I believe offset and depth is what you want. It should start and stop depending on what you specify for the offset and depth. What are you seeing that makes you think it it continuing on?
content="value"(offset,depth)
Syntax
Description
value
A pattern that is specified as a string literal or a binary literal that must be enclosed in quotation marks.
offset
A positive integer in decimal notation.
The offset specifies an alternative location to begin a pattern match. The offset also specifies how many bytes to skip before the signature tries to pattern match.
When an offset argument is not present or has a value of 0, the content argument pattern tries to find a match. The pattern tries to match the content at the beginning of the packet payload or the portion of the packet following the protocol header for the first content argument. Each successive content argument automatically begins to test for pattern matches that follow the end of the previous successful pattern match.
depth
A positive integer in decimal notation. The depth specifies the maximum number of bytes to search when trying to match a pattern in a content argument.
When a depth argument has a value of 0, the pattern that is contained in the content argument tries to find a match from the offset to the end of the packet. The depth argument value cannot be smaller than the number of bytes that are specified as the pattern to match within the argument of the content argument.
content="\x04\x20\x20\x20\xBF"(4,5)
This example skips four bytes forward from the previous pattern match or from the beginning of the packet payload and compares the next five bytes with the binary literal that is contained in the content argument.