Signature
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NF - POLICY - Windows XP making Internet connection - IE 8 - Company Policy Violation"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:"MSIE 8.0"; nocase; http_header; content:"Windows NT 5.1"; nocase; http_header; fast_pattern:only; reference:url,networkforensic.dk; metadata:22072015; classtype:policy-violation; sid:5017401; rev:2;)
Recommendations/Investigative actions
Identify the source device: Locate the Windows XP machine initiating this connection, as it poses a security risk.
Block further internet access for this device: Restrict the device’s network access to prevent external communication and reduce its exposure.
Consider upgrading or isolating the device: Windows XP no longer receives security updates, so replace the operating system or move the device to a segmented network where it cannot reach the internet.
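To help with the first action (identifying the source device), the following added example (not part of the original page or the networkforensic.dk rule set) replays the signature's three header content matches over a constructed set of HTTP requests exported from a capture and returns the client addresses that would trigger sid 5017401. "Windows NT 5.1" is the version string Windows XP reports; the sample IP addresses and Host values are hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed sample of outbound HTTP requests: (source IP, raw request header block).
# Addresses and hostnames are hypothetical placeholders.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("10.0.0.15", "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n\r\n"),
    ("10.0.0.22", "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n\r\n"),
    # Mixed case: the rule's nocase modifiers still match this request.
    ("10.0.0.31", "GET /x HTTP/1.1\r\nHost: example.invalid\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; msie 8.0; windows nt 5.1)\r\n\r\n"),
    # No User-Agent header at all: the first content match fails, so no alert.
    ("10.0.0.40", "GET /y HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def header_block(raw_request: str) -> str:
    """Return only the header section, which is what the rule's http_header buffer covers."""
    return raw_request.split("\r\n\r\n", 1)[0]


def matches_xp_ie8(raw_request: str) -> bool:
    """Emulate the signature's content matches against the header buffer.

    content:"User-Agent|3a 20|" carries no nocase, so it is matched exactly
    ("User-Agent: "); "MSIE 8.0" and "Windows NT 5.1" carry nocase, so they
    are compared case-insensitively. All three must be present.
    """
    hdrs = header_block(raw_request)
    if "User-Agent: " not in hdrs:
        return False
    lowered = hdrs.lower()
    return "msie 8.0" in lowered and "windows nt 5.1" in lowered


def find_xp_sources(requests: List[Tuple[str, str]]) -> List[str]:
    """Source IPs that would trigger sid 5017401, deduplicated, in first-seen order."""
    seen: Dict[str, None] = {}
    for src_ip, raw in requests:
        if matches_xp_ie8(raw):
            seen.setdefault(src_ip, None)
    return list(seen)


if __name__ == "__main__":
    for ip in find_xp_sources(SAMPLE_REQUESTS):
        print(f"Windows XP / IE 8 client seen: {ip}")
```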
Relations to other alerts