Bug #3283 (closed)
bitmask option of payload-keyword byte_test not working
Description
The documentation [1] for the payload-keyword byte_test claims that there should be a "bitmask" option. However, I haven't managed to write a working rule making use of it, yet.
For example, the following rule...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST-RULE duckduckgo.com"; flow:to_server,established; content:"duckduckgo.com"; fast_pattern:only; http_header; byte_test:3,=,0x343433,1,relative,bitmask 0xFFFFFF; sid:500; rev:1;)
...results in error message:
[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 3,=,0x343433,1,relative,bitmask 0xFFFFFF
Without the bitmask option the rule works fine.
[1] https://suricata.readthedocs.io/en/suricata-5.0.0/rules/payload-keywords.html#byte-test
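To make clear what the rule above is supposed to check once the option parses, here is an added Python emulation of the byte_test semantics with the bitmask option; it is not code from the bug report or from Suricata. It parses the exact option string from the rule ("3,=,0x343433,1,relative,bitmask 0xFFFFFF"), reads 3 bytes one position after the end of the "duckduckgo.com" content match, masks them and compares with 0x343433 (the ASCII bytes "443"). The sample header block is constructed, and the assumption that the masked value is shifted right by the number of trailing zero bits in the mask is mine; check the byte_test documentation for the Suricata version you run.

```python
# Added example: emulate byte_test with the bitmask option (not Suricata's own code).

# Constructed sample request header block (not captured traffic).
SAMPLE_HEADERS = (
    b"GET / HTTP/1.1\r\n"
    b"Host: duckduckgo.com:443\r\n"
    b"User-Agent: example\r\n\r\n"
)

# Comparison operators supported by byte_test.
OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}


def parse_byte_test(options):
    """Parse 'bytes, [!]op, value, offset[, relative][, big|little][, bitmask <mask>]'."""
    tokens = [t.strip() for t in options.split(",")]
    if len(tokens) < 4:
        raise ValueError("byte_test needs at least bytes, op, value, offset")
    op = tokens[1]
    negate = op.startswith("!")
    if negate:
        op = op[1:] or "="
    if op not in OPS:
        raise ValueError("unknown operator %r" % op)
    spec = {
        "nbytes": int(tokens[0]),
        "op": op,
        "negate": negate,
        "value": int(tokens[2], 0),   # base 0 accepts 0x... and decimal
        "offset": int(tokens[3]),
        "relative": False,
        "endian": "big",
        "bitmask": None,
    }
    for flag in tokens[4:]:
        if flag == "relative":
            spec["relative"] = True
        elif flag in ("big", "little"):
            spec["endian"] = flag
        elif flag.startswith("bitmask"):
            # Documented form is 'bitmask <value>', a space-separated token.
            spec["bitmask"] = int(flag.split(None, 1)[1], 0)
        else:
            raise ValueError("unsupported byte_test option %r" % flag)
    return spec


def byte_test(buf, spec, last_match_end=0):
    """Read spec['nbytes'] at the offset, apply the bitmask, compare to the value."""
    start = spec["offset"] + (last_match_end if spec["relative"] else 0)
    end = start + spec["nbytes"]
    if start < 0 or end > len(buf):
        return False  # not enough data: the keyword simply does not match
    extracted = int.from_bytes(buf[start:end], spec["endian"])
    mask = spec["bitmask"]
    if mask is not None:
        extracted &= mask
        # Assumption: the masked value is shifted right by the mask's trailing zero bits,
        # so a mask like 0xFF00 yields the second byte as a small integer.
        shift = (mask & -mask).bit_length() - 1 if mask else 0
        extracted >>= shift
    result = OPS[spec["op"]](extracted, spec["value"])
    return (not result) if spec["negate"] else result


def rule_matches(buf, content=b"duckduckgo.com",
                 options="3,=,0x343433,1,relative,bitmask 0xFFFFFF"):
    """Emulate the report's rule: content match, then the relative byte_test."""
    idx = buf.find(content)
    if idx < 0:
        return False
    # 'relative' offsets are counted from the end of the previous content match.
    return byte_test(buf, parse_byte_test(options), last_match_end=idx + len(content))


if __name__ == "__main__":
    print(rule_matches(SAMPLE_HEADERS))  # True: "duckduckgo.com:443"
```

Because the mask in the rule is 0xFFFFFF (no trailing zeros) it leaves the three bytes untouched, so the rule is equivalent to checking for ":443" directly after the host name; a mask with trailing zeros is where the masked-and-shifted behaviour actually matters.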