From aff272654557360b986f6a48d679ccdf02d68de2 Mon Sep 17 00:00:00 2001
From: originalsouth <mail2benny@gmail.com>
Date: Tue, 21 Nov 2023 11:26:15 +0100
Subject: [PATCH] Fix/2037 kat nmap normalizer (#2038)

---
 boefjes/boefjes/plugins/kat_nmap/normalize.py |  4 +-
 boefjes/tests/examples/raw/nmap_mispoes.xml   | 39 +++++++++++++++++++
 boefjes/tests/test_nmap.py                    | 20 ++++++++++
 3 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 boefjes/tests/examples/raw/nmap_mispoes.xml

diff --git a/boefjes/boefjes/plugins/kat_nmap/normalize.py b/boefjes/boefjes/plugins/kat_nmap/normalize.py
index 63812596ebf..e6393297370 100644
--- a/boefjes/boefjes/plugins/kat_nmap/normalize.py
+++ b/boefjes/boefjes/plugins/kat_nmap/normalize.py
@@ -44,9 +44,7 @@ def get_ip_ports_and_service(host: NmapHost, network: Network, netblock: Referen
             yield ip_port
 
             service_name = service.service
-            if port == 80:
-                service_name = "http"
-            if port == 443:
+            if service_name == "http" and service.tunnel == "ssl":
                 service_name = "https"
 
             port_service = Service(name=service_name)
diff --git a/boefjes/tests/examples/raw/nmap_mispoes.xml b/boefjes/tests/examples/raw/nmap_mispoes.xml
new file mode 100644
index 00000000000..61b143ca602
--- /dev/null
+++ b/boefjes/tests/examples/raw/nmap_mispoes.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.94 scan initiated Wed Nov 15 15:30:01 2023 as: nmap -&#45;open -T4 -Pn -r -v10 -sV -sS -&#45;top-ports 250 -oX - 134.209.85.72 -->
+<nmaprun scanner="nmap" args="nmap -&#45;open -T4 -Pn -r -v10 -sV -sS -&#45;top-ports 250 -oX - 134.209.85.72" start="1700058601" startstr="Wed Nov 15 15:30:01 2023" version="7.94" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="250" services="1,3,7,9,13,17,19-26,33,37,42,53,79-82,88,100,106,110-111,113,119,135,139,143-144,161,179,199,222,254-255,264,280,311,389,407,427,443-445,464-465,497,500,512-515,543-544,548,554,563,587,593,625,631,636,646,787,808,873,888,902,990,992-993,995,999-1000,1022-1044,1048-1050,1053-1054,1056,1058-1059,1064-1066,1068-1069,1071,1074,1080,1110-1111,1218,1234,1352,1433,1494,1521,1700,1717,1720,1723,1755,1761,1801,1900,1935,1998,2000-2010,2049,2065,2103,2105,2107,2121,2161,2301,2383,2401,2601-2602,2701,2717,2869,2967,3000-3001,3052,3128,3260,3268-3269,3306,3389,3689-3690,3703,3986,4000-4001,4045,4444,4662,4899,5000-5001,5003,5009,5050-5051,5060,5101,5120,5190,5357,5432,5550,5555,5631,5666,5800-5801,5900-5901,6000-6002,6004,6112,6543,6646,6666,7000-7001,7019,7070,7100,7937-7938,8000,8002,8008-8010,8031,8080-8082,8443,8888,9000-9001,9090,9100,9102,9999-10001,10010,15000,32768,32770-32772,42510,49152-49157,50000-50001"/>
+<verbose level="10"/>
+<debugging level="0"/>
+<taskbegin task="Parallel DNS resolution of 1 host." time="1700058602"/>
+<taskend task="Parallel DNS resolution of 1 host." time="1700058602"/>
+<taskbegin task="SYN Stealth Scan" time="1700058602"/>
+<taskend task="SYN Stealth Scan" time="1700058604" extrainfo="250 total ports"/>
+<taskbegin task="Service scan" time="1700058604"/>
+<taskend task="Service scan" time="1700058616" extrainfo="5 services on 1 host"/>
+<taskbegin task="NSE" time="1700058616"/>
+<taskend task="NSE" time="1700058616"/>
+<taskbegin task="NSE" time="1700058616"/>
+<taskend task="NSE" time="1700058616"/>
+<host starttime="1700058602" endtime="1700058616"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="134.209.85.72" addrtype="ipv4"/>
+<hostnames>
+</hostnames>
+<ports><extraports state="filtered" count="242">
+<extrareasons reason="no-response" count="242" proto="tcp" ports="1,3,7,9,13,17,19-21,24-26,33,37,42,79,81-82,88,100,106,111,113,119,135,139,144,161,179,199,222,254-255,264,280,311,389,407,427,444-445,464-465,497,500,512-515,543-544,548,554,563,587,593,625,631,636,646,787,808,873,888,902,990,992-993,995,999-1000,1022-1044,1048-1050,1053-1054,1056,1058-1059,1064-1066,1068-1069,1071,1074,1080,1110-1111,1218,1234,1352,1433,1494,1521,1700,1717,1720,1723,1755,1761,1801,1900,1935,1998,2000-2010,2049,2065,2103,2105,2107,2121,2161,2301,2383,2401,2601-2602,2701,2717,2869,2967,3000-3001,3052,3128,3260,3268-3269,3389,3689-3690,3703,3986,4000-4001,4045,4444,4662,4899,5000-5001,5003,5009,5050-5051,5060,5101,5120,5190,5357,5432,5550,5555,5631,5666,5800-5801,5900-5901,6000-6002,6004,6112,6543,6646,6666,7000-7001,7019,7070,7100,7937-7938,8000,8002,8008-8010,8031,8080-8082,8443,8888,9000-9001,9090,9100,9102,9999-10001,10010,15000,32768,32770-32772,42510,49152-49157,50000-50001"/>
+</extraports>
+<extraports state="closed" count="3">
+<extrareasons reason="reset" count="3" proto="tcp" ports="23,110,143"/>
+</extraports>
+<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="ssh" product="OpenSSH" version="8.4p1 Debian 5+deb11u2" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.4p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
+<port protocol="tcp" portid="53"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="domain" product="ISC BIND" version="9.16.44" extrainfo="Debian Linux" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:isc:bind:9.16.44</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
+<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="http" product="nginx" version="1.18.0" method="probed" conf="10"><cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe></service></port>
+<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl" method="probed" conf="10"><cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe></service></port>
+<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="mysql" product="MySQL" extrainfo="unauthorized" method="probed" conf="10"><cpe>cpe:/a:mysql:mysql</cpe></service></port>
+</ports>
+<times srtt="23541" rttvar="5460" to="100000"/>
+</host>
+<runstats><finished time="1700058616" timestr="Wed Nov 15 15:30:16 2023" summary="Nmap done at Wed Nov 15 15:30:16 2023; 1 IP address (1 host up) scanned in 15.03 seconds" elapsed="15.03" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>
diff --git a/boefjes/tests/test_nmap.py b/boefjes/tests/test_nmap.py
index e4a16cf41a7..64996a32277 100644
--- a/boefjes/tests/test_nmap.py
+++ b/boefjes/tests/test_nmap.py
@@ -1,6 +1,10 @@
 from unittest import TestCase
 
+from boefjes.job_handler import serialize_ooi
 from boefjes.plugins.kat_nmap.main import Protocol, build_nmap_arguments
+from boefjes.plugins.kat_nmap.normalize import run
+from octopoes.models.ooi.network import IPAddressV4, Network
+from tests.loading import get_boefje_meta, get_dummy_data, get_normalizer_meta
 
 
 class NmapTest(TestCase):
@@ -163,3 +167,19 @@ def test_nmap_arguments_udp_top250_ipv6(self):
             ],
             args,
         )
+
+    def test_normalizer(self):
+        input_ooi = IPAddressV4(network=Network(name="internet").reference, address="134.209.85.72")
+        boefje_meta = get_boefje_meta(input_ooi=input_ooi.reference)
+        boefje_meta.arguments["input"] = serialize_ooi(input_ooi)
+        output = list(run(get_normalizer_meta(boefje_meta), get_dummy_data("raw/nmap_mispoes.xml")))
+        self.assertEqual(17, len(output))
+        for i, out in enumerate(output[:-1]):
+            if out.object_type == "IPPort" and output[i + 1].object_type == "Service":
+                if out.port == 80:
+                    self.assertEqual("http", output[i + 1].name)
+                elif out.port == 443:
+                    self.assertEqual("https", output[i + 1].name)
+                else:
+                    self.assertNotEqual("http", output[i + 1].name)
+                    self.assertNotEqual("https", output[i + 1].name)