module Risu::Templates::MalwareTemplateHelper
Public Instance Methods
conficker_appendix_section()
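# File lib/risu/base/malware_template_helper.rb, line 35
# Renders the Conficker appendix: a one-column table listing every host
# that has a "Conficker Worm Detection (uncredentialed check)" finding.
#
# Emits nothing when conficker_count is zero. The plugin row is looked up
# once and re-checked for nil instead of calling `.first.id` blindly, and a
# finding whose Host row cannot be found is still listed (labelled by its
# host_id) so the appendix never silently drops a detection.
#
# @return [void]
def conficker_appendix_section
  return if conficker_count <= 0

  plugin = Plugin.where(plugin_name: "Conficker Worm Detection (uncredentialed check)").first
  # conficker_count > 0 implies the plugin exists; guard anyway rather than raise on nil.id.
  return if plugin.nil?

  heading2 "Conficker Worm Infection"

  headers = ["Host"]
  rows = Item.where(plugin_id: plugin.id).map do |finding|
    host = Host.find_by_id(finding.host_id)
    label =
      if host.nil?
        "Unknown host (id #{finding.host_id})"
      elsif host.fqdn
        "#{host.name} (#{host.fqdn})"
      else
        host.name.to_s
      end
    [label]
  end

  # NOTE(review): `output` is assumed to be an accessor for @output — confirm.
  @output.table([headers] + rows, header: true, width: output.bounds.width) do
    row(0).style(font_style: :bold, background_color: 'cccccc')
    cells.borders = [:top, :bottom, :left, :right]
  end
  text "\n"
end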
conficker_count()
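# File lib/risu/base/malware_template_helper.rb, line 26
# Number of findings recorded for the
# "Conficker Worm Detection (uncredentialed check)" plugin.
#
# Returns 0 when that plugin is not present in the report. The missing-plugin
# case is handled explicitly instead of with a bare `rescue`, so a genuine
# query failure is no longer reported as "no infections".
#
# @return [Integer]
def conficker_count
  plugin = Plugin.where(plugin_name: "Conficker Worm Detection (uncredentialed check)").first
  return 0 if plugin.nil?

  Item.where(plugin_id: plugin.id).count
end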
conficker_section()
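# File lib/risu/base/malware_template_helper.rb, line 68
# Writes the summary paragraph for Conficker infections, or nothing when
# conficker_count is zero.
#
# The count is taken from conficker_count once; the previous version re-ran
# the same query into a local that shadowed the method name.
#
# @return [void]
def conficker_section
  count = conficker_count
  return if count <= 0

  heading2 "Conficker Worm Infection"
  text "Conficker Worm infections were found on #{count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."
  text "\n"
end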
known_malicious_process_appendix_section()
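# File lib/risu/base/malware_template_helper.rb, line 107
# Renders the appendix for plugin 59275 (known malicious process): for each
# finding, the host, the plugin description and the plugin output.
#
# Emits nothing when known_malicious_process_count is zero. Nil-safe where
# the previous version was not: a missing Plugin row, a missing Host row or
# a nil plugin_output no longer raise NoMethodError mid-report.
#
# @return [void]
def known_malicious_process_appendix_section
  count = known_malicious_process_count
  return if count <= 0

  # count is > 0 here, so the two cases are exactly "one" and "several".
  heading2(count == 1 ? "Known Malicious Process" : "Known Malicious Processes")

  plugin = Plugin.find_by_id(59275)
  # Collapse runs of spaces in the description once, outside the loop.
  description = plugin.description.gsub(/[ ]{2,}/, " ") if plugin && plugin.description

  Item.where(plugin_id: 59275).each do |finding|
    host = Host.find_by_id(finding.host_id)
    label =
      if host.nil?
        "Unknown host (id #{finding.host_id})"
      elsif host.fqdn
        "#{host.name} (#{host.fqdn})"
      else
        host.name.to_s
      end

    text "Host", style: :bold
    text label
    definition "Description", description if description
    # Strip the scanner's attachment boilerplate from the raw output.
    output = finding.plugin_output.to_s.gsub(/Any detected files 5 MB or less are available as attachments./, "")
    definition "Plugin output", output
  end
  text "\n"
end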
known_malicious_process_count()
# File lib/risu/base/malware_template_helper.rb, line 82
# Number of findings recorded for plugin 59275 (known malicious process).
#
# Any StandardError raised by the query is reported as 0 — callers treat
# "cannot count" and "nothing found" identically.
#
# @return [Integer]
def known_malicious_process_count
  Item.where(plugin_id: 59275).count
rescue StandardError
  0
end
known_malicious_process_section()
# File lib/risu/base/malware_template_helper.rb, line 91
# Writes the summary paragraph for known malicious processes, or nothing
# when known_malicious_process_count is zero.
#
# @return [void]
def known_malicious_process_section
  count = known_malicious_process_count
  return if count <= 0

  # count is positive here, so singular vs. plural is the only distinction left.
  heading = count == 1 ? "Known Malicious Process Detected" : "Known Malicious Processes Detected"
  heading1 heading
  text "A known malicious process was detected active on the network. This process was detected using hash binary hashing. This hash was submitted to an malware detection service that checks each hash against several different anti virus software suites. Details can be found in Appendix A."
  text "\n"
end
malware_appendix_section()
# File lib/risu/base/malware_template_helper.rb, line 142
# Renders every malware appendix section, in report order. Each section is
# a no-op when its own count is zero.
#
# @return [void]
def malware_appendix_section
  [:conficker_appendix_section, :known_malicious_process_appendix_section].each do |section|
    public_send(section)
  end
end
malware_section()
# File lib/risu/base/malware_template_helper.rb, line 136
# Renders every malware summary section, in report order. Each section is
# a no-op when its own count is zero.
#
# @return [void]
def malware_section
  [:conficker_section, :known_malicious_process_section].each do |section|
    public_send(section)
  end
end