alert udp any 2123 -> any any (msg:"ET EXPLOIT GTPDoor Trigger Packet Response"; flow:stateless,to_client; content:"|02|"; offset:1; depth:1; content:"|72 1f 18 08|"; distance:15; within:4; fast_pattern; xbits:isset,ET.gptdoor.udp,track ip_pair,expire 10; threshold:type limit,track by_dst,count 1,seconds 600; reference:url,doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR; reference:url,github.com/sud0woodo/detect_gtpdoor; classtype:trojan-activity; sid:2063368; rev:1; metadata:affected_product Linux, attack_target Server, tls_state plaintext, created_at 2025_07_09, deployment Perimeter, deployment Internal, deployment Datacenter, malware_family GTPDoor, confidence Medium, signature_severity Major, updated_at 2025_07_09, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:src_ip;)