byte_test Syntax Rules
The ByteTest syntax includes byte_test, byte_jump, byte_extract, and byte_math. The ByteTest syntax rules of the IPS third-generation engine are the same as those of Snort. The following sections describe them in detail.

**byte_test** obtains data from traffic, converts the data into an integer, and compares it with a specific value. If the comparison result is true, the rule is matched.

Example:

```
flow: to_server; content:"|11 94 00 F5|"; byte_test:4, >, 1000, 10, relative;
```

After **|11 94 00 F5|** is matched, 4 bytes of binary data are read at an offset of 10 bytes after the match and converted into a numeric value, which is compared with 1000. If the value is greater than 1000, the rule is matched.

Syntax format:

```
byte_test: <bytes_to_convert>, [!]<operator>, <value>, <offset> [, relative][, <endian>][, string, <number type>][, bitmask <bitmask_value>];
```

Parameter description

| Parameter | Description |
| ---------------- | ------------------------------------------------------------ |
| bytes\_to\_convert | Number of bytes obtained from the data packet. If data in the string format is obtained, the value is less than or equal to 10 and greater than 0. If the data is an integer, the value is smaller than 4 and greater than 0. |
| operator | Operation performed on the extracted data. The supported operations include `<`, `>`, `=`, `&`, `^`, `>=`, `<=`, and `!`. The exclamation mark (`!`) indicates that the NOT operation is performed after the value is calculated based on the operator. |
| value | Value to compare with the converted data. The value ranges from 0 to 4294967295. |
| offset | Offset of the byte obtained in the payload. The value ranges from -65535 to +65535. |
| relative | The offset is relative to the end of the previous feature string match. |
| big | Processes data in the network byte order (default). |
| little | Processes data in the host byte order. |
| string | Indicates that the data in the data packet is stored as a character string. |
| hex | Converts the character string data into a value in hexadecimal format. |
| dec | Converts the character string data into a value in decimal format. |
| oct | Converts the character string data into a value in octal format. |
| bitmask | Converts the data into a mask. |
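
The following Python sketch models how the example rule above is evaluated against a payload; it is an added illustration, not code from the IPS engine or from Snort. It covers relative offsets, byte order, string conversion and negation, and it lets a rule author check by hand which bytes a given offset actually selects. Assumptions: `^` and bitmask are omitted, flow direction is not modelled, the `&` and bare `!` semantics follow Snort, and the function names and the payload are constructed for this example.

```python
import operator

# '&' is treated as "bitwise AND is non-zero" (assumption, following Snort);
# '^' and bitmask are left out of this sketch.
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
       ">=": operator.ge, "<=": operator.le,
       "&": lambda a, b: (a & b) != 0}
BASES = {"hex": 16, "dec": 10, "oct": 8}

def byte_test(payload, match_end, nbytes, op, value, offset,
              relative=False, endian="big", string=None):
    """Evaluate one byte_test option; return True when it matches.

    match_end: index just past the previous content match (used with relative).
    string: None for binary data, or 'hex'/'dec'/'oct' for ASCII digits.
    """
    negate = op.startswith("!")
    if negate:
        op = op[1:] or "="      # bare "!" means "not equal" in Snort
    start = (match_end if relative else 0) + offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return False            # field lies outside the payload: no match
    raw = payload[start:end]
    if string:
        try:
            extracted = int(raw.decode("ascii"), BASES[string])
        except ValueError:      # non-digit or non-ASCII bytes in the field
            return False
    else:
        extracted = int.from_bytes(raw, endian)
    return OPS[op](extracted, value) != negate

# Constructed payload: 2 filler bytes, the content pattern, 10 padding bytes,
# the 4-byte big-endian field 0x000007D0 (2000), then the ASCII digits "1234".
PATTERN = bytes.fromhex("119400F5")
PAYLOAD = (b"\x00\x01" + PATTERN + b"\xAA" * 10
           + (2000).to_bytes(4, "big") + b"1234")

def example_rule(payload):
    """content:"|11 94 00 F5|"; byte_test:4, >, 1000, 10, relative;"""
    pos = payload.find(PATTERN)
    if pos < 0:
        return False
    return byte_test(payload, pos + len(PATTERN), 4, ">", 1000, 10, relative=True)

if __name__ == "__main__":
    print("example rule matches:", example_rule(PAYLOAD))
```

Reading the same four bytes with `endian="little"` yields 3490119680 instead of 2000, which is why a rule written with the wrong byte order can match or miss silently.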