Snort mailing list archives

Question regarding content of a rule


From: Matej Lietava via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 27 Jul 2020 11:37:46 +0000

Hi guys,

Sorry, I am quite new to Snort and I have been checking out the various rules that are in the snort3 rules file. I am 
writing my own rule parser and small detection engine that will work off of the Snort rules. I have been trying to 
understand the rule options but I am quite confused when it comes to some of the content options. Some of the 
signatures are just byte code indicated by |. I understand that, but I don't understand what it means when there are 
strings and bytecode in the same content signature, such as for rule SID: 32385 where it is content: 
"|09|tiptronic|04|soxx|02|us|00|". Does this mean that the byte code 0x09 will be first and then immediately after the 
string tiptronic?
I am very confused in understanding how the signature works when there are bytecode and strings together.

Thank you.
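As an added example (not from the post above and not Snort's own code), here is a small Python parser for the content syntax the question is about. Inside the quotes, text between a pair of `|` characters is a run of hex bytes and every other character is a literal ASCII byte, so `|09|tiptronic|04|soxx|02|us|00|` is the byte 0x09 immediately followed by the ASCII bytes of `tiptronic`, then 0x04, then `soxx`, and so on. The block also shows the reverse conversion (bytes back to content notation), a matcher over a payload, and a decoder for that particular pattern, which is the DNS wire-format encoding of a length-prefixed domain name. The DNS query payload it matches against is constructed for the example; the function names are the example's own.

```python
"""Parse and apply Snort 'content:' patterns (added example, not Snort code).

Inside the quotes of a content option, text between a pair of '|' characters
is hex bytes (spaces between bytes allowed) and everything else is a literal
ASCII character. A backslash escapes the following character, which is how
characters with special meaning (quote, semicolon, pipe, backslash) are written
literally. Matching is byte-exact and case-sensitive unless the rule adds nocase.
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_content(content: str) -> bytes:
    """Turn the text inside a content:"..." option into the raw bytes it matches."""
    out = bytearray()
    i = 0
    while i < len(content):
        c = content[i]
        if c == "|":
            end = content.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |...| hex section")
            hexpart = content[i + 1:end].replace(" ", "")
            if len(hexpart) % 2 or any(ch not in HEX_DIGITS for ch in hexpart):
                raise ValueError(f"bad hex section: {content[i:end + 1]!r}")
            out += bytes.fromhex(hexpart)
            i = end + 1
        elif c == "\\":
            if i + 1 >= len(content):
                raise ValueError("dangling backslash")
            out.append(ord(content[i + 1]))  # escaped character, taken literally
            i += 2
        else:
            code = ord(c)
            if code > 0x7F:
                raise ValueError("non-ASCII literal; write it as |hex| instead")
            out.append(code)
            i += 1
    return bytes(out)


def format_content(data: bytes) -> str:
    """Reverse of parse_content: printable ASCII stays literal, the rest becomes |hex|."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b <= 0x7E and chr(b) not in '|";\\':
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(parts)


def find_content(payload: bytes, content: str) -> int:
    """Offset of the first match of the content pattern in payload, or -1."""
    return payload.find(parse_content(content))


def decode_dns_name(wire: bytes) -> str:
    """Decode a DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels, i = [], 0
    while True:
        if i >= len(wire):
            raise ValueError("truncated name")
        length = wire[i]
        i += 1
        if length == 0:
            return ".".join(labels)
        if length > 63:
            raise ValueError("label too long (or a compression pointer, unsupported here)")
        label = wire[i:i + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        i += length


# Pattern from the rule quoted in the question.
SAMPLE_CONTENT = "|09|tiptronic|04|soxx|02|us|00|"

# Constructed DNS query payload: 12-byte header (id 0x1234, one question),
# then the question name, then QTYPE A and QCLASS IN.
DNS_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    + parse_content(SAMPLE_CONTENT)
    + b"\x00\x01\x00\x01"
)

if __name__ == "__main__":
    raw = parse_content(SAMPLE_CONTENT)
    print(raw)                                   # b'\ttiptronic\x04soxx\x02us\x00'
    print(format_content(raw))                   # |09|tiptronic|04|soxx|02|us|00|
    print(decode_dns_name(raw))                  # tiptronic.soxx.us
    print(find_content(DNS_QUERY, SAMPLE_CONTENT))  # 12
```

The pattern matches at offset 12 in the constructed query because the name starts right after the fixed DNS header; a real rule would normally pin that with the rule's offset/depth or buffer options rather than searching the whole packet.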
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
