alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT GTPDoor Client Beacon Response (TCP)"; flow:not_established,to_client; tcp.flags:AR; tcp.flags:!U; tcp.hdr; content:"|50|"; offset:12; depth:1; content:"|00 01|"; offset:18; depth:2; xbits:isset,ET.gptdoor.tcp,track ip_pair,expire 10; reference:url,github.com/haxrob/gtpdoor-scan; reference:url,doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR; classtype:trojan-activity; sid:2063378; rev:2; metadata:affected_product Linux, attack_target Server, tls_state plaintext, created_at 2025_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family GTPDoor, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2025_07_09; target:src_ip;)