Format

    byte_test:<bytes to convert>, [!]<operator>, <value>, <offset>  \
        [, relative][, <endian>][, string, <number type>][, dce];

    bytes      = 1 - 10
    operator   = '<' | '=' | '>' | '&' | '^'
    value      = 0 - 4294967295
    offset     = -65535 to 65535

Option            Description

bytes_to_convert  Number of bytes to pick up from the packet. The allowed values are 1 to 10 when used without dce. If used with dce, the allowed values are 1, 2 and 4.
operator          Operation to perform to test the value:
  • < - less than
  • > - greater than
  • = - equal
  • & - bitwise AND
  • ^ - bitwise OR
value             Value to test the converted value against
offset            Number of bytes into the payload to start processing
relative          Use an offset relative to the last pattern match
endian            Endian type of the number being read:
  • big - Process data as big endian (default)
  • little - Process data as little endian
string            Data is stored in string format in the packet
number type       Type of number being read:
  • hex - Converted string data is represented in hexadecimal
  • dec - Converted string data is represented in decimal
  • oct - Converted string data is represented in octal
dce               Let the DCE/RPC 2 preprocessor determine the byte order of the value to be converted. See section 2.2.15 for a description and examples.

Any of the operators can also include ! to check if the operator is not true. If ! is specified without an operator, then the operator is set to =.

Note:

Snort uses the C operators for each of these operators. If the & operator is used, then it would be the same as using if (data & value) { do_something(); }
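The following is an added example, not code from the Snort manual or the Snort source: a small Python model of how a byte_test option converts bytes from a payload and compares them, covering the operators, the ! negation, relative offsets, endianness and the string/number-type conversions described above. The function name, the parameter names (in particular last_match_end, which stands in for the end of the previous content match) and the sample payloads are assumptions made for this illustration.

```python
# Added example (not Snort's own code): a Python model of the byte_test
# option. Names and sample payloads below are assumptions for illustration.

OPERATORS = ("<", ">", "=", "&", "^")
STRING_BASES = {"hex": 16, "dec": 10, "oct": 8}


def byte_test(payload, bytes_to_convert, operator, value, offset,
              relative=False, last_match_end=0, endian="big",
              string=False, number_type="dec"):
    """Return True if the byte_test described by the arguments matches.

    payload          -- bytes of the packet payload being inspected
    bytes_to_convert -- 1..10 bytes to read at the computed position
    operator         -- one of < > = & ^, optionally prefixed with '!'
    value            -- number to compare the converted bytes against
    offset           -- bytes into the payload (or past the last match)
    relative         -- count offset from last_match_end instead of 0
    last_match_end   -- end of the previous content match (assumed input)
    endian           -- 'big' (default) or 'little' for binary data
    string           -- True if the bytes hold an ASCII number
    number_type      -- 'hex', 'dec' or 'oct' when string is True
    """
    if not 1 <= bytes_to_convert <= 10:
        raise ValueError("bytes_to_convert must be 1-10")
    if not -65535 <= offset <= 65535:
        raise ValueError("offset must be within -65535..65535")

    # A leading '!' negates the test; a bare '!' means "not equal".
    negate = operator.startswith("!")
    op = operator[1:] if negate else operator
    if op == "":
        op = "="
    if op not in OPERATORS:
        raise ValueError("unknown operator %r" % operator)

    start = (last_match_end if relative else 0) + offset
    end = start + bytes_to_convert
    # Reading outside the payload can never satisfy the test.
    if start < 0 or end > len(payload):
        return False
    raw = payload[start:end]

    if string:
        # Data stored as text: parse it in the requested base.
        try:
            converted = int(raw.decode("ascii"), STRING_BASES[number_type])
        except (UnicodeDecodeError, ValueError):
            return False
    else:
        converted = int.from_bytes(raw, "little" if endian == "little" else "big")

    if op == "<":
        matched = converted < value
    elif op == ">":
        matched = converted > value
    elif op == "=":
        matched = converted == value
    elif op == "&":
        # Same as C's  if (data & value)  : true when any shared bit is set.
        matched = (converted & value) != 0
    else:
        # '^' is documented on this page as a bitwise OR test; the same
        # C-style truth test is applied to the result.
        matched = (converted | value) != 0

    return (not matched) if negate else matched


def demo():
    """Evaluate a few constructed byte_test checks; returns name -> bool."""
    # Constructed 24-byte payload: 20 bytes of padding, then a big-endian
    # 4-byte length field holding 1001.
    binary_payload = b"\x00" * 20 + (1001).to_bytes(4, "big")
    # Constructed text payload: a keyword followed by a hex size field.
    text_payload = b"SIZE 001F"
    return {
        # byte_test:4, >, 1000, 20;
        "length_gt_1000": byte_test(binary_payload, 4, ">", 1000, 20),
        # byte_test:4, =, 1001, 20, little;  (wrong byte order -> no match)
        "little_endian_misread": byte_test(binary_payload, 4, "=", 1001, 20,
                                           endian="little"),
        # content:"SIZE "; byte_test:4, =, 31, 0, relative, string, hex;
        "hex_string_after_match": byte_test(text_payload, 4, "=", 31, 0,
                                            relative=True, last_match_end=5,
                                            string=True, number_type="hex"),
        # byte_test:1, !, 0, 0;  bare '!' means "not equal"
        "first_byte_not_zero": byte_test(binary_payload, 1, "!", 0, 0),
        # byte_test:1, &, 1, 22;  low bit of the third length byte (0x03)
        "low_bit_set": byte_test(binary_payload, 1, "&", 0x01, 22),
    }
```

The demo mirrors how the option is written in a rule (shown in the comments): the relative form only makes sense after a content match, so the model takes the end of that match as an explicit input, and an offset that runs past the end of the payload simply fails the test rather than raising.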


Eugene Misnik 2013-05-08