From 333f167df4d344ba3ba152f00a650a051c0f3852 Mon Sep 17 00:00:00 2001 
From: Juliana Fajardini Date: Mon, 22 Aug 2022 15:29:03 -0300 Subject: [PATCH] tests: test flow droped but applayer event logged It seems that Suricata will log an applayer event for a dropped flow, for the second packet of the flow. This test demonstrates such behavior, so we can investigate it. Related to Task #5510 --- tests/bug-5802/README.md | 16 ++++++++++ tests/bug-5802/suricata.yaml | 29 ++++++++++++++++++ tests/bug-5802/test.rules | 2 ++ tests/bug-5802/test.yaml | 20 ++++++++++++ tests/detect-udp-flow-rule-01/suricata.yaml | 29 ++++++++++++++++++ tests/detect-udp-flow-rule-02/suricata.yaml | 29 ++++++++++++++++++ tests/detect-udp-flow-rule-02/test.rules | 2 ++ tests/detect-udp-flow-rule-02/test.yaml | 16 ++++++++++ .../README.md | 14 +++++++++ .../input.pcap | Bin 0 -> 3616 bytes .../suricata.yaml | 14 +++++++++ .../test.rules | 1 + .../test.yaml | 21 +++++++++++++ .../README.md | 15 +++++++++ .../input-http-ACK.pcap | Bin 0 -> 504 bytes .../suricata.yaml | 13 ++++++++ .../test.rules | 1 + .../test.yaml | 21 +++++++++++++ .../README.md | 14 +++++++++ .../input.pcap | Bin 0 -> 14564 bytes .../suricata.yaml | 13 ++++++++ .../test.rules | 1 + .../test.yaml | 22 +++++++++++++ .../test.yaml | 7 ++++- 24 files changed, 299 insertions(+), 1 deletion(-) create mode 100644 tests/bug-5802/README.md create mode 100644 tests/bug-5802/suricata.yaml create mode 100644 tests/bug-5802/test.rules create mode 100644 tests/bug-5802/test.yaml create mode 100644 tests/detect-udp-flow-rule-01/suricata.yaml create mode 100644 tests/detect-udp-flow-rule-02/suricata.yaml create mode 100644 tests/detect-udp-flow-rule-02/test.rules create mode 100644 tests/detect-udp-flow-rule-02/test.yaml create mode 100644 tests/droped-flow-applayer-event-logged-dcerpc/README.md create mode 100644 tests/droped-flow-applayer-event-logged-dcerpc/input.pcap create mode 100644 tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml create mode 100644 
tests/droped-flow-applayer-event-logged-dcerpc/test.rules create mode 100644 tests/droped-flow-applayer-event-logged-dcerpc/test.yaml create mode 100644 tests/droped-flow-applayer-event-logged-http/README.md create mode 100644 tests/droped-flow-applayer-event-logged-http/input-http-ACK.pcap create mode 100644 tests/droped-flow-applayer-event-logged-http/suricata.yaml create mode 100644 tests/droped-flow-applayer-event-logged-http/test.rules create mode 100644 tests/droped-flow-applayer-event-logged-http/test.yaml create mode 100644 tests/droped-flow-applayer-event-logged-smb/README.md create mode 100644 tests/droped-flow-applayer-event-logged-smb/input.pcap create mode 100644 tests/droped-flow-applayer-event-logged-smb/suricata.yaml create mode 100644 tests/droped-flow-applayer-event-logged-smb/test.rules create mode 100644 tests/droped-flow-applayer-event-logged-smb/test.yaml
diff --git a/tests/bug-5802/README.md b/tests/bug-5802/README.md
new file mode 100644
index 000000000..626da18cd
--- /dev/null
+++ b/tests/bug-5802/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Ensure that Suricata logs the expected amount of applayer protocol events,
+when there are packet and flow drops.
+
+# Expected behavior
+
+Application layer events for dropped packets or flows should be logged as part
+of the drop event, when their corresponding transaction is completed (which also
+happens when the flow is dropped). Therefore, we should not see ``sip`` events
+after ``pcap_cnt: 4``, since there's a drop in ``pcap_cnt: 5`` and the flow is
+dropped with packets 6 and 7 due to the applayer error exception policy.
+
+# Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5802
diff --git a/tests/bug-5802/suricata.yaml b/tests/bug-5802/suricata.yaml
new file mode 100644
index 000000000..a2f9e65cc
--- /dev/null
+++ b/tests/bug-5802/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - sip
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/bug-5802/test.rules b/tests/bug-5802/test.rules
new file mode 100644
index 000000000..ca13c4b2a
--- /dev/null
+++ b/tests/bug-5802/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; sid:1;)
+drop udp any any -> any any (flow:to_server; sid:2;)
diff --git a/tests/bug-5802/test.yaml b/tests/bug-5802/test.yaml
new file mode 100644
index 000000000..2e06568c2
--- /dev/null
+++ b/tests/bug-5802/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../sip-body-frames/public-cloudshark-sip-s0.pcap
+args:
+- --set app-layer.error-policy=drop-flow
+- --simulate-ips
+- -k none
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 3
+ match:
+ event_type: sip
diff --git a/tests/detect-udp-flow-rule-01/suricata.yaml b/tests/detect-udp-flow-rule-01/suricata.yaml
new file mode 100644
index 000000000..a2f9e65cc
--- /dev/null
+++ b/tests/detect-udp-flow-rule-01/suricata.yaml
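Review bot: The README for this test promises no `sip` events after `pcap_cnt: 4`, but the last check in test.yaml only pins the total (`count: 3`), so three `sip` events logged on packets 5, 6 and 7 would pass just as well. Add a zero-count filter matching `event_type: sip` together with `pcap_cnt: 5` (and likewise for 6 and 7), or pin the presence on the packets the README names, so the check actually enforces the stated expectation. This test and `detect-udp-flow-rule-02/test.yaml` also pass `app-layer.error-policy`, while the `threshold-config-rate-filter-drop-hostdst` change in this same commit gates its test on `requires: min-version: 7`; if that option is 7-only, the same `requires` block belongs in both new tests.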
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - sip
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/detect-udp-flow-rule-02/suricata.yaml b/tests/detect-udp-flow-rule-02/suricata.yaml
new file mode 100644
index 000000000..a2f9e65cc
--- /dev/null
+++ b/tests/detect-udp-flow-rule-02/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - sip
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/detect-udp-flow-rule-02/test.rules b/tests/detect-udp-flow-rule-02/test.rules
new file mode 100644
index 000000000..031f1bea5
--- /dev/null
+++ b/tests/detect-udp-flow-rule-02/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; sid:1;)
+alert udp any any -> any any (flow:to_server; sid:2;)
diff --git a/tests/detect-udp-flow-rule-02/test.yaml b/tests/detect-udp-flow-rule-02/test.yaml
new file mode 100644
index 000000000..0f9f568be
--- /dev/null
+++ b/tests/detect-udp-flow-rule-02/test.yaml
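Review bot: `tests/detect-udp-flow-rule-01/` receives only this `suricata.yaml`: the diffstat lists no `test.yaml` or `test.rules` for that directory, so it has no pcap, rules or checks and the runner has nothing to execute there. Either add the missing `test.yaml` (with `pcap:` and `checks:`) and `test.rules`, or leave the directory out until the test exists. This file is also the same blob (`a2f9e65cc`) as the `bug-5802` and `detect-udp-flow-rule-02` configs, so all three enable the `tls` and `anomaly` outputs although their checks only look at `alert`, `drop`, `flow` and `sip` events; trimming the `types:` list to what the checks consume would make each test's intent easier to read.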
@@ -0,0 +1,16 @@
+pcap: ../sip-body-frames/public-cloudshark-sip-s0.pcap
+args:
+- --simulate-ips
+- -k none
+- --set app-layer.error-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/README.md b/tests/droped-flow-applayer-event-logged-dcerpc/README.md
new file mode 100644
index 000000000..8d9438881
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-dcerpc/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+It seems that Suricata will log an applayer event for a dropped flow, for the
+second packet of the flow. This test demonstrates such behavior, so we can
+investigate it.
+
+This test demonstrates this behavior with the SMB version 3 protocol.
+
+
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
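Review bot: Nothing documents what `detect-udp-flow-rule-02` verifies; it uses the same pcap as `bug-5802/` and differs only in `alert udp` instead of `drop udp` and `drop-packet` instead of `drop-flow`, and without a README a reader cannot tell the two apart or tell why three alerts for sid 2 are the expected count here. Add a `README.md` like the one in `bug-5802/`, or at least a leading comment in test.yaml, e.g. `# with app-layer.error-policy=drop-packet and a plain alert rule, sid 2 is expected to fire on the three to_server UDP packets`, adjusted to the actual reasoning.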
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/input.pcap b/tests/droped-flow-applayer-event-logged-dcerpc/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..014c3dc2987890375ca9705228de15e882b3e36e GIT binary patch literal 3616 zc-oy;ZERCj7=F*a?bzC@?Olw!=)R1>NfcsZ0@0AH87!eDBv%$bMrPbH@gs`qppvPC zl0gg^{%D462q=R_lO-e|AY(DzXyX1%2_!^=(SQEh@W*OI5J@`U^WNL;+}pF#?rdlG zp4+qMJ|FKnXZ!hwOJ^1EK%p%x05H7%xbaT+FV6-bgZI4GLfhH4S^OEla;z3Q0nY1B zhT%{RKz7X6g1tGrmrceK86%x!Nz(||rPdPQP`+zRN0=}Hy!MqhU*U~;>y3SUut=oX zUcs)EK88_NPuCS-{eBoaV6ceF@nWzK_Cr5u@vjQNEqr>*(n2aMMW|(3`5J{#-w&`&rO%Zm_eNRSsh~>d zayRDCjjcFot8DRZ(w~wBc|4s|FJh2Gsc9-#Lv+J01o?Os$5=yFF9~o^D80eLWY6L; zf%6=T_-OG6Q5@Txd!z2buReGS_P~4aA*{izqu<&uzrCS2j~PXF;uOdI@G2s46yD#b zWAzhQ3%il+Zv6Zw{)fUd0EfZqCH3}^cAx4k@2ofVVmxu}0&e6Bx$X3#NWo#1Sq`f% zhntEA`%)XZy+k;rnspdHSiOW&M*Ej2jk_r23zWJi2r1zV9jc}jS|aqQJ?7U|#}ZK} z>{dILT087QVqDoOREFQwOZKJb^`~X!eCmZ(PN;&(v~hHOYL=`qN2oJ*Ksqr*#`qqVrxjhzJK|C{ew+42pp$Iij;k^ui;g z6|B$;{)n^rIOkyFOeU)R$Jy)zXENS;WYoozdHYQ{8@5a~U+2nt(<1ez3mNS~ZyIFY zD1tY-zy>N{^XXq@y?IDgyWsL>7cx4QfLGuD D4Tpaw literal 0 Hc-jL100001 diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml b/tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml new file mode 100644 index 000000000..4f1afe04c --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml @@ -0,0 +1,14 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + types: + - alert: + - flow + - dcerpc + - smb + - drop: + alerts: yes + flows: all diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/test.rules b/tests/droped-flow-applayer-event-logged-dcerpc/test.rules new file mode 100644 index 000000000..b018a2242 --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-dcerpc/test.rules @@ -0,0 +1 @@ +drop dcerpc any any -> any any (msg:"dcerpc rule"; sid:1;) 
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/test.yaml b/tests/droped-flow-applayer-event-logged-dcerpc/test.yaml
new file mode 100644
index 000000000..f3622529e
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-dcerpc/test.yaml
@@ -0,0 +1,21 @@
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ pcap_cnt: 2
+ event_type: smb
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
diff --git a/tests/droped-flow-applayer-event-logged-http/README.md b/tests/droped-flow-applayer-event-logged-http/README.md
new file mode 100644
index 000000000..7c1f235a0
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-http/README.md
@@ -0,0 +1,15 @@
+Test
+====
+
+It seems that Suricata will log an applayer event for a dropped flow, for the
+second packet of the flow. This test demonstrates such behavior, so we can
+investigate it.
+
+This test demonstrates this behavior with the HTTP protocol.
+
+
+PCAP
+====
+
+PCAP is the result of extracting the http packets from a pcap representing a
+curl to the www.testmyids.com site.
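Review bot: The checks never look at `dcerpc` events although the rule is `drop dcerpc ...` and this directory's `suricata.yaml` enables the `dcerpc` logger: the only applayer check asserts `count: 0` for `event_type: smb` on `pcap_cnt: 2`, which passes trivially if packet 2 carries no SMB at all, so the test does not show whether a DCERPC event is logged for the dropped flow. Change the first filter to `event_type: dcerpc`, with the count that reflects the behavior under investigation, as the http and smb variants do. The README for this directory is the same blob as the smb one (`8d9438881`) and says "SMB version 3 protocol", so it should describe the DCERPC pcap instead. The "droped" typo in the directory name is shared with the http and smb siblings; renaming before merge avoids carrying it into the suite.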
diff --git a/tests/droped-flow-applayer-event-logged-http/input-http-ACK.pcap b/tests/droped-flow-applayer-event-logged-http/input-http-ACK.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c5b1c5155fcf81275ebdd01a873ddd0ab6b584bd GIT binary patch literal 504 zc-p&ic+)~A1{MYcU}0bclKT(0g)iY@W@rbpL6|{QoR{tUjniFk7rJpUxH2$Q_Rnx& zaA2F=!zIAT9kg`gtjnty0;*0d-#7i)CG`LahNn^|85rDMLlpECJVHVO^bPe4dAU6D zi%YB&%FE03N>YnUaw{`aiuIE7b9uQ!i&Kkq9n(|ufYQmOMLGKBdM3tt2E1I3$;qh& zKtU~iEnY5OE|9bKy=G;w1iBG~Ar68#4&*FG?T}&z21B+d|3OXyIgKIU@+y#%s!pun z50GH=KETbu0CSLnk%57Nzc(+JOJYf?l|p!GijIPzv4U4=4p7F>Ou@*=%EZXZz+A!I zH-wifIJKxOwa7}ru^=%yBbArSC$YFh*Ec^UGc7YU#Y(|9KM$zeRKY7T4`i;nf|0S6 zp`n$jDMYtxNMgE`f|8+yVX}pZWumT;xvq(kxnZ(tnqgwHNwR?w%&)pZiFxU%#a0SQ zmB2va<#Nu?D*=X!u1{)SdP#dlH43n2$g20*cxaQ<>!}Z QDx@Q`i}FhgieX$X0EzLFIRF3v literal 0 Hc-jL100001 diff --git a/tests/droped-flow-applayer-event-logged-http/suricata.yaml b/tests/droped-flow-applayer-event-logged-http/suricata.yaml new file mode 100644 index 000000000..d672946e9 --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-http/suricata.yaml @@ -0,0 +1,13 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + types: + - alert: + - flow + - http + - drop: + alerts: yes + flows: all diff --git a/tests/droped-flow-applayer-event-logged-http/test.rules b/tests/droped-flow-applayer-event-logged-http/test.rules new file mode 100644 index 000000000..5e239544c --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-http/test.rules @@ -0,0 +1 @@ +drop http any any -> any any (msg:"http rule"; sid:1;) diff --git a/tests/droped-flow-applayer-event-logged-http/test.yaml b/tests/droped-flow-applayer-event-logged-http/test.yaml new file mode 100644 index 000000000..3c5faea4c --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-http/test.yaml 
@@ -0,0 +1,21 @@
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ pcap_cnt: 2
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
diff --git a/tests/droped-flow-applayer-event-logged-smb/README.md b/tests/droped-flow-applayer-event-logged-smb/README.md
new file mode 100644
index 000000000..8d9438881
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-smb/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+It seems that Suricata will log an applayer event for a dropped flow, for the
+second packet of the flow. This test demonstrates such behavior, so we can
+investigate it.
+
+This test demonstrates this behavior with the SMB version 3 protocol.
+
+
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
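Review bot: `count: 1` for `event_type: http` on `pcap_cnt: 2` pins exactly the behavior the commit message says is under investigation (an applayer event logged for an already-dropped flow), so once Task #5510 is resolved this check, and the matching `smb` one in `droped-flow-applayer-event-logged-smb/test.yaml`, will fail with nothing explaining why. Add a comment above the filter, `# documents current behavior being investigated in Task #5510; expected to change once fixed`, or write the desired `count: 0` and mark the test as expected to fail if the runner supports that. No `pcap:` is given and the capture is named `input-http-ACK.pcap` rather than `input.pcap`; if the runner only auto-discovers `input.pcap`, add `pcap: input-http-ACK.pcap`.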
diff --git a/tests/droped-flow-applayer-event-logged-smb/input.pcap b/tests/droped-flow-applayer-event-logged-smb/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0adc7740e1c97dbd6d9b6a1d488ec764a0b38db2 GIT binary patch literal 14564 zc-p;tbwCtt*Z0ybh=PRD9ZE|nh|+?zuoBXeD=Z=1jYvpHOLqxMgMdhbl!TNZT_PYQ zyfb?%uki42zu!L}2IMwyD7gL;^*;!}*pWD_4@4pE=xcmn++h4jHIc+%+(7)r?j%&K z;hq1)4#b@a#t)3Kb29dS;`o1w{SE{L0{)ZTJ4RlN_b(AFT@^Ied7kz4O zs0%mLF)_A;SsQ|Ec9UU3YJnJP&vHT$*&@OTt*4w&429`215OxzQ+(`%0gzE(kY|6h zi3HMey#0S;lk_k9s6(iZ-AXiTuasAYOwEy@71~C4yKYz2?dmR%}0K5X%)80TzCR+l%;X8EF8z0!A zFnxN!8;fw7V{Z(Ci~_Ho{5NkP{~y^r=?wy;)86_`q z0$>4UEIK&2G4ZLFmfdS7z#+S6thdhNq72F!d~Vk1Ig<&Bd1vVZ2nKi>K# zhY2YKwoA{-I~iolh`jUZq_>)10TEh(-rB1<_SO&>Aux#LKhgao9123E-$moUL}!(M z<<~VYk7(3@S4&Qz=F|T~M+eaamcJF#1T?XP=mR`E0CUp@cxCV#gM>ULBnsG$I*Va{ z>mvliqo)|QVw3-f12P=5c+7AWhyxfy;WP%UGcX|ig`xQ&W{lVF&Y_*oYUPgCS7ZWk zulqm89wAX8qKwqSgx~^iqF#^`=+4f;C=q85|Lu}Lk z`r-EbS2_42M$tJQMr}}L0)E%3qDP@G>k0X$pWYTqOULd1Fc{xPRG_t*LABrDO2s?q zaVZ%>vRv_f$Xf?}O*1iOSXJXrfBuWZz^R>4Q6C~LtdFKgyAckm-Jek23KY=!jBFGr zB?fQMeera%wr&VTT144kF!ft|b)U}oM;OS>KEMq!zzgyj^#Za9haeQRJf+|VfS&V+HF$et*&0jayMS;bUGZ`^{3pMx0HQg9`&Bj~c~88by|32lc+C8k(_{5$F4|HiuN` z+^Rn^!~RUmShw24WyDG+KBC0Cz6!Hfa{(E-W{wHj1ESkIYhEssts>kKaLO$MP?&)a z;Ff)pren8^fUJNM9AqT+iFT1gTSq;|JNygR`G(BH9PEf4_ej))`)iJ`k^W``z7SUR z7P(-#JZFm?_fo4$VD~K+2ceJ7)(bo(3+hrOl}rAfELD2X9=Px4RTe!AlDNL{W++F- z6F({Q#}e9tvkXV}gL+$bnpNj77Lk|7NnZq6CoQ?rzk0ne>~03@x>!0Dhc+g_zA6TlJBHYD$HRe$7v{55t-=iRBJI`^a02?|P z{&0Tbf_{|OfS>!Kpsm46&L^$nz3bL5Z$4CKhx(7@4WRT#eZ4l#hjrAy=CP2MS>t&?MDHt#37NxMjdkHyr8v<=;~>kQr-sqOZdtMSigoh0@(WYUQ`A^9{NF$d!W}UoGC+0)*V86J5r!j!CRw37X%a(K zHu=`ufJqoKOOH+R5u^b~^r#>OjrPGG6BlAc1uvys>vqg(*Ewa99^{i0;NPd>EOpCl ziD>1tSX#k*oJ{t?m&a~o-MY`CEU%oE>(MWHtoOY&f*hTY+F!zv7gIC04&uG}3iSE{ z0@$(q#xa#UeLDM@)KgKD$%)xx1R!gjzB%-gC^CFua3yhVQC`fkv2= z`Q%sY(%L?5em!APB7QnG#%<}V4|6R8X)*I=#@o1z#qJlIM7<{C`9v;2uAx_ z|LATRrgIcgJpVjp|ABJgHmf&l*jv_@6Y;E+wUW>Y4mQ4(=NRwS%LPJM2&NLv7}wIM 
z$Q)}Es%}fUWWQqZMW-bu!V8MeF(B1qn7!IbBl1j5Lad~m%<#O{N9PcN;sC6wx09_mIU;@WH- zOyX7HQ(^+&%oSO}(rznBeA-)?%$+L_GAPBFH{LJj?ii2X4}ZvR{Qk~6b(y992`z~> zXil2yt8KW8cR<&$vPTLoITtie=qNfjoCc$$;T6Mf-la@eqrLTu4HCYL_nYb88fuKz za#lMjvEWzU>BQ6;_1sLXX5bkS*r-XYwCpm^d*9z45VhU{e}kOkg!*2SGyaty_ZC)F z7FtQMLv0_Q%{Qfe$wnQdp#|R2YBGBNYxDP0U~I#sgF;eW!0B07-bAhh3;^}SC!mXZS zwHT%P8Y5NW(bCda3T}v*WpXOH4DVzZT9@MLkuSnDXwnF?maYpo6vlrwWpuR-2ri?o zSdv~d!Zszt;(L)lm>v>v8*@p>89iv!=4~hc!U`F^M%VuJYHI6WzV(4*`j+L28#r5n zbT{tr{mi{LXB~zi*dIQ~?0iem*wz_@OzVdU0WY)%&$^y$fukTQPV~uS@*`0YwCh`4UM}etP4h7=SyK6II%9@eN<9l@qo(XsTyVUqs+91l@@N?FV!LL|Ew@oBUI9G=k^_?EOA+Y4lN)M;A_;y6wv zD@D$v@S2n_`w}v_aLgvnl{|}ap+6wk*16Q%!u3L9Ky@92{0o2#M%s3ku+?x>gs>^6 zg#FGY-{uasB`#h&7Pb?F4UFLpLhe={rcAqtUK5b1XYR=RC{_2AunMOjTjE*q4AfBJ zvGIn+pf0U0b8g2rvr}}kadYt#pkI6a!@TuLfSX=Q?Dy!Mf|3W>=5PkOIMNW^Am*0o z#9y0^4#Uts=LAWfjK?u}^EynjdLXih#B;^mK!_QCQp`4YD9pqG5L4yt-U%@~|A_e_ z({==R-sl!H>{3>47R|P}74`7FFPvgXGVW)J`Q>x>Fg(;xrA@H=-5xos+UFZS#0j36 zv*J>GYx^-rwc%vqV_go+SWVc?id)-~c!kp0Ax~|17w{Ea1MsQwkWjFN;BxU8^4*m; zg#x@4OAC{En%j4y*0`#WIu`}U4@obM!B-no)dLXUTmi`A!0E@&60--6h7j}lNij_v z*yP)(0Wn#KtB%F&`7LG)2$|o!WZ686($#RYP7L#c7rx#pF%3>Z#!*yuQd{>PqpNSm zY5XM+3}7^a-~s1IYN`uSdL{6|uhRP6FtSqUfTOCs zVI(AS?;EXOZD^$2cjq5Vx8!a)PqYku9=#eir`{nm)h)()mjXmforMYM1>o?9GrI_08V!MGPh{bNpz8&}t>>mdo-JcW@3 z2h#5L$7OrFkJmHmNyzez#ckPFZ1Ifo6TMRASFy%8={bt3J%~xH)v)@o+d+iE0K#qH zY};q)IS)ri=xK9OPg5cQCD>19=?*y7vkycGj8Oz4Y&LM+={ImWgq<>0J z=Tiv3Dj6h*>xk2(GH~UWQqEI;PBu}-c^tGtRf!WFOkImCy4L&}Ns7NRHbfA2*roBS z7jrRE35DdHLn7fh9co@1tnTEPg4vHXWkOuAUlLM|Z!Nu!M1mi7hV=NPn1nP--nClS z6p#s!Srl!UGp(eM3@Gk@>V7%94Z|H6t+&R|#F`tNSh-~AYz|I&}qHu_X)+}^>)OMrhz=?A{pKm8acL_dZT!U4IC=*EE0 zd=OsX5$w-!0sEwZM0XcL_q!*9TXISF!7jLh{`@tR)U(YNF+k^~k{u*%3+5>W6FXHPuk zxy+nm{MItpD{sj2pXB{2G!Gn<#*rGbSQw;)Ox2CCvH86ye97|-n^@jo!pO{vd?L3X zw7Vp_mHi=?8Mj4g;0kNEnIQAJ7)PFXflp+2qptFJzMESa2HtK(O6ZLw<9ioh(BuTT z*EB$w<5o)HNRMYGlz|}8M%^M2GY7T*10b{s;JYCqS+81N= zic5`2mrY}P`oQ4S+>}1W6SAq(xMc(z3SNB$I-91yO2WE23lZu=c9V$dLJMI6`g`h+ 
zq1w06@U&y{EV?-8YVaG)r77ibAFA9_`M#KU_vPO6(F^>y59WP9NDa;BHdwY1(tDhe z{ucl%5s*G%OaEBsOrC7Gt@ujh0H+LX(gi?`!T>P(8MNgt7kA zQ)xA?2qU&Plf9q5&oPzz)KcHq^U)9%;%(6aBne@IDO-1b#}EQa`2 zXnKst)KLwWsncCE1L4A#ldKxqi#2eN3Gt8THdwF_;;Nn!H<3-gvkYv$g+PzR9Rb<+ z(_lH+mlMd?FYllkYE-UPrzJN0mj;U~t_;ort3BVlSM)2PH-&09s}eDWs#9NBS(OaW z*ZTgLq0HKk5V<*jChg|t+>CO1D2p?=4?#TOglfu|=uU~b7K-z5$<+0c=XJ@DnX2N1>A%f!Mk z>;}Klr6giS-9AX5(Z3X5Nz(j>>zY@JE?P* zI22|<1L)kf`s;+wU;gBTu;-6R5?G=eaAZec8t91?L??Z2ViU3b-c5;rW==S$n_CmD zWz-x#qUkZRF!EJ2(@fwDtj4>aspe{7=s&yGDoD8m&8w2e(`P3+GS`Wq&M~(UTvw*0 zow%Igb{Pde^6Qr9cGo%{l#Jop6mxbLJuY6s^EJ|b@p}|wmQO#Mtvg^e&sV%1tiCAp zb>s6!o!VCwyYEVCOqily3Ey5lMEo$J=iHotgYbj$Nk3T70BnE>pV5}&*bifW=LDrF zS=Gn`v@73gR)`5*LOhKBB`3^lXg|6xIh-cIm;TUwPn14+L-lj^8Y)Fc(GMM7f~vb} z0X>9~{##?q9L!J$Q;bVQ3zXD1c{NOel`gBrJT7MS5P?MyCE}}fA(5&OEqxBso7P?O zQ@B5a{x8JOmu^*-jTX<%AX`uFHA5r1O z1|r{wS$}-|z{gc=@T*!KJIK&V@3}c)7vYtRQ(gh;hs6fqmD#4)W3NnsEd9v|n@VDm zEv-+V*}MqeA!ysw2Ah00*m!3cs6Y0=IEeC3POzzXTD)9mL4WZ4 zLY~sp4VfqZk`uhEQ4L_0+-NDXt!*Pl_0&iHq)Gh)71O+io8kGr~uymaAT+7FXoTy z(@Q=)+b)PxNyUnFa$@Dra6~(Rgi~*@b<(zFPf25gEKm-en-lgBI=h_Ix%)X3W|;x# zd?-V4Lg(>6IU%OH*g1hsT$Vl#Z@E)qynQHLO>j|BPH;i3?aZ8TgWfm%qk6f}j2L_S zHeF-u)%S@a}8QpYm zNm&KA1+5GE-K}XLl_7Kgko6^hkRDbh68`)7hr5kVT(XM!w*#bYB~pdijeJ>>ktgBO zhf<9}V~3AXV%QDnXh9~thtACjcnCizp7eud2Ag~jSR+{N8IS!i@!JoGoUrktRW+EI zu)IUKB17I}q1)tNa)P_N0)=XYsmNoKO=p*3t$HW1ReN+lXFC1J(3k#cevKBQVR!FZ zq_(}j;ub(V^XhvDUs!S-)ZBwMn!xBb7tbfxOI}kdcr)P*RG!fxk(G-c2?dKjc(W)r zdInfA?E>QUBfN2)=?+O@X^9tDtD(~dW*MK=t2^dKuX-C`Fq1x-cDPM-`;jtPM@No@ zrhmU?-H%z4VQPYYkfDpC=XPQC5nhQn>6IR!e!%S9Nl=JY%uje_;!hVwRl|L4M#i44 zf>)gSwRDo)`YeZH6H#GqAoIeRT^QSrd;XKI;yDuyI)U)fF4xWpOwL8V_(j@s_0QI& zc^Sls({3jUL(fY|}CXTfjn zWPQh`nEY*u84$7qJHLV1b6Ke$V{hu{E%&%hPnn|V6y#u`v{}Mu#k=Z-PEO@&#h+Gk zN%1d#+#8!?(T*-iC++UaqEfT`*}BMN?=PElpUJQxKZWv}zPh8MvG~$6VjcsoqxH== z;*ZL=%Y{-)N0!DH{5u30?d5~aw)y>vAEWsMGdj7p-u&3I9S#Ibgo-oVgp8|s8FmHZw)FM>2ROXbMUowgp$+~|}epHOnB&nzIj+1xs%Yx6bo$ykFOYCmh}P`tMY zi*S~b$ST6hbZ4p3Qx@|| 
zn%L7zmwsCv9FpX-r(}{KG4VX9M5#0NEhLqI{kf(~>4Qa?3R|*v2mK;a883~XSU>Z? zUsPchAQN^{c;^)m0)!vrPx`@%kWIe#I@m>caC~1Swi0CHPXW=%v6eFrFsE}{*uN;A zQ6^#jF9pPQRU(uJLuR2PKA>;?E3Ax0o4m<6EUKM`u2KUiurKA=k}3@dNDeuLOXM%i z+bfLec5ODLAvvm+SMR{hZ_FEskfVJN3~jU~Nk~G+vRNTl#;=@VWmb!*<|q3=$fI{- zSusf_01M5OV`qz%pDTudmycswOsUTtdxwh3l{WZZg=+sM|C=bK4_Cy=mW&r}Clqe< zr$|kL3|ZgDJEwqi|n%0k7!b=l<=L*vdZzWHna2ntoxmo|)3ecdM8$ zCrM`|XMnrkVY+(s%mTvn!fj}m_l0KLfKh|Ftw%d*rO*NOVF|ag4?2-@I6rp~-!|s^ zcRrbqnI@7|!V4cRhk9DtT(+%}_s*fhz-yL4t?p#+i9yJp0LbSQkc(&iRMhG#0J|IPK5WUz zq{%FpE-E&io|Ea*PvXL3r5Nb>$zLuqkPkakZon?Qf%jWk8%(}<_WUFQB; z-^vwY23oyGnHe|-3k4{yIp(R%eD{B(fqgIk8n(BssL{T6_`>Wp{V`PDv71VIsiZg` z8M+62cx9iVU)R}iwEVK${Dx>sCd9l|jHtromUHav3V)?uX!wtm*pQ4Xx;l2#>{VjT zP>jxD%U3nZzBk_A%$ND3jW1mK&Kz%ktJpyYiT#?nI*jn3m)8;HShums z_vwJ%(8&A`Zy*Xt1~u;FH1Dqqo_*N+;yFI(mj6;firu{eRxKRM){A3>Fu&wKE0)^6 z)$L~Ux?DHT_(0?7!b47`FBbW@!FL@cBuWRL;m+CgneFq7-K?0tB~OUb6aZyuGa)iD z6%N3y@c!0h7V1Re2`yA}aj9uIveMr!CcTL5`KmEAz^?xq@k>eQb1~ZuwdN$k(Nz83 zZhw%4gh%HU5OQRM&bB9Y?$d$7;I4qqq5Yf3I+Om^8BstiVjN?ntO)P>*j-spdv_-i zHPgkhl;NjXP7L>%1!SfWV=L5SL}+7If(k3x6qBOivc=X6Bm<)kmf{t!hIQ#c)}X?g zGy}b=A-_B;z}4vHH)y8I%pD9&-AK%0ou`@JSP`gqRc%Bcdw0ES|2AXKy|rtl%J>XT z?7QIdTdu1g;_iO>#>0j>g^}xfaAO2_smE~e3nr(zLOU{v5l#IT$ON|Lxdr4B!Vj`1 z{Q!4mlkdL*b|tp29Q&aTWaCc(8S1{xPu&gWLlsT()jeDtf&EJXd5o`abJ-1T(n9WtHo6dY~X zA*u*&^iKb55Qb(UP(XY!+mOYG_*NR}Mzm|m-c5&Z6rW`%A4NCHmM5}lj^m>5iBOp& z8D089-jJ@S>5rmeksqC|F%zD;lOlWPruz0>4H=!nJ1;SHxrNzPzC@Bf>Qefs&To3b zPve?6h;X1{-+*FL=X{G3ViFHz0+BSjC-}=+ri!vSsPd zUi+k5vj6my8?=#5T3}gDL24<#yU4KS`zqV3bQ**)Ci<~&C9~MAEQBzFBmdcDJ=fx*a zaJ_jJ&NmIm?$9lHlg`(%g7YM%%`8(6C5U-wxT4`z zLt)*|uX{2h-Vjx5b$ie-@O*zXb1w|}9>;^eN?KW>=Q+Ms?ID*hXr#vW^xdGlY)+yY zmc1r1wg$gFlP*^^cxA!1H(m)MMQy5&MU48yl<51^&VzWeXFCf}EgJTXepX2SrO}E^ z->~U-pw9iS=Xx3y;pwnbo-T&MY-a#Z*UMucdz$=jPxq=0c2mDJ+F^Js(=W}Gc>$e* zgq7;1o>;Hu(Wru;-Q>bL{CB5bvKGZ9H#FoRR5*B-V+e z8{wasB&`1BM%z{aDVY^Ku%YX9BhdqgiF!2Ao7@q)I3uFhv+;0t+AT|>2KKw3cK7gp z=AgeJ0vFl2#Dy6=WN%HkSg6H$DEUIhXy|LAS#-ix5RzHQxtA$u2>D`9$~Pbjh1nSb 
z@(sN?{vQUES3y{RE>k!YX1VX(CvFI`A(}7U*b8;RlDI3qi^UKqZgl2lN`AS!@~RjE zHH_0Uajy_Fn1{%q^}QzAYkT;tt8$3QPjd4Q+tirTG)kllMLjJM7O^S%oq6TgUrK!x zbCVi(*}BQg7wf`Tx~wjg<;sd#t9Ma_h$xr7Mg&CI9CGeu3Nb=7gOj4!83HIr0nzBQ z{dPWG7%vt}-WlBzW>y*|FNuTjMq49pzcc3ZxZyY!2 zUp$k#C+7y+;CM>s^mf=6)`+EDFK76)yRO=WkV#=rZo^ZGXeQ-gy!rA-=1Ul6^Qz{H zSBI}9W|c!LA7~a2UUU%d*c-&zd9wBs$$=uuAphF7y>{1INAr>7K&hGM7qt^bpa!p# F{s%;kPnG}x literal 0 Hc-jL100001 diff --git a/tests/droped-flow-applayer-event-logged-smb/suricata.yaml b/tests/droped-flow-applayer-event-logged-smb/suricata.yaml new file mode 100644 index 000000000..4c89a119e --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-smb/suricata.yaml @@ -0,0 +1,13 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + types: + - alert: + - flow + - smb + - drop: + alerts: yes + flows: all diff --git a/tests/droped-flow-applayer-event-logged-smb/test.rules b/tests/droped-flow-applayer-event-logged-smb/test.rules new file mode 100644 index 000000000..c1dc7f067 --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-smb/test.rules @@ -0,0 +1 @@ +drop smb any any -> any any (msg:"smb rule"; sid:2;) diff --git a/tests/droped-flow-applayer-event-logged-smb/test.yaml b/tests/droped-flow-applayer-event-logged-smb/test.yaml new file mode 100644 index 000000000..3cfc1fb67 --- /dev/null +++ b/tests/droped-flow-applayer-event-logged-smb/test.yaml @@ -0,0 +1,22 @@ +args: +- --simulate-ips +- --set stream.reassembly.depth=0 +- --set stream.midstream-policy=drop-flow +- -k none + +checks: + - filter: + count: 1 + match: + event_type: smb + pcap_cnt: 2 + - filter: + count: 53 + match: + event_type: drop + - filter: + count: 1 + match: + event_type: flow + flow.action: drop + diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml index 1b351c028..65594aa5f 100644 --- a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml 
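Review bot: The `--set` arguments in the smb test.yaml differ from the http and dcerpc siblings (`stream.reassembly.depth=0` and `stream.midstream-policy=drop-flow` here versus `stream.midstream=true` there) and nothing says why, yet they decide whether the 53 drops and the single `flow.action: drop` the checks expect come from the `drop smb` rule or from the midstream policy. A comment on each `--set` stating which mechanism is expected to produce the drops would make `count: 53` meaningful to a reader and tell a maintainer which number to update when the pcap or policy changes. The README is the blob shared with the dcerpc directory, so whichever of the two it actually describes, the other copy needs its own text.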
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml
@@ -1,5 +1,5 @@
 requires:
- min-version: 7
+ min-version: 7
 args:
 - --set threshold-file=${TEST_DIR}/threshold.config
@@ -16,3 +16,8 @@ checks:
 match:
 event_type: drop
 drop.reason: threshold detection_filter
+# due to the drops, we don't expect to see any http event
+ - filter:
+ count: 0
+ match:
+ event_type: http
--
2.47.2
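Review bot: The new `# due to the drops, ...` comment sits at column 0 between two indented list items, so it reads as a file-level note rather than as belonging to the filter beneath it; indenting it to the list item's level keeps the comment attached to the `count: 0` check. Separately, `count: 0` for `event_type: http` holds only if no HTTP transaction completes before the rate_filter starts dropping; stating that assumption in the comment (how many packets pass before the threshold trips) would let a reader check it against `threshold.config`.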