NF – ISAKMP VPN Connection setup from host to outbound destination – Windows 8 / 8.1 – Windows Server 2012 / 2012 R2 – Windows 10 – Windows Server 2016

This alert is triggered when a host inside $HOME_NET sends an ISAKMP (IKEv1) packet from UDP port 500 to UDP port 500 on an external destination, i.e. when it starts setting up an IPsec VPN tunnel to the outside. ISAKMP on UDP/500 is the key exchange used by IPsec VPNs, and this signature specifically flags Windows 8 / 8.1, Server 2012 / 2012 R2, Windows 10 and Server 2016 systems initiating such a connection. Note that the rule keys only on the port pair and a short, un-anchored content match (no offset or depth), so an unrelated UDP/500 datagram that happens to contain those four bytes will also fire it; confirm the payload is a genuine ISAKMP header before escalating.

Categories:

ID Number

5027207

Signature

alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"NF - ISAKMP VPN Connection setup from host to outbound destination - Windows 8 / 8.1 - Windows Server 2012 / 2012 R2 - Windows 10 - Windows Server 2016"; content:"|00 00 00 09|"; reference:url,networkforensic.dk; metadata:29112018; classtype:policy-violation; sid:5027207; rev:1;)
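The following is an added example, not code from the networkforensic.dk page or rule set. It re-implements the matching logic of sid 5027207 offline (direction, port pair, un-anchored content match) and then decodes the 28-byte ISAKMP header of any matching datagram, so an analyst can tell a real IKEv1 phase-1 initiation from a datagram that merely contains the matched bytes. Every packet below is constructed; $HOME_NET is assumed to be 10.0.0.0/8, and the life-duration value that makes the content bytes appear is an assumption chosen only to exercise the match, since the page does not say where a Windows IKE message carries them.

```python
"""Added example (not part of the networkforensic.dk page or rule set): offline re-implementation
of sid 5027207 plus an ISAKMP header decoder for triaging its alerts. All traffic is constructed;
$HOME_NET is assumed to be 10.0.0.0/8."""
import ipaddress
import struct
from typing import Optional

ISAKMP_PORT = 500
RULE_CONTENT = bytes.fromhex("00000009")        # content:"|00 00 00 09|" from the signature
HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption for this example
HEADER_LEN = 28                                 # RFC 2408 section 3.1 fixed header
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode"}  # 32 is from the IPsec DOI


def rule_matches(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bool:
    """$HOME_NET:500 -> $EXTERNAL_NET:500 plus the content match, exactly as the rule is written:
    the content has no offset/depth, so the bytes may sit anywhere in the UDP payload."""
    src_home = ipaddress.ip_address(src_ip) in HOME_NET
    dst_home = ipaddress.ip_address(dst_ip) in HOME_NET
    return (src_home and not dst_home
            and src_port == ISAKMP_PORT and dst_port == ISAKMP_PORT
            and RULE_CONTENT in payload)


def parse_isakmp_header(payload: bytes) -> Optional[dict]:
    """Decode the 28-byte ISAKMP header; None if the datagram is too short to carry one."""
    if len(payload) < HEADER_LEN:
        return None
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", payload[:HEADER_LEN])
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "next_payload": next_payload,
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "flags": flags, "message_id": msg_id, "length": length}


def triage(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> str:
    """Verdict for one UDP datagram: what an analyst should conclude from the alert."""
    if not rule_matches(src_ip, dst_ip, src_port, dst_port, payload):
        return "no-alert"
    hdr = parse_isakmp_header(payload)
    # Plausibility: IKEv1 is ISAKMP version 1.0 and the header length covers the whole datagram.
    if hdr is None or hdr["version"] != "1.0" or hdr["length"] != len(payload):
        return "alert:not-isakmp"          # matched on bytes only; likely a false positive
    # A fresh phase-1 initiation has a zero responder SPI, message ID 0 and a phase-1 exchange type.
    if (hdr["responder_spi"] == "00" * 8 and hdr["message_id"] == 0
            and hdr["exchange_type"] in ("Identity Protection (Main Mode)", "Aggressive")):
        return "alert:phase1-initiation"   # the host is trying to bring up a tunnel
    return "alert:isakmp"


# --- constructed sample traffic ---------------------------------------------------------------
def sa_payload(life_seconds: int) -> bytes:
    """Constructed ISAKMP SA payload: one proposal with one KEY_IKE transform (RFC 2408 s.3.4-3.6)."""
    # 3DES, SHA-1, pre-shared key, DH group 2, life type = seconds (TV attributes)
    attrs = struct.pack("!HHHHHHHHHH", 0x8001, 5, 0x8002, 2, 0x8003, 1, 0x8004, 2, 0x800B, 1)
    attrs += struct.pack("!HHI", 0x000C, 4, life_seconds)           # life duration (TLV attribute)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal  # DOI IPsec, SIT_IDENTITY_ONLY


def main_mode_init(initiator_spi: bytes, body: bytes) -> bytes:
    """Constructed first Main Mode message: responder SPI 0, next payload SA (1), version 1.0, msg ID 0."""
    return struct.pack("!8s8sBBBBII", initiator_spi, b"\x00" * 8, 1, 0x10, 2, 0, 0,
                       HEADER_LEN + len(body)) + body


SPI = bytes.fromhex("1122334455667788")
# A 9-second lifetime is an assumption chosen only so the rule's bytes (00 00 00 09) appear in the
# payload; the page does not say where a real Windows IKE message carries them.
IKE_INIT_MATCHING = main_mode_init(SPI, sa_payload(9))
IKE_INIT_NO_MATCH = main_mode_init(SPI, sa_payload(28800))
JUNK_ON_500 = b"GET /\x00\x00\x00\x09" + b"\x00" * 30   # not ISAKMP, but carries the matched bytes

if __name__ == "__main__":
    for name, src, dst, pl in [("matching IKE init", "10.1.2.3", "203.0.113.7", IKE_INIT_MATCHING),
                               ("IKE init without content", "10.1.2.3", "203.0.113.7", IKE_INIT_NO_MATCH),
                               ("junk on udp/500", "10.1.2.3", "203.0.113.7", JUNK_ON_500),
                               ("inbound from outside", "203.0.113.7", "10.1.2.3", IKE_INIT_MATCHING)]:
        print(f"{name:26s} -> {triage(src, dst, 500, 500, pl)}")
```

Running the block shows the two things an analyst needs to know about this rule: a well-formed IKEv1 Main Mode initiation that lacks the four content bytes is not reported at all, while any outbound 500 to 500 datagram that contains them is, whether or not it is ISAKMP. The header decode (version 1.0, length equal to the datagram, zero responder SPI, message ID 0) is the check to run on the captured packet before treating the alert as a VPN setup attempt.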

Severity

High

Recommendations/Investigative actions

Restrict or block outbound UDP/500 (and UDP/4500 NAT-T) traffic at the perimeter if VPN use is not permitted by network policy. Identify the device initiating the connection (the $HOME_NET source address in the alert) and investigate it for unauthorized VPN software or IPsec connection profiles. Before escalating, confirm from the triggering packet that it is a genuine ISAKMP header (version 1.0, Main Mode or Aggressive exchange type, zero responder SPI) rather than an unrelated UDP/500 datagram that merely contains the matched bytes, and check whether the external destination is a known corporate VPN concentrator.