Rule History

SID: 2069173 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 3 • May 5, 2026, 12:00 PM

Message:

ET MALWARE BPFDoor ICMP Echo Reply

Rule:

alert icmp $HOME_NET any -> any any (msg:"ET MALWARE BPFDoor ICMP Echo Reply"; itype:0; icmp_seq:1234; threshold:type threshold, track by_src, count 10, seconds 60; reference:url,rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; reference:url,community.emergingthreats.net/t/sig-bpfdoor-icmpshell-icmp-artifacts-from-rapid7-whitepaper/3271; classtype:command-and-control; sid:2069173; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2026_05_05, deployment Perimeter, malware_family BPFDoor, performance_impact Moderate, confidence Low, signature_severity Major, tag BPF, updated_at 2026_05_14; target:src_ip;)

Created:

May 5, 2026, 12:00 PM

Updated:

May 14, 2026, 12:00 PM

DB Created:

May 6, 2026, 9:34 PM

DB Updated:

May 14, 2026, 10:34 PM

Filename:

rules/emerging-malware.rules