代码拉取完成,页面将自动刷新
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273
# Sagan citrix.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Citrix applicances/devices/software
# Netscaler rules - 07/30/2012
# Champ Clark III
# Unfortunately, Netscalers populate the "program" field with the system date :(
# We have to do a broad search for Netscaler event IDs. Lame.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action matched URL"; content: "ACTION_MATCH"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001200; sid: 5001200; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action didn't match URL"; content: "ACTION_MISMATCH"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001201; sid: 5001201; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Request error. Generated 400 Response"; content: "AF_400_RESP"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001202; sid: 5001202; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add a confidential field"; content: "AF_ADD_CFFIELD"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001203; sid: 5001203; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw Field Type"; content: "AF_ADD_FIELDTYPE"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001204; sid: 5001204; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw profile"; content: "AF_ADD_PROFILE"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001205; sid: 5001205; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to HTML profile"; content: "AF_BIND_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001206; sid: 5001206; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to XML profile"; content: "AF_BIND_XML_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001207; sid: 5001207; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory allocation request failed"; content: "AF_MEMORY_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001208; sid: 5001208; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove a confidential field"; content: "AF_RM_CFFIELD"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001209; sid: 5001209; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an Appfw Field Type"; content: "AF_RM_FIELDTYPE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001210; sid: 5001210; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an AppFw profile"; content: "AF_RM_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001211; sid: 5001211; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Appsecure uthread a stack error"; content: "AF_UTHREAD_STACK_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001212; sid: 5001212; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module stopped an alarm"; content: "ALERTENDED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001213; sid: 5001213; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module alarm"; content: "ALERTSTARTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001214; sid: 5001214; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in Cookie"; content: "APPFW_BUFFEROVERFLOW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001215; sid: 5001215; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers"; content: "APPFW_BUFFEROVERFLOW_HDR"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001216; sid: 5001216; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in URL"; content: "APPFW_BUFFEROVERFLOW_URL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001217; sid: 5001217; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Cookie Consistency violation"; content: "APPFW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001218; sid: 5001218; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw CSRF tag violation"; content: "APPFW_CSRF_TAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001219; sid: 5001219; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw DenyURL violation"; content: "APPFW_DENYURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001220; sid: 5001220; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Consistency violation"; content: "APPFW_FIELDCONSISTENCY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001221; sid: 5001221; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Format violation"; content: "APPFW_FIELDFORMAT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001222; sid: 5001222; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw profile invoked"; content: "APPFW_POLICY_HIT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001223; sid: 5001223; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw built-in profile invoked"; content: "APPFW_POLICY_HIT_BUILTIN"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001224; sid: 5001224; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Referer header violation"; content: "APPFW_REFERER_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001225; sid: 5001225; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation"; content: "APPFW_SAFECOMMERCE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001226; sid: 5001226; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed"; content: "APPFW_SAFECOMMERCE_XFORM"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001227; sid: 5001227; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Object violation"; content: "APPFW_SAFEOBJECT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001228; sid: 5001228; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation"; content: "APPFW_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001229; sid: 5001229; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw StartURL violation"; content: "APPFW_STARTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001230; sid: 5001230; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Boundary mismatch in mime message"; content: "APPFW_XML_ATTACHMENT_ERR_BOUNDARY_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001231; sid: 5001231; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message"; content: "APPFW_XML_ATTACHMENT_ERR_CALLBACK_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001232; sid: 5001232; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type"; content: "APPFW_XML_ATTACHMENT_ERR_CONTENT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001233; sid: 5001233; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - String is supposed to be MIME Header. But it is not according to the format of Mime Header HeaderName:HeaderValue"; content: "APPFW_XML_ATTACHMENT_ERR_INVALIDHEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001234; sid: 5001234; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)'"; content: "APPFW_XML_ATTACHMENT_ERR_INVALID_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001235; sid: 5001235; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size"; content: "APPFW_XML_ATTACHMENT_ERR_MAX_SIZE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001236; sid: 5001236; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attachment Found in the XML Message"; content: "APPFW_XML_ATTACHMENT_FOUND"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001237; sid: 5001237; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Send Fail Error"; content: "APPFW_XML_DDOS_ERR_MSG_SEND_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001238; sid: 5001238; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max character data length"; content: "APPFW_XML_DOS_ERR_CHAR_DATA_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001239; sid: 5001239; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - DTD present in the XML message"; content: "APPFW_XML_DOS_ERR_DTD"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001240; sid: 5001240; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - External entities present in the XML message"; content: "APPFW_XML_DOS_ERR_EXT_ENTITY"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001241; sid: 5001241; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DoS Maximum Error"; content: "APPFW_XML_DOS_ERR_MAX"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001242; sid: 5001242; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum attributes per element"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123876; reference: url,wiki.quadrantsec.com/bin/view/Main/5001243; sid: 5001243; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element an attribute exceeds maximum name length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001244; sid: 5001244; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element attribute exceeds maximum attribute value length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_VALUE_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001245; sid: 5001245; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum elements per message"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENTS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001246; sid: 5001246; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Parent of element exceed maximum children"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_CHILDREN"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001247; sid: 5001247; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element depth"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001248; sid: 5001248; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element name length"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001249; sid: 5001249; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max number of entity expansions"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSIONS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001250; sid: 5001250; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max entity expansion depth"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSION_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001251; sid: 5001251; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size exceeds max size"; content: "APPFW_XML_DOS_ERR_MAX_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001252; sid: 5001252; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum active namespaces"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001253; sid: 5001253; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - In element a namespace exceeds maximum URI length"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACEURI_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001254; sid: 5001254; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Node exceeds maximum nodes per message"; content: "APPFW_XML_DOS_ERR_MAX_NODES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001255; sid: 5001255; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size less than min size"; content: "APPFW_XML_DOS_ERR_MIN_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001256; sid: 5001256; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Processing instructions present in the XML message"; content: "APPFW_XML_DOS_ERR_PI"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001257; sid: 5001257; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal error"; content: "APPFW_XML_ERR_CUSTOM"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001258; sid: 5001258; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed"; content: "APPFW_XML_ERR_DDOS_CONNECT_TO_SERVER_FAILED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001259; sid: 5001259; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed"; content: "APPFW_XML_ERR_DDOS_INTERATION_SOCKET_OPEN_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001260; sid: 5001260; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Invalid Config File"; content: "APPFW_XML_ERR_DDOS_INVALID_CONFIG_FILE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001261; sid: 5001261; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path"; content: "APPFW_XML_ERR_DDOS_NO_FOLDER_INSTALLATION_PATH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001262; sid: 5001262; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File"; content: "APPFW_XML_ERR_DDOS_OPEN_CONFIG_FILE_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001263; sid: 5001263; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Denial of Service Error"; content: "APPFW_XML_ERR_DOS_TRIGGERED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001264; sid: 5001264; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Environment variable QTHOME not set"; content: "APPFW_XML_ERR_ENV_NOT_SET"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001265; sid: 5001265; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems inserting a namespace into the hash table"; content: "APPFW_XML_ERR_HASH_INSERT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001266; sid: 5001266; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems getting the key of a namespace from the hash table"; content: "APPFW_XML_ERR_HASH_LOOKUP"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001267; sid: 5001267; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to initialize XML tokenizer"; content: "APPFW_XML_ERR_INITIALIZING_TOKENIZER"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001268; sid: 5001268; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to open the file"; content: "APPFW_XML_ERR_INVALID_FILE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001269; sid: 5001269; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal State Invalid"; content: "APPFW_XML_ERR_INVALID_STATE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001270; sid: 5001270; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid XPath"; content: "APPFW_XML_ERR_INVALID_XPATH"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001271; sid: 5001271; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Low memory"; content: "APPFW_XML_ERR_LOW_MEMORY"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001272; sid: 5001272; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Malformed address"; content: "APPFW_XML_ERR_MALFORMED_ADDRESS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001273; sid: 5001273; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message is not a well-formed XML"; content: "APPFW_XML_ERR_NOT_WELLFORMED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001274; sid: 5001274; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid"; content: "APPFW_XML_ERR_NO_ATTACHMENT_BOUNDARY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001275; sid: 5001275; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments"; content: "APPFW_XML_ERR_NO_DIME"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001276; sid: 5001276; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems registering callbacks for operations"; content: "APPFW_XML_ERR_OPERATION_CALLBACK"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001277; sid: 5001277; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix length exceeded"; content: "APPFW_XML_ERR_PREFIX_LENGTH_EXCEEDED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001278; sid: 5001278; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Read Failure"; content: "APPFW_XML_ERR_READ_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001279; sid: 5001279; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message contains SOAP Fault"; content: "APPFW_XML_ERR_SOAP_FAULT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001280; sid: 5001280; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during pop of the node out of the XML stream"; content: "APPFW_XML_ERR_STREAM_POP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001281; sid: 5001281; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during push of the node into the XML stream"; content: "APPFW_XML_ERR_STREAM_PUSH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001282; sid: 5001282; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port in address is greater than 65535"; content: "APPFW_XML_ERR_UNSUPPORTED_PORT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001283; sid: 5001283; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unsupported protocol"; content: "APPFW_XML_ERR_UNSUPPORTED_PROTOCOL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001284; sid: 5001284; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Failed"; content: "APPFW_XML_ERR_VALIDATION_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001285; sid: 5001285; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Context is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001286; sid: 5001286; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Context user state is NULL - Internal error"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_STATE_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001287; sid: 5001287; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message config struct is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_MESSAGE_CONFIG_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001288; sid: 5001288; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log"; content: "APPFW_XML_SOAP_FAULT_CONTENTS"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001289; sid: 5001289; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation in XML"; content: "APPFW_XML_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001290; sid: 5001290; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract element"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001291; sid: 5001291; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract type"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001292; sid: 5001292; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Additional soap header present in soap message"; content: "APPFW_XML_VALIDATION_ERR_ADDHEADERS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001293; sid: 5001293; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute appears more than once in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MAX_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001294; sid: 5001294; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Required attribute missing in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MIN_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001295; sid: 5001295; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001296; sid: 5001296; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Content model of element not satisfied"; content: "APPFW_XML_VALIDATION_ERR_CONTENT_MODEL_VIOLATED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001297; sid: 5001297; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001298; sid: 5001298; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error compiling the schema"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_SCHEMA"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001299; sid: 5001299; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Initialization of the data type engine failed"; content: "APPFW_XML_VALIDATION_ERR_DATATYPE_ENGINE_INIT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001300; sid: 5001300; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Internal corruption of WSDL in-memory structure"; content: "APPFW_XML_VALIDATION_ERR_INTERNAL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001301; sid: 5001301; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001302; sid: 5001302; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid configuration for soap validation"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMBINATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001303; sid: 5001303; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open compiled WSDL"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001304; sid: 5001304; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element has invalid content model"; content: "APPFW_XML_VALIDATION_ERR_INVALID_CONTENT_MODEL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001305; sid: 5001305; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Data type is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001306; sid: 5001306; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001307; sid: 5001307; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open the file"; content: "APPFW_XML_VALIDATION_ERR_INVALID_FILE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001308; sid: 5001308; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Did not get expected type for element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_TYPE_SUBSTITUTION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001309; sid: 5001309; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to load validation engine"; content: "APPFW_XML_VALIDATION_ERR_LOADING"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001310; sid: 5001310; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Max Error"; content: "APPFW_XML_VALIDATION_ERR_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001311; sid: 5001311; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Service URL is not present or NULL"; content: "APPFW_XML_VALIDATION_ERR_NOSERVICEURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001312; sid: 5001312; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Feature not supported"; content: "APPFW_XML_VALIDATION_ERR_NOT_SUPPORTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001313; sid: 5001313; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Trying to pop from an empty stack"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001314; sid: 5001314; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Level of recursion more than maximum allowed depth"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_OVERFLOW"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001315; sid: 5001315; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request"; content: "APPFW_XML_VALIDATION_ERR_SOAPBODY_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001316; sid: 5001316; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Body structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_BODY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001317; sid: 5001317; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Envelope structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_ENVELOPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001318; sid: 5001318; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Header structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001319; sid: 5001319; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix is unbounded"; content: "APPFW_XML_VALIDATION_ERR_UNBOUNDED_PREFIX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001320; sid: 5001320; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot be nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_CONTENTS_CANNOT_BE_NIL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001321; sid: 5001321; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element is nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_NIL_WITH_CONTENTS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001322; sid: 5001322; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_DATATYPE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001323; sid: 5001323; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot appear at this location"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_LOCATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001324; sid: 5001324; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Facet mismatch"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FACET_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001325; sid: 5001325; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validator Load Failed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FAILED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001326; sid: 5001326; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute has invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_ATTRIBUTE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001327; sid: 5001327; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001328; sid: 5001328; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema node type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_SCHEMA_NODE_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001329; sid: 5001329; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Value does not match FIXED constraint"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_VALUE_FOR_FIXED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001330; sid: 5001330; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is greater than max allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_GT_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001331; sid: 5001331; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_INVALID"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001332; sid: 5001332; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is lesser than min allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_LT_MIN"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001333; sid: 5001333; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Maximum Load Error"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_MAX"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001334; sid: 5001334; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Missing require attribute in element"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_REQUIRED_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001335; sid: 5001335; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled Schema is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_SCHEMA_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001336; sid: 5001336; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled WSDL is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_WSDL_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001337; sid: 5001337; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI Internal Context NULL"; content: "APPFW_XML_WSI_ERR_CTXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001338; sid: 5001338; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI HTTP Error"; content: "APPFW_XML_WSI_ERR_HTTP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001339; sid: 5001339; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Resource id of deployment is NULL"; content: "APPFW_XML_WSI_ERR_NODEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001340; sid: 5001340; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port URL is NULL"; content: "APPFW_XML_WSI_ERR_NOPORTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001341; sid: 5001341; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Deployed resource is not WSDL"; content: "APPFW_XML_WSI_ERR_NOWSDLDEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001342; sid: 5001342; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI List Null"; content: "APPFW_XML_WSI_ERR_WSI_LIST_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001343; sid: 5001343; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during initialization"; content: "APPFW_XML_XSD_COMPILE_INIT_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001344; sid: 5001344; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile"; content: "APPFW_XML_XSD_COMPILE_LOADXSD_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001345; sid: 5001345; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - No XSModel to print"; content: "APPFW_XML_XSD_COMPILE_NOMODEL_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001346; sid: 5001346; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during parsing"; content: "APPFW_XML_XSD_COMPILE_PARSE_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001347; sid: 5001347; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unexpected exception during parsing"; content: "APPFW_XML_XSD_COMPILE_UNEXPECTED_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001348; sid: 5001348; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation in XML"; content: "APPFW_XML_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001349; sid: 5001349; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation"; content: "APPFW_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001350; sid: 5001350; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response body"; content: "BODY_FRAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001351; sid: 5001351; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush starts"; content: "CACHESTARTFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001352; sid: 5001352; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush is complete"; content: "CACHESTOPFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001353; sid: 5001353; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed"; content: "CLISEC_CHECK"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001354; sid: 5001354; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False"; content: "CLISEC_EXP_EVAL"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001355; sid: 5001355; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler"; content: "CMD_EXECUTED"; classtype: system-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001356; sid: 5001356; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Completed reading the configuration from ns.conf file"; content: "CONFIGEND"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001357; sid: 5001357; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Read the configuration from ns.conf file"; content: "CONFIGSTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001358; sid: 5001358; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "CONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001359; sid: 5001359; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - TCP connection terminated"; content: "CONN_TERMINATE"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001360; sid: 5001360; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The input URL before rewriting"; content: "CVPN_INPUT_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001361; sid: 5001361; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The matched URL"; content: "CVPN_MATCHED_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001362; sid: 5001362; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - PCRE Error"; content: "CVPN_PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001363; sid: 5001363; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The rewritten URL"; content: "CVPN_REWRITTEN_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001364; sid: 5001364; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is down"; content: "DEVICEDOWN"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001365; sid: 5001365; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is out of service"; content: "DEVICEOFS"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001366; sid: 5001366; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is up"; content: "DEVICEUP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001367; sid: 5001367; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - After a user logs in the group for the user has been extracted"; content: "EXTRACTED_GROUPS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001368; sid: 5001368; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation profile invoked"; content: "FILE_REQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001369; sid: 5001369; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Bad memory is freed (internal error)"; content: "FREEBADMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001370; sid: 5001370; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Duplicate memory free occurs (internal error)"; content: "FREEDUPMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001371; sid: 5001371; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory is freed from a wrong pool (internal error)"; content: "FREEEXTMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001372; sid: 5001372; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A SSLVPN session receives a HTTP request"; content: "HTTPREQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001373; sid: 5001373; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A http resource access is denied by policy engine"; content: "HTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001374; sid: 5001374; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application has terminated"; content: "ICAEND_CONNSTAT"; parse_src_ip: 1; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001375; sid: 5001375; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application launch has started"; content: "ICASTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001376; sid: 5001376; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN license limit reached"; content: "LICLMT_REACHED"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001377; sid: 5001377; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN login succeeds"; content: "LOGIN "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001378; sid: 5001378; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user"; content: "LOGIN_FAILED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001521; sid: 5001521; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5]"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; xbits: set,brute_force,track ip_src, expire 21600; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN session logs out."; content: "LOGOUT "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001380; sid: 5001380; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is down"; content: "MONITORDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001381; sid: 5001381; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service has hit threshold limit"; content: "MONITORTH"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001382; sid: 5001382; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is up"; content: "MONITORUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001383; sid: 5001383; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is in hung state"; content: "NICHANG"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001384; sid: 5001384; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is less than the min required"; content: "NICLOW_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001385; sid: 5001385; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface is bound or unbound from a channel"; content: "NICMIGRATE"; classtype: network-event ; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001386; sid: 5001386; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is equal or greater than the min required"; content: "NICNORMAL_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001387; sid: 5001387; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is reset"; content: "NICRESET"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001388; sid: 5001388; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is started"; content: "NICSTART"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001389; sid: 5001389; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is stopped"; content: "NICSTOP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001390; sid: 5001390; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A non-http resource access is denied by policy engine"; content: "NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001391; sid: 5001391; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with PID is being restarted"; content: "PB_PROCESS_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001393; sid: 5001393; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with pid has reached maximum number of restarts"; content: "PB_SYSTEM_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001394; sid: 5001394; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation regex error"; content: "PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001395; sid: 5001395; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID"; content: "PITBOSS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001396; sid: 5001396; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation fails"; content: "PROPFAIL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001397; sid: 5001397; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation is successful"; content: "PROPSUCCESS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001398; sid: 5001398; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a request header"; content: "REQ_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001399; sid: 5001399; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation parsing error"; content: "REQ_PARSE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001400; sid: 5001400; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation error in a request header"; content: "REQ_WRITE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001401; sid: 5001401; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response header"; content: "RESP_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001402; sid: 5001402; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is down"; content: "ROUTEDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001403; sid: 5001403; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is up"; content: "ROUTEUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001404; sid: 5001404; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Advertised"; content: "ROUTE_ADVERTISED"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001405; sid: 5001405; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA state change"; content: "ROUTE_HASTATE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001406; sid: 5001406; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Relearnt"; content: "ROUTE_RELEARN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001407; sid: 5001407; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Withdrawn"; content: "ROUTE_WITHDRAWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001408; sid: 5001408; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Certificate Expiry Imminent"; content: "SSL_CERT_EXPIRY_IMMINENT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001409; sid: 5001409; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Failure"; content: "SSL_CRL_UPDATE_FAILURE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001410; sid: 5001410; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Success"; content: "SSL_CRL_UPDATE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001411; sid: 5001411; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Failure"; content: "SSL_HANDSHAKE_FAILURE"; classtype: network-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001412; sid: 5001412; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate IssueName"; content: "SSL_HANDSHAKE_ISSUERNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001413; sid: 5001413; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate SubjectName"; content: "SSL_HANDSHAKE_SUBJECTNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001414; sid: 5001414; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Success"; content: "SSL_HANDSHAKE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001415; sid: 5001415; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - CPU started"; content: "STARTCPU"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001416; sid: 5001416; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration started"; content: "STARTSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001417; sid: 5001417; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System Started"; content: "STARTSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001418; sid: 5001418; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA State has changed"; content: "STATECHANGE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001419; sid: 5001419; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN and the group for the user has been extracted"; content: "STA_VALIDATE_RESP"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001420; sid: 5001420; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration has stopped"; content: "STOPSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001421; sid: 5001421; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System stopped"; content: "STOPSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001422; sid: 5001422; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logged TCP connection related information"; content: "TCPCONNSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001423; sid: 5001423; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - An SSLVPN connection timed out"; content: "TCPCONN_TIMEDOUT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001424; sid: 5001424; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - UDP flow"; content: "UDPFLOWSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001425; sid: 5001425; rev:2;)
# Triggers on non-citrix related events
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unknown Error"; content: " UNKNOWN "; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001426; sid: 5001426; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to down"; content: "VIPRHIDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001427; sid: 5001427; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to up"; content: "VIPRHIUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001428; sid: 5001428; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRID6DOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001429; sid: 5001429; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRIDDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001430; sid: 5001430; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to INIT"; content: "VRIDINIT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001431; sid: 5001431; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to master"; content: "VRIDUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001432; sid: 5001432; rev:2;)
举报
请认真填写举报原因,尽可能描述详细。
请选择举报类型
误判申诉
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化