**Describe the bug**
No long or short reports from the Shodan analyzer (Shodan_InfoDomain_1_0).
**To Reproduce**

Steps to reproduce the behavior:
- Enable and configure the Shodan_InfoDomain_1_0 analyzer
- Create a test case with a domain observable for "google.com"
- Run the Shodan_InfoDomain_1_0 analyzer on the google.com observable. No short report appears, and the long report is empty.
- Click on the observable and show the raw report. The raw report is not empty.
**Expected behavior**
Long and short reports display the correct information.
**Complementary information**

The problem occurs because of inconsistent references to the results object. When `self.service == 'info_domain'`, line 41 in `shodan_analyzer.py` sets `results` to a dictionary with a single key, `'info_domain'`:

```python
results = {'info_domain': self.shodan_client.info_domains(data)}
```

A few lines later, in the `summary()` function, there are multiple references to `raw['infos_domain']` on lines 60-70. There is no `'infos_domain'` key; only `'info_domain'`. Most likely an exception occurs, and no taxonomy objects are created.

The corresponding `long.html` template (`thehive-templates/Shodan_InfoDomain_1_0/long.html`) also references `content.infos_domain`. Since this name doesn't match the actual JSON, the report is empty.
**Work environment**

- Client OS: Windows
- Server OS: RHEL 7.8
- Browser type and version: Version 81.0.4044.113 (Official Build) (64-bit)
- Cortex version: 3.3.1-1
- Cortex Analyzer/Responder name: Shodan_InfoDomain_1_0
- Cortex Analyzer/Responder version: 1.0
**Possible solutions**

The simplest fix is to change `'info_domain'` on line 41 of `shodan_analyzer.py` to `'infos_domain'`, but whatever the solution, the code needs to be consistent.
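The following is an added example that models the key mismatch described under "Complementary information" and the consistency fix proposed above; it is not the analyzer's own code. The Shodan client is replaced by a constructed stub returning a hand-made payload, Cortex's `build_taxonomy()` is reduced to a plain dict, and the `long.html` fragment is a constructed snippet in the style of a Cortex template. The example shows the `KeyError` path that swallows the short report, a `summary()` that reads the same constant the result builder used and degrades gracefully when the key is absent, and a small check that flags `content.<key>` references in a template that the results object does not provide.

```python
import re

# One definition of the results key, shared by the result builder and summary().
# This is the consistency the issue asks for (the name itself is an assumption).
RESULT_KEY = "info_domain"

# Constructed Shodan-style payload; the shape is assumed and the real API returns more fields.
SAMPLE_INFO_DOMAIN = {
    "domain": "google.com",
    "subdomains": ["www", "mail"],
    "data": [
        {"subdomain": "www", "type": "A", "value": "192.0.2.1"},
        {"subdomain": "mail", "type": "MX", "value": "mail.example.invalid"},
    ],
}


def taxonomy(level, namespace, predicate, value):
    """Stand-in for Cortex's build_taxonomy(): a plain dict with the same four fields."""
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": value}


def run_info_domain(data, client=None):
    """Mirrors the service == 'info_domain' branch: wrap the client reply under one key."""
    client = client or (lambda _domain: SAMPLE_INFO_DOMAIN)
    return {RESULT_KEY: client(data)}


def summary_buggy(raw):
    """Reproduces the defect: reads 'infos_domain', a key run_info_domain() never sets."""
    info = raw["infos_domain"]  # KeyError here -> no taxonomies -> no short report
    return {"taxonomies": [taxonomy("info", "Shodan", "Domain", f"{len(info['data'])} records")]}


def buggy_summary_fails(raw):
    """True if summary_buggy() raises on the given results object (used to demonstrate the bug)."""
    try:
        summary_buggy(raw)
    except KeyError:
        return True
    return False


def summary_fixed(raw):
    """Reads the same constant the builder used and handles a missing key instead of raising."""
    info = raw.get(RESULT_KEY)
    if not info:
        return {"taxonomies": [taxonomy("info", "Shodan", "Domain", "no data")]}
    records = len(info.get("data", []))
    subdomains = len(info.get("subdomains", []))
    return {"taxonomies": [
        taxonomy("info", "Shodan", "Domain", f"{records} records / {subdomains} subdomains"),
    ]}


# Matches AngularJS-style bindings such as content.infos_domain in a Cortex long.html.
TEMPLATE_REFS = re.compile(r"\bcontent\.([A-Za-z_][A-Za-z0-9_]*)")


def template_keys_missing(template_text, results):
    """Top-level keys the template references that the results object does not contain."""
    referenced = set(TEMPLATE_REFS.findall(template_text))
    return sorted(referenced - set(results))


# Constructed fragment in the style of the analyzer's long.html (not the real file).
SAMPLE_LONG_HTML = """
<div class="panel-body" ng-if="content.infos_domain">
  <dl><dt>Domain</dt><dd>{{content.infos_domain.domain}}</dd></dl>
</div>
"""

if __name__ == "__main__":
    results = run_info_domain("google.com")
    print("buggy summary() raises KeyError:", buggy_summary_fails(results))
    print("fixed summary():", summary_fixed(results))
    print("template keys missing from results:", template_keys_missing(SAMPLE_LONG_HTML, results))
```

Running the block prints that the buggy `summary()` raises, that the fixed one produces a "2 records / 2 subdomains" taxonomy, and that the template references `infos_domain`, which the results object lacks. The template check is the kind of thing worth running across all `thehive-templates/*/long.html` files against a sample report, since a silent empty long report is exactly the symptom this issue describes.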
**Additional context**
None.