From 33c424f9ed60a93e0847c7cddac555a52fa92a6f Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Tue, 2 Aug 2022 11:12:02 -0400 Subject: [PATCH] doc/byte_math: Add byte_math differences with snort Issue: 5077 --- doc/userguide/rules/differences-from-snort.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 0d2e65a64d..8226e3a7e8 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst @@ -263,6 +263,20 @@ See :doc:`http-keywords` for all HTTP keywords. use ``byte_extract`` and ``byte_test`` to verify that they work as expected. +``byte_math`` Keyword +--------------------- + +- Suricata accepts ``dce`` as an endian value or as a separate keyword. + ``endian dce`` or ``dce`` are equivalent. + +- Suricata's rule parser rejects rules that repeat keywords in a single + rule. E.g., ``byte_math: endian big, endian little``. + +- Suricata's rule parser accepts ``rvalue`` values of ``0`` to the maximum + uint32 value. Snort rejects ``rvalue`` values of ``0`` and requires + values to be between ``[1..max-uint32 value]``. + + ``isdataat`` Keyword -------------------- -- 2.47.2
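Review bot: In the second bullet of the new ``byte_math`` section, "repeat keywords in a single rule" reads as if any keyword that appears twice in a rule is rejected, while the example ``byte_math: endian big, endian little`` shows a repeated option inside one ``byte_math`` keyword. Consider wording such as "rejects a ``byte_math`` keyword that repeats an option". The first two bullets also describe only Suricata's behaviour; on a page about differences from Snort, each should say what Snort does in the same case, as the third bullet does for ``rvalue``. In the third bullet, ``[1..max-uint32 value]`` mixes range notation with prose inside a literal; "between ``1`` and the maximum uint32 value" would match the phrasing of the sentence before it.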