This rule option tests a byte field against a specific value (with
operator). Capable of testing binary values or converting 
representative byte strings to their binary equivalent and testing them.
 
Snort uses the C operators for each of these operators. If the &
operator is used, then it would be the same as using 
[source,c]
if (data & value) { do_something(); }

'!' operator negates the results from the base check. '!<oper>' is 
considered as 
[source,c]
!(data <oper> value)

Note:
The bitmask option applies bitwise AND operator on the bytes
converted. The result will be right-shifted by the number of bits
equal to the number of trailing zeros in the mask. 
This applies for the other rule options as well.
 

===== Examples

    alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)

This example extracts 2 bytes at offset 0, performs bitwise and with 
bitmask 0x3FF0, shifts the result by 4 bits and compares to 568. 

    alert udp (byte_test:4, =, 1234, 0, string, dec; 
        msg:"got 1234!";)
 
    alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex; 
        msg:"got DEADBEEF!";)
