PyPI - rosetta-ce - Versions diffs - 1.7.6__tar.gz - Mend

rosetta-ce 1.7.6__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

rosetta_ce-1.7.6/LICENSE +21 -0
rosetta_ce-1.7.6/PKG-INFO +151 -0
rosetta_ce-1.7.6/README.md +124 -0
rosetta_ce-1.7.6/rosetta/__init__.py +3 -0
rosetta_ce-1.7.6/rosetta/constants/__init__.py +0 -0
rosetta_ce-1.7.6/rosetta/constants/attributes.py +285 -0
rosetta_ce-1.7.6/rosetta/constants/db.py +92 -0
rosetta_ce-1.7.6/rosetta/constants/sensors.py +55 -0
rosetta_ce-1.7.6/rosetta/constants/sources.py +67 -0
rosetta_ce-1.7.6/rosetta/constants/systems.py +146 -0
rosetta_ce-1.7.6/rosetta/rconverter.py +82 -0
rosetta_ce-1.7.6/rosetta/rfaker.py +879 -0
rosetta_ce-1.7.6/rosetta/rsender.py +236 -0
rosetta_ce-1.7.6/rosetta_ce.egg-info/PKG-INFO +151 -0
rosetta_ce-1.7.6/rosetta_ce.egg-info/SOURCES.txt +21 -0
rosetta_ce-1.7.6/rosetta_ce.egg-info/dependency_links.txt +1 -0
rosetta_ce-1.7.6/rosetta_ce.egg-info/requires.txt +3 -0
rosetta_ce-1.7.6/rosetta_ce.egg-info/top_level.txt +1 -0
rosetta_ce-1.7.6/setup.cfg +4 -0
rosetta_ce-1.7.6/setup.py +28 -0
rosetta_ce-1.7.6/tests/test_rconverter.py +31 -0
rosetta_ce-1.7.6/tests/test_rfaker.py +164 -0
rosetta_ce-1.7.6/tests/test_rsender.py +53 -0

rosetta_ce-1.7.6/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2023 Ayman Mahmoud
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

rosetta_ce-1.7.6/PKG-INFO ADDED Viewed

@@ -0,0 +1,151 @@
+Metadata-Version: 2.4
+Name: rosetta-ce
+Version: 1.7.6
+Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
+Home-page: https://github.com/ayman-m/rosetta
+Author: Ayman Mahmoud
+Author-email: content@ayman.online
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests
+Requires-Dist: faker
+Requires-Dist: urllib3
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+[![snyk](https://snyk.io/test/github/ayman-m/rosetta/badge.svg)](https://snyk.io/test/github/my-soc/Rosetta)
+![codeql](https://github.com/ayman-m/rosetta/actions/workflows/github-code-scanning/codeql/badge.svg)
+[![slack-community](https://img.shields.io/badge/Slack-4A154C?logo=slack&logoColor=white)](https://go-rosetta.slack.com)
+# Rosetta
+Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases. It provides the following functions:
+- Generate bad and random observables/indicators that include IP Addresses, Urls, File hashes , CVE's and more
+- Fake log messages in different formats like CEF, LEEF and JSON.
+- Convert one log format into another, for example from CEF to LEEF.
+- Send the fake log message to different log management and analytics tools.
+## Installation
+- You can install rosetta via pip:
+```sh
+pip install rosetta-ce
+```
+- Or you can install it from the source code:
+```sh
+git clone https://github.com/ayman-m/rosetta.git
+cd rosetta
+python setup.py install
+```
+- Once installed, you can import the library in your Python code like this:
+```python
+from rosetta import Observables, Events
+```
+## Usage
+Here are some examples of how to use Rosetta:
+```python
+from rosetta import Converter, ConverterToEnum, ConverterFromEnum, Events, ObservableType, ObservableKnown, \
+    Observables, Sender
+# Example usage of the Converter class to convert a CEF log into a LEEF log.
+converted_log = Converter.convert(from_type=ConverterFromEnum.CEF, to_type=ConverterToEnum.LEEF,
+                                  data="cef_log=CEF:0|Security|Intrusion Detection System|1.0|Alert|10|src=192.168.0.1 dst=192.168.0.2 act=blocked")
+print(
+    converted_log)  # {'message': 'converted', 'data': 'LEEF=1.0!Vendor=Security!Product=Intrusion Detection System!Version=1.0!EventID=Alert!Name=10!src=192.168.0.1!dst=192.168.0.2!act=blocked'}
+# Example usage of the Observables class to generate bad IP indicators.
+bad_ip = Observables.generator(count=2, observable_type=ObservableType.IP, known=ObservableKnown.BAD)
+print(bad_ip)  # ['ip1', 'ip2']
+# Example usage of the Observables class to generate good IP indicators.
+good_ip = Observables.generator(count=2, observable_type=ObservableType.IP, known=ObservableKnown.GOOD)
+print(good_ip)  # ['ip1', 'ip2']
+# Example usage of the Observables class to generate bad URL indicators.
+bad_url = Observables.generator(count=2, observable_type=ObservableType.URL, known=ObservableKnown.BAD)
+print(bad_url)  # ['url1', 'url2']
+# Example usage of the Observables class to generate good URL indicators.
+good_url = Observables.generator(count=2, observable_type=ObservableType.URL, known=ObservableKnown.GOOD)
+print(good_url)  # ['url1', 'url2']
+# Example usage of the Observables class to generate bad Hash indicators.
+bad_hash = Observables.generator(count=2, observable_type=ObservableType.SHA256, known=ObservableKnown.BAD)
+print(bad_hash)  # ['hash1', 'hash2']
+# Example usage of the Observables class to generate good Hash indicators.
+good_hash = Observables.generator(count=2, observable_type=ObservableType.SHA256, known=ObservableKnown.GOOD)
+print(good_hash)  # ['hash1', 'hash2']
+# Example usage of the Observables class to generate CVE indicators.
+cve = Observables.generator(count=2, observable_type=ObservableType.CVE)
+print(cve)  # Example: ['CVE-2023-2136', 'CVE-2023-29582']
+# Example usage of the Observables class to generate random Terms.
+terms = Observables.generator(count=2, observable_type=ObservableType.TERMS)
+print(terms)  # Example: ['Create or Modify System Process', 'Stage Capabilities: Drive-by Target']
+# You can create an instance of the Observables class to contain your own observables that are to be used in the fake security events
+src_ip, dst_ip, src_host, dst_host = ["192.168.10.10", "192.168.10.20"], ["1.1.1.1", "1.1.1.2"], ["abc"], ["xyz", "wlv"]
+url, port = ["https://example.org", "https://wikipedia.com"], ["555", "666"]
+protocol, app = ["ftp", "dns", "ssl"], ["explorer.exe", "chrome.exe"]
+user = ["ayman", "mahmoud"]
+file_name, file_hash = ["test.zip", "image.ps"], ["719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2"]
+cmd, process = ["sudo restart", "systemctl stop firewalld"], ["bind", "crond"]
+severity = ["high", "critical"]
+sensor = ["fw", "edr"]
+action = ["block", "allow"]
+observables_list = Observables(src_ip=src_ip, dst_ip=dst_ip, src_host=src_host, dst_host=dst_host, url=url, port=port,
+                               protocol=protocol, app=app, user=user, file_name=file_name, file_hash=file_hash, cmd=cmd,
+                               process=process, severity=severity, sensor=sensor, action=action)
+# Example usage of the Events class to generate generic SYSLOG events.
+generic_syslog_with_random_observables = Events.syslog(count=1)
+print(generic_syslog_with_random_observables)  # ['Jan 20 16:04:53 db-88.zuniga.net sudo[34675]: ryansandy : COMMAND ; iptables -F']
+generic_syslog_with_my_observables = Events.syslog(count=1, observables=observables_list)
+print(generic_syslog_with_my_observables)  # ['Apr 07 10:21:43 abc crond[17458]: ayman : COMMAND ; sudo restart']
+# Example usage of the Events class to generate CEF events.
+generic_cef_with_my_observables = Events.cef(count=1, observables=observables_list)
+print(generic_cef_with_my_observables)  # ['CEF:0|Novak LLC|Firewall|1.0.6|3019ab69-2d0e-4b3f-a240-4e8c93042dc3|Firewall allow dns traffic from abc:33504 to 1.1.1.1:666|5|src=abc spt=33504 dst=1.1.1.1 url=https://example.org dpt=666 proto=dns act=allow']
+leef_with_my_observables = Events.leef(count=1, observables=observables_list)
+print(leef_with_my_observables)  # ["LEEF:1.0|Leef|Payment Portal|1.0|210.12.108.86|abc|9a:1e:9d:00:4c:ba|3b:a0:4b:24:f7:59|src=192.168.10.10 dst=abc spt=61549 dpt=443 request=https://example.com/search.php?q=<script>alert('xss')</script> method=Web-GET proto=HTTP/1.1 status=500 hash=719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2request_size=6173 response_size=8611 user_agent=Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/536.1 (KHTML, like Gecko) FxiOS/12.1s4879.0 Mobile/00Y135 Safari/536.1"]
+winevent_with_my_observables = Events.winevent(count=1, observables=observables_list)
+print(winevent_with_my_observables)  # ['<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="5fc4a88c-97b0-4061-adc3-052159c10ef4"/><EventID>4648</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2023-04-07T18:45:17"/><EventRecordID>575</EventRecordID><Correlation/><Execution ProcessID="1071" ThreadID="5317" Channel="Security"/><Computer>abc</Computer><Security UserID="S-1-2915"/><EventData><Data Name="SubjectUserSid">S-1-2915</Data><Data Name="SubjectUserName">mahmoud</Data><Data Name="SubjectDomainName">johnson.org</Data><Data Name="SubjectLogonId">S-1-2915</Data><Data Name="NewProcessId">3371</Data><Data Name="ProcessId">1071</Data><Data Name="CommandLine">sudo restart</Data><Data Name="TargetUserSid">S-1-2915</Data><Data Name="TargetUserName">mahmoud</Data><Data Name="TargetDomainName">johnson.org</Data><Data Name="TargetLogonId">S-1-2915</Data><Data Name="LogonType">3</Data></EventData></Event>']
+json_with_my_observables = Events.json(count=1, observables=observables_list)
+print(json_with_my_observables) # [{'event_type': 'vulnerability_discovered', 'timestamp': '2023-02-12T16:28:46', 'severity': 'high', 'host': 'abc', 'file_hash': '719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2', 'cve': ['CVE-3941-1955']}]
+incident_with_my_observables = Events.incidents(count=1, fields="id,type,duration,analyst,description,events", observables=observables_list)
+print(incident_with_my_observables) # [{'id': 1, 'duration': 2, 'type': 'Lateral Movement', 'analyst': 'Elizabeth', 'description': 'Software Discovery Forge Web Credentials: SAML Tokens Escape to Host System Binary Proxy Execution: Control Panel Hide Artifacts: Process Argument Spoofing Office Application Startup: Add-ins Compromise Infrastructure: Botnet.', 'events': [{'event': 'Apr 09 19:39:57 abc bind[56294]: ayman : COMMAND ; systemctl stop firewalld'}, {'event': 'CEF:0|Todd, Guzman and Morales|Firewall|1.0.4|afe3d30f-cff4-4084-a7a3-7de9ea21d0e9|Firewall block dns traffic from abc:26806 to 1.1.1.1:555|10|src=abc spt=26806 dst=1.1.1.1 url=https://example.org dpt=555 proto=dns act=block'}, {'event': 'LEEF:1.0|Leef|Payment Portal|1.0|19.90.247.108|abc|d4:27:4c:a7:40:50|2a:3f:f3:37:81:eb|src=192.168.10.20 dst=abc spt=47335 dpt=443 request=https://example.com/index.php method=Web-GET proto=HTTP/1.1 status=500 hash=719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2request_size=3640 response_size=4766 user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_1) AppleWebKit/533.0 (KHTML, like Gecko) Chrome/47.0.819.0 Safari/533.0'}, {'event': '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="67eb0bb0-ab24-43ce-b7f1-6d6a6bb0ac27"/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2023-01-15T04:07:58"/><EventRecordID>38</EventRecordID><Correlation/><Execution ProcessID="7182" ThreadID="7703" Channel="Security"/><Computer>abc</Computer><Security UserID="S-1-7181"/><EventData><Data Name="SubjectUserSid">S-1-7181</Data><Data Name="SubjectUserName">mahmoud</Data><Data Name="SubjectDomainName">johnson.net</Data><Data Name="SubjectLogonId">9638</Data><Data Name="PrivilegeList">Through moment tonight.</Data></EventData></Event>'}, {'event': {'event_type': 'vulnerability_discovered', 'timestamp': '2023-01-18T23:49:45', 'severity': 'critical', 'host': 'abc', 'file_hash': '719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2', 'cve': ['CVE-2023-29067']}}]}]
+# Example usage of the Sender class to send faked events to log analysis tool.
+worker = Sender(data_type="SYSLOG", destination="udp:127.0.0.1:514", observables=observables_list, count=5, interval=2)
+worker.start()
+# Starting worker: worker_2023-04-26 17:50:15.671101
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+```

rosetta_ce-1.7.6/README.md ADDED Viewed

@@ -0,0 +1,124 @@
+[![snyk](https://snyk.io/test/github/ayman-m/rosetta/badge.svg)](https://snyk.io/test/github/my-soc/Rosetta)
+![codeql](https://github.com/ayman-m/rosetta/actions/workflows/github-code-scanning/codeql/badge.svg)
+[![slack-community](https://img.shields.io/badge/Slack-4A154C?logo=slack&logoColor=white)](https://go-rosetta.slack.com)
+# Rosetta
+Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases. It provides the following functions:
+- Generate bad and random observables/indicators that include IP Addresses, Urls, File hashes , CVE's and more
+- Fake log messages in different formats like CEF, LEEF and JSON.
+- Convert one log format into another, for example from CEF to LEEF.
+- Send the fake log message to different log management and analytics tools.
+## Installation
+- You can install rosetta via pip:
+```sh
+pip install rosetta-ce
+```
+- Or you can install it from the source code:
+```sh
+git clone https://github.com/ayman-m/rosetta.git
+cd rosetta
+python setup.py install
+```
+- Once installed, you can import the library in your Python code like this:
+```python
+from rosetta import Observables, Events
+```
+## Usage
+Here are some examples of how to use Rosetta:
+```python
+from rosetta import Converter, ConverterToEnum, ConverterFromEnum, Events, ObservableType, ObservableKnown, \
+    Observables, Sender
+# Example usage of the Converter class to convert a CEF log into a LEEF log.
+converted_log = Converter.convert(from_type=ConverterFromEnum.CEF, to_type=ConverterToEnum.LEEF,
+                                  data="cef_log=CEF:0|Security|Intrusion Detection System|1.0|Alert|10|src=192.168.0.1 dst=192.168.0.2 act=blocked")
+print(
+    converted_log)  # {'message': 'converted', 'data': 'LEEF=1.0!Vendor=Security!Product=Intrusion Detection System!Version=1.0!EventID=Alert!Name=10!src=192.168.0.1!dst=192.168.0.2!act=blocked'}
+# Example usage of the Observables class to generate bad IP indicators.
+bad_ip = Observables.generator(count=2, observable_type=ObservableType.IP, known=ObservableKnown.BAD)
+print(bad_ip)  # ['ip1', 'ip2']
+# Example usage of the Observables class to generate good IP indicators.
+good_ip = Observables.generator(count=2, observable_type=ObservableType.IP, known=ObservableKnown.GOOD)
+print(good_ip)  # ['ip1', 'ip2']
+# Example usage of the Observables class to generate bad URL indicators.
+bad_url = Observables.generator(count=2, observable_type=ObservableType.URL, known=ObservableKnown.BAD)
+print(bad_url)  # ['url1', 'url2']
+# Example usage of the Observables class to generate good URL indicators.
+good_url = Observables.generator(count=2, observable_type=ObservableType.URL, known=ObservableKnown.GOOD)
+print(good_url)  # ['url1', 'url2']
+# Example usage of the Observables class to generate bad Hash indicators.
+bad_hash = Observables.generator(count=2, observable_type=ObservableType.SHA256, known=ObservableKnown.BAD)
+print(bad_hash)  # ['hash1', 'hash2']
+# Example usage of the Observables class to generate good Hash indicators.
+good_hash = Observables.generator(count=2, observable_type=ObservableType.SHA256, known=ObservableKnown.GOOD)
+print(good_hash)  # ['hash1', 'hash2']
+# Example usage of the Observables class to generate CVE indicators.
+cve = Observables.generator(count=2, observable_type=ObservableType.CVE)
+print(cve)  # Example: ['CVE-2023-2136', 'CVE-2023-29582']
+# Example usage of the Observables class to generate random Terms.
+terms = Observables.generator(count=2, observable_type=ObservableType.TERMS)
+print(terms)  # Example: ['Create or Modify System Process', 'Stage Capabilities: Drive-by Target']
+# You can create an instance of the Observables class to contain your own observables that are to be used in the fake security events
+src_ip, dst_ip, src_host, dst_host = ["192.168.10.10", "192.168.10.20"], ["1.1.1.1", "1.1.1.2"], ["abc"], ["xyz", "wlv"]
+url, port = ["https://example.org", "https://wikipedia.com"], ["555", "666"]
+protocol, app = ["ftp", "dns", "ssl"], ["explorer.exe", "chrome.exe"]
+user = ["ayman", "mahmoud"]
+file_name, file_hash = ["test.zip", "image.ps"], ["719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2"]
+cmd, process = ["sudo restart", "systemctl stop firewalld"], ["bind", "crond"]
+severity = ["high", "critical"]
+sensor = ["fw", "edr"]
+action = ["block", "allow"]
+observables_list = Observables(src_ip=src_ip, dst_ip=dst_ip, src_host=src_host, dst_host=dst_host, url=url, port=port,
+                               protocol=protocol, app=app, user=user, file_name=file_name, file_hash=file_hash, cmd=cmd,
+                               process=process, severity=severity, sensor=sensor, action=action)
+# Example usage of the Events class to generate generic SYSLOG events.
+generic_syslog_with_random_observables = Events.syslog(count=1)
+print(generic_syslog_with_random_observables)  # ['Jan 20 16:04:53 db-88.zuniga.net sudo[34675]: ryansandy : COMMAND ; iptables -F']
+generic_syslog_with_my_observables = Events.syslog(count=1, observables=observables_list)
+print(generic_syslog_with_my_observables)  # ['Apr 07 10:21:43 abc crond[17458]: ayman : COMMAND ; sudo restart']
+# Example usage of the Events class to generate CEF events.
+generic_cef_with_my_observables = Events.cef(count=1, observables=observables_list)
+print(generic_cef_with_my_observables)  # ['CEF:0|Novak LLC|Firewall|1.0.6|3019ab69-2d0e-4b3f-a240-4e8c93042dc3|Firewall allow dns traffic from abc:33504 to 1.1.1.1:666|5|src=abc spt=33504 dst=1.1.1.1 url=https://example.org dpt=666 proto=dns act=allow']
+leef_with_my_observables = Events.leef(count=1, observables=observables_list)
+print(leef_with_my_observables)  # ["LEEF:1.0|Leef|Payment Portal|1.0|210.12.108.86|abc|9a:1e:9d:00:4c:ba|3b:a0:4b:24:f7:59|src=192.168.10.10 dst=abc spt=61549 dpt=443 request=https://example.com/search.php?q=<script>alert('xss')</script> method=Web-GET proto=HTTP/1.1 status=500 hash=719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2request_size=6173 response_size=8611 user_agent=Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/536.1 (KHTML, like Gecko) FxiOS/12.1s4879.0 Mobile/00Y135 Safari/536.1"]
+winevent_with_my_observables = Events.winevent(count=1, observables=observables_list)
+print(winevent_with_my_observables)  # ['<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="5fc4a88c-97b0-4061-adc3-052159c10ef4"/><EventID>4648</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2023-04-07T18:45:17"/><EventRecordID>575</EventRecordID><Correlation/><Execution ProcessID="1071" ThreadID="5317" Channel="Security"/><Computer>abc</Computer><Security UserID="S-1-2915"/><EventData><Data Name="SubjectUserSid">S-1-2915</Data><Data Name="SubjectUserName">mahmoud</Data><Data Name="SubjectDomainName">johnson.org</Data><Data Name="SubjectLogonId">S-1-2915</Data><Data Name="NewProcessId">3371</Data><Data Name="ProcessId">1071</Data><Data Name="CommandLine">sudo restart</Data><Data Name="TargetUserSid">S-1-2915</Data><Data Name="TargetUserName">mahmoud</Data><Data Name="TargetDomainName">johnson.org</Data><Data Name="TargetLogonId">S-1-2915</Data><Data Name="LogonType">3</Data></EventData></Event>']
+json_with_my_observables = Events.json(count=1, observables=observables_list)
+print(json_with_my_observables) # [{'event_type': 'vulnerability_discovered', 'timestamp': '2023-02-12T16:28:46', 'severity': 'high', 'host': 'abc', 'file_hash': '719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2', 'cve': ['CVE-3941-1955']}]
+incident_with_my_observables = Events.incidents(count=1, fields="id,type,duration,analyst,description,events", observables=observables_list)
+print(incident_with_my_observables) # [{'id': 1, 'duration': 2, 'type': 'Lateral Movement', 'analyst': 'Elizabeth', 'description': 'Software Discovery Forge Web Credentials: SAML Tokens Escape to Host System Binary Proxy Execution: Control Panel Hide Artifacts: Process Argument Spoofing Office Application Startup: Add-ins Compromise Infrastructure: Botnet.', 'events': [{'event': 'Apr 09 19:39:57 abc bind[56294]: ayman : COMMAND ; systemctl stop firewalld'}, {'event': 'CEF:0|Todd, Guzman and Morales|Firewall|1.0.4|afe3d30f-cff4-4084-a7a3-7de9ea21d0e9|Firewall block dns traffic from abc:26806 to 1.1.1.1:555|10|src=abc spt=26806 dst=1.1.1.1 url=https://example.org dpt=555 proto=dns act=block'}, {'event': 'LEEF:1.0|Leef|Payment Portal|1.0|19.90.247.108|abc|d4:27:4c:a7:40:50|2a:3f:f3:37:81:eb|src=192.168.10.20 dst=abc spt=47335 dpt=443 request=https://example.com/index.php method=Web-GET proto=HTTP/1.1 status=500 hash=719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2request_size=3640 response_size=4766 user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_1) AppleWebKit/533.0 (KHTML, like Gecko) Chrome/47.0.819.0 Safari/533.0'}, {'event': '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="67eb0bb0-ab24-43ce-b7f1-6d6a6bb0ac27"/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2023-01-15T04:07:58"/><EventRecordID>38</EventRecordID><Correlation/><Execution ProcessID="7182" ThreadID="7703" Channel="Security"/><Computer>abc</Computer><Security UserID="S-1-7181"/><EventData><Data Name="SubjectUserSid">S-1-7181</Data><Data Name="SubjectUserName">mahmoud</Data><Data Name="SubjectDomainName">johnson.net</Data><Data Name="SubjectLogonId">9638</Data><Data Name="PrivilegeList">Through moment tonight.</Data></EventData></Event>'}, {'event': {'event_type': 'vulnerability_discovered', 'timestamp': '2023-01-18T23:49:45', 'severity': 'critical', 'host': 'abc', 'file_hash': '719283fd5600eb631c23b290530e4dac9029bae72f15299711edbc800e8e02b2', 'cve': ['CVE-2023-29067']}}]}]
+# Example usage of the Sender class to send faked events to log analysis tool.
+worker = Sender(data_type="SYSLOG", destination="udp:127.0.0.1:514", observables=observables_list, count=5, interval=2)
+worker.start()
+# Starting worker: worker_2023-04-26 17:50:15.671101
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+# Worker: worker_2023-04-26 17:50:15.671101 sending log message to 127.0.0.1
+```

rosetta_ce-1.7.6/rosetta/__init__.py ADDED Viewed

@@ -0,0 +1,3 @@
+from rosetta.rconverter import *
+from rosetta.rsender import *
+from rosetta.rfaker import *

rosetta_ce-1.7.6/rosetta/constants/__init__.py ADDED Viewed

File without changes

rosetta_ce-1.7.6/rosetta/constants/attributes.py ADDED Viewed

@@ -0,0 +1,285 @@
+INCIDENTS_TYPES = [
+    'Malware', 'Phishing', 'Access Violation', 'Lateral Movement', 'Port Scan', 'Sql Injection', 'Brute Force',
+    'Control Avoidance', 'Rogue Device', 'Denial Of Service', 'Account Compromised'
+]
+SEVERITIES = ['Low', 'Medium', 'High', 'Critical']
+ATTACK_TECHNIQUES = [
+    "T1548",
+    "T1548.002",
+    "T1548.004",
+    "T1548.001",
+    "T1548.003",
+    "T1548.006",
+    "T1548.005",
+    "T1134",
+    "T1134.002",
+    "T1134.003",
+    "T1134.004",
+    "T1134.005",
+    "T1134.001",
+    "T1531",
+    "T1087",
+    "T1087.004",
+    "T1087.002",
+    "T1087.003",
+    "T1087.001",
+    "T1098",
+    "T1098.001",
+    "T1098.003",
+    "T1098.006",
+    "T1098.002",
+    "T1098.005",
+    "T1098.004",
+    "T1650",
+    "T1583",
+    "T1583.005",
+    "T1583.002",
+    "T1583.001",
+    "T1583.008",
+    "T1583.004",
+    "T1583.007",
+    "T1583.003",
+    "T1583.006",
+    "T1595",
+    "T1595.001",
+    "T1595.002",
+    "T1595.003",
+    "T1557",
+    "T1557.002",
+    "T1557.003",
+    "T1557.001",
+    "T1071",
+    "T1071.004",
+    "T1071.002",
+    "T1071.003",
+    "T1071.001",
+    "T1010",
+    "T1560",
+    "T1560.003",
+    "T1560.002",
+    "T1560.001",
+    "T1123",
+    "T1119",
+    "T1020",
+    "T1020.001",
+    "T1197",
+    "T1547",
+    "T1547.014",
+    "T1547.002",
+    "T1547.006",
+    "T1547.008",
+    "T1547.015",
+    "T1547.010",
+    "T1547.012",
+    "T1547.007",
+    "T1547.001",
+    "T1547.005",
+    "T1547.009",
+    "T1547.003",
+    "T1547.004",
+    "T1547.013",
+    "T1037",
+    "T1037.002",
+    "T1037.001",
+    "T1037.003",
+    "T1037.004",
+    "T1037.005",
+    "T1176",
+    "T1217",
+    "T1185",
+    "T1110",
+    "T1110.004",
+    "T1110.002",
+    "T1110.001",
+    "T1110.003",
+    "T1612",
+    "T1115",
+    "T1651",
+    "T1580",
+    "T1538",
+    "T1526",
+    "T1619",
+    "T1059",
+    "T1059.002",
+    "T1059.010",
+    "T1059.009",
+    "T1059.007",
+    "T1059.008",
+    "T1059.001",
+    "T1059.006",
+    "T1059.004",
+    "T1059.005",
+    "T1059.003",
+    "T1092",
+    "T1586",
+    "T1586.003",
+    "T1586.002",
+    "T1586.001",
+    "T1554",
+    "T1584",
+    "T1584.005",
+    "T1584.002",
+    "T1584.001",
+    "T1584.008",
+    "T1584.004",
+    "T1584.007",
+    "T1584.003",
+    "T1584.006",
+    "T1609",
+    "T1613",
+    "T1659",
+    "T1136",
+    "T1136.003",
+    "T1136.002",
+    "T1136.001",
+    "T1543",
+    "T1543.005",
+    "T1543.001",
+    "T1543.004",
+    "T1543.002",
+    "T1543.003",
+    "T1555",
+    "T1555.006",
+    "T1555.003",
+    "T1555.001",
+    "T1555.005",
+    "T1555.002",
+    "T1555.004",
+    "T1485",
+    "T1132",
+    "T1132.002",
+    "T1132.001",
+    "T1486",
+    "T1565",
+    "T1565.003",
+    "T1565.001",
+    "T1565.002",
+    "T1001",
+    "T1001.001",
+    "T1001.003",
+    "T1001.002",
+    "T1074",
+    "T1074.001",
+    "T1074.002",
+    "T1030",
+    "T1530",
+    "T1602",
+    "T1602.002",
+    "T1602.001",
+    "T1213",
+    "T1213.003",
+    "T1213.001",
+    "T1213.002",
+    "T1005",
+    "T1039",
+    "T1025",
+    "T1622",
+    "T1491",
+    "T1491.002",
+    "T1491.001",
+    "T1140",
+    "T1610",
+    "T1587",
+    "T1587.002",
+    "T1587.003",
+    "T1587.004",
+    "T1587.001",
+    "T1652",
+    "T1006",
+    "T1561",
+    "T1561.001",
+    "T1561.002",
+    "T1482",
+    "T1484",
+    "T1484.001",
+    "T1484.002",
+    "T1189",
+    "T1568",
+    "T1568.003",
+    "T1568.002",
+    "T1568.001",
+    "T1114",
+    "T1114.003",
+    "T1114.001",
+    "T1114.002",
+    "T1573",
+    "T1573.002",
+    "T1573.001",
+    "T1499",
+    "T1499.003",
+    "T1499.004",
+    "T1499.001",
+    "T1499.002",
+    "T1611",
+    "T1585",
+    "T1585.003",
+    "T1585.002",
+    "T1585.001",
+    "T1546",
+    "T1546.008",
+    "T1546.009",
+    "T1546.010",
+    "T1546.011",
+    "T1546.001",
+    "T1546.015",
+    "T1546.014",
+    "T1546.012",
+    "T1546.016",
+    "T1546.006",
+    "T1546.007",
+    "T1546.013",
+    "T1546.002",
+    "T1546.005",
+    "T1546.004",
+    "T1546.003",
+    "T1480",
+    "T1480.001",
+    "T1048",
+    "T1048.002",
+    "T1048.001",
+    "T1048.003",
+    "T1041",
+    "T1011",
+    "T1011.001",
+    "T1052",
+    "T1052.001",
+    "T1567",
+    "T1567.004",
+    "T1567.002",
+    "T1567.001",
+    "T1567.003",
+    "T1190",
+    "T1203",
+    "T1212",
+    "T1211",
+    "T1068",
+    "T1210",
+    "T1133",
+    "T1008",
+    "T1083",
+    "T1222",
+    "T1222.002",
+    "T1222.001",
+    "T1657",
+    "T1495",
+    "T1187",
+    "T1606",
+    "T1606.002",
+    "T1606.001",
+    "T1592",
+    "T1592.004",
+    "T1592.003",
+    "T1592.001",
+    "T1592.002",
+    "T1589",
+    "T1589.001",
+    "T1589.002",
+    "T1589.003",
+    "T1590",
+    "T1590.002",
+    "T1590.001",
+    "T1590.005",
+    "T1590.006",
+    "T1590"
+]