alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Niagara Workbench Anti-CSRF Token Disclosure (CVE-2025-3943)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:12; content:"/csp-reports"; http.cookie; content:"niagara_userid|3d|"; http.request_body; content:"/refresh$3ftoken$3"; fast_pattern; reference:url,www.nozominetworks.com/blog/critical-vulnerabilities-found-in-tridium-niagara-framework; reference:cve,2025-3943; classtype:web-application-activity; sid:2063844; rev:1; metadata:attack_target Server, created_at 2025_07_31, cve CVE_2025_3943, deployment Perimeter, deployment Internal, confidence High, signature_severity Minor, updated_at 2025_07_31, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;)