File: citrix.rules

sagan-rules 1%3A20160923-0.1
# Sagan citrix.rules
# Copyright (c) 2009-2016, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Citrix appliances/devices/software


# Netscaler rules - 07/30/2012
# Champ Clark III

# Unfortunately,  Netscalers populate the "program" field with the system date :(
# We have to do a broad search for Netscaler event IDs.   Lame.

# URL Transformation events (sid 5001200-5001201).
# Both rules key on a single `content` token and carry no `program` filter, so any
# syslog message containing the token matches, whatever device or daemon sent it.
# NOTE(review): consider constraining these to known Netscaler senders at the
# input or routing layer to limit false positives; "ACTION_MATCH" in particular is
# a generic string, and the rule is classed not-suspicious yet still raises an alert.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action matched URL"; content: "ACTION_MATCH"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001200; sid: 5001200; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action didn't match URL"; content: "ACTION_MISMATCH"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001201; sid: 5001201; rev:1;)
# AppFw engine events keyed on "AF_*" tokens (sid 5001202-5001214): a generated
# 400 response, AppFw configuration additions/removals/bindings, and internal errors.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Request error. Generated 400 Response"; content: "AF_400_RESP"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001202; sid: 5001202; rev:1;)
# NOTE(review): the three AF_ADD_* rules below are classed suspicious-traffic, while
# the matching AF_RM_* and AF_BIND_* rules are classed configuration-change. The
# events look like the same kind of administrative action, so the add/remove pairs
# will be prioritised differently downstream; confirm whether that is intended.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add a confidential field"; content: "AF_ADD_CFFIELD"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001203; sid: 5001203; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw Field Type"; content: "AF_ADD_FIELDTYPE"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001204; sid: 5001204; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw profile"; content: "AF_ADD_PROFILE"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001205; sid: 5001205; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to HTML profile"; content: "AF_BIND_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001206; sid: 5001206; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to XML profile"; content: "AF_BIND_XML_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001207; sid: 5001207; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory allocation request failed"; content: "AF_MEMORY_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001208; sid: 5001208; rev:1;)
# Removal of AppFw protections (confidential field, field type, profile). These are
# the events to review when a WAF control disappears unexpectedly.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove a confidential field"; content: "AF_RM_CFFIELD"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001209; sid: 5001209; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an Appfw Field Type"; content: "AF_RM_FIELDTYPE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001210; sid: 5001210; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an AppFw profile"; content: "AF_RM_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001211; sid: 5001211; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Appsecure uthread a stack error"; content: "AF_UTHREAD_STACK_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001212; sid: 5001212; rev:1;)
# The two SNMP alarm rules below (sid 5001213, 5001214) ship commented out, so they
# are inactive; the file does not say why. Their sids stay reserved.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module stopped an alarm"; content: "ALERTENDED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001213; sid: 5001213; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module alarm"; content: "ALERTSTARTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001214; sid: 5001214; rev:1;)
# AppFw request-inspection violations keyed on "APPFW_*" tokens (sid 5001215-5001230).
# All are classed web-application-attack except the two policy-hit rules, which are
# not-suspicious.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in Cookie"; content: "APPFW_BUFFEROVERFLOW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001215; sid: 5001215; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers"; content: "APPFW_BUFFEROVERFLOW_HDR"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001216; sid: 5001216; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in URL"; content: "APPFW_BUFFEROVERFLOW_URL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001217; sid: 5001217; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Cookie Consistency violation"; content: "APPFW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001218; sid: 5001218; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw CSRF tag violation"; content: "APPFW_CSRF_TAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001219; sid: 5001219; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw DenyURL violation"; content: "APPFW_DENYURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001220; sid: 5001220; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Consistency violation"; content: "APPFW_FIELDCONSISTENCY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001221; sid: 5001221; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Format violation"; content: "APPFW_FIELDFORMAT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001222; sid: 5001222; rev:1;)
# NOTE(review): "APPFW_POLICY_HIT" is a prefix of "APPFW_POLICY_HIT_BUILTIN". If
# `content` matches as a substring, a built-in policy hit raises both 5001223 and
# 5001224; verify, and suppress or threshold one of them if duplicates are unwanted.
# Both are classed not-suspicious and may be high-volume on a busy appliance.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw profile invoked"; content: "APPFW_POLICY_HIT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001223; sid: 5001223; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw built-in profile invoked"; content: "APPFW_POLICY_HIT_BUILTIN"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001224; sid: 5001224; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Referer header violation"; content: "APPFW_REFERER_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001225; sid: 5001225; rev:1;)
# NOTE(review): same prefix overlap as above. "APPFW_SAFECOMMERCE" also occurs inside
# "APPFW_SAFECOMMERCE_XFORM", so a transformed event presumably triggers 5001226 as
# well as 5001227.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation"; content: "APPFW_SAFECOMMERCE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001226; sid: 5001226; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed"; content: "APPFW_SAFECOMMERCE_XFORM"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001227; sid: 5001227; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Object violation"; content: "APPFW_SAFEOBJECT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001228; sid: 5001228; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation"; content: "APPFW_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001229; sid: 5001229; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw StartURL violation"; content: "APPFW_STARTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001230; sid: 5001230; rev:1;)
# AppFw XML attachment events keyed on "APPFW_XML_ATTACHMENT_*" tokens
# (sid 5001231-5001237). Every active rule here is classed web-application-attack,
# including 5001237, whose message only reports that an attachment was found.
# NOTE(review): confirm whether that informational event deserves attack priority.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Boundary mismatch in mime message"; content: "APPFW_XML_ATTACHMENT_ERR_BOUNDARY_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001231; sid: 5001231; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message"; content: "APPFW_XML_ATTACHMENT_ERR_CALLBACK_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001232; sid: 5001232; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type"; content: "APPFW_XML_ATTACHMENT_ERR_CONTENT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001233; sid: 5001233; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - String is supposed to be MIME Header. But it is not according to the format of Mime Header HeaderName:HeaderValue"; content: "APPFW_XML_ATTACHMENT_ERR_INVALIDHEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001234; sid: 5001234; rev:1;)
# Rule 5001235 ships commented out (inactive). Its token, "..._ERR_INVALID_HEADER",
# differs from 5001234's "..._ERR_INVALIDHEADER" only by an underscore, so the two
# are distinct strings; with this rule disabled the INVALID_HEADER event is not
# alerted on by this file section.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)'"; content: "APPFW_XML_ATTACHMENT_ERR_INVALID_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001235; sid: 5001235; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size"; content: "APPFW_XML_ATTACHMENT_ERR_MAX_SIZE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001236; sid: 5001236; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attachment Found in the XML Message"; content: "APPFW_XML_ATTACHMENT_FOUND"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001237; sid: 5001237; rev:1;)
# AppFw XML denial-of-service checks keyed on "APPFW_XML_DDOS_*" / "APPFW_XML_DOS_*"
# tokens (sid 5001238-5001257). All are classed attempted-dos.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Send Fail Error"; content: "APPFW_XML_DDOS_ERR_MSG_SEND_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001238; sid: 5001238; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max character data length"; content: "APPFW_XML_DOS_ERR_CHAR_DATA_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001239; sid: 5001239; rev:1;)
# NOTE(review): the DTD and external-entity rules follow the token name and are
# classed attempted-dos. Events of this kind can also accompany XML external entity
# (XXE) probing, so triage should not assume the impact is limited to availability.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - DTD present in the XML message"; content: "APPFW_XML_DOS_ERR_DTD"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001240; sid: 5001240; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - External entities present in the XML message"; content: "APPFW_XML_DOS_ERR_EXT_ENTITY"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001241; sid: 5001241; rev:1;)
# NOTE(review): "APPFW_XML_DOS_ERR_MAX" is a prefix of every "APPFW_XML_DOS_ERR_MAX_*"
# token below. If `content` matches as a substring, rule 5001242 fires alongside each
# of the more specific MAX_* rules; verify, and threshold or suppress it if the
# duplicate alert is not wanted.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DoS Maximum Error"; content: "APPFW_XML_DOS_ERR_MAX"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001242; sid: 5001242; rev:1;)
# NOTE(review): the next rule cites article CTX123876, while the other rules shown
# in this file cite CTX123875. Possibly a typo in the reference; confirm before relying on it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum attributes per element"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123876; reference: url,wiki.quadrantsec.com/bin/view/Main/5001243; sid: 5001243; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element an attribute exceeds maximum name length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001244; sid: 5001244; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element attribute exceeds maximum attribute value length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_VALUE_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001245; sid: 5001245; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum elements per message"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENTS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001246; sid: 5001246; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Parent of element exceed maximum children"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_CHILDREN"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001247; sid: 5001247; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element depth"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001248; sid: 5001248; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element name length"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001249; sid: 5001249; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max number of entity expansions"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSIONS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001250; sid: 5001250; rev:1;)
# Rule 5001251 (entity expansion depth) ships commented out, so that event is only
# caught by the generic 5001242 prefix rule, if at all.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max entity expansion depth"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSION_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001251; sid: 5001251; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size exceeds max size"; content: "APPFW_XML_DOS_ERR_MAX_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001252; sid: 5001252; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum active namespaces"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001253; sid: 5001253; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - In element a namespace exceeds maximum URI length"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACEURI_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001254; sid: 5001254; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Node exceeds maximum nodes per message"; content: "APPFW_XML_DOS_ERR_MAX_NODES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001255; sid: 5001255; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size less than min size"; content: "APPFW_XML_DOS_ERR_MIN_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001256; sid: 5001256; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Processing instructions present in the XML message"; content: "APPFW_XML_DOS_ERR_PI"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001257; sid: 5001257; rev:1;)
# AppFw XML engine errors (APPFW_XML_ERR_*), first part. By their msg text these describe failures
# inside the appliance (environment, hash table, tokenizer, files, memory), not request properties.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal error"; content: "APPFW_XML_ERR_CUSTOM"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001258; sid: 5001258; rev:1;)
# NOTE(review): sids 5001259-5001263 are classed attempted-dos, yet their msg text describes
# connect, socket, install-path and config-file failures. If they are operational faults rather
# than attack indicators they will inflate DoS counts in triage -- confirm against CTX123875.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed"; content: "APPFW_XML_ERR_DDOS_CONNECT_TO_SERVER_FAILED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001259; sid: 5001259; rev:1;)
# NOTE(review): content spells INTERATION while msg says "Interaction". The match is a literal
# substring, so verify which spelling the appliance actually logs; if it differs, this rule
# never fires.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed"; content: "APPFW_XML_ERR_DDOS_INTERATION_SOCKET_OPEN_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001260; sid: 5001260; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Invalid Config File"; content: "APPFW_XML_ERR_DDOS_INVALID_CONFIG_FILE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001261; sid: 5001261; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path"; content: "APPFW_XML_ERR_DDOS_NO_FOLDER_INSTALLATION_PATH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001262; sid: 5001262; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File"; content: "APPFW_XML_ERR_DDOS_OPEN_CONFIG_FILE_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001263; sid: 5001263; rev:1;)
# Of the attempted-dos rules in this run, sid 5001264 is the one whose msg reports a
# denial-of-service condition itself.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Denial of Service Error"; content: "APPFW_XML_ERR_DOS_TRIGGERED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001264; sid: 5001264; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Environment variable QTHOME not set"; content: "APPFW_XML_ERR_ENV_NOT_SET"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001265; sid: 5001265; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems inserting a namespace into the hash table"; content: "APPFW_XML_ERR_HASH_INSERT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001266; sid: 5001266; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems getting the key of a namespace from the hash table"; content: "APPFW_XML_ERR_HASH_LOOKUP"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001267; sid: 5001267; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to initialize XML tokenizer"; content: "APPFW_XML_ERR_INITIALIZING_TOKENIZER"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001268; sid: 5001268; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to open the file"; content: "APPFW_XML_ERR_INVALID_FILE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001269; sid: 5001269; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal State Invalid"; content: "APPFW_XML_ERR_INVALID_STATE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001270; sid: 5001270; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid XPath"; content: "APPFW_XML_ERR_INVALID_XPATH"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001271; sid: 5001271; rev:1;)
# Low memory is classed hardware-event. If it shows up alongside the DoS-limit sids it may point
# to resource pressure on the appliance -- an inference, not something the rule itself checks.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Low memory"; content: "APPFW_XML_ERR_LOW_MEMORY"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001272; sid: 5001272; rev:1;)
# AppFw XML engine errors (APPFW_XML_ERR_*), second part: every rule here is classed
# web-application-attack. Some msg texts describe a malformed or rejected message (sids 5001273-
# 5001275, 5001278, 5001283-5001285); others describe engine-side problems (callback registration,
# read failure, stream push/pop: sids 5001277, 5001279, 5001281, 5001282).
# NOTE(review): the engine-side ones may be better treated as program-error during triage --
# confirm against CTX123875 before relying on the classtype for prioritisation.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Malformed address"; content: "APPFW_XML_ERR_MALFORMED_ADDRESS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001273; sid: 5001273; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message is not a well-formed XML"; content: "APPFW_XML_ERR_NOT_WELLFORMED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001274; sid: 5001274; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid"; content: "APPFW_XML_ERR_NO_ATTACHMENT_BOUNDARY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001275; sid: 5001275; rev:1;)
# NOTE(review): this msg states what the engine supports (SwA and MTOM) rather than what went
# wrong; the event name (ERR_NO_DIME) suggests a DIME attachment was rejected -- presumably, verify.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments"; content: "APPFW_XML_ERR_NO_DIME"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001276; sid: 5001276; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems registering callbacks for operations"; content: "APPFW_XML_ERR_OPERATION_CALLBACK"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001277; sid: 5001277; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix length exceeded"; content: "APPFW_XML_ERR_PREFIX_LENGTH_EXCEEDED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001278; sid: 5001278; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Read Failure"; content: "APPFW_XML_ERR_READ_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001279; sid: 5001279; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message contains SOAP Fault"; content: "APPFW_XML_ERR_SOAP_FAULT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001280; sid: 5001280; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during pop of the node out of the XML stream"; content: "APPFW_XML_ERR_STREAM_POP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001281; sid: 5001281; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during push of the node into the XML stream"; content: "APPFW_XML_ERR_STREAM_PUSH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001282; sid: 5001282; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port in address is greater than 65535"; content: "APPFW_XML_ERR_UNSUPPORTED_PORT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001283; sid: 5001283; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unsupported protocol"; content: "APPFW_XML_ERR_UNSUPPORTED_PROTOCOL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001284; sid: 5001284; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Failed"; content: "APPFW_XML_ERR_VALIDATION_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001285; sid: 5001285; rev:1;)
# Packet-processing NULL-pointer conditions (APPFW_XML_PACKET_PROCESSING_ERR_*).
# NOTE(review): all three are classed web-application-attack although the msg text describes
# NULL internal structures (sid 5001287 says "Internal error" outright). Treat a hit as an
# appliance fault first; whether crafted input can cause it is not something this file shows.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Context is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001286; sid: 5001286; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Context user state is NULL - Internal error"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_STATE_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001287; sid: 5001287; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message config struct is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_MESSAGE_CONFIG_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001288; sid: 5001288; rev:1;)
# Per its msg, sid 5001289 fires when SOAP Fault contents are written to the audit log. Those log
# lines may carry application data -- presumably; handle the forwarded syslog stream accordingly.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log"; content: "APPFW_XML_SOAP_FAULT_CONTENTS"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001289; sid: 5001289; rev:1;)
# SQL injection violation reported by AppFw for an XML request. The rule matches the event name
# only: it does not look at whether the appliance blocked the request or merely logged it, and it
# sets no parse_src_ip, so the offending client has to be read from the raw log line.
# The content is a short token; it would also match any longer event name that begins with
# APPFW_XML_SQL, should the appliance emit one (none appears among the rules shown here).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation in XML"; content: "APPFW_XML_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001290; sid: 5001290; rev:1;)
# Schema/WSDL/SOAP validation events (APPFW_XML_VALIDATION_ERR_*). Two kinds are mixed here:
#   - message-level failures (a request did not satisfy the schema or SOAP structure), classed
#     web-application-attack;
#   - engine or artefact problems (corrupt compiled WSDL/schema, engine load/init), classed
#     program-error.
# A legitimate client built against an outdated schema produces the same message-level events as
# a hostile one, so these sids are best read as a volume/trend signal per service, not as
# proof of attack on a single hit.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract element"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001291; sid: 5001291; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract type"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001292; sid: 5001292; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Additional soap header present in soap message"; content: "APPFW_XML_VALIDATION_ERR_ADDHEADERS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001293; sid: 5001293; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute appears more than once in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MAX_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001294; sid: 5001294; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Required attribute missing in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MIN_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001295; sid: 5001295; rev:1;)
# NOTE(review): sids 5001296 and 5001298 carry the same msg ("Compiled WSDL file is corrupt")
# for two different event names; tell them apart by sid, not by alert text.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001296; sid: 5001296; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Content model of element not satisfied"; content: "APPFW_XML_VALIDATION_ERR_CONTENT_MODEL_VIOLATED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001297; sid: 5001297; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001298; sid: 5001298; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error compiling the schema"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_SCHEMA"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001299; sid: 5001299; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Initialization of the data type engine failed"; content: "APPFW_XML_VALIDATION_ERR_DATATYPE_ENGINE_INIT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001300; sid: 5001300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Internal corruption of WSDL in-memory structure"; content: "APPFW_XML_VALIDATION_ERR_INTERNAL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001301; sid: 5001301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001302; sid: 5001302; rev:1;)
# NOTE(review): msg describes an invalid *configuration* for SOAP validation, yet the classtype
# is web-application-attack; likely an administrative fault -- confirm.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid configuration for soap validation"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMBINATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001303; sid: 5001303; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open compiled WSDL"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001304; sid: 5001304; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element has invalid content model"; content: "APPFW_XML_VALIDATION_ERR_INVALID_CONTENT_MODEL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001305; sid: 5001305; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Data type is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001306; sid: 5001306; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001307; sid: 5001307; rev:1;)
# NOTE(review): "Not able to open the file" is classed web-application-attack here, while the
# similarly worded sid 5001269 (APPFW_XML_ERR_INVALID_FILE) is program-error -- inconsistent.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open the file"; content: "APPFW_XML_VALIDATION_ERR_INVALID_FILE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001308; sid: 5001308; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Did not get expected type for element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_TYPE_SUBSTITUTION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001309; sid: 5001309; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to load validation engine"; content: "APPFW_XML_VALIDATION_ERR_LOADING"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001310; sid: 5001310; rev:1;)
# The content below is a bare prefix (…_ERR_MAX); as a substring match it would also fire on any
# longer event name starting with it, if the appliance logs one.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Max Error"; content: "APPFW_XML_VALIDATION_ERR_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001311; sid: 5001311; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Service URL is not present or NULL"; content: "APPFW_XML_VALIDATION_ERR_NOSERVICEURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001312; sid: 5001312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Feature not supported"; content: "APPFW_XML_VALIDATION_ERR_NOT_SUPPORTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001313; sid: 5001313; rev:1;)
# Validator stack conditions: pop from an empty stack and recursion beyond the allowed depth
# (per the msg text of sids 5001314 and 5001315).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Trying to pop from an empty stack"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001314; sid: 5001314; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Level of recursion more than maximum allowed depth"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_OVERFLOW"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001315; sid: 5001315; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request"; content: "APPFW_XML_VALIDATION_ERR_SOAPBODY_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001316; sid: 5001316; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Body structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_BODY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001317; sid: 5001317; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Envelope structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_ENVELOPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001318; sid: 5001318; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Header structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001319; sid: 5001319; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix is unbounded"; content: "APPFW_XML_VALIDATION_ERR_UNBOUNDED_PREFIX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001320; sid: 5001320; rev:1;)
# Nil-handling validation events (APPFW_XML_VALIDATION_LOAD_ERR_*).
# NOTE(review): sid 5001322's msg ("Element is nil") omits what the event name says
# (NIL_WITH_CONTENTS); presumably the element was declared nil yet carried contents -- verify.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot be nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_CONTENTS_CANNOT_BE_NIL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001321; sid: 5001321; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element is nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_NIL_WITH_CONTENTS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001322; sid: 5001322; rev:1;)
# Validator load events (APPFW_XML_VALIDATOR_LOAD_ERR_*): value, facet, list-length and schema
# node checks are classed web-application-attack; load and compilation failures (sids 5001326,
# 5001334, 5001336, 5001337) are classed program-error.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_DATATYPE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001323; sid: 5001323; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot appear at this location"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_LOCATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001324; sid: 5001324; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Facet mismatch"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FACET_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001325; sid: 5001325; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validator Load Failed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FAILED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001326; sid: 5001326; rev:1;)
# NOTE(review): msg below ends at "Attribute has invalid" -- it looks truncated (the event name
# is INVALID_ATTRIBUTE_VALUE). Left as-is because msg is the text emitted in alerts.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute has invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_ATTRIBUTE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001327; sid: 5001327; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001328; sid: 5001328; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema node type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_SCHEMA_NODE_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001329; sid: 5001329; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Value does not match FIXED constraint"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_VALUE_FOR_FIXED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001330; sid: 5001330; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is greater than max allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_GT_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001331; sid: 5001331; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_INVALID"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001332; sid: 5001332; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is lesser than min allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_LT_MIN"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001333; sid: 5001333; rev:1;)
# The content below is a bare prefix (…_LOAD_ERR_MAX); as a substring match it would also fire
# on any longer event name starting with it, if the appliance logs one.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Maximum Load Error"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_MAX"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001334; sid: 5001334; rev:1;)
# NOTE(review): "require" in the msg below is presumably meant to be "required".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Missing require attribute in element"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_REQUIRED_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001335; sid: 5001335; rev:1;)
# Per the msg text, the next two events mean an error code in the compiled schema/WSDL "is being
# ignored". If validation proceeds on a flawed artefact, enforcement may be weaker than
# configured -- an inference from the wording; check the deployed schema/WSDL when these fire.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled Schema is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_SCHEMA_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001336; sid: 5001336; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled WSDL is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_WSDL_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001337; sid: 5001337; rev:1;)
# WS-I related events (APPFW_XML_WSI_ERR_*). The msg texts mostly report NULL or missing
# deployment data (context, list, port URL, resource id); classtype alternates between
# web-application-attack and program-error without a pattern visible in this file.
# NOTE(review): confirm against CTX123875 which of these can be caused by a request.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI Internal Context NULL"; content: "APPFW_XML_WSI_ERR_CTXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001338; sid: 5001338; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI HTTP Error"; content: "APPFW_XML_WSI_ERR_HTTP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001339; sid: 5001339; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Resource id of deployment is NULL"; content: "APPFW_XML_WSI_ERR_NODEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001340; sid: 5001340; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port URL is NULL"; content: "APPFW_XML_WSI_ERR_NOPORTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001341; sid: 5001341; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Deployed resource is not WSDL"; content: "APPFW_XML_WSI_ERR_NOWSDLDEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001342; sid: 5001342; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI List Null"; content: "APPFW_XML_WSI_ERR_WSI_LIST_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001343; sid: 5001343; rev:1;)
# XSD compilation events (APPFW_XML_XSD_COMPILE_*), all classed program-error: initialization,
# load, parse and unexpected-exception failures while compiling a schema. Presumably these occur
# when a schema is deployed or changed; the rules themselves do not show when they are emitted.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during initialization"; content: "APPFW_XML_XSD_COMPILE_INIT_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001344; sid: 5001344; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile"; content: "APPFW_XML_XSD_COMPILE_LOADXSD_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001345; sid: 5001345; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - No XSModel to print"; content: "APPFW_XML_XSD_COMPILE_NOMODEL_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001346; sid: 5001346; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during parsing"; content: "APPFW_XML_XSD_COMPILE_PARSE_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001347; sid: 5001347; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unexpected exception during parsing"; content: "APPFW_XML_XSD_COMPILE_UNEXPECTED_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001348; sid: 5001348; rev:1;)
# Cross-site scripting violations reported by AppFw: in XML payloads (sid 5001349) and in general
# (sid 5001350). The two content strings do not overlap ("APPFW_XSS" is not a substring of
# "APPFW_XML_XSS"), so one log line triggers one of them, not both.
# Both match the event name only: they do not look at whether the appliance blocked the request,
# and with no parse_src_ip set the offending client has to be read from the raw log line.
# "APPFW_XSS" is a short token with no program: filter, so any log source containing it matches.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation in XML"; content: "APPFW_XML_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001349; sid: 5001349; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation"; content: "APPFW_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001350; sid: 5001350; rev:1;)
# Non-AppFw events. The content strings here are short, generic tokens (BODY_FRAG,
# CACHESTARTFLUSH, ...) and no rule sets program:, so a message from any other log source that
# happens to contain the token raises a "[CITRIX]" alert. Scope these to the NetScaler's log
# source locally if other devices share the same Sagan instance.
# NOTE(review): sid 5001351's msg describes a URL transformation in a response body, yet it is
# classed web-application-attack; confirm whether this is an attack indicator or routine rewriting.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response body"; content: "BODY_FRAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001351; sid: 5001351; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush starts"; content: "CACHESTARTFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001352; sid: 5001352; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush is complete"; content: "CACHESTOPFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001353; sid: 5001353; rev:1;)
# SSL VPN client security checks (classtype unsuccessful-user): per the msg text, the endpoint
# check for a session failed or the client security expression evaluated to False. A single hit
# can be a non-compliant but legitimate endpoint; repeated hits for one account are worth
# correlating with authentication logs.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed"; content: "CLISEC_CHECK"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001354; sid: 5001354; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False"; content: "CLISEC_EXP_EVAL"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001355; sid: 5001355; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler"; content: "CMD_EXECUTED"; classtype: system-event;  parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001356; sid: 5001356; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Completed reading the configuration from ns.conf file"; content: "CONFIGEND"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001357; sid: 5001357; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Read the configuration from ns.conf file"; content: "CONFIGSTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001358; sid: 5001358; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "CONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001359; sid: 5001359; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - TCP connection terminated"; content: "CONN_TERMINATE"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001360; sid: 5001360; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The input URL before rewriting"; content: "CVPN_INPUT_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001361; sid: 5001361; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The matched URL"; content: "CVPN_MATCHED_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001362; sid: 5001362; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - PCRE Error"; content: "CVPN_PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001363; sid: 5001363; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The rewritten URL"; content: "CVPN_REWRITTEN_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001364; sid: 5001364; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is down"; content: "DEVICEDOWN"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001365; sid: 5001365; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is out of service"; content: "DEVICEOFS"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001366; sid: 5001366; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is up"; content: "DEVICEUP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001367; sid: 5001367; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - After a user logs in the group for the user has been extracted"; content: "EXTRACTED_GROUPS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001368; sid: 5001368; rev:1;)
# URL Transformation profile invocation (not-suspicious) and three internal
# memory-management errors: bad free, duplicate free, free from the wrong pool.
# NOTE(review): 5001369 is enabled although it is classed not-suspicious;
# expect routine volume wherever URL Transformation profiles are in use.
# NOTE(review): the FREE*MEM messages describe internal errors but are classed
# hardware-event. Memory faults on an edge appliance are worth triaging as
# software defects; consider whether program-error (used by the PCRE and parse
# error rules in this file) is the better class.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation profile invoked"; content: "FILE_REQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001369; sid: 5001369; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Bad memory is freed (internal error)"; content: "FREEBADMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001370; sid: 5001370; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Duplicate memory free occurs (internal error)"; content: "FREEDUPMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001371; sid: 5001371; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory is freed from a wrong pool (internal error)"; content: "FREEEXTMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001372; sid: 5001372; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A SSLVPN session receives a HTTP request"; content: "HTTPREQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001373; sid: 5001373; rev:1;)
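# Policy engine denied access to an HTTP resource.
# The token HTTP_RESOURCEACCESS_DENIED is also the tail of
# NONHTTP_RESOURCEACCESS_DENIED (sid 5001391). With the positive content alone,
# every non-HTTP denial also raised this alert, duplicated and mislabeled as an
# HTTP denial. The negated content excludes those messages.
# rev is left as shipped; bump it on merge if your rule management keys on rev.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A http resource access is denied by policy engine"; content: "HTTP_RESOURCEACCESS_DENIED"; content:!"NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001374; sid: 5001374; rev:1;)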
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application has terminated"; content: "ICAEND_CONNSTAT"; parse_src_ip: 1; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001375; sid: 5001375; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application launch has started"; content: "ICASTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001376; sid: 5001376; rev:1;)
# SSLVPN license limit reached (system-event).
# NOTE(review): presumably further VPN sessions are refused once this fires,
# which makes it an availability signal; verify against the Citrix article
# referenced in the rule.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN license limit reached"; content: "LICLMT_REACHED"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001377; sid: 5001377; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN login succeeds"; content: "LOGIN "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001378; sid: 5001378; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user"; content: "LOGIN_FAILED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001521; sid: 5001521; rev:1;)
# AAA login-failure brute-force detection. Unlike the other rules in this
# section, the header is "alert tcp ... $HTTPS_PORT" rather than
# "alert syslog ... any".
#   parse_src_ip: 1  - take the source address from the message text (position 1)
#   after            - alert only after 5 matches from one source within 300 seconds
#   threshold        - limit alerts to 5 per source per 300 seconds
#   flowbits         - set the "brute_force" flowbit with a value of 21600
#   fwsam            - request a block of the source for 1 day
# NOTE(review): the after/threshold tracking and the one-day block all key on the
# address parse_src_ip extracts. Check against a sample LOGIN_FAILED message that
# position 1 is the client address and not an address belonging to the appliance.
# Consider allow-listing known shared egress addresses (NAT, proxies) in the
# blocking backend, since five failed logins in five minutes from a shared
# address locks out every user behind it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5]"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; flowbits: set,brute_force,21600; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:6;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN session logs out."; content: "LOGOUT "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001380; sid: 5001380; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is down"; content: "MONITORDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001381; sid: 5001381; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service has hit threshold limit"; content: "MONITORTH"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001382; sid: 5001382; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is up"; content: "MONITORUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001383; sid: 5001383; rev:1;)
# Network interface health: hung interface (hardware-event), throughput below
# and back at/above the configured minimum, and channel bind/unbind
# (network-event).
# 5001387 alerts on the recovery condition as well as 5001385 on the fault, so
# each throughput dip produces a pair of alerts.
# NOTE(review): 5001386 has a stray space before the semicolon in
# "classtype: network-event ;". Confirm the parser trims it, otherwise the
# classtype may not resolve.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is in hung state"; content: "NICHANG"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001384; sid: 5001384; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is less than the min required"; content: "NICLOW_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001385; sid: 5001385; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface is bound or unbound from a channel"; content: "NICMIGRATE"; classtype: network-event ; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001386; sid: 5001386; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is equal or greater than the min required"; content: "NICNORMAL_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001387; sid: 5001387; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is reset"; content: "NICRESET"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001388; sid: 5001388; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is started"; content: "NICSTART"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001389; sid: 5001389; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is stopped"; content: "NICSTOP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001390; sid: 5001390; rev:1;)
# Policy engine denied access to a non-HTTP resource.
# This token ends in HTTP_RESOURCEACCESS_DENIED, so any rule that matches on
# that shorter token without excluding this one fires on the same log line.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A non-http resource access is denied by policy engine"; content: "NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001391; sid: 5001391; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with PID is being restarted"; content: "PB_PROCESS_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001393; sid: 5001393; rev:1;)
# Process supervision (restart limit reached, Pitboss watch changes), URL
# Transformation regex errors, and HA propagation failure.
# NOTE(review): the content "PCRE_ERROR" in 5001395 is also contained in
# "CVPN_PCRE_ERROR". The dedicated rule for that token (5001363) is commented
# out in this file, so those events are reported under the URL Transformation
# message here.
# NOTE(review): "PITBOSS" and "PROPFAIL" are bare tokens with no program: or
# other source constraint; check for collisions with logs from other devices
# sent to the same Sagan instance.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with pid has reached maximum number of restarts"; content: "PB_SYSTEM_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001394; sid: 5001394; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation regex error"; content: "PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001395; sid: 5001395; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID"; content: "PITBOSS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001396; sid: 5001396; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation fails"; content: "PROPFAIL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001397; sid: 5001397; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation is successful"; content: "PROPSUCCESS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001398; sid: 5001398; rev:1;)
# URL Transformation activity in request/response headers (not-suspicious) and
# its parsing / header-write errors (program-error).
# NOTE(review): "REQ_HEADER" and "RESP_HEADER" are short, generic tokens matched
# anywhere in any syslog message. With no program: or other source constraint,
# these enabled rules can fire on logs from other products.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a request header"; content: "REQ_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001399; sid: 5001399; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation parsing error"; content: "REQ_PARSE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001400; sid: 5001400; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation error in a request header"; content: "REQ_WRITE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001401; sid: 5001401; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response header"; content: "RESP_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001402; sid: 5001402; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is down"; content: "ROUTEDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001403; sid: 5001403; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is up"; content: "ROUTEUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001404; sid: 5001404; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Advertised"; content: "ROUTE_ADVERTISED"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001405; sid: 5001405; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA state change"; content: "ROUTE_HASTATE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001406; sid: 5001406; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Relearnt"; content: "ROUTE_RELEARN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001407; sid: 5001407; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Withdrawn"; content: "ROUTE_WITHDRAWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001408; sid: 5001408; rev:1;)
# SSL certificate on the appliance is close to expiry (system-event).
# NOTE(review): the companion rule for CRL update failures (5001410) is
# commented out in this file. If the deployment relies on CRLs for client
# certificate revocation, a failed update may leave revocation data stale;
# consider enabling that rule alongside this one.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Certificate Expiry Imminent"; content: "SSL_CERT_EXPIRY_IMMINENT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001409; sid: 5001409; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Failure"; content: "SSL_CRL_UPDATE_FAILURE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001410; sid: 5001410; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Success"; content: "SSL_CRL_UPDATE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001411; sid: 5001411; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Failure"; content: "SSL_HANDSHAKE_FAILURE"; classtype: network-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001412; sid: 5001412; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate IssueName"; content: "SSL_HANDSHAKE_ISSUERNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001413; sid: 5001413; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate SubjectName"; content: "SSL_HANDSHAKE_SUBJECTNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001414; sid: 5001414; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Success"; content: "SSL_HANDSHAKE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001415; sid: 5001415; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - CPU started"; content: "STARTCPU"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001416; sid: 5001416; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration started"; content: "STARTSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001417; sid: 5001417; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System Started"; content: "STARTSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001418; sid: 5001418; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA State has changed"; content: "STATECHANGE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001419; sid: 5001419; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN and the group for the user has been extracted"; content: "STA_VALIDATE_RESP"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001420; sid: 5001420; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration has stopped"; content: "STOPSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001421; sid: 5001421; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System stopped"; content: "STOPSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001422; sid: 5001422; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logged TCP connection related information"; content: "TCPCONNSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001423; sid: 5001423; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - An SSLVPN connection timed out"; content: "TCPCONN_TIMEDOUT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001424; sid: 5001424; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - UDP flow"; content: "UDPFLOWSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001425; sid: 5001425; rev:1;)

# Disabled: the " UNKNOWN " content is not specific to Citrix and also triggers on non-Citrix events.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unknown Error"; content: " UNKNOWN "; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001426; sid: 5001426; rev:1;)

#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to down"; content: "VIPRHIDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001427; sid: 5001427; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to up"; content: "VIPRHIUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001428; sid: 5001428; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRID6DOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001429; sid: 5001429; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRIDDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001430; sid: 5001430; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to INIT"; content: "VRIDINIT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001431; sid: 5001431; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to master"; content: "VRIDUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001432; sid: 5001432; rev:1;)