rosetta-ce 1.6.3__tar.gz → 1.6.6__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


Files changed (23)
  1. {rosetta-ce-1.6.3/rosetta_ce.egg-info → rosetta_ce-1.6.6}/PKG-INFO +4 -1
  2. rosetta_ce-1.6.6/rosetta/constants/db.py +92 -0
  3. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/rfaker.py +38 -25
  4. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6/rosetta_ce.egg-info}/PKG-INFO +4 -1
  5. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta_ce.egg-info/SOURCES.txt +1 -0
  6. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/setup.py +1 -1
  7. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/LICENSE +0 -0
  8. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/README.md +0 -0
  9. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/__init__.py +0 -0
  10. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/constants/__init__.py +0 -0
  11. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/constants/attributes.py +0 -0
  12. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/constants/sensors.py +0 -0
  13. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/constants/sources.py +0 -0
  14. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/constants/systems.py +0 -0
  15. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/rconverter.py +0 -0
  16. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta/rsender.py +0 -0
  17. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta_ce.egg-info/dependency_links.txt +0 -0
  18. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta_ce.egg-info/requires.txt +0 -0
  19. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/rosetta_ce.egg-info/top_level.txt +0 -0
  20. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/setup.cfg +0 -0
  21. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/tests/test_rconverter.py +0 -0
  22. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/tests/test_rfaker.py +0 -0
  23. {rosetta-ce-1.6.3 → rosetta_ce-1.6.6}/tests/test_rsender.py +0 -0
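--- a/rosetta-ce-1.6.3/rosetta_ce.egg-info/PKG-INFO
+++ b/rosetta_ce-1.6.6/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.6.3
+Version: 1.6.6
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud
@@ -11,6 +11,9 @@ Classifier: Operating System :: OS Independent
 Requires-Python: >=3.6
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: requests
+Requires-Dist: faker
+Requires-Dist: urllib3
 
 [![snyk](https://snyk.io/test/github/ayman-m/rosetta/badge.svg)](https://snyk.io/test/github/my-soc/Rosetta)
 ![codeql](https://github.com/ayman-m/rosetta/actions/workflows/github-code-scanning/codeql/badge.svg)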
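--- /dev/null
+++ b/rosetta_ce-1.6.6/rosetta/constants/db.py
@@ -0,0 +1,92 @@
+QUERY_TYPE = [ "SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "CREATE", "DROP", "TRUNCATE", "GRANT", "REVOKE", "MERGE", "CALL"]
+DATABASE_NAME = [
+"users_db",
+"products_db",
+"orders_db",
+"inventory_db",
+"payments_db",
+"transactions_db",
+"accounting_db",
+"customers_db",
+"employees_db",
+"payroll_db",
+"recruitment_db",
+"attendance_db",
+"cms_db",
+"blog_db",
+"media_db",
+"articles_db"
+]
+QUERY = [
+# Normal SELECT Queries
+"SELECT * FROM users_db WHERE user_id = 123;",
+"SELECT * FROM payments_db WHERE user_id = 123 ORDER BY transaction_date DESC;",
+"SELECT name, price FROM products_db WHERE product_id = 567;",
+"SELECT * FROM employees_db WHERE department = 'HR';",
+"SELECT * FROM products_db WHERE category = 'Electronics';",
+"SELECT COUNT(*) FROM orders_db WHERE order_date BETWEEN '2024-09-01' AND '2024-09-30';",
+"SELECT product_id, SUM(quantity) FROM orders_db GROUP BY product_id;",
+"SELECT employee_name, salary FROM payroll_db WHERE salary > 5000;",
+"SELECT AVG(transaction_amount) FROM payments_db WHERE user_id = 123;",
+
+# Normal INSERT Queries
+"INSERT INTO users_db (user_id, name, email, signup_date) VALUES (124, 'John Doe', 'johndoe@example.com', '2024-09-12');",
+"INSERT INTO orders_db (order_id, user_id, product_id, quantity, order_date) VALUES (999, 123, 567, 2, '2024-09-12');",
+"INSERT INTO payments_db (transaction_id, user_id, amount, transaction_date) VALUES (555, 123, 120.50, '2024-09-12');",
+"INSERT INTO products_db (product_id, name, price, category) VALUES (1001, 'Laptop', 1500.00, 'Electronics');",
+"INSERT INTO employees_db (employee_id, name, department, hire_date) VALUES (200, 'Jane Doe', 'HR', '2024-09-10');",
+"INSERT INTO transactions_db (transaction_id, user_id, amount, transaction_date) VALUES (789, 234, 500.75, '2024-09-11');",
+"INSERT INTO cms_db (post_id, title, content, author) VALUES (12, 'New Blog Post', 'This is the content of the post', 'admin');",
+
+# Normal UPDATE Queries
+"UPDATE users_db SET email = 'newemail@example.com' WHERE user_id = 123;",
+"UPDATE inventory_db SET stock = 50 WHERE product_id = 567;",
+"UPDATE payments_db SET status = 'refunded' WHERE transaction_id = 555;",
+"UPDATE orders_db SET status = 'shipped' WHERE order_id = 999;",
+"UPDATE inventory_db SET stock = stock - 1 WHERE product_id = 1001;",
+"UPDATE customers_db SET address = '123 New Street' WHERE customer_id = 567;",
+
+# Normal DELETE Queries
+"DELETE FROM users_db WHERE user_id = 999;",
+"DELETE FROM products_db WHERE product_id = 1000;",
+"DELETE FROM attendance_db WHERE employee_id = 101 AND date = '2024-09-11';",
+"DELETE FROM blog_db WHERE post_id = 5;",
+"DELETE FROM transactions_db WHERE transaction_date < '2023-01-01';",
+"DELETE FROM employees_db WHERE hire_date < '2020-01-01';",
+
+# Normal ALTER Queries
+"ALTER TABLE users_db ADD COLUMN phone_number VARCHAR(20);",
+"ALTER TABLE products_db MODIFY COLUMN price DECIMAL(10, 2);",
+"ALTER TABLE payments_db ADD COLUMN transaction_status VARCHAR(20);",
+"ALTER TABLE employees_db RENAME COLUMN hire_date TO start_date;",
+
+# Normal CREATE Queries
+"CREATE TABLE user_addresses (address_id INT PRIMARY KEY, user_id INT, address_line VARCHAR(255), city VARCHAR(100), postal_code VARCHAR(20));",
+"CREATE INDEX idx_user_email ON users_db (email);",
+
+# Normal DROP Queries
+"DROP TABLE archived_orders;",
+"DROP INDEX idx_product_sku ON products_db;",
+
+# Malicious SQL Injection Queries
+"SELECT * FROM users_db WHERE user_id = '1' OR '1'='1';",
+"SELECT * FROM payments_db WHERE transaction_id = '1'; DROP TABLE payments_db;",
+"SELECT * FROM users_db WHERE username = 'admin' AND password = '' OR '1'='1';",
+"SELECT * FROM users_db WHERE password LIKE '%'; -- or '1'='1';",
+
+# Malicious Unauthorized Data Manipulation
+"UPDATE users_db SET password = 'hacked_password' WHERE username = 'admin';",
+"DELETE FROM payments_db WHERE '1'='1';",
+"INSERT INTO users_db (user_id, username, password, role) VALUES (999, 'attacker', 'password123', 'admin');",
+
+# Malicious Privilege Escalation Queries
+"GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'password';",
+"CREATE USER 'hacker'@'localhost' IDENTIFIED BY 'password';",
+"GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'localhost';",
+
+# Additional Malicious Queries
+"UPDATE employees_db SET salary = 10000 WHERE employee_id = 200 AND '1'='1';",
+"DROP TABLE users_db; -- Malicious query to drop a table",
+"SELECT * FROM users_db WHERE email = 'admin@example.com' AND '1'='1';"
+]
+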
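Review bot: QUERY mixes the benign statements with the injection, privilege-escalation and destructive samples in one unlabeled list, so a consumer that samples it (`random.choice(QUERY)`) has no ground truth for whether a detection should fire on the event it just generated. I would keep the existing comment groups but split them into `BENIGN_QUERY` and `MALICIOUS_QUERY` and define `QUERY = BENIGN_QUERY + MALICIOUS_QUERY` so existing imports keep working while tests can draw from a labeled pool. The file also has no module docstring; a line such as `"""Synthetic SQL audit-log fixtures; the credentials and 'attacker'/'hacker' accounts below are placeholders, not real secrets."""` would help whoever sees `IDENTIFIED BY 'password'` flagged by a secret scanner. Note too that the DATABASE_NAME entries appear as table names inside QUERY (`SELECT * FROM users_db`), so a `database_name` drawn from this list will generally not correspond to the text of a `query` drawn independently.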
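--- a/rosetta-ce-1.6.3/rosetta/rfaker.py
+++ b/rosetta_ce-1.6.6/rosetta/rfaker.py
@@ -15,6 +15,7 @@ from rosetta.constants.sources import BAD_IP_SOURCES, GOOD_IP_SOURCES, BAD_URL_S
 from rosetta.constants.systems import UNIX_CMD, WINDOWS_CMD, WIN_PROCESSES, WIN_EVENTS
 from rosetta.constants.attributes import INCIDENTS_TYPES, SEVERITIES
 from rosetta.constants.sensors import ACTIONS, PROTOCOLS, TECHNIQUES, ERROR_CODE
+from rosetta.constants.db import QUERY_TYPE, DATABASE_NAME, QUERY
 
 
 class ObservableType(Enum):
@@ -32,22 +33,23 @@ class ObservableKnown(Enum):
 
 class Observables:
 def __init__(self, local_ip: list = None, remote_ip: Optional[list] = None, local_ip_v6: list = None,
-remote_ip_v6: Optional[list] = None, src_host: Optional[list] = None,
-dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
-sender_email: Optional[list] = None, recipient_email: Optional[list] = None,
-email_subject: Optional[list] = None, email_body: Optional[list] = None,
-url: Optional[list] = None, source_port: Optional[list] = None, remote_port: Optional[list] = None,
-protocol: Optional[list] = None, inbound_bytes: Optional[list] = None,
-outbound_bytes: Optional[list] = None, app: Optional[list] = None, os: Optional[list] = None,
-user: Optional[list] = None, cve: Optional[list] = None, file_name: Optional[list] = None,
-file_hash: Optional[list] = None, win_cmd: Optional[list] = None, unix_cmd: Optional[list] = None,
-win_process: Optional[list] = None, win_child_process: Optional[list] = None,
-unix_process: Optional[list] = None, unix_child_process: Optional[list] = None,
-technique: Optional[list] = None, entry_type: Optional[list] = None, severity: Optional[list] = None,
-sensor: Optional[list] = None, action: Optional[list] = None, event_id: Optional[list] = None,
-error_code: Optional[list] = None, terms: Optional[list] = None, alert_types: Optional[list] = None,
-alert_name: Optional[list] = None, incident_types: Optional[list] = None,
-analysts: Optional[list] = None, action_status: Optional[list] = None):
+remote_ip_v6: Optional[list] = None, src_host: Optional[list] = None,
+dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
+sender_email: Optional[list] = None, recipient_email: Optional[list] = None,
+email_subject: Optional[list] = None, email_body: Optional[list] = None,
+url: Optional[list] = None, source_port: Optional[list] = None, remote_port: Optional[list] = None,
+protocol: Optional[list] = None, inbound_bytes: Optional[list] = None,
+outbound_bytes: Optional[list] = None, app: Optional[list] = None, os: Optional[list] = None,
+user: Optional[list] = None, cve: Optional[list] = None, file_name: Optional[list] = None,
+file_hash: Optional[list] = None, win_cmd: Optional[list] = None, unix_cmd: Optional[list] = None,
+win_process: Optional[list] = None, win_child_process: Optional[list] = None,
+unix_process: Optional[list] = None, unix_child_process: Optional[list] = None,
+technique: Optional[list] = None, entry_type: Optional[list] = None, severity: Optional[list] = None,
+sensor: Optional[list] = None, action: Optional[list] = None, event_id: Optional[list] = None,
+error_code: Optional[list] = None, terms: Optional[list] = None, alert_types: Optional[list] = None,
+alert_name: Optional[list] = None, incident_types: Optional[list] = None,
+analysts: Optional[list] = None, action_status: Optional[list] = None, query_type: Optional[list] = None,
+database_name: Optional[list] = None, query: Optional[list] = None):
 self.local_ip = local_ip
 self.remote_ip = remote_ip
 self.local_ip_v6 = local_ip_v6
@@ -91,7 +93,9 @@ class Observables:
 self.alert_types = alert_types
 self.alert_name = alert_name
 self.action_status = action_status
-
+self.query_type = query_type
+self.database_name = database_name
+self.query = query
 @staticmethod
 def _get_observables_from_source(source: dict) -> list:
 """
@@ -99,7 +103,7 @@ class Observables:
 
 Args:
 - source: A dictionary containing information about the source, including its type, URL, structure, and value
-column or key.
+column or key.
 
 Returns:
 - A list of observables fetched from the source.
@@ -116,13 +120,13 @@ class Observables:
 results = [line.strip() for line in response.text.strip().split("\n") if not line.startswith("#")]
 elif source['structure'] == 'csv':
 rows = csv.reader(filter(lambda line: not line.startswith('#'), response.text.strip().split('\n')),
-delimiter=source['delimiter'])
+delimiter=source['delimiter'])
 for row in rows:
 results.append(row[source['value_column']])
 elif source['structure'] == 'json':
 results = reduce(lambda d, key: d[key] if key != source['value_key'].split('.')[-1] else [i[key]
-for i in d],
-source['value_key'].split('.'), response.json())
+for i in d],
+source['value_key'].split('.'), response.json())
 random.shuffle(results)
 if source_type == 'subnet':
 ip_addresses = []
@@ -144,7 +148,7 @@ class Observables:
 
 @classmethod
 def generator(cls, count: int, observable_type: ObservableType,
-known: ObservableKnown = ObservableKnown.BAD) -> List[str]:
+known: ObservableKnown = ObservableKnown.BAD) -> List[str]:
 """
 Generates a list of observable values based on the given observable type and known status, with a desired count.
 The function attempts to obtain the values from sources defined in configuration files. If the function fails to
@@ -305,7 +309,7 @@ class Events:
 else "sudo"
 if field == "unix_child_process":
 field_value = random.choice(observables.unix_child_process) if observables and \
-observables.unix_child_process else "sudo"
+observables.unix_child_process else "sudo"
 if field == "unix_cmd":
 field_value = random.choice(observables.unix_cmd) if observables and observables.unix_cmd \
 else random.choice(UNIX_CMD)
@@ -359,7 +363,7 @@ class Events:
 if field == "attachment_hash":
 field_value = random.choice(observables.file_hash) if observables and observables.file_hash \
 else Observables.generator(observable_type=ObservableType.SHA256, known=ObservableKnown.BAD,
-count=1)
+count=1)
 if field == "spam_score":
 field_value = faker.random_int(min=1, max=5)
 if field == "method":
@@ -427,7 +431,7 @@ class Events:
 if field == "file_hash":
 field_value = random.choice(observables.file_hash) if observables and observables.file_hash \
 else Observables.generator(observable_type=ObservableType.SHA256, known=ObservableKnown.BAD,
-count=1)
+count=1)
 if field == "incident_types":
 field_value = random.choice(observables.incident_types) if observables and observables.incident_types \
 else INCIDENTS_TYPES
@@ -441,6 +445,15 @@ class Events:
 if field == "alert_name":
 field_value = random.choice(observables.alert_name) if observables and observables.alert_name \
 else faker.sentence(nb_words=4)
+if field == "query_type":
+field_value = random.choice(observables.query_type) if \
+observables and observables.query_type else random.choice(QUERY_TYPE)
+if field == "database_name":
+field_value = random.choice(observables.database_name) if \
+observables and observables.database_name else random.choice(DATABASE_NAME)
+if field == "query":
+field_value = random.choice(observables.query) if \
+observables and observables.query else random.choice(QUERY)
 return field_value
 
 @classmethod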
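Review bot: The three new branches in the last hunk sample `query_type`, `database_name` and `query` independently, so one generated event can report `query_type == "DELETE"` alongside a SELECT statement in `query` and a `database_name` the statement never references, which makes the fake record internally inconsistent for any detection rule that correlates those fields. The enclosing method starts outside the hunk, so I cannot see whether a per-event context is available; if the caller assembles all fields of one event through it, derive the type from the statement already chosen, e.g. `field_value = chosen_query.split(None, 1)[0].upper()`, rather than drawing it from QUERY_TYPE. Because QUERY mixes benign and malicious samples with no label, a caller also cannot tell whether the event it just produced should trigger an alert; exposing that class (a separate pool or a flag) would make the generated logs usable as labeled test input.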
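--- a/rosetta-ce-1.6.3/PKG-INFO
+++ b/rosetta_ce-1.6.6/rosetta_ce.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.6.3
+Version: 1.6.6
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud
@@ -11,6 +11,9 @@ Classifier: Operating System :: OS Independent
 Requires-Python: >=3.6
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: requests
+Requires-Dist: faker
+Requires-Dist: urllib3
 
 [![snyk](https://snyk.io/test/github/ayman-m/rosetta/badge.svg)](https://snyk.io/test/github/my-soc/Rosetta)
 ![codeql](https://github.com/ayman-m/rosetta/actions/workflows/github-code-scanning/codeql/badge.svg)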
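--- a/rosetta-ce-1.6.3/rosetta_ce.egg-info/SOURCES.txt
+++ b/rosetta_ce-1.6.6/rosetta_ce.egg-info/SOURCES.txt
@@ -7,6 +7,7 @@ rosetta/rfaker.py
 rosetta/rsender.py
 rosetta/constants/__init__.py
 rosetta/constants/attributes.py
+rosetta/constants/db.py
 rosetta/constants/sensors.py
 rosetta/constants/sources.py
 rosetta/constants/systems.py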
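--- a/rosetta-ce-1.6.3/setup.py
+++ b/rosetta_ce-1.6.6/setup.py
@@ -5,7 +5,7 @@ with open("README.md", "r") as fh:
 
 setuptools.setup(
 name="rosetta-ce",
-version="1.6.3",
+version="1.6.6",
 author="Ayman Mahmoud",
 author_email="content@ayman.online",
 description="Rosetta is a Python package that can be used to fake security logs and alerts for testing different "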