alert udp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"AMD procedure 7 plog overflow"; \
content:"|00 04 93 F3|"; \
content:"|00 00 00 07|"; distance:4; within:4; \
byte_test:4, >, 1000, 20, relative;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"AMD procedure 7 plog overflow"; \
content:"|00 04 93 F3|"; \
content:"|00 00 00 07|"; distance:4; within:4; \
byte_test:4, >, 1000, 20, relative;)
alert udp any any -> any 1234 \
(byte_test:4, =, 1234, 0, string, dec; \
msg:"got 1234!";)
alert udp any any -> any 1235 \
(byte_test:3, =, 123, 0, string, dec; \
msg:"got 123!";)
alert udp any any -> any 1236 \
(byte_test:2, =, 12, 0, string, dec; \
msg:"got 12!";)
alert udp any any -> any 1237 \
(byte_test:10, =, 1234567890, 0, string, dec; \
msg:"got 1234567890!";)
alert udp any any -> any 1238 \
(byte_test:8, =, 0xdeadbeef, 0, string, hex; \
msg:"got DEADBEEF!";)