Create fortinet-fgfm-protocol-detect.yaml

2024-11-05 11:54:32 -03:00 · 2024-11-05 11:54:32 -03:00 · 2e783a56b2
parent 42d4a85e32
commit 2e783a56b2
1 changed files with 35 additions and 0 deletions
--- a/network/detection/fortinet-fgfm-protocol-detect.yaml
+++ b/network/detection/fortinet-fgfm-protocol-detect.yaml
@ -0,0 +1,35 @@
+id: fortinet-fgfm-protocol-detect
+
+info:
+  name: Fortinet FGFM protocol - Detect
+  author: johnk3r
+  severity: info
+  description: |
+    FortiGate to FortiManager Protocol (FGFM) was detected.
+  reference:
+    - https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/529217/fortios-ports-and-protocols
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: 'port:541 xab'
+  tags: network,tcp,fortinet,fortigate,fortimanager
+
+tcp:
+  - inputs:
+      - data: 2E
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+    port: 541
+    read-size: 1024
+
+    matchers:
+      - type: word
+        words:
+          - ".fortinet.com"
+
+    extractors:
+      - type: regex
+        regex:
+          - '[a-z0-9.-]+\.fortinet\.com'