Created
April 4, 2019 21:36
-
-
Save adriansr/e5d190b7da0f9166bf85ca4a14d4ee01 to your computer and use it in GitHub Desktop.
Random Cisco ASA logs generator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from datetime import datetime, date, time, timedelta | |
| import random | |
| class WeightedRand: | |
| def __init__(self, weights): | |
| self.v = [] | |
| self.n = sum(weights.values()) | |
| for (k, v) in weights.iteritems(): | |
| self.v += [k] * v | |
| self.pos = self.n | |
| def next(self): | |
| if self.pos >= self.n: | |
| self.pos = 0 | |
| random.shuffle(self.v) | |
| val = self.v[self.pos] | |
| self.pos += 1 | |
| return val | |
| def remote_ip_gen(): | |
| return '100.{0}.{1}.{2}'.format(random.randint(64,127), random.randint(0, 255), random.randint(1, 254)) | |
| def local_ip_gen(): | |
| return '192.168.{0}.{1}'.format(random.randint(0,255), random.randint(1, 254)) | |
| def make_rand_ips(prio, gen): | |
| ips = {} | |
| for p in prio: | |
| ips[gen()] = p | |
| return WeightedRand(ips) | |
| allowProtos = WeightedRand({ | |
| 'TCP': 20, | |
| 'UDP': 5, | |
| 'ICMP': 3, | |
| 'SCTP': 1, | |
| }) | |
| denyProtos = WeightedRand({ | |
| 'TCP': 6, | |
| 'UDP': 1, | |
| 'ICMP': 4, | |
| }) | |
| allowPorts = { | |
| 'TCP': WeightedRand({ | |
| 443: 42, | |
| 80: 25, | |
| 9200: 19, | |
| 8080: 12, | |
| 128: 5, | |
| 22: 3, | |
| 55: 1, | |
| 79: 1, | |
| 34511: 1, | |
| 23431: 1, | |
| }), | |
| 'UDP': WeightedRand({ | |
| 53: 38, | |
| 67: 9, | |
| 68: 7, | |
| 2356: 1, | |
| 44120: 3, | |
| 9812: 2, | |
| 3431: 1, | |
| }), | |
| 'SCTP': WeightedRand({ | |
| 22: 7, | |
| 1252: 32, | |
| 80: 55, | |
| 1231: 1, | |
| }) | |
| } | |
| denyPorts = { | |
| 'TCP': WeightedRand({ | |
| 8000: 2, | |
| 8080: 3, | |
| 80: 4, | |
| 22: 8, | |
| 138: 3, | |
| 25: 6, | |
| }), | |
| 'UDP': WeightedRand({ | |
| 53: 5, | |
| 231: 1, | |
| 1104: 1, | |
| 1231: 1, | |
| 12: 1, | |
| 8181: 1, | |
| 67: 1, | |
| 68: 1, | |
| }), | |
| } | |
| acls = WeightedRand({ | |
| 'inbound': 27, | |
| 'outbound': 12, | |
| 'acl_out': 6, | |
| 'dmz': 4, | |
| 'vpn': 3, | |
| 'restrict': 1, | |
| }) | |
| blockedIP = make_rand_ips([53,49,41,30,24,19,14,7,6,4,3,2,2,1], remote_ip_gen) | |
| remoteIPs = make_rand_ips([53,49,41,30,24,19,14,7,6,4,3,2,2,1] + ([1]*54), remote_ip_gen) | |
| localIPs = make_rand_ips(([1]*54), local_ip_gen) | |
| FLOWS_PER_SECOND = 185 | |
| MAX_FLOWS_PER_SECOND = 323 | |
| MIN_FLOWS_PER_SECOND = 101 | |
| TOTAL_FLOWS = 10000 | |
| ALLOW_TO_BLOCKS = 0.85 | |
| if __name__=='__main__': | |
| date = datetime.now() | |
| sent = 0 | |
| fps = FLOWS_PER_SECOND | |
| while sent < TOTAL_FLOWS: | |
| fps += int(random.normalvariate(0, 43)) | |
| fps = min(max(fps, MIN_FLOWS_PER_SECOND), MAX_FLOWS_PER_SECOND) | |
| sent += fps | |
| for i in xrange(fps): | |
| date += timedelta(microseconds=random.normalvariate(1000000.0/fps, 96.5)) | |
| header = 'Mar 19 2019 {0:02d}:{1:02d}:{2:02d} localhost CiscoASA[888] '.format(date.hour, date.minute, date.second) | |
| print header, | |
| dstIP = localIPs.next() | |
| allow = random.random() < ALLOW_TO_BLOCKS | |
| if allow: | |
| outcome = 'Allow' | |
| srcIP = remoteIPs.next() | |
| proto = allowProtos.next() | |
| notICMP = proto in allowPorts | |
| if notICMP: | |
| srcPort = random.randint(1025,65535) | |
| dstPort = allowPorts[proto].next() | |
| src = acls.next() + ':' + srcIP + '/' + str(srcPort) | |
| dst = acls.next() + ':' + dstIP + '/' + str(dstPort) | |
| else: | |
| src = acls.next() + ':' + srcIP | |
| dst = acls.next() + ':' + dstIP | |
| duration = datetime.combine(date.today(), time(0, 0, 0)) + timedelta(seconds=random.normalvariate(86, 31)) | |
| bytes = int(random.normalvariate(435012, 325768)) | |
| if notICMP: | |
| print '%ASA-6-302016: Teardown {0} connection {1} for {2} to {3} duration {4} bytes {5} TCP Reset'.format( | |
| proto, random.randint(10001, 99999), src, dst, | |
| '{0:02d}:{1:02d}:{2:02d}'.format(duration.hour, duration.minute, duration.second), | |
| bytes | |
| ) | |
| else: | |
| print '%ASA-6-302021: Teardown {0} connection for faddr {1}/0 gaddr {1}/0 laddr {2}/0'.format( | |
| proto, src, dst | |
| ) | |
| print header, | |
| else: | |
| outcome = 'Deny' | |
| srcIP = blockedIP.next() | |
| proto = denyProtos.next() | |
| notICMP = proto in denyPorts | |
| if notICMP: | |
| srcPort = random.randint(1025,65535) | |
| dstPort = denyPorts[proto].next() | |
| src = acls.next() + ':' + srcIP + '/' + str(srcPort) | |
| dst = acls.next() + ':' + dstIP + '/' + str(dstPort) | |
| else: | |
| src = acls.next() + ':' + srcIP | |
| dst = acls.next() + ':' + dstIP | |
| if notICMP: | |
| fmt = '%ASA-4-106023: {4} {0} src {1} dst {2} by access-group "{3}" [0x0, 0x0]' | |
| else: | |
| fmt = '%ASA-4-106014: {4} incoming {0} src {1} to dst {2} .' | |
| print fmt.format( | |
| proto, src, dst, acls.next(), outcome | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment