Versions (5)
Version DetailsCurrent
Rev: 6 • May 5, 2026, 12:00 PMET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND] (Inbound)
alert icmp any any -> $HOME_NET any (msg:"ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND] (Inbound)"; xbits:set,ET.bpfdoor,track ip_dst,expire 60; noalert; itype:8; content:"X:"; fast_pattern; offset:16; content:!"|20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37|"; reference:url,rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; reference:url,community.emergingthreats.net/t/sig-bpfdoor-icmpshell-icmp-artifacts-from-rapid7-whitepaper/3271; classtype:command-and-control; sid:2069175; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2026_05_05, deployment Perimeter, deprecation_reason False_Positive, malware_family BPFDoor, confidence Medium, signature_severity Major, tag BPF, updated_at 2026_05_14; target:dest_ip;)
May 5, 2026, 12:00 PM
May 14, 2026, 12:00 PM
May 6, 2026, 9:34 PM
May 14, 2026, 10:34 PM
rules/emerging-malware.rules