

rawbytes

The rawbytes keyword allows rules to look at the raw packet data, ignoring any decoding that was done by preprocessors. It acts as a modifier to the previous content option (section 3.5.1).

Several preprocessors, such as Telnet, RPC, and SMTP, use decoded/normalized data for content matches by default when rawbytes is not specified explicitly. Therefore, rawbytes should be specified in order to inspect the raw data of such traffic.
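The difference on Telnet traffic, as an added example that is not taken from the original page: the same content match written without and with the modifier. The msg strings, the sid values, port 23, and the choice of the Telnet IAC NOP sequence (FF F1) as the pattern are assumptions made for illustration.

```snort
# Constructed example rules; msg text and sid values are placeholders.

# Without rawbytes: on Telnet traffic the content match runs against the
# data decoded/normalized by the preprocessor, so negotiation bytes that
# were stripped during normalization are not visible to this match.
alert tcp any any -> any 23 (msg:"Telnet IAC NOP (normalized data)"; content:"|FF F1|"; sid:1000001; rev:1;)

# With rawbytes: the modifier follows the content it applies to, and that
# match is made against the raw packet data instead.
alert tcp any any -> any 23 (msg:"Telnet IAC NOP (raw bytes)"; content:"|FF F1|"; rawbytes; sid:1000002; rev:1;)

# rawbytes modifies only the content immediately before it: the first
# content is matched raw, the second uses the default decoded data.
alert tcp any any -> any 23 (msg:"Telnet IAC NOP then login text"; content:"|FF F1|"; rawbytes; content:"login"; nocase; sid:1000003; rev:1;)
```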

HTTP Inspect has its own set of keywords for matching raw data, such as http_raw_cookie, http_raw_header, and http_raw_uri.




Eugene Misnik 2013-05-08