Suricata

given a packet with the following payload

AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy

The following rules should fire as it is the behavior of snort to modify depth to however many bytes are specified by offset. I have attached a unit test showing this behavior

alert tcp any any -> any any (msg:"all work and no play"; content:"Work"; offset: 3; depth: 4; sid:1;)
alert tcp any any -> any any (msg:"all work and no play hex"; content:"|57 6F 72 6B|"; offset: 3; depth: 4; sid:2;)