ET INFO IKEv2 SA_INIT with Microsoft Security Realm Vendor ID

SID: 2069042
Rev: 1
Views: 13
Source: et/open
Created: April 28, 2026
Updated: April 28, 2026
Classification: misc-activity
alert udp any any -> $HOME_NET [500,4500] (msg:"ET INFO IKEv2 SA_INIT with Microsoft Security Realm Vendor ID"; flow:stateless,to_server; flowbits:set,ET.IKE.MS_Sec_VID; flowbits:noalert; content:"|22 20 22 08 00 00 00 00|"; offset:16; depth:8; content:"|68 6a 8c bd fe 63 4b 40 51 46 fb 2b af 33 e9 e8|"; fast_pattern; reference:url,www.zerodayinitiative.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2; classtype:misc-activity; sid:2069042; rev:1; metadata:attack_target Server, created_at 2026_04_28, deployment Perimeter, deployment Internal, confidence High, signature_severity Informational, updated_at 2026_04_28;)

Metadata

attack target: Server
created at: 2026_04_28
deployment: Internal
confidence: High
signature severity: Informational
updated at: 2026_04_28
