From c10ac23a36367e9e23480f40d257398ad8f49b59 Mon Sep 17 00:00:00 2001
From: Jerome Leonard
Date: Tue, 20 Jun 2017 08:57:07 +0200
Subject: [PATCH] #56 Phishtank() and short reports + bump version
---
 analyzers/PhishTank/PhishTank_CheckURL.json | 2 +-
 analyzers/PhishTank/phishtank_checkurl.py | 15 ++++++++++++---
 .../PhishTank_CheckURL_1_0/short.html | 14 --------------
 .../long.html | 0
 .../PhishTank_CheckURL_2_0/short.html | 3 +++
 5 files changed, 16 insertions(+), 18 deletions(-)
 delete mode 100644 thehive-templates/PhishTank_CheckURL_1_0/short.html
 rename thehive-templates/{PhishTank_CheckURL_1_0 => PhishTank_CheckURL_2_0}/long.html (100%)
 create mode 100644 thehive-templates/PhishTank_CheckURL_2_0/short.html
diff --git a/analyzers/PhishTank/PhishTank_CheckURL.json b/analyzers/PhishTank/PhishTank_CheckURL.json
index 11c24a7..2f90cc5 100644
--- a/analyzers/PhishTank/PhishTank_CheckURL.json
+++ b/analyzers/PhishTank/PhishTank_CheckURL.json
@@ -1,6 +1,6 @@
 {
 "name": "PhishTank_CheckURL",
- "version": "1.0",
+ "version": "2.0",
 "author": "Eric Capuano",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PhishTank/phishtank_checkurl.py b/analyzers/PhishTank/phishtank_checkurl.py
index 2e6b80e..a346db5 100755
--- a/analyzers/PhishTank/phishtank_checkurl.py
+++ b/analyzers/PhishTank/phishtank_checkurl.py
@@ -26,10 +26,19 @@ class phishtankAnalyzer(Analyzer):
 return json.loads(r.content)
 def summary(self,raw):
+
+ taxonomy = {"level": "safe", "namespace": "PhishTank", "predicate": "In_Database", "value": "False"}
+ taxonomies = []
+
 if ('in_database' in raw) :
- return {'in_database':raw['in_database'],
- 'verified':raw['verified'],
- 'verified_at':raw['verified_at']}
+ taxonomy['value'] = "\"{}\"".format(raw['in_database'])
+ if raw['verified']:
+ taxonomy['level'] = "malicious"
+ else:
+ taxonomy['level'] = "suspicious"
+ taxonomies.append(taxonomy)
+ return {"taxonomies":taxonomies}
+
 def run(self):
 if self.service == 'query':
diff --git a/thehive-templates/PhishTank_CheckURL_1_0/short.html b/thehive-templates/PhishTank_CheckURL_1_0/short.html
deleted file mode 100644
index b90f191..0000000
--- a/thehive-templates/PhishTank_CheckURL_1_0/short.html
+++ /dev/null
@@ -1,14 +0,0 @@
-
-
-
- PhishTank:
-
- {{millis | amDurationFormat : 'milliseconds'}}
-
-
-
- PhishTank: {{content.in_database}} 
-
-
-
-
diff --git a/thehive-templates/PhishTank_CheckURL_1_0/long.html b/thehive-templates/PhishTank_CheckURL_2_0/long.html
similarity index 100%
rename from thehive-templates/PhishTank_CheckURL_1_0/long.html
rename to thehive-templates/PhishTank_CheckURL_2_0/long.html
diff --git a/thehive-templates/PhishTank_CheckURL_2_0/short.html b/thehive-templates/PhishTank_CheckURL_2_0/short.html
new file mode 100644
index 0000000..563ca58
--- /dev/null
+++ b/thehive-templates/PhishTank_CheckURL_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
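Review bot: In `summary`, the level is derived from `raw['verified']` whenever the `in_database` key is present, not when its value is true, so a lookup whose result carries `in_database` as false would still be reported as suspicious or malicious, and `raw['verified']` raises KeyError if that key is absent from such a response (the removed code had the same unconditional access). Guarding on the value fixes both: `if raw.get('in_database'):` followed by `taxonomy['level'] = "malicious" if raw.get('verified') else "suspicious"`. The default taxonomy is also emitted as `"safe"` when the key is missing entirely, which presumably covers error or malformed responses; if so, a neutral level (`"info"`) or raising would avoid presenting an unknown result as safe. Separately, `value` is the bare string `"False"` by default but a quoted `"\"True\""` once set, so the two branches format inconsistently; `str(raw['in_database'])` in both would align them. `run` continues outside the hunk.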