id: citrix-honeypot-detect

info:
  name: Citrix Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A Citrix honeypot has been identified.
    The HTTP response reveals a possible setup of the Citrix web application honeypot.
  metadata:
    verified: true
    max-request: 1
    vendor: citrix
    product: citrix
    shodan-query:
      - http.title:“Citrix Login”
      - http.title:“citrix login”
    fofa-query: title=“citrix login”
    google-query: intitle:“citrix login”
  tags: citrix,honeypot,ir,cti

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'len(body)<2000'

      - type: word
        part: body
        words:
          - "<title>Citrix Login</title>"

      - type: word
        part: body
        words:
          - "In order to use our services, you must agree to Citrix's Terms of Service."
        negative: true
# digest: 4b0a00483046022100a0b42801a31e87ed0094775d9c9adabdeddbf7f0cd374a21b9eeda54a64aeeb5022100d3065beadb35ba731702b6966f257bdb56e35aea22133e8f89de7fb7b11b2088:922c64590222798bb761d5b6d8e72950