rosetta-ce 1.3.2__py3.11.egg → 1.3.4__py3.11.egg

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rosetta-ce might be problematic. Click here for more details.

Files changed (3) hide show
  1. EGG-INFO/PKG-INFO +1 -1
  2. rosetta/__pycache__/rfaker.cpython-311.pyc +0 -0
  3. rosetta/rfaker.py +120 -40
EGG-INFO/PKG-INFO CHANGED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: rosetta-ce
3
- Version: 1.3.2
3
+ Version: 1.3.4
4
4
  Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
5
5
  Home-page: https://github.com/ayman-m/rosetta
6
6
  Author: Ayman Mahmoud
rosetta/__pycache__/rfaker.cpython-311.pyc CHANGED
Binary file
rosetta/rfaker.py CHANGED
@@ -31,21 +31,32 @@ class ObservableKnown(Enum):
31
31
 
32
32
  class Observables:
33
33
  def __init__(self, src_ip: list = None, dst_ip: Optional[list] = None, src_host: Optional[list] = None,
34
- dst_host: Optional[list] = None, url: Optional[list] = None, port: Optional[list] = None,
35
- protocol: Optional[list] = None, app: Optional[list] = None, os: Optional[list] = None,
36
- user: Optional[list] = None, cve: Optional[list] = None, file_name: Optional[list] = None,
37
- file_hash: Optional[list] = None, cmd: Optional[list] = None, process: Optional[list] = None,
38
- technique: Optional[list] = None, entry_type: Optional[list] = None, severity: Optional[list] = None,
39
- sensor: Optional[list] = None, action: Optional[list] = None, event_id: Optional[list] = None,
40
- error_code: Optional[list] = None, terms: Optional[list] = None, incident_types: Optional[list] = None,
41
- analysts: Optional[list] = None):
34
+ dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
35
+ sender_email: Optional[list] = None, recipient_email: Optional[list] = None,
36
+ email_subject: Optional[list] = None, email_body: Optional[list] = None,
37
+ url: Optional[list] = None, port: Optional[list] = None, protocol: Optional[list] = None,
38
+ inbound_bytes: Optional[list] = None, outbound_bytes: Optional[list] = None,
39
+ app: Optional[list] = None, os: Optional[list] = None, user: Optional[list] = None,
40
+ cve: Optional[list] = None, file_name: Optional[list] = None, file_hash: Optional[list] = None,
41
+ cmd: Optional[list] = None, process: Optional[list] = None, technique: Optional[list] = None,
42
+ entry_type: Optional[list] = None, severity: Optional[list] = None, sensor: Optional[list] = None,
43
+ action: Optional[list] = None, event_id: Optional[list] = None, error_code: Optional[list] = None,
44
+ terms: Optional[list] = None, incident_types: Optional[list] = None, analysts: Optional[list] = None):
42
45
  self.src_ip = src_ip
43
46
  self.dst_ip = dst_ip
44
47
  self.src_host = src_host
45
48
  self.dst_host = dst_host
49
+ self.src_domain = src_domain
50
+ self.dst_domain = dst_domain
51
+ self.sender_email = sender_email
52
+ self.recipient_email = recipient_email
53
+ self.email_subject = email_subject
54
+ self.email_body = email_body
46
55
  self.url = url
47
56
  self.port = port
48
57
  self.protocol = protocol
58
+ self.inbound_bytes = inbound_bytes
59
+ self.outbound_bytes = outbound_bytes
49
60
  self.app = app
50
61
  self.os = os
51
62
  self.user = user
@@ -132,7 +143,7 @@ class Observables:
132
143
  - A list of generated observables.
133
144
 
134
145
  Raises:
135
- - Exception: If the function fails to retrieve data from any configured source with a HTTP status code other
146
+ - Exception: If the function fails to retrieve data from any configured source with an HTTP status code other
136
147
  than 200.
137
148
  """
138
149
  faker = cls._create_faker()
@@ -258,7 +269,8 @@ class Events:
258
269
  return Observables()
259
270
 
260
271
  @classmethod
261
- def syslog(cls, count: int, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> List[str]:
272
+ def syslog(cls, count: int, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> \
273
+ List[str]:
262
274
  """
263
275
  Generate fake syslog messages.
264
276
 
@@ -266,7 +278,8 @@ class Events:
266
278
  count: The number of syslog messages to generate.
267
279
  timestamp: Optional. The starting timestamp for the syslog messages. If not provided, a random time during
268
280
  the past hour from now will be used.
269
- observables: Optional. An observables object. If not provided, random objservable will be generated and used.
281
+ observables: Optional. An observables object. If not provided, random objservable will be generated
282
+ and used.
270
283
  Returns:
271
284
  A list of syslog messages.
272
285
 
@@ -301,8 +314,9 @@ class Events:
301
314
  return syslog_messages
302
315
 
303
316
  @classmethod
304
- def cef(cls, count: int, vendor: Optional[str] = None, product: Optional[str] = None, version: Optional[str] = None,
305
- timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> List[str]:
317
+ def cef(cls, count: int, vendor: Optional[str] = None, product: Optional[str] = None,
318
+ version: Optional[str] = None, timestamp: Optional[datetime] = None,
319
+ observables: Optional[Observables] = None) -> List[str]:
306
320
  """
307
321
  Generates fake CEF (Common Event Format) messages.
308
322
 
@@ -310,9 +324,12 @@ class Events:
310
324
  count: The number of CEF messages to generate.
311
325
  timestamp: Optional. The starting timestamp for the syslog messages. If not provided, a random time during.
312
326
  vendor: Optional. The vendor.
313
- product: Optional. The product.
327
+ product: Optional. The product value options include:
328
+ - Firewall
329
+ - EmailGW
314
330
  version: Optional. The version.
315
- observables: Optional. An observables object. If not provided, random objservable will be generated and used.
331
+ observables: Optional. An observables object. If not provided, random objservable will be generated
332
+ and used.
316
333
  Returns:
317
334
  A list of fake CEF messages in string format.
318
335
 
@@ -333,34 +350,96 @@ class Events:
333
350
  """
334
351
  cef_messages = []
335
352
  faker = cls._create_faker()
353
+ vendor = vendor or faker.company()
336
354
  version = version or faker.numerify("1.0.#")
337
355
  if timestamp is None:
338
356
  timestamp = datetime.now() - timedelta(hours=1)
339
357
  timestamp += timedelta(seconds=faker.random_int(min=0, max=3599))
340
- for i in range(count):
341
- timestamp += timedelta(seconds=1)
342
- uuid = faker.uuid4()
343
- vendor = vendor or faker.company()
344
- product = product or "Firewall"
345
- src_port = faker.random_int(min=1024, max=65535)
346
- host = random.choice(observables.src_host) if observables and observables.src_host \
347
- else faker.hostname()
348
- dst_ip = random.choice(observables.dst_ip) if observables and observables.dst_ip \
349
- else Observables.generator(observable_type=ObservableType.IP, known=ObservableKnown.BAD, count=1)
350
- url = random.choice(observables.url) if observables and observables.url \
351
- else Observables.generator(observable_type=ObservableType.URL, known=ObservableKnown.BAD, count=1)
352
- dst_port = random.choice(observables.port) if observables and observables.port \
353
- else faker.random_int(min=1024, max=65535)
354
- protocol = random.choice(observables.protocol) if observables and observables.protocol \
355
- else random.choice(PROTOCOLS)
356
- action = random.choice(observables.action) if observables and observables.action \
357
- else random.choice(ACTIONS)
358
- event_id = random.choice(observables.event_id) if observables and observables.event_id \
359
- else faker.random_int(min=1, max=10)
360
- event_description = f"Firewall {action} {protocol} traffic from {host}:{src_port} to {dst_ip}:{dst_port}"
361
- cef_messages.append(f"CEF:0|{vendor}|{product}|{version}|{uuid}|{timestamp}|"
362
- f"{event_description}|{event_id}|src={host} spt={src_port} dst={dst_ip} url={url}"
363
- f"dpt={dst_port} proto={protocol} act={action}")
358
+ if product == "Firewall":
359
+ for i in range(count):
360
+ log_id = faker.uuid4()
361
+ timestamp += timedelta(seconds=1)
362
+ severity = random.choice(observables.severity) if observables and observables.severity \
363
+ else faker.random_int(min=1, max=5)
364
+ src_ip = random.choice(observables.src_ip) if observables and observables.src_ip \
365
+ else faker.ipv4()
366
+ src_port = faker.random_int(min=1024, max=65535)
367
+ dst_ip = random.choice(observables.dst_ip) if observables and observables.dst_ip \
368
+ else Observables.generator(observable_type=ObservableType.IP, known=ObservableKnown.BAD, count=1)
369
+ dst_port = random.choice(observables.port) if observables and observables.port \
370
+ else faker.random_int(min=1024, max=65535)
371
+ dst_url = random.choice(observables.url) if observables and observables.url \
372
+ else Observables.generator(observable_type=ObservableType.URL, known=ObservableKnown.BAD, count=1)
373
+ inbound_bytes = random.choice(observables.inbound_bytes) if observables and observables.inbound_bytes \
374
+ else faker.random_int(min=10, max=1073741824)
375
+ outbound_bytes = random.choice(observables.outbound_bytes) if observables and \
376
+ observables.outbound_bytes \
377
+ else faker.random_int(min=10, max=1073741824)
378
+ protocol = random.choice(observables.protocol) if observables and observables.protocol \
379
+ else random.choice(PROTOCOLS)
380
+ rule_id = random.choice(observables.event_id) if observables and observables.event_id \
381
+ else faker.random_int(min=1, max=200)
382
+ action = random.choice(observables.action) if observables and observables.action \
383
+ else random.choice(ACTIONS)
384
+ event_description = f"Firewall {action} {protocol} traffic from {src_ip}:{src_port} to " \
385
+ f"{dst_ip}:{dst_port}"
386
+ cef_messages.append(f"CEF:0|{vendor}|{product}|{version}|{log_id}|{timestamp}|{severity}|"
387
+ f"{event_description}|src_ip={src_ip} src_port={src_port} dst_ip={dst_ip} "
388
+ f"url={dst_url} dst_port={dst_port} in_bytes={inbound_bytes} "
389
+ f"out_bytes={outbound_bytes} proto={protocol} rule={rule_id} act={action}")
390
+ elif product == "EmailGW":
391
+ for i in range(count):
392
+ mail_id = faker.uuid4()
393
+ timestamp += timedelta(seconds=1)
394
+ src_ip = random.choice(observables.src_ip) if observables and observables.src_ip \
395
+ else faker.ipv4()
396
+ src_domain = random.choice(observables.src_domain) if observables and observables.src_domain \
397
+ else faker.domain_name()
398
+ sender_email = random.choice(observables.sender_email) if observables and observables.sender_email \
399
+ else faker.email()
400
+ recipient_email = random.choice(observables.recipient_email) if observables and \
401
+ observables.recipient_email else faker.email()
402
+ email_subject = random.choice(observables.email_subject) if observables and observables.email_subject \
403
+ else faker.sentence(nb_words=6)
404
+ email_body = random.choice(observables.email_body) if observables and observables.email_body else \
405
+ faker.sentence(nb_words=50)
406
+ attachment_hash = random.choice(observables.file_hash) if observables and observables.file_hash \
407
+ else Observables.generator(observable_type=ObservableType.SHA256, known=ObservableKnown.BAD,
408
+ count=1)
409
+ spam_score = faker.random_int(min=1, max=5)
410
+ action = random.choice(observables.action) if observables and observables.action \
411
+ else random.choice(ACTIONS)
412
+ cef_messages.append(f"CEF:0|{vendor}|{product}|{version}|{mail_id}|{timestamp}|"
413
+ f"src_ip={src_ip} src_domain={src_domain} sender_email={sender_email} "
414
+ f"recipient_email={recipient_email} email_subject={email_subject} "
415
+ f"email_body={email_body} attachment_hash={attachment_hash} spam_score={spam_score}"
416
+ f" action={action}")
417
+ else:
418
+ for i in range(count):
419
+ log_id = faker.uuid4()
420
+ timestamp += timedelta(seconds=1)
421
+ severity = random.choice(observables.severity) if observables and observables.severity \
422
+ else faker.random_int(min=1, max=5)
423
+ src_ip = random.choice(observables.src_ip) if observables and observables.src_ip \
424
+ else faker.ipv4()
425
+ src_port = faker.random_int(min=1024, max=65535)
426
+ dst_ip = random.choice(observables.dst_ip) if observables and observables.dst_ip \
427
+ else Observables.generator(observable_type=ObservableType.IP, known=ObservableKnown.BAD, count=1)
428
+ dst_port = random.choice(observables.port) if observables and observables.port \
429
+ else faker.random_int(min=1024, max=65535)
430
+ protocol = random.choice(observables.protocol) if observables and observables.protocol \
431
+ else random.choice(PROTOCOLS)
432
+ rule_id = random.choice(observables.event_id) if observables and observables.event_id \
433
+ else faker.random_int(min=1, max=200)
434
+ action = random.choice(observables.action) if observables and observables.action \
435
+ else random.choice(ACTIONS)
436
+ generic_cef = f"CEF:0|{vendor}|{product}|{version}|{log_id}|{timestamp}|{severity}|src_ip={src_ip} " \
437
+ f"src_port={src_port} dst_ip={dst_ip} dst_port={dst_port} proto={protocol} " \
438
+ f"rule={rule_id} act={action}"
439
+ if observables:
440
+ for observable, observable_value in vars(observables).items():
441
+ generic_cef += f" {observable}={observable_value}"
442
+ cef_messages.append(generic_cef)
364
443
  return cef_messages
365
444
 
366
445
  @classmethod
@@ -434,7 +513,8 @@ class Events:
434
513
  return leef_messages
435
514
 
436
515
  @classmethod
437
- def winevent(cls, count, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> List[str]:
516
+ def winevent(cls, count, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> \
517
+ List[str]:
438
518
  """
439
519
  Generates fake Windows Event Log messages.
440
520