Difference between revisions of "Itx8071-task2"

Source: Kursused

(144 intermediate revisions by the same user not shown)

Earlier revision:
This homework assignment requires the knowledge from Modules 6 and 7.

=== Create SEC rules that accomplish the following event correlation task: ===

'''1) The rules must process netfilter firewall syslog events about blocked packets sent to local TCP and UDP ports.'''
 
 
For example, the following two events represent accesses to local ports 23/tcp and 25/tcp which were blocked by the local firewall:

 Nov  6 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''192.168.1.67''' DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO='''TCP''' SPT=44963 DPT='''23''' WINDOW=49640 RES=0x00 SYN URGP=0
 Nov  6 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''192.168.1.104''' DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO='''TCP''' SPT=56918 DPT='''25''' WINDOW=29200 RES=0x00 SYN URGP=0

'''The rules must also process Apache web server syslog events with status codes 403 (Forbidden) and 404 (Not Found).'''

For example, the following event represents a GET request from client 192.168.1.101 to URL /banner.png that was not found (status code is 404):

 Nov  6 19:05:37 localhost apache: '''192.168.1.101''' - - [06/Nov/2016:19:05:37 +0200] "GET '''/banner.png''' HTTP/1.1" '''404''' 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"

'''2) If some URL is requested from 5 different clients within 5 minutes with status codes 403 and/or 404, this URL must be memorized as false positive for the following 15 minutes.'''
 
 
 
For example, if the following events appear in the log, the URL /offers/sales-offer.html must be memorized as false positive at Nov 6 19:06:17 for 15 minutes, since it has been accessed by 5 different clients 192.168.1.101, 192.168.1.103, 192.168.1.104, 192.168.2.16, and 192.168.7.33 within 5 minutes (between Nov 6 19:03:49 and Nov 6 19:06:17):

 Nov  6 19:03:48 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:48 +0200] "GET /images/poweredby.png HTTP/1.1" 200 3956 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:03:49 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:49 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:03:59 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:59 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:04:07 localhost apache: 192.168.1.102 - - [06/Nov/2016:19:04:07 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:04:22 localhost apache: 192.168.1.103 - - [06/Nov/2016:19:04:22 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:04:29 localhost apache: 192.168.1.103 - - [06/Nov/2016:19:04:29 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:04:40 localhost apache: 192.168.1.104 - - [06/Nov/2016:19:04:40 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:05:01 localhost apache: 192.168.2.16 - - [06/Nov/2016:19:05:01 +0200] "GET /offers/sales-offer.html HTTP/1.1" 403 225 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:06:17 localhost apache: 192.168.7.33 - - [06/Nov/2016:19:06:17 +0200] "GET /offers/sales-offer.html HTTP/1.1" 403 225 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 Nov  6 19:26:16 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:26:16 +0200] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
  
'''3) If some host does the following within the 60 second window:'''
* '''probes at least 3 different ports that are protected by firewall, AND'''
* '''accesses at least 3 different URLs, so that status codes for URL accesses are 403 and/or 404 and none of the URLs has been previously memorized as false positive,'''
'''send an e-mail to root@localhost about offending activities from this host. After an e-mail alert has been issued about the host, disable further alerts for this host for 2 hours.'''

Note that ports in netfilter firewall messages must be distinguished not only by port number but also by transport protocol (in other words, ports 53/tcp and 53/udp must be considered different ports).

Also note that the detection should be done with a sliding window approach -- if the counting operation for some host has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.
 
  
For example, suppose the following events are observed and the URL
+
For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:
/offers/sales-offer.html has been previously memorized as false positive:
 
  
  Nov  6 18:51:01 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00
+
  Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
  PREC=0x00 TTL=62 ID=1881 DF PROTO='''TCP''' SPT=16333 DPT='''25''' WINDOW=5840 RES=0x00 SYN URGP=0
+
  Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
  Nov  6 18:51:07 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00
+
  Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
  PREC=0x00 TTL=62 ID=23421 DF PROTO='''TCP''' SPT=34342 DPT='''80''' WINDOW=29200 RES=0x00 SYN URGP=0
+
  Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
  Nov  6 18:51:08 localhost apache: '''10.1.1.7''' - - [06/Nov/2016:18:51:08 +0200]
+
  Nov  7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2
  "GET '''/banner.png''' HTTP/1.1" '''404''' 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 
  Chrome/54.0.2840.71 Safari/537.36"
 
Nov  6 18:51:08 localhost apache: '''10.1.1.7''' - - [06/Nov/2016:18:51:08 +0200]
 
  "GET '''/banner2.png''' HTTP/1.1" '''404''' 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 
  Chrome/54.0.2840.71 Safari/537.36"
 
Nov  6 18:51:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00
 
  PREC=0x00 TTL=62 ID=23421 DF PROTO='''TCP''' SPT=34342 DPT='''80''' WINDOW=29200 RES=0x00 SYN URGP=0
 
  Nov  6 18:51:09 localhost apache: '''10.1.1.7''' - - [06/Nov/2016:18:51:09 +0200]
 
  "GET '''/banner.png''' HTTP/1.1" '''404''' 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 
  Chrome/54.0.2840.71 Safari/537.36"
 
Nov  6 18:51:11 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:11 +0200]  
 
  "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 
  Chrome/54.0.2840.71 Safari/537.36"
 
Nov  6 18:51:12 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00
 
  PREC=0x00 TTL=62 ID=31442 DF PROTO='''TCP''' SPT=47846 DPT='''21''' WINDOW=49640 RES=0x00 SYN URGP=0
 
Nov  6 18:51:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00
 
  PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0
 
  Nov  6 18:51:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00
 
  PREC=0x00 TTL=62 ID=31442 DF PROTO='''TCP''' SPT=47846 DPT='''445''' WINDOW=49640 RES=0x00 SYN URGP=0
 
Nov  6 18:52:05 localhost apache: '''10.1.1.7''' - - [06/Nov/2016:18:52:05 +0200]
 
  "GET '''/docs/report.doc''' HTTP/1.1" '''403''' 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 
  Chrome/54.0.2840.71 Safari/537.36"
 
Nov  6 18:52:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00
 
  PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0
 
  
The event correlation rules must produce an alarm at Nov  6 18:52:05 about
+
Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.
offending host 10.1.1.7, since between Nov 6 18:51:07 and Nov 6 18:52:05
 
this host has:
 
* probed 3 distinct ports 80/tcp, 21/tcp, and 445/tcp,
 
* accessed 3 distinct URLs /banner.png, /banner2.png, and /docs/report.doc with status codes 404 and 403.
 
  
Note that although event correlation for host 10.1.1.7 should be started at Nov 6 18:51:01, the window has to slide forward after 60 seconds,
+
Note that all parts of the solution must be '''fully functional''' even when port probing or user account probing is conducted from '''several hosts in parallel''' (for example, contexts maintained by different counting operations must '''not''' interfere with each other).
since only 2 distinct URLs have been observed for 10.1.1.7 (access to /offers/sales-offer.html must be ignored, since it has been
 
previously memorized as false positive). Therefore, the port probe at Nov 6 18:51:01 will be left out of the window when it slides.
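As an added worked example (not part of the assignment text and not a SEC rule set), the following Python script models subtasks 2 and 3 of this earlier revision on the assignment's own example events: the false-positive memorization over the Apache events above, and the per-host sliding 60 second window that counts distinct ports and distinct non-false-positive 403/404 URLs. The sample input is copied from the two worked examples with the wiki bold markup removed and the User-Agent strings shortened; the year 2016 for the syslog timestamps, the 2 hour alert suppression, and the pre-existing false-positive entry used for the subtask 3 run (the text only says the URL was memorized earlier) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the assignment's own example events with the wiki bold
# markup removed and the long User-Agent strings shortened to "Mozilla/5.0".
UA = '"-" "Mozilla/5.0"'
APACHE_FP_SAMPLE = [
    f'Nov  6 19:03:48 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:48 +0200] "GET /images/poweredby.png HTTP/1.1" 200 3956 {UA}',
    f'Nov  6 19:03:49 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:49 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 {UA}',
    f'Nov  6 19:03:59 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:59 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 {UA}',
    f'Nov  6 19:04:07 localhost apache: 192.168.1.102 - - [06/Nov/2016:19:04:07 +0200] "GET /banner.png HTTP/1.1" 404 208 {UA}',
    f'Nov  6 19:04:22 localhost apache: 192.168.1.103 - - [06/Nov/2016:19:04:22 +0200] "GET /banner.png HTTP/1.1" 404 208 {UA}',
    f'Nov  6 19:04:29 localhost apache: 192.168.1.103 - - [06/Nov/2016:19:04:29 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 {UA}',
    f'Nov  6 19:04:40 localhost apache: 192.168.1.104 - - [06/Nov/2016:19:04:40 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 {UA}',
    f'Nov  6 19:05:01 localhost apache: 192.168.2.16 - - [06/Nov/2016:19:05:01 +0200] "GET /offers/sales-offer.html HTTP/1.1" 403 225 {UA}',
    f'Nov  6 19:06:17 localhost apache: 192.168.7.33 - - [06/Nov/2016:19:06:17 +0200] "GET /offers/sales-offer.html HTTP/1.1" 403 225 {UA}',
]
SUBTASK3_SAMPLE = [
    "Nov  6 18:51:01 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov  6 18:51:07 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    f'Nov  6 18:51:08 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:08 +0200] "GET /banner.png HTTP/1.1" 404 208 {UA}',
    f'Nov  6 18:51:08 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:08 +0200] "GET /banner2.png HTTP/1.1" 404 208 {UA}',
    "Nov  6 18:51:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    f'Nov  6 18:51:09 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:09 +0200] "GET /banner.png HTTP/1.1" 404 208 {UA}',
    f'Nov  6 18:51:11 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:11 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 {UA}',
    "Nov  6 18:51:12 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=21 WINDOW=49640 RES=0x00 SYN URGP=0",
    "Nov  6 18:51:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0",
    "Nov  6 18:51:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=445 WINDOW=49640 RES=0x00 SYN URGP=0",
    f'Nov  6 18:52:05 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:52:05 +0200] "GET /docs/report.doc HTTP/1.1" 403 208 {UA}',
    "Nov  6 18:52:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0",
]
# The subtask 3 example only states that the URL was memorized earlier; this entry is constructed for the run.
FALSE_POSITIVES = {"/offers/sales-offer.html": ("Nov  6 18:40:00", datetime(2016, 11, 6, 18, 55))}

NETFILTER_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: iptables: .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")
APACHE_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ apache: (\S+) - - \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse_time(stamp, year=2016):
    """Syslog stamps carry no year; the example events are from 2016 (assumption)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def memorize_false_positives(lines, threshold=5, window=timedelta(minutes=5), ttl=timedelta(minutes=15)):
    """Subtask 2: a URL served with 403/404 to 5 distinct clients within 5 minutes becomes
    a false positive for 15 minutes.  Returns {url: (memorized_at_stamp, expiry)}."""
    clients, memorized = defaultdict(dict), {}          # url -> {client: last seen}
    for line in lines:
        m = APACHE_RE.search(line)
        if not m or m.group(4) not in ("403", "404"):
            continue
        stamp, client, url = m.group(1), m.group(2), m.group(3)
        ts, seen = parse_time(stamp), clients[url]
        seen[client] = ts
        for c in [c for c, t in seen.items() if ts - t > window]:
            del seen[c]                                 # slide the 5 minute window
        if len(seen) >= threshold and (url not in memorized or ts >= memorized[url][1]):
            memorized[url] = (stamp, ts + ttl)
            seen.clear()
    return memorized

def correlate(lines, false_positives, window=timedelta(seconds=60),
              min_ports=3, min_urls=3, suppress=timedelta(hours=2)):
    """Subtask 3: per-host sliding 60 s window over blocked ports and 403/404 URLs
    (memorized false positives ignored); alarm, then silence that host for 2 hours."""
    observed, suppressed, alarms = defaultdict(list), {}, []   # one context per host
    for line in lines:
        if (m := NETFILTER_RE.search(line)):
            stamp, host, item = m.group(1), m.group(2), ("port", f"{m.group(4)}/{m.group(3).lower()}")
        elif (m := APACHE_RE.search(line)) and m.group(4) in ("403", "404"):
            stamp, host, item = m.group(1), m.group(2), ("url", m.group(3))
        else:
            continue
        ts = parse_time(stamp)
        if item[0] == "url" and item[1] in false_positives and ts < false_positives[item[1]][1]:
            continue                                    # memorized false positive: ignore
        # sliding window: anything older than 60 s drops out before counting
        current = [e for e in observed[host] if ts - e[0] <= window] + [(ts,) + item]
        observed[host] = current
        if host in suppressed and ts < suppressed[host]:
            continue
        ports = {v for _, k, v in current if k == "port"}
        urls = {v for _, k, v in current if k == "url"}
        if len(ports) >= min_ports and len(urls) >= min_urls:
            alarms.append((stamp, host, sorted(ports), sorted(urls)))
            suppressed[host], observed[host] = ts + suppress, []
    return alarms

if __name__ == "__main__":
    print(memorize_false_positives(APACHE_FP_SAMPLE))
    print(correlate(SUBTASK3_SAMPLE, FALSE_POSITIVES))
```

Running the script memorizes /offers/sales-offer.html at 19:06:17 and raises exactly one alarm for 10.1.1.7 at 18:52:05, with the 18:51:01 probe of 25/tcp already outside the window; running `correlate` with an empty false-positive table instead fires at 18:51:12, which is why the false-positive filter has to be applied before counting URLs. In SEC the per-host list corresponds to the per-host context an EventGroup2 rule maintains, and the e-mail action is left to the rule's action list.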
 
  
Some hints for accomplishing this assignment:
* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
* in order to accomplish subtask 3 (detection of port probes and URL accesses from the same host within a 60 second window), use the EventGroup2 rule.

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html).

Latest revision: 13 November 2025, 16:27

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as a suspicious host. Note that ports must be distinguished not only by port number, but the transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded as different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12 
Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12 
Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After the e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov  7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).
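As an added worked example (not part of the assignment and not a SEC rule set), the Python script below models subtasks 1 and 2 together: it counts distinct port/protocol pairs per source host in a sliding 2 minute window, memorizes the host for 1 hour once 5 are seen, and then correlates SSH "invalid user" failures from memorized hosts in a sliding 1 minute window, recording an alert and suppressing the host for 3 hours. The sample input is the assignment's own events for 192.168.56.1 interleaved with constructed events for a second host 192.168.56.77, which probes only 3 ports and therefore must neither be memorized nor trigger an alert; that second host, the year 2016 for the timestamps, and the decoy process ids and ports are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

NETFILTER_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: iptables: .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for invalid user (\S+) from (\S+) port \d+")

# Constructed sample input: the assignment's events for 192.168.56.1 interleaved with
# constructed events for 192.168.56.77, a host that probes only 3 distinct ports.
MAC = "MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00"
TAIL = "WINDOW=29200 RES=0x00 SYN URGP=0"
SAMPLE_EVENTS = [
    f"Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12",
    f"Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12",
    f"Nov  7 14:15:10 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.77 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40000 DPT=22 {TAIL}",  # constructed
    f"Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 {TAIL}",
    f"Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 {TAIL}",
    f"Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 {TAIL}",
    f"Nov  7 14:15:40 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.77 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=UDP SPT=40001 DPT=22 LEN=12",  # constructed: 22/udp, not 22/tcp
    f"Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 {TAIL}",
    f"Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 {TAIL}",
    f"Nov  7 14:16:10 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.77 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=103 DF PROTO=TCP SPT=40002 DPT=80 {TAIL}",  # constructed
    f"Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= {MAC} SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12",
    "Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2",
    "Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2",
    "Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2",
    "Nov  7 14:36:20 localhost sshd[1339]: Failed password for invalid user test from 192.168.56.77 port 40003 ssh2",   # constructed
    "Nov  7 14:36:25 localhost sshd[1341]: Failed password for invalid user guest from 192.168.56.77 port 40004 ssh2",  # constructed
    "Nov  7 14:36:30 localhost sshd[1342]: Failed password for invalid user ftp from 192.168.56.77 port 40005 ssh2",    # constructed
    "Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2",
    "Nov  7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2",
]

def parse_time(stamp, year=2016):
    """Syslog stamps carry no year; 2016 is assumed (the year does not affect the logic)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def correlate(lines, probe_window=timedelta(minutes=2), probe_thresh=5, suspicious_ttl=timedelta(hours=1),
              ssh_window=timedelta(minutes=1), ssh_thresh=3, alert_suppress=timedelta(hours=3)):
    """Returns ({host: (memorized_at_stamp, expiry)}, [(stamp, host, [probed accounts])])."""
    ports = defaultdict(deque)       # host -> (ts, "port/proto"); a separate context per host
    users = defaultdict(deque)       # host -> (ts, invalid user name); hosts never interfere
    suspicious, suppressed, alerts = {}, {}, []
    for line in lines:
        if (m := NETFILTER_RE.search(line)):
            stamp, host = m.group(1), m.group(2)
            ts, q = parse_time(stamp), ports[host]
            q.append((ts, f"{m.group(4)}/{m.group(3).lower()}"))   # 53/tcp and 53/udp stay distinct
            while ts - q[0][0] > probe_window:                      # slide the 2 minute window
                q.popleft()
            if len({p for _, p in q}) >= probe_thresh:              # subtask 1: 5 distinct ports
                suspicious[host] = (stamp, ts + suspicious_ttl)
                q.clear()
        elif (m := SSHD_RE.search(line)):
            stamp, user, host = m.group(1), m.group(2), m.group(3)
            ts = parse_time(stamp)
            if host not in suspicious or ts >= suspicious[host][1]:
                continue                                            # only memorized hosts are correlated
            q = users[host]
            q.append((ts, user))
            while ts - q[0][0] > ssh_window:                        # slide the 1 minute window
                q.popleft()
            if host in suppressed and ts < suppressed[host]:
                continue                                            # alerting disabled for 3 hours
            if len({u for _, u in q}) >= ssh_thresh:                # subtask 2: 3 distinct accounts
                alerts.append((stamp, host, sorted({u for _, u in q})))
                suppressed[host] = ts + alert_suppress
                q.clear()
    return suspicious, alerts

if __name__ == "__main__":
    memorized, sent = correlate(SAMPLE_EVENTS)
    print("suspicious:", memorized)
    print("alerts to root@localhost:", sent)
```

Running it memorizes only 192.168.56.1 (at 14:16:46, when the fifth distinct port 123/udp is seen) and records exactly one alert, for 192.168.56.1 at 14:36:50; the interleaved 192.168.56.77 events never reach either threshold and, because that host is not memorized, its three invalid-user failures are not even counted. The two per-host deques play the role of the separate SEC contexts the note above asks for; sending the actual e-mail is left to the SEC action list.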

Some hints for accomplishing this assignment:

  • consider the technique outlined on slides 17-18 of Module 7,
  • as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf),
  • make sure you have a good understanding of the lab assignment solutions of Modules 6 and 7.