# Copyright (c) 2010-2020 Jacob Hammack.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

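module Risu
    module Templates
        # Template helpers for the malware-related parts of a risu report: a
        # Conficker worm summary and appendix table, and a "known malicious
        # process" summary and appendix.
        #
        # Meant to be mixed into a report template that supplies the rendering
        # helpers used here (heading1/heading2/text/definition, @output/output —
        # the table API looks like Prawn's) and the Item, Plugin, Host and Report
        # models.
        #
        # NOTE(review): host names, FQDNs and plugin output all come from scan
        # results, i.e. from the scanned (and, in these sections, likely
        # compromised) hosts. They are emitted as literal text; if `text` or
        # `definition` is ever switched to inline/markup formatting, escape them
        # first.
        module MalwareTemplateHelper

            # Nessus plugin name the Conficker sections key on (previously
            # repeated as a literal in three places).
            CONFICKER_PLUGIN_NAME = "Conficker Worm Detection (uncredentialed check)".freeze

            # Nessus plugin id the known-malicious-process sections key on.
            KNOWN_MALICIOUS_PROCESS_PLUGIN_ID = 59275

            # Id of the Conficker detection plugin row, or nil when no such
            # plugin exists in the database (the scan never ran it).
            def conficker_plugin_id
                plugin = Plugin.where(:plugin_name => CONFICKER_PLUGIN_NAME).first
                plugin.nil? ? nil : plugin.id
            end

            # Findings (Item rows) produced by the Conficker plugin; an empty
            # array when the plugin is unknown, so callers never hit a nil id.
            def conficker_findings
                plugin_id = conficker_plugin_id
                return [] if plugin_id.nil?

                Item.where(:plugin_id => plugin_id)
            end

            # Number of Conficker findings, or 0 when the plugin is absent or
            # the query fails.
            def conficker_count
                conficker_findings.count
            rescue StandardError
                # Deliberate best effort: a DB error must not abort report
                # generation; the section is simply omitted.
                0
            end

            # Appendix table listing each host with a Conficker finding.
            # Emits nothing when there are no findings.
            def conficker_appendix_section
                return if conficker_count <= 0

                heading2 "Conficker Worm Infection"

                headers = ["Host"]
                rows = conficker_findings.map { |finding| [malware_host_label(finding)] }

                @output.table([headers] + rows, :header => true, :width => output.bounds.width) do
                    row(0).style(:font_style => :bold, :background_color => 'cccccc')
                    cells.borders = [:top, :bottom, :left, :right]
                end

                text "\n"
            end

            # Executive-summary paragraph for Conficker infections.
            # Emits nothing when there are no findings.
            def conficker_section
                count = conficker_count
                return if count <= 0

                heading2 "Conficker Worm Infection"

                text "Conficker Worm infections were found on #{count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."

                text "\n"
            end

            # Number of known-malicious-process findings, or 0 when the query
            # fails.
            def known_malicious_process_count
                Item.where(:plugin_id => KNOWN_MALICIOUS_PROCESS_PLUGIN_ID).count
            rescue StandardError
                # Deliberate best effort, as in conficker_count.
                0
            end

            # Executive-summary paragraph for known malicious processes.
            # Emits nothing when there are no findings.
            def known_malicious_process_section
                count = known_malicious_process_count
                return if count <= 0

                heading1(count == 1 ? "Known Malicious Process Detected" : "Known Malicious Processes Detected")

                text "A known malicious process was detected active on the network. This process was detected using hash binary hashing. This hash was submitted to an malware detection service that checks each hash against several different anti virus software suites. Details can be found in Appendix A."

                text "\n"
            end

            # Appendix entries (host, plugin description, plugin output) for
            # each known-malicious-process finding. Emits nothing when there
            # are no findings.
            def known_malicious_process_appendix_section
                count = known_malicious_process_count
                return if count <= 0

                heading2(count == 1 ? "Known Malicious Process" : "Known Malicious Processes")

                # The plugin row may be missing even though findings reference
                # its id; only collapse the description's space runs once, here,
                # rather than once per finding.
                plugin = Plugin.find_by_id(KNOWN_MALICIOUS_PROCESS_PLUGIN_ID)
                description = plugin.nil? ? nil : plugin.description
                description = description.gsub(/[ ]{2,}/, " ") unless description.nil?

                Item.where(:plugin_id => KNOWN_MALICIOUS_PROCESS_PLUGIN_ID).each do |finding|
                    text "Host", :style => :bold
                    text malware_host_label(finding)

                    definition "Description", description unless description.nil?
                    # Strip the attachment notice Nessus appends to the output;
                    # plugin_output may be nil, hence to_s.
                    definition "Plugin output", finding.plugin_output.to_s.gsub(/Any detected files 5 MB or less are available as attachments./, "")
                end

                text "\n"
            end

            # "name (fqdn)" label for the host a finding belongs to, or a
            # host_id placeholder when the Host row is missing, so a dangling
            # host reference degrades the listing instead of aborting the report.
            # Builds a new string rather than appending to the model attribute.
            def malware_host_label(finding)
                host = Host.find_by_id(finding.host_id)
                return "unknown host (host_id #{finding.host_id})" if host.nil?

                parts = [host.name.to_s]
                parts << "(#{host.fqdn})" unless host.fqdn.nil?
                parts.join(" ")
            end

            # All malware summary sections, in report order.
            def malware_section
                conficker_section
                known_malicious_process_section
            end

            # All malware appendix sections, in report order.
            def malware_appendix_section
                conficker_appendix_section
                known_malicious_process_appendix_section
            end
        end
    end
end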