alert udp any any -> any any (msg:"🐾 - 🚨 VxWorks WDB Agent 🔍 Boot Parameters requested over RPC 🥷 - T1592.003"; flow:to_server, stateless; content:"|02 55 55 55 55 00 00 00 01 00 00 00 0a|"; fast_pattern; content:"|ff ff 4d 07|"; distance:16; content:"|3c 00 00 00 05 00 00 06 00 00 00 02|"; distance:3; content:"|00 00 00|"; endswith; target:dest_ip; reference:url,https://www.windriver.com/products/embedded/vxworks; reference:url,https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb; metadata:created_at 2026_05_15, updated_at 2026_05_15, signature_severity Major, attack_target OT, affected_product VxWorks, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1592_002, mitre_technique_name Gather_Victim_Host_Information-Firmware; sid:3321484; rev:1; classtype:targeted-activity;)