@bingohotdog I put together a small BPFDoor ICMP lab and wanted to share a few tested rule ideas based on a recent Rapid7 whitepaper (link in rules).
I built a minimal PCAP to exercise the icmpShell related behaviors described by Rapid7 and tested the rules separately in Suricata. As part of the normal workflow, I first checked ET Open / free rules before testing the local rules.
The three candidate ICMP rules are:
alert icmp any any -> any any (msg:"LOCAL BPFDoor-inspired ICMP visible X marker request"; itype:8; icode:0; content:"X:"; depth:2; reference:url,https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; sid:9002001; rev:2;)
alert icmp any any -> any any (msg:"LOCAL BPFDoor-inspired ICMP invalid echo code 1 heartbeat"; itype:8; icode:1; reference:url,https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; sid:9002002; rev:3;)
alert icmp any any -> any any (msg:"LOCAL BPFDoor-inspired ICMP hardcoded sequence 1234"; itype:8; icode:0; dsize:>0; icmp_seq:1234; reference:url,https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; sid:9002003; rev:1;)
Observed hits on the lab PCAP were:
-
visible
X:request rule → 4 hits -
invalid echo code 1 heartbeat rule → 1 hit
-
hardcoded sequence
1234rule → 4 hits
My reading of the Rapid7 whitepaper is that these three are directly supported as network artifacts:
-
plaintext
X:transport tag -
technically invalid ICMP code 1 used by the heartbeat thread
-
hardcoded ICMP sequence number
1234
I also shared the lab PCAP and related notes here in case it is useful for review:
https://github.com/Pb-22/Network_Detections/tree/main/BPFDoor
Do these seem like reasonable ET Open candidates?
Thanks!
