alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Citrix StoreFront XML Parsing Exception Response (CVE-2023-5914)"; flow:established,to_client; flowbits:isset,ET.Citrix.CVE_2023_5914; http.response_body; content:"System.Xml.XmlException"; pcre:"/^(?:(?!\x3c\x2fdiv\x3e).)+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]+|c(?:hange|lick)|(?:un)?load|focus|blur|error)|s(?:cript|tyle\x3d))/R"; http.cookie; content:"Citrix_AuthSvc|3d|"; content:"path=/Citrix/teststoreAuth"; fast_pattern; http.stat_code; content:"200"; reference:url,www.assetnote.io/resources/research/continuing-the-citrix-saga-cve-2023-5914-cve-2023-6184; classtype:web-application-attack; sid:2065779; rev:1; metadata:affected_product Citrix, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_14, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)