Service name inference by port in kat_nmap normalizer

[originalsouth]

Question regarding the following lines of code:

nl-kat-coordination/boefjes/boefjes/plugins/kat_nmap/normalize.py

Lines 46 to 50 in 56c8004

	service_name = service.service
	if port == 80:
	service_name = "http"
	if port == 443:
	service_name = "https"

Suppose one places a ssh server behind port 80 or port 443, do we really want to report http or https respectively?
Perhaps there are considerations for this behavior?

[noamblitz]

No, then it should not be overwritten bij http or https. I remember a thing where nmap would identify services like http-web instead of http. Maybe this was implemented to overwrite those...?

[originalsouth]

No, then it should not be overwritten bij http or https. I remember a thing where nmap would identify services like http-web instead of http. Maybe this was implemented to overwrite those...?

Could very well be, nmap reports the following http type service names:

http
http-ocsp
http-proxy
http-proxy-ctrl
kazaa-http
ncacn_http
ntop-http
ssl/http
vnc-http

We could opt for a simplified re-classification where suited?
For instance:

http           -> http
http-proxy     -> http
ssl/http       -> https

See this comment for more background.

[noamblitz]

Sounds better to me

[originalsouth]

Addressed in 78a830e.

It is better to use tunnel type in stead of service name as that is the format used in the XML output (rather than the standard output).