alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Netscaler SAML IDP Memory Overread (CVE-2026-3055) M1"; flow:established,to_server; flowbits:set,ET.Citrix_NS.CVE_2026_3055; http.method; content:"POST"; http.uri; content:"/saml/login"; fast_pattern; http.request_body; content:"SAMLRequest|3d|"; base64_decode:relative; base64_data; content:"samlp:AuthnRequest"; content:"Destination|3d|"; content:"ProtocolBinding|3d 22|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|22|"; reference:url,labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/; reference:cve,2026-3055; classtype:web-application-attack; sid:2068631; rev:1; metadata:affected_product Citrix, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_08, cve CVE_2026_3055, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2026_04_08; target:dest_ip;)