alert udp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt "; flow:to_server; content:"|01|"; depth:1; content:"|1A 02|"; distance:25; content:"|4F|"; within:2; distance:-8; content:"|02|"; within:1; distance:1; byte_test:2,<,74,1,relative; metadata:policy max-detect-ips drop; reference:cve,2009-3677; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-071; classtype:attempted-user; sid:16329; rev:8;)
Recently I encountered such an offset, distance with a negative sign when writing the script. Be readily appreciated that the forward offset of 8 bytes again take two, but we must note that the latter is relative rule matching again after the end of the previous content matching the position, so here it is content: "| 4F | end of the match, "the re-match. Rather than content: "| 1A 02 |"
Specific nasl script can be written:
First organized udp packet, and then sent to: 
If you do not see the full picture, right click to view in a new tab, or you can copy pictures