alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-4966.LeakAttempt; http.stat_code; content:"200"; http.content_type; content:"application/json"; startswith; http.response_body; content:"|7b 22|issuer|22 3a 20 22|http"; startswith; fast_pattern; content:!"|22 2c 20 22|authorization_endpoint"; within:20000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:successful-admin; sid:2048932; rev:1; metadata:attack_target Web_Server, created_at 2023_10_29, cve CVE_2023_4966, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_29, reviewed_at 2023_10_29, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:src_ip;)