alert icmp any any -> $HOME_NET any (msg:"ET MALWARE BPFDoor ICMP Echo Request"; itype:8; icmp_seq:1234; threshold:type threshold, track by_dst, count 10, seconds 60; reference:url,rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; reference:url,community.emergingthreats.net/t/sig-bpfdoor-icmpshell-icmp-artifacts-from-rapid7-whitepaper/3271; classtype:command-and-control; sid:2069172; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2026_05_05, deployment Perimeter, malware_family BPFDoor, performance_impact Moderate, confidence Low, signature_severity Major, tag BPF, updated_at 2026_05_14; target:dest_ip;)