ET MALWARE BPFDoor Heartbeat (Outbound)
Source: et/open
Created: September 30, 2025
Updated: October 6, 2025
Classification: command-and-control
alert udp $HOME_NET any -> any any (msg:"ET MALWARE BPFDoor Heartbeat (Outbound)"; content:"|31|"; endswith; udp.hdr; content:"|00 09|"; offset:4; depth:2; fast_pattern; threshold:type threshold, track by_src, count 4, seconds 60; reference:url,sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis; classtype:command-and-control; sid:2065016; rev:2; metadata:affected_product Linux, affected_product MySQL, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_09_30, deployment Perimeter, confidence Medium, signature_severity Unknown, tag Backdoor, tag BPF, updated_at 2025_10_06, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
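As an added illustration (not part of the ET rule page or of Suricata), the following Python reproduces what the rule above tests: a UDP length field of 0x0009 (an 8-byte header plus one payload byte), a payload ending in byte 0x31, and the by-source threshold of 4 matches in 60 seconds. The datagrams, ports and source addresses are constructed, and the threshold class is a simplified approximation of Suricata's threshold type "threshold" (alert on every 4th match inside the window), which is an assumption rather than Suricata's exact implementation.

```python
import struct

# Constants lifted from the ET rule above (sid 2065016).
UDP_HDR_LEN = 8
EXPECTED_UDP_LENGTH = 0x0009   # udp.hdr; content:"|00 09|"; offset:4; depth:2
HEARTBEAT_BYTE = b"\x31"       # content:"|31|"; endswith
THRESHOLD_COUNT = 4            # threshold: count 4
THRESHOLD_SECONDS = 60         # threshold: seconds 60

def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed UDP datagram (header + payload) for testing; checksum left as 0."""
    length = UDP_HDR_LEN + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload

def matches_rule(datagram: bytes) -> bool:
    """Apply the rule's two content checks to one UDP datagram (header + payload)."""
    if len(datagram) < UDP_HDR_LEN:
        return False
    # udp.hdr buffer: the length field occupies bytes 4..5 of the header.
    if struct.unpack("!H", datagram[4:6])[0] != EXPECTED_UDP_LENGTH:
        return False
    # Payload must end with byte 0x31 ('1'); with length 9 that is the whole payload.
    return datagram[UDP_HDR_LEN:].endswith(HEARTBEAT_BYTE)

class HeartbeatThreshold:
    """track by_src, count 4, seconds 60: alert on every 4th match per source in window (approximation)."""

    def __init__(self, count: int = THRESHOLD_COUNT, seconds: int = THRESHOLD_SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # src_ip -> (window_start, matches_so_far)

    def observe(self, src_ip: str, datagram: bytes, ts: float) -> bool:
        """Return True when this packet should raise the alert."""
        if not matches_rule(datagram):
            return False
        start, n = self.state.get(src_ip, (ts, 0))
        if ts - start > self.seconds:          # window expired: open a new one
            start, n = ts, 0
        n += 1
        if n >= self.count:                    # 4th match: alert and reset the counter
            self.state[src_ip] = (ts, 0)
            return True
        self.state[src_ip] = (start, n)
        return False

def replay(events):
    """events: iterable of (ts, src_ip, datagram); returns the timestamps that alert."""
    th = HeartbeatThreshold()
    return [ts for ts, src, dg in events if th.observe(src, dg, ts)]
```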