Snort mailing list archives

complicated snort rule interpretation.


From: "Rong-Tai Liu" <tie () totoro cs nthu edu tw>
Date: Fri, 27 May 2005 16:39:06 +0800

Hello,
 
I'm trying to interpret the following signature but keep failing :-( Does
anyone know how the Snort kernel processes the following signature?
When the engine finds the content "|07|", why does it need a "within" and "depth"
for the following byte_jump? How could this byte_jump happen in a range,
not at an exact location?
 
Thanks a lot.
 
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( \
    msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; \
    byte_test:4,>,2043,24; \
    byte_jump:2,30,relative; \
    content:"|07|"; within:1; distance:-4; \
    byte_jump:2,1,relative; \
    byte_test:2,>,2043,-2,relative; \
    reference:bugtraq,9582; reference:cve,2004-0040; \
    classtype:attempted-admin; sid:237;)
 
BRs,
Terry.
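An added example, not part of the original post: a small Python model of how the Snort 2 detection cursor (doe_ptr) walks through sid:237, run over a constructed ISAKMP-like payload. The helper names and the sample packet are mine; it assumes byte_test leaves the cursor unchanged and that a relative byte_jump with no cursor set counts from the start of the payload.

```python
# Constructed walkthrough of sid:237 cursor movement (not Snort code).
import struct

def _be(buf, off, n):
    """Read an n-byte big-endian unsigned int at off, or None if out of range."""
    if off < 0 or off + n > len(buf):
        return None
    return int.from_bytes(buf[off:off + n], "big")

def sid_237_matches(pkt):
    """Return (matched, trace) for the UDP payload; trace lists cursor positions."""
    trace = []
    # byte_test:4,>,2043,24 -> ISAKMP header length at offset 24; cursor unchanged
    hdr_len = _be(pkt, 24, 4)
    if hdr_len is None or not hdr_len > 2043:
        return False, trace
    # byte_jump:2,30,relative -> no cursor yet, so base is the payload start:
    # read the first generic payload header's length (offset 30) and jump past it
    l1 = _be(pkt, 30, 2)
    if l1 is None:
        return False, trace
    cur = 30 + 2 + l1                       # lands 4 bytes INTO the 2nd payload
    trace.append(("byte_jump", cur))
    # content:"|07|"; distance:-4; within:1 -> exactly one byte, 4 bytes back:
    # the 2nd payload's "next payload" field (7 = certificate request)
    pos = cur - 4
    if _be(pkt, pos, 1) != 0x07:
        return False, trace
    cur = pos + 1                           # cursor moves past the matched byte
    trace.append(("content", cur))
    # byte_jump:2,1,relative -> 2nd payload's length field, jump past the payload
    l2 = _be(pkt, cur + 1, 2)
    if l2 is None:
        return False, trace
    cur = cur + 1 + 2 + l2                  # lands 4 bytes into the 3rd payload
    trace.append(("byte_jump", cur))
    # byte_test:2,>,2043,-2,relative -> the 3rd payload's own length field
    l3 = _be(pkt, cur - 2, 2)
    return (l3 is not None and l3 > 2043), trace

def build_isakmp(third_len):
    """Constructed sample: 28-byte header, SA payload, KE payload, CR payload header."""
    hdr = b"\x00" * 16 + b"\x01\x10\x02\x00" + b"\x00" * 4 + struct.pack(">I", 2048)
    p1 = struct.pack(">BBH", 4, 0, 8) + b"\x00" * 4   # next=KE(4), length 8
    p2 = struct.pack(">BBH", 7, 0, 8) + b"\x00" * 4   # next=CR(7), length 8
    p3 = struct.pack(">BBH", 0, 0, third_len)         # claimed length only
    return hdr + p1 + p2 + p3
```

The trace shows the first byte_jump landing 4 bytes past the start of the second payload, which is why the content match needs distance:-4 and within:1 to pin it to that payload's next-payload byte.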
