;BbKoRknoiGrfd?FhlnfcfL`sSX>w)}Tp~j5L
zwJG5)D(R<4622|uA6eb+i-v8`&&I4`v&srjdy7B$ck57flse0y_MMHz5^KSKI>T*5
zM_mPNW=LgvWgO~gj7DAjx%K}1>N_;#cxE4RYIsseJ|iponah?(rC*18%x990R{qcZ
z7SN|CZUMBC5fEPxl)h5G#iXJKEcAIzW|isf6eXhZ+Km+rGwzgIw$cM7^O#+4`B*-Y
z-dXlI@Yc0SHBR}mHcg;ohb4;_VI;vu4n5JT21`PCWlnOfy2d`O&$nXZBo5(k(@V);
zdK6?YIJ|6?ur&`IG)De3{XGsph0G&OOt6@67?mwPvG~Yu)00;fv=)#9cvpPuH_^~z
z8qzUt1xoRoZ6Q)*dI#oNMeja;M&+w-_B$DZ-`LIm*f_7d`MfXQ75hX=Qyt#>m5+x@
z0p&f`bo(xg#x=_sw1EdN`!4ac+%OC4>V>wm3Nm8n*wu;sPF{=)S`GVR*b{qBcU#FT
zGq_HeNXmC8H_MQO7_AUvz65SbAJag(9?Ep<&mSi7>f0kJP7AS!mzJIdARF2Z^$U^=
z^6@I3AZFh)On+)rFFQm;)fjb~X^4~-+NZUGB6<vk?lLcgbPQ5O*JM(w_oss!LP@C(
zc>`6FNH>www<n=eX`k7k?C;*d{c-JWjBgP7HXn1ECs?2&)sf&{FUhVc)NA>#lW2r*
z*0dWTvbf3Vzb+a6ck<)?hx|tWB!4Q<f63oV_)qdXh=-$0iDv)<@*Tr!GH|2<6BDHu
z!1~vk(&l30LK33=zOwFcw_Uh?|D@AeKHXT;S^;y{yVLlj&_^tn4?lmw>2MR7@9~>;
z*j`U>n{vce7Jb`4U*$<_6I~>hwF%zIRHjQ8tKFd@jw;0~1Fvw4DgFGtMhDB-^(#XI
zcZ4HY@iyWTTw@3*utxe#-naAeM1fzHyqQ8>47)lTOB4&fd0JoVPq%P0(h}wrDTEVJ
zbX~kB{Je^Yer60s)_fz;i1Omz1zC|NSl<|$3N3j4?r|Aj-5W8tzOjP9dW1ekL=mzI
zDrE-A(I|N-L>WP=ey85t3?Ih%0Nd^Wd(2)!9D&c1$TrDSE3C!@7u|2s7r`HGJp@<I
z92oYAU-S9UHv<7m36946Y=Il|@k#@M_c1M>u^Pw5@D%Z~Q>_~hNMJe=0Xd)M<lJ$>
z#)*S%+PE#hI9^5zxhx=v&Gbrt$>6{9ypfN;J9VLwf=JHZ<^!!vn^&#Z!C7!J@{(IO
z$0VHQQ&%D#(6!KF8yhV6kwvGbqn6UlC-gzY0Se=Qb8-`F(D6SLs3=-1qA2iG@<ps?
zBP7lTxYjnl*L#)w=nn7u7{N!`;fWYNV)PC;8Ce8-bP1S*mGquj@3M2hA$45NP!aBx
zfWOUhKWe*UxG;J7Ih-9T@1+L@?Krs+$i@-ame_sJtkttnaDl_Gq?%2r?iOF3nItcc
zecLV9BNw4=nUzm>`_4wlX&=T!)hvHJ;Ev0;Vjoz`p+UiOjoy>S>jW1>Jg@n}xpO(R
z@#RF3fImD`uIE(I6`8#Xea(5fE(h>(g@zp-LmZ8w9;0X##g6g3&`uTHZ^IX9``PY$
z(kR6unj0*v8>(hO=wMO9dFdlP8ug8H_S$=`{hpu7&1V4p5;eqN%K*e08B!_fWm6Q(
zf_fXSx<T2DGFWg|NNSc~j*i!b!*@n_DJzW?3Kqe|&7%kS!aP$q!yz(MyE0<|6|HFj
zmsj8<=%J#CF?7c5Of&3#qZkkA?mapZ=y$n)x|dyTYX04Mh<a)C!4Q+$m8qj<+CN5~
zJ+xoN-dzL|KPi0x&dDlD>Hj-2tMLY5wgx8=yPwC3?t!iPU02Y)#1|cu>iNz2z+ffE
zm!h)wQ#319ilm(v=!^;NdqZkjyA6pP8Xg9oadqIX*X%)xvRhSR_QH}XRqvxwi&HnT
zkyu~-ShvSoA#Hc^Pr*?2Y9*g{x>$i4<-Y70(=^qRt~K`{u<`imuPD$gL7y9i<yt&j
z;s@VJsr&($a}*d3;03FjRBp5)pbSwd6QyNnC&p^DZ0U}y>`ErEUb`#wG!cYL;k)RY
z8o@(c)d8=<^Z?yLP1UR28MJ5<?yNRA8>hD&+5;;GZ0%<f2T(`54M;=TY&t>(f<(Zg
zOK2PW{6u0N0?ty=_ieo|WET0ih<r}jApFtE++rHsooY>UQXFVMRe2<Fsg#RApp(F%
z6PbPi-#V%rQ@U#o<iW(dmdQwq_N%@WguZ~c$lR_>#q~$@7n-+q`GAvxx*g*J`W>rh
z1pQaVMzkQCugG!{IM$s&f2gu&*&Ag!>Xz;5gH!NGk4-5sz8kQuItp#wxsli}JW5AI
z0mU(nC~^vVHR4Sf1(@GP+`lm+{op9MbQfyk78ukq2mpikhug$vmWd#46n89rWMm$y
znzMg@UwFg#7+1fogzCwivBk5;VuN0GyV#;l3thQ~b~`ddS8>^DGma2;boqW?ThwnJ
zvT#_v8-VP#$uqnz+MS&s60c<K*x`_LF}{>yLvuC?@9`!=U_iT+5J4RR<D`B8&QZ^~
zgnS=EC;KPp>g0|DpA?B7Q<(I>?6Gv{7`A@nTqy!igGZGwAq!Tzy!@P!*=sg{Iwgtw
zsfA0a1s*kTmaVVN!0PYC&V7_ILHPQ6p6f69r~WlX<dOX)Kgy5)O%berew(narziiL
zBIf_yCHVhwiQzw8l2!I!mp~Bz(<Nd=YKAO(*#$!NB6r{j*$;z&Xi^zpC#yr<eMm&K
z5+LHpi5YKMEOt_K;O~{klL`I82DX#00}3fPgaam5a01xoj6YZ6qza<idF@?dH-^pQ
zoQ7PiEwDf@xbh?KZ1=Vo7C2nS!!r92@qX^>t;);Ql$ebO{7RWhR?J^jJ^b7j2UXNK
zd63JYMvE#>SG5vVjKEYA+`&Z|e^9T7E^y=eS?2vEmnXs_Fi3APQo`q62>jT3F>|Dg
z(r2wig_s*nIT|p*CSz5ULk}tl%H#&7Ph615m?~1XvI)`uH8K*wK)%}m4m0Dm+!9%J
z)<ipy+t`N{A!?{}3P8ceFfQB5n&tW-zFvsuq?xh#SdJ>Qc>5xd9{{bV<Rq9m5BAB^
z4v$IjE1jSnEhR6(+D1<Cz&D`RH#Yd8E9X=V-?-8ExnQ8Usn)!vI|a5Ud~PARwfqq@
z!a=IX5to1-EnJ|eV!?#F9p3NLhVWPqUHKCzh@P^c<&kc=V#d3fRoFN$3*Xa6f9;O0
z_CdR>UqgcBcMNfvao&|~JY~AR!Nic5N9*Y$_Lpau4Th|5*GsU4jWPtR$sVlQt2?cX
z71QNXQ{oRwsyh}}nLkZ!qf5F4MdsttX8BEJS<irDgUVHj>y<Ydr{WskrC)lG=g1>}
z%9;I2t#tH5I>?ehfKt%QITbvHd(~TfjEJZ3$_QK`qmE9R26#6H;M>_Xq3!5tRs;)Z
zG6Q(v<>n)~0C7~~Hk81M5aI~&+7N*QeJ4NWTjn@fN91?xUX`?4<1INjfQoF(L%EJ*
zns23+BZcfjb-<~}&L8GFQ2Zi{FhCj5O%!ZkU{0;|abci~%Gsh}i_$QHJ(U*;0#W5O
z_@WO`ORSzMbjs!UWOuJ%Tmx+LmhcQ#=vA}FUKb0D$&wlczvCz?7+_K#uwqd4b}Zt`
z=2=@l^KMIFvO+*c<D!ovBqSM)2i3Q(amRQ`b3DC$8(74_hC=V$$z3wp_Hb-S7&Gk8
z8WP+JVR(4EuCI%FVNj6e#)3sn+m#~ggKQ#T2MWI^gZuat@{&;;kqrpbEG;1f4&n<o
z`g}uvoyMgZna+M(E?fWklGf_<YW)^6p;~&#nBR1M^4Mx)9_Cp|vkDuD_ME~Kb!SoT
z9g+F95fWnHN^`5OaJGi{mj(AKV-1mRike(1z_F0A*ATT=F6e_PY9uKG)bs6N^z+EF
z(Ba2)GD4S@S8mQZtsN{|*3n@c&==_OOI<enksV7cvJ$?sC3KlsG%Mp-?xjNUL6Io1
zU!kO32#NX5ZzzG>G2xDoGOkIK0P#V#gPkIIqc080=0F1y=w#v&0rJFbeCRJx^waKQ
z7d4{wgCGNHwszlAYVh6;N%LVH?`DNl1F>^aLeN60hSanN+R7C8;i|no^APn?`(8Kj
z(rLQ_(wrte^-YwE(eBiBB#&N&Y!!rxu=+L2-|(0PIXF-p;9N30GxaX9gR?HNk>2EC
zQEz?8^XIAy)r<;q(JO}uMse0~cX>Q>?z`_$!QElYXT-qV{`Mr1L&NDn-8EsOR4ERb
zQ45_PM~`*G8z1>U=cDh6k@{fVHQhpxQbX@yl*L?dlmdS^kl>-}7r70Dced5OxvIN?
z;ZajROwA7;XS1$q?srTz-LyAgpfbh9RzAH><9EMHf?|zcz$Kf(2~+=`R^1*$Q~~Ne
zptHjBY+%wm>Ptw7Q~^u@%K&qgD#k_56LBY?U3?VcD2<~^?f?QXv&piM2=marxa^1S
zA3_K(%+0w8#zuU6V=fiVq#R&+m99+b=}#(@nm@7oF=L4rY3wn}Dx9|zLqky)#8_?0
zQZyrW+pC$bh#^bwyG1=|;Cu+=KFfq}=!p1}LtDlKZ3-UH!AI2IzC&_dlrDabwA7Ry
zULac|)9oBR*KH_dwakeBuS=Hyo%{s<A-};t$)B(AU-ENA{FD4;$m&fb;VL2stn)zW
z5bW2k<rVp~UR|wppjFornwca%LxkQBFb}Uat~fV}5lIC|0!(#Ys`&SadI1dplxcoN
zoi0Oy80(XRz&re$r;_!pLn0Krr7ZLrtie^~;ACJ5(Y4QkNF=)Z2=g8;qtlZ%bW0lz
zT-3T(J3g;n=8ztzdjL_YFU6a$XKET%4WuvHq$_$w%o%N)wAm?%%iSNCBnaOVg^jcd
zi_Bk19aPLa4S8T!k5-*#1&Hl5h<Y12s(DcZxC=c3DrU6%x_+KoG%H=((G=uTnDj(#
z-HE|>NxjoL?<i`rP3>jahX$F4NC<Lh5#AyK@4w*(Pl;97nV5Hij%vM%US&{*N8pc{
z{a}rym&9=54ADTkEqrv#uVAYLB4f!i^(-pgYvIjh{CvL(!NHX0nf!PHz4aU9dj-gB
z`3moQrb0yDbt_Yt!zrgAu3t+ctrJQCf4*Af5u)UKP%1o>Wu1y62%_n*h#NOQ<mB$m
z0XGLMp=?8rh^;2G?!kBhKfYqr3Tssd%UIsoGe$u<vrT)XJrP`}EBq;yWoOl_QE=n#
ztx9QVYT2_P84F<*43Ln+0iXt%zc~V!iAuu5_N#jZg9R}}0n!@vG4W8L-Us)FFJU?S
zU3kem{=(q@!`}L<VrYrI-YmWQr+jx2G<hXe6T{%AC_1-;I-%ng{HbfApVEHKbgNIo
z&A|aJN*?E7ao|Ff%AZ3^;opMCqaXuV<Hj=todN}34f9`mA{<yM?0;HUw=thud_o5`
zAeku%F9-<3+1(yXq-1*)4T0j0&D?}%-Ym?%Kk@t}aLQ6EkV|zF*(&l}ezG(1$qrMr
zTeUf;W(n*Vw&DY$9hYE!Y~A$JxJ%h2$}DpX`q<FHq-v;e&ehOD(&70bepEMM6}o<}
zS4j>Y^nGNq4Gi@Jy(*;+XT>!UDW&{q>=fr`2;9phV~DKL?-6p^OTFxvwDgKm>t~jA
zsPp-;5Y&a1!6^flYQH!-z|3+5%;tV7@iR%G!M6^(?&$a@5=@8rX{h#ja7F?CY@S@R
zrN(!YcsY4}Lt1LcOiRPU+y!J~5#7rG{FbCmA@s=H#)niuRzi=rnY~mXUs8|wYlK5*
z3ewePn}|+}^^#Mw7}rD9z-Fe+EHSCID={EQytznWdVjF6%9Tyv6TuOB#`}yg>YEvw
z&=+*FNronOk|+`Do6UVzUa=%U%tk)7eSW{z?LB?zIPh`J1dw1LL}Nc0na_R-#E=?Y
zroEh&A7LwB>Fp4QM0V}tdg&YcH9{VO73WQ74~K99Enw_q+^-0U;wF^rj7KtgHi=R$
zkPnn4G?X8utK3B9)XL>08JtCeE;FPfqA>uM@{Ch3(VvH$&GhaN2_}(b15g$joQM6{
z?vQM(K}@P+-(KrN)aZbRCV^RFusDZuI|puu@#f7nxrdMmIB3%S6wn;B)6)SqsZ%D%
zVfWc2D(u*!feb5Zr&*I3k~IVtT|oxkKayQh5HRVI2&#PH%8LWz5gkV58^N+`cMI0<
z<s)G15lVzg7N3~|H(Yc}pL4>YqhEt6eD{!SmDdY{e+IgqXpr2uigCM-vY@DHI%6!E
z>kmL+Dd*&x6#4Or6T=Jc;#=gd75{#3FK%(>DcGoU7taFXLYJO-P@lZhY(kxG3CZf4
zQH~fbcrPB|>4Dn077leWe%Br9PmY-&QzZnWWp+HeH|<BvdytVI17e8NJ@rZVM@EpZ
z2`nIYJ5M{5Iouor`Sp0{4MY6rFRWNR?Qhs#6o*~IY&n<RQ_m`In2gH7?K8E2ubkpa
zJBp)AIWOPtG;7^4A5Dlc8&IJ#d4yk*t*Jl+bYgVxS<kU{=|bQ3rYZZQL*T}Z93H>c
zo{ZB&Z+3&YCAi($x*9cVZ={xmZ#QtsNYIwiGf8SRW@-MCf8$?MgvjV$^4tDBUHyNZ
zvHP1M-~dkb{x?PJ{Od&cz`qj<YyNklAjRK3Qd^e)JMr*eC!)CiotWG4zY}HL|GqDo
z|Nn2v_&=MePX2Ww^vd6f<y!ymiEsdOJ^%X|&;CsOm#!<qzZ1>$|4hXDJ5^fkxjT`x
z<n2EOMFX&hiu<QQonhcGqF%CW(~$<%t?T(kvF0k0XXC2ySoZyD6qb$0DRZ8-^ay4<
z*P|`qe?X8V%EpPy_fh!TkrT1UrZhayCe;+EhFgQPATJ_b4{$bkCsx`(yrdDSeL6a1
zuxgZHi~N9u?gCOxVS%Cx|CQymYNJCia!h4U-?mfBnqT4r!_oqwlf)bXX$+vK>9_<s
zd&G5TbD`IC>J?kj{wUQCzH(N0*-6x=D&M}yK->Lj?wZV@ZJNcWfSP-`IxVm>1&p-O
zypaoDO_F6?!h!%aJv*gMHZUe}6oroZMu__MVGN1DTUlnAQee^0_@lPFa@Nnok|Wnh
z6AL{yDPEF6s4R2mv!*Xm8Jbop#DP@;?HFDjQo)c=#NC7G?&^tN>Xw7u)ve_{0g5$s
zhfdFIqcPA3^w0j(r&(-|>rWm>ML0N{D<!J$rOmTQDPVBaQbE}t(xZ$>H0Ov`uAZIw
z#Kv3!?_S}e_sTwQ7(AKrKSnN0c(R-OJYB1?e-g1OP@wjn)+@hpDy*$F#k>4}y}fl*
zRNve8Pe_lnzziu3(kap)F@yqwNH+q4DBU5T^hlR<cOSZj0f_+x5k<PY5u~5tbKjru
zb9?(N|NH$|Yt~}wb*_Ewectc0_dc^XE-%Zc5^mtD#1nsZ_uGC?5-UV5vfB21Jr1Q$
z-z%ffUWiLgW;XrgwSUN<5|$ylzU?;o{qzpKX<s39D-0q&Eb@Hvesa)m$sJ7aV(0h3
zZ&B8*Gc)uT?ACE)WMm6RM2GnI*q20OnCLVh81JaMTx^OyVSH=F&p(~9-K?Of9;@f^
z@U{VzwGKIr5l>ESlHrhN&v*QB*Y$}ytbQF^QdU~K7GDl#g60%1eXI|>N&~*q6DrX~
znG?KJHCt((x_*g{H(}ioX#5#*s;Szh@wv5H@BG(KZ?F4mX9jXD!OSO-yqhm|yF5(E
zt^G)m8-~)mWl5#4Jh-H`8jlzZLwroV#R_%(>FBqXh#)5hgo5C=a%zD)B^ObBR?$8w
zYDlipWrKXsJA!zVlQ%lXI)_EJX}0eoq0_?NW^>{sb`w<=%|!PG-zhP(oem_u&}+c_
zrl4HM%O2HiP_f;<t(PCePkazNKA|e7ZBgY~sH*?LIx@hB6>JuS{nIb8WN8Md2g|sv
zD6P-92|nj=7A@}3R-6WcnfZV5a0wNLOa$`3RyPZSXD)<2?#|s9LAvCR$qZ9hasw30
ziT-JsQFK9H)6%#kSfgU{3c1KXeZ?N+_nk;emB8YyrCdLUa<Imi8HiW~V<^5nBqdB)
znApZ&al8d^t>PRT@f2L=zB+h?fAKCMRW)MVQ=etTq_J3OVzh7z&deW6XH&VMe(XQn
zXzDxab-B`xNSX^^DOdHGip)JWE9Z0=k&-7MSLvSp5o(@6U~R38dwlC5d+7}Q7_nCK
zlYU`-F4oAncv&S5fwDoP)K2v*X~Vo29w%d!0{8K31th-ebD_8mwSg=;-*n~*hbgv^
zL%y{J(pAZcNADO7dqYR3!f<~E)2`wAR%6><?Tc?ZAHJZm|K5UYZCT*2WUy)Gb@xks
zq>89`I+4)D^a6*m&P0?~T<P>Dv}uJeya#$sVyh9i45;$rt%}ep?N3hmm<F8GM8#FK
zD+~CWaz~f&Fp}=*V|M$tX+K$;zh<%brNd+%3oP6vQ}MMH#4|~hDA;@J?@s)4(tFEC
z?e0<7yvt;_JF`@V7{O(oS1V+pI!|=UqK#1}fnGo#KqDN;XVUS=P#v*j_7k&fugyIr
zAqX7C2)pxQ-Q{?vaysqJ;C=U8?8ToG>JbyhPjwv|F9QXaA3VHzv_Vw2IAy-il6zcG
zl{t3J-zZ6)gI6HF3Atn6#zl=WuW0ewS8P3n@5PDv?T&hZhd$zmlCFe>!j(3~5^~#P
zl9cG`Yr^9eEDu`w1&8%Bo|+d<x~C&rg_Sr<hNC2g76YV_6|VzIZM>W9OX_RZxvkZc
ze$HSL7-UY9`D6`s;G53)_u4cU%~hmlGj9?Ie{O+S6XeDSI-FxsLT(&%^RHgQSAV1Y
zZ~g!D5^csC2OXmN(@XaM?j_9sc!}xnUQ&_sZ*R;}<aaOGsHQpMXK5dIY0_1=9)Cxh
z5{a2&k0U*Ldy_44=YxeDHdhmZeZv*OmP>OTqJEGina{C9AIXzfoJ-lqwXWnK&^j{v
zIuUsAV#{<Y-O4JC<!i!wdB$`q9CWv2e?I4ER{yiAiRu{S)Z^0WFcUvarDgYDpI4uO
zPqPgtf2^LD7aVhckrdE8-!lK;&Uan4-0_;%RrGkVrtW!cjkKeEil(uw`wpWgMh3nh
zE-<L68?04wU8&m8c+Vy`HidJ8Ww#iP_h?sE3LP(o4gY=}A+{Gr;}_4DvTV3J6{628
zBvzdQ9>Fr+P_RVogxr>y?B^|9_CAtI+;+0G2e{-+9EyMa%wRaW(}Db?O-$UJcu3Ef
z_q}Gx(k*KZEfqI;brP}{YMg%PA;K%l^Zjlfwc5G>vLwEDuL=I)1mjk=RwH#;+M{&z
z5V{A$S_APoV}|$8NS@2S?Qf^51ylQ)utbYjs@n}3-DZMf`n&jZjtlq@s5{w8tSWwq
zPBqHP^A4zAeXP(yq#u;ctyFQPW7>4!$vsw+m^n;NrDcK#6%*c56X}%fc3@C=Nw-~g
zm_o+%faaToUw4oTGc_Mx)AK4=pRb+y^Y&;j2FGfC_(yeb?OV@ZY27!!#E7G_mPxl`
zuW~W=JuxHl=q_MB5xveTgfJ2Z!Gh>)j1Fp!0tKJyH%)_vv^0vzMCSI(@f-N`NE7M^
zE#<#jnAyU=x?fFHe(V`{7j;*2EUv>MR!E{|zPymfEj;~tM@$V;X~U)|@UeiuGvHU1
zZJ%w<>0JU+VhrySYHf#S8BpYOb-d8AU$%n%W=kYvbe~g;;SoQcww`FCo+@hK(R8z+
za3NMU5>pR5Lber|O^&Gi*(CTq3LMxRm)3L?0<~9X@_0rY=37=7l^5w<`O5p1y6)6-
zP|}MA{Q{F917`(tVJapnVZNV~o?1&oY3Jgd-)!e92N)lO^Cq0s$!{hyRx#?hbA>cW
zdBpEXSVmgxlo#SBw(hKhyyTq52}GiKT`)>7d0P{(8!>rRqmD^AbCI;xImKn^iAXFr
zH&3~F@lmuayH}jMr(}Uk<VAcUl<N<PSp?aszVw$rtR@WnZX$IMeInb0{@L#lS7^kS
z(Ltv3g~&y`j$wCR@yjgH=sNQnQ&k6OlV02&4lYQS#n{=J%;j{9t0BPJT)(X?c@HBM
zbt{7^N%C00l%agTgTGBGVjOD^8OZ5)U(d{-!zf?V-(y~Ty}ek>KsejPFK^_Y^n3*7
z^xK|^UvKOMt~@aIN}nxPd?YJOwr(kTW0C8_Y~cE0KYlN@_(x;Ky4#DR+{d}8Q*?0E
zp6?tb2(w<@Jf0eX$v|2jXU2|eBl&OJ<u1D75Z<qKCCTKv>)m0LnQ5`CHs%)65drZH
zQpF3^p^2c{O){inF7(5cBwcU%J;<4cm{d8mIqD+kSYd};FwK$J^?fR~wwsLAy+bnX
z<wfFx6c#$NuhJ(C_ZUl0KmORguvsID(fKkg?h#yMNb=%z6|Ew9a*A*($zn5=*>&Ju
zLv}1`aWIGdRIR7Up^R8xpZer!ez2lzdzm?CE`{yFs5OkZU;C~51AOF56;v>e#Wq-l
z1IoT4t{S!zxvD0}*)+91m_OBBOItnwOKTIWD!NlECQhDle<wA1so=#aNV<s&m--tg
z5_)1#0>jP;na3a{ez3EKw&Z^rm6J1Va8e+le6_kFSN_pibYfagz=m0?aUknCMF+`L
z?LB(!K!EQf3$vHc`|fEjN~_PW!xhdY2CG}l1sJ+LPt@Q1SdwIDNbH1=c5vUviJ{2*
zUS{}~wz32G=8u`>I%GT%%rsn?+7~Ke=@54%Blkiv{%k2f`_VJLbQT}W(ZNQ5#}ohX
z!>wypl|7f*D7qDqH8T1i4gJba(v5TnjZJ-_Z#7wMH5h#Pp*LP~_IKrH`A7LpepmiF
zm4B80aQb)Umne%ONIzp$#BBY(!{nbj&8-s~+Nn6RrsmnRHCR?eiqkRoOUwPFrVBm<
zUi7HLw|dD;{>@q0F#MenX`~}zP(zig!cnPc+{MpL12h{moVh-Ku632B!?o!Tn6vNB
z?thbo<Bw!YIw=PR&YC%v9Xi^S@daB2NeJ$-98_PAW(<gW$V_poj$MA**)F?1c>E@H
z<eurAnur*KasFs$s0i9UGcQDfggKV}Bi4fW!I55!)h-?-YIz|$?>o<Y7$afPwOxU&
zi={Gn;QYL!gGX3$T4|be5J9fX^G(Tub~jzxO9|nQC}=}&e`<i+YoXWW=s#{PW=rIW
zcP-o{_26cRX>d8f$dM%oQ%qPSrclnYtF8=LZ_<%|a@zp+?342*B6{0G^r|F)_^N@+
z5%1~>=KzsrJtF$*iW;ZVBr=PrepJ_DU5a`6{lNx?@y9X?4V)CRY3bGsueg<WmtG>T
zhay?)Jp4~dkE7Cqd5h9Rw(ZxNL}sKGK9r=*B<(0Zgu>rrT1+%i#k9<+RXcruCVKV7
zIyBgf<)dg4(qpWHj&m6ETTXvLuFrBrWb>0<qVuOTbCNZ(o+XyR>9G6sdnx&07V(x3
zHHjI_2_(z5+48;F2Dg6=LkMR1dsR(ZANP+fx3DkGXy;-WD&Y`pS;tFZkgr*!oee>A
zot=Mt#FOtLaPg}_-VsYNEIztAT1!0~Z6khHL?&)oXr!Ak&}#f;t8f0IX2;3ikC9I2
zf?*J-zR+-7><-pT^yf(2OVxV*OH!t>UzkPJs?<(xRz@n)BT(@HkE`izftSlqF*Fux
z`N5vA^@;h{*@DTWuicC%_sa8XKl&ta3}iqY4l5&=le|9Z1#bD_os&DORA?1LH2mUe
z`A{p&s?FIBUZs|pC!Gm(FD-dg&vGcN9te!?D+n<@iKggS<$TzklS(#|K67hTtrPno
zhWX+=tKXyg{)Rk{d4ccid=dBV_m(Lh^Ut42Pdw{*mZc_?X8(lqYToC5x($?5#}v`~
za-e`)k^g>PrNy*p$LofrqBWkiORl%M`%uRzyTnmH3r@4Syp5i-r^mF1G=rj4_Z*2F
zN``kP4~tCQvu`W>D8V@1R9*dOUH>>#vM7ZHBiKJLh7xR?fNL~dZbHV1+d)IaNGfhk
zedy2Er)KyL!p%XLtAy$$ymRv5>yIUBu6pZhR-87Nr-L^U5-`n<S?Exn{6e#Q(AB>0
z>w~$6Q{<rK(0lf8ou{aeh5~A;PU)nu&2!vdYb+@FsXGfqz5EpPUa%||dy;osweOWF
z<{j2ARu*3lF)3SKAMu-wrs@8`!*&^Gw~=@$IIgJ9oG(AC=2ia?n<oCz;|=jGJNnI9
z(si__LDJU3$EQ#1_m)qNxuD|vxAc*>h8A(eJRSHSCN$2dcy52wihSm}ynj>*2Lmon
zlOh7&60&y5#8QSR4kwHy6Ay@6UtL%C<A2tS3W?<IZ13wAPQ_41<36?3^vZZ*vKE7H
z?k?b|23}<B7C^j_{JKHY*-X(ijRZ^KoiWrdbg&AX<vw2}E@+U3l4v<|ynIo?-+{H?
zIi#w@L^Ia><#|0e`lsgd&R|fZbc<rQ1gUiOlSLfn!Pb4g9xsbmXb|^_%AQ3u%7Sw1
z;=99=^^KBgp)O2*2gf*vR#;V@y`}mFwAHtK%OBH}Iv&c7J&YFmi3n?l8erd*s{F*k
zP`=UGxVVzcrxM__D39wXjK{4ImLA_<UA)~sl9Zw=XYq!1aW@5><_XQ1HpO$yK^Gh9
z#|&945!<vOcVtbX=wjYU-p`7>A`~RU*Oes`z-KX#vIy*xh;z2Dkn!oJe2~Yyjfaj}
zm$O5x3ez;6fQY2|E`4lJ$z9mHpC>jrUp}j|znmL<9i&E*W^{MLYLt7+jS3Lh%h{)s
z)UK_^W!NMWXD2VQow-r|%fBl>>p#kG{JZiu9sH~On;pL^KhjSM_Z0HE;QlWNtbwCA
zQdrZ!CQ!f1A!y9%UYU~l{q#If9%R8JgHv6Ig*8NnO>V4o*D25NF<u$*xf}DlGZh1G
zyVB|H{8-u5#dX6o0seth??pg<Cfl-Gn>E>wsuhO_XL#k;_S1JUn|^jby@xFk7IvNv
zePM>l_boqFV`r{vF0gAbQ|)y!c1BzTI5H}@7!8V$WSe}tOs?zCJ`<MRfUPo~iSC_Y
z79N~mR}uQm*E+HzOP}3_D1U0>F|ANT0v6YzBYEDo(i9+?-c>WSmLy&pG(JTUzKUhx
zcjs{iJBs&2NA8Hcx_>rLFLA=v@a|&4yhWpei|rShnEoqocdVt@$=RvHlNhl02V!cC
zpXU7bS_k)+c%uj{4r%fBf!^VaI7`6EJNUN9Py0_K4zflc(EA_XbM5hvvtdo_H|lZX
zOOtQvkEZKpt#fH-j<@?1YM$Vv9W&=>^lL7`+aV&>KC|>N6#HW2M>z55=^G8d@>V9L
zZK7pc@6gw|%`rKTU$sy!$|+cGtt(vBKIUo7A#1okz4cPmys*$+c`KA_Yd)YbdV~e8
zr0UMg?o_{wF*`zB<0p78I=fjx8u!>-$Ke-|U>fosKi|S<n##s>w3@u)fE5^;>yXZr
z;~3i>U*9)>bS$o=O&p>j-kIVRqaBl)A_{s5Co!_|H;-22#!M@za3*uZpAKTjm^Q#}
zMSO7dnkWdMz{S|iUr4j$M<<)h4VWWUCreGFD|ihzXR^lIKdY<lhwb98g(3}VX9H_i
z`p<7!@UkMR;w1yx-?aEN6{vWmUKe|1&Qsy3*F7TVCzZA{Aiu2<1XqTCewB#Qm3+Jm
zS@$vqfuaP5JIl0OCurFXc8TK(S+OgJpIiyPLCrO&PA9Ts{jWaRwkMHbt23D$tid;)
z+%7b3=?=y&!`p9F6fAwZGsqv&+exYQeilL~Ip#K9z;b}_%hOY@zt6#JfA8I`&$o0d
zCyoNhHbVW6I2v5mTz?KgEb3xTMs&zAhZhVYXe|ou;&toq91$C8(B3sFb`7`9GH;>}
zdye{rdWpWI@JRZ#8F@)XPCROb&Nx1DX})%oF>~*Rw<O%2^T>hBNUZ`Jf?w`$*=Cuv
zyGX&c8usYugpaY@MJ}`wFvd(WIKKtbGUbSLbZTBo;RW3zOB<Lv=5XKQkncg%bty0%
z@uH8Kkc$apkd54O8SsdnoTL^d9bgPrXr>|K#-YL^e@+XCwK2R1I}u@q^BffRQjoj)
zjt_7!tDAn8s;wK1*p^69TWh#eGuEjVq-C0vtKDp$hYSDq<Uj!Z{FVAOVE&{n2kVPQ
z5T6XAt>aPf<!fTSU4hr{-thk9Y;qVLc=W{(YE3zXZX`76XlYzmn9=i~7HiZDs3_YX
zUjM}5%p9S<6>U1@ZX?3d473$_Hg6xXrR(gmSr1+|>0qQt)(hHG5b<z+iH~7v6^>+8
zxR{RZ(GS;uI61R(#s8HixmNj2TlD81R{3~+x_dl1IN<uEh^Dn}xyHbyQo4l#XNgzH
z+_xQu#>blvrE55!J+?EW?j3eyCfG4-xqSSluM8uT6zl7Px1ioe<g4P(!|-nj@K61t
zKGNmwI8i@O=DqdxbI;}6?k9#<hEyezuQcDQ#QcJ;juDc$^wf|~?(6C5xYgU~rvz0m
zgU^=<zzZcupH|D55;t?EV-$PjdfG;m<tv(B*4E`$BpeIroLL$T@7iEB$=Q`?i(q03
zQi<%;zU@1YO5q2|JW(+46g_)$E&d=L-{x98yd*Bc?fVbGep40kcQoSo-H}LC^LTvH
zbSV6Bw%++W9A?l*9yKmWpsF35#=yE8XYK!<b6xj1p%)~?#oTMHnwlL(nfuc%SR?jK
zecs*nl}ZlTXPOtk+J%0QFoy*HqJFa@jy>z%!TiQ)-U@POxi158qx=|=f1NpC`$zeW
zepmjE)PI#<j{SG#=lQjm$S?d5a=#;EfA3bi_^j>Yp_a9DyA!|rc+xIGzOJu!r8Z-b
z@r^(`k!D{frczMByy_1Q+D$&}MR92A^-NN(=0eaKorjFfYbN5ap)Xb6VZKpXnh95X
zD>mh8K`zMYm}N=6$n)%$1DbnN)Z*@lF;2bsP}8bQTfXUd=6x;rGasHF226S%@%&6V
zL~f69=%m2Q7R&yHM9?D{mq%K+c?Ba+`#r(BA8hWpwI)%u8SkCEepD;z>8{OGxTqJI
zhR;r?)!YC!PEV&`+zhYW=Jl|l)jw*Y+{0>dQ)8W`#bAoO<_TDK))@Xe$?0=B)46@%
zlDO0yko~=nm7-`<*hDbRZ7g`3(<v%7eJLXNR~<>D-?G#r(z+4~DSWF!%_P+A2U7l$
z-QYEKZ2BYo&LAm`OSAh34k9%)XX<kg_ws1ksbmcbRVU0}1RJ;F8MiIGnuGg#l{8=N
zA-Ju{C5sK>VzeHlnuHjDBwoJt+!e-QJ3@Kix0b%oRS`7mPwx+e<Ez8Q0Pc#Gqe%l{
zhv|=ChA%37Za;}-t=6rw@WN!~u!TIM*HBv?-XSNroFDfQH=m$RLENvp_4#?_tAwm=
zKUUr-p)AGngiIFiVw>W=di`W&LYyyixT3P=3r}}TOMd9Mf0WI2DRYC0nWdODi)_fX
znHd+uNL=F9NZqjL6Gn>Lr&dm~TUIi)5B0pCkFoWL3=hsm%bx27DE&BlO&wRzj3aTy
z3JFTOICtwkZcEK(JfV~eqW?OS`t0R*G=}X}`;HD0&eF{a(c}&>{{(<bQi_S~R~6{<
z9Q?d7pch$1WyT@ujge#2H&0$AvCzTrb(zBD!o?_G$?Kggsq&XYr56*ESjac_&$pi0
z3Yf|6Qe!0{D}rzRylqz|;km-O_w;dmjr%-=-6p+Xs8^h5V@-r$Vrp469cNASL5s7;
zG==k+h*Z8kS3yN&cOJJylW@l}guUVY?M0b-e)E_Mt#1xmW=dSy5`B;XN2<expWTgE
zGL<_&0w)@F^ky{ekIr)Mp0dg(>1{JYkZ^J1x7`Pv88MuXw9wvXtVI-Ht`LRB4X#&^
z+sJPoYCFkTvXIkmFX+GQPMUQbdMd8iO6zf<;2Po^SX04F-+AE6nz~IOe!2m(I<tA-
zbUVu-)@)L(efRJI)&_kr{5;%4cb`&w{>Vg8!Y8`<c%83RWlg|Uk)AfSr~P8<lHrpE
zMr*-qp(=vLeaBRx@8RtPRzmvJEDTPW>)>S^&fp)c2`fFCG?rb#4`00}kCywvr5hKR
zdeWZzV@~}$L6B*RlV{XQ!4?nHxJ8Fm`Lfotu;P4-a3X{9ZeHzYm+g-!#D{Kp5}HO4
zb#@sm$hnj0tTVb{xr2g{3KDGOrA4lM+=rFS%v|&%v?@}{m{!*LeD~_ebYf0X@XLWp
zYK!GLHN0-Cus|l=;_w>Z#nUwzoA8SDx!|MxnTEsp?fhlIcSR0!&|479U)jL38fvw0
zdkq)^4gKJmjK|?s{z_Pm-uFzH)8wnWb4#J;K9--2ixa!+*q=|~e|gKgGw(RpW%vHE
z&B{FjwbrHVDQPoX0ZT{YuhmRw_5`}c{xOZwdO{+O%w*1&Hu<%4h6gXSmq|aHEiexi
zFyd}xjiE#7aD9p~a!l|~8{0h%=ajCv+0J~H*8AFB{C%w$LS(lVd*(k~Y%H&_?p^ik
z4b48Vm0Gl|5zD)k0n)As|1PZ(t8Ff=#%iSTC3-h(iaB+Y0jkIEZN4Rc9QLTUyjW7M
zr&WcwSem6eY9Wjw>=^A<pn_zTjNJnv;u!r7#-;&_zC7K-`)6Mk%?M~Kn*@-e1=_-Q
zvu0o8TRmxcZs7h7!;R#jLM&I~H-N&W7F{EgPO3{y44Y-!Yf>evy%z6b!Yw|w2`S7)
z)Qwv0Ef~w1v?PQ-zOho>D1Tnu-*#LwC%sXA9Y&P$|F5}s6DQQX_Gs77|5AR`ytd`P
z`?gk~h<}-d{^y=xo11y<|1k^QBloYD(9QkkC6*4<jSgOHGKQIg;+(Q?HO;;{jEb9n
z)9Zb^gR{m6EClLG#b(@-2|0KOelwn5s-505xZl1*+ZQnu<e^NheNpxyYQhg@3mUyR
zV=KRM&ivA!zJ{zUvYO@jij@F7z98(F9(T%~#TD)Uct_I>GdCgA*0#au?$nmJZ{XKX
z@uDq1%cURIhO2cgjJ4Rh9zrqH{OVN}EzYbXaa+4#wIPQAc(l|Co9=ifhGmer*&0_r
zj(mJh#@cXlFEQ(>)9AQq)*y<a#HhZjqRmIx9@51{Np?)1P1B2)9x%P9duykoCqBSC
z$Gc!%vS}w4fIV)T0AE<888#DsC}3$r#0foCtiG@ONDVf=D6*lDH~Dlo0#=qbtuMWL
zCG(hs`d&x!LO1u3?Fk-3(uiBqYs1<G>VOuHA3aLTRi~LbkAA+=mwzn%i@W3lnLh1n
zO^kPb>?ieYwZIl|?C}eOjfCDc{p}O%7gts+UV%+VJgnlL3J($`H#tZ(#>F(pxmKmD
z<7DLAw2pYPFuU75{Z8w?B+Oj2ughY9(GJdm%@A^7me*!G_V7#iFqEL8Jas+u*#SmV
zg+2_c*vVr2ilZsIQAD;r*k2m!dh%c|vZT09_>S;1EMlVj4PhGReuAeUc019f7ud6o
zuJfBUMq;AT>y%5}`E6sr2o2719@FT$qE&ZL=CSHn9n^<fMI}x~ey;L;_AO;te=bAW
z)Y<J<NM~my8Ck$R6Pq@%-XvV(+q6|}3Dd=7`tVjOf%#U+<qQoSq4z1M)kNkzi5Zdn
zo%;tOa^R{p|0<(ClTnI9$J8x&HyYwFre6&+Ti|5u1yh@851|A@n>_R3D|s^+6YIg6
z7JKuO`shc4Xp7-Yvd*nnLzq^kBIwp31XPZ(N|QvKmZSp>>YofV)Ym8<YIebUU-J+-
zK9jP0T1sJX94>3?#J=#sN`r-gKxhT#Pjpqa7iTiW%_bcBrhR@7gyFQ#sO#TPNyaO%
zquo+vQe`u}JSSg<qj**Nd8K2Mg_-VS=YyIl6S}T1xyMGO=pty8A_Gx(Ki{1kIj_d4
zVY-apWQXKGb3vE4FHdTNi8&B(zR22^0jMO{h|t=3db*eDOpjE)^>g`Y+8f6#4HI<=
z16qMzV5cBuT*4>3eNt1J?ekV<KREWc?sAW>eWH}xxbyY?)=y(4VJ(vrFFXcOpJQ-@
z(a^M2<(KrYa_x<hM>J=ytz;b8beel_3q&*3y;K8t6)9KivxRGX>}$~bFF>`L&#)Ms
zHjWx13uZhZ7igh9=r9b8j-MeBEA|&yN2_S5>RIyWqxYu*RQ<XTUH*7AHpLK2Z$`D_
zoI=(W3FT)B#3W3-Uv_Ce-R{htOkzH2e8{?tqw7XaHmv+Dx9Yu^RKkFy?{rcR;i32Q
z%3;h$1-+-ebysDz3^S`Q8oJaPb9Y-#K8|&mLQ*0gS$rZCx&H-xY{f$#g4d()J*FkM
z`}kXMv3SETq~Ye<Z7Q2tj*su6vLYaFlgB3+sB1i?o@Z01lqP;tRQ9SGvzdei8sx=u
z53cT+t&cYx)<<EbOm?7?dy~7?Sg-D;<!$QydNKGt?jfVMtiO%V14C}-D)h@IsMSD3
zvjuZ!D#Ip2<W)cx`-ynj&>tQFIg_&!xAk^p3>fv7S|l+X4s2ANn?)4DIX$qH6l;3&
zeaF5g6p9L_WY-$fqn#a>hAV$U+}*Fx>>(&OxMK)XF5C@I^dw|vT6C&k_f6b4RUHP4
zrcD{=McvuWBB5#$1-*Frs(NytT|87^RX0i6KJll?e81z1Ljs5QCs}RE;CY%KRj~Gt
zS_U>F^c3<7(!yyHcOb3qtCbAL#LbsqZ@nbbeHpyvI6&l-U}rA3lEpUrZv299u%qJH
zDdds2(q&qynmBI;QAf7k$|Jc37dt%rbau%J(Eag!ksB|m`MdIS{L_mt_+9x2HvU!q
zAJ)GszsQXHNsf0YE(UP^Q<>XC&GUp#LTp>0HTnr9%;M*V#|u0a?Mx&!A?DP#*u<jV
z9?D0wxh<p&_as<`m7zO&9ewq$A;7ceTg7|RPNyer1{{gZiDqJc=r#_md{WAKmdfeE
z_P!R>v$5+tR<g>?th`@oLl|eSjkoK_%4}(_op?nZTPBL3e|##{kl{!r88{I=I}LTH
zXuN)n{(}LX_1^sSF;Me$ddd*G2da9WJQP(bW|W;tL~79_C39X#3u#{`Vq>=WNJCo5
zMqL|)R`URlOMrxbiSw)QbkDo(?$Xfoi<okQ+`WwIQM2upnp8;oTo}6<5?_}@k*MU7
z^Jl?(kdWG}OTAO@Sw7{~2ck(wS6lNQ<wl>Zmnn;w&5o#<Eei6|w?;T$Y(`6Q6e4v~
zhj8gQGEWb5zi{|#KJqy^?8M~HL2uz@GHZ(q*Te4**kWUvCTj{vx-|DBB0F&r7upuU
zZrkM^6fY=acd#?fi~tvurf}J0>rFN~O~)9HEMM?hY4<*&TC8q6_#Bg|{~ZWP_7uCX
zj?f7}ZDNOA!O8w<oU=Wc#C5@>MRIvV_^Vy9V6ONFjx1i9{=Ks<>(6JL_Z778mY+!I
z;P!Ywe=}ISA70b`Qv1gcA;R1mV1Ns!63!&jVku8-KA0tmZFI^7E|ylU?S7~U^t)Mp
zJQB*cXS>zI=@{e_DKpiYmN@!KdDgW{!!5xk|EEsB=^G1Y_3ecZvsKJ)+$zT}OtCRe
z8;m8w_s}hN5sG48g8MLDhn-Bgdx~@{?v|3wrnDzWFu|C>FQ4TH?IaPIVrpL85%{)`
z^gl#RlySXO$GPpHO%P7_^(m%DPFge~zER}eo-Ic{hJ3zHQ%i`B?Q!3aIMWclGoJ2b
zo%rqK3EvewBjoMG+C+`c8Y8zdN;4o6Hw5cd>F3lB(s;hy5e)BgGby0-DIB5-V|{|u
z`<(+hx^w-dI4gK9*KhhbA;K1k>fW^k?p{AUN<T=fpPO$91P{if(!6VppK7?*7qUW%
z^^{igV_CWKFGF6**|$Zbca`w!E=PHuyu)qEw9+OnI`FCZcHUkqpP6BG*XZ8runbnX
z^l6qspxygQvlcWd2d=z4CJVM>xf5x`l-y~84)wj~yT16_N)%ZgJfxOCFlrurT&x##
zY@6-Zcp$@ut8~gra;`a~W*!yTb$9Cr374ZceBOwp8ec3XX4SuOWYoO<LDa_z`*VqW
zG>Q3GCCJBy_Ugj;qpO5*bB3@p11aiHJHAm<<4YHoA4`=;<szt$I{oKsd_;ZDA%<Qr
z5z{3IUt0!3S^GKmXoKvw4^IQ%Hidzm1h`0h8Y&1r*?OR<ETpm72VSd}t(^-X38>t+
z<yMoq83bgzKkjk7qnuDP>dkJjy1!GA>spI(El8KlopKGjAWQI~nUrZhZ&CiV^Brkl
z^DHLwt#iAs4{9(8R2(nU9=nWnoA%2P>*D*n>DL%M!L?uHSQIpb?T@)k@{p=oMg+P3
zzc5v#J5ZaQ1h}T_RJwa!HzG+=`77B8_#X87*FPk`JSSK=P#U%2-D#C2vrcNwVoD`^
z7M&+HtA9`wlPW6WxK<QI&S-GI8a7BtL8^W`Ft6stlLVDKF0tPB9s%DZ_J>nGA*S(K
z?ur@D9h_@)a7*TiO9>nX<BR>0y%<!_Ud3sc7IY{FP(8#|z4Hr=Kp|o*?nn3StgE}T
z2`wRc$R>uvkjU(gAK0*5=jxp&2cdX(<{HizJeKZ5`Cj>rd2@t{W-o7$Ns%?YVU%>A
zQ3yWVVmT<8Bhlz}|1xV%uFMb@s1urcOFzaK9n;5|_1r>Kd}NZGBIlRJ0}L8Jdc&if
zMmQ_;PdUzK7?L!ob<3uwb|nH0C8{Y)SDIH%q<X`Q?NjhnBys(tX2=GX_OFQ5_Fhad
z>srFDE6?NAZj`_Nue}H|!yDz#{r+b!!U}S8|4}RbpS_5tzk3PiKVG8$yO(^9{ntxk
ze&4s%(j`B`op@x{R)_AWb50oi*6zDe34&yn;MdPvyC1%<S1tW`5|zr~S>@H1m=PU2
z01}K7fb)iU<5c(Z4v-?MV0jA`Z&yo%vgQ@LtuFbPBIQKm$RdlPcX!4=u1kXRhAGty
zvQi*dE8#vU!4<@Vr)ge3NmtMYTk6UmL>m7XPR@~6on7wdXy~1Dubr8A6VOsPC9qOo
z<e7Is!DNTFrh96Bj7B;uNG>~~7hQ8IV5P`C<sJ0i0{ZI7Sh12W578aii!BfKvPo6z
zi}#6O5}knYkRzAk?{)Vs1Z`CV_!!{nrXMkl#F!cQFw=TC0G}0p^%iMh<$G#)ORrff
zjlRiB{U;L>YU&3wcwT1DM(TQB2DB@}7W3O1m`FAn&ptqf3-zouhyrGx7r#Iwvwo0#
zLULLn{Ea{EDE3gnsdpHZm(CiRBQzN2KRGjt*sb``W4T-y=j;=D@iuUO#V90tZKUJN
z49>MtNnO%K!;;i4xV54IIwGHv%qak|U%ss`JbgA+1)cR^lk(cG3Fr(LbyeOUN>4IB
zvcCOcSDgm`8iwt0U~T3lDC_uAp!2Pu50-Gjz9L0iLS3F@v{zI;l}D|bXj}QDj{{fD
zdKukGJa^bYE~$Fk#GNtc+V$3YcjcByeo01m3lXdgSqT-;{t57T)G;T~Pk@@(tT4F%
z?GabHp=RPEYG1at%ZS^|79rnRT8+|V&1n)fL^)zY3eE-(ej$V5VYKh<T;#S~{M*g(
z4{$}t^<I+OCJ;TslP|u%5I!RT6lX0}xjh*psd-LsHfnz09gRJ(XwFb1{UJV49+DXF
zsx~34uGPtDqhQ?id<7GKn+~gTxrkX`;mlQgajnnO@Ko661Sg+N{mQJoJue+kJyR*n
zpI|cAfjUxw{jIm-FV6YuHeVY3J+V>_bk5m(P%cL9{cKmG52{g6edv}KR+vJ#9DIhh
z+`&yj2EL5-)L~OS4IUEFj;TPG0&l5OL>7fTkTf(%q=zB`#ix|{;9IoW4$68W-EOMw
zU1Z9exbXz{aLyzY+bJmd;3d%}6v^R>G=^}4d><-uDtd@5{WH4e37iS636lxhyOy7*
z=^P&(L$&VmcGcjFJ*<XGW>Y^2h1x<#pk$q+pso7yyVbRYa39}YsOsJJt~i{ahxee(
z*$1*4Py=Wow5Ky1Bv?(AC9{_arG@4}M`&>1n)%U?YWit92P!1@6rkh7<f#Z<gwjFx
zNW9=Acxno?@HO-%g%5DUXS47*Tu;v>rcBjEIKPmt>^hwxxG-Ck)B<`54TY{CJ;Dej
zo74^9WI;_isTHr`)40x>NN@$*f`rQTmdeNQCb%z&7{4e94OmEpF{T%uh(WJ24p)OP
z+0wzWNU<HvRgMG6Rn$^+Rk~xi;j!LABtGB;mH8$)CP!s@pj*O7L7v_|+t4l=stQ$r
zk|T%0h9s$FlLjUtu+*ssV#9}2U2<GY>`5MZ?W9%ln!>&HheIEhwyT0v;6Ya^Qp)+n
z?Gyx*Fw$-Ka@iGmMZ~)76)FSS@Th!csyqlCb%oc%fL5=D*g`MVzKif;(2DF~_mSRc
zzjRP5$43?GIL2g)5;GM75R=|Yx0-DC&{05XF;}6dmvC4vJnoi<0<Tl}`)o-rHQWjO
z3G0c#i6401$+SrC5hLN8Wp(7$5eW(*&?xwO&~4c#@TOa;_0<%$lsuh$vJc?Lpfv?C
zIQOl`)n%k=o$q9E0tCZ5Xk6ff`FMR(`N^_p>LgGds3*jP{;ii~>;>Jpmu;FKA`bbi
zTA=0!-~-6-wL-;|o1hoamQH#-0Rr)X(y%La45y&vG~ufbU$2LNG(z*@r22Nvdq4wd
zf=foncuk}|Y?qO+Fd~OP0`V&}D^guU)E89)RCpfapz4YUp8h`QbK;Gc;HUj<L@I{w
zM)_H9{plsI>~2P+s?Pu8CD#9rNYSE*e;JXw_m7w8{q7~>5B~KMvj1K&7ezBdjdNMI
zFVt{%D?OGWtm|3;y#`3&{c)M_i|Joue$})!8GsuA?>sR%83=<hs*5Q0T>~^2Kp5hD
zXm_l(y0b<Azy$D|aI1h$RXtB(qA2$PO|H8}%uttsyFws64XBW`4I?Xpldwj)4gRpP
z`Lk1dWCInvyVf0^K6HJAtoEoW0#JL8BQP#4kIJg)Yjl7+zz>zGaCx}H`-;!a?R_<N
zs9%N+ckzLY0o2~saUSsb>HRUM>hYQhU=MiJ>0~mfD0Qt(qX`HiE{ABxFscb^q5%fL
zuTzR<U17cRs~$=*K*UDx;dwN#Wi3=*M<jH{fcUCy;Ny=IRj5$=yOO~_HiAEQwfi>+
z!VM&<sujA~hSaAjtK(|)feHY}^Xp@J-~(vOXdR9PDl%eq+5iperHj9wvW6#sj%7nA
z2q|+&`2rTh>uFfwoB8nlhM^_56zDiKKD*o^{gEU}<#r&<^pEMvne6b$z2aiSh*iCQ
zgmEC=9I@DhG?)OTKssuXc`4iH4c!0-pur@GXV|>4u*e&>kiQs9Oz4#!_7q`!)SyjT
z_YGC9%`Ts@NF9<oNk9>ZZT4Gm<n356Tr7e0f%=Lg8Ove$pqL^Tu0mKFXrUA=&JL3S
zt(9c6y@4fzX38O4w_$fcf@Sk8t1vat>q=>_IhX+`sAA09ANCqlo1OGr4<-xxmbK0;
z32O&c<sPtfz%)UYIj>nhcReHb%O`?OAlW$rfqftbSSPfG(I9u&-2if61c>6If-xgO
z_cVcVAPyLiq=g9~i#aQRE7WHhZasj7B1gEdffC>`aKM@Yt4FqRF#vo(9U#DsgzX|<
z^MX-CaiB=z5;laa;yDK-08^lV#T@n+iG7z4P(s!8S1t;e3(}3@Cr|)*1I$FLFb`xN
z(*Zz>I(yj}Y+;2+DMl$E9DoC7EcGx_q$f)Ozz-M$tX#n`0i-rFD*y&?fDbsUuq5On
zTL2&o5Cf^~@~~$}OjdCK3M2uE%=|DLWQbTU5Co(G#asiZ_tNgu1Cqcda7pLY6*v|n
zt^?EnW55cG2xPOoi9ZQ*0kJKWiz~tKL8PmnxGrG*Aj*|ab_7fh6n#1&$pn)Gz5b=k
zB?0RMou4}rJ%hP{_RrWE24V3agUh=tvM^fE!bLQf80-?%a!pOg-Bm=+e>Dgz18MAw
z<F~?GL9Kfu;$yHT(7~Y^R{^XBlydNky$Mzg()~Fhxdjser5r)HQek7D^Ald8$1n>}
z=dl#SU6=w0FRYH`4GaO&4dvjXfqe#TNBH7Kc7>7Cg{#BTKw(4K^trG~kOVS}ff&XC
zs{CXw?hZ2tjSZ7XPQ!vgt6jtrF0e@uZ6}DG40Zy7cSp0_fpLRO;LNxMs1}vlBge80
z+Xh)79<e+?MJe(znw0|P3{vTx;auvXBv+VlMU7C?Pp1+x!AwDkQ!HGfFk%oet0)-<
zI|TX8To4h!W<WzDlMEy<c~H)0R+eQLI!Nvd6IV5C0<=783ekZ51Sx&pXUIjhSNyRV
z!AGzu(D}DTu7s{{<T2x!uqU9nlr(BXm^g?axt1#yHU!E_t7Crz8wYu$&Tz-V>Oqd_
zyF|+{L(q#4Dh!pd7LakK3yUiZ49d%Za6RlgCZ~z%g9(8y)^qSlP$jQj8(|rNjev|c
zd091JZ$SzhnGcL$UqFW2kGLvfEFg!iP4s3|?P~0<uv5bVKw3LKY&I}eP~ZG#ZXB2f
z=<S>}i!$sZ2(rk;wcjO4PPfp5Drs?)C$llk6T}+%mG2Xb5cCjM#jX$Y2DL@^i*doK
zKvaR_V#Kf>kX=CY^SiJ$&{R+!S1Bs*cyE^YNnui;)sSJX*IfhT8^Iee73Aj|FS+}7
z<>&fG`Jer+{F4j+D*xwS{~3|`NBOY~fg`{Pz#(jc$s?(5T?4E@HbBf}4!eU?#Ayc#
z0Zl+paujwO8G|hka07NgKBNH_jpP6a04zWx5YCqdOGRo@Z2@nAVj%N@4vZ3MLtTwJ
zLqdQ8$u$@q(i`#}m;fvRZ7wSq53-*Y2518ZfFJWmSP)W%#tL9Uz4zs|3=AK+L7#|v
zF9YCVh=O?{mFNsmXEGkpBmNepB%CDlsB@kL809j7fsiobRNxSGL|;xm7%TD{84lnH
zTmom3iZBIa2x$|r0lWvqSXW@CNa&qXfB<+0ycJJ^i6hC#Gk_PU@8R<C!ibPUlsdo+
z>UjrlY1iS{D~eBm4NAG#Q0g!!DGl64Y1#mnB}@uABEb(}146(g{|@X0l2Td_r5vNc
zPcceZKN45!5vtq(;J_jWTSQj!KSpKq4q(Pg2pdEe@c9E6Kpqe&E`!REtROYO2v7qi
zT+%Qmq@Tb9&;n=y%i?Va8_-B~1gr!J2ulHFsJiHVP6}Q{sDqB{cfgLYL?pM62LJ)4
z0Wq#{SS|9iC=)8mSfHI>5T=jR6_G;yKM6cRoi|VrcR%Ly2GrT>-ba52-la|MKbVm{
z-?Cl%8IS_5h|dtGNE41IfD-TmG>I?3@dz2vT(K3ZCaq{{>P5iJz&o1Z>iy1Tq?wsD
zzyo{(-XWMkYx_{}5h54#qL>}r0KA|XtOujMF-y}`?b$gFDrho6Xn|^%-N3d84bV_A
zA9xl}r_rp}1up@#G~?AkXF3SIts8*^Ne>Z&eGsZ3-Qwq93_yhjR(}az0gh?xs@FQZ
zklN^4fDtNp8;Eb9>FF!*HX<G*Ut9(j25!@U>qo(~zy^(f^>Jq`^0sF<Km_;#4Tv5P
zM~W2K5U~LgFP;bY0Y)?y^~+!x;DSb{I;^t^xn<RXYRg){H^g(0$vQuH7y$*H7tewF
z0ee&_tieBlAsV7;NT)pLO#%(#9BG5)hI0Ev;2U@ku?H$F?gonj^fV0hgWxNmlcu=(
z%L$(Pit<;e0F(@FUrk9bia0^$*k(0kplWR%ybVxg_#zIF8#<G9`M>~xO@9F92aYoy
zAmAXSs3%=rV-9vQ4Wp<Qod~W(cp<^Iq7720=zPFCUAM-5zI3h&2U-EVY%?+mRZnOx
zbQr;jY?q_}&VVOC9+&{pfb`OFs9Ob!0DN$Ewi6+lY7w*)N;{w(wW$|^2tbP3S~P3|
zD?l~mHKdSfQ$+)k#$>4+b@vhU3A7Rl?`J^O%o`fVCf9-0>MNj8(HAKzBdy8`orV%Y
z79o*L^(uXk`%Ijw><D2bosLIc1%M8uL1IvKZc0<#1Pqv0zXO&OpCWq;Rg{UKF;JGh
zrapUUEz|-^;T05yhv+)8GLfl?K`90vuYYIYn28a2jRtTIs5JjrC`Db#h#`!SyGA@U
z?*Iy5n7$Z{x@Q@HOjVmH0>P--RDqyF)|ir210f72WzcLW6O^Yvfyqi4il{;^8-1?n
z07QWi`du(DP)oDjwlhHZ76a&UVvep*^gz;WWh&!B9iYJwC?t@HR;2{;p2=8M4AGCQ
zFoM(+0=7WdT{);EbOKt4$B)WFGmUmzmD5qQnc_HdYWP~&5o!-LglI!vG7YJ;K^`!v
zDu*GGkOxL?H9t{jJvu!(co)^)gWDXO)T0GE`9b%ZC=_jnGMP4&e?jj+y&;N_WTsv<
zUC07cl4=N|0LftFUqb=p0_%6(p#D%ss1}|!s&#^C!rLO8o<=Vy@*xAU_LUEzHBc$Y
zC)Bi-U{e&pHD&Lag=!l^K%tXYbV_F^$g=H~qQwxt-y3BE=mTinjq;CX{H+&ZOmU<9
zdUSvGBHT!CMx;vrdmX8p>-~Rw5tAt5UwRST|9FY+?_M$={;!v0uKeyLO!|2IYFAJ*
z^)6Izmg=qzRM-;-`UT1jPKHDRwo_W@)4&=^#mnJ$n)aQlo6i;VhUPTPl!KuBP*%iu
zWTS&Ou#CC}l!EYsqk-EJpW1xsJArQ!ubOm#ms7r0%RnFMy6gen956{UpYWB=1}LN<
zNx%iVB!-)|fi#+ggkU;8;317?Lct#0mWomov=J)eH5KNMXgaDF8V++oT{|~*VU0nB
z&%^8h6@aPv*1{C8)k5oHj8|P4BLcPN(d!IU>r?>BVZ6u<Uk894PzGMSw1y#&SUyxJ
z$0-5~Wl3PGNId^7R3sZft^_me92x7^1+)P&fSD25g6u-Zg6Dz-99yWPE#1pB?5UG)
zjh1vMk8F33!UIol=T=0B?=tFopA_Jhm~rUoR>hL^3{sYGevk0=@dwmUO42S7rRm+x
zg*D_^p{nBi5rN^K{EsSmN?<6w>#oM~^L($8?c9xE^}|GYUL$Zv(pl*Maf*EhsBzK`
z^^`<D$i@?Ma)?$JPmW~F3AUK@ssLW8yoQB!+hY;FjyH<z(&@SHA|QMnCJP7v-w9{?
z902=e0%v!q8dO&tkss@I)Zx`Vt#Hp1=sN8=^I7oa1?YfVfFIHMKz@UgQH{7t)6?Tm
zBZ1CVs1c4-rk6$^5belB-(J*b#sD6=Vel&i7jjq_Ck%n|$#n31_Qd1VDg{(tlLvsP
zB0XCsR=mTzU!W|Wnb1$r13GNTD3Cf;hyDZDMX9wuT(F56@fc|&41}$sJlKqm3QR&j
zmA$(s*M1wNNI3)PQ4bZ;faXjH#Vtw>uWw-{q`?6l;c_9JA@4&hLk>b#=vd(1!V3;v
zvdlSAOwx$^+XfD=p#jh$)c6WHoDSfD=VR?Sbg9eHMYNlTDykGf2cVeH8A%bvhusk6
zJlw#c*|15;TTV;u%b_VMBG5IcCDcu#xsef0uRMMj1~@jnY+w|1P!Udv8whDa`Kp(B
z#G`?oP+s*Xb0koD<v3-TzEa8DY!dhx?qYrK5F+eMGSe=1NU|I%8T91Y90zn6>I(!x
zB_t=5_UF2w=TI(a29PHCMRhsHA(#q5%V!33=Dc`lhal&3Z*b3<l8r&s@?qCC<(R0j
zAp-f5>)qjoSnnOaDg?Ldg-)mxLMx!y(8rQj8hG98&w6nahOX26CHuIcT`I;Egd^<&
zq0%aZ&|PRWlu3fA&@X3Gt+unu*nB`ZI!*oIVGMBD0Bc|uZGm?xm#ctM)(5Pcu7G(j
zhX`?a;<E<>3!!c5GIN<wLFHxThQ4yip`!kw;WS@KLf_7z$PSRC$IIPzx`<Ac#~1=7
zP%+641BZ5th-0Wa)DNl)+?AA2UCr5xw(YbwriSO<)^u=@{Ya4+Zoq5XNoLFnpS{iK
zupm1COC|iIstgsQU<@bXz3BXAJO^jIP2liYwwb~;Jf>^hI0$ZWyUXE=><bFFa3?Az
zmt!bQ?-bSg;0QJ>J_k-&DsgV3>b~Qw7-*)R0rVd9spT3JTQ3h<2hBqgDpR;Xph|l5
z&;)4t1JnF|bI(8+d?xA_GE$iUo>P<uca`OZm*9D*TYwqD+lsB8XllNRi5*~ZRUf$R
zsxuHrz&g-47NcOnhLqPpy=pf2q+f%WjObx6{XimJEb~A)0|O%)>pbd@;~T4*CPzP!
znr5+qrlw{ec^gN|K*)c;0{!QerlMb(ni{eXA3`4~J$v@w|NQ^`{KiY>P|BZ!hW5{+
zZ*G%3ZWfK1HrUS-7fk^dEgs5qqx=pTzbpT$z(2|lMst!r{$2V1zbXMLKs32m1ZX!A
zFa6d10_|=h79RN1{Q}Kz#?Z1b{~SYG|0~g3>V_zO{3r1p{*9lea{Y(+{9ixa{wp!D
z?uN(^@Fy`=|0YHl{-4DCzY_Uh-4H_%e-e{1Zek1*`jhzcuS6k*8{(VYKZ&_oH!=E=
z{z)Xy{M&Vj+29RP=Vr&=|8>7z(b-Lm9uj{NssBoRQguVL2>z2;k#iHH6Z}si!(WMw
zFK>ufJ%1AGRBmFl-};lt^jD&G`3=$h-Jisc)SDR12L2?n|CRXlpY}Na^G{-r+)a!I
zM}HFOa{g8`;>9;HdPn?8{2Y4|qsGX8h&KPWaOS@ff9~86yA=K;jz74GQRV-RWdDa4
zmiM<9pUmG7EuQ>IoDaW=QTqFDF&f<{#Zdm=h}{i0#6zDyiK}ra;wQ2HTWZ^z@$nnt
z*k6fpiZ?{2o&P71gcwaM^FJ~EhdA*+h=1s>5R~_Z=x~W5{*OCKSL0CnyB9!=<`e|{
z7x5-O)b+gWO^kO6ZlUR;^z!EMzldmPY7Xi*MChk~iD-9Dnzs3Sgx=WjU<aU9N(!m}
zji@LfAi|*SWcJe8+RBN+!qMTCy_Jg<&u#phBfTyDTYe9fZ;sTx`JZewq20MT3hHQT
zsQg|lVEiW=cK_!0pyY4F)<-wQv*rIM5tUyBREg2iaq&@^_z&^we-Qu3hLFQQMCi)@
y%7z*$PMiReKk{pLQ|jc3zs30CA5BvIznb)4rN%*(TK%TwKfL-+j4y6V{eJ+%u5x1l

literal 0
HcmV?d00001

diff --git a/testing/btest/core/leaks/pe.test b/testing/btest/core/leaks/pe.test
new file mode 100644
index 0000000000..d951cdbd47
--- /dev/null
+++ b/testing/btest/core/leaks/pe.test
@@ -0,0 +1,12 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/pe/pe.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+@load base/protocols/ftp
+@load base/files/pe
+

From 0199ac5ece3a815b338335e3723345f87f5d54e2 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 20:27:24 -0400
Subject: [PATCH 38/54] Add a btest for the PE analyzer.

---
 .../Baseline/scripts.base.files.pe.basic/pe.log     | 13 +++++++++++++
 testing/btest/scripts/base/files/pe/basic.test      |  5 +++++
 2 files changed, 18 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.files.pe.basic/pe.log
 create mode 100644 testing/btest/scripts/base/files/pe/basic.test

diff --git a/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log
new file mode 100644
index 0000000000..5659276fee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	pe
+#open	2015-04-20-00-26-40
+#fields	ts	id	machine	compile_ts	os	subsystem	is_exe	is_64bit	uses_aslr	uses_dep	uses_code_integrity	uses_seh	has_import_table	has_export_table	has_cert_table	has_debug_data	section_names
+#types	time	string	string	time	string	string	bool	bool	bool	bool	bool	bool	bool	bool	bool	bool	vector[string]
+1429466342.201366	Fz2N9x4SAxQiSnI6mk	unknown-475	0.000000	-	-	F	T	F	F	F	T	-	-	-	-	-
+1429466342.278998	F5fc4q3zhJHmYSvm8a	I386	1402852568.000000	Windows NT 4.0	WINDOWS_GUI	T	F	F	F	F	T	T	T	F	F	.text,.Ddata,.data,.rsrc
+1429466342.225653	Fzysjj1zfjAcgWgm22	I386	1171692517.000000	Windows XP 64-Bit Edition	WINDOWS_GUI	T	F	F	F	F	T	T	F	F	T	.text,.data,.rsrc
+1429466342.250474	FOuWFKf04xcHH4ck	I386	1210911433.000000	Windows NT 4.0	WINDOWS_CUI	T	F	F	F	F	T	T	F	T	T	.text,.rdata,.data,.rsrc
+#close	2015-04-20-00-26-41
diff --git a/testing/btest/scripts/base/files/pe/basic.test b/testing/btest/scripts/base/files/pe/basic.test
new file mode 100644
index 0000000000..4ca9ceecef
--- /dev/null
+++ b/testing/btest/scripts/base/files/pe/basic.test
@@ -0,0 +1,5 @@
+# This tests the PE analyzer against a PCAP of 4 PE files being downloaded via FTP.
+# The files are a mix of DLL/EXEs, signed/unsigned, and 32/64-bit files.
+
+# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT
+# @TEST-EXEC: btest-diff pe.log

From 71230fec81e8e0586a964d8bf651cbf3641b49e0 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 21:16:35 -0400
Subject: [PATCH 39/54] Update baselines.

---
 scripts/base/files/pe/main.bro                |  2 +
 .../canonified_loaded_scripts.log             |  5 +-
 .../canonified_loaded_scripts.log             |  8 +-
 .../btest/Baseline/coverage.find-bro-logs/out |  1 +
 testing/btest/Baseline/plugins.hooks/output   | 91 +++++++++++--------
 .../all-events.log                            | 24 ++---
 6 files changed, 79 insertions(+), 52 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 8577d24078..7ab8f64bec 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -1,5 +1,7 @@
 module PE;
 
+@load ./consts.bro
+
 export {
 	redef enum Log::ID += { LOG };
 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 65e3c1b9e2..38c1930a99 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-04-17-16-40-15
+#open	2015-04-20-00-41-21
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -110,6 +110,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_PE.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
@@ -125,4 +126,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2015-04-17-16-40-15
+#close	2015-04-20-00-41-21
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 65745fed7d..b705f00202 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-04-17-16-46-56
+#open	2015-04-20-01-01-51
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -110,6 +110,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_PE.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
@@ -254,6 +255,9 @@ scripts/base/init-default.bro
     scripts/base/protocols/syslog/consts.bro
     scripts/base/protocols/syslog/main.bro
   scripts/base/protocols/tunnels/__load__.bro
+  scripts/base/files/pe/__load__.bro
+    scripts/base/files/pe/consts.bro
+    scripts/base/files/pe/main.bro
   scripts/base/files/extract/__load__.bro
     scripts/base/files/extract/main.bro
   scripts/base/files/unified2/__load__.bro
@@ -261,4 +265,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2015-04-17-16-46-56
+#close	2015-04-20-01-01-51
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index 8feda88d15..961870249d 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -25,6 +25,7 @@ mysql
 notice
 notice_alarm
 packet_filter
+pe
 radius
 rdp
 reporter
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 9d3a9d53ae..1b63a4a702 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -152,6 +152,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -184,6 +185,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])) -> <no result>
@@ -201,7 +203,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -217,6 +219,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Notice::ALARM_LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Notice::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (PE::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (PacketFilter::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (RADIUS::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (RDP::LOG)) -> <no result>
@@ -249,6 +252,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -281,6 +285,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])) -> <no result>
@@ -298,7 +303,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -373,6 +378,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NetFlow.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_PE.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_PIA.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_POP3.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
@@ -524,6 +530,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/packet-filter) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/paths) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/patterns) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/pe) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/plugins) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/pop3) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/queue) -> -1
@@ -707,6 +714,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -739,6 +747,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp]))
@@ -756,7 +765,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -772,6 +781,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Notice::ALARM_LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Notice::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (PE::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (PacketFilter::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (RADIUS::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (RDP::LOG))
@@ -804,6 +814,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -836,6 +847,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp]))
@@ -853,7 +865,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -928,6 +940,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NetFlow.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NoneWriter.none.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_PE.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_PIA.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_POP3.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RADIUS.events.bif.bro)
@@ -1079,6 +1092,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/packet-filter)
 0.000000   MetaHookPre   LoadFile(base<...>/paths)
 0.000000   MetaHookPre   LoadFile(base<...>/patterns)
+0.000000   MetaHookPre   LoadFile(base<...>/pe)
 0.000000   MetaHookPre   LoadFile(base<...>/plugins)
 0.000000   MetaHookPre   LoadFile(base<...>/pop3)
 0.000000   MetaHookPre   LoadFile(base<...>/queue)
@@ -1261,6 +1275,7 @@
 0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -1293,6 +1308,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])
 0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])
 0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])
+0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=<uninitialized>])
 0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])
 0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])
 0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])
@@ -1310,7 +1326,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1326,6 +1342,7 @@
 0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(PE::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(PacketFilter::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(RADIUS::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(RDP::LOG)
@@ -1358,6 +1375,7 @@
 0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -1390,6 +1408,7 @@
 0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus, path=modbus])
 0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>, path=notice_alarm])
 0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=<no value description>, ev=Notice::log_notice, path=notice])
+0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=<no value description>, ev=PE::log_pe, path=<uninitialized>])
 0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>, path=packet_filter])
 0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius, path=radius])
 0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=<no value description>, ev=RDP::log_rdp, path=rdp])
@@ -1407,7 +1426,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429289002.204837, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1616,17 +1635,17 @@
 1362692527.008509 | HookDrainEvents
 1362692527.009512   MetaHookPost  CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 1048576)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 1048576)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -1645,7 +1664,7 @@
 1362692527.009512   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(split_string_all, <frame>, (HTTP, <...>/)) -> <no result>
 1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
 1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
@@ -1662,17 +1681,17 @@
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
 1362692527.009512   MetaHookPre   CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3))
 1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 1048576))
-1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576))
+1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 1048576))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
 1362692527.009512   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1691,7 +1710,7 @@
 1362692527.009512   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009512   MetaHookPre   CallFunction(split_string_all, <frame>, (HTTP, <...>/))
 1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1709,17 +1728,17 @@
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3)
 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 1048576)
-1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)
+1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 1048576)
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
 1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -1738,7 +1757,7 @@
 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/)
 1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -1764,8 +1783,8 @@
 1362692527.009765   MetaHookPre   UpdateNetworkTime(1362692527.009765)
 1362692527.009765  | HookUpdateNetworkTime 1362692527.009765
 1362692527.009765 | HookDrainEvents
-1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
@@ -1775,7 +1794,7 @@
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_mime_type, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -1784,13 +1803,13 @@
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
 1362692527.009775   MetaHookPost  QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
 1362692527.009775   MetaHookPost  UpdateNetworkTime(1362692527.009775) -> <void>
-1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
@@ -1800,7 +1819,7 @@
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   CallFunction(file_mime_type, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
-1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1809,14 +1828,14 @@
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
 1362692527.009775   MetaHookPre   QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
-1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   UpdateNetworkTime(1362692527.009775)
 1362692527.009775  | HookUpdateNetworkTime 1362692527.009775
-1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
@@ -1826,7 +1845,7 @@
 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookCallFunction file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
-1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -1835,7 +1854,7 @@
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
 1362692527.009775 | HookQueueEvent file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
-1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 078f9e61e4..c1fec4181e 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -297,10 +297,10 @@
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
@@ -313,11 +313,11 @@
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_mime_type
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] mime_type: string  = text/plain
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -341,10 +341,10 @@
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
@@ -357,11 +357,11 @@
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_mime_type
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] mime_type: string  = text/html
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -402,10 +402,10 @@
                   [2] is_orig: bool      = F
 
 1254722770.692804 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
@@ -413,7 +413,7 @@
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.494181 file_mime_type
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] mime_type: string  = text/plain
 
 1254722771.858334 mime_end_entity
@@ -425,7 +425,7 @@
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP

From e3d63bfee8622cf7776383f197000039e8da54c6 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 21:38:34 -0400
Subject: [PATCH 40/54] A bit of final script cleanup.

---
 scripts/base/files/pe/consts.bro | 19 +++++++++++++++++++
 scripts/base/files/pe/main.bro   | 32 ++++++++++++++++++--------------
 2 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro
index 4dc21ec179..22f246a3e9 100644
--- a/scripts/base/files/pe/consts.bro
+++ b/scripts/base/files/pe/consts.bro
@@ -70,6 +70,25 @@ export {
 		[14] = "XBOX"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
+	const directories: table[count] of string = {
+		[0]  = "Export Table",
+		[1]  = "Import Table",
+		[2]  = "Resource Table",
+		[3]  = "Exception Table",
+		[4]  = "Certificate Table",
+		[5]  = "Base Relocation Table",
+		[6]  = "Debug",
+		[7]  = "Architecture",
+		[8]  = "Global Ptr",
+		[9]  = "TLS Table",
+		[10] = "Load Config Table",
+		[11] = "Bound Import",
+		[12] = "IAT",
+		[13] = "Delay Import Descriptor",
+		[14] = "CLR Runtime Header",
+		[15] = "Reserved"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
 	const section_characteristics: table[count] of string = {
 		[0x8]        = "TYPE_NO_PAD",
 		[0x20]       = "CNT_CODE",
diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 7ab8f64bec..eb2f5a7f67 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -77,10 +77,7 @@ event bro_init() &priority=5
 hook set_file(f: fa_file) &priority=5
 	{
 	if ( ! f?$pe )
-		{
-		local c: set[string] = set();
 		f$pe = [$ts=network_time(), $id=f$id];
-		}
 	}
 
 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
@@ -91,12 +88,14 @@ event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5
 event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 	{
 	hook set_file(f);
-	f$pe$is_exe = h$optional_header_size > 0;
-	f$pe$compile_ts = h$ts;
+
 	f$pe$machine    = machine_types[h$machine];
+	f$pe$compile_ts = h$ts;
+	f$pe$is_exe     = ( h$optional_header_size > 0 );
+
 	for ( c in h$characteristics )
 		{
-		if ( c == 0x100 )
+		if ( file_characteristics[c] == "32BIT_MACHINE" )
 			f$pe$is_64bit = F;
 		}
 	}
@@ -104,32 +103,37 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5
 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5
 	{
 	hook set_file(f);
+
+	# Only EXEs have optional headers
 	if ( ! f$pe$is_exe )
 		return;
 		
-	f$pe$os = os_versions[h$os_version_major, h$os_version_minor];
+	f$pe$os        = os_versions[h$os_version_major, h$os_version_minor];
 	f$pe$subsystem = windows_subsystems[h$subsystem];
+
 	for ( c in h$dll_characteristics )
 		{
-		if ( c == 0x40 )
+		if ( dll_characteristics[c] == "DYNAMIC_BASE" )
 			f$pe$uses_aslr = T;
-		if ( c == 0x80 )
+		if ( dll_characteristics[c] == "FORCE_INTEGRITY" )
 			f$pe$uses_code_integrity = T;
-		if ( c == 0x100 )
+		if ( dll_characteristics[c] == "NX_COMPAT" )
 			f$pe$uses_dep = T;
-		if ( c == 0x400 )
+		if ( dll_characteristics[c] == "NO_SEH" )
 			f$pe$uses_seh = F;
 		}
 
 	f$pe$has_export_table = (|h$table_sizes| > 0 && h$table_sizes[0] > 0);
 	f$pe$has_import_table = (|h$table_sizes| > 1 && h$table_sizes[1] > 0);
-	f$pe$has_cert_table = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
-	f$pe$has_debug_data = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
+	f$pe$has_cert_table   = (|h$table_sizes| > 4 && h$table_sizes[4] > 0);
+	f$pe$has_debug_data   = (|h$table_sizes| > 6 && h$table_sizes[6] > 0);
 	}
 
 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 	{
 	hook set_file(f);
+
+	# Only EXEs have section headers
 	if ( ! f$pe$is_exe )
 		return;
 
@@ -140,7 +144,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5
 
 event file_state_remove(f: fa_file) &priority=-5
 	{
-	if ( f?$pe )
+	if ( f?$pe && f$pe?$machine )
 		Log::write(LOG, f$pe);
 	}
 

From 49d54b6a4e6e1d11525d3240a6a9b70758831365 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Sun, 19 Apr 2015 21:59:42 -0400
Subject: [PATCH 41/54] A bit of final core-level cleanup.

---
 src/file_analysis/analyzer/pe/PE.cc               |  3 +--
 src/file_analysis/analyzer/pe/PE.h                |  2 +-
 src/file_analysis/analyzer/pe/pe-file-headers.pac | 10 ++++++----
 src/file_analysis/analyzer/pe/pe-file.pac         |  7 ++++---
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc
index 44464a3a5d..9db13291b0 100644
--- a/src/file_analysis/analyzer/pe/PE.cc
+++ b/src/file_analysis/analyzer/pe/PE.cc
@@ -8,7 +8,7 @@ PE::PE(RecordVal* args, File* file)
 	{
 	conn = new binpac::PE::MockConnection(this);
 	interp = new binpac::PE::File(conn);
-	done=false;
+	done = false;
 	}
 
 PE::~PE()
@@ -27,7 +27,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		printf("Binpac exception: %s\n", e.c_msg());
 		return false;
 		}
 
diff --git a/src/file_analysis/analyzer/pe/PE.h b/src/file_analysis/analyzer/pe/PE.h
index 1fd67c22db..4bdf7b3969 100644
--- a/src/file_analysis/analyzer/pe/PE.h
+++ b/src/file_analysis/analyzer/pe/PE.h
@@ -10,7 +10,7 @@
 namespace file_analysis {
 
 /**
- * An action to simply extract files to disk.
+ * Analyze Portable Executable files
  */
 class PE : public file_analysis::Analyzer {
 public:
diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac
index a3d46dc72e..f12d76e035 100644
--- a/src/file_analysis/analyzer/pe/pe-file-headers.pac
+++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac
@@ -39,9 +39,9 @@ type DOS_Code(len: uint32) = record {
 type NT_Headers = record {
 	PESignature     : uint32;
 	file_header     : File_Header;
-	have_opt_header : case file_header.SizeOfOptionalHeader of {
-		0       -> none: empty;
-		default -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
+	have_opt_header : case is_exe of {
+		true  -> optional_header : Optional_Header &length=file_header.SizeOfOptionalHeader;
+		false -> none: empty;
 		};
 } &let {
 	length: uint32 = file_header.SizeOfOptionalHeader + offsetof(have_opt_header);
@@ -101,7 +101,7 @@ type Optional_Header = record {
 	number_of_rva_and_sizes : uint32;
 	rvas			: RVAS(number_of_rva_and_sizes);
 } &let {
-	pe_format: uint8 = $context.connection.set_pe32_format(magic);
+	pe_format : uint8 = $context.connection.set_pe32_format(magic);
 	image_base: uint64 = pe_format == PE32_PLUS ? image_base_64 : image_base_32;
 };
 
@@ -149,8 +149,10 @@ refine connection MockConnection += {
 		%{
 		if ( ${magic} == 0x10b )
 			pe32_format_ = PE32;
+
 		if ( ${magic} == 0x20b )
 			pe32_format_ = PE32_PLUS;
+
 		return pe32_format_;
 		%}
 
diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
index 0cb308b17e..3eed9ad5bd 100644
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -12,8 +12,9 @@ type Portable_Executable = record {
 	pad     : Padding(restofdata);
 } &let {
 	unparsed_hdr_len: uint32 = headers.pe_header.size_of_headers - headers.length;
-	restofdata: uint64 = headers.pe_header.is_exe ? $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len : 0;
-	proc: bool = $context.connection.proc_pe(this);
+	data_post_hdrs:   uint64 = $context.connection.get_max_file_location() - headers.pe_header.size_of_headers + unparsed_hdr_len;
+	restofdata:       uint64 = headers.pe_header.is_exe ? data_post_hdrs : 0;
+	proc:             bool   = $context.connection.mark_done();
 } &byteorder=littleendian;
 
 refine connection MockConnection += {
@@ -26,7 +27,7 @@ refine connection MockConnection += {
 		done_ = false;
 	%}
 
-	function proc_pe(p: Portable_Executable): bool
+	function mark_done(): bool
 		%{
 		done_ = true;
 		return true;

From faabe8a5e35432fb58f0ba90b123c25d1e827822 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 20 Apr 2015 09:34:09 -0400
Subject: [PATCH 42/54] Fixes for file type identification.

 - Backed out eTag changes.  The real world is more complicated
   than just using eTags to identify the same file.
 - A bit of code simplication in the http base scripts.
 - Test updates (more existing small problems were identified!).
 -
---
 .../base/frameworks/files/magic/general.sig   |   1 +
 scripts/base/protocols/http/entities.bro      |   2 +-
 scripts/base/protocols/http/files.bro         |   4 +-
 scripts/base/protocols/http/main.bro          |  39 +-
 .../core.tunnels.gtp.outer_ip_frag/http.log   |   6 +-
 .../btest-doc.sphinx.connection-record-02#1   |   4 +-
 testing/btest/Baseline/plugins.hooks/output   | 399 +++++++++---------
 .../bro..stdout                               |   2 -
 .../get-gzip.out                              |   2 +-
 .../out                                       |   2 +-
 .../b.out                                     |   2 -
 .../out                                       |   2 +-
 .../http.log                                  |  50 +--
 .../http.log                                  |   6 +-
 14 files changed, 259 insertions(+), 262 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 2ef99c31fc..81679944f3 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -101,6 +101,7 @@ signature file-ocsp-request {
 	file-mime "application/ocsp-request", 71
 }
 
+# OCSP responses over HTTP.
 signature file-ocsp-response {
 	file-magic /^.{11,19}\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01/
 	file-mime "application/ocsp-response", 71
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index 9fcf7f24f7..597637e63e 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -43,7 +43,7 @@ export {
 
 event http_begin_entity(c: connection, is_orig: bool) &priority=10
 	{
-	set_state(c, F, is_orig);
+	set_state(c, is_orig);
 
 	if ( is_orig )
 		++c$http$orig_mime_depth;
diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.bro
index 92747beb87..840b5a2372 100644
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.bro
@@ -19,12 +19,12 @@ function get_file_handle(c: connection, is_orig: bool): string
 	if ( ! c?$http )
 		return "";
 
-	if ( c$http$range_request && c$http?$etag && ! is_orig )
+	if ( c$http$range_request && ! is_orig )
 		{
 		# Any multipart responses from the server are pieces of same file
 		# that correspond to range requests, so don't use mime depth to
 		# identify the file.
-		return cat(Analyzer::ANALYZER_HTTP, is_orig, c$id$orig_h, build_url(c$http), c$http$etag);
+		return cat(Analyzer::ANALYZER_HTTP, is_orig, c$id$orig_h, build_url(c$http));
 		}
 	else
 		{
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 9c82aadd05..87971edd69 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -78,9 +78,6 @@ export {
 		## Indicates if this request can assume 206 partial content in
 		## response.
 		range_request:           bool      &default=F;
-		## ETag for the return data used to match up 
-		## partial content responses.
-		etag:                    string    &optional;
 	};
 
 	## Structure to maintain state for an HTTP connection with multiple
@@ -161,7 +158,7 @@ function new_http_session(c: connection): Info
 	return tmp;
 	}
 
-function set_state(c: connection, request: bool, is_orig: bool)
+function set_state(c: connection, is_orig: bool)
 	{
 	if ( ! c?$http_state )
 		{
@@ -170,15 +167,20 @@ function set_state(c: connection, request: bool, is_orig: bool)
 		}
 
 	# These deal with new requests and responses.
-	if ( request || c$http_state$current_request !in c$http_state$pending )
-		c$http_state$pending[c$http_state$current_request] = new_http_session(c);
-	if ( ! is_orig && c$http_state$current_response !in c$http_state$pending )
-		c$http_state$pending[c$http_state$current_response] = new_http_session(c);
-
 	if ( is_orig )
+		{
+		if ( c$http_state$current_request !in c$http_state$pending )
+			c$http_state$pending[c$http_state$current_request] = new_http_session(c);
+
 		c$http = c$http_state$pending[c$http_state$current_request];
-	else
+		}
+	else 
+		{
+		if ( c$http_state$current_response !in c$http_state$pending )
+			c$http_state$pending[c$http_state$current_response] = new_http_session(c);
+		
 		c$http = c$http_state$pending[c$http_state$current_response];
+		} 
 	}
 
 event http_request(c: connection, method: string, original_URI: string,
@@ -191,7 +193,7 @@ event http_request(c: connection, method: string, original_URI: string,
 		}
 
 	++c$http_state$current_request;
-	set_state(c, T, T);
+	set_state(c, T);
 
 	c$http$method = method;
 	c$http$uri = unescaped_URI;
@@ -213,8 +215,10 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 	if ( c$http_state$current_response !in c$http_state$pending ||
 	     (c$http_state$pending[c$http_state$current_response]?$status_code &&
 	       ! code_in_range(c$http_state$pending[c$http_state$current_response]$status_code, 100, 199)) )
+		{
 		++c$http_state$current_response;
-	set_state(c, F, F);
+		}
+	set_state(c, F);
 
 	c$http$status_code = code;
 	c$http$status_msg = reason;
@@ -238,7 +242,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
 	{
-	set_state(c, F, is_orig);
+	set_state(c, is_orig);
 
 	if ( is_orig ) # client headers
 		{
@@ -283,18 +287,11 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 				}
 			}
 		}
-	else
-		{
-		if ( name == "ETAG" )
-			{
-			c$http$etag = value;
-			}
-		}
 	}
 
 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = 5
 	{
-	set_state(c, F, is_orig);
+	set_state(c, is_orig);
 
 	if ( is_orig )
 		c$http$request_body_len = stat$body_length;
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
index ab4b369533..de56e2b61d 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-04-01-22-57-15
+#open	2015-04-20-12-47-51
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	-
-#close	2014-04-01-22-57-15
+1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FW9Lvl44OWYBjZahrl	-
+#close	2015-04-20-12-47-51
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
index 49fb44ebf7..fc65502ff4 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
@@ -11,7 +11,7 @@
       
       }], extract_orig=F, extract_resp=F, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
       
-      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
+      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
       
-      }, current_request=1, current_response=1]]
+      }, current_request=1, current_response=1, trans_depth=1]]
 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index b60d905499..2b8df03351 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -133,7 +133,7 @@
 0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && HTTP::c$http?$etag && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http), HTTP::c$http$etag))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <no result>
@@ -201,7 +201,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429534151.732383, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -298,7 +298,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429534151.732383, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -686,7 +686,7 @@
 0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
+0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && HTTP::c$http?$etag && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http), HTTP::c$http$etag))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
@@ -754,7 +754,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429534151.732383, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -851,7 +851,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429534151.732383, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -1238,7 +1238,7 @@
 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && HTTP::c$http?$etag && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http), HTTP::c$http$etag))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
@@ -1306,7 +1306,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429534151.732383, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1403,7 +1403,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1427751587.816777, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429534151.732383, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1495,24 +1495,24 @@
 1362692526.939378 | HookDrainEvents
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
@@ -1527,29 +1527,29 @@
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
 1362692526.939527   MetaHookPost  UpdateNetworkTime(1362692526.939527) -> <void>
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
-1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692526.939527   MetaHookPre   CallFunction(network_time, <frame>, ())
@@ -1564,30 +1564,30 @@
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   UpdateNetworkTime(1362692526.939527)
 1362692526.939527  | HookUpdateNetworkTime 1362692526.939527
 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
-1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, T)
+1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
-1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692526.939527 | HookCallFunction network_time()
@@ -1602,7 +1602,7 @@
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692527.008509   MetaHookPost  DrainEvents() -> <void>
 1362692527.008509   MetaHookPost  UpdateNetworkTime(1362692527.008509) -> <void>
@@ -1612,142 +1612,145 @@
 1362692527.008509 | HookDrainEvents
 1362692527.009512   MetaHookPost  CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 1048576)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(split_string_all, <frame>, (HTTP, <...>/)) -> <no result>
 1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
 1362692527.009512   MetaHookPre   CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3))
 1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 1048576))
-1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576))
+1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009512   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009512   MetaHookPre   CallFunction(split_string_all, <frame>, (HTTP, <...>/))
 1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   UpdateNetworkTime(1362692527.009512)
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3)
 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 1048576)
-1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)
+1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
+1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/)
 1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009721   MetaHookPost  DrainEvents() -> <void>
 1362692527.009721   MetaHookPost  UpdateNetworkTime(1362692527.009721) -> <void>
 1362692527.009721   MetaHookPre   DrainEvents()
@@ -1760,11 +1763,11 @@
 1362692527.009765   MetaHookPre   UpdateNetworkTime(1362692527.009765)
 1362692527.009765  | HookUpdateNetworkTime 1362692527.009765
 1362692527.009765 | HookDrainEvents
-1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
@@ -1773,23 +1776,23 @@
 1362692527.009775   MetaHookPost  CallFunction(file_mime_type, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
 1362692527.009775   MetaHookPost  QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
+1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
 1362692527.009775   MetaHookPost  UpdateNetworkTime(1362692527.009775) -> <void>
-1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
+1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
@@ -1798,24 +1801,24 @@
 1362692527.009775   MetaHookPre   CallFunction(file_mime_type, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
+1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
 1362692527.009775   MetaHookPre   QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
 1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
+1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   UpdateNetworkTime(1362692527.009775)
 1362692527.009775  | HookUpdateNetworkTime 1362692527.009775
-1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
+1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
@@ -1824,17 +1827,17 @@
 1362692527.009775 | HookCallFunction file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
+1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
 1362692527.009775 | HookQueueEvent file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
+1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009855   MetaHookPost  DrainEvents() -> <void>
 1362692527.009855   MetaHookPost  UpdateNetworkTime(1362692527.009855) -> <void>
 1362692527.009855   MetaHookPre   DrainEvents()
@@ -1860,18 +1863,18 @@
 1362692527.080828  | HookUpdateNetworkTime 1362692527.080828
 1362692527.080828 | HookDrainEvents
 1362692527.080972   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(bro_done, <null>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(get_port_transport_proto, <frame>, (80/tcp)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(is_tcp_port, <frame>, (59856/tcp)) -> <no result>
@@ -1884,23 +1887,23 @@
 1362692527.080972   MetaHookPost  DrainEvents() -> <void>
 1362692527.080972   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692527.080972   MetaHookPost  QueueEvent(bro_done()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692527.080972   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 1362692527.080972   MetaHookPost  UpdateNetworkTime(1362692527.080972) -> <void>
 1362692527.080972   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
-1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
-1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
+1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
 1362692527.080972   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
 1362692527.080972   MetaHookPre   CallFunction(bro_done, <null>, ())
 1362692527.080972   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 1362692527.080972   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.080972   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   CallFunction(get_port_transport_proto, <frame>, (80/tcp))
 1362692527.080972   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.080972   MetaHookPre   CallFunction(is_tcp_port, <frame>, (59856/tcp))
@@ -1913,24 +1916,24 @@
 1362692527.080972   MetaHookPre   DrainEvents()
 1362692527.080972   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692527.080972   MetaHookPre   QueueEvent(bro_done())
-1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   UpdateNetworkTime(1362692527.080972)
 1362692527.080972  | HookUpdateNetworkTime 1362692527.080972
 1362692527.080972 | HookCallFunction ChecksumOffloading::check()
-1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
-1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
+1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
 1362692527.080972 | HookCallFunction bro_done()
 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction filter_change_tracking()
 1362692527.080972 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692527.080972 | HookCallFunction get_port_transport_proto(80/tcp)
 1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.080972 | HookCallFunction is_tcp_port(59856/tcp)
@@ -1943,6 +1946,6 @@
 1362692527.080972 | HookDrainEvents
 1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
 1362692527.080972 | HookQueueEvent bro_done()
-1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookQueueEvent filter_change_tracking()
-1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
index 89ee79cad4..8abdf9a89b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
@@ -22,7 +22,5 @@ FILE_GAP
 FILE_STATE_REMOVE
 file #1, 206024, 816896
 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
-FILE_BOF_BUFFER
-\x1b\xb8=\xb1\xff^PU^P\xce\xc3^
 total bytes: 1022920
 source: HTTP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
index 0ed8262afc..b331f0670b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
@@ -7,7 +7,7 @@ file #0, 197, 0
 FILE_BOF_BUFFER
 {^J  "origin
 MIME_TYPE
-text/plain
+text/json
 source: HTTP
 MD5: 5baba7eea57bc8a42a92c817ed566d72
 SHA1: e351b8c693c3353716787c02e2923f4d12ebbb31
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
index d6b94e5372..7b9a721aa2 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
@@ -43,7 +43,7 @@ file #3, 465, 0
 FILE_BOF_BUFFER
 {^J  "data":
 MIME_TYPE
-text/plain
+text/json
 total bytes: 465
 source: HTTP
 MD5: 226244811006caf4ac904344841168dd
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
index 36202f285b..c129982a8e 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
@@ -21,7 +21,5 @@ FILE_GAP
 FILE_STATE_REMOVE
 file #1, 206024, 816896
 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
-FILE_BOF_BUFFER
-\x1b\xb8=\xb1\xff^PU^P\xce\xc3^
 total bytes: 1022920
 source: HTTP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
index deddfbb640..2b130e7869 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
@@ -22,7 +22,7 @@ file #1, 366, 0
 FILE_BOF_BUFFER
 {^J  "origin
 MIME_TYPE
-text/plain
+text/json
 total bytes: 366
 source: HTTP
 MD5: c9337794df612aeaa901dcf9fa446bca
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
index 8a00755e8d..d8a78a38b1 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
@@ -3,56 +3,56 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-04-01-23-16-03
+#open	2015-04-20-12-36-37
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1354328870.191989	CXWv6p3arKYeMETxOg	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	-	0	962	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FKgccv1sOsIPuN3b73	text/html
 1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	1	OPTIONS	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FWUdF12OgqGLhf3NPl	text/html
-1354328874.299063	CCvvfg3TEfuqmmG4bh	128.2.6.136	46564	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FE9yCx4wFg8js0ey37	text/html
-1354328874.342591	CsRx2w45OKnoww6xl4	128.2.6.136	46565	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNt1Jq2h23tJ5Hwp2b	text/html
+1354328874.299063	CCvvfg3TEfuqmmG4bh	128.2.6.136	46564	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FrYoRN2EwpZyXbyvF8	text/html
+1354328874.342591	CsRx2w45OKnoww6xl4	128.2.6.136	46565	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FJPouz1lbXUsa4Ef1	text/html
 1354328874.364020	CRJuHdVW0XPVINV8a	128.2.6.136	46566	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43911	200	OK	-	-	-	(empty)	-	-	-	-	-	FbONWS332vB7QP1sDi	text/html
 1354328878.470424	CPbrpk1qSsw6ESzHV4	128.2.6.136	46567	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43983	200	OK	-	-	-	(empty)	-	-	-	-	-	Fw8xGD2taqNAOVvI88	text/html
 1354328882.575456	C6pKV8GSxOnSLghOa	128.2.6.136	46568	173.194.75.103	80	1	GET	www.google.com	/HTTP/1.1	-	-	0	1207	403	Forbidden	-	-	-	(empty)	-	-	-	-	-	FdEQPY3H4Z608y5yq1	text/html
-1354328882.928027	CIPOse170MGiRM1Qf4	128.2.6.136	46569	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fe1D9QLJph7d7eq5l	text/html
-1354328882.968948	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FxJ9Xg33X67Nyx01C2	text/html
+1354328882.928027	CIPOse170MGiRM1Qf4	128.2.6.136	46569	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FcNjaW3kDUju84cG3	text/html
+1354328882.968948	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fe8v8c49yLvORp3zva	text/html
 1354328882.990373	CJ3xTn1c4Zw9TmAE05	128.2.6.136	46571	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43913	200	OK	-	-	-	(empty)	-	-	-	-	-	FAbDo7c8yz5wducYb	text/html
-1354328887.114613	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	0	-	-	-	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	Fz1p2N3K0efiD4l7kc	text/html
-1354328891.161077	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FnhBKS2ssy1v8C41Jf	text/html
-1354328891.204740	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FWs6es4rYFRUFyUzC1	text/html
-1354328891.245592	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNQNbG1yFFfHE0L8O7	text/html
-1354328891.287655	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FzDULh4an8RDf3xKpi	text/html
+1354328887.114613	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	1	-	-	-	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	F7zifu3d5nGrdGffO4	text/html
+1354328891.161077	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNf9mc2b0BWWP1UxWe	text/html
+1354328891.204740	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FG2K813sKEZvZ2TNY4	text/html
+1354328891.245592	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FOOeqs4Vg0Zs3rcVYi	text/html
+1354328891.287655	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	F2wfYn1yFdeOeHFYA8	text/html
 1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	F1d9bG11AdUoYIAPna	text/html
 1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	1	CCM_POST	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	F73Xpt400aDAjp1tOj	text/html
-1354328895.416133	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FlniJMJjcc7kx6rhj	text/html
-1354328895.459490	CyAhVIzHqb7t7kv28	128.2.6.136	46580	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FihiZm4nJV0LOus1F1	text/html
+1354328895.416133	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FANgwp2fEJblWfGtqk	text/html
+1354328895.459490	CyAhVIzHqb7t7kv28	128.2.6.136	46580	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FUelQv4zC3B2JEWwQ6	text/html
 1354328895.480865	Cab0vO1xNYSS2hJkle	128.2.6.136	46581	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FodlEg40uUijFetJb9	text/html
 1354328899.526682	Cx2FqO23omNawSNrxj	128.2.6.136	46582	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FgQlB81dSyLHN5T8Q4	text/html
 1354328903.572533	Cx3C534wEyF3OvvcQe	128.2.6.136	46583	173.194.75.103	80	1	CONNECT	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FW2UCD2e0jxAndsTK3	text/html
-1354328903.634196	CkDsfG2YIeWJmXWNWj	128.2.6.136	46584	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNzD1t4XvaMaqIEamf	text/html
-1354328903.676395	CUKS0W3HFYOnBqSE5e	128.2.6.136	46585	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fq1Oia2lyBocfl9sX6	text/html
+1354328903.634196	CkDsfG2YIeWJmXWNWj	128.2.6.136	46584	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FKANAL2sLvMgJdaEKa	text/html
+1354328903.676395	CUKS0W3HFYOnBqSE5e	128.2.6.136	46585	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FNRuYy4eahAmiehFvd	text/html
 1354328903.697693	CRrfvP2lalMAYOCLhj	128.2.6.136	46586	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FAVGIL2N6x9nLyfGHh	text/html
 1354328907.743696	Cn78a440HlxuyZKs6f	128.2.6.136	46587	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FKbiICMAvCsO6CFjk	text/html
 1354328911.790590	CUof3F2yAIid8QS3dk	128.2.6.136	46588	173.194.75.103	80	1	TRACE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FD5riIpYe5BLR0aok	text/html
-1354328911.853464	CojBOU3CXcLHl1r6x1	128.2.6.136	46589	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FHB2lg2TvAjywhH0Yc	text/html
-1354328911.897044	CJzVQRGJrX6V15ik7	128.2.6.136	46590	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FIcQHt2xzPeH47BMdl	text/html
+1354328911.853464	CojBOU3CXcLHl1r6x1	128.2.6.136	46589	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FUzHwP1gT2UJYnUpUi	text/html
+1354328911.897044	CJzVQRGJrX6V15ik7	128.2.6.136	46590	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FfLe59279TLFl2hHKc	text/html
 1354328911.918511	ClAbxY1nmdjCuo0Le2	128.2.6.136	46591	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FQrvtP3qpKeKPxn5Gf	text/html
 1354328915.964678	CwG0BF1VXE0gWgs78	128.2.6.136	46592	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	Fs5qiV3XoBOExKLdi4	text/html
 1354328920.010458	CisNaL1Cm73CiNOmcg	128.2.6.136	46593	173.194.75.103	80	1	DELETE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FpkucFbcGcM4CNkZf	text/html
-1354328920.072101	CBQnJn22qN8TOeeZil	128.2.6.136	46594	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FcavKi2ltkvguBtFh4	text/html
-1354328920.114526	CbEsuD3dgDDngdlbKf	128.2.6.136	46595	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FWc18o1CNTndDqC3Sc	text/html
+1354328920.072101	CBQnJn22qN8TOeeZil	128.2.6.136	46594	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FBu6A04t7ZjbY0dCi8	text/html
+1354328920.114526	CbEsuD3dgDDngdlbKf	128.2.6.136	46595	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fk7Se84fbLvbZEfBCd	text/html
 1354328920.136714	Cktvtw2VqwbTG0OgWk	128.2.6.136	46596	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FNb8ZY2Zvw0MpF1qU4	text/html
 1354328924.183211	CKfF8L3XSsgT2WYDN	128.2.6.136	46597	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	Fo23U03XCMamm7QQWe	text/html
 1354328924.224567	CHrnr1115j0JRSXjG6	128.2.6.136	46598	173.194.75.103	80	1	PUT	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	FqyVeZqSV8Tz7hfT1	text/html
-1354328924.287402	Cnkr172qPtDAaK7Xd	128.2.6.136	46599	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FeaMQe4sztncIKuIdg	text/html
-1354328924.328257	CcxZj6188NwHGl3a16	128.2.6.136	46600	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FVZu7439jNbDyOjNDj	text/html
+1354328924.287402	Cnkr172qPtDAaK7Xd	128.2.6.136	46599	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Ft15j5I9xSpfcA7Fh	text/html
+1354328924.328257	CcxZj6188NwHGl3a16	128.2.6.136	46600	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FyF5ac1kxwCDvXZKz7	text/html
 1354328924.350343	CUqYZc2XzbfnZKbgT	128.2.6.136	46601	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	FuGiTK15gnR7f8Uti2	text/html
 1354328924.391728	CVdnYXVEtNT1lQVL6	128.2.6.136	46602	173.194.75.103	80	1	POST	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	F93zuy2MGUDDPwg0xl	text/html
 1354328924.433150	CbNmy32YFt3gdIjV8	128.2.6.136	46603	173.194.75.103	80	1	POST	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	-	-	FRJvy31aqXlFemaBfc	text/html
-1354328924.496732	COTmF91mGWcb4zV7W5	128.2.6.136	46604	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FMJLB42ry1sw3MMTq8	text/html
-1354328924.537671	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fx4bPY2OFFAByxhLAl	text/html
+1354328924.496732	COTmF91mGWcb4zV7W5	128.2.6.136	46604	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	Fcnnrf1A8AgOFzLHM	text/html
+1354328924.537671	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FI3I73110YtFWCuaG3	text/html
 1354328924.559704	CZTTFm2GrMAs8leAyl	128.2.6.136	46606	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
 1354328928.625437	CV23rC3tBHfPhMUPtf	128.2.6.136	46607	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
 1354328932.692706	CkaPGx2P0Y3W5aHVFk	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	-	0	0	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	-	-
-1354328932.754657	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	F04ZTu63dLSqJQpwa	text/html
-1354328932.796568	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FVoxfM2o0FqsBuQkDa	text/html
-#close	2014-04-01-23-16-03
+1354328932.754657	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FaVAsywxxOtGAzel8	text/html
+1354328932.796568	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	1	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FmzgEKnyfPnyZqmh	text/html
+#close	2015-04-20-12-36-37
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
index e3f52e2283..a9cf1ccfaf 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-04-01-23-16-15
+#open	2015-04-20-12-37-23
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	curl/7.30.0	370	465	200	OK	-	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	-	FjeopJ2lRk9U1CNNb5	text/plain
-#close	2014-04-01-23-16-15
+1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	curl/7.30.0	370	465	200	OK	-	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	-	FjeopJ2lRk9U1CNNb5	text/json
+#close	2015-04-20-12-37-23

From ed375167c89d4ef6808a729c5dac05ab58f9db8a Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 20 Apr 2015 10:46:48 -0400
Subject: [PATCH 43/54] File API updates complete.

Addresses BIT-1368.
---
 NEWS                                          |  27 +-
 doc/frameworks/file_analysis_02.bro           |   2 +-
 doc/httpmonitor/file_extraction.bro           |   2 +-
 scripts/base/frameworks/files/main.bro        |   7 +-
 scripts/base/init-bare.bro                    |   2 +-
 scripts/base/protocols/ftp/files.bro          |   2 +-
 scripts/base/protocols/http/entities.bro      |   2 +-
 scripts/base/protocols/irc/files.bro          |   2 +-
 src/NetVar.cc                                 |   4 +-
 src/NetVar.h                                  |   2 +-
 src/event.bif                                 |  19 +-
 src/file_analysis/File.cc                     |  12 +-
 .../core.tunnels.gtp.outer_ip_frag/http.log   |   6 +-
 .../btest-doc.sphinx.connection-record-02#1   |   2 +-
 .../output                                    |   2 +-
 .../output                                    |   2 +-
 testing/btest/Baseline/plugins.hooks/output   | 307 +++++++++---------
 .../all-events-no-args.log                    |   6 +-
 .../all-events.log                            |  12 +-
 ...-doc_frameworks_file_analysis_02_bro.btest |   2 +-
 ...-doc_httpmonitor_file_extraction_bro.btest |   2 +-
 21 files changed, 214 insertions(+), 210 deletions(-)

diff --git a/NEWS b/NEWS
index 4addcc519c..b74cce173e 100644
--- a/NEWS
+++ b/NEWS
@@ -25,7 +25,7 @@ New Functionality
   See https://www.bro.org/sphinx-git/devel/plugins.html for more
   information on writing plugins.
 
-- Bro now has supoprt for the MySQL wire protocol. Activity gets
+- Bro now has support for the MySQL wire protocol. Activity gets
   logged into mysql.log.
 
 - Bro now features a completely rewritten, enhanced SSH analyzer. A lot
@@ -33,7 +33,12 @@ New Functionality
   determine if logins failed or succeeded in most circumstances.
 
 - Bro's file analysis now supports reassembly of files that are not
-  transferred/seen sequentially.
+  transferred/seen sequentially.  The default file reassembly buffer
+  size is set with the ``Files::reassembly_buffer_size`` variable.
+
+- Bro's file type identification has been greatly improved.  
+  Unfortunately we were not able to get a test suite to verify the new 
+  file type identification included with this release.
 
 - Bro's scripting language now has a ``while`` statement::
 
@@ -79,17 +84,17 @@ Changed Functionality
 - File analysis
 
     * Removed ``fa_file`` record's ``mime_type`` and ``mime_types``
-      fields.  The event ``file_metadata_inferred`` has been added
-      which contain the same information.  The ``mime_type`` field of
-      ``Files::Info`` also still has this info.
+      fields.  The event ``file_sniff`` has been added which contain 
+      the same information.  The ``mime_type`` field of ``Files::Info``
+      also still has this info.
 
     * The earliest point that new mime type information is available is
-      in the ``file_metadata_inferred`` event which comes after the
-      ``file_new`` and ``file_over_new_connection`` events.  Scripts
-      which inspected mime type info within those events will need to be
-      adapted.  (Note: for users that worked w/ versions of Bro from git,
-      there was also an event called ``file_mime_type`` which is now
-      replaced be the ``file_metadata_inferred`` event).
+      in the ``file_sniff`` event which comes after the ``file_new`` and 
+      ``file_over_new_connection`` events.  Scripts which inspected mime 
+      type info within those events will need to be adapted.  (Note: for
+      users that worked w/ versions of Bro from git, there was also an 
+      event called ``file_mime_type`` which is now replaced be the 
+      ``file_sniff`` event).
 
     * Removed ``Files::add_analyzers_for_mime_type`` function.
 
diff --git a/doc/frameworks/file_analysis_02.bro b/doc/frameworks/file_analysis_02.bro
index b01a8464a6..fd4f0e775e 100644
--- a/doc/frameworks/file_analysis_02.bro
+++ b/doc/frameworks/file_analysis_02.bro
@@ -1,4 +1,4 @@
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
+event file_sniff(f: fa_file, meta: fa_metadata)
     {
 	if ( ! meta?$mime_type ) return;
     print "new file", f$id;
diff --git a/doc/httpmonitor/file_extraction.bro b/doc/httpmonitor/file_extraction.bro
index b89f87705c..c387156b62 100644
--- a/doc/httpmonitor/file_extraction.bro
+++ b/doc/httpmonitor/file_extraction.bro
@@ -7,7 +7,7 @@ global mime_to_ext: table[string] of string = {
 	["text/html"] = "html",
 };
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
+event file_sniff(f: fa_file, meta: fa_metadata)
 	{
 	if ( f$source != "HTTP" )
 		return;
diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index 273f45efdb..ed73028236 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -129,12 +129,11 @@ export {
 	## files based on the detected mime type of the file.
 	const analyze_by_mime_type_automatically = T &redef;
 
-	## The default setting for if the file reassembler is enabled for 
-	## each file.
+	## The default setting for file reassembly.
 	const enable_reassembler = T &redef;
 
 	## The default per-file reassembly buffer size.
-	const reassembly_buffer_size = 1048576 &redef;
+	const reassembly_buffer_size = 524288 &redef;
 
 	## Allows the file reassembler to be used if it's necessary because the
 	## file is transferred out of order.
@@ -484,7 +483,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h];
 	}
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=10
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=10
 	{
 	set_info(f);
 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index fb3ccd6698..764462f730 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -415,7 +415,7 @@ type fa_file: record {
 } &redef;
 
 ## Metadata that's been inferred about a particular file.
-type inferred_file_metadata: record {
+type fa_metadata: record {
 	## The strongest matching mime type if one was discovered.
 	mime_type: string &optional;
 	## All matching mime types if any were discovered.
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro
index 8c18d19869..c114f11c8d 100644
--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.bro
@@ -63,7 +63,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	f$ftp = ftp;
 	}
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 	{
 	if ( ! f?$ftp )
 		return;
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index f363ec7810..b14b4d84b8 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -93,7 +93,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		}
 	}
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 	{
 	if ( ! f?$http || ! f?$is_orig )
 		return;
diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.bro
index ea9bf1bdc2..759acdca81 100644
--- a/scripts/base/protocols/irc/files.bro
+++ b/scripts/base/protocols/irc/files.bro
@@ -42,7 +42,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 	f$irc = irc;
 	}
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 	{
 	if ( f?$irc && meta?$mime_type )
 		f$irc$dcc_mime_type = meta$mime_type;
diff --git a/src/NetVar.cc b/src/NetVar.cc
index f7f6e12aac..7d57c52650 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -10,7 +10,7 @@ RecordType* endpoint;
 RecordType* endpoint_stats;
 RecordType* connection_type;
 RecordType* fa_file_type;
-RecordType* inferred_file_metadata_type;
+RecordType* fa_metadata_type;
 RecordType* icmp_conn;
 RecordType* icmp_context;
 RecordType* SYN_packet;
@@ -317,7 +317,7 @@ void init_net_var()
 	endpoint_stats = internal_type("endpoint_stats")->AsRecordType();
 	connection_type = internal_type("connection")->AsRecordType();
 	fa_file_type = internal_type("fa_file")->AsRecordType();
-	inferred_file_metadata_type = internal_type("inferred_file_metadata")->AsRecordType();
+	fa_metadata_type = internal_type("fa_metadata")->AsRecordType();
 	icmp_conn = internal_type("icmp_conn")->AsRecordType();
 	icmp_context = internal_type("icmp_context")->AsRecordType();
 	signature_state = internal_type("signature_state")->AsRecordType();
diff --git a/src/NetVar.h b/src/NetVar.h
index 2c5221f6a7..514a051eac 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -13,7 +13,7 @@ extern RecordType* endpoint;
 extern RecordType* endpoint_stats;
 extern RecordType* connection_type;
 extern RecordType* fa_file_type;
-extern RecordType* inferred_file_metadata_type;
+extern RecordType* fa_metadata_type;
 extern RecordType* icmp_conn;
 extern RecordType* icmp_context;
 extern RecordType* signature_state;
diff --git a/src/event.bif b/src/event.bif
index 871ddd2d25..53f982d7f5 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -906,7 +906,7 @@ event get_file_handle%(tag: Analyzer::Tag, c: connection, is_orig: bool%);
 ## f: The file.
 ##
 ## .. bro:see:: file_over_new_connection file_timeout file_gap
-##    file_metadata_inferred file_state_remove
+##    file_sniff file_state_remove
 event file_new%(f: fa_file%);
 
 ## Indicates that a file has been seen being transferred over a connection
@@ -918,14 +918,17 @@ event file_new%(f: fa_file%);
 ##
 ## is_orig: true if the originator of *c* is the one sending the file.
 ##
-## .. bro:see:: file_new file_timeout file_gap file_metadata_inferred 
+## .. bro:see:: file_new file_timeout file_gap file_sniff 
 ##    file_state_remove
 event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
 
 ## Provide all metadata that has been inferred about a particular file
 ## from inspection of the initial content that been seen at the beginning
 ## of the file.  The analysis can be augmented at this time via
-## :bro:see:`Files::add_analyzer`.
+## :bro:see:`Files::add_analyzer`.  The amount of data fed into the file 
+## sniffing can be increased or decreased by changing either 
+## :bro:see:`default_file_bof_buffer_size` or the `bof_buffer_size` field
+## in an `fa_file` record.
 ##
 ## f: The file.
 ##
@@ -933,7 +936,7 @@ event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
 ##
 ## .. bro:see:: file_over_new_connection file_timeout file_gap
 ##    file_state_remove
-event file_metadata_inferred%(f: fa_file, meta: inferred_file_metadata%);
+event file_sniff%(f: fa_file, meta: fa_metadata%);
 
 ## Indicates that file analysis has timed out because no activity was seen
 ## for the file in a while.
@@ -941,7 +944,7 @@ event file_metadata_inferred%(f: fa_file, meta: inferred_file_metadata%);
 ## f: The file.
 ##
 ## .. bro:see:: file_new file_over_new_connection file_gap
-##    file_metadata_inferred file_state_remove default_file_timeout_interval
+##    file_sniff file_state_remove default_file_timeout_interval
 ##    Files::set_timeout_interval
 event file_timeout%(f: fa_file%);
 
@@ -954,7 +957,7 @@ event file_timeout%(f: fa_file%);
 ## len: The number of missing bytes.
 ##
 ## .. bro:see:: file_new file_over_new_connection file_timeout
-##    file_metadata_inferred file_state_remove file_reassembly_overflow
+##    file_sniff file_state_remove file_reassembly_overflow
 event file_gap%(f: fa_file, offset: count, len: count%);
 
 ## Indicates that the file had an overflow of the reassembly buffer.
@@ -970,7 +973,7 @@ event file_gap%(f: fa_file, offset: count, len: count%);
 ##          This value will also be represented as a gap.
 ##
 ## .. bro:see:: file_new file_over_new_connection file_timeout
-##    file_metadata_inferred file_state_remove file_gap
+##    file_sniff file_state_remove file_gap
 ##    Files::enable_reassembler Files::reassembly_buffer_size
 ##    Files::enable_reassembly Files::disable_reassembly
 ##    Files::set_reassembly_buffer_size
@@ -981,7 +984,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
 ## f: The file.
 ##
 ## .. bro:see:: file_new file_over_new_connection file_timeout file_gap
-##    file_metadata_inferred
+##    file_sniff
 event file_state_remove%(f: fa_file%);
 
 ## Generated when an internal DNS lookup produces the same result as last time.
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 28683e9230..0a657db7a4 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -74,8 +74,8 @@ void File::StaticInit()
 	timeout_interval_idx = Idx("timeout_interval", fa_file_type);
 	bof_buffer_size_idx = Idx("bof_buffer_size", fa_file_type);
 	bof_buffer_idx = Idx("bof_buffer", fa_file_type);
-	meta_mime_type_idx = Idx("mime_type", inferred_file_metadata_type);
-	meta_mime_types_idx = Idx("mime_types", inferred_file_metadata_type);
+	meta_mime_type_idx = Idx("mime_type", fa_metadata_type);
+	meta_mime_types_idx = Idx("mime_types", fa_metadata_type);
 	}
 
 File::File(const string& file_id, const string& source_name, Connection* conn,
@@ -303,7 +303,7 @@ void File::InferMetadata()
 		val->Assign(bof_buffer_idx, bof_buffer_val);
 		}
 
-	if ( ! FileEventAvailable(file_metadata_inferred) )
+	if ( ! FileEventAvailable(file_sniff) )
 		return;
 
 	RuleMatcher::MIME_Matches matches;
@@ -314,7 +314,7 @@ void File::InferMetadata()
 
 	val_list* vl = new val_list();
 	vl->append(val->Ref());
-	RecordVal* meta = new RecordVal(inferred_file_metadata_type);
+	RecordVal* meta = new RecordVal(fa_metadata_type);
 	vl->append(meta);
 
 	if ( ! matches.empty() )
@@ -325,7 +325,7 @@ void File::InferMetadata()
 		             file_analysis::GenMIMEMatchesVal(matches));
 		}
 
-	FileEvent(file_metadata_inferred, vl);
+	FileEvent(file_sniff, vl);
 	return;
 	}
 
@@ -591,7 +591,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	mgr.QueueEvent(h, vl);
 
 	if ( h == file_new || h == file_over_new_connection ||
-	     h == file_metadata_inferred ||
+	     h == file_sniff ||
 	     h == file_timeout || h == file_extraction_limit )
 		{
 		// immediate feedback is required for these events.
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
index de56e2b61d..60872407a4 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2015-04-20-12-47-51
+#open	2015-04-20-14-23-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FW9Lvl44OWYBjZahrl	-
-#close	2015-04-20-12-47-51
+1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	-
+#close	2015-04-20-14-23-04
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
index fc65502ff4..dc86cced30 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
@@ -11,7 +11,7 @@
       
       }], extract_orig=F, extract_resp=F, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
       
-      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
+      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
       
       }, current_request=1, current_response=1, trans_depth=1]]
 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
index f8ca8e9d1a..7c0b7eb8f0 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
@@ -2,7 +2,7 @@
 
 file_analysis_02.bro
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
+event file_sniff(f: fa_file, meta: fa_metadata)
     {
 	if ( ! meta?$mime_type ) return;
     print "new file", f$id;
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
index 4a1fe36596..729947ff72 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
@@ -11,7 +11,7 @@ global mime_to_ext: table[string] of string = {
 	["text/html"] = "html",
 };
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
+event file_sniff(f: fa_file, meta: fa_metadata)
 	{
 	if ( f$source != "HTTP" )
 		return;
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 31fdddf184..0627ff6c74 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -201,7 +201,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429541086.593457, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -298,7 +298,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429541086.593457, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -686,7 +686,7 @@
 0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && HTTP::c$http?$etag && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http), HTTP::c$http$etag))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
+0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
@@ -754,7 +754,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429541086.593457, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -851,7 +851,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429541086.593457, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -1238,7 +1238,7 @@
 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && HTTP::c$http?$etag && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http), HTTP::c$http$etag))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
@@ -1306,7 +1306,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429541086.593457, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1403,7 +1403,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1428700698.322438, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429541086.593457, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1495,24 +1495,24 @@
 1362692526.939378 | HookDrainEvents
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
@@ -1527,29 +1527,29 @@
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
 1362692526.939527   MetaHookPost  UpdateNetworkTime(1362692526.939527) -> <void>
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
-1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692526.939527   MetaHookPre   CallFunction(network_time, <frame>, ())
@@ -1564,30 +1564,30 @@
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   UpdateNetworkTime(1362692526.939527)
 1362692526.939527  | HookUpdateNetworkTime 1362692526.939527
 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
-1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
-1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692526.939527 | HookCallFunction network_time()
@@ -1602,7 +1602,7 @@
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692527.008509   MetaHookPost  DrainEvents() -> <void>
 1362692527.008509   MetaHookPost  UpdateNetworkTime(1362692527.008509) -> <void>
@@ -1611,146 +1611,143 @@
 1362692527.008509  | HookUpdateNetworkTime 1362692527.008509
 1362692527.008509 | HookDrainEvents
 1362692527.009512   MetaHookPost  CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 1048576)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(split_string_all, <frame>, (HTTP, <...>/)) -> <no result>
 1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
 1362692527.009512   MetaHookPre   CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3))
-1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 1048576))
-1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576))
+1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288))
+1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 524288))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009512   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009512   MetaHookPre   CallFunction(split_string_all, <frame>, (HTTP, <...>/))
 1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   UpdateNetworkTime(1362692527.009512)
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3)
-1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 1048576)
-1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 1048576)
+1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288)
+1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>], 524288)
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/)
 1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag=<uninitialized>, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009721   MetaHookPost  DrainEvents() -> <void>
 1362692527.009721   MetaHookPost  UpdateNetworkTime(1362692527.009721) -> <void>
 1362692527.009721   MetaHookPre   DrainEvents()
@@ -1763,7 +1760,7 @@
 1362692527.009765   MetaHookPre   UpdateNetworkTime(1362692527.009765)
 1362692527.009765  | HookUpdateNetworkTime 1362692527.009765
 1362692527.009765 | HookDrainEvents
-1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -1773,7 +1770,7 @@
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(file_metadata_inferred, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
@@ -1782,13 +1779,13 @@
 1362692527.009775   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  QueueEvent(file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false
+1362692527.009775   MetaHookPost  QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
 1362692527.009775   MetaHookPost  UpdateNetworkTime(1362692527.009775) -> <void>
-1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1798,7 +1795,7 @@
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009775   MetaHookPre   CallFunction(file_metadata_inferred, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
+1362692527.009775   MetaHookPre   CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@@ -1807,14 +1804,14 @@
 1362692527.009775   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   QueueEvent(file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
+1362692527.009775   MetaHookPre   QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
 1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   UpdateNetworkTime(1362692527.009775)
 1362692527.009775  | HookUpdateNetworkTime 1362692527.009775
-1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, etag="1261-4c870358a6fc0", orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -1824,7 +1821,7 @@
 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009775 | HookCallFunction file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
+1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@@ -1833,7 +1830,7 @@
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookQueueEvent file_metadata_inferred([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
+1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])
 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index d5369c07a4..f2f38ae958 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -59,7 +59,7 @@
 1254722770.692743 file_over_new_connection
 1254722770.692743 mime_end_entity
 1254722770.692743 get_file_handle
-1254722770.692743 file_metadata_inferred
+1254722770.692743 file_sniff
 1254722770.692743 file_state_remove
 1254722770.692743 get_file_handle
 1254722770.692743 mime_begin_entity
@@ -70,7 +70,7 @@
 1254722770.692743 file_over_new_connection
 1254722770.692804 mime_end_entity
 1254722770.692804 get_file_handle
-1254722770.692804 file_metadata_inferred
+1254722770.692804 file_sniff
 1254722770.692804 file_state_remove
 1254722770.692804 get_file_handle
 1254722770.692804 mime_end_entity
@@ -84,7 +84,7 @@
 1254722770.692804 file_new
 1254722770.692804 file_over_new_connection
 1254722770.695115 new_connection
-1254722771.494181 file_metadata_inferred
+1254722771.494181 file_sniff
 1254722771.858334 mime_end_entity
 1254722771.858334 get_file_handle
 1254722771.858334 file_state_remove
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 847d5122e2..93f3447378 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -312,9 +312,9 @@
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
-1254722770.692743 file_metadata_inferred
+1254722770.692743 file_sniff
                   [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: inferred_file_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
+                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722770.692743 file_state_remove
                   [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
@@ -356,9 +356,9 @@
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
-1254722770.692804 file_metadata_inferred
+1254722770.692804 file_sniff
                   [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: inferred_file_metadata = [mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]]]
+                  [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]]
 
 1254722770.692804 file_state_remove
                   [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
@@ -412,9 +412,9 @@
 1254722770.695115 new_connection
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1254722771.494181 file_metadata_inferred
+1254722771.494181 file_sniff
                   [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]
-                  [1] meta: inferred_file_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
+                  [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722771.858334 mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
index f8ca8e9d1a..7c0b7eb8f0 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
@@ -2,7 +2,7 @@
 
 file_analysis_02.bro
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
+event file_sniff(f: fa_file, meta: fa_metadata)
     {
 	if ( ! meta?$mime_type ) return;
     print "new file", f$id;
diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest
index 4a1fe36596..729947ff72 100644
--- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest
@@ -11,7 +11,7 @@ global mime_to_ext: table[string] of string = {
 	["text/html"] = "html",
 };
 
-event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
+event file_sniff(f: fa_file, meta: fa_metadata)
 	{
 	if ( f$source != "HTTP" )
 		return;

From 928f870f58b89dd48162455f811b9bdc76e2f48f Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Mon, 20 Apr 2015 11:54:34 -0400
Subject: [PATCH 44/54] Update pe/main.bro to user register_for_mime_types,
 ensuring it will also work with the upcoming Files framework changes.

---
 scripts/base/files/pe/main.bro              | 10 +++-------
 testing/btest/Baseline/plugins.hooks/output | 18 ++++++++++++------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index eb2f5a7f67..d324758bf1 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -69,8 +69,11 @@ redef record fa_file += {
 	pe: Info &optional;
 };
 
+const pe_mime_types = { "application/x-dosexec" };
+
 event bro_init() &priority=5
 	{
+	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
 	Log::create_stream(LOG, [$columns=Info, $ev=log_pe]);
 	}
 
@@ -148,10 +151,3 @@ event file_state_remove(f: fa_file) &priority=-5
 		Log::write(LOG, f$pe);
 	}
 
-event file_mime_type(f: fa_file, mime_type: string)
-	{
-	if ( mime_type == /application\/x-dosexec.*/ ) 
-		{
-		Files::add_analyzer(f, Files::ANALYZER_PE);
-		}
-	}
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 1b63a4a702..a4b5bd825c 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -131,6 +131,8 @@
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_PE, application/x-dosexec)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_types, <frame>, (Files::ANALYZER_PE, {application/x-dosexec})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> <no result>
@@ -203,7 +205,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -303,7 +305,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -693,6 +695,8 @@
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
 0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_PE, application/x-dosexec))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_types, <frame>, (Files::ANALYZER_PE, {application/x-dosexec}))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
@@ -765,7 +769,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -865,7 +869,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -1254,6 +1258,8 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec)
+0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec})
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
@@ -1326,7 +1332,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1426,7 +1432,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429491943.907288, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429545149.951713, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )

From d0e4d17f31aaaca97a53454d9b8059aeeb914c73 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Mon, 20 Apr 2015 12:49:42 -0400
Subject: [PATCH 45/54] Tweak the PE OS versions based on real-world traffic.

---
 scripts/base/files/pe/consts.bro              | 28 +++++++++++++++----
 .../scripts.base.files.pe.basic/pe.log        | 10 +++----
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro
index 22f246a3e9..c2a17f562c 100644
--- a/scripts/base/files/pe/consts.bro
+++ b/scripts/base/files/pe/consts.bro
@@ -127,15 +127,31 @@ export {
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 	const os_versions: table[count, count] of string = {
-		[6,2]  = "Windows 8",
-		[6,1]  = "Windows 7",
-		[6,0]  = "Windows Vista",
-		[5,2]  = "Windows XP 64-Bit Edition",
+		[10,0] = "Windows 10",
+		[6,4]  = "Windows 10 Technical Preview",
+		[6,3]  = "Windows 8.1 or Server 2012 R2",
+		[6,2]  = "Windows 8 or Server 2012",
+		[6,1]  = "Windows 7 or Server 2008 R2",
+		[6,0]  = "Windows Vista or Server 2008",
+		[5,2]  = "Windows XP x64 or Server 2003",
 		[5,1]  = "Windows XP",
 		[5,0]  = "Windows 2000",
 		[4,90] = "Windows Me",
-		[4,1]  = "Windows 98",
-		[4,0]  = "Windows NT 4.0",
+		[4,10] = "Windows 98",
+		[4,0]  = "Windows 95 or NT 4.0",
+		[3,51] = "Windows NT 3.51",
+		[3,50] = "Windows NT 3.5",
+		[3,2]  = "Windows 3.2",
+		[3,11] = "Windows for Workgroups 3.11",
+		[3,10] = "Windows 3.1 or NT 3.1",
+		[3,0]  = "Windows 3.0",
+		[2,11] = "Windows 2.11",
+		[2,10] = "Windows 2.10",
+		[2,0] = "Windows 2.0",
+		[1,4] = "Windows 1.04",
+		[1,3] = "Windows 1.03",
+		[1,1] = "Windows 1.01",
+		[1,0] = "Windows 1.0",	
 	} &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); };
 
 	const section_descs: table[string] of string = {
diff --git a/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log
index 5659276fee..f4335adc1d 100644
--- a/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log
+++ b/testing/btest/Baseline/scripts.base.files.pe.basic/pe.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	pe
-#open	2015-04-20-00-26-40
+#open	2015-04-20-16-48-55
 #fields	ts	id	machine	compile_ts	os	subsystem	is_exe	is_64bit	uses_aslr	uses_dep	uses_code_integrity	uses_seh	has_import_table	has_export_table	has_cert_table	has_debug_data	section_names
 #types	time	string	string	time	string	string	bool	bool	bool	bool	bool	bool	bool	bool	bool	bool	vector[string]
 1429466342.201366	Fz2N9x4SAxQiSnI6mk	unknown-475	0.000000	-	-	F	T	F	F	F	T	-	-	-	-	-
-1429466342.278998	F5fc4q3zhJHmYSvm8a	I386	1402852568.000000	Windows NT 4.0	WINDOWS_GUI	T	F	F	F	F	T	T	T	F	F	.text,.Ddata,.data,.rsrc
-1429466342.225653	Fzysjj1zfjAcgWgm22	I386	1171692517.000000	Windows XP 64-Bit Edition	WINDOWS_GUI	T	F	F	F	F	T	T	F	F	T	.text,.data,.rsrc
-1429466342.250474	FOuWFKf04xcHH4ck	I386	1210911433.000000	Windows NT 4.0	WINDOWS_CUI	T	F	F	F	F	T	T	F	T	T	.text,.rdata,.data,.rsrc
-#close	2015-04-20-00-26-41
+1429466342.278998	F5fc4q3zhJHmYSvm8a	I386	1402852568.000000	Windows 95 or NT 4.0	WINDOWS_GUI	T	F	F	F	F	T	T	T	F	F	.text,.Ddata,.data,.rsrc
+1429466342.225653	Fzysjj1zfjAcgWgm22	I386	1171692517.000000	Windows XP x64 or Server 2003	WINDOWS_GUI	T	F	F	F	F	T	T	F	F	T	.text,.data,.rsrc
+1429466342.250474	FOuWFKf04xcHH4ck	I386	1210911433.000000	Windows 95 or NT 4.0	WINDOWS_CUI	T	F	F	F	F	T	T	F	T	T	.text,.rdata,.data,.rsrc
+#close	2015-04-20-16-48-55

From 229307174e166025d16f135ea5f320077cecd2f4 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 20 Apr 2015 12:47:05 -0500
Subject: [PATCH 46/54] BIT-1380: Improve Broxygen output of &default
 expressions.

---
 CHANGES     |  5 +++++
 VERSION     |  2 +-
 src/Attr.cc | 21 +++++++++++++++++++--
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 27b3020272..1c8bd91aab 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.3-721 | 2015-04-20 12:47:05 -0500
+
+  * BIT-1380: Improve Broxygen output of &default expressions.
+    (Jon Siwek)
+
 2.3-720 | 2015-04-17 14:18:26 -0700
 
   * Updating NEWS.
diff --git a/VERSION b/VERSION
index 4953236124..0316e00ca0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-720
+2.3-721
diff --git a/src/Attr.cc b/src/Attr.cc
index fc8d3000d1..dad51c608e 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -76,11 +76,28 @@ void Attr::DescribeReST(ODesc* d) const
 			d->Add("`");
 			}
 
-		else
+		else if ( expr->Tag() == EXPR_CONST )
 			{
 			d->Add("``");
 			expr->Describe(d);
-			d-> Add("``");
+			d->Add("``");
+			}
+
+		else
+			{
+			d->Add("``");
+			Val* v = expr->Eval(0);
+			ODesc dd;
+			v->Describe(&dd);
+			Unref(v);
+			string s = dd.Description();
+
+			for ( size_t i = 0; i < s.size(); ++i )
+				if ( s[i] == '\n' )
+					s[i] = ' ';
+
+			d->Add(s);
+			d->Add("``");
 			}
 		}
 	}

From bd4bc25eda992c29b8f9616c1d3c6d58bdc5d5a1 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 20 Apr 2015 12:59:03 -0500
Subject: [PATCH 47/54] Remove unneeded documentation cross-referencing.

Noticed these gave warnings due to missing namespace, but rather than
fix I'm just removing because they reference names in the same
module/file that will appear inches away from each other in the final
output.
---
 CHANGES                                    |  4 ++++
 VERSION                                    |  2 +-
 scripts/base/protocols/conn/thresholds.bro | 18 ------------------
 3 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1c8bd91aab..06ad4c1fa2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.3-722 | 2015-04-20 12:59:03 -0500
+
+  * Remove unneeded documentation cross-referencing. (Jon Siwek)
+
 2.3-721 | 2015-04-20 12:47:05 -0500
 
   * BIT-1380: Improve Broxygen output of &default expressions.
diff --git a/VERSION b/VERSION
index 0316e00ca0..3e69beb37a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-721
+2.3-722
diff --git a/scripts/base/protocols/conn/thresholds.bro b/scripts/base/protocols/conn/thresholds.bro
index 62558960e7..d4ae21e1ab 100644
--- a/scripts/base/protocols/conn/thresholds.bro
+++ b/scripts/base/protocols/conn/thresholds.bro
@@ -22,9 +22,6 @@ export {
 	## is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
 	##
 	## Returns: T on success, F on failure.
-	##
-	## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_packets_threshold
-	##              delete_bytes_threshold delete_packets_threshold
 	global set_bytes_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
 
 	## Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
@@ -37,9 +34,6 @@ export {
 	## is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
 	##
 	## Returns: T on success, F on failure.
-	##
-	## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_bytes_threshold
-	##              delete_bytes_threshold delete_packets_threshold
 	global set_packets_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
 
 	## Deletes a byte threshold for connection sizes.
@@ -51,9 +45,6 @@ export {
 	## is_orig: If true, threshold is removed for packets from originator, otherwhise for packets from responder.
 	##
 	## Returns: T on success, F on failure.
-	##
-	## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_bytes_threshold set_packets_threshold
-	##              delete_packets_threshold
 	global delete_bytes_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
 
 	## Deletes a packet threshold for connection sizes.
@@ -65,9 +56,6 @@ export {
 	## is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
 	##
 	## Returns: T on success, F on failure.
-	##
-	## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_bytes_threshold set_packets_threshold
-	##              delete_bytes_threshold
 	global delete_packets_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
 
 	## Generated for a connection that crossed a set byte threshold
@@ -77,9 +65,6 @@ export {
 	## threshold: the threshold that was set
 	##
 	## is_orig: True if the threshold was crossed by the originator of the connection
-	##
-	## .. bro:see:: packets_threshold_crossed set_bytes_threshold set_packets_threshold
-	##              delete_bytes_threshold delete_packets_threshold
 	global bytes_threshold_crossed: event(c: connection, threshold: count, is_orig: bool);
 
 	## Generated for a connection that crossed a set byte threshold
@@ -89,9 +74,6 @@ export {
 	## threshold: the threshold that was set
 	##
 	## is_orig: True if the threshold was crossed by the originator of the connection
-	##
-	## .. bro:see:: bytes_threshold_crossed  set_bytes_threshold set_packets_threshold
-	##              delete_bytes_threshold delete_packets_threshold
 	global packets_threshold_crossed: event(c: connection, threshold: count, is_orig: bool);
 }
 

From 4dcd8d999b3bf715e7ee55c9b7b34bb31655d1fc Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 20 Apr 2015 13:27:18 -0500
Subject: [PATCH 48/54] Updating submodule(s).

 [nomail]
---
 aux/broker | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broker b/aux/broker
index 0c25c1daa7..a9d74d9133 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 0c25c1daa7dcf885dd16cc1b725295dc36decafe
+Subproject commit a9d74d91333b403be8d8c01f5aadb03a84968e9c

From de6112c41b0b18b059ba840930d7caf1b89dd2f3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 20 Apr 2015 14:11:02 -0500
Subject: [PATCH 49/54] Fix uninitialized field in raw input reader.

---
 CHANGES                      | 4 ++++
 VERSION                      | 2 +-
 src/input/readers/raw/Raw.cc | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 06ad4c1fa2..c1d71a2b2c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.3-724 | 2015-04-20 14:11:02 -0500
+
+  * Fix uninitialized field in raw input reader. (Jon Siwek)
+
 2.3-722 | 2015-04-20 12:59:03 -0500
 
   * Remove unneeded documentation cross-referencing. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 3e69beb37a..bb45103aee 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-722
+2.3-724
diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc
index b2165afff8..2aae96abf7 100644
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@@ -34,6 +34,7 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	firstrun = true;
 	mtime = 0;
 	forcekill = false;
+	offset = 0;
 	separator.assign( (const char*) BifConst::InputRaw::record_separator->Bytes(),
 			  BifConst::InputRaw::record_separator->Len());
 

From 2932ad2bd6fabdd9d494e6df48bb09076767724f Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 20 Apr 2015 12:54:54 -0700
Subject: [PATCH 50/54] Updating submodule(s).

 [nomail]
---
 CHANGES    | 4 ++++
 VERSION    | 2 +-
 aux/broctl | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index c1d71a2b2c..647c97be22 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.3-725 | 2015-04-20 12:54:54 -0700
+
+  * Updating submodule(s).
+
 2.3-724 | 2015-04-20 14:11:02 -0500
 
   * Fix uninitialized field in raw input reader. (Jon Siwek)
diff --git a/VERSION b/VERSION
index bb45103aee..91a8f8b8c7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-724
+2.3-725
diff --git a/aux/broctl b/aux/broctl
index e864a0949e..d52d184bc9 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit e864a0949e52a797f4000194b5c2980cf3618deb
+Subproject commit d52d184bc9aa976ee465914e95ff5c0274a18216

From c81fbb7d3fff81c1b20e10c1e3102529d57f5e05 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 20 Apr 2015 19:33:58 -0700
Subject: [PATCH 51/54] Tweakings NEWS.

---
 NEWS | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 3abaf49c59..389820d607 100644
--- a/NEWS
+++ b/NEWS
@@ -25,9 +25,9 @@ New Functionality
 - Bro now has support for the MySQL wire protocol. Activity gets
   logged into mysql.log.
 
-- Bro now parses DTLS traffic.
+- Bro now parses DTLS traffic. Activity gets logged into ssl.log.
 
-- Bro now has an RDP analyzer.
+- Bro now has an RDP analyzer. Activity gets logged into rdp.log.
 
 - Bro now has a file analyzer for Portable Executables. Activity gets
   logged into pe.log.

From de1e2fe20b7b3eb5a21c1e0a01e62872702975ce Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 20 Apr 2015 19:37:13 -0700
Subject: [PATCH 52/54] Removing the NetFlow analyzer.

Since the command-line option for reading NetFlow went away, the has
been neither used nor tested anymore. We might bring this back later,
but for now I'd rather remove it than having dead code that seems to
suggest that we support it.
---
 NEWS                                          |   3 +
 scripts/base/init-bare.bro                    |  54 ------
 src/analyzer/protocol/CMakeLists.txt          |   1 -
 src/analyzer/protocol/netflow/CMakeLists.txt  |  16 --
 src/analyzer/protocol/netflow/Plugin.cc       |  21 ---
 src/analyzer/protocol/netflow/events.bif      |  18 --
 .../protocol/netflow/netflow-analyzer.pac     | 174 ------------------
 .../protocol/netflow/netflow-protocol.pac     |  89 ---------
 src/analyzer/protocol/netflow/netflow.pac     |  13 --
 .../canonified_loaded_scripts.log             |   5 +-
 .../canonified_loaded_scripts.log             |   5 +-
 11 files changed, 7 insertions(+), 392 deletions(-)
 delete mode 100644 src/analyzer/protocol/netflow/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/netflow/Plugin.cc
 delete mode 100644 src/analyzer/protocol/netflow/events.bif
 delete mode 100644 src/analyzer/protocol/netflow/netflow-analyzer.pac
 delete mode 100644 src/analyzer/protocol/netflow/netflow-protocol.pac
 delete mode 100644 src/analyzer/protocol/netflow/netflow.pac

diff --git a/NEWS b/NEWS
index 389820d607..b8a75687ae 100644
--- a/NEWS
+++ b/NEWS
@@ -185,6 +185,9 @@ Changed Functionality
 - BroControl now sends all normal command output (i.e., not error messages)
   to stdout.  Error messages are still sent to stderr, however.
 
+- The capability of processing NetFlow input has been removed for the
+  time being.
+
 Deprecated Functionality
 ------------------------
 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f001186f50..0437c873fd 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2818,60 +2818,6 @@ global generate_OS_version_event: set[subnet] &redef;
 # number>``), which were seen during the sample.
 type load_sample_info: set[string];
 
-## ID for NetFlow header. This is primarily a means to sort together NetFlow
-## headers and flow records at the script level.
-type nfheader_id: record {
-	## Name of the NetFlow file (e.g., ``netflow.dat``) or the receiving
-	## socket address (e.g., ``127.0.0.1:5555``), or an explicit name if
-	## specified to ``-y`` or ``-Y``.
-	rcvr_id: string;
-	## A serial number, ignoring any overflows.
-	pdu_id: count;
-};
-
-## A NetFlow v5 header.
-##
-## .. bro:see:: netflow_v5_header
-type nf_v5_header: record {
-	h_id: nfheader_id;	##< ID for sorting.
-	cnt: count;	##< TODO.
-	sysuptime: interval;	##< Router's uptime.
-	exporttime: time;	##< When the data was exported.
-	flow_seq: count;	##< Sequence number.
-	eng_type: count;	##< Engine type.
-	eng_id: count;	##< Engine ID.
-	sample_int: count;	##< Sampling interval.
-	exporter: addr;	##< Exporter address.
-};
-
-## A NetFlow v5 record.
-##
-## .. bro:see:: netflow_v5_record
-type nf_v5_record: record {
-	h_id: nfheader_id;	##< ID for sorting.
-	id: conn_id;	##< Connection ID.
-	nexthop: addr;	##< Address of next hop.
-	input: count;	##< Input interface.
-	output: count;	##< Output interface.
-	pkts: count;	##< Number of packets.
-	octets: count;	##< Number of bytes.
-	first: time;	##< Timestamp of first packet.
-	last: time;	##< Timestamp of last packet.
-	tcpflag_fin: bool;	##< FIN flag for TCP flows.
-	tcpflag_syn: bool;	##< SYN flag for TCP flows.
-	tcpflag_rst: bool;	##< RST flag for TCP flows.
-	tcpflag_psh: bool;	##< PSH flag for TCP flows.
-	tcpflag_ack: bool;	##< ACK flag for TCP flows.
-	tcpflag_urg: bool;	##< URG flag for TCP flows.
-	proto: count;	##< IP protocol.
-	tos: count;	##< Type of service.
-	src_as: count;	##< Source AS.
-	dst_as: count;	##< Destination AS.
-	src_mask: count;	##< Source mask.
-	dst_mask: count;	##< Destination mask.
-};
-
-
 ## A BitTorrent peer.
 ##
 ## .. bro:see:: bittorrent_peer_set
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index cb823af519..f2ce3c1509 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -24,7 +24,6 @@ add_subdirectory(modbus)
 add_subdirectory(mysql)
 add_subdirectory(ncp)
 add_subdirectory(netbios)
-add_subdirectory(netflow)
 add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
diff --git a/src/analyzer/protocol/netflow/CMakeLists.txt b/src/analyzer/protocol/netflow/CMakeLists.txt
deleted file mode 100644
index 3afc9fd66a..0000000000
--- a/src/analyzer/protocol/netflow/CMakeLists.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-
-# This is not an actual analyzer, but used by the core. We still
-# maintain it here along with the other analyzers because conceptually
-# it's also parsing a protocol just like them. The current structure
-# is merely a left-over from when this code was written.
-
-include(BroPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-bro_plugin_begin(Bro NetFlow)
-bro_plugin_cc(Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(netflow.pac netflow-protocol.pac netflow-analyzer.pac)
-bro_plugin_end()
-
diff --git a/src/analyzer/protocol/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc
deleted file mode 100644
index 26107d0003..0000000000
--- a/src/analyzer/protocol/netflow/Plugin.cc
+++ /dev/null
@@ -1,21 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-namespace plugin {
-namespace Bro_NetFlow {
-
-class Plugin : public plugin::Plugin {
-public:
-	plugin::Configuration Configure()
-		{
-		plugin::Configuration config;
-		config.name = "Bro::NetFlow";
-		config.description = "NetFlow parsing";
-		return config;
-		}
-} plugin;
-
-}
-}
diff --git a/src/analyzer/protocol/netflow/events.bif b/src/analyzer/protocol/netflow/events.bif
deleted file mode 100644
index 69c196de9e..0000000000
--- a/src/analyzer/protocol/netflow/events.bif
+++ /dev/null
@@ -1,18 +0,0 @@
-## Generated for a received NetFlow v5 header.  Bro's NetFlow processor raises
-## this event whenever it either receives a NetFlow header on the port it's
-## listening on, or reads one from a trace file.
-##
-## h: The parsed NetFlow header.
-##
-## .. bro:see:: netflow_v5_record
-event netflow_v5_header%(h: nf_v5_header%);
-
-## Generated for a received NetFlow v5 record.  Bro's NetFlow processor raises
-## this event whenever it either receives a NetFlow record on the port it's
-## listening on, or reads one from a trace file.
-##
-## r: The parsed NetFlow record.
-##
-## .. bro:see:: netflow_v5_record
-event netflow_v5_record%(r: nf_v5_record%);
-
diff --git a/src/analyzer/protocol/netflow/netflow-analyzer.pac b/src/analyzer/protocol/netflow/netflow-analyzer.pac
deleted file mode 100644
index 439215dbc1..0000000000
--- a/src/analyzer/protocol/netflow/netflow-analyzer.pac
+++ /dev/null
@@ -1,174 +0,0 @@
-# Code written by Bernhard Ager (2007).
-
-analyzer NetFlow withcontext {
-	analyzer:	NetFlow_Analyzer;
-	flow:		NetFlow_Flow;
-}
-
-analyzer NetFlow_Analyzer {
-	downflow = NetFlow_Flow;
-	upflow = NetFlow_Flow;
-};
-
-flow NetFlow_Flow {
-	datagram = NetFlowPacket withcontext(connection, this);
-
-	%member{
-		RecordType* nf_v5_header_type;
-		RecordType* nf_v5_record_type;
-		RecordType* nfheader_id_type;
-		char* identifier;
-		uint32 exporter_ip;
-		uint32 uptime;
-		double export_time;
-		bro_uint_t pdu_id;
-	%}
-
-	%init{
-		nf_v5_header_type =
-			internal_type("nf_v5_header")->AsRecordType();
-		nf_v5_record_type =
-			internal_type("nf_v5_record")->AsRecordType();
-		nfheader_id_type =
-			internal_type("nfheader_id")->AsRecordType();
-		identifier = NULL;
-		exporter_ip = 0;
-		uptime = 0;
-		export_time = 0;
-		pdu_id = 0;
-	%}
-
-	# %cleanup does not only put the cleanup code into the destructor,
-	# but also at the end of the catch clause in NewData().  This is
-	# different from the documentation at
-	# http://www.bro.org/wiki/index.php/BinPAC_Userguide#.25cleanup.7B....25.7D
-	#
-	# Unfortunately this means that we cannot clean up the identifier
-	# string.  Note that IOSource destructors seemingly are never
-	# called anyway.
-	#
-	#    %cleanup{
-	#	delete[] identifier;
-	#    %}
-
-	function set_exporter_ip(exporter_ip: uint32): bool
-		%{
-		this->exporter_ip = exporter_ip;
-		return true;
-		%}
-
-	function set_identifier(idf: const_charptr): bool
-		%{
-		if ( identifier )
-			delete[] identifier;
-		identifier = new char[strlen(idf) + 1];
-		strcpy(identifier, idf);
-		return true;
-		%}
-
-	function deliver_v5_header(count: uint16, sysuptime: uint32,
-				unix_secs: uint32, unix_nsecs: uint32,
-				flow_seq: uint32, eng_type: uint8,
-				eng_id: uint8, sample_int: uint16): bool
-		%{
-		uptime = sysuptime;
-		export_time = unix_secs + unix_nsecs / 1e9;
-		++pdu_id;
-
-		if ( ! ::netflow_v5_header )
-			return false;
-
-		RecordVal* nfheader = new RecordVal(nfheader_id_type);
-		nfheader->Assign(0, new StringVal(identifier));
-		nfheader->Assign(1, new Val(pdu_id, TYPE_COUNT));
-
-		RecordVal* v5header = new RecordVal(nf_v5_header_type);
-		v5header->Assign(0, nfheader);
-		v5header->Assign(1, new Val(count, TYPE_COUNT));
-		v5header->Assign(2, new IntervalVal(sysuptime, Milliseconds));
-		v5header->Assign(3, new Val(export_time, TYPE_TIME));
-		v5header->Assign(4, new Val(flow_seq, TYPE_COUNT));
-		v5header->Assign(5, new Val(eng_type, TYPE_COUNT));
-		v5header->Assign(6, new Val(eng_id, TYPE_COUNT));
-		v5header->Assign(7, new Val(sample_int, TYPE_COUNT));
-		v5header->Assign(8, new AddrVal(exporter_ip));
-
-		val_list* vl = new val_list;
-		vl->append(v5header);
-		mgr.QueueEvent(netflow_v5_header, vl);
-
-		return true;
-		%}
-
-	function deliver_v5_record(srcaddr: uint32, dstaddr: uint32,
-				nexthop: uint32, input: uint16, output: uint16,
-				dPkts: uint32, dOctets: uint32,
-				first: uint32, last: uint32,
-				srcport: uint16, dstport: uint16,
-				tcp_flags: uint8, prot: uint8, tos: uint8,
-				src_as: uint16, dst_as: uint16,
-				src_mask: uint8, dst_mask: uint8): bool
-		%{
-		if ( ! ::netflow_v5_record )
-			return false;
-
-		TransportProto proto = TRANSPORT_UNKNOWN;
-		switch ( prot ) {
-		case 1: proto = TRANSPORT_ICMP; break;
-		case 6: proto = TRANSPORT_TCP; break;
-		case 17: proto = TRANSPORT_UDP; break;
-		}
-
-		RecordVal* connid = new RecordVal(conn_id);
-		connid->Assign(0, new AddrVal(htonl(srcaddr)));
-		connid->Assign(1, new PortVal(srcport, proto));
-		connid->Assign(2, new AddrVal(htonl(dstaddr)));
-		connid->Assign(3, new PortVal(dstport, proto));
-
-		RecordVal* nfheader = new RecordVal(nfheader_id_type);
-		nfheader->Assign(0, new StringVal(identifier));
-		nfheader->Assign(1, new Val(pdu_id, TYPE_COUNT));
-
-		RecordVal* v5record = new RecordVal(nf_v5_record_type);
-		v5record->Assign(0, nfheader);
-		v5record->Assign(1, connid);
-		v5record->Assign(2, new AddrVal(htonl(nexthop)));
-		v5record->Assign(3, new Val(input, TYPE_COUNT));
-		v5record->Assign(4, new Val(output, TYPE_COUNT));
-		v5record->Assign(5, new Val(dPkts, TYPE_COUNT));
-		v5record->Assign(6, new Val(dOctets, TYPE_COUNT));
-
-		// Overflows are handled correctly by using 32 bit
-		// unsigned integer arithmetic.
-		double c_first = export_time - (uptime - first) * Milliseconds;
-		double c_last = export_time - (uptime - last) * Milliseconds;
-		v5record->Assign(7, new Val(c_first, TYPE_TIME));
-		v5record->Assign(8, new Val(c_last, TYPE_TIME));
-
-		v5record->Assign(9,
-			new Val((tcp_flags & TH_FIN) != 0, TYPE_BOOL));
-		v5record->Assign(10,
-			new Val((tcp_flags & TH_SYN) != 0, TYPE_BOOL));
-		v5record->Assign(11,
-			new Val((tcp_flags & TH_RST) != 0, TYPE_BOOL));
-		v5record->Assign(12,
-			new Val((tcp_flags & TH_PUSH) != 0, TYPE_BOOL));
-		v5record->Assign(13,
-			new Val((tcp_flags & TH_ACK) != 0, TYPE_BOOL));
-		v5record->Assign(14,
-			new Val((tcp_flags & TH_URG) != 0, TYPE_BOOL));
-
-		v5record->Assign(15, new Val(prot, TYPE_COUNT));
-		v5record->Assign(16, new Val(tos, TYPE_COUNT));
-		v5record->Assign(17, new Val(src_as, TYPE_COUNT));
-		v5record->Assign(18, new Val(dst_as, TYPE_COUNT));
-		v5record->Assign(19, new Val(src_mask, TYPE_COUNT));
-		v5record->Assign(20, new Val(dst_mask, TYPE_COUNT));
-
-		val_list* vl = new val_list;
-		vl->append(v5record);
-		mgr.QueueEvent(netflow_v5_record, vl);
-
-		return true;
-		%}
-	};
diff --git a/src/analyzer/protocol/netflow/netflow-protocol.pac b/src/analyzer/protocol/netflow/netflow-protocol.pac
deleted file mode 100644
index 6b97b7cee6..0000000000
--- a/src/analyzer/protocol/netflow/netflow-protocol.pac
+++ /dev/null
@@ -1,89 +0,0 @@
-# Code written by Bernhard Ager (2007).
-
-type NetFlowPacket = record {
-	# Count and version are the first two fields, at least for
-	# versions 1, 5, 7, 8 and 9.
-	version: uint16;
-
-	# This does not generate any code in current binpac.
-	count: uint16 &check(count <= 30);
-
-	header: NFHeader(version, count);
-	records: NFRecord(version)[count];
-} &byteorder = bigendian;
-
-type NFHeader(version: uint16, count: uint16) = case version of {
-	5 -> v5header: NFv5HeaderRest(count);
-	9 -> v9header: NFv9HeaderRest(count);
-	# default -> string: bytestring &restofdata &transient;
-};
-
-type NFv5HeaderRest(count: uint16) = record {
-	sysuptime: uint32;
-	unix_secs: uint32;
-	unix_nsecs: uint32;
-	flow_seq: uint32;
-	eng_type: uint8;
-	eng_id: uint8;
-	sample_int: uint16;
-} &let {
-	delivered: bool =
-		$context.flow.deliver_v5_header(count, sysuptime,
-					     unix_secs, unix_nsecs,
-					     flow_seq, eng_type,
-					     eng_id, sample_int);
-};
-
-type NFv9HeaderRest(count: uint16) = record {
-	sysuptime: uint32;
-	unix_secs: uint32;
-	pack_seq: uint32;
-	src_id: uint32;
-};
-
-# We only handle version 5 and 9.  Others will throw a parsing exception.
-type NFRecord(nf_version: uint32) = case nf_version of {
-	5 -> v5: NFv5Record;
-	9 -> v9: NFv9Record;
-};
-
-type NFv5Record = record {
-	srcaddr: uint32;
-	dstaddr: uint32;
-	nexthop: uint32;
-	input: uint16;
-	output: uint16;
-	dPkts: uint32;
-	dOctets: uint32;
-	first: uint32;
-	last: uint32;
-	srcport: uint16;
-	dstport: uint16;
-	: uint8;      # PAD1
-	tcp_flags: uint8;
-	prot: uint8;
-	tos: uint8;
-	src_as: uint16;
-	dst_as: uint16;
-	src_mask: uint8;
-	dst_mask: uint8;
-	: uint16;     # PAD2
-} &let {
-	delivered: bool =
-		$context.flow.deliver_v5_record(srcaddr, dstaddr,
-					      nexthop, input, output,
-					      dPkts, dOctets, first,
-					      last, srcport, dstport,
-					      tcp_flags, prot, tos,
-					      src_as, dst_as,
-					      src_mask, dst_mask);
-};
-
-# Works for both template and data flow sets.  Data parsing will have
-# to be done externally - no event generation yet.  We need sample
-# flow data to implement that.
-type NFv9Record = record {
-	flowset_id: uint32;
-	length: uint32;
-	data: bytestring &length = length - 8;
-};
diff --git a/src/analyzer/protocol/netflow/netflow.pac b/src/analyzer/protocol/netflow/netflow.pac
deleted file mode 100644
index 57e1b71a76..0000000000
--- a/src/analyzer/protocol/netflow/netflow.pac
+++ /dev/null
@@ -1,13 +0,0 @@
-# Code written by Bernhard Ager (2007).
-
-%extern{
-#include "net_util.h"
-#include "Event.h"
-extern RecordType* conn_id;
-
-#include "events.bif.h"
-%}
-
-%include bro.pac
-%include netflow-analyzer.pac
-%include netflow-protocol.pac
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 38c1930a99..a49f429d84 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-04-20-00-41-21
+#open	2015-04-21-03-05-12
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -84,7 +84,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
@@ -126,4 +125,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2015-04-20-00-41-21
+#close	2015-04-21-03-05-12
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index b705f00202..005a719212 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2015-04-20-01-01-51
+#open	2015-04-21-03-05-19
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -84,7 +84,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
@@ -265,4 +264,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2015-04-20-01-01-51
+#close	2015-04-21-03-05-19

From 770f833ea24f0c205581ebd4cc3923dd854c0cc7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 20 Apr 2015 19:46:45 -0700
Subject: [PATCH 53/54] Removing deprecated fields from the connection record.

Removing "hot" and "addl", which haven't been used anymore for a long
time. Also removing the functions append_addl() and append_addl_marker().
---
 scripts/base/init-bare.bro                    |  23 --
 src/Conn.cc                                   |  10 +-
 src/bro.bif                                   |   4 +-
 .../btest-doc.sphinx.connection-record-01#1   |   2 +-
 .../btest-doc.sphinx.connection-record-02#1   |   2 +-
 testing/btest/Baseline/plugins.hooks/output   |  86 ++++----
 .../all-events.log                            | 208 +++++++++---------
 .../smtp-events.log                           |  52 ++---
 8 files changed, 179 insertions(+), 208 deletions(-)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 0437c873fd..99d2223abc 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -333,8 +333,6 @@ type connection: record {
 	## to parse the same data. If so, all will be recorded. Also note that
 	## the recorded services are independent of any transport-level protocols.
 	service: set[string];
-	addl: string;	##< Deprecated.
-	hot: count;	##< Deprecated.
 	history: string;	##< State history of connections. See *history* in :bro:see:`Conn::Info`.
 	## A globally unique connection identifier. For each connection, Bro
 	## creates an ID that is very likely unique across independent Bro runs.
@@ -1089,27 +1087,6 @@ const ENDIAN_LITTLE = 1;	##< Little endian.
 const ENDIAN_BIG = 2;	##< Big endian.
 const ENDIAN_CONFUSED = 3;	##< Tried to determine endian, but failed.
 
-## Deprecated.
-function append_addl(c: connection, addl: string)
-	{
-	if ( c$addl == "" )
-		c$addl= addl;
-
-	else if ( addl !in c$addl )
-		c$addl = fmt("%s %s", c$addl, addl);
-	}
-
-## Deprecated.
-function append_addl_marker(c: connection, addl: string, marker: string)
-	{
-	if ( c$addl == "" )
-		c$addl= addl;
-
-	else if ( addl !in c$addl )
-		c$addl = fmt("%s%s%s", c$addl, marker, addl);
-	}
-
-
 # Values for :bro:see:`set_contents_file` *direction* argument.
 # todo:: these should go into an enum to make them autodoc'able
 const CONTENTS_NONE = 0;	##< Turn off recording of contents.
diff --git a/src/Conn.cc b/src/Conn.cc
index bc62902421..96e71ca52d 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -375,17 +375,15 @@ RecordVal* Connection::BuildConnVal()
 		conn_val->Assign(2, resp_endp);
 		// 3 and 4 are set below.
 		conn_val->Assign(5, new TableVal(string_set));	// service
-		conn_val->Assign(6, new StringVal(""));	// addl
-		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
-		conn_val->Assign(8, new StringVal(""));	// history
+		conn_val->Assign(6, new StringVal(""));	// history
 
 		if ( ! uid )
 			uid.Set(bits_per_uid);
 
-		conn_val->Assign(9, new StringVal(uid.Base62("C").c_str()));
+		conn_val->Assign(7, new StringVal(uid.Base62("C").c_str()));
 
 		if ( encapsulation && encapsulation->Depth() > 0 )
-			conn_val->Assign(10, encapsulation->GetVectorVal());
+			conn_val->Assign(8, encapsulation->GetVectorVal());
 		}
 
 	if ( root_analyzer )
@@ -393,7 +391,7 @@ RecordVal* Connection::BuildConnVal()
 
 	conn_val->Assign(3, new Val(start_time, TYPE_TIME));	// ###
 	conn_val->Assign(4, new Val(last_time - start_time, TYPE_INTERVAL));
-	conn_val->Assign(8, new StringVal(history.c_str()));
+	conn_val->Assign(6, new StringVal(history.c_str()));
 
 	conn_val->SetOrigin(this);
 
diff --git a/src/bro.bif b/src/bro.bif
index 9bba501592..2d96e200ed 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -3207,9 +3207,7 @@ function lookup_connection%(cid: conn_id%): connection
 	c->Assign(3, new Val(network_time, TYPE_TIME));
 	c->Assign(4, new Val(0.0, TYPE_INTERVAL));
 	c->Assign(5, new TableVal(string_set));	// service
-	c->Assign(6, new StringVal(""));	// addl
-	c->Assign(7, new Val(0, TYPE_COUNT));	// hot
-	c->Assign(8, new StringVal(""));	// history
+	c->Assign(6, new StringVal(""));	// history
 
 	return c;
 	%}
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
index d2cdfa3a62..05169c643c 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
@@ -7,7 +7,7 @@
       # bro -b -r http/get.trace connection_record_01.bro
       [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
       
-      }, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
+      }, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
       
       }], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
 
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
index 56fa2a6a8d..60d2362043 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
@@ -7,7 +7,7 @@
       # bro -b -r http/get.trace connection_record_02.bro
       [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
       
-      }, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
+      }, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
       
       }], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
       
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index a937d1986e..bd1e0e10e4 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -205,7 +205,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429581589.594551, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429585589.064843, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -305,7 +305,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429581589.594551, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429585589.064843, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -378,7 +378,6 @@
 0.000000   MetaHookPost  LoadFile(./Bro_NTP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_NetFlow.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_PE.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_PIA.events.bif.bro) -> -1
@@ -769,7 +768,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429581589.594551, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429585589.064843, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -869,7 +868,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429581589.594551, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429585589.064843, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -942,7 +941,6 @@
 0.000000   MetaHookPre   LoadFile(./Bro_NTP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_NetFlow.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NoneWriter.none.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_PE.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_PIA.events.bif.bro)
@@ -1332,7 +1330,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429581589.594551, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429585589.064843, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1432,7 +1430,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429581589.594551, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429585589.064843, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1477,45 +1475,45 @@
 1362692526.869344   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(net_stats, <frame>, ()) -> <no result>
-1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.869344   MetaHookPost  DrainEvents() -> <void>
 1362692526.869344   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692526.869344   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.869344   MetaHookPost  UpdateNetworkTime(1362692526.869344) -> <void>
 1362692526.869344   MetaHookPre   BroObjDtor(<void ptr>)
 1362692526.869344   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
 1362692526.869344   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 1362692526.869344   MetaHookPre   CallFunction(net_stats, <frame>, ())
-1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.869344   MetaHookPre   DrainEvents()
 1362692526.869344   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692526.869344   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.869344   MetaHookPre   UpdateNetworkTime(1362692526.869344)
 1362692526.869344  | HookBroObjDtor
 1362692526.869344  | HookUpdateNetworkTime 1362692526.869344
 1362692526.869344 | HookCallFunction ChecksumOffloading::check()
 1362692526.869344 | HookCallFunction filter_change_tracking()
 1362692526.869344 | HookCallFunction net_stats()
-1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | HookDrainEvents
 1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
 1362692526.869344 | HookQueueEvent filter_change_tracking()
-1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
-1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.939084   MetaHookPost  DrainEvents() -> <void>
-1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.939084   MetaHookPost  UpdateNetworkTime(1362692526.939084) -> <void>
-1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   DrainEvents()
-1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   UpdateNetworkTime(1362692526.939084)
 1362692526.939084  | HookUpdateNetworkTime 1362692526.939084
-1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939084 | HookDrainEvents
-1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939378   MetaHookPost  DrainEvents() -> <void>
 1362692526.939378   MetaHookPost  UpdateNetworkTime(1362692526.939378) -> <void>
 1362692526.939378   MetaHookPre   DrainEvents()
@@ -1525,12 +1523,12 @@
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
@@ -1545,29 +1543,29 @@
 1362692526.939527   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, <...>/)) -> <no result>
 1362692526.939527   MetaHookPost  DrainEvents() -> <void>
-1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
 1362692526.939527   MetaHookPost  UpdateNetworkTime(1362692526.939527) -> <void>
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
@@ -1582,17 +1580,17 @@
 1362692526.939527   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692526.939527   MetaHookPre   CallFunction(network_time, <frame>, ())
-1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
+1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 1362692526.939527   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, <...>/))
 1362692526.939527   MetaHookPre   DrainEvents()
-1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
 1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   UpdateNetworkTime(1362692526.939527)
@@ -1600,12 +1598,12 @@
 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
 1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
@@ -1620,17 +1618,17 @@
 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692526.939527 | HookCallFunction network_time()
-1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
+1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/)
 1362692526.939527 | HookDrainEvents
-1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
 1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692527.008509   MetaHookPost  DrainEvents() -> <void>
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index c380b06896..29fcf2d276 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -1,62 +1,62 @@
          0.000000 bro_init
          0.000000 filter_change_tracking
 1254722767.492060 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
 
 1254722767.492060 ChecksumOffloading::check
 1254722767.492060 filter_change_tracking
 1254722767.492060 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722767.492060 dns_message
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
                   [3] len: count         = 34
 
 1254722767.492060 dns_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
                   [2] query: string      = mail.patriots.in
                   [3] qtype: count       = 1
                   [4] qclass: count      = 1
 
 1254722767.492060 dns_end
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
 
 1254722767.526085 dns_message
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [3] len: count         = 100
 
 1254722767.526085 dns_CNAME_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [2] ans: dns_answer    = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs]
                   [3] name: string       = patriots.in
 
 1254722767.526085 dns_A_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
                   [2] ans: dns_answer    = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs]
                   [3] a: addr            = 74.53.140.153
 
 1254722767.526085 dns_end
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
 
 1254722767.529046 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722767.875996 connection_established
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -64,7 +64,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -72,7 +72,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -80,18 +80,18 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -99,7 +99,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -107,7 +107,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -115,7 +115,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -123,7 +123,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -131,7 +131,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -139,13 +139,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -153,13 +153,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -167,13 +167,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -181,13 +181,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -195,13 +195,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -209,16 +209,16 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.320203 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -226,243 +226,243 @@
                   [5] cont_resp: bool    = F
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" <gurpartap@patriots.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=TO, value=<raj_deol2002in@yahoo.co.in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=SUBJECT, value=SMTP]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;^Iboundary="----=_NextPart_000_0004_01CA45B0.095693F0"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;^Iboundary="----=_NextPart_001_0005_01CA45B0.095693F0"]
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Icharset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_sniff
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;^Icharset="us-ascii"]
 
 1254722770.692743 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_sniff
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]]
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J^Icolor:windowtext;}^M^J.MsoChpDefault^M^J^I{mso-style-type:export-only;}^M^J@page Section1^M^J^I{size:8.5in 11.0in;^M^J^Imargin:1.0in 1.0in 1.0in 1.0in;}^M^Jdiv.Section1^M^J^I{page:Section1;}^M^J-->^M^J</style>^M^J<!--[if gte mso 9]><xml>^M^J <o:shapedefaults v:ext="edit" spidmax="1026" />^M^J</xml><![endif]--><!--[if gte mso 9]><xml>^M^J <o:shapelayout v:ext="edit">^M^J  <o:idmap v:ext="edit" data="1" />^M^J </o:shapelayout></xml><![endif]-->^M^J</head>^M^J^M^J<body lang=EN-US link=blue vlink=purple>^M^J^M^J<div class=Section1>^M^J^M^J<p class=MsoNormal>Hello<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>^M^J^M^J<p class=MsoNormal>Find the attachment<o:p></o:p></p>^M^J^M^J<p class=MsoNormal><o:p>&nbsp;</o:p></p>^M^J^M^J<p class=MsoNormal>GPS<o:p></o:p></p>^M^J^M^J</div>^M^J^M^J</body>^M^J^M^J</html>^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=61.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_begin_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Iname="NEWS.txt"]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
 1254722770.692804 mime_one_header
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;^Ifilename="NEWS.txt"]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692804 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.695115 new_connection
-                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.494181 file_sniff
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=<uninitialized>, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]]
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J  include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J  (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J  compiler: -D__DEBUG__^M^J* Each project creates a <project_name>_private.h file containing version^M^J  information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 mime_end_entity
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = T
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -470,13 +470,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT
@@ -484,24 +484,24 @@
                   [5] cont_resp: bool    = F
 
 1254722776.690444 new_connection
-                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 net_done
                   [0] t: time            = 1254722776.690444
 
 1254722776.690444 ChecksumOffloading::check
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 filter_change_tracking
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1254722776.690444 bro_done
 1254722776.690444 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
index b01d9d36dc..42cff5b451 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@@ -1,5 +1,5 @@
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -7,7 +7,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -15,7 +15,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.219663 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 220
                   [3] cmd: string        = >
@@ -23,13 +23,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.224809 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = EHLO
                   [3] arg: string        = GP
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -37,7 +37,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -45,7 +45,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -53,7 +53,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -61,7 +61,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -69,7 +69,7 @@
                   [5] cont_resp: bool    = T
 
 1254722768.566183 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = EHLO
@@ -77,13 +77,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.568729 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = AUTH
                   [3] arg: string        = LOGIN
 
 1254722768.911081 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH
@@ -91,13 +91,13 @@
                   [5] cont_resp: bool    = F
 
 1254722768.911655 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 1254722769.253544 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 334
                   [3] cmd: string        = AUTH_ANSWER
@@ -105,13 +105,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.254118 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = **
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 1254722769.613798 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 235
                   [3] cmd: string        = AUTH_ANSWER
@@ -119,13 +119,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.614414 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = MAIL
                   [3] arg: string        = FROM: <gurpartap@patriots.in>
 
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = MAIL
@@ -133,13 +133,13 @@
                   [5] cont_resp: bool    = F
 
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = RCPT
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = RCPT
@@ -147,13 +147,13 @@
                   [5] cont_resp: bool    = F
 
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = DATA
                   [3] arg: string        = 
 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 354
                   [3] cmd: string        = DATA
@@ -161,13 +161,13 @@
                   [5] cont_resp: bool    = F
 
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = .
                   [3] arg: string        = .
 
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 250
                   [3] cmd: string        = .
@@ -175,13 +175,13 @@
                   [5] cont_resp: bool    = F
 
 1254722774.763825 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] command: string    = QUIT
                   [3] arg: string        = 
 
 1254722775.105467 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] code: count        = 221
                   [3] cmd: string        = QUIT

From 6fb4b522c6b3f2094a2f35761d3c4f7022bc4013 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 20 Apr 2015 20:44:06 -0700
Subject: [PATCH 54/54] Slight doc tweak flagged by test.

---
 doc/scripting/index.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index 11c2119df9..2b5cfbb49c 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -363,7 +363,7 @@ decrypted from HTTP streams is stored in
 excerpt from :doc:`/scripts/base/protocols/http/main.bro` below.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/http/main.bro
-   :lines: 9-11,20-22,121
+   :lines: 9-11,20-22,125
 
 Because the constant was declared with the ``&redef`` attribute, if we
 needed to turn this option on globally, we could do so by adding the