alert icmp $HOME_NET any -> any any (msg:"ET MALWARE BPFDoor ICMP Echo Reply"; itype:0; icmp_seq:1234; threshold:type threshold, track by_src, count 10, seconds 60; reference:url,rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; reference:url,community.emergingthreats.net/t/sig-bpfdoor-icmpshell-icmp-artifacts-from-rapid7-whitepaper/3271; classtype:command-and-control; sid:2069173; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2026_05_05, deployment Perimeter, malware_family BPFDoor, performance_impact Moderate, confidence Low, signature_severity Major, tag BPF, updated_at 2026_05_14; target:src_ip;)