Merge pull request #11147 from johnk3r/FGFM

Fortinet FGFM protocol
2024-11-18 18:16:32 +05:30 · 2024-11-18 18:16:32 +05:30 · febd7e23bb
parent 175e7f32f7 9c4a8c3146
commit febd7e23bb
2 changed files with 38 additions and 57 deletions
--- a/http/default-logins/minio/minio-object-default-login.yaml
+++ b/http/default-logins/minio/minio-object-default-login.yaml
@ -1,57 +0,0 @@
-id: minio-object-default-login
-
-info:
-  name: MinIO Console Object Store - Default Login
-  author: johnk3r
-  severity: high
-  description: |
-    MinIO Console Object Store admin credentials were discovered.
-  classification:
-    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
-    cvss-score: 8.3
-    cwe-id: CWE-522
-    cpe: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
-  metadata:
-    verified: true
-    max-request: 2
-    shodan-query: title:"MinIO Console"
-    product: minio
-    vendor: minio
-  tags: minio,default-login,object-store
-
-variables:
-  username: minioadmin
-  password: minioadmin
-
-http:
-  - raw:
-      - |
-        POST /api/v1/login HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/json
-
-        {"accessKey":"{{username}}","secretKey":"{{password}}"}
-
-      - |
-        GET /api/v1/session HTTP/1.1
-        Host: {{Hostname}}
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: body_2
-        words:
-          - '"serverEndPoint":'
-          - 'status":"ok'
-          - 'permissions":'
-        condition: and
-
-      - type: word
-        part: content_type_2
-        words:
-          - 'application/json'
-
-      - type: status
-        status:
-          - 200
-# digest: 490a00463044022050a2f260d5a7914f75a50491ac244782fce6970736f007ccbe9451f215b12a2a022026e6a3eff40a706a7bed3e6f128acdbd647c2f068a07c8ba4ce4fa83ecdd97b1:922c64590222798bb761d5b6d8e72950
--- a/network/detection/fortinet-fgfm-detect.yaml
+++ b/network/detection/fortinet-fgfm-detect.yaml
@ -0,0 +1,38 @@
+id: fortinet-fgfm-detect
+
+info:
+  name: Fortinet FGFM protocol - Detect
+  author: johnk3r
+  severity: info
+  description: |
+    FortiGate to FortiManager Protocol (FGFM) was detected.
+  reference:
+    - https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/529217/fortios-ports-and-protocols
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: 'port:541 xab'
+  tags: network,tcp,fortinet,fortigate,fortimanager
+
+tcp:
+  - inputs:
+      - data: 2E
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+    port: 541
+
+    read-size: 1024
+
+    matchers:
+      - type: word
+        words:
+          - ".fortinet.com"
+          - "Certificate Authority"
+        condition: and
+
+    extractors:
+      - type: regex
+        regex:
+          - '[a-z0-9.-]+\.fortinet\.com'