Kursused - Kasutaja kaastöö [et]

Itx8071-graded-lab

2025-12-08T13:42:39Z

Risto:

=== Description of the graded lab ===

During the graded lab, two Kibana dashboard have to be created, with each dashboard containing '''at least 7''' visualizations that display different data. Note that each created dashboard must feature '''at least 5''' different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboards '''must''' be created for '''syslog events of one type received with Logstash''':

* the first dashbord -- Apache web server events
* the second dashboard -- Suricata IDS alerts

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create a dashboard for Apache web server events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata IDS alerts, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata IDS alerts:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:1000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating additional alerts.

Already existing Logstash configuration is parsing all Suricata events, and you can search Suricata IDS alerts in Kibana with the following query:

program:suricata AND suricata.event_type:alert

After verifying that the above query is showing Suricata IDS alerts, you can create a dashboard for these alerts under the "Dashboard" selection of the Kibana pull-down menu.

Itx8071-graded-lab

2025-12-08T13:41:17Z

Risto:

=== Description of the graded lab ===

During the graded lab, two Kibana dashboard have to be created, with each dashboard containing '''at least 7''' visualizations that display different data. Note that each created dashboard must feature '''at least 5''' different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboards '''must''' be created for '''syslog events of one type received with Logstash''':

* the first dashbord -- Apache web server events
* the second dashboard -- Suricata IDS alerts

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create a dashboard for Apache web server events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata events, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:1000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating events.

Already existing Logstash configuration is parsing all Suricata events, and you can search Suricata IDS alerts in Kibana with the following query:

program:suricata AND suricata.event_type:alert

After verifying that the above query is showing Suricata IDS alerts, you can create a dashboard for these alerts under the "Dashboard" selection of the Kibana pull-down menu.

Itx8071-graded-lab

2025-12-01T14:10:06Z

Risto:

=== Description of the graded lab ===

During the graded lab, two Kibana dashboard have to be created, with each dashboard containing '''at least 7''' visualizations that display different data. Note that each created dashboard must feature '''at least 5''' different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboards '''must''' be created for '''syslog events of one type received with Logstash''':

* the first dashbord -- Apache web server events
* the second dashboard -- Suricata IDS alerts

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create a dashboard for Apache web server events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata events, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:1000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating events.

Already existing Logstash configuration is parsing all Suricata events, and you can search these events in Kibana with the following query:

program:suricata AND suricata.event_type:alert

Itx8071-graded-lab

2025-12-01T12:26:06Z

Risto:

=== Description of the graded lab ===

During the graded lab, two Kibana dashboard have to be created, with each dashboard containing '''at least 7''' visualizations that display different data. Note that each created dashboard must feature '''at least 5''' different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboards '''must''' be created for '''syslog events of one type received with Logstash''':

* the first dashbord -- Apache web server events
* the second dashboard -- Suricata IDS alerts

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create a dashboard for Apache web server events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata events, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:4000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating events.

Already existing Logstash configuration is parsing all Suricata events, and you can search these events in Kibana with the following query:

program:suricata AND suricata.event_type:alert

Itx8071-graded-lab

2025-12-01T12:24:41Z

Risto:

=== Description of the graded lab ===

During the graded lab, two Kibana dashboard have to be created, with each dashboard containing at least 7 visualizations that display different data. Note that each created dashboard must feature at least 5 different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboards '''must''' be created for '''syslog events of one type received with Logstash''':

* the first dashbord -- Apache web server events
* the second dashboard -- Suricata IDS alerts

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create a dashboard for Apache web server events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata events, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:4000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating events.

Already existing Logstash configuration is parsing all Suricata events, and you can search these events in Kibana with the following query:

program:suricata AND suricata.event_type:alert

Itx8071-task2

2025-11-13T16:27:50Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be '''fully functional''' even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must '''not''' interfere with each other).

=== Some hints for accomplishing this assignment: ===

* consider the technique outlined on slides 17-18 of Module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf),
* make sure you have a good understanding of the lab assignment solutions of Modules 6 and 7.

Cyber Defense Monitoring Solutions

2025-10-29T15:17:34Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, extra points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides 5 extra points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to the course home page -- don't forget to compare your work with posted solutions!
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information
* Because homework assignments allow the students to work as a group, it is recommended to join some group by looking potential cooperation partners through the course MS Teams group
* Since the course is offering extra points in addition to regular ones, it is recommended to collect as many extra points as possible for improving your final grade

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Exam can be taken during one of the following time slots:

* December 15 2025, 17:45-21:00, room ICT-401
* January 5 2026, 15:45-19:00, room ICT-701
* January 12 2026, 15:45-19:00, room ICT-701

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-exam can be taken on January 12 2026 at 15:45-17:00 in room ICT-701.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Itx8071-task2

2025-10-29T14:50:41Z

Risto:

Itx8071-task2

2025-10-29T14:49:44Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be '''fully functional''' even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must '''not''' interfere with each other).

=== Some hints for accomplishing this assignment: ===

* consider the technique outlined on slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:48:14Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must not interfere with each other).

=== Some hints for accomplishing this assignment: ===

* consider the technique outlined on slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:48:01Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

# if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

# if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must not interfere with each other).

=== Some hints for accomplishing this assignment: ===

* consider the technique outlined on slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:46:58Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must not interfere with each other).

=== Some hints for accomplishing this assignment: ===

* consider the technique outlined on slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:46:35Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must not interfere with each other).

==== Some hints for accomplishing this assignment: ====

* consider the technique outlined on slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:45:44Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must not interfere with each other).

Some hints for accomplishing this assignment:
* consider the technique outlined on slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:45:13Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov 7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov 7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov 7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov 7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must not interfere with each other).

Some hints for accomplishing this assignment:
* consider the technique provided in slides 17-18 of module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2025-10-29T14:39:59Z

Risto:

Itx8071-task2

2025-10-29T14:39:01Z

Risto:

Itx8071-task1

2025-09-22T09:18:25Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of software module names and optional version numbers, so that the sequence will follow these rules: ===

* The sequence consists of one or more parts. If there are two or more parts, they are separated with a comma (",") character.

* Each part of the sequence is a software module name which is optionally followed by a version number. If the version number is present, there must be a dash ("-") character between the software module name and the version number. If there is no version number, the use of dash character after the software module name is not permitted.

* Software module name must contain at least one character and must begin with a letter, and may contain letters and digits only.

* The version number consists of one or more elements. If there are two or more version number elements, these elements must be separated with a dot (".") character. Note that the dot character may not appear before the first or after the last element. Each version number element must be a sequence of one or more digits which may be optionally followed by one letter.

Please note that for accomplishing the task, '''one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool'''. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

=== Examples of sequences the regular expression must match: ===

m4-1.4.16
(the sequence has one valid part -- a software module name with a version number of 3 elements)

coreutils,pcre-8.32
(the sequence has two valid parts -- note that the first part does not have a version number)

libtasn1-4.09a,GeoIP-1.5.0,iwl6000g2a
(the sequence has three valid parts, with the first and second parts having version numbers)

iwl2030,a12bcd3456ef78gh,mydatabase-13i.222.5b,e2fsprogs,PyYAML
(the sequence has five valid parts, where only the third part has a version number)

=== Examples of sequences the regular expression must NOT match: ===

coreutils, pcre-8.32
(the second part begins with a space character which is illegal)

coreutils 8.22,pcre--8.32
(the first part contains a space character which is illegal; also, in the second part the software module name and version number are separated by two dash characters which is illegal)

m4-1.4.16,
(the first part ends with comma, but there is no following second part)

my_db
(the software module name contains an illegal character _)

mydb-11A3.1
(the first version number element contains a character A, but A is not the last character of the version number element)

mydb-11..2
(version number contains two dots, but there is no version number element between them)

mydb-
(software module name is followed by -, but there is no version number)

mydb-12ab.1
(the first version number element ends with more than one letter which is illegal)

mydb,,mydaemon
(the second part of the sequence is empty)

!"libtasn1-4.09a,GeoIP-1.5.0,iwl6000g2a
(the sequence begins with illegal characters)

coreutils-8.22,pcre-8.32+%
(the sequence ends with illegal characters)

Itx8071-task1

2025-09-22T09:17:54Z

Risto:

This homework assignment requires the knowledge from Module 3.

==== Please write a regular expression for matching the sequence of software module names and optional version numbers, so that the sequence will follow these rules:====

* The sequence consists of one or more parts. If there are two or more parts, they are separated with a comma (",") character.

* Each part of the sequence is a software module name which is optionally followed by a version number. If the version number is present, there must be a dash ("-") character between the software module name and the version number. If there is no version number, the use of dash character after the software module name is not permitted.

* Software module name must contain at least one character and must begin with a letter, and may contain letters and digits only.

* The version number consists of one or more elements. If there are two or more version number elements, these elements must be separated with a dot (".") character. Note that the dot character may not appear before the first or after the last element. Each version number element must be a sequence of one or more digits which may be optionally followed by one letter.

Please note that for accomplishing the task, '''one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool'''. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

====Examples of sequences the regular expression must match:====

m4-1.4.16
(the sequence has one valid part -- a software module name with a version number of 3 elements)

coreutils,pcre-8.32
(the sequence has two valid parts -- note that the first part does not have a version number)

libtasn1-4.09a,GeoIP-1.5.0,iwl6000g2a
(the sequence has three valid parts, with the first and second parts having version numbers)

iwl2030,a12bcd3456ef78gh,mydatabase-13i.222.5b,e2fsprogs,PyYAML
(the sequence has five valid parts, where only the third part has a version number)

====Examples of sequences the regular expression must NOT match:====

coreutils, pcre-8.32
(the second part begins with a space character which is illegal)

coreutils 8.22,pcre--8.32
(the first part contains a space character which is illegal; also, in the second part the software module name and version number are separated by two dash characters which is illegal)

m4-1.4.16,
(the first part ends with comma, but there is no following second part)

my_db
(the software module name contains an illegal character _)

mydb-11A3.1
(the first version number element contains a character A, but A is not the last character of the version number element)

mydb-11..2
(version number contains two dots, but there is no version number element between them)

mydb-
(software module name is followed by -, but there is no version number)

mydb-12ab.1
(the first version number element ends with more than one letter which is illegal)

mydb,,mydaemon
(the second part of the sequence is empty)

!"libtasn1-4.09a,GeoIP-1.5.0,iwl6000g2a
(the sequence begins with illegal characters)

coreutils-8.22,pcre-8.32+%
(the sequence ends with illegal characters)

Itx8071-task1

2025-09-22T09:16:27Z

Risto:

Itx8071-task1

2025-09-22T09:15:01Z

Risto:

This homework assignment requires the knowledge from Module 3.

Please write a regular expression for matching the sequence of software module names and optional version numbers, so that the sequence will follow these rules:

* The sequence consists of one or more parts. If there are two or more parts, they are separated with a comma (",") character.

* Each part of the sequence is a software module name which is optionally followed by a version number. If the version number is present, there must be a dash ("-") character between the software module name and the version number. If there is no version number, the use of dash character after the software module name is not permitted.

* Software module name must contain at least one character and must begin with a letter, and may contain letters and digits only.

* The version number consists of one or more elements. If there are two or more version number elements, these elements must be separated with a dot (".") character. Note that the dot character may not appear before the first or after the last element. Each version number element must be a sequence of one or more digits which may be optionally followed by one letter.

Please note that for accomplishing the task, one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

Cyber Defense Monitoring Solutions

2025-09-01T11:20:45Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, extra points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides 5 extra points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to the course home page -- don't forget to compare your work with posted solutions!
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information
* Because homework assignments allow the students to work as a group, it is recommended to join some group by looking potential cooperation partners through the course MS Teams group
* Since the course is offering extra points in addition to regular ones, it is recommended to collect as many extra points as possible for improving your final grade

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-28T09:48:42Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, extra points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides 5 extra points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to the course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-28T09:37:49Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides 5 extra points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to the course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-27T10:19:12Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to the course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-27T10:15:43Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to the course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-27T10:13:58Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following when opting for the distance learning path:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab topics is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-27T10:06:32Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab assignments is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2025-08-27T10:05:06Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Notes about distance learning ==

In the case you are not able to attend lectures and labs physically, the course can be taken in a distance learning setting. However, you should consider the following:

* All course slides and prerecorded lecture video clips can be accessed through Moodle
* Lab assignments can be found at the end of each lecture slideset (slides with the title "Tasks")
* Make sure that you solve all lab assignments on the course virtual machine -- examination tasks are similar to lab assignments and having a good understanding of the lab assignments is essential for passing the final exam
* Lab assignment solutions with comments are regularly posted to course home page -- don't forget to compare your work with posted solutions
* Check the course home page regularly for new homework assignments, assignment deadlines, and other important information

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Itx8071-graded-lab

2025-08-25T08:08:10Z

Risto: Lehekülg asendatud tekstiga 'To be announced during the semester.'

To be announced during the semester.

Itx8071-task2

2025-08-25T08:07:20Z

Risto: Lehekülg asendatud tekstiga 'To be announced during the semester.'

To be announced during the semester.

Itx8071-task1

2025-08-25T08:06:34Z

Risto: Lehekülg asendatud tekstiga 'To be announced during the semester.'

To be announced during the semester.

Cyber Defense Monitoring Solutions

2025-08-25T08:03:46Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Monday of fall semester 2025. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 1 2025 (introduction to the course, lecture of module 1) -- room ICT-401
* September 8 2025 (lab of module 1) -- room ICT-401
* September 15 2025 (lab of module 2) -- room ICT-401
* September 22 2025 (lecture of module 3) -- room ICT-401
* September 29 2025 (lab of module 3) -- room ICT-401
* October 6 2025 (lab of module 4) -- room ICT-401
* October 13 2025 (lecture of module 5) -- room ICT-401
* October 20 2025 (lab of module 5) -- room ICT-401
* October 27 2025 (lecture of module 6) -- room ICT-401
* November 3 2025 (lab of module 6) -- room ICT-401
* November 10 2025 (lab of module 7) -- room ICT-401
* November 17 2025 (lecture of module 8) -- room ICT-401
* November 24 2025 (lab of module 8) -- room ICT-401
* December 1 2025 (lecture of module 9) -- MS Teams
* December 8 2025 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1RWWofqn4AO0thk1lRbeTw6wHeZ6f6UOJ/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 8 2025 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 15 2025'''
* lecture materials of module 3 ("Regular expression language") by '''September 22 2025'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 6 2025'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 13 2025'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 27 2025'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 10 2025'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 17 2025'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 2 2025 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 14 2025 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination times will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Itx8071-graded-lab

2024-12-10T13:45:23Z

Risto:

=== Description of the graded lab ===

During the graded lab, a Kibana dashboard has to be created which contains '''at least 10 visualizations''' that display different data. Note that the created dashboard must feature '''at least 5 different visualization types''' (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboard '''must''' be created for '''syslog events of one type received with Logstash''', for example:

* Apache web server events
* Suricata IDS alerts
* Iptables events

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create dashboards for these events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata events, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:4000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating events.

Already existing Logstash configuration is parsing all Suricata events, and you can search these events in Kibana with the following query:

program:suricata AND suricata.event_type:alert

Itx8071-graded-lab

2024-12-10T13:44:17Z

Risto:

=== Description of the graded lab ===

During the graded lab, a Kibana dashboard has to be created which contains at least 10 visualizations that display different data. Note that the created dashboard must feature at least 5 different visualization types (for example, pie chart, bar chart, table, event counter, etc.). The Kibana dashboard '''must''' be created for '''syslog events of one type received with Logstash''', for example:

* Apache web server events
* Suricata IDS alerts
* Iptables events

Dashboards created for events received from Filebeat are '''not accepted'''.

=== Instructions for setting up the course virtual machine for the graded lab ===

Since the course virtual machine needs more resources for the graded lab than pre-configured defaults, increase the amount of RAM to at least 4GB and the number of CPUs to at least 2.

Start Elasticsearch:

systemctl start elasticsearch

Start Kibana:

systemctl start kibana

Start Logstash:

systemctl start logstash

Make sure you can access Kibana web interface via following URL: https://ipaddress_of_your_vm:5601 (login: elastic, password: default-root-password-of-the-VM). Note that the startup process of Kibana might take several minutes before the web interface will become available.

In order to receive syslog events from local rsyslog, configure it to send all events to Logstash. For example, set up the file /etc/rsyslog.d/logstash.conf with the following content:

global(maxMessageSize="1024k")
*.* @127.0.0.1:10514

The global(maxMessageSize="1024k") directive configures the syslog message size to be higher than the default 8KB, since Suricata can produce syslog messages which are larger than 8KB.

After creating that file, don't forget to restart rsyslog:

systemctl restart rsyslog

In Kibana, select "Stack Management" from the pull-down menu on the top left corner in the Kibana interface. Note that "Stack Management" is the last selection in the pull-down menu!

Then go to Kibana->Data Views, and select Create Data View:
* for "Name", select logstash*
* for "Index pattern", select logstash*
* for "Timestamp field", select @timestamp
* after setting the above fields, select "Save data view to Kibana"

Generate some syslog events by accessing the web server of the virtual machine and logging in into the virtual machine over SSH. Note that already existing Logstash configuration is parsing these events. For seeing the events, select "Discover" in the Kibana pull-down menu. The web server and SSH events can be searched with the following queries:

program:apache

program:sshd

After verifying that the web server and SSH events have been received by Kibana, you can create dashboards for these events under the "Dashboard" selection of the Kibana pull-down menu.

In order to create a dashboard for Suricata events, you can run Suricata in IDS mode as follows for creating events for that dashboard:

suricata -c /etc/suricata/suricata.yaml -D --af-packet=enp0s8

If your virtual machine has some other interface than enp0s8 connected to Host-Only Network of VirtualBox, use that interface instead in the above command line!

You can use the following test signature in /etc/suricata/rules/local.rules for generating Suricata events:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"HTTP request for a picture file"; flow:established,to_server; pcre:"/\.(?:gif|jpg|png)$/Ui";classtype:web-application-attack; sid:4000002; rev:1;)

Also, you can use other signatures from Suricata lab for generating events.

Already existing Logstash configuration is parsing all Suricata events, and you can search these events in Kibana with the following query:

program:suricata AND suricata.event_type:alert

Itx8071-task2

2024-11-01T21:46:30Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

==== Create SEC rules that accomplish the following event correlation task: ====

1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.

For example, suppose the following events appear in the log:

Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov 7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

When above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.

-----

Some hints for accomplishing this assignment:
* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
* if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
* all parts of the solution must be fully functional even when several non-existing user accounts are probed from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html). Also, consider the examples from SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2024-11-01T21:45:25Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

==== Create SEC rules that accomplish the following event correlation task: ====

1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.

For example, suppose the following events appear in the log:

Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov 7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

When above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.

Some hints for accomplishing this assignment:
* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
* if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
* all parts of the solution must be fully functional even when several non-existing user accounts are probed from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html). Also, consider the examples from SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).

Itx8071-task2

2024-11-01T21:42:02Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

==== Create SEC rules that accomplish the following event correlation task: ====

1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.

For example, suppose the following events appear in the log:

Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov 7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

When above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.

Some hints for accomplishing this assignment:
* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
* if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
* all parts of the solution must be fully functional even when several non-existing user accounts are probed from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html).

Itx8071-task2

2024-11-01T21:41:24Z

Risto:

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.

For example, suppose the following events appear in the log:

Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov 7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

When above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

Cyber Defense Monitoring Solutions

2024-11-01T21:19:59Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Tuesday of fall semester 2024. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 3 2024 (introduction to the course, lecture of module 1) -- room ICT-401
* September 10 2024 (lab of module 1) -- room ICT-401
* September 17 2024 (lab of module 2) -- room ICT-401
* September 24 2023 (lecture of module 3) -- room ICT-401
* October 1 2024 (lab of module 3) -- room ICT-401
* October 8 2024 (lab of module 4) -- room ICT-401
* October 15 2024 (lecture of module 5) -- room ICT-401
* October 22 2024 (lab of module 5) -- room ICT-401
* October 29 2024 (lecture of module 6) -- room ICT-401
* November 5 2024 (lab of module 6) -- room ICT-401
* November 12 2024 (lecture of module 7) -- room ICT-401
* November 19 2024 (lab of module 7) -- room ICT-401
* November 26 2024 (lecture of module 8) -- room ICT-401
* December 3 2024 (lab of module 8) -- room ICT-401
* December 10 2024 (lecture of module 9) -- MS Teams
* December 17 2024 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1TJ2f42-uRrHHfv7eQJSR83_8rQLb1tl8/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 17 2024 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 17 2024'''
* lecture materials of module 3 ("Regular expression language") by '''September 24 2024'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 8 2024'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 15 2024'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 29 2024'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 12 2024'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 26 2024'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 4 2024 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 16 2024 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Exam can be taken during one of the following time slots:

* December 18 2024, 15:45-19:00, room ICT-402
* January 6 2025, 15:45-19:00, room ICT-701
* January 13, 2025, 15:45-19:00, room ICT-701

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-exam can be taken on January 13 2025 at 15:45-17:00 in room ICT-701.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Itx8071-task1

2024-09-21T13:57:57Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of integer expressions which follows these rules: ===

1) The sequence consists of one or more elements. If there are two or more elements, they are separated with a comma (,) character.

2) Each element of the sequence is an expression that can consist of digits 0 1 2 3 4 5 6 7 8 9 and the plus (+), minus (-), asterisk (*), and slash (/) characters. No other characters (such as spaces or letters) are permitted in the element. The element must contain one or more integer numbers, where the integer number is defined as a non-empty sequence of digits. If the element has more than one integer number, two consecutive integer numbers must be separated with a single plus, minus, asterisk or slash character. If the asterisk or slash separates two integer numbers, an optional minus (-) character can appear before the second (right-hand side) integer number. However, if two integer numbers are separated by plus or minus character, the minus prefix is not allowed for the second integer. Also, an optional minus (-) character can appear before the first integer number in the element (in other words, the first character of the element can be either a minus or a digit).

For example, the following are valid sequence elements:

012
-1
2+3
-0+12-7
22+90*-2/60
-100+16/-2*-30

However, the following sequence elements are invalid:

1 + 2 (the space character appears both before and after the plus character, but the use of spaces is illegal)
1%2 (an illegal character % appears between two integer numbers)
12C (an illegal character C appears after the integer number)
12--2 (if the minus character separates two integer numbers, it is not allowed to use the minus prefix for the second integer)

Please note that for accomplishing the task, '''one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool'''. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

=== Examples of sequences the regular expression must match: ===

1+2+3 (the sequence has one valid element)

10,1+2+3,-20 (the sequence has three valid elements)

-0,2*-3+7,-11,33/-11*-5,-12/6,19,77,1-2+3-4+5 (the sequence has eight valid elements)

=== Examples of sequences the regular expression must NOT match: ===

22+11, (there is a comma after the first sequence element, but the second element is missing)

120+,3-4 (the first sequence element contains a plus character not followed by integer number)

-12-33,12+-1,5*6-3 (the second sequence element contains a plus character which is followed by a negative integer, but it is not allowed to use the minus character after plus)

1+2,,3+4 (the second sequence element is missing)

11,12,+13 (the third sequence element starts with a plus character which is allowed only as a separator between two integer numbers)

12^3,2+3,55//11 (the first sequence element contains an illegal character ^; also the third element contains two consecutive slash characters, while only one is allowed)

1+2+3,12*,2/3 (the second sequence element ends with an asterisk character which is allowed only as a separator between two integer numbers)

11,45+3, 100 (there is an illegal space character after the second separating comma)

60 ,-4+0 (there is an illegal space character before the first separating comma)

--10A (the sequence has one element which starts with two minus characters, while only one minus is allowed; also, the element ends with an illegal character A)

Itx8071-task1

2024-09-21T13:57:43Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of integer expressions which follows these rules: ===

# The sequence consists of one or more elements. If there are two or more elements, they are separated with a comma (,) character.

# Each element of the sequence is an expression that can consist of digits 0 1 2 3 4 5 6 7 8 9 and the plus (+), minus (-), asterisk (*), and slash (/) characters. No other characters (such as spaces or letters) are permitted in the element. The element must contain one or more integer numbers, where the integer number is defined as a non-empty sequence of digits. If the element has more than one integer number, two consecutive integer numbers must be separated with a single plus, minus, asterisk or slash character. If the asterisk or slash separates two integer numbers, an optional minus (-) character can appear before the second (right-hand side) integer number. However, if two integer numbers are separated by plus or minus character, the minus prefix is not allowed for the second integer. Also, an optional minus (-) character can appear before the first integer number in the element (in other words, the first character of the element can be either a minus or a digit).

For example, the following are valid sequence elements:

012
-1
2+3
-0+12-7
22+90*-2/60
-100+16/-2*-30

However, the following sequence elements are invalid:

1 + 2 (the space character appears both before and after the plus character, but the use of spaces is illegal)
1%2 (an illegal character % appears between two integer numbers)
12C (an illegal character C appears after the integer number)
12--2 (if the minus character separates two integer numbers, it is not allowed to use the minus prefix for the second integer)

Please note that for accomplishing the task, '''one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool'''. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

=== Examples of sequences the regular expression must match: ===

1+2+3 (the sequence has one valid element)

10,1+2+3,-20 (the sequence has three valid elements)

-0,2*-3+7,-11,33/-11*-5,-12/6,19,77,1-2+3-4+5 (the sequence has eight valid elements)

=== Examples of sequences the regular expression must NOT match: ===

22+11, (there is a comma after the first sequence element, but the second element is missing)

120+,3-4 (the first sequence element contains a plus character not followed by integer number)

-12-33,12+-1,5*6-3 (the second sequence element contains a plus character which is followed by a negative integer, but it is not allowed to use the minus character after plus)

1+2,,3+4 (the second sequence element is missing)

11,12,+13 (the third sequence element starts with a plus character which is allowed only as a separator between two integer numbers)

12^3,2+3,55//11 (the first sequence element contains an illegal character ^; also the third element contains two consecutive slash characters, while only one is allowed)

1+2+3,12*,2/3 (the second sequence element ends with an asterisk character which is allowed only as a separator between two integer numbers)

11,45+3, 100 (there is an illegal space character after the second separating comma)

60 ,-4+0 (there is an illegal space character before the first separating comma)

--10A (the sequence has one element which starts with two minus characters, while only one minus is allowed; also, the element ends with an illegal character A)

Itx8071-task1

2024-09-21T13:56:43Z

Risto:

Itx8071-task1

2024-09-21T13:55:15Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of integer expressions which follows these rules: ===

1) The sequence consists of one or more elements. If there are two or more elements, they are separated with a comma (,) character.

2) Each element of the sequence is an expression that can consist of digits 0 1 2 3 4 5 6 7 8 9 and the plus (+), minus (-), asterisk (*), and slash (/) characters. No other characters (such as spaces or letters) are permitted in the element. The element must contain one or more integer numbers, where the integer number is defined as a non-empty sequence of digits. If the element has more than one integer number, two consecutive integer numbers must be separated with a single plus, minus, asterisk or slash character. If the asterisk or slash separates two integer numbers, an optional minus (-) character can appear before the second (right-hand side) integer number. However, if two integer numbers are separated by plus or minus character, the minus prefix is not allowed for the second integer. Also, an optional minus (-) character can appear before the first integer number in the element (in other words, the first character of the element can be either a minus or a digit).

For example, the following are valid sequence elements:

012
-1
2+3
-0+12-7
22+90*-2/60
-100+16/-2*-30

However, the following sequence elements are invalid:

1 + 2 (the space character appears both before and after the plus character, but the use of spaces is illegal)
1%2 (an illegal character % appears between two integer numbers)
12C (an illegal character C appears after the integer number)
12--2 (if the minus character separates two integer numbers, it is not allowed to use the minus prefix for the second integer)

Please note that for accomplishing the task, one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

=== Examples of sequences the regular expression must match: ===

1+2+3 (the sequence has one valid element)

10,1+2+3,-20 (the sequence has three valid elements)

-0,2*-3+7,-11,33/-11*-5,-12/6,19,77,1-2+3-4+5 (the sequence has eight valid elements)

=== Examples of sequences the regular expression must NOT match: ===

22+11, (there is a comma after the first sequence element, but the second element is missing)

120+,3-4 (the first sequence element contains a plus character not followed by integer number)

-12-33,12+-1,5*6-3 (the second sequence element contains a plus character which is followed by a negative integer, but it is not allowed to use the minus character after plus)

1+2,,3+4 (the second sequence element is missing)

11,12,+13 (the third sequence element starts with a plus character which is allowed only as a separator between two integer numbers)

12^3,2+3,55//11 (the first sequence element contains an illegal character ^; also the third element contains two consecutive slash characters, while only one is allowed)

1+2+3,12*,2/3 (the second sequence element ends with an asterisk character which is allowed only as a separator between two integer numbers)

11,45+3, 100 (there is an illegal space character after the second separating comma)

60 ,-4+0 (there is an illegal space character before the first separating comma)

--10A (the sequence has one element which starts with two minus characters, while only one minus is allowed; also, the element ends with an illegal character A)

Itx8071-task1

2024-09-21T13:54:28Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of integer expressions which follows these rules: ===

1) The sequence consists of one or more elements. If there are two or more elements, they are separated with a comma (,) character.

2) Each element of the sequence is an expression that can consist of digits 0 1 2 3 4 5 6 7 8 9 and the plus (+), minus (-), asterisk (*), and slash (/) characters. No other characters (such as spaces or letters) are permitted in the element. The element must contain one or more integer numbers, where the integer number is defined as a non-empty sequence of digits. If the element has more than one integer number, two consecutive integer numbers must be separated with a single plus, minus, asterisk or slash character. If the asterisk or slash separates two integer numbers, an optional minus (-) character can appear before the second (right-hand side) integer number. However, if two integer numbers are separated by plus or minus character, the minus prefix is not allowed for the second integer. Also, an optional minus (-) character can appear before the first integer number in the element (in other words, the first character of the element can be either a minus or a digit).

For example, the following are valid sequence elements:

012
-1
2+3
-0+12-7
22+90*-2/60
-100+16/-2*-30

However, the following sequence elements are invalid:

1 + 2 (the space character appears both before and after the plus character, but the use of spaces is illegal)
1%2 (an illegal character % appears between two integer numbers)
12C (an illegal character C appears after the integer number)
12--2 (if the minus character separates two integer numbers, it is not allowed to use the minus prefix for the second integer)

Please note that for accomplishing the task, one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

=== Examples of sequences the regular expression must match: ===

1+2+3 (the sequence has one valid element)

10,1+2+3,-20 (the sequence has three valid elements)

-0,2*-3+7,-11,33/-11*-5,-12/6,19,77,1-2+3-4+5 (the sequence has eight valid elements)

=== Examples of sequences the regular expression must NOT match: ===

22+11, (there is a comma after the first sequence element, but the second element is missing)

120+,3-4 (the first sequence element contains a plus character not followed by integer number)

-12-33,12+-1,5*6-3 (the second sequence element contains a plus character which is followed by a negative integer, but it is not allowed to use the minus character after plus)

1+2,,3+4 (the second sequence element is missing)

11,12,+13 (the third sequence element starts with a plus character which is allowed only as a separator between two integer numbers)

12^3,2+3,55//11 (the first sequence element contains an illegal character ^; also the third element contains two consecutive slash characters, while only one is allowed)

1+2+3,12*,2/3 (the second sequence element ends with an asterisk character which is allowed only as a separator between two integer numbers)

11,45+3, 100 (there is an illegal space character after the second separating comma)

60 ,-4+0 (there is an illegal space character before the first separating comma)

--10A (the sequence has one element which starts with two minus characters, while only one minus is allowed; also, the element ends with an illegal character A)

Itx8071-task1

2024-09-21T13:54:10Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of integer expressions which follows these rules: ===

1) The sequence consists of one or more elements. If there are two or more elements, they are separated with a comma (,) character.

2) Each element of the sequence is an expression that can consist of digits 0 1 2 3 4 5 6 7 8 9 and the plus (+), minus (-), asterisk (*), and slash (/) characters. No other characters (such as spaces or letters) are permitted in the element. The element must contain one or more integer numbers, where the integer number is defined as a non-empty sequence of digits. If the element has more than one integer number, two consecutive integer numbers must be separated with a single plus, minus, asterisk or slash character. If the asterisk or slash separates two integer numbers, an optional minus (-) character can appear before the second (right-hand side) integer number. However, if two integer numbers are separated by plus or minus character, the minus prefix is not allowed for the second integer. Also, an optional minus (-) character can appear before the first integer number in the element (in other words, the first character of the element can be either a minus or a digit).

For example, the following are valid sequence elements:

012
-1
2+3
-0+12-7
22+90*-2/60
-100+16/-2*-30

However, the following sequence elements are invalid:

1 + 2 (the space character appears both before and after the plus character, but the use of spaces is illegal)
1%2 (an illegal character % appears between two integer numbers)
12C (an illegal character C appears after the integer number)
12--2 (if the minus character separates two integer numbers, it is not allowed to use the minus prefix for the second integer)

Please note that for accomplishing the task, one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

=== Examples of sequences the regular expression must match: ===

1+2+3 (the sequence has one valid element)

10,1+2+3,-20 (the sequence has three valid elements)

-0,2*-3+7,-11,33/-11*-5,-12/6,19,77,1-2+3-4+5 (the sequence has eight valid elements)

=== Examples of sequences the regular expression must NOT match: ===

22+11, (there is a comma after the first sequence element, but the second element is missing)

120+,3-4 (the first sequence element contains a plus character not followed by integer number)

-12-33,12+-1,5*6-3 (the second sequence element contains a plus character which is followed by a negative integer, but it is not allowed to use the minus character after plus)

1+2,,3+4 (the second sequence element is missing)

11,12,+13 (the third sequence element starts with a plus character which is allowed only as a separator between two integer numbers)

12^3,2+3,55//11 (the first sequence element contains an illegal character ^; also the third element contains two consecutive slash characters, while only one is allowed)

1+2+3,12*,2/3 (the second sequence element ends with an asterisk character which is allowed only as a separator between two integer numbers)

11,45+3, 100 (there is an illegal space character after the second separating comma)

60 ,-4+0 (there is an illegal space character before the first separating comma)

--10A (the sequence has one element which starts with two minus characters, while only one minus is allowed; also, the element ends with an illegal character A)

Itx8071-task1

2024-09-21T13:53:41Z

Risto:

This homework assignment requires the knowledge from Module 3.

=== Please write a regular expression for matching the sequence of integer expressions which follows these rules: ===

1) The sequence consists of one or more elements. If there are two or more elements, they are separated with a comma (,) character.

2) Each element of the sequence is an expression that can consist of digits 0 1 2 3 4 5 6 7 8 9 and the plus (+), minus (-), asterisk (*), and slash (/) characters. No other characters (such as spaces or letters) are permitted in the element. The element must contain one or more integer numbers, where the integer number is defined as a non-empty sequence of digits. If the element has more than one integer number, two consecutive integer numbers must be separated with a single plus, minus, asterisk or slash character. If the asterisk or slash separates two integer numbers, an optional minus (-) character can appear before the second (right-hand side) integer number. However, if two integer numbers are separated by plus or minus character, the minus prefix is not allowed for the second integer. Also, an optional minus (-) character can appear before the first integer number in the element (in other words, the first character of the element can be either a minus or a digit).

For example, the following are valid sequence elements:

012
-1
2+3
-0+12-7
22+90*-2/60
-100+16/-2*-30

However, the following sequence elements are invalid:

1 + 2 (the space character appears both before and after the plus character, but the use of spaces is illegal)
1%2 (an illegal character % appears between two integer numbers)
12C (an illegal character C appears after the integer number)
12--2 (if the minus character separates two integer numbers, it is not allowed to use the minus prefix for the second integer)

Please note that for accomplishing the task, one regular expression has to be submitted which is suitable for use with the egrep or pcre2grep tool. It is not acceptable to submit the solution in a fragmented way (e.g., several isolated expressions for addressing different parts of the task). Also, it is not allowed to submit programs in Java, Python, Perl (or any other language) for the solution. Finally, if the solution only works with the examples provided below but does NOT meet the task specification, it will be treated as incorrect.

Examples of sequences the regular expression must match:

1+2+3 (the sequence has one valid element)

10,1+2+3,-20 (the sequence has three valid elements)

-0,2*-3+7,-11,33/-11*-5,-12/6,19,77,1-2+3-4+5 (the sequence has eight valid elements)

Examples of sequences the regular expression must NOT match:

22+11, (there is a comma after the first sequence element, but the second element is missing)

120+,3-4 (the first sequence element contains a plus character not followed by integer number)

-12-33,12+-1,5*6-3 (the second sequence element contains a plus character which is followed by a negative integer, but it is not allowed to use the minus character after plus)

1+2,,3+4 (the second sequence element is missing)

11,12,+13 (the third sequence element starts with a plus character which is allowed only as a separator between two integer numbers)

12^3,2+3,55//11 (the first sequence element contains an illegal character ^; also the third element contains two consecutive slash characters, while only one is allowed)

1+2+3,12*,2/3 (the second sequence element ends with an asterisk character which is allowed only as a separator between two integer numbers)

11,45+3, 100 (there is an illegal space character after the second separating comma)

60 ,-4+0 (there is an illegal space character before the first separating comma)

--10A (the sequence has one element which starts with two minus characters, while only one minus is allowed; also, the element ends with an illegal character A)

Cyber Defense Monitoring Solutions

2024-09-02T15:29:22Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Tuesday of fall semester 2024. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 3 2024 (introduction to the course, lecture of module 1) -- room ICT-401
* September 10 2024 (lab of module 1) -- room ICT-401
* September 17 2024 (lab of module 2) -- room ICT-401
* September 24 2023 (lecture of module 3) -- room ICT-401
* October 1 2024 (lab of module 3) -- room ICT-401
* October 8 2024 (lab of module 4) -- room ICT-401
* October 15 2024 (lecture of module 5) -- room ICT-401
* October 22 2024 (lab of module 5) -- room ICT-401
* October 29 2024 (lecture of module 6) -- room ICT-401
* November 5 2024 (lab of module 6) -- room ICT-401
* November 12 2024 (lecture of module 7) -- room ICT-401
* November 19 2024 (lab of module 7) -- room ICT-401
* November 26 2024 (lecture of module 8) -- room ICT-401
* December 3 2024 (lab of module 8) -- room ICT-401
* December 10 2024 (lecture of module 9) -- MS Teams
* December 17 2024 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1TJ2f42-uRrHHfv7eQJSR83_8rQLb1tl8/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 17 2024 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 17 2024'''
* lecture materials of module 3 ("Regular expression language") by '''September 24 2024'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 8 2024'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 15 2024'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 29 2024'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 12 2024'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 26 2024'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 4 2024 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 16 2024 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination time slots will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time slot will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Cyber Defense Monitoring Solutions

2024-08-24T15:01:51Z

Risto:

== Basic information ==

* Course Code -- ITX8071
* Credit Points -- 6.0 EAP
* Course Language -- English
* Course Schedule -- the course will be lectured from 17:45 to 21:00 on every Tuesday of fall semester 2024. Note that some lectures might take place in MS Teams environment under the team "Cyber Defense Monitoring Solutions (ITX8071)", while remaining lectures and all labs are arranged in room ICT-401.
* Course Materials -- use the registration code w7Xz53c for accessing all course slides and pre-recorded lecture videos in Moodle.

== Detailed Course Schedule ==

* September 3 2024 (introduction to the course, lecture of module 1) -- room ICT-401
* September 10 2024 (lab of module 1) -- room ICT-401
* September 17 2024 (lab of module 2) -- room ICT-401
* September 24 2023 (lecture of module 3) -- room ICT-401
* October 1 2024 (lab of module 3) -- room ICT-401
* October 8 2024 (lab of module 4) -- room ICT-401
* October 15 2024 (lecture of module 5) -- room ICT-401
* October 22 2024 (lab of module 5) -- room ICT-401
* October 29 2024 (lecture of module 6) -- room ICT-401
* November 5 2024 (lab of module 6) -- room ICT-401
* November 12 2024 (lecture of module 7) -- room ICT-401
* November 19 2024 (lab of module 7) -- room ICT-401
* November 26 2024 (lecture of module 8) -- room ICT-401
* December 3 2024 (lab of module 8) -- room ICT-401
* December 10 2024 (lecture of module 9) -- MS Teams
* December 17 2024 (lab of module 9) -- room ICT-401

== Evaluation ==

During the semester, two homework assignments are given to each student. Both assignments can yield up to 12.5 points, thus the maximum score from homework is 25 points. During the exam, three tasks are given to each student, with each task yielding up to 25 points and the whole exam up to 75 points. The final grade for a student is derived from his/her personal score:

* score > 90 -- grade 5 (excellent)
* 80 < score ≤ 90 -- grade 4 (very good)
* 70 < score ≤ 80 -- grade 3 (good)
* 60 < score ≤ 70 -- grade 2 (satisfactory)
* 50 < score ≤ 60 -- grade 1 (pass)
* score ≤ 50 -- a student has failed to pass

In addition to regular 100 points from homeworks and exam, additional points can be collected for active participation in the course (see the following sections).

== Virtual machine image ==

For course lab sessions, there is a [https://drive.google.com/file/d/1TJ2f42-uRrHHfv7eQJSR83_8rQLb1tl8/view?usp=drive_link virtual machine image] which has been created with VirtualBox. When importing the image into VirtualBox, '''don't forget''' to select the option '''"Generate new MAC addresses for all network adapters"'''. Also, if you are using the image on a classroom computer, import your virtual machine into the '''D:\itx8071''' directory. In order to run your virtual machine as a node of the classroom network, change the mode of the first network adapter from NAT to '''Bridged Adapter'''.

Since the virtual machine is essential for doing homework assignments, it is strongly recommended to also install it on a personal laptop. In order to do that, leave the first network adapter to NAT mode, and change the mode of the second network adapter to '''Host-only Adapter'''. The host-only adapter is connected to a special virtual network (e.g., 192.168.56.0/24) that is not accessible from other hosts and is shared between the host computer and virtual machines. This network can be used for accessing the virtual machine from the host computer and creating setups where several virtual machines need to communicate.

For changing the console keyboard layout of the virtual machine, use the '''/usr/bin/localectl''' tool. For example, '''localectl set-keymap ee''' sets Estonian keyboard layout for console and '''localectl set-keymap us''' sets US keyboard layout for console, while '''localectl list-keymaps''' lists all available layouts and '''localectl status''' shows the current settings.

== Lab sessions ==

Solutions for past lab sessions are available [https://drive.google.com/drive/folders/1-UYUgO-rnobRPRoVLwQvrivqyQbDpjEc?usp=sharing here].

Note that the last lab of the course on December 17 2024 is a '''graded lab which provides extra 5 points for participants'''. During the graded lab, groups of max 3 students have to work on an assignment that is described [[itx8071-graded-lab|here]]. In order to speed up your work during the lab, you can accomplish part of the assignment in advance. '''To receive points for the graded lab, the assignment solution has to be presented to the lecturers for evaluation during the lab session in ICT-401, and any other submissions are not accepted.'''

== Independent work during the semester ==

Note that the lectures of the course are interactive discussions which assume the students have prepared themselves for the lectures.
For attending the course successfully, the following course materials have to be independently studied in Moodle by given deadlines:

* lecture materials of module 2 ("Introduction to packet filtering with the Linux netfilter firewall") by '''September 17 2024'''
* lecture materials of module 3 ("Regular expression language") by '''September 24 2024'''
* lecture materials of module 4 ("Introduction to Perl regular expressions") by '''October 8 2024'''
* lecture materials of module 5 ("Syslog-ng framework") by '''October 15 2024'''
* lecture materials of module 6 ("Introduction to event correlation and Simple Event Correlator") by '''October 29 2024'''
* lecture materials of module 7 ("Simple Event Correlator - advanced topics") by '''November 12 2024'''
* lecture materials of module 8 ("Introduction to intrusion detection/prevention and Suricata IDS/IPS") by '''November 26 2024'''

In Moodle, lecture materials of several modules are followed by '''tests which provide extra points''', with each test consisting of four multiple choice questions. The test can be taken '''only once''' and has to be completed '''before the relevant lecture takes place'''. To pass the test, at least three questions have to be answered correctly, and each successfully passed test yields '''1 extra point'''.

== Homework assignments ==

* [[itx8071-task1|Task1]] -- a group work for max 3 students which must be submitted by '''November 4 2024 23:59 local time'''.
* [[itx8071-task2|Task2]] -- a group work for max 3 students which must be submitted by '''December 16 2024 23:59 local time'''.

Solutions to homework assignments should be sent to the e-mail address of the lecturer (given in the title page of each slide module). Together with the solution, full names and student codes of the authors must be listed. You should consider your solution submitted only after its reception '''has been confirmed''' by the lecturer.

All submitted solutions should be carefully tested final versions. Please submit the solution '''only once''', and do '''not''' send in partial and/or untested work. It is not allowed to submit a partial solution, and use comments from the lecturer for later resubmission of improved version(s). Also, if you wish to submit multiple solutions, you must '''clearly indicate''' which one should be used for evaluation. If no such indication is provided, the '''first solution''' will be used for evaluating your work, and other solutions are not considered.

Please note that each student can be a (co)author of only one solution (i.e., participation in more than one student group is not allowed). Also note that the list of authors can not be changed after the deadline.

The correct solution with your score will be announced after the deadline.

Solutions submitted after the deadline will '''not''' be accepted. Also, it is '''not''' possible to redo the homework assignment after the deadline.

== Information about the exam ==

The exam is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted. In order to attend the exam, each student must present an ID with a photo and have at least one pen in good working order. During the exam, each student has to accomplish 3 tasks within 3 hours on paper. All paper materials such as printed course slides, paper-based notes, and hardcopy books can be freely used during the exam.

Examination time slots will be announced during the semester.

For taking the exam, '''official registration in OIS''' is required for one of the examination time slots.

Note that each student can take the exam only once, and in order to get the second try for improving the result, official application for re-examination is required (see below).

'''While producing his/her final examination work, the student must consider the following:'''

* Since there is no defense of the written examination work, the examination work must present full and unambiguous task solutions
* Each task must have only one clearly presented solution; if multiple solutions are given, only the first one will be evaluated
* All handwriting in the examination work must be legible
* No spare pens are provided to students during the exam

'''The following rules apply during the exam, and failure to follow them will invalidate the examination work of the student:'''

* The use of Internet, digital materials, and electronic devices (computers, mobile phones, cameras, etc.) is not permitted for any purposes
* All electronic devices will have to be switched to silent mode and left on a designated desk for the duration of the exam
* Any communication between students or with persons not taking the exam is strictly prohibited
* While the use of printed materials is permitted, it is not allowed to share such materials between students
* Students can't leave the examination room during the first 60 minutes and the last 30 minutes of the exam
* Each student can leave the examination room once during the exam for max 10 minutes (only one person can leave the room at a time)
* When leaving the examination room, the student has to surrender the task sheet to the lecturer (it is prohibited to take any exam-related materials outside the room)
* When submitting the examination work, the student must also hand over the task sheet
* It is strictly prohibited to take photos or make any other copies of the task sheet

== Re-examination information ==

Each student is granted one re-examination attempt which requires official application. The student can apply for re-examination after failing a regular exam, or for improving a low grade from a regular exam. Re-examination invalidates any previous grade or intermediate result which was obtained during the semester. During re-examination, 2 assignments have to be accomplished within 1 hour. The final grade is solely based on assignment solutions, and no work from previous exam or semester can be combined with the re-exam.

The re-examination is an '''open-book''' exam, but the use of Internet, electronic devices, and digital materials is '''not''' permitted, and all rules of the regular exam apply (see above).

Re-examination time slot will be announced during the semester.

== Plagiarism policy ==

Please note that '''plagiarized''' home works and exam works will be '''rejected without a review''', and the university will be '''notified''' of the offense. All cases of student plagiarism and other violations of academic practices will be handled according to [https://haldus.taltech.ee/sites/default/files/2020-10/Terviktekst_IT-teaduskonna%20%C3%B5ppuri%20akad%20tavade%20rikkumise%20ja%20v%C3%A4%C3%A4ritu%20k%C3%A4itumise%20menetlemise%20kord_ENG.pdf regulations of the IT faculty].

Itx8071-graded-lab

2024-08-13T12:34:18Z

Risto: Lehekülg asendatud tekstiga 'To be announced.'

To be announced.