rosetta-ce 1.3.3__py3.11.egg → 1.3.4__py3.11.egg

EGG-INFO/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.3.3
+Version: 1.3.4
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud

rosetta/rfaker.py

@@ -29,11 +29,6 @@ class ObservableKnown(Enum):
     GOOD = 'good'
 
 
-class CEFDevices(Enum):
-    Firewall = "Firewall"
-    EmailGW = "EmailGW"
-
-
 class Observables:
     def __init__(self, src_ip: list = None, dst_ip: Optional[list] = None, src_host: Optional[list] = None,
                  dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
@@ -148,7 +143,7 @@ class Observables:
         - A list of generated observables.
 
         Raises:
-        - Exception: If the function fails to retrieve data from any configured source with a HTTP status code other
+        - Exception: If the function fails to retrieve data from any configured source with an HTTP status code other
             than 200.
         """
         faker = cls._create_faker()
@@ -274,7 +269,8 @@ class Events:
         return Observables()
 
     @classmethod
-    def syslog(cls, count: int, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> List[str]:
+    def syslog(cls, count: int, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> \
+            List[str]:
         """
         Generate fake syslog messages.
 
@@ -282,7 +278,8 @@ class Events:
             count: The number of syslog messages to generate.
             timestamp: Optional. The starting timestamp for the syslog messages. If not provided, a random time during
             the past hour from now will be used.
-            observables: Optional. An observables object. If not provided, random objservable will be generated and used.
+            observables: Optional. An observables object. If not provided, random objservable will be generated
+            and used.
         Returns:
             A list of syslog messages.
 
@@ -317,7 +314,7 @@ class Events:
         return syslog_messages
 
     @classmethod
-    def cef(cls, count: int, vendor: Optional[str] = None, product: Optional[CEFDevices] = CEFDevices.Firewall,
+    def cef(cls, count: int, vendor: Optional[str] = None, product: Optional[str] = None,
             version: Optional[str] = None, timestamp: Optional[datetime] = None,
             observables: Optional[Observables] = None) -> List[str]:
         """
@@ -331,7 +328,8 @@ class Events:
             - Firewall
             - EmailGW
             version: Optional. The version.
-            observables: Optional. An observables object. If not provided, random objservable will be generated and used.
+            observables: Optional. An observables object. If not provided, random objservable will be generated
+            and used.
         Returns:
             A list of fake CEF messages in string format.
 
@@ -357,7 +355,7 @@ class Events:
         if timestamp is None:
             timestamp = datetime.now() - timedelta(hours=1)
             timestamp += timedelta(seconds=faker.random_int(min=0, max=3599))
-        if product.name == "Firewall":
+        if product == "Firewall":
             for i in range(count):
                 log_id = faker.uuid4()
                 timestamp += timedelta(seconds=1)
@@ -374,7 +372,8 @@ class Events:
                     else Observables.generator(observable_type=ObservableType.URL, known=ObservableKnown.BAD, count=1)
                 inbound_bytes = random.choice(observables.inbound_bytes) if observables and observables.inbound_bytes \
                     else faker.random_int(min=10, max=1073741824)
-                outbound_bytes = random.choice(observables.outbound_bytes) if observables and observables.outbound_bytes \
+                outbound_bytes = random.choice(observables.outbound_bytes) if observables and \
+                    observables.outbound_bytes \
                     else faker.random_int(min=10, max=1073741824)
                 protocol = random.choice(observables.protocol) if observables and observables.protocol \
                     else random.choice(PROTOCOLS)
@@ -382,12 +381,13 @@ class Events:
                     else faker.random_int(min=1, max=200)
                 action = random.choice(observables.action) if observables and observables.action \
                     else random.choice(ACTIONS)
-                event_description = f"Firewall {action} {protocol} traffic from {src_ip}:{src_port} to {dst_ip}:{dst_port}"
-                cef_messages.append(f"CEF:0|{vendor}|{product.name}|{version}|{log_id}|{timestamp}|{severity}|"
-                                    f"{event_description}|src={src_ip} spt={src_port} dst={dst_ip} url={dst_url}"
-                                    f"dpt={dst_port} in_bytes={inbound_bytes} out_bytes={outbound_bytes} proto={protocol}"
-                                    f" rule={rule_id} act={action}")
-        elif product.name == "EmailGW":
+                event_description = f"Firewall {action} {protocol} traffic from {src_ip}:{src_port} to " \
+                                    f"{dst_ip}:{dst_port}"
+                cef_messages.append(f"CEF:0|{vendor}|{product}|{version}|{log_id}|{timestamp}|{severity}|"
+                                    f"{event_description}|src_ip={src_ip} src_port={src_port} dst_ip={dst_ip} "
+                                    f"url={dst_url} dst_port={dst_port} in_bytes={inbound_bytes} "
+                                    f"out_bytes={outbound_bytes} proto={protocol} rule={rule_id} act={action}")
+        elif product == "EmailGW":
             for i in range(count):
                 mail_id = faker.uuid4()
                 timestamp += timedelta(seconds=1)
@@ -399,8 +399,8 @@ class Events:
                     else faker.email()
                 recipient_email = random.choice(observables.recipient_email) if observables and \
                     observables.recipient_email else faker.email()
-                email_subject = random.choice(observables.email_subject) if observables and observables.email_subject else \
-                    faker.sentence(nb_words=6)
+                email_subject = random.choice(observables.email_subject) if observables and observables.email_subject \
+                    else faker.sentence(nb_words=6)
                 email_body = random.choice(observables.email_body) if observables and observables.email_body else \
                     faker.sentence(nb_words=50)
                 attachment_hash = random.choice(observables.file_hash) if observables and observables.file_hash \
@@ -409,11 +409,37 @@ class Events:
                 spam_score = faker.random_int(min=1, max=5)
                 action = random.choice(observables.action) if observables and observables.action \
                     else random.choice(ACTIONS)
-                cef_messages.append(f"CEF:0|{vendor}|{product.name}|{version}|{mail_id}|{timestamp}|"
-                                    f"src={src_ip} src_domain={src_domain} sender_email={sender_email} "
+                cef_messages.append(f"CEF:0|{vendor}|{product}|{version}|{mail_id}|{timestamp}|"
+                                    f"src_ip={src_ip} src_domain={src_domain} sender_email={sender_email} "
                                     f"recipient_email={recipient_email} email_subject={email_subject} "
                                     f"email_body={email_body} attachment_hash={attachment_hash} spam_score={spam_score}"
                                     f" action={action}")
+        else:
+            for i in range(count):
+                log_id = faker.uuid4()
+                timestamp += timedelta(seconds=1)
+                severity = random.choice(observables.severity) if observables and observables.severity \
+                    else faker.random_int(min=1, max=5)
+                src_ip = random.choice(observables.src_ip) if observables and observables.src_ip \
+                    else faker.ipv4()
+                src_port = faker.random_int(min=1024, max=65535)
+                dst_ip = random.choice(observables.dst_ip) if observables and observables.dst_ip \
+                    else Observables.generator(observable_type=ObservableType.IP, known=ObservableKnown.BAD, count=1)
+                dst_port = random.choice(observables.port) if observables and observables.port \
+                    else faker.random_int(min=1024, max=65535)
+                protocol = random.choice(observables.protocol) if observables and observables.protocol \
+                    else random.choice(PROTOCOLS)
+                rule_id = random.choice(observables.event_id) if observables and observables.event_id \
+                    else faker.random_int(min=1, max=200)
+                action = random.choice(observables.action) if observables and observables.action \
+                    else random.choice(ACTIONS)
+                generic_cef = f"CEF:0|{vendor}|{product}|{version}|{log_id}|{timestamp}|{severity}|src_ip={src_ip} " \
+                              f"src_port={src_port} dst_ip={dst_ip} dst_port={dst_port} proto={protocol} " \
+                              f"rule={rule_id} act={action}"
+                if observables:
+                    for observable, observable_value in vars(observables).items():
+                        generic_cef += f" {observable}={observable_value}"
+                cef_messages.append(generic_cef)
         return cef_messages
 
     @classmethod
@@ -487,7 +513,8 @@ class Events:
         return leef_messages
 
     @classmethod
-    def winevent(cls, count, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> List[str]:
+    def winevent(cls, count, timestamp: Optional[datetime] = None, observables: Optional[Observables] = None) -> \
+            List[str]:
         """
         Generates fake Windows Event Log messages.