# Three example rules showing base64_decode / base64_data. In each rule,
# base64_decode comes first and base64_data follows it; base64_data moves the
# detection cursor to the start of the decoded buffer, so the content options
# written after it are matched against decoded bytes, not the raw payload.
# Option order therefore matters and should not be rearranged.
#
# NOTE(review): none of these rules carries a sid:/rev: option. Give each one a
# unique sid from your local range before loading it on a sensor.

# Example 1: base64_decode with no arguments (no byte count, offset or relative
# anchor). The decoded buffer must contain "foo bar" within 20 bytes of its
# start.
# NOTE(review): "foo bar" is a placeholder pattern and no raw-payload content
# precedes base64_decode, so there is presumably nothing to pre-filter on.
# Treat this as an illustration rather than a deployable signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"Base64 Encoded Data"; base64_decode; base64_data; \
    content:"foo bar"; within:20;)

# Example 2: anchor on the literal header text first, then decode relative to
# the end of that match and look for the NTLMSSP signature in the decoded data.
# The first content has no HTTP buffer modifier, so it is matched against the
# packet payload as-is.
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"Authorization NTLM"; content:"Authorization: NTLM"; base64_decode:relative; base64_data; content:"NTLMSSP"; )

# Example 3: same detection goal, with the decode window bounded explicitly.
#   content:"Authorization:"; http_header  - match inside the HTTP header buffer
#       (presumably needs HTTP inspection enabled on the sensor; confirm).
#   offset 6, relative - skip 6 bytes after the match; " NTLM " is 6 characters.
#   bytes 12           - decode only 12 base64 characters, i.e. 9 decoded bytes.
#   within:8           - the 7-byte "NTLMSSP" must sit in the first 8 decoded bytes.
# Bounding the decode keeps the work per packet small and fixed.
# NOTE(review): the header is any any -> any any, which is broader than the
# $EXTERNAL_NET -> $HOME_NET scoping of the other two rules.
# NOTE(review): msg is identical to example 2, so alerts from the two rules
# cannot be told apart by message text alone.
alert tcp any any -> any any (msg:"Authorization NTLM"; \
    content:"Authorization:"; http_header; \
    base64_decode:bytes 12, offset 6, relative; base64_data; \
    content:"NTLMSSP"; within:8;)