# Sagan citrix.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Citrix appliances/devices/software
# Netscaler rules - 07/30/2012
# Champ Clark III
# Unfortunately, Netscalers populate the "program" field with the system date :(
# We have to do a broad search for Netscaler event IDs. Lame.
# --- URL transformation, AppFw configuration changes, internal errors, SNMP alarms (sid 5001200-5001214) ---
# Every rule keys on a bare `content:` token (the NetScaler event name) and carries no `program:`
# filter, so a line from any log source that contains the same token will match.
# Lines starting with "#alert" are rules shipped disabled.
# NOTE(review): 5001203-5001205 (add confidential field / field type / profile) are classed
# suspicious-traffic, while the matching remove rules (5001209-5001211) and the bind rules
# (5001206-5001207) are classed configuration-change. If the split is not intentional, align them so
# all AppFw policy edits are triaged at one priority.
# Removing a profile, field type or confidential field reduces what the AppFw inspects or masks;
# check these alerts against an approved change record.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action matched URL"; content: "ACTION_MATCH"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001200; sid: 5001200; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action didn't match URL"; content: "ACTION_MISMATCH"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001201; sid: 5001201; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Request error. Generated 400 Response"; content: "AF_400_RESP"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001202; sid: 5001202; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add a confidential field"; content: "AF_ADD_CFFIELD"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001203; sid: 5001203; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw Field Type"; content: "AF_ADD_FIELDTYPE"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001204; sid: 5001204; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw profile"; content: "AF_ADD_PROFILE"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001205; sid: 5001205; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to HTML profile"; content: "AF_BIND_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001206; sid: 5001206; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to XML profile"; content: "AF_BIND_XML_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001207; sid: 5001207; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory allocation request failed"; content: "AF_MEMORY_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001208; sid: 5001208; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove a confidential field"; content: "AF_RM_CFFIELD"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001209; sid: 5001209; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an Appfw Field Type"; content: "AF_RM_FIELDTYPE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001210; sid: 5001210; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an AppFw profile"; content: "AF_RM_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001211; sid: 5001211; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Appsecure uthread a stack error"; content: "AF_UTHREAD_STACK_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001212; sid: 5001212; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module stopped an alarm"; content: "ALERTENDED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001213; sid: 5001213; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module alarm"; content: "ALERTSTARTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001214; sid: 5001214; rev:2;)
# --- AppFw request violations (sid 5001215-5001230) ---
# One rule per AppFw violation token; all but the two policy-hit rules are classed web-application-attack.
# NOTE(review): `content:` is a substring match, so "APPFW_POLICY_HIT" (5001223) also matches lines that
# carry APPFW_POLICY_HIT_BUILTIN (5001224), and "APPFW_SAFECOMMERCE" (5001226) also matches
# APPFW_SAFECOMMERCE_XFORM (5001227). Presumably one event then raises both rules of the pair - confirm,
# and anchor the shorter token (e.g. with a trailing delimiter seen in the real log line) if so.
# NOTE(review): 5001223/5001224 alert on every profile invocation (classtype not-suspicious); likely
# high volume - confirm they are wanted enabled.
# NOTE(review): no rule here sets parse_src_ip / parse_dst_ip; presumably the alert then carries the
# syslog sender's address rather than the client that tripped the check - confirm, and add them if the
# NetScaler message carries the client IP.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in Cookie"; content: "APPFW_BUFFEROVERFLOW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001215; sid: 5001215; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers"; content: "APPFW_BUFFEROVERFLOW_HDR"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001216; sid: 5001216; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in URL"; content: "APPFW_BUFFEROVERFLOW_URL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001217; sid: 5001217; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Cookie Consistency violation"; content: "APPFW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001218; sid: 5001218; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw CSRF tag violation"; content: "APPFW_CSRF_TAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001219; sid: 5001219; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw DenyURL violation"; content: "APPFW_DENYURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001220; sid: 5001220; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Consistency violation"; content: "APPFW_FIELDCONSISTENCY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001221; sid: 5001221; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Format violation"; content: "APPFW_FIELDFORMAT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001222; sid: 5001222; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw profile invoked"; content: "APPFW_POLICY_HIT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001223; sid: 5001223; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw built-in profile invoked"; content: "APPFW_POLICY_HIT_BUILTIN"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001224; sid: 5001224; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Referer header violation"; content: "APPFW_REFERER_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001225; sid: 5001225; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation"; content: "APPFW_SAFECOMMERCE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001226; sid: 5001226; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed"; content: "APPFW_SAFECOMMERCE_XFORM"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001227; sid: 5001227; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Object violation"; content: "APPFW_SAFEOBJECT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001228; sid: 5001228; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation"; content: "APPFW_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001229; sid: 5001229; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw StartURL violation"; content: "APPFW_STARTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001230; sid: 5001230; rev:2;)
# --- AppFw XML attachment checks (sid 5001231-5001237) ---
# NOTE(review): 5001234 matches "..._ERR_INVALIDHEADER" and the disabled 5001235 matches
# "..._ERR_INVALID_HEADER"; the tokens differ only by an underscore and the msg texts describe different
# conditions. Verify both spellings against real device output before enabling or merging them.
# NOTE(review): 5001237 ("Attachment Found") is classed web-application-attack although its msg only
# states that an attachment was present - confirm the classtype is intended.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Boundary mismatch in mime message"; content: "APPFW_XML_ATTACHMENT_ERR_BOUNDARY_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001231; sid: 5001231; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message"; content: "APPFW_XML_ATTACHMENT_ERR_CALLBACK_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001232; sid: 5001232; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type"; content: "APPFW_XML_ATTACHMENT_ERR_CONTENT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001233; sid: 5001233; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - String is supposed to be MIME Header. But it is not according to the format of Mime Header HeaderName:HeaderValue"; content: "APPFW_XML_ATTACHMENT_ERR_INVALIDHEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001234; sid: 5001234; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)'"; content: "APPFW_XML_ATTACHMENT_ERR_INVALID_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001235; sid: 5001235; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size"; content: "APPFW_XML_ATTACHMENT_ERR_MAX_SIZE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001236; sid: 5001236; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attachment Found in the XML Message"; content: "APPFW_XML_ATTACHMENT_FOUND"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001237; sid: 5001237; rev:2;)
# --- AppFw XML DoS / DDoS checks (sid 5001238-5001264) ---
# All enabled rules in this run are classed attempted-dos; 5001251 and 5001258 are shipped disabled.
# NOTE(review): "APPFW_XML_DOS_ERR_MAX" (5001242) is a prefix of every APPFW_XML_DOS_ERR_MAX_* token
# below (5001243-5001255). Because `content:` is a substring match, presumably 5001242 is also eligible
# on each of those events - confirm, and anchor or disable it if it only duplicates the specific rules.
# NOTE(review): 5001243 references CTX123876 while every other rule visible here references CTX123875;
# looks like a typo - verify the article id.
# NOTE(review): 5001260 matches "..._INTERATION_..." while its msg says "Interaction"; check which
# spelling the device actually logs before changing either, or the rule will never fire.
# NOTE(review): 5001240 (DTD present) and 5001241 (external entities present) are also what an XXE
# attempt looks like at this layer, not only a DoS - triage accordingly.
# NOTE(review): 5001259-5001263 read like component or configuration failures from their msg text but
# are classed attempted-dos - confirm the classtype is intended.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Send Fail Error"; content: "APPFW_XML_DDOS_ERR_MSG_SEND_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001238; sid: 5001238; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max character data length"; content: "APPFW_XML_DOS_ERR_CHAR_DATA_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001239; sid: 5001239; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - DTD present in the XML message"; content: "APPFW_XML_DOS_ERR_DTD"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001240; sid: 5001240; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - External entities present in the XML message"; content: "APPFW_XML_DOS_ERR_EXT_ENTITY"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001241; sid: 5001241; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DoS Maximum Error"; content: "APPFW_XML_DOS_ERR_MAX"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001242; sid: 5001242; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum attributes per element"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123876; reference: url,wiki.quadrantsec.com/bin/view/Main/5001243; sid: 5001243; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element an attribute exceeds maximum name length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001244; sid: 5001244; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element attribute exceeds maximum attribute value length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_VALUE_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001245; sid: 5001245; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum elements per message"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENTS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001246; sid: 5001246; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Parent of element exceed maximum children"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_CHILDREN"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001247; sid: 5001247; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element depth"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001248; sid: 5001248; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element name length"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001249; sid: 5001249; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max number of entity expansions"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSIONS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001250; sid: 5001250; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max entity expansion depth"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSION_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001251; sid: 5001251; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size exceeds max size"; content: "APPFW_XML_DOS_ERR_MAX_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001252; sid: 5001252; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum active namespaces"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001253; sid: 5001253; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - In element a namespace exceeds maximum URI length"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACEURI_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001254; sid: 5001254; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Node exceeds maximum nodes per message"; content: "APPFW_XML_DOS_ERR_MAX_NODES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001255; sid: 5001255; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size less than min size"; content: "APPFW_XML_DOS_ERR_MIN_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001256; sid: 5001256; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Processing instructions present in the XML message"; content: "APPFW_XML_DOS_ERR_PI"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001257; sid: 5001257; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal error"; content: "APPFW_XML_ERR_CUSTOM"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001258; sid: 5001258; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed"; content: "APPFW_XML_ERR_DDOS_CONNECT_TO_SERVER_FAILED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001259; sid: 5001259; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed"; content: "APPFW_XML_ERR_DDOS_INTERATION_SOCKET_OPEN_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001260; sid: 5001260; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Invalid Config File"; content: "APPFW_XML_ERR_DDOS_INVALID_CONFIG_FILE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001261; sid: 5001261; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path"; content: "APPFW_XML_ERR_DDOS_NO_FOLDER_INSTALLATION_PATH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001262; sid: 5001262; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File"; content: "APPFW_XML_ERR_DDOS_OPEN_CONFIG_FILE_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001263; sid: 5001263; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Denial of Service Error"; content: "APPFW_XML_ERR_DOS_TRIGGERED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001264; sid: 5001264; rev:2;)
# --- AppFw XML processing errors (sid 5001265-5001289) ---
# The program-error / hardware-event rules in this run (5001265-5001272, 5001289) are shipped disabled;
# the enabled rules are all classed web-application-attack.
# NOTE(review): several enabled rules describe what reads like an internal processing fault rather than
# a hostile request - 5001277 (callback registration), 5001279 (read failure), 5001281/5001282 (stream
# pop/push), 5001286-5001288 (NULL context / state / config). Similar faults nearby are program-error and
# disabled; confirm web-application-attack is intended, since it raises the triage priority.
# NOTE(review): the msg of 5001276 states what the AppFw supports rather than what was detected;
# presumably the NO_DIME token marks a rejected DIME attachment - confirm and reword the msg.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Environment variable QTHOME not set"; content: "APPFW_XML_ERR_ENV_NOT_SET"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001265; sid: 5001265; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems inserting a namespace into the hash table"; content: "APPFW_XML_ERR_HASH_INSERT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001266; sid: 5001266; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems getting the key of a namespace from the hash table"; content: "APPFW_XML_ERR_HASH_LOOKUP"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001267; sid: 5001267; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to initialize XML tokenizer"; content: "APPFW_XML_ERR_INITIALIZING_TOKENIZER"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001268; sid: 5001268; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to open the file"; content: "APPFW_XML_ERR_INVALID_FILE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001269; sid: 5001269; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal State Invalid"; content: "APPFW_XML_ERR_INVALID_STATE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001270; sid: 5001270; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid XPath"; content: "APPFW_XML_ERR_INVALID_XPATH"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001271; sid: 5001271; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Low memory"; content: "APPFW_XML_ERR_LOW_MEMORY"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001272; sid: 5001272; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Malformed address"; content: "APPFW_XML_ERR_MALFORMED_ADDRESS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001273; sid: 5001273; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message is not a well-formed XML"; content: "APPFW_XML_ERR_NOT_WELLFORMED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001274; sid: 5001274; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid"; content: "APPFW_XML_ERR_NO_ATTACHMENT_BOUNDARY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001275; sid: 5001275; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments"; content: "APPFW_XML_ERR_NO_DIME"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001276; sid: 5001276; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems registering callbacks for operations"; content: "APPFW_XML_ERR_OPERATION_CALLBACK"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001277; sid: 5001277; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix length exceeded"; content: "APPFW_XML_ERR_PREFIX_LENGTH_EXCEEDED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001278; sid: 5001278; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Read Failure"; content: "APPFW_XML_ERR_READ_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001279; sid: 5001279; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message contains SOAP Fault"; content: "APPFW_XML_ERR_SOAP_FAULT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001280; sid: 5001280; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during pop of the node out of the XML stream"; content: "APPFW_XML_ERR_STREAM_POP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001281; sid: 5001281; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during push of the node into the XML stream"; content: "APPFW_XML_ERR_STREAM_PUSH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001282; sid: 5001282; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port in address is greater than 65535"; content: "APPFW_XML_ERR_UNSUPPORTED_PORT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001283; sid: 5001283; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unsupported protocol"; content: "APPFW_XML_ERR_UNSUPPORTED_PROTOCOL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001284; sid: 5001284; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Failed"; content: "APPFW_XML_ERR_VALIDATION_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001285; sid: 5001285; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Context is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001286; sid: 5001286; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Context user state is NULL - Internal error"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_STATE_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001287; sid: 5001287; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message config struct is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_MESSAGE_CONFIG_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001288; sid: 5001288; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log"; content: "APPFW_XML_SOAP_FAULT_CONTENTS"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001289; sid: 5001289; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation in XML"; content: "APPFW_XML_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001290; sid: 5001290; rev:2;)
# AppFw XML/SOAP schema-validation failures (APPFW_XML_VALIDATION_ERR_*).
# Enabled rules are classed web-application-attack. Rules for faults in
# compiling or loading the WSDL/schema itself are left disabled as
# program-error.
# NOTE(review): a validation failure shows that a request did not conform to
# the deployed WSDL/schema; it does not by itself show intent. A client built
# against an outdated schema would presumably raise the same events, so
# correlate by source and volume before escalating. No after:/threshold: is
# set in this group, so each matching log line produces its own alert.
# NOTE(review): 5001303 (invalid configuration), 5001308 (cannot open file)
# and 5001312 (service URL missing) read like appliance-side conditions;
# confirm against CTX123875 that web-application-attack is the intended class.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract element"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001291; sid: 5001291; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract type"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001292; sid: 5001292; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Additional soap header present in soap message"; content: "APPFW_XML_VALIDATION_ERR_ADDHEADERS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001293; sid: 5001293; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute appears more than once in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MAX_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001294; sid: 5001294; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Required attribute missing in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MIN_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001295; sid: 5001295; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001296; sid: 5001296; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Content model of element not satisfied"; content: "APPFW_XML_VALIDATION_ERR_CONTENT_MODEL_VIOLATED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001297; sid: 5001297; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001298; sid: 5001298; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error compiling the schema"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_SCHEMA"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001299; sid: 5001299; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Initialization of the data type engine failed"; content: "APPFW_XML_VALIDATION_ERR_DATATYPE_ENGINE_INIT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001300; sid: 5001300; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Internal corruption of WSDL in-memory structure"; content: "APPFW_XML_VALIDATION_ERR_INTERNAL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001301; sid: 5001301; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001302; sid: 5001302; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid configuration for soap validation"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMBINATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001303; sid: 5001303; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open compiled WSDL"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001304; sid: 5001304; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element has invalid content model"; content: "APPFW_XML_VALIDATION_ERR_INVALID_CONTENT_MODEL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001305; sid: 5001305; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Data type is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001306; sid: 5001306; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001307; sid: 5001307; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open the file"; content: "APPFW_XML_VALIDATION_ERR_INVALID_FILE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001308; sid: 5001308; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Did not get expected type for element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_TYPE_SUBSTITUTION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001309; sid: 5001309; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to load validation engine"; content: "APPFW_XML_VALIDATION_ERR_LOADING"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001310; sid: 5001310; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Max Error"; content: "APPFW_XML_VALIDATION_ERR_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001311; sid: 5001311; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Service URL is not present or NULL"; content: "APPFW_XML_VALIDATION_ERR_NOSERVICEURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001312; sid: 5001312; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Feature not supported"; content: "APPFW_XML_VALIDATION_ERR_NOT_SUPPORTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001313; sid: 5001313; rev:2;)
# The two REX_STACK rules report parser stack conditions; 5001315 fires when
# nesting exceeds the appliance's allowed depth. Repeated hits from one source
# are worth reviewing together with appliance CPU/memory health.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Trying to pop from an empty stack"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001314; sid: 5001314; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Level of recursion more than maximum allowed depth"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_OVERFLOW"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001315; sid: 5001315; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request"; content: "APPFW_XML_VALIDATION_ERR_SOAPBODY_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001316; sid: 5001316; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Body structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_BODY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001317; sid: 5001317; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Envelope structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_ENVELOPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001318; sid: 5001318; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Header structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001319; sid: 5001319; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix is unbounded"; content: "APPFW_XML_VALIDATION_ERR_UNBOUNDED_PREFIX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001320; sid: 5001320; rev:2;)
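# AppFw XML validator events (APPFW_XML_VALIDATION_LOAD_ERR_* and
# APPFW_XML_VALIDATOR_LOAD_ERR_*): element, attribute, data-type, facet and
# list-length checks. Enabled rules are classed web-application-attack; the
# validator-load and schema/WSDL-compilation faults stay disabled as
# program-error.
# NOTE(review): these are per-message content checks with no after: or
# threshold:, so a single misbehaving integration can generate one alert per
# rejected request. Correlate on source before treating a burst as an attack.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot be nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_CONTENTS_CANNOT_BE_NIL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001321; sid: 5001321; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element is nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_NIL_WITH_CONTENTS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001322; sid: 5001322; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_DATATYPE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001323; sid: 5001323; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot appear at this location"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_LOCATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001324; sid: 5001324; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Facet mismatch"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FACET_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001325; sid: 5001325; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validator Load Failed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FAILED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001326; sid: 5001326; rev:2;)
# rev 3: msg was cut off at "Attribute has invalid"; completed to match the
# INVALID_ATTRIBUTE_VALUE token so the alert is readable during triage.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute has invalid value"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_ATTRIBUTE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001327; sid: 5001327; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001328; sid: 5001328; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema node type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_SCHEMA_NODE_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001329; sid: 5001329; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Value does not match FIXED constraint"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_VALUE_FOR_FIXED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001330; sid: 5001330; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is greater than max allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_GT_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001331; sid: 5001331; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_INVALID"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001332; sid: 5001332; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is lesser than min allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_LT_MIN"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001333; sid: 5001333; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Maximum Load Error"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_MAX"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001334; sid: 5001334; rev:2;)
# rev 3: msg typo fixed ("require" -> "required").
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Missing required attribute in element"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_REQUIRED_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001335; sid: 5001335; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled Schema is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_SCHEMA_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001336; sid: 5001336; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled WSDL is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_WSDL_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001337; sid: 5001337; rev:2;)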
# AppFw XML WSI events (APPFW_XML_WSI_ERR_*); WSI presumably stands for the
# WS-I conformance checks - confirm against CTX123875.
# NOTE(review): the enabled rules here report a NULL internal context, an HTTP
# error, a NULL port URL and a NULL list. The messages describe appliance
# state rather than request content, yet all four are classed
# web-application-attack, while the two deployment-state rules beside them are
# disabled program-error. Verify the classification before using these alerts
# as attack indicators.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI Internal Context NULL"; content: "APPFW_XML_WSI_ERR_CTXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001338; sid: 5001338; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI HTTP Error"; content: "APPFW_XML_WSI_ERR_HTTP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001339; sid: 5001339; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Resource id of deployment is NULL"; content: "APPFW_XML_WSI_ERR_NODEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001340; sid: 5001340; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port URL is NULL"; content: "APPFW_XML_WSI_ERR_NOPORTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001341; sid: 5001341; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Deployed resource is not WSDL"; content: "APPFW_XML_WSI_ERR_NOWSDLDEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001342; sid: 5001342; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI List Null"; content: "APPFW_XML_WSI_ERR_WSI_LIST_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001343; sid: 5001343; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during initialization"; content: "APPFW_XML_XSD_COMPILE_INIT_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001344; sid: 5001344; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile"; content: "APPFW_XML_XSD_COMPILE_LOADXSD_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001345; sid: 5001345; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - No XSModel to print"; content: "APPFW_XML_XSD_COMPILE_NOMODEL_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001346; sid: 5001346; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during parsing"; content: "APPFW_XML_XSD_COMPILE_PARSE_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001347; sid: 5001347; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unexpected exception during parsing"; content: "APPFW_XML_XSD_COMPILE_UNEXPECTED_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001348; sid: 5001348; rev:2;)
# AppFw cross-site-scripting violations: APPFW_XML_XSS for XML payloads and
# APPFW_XSS for the general check. Neither token contains the other, so a log
# line carrying one of them does not also match the other rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation in XML"; content: "APPFW_XML_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001349; sid: 5001349; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation"; content: "APPFW_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001350; sid: 5001350; rev:2;)
# NOTE(review): BODY_FRAG is described as a URL Transformation event on a
# response body, not an AppFw violation, yet it is enabled as
# web-application-attack. The token is short and matched as a bare substring
# with no program: constraint, so unrelated log text containing "BODY_FRAG"
# would also alert. Confirm the class and scope against CTX123875.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response body"; content: "BODY_FRAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001351; sid: 5001351; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush starts"; content: "CACHESTARTFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001352; sid: 5001352; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush is complete"; content: "CACHESTOPFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001353; sid: 5001353; rev:2;)
# SSLVPN client-security failures: CLISEC_CHECK (the check for a session
# failed) and CLISEC_EXP_EVAL (a client security expression evaluated to
# False). Both are classed unsuccessful-user.
# NOTE(review): neither rule sets parse_src_ip, so the alert's source address
# is presumably the log sender (the appliance) rather than the VPN client;
# read the client address from the log line itself when triaging.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed"; content: "CLISEC_CHECK"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001354; sid: 5001354; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False"; content: "CLISEC_EXP_EVAL"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001355; sid: 5001355; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler"; content: "CMD_EXECUTED"; classtype: system-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001356; sid: 5001356; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Completed reading the configuration from ns.conf file"; content: "CONFIGEND"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001357; sid: 5001357; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Read the configuration from ns.conf file"; content: "CONFIGSTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001358; sid: 5001358; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "CONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001359; sid: 5001359; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - TCP connection terminated"; content: "CONN_TERMINATE"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001360; sid: 5001360; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The input URL before rewriting"; content: "CVPN_INPUT_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001361; sid: 5001361; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The matched URL"; content: "CVPN_MATCHED_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001362; sid: 5001362; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - PCRE Error"; content: "CVPN_PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001363; sid: 5001363; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The rewritten URL"; content: "CVPN_REWRITTEN_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001364; sid: 5001364; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is down"; content: "DEVICEDOWN"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001365; sid: 5001365; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is out of service"; content: "DEVICEOFS"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001366; sid: 5001366; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is up"; content: "DEVICEUP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001367; sid: 5001367; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - After a user logs in the group for the user has been extracted"; content: "EXTRACTED_GROUPS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001368; sid: 5001368; rev:2;)
# NOTE(review): this rule is enabled although it is classed not-suspicious;
# the neighbouring not-suspicious events (5001368, 5001373) are commented out.
# Confirm it is meant to be active. With no after:/threshold: it alerts on
# every log line containing "FILE_REQUEST", and with no program: constraint
# that includes lines from sources other than NetScaler.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation profile invoked"; content: "FILE_REQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001369; sid: 5001369; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Bad memory is freed (internal error)"; content: "FREEBADMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001370; sid: 5001370; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Duplicate memory free occurs (internal error)"; content: "FREEDUPMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001371; sid: 5001371; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory is freed from a wrong pool (internal error)"; content: "FREEEXTMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001372; sid: 5001372; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A SSLVPN session receives a HTTP request"; content: "HTTPREQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001373; sid: 5001373; rev:2;)
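# Policy engine denied access to an HTTP resource (classed unsuccessful-user).
# rev 3: "HTTP_RESOURCEACCESS_DENIED" is a substring of
# "NONHTTP_RESOURCEACCESS_DENIED" (sid 5001391), so a non-HTTP denial used to
# raise this alert as well. The negated content keeps the two events apart so
# denial counts per resource type stay accurate.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A http resource access is denied by policy engine"; content: "HTTP_RESOURCEACCESS_DENIED"; content:!"NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001374; sid: 5001374; rev:3;)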
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application has terminated"; content: "ICAEND_CONNSTAT"; parse_src_ip: 1; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001375; sid: 5001375; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application launch has started"; content: "ICASTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001376; sid: 5001376; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN license limit reached"; content: "LICLMT_REACHED"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001377; sid: 5001377; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN login succeeds"; content: "LOGIN "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001378; sid: 5001378; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user"; content: "LOGIN_FAILED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001521; sid: 5001521; rev:2;)
# Brute-force detector for AAA login failures. It matches "AAA LOGIN_FAILED"
# and takes the source address from the log text (parse_src_ip: 1). The after:
# option holds the alert until the same source has produced 5 matches within
# 300 s. The threshold: type suppress option uses the same count and window,
# presumably to hold back repeat alerts for that source.
# default_proto/default_dst_port fill in tcp and $HTTPS_PORT for the alert
# record. When the rule fires, the xbit "brute_force" is set for the source IP
# and expires after 21600 s (6 h); no rule visible here reads it - presumably
# a correlation rule elsewhere does.
# NOTE(review): counting is per source address only, so this rule does not
# cover failures spread over many sources or spaced wider than the window.
# The single-failure rule (sid 5001521) is disabled, so such activity produces
# no alert from this file. If the log line carries no client address, the
# tracked source presumably falls back to the sending appliance - verify with
# a sample log.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5]"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; xbits: set,brute_force,track ip_src, expire 21600; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN session logs out."; content: "LOGOUT "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001380; sid: 5001380; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is down"; content: "MONITORDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001381; sid: 5001381; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service has hit threshold limit"; content: "MONITORTH"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001382; sid: 5001382; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is up"; content: "MONITORUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001383; sid: 5001383; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is in hung state"; content: "NICHANG"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001384; sid: 5001384; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is less than the min required"; content: "NICLOW_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001385; sid: 5001385; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface is bound or unbound from a channel"; content: "NICMIGRATE"; classtype: network-event ; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001386; sid: 5001386; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is equal or greater than the min required"; content: "NICNORMAL_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001387; sid: 5001387; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is reset"; content: "NICRESET"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001388; sid: 5001388; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is started"; content: "NICSTART"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001389; sid: 5001389; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is stopped"; content: "NICSTOP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001390; sid: 5001390; rev:2;)
# Enabled: the Netscaler policy engine denied access to a non-HTTP resource (classed unsuccessful-user).
# NOTE(review): the only match condition is the content token below; there is no program or
# facility constraint, so any log line carrying this token will alert. Confirm which sources feed
# this rule set.
# NOTE(review): sid 5001412 sets parse_src_ip. If the denial message carries a client address, the
# same option here would give the alert a source to triage and correlate on. Verify against
# sample logs before changing the rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A non-http resource access is denied by policy engine"; content: "NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001391; sid: 5001391; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with PID is being restarted"; content: "PB_PROCESS_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001393; sid: 5001393; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with pid has reached maximum number of restarts"; content: "PB_SYSTEM_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001394; sid: 5001394; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation regex error"; content: "PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001395; sid: 5001395; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID"; content: "PITBOSS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001396; sid: 5001396; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation fails"; content: "PROPFAIL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001397; sid: 5001397; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation is successful"; content: "PROPSUCCESS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001398; sid: 5001398; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a request header"; content: "REQ_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001399; sid: 5001399; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation parsing error"; content: "REQ_PARSE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001400; sid: 5001400; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation error in a request header"; content: "REQ_WRITE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001401; sid: 5001401; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response header"; content: "RESP_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001402; sid: 5001402; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is down"; content: "ROUTEDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001403; sid: 5001403; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is up"; content: "ROUTEUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001404; sid: 5001404; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Advertised"; content: "ROUTE_ADVERTISED"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001405; sid: 5001405; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA state change"; content: "ROUTE_HASTATE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001406; sid: 5001406; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Relearnt"; content: "ROUTE_RELEARN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001407; sid: 5001407; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Withdrawn"; content: "ROUTE_WITHDRAWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001408; sid: 5001408; rev:2;)
# Enabled: the appliance reports that an SSL certificate is close to expiry (classed system-event).
# Route this alert to whoever owns certificate renewal; the rule matches on the content token
# alone and does not identify which certificate is affected.
# NOTE(review): the companion SSL_CRL_UPDATE_FAILURE rule (sid 5001410) ships disabled. Where
# client-certificate validation depends on CRLs, a failed update means newer revocations are not
# seen, so consider enabling it for those deployments.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Certificate Expiry Imminent"; content: "SSL_CERT_EXPIRY_IMMINENT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001409; sid: 5001409; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Failure"; content: "SSL_CRL_UPDATE_FAILURE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001410; sid: 5001410; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Success"; content: "SSL_CRL_UPDATE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001411; sid: 5001411; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Failure"; content: "SSL_HANDSHAKE_FAILURE"; classtype: network-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001412; sid: 5001412; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate IssueName"; content: "SSL_HANDSHAKE_ISSUERNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001413; sid: 5001413; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate SubjectName"; content: "SSL_HANDSHAKE_SUBJECTNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001414; sid: 5001414; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Success"; content: "SSL_HANDSHAKE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001415; sid: 5001415; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - CPU started"; content: "STARTCPU"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001416; sid: 5001416; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration started"; content: "STARTSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001417; sid: 5001417; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System Started"; content: "STARTSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001418; sid: 5001418; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA State has changed"; content: "STATECHANGE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001419; sid: 5001419; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN and the group for the user has been extracted"; content: "STA_VALIDATE_RESP"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001420; sid: 5001420; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration has stopped"; content: "STOPSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001421; sid: 5001421; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System stopped"; content: "STOPSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001422; sid: 5001422; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logged TCP connection related information"; content: "TCPCONNSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001423; sid: 5001423; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - An SSLVPN connection timed out"; content: "TCPCONN_TIMEDOUT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001424; sid: 5001424; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - UDP flow"; content: "UDPFLOWSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001425; sid: 5001425; rev:2;)
# Disabled: the bare " UNKNOWN " content match also triggers on non-Citrix events
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unknown Error"; content: " UNKNOWN "; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001426; sid: 5001426; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to down"; content: "VIPRHIDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001427; sid: 5001427; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to up"; content: "VIPRHIUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001428; sid: 5001428; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRID6DOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001429; sid: 5001429; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRIDDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001430; sid: 5001430; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to INIT"; content: "VRIDINIT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001431; sid: 5001431; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to master"; content: "VRIDUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001432; sid: 5001432; rev:2;)