Merge branch 'release/1.5.0'

2024-11-06 17:15:21 +00:00 · 2017-07-05 13:30:27 +02:00 · 2017-07-05 13:30:27 +02:00 · 0ced7bec60
commit 0ced7bec60
parent f6558a1881 99d5cc4bd8
199 changed files with 1304 additions and 530 deletions
--- a/analyzers/Abuse_Finder/Abuse_Finder.json
+++ b/analyzers/Abuse_Finder/Abuse_Finder.json
@ -1,6 +1,6 @@
 {
    "name": "Abuse_Finder",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
@ -10,7 +10,7 @@
      "max_tlp":3,
      "service":""
    },
-    "description": "Use CERT-SG's Abuse Finder to find the abuse contact associated with domain names, URLs, IPs and email addresses",
+    "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses",
-    "dataTypeList": ["ip", "domain", "url","email"],
+    "dataTypeList": ["ip", "domain", "url", "mail"],
    "command": "Abuse_Finder/abusefinder.py"
 }
--- a/analyzers/Abuse_Finder/abusefinder.py
+++ b/analyzers/Abuse_Finder/abusefinder.py
@ -14,6 +14,14 @@ logging.getLogger("tldextract").setLevel(logging.CRITICAL)
 class AbuseFinderAnalyzer(Analyzer):
    def summary(self, raw):
        taxonomies = []
        if raw['abuse_finder'] and raw['abuse_finder'].get('abuse'):
            for abuse in raw['abuse_finder']['abuse']:
                taxonomies.append(self.build_taxonomy("info", "Abuse_Finder", "Address", abuse))
            return {"taxonomies": taxonomies}
    def abuse(self):
        if self.data_type == "ip":
            return ip_abuse(self.getData())
--- a/analyzers/CERTatPassiveDNS/CERTatPassiveDNS.json
+++ b/analyzers/CERTatPassiveDNS/CERTatPassiveDNS.json
@ -0,0 +1,12 @@
 {
    "name": "CERTatPassiveDNS",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "baseConfig": "CERTatPassiveDNS",
    "config": {},
    "description": "Checks CERT.at Passive DNS for a given domain, API Key via cert.at.",
    "dataTypeList": ["domain", "fqdn"],
    "command": "CERTatPassiveDNS/certat_passivedns.py"
 }
--- a/analyzers/CERTatPassiveDNS/certat_passivedns.py
+++ b/analyzers/CERTatPassiveDNS/certat_passivedns.py
@ -0,0 +1,37 @@
 #!/usr/bin/env python3
 from cortexutils.analyzer import Analyzer
 from whois_wrapper import query
 class CERTatPassiveDNSAnalyzer(Analyzer):
    """Very simple passive dns wrapper for pdns.cert.at. Needs no credentials because access is controlled through
    firewall rules. If you want to get access, you have to contact CERT.AT, but:
    CERT.AT pDNS is not a public service. It is only available for national / governmental CERTs in good standing with
    CERT.AT. For access, you have to get in contact with CERT.AT.
    """
    def __init__(self):
        Analyzer.__init__(self)
        self.limit = self.get_param('config.limit', '100')
    def run(self):
        self.report({'results': query(self.getData(), int(self.limit))})
    def summary(self, raw):
        taxonomies = []
        level = "info"
        namespace = "CERT.at"
        predicate = "PassiveDNS"
        results = raw.get('results')
        r = len(results)
        if r == 0 or r == 1:
            value = "\"{} hit\"".format(r)
        else:
            value = "\"{} hits\"".format(r)
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
 if __name__ == '__main__':
    CERTatPassiveDNSAnalyzer().run()
--- a/analyzers/CERTatPassiveDNS/requirements.txt
+++ b/analyzers/CERTatPassiveDNS/requirements.txt
@ -0,0 +1 @@
 cortexutils
--- a/analyzers/CERTatPassiveDNS/whois.sh
+++ b/analyzers/CERTatPassiveDNS/whois.sh
@ -0,0 +1,2 @@
 #!/usr/bin/env bash
 whois -h pdns.cert.at "  $1"
--- a/analyzers/CERTatPassiveDNS/whois_wrapper.py
+++ b/analyzers/CERTatPassiveDNS/whois_wrapper.py
@ -0,0 +1,55 @@
 #!/usr/bin/env python3
 from re import findall
 from subprocess import check_output
 def __query(domain, limit=100):
    """Using the shell script to query pdns.cert.at is a hack, but python raises an error every time using subprocess
    functions to call whois. So this hack is avoiding calling whois directly. Ugly, but works.
    :param domain: The domain pdns is queried with.
    :type domain: str
    :param limit: Maximum number of results
    :type limit: int
    :returns: str -- Console output from whois call.
    :rtype: str
    """
    s = check_output(['./whois.sh', '--limit {} {}'.format(limit, domain)], universal_newlines=True)
    return s
 def __process_results(results):
    """Processes the result from __query to get valid json from every entry.
    :param results: Results from __query
    :type results: str
    :returns: python list of dictionaries containing the relevant results.
    :rtype: list
    """
    result_list = []
    # Splts the result and cuts first and last dataset which are comments
    split = results.split(sep='\n\n')[1:-1]
    for entry in split:
        entry_dict = {}
        for value in entry.split('\n'):
            if len(value) < 1:
                continue
            (desc, val) = value.split(': ')
            entry_dict[desc.replace('-', '')] = val.strip(' ')
        result_list.append(entry_dict)
    return result_list
 def query(domain: str, limit: int=100):
    """Queries and returns a python dict with results.
    :param domain: domain that should be queried
    :type domain: str
    :param limit: number of entries to return
    :type limit: int
    :returns: query results
    :rtype: list
    """
    return __process_results(__query(domain, limit))
--- a/analyzers/CIRCLPassiveDNS/CIRCLPassiveDNS.json
+++ b/analyzers/CIRCLPassiveDNS/CIRCLPassiveDNS.json
@ -3,7 +3,7 @@
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "CIRCLPassiveDNS",
    "config": {},
    "description": "Check CIRCL's Passive DNS for a given domain or URL",
--- a/analyzers/CIRCLPassiveDNS/circl_passivedns.py
+++ b/analyzers/CIRCLPassiveDNS/circl_passivedns.py
@ -37,7 +37,25 @@ class CIRCLPassiveDNSAnalyzer(Analyzer):
        return clean_result
    def summary(self, raw):
-        return {'hits': len(raw.get('results'))}
+        taxonomies = []
        level = "info"
        namespace = "CIRCL"
        predicate = "PassiveDNS"
        if ("results" in raw):
            r = len(raw.get('results'))
        if r == 0 or r == 1:
            value = "\"{} record\"".format(r)
        else:
            value = "\"{} records\"".format(r)
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        query = ''
--- a/analyzers/CIRCLPassiveSSL/CIRCLPassiveSSL.json
+++ b/analyzers/CIRCLPassiveSSL/CIRCLPassiveSSL.json
@ -3,7 +3,7 @@
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "CIRCLPassiveSSL",
    "config": {},
    "description": "Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash",
--- a/analyzers/CIRCLPassiveSSL/circl_passivessl.py
+++ b/analyzers/CIRCLPassiveSSL/circl_passivessl.py
@ -66,17 +66,27 @@ class CIRCLPassiveSSLAnalyzer(Analyzer):
        return {'query': cquery,
                'cert': cfetch}
    def summary(self, raw):
        if raw.get('cert', None):
            result = {'num_ips_used_cert': raw.get('query').get('hits')}
-            # Not available for all certificates
+    def summary(self, raw):
-            if raw.get('cert').get('icsi', None):
+        taxonomies = []
-                result['validated'] = raw.get('cert').get('icsi').get('validated')
+        level = "info"
-                result['lastseen'] = raw.get('cert').get('icsi').get('last_seen')
+        namespace = "CIRCL"
-            return result
+        predicate = "PassiveSSL"
        if (self.data_type == 'hash') and ("query" in raw):
            r = raw.get('query', 0).get('hits', 0)
        if (self.data_type == 'ip') and ("certificates" in raw):
            r = len(raw['certificates'])
        if r == 0 or r == 1:
            value = "\"{} record\"".format(r)
        else:
-            return {'num_certs_by_ip': len(raw.get(self.getData()).get('certificates'))}
+            value = "\"{} records\"".format(r)
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        if self.data_type == 'certificate_hash' or self.data_type == 'hash':
--- a/analyzers/DNSDB/DNSDB_DomainName.json
+++ b/analyzers/DNSDB/DNSDB_DomainName.json
@ -1,6 +1,6 @@
 {
    "name": "DNSDB_DomainName",
-    "version": "1.1",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DNSDB/DNSDB_IPHistory.json
+++ b/analyzers/DNSDB/DNSDB_IPHistory.json
@ -1,6 +1,6 @@
 {
    "name": "DNSDB_IPHistory",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DNSDB/DNSDB_NameHistory.json
+++ b/analyzers/DNSDB/DNSDB_NameHistory.json
@ -1,6 +1,6 @@
 {
    "name": "DNSDB_NameHistory",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DNSDB/dnsdb.py
+++ b/analyzers/DNSDB/dnsdb.py
@ -40,9 +40,24 @@ class DnsDbAnalyzer(Analyzer):
        return row
    def summary(self, raw):
-        return {
+        # taxonomy = {"level": "info", "namespace": "Farsight", "predicate": "DNSDB", "value": 0}
-            "records": len(raw["records"])
+        taxonomies = []
-        }
+        level = "info"
        namespace = "Farsight"
        predicate = "DNSDB"
        if ("records" in raw):
            r = len(raw["records"])
            if r == 0 or r == 1:
                value = "\"{} record\"".format(r)
            else:
                value = "\"{} records\"".format(r)
            taxonomies.append(self.build_taxonomy(level, namespace,predicate,value))
        return {'taxonomies': taxonomies}
    def run(self):
        try:
--- a/analyzers/DomainTools/DomainTools_ReverseIP.json
+++ b/analyzers/DomainTools/DomainTools_ReverseIP.json
@ -1,6 +1,6 @@
 {
    "name": "DomainTools_ReverseIP",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DomainTools/DomainTools_ReverseNameServer.json
+++ b/analyzers/DomainTools/DomainTools_ReverseNameServer.json
@ -1,6 +1,6 @@
 {
    "name": "DomainTools_ReverseNameServer",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DomainTools/DomainTools_ReverseWhois.json
+++ b/analyzers/DomainTools/DomainTools_ReverseWhois.json
@ -1,6 +1,6 @@
 {
    "name": "DomainTools_ReverseWhois",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DomainTools/DomainTools_WhoisHistory.json
+++ b/analyzers/DomainTools/DomainTools_WhoisHistory.json
@ -1,6 +1,6 @@
 {
    "name": "DomainTools_WhoisHistory",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DomainTools/DomainTools_WhoisLookup.json
+++ b/analyzers/DomainTools/DomainTools_WhoisLookup.json
@ -1,6 +1,6 @@
 {
    "name": "DomainTools_WhoisLookup",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DomainTools/DomainTools_WhoisLookupIP.json
+++ b/analyzers/DomainTools/DomainTools_WhoisLookupIP.json
@ -1,6 +1,6 @@
 {
    "name": "DomainTools_WhoisLookup_IP",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/DomainTools/domaintools.py
+++ b/analyzers/DomainTools/domaintools.py
@ -21,35 +21,58 @@ class DomainToolsAnalyzer(Analyzer):
            'config.service', None, 'Service parameter is missing')
    def summary(self, raw):
-        result = {
+        r = {
            "service": self.service,
            "dataType": self.data_type
        }
        if("ip_addresses" in raw):
-            result["ip"] = {
+            r["ip"] = {
                "address": raw["ip_addresses"]["ip_address"],
                "domain_count": raw["ip_addresses"]["domain_count"]
            }
        if("domain_count" in raw):
-            result["domain_count"] = {
+            r["domain_count"] = {
                "current": raw["domain_count"]["current"],
                "historic": raw["domain_count"]["historic"]
            }
        if("registrant" in raw):
-            result["registrant"] = raw["registrant"]
+            r["registrant"] = raw["registrant"]
        elif("response" in raw and "registrant" in raw["response"]):
-            result["registrant"] = raw["response"]["registrant"]
+            r["registrant"] = raw["response"]["registrant"]
        if("parsed_whois" in raw):
-            result["registrar"] = raw["parsed_whois"]["registrar"]["name"]
+            r["registrar"] = raw["parsed_whois"]["registrar"]["name"]
            #
        if("name_server" in raw):
-            result["name_server"] = raw["name_server"]["hostname"]
+            r["name_server"] = raw["name_server"]["hostname"]
-            result["domain_count"] = raw["name_server"]["total"]
+            r["domain_count"] = raw["name_server"]["total"]
        taxonomies = []
        # Prepare predicate and value for each service
        if r["service"] == "reverse-ip":
            taxonomies.append(self.build_taxonomy("info", "DT", "Reverse_IP","\"{}, {} domains\"".format(r["ip"]["address"], r["ip"]["domain_count"])))
        if r["service"] == "name-server-domains":
            taxonomies.append(self.build_taxonomy("info", "DT", "Reverse_Name_Server","\"{}, {} domains\"".format(r["name_server"], r["domain_count"])))
        if r["service"] == "reverse-whois":
            taxonomies.append(self.build_taxonomy("info", "DT", "Reverse_Whois","\"curr:{} / hist:{} domains\"".format(r["domain_count"]["current"], r["domain_count"]["historic"])))
        if r["service"] == "whois/history":
            taxonomies.append(self.build_taxonomy("info", "DT", "Whois_History","\"{}, {} domains \"".format(r["name_server"], r["domain_count"])))
        if (r["service"] == "whois/parsed") or (r['service'] == "whois"):
            if r["registrar"]:
                taxonomies.append(self.build_taxonomy("info", "DT", "Whois", "\"REGISTRAR:{}\"".format(r["registrar"])))
            if r["registrant"]:
                taxonomies.append(self.build_taxonomy("info", "DT", "Whois", "\"REGISTRANT:{}\"".format(r["registrant"])))
        result = {'taxonomies': taxonomies}
        return result
    def run(self):
--- a/analyzers/File_Info/File_Info.json
+++ b/analyzers/File_Info/File_Info.json
@ -1,6 +1,6 @@
 {
    "name": "File_Info",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/File_Info/fileinfo_analyzer.py
+++ b/analyzers/File_Info/fileinfo_analyzer.py
@ -138,18 +138,40 @@ class FileAnalyzer(Analyzer):
    # SUMMARY
    def summary(self, fullReport):
        taxonomies = []
        level = "info"
        namespace = "FileInfo"
        predicate = "Filetype"
        if fullReport['Mimetype'] in ['application/x-dosexec']:
-            return self.PE_Summary(fullReport)
+            pereport = self.PE_Summary(fullReport)
-        if fullReport['Mimetype'] in ['application/pdf']:
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, pereport['filetype']))
-            return self.PDF_Summary(fullReport)
+        elif fullReport['Mimetype'] in ['application/pdf']:
-        if (fullReport['filetype'] in ['DOC','DOCM','DOCX',
+            pdfreport = self.PDF_Summary(fullReport)
            value = "\"{}\"".format(pdfreport['filetype'])
            if pdfreport['suspicious']:
                level = 'suspicious'
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        elif (fullReport['filetype'] in ['DOC','DOCM','DOCX',
                                    'XLS', 'XLSM', 'XLSX',
                                    'PPT', "PPTM", 'PPTX']):
-            return self.MSOffice_Summary(fullReport)
+            msreport = self.MSOffice_Summary(fullReport)
            value = "\"{}\"".format(msreport['filetype'])
            if msreport['suspicious']:
                level = 'suspicious'
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        else:
            value = "\"{}\"".format(fullReport['filetype'])
            level = 'info'
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        result = {'taxonomies': taxonomies}
        return result
        return {
            'filetype': fullReport['filetype']
        }
    def SpecificInfo(self,report):
        # run specific program for PE
--- a/analyzers/FireHOLBlocklists/FireHOLBlocklists.json
+++ b/analyzers/FireHOLBlocklists/FireHOLBlocklists.json
@ -3,7 +3,7 @@
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "FireHOLBlocklists",
    "config": {
        "check_tlp": false,
--- a/analyzers/FireHOLBlocklists/firehol_blocklists.py
+++ b/analyzers/FireHOLBlocklists/firehol_blocklists.py
@ -20,14 +20,14 @@ class FireholBlocklistsAnalyzer(Analyzer):
        Analyzer.__init__(self)
        # Get config parameters
-        self.path = self.getParam('config.blocklistpath', '/tmp/fireholblocklists')
+        self.path = self.getParam('config.blocklistpath', None, 'No path to blocklists provided.')
        self.ignoreolderthandays = self.getParam('config.ignoreolderthandays', 365)
        self.utc = pytz.UTC
        self.now = dt.datetime.now(tz=self.utc)
        # Check if directory exists
        if not os.path.exists(self.path):
-            os.mkdir(self.path, mode=0o700)
+            os.mkdir(self.path, 0700)
            # Downloading/updating the list is implemented with an external cronjob which git pulls the repo
        # Read files in the given path and prepare file lists for ip- and netsets
@ -80,7 +80,8 @@ class FireholBlocklistsAnalyzer(Analyzer):
                    else:
                        if ip in l:
                            # On match append to hits and break; next file!
-                            hits.append({'list': ipsetname, 'description': description.get(ipsetname), 'file_date': file_date.get(ipsetname)})
+                            hits.append({'list': ipsetname, 'description': description.get(ipsetname),
                                         'file_date': file_date.get(ipsetname)})
                            break
        # Second: check the netsets
@ -88,14 +89,14 @@ class FireholBlocklistsAnalyzer(Analyzer):
            with open('{}/{}'.format(self.path, netset)) as afile:
                netsetname = netset.split('.')[0]
                description.update({netsetname: ''})
-                file_date.update({ipsetname : ''})
+                file_date.update({netsetname: ''})
                for l in afile:
                    if l[0] == '#':
                        # Check for date and break if too old
                        if '# Source File Date: ' in l:
                            datestr = re.sub('# Source File Date: ', '', l.rstrip('\n'))
                            date = parse(datestr)
-                            file_date[ipsetname] = str(date)
+                            file_date[netsetname] = str(date)
                            if (self.now - date).days > self.ignoreolderthandays:
                                break
                        description[netsetname] += re.sub(r'^\[.*\] \(.*\) [a-zA-Z0-9.\- ]*$', '', l.lstrip('# '))\
@ -103,7 +104,8 @@ class FireholBlocklistsAnalyzer(Analyzer):
                    else:
                        try:
                            if ipaddress.ip_address(ip) in ipaddress.ip_network(u'{}'.format(l.split('\n')[0])):
-                                hits.append({'list': netsetname, 'description': description.get(netsetname), 'file_date': file_date.get(ipsetname)})
+                                hits.append({'list': netsetname, 'description': description.get(netsetname),
                                             'file_date': file_date.get(netsetname)})
                                break
                        except ValueError as e:
                            self.error('ValueError occured. Used values: ipnetwork {}, ip to check {}, file {}.'
@ -112,13 +114,26 @@ class FireholBlocklistsAnalyzer(Analyzer):
        return hits
    def summary(self, raw):
-        result = {
+        taxonomies = []
-            'count': raw.get('count'),
+        level = "info"
-            'hits': []
+        namespace = "Firehol"
-        }
+        predicate = "Blocklists"
-        for hit in raw.get('hits'):
+        value = "\"0 hit\""
-            result['hits'].append(hit.get('list'))
+
-        return result
+        if 'count' in raw:
            r = raw.get('count', 0)
            if r == 0 or r == 1:
                value = "\"{} hit\"".format(r)
            else:
                value = "\"{} hits\"".format(r)
            if r > 0:
                level = "suspicious"
            else:
                level = "safe"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        ip = self.getData()
--- a/analyzers/Fortiguard/Fortiguard_URLCategory.json
+++ b/analyzers/Fortiguard/Fortiguard_URLCategory.json
@ -1,6 +1,6 @@
 {
    "name": "Fortiguard_URLCategory",
-    "version": "1.1",
+    "version": "2.0",
    "author": "Eric Capuano",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/Fortiguard/urlcategory.py
+++ b/analyzers/Fortiguard/urlcategory.py
@ -10,7 +10,25 @@ from cortexutils.analyzer import Analyzer
 class URLCategoryAnalyzer(Analyzer):
    def summary(self, raw):
-        return {'category': raw['category']}
+
        taxonomies = []
        if 'category' in raw:
            r = raw.get('category')
            value = "\"{}\"".format(r)
            if r == "Malicious Websites":
                level = "malicious"
            elif r == "Suspicious Websites":
                level = "suspicious"
            elif r == "Not Rated":
                level = "info"
            else:
                level = "safe"
            taxonomies.append(self.build_taxonomy(level, "Fortiguard", "URLCat", value))
        result = {"taxonomies": taxonomies}
        return result
    def run(self):
        Analyzer.run(self)
--- a/analyzers/GoogleSafebrowsing/GoogleSafebrowsing.json
+++ b/analyzers/GoogleSafebrowsing/GoogleSafebrowsing.json
@ -3,9 +3,12 @@
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "GoogleSafebrowsing",
-    "config": {},
+    "config": {
        "check_tlp": true,
        "max_tlp": 1
    },
    "description": "Check URLs and domain names against Google Safebrowsing",
    "dataTypeList": ["url", "domain"],
    "command": "GoogleSafebrowsing/safebrowsing_analyzer.py"
--- a/analyzers/GoogleSafebrowsing/safebrowsing_analyzer.py
+++ b/analyzers/GoogleSafebrowsing/safebrowsing_analyzer.py
@ -20,10 +20,31 @@ class SafebrowsingAnalyzer(Analyzer):
        )
    def summary(self, raw):
-        result = {"matches":0}
+
        # taxonomy = {"level":"info", "namespace": "Google", "predicate": "Safebrowsing", "value":0}
        taxonomies = []
        level = "info"
        namespace = "Google"
        predicate = "Safebrowsing"
        value = "\"0 match\""
        if ("results" in raw):
-            result["matches"] = len(raw['results'])
+            r = len(raw['results'])
-        return result
+
            if r == 0 or r == 1:
                value = "\"{} match\"".format(r)
            else:
                value = "\"{} matches\"".format(r)
            if r > 0:
                level = "malicious"
            else:
                level = "safe"
            # level : info, safe, suspicious, malicious
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        report = []
--- a/analyzers/Hippocampe/Hippocampe_hipposcore.json
+++ b/analyzers/Hippocampe/Hippocampe_hipposcore.json
@ -1,6 +1,6 @@
 {
    "name": "Hipposcore",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/Hippocampe/Hippocampe_more.json
+++ b/analyzers/Hippocampe/Hippocampe_more.json
@ -1,6 +1,6 @@
 {
    "name": "HippoMore",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/Hippocampe/hippo.py
+++ b/analyzers/Hippocampe/hippo.py
@ -15,29 +15,41 @@ class HippoAnalyzer(Analyzer):
        self.url = self.getParam('config.url', None, 'Missing URL for Hippocampe API')
        self.service = self.getParam('config.service', None, 'Service parameter is missing')
-    def moreSummary(self, raw):
+    def more_summary(self, raw):
        data = self.getData()
        result = {}
        result[data] = 0
-        if(data in raw):
+        if data in raw:
-            result[data] = len(raw[data])
+            result[data] = len(raw.get(data))
        return result
-    def scoreSummary(self, raw):
+    def score_summary(self, raw):
        data = self.getData()
        result = {}
-        if(data in raw):
+        if data in raw:
-            result[data] = raw[data]["hipposcore"]
+            result[data] = raw.get(data).get("hipposcore")
        return result
    def summary(self, raw):
-        if (self.service == 'hipposcore'):
+        taxonomies = []
-            return self.scoreSummary(raw)
+        level = "safe"
-        elif (self.service == 'more'):
+        namespace = "Hippocampe"
-            return self.moreSummary(raw)
+        predicate = "Score"
        if self.service == 'hipposcore':
            value = self.score_summary(raw)[self.getData()]
            if value > 0:
                level = "malicious"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        elif self.service == 'more':
            value = self.more_summary(raw)[self.getData()]
            if value > 0:
                level = "malicious"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, "\"{} record(s)\"".format(value)))
        return {"taxonomies": taxonomies}
    def run(self):
        data = self.getData()
@ -51,9 +63,8 @@ class HippoAnalyzer(Analyzer):
        post_data = json_data.encode('utf-8')
        headers = {'Content-Type': 'application/json'}
        response = {}
        try:
-            request = urllib2.Request(self.url + self.service, post_data, headers)
+            request = urllib2.Request('{}/hippocampe/api/v1.0/{}'.format(self.url, self.service), post_data, headers)
            response = urllib2.urlopen(request)
            report = json.loads(response.read())
--- a/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Inet.json
+++ b/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Inet.json
@ -1,6 +1,6 @@
 {
    "name": "JoeSandbox_File_Analysis_Inet",
-    "version": "1.1",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Noinet.json
+++ b/analyzers/JoeSandbox/JoeSandbox_File_Analysis_Noinet.json
@ -1,6 +1,6 @@
 {
    "name": "JoeSandbox_File_Analysis_Noinet",
-    "version": "1.1",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/JoeSandbox/JoeSandbox_Url_Analysis.json
+++ b/analyzers/JoeSandbox/JoeSandbox_Url_Analysis.json
@ -1,6 +1,6 @@
 {
    "name": "JoeSandbox_Url_Analysis",
-    "version": "1.1",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/JoeSandbox/joesandbox_analyzer.py
+++ b/analyzers/JoeSandbox/joesandbox_analyzer.py
@ -26,7 +26,32 @@ class JoeSandboxAnalyzer(Analyzer):
            'dataType': self.data_type
        }
-        result.update(raw['detection'])
+        taxonomies = []
        level = "info"
        namespace = "JSB"
        predicate = "Report"
        value = "\"Clean\""
        r = raw['detection']
        value = "\"{}/{}\"".format(r["score"], r["maxscore"])
        if r["clean"]:
            level = "safe"
        elif r["suspicious"]:
            level = "suspicious"
        elif r["malicious"]:
            level = "malicious"
        else:
            level = "info"
            value = "Unknown"
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        result.update({"taxonomies":taxonomies})
        return result
--- a/analyzers/MISP/MISP.json
+++ b/analyzers/MISP/MISP.json
@ -0,0 +1,15 @@
 {
    "name": "MISP",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "baseConfig": "MISP",
    "config": {
        "check_tlp": false,
        "max_tlp": 3
    },
    "description": "Check if this IOC has been processed in different MISP instances.",
    "dataTypeList": ["domain", "ip", "url", "fqdn", "uri_path","user-agent", "hash", "email", "mail", "mail_subject" , "registry", "regexp", "other", "filename"],
    "command": "MISP/misp.py"
 }
--- a/analyzers/MISP/MISP_Search.json
+++ b/analyzers/MISP/MISP_Search.json
@ -1,15 +0,0 @@
 {
    "name": "MISP_Search",
    "version": "1.1",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "MISP",
    "config": {
        "check_tlp": false,
        "service": "search"
    },
    "description": "Search MISP events that have the observable provided as input",
    "dataTypeList": ["domain", "filename", "fqdn", "hash", "ip", "mail", "mail_subject", "other", "regexp", "registry", "uri_path", "url", "user-agent"],
    "command": "MISP/misp_analyzer.py"
 }
--- a/analyzers/MISP/misp.py
+++ b/analyzers/MISP/misp.py
@ -0,0 +1,62 @@
 #!/usr/bin/env python
 from cortexutils.analyzer import Analyzer
 from mispclient import MISPClient
 class MISPAnalyzer(Analyzer):
    """Searches for given IOCs in configured misp instances. All standard data types are supported."""
    def __init__(self):
        Analyzer.__init__(self)
        self.misp = MISPClient(url=self.getParam('config.url', None, 'No MISP url given.'),
                               key=self.getParam('config.key', None, 'No MISP api key given.'),
                               ssl=self.getParam('config.certpath', True),
                               name=self.getParam('config.name', None))
    def summary(self, raw):
        taxonomies = []
        level = "info"
        namespace = "MISP"
        predicate = "Search"
        value = "\"0\""
        data = []
        for r in raw['results']:
            for res in r['result']:
                if 'uuid' in res:
                    data.append(res['uuid'])
        # return number of unique events
        if data == []:
            value = "\"0 event\""
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        else:
            value = "\"{} event(s)\"".format(len(list(set(data))))
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        if self.data_type == 'hash':
            response = self.misp.search_hash(self.getData())
        elif self.data_type == 'url':
            response = self.misp.search_url(self.getData())
        elif self.data_type == 'domain' or self.data_type == 'fqdn':
            response = self.misp.search_domain(self.getData())
        elif self.data_type == 'mail' or self.data_type == 'mail_subject':
            response = self.misp.search_mail(self.getData())
        elif self.data_type == 'ip':
            response = self.misp.search_ip(self.getData())
        elif self.data_type == 'registry':
            response = self.misp.search_registry(self.getData())
        elif self.data_type == 'filename':
            response = self.misp.search_filename(self.getData())
        else:
            response = self.misp.searchall(self.getData())
        self.report({'results': response})
 if __name__ == '__main__':
    MISPAnalyzer().run()
--- a/analyzers/MISP/misp_analyzer.py
+++ b/analyzers/MISP/misp_analyzer.py
@ -1,95 +0,0 @@
 #!/usr/bin/env python
 # encoding: utf-8
 from cortexutils.analyzer import Analyzer
 from pymisp import PyMISP
 class MISPAnalyzer(Analyzer):
    def __init__(self):
        Analyzer.__init__(self)
        self.service = self.getParam('config.service', None, 'MISP service is missing')
        self.url = self.getParam('config.url', None, 'MISP url is missing')
        if self.get_param('config.key'):
            self.api_key = self.get_param('config.key')
        else:
            self.api_key = self.get_param('config.api_key', None, 'MISP key for API is missing')
    def summary(self, raw):
        result = {
            'service': self.service,
            'dataType': self.data_type
        }
        # search service
        if self.service == 'search':
            result['events'] = len(raw['events'])
        else:
            result['events'] = 0
        return result
    def run(self):
        Analyzer.run(self)
        data = self.getData()
        try:
            # search service
            if self.service == 'search':
                misp = PyMISP(self.url, self.api_key)
                result = misp.search_all(data)
                events = []
                if 'response' in result:
                    # Trim the report to make it readable in a browser
                    # Remove null events
                    result['response'] = list(filter(lambda e: e != {'Event': None}, result['response']))
                    for e in result['response']:
                        if 'Event' in e and e['Event']:
                            event = e['Event']
                            # Remove attributes
                            if 'Attribute' in event:
                                del event['Attribute']
                            # Remove org
                            if 'Org' in event:
                                del event['Org']
                            # Remove related events
                            if 'RelatedEvent' in event:
                                del event['RelatedEvent']
                            # Remove shadow attributes
                            if 'ShadowAttribute' in event:
                                del event['ShadowAttribute']
                            # Remove sharing group
                            if 'SharingGroup' in event:
                                del event['SharingGroup']
                            # Remove sharing group
                            if 'Galaxy' in event:
                                del event['Galaxy']
                            # Replace tags by a string array
                            if 'Tag' in event:
                                tags = list((t['name'] for t in event['Tag']))
                                del event['Tag']
                                event['tags'] = tags
                            # Add url to the MISP event
                            if 'id' in event:
                                event['url'] = self.url + '/events/view/' + event['id']
                            if 'publish_timestamp' in event:
                                event['publish_timestamp'] = long(event['publish_timestamp']) * 1000
                            events.append(event)
                self.report({"events": events})
            else:
                self.error('Unknown MISP service')
        except Exception as e:
            self.unexpectedError(e)
 if __name__ == '__main__':
    MISPAnalyzer().run()
--- a/analyzers/MISP/mispclient.py
+++ b/analyzers/MISP/mispclient.py
@ -0,0 +1,261 @@
 #!/usr/bin/env python
 import pymisp
 import os
 class EmptySearchtermError(Exception):
    """Exception raised, when no search terms are given."""
    pass
 class MISPClient:
    """The MISPClient class just hides the "complexity" of the queries. All params can be lists to query more than one
    MISP instance.
    :param url: URL of MISP instance
    :type url: [str, list]
    :param key: API key
    :type key: [str, list]
    :param ssl: Use/dont' use ssl or path to ssl cert if not possible to verify through trusted CAs
    :type ssl: [bool, list, str]
    :param name: Name of the MISP instance, is sent back in the report for matching the results.
    :type name: [str, list]
    """
    def __init__(self, url, key, ssl=True, name='Unnamed'):
        self.misp_connections = []
        if type(url) is list:
            for idx, server in enumerate(url):
                verify = True
                if os.path.isfile(ssl[idx]):
                    verify = ssl[idx]
                self.misp_connections.append(pymisp.PyMISP(url=server,
                                                           key=key[idx],
                                                           ssl=verify))
        else:
            verify = True
            if os.path.isfile(ssl):
                verify = ssl
            self.misp_connections.append(pymisp.PyMISP(url=url,
                                                       key=key,
                                                       ssl=verify))
        self.misp_name = name
    @staticmethod
    def __misphashtypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: MISP hash data types
        :rtype: list
        """
        hashtypes = ['md5', 'sha1', 'sha256', 'ssdeep', 'sha224', 'sha384', 'sha512', 'sha512/224', 'sha512/256',
                     'tlsh', 'authentihash']
        filenames = []
        for h in hashtypes:
            filenames.append('filename|{0}'.format(h))
        return hashtypes + filenames
    @staticmethod
    def __mispurltypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: misp url/domain data types
        :rtype: list
        """
        return ['domain', 'domain|ip', 'url', 'link', 'named pipe', 'uri']
    @staticmethod
    def __mispdomaintypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: data types containing domains
        :rtype: list
        """
        return ['domain', 'hostname', 'domain|ip', 'email-src', 'email-dst', 'url', 'link', 'named pipe',
                'target-email', 'uri', 'whois-registrant-email', 'dns-soa-email', 'hostname|port', 'jabber-id']
    @staticmethod
    def __mispmailtypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: misp mail data types
        :rtype: list
        """
        return ['email-src', 'email-dst', 'target-email', 'email-subject', 'email-attachment', 'whois-registrant-email',
                'dns-soa-email', 'email-header']
    @staticmethod
    def __mispiptypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: ip data types
        :rtype: list
        """
        return ['ip-src', 'ip-dst', 'domain|ip', 'ip-src|port', 'ip-dst|port']
    @staticmethod
    def __mispregistrytypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: misp regkey data types
        :rtype: list
        """
        return ['regkey', 'regkey|value']
    @staticmethod
    def __mispfilenametypes():
        """Just for better readability, all __misp*type methods return just a list of misp data types
        :returns: data types containing filenames
        :rtype: list
        """
        return ['filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'filename|ssdeep', 'filename|sha224',
                'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|tlsh',
                'filename|authentihash']
    def __clean_relatedevent(self, related_events):
        """
        Strip relatedevent sub content of event for lighter output.
        :param related_events: 
        :return: 
        """
        response = []
        for event in related_events:
            ev = {}
            ev['info'] = event['Event']['info']
            ev['id'] = event['Event']['id']
            response.append(ev)
        return response
    def __clean_event(self, misp_event):
        """
        Strip event data for lighter output. Analyer report only contains useful data.
        :param event: misp event
        :return: misp event
        """
        filters = ['Attribute',
                   'ShadowAttribute',
                   'Org',
                   'ShadowAttribute',
                   'SharingGroup',
                   'sharing_group_id',
                   'disable_correlation',
                   'locked',
                   'publish_timestamp',
                   'attribute_count',
                   'attribute_count',
                   'analysis',
                   'published',
                   'distribution',
                   'proposal_email_lock']
        for filter in filters:
            if filter in misp_event:
                del misp_event[filter]
        if 'RelatedEvent' in misp_event:
            misp_event['RelatedEvent'] = self.__clean_relatedevent(misp_event['RelatedEvent'])
        return misp_event
    def __clean(self, misp_response):
        """
        :param misp_response: 
        :return: 
        """
        response = []
        for event in misp_response.get('response', []):
            response.append(self.__clean_event(event['Event']))
        return response
    def __search(self, value, type_attribute):
        """Search method call wrapper.
        :param value: value to search for.
        :type value: str
        :param type_attribute: attribute types to search for.
        :type type_attribute: [list, none]
        """
        results = []
        if not value:
            raise EmptySearchtermError
        for idx, connection in enumerate(self.misp_connections):
            misp_response = connection.search(type_attribute=type_attribute, values=value)
            results.append({'url': connection.root_url,
                            'name': self.misp_name[idx],
                            'result': self.__clean(misp_response)})
        return results
    def search_url(self, searchterm):
        """Search for URLs
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__mispurltypes(), value=searchterm)
    def search_hash(self, searchterm):
        """Search for hashes
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__misphashtypes(), value=searchterm)
    def search_domain(self, searchterm):
        """Search for domains
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__mispdomaintypes(), value=searchterm)
    def search_mail(self, searchterm):
        """Search for emails
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__mispmailtypes(), value=searchterm)
    def search_ip(self, searchterm):
        """Search for ips
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__mispiptypes(), value=searchterm)
    def search_registry(self, searchterm):
        """Search for registry keys and values
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__mispregistrytypes(), value=searchterm)
    def search_filename(self, searchterm):
        """Search for filenames
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=self.__mispfilenametypes(), value=searchterm)
    def searchall(self, searchterm):
        """Search through all attribute types, this could be really slow.
        :type searchterm: str
        :rtype: list
        """
        return self.__search(type_attribute=None, value=searchterm)
--- a/analyzers/MaxMind/MaxMind_GeoIP.json
+++ b/analyzers/MaxMind/MaxMind_GeoIP.json
@ -1,6 +1,6 @@
 {
    "name": "MaxMind_GeoIP",
-    "version": "2.0",
+    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/MaxMind/geo.py
+++ b/analyzers/MaxMind/geo.py
@ -58,13 +58,18 @@ class MaxMindAnalyzer(Analyzer):
        }
    def summary(self, raw):
-        result = {}
+        taxonomy = {"level": "info", "namespace": "MaxMind", "predicate": "Location", "value": 0}
        taxonomies = []
        level = "info"
        namespace = "MaxMind"
        predicate = "Location"
        value = "\"\""
        if("continent" in raw):
-            result["country"] = raw["country"]["name"]
+            value = "\"{}/{}\"".format(raw["country"]["name"], raw["continent"]["name"])
-            result["continent"] = raw["continent"]["name"]
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
-        return result
+        return {"taxonomies":taxonomies}
    def run(self):
        Analyzer.run(self)
--- a/analyzers/MsgParser/Msg_Parser.json
+++ b/analyzers/MsgParser/Msg_Parser.json
@ -1,6 +1,6 @@
 {
    "name": "Msg_Parser",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/MsgParser/parse.py
+++ b/analyzers/MsgParser/parse.py
@ -17,13 +17,17 @@ class MsgParserAnalyzer(Analyzer):
        self.filepath = self.getParam('file', None, 'File is missing')
    def summary(self, raw):
-        result = {
+        taxonomies = []
-            "attachments": 0
+        level = "info"
-        }
+        namespace = "MsgParser"
-        if("attachments" in raw):
+        predicate = "Attachments"
-            result["attachments"] = len(raw["attachments"])
+        value = "\"0\""
-        return result
+        if("attachments" in raw):
            value = len(raw["attachments"])
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomy}
    def run(self):
        if self.data_type == 'file':
--- a/analyzers/Nessus/Nessus.json
+++ b/analyzers/Nessus/Nessus.json
@ -1,6 +1,6 @@
 {
    "name": "Nessus",
-    "version": "1.0",
+    "version": "2.0",
    "author": "Guillaume Rousse",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/Nessus/nessus.py
+++ b/analyzers/Nessus/nessus.py
@ -37,7 +37,34 @@ class NessusAnalyzer(Analyzer):
            summary["medium"]   = count[2]
            summary["high"]     = count[3]
            summary["critical"] = count[4]
-        return summary
+
        taxonomies = []
        level = "info"
        namespace = "Nessus"
        predicate = "Info"
        value = "\"0\""
        if summary["info"] > 0:
            value = summary["info"]
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        if summary["low"] >0:
            value = summary["low"]
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        if summary["medium"] >0:
            value = summary["medium"]
            level = "suspicious"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        if summary["high"] > 0:
            value = summary["high"]
            level = "suspicious"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        if summary["critical"] >0:
            value = summary["critical"]
            level = "malicious"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        Analyzer.run(self)
@ -51,7 +78,10 @@ class NessusAnalyzer(Analyzer):
            if self.data_type == 'fqdn':
                address = IPAddress(socket.gethostbyname(data))
            else:
                try:
                    address = IPAddress(data)
                except Exception as e:
                    self.error("{}".format(e))
            if not any(address in IPNetwork(network)
                for network in self.allowed_networks):
                self.error('Invalid target: not in any allowed network')
--- a/analyzers/OTXQuery/OTXQuery.json
+++ b/analyzers/OTXQuery/OTXQuery.json
@ -1,6 +1,6 @@
 {
    "name": "OTXQuery",
-    "version": "1.0",
+    "version": "2.0",
    "author": "Eric Capuano",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/OTXQuery/otxquery.py
+++ b/analyzers/OTXQuery/otxquery.py
@ -154,9 +154,14 @@ class OTXQueryAnalyzer(Analyzer):
            self.error('API Error! Please verify data type is correct.')
    def summary(self, raw):
-        return {
+        taxonomies = []
-            "pulse_count": raw["pulse_count"]
+        level = "info"
-        }
+        namespace = "OTX"
        predicate = "Pulses"
        value = "\"{}\"".format(raw["pulse_count"])
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        Analyzer.run(self)
--- a/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Enrichment",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Malware.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Malware.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Malware",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Osint.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Osint.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Osint",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Passive_Dns",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Ssl_Certificate_Details",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Ssl_Certificate_History",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Unique_Resolutions",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
@ -1,6 +1,6 @@
 {
    "name": "PassiveTotal_Whois_Details",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PassiveTotal/passivetotal_analyzer.py
+++ b/analyzers/PassiveTotal/passivetotal_analyzer.py
@ -17,58 +17,90 @@ class PassiveTotalAnalyzer(Analyzer):
        self.api_key = self.getParam('config.key', None, 'PassiveTotal API key is missing')
    def summary(self, raw):
-        result = {
+        taxonomies = []
-            'service': self.service,
+        level = "info"
-            'dataType': self.data_type
+        namespace = "PT"
-        }
+        predicate = "Service"
        value = "\"False\""
        result = {}
        # malware service
        if self.service == 'malware':
            predicate = "Malware"
            if 'results' in raw and raw['results']:
                result['malware'] = True
                level = "malicious"
            else:
                result['malware'] = False
                level = "safe"
            value = "\"{}\"".format(result['malware'])
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        # osint service
        elif self.service == 'osint':
            predicate = "OSINT"
            if 'results' in raw and raw['results']:
                result['osint'] = True
            else:
                result['osint'] = False
            value = "\"{}\"".format(result['osint'])
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        # passive dns service
        elif self.service == 'passive_dns':
-            if 'firstSeen' in raw and raw['firstSeen']:
+            predicate = "PassiveDNS"
                result['firstSeen'] = raw['firstSeen']
            if 'lastSeen' in raw and raw['lastSeen']:
                result['lastSeen'] = raw['lastSeen']
            if 'totalRecords' in raw and raw['totalRecords']:
                result['total'] = raw['totalRecords']
            else:
                result['total'] = 0
            if result['total'] < 2:
                value = "\"{} record\"".format(result['total'])
            else:
                value = "\"{} records\"".format(result['total'])
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        # ssl certificate details service
        elif self.service == 'ssl_certificate_details':
            predicate = "SSL"
            if 'sha1' in raw:
                result['ssl'] = True
-
+            else:
                result['ssl'] = False
            value = "\"{}\"".format(result['ssl'])
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        # ssl certificate history service
        elif self.service == 'ssl_certificate_history':
            predicate = "SSLCertHistory"
            if 'results' in raw and raw['results']:
                result['ssl'] = True
                result['total'] = len(raw['results'])
                value = "\"{} record(s)\"".format(result['total'])
                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        # unique resolutions service
        elif self.service == 'unique_resolutions':
            predicate = "UniqueResolution"
            if 'total' in raw:
                result['total'] = raw['total']
                value = "\"{} record(s)\"".format(result['total'])
                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        # whois details service
        elif self.service == 'whois_details':
            predicate = "Whois"
            if 'registrant' in raw and 'organization' in raw['registrant'] and raw['registrant']['organization']:
                result['registrant'] = raw['registrant']['organization']
-            elif 'registrant' in raw and 'name' in raw['registrant'] and raw['registrant']['name']:
+                value = "\"REGISTRANT: {}\"".format(result['registrant'])
-                result['registrant'] = raw['registrant']['name']
+                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
            if 'registrar' in raw and raw['registrar']:
                result['registrar'] = raw['registrar']
                value = "\"REGISTRAR: {}\"".format(result['registrar'])
                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
-        return result
+        return {"taxonomies":taxonomies}
    def run(self):
        Analyzer.run(self)
--- a/analyzers/PhishTank/PhishTank_CheckURL.json
+++ b/analyzers/PhishTank/PhishTank_CheckURL.json
@ -1,6 +1,6 @@
 {
    "name": "PhishTank_CheckURL",
-    "version": "1.0",
+    "version": "2.0",
    "author": "Eric Capuano",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PhishTank/phishtank_checkurl.py
+++ b/analyzers/PhishTank/phishtank_checkurl.py
@ -19,17 +19,30 @@ class phishtankAnalyzer(Analyzer):
                                    'Missing PhishTank API key')
    def phishtank_checkurl(self, data):
    	#debug('>> phishtank_checkurl ' + str(data))
        url = 'http://checkurl.phishtank.com/checkurl/'
        postdata = {'url': data, 'format':'json','app_key': self.phishtank_key}
        r = requests.post(url, data=postdata)
        return json.loads(r.content)
    def summary(self, raw):
-        if ('in_database' in raw) :
+        taxonomies = []
-            return {'in_database':raw['in_database'],
+        value = "\"False\""
-            'verified':raw['verified'],
+        level = ""
-            'verified_at':raw['verified_at']}
+
        if 'in_database' in raw and raw['in_database'] == "True":
            value = "\"{}\"".format(raw['in_database'])
            if raw.get('verified'):
                level = "malicious"
            else:
                level = "suspicious"
        else:
            level = "safe"
            value = "\"False\""
        taxonomies.append(self.build_taxonomy(level, "PhishTank", "In_Database", value))
        result = {"taxonomies":taxonomies}
        return result
    def run(self):
        if self.service == 'query':
--- a/analyzers/PhishingInitiative/PhishingInitiative_Lookup.json
+++ b/analyzers/PhishingInitiative/PhishingInitiative_Lookup.json
@ -1,6 +1,6 @@
 {
    "name": "PhishingInitiative_Lookup",
-    "version": "1.0",
+    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/PhishingInitiative/phishinginitiative_lookup.py
+++ b/analyzers/PhishingInitiative/phishinginitiative_lookup.py
@ -12,9 +12,18 @@ class phishinginitiativeAnalyzer(Analyzer):
                                    'Missing PhishingInitiative API key')
    def summary(self,raw):
-        return {
+        taxonomies = []
-            "status": raw["tag_label"]
+        level = "safe"
-        }
+        namespace = "PhishingInitiative"
        predicate = "Status"
        value = "\"Clean\""
        if raw["tag_label"] == "phishing":
            level = "malicious"
            value = "\"{}\"".format(raw["tag_label"])
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        Analyzer.run(self)
--- a/analyzers/VMRay/VMRay.json
+++ b/analyzers/VMRay/VMRay.json
@ -3,7 +3,7 @@
    "license": "AGPL-V3", 
    "author": "Nils Kuhnert, CERT-Bund",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "VMRay",
    "config": {
        "cert": false,
--- a/analyzers/VMRay/vmray.py
+++ b/analyzers/VMRay/vmray.py
@ -42,19 +42,48 @@ class VMRayAnalyzer(Analyzer):
            self.error('Data type currently not supported')
    def summary(self, raw):
-        result = {
+
        taxonomies = []
        level = "info"
        namespace = "VMRay"
        predicate = "Scan"
        value = "\"0\""
        r = {
            'reports': []
        }
        if raw.get('scanreport', None) and len(raw.get('scanreport').get('data')) > 0:
            for scan in raw.get('scanreport').get('data'):
-                result['reports'].append({
+                r['reports'].append({
                    'score': scan.get('sample_score'),
                    'sample_severity': scan.get('sample_severity'),
                    'sample_last_reputation_severity': scan.get('sample_last_reputation_severity'),
                    'url': scan.get('sample_webif_url')
                })
-        return result
+
        if len(r["reports"]) == 0:
            value = "\"No Scan\""
            level = "info"
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        else:
            for s in r["reports"]:
                i = 1
                if s["sample_severity"] == "not_suspicious":
                    level = "safe"
                elif s["sample_severity"] == "malicious":
                    level = "malicious"
                else:
                    level = "info"
                if r["reports"] > 1:
                    value = "\"{}( from scan {})\"".format(s["score"], i)
                else:
                    value = "{}".format(s["score"])
                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
                i += 1
        return {"taxonomies": taxonomies}
 if __name__ == '__main__':
    VMRayAnalyzer().run()
--- a/analyzers/VirusTotal/VirusTotal_GetReport.json
+++ b/analyzers/VirusTotal/VirusTotal_GetReport.json
@ -1,6 +1,6 @@
 {
    "name": "VirusTotal_GetReport",
-    "version": "2.0",
+    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/VirusTotal/VirusTotal_Scan.json
+++ b/analyzers/VirusTotal/VirusTotal_Scan.json
@ -1,6 +1,6 @@
 {
    "name": "VirusTotal_Scan",
-    "version": "2.0",
+    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
--- a/analyzers/VirusTotal/virustotal.py
+++ b/analyzers/VirusTotal/virustotal.py
@ -64,6 +64,12 @@ class VirusTotalAnalyzer(Analyzer):
            self.error('Scan not found')
    def summary(self, raw):
        taxonomies = []
        level = "info"
        namespace = "VT"
        predicate = "Score"
        value = "\"0\""
        result = {
            "has_result": True
        }
@ -80,18 +86,41 @@ class VirusTotalAnalyzer(Analyzer):
        if self.service == "get":
            if("scans" in raw):
                result["scans"] = len(raw["scans"])
                value = "\"{}/{}\"".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"
            if("resolutions" in raw):
                result["resolutions"] = len(raw["resolutions"])
-
+                value = "\"{} resolution(s)\"".format(result["resolutions"])
                if result["resolutions"] == 0:
                    level = "safe"
                elif result["resolutions"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"
            if("detected_urls" in raw):
                result["detected_urls"] = len(raw["detected_urls"])
                value = "\"{} detected_url(s)\"".format(result["detected_urls"])
                if result["detected_urls"] == 0:
                    level = "safe"
                elif result["detected_urls"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"
            if("detected_downloaded_samples" in raw):
                result["detected_downloaded_samples"] = len(
                    raw["detected_downloaded_samples"])
-        return result
+
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        Analyzer.run(self)
--- a/analyzers/Virusshare/Virusshare.json
+++ b/analyzers/Virusshare/Virusshare.json
@ -3,7 +3,7 @@
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "Virusshare",
    "config": {},
    "description": "Search for MD5 hashes in Virusshare.com hash list",
--- a/analyzers/Virusshare/virusshare.py
+++ b/analyzers/Virusshare/virusshare.py
@ -21,7 +21,24 @@ class VirusshareAnalyzer(Analyzer):
        self.filelist = os.listdir(self.path)
    def summary(self, raw):
-        return {'isonvs': raw["isonvs"]}
+        taxonomies = []
        level = "safe"
        namespace = "Virusshare"
        predicate = "Search"
        value = "\"Unknown\""
        if raw["isonvs"]:
            if raw["isonvs"] == "Unknown":
                value = "\"Not MD5\""
                level = "suspicious"
            else:
                value = "\"Found\""
                level = "malicious"
        else:
            value = "\"Not Found\""
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {'taxonomies': taxonomies}
    def run(self):
        searchhash = ''
--- a/analyzers/Yara/Yara.json
+++ b/analyzers/Yara/Yara.json
@ -3,7 +3,7 @@
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
    "baseConfig": "Yara",
    "config": {},
    "description": "Check files against YARA rules",
--- a/analyzers/Yara/yara_analyzer.py
+++ b/analyzers/Yara/yara_analyzer.py
@ -1,5 +1,8 @@
 #!/usr/bin/env python
 # encoding: utf-8
 from cortexutils.analyzer import Analyzer
 import os
 import yara
@ -45,7 +48,19 @@ class YaraAnalyzer(Analyzer):
        return result
    def summary(self, raw):
-        return {"matches":len(raw["results"])}
+        taxonomies = []
        level = "info"
        namespace = "Yara"
        predicate = "Match"
        value = "\"{} rule(s)\"".format(len(raw["results"]))
        if len(raw["results"]) == 0:
            level = "safe"
        else:
            level = "malicious"
        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}
    def run(self):
        if self.data_type == 'file':
--- a/contrib/cortexutils/analyzer.py
+++ b/contrib/cortexutils/analyzer.py
@ -74,6 +74,7 @@ class Analyzer:
            os.environ['https_proxy'] = self.https_proxy
    def __set_encoding(self):
        try:
            if sys.stdout.encoding != 'UTF-8':
                if sys.version_info[0] == 3:
                    sys.stdout = codecs.getwriter('utf-8')(sys.stdout.buffer, 'strict')
@ -84,6 +85,8 @@ class Analyzer:
                    sys.stderr = codecs.getwriter('utf-8')(sys.stderr.buffer, 'strict')
                else:
                    sys.stderr = codecs.getwriter('utf-8')(sys.stderr, 'strict')
        except:
            pass
    def __get_param(self, source, name, default=None, message=None):
        """Extract a specific parameter from given source.
@ -119,7 +122,6 @@ class Analyzer:
        :return: Data (observable value) given through Cortex"""
        return self.get_param('data', None, 'Missing data field')
    def get_param(self, name, default=None, message=None):
        """Just a wrapper for Analyzer.__get_param.
        :param name: Name of the parameter to get. JSON-like syntax, e.g. `config.username`
@ -128,6 +130,21 @@ class Analyzer:
        return self.__get_param(self.__input, name, default, message)
    def build_taxonomy(self, level, namespace, predicate, value):
        """
        :param level: info, safe, suspicious or malicious
        :param namespace: Name of analyzer
        :param predicate: Name of service
        :param value: value
        :return: dict
        """
        return {
                'level': level,
                'namespace': namespace,
                'predicate': predicate,
                'value': value
                }
    def summary(self, raw):
        """Returns a summary, needed for 'short.html' template. Overwrite it for your needs!
--- a/contrib/setup.py
+++ b/contrib/setup.py
@ -2,7 +2,7 @@ from setuptools import setup
 setup(
    name='cortexutils',
-    version='1.1.1',
+    version='1.2.0',
    description='A Python library for including utility classes for Cortex analyzers',
    long_description=open('README').read(),
    author='TheHive-Project',
@ -21,6 +21,7 @@ setup(
        'Topic :: Security',
        'Topic :: Software Development :: Libraries :: Python Modules'],
    py_modules=[
        'future',
        'cortexutils.analyzer',
        'cortexutils.extractor'
    ],
--- a/thehive-templates/Abuse_Finder_2_0/long.html
+++ b/thehive-templates/Abuse_Finder_2_0/long.html
--- a/thehive-templates/Abuse_Finder_2_0/short.html
+++ b/thehive-templates/Abuse_Finder_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/CERTatPassiveDNS_2_0/long.html
+++ b/thehive-templates/CERTatPassiveDNS_2_0/long.html
@ -0,0 +1,52 @@
 <div class="panel panel-info" ng-if="success">
 	<div class="panel-heading">
 		CERT.at Passive DNS Report
 	</div>
 	<div class="panel-body">
        <p ng-if="content.results.length == 0">
            No result found.
        </p>
        <table class="table" ng-if="content.results">
            <thead>
                <th>Count</th>
                <th>rrtype</th>
                <th>data</th>
                <th>First time</th>
                <th>Last time</th>
            </thead>
            <tbody ng-repeat="r in content.results | orderBy:'-seenlast'">
                <tr>
                    <td>{{r.countrequested}}</td>
                    <td>{{r.rrtype}}</td>
                    <td ng-if="r.rrtype !== 'SOA' ">
                        {{r.rraddress || r.rrdname}}
                    </td>
                    <td ng-if="r.rrtype == 'SOA'">
                        <p>primary: {{r.rrprimary}}</p>
                        <p>hostmaster: {{r.rrhostmaster}}</p>
                        <p>serial: {{r.rrserial}}</p>
                        <p>refresh: {{r.rrrefresh}}</p>
                        <p>retry: {{r.rrretry}}</p>
                        <p>expire: {{r.rrexpire}}</p>
                        <p>minimum: {{r.rrminimum}}</p>
                    </td>
                    <td>{{r.seenfirst}}</td>
                    <td>{{r.seenlast}}</td>
                </tr>
            </tbody>
        </table>
 	</div>
 </div>
 <div class="panel panel-danger" ng-if="!success">
 	<div class="panel-heading">
 		CERT.at Passive DNS Report <b>Error</b>
 	</div>
 	<div class="panel-body">
 		<dl class="dl-horizontal">
 			<dt>Error: </dt>
 			<dd>{{content.errorMessage}}</dd>
 		</dl>
 	</div>
 </div>
--- a/thehive-templates/CERTatPassiveDNS_2_0/short.html
+++ b/thehive-templates/CERTatPassiveDNS_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/CIRCLPassiveDNS_1_0/short.html
+++ b/thehive-templates/CIRCLPassiveDNS_1_0/short.html
@ -1 +0,0 @@
 <span ng-if="content" class="label label-info">CIRCL:PassiveDNS= {{content.hits}} hits</span>&nbsp;
--- a/thehive-templates/CIRCLPassiveDNS_2_0/long.html
+++ b/thehive-templates/CIRCLPassiveDNS_2_0/long.html
--- a/thehive-templates/CIRCLPassiveDNS_2_0/short.html
+++ b/thehive-templates/CIRCLPassiveDNS_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/CIRCLPassiveSSL_1_0/short.html
+++ b/thehive-templates/CIRCLPassiveSSL_1_0/short.html
@ -1,4 +0,0 @@
 <span ng-if="success">
    <span class="label label-info" ng-if="content.num_ips_used_cert >= 0">CIRCL:PassiveSSL= {{content.num_ips_used_cert}} IPs used that certificate</span>&nbsp;
    <span class="label label-info" ng-if="content.num_certs_by_ip >= 0">CIRCL:PassiveSSL= {{content.num_certs_by_ip}} different certificates on IP<span>&nbsp;
 </span>&nbsp;
--- a/thehive-templates/CIRCLPassiveSSL_2_0/long.html
+++ b/thehive-templates/CIRCLPassiveSSL_2_0/long.html
--- a/thehive-templates/CIRCLPassiveSSL_2_0/short.html
+++ b/thehive-templates/CIRCLPassiveSSL_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/DNSDB_DomainName_1_1/short.html
+++ b/thehive-templates/DNSDB_DomainName_1_1/short.html
@ -1 +0,0 @@
 <span ng-if="content.records" class="label label-info">DNSDB:Domain Name= {{content.records}} records</span>
--- a/thehive-templates/DNSDB_DomainName_2_0/long.html
+++ b/thehive-templates/DNSDB_DomainName_2_0/long.html
--- a/thehive-templates/DNSDB_DomainName_2_0/short.html
+++ b/thehive-templates/DNSDB_DomainName_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>&nbsp;
--- a/thehive-templates/DNSDB_IPHistory_1_0/short.html
+++ b/thehive-templates/DNSDB_IPHistory_1_0/short.html
@ -1 +0,0 @@
 <span ng-if="content.records" class="label label-info">DNSDB:IP History= {{content.records}} records</span>
--- a/thehive-templates/DNSDB_IPHistory_2_0/long.html
+++ b/thehive-templates/DNSDB_IPHistory_2_0/long.html
--- a/thehive-templates/DNSDB_IPHistory_2_0/short.html
+++ b/thehive-templates/DNSDB_IPHistory_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/DNSDB_NameHistory_1_0/short.html
+++ b/thehive-templates/DNSDB_NameHistory_1_0/short.html
@ -1 +0,0 @@
 <span ng-if="content.records" class="label label-info">DNSDB:Name History= {{content.records}} records</span>
--- a/thehive-templates/DNSDB_NameHistory_2_0/long.html
+++ b/thehive-templates/DNSDB_NameHistory_2_0/long.html
--- a/thehive-templates/DNSDB_NameHistory_2_0/short.html
+++ b/thehive-templates/DNSDB_NameHistory_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/DomainTools_ReverseIP_1_0/short.html
+++ b/thehive-templates/DomainTools_ReverseIP_1_0/short.html
@ -1 +0,0 @@
 <span ng-if="content.ip.address || content.ip.domain_count" class="label label-info">DT:ReverseIP={{content.ip.address}}: {{content.ip.domain_count}} domains found</span>
--- a/thehive-templates/DomainTools_ReverseIP_2_0/long.html
+++ b/thehive-templates/DomainTools_ReverseIP_2_0/long.html
--- a/thehive-templates/DomainTools_ReverseIP_2_0/short.html
+++ b/thehive-templates/DomainTools_ReverseIP_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/DomainTools_ReverseNameServer_1_0/short.html
+++ b/thehive-templates/DomainTools_ReverseNameServer_1_0/short.html
@ -1 +0,0 @@
 <span ng-if="content.name_server" class="label label-info">DT:ReverseNameServer= {{content.name_server}}, {{content.domain_count}} domains</span>
--- a/thehive-templates/DomainTools_ReverseNameServer_2_0/long.html
+++ b/thehive-templates/DomainTools_ReverseNameServer_2_0/long.html
--- a/thehive-templates/DomainTools_ReverseNameServer_2_0/short.html
+++ b/thehive-templates/DomainTools_ReverseNameServer_2_0/short.html
@ -0,0 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
    {{t.namespace}}:{{t.predicate}}={{t.value}}
 </span>
--- a/thehive-templates/DomainTools_ReverseWhois_1_0/short.html
+++ b/thehive-templates/DomainTools_ReverseWhois_1_0/short.html
@ -1,3 +0,0 @@
 <span ng-if="content.domain_count.current || content.domain_count.historic" class="label label-info">
    DT:ReverseWhois= curr:{{content.domain_count.current}}/hist:{{content.domain_count.historic}} domains found
 </span>
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`#!/usr/bin/env bash`
							`whois -h pdns.cert.at " $1"`
		`@ -1 +0,0 @@`
			`<span ng-if="content" class="label label-info">CIRCL:PassiveDNS= {{content.hits}} hits</span> `
		`@ -1 +0,0 @@`
			`<span ng-if="content.records" class="label label-info">DNSDB:Domain Name= {{content.records}} records</span>`
		`@ -1 +0,0 @@`
			`<span ng-if="content.ip.address \|\| content.ip.domain_count" class="label label-info">DT:ReverseIP={{content.ip.address}}: {{content.ip.domain_count}} domains found</span>`
		`@ -1 +0,0 @@`
			`<span ng-if="content.name_server" class="label label-info">DT:ReverseNameServer= {{content.name_server}}, {{content.domain_count}} domains</span>`