The byte_extract keyword is another useful option for writing rules
against length-encoded protocols. It reads in some number of bytes
from the packet payload and saves it to a variable. These variables 
can be referenced later in the rule, instead of using hard-coded values.

===== Other options which use byte_extract variables

A byte_extract rule option detects nothing by itself. Its use is in
extracting packet data for use in other rule options. 

Here is a list of places where byte_extract variables can be used:

* content/uricontent: offset, depth, distance, within
* byte_test: offset, value
* byte_jump: offset, post_offset
* isdataat: offset 

===== Examples

  alert tcp (byte_extract:1, 0, str_offset;
      byte_extract:1, 1, str_depth;
      content:"bad stuff", offset str_offset, depth str_depth;
      msg:"Bad Stuff detected within field";)

  alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;
      byte_jump:1, 3, relative, post_offset myvar;
      content:"END", distance 6, within 3;
      msg: "byte_jump - pass variable to post_offset";)

This example uses two variables.

The first variable keeps the offset of a string, read from a byte at offset 0.
The second variable keeps the depth of a string, read from a byte at offset 1.
These values are used to constrain a pattern match to a smaller area.

  alert tcp (content:"|04 63 34 35|", offset 4, depth 4; 
      byte_extract: 2, 0, var_match, relative, bitmask 0x03ff; 
      byte_test: 2, =, var_match, 2, relative; 
      msg:"Test value match, after applying bitmask on bytes extracted";)
