rosetta-ce 1.6.4__tar.gz → 1.6.6__tar.gz

{rosetta-ce-1.6.4/rosetta_ce.egg-info → rosetta_ce-1.6.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.6.4
+Version: 1.6.6
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud
@@ -11,6 +11,9 @@ Classifier: Operating System :: OS Independent
 Requires-Python: >=3.6
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: requests
+Requires-Dist: faker
+Requires-Dist: urllib3
 
 [![snyk](https://snyk.io/test/github/ayman-m/rosetta/badge.svg)](https://snyk.io/test/github/my-soc/Rosetta)
 ![codeql](https://github.com/ayman-m/rosetta/actions/workflows/github-code-scanning/codeql/badge.svg)

rosetta_ce-1.6.6/rosetta/constants/db.py

@@ -0,0 +1,92 @@
+QUERY_TYPE = [ "SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "CREATE", "DROP", "TRUNCATE", "GRANT", "REVOKE", "MERGE", "CALL"]
+DATABASE_NAME = [
+    "users_db",
+    "products_db",
+    "orders_db",
+    "inventory_db",
+    "payments_db",
+    "transactions_db",
+    "accounting_db",
+    "customers_db",
+    "employees_db",
+    "payroll_db",
+    "recruitment_db",
+    "attendance_db",
+    "cms_db",
+    "blog_db",
+    "media_db",
+    "articles_db"
+]
+QUERY = [
+    # Normal SELECT Queries
+    "SELECT * FROM users_db WHERE user_id = 123;",
+    "SELECT * FROM payments_db WHERE user_id = 123 ORDER BY transaction_date DESC;",
+    "SELECT name, price FROM products_db WHERE product_id = 567;",
+    "SELECT * FROM employees_db WHERE department = 'HR';",
+    "SELECT * FROM products_db WHERE category = 'Electronics';",
+    "SELECT COUNT(*) FROM orders_db WHERE order_date BETWEEN '2024-09-01' AND '2024-09-30';",
+    "SELECT product_id, SUM(quantity) FROM orders_db GROUP BY product_id;",
+    "SELECT employee_name, salary FROM payroll_db WHERE salary > 5000;",
+    "SELECT AVG(transaction_amount) FROM payments_db WHERE user_id = 123;",
+
+    # Normal INSERT Queries
+    "INSERT INTO users_db (user_id, name, email, signup_date) VALUES (124, 'John Doe', 'johndoe@example.com', '2024-09-12');",
+    "INSERT INTO orders_db (order_id, user_id, product_id, quantity, order_date) VALUES (999, 123, 567, 2, '2024-09-12');",
+    "INSERT INTO payments_db (transaction_id, user_id, amount, transaction_date) VALUES (555, 123, 120.50, '2024-09-12');",
+    "INSERT INTO products_db (product_id, name, price, category) VALUES (1001, 'Laptop', 1500.00, 'Electronics');",
+    "INSERT INTO employees_db (employee_id, name, department, hire_date) VALUES (200, 'Jane Doe', 'HR', '2024-09-10');",
+    "INSERT INTO transactions_db (transaction_id, user_id, amount, transaction_date) VALUES (789, 234, 500.75, '2024-09-11');",
+    "INSERT INTO cms_db (post_id, title, content, author) VALUES (12, 'New Blog Post', 'This is the content of the post', 'admin');",
+
+    # Normal UPDATE Queries
+    "UPDATE users_db SET email = 'newemail@example.com' WHERE user_id = 123;",
+    "UPDATE inventory_db SET stock = 50 WHERE product_id = 567;",
+    "UPDATE payments_db SET status = 'refunded' WHERE transaction_id = 555;",
+    "UPDATE orders_db SET status = 'shipped' WHERE order_id = 999;",
+    "UPDATE inventory_db SET stock = stock - 1 WHERE product_id = 1001;",
+    "UPDATE customers_db SET address = '123 New Street' WHERE customer_id = 567;",
+
+    # Normal DELETE Queries
+    "DELETE FROM users_db WHERE user_id = 999;",
+    "DELETE FROM products_db WHERE product_id = 1000;",
+    "DELETE FROM attendance_db WHERE employee_id = 101 AND date = '2024-09-11';",
+    "DELETE FROM blog_db WHERE post_id = 5;",
+    "DELETE FROM transactions_db WHERE transaction_date < '2023-01-01';",
+    "DELETE FROM employees_db WHERE hire_date < '2020-01-01';",
+
+    # Normal ALTER Queries
+    "ALTER TABLE users_db ADD COLUMN phone_number VARCHAR(20);",
+    "ALTER TABLE products_db MODIFY COLUMN price DECIMAL(10, 2);",
+    "ALTER TABLE payments_db ADD COLUMN transaction_status VARCHAR(20);",
+    "ALTER TABLE employees_db RENAME COLUMN hire_date TO start_date;",
+
+    # Normal CREATE Queries
+    "CREATE TABLE user_addresses (address_id INT PRIMARY KEY, user_id INT, address_line VARCHAR(255), city VARCHAR(100), postal_code VARCHAR(20));",
+    "CREATE INDEX idx_user_email ON users_db (email);",
+
+    # Normal DROP Queries
+    "DROP TABLE archived_orders;",
+    "DROP INDEX idx_product_sku ON products_db;",
+
+    # Malicious SQL Injection Queries
+    "SELECT * FROM users_db WHERE user_id = '1' OR '1'='1';",
+    "SELECT * FROM payments_db WHERE transaction_id = '1'; DROP TABLE payments_db;",
+    "SELECT * FROM users_db WHERE username = 'admin' AND password = '' OR '1'='1';",
+    "SELECT * FROM users_db WHERE password LIKE '%'; -- or '1'='1';",
+
+    # Malicious Unauthorized Data Manipulation
+    "UPDATE users_db SET password = 'hacked_password' WHERE username = 'admin';",
+    "DELETE FROM payments_db WHERE '1'='1';",
+    "INSERT INTO users_db (user_id, username, password, role) VALUES (999, 'attacker', 'password123', 'admin');",
+
+    # Malicious Privilege Escalation Queries
+    "GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'password';",
+    "CREATE USER 'hacker'@'localhost' IDENTIFIED BY 'password';",
+    "GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'localhost';",
+
+    # Additional Malicious Queries
+    "UPDATE employees_db SET salary = 10000 WHERE employee_id = 200 AND '1'='1';",
+    "DROP TABLE users_db; -- Malicious query to drop a table",
+    "SELECT * FROM users_db WHERE email = 'admin@example.com' AND '1'='1';"
+]
+

{rosetta-ce-1.6.4 → rosetta_ce-1.6.6}/rosetta/rfaker.py

@@ -15,6 +15,7 @@ from rosetta.constants.sources import BAD_IP_SOURCES, GOOD_IP_SOURCES, BAD_URL_S
 from rosetta.constants.systems import UNIX_CMD, WINDOWS_CMD, WIN_PROCESSES, WIN_EVENTS
 from rosetta.constants.attributes import INCIDENTS_TYPES, SEVERITIES
 from rosetta.constants.sensors import ACTIONS, PROTOCOLS, TECHNIQUES, ERROR_CODE
+from rosetta.constants.db import QUERY_TYPE, DATABASE_NAME, QUERY
 
 
 class ObservableType(Enum):
@@ -32,22 +33,23 @@ class ObservableKnown(Enum):
 
 class Observables:
     def __init__(self, local_ip: list = None, remote_ip: Optional[list] = None, local_ip_v6: list = None,
-                 remote_ip_v6: Optional[list] = None, src_host: Optional[list] = None,
-                 dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
-                 sender_email: Optional[list] = None, recipient_email: Optional[list] = None,
-                 email_subject: Optional[list] = None, email_body: Optional[list] = None,
-                 url: Optional[list] = None, source_port: Optional[list] = None, remote_port: Optional[list] = None,
-                 protocol: Optional[list] = None, inbound_bytes: Optional[list] = None,
-                 outbound_bytes: Optional[list] = None, app: Optional[list] = None, os: Optional[list] = None,
-                 user: Optional[list] = None, cve: Optional[list] = None, file_name: Optional[list] = None,
-                 file_hash: Optional[list] = None, win_cmd: Optional[list] = None, unix_cmd: Optional[list] = None,
-                 win_process: Optional[list] = None, win_child_process: Optional[list] = None,
-                 unix_process: Optional[list] = None, unix_child_process: Optional[list] = None,
-                 technique: Optional[list] = None, entry_type: Optional[list] = None, severity: Optional[list] = None,
-                 sensor: Optional[list] = None, action: Optional[list] = None, event_id: Optional[list] = None,
-                 error_code: Optional[list] = None, terms: Optional[list] = None, alert_types: Optional[list] = None,
-                 alert_name: Optional[list] = None, incident_types: Optional[list] = None,
-                 analysts: Optional[list] = None, action_status: Optional[list] = None):
+                remote_ip_v6: Optional[list] = None, src_host: Optional[list] = None,
+                dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
+                sender_email: Optional[list] = None, recipient_email: Optional[list] = None,
+                email_subject: Optional[list] = None, email_body: Optional[list] = None,
+                url: Optional[list] = None, source_port: Optional[list] = None, remote_port: Optional[list] = None,
+                protocol: Optional[list] = None, inbound_bytes: Optional[list] = None,
+                outbound_bytes: Optional[list] = None, app: Optional[list] = None, os: Optional[list] = None,
+                user: Optional[list] = None, cve: Optional[list] = None, file_name: Optional[list] = None,
+                file_hash: Optional[list] = None, win_cmd: Optional[list] = None, unix_cmd: Optional[list] = None,
+                win_process: Optional[list] = None, win_child_process: Optional[list] = None,
+                unix_process: Optional[list] = None, unix_child_process: Optional[list] = None,
+                technique: Optional[list] = None, entry_type: Optional[list] = None, severity: Optional[list] = None,
+                sensor: Optional[list] = None, action: Optional[list] = None, event_id: Optional[list] = None,
+                error_code: Optional[list] = None, terms: Optional[list] = None, alert_types: Optional[list] = None,
+                alert_name: Optional[list] = None, incident_types: Optional[list] = None,
+                analysts: Optional[list] = None, action_status: Optional[list] = None, query_type: Optional[list] = None,
+                database_name: Optional[list] = None, query: Optional[list] = None):
         self.local_ip = local_ip
         self.remote_ip = remote_ip
         self.local_ip_v6 = local_ip_v6
@@ -91,7 +93,9 @@ class Observables:
         self.alert_types = alert_types
         self.alert_name = alert_name
         self.action_status = action_status
-
+        self.query_type = query_type
+        self.database_name = database_name
+        self.query = query
     @staticmethod
     def _get_observables_from_source(source: dict) -> list:
         """
@@ -99,7 +103,7 @@ class Observables:
 
         Args:
         - source: A dictionary containing information about the source, including its type, URL, structure, and value
-                  column or key.
+                column or key.
 
         Returns:
         - A list of observables fetched from the source.
@@ -116,13 +120,13 @@ class Observables:
             results = [line.strip() for line in response.text.strip().split("\n") if not line.startswith("#")]
         elif source['structure'] == 'csv':
             rows = csv.reader(filter(lambda line: not line.startswith('#'), response.text.strip().split('\n')),
-                              delimiter=source['delimiter'])
+                            delimiter=source['delimiter'])
             for row in rows:
                 results.append(row[source['value_column']])
         elif source['structure'] == 'json':
             results = reduce(lambda d, key: d[key] if key != source['value_key'].split('.')[-1] else [i[key]
-                                                                                                      for i in d],
-                             source['value_key'].split('.'), response.json())
+                                                                                                    for i in d],
+                            source['value_key'].split('.'), response.json())
         random.shuffle(results)
         if source_type == 'subnet':
             ip_addresses = []
@@ -144,7 +148,7 @@ class Observables:
 
     @classmethod
     def generator(cls, count: int, observable_type: ObservableType,
-                  known: ObservableKnown = ObservableKnown.BAD) -> List[str]:
+                known: ObservableKnown = ObservableKnown.BAD) -> List[str]:
         """
         Generates a list of observable values based on the given observable type and known status, with a desired count.
         The function attempts to obtain the values from sources defined in configuration files. If the function fails to
@@ -305,7 +309,7 @@ class Events:
                 else "sudo"
         if field == "unix_child_process":
             field_value = random.choice(observables.unix_child_process) if observables and \
-                                                                           observables.unix_child_process else "sudo"
+                                                                        observables.unix_child_process else "sudo"
         if field == "unix_cmd":
             field_value = random.choice(observables.unix_cmd) if observables and observables.unix_cmd \
                 else random.choice(UNIX_CMD)
@@ -359,7 +363,7 @@ class Events:
         if field == "attachment_hash":
             field_value = random.choice(observables.file_hash) if observables and observables.file_hash \
                     else Observables.generator(observable_type=ObservableType.SHA256, known=ObservableKnown.BAD,
-                                               count=1)
+                                            count=1)
         if field == "spam_score":
             field_value = faker.random_int(min=1, max=5)
         if field == "method":
@@ -427,7 +431,7 @@ class Events:
         if field == "file_hash":
             field_value = random.choice(observables.file_hash) if observables and observables.file_hash \
                     else Observables.generator(observable_type=ObservableType.SHA256, known=ObservableKnown.BAD,
-                                               count=1)
+                                            count=1)
         if field == "incident_types":
             field_value = random.choice(observables.incident_types) if observables and observables.incident_types \
                 else INCIDENTS_TYPES
@@ -441,6 +445,15 @@ class Events:
         if field == "alert_name":
             field_value = random.choice(observables.alert_name) if observables and observables.alert_name \
                 else faker.sentence(nb_words=4)
+        if field == "query_type":
+            field_value = random.choice(observables.query_type) if \
+                observables and observables.query_type else random.choice(QUERY_TYPE)
+        if field == "database_name":
+            field_value = random.choice(observables.database_name) if \
+                observables and observables.database_name else random.choice(DATABASE_NAME)
+        if field == "query":
+            field_value = random.choice(observables.query) if \
+                observables and observables.query else random.choice(QUERY) 
         return field_value
 
     @classmethod
@@ -606,13 +619,13 @@ class Events:
         for i in range(count):
             datetime_iso += timedelta(seconds=1)
             leef_message = f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|" \
-                           f"severity={cls.set_field('severity', observables)}\tdevtime={datetime_iso}"
+                           f"severity={cls.set_field('severity', observables)}  devtime={datetime_iso}"
             for field in required_fields.split(","):
-                leef_message += f"\t{field}={cls.set_field(field, observables)}"
+                leef_message += f"  {field}={cls.set_field(field, observables)}"
             if observables:
                 for observable, observable_value in vars(observables).items():
                     if observable_value and observable not in required_fields.split(","):
-                        leef_message += f"\t{observable}={random.choice(observable_value)}"
+                        leef_message += f"  {observable}={random.choice(observable_value)}"
             leef_messages.append(leef_message)
         return leef_messages
 

{rosetta-ce-1.6.4 → rosetta_ce-1.6.6/rosetta_ce.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.6.4
+Version: 1.6.6
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud
@@ -11,6 +11,9 @@ Classifier: Operating System :: OS Independent
 Requires-Python: >=3.6
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: requests
+Requires-Dist: faker
+Requires-Dist: urllib3
 
 [![snyk](https://snyk.io/test/github/ayman-m/rosetta/badge.svg)](https://snyk.io/test/github/my-soc/Rosetta)
 ![codeql](https://github.com/ayman-m/rosetta/actions/workflows/github-code-scanning/codeql/badge.svg)

{rosetta-ce-1.6.4 → rosetta_ce-1.6.6}/rosetta_ce.egg-info/SOURCES.txt

@@ -7,6 +7,7 @@ rosetta/rfaker.py
 rosetta/rsender.py
 rosetta/constants/__init__.py
 rosetta/constants/attributes.py
+rosetta/constants/db.py
 rosetta/constants/sensors.py
 rosetta/constants/sources.py
 rosetta/constants/systems.py

{rosetta-ce-1.6.4 → rosetta_ce-1.6.6}/setup.py

@@ -5,7 +5,7 @@ with open("README.md", "r") as fh:
 
 setuptools.setup(
     name="rosetta-ce",
-    version="1.6.4",
+    version="1.6.6",
     author="Ayman Mahmoud",
     author_email="content@ayman.online",
     description="Rosetta is a Python package that can be used to fake security logs and alerts for testing different "