I'm again working with Nmap XML, and while my XSLT is improving... I'm constantly reminded of my current limitations.
An example of the Nmap XML,
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -sS -sV -O -p T:20-23,25-26,53,79-81,88,106,110-111,113,119,135-139,143-144,161-162,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,705,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,1993,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5354,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157,U:53,67,69,111,123,137-138,161-162,199,705,1993,5353 -oX - 192.168.100.1 192.168.100.3 192.168.100.5 192.168.100.6 192.168.100.7 192.168.100.8 192.168.100.9 192.168.100.10 192.168.100.13 192.168.100.15 192.168.100.16 192.168.100.17 192.168.100.18 192.168.100.20 192.168.100.21 192.168.100.24 192.168.100.25" start="1341847779" startstr="Mon Jul 9 11:29:39 2012" version="5.51.6" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" numservices="105" services="20-23,25-26,53,79-81,88,106,110-111,113,119,135-139,143-144,161-162,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,705,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,1993,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5354,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157"/>
<scaninfo type="udp" protocol="udp" numservices="13" services="53,67,69,111,123,137-138,161-162,199,705,1993,5353"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1341847779" endtime="1341854043">
<status state="up" reason="echo-reply"/>
<address addr="192.168.100.3" addrtype="ipv4"/>
<hostnames>
<hostname name="sub2.example.com" type="PTR"/>
</hostnames>
<ports>
<extraports state="filtered" count="102">
<extrareasons reason="no-responses" count="102"/>
</extraports>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="4.3" extrainfo="protocol 2.0" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="80">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="Apache httpd" version="2.2.3" extrainfo="(CentOS)" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="631">
<state state="closed" reason="reset" reason_ttl="64"/>
<service name="ipp" method="table" conf="3"/>
</port>
<port protocol="udp" portid="5353">
<state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="zeroconf" method="table" conf="3"/>
</port>
</ports>
<os>
<portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="631"/>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
<osmatch name="Linux 2.6.11 - 2.6.18" accuracy="100" line="30082"/>
</os>
<uptime seconds="3662901" lastboot="Mon May 28 03:46:31 2012"/>
<distance value="2"/>
<tcpsequence index="258" difficulty="Good luck!" values="E1B9999,E6F5E488,274272DD,94D932E2,B9CF9CA8,F7C309B"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="DA505426,DA50548C,DA5054F2,DA505558,DA5055BD,DA505621"/>
<times srtt="1424" rttvar="772" to="100000"/>
</host>
<host starttime="1341847779" endtime="1341854075">
<status state="up" reason="echo-reply"/>
<address addr="192.168.100.5" addrtype="ipv4"/>
<hostnames>
<hostname name="sub3.example.com" type="PTR"/>
</hostnames>
<ports>
<extraports state="filtered" count="100">
<extrareasons reason="no-responses" count="100"/>
</extraports>
<port protocol="tcp" portid="21">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ftp" product="ProFTPD" version="1.3.3c" ostype="Unix" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="4.3" extrainfo="protocol 2.0" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="80">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="Apache httpd" version="2.2.3" extrainfo="(CentOS)" method="probed" conf="10"/>
</port>
<port protocol="udp" portid="5353">
<state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="zeroconf" method="table" conf="3"/>
</port>
</ports>
<os>
<portused state="open" proto="tcp" portid="21"/>
<portused state="closed" proto="tcp" portid="631"/>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
<osmatch name="Linux 2.6.11 - 2.6.18" accuracy="100" line="30082"/>
</os>
<uptime seconds="2854295" lastboot="Wed Jun 6 12:23:17 2012"/>
<distance value="2"/>
<tcpsequence index="261" difficulty="Good luck!" values="D0B97175,E38B93CA,E038B6D0,E754B4D7,4F3B8565,2E948D89"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="AA1DFC6D,AA1DFCD3,AA1DFD39,AA1DFD9F,AA1DFE04,AA1DFE69"/>
<times srtt="1561" rttvar="679" to="100000"/>
</host>
<host starttime="1341847779" endtime="1341854050">
<status state="up" reason="echo-reply"/>
<address addr="192.168.100.6" addrtype="ipv4"/>
<hostnames>
<hostname name="sub4.example.com" type="PTR"/>
</hostnames>
<ports>
<extraports state="filtered" count="100">
<extrareasons reason="no-responses" count="100"/>
</extraports>
<port protocol="tcp" portid="21">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ftp" product="ProFTPD" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="4.3" extrainfo="protocol 2.0" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="80">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="Apache httpd" version="2.2.3" extrainfo="(CentOS)" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="443">
<state state="open" reason="syn-ack" reason_ttl="48"/>
<service name="http" product="Apache httpd" tunnel="ssl" method="probed" conf="10"/>
<script id="ssl-cert" output="Subject: commonName=sub4.example.comm Issuer: commonName=SSL CA/organizationName=SSL, Inc./countryName=US Public Key type: rsa Public Key bits: 2048 Not valid before: 2012-06-03 22:50:03 Not valid after: 2014-06-07 10:21:17 MD5: hexbits SHA-1: hexbits"/>
</port>
<port protocol="udp" portid="5353">
<state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="zeroconf" method="table" conf="3"/>
</port>
</ports>
<os>
<portused state="open" proto="tcp" portid="21"/>
<portused state="closed" proto="tcp" portid="631"/>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
<osmatch name="Linux 2.6.11 - 2.6.18" accuracy="100" line="30082"/>
</os>
<uptime seconds="2854295" lastboot="Wed Jun 6 12:23:17 2012"/>
<distance value="2"/>
<tcpsequence index="264" difficulty="Good luck!" values="D5B1C96,FE5DF509,C56A40B8,DF3C5676,63A52AF7,D9A58AAE"/>
<ipidsequence class="All zeros" values="0,0,0,0,0,0"/>
<tcptssequence class="1000HZ" values="AA1DFC6D,AA1DFCD3,AA1DFD39,AA1DFD9F,AA1DFE04,AA1DFE69"/>
<times srtt="1608" rttvar="697" to="100000"/>
</host>
<runstats>
<finished time="1341854092" timestr="Mon Jul 9 13:14:52 2012" elapsed="6314.31" summary="Nmap done at Mon Jul 9 13:14:52 2012; 25 IP addresses (5 hosts up) scanned in 156.31 seconds" exit="success"/>
<hosts up="119" down="29" total="148"/>
</runstats>
</nmaprun>
I'm iterating per host, and am having trouble with this particular attribute,
<script id="ssl-cert" output="Subject: commonName=sub4.example.comm Issuer: commonName=SSL CA/organizationName=SSL, Inc./countryName=US Public Key type: rsa Public Key bits: 2048 Not valid before: 2012-06-03 22:50:03 Not valid after: 2014-06-07 10:21:17 MD5: hexbits SHA-1: hexbits"/>
UPDATE
This is the altered XSL File, I was able to finish it. Please recommend any improvements, as I'm still learning XSL.
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="text" encoding="utf-8"/>
<xsl:strip-space elements="*"/>
<xsl:variable name="delimiter" select="','"/>
<xsl:template match="/nmaprun/host">
<xsl:value-of select="address[@addrtype='ipv4']/@addr"/>
<xsl:value-of select="$delimiter"/>
<xsl:apply-templates select="hostnames"/>
<xsl:value-of select="$delimiter"/>
<xsl:apply-templates select="os"/>
<xsl:value-of select="$delimiter"/>
<xsl:apply-templates select="ports"/>
<xsl:text> </xsl:text>
</xsl:template>
<xsl:template match="hostnames">
<xsl:value-of select="hostname[@type='PTR']/@name"/>
</xsl:template>
<xsl:template match="os">
<xsl:value-of select="osclass[1]/@osfamily"/>
</xsl:template>
<xsl:template match="ports">
<xsl:apply-templates select="port[@portid='443' and @protocol='tcp']/script[@id='ssl-cert' and @output]"/>
</xsl:template>
<xsl:template match="port[@portid='443' and @protocol='tcp']/script[@id='ssl-cert' and @output]">
<xsl:variable name="vText" select="@output"/>
<xsl:value-of select="concat(443,'_',substring-before(substring-after($vText, ' Public Key type: '),' '),'_',substring-before(substring-after($vText, ' Public Key bits: '),' '))"/>
</xsl:template>
</xsl:stylesheet>
This is post-transformation output,
192.168.100.3,sub2.example.com,Linux,
192.168.100.5,sub3.example.com,Linux,
192.168.100.6,sub4.example.com,Linux,443_rsa_2048
The 443 is the @portid, which contains the script id="ssl-cert" @output.
The portid could be something other than 443, namely whatever was specified in the original scope.
The rsa is Public Key type:, which is contained in that crazy @output. Public Key type could be something other than rsa, such as dsa.
the 2048 is Public Key bits:, also contained in the @output. Additionally their could be more or less Public Key bits, than 2048.