alert http any any -> $HOME_NET any (msg:"ET HUNTING Fortigate Forticlient EMS Multi-Tennant Fingerprinting Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:19; content:"/api/v1/init_consts"; fast_pattern; reference:url,bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4; classtype:network-scan; sid:2068436; rev:1; metadata:affected_product FortiClient_EMS, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_26, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Minor, updated_at 2026_03_26; target:dest_ip;)