id: fortisiem-panel

info:
  name: FortiSIEM Login Panel - Detect
  author: pussycat0x
  severity: info
  description: FortiSIEM login panel was detected.
  metadata:
    verified: true
    max-request: 2
    shodan-query: "http.favicon.hash:-1341442175"
  tags: panel,fortisiem
flow: http(1) && http(2)
http:
  - method: GET
    path:
      - "{{BaseURL}}/phoenix/login.html"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "(\"426d365a42bbc67c092b9c2e49b336420f0559d1\" == sha1(body))"
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/phoenix/js/login.min.js"

    matchers:
      - type: word
        words:
          - "fortiSIEM_current_login_salt"
# digest: 4a0a00473045022100e9dab3a43744ab3fd9bd071dc4e2410892fbe12a8cddfcb31b0b25aef766897402204aa9a18b219f9467efb3939d4497c526040671daa19f24be34ea05dc555e376f:922c64590222798bb761d5b6d8e72950