id: fortisiem-panel

info:
  name: FortiSIEM Login Panel - Detect
  author: pussycat0x
  severity: info
  description: FortiSIEM login panel was detected.
  classification:
    cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: "http.favicon.hash:-1341442175"
    product: fortisiem
    vendor: fortinet
  tags: panel,fortisiem
flow: http(1) && http(2)
http:
  - method: GET
    path:
      - "{{BaseURL}}/phoenix/login.html"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "(\"426d365a42bbc67c092b9c2e49b336420f0559d1\" == sha1(body))"
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/phoenix/js/login.min.js"

    matchers:
      - type: word
        words:
          - "fortiSIEM_current_login_salt"
# digest: 4a0a004730450220067de9f0b44e9b79b8254288a61be9a34611bd871facffb224f070b63299061d02210080992db0adec73cf4422349bba4f3d574f6aa5f873050937c5ba731f4797b308:922c64590222798bb761d5b6d8e72950