Snort mailing list archives

Interpreting relative option in byte_test


From: Sushil Pangeni via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 12 Apr 2022 14:26:10 -0700

Hi All,

I would like to request help in correctly interpreting a Snort signature.
I have a signature that uses a byte_test option with the relative keyword.
However, the signature has no content option. How is the relative keyword supposed
to behave in such cases?

alert tcp any any -> any any (msg:"test"; flow:to_server;
byte_test:2,=,0x01,0; byte_jump:1,12; byte_test:2,=,0x02,0,relative;
byte_test:2,=,0x03,3,relative; )

So as per Snort's manual here
<http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html?msclkid=24ba9a70ba9111ec900ad54a232c9dd8>,
under the section for byte_test, under relative, it says:
"Use an offset relative to last pattern match"

So is the above rule invalid, or is there some further interpretation of
byte_test with relative?

PS. This is my first post to this mailing group. Apologies if the email is
not properly formed or this is not the right place for this question.

Thanks,
Sushil Pangeni
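The post below is the question as archived; nothing on the page answers it. To make the mechanics concrete, here is an added simulation (my own code, not Snort's and not part of the original post) of how the rule above would evaluate under the detection-cursor model the Snort manual describes: byte_jump reads a length field and moves the detection cursor past it, and a later option marked relative measures its offset from that cursor rather than from the start of the payload. Two points are assumptions of the simulation, not quotations from the page: the cursor starts at the beginning of the payload when no content or byte_jump has moved it yet (so relative and absolute offsets coincide there), and byte_test itself does not move the cursor. The payload bytes are constructed for the example.

```python
# Simulation of Snort byte_test / byte_jump cursor semantics (assumption:
# byte_jump moves the detection cursor; "relative" offsets are taken from
# it; byte_test does not move it). This is illustrative code, not Snort.

OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def byte_test(payload, cursor, nbytes, op, value, offset, relative=False):
    """Return True if the nbytes big-endian integer at the given offset
    (from cursor if relative, else from payload start) satisfies op value."""
    base = cursor if relative else 0
    start = base + offset
    chunk = payload[start:start + nbytes]
    if start < 0 or len(chunk) < nbytes:
        return False  # read would run off the payload: no match
    return OPS[op](int.from_bytes(chunk, "big"), value)


def byte_jump(payload, cursor, nbytes, offset, relative=False):
    """Read an nbytes length field and return the new cursor positioned
    just past the field plus that many bytes; None if out of bounds."""
    base = cursor if relative else 0
    start = base + offset
    chunk = payload[start:start + nbytes]
    if start < 0 or len(chunk) < nbytes:
        return None
    length = int.from_bytes(chunk, "big")
    new_cursor = start + nbytes + length
    return new_cursor if new_cursor <= len(payload) else None


def evaluate_rule(payload):
    """Walk the four options of the rule from the post in order.
    Returns (matched, trace) where trace lists each step's outcome."""
    cursor = 0  # assumption: cursor starts at payload start
    trace = []

    ok = byte_test(payload, cursor, 2, "=", 0x01, 0)
    trace.append(("byte_test:2,=,0x01,0", ok))
    if not ok:
        return False, trace

    cursor = byte_jump(payload, cursor, 1, 12)
    trace.append(("byte_jump:1,12 -> cursor", cursor))
    if cursor is None:
        return False, trace

    ok = byte_test(payload, cursor, 2, "=", 0x02, 0, relative=True)
    trace.append(("byte_test:2,=,0x02,0,relative", ok))
    if not ok:
        return False, trace

    ok = byte_test(payload, cursor, 2, "=", 0x03, 3, relative=True)
    trace.append(("byte_test:2,=,0x03,3,relative", ok))
    return ok, trace


# Constructed sample: 0x0001 at offset 0, a 1-byte length field of 3 at
# offset 12, three skipped bytes, then 0x0002 at the new cursor (16) and
# 0x0003 at cursor+3 (19).
PAYLOAD_MATCH = (
    bytes([0x00, 0x01]) + b"\x00" * 10      # offsets 0..11
    + bytes([0x03])                          # offset 12: length field
    + b"\xaa\xbb\xcc"                        # offsets 13..15: skipped
    + bytes([0x00, 0x02])                    # offsets 16..17
    + b"\x00"                                # offset 18
    + bytes([0x00, 0x03])                    # offsets 19..20
)

# Same bytes but a length field of 2: the cursor lands on 0x0200, so the
# first relative byte_test fails.
PAYLOAD_MISS = PAYLOAD_MATCH[:12] + bytes([0x02]) + PAYLOAD_MATCH[13:]

if __name__ == "__main__":
    for name, p in (("match", PAYLOAD_MATCH), ("miss", PAYLOAD_MISS)):
        matched, trace = evaluate_rule(p)
        print(name, matched)
        for step in trace:
            print("   ", step)
```

Running it shows the first payload satisfying all four options with the cursor at 16 after the byte_jump, and the second failing at the first relative byte_test because the jump landed elsewhere. The model is only as good as its assumptions: the authoritative behaviour of the cursor, and whether a given Snort version lets byte_test move it, must be checked against the manual for the version in use.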
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
