diff --git a/src/entry/Maat_rule.cpp b/src/entry/Maat_rule.cpp
index da6eb76..9376fee 100644
--- a/src/entry/Maat_rule.cpp
+++ b/src/entry/Maat_rule.cpp
@@ -32,7 +32,7 @@
 #include "stream_fuzzy_hash.h"
 #include "gram_index_engine.h"
-int MAAT_FRAME_VERSION_2_6_20190118=1;
+int MAAT_FRAME_VERSION_2_6_20190127=1;
 const char* CHARSET_STRING[]={"NONE","gbk","big5","unicode","utf8","bin", "unicode_ascii_esc","unicode_ascii_aligned","unicode_ncr_dec","unicode_ncr_hex","url_encode_gb2312","url_encode_utf8",""};
@@ -1984,7 +1984,7 @@ int add_expr_rule(struct Maat_table_desc* table,struct db_str_rule_t* db_rule,st
 break;
 }
 sscanf(sub_key_array[i],"%d-%d:",&(key_left_offset[i]),&(key_right_offset[i]));
- if(!(key_left_offset[i]>=0&&key_right_offset[i]>0&&key_left_offset[i]=0&&key_right_offset[i]>0&&key_left_offset[i]<=key_right_offset[i]))
 {
 MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module ,
 "Table %s region cfg %d invalid offset.",table->table_name[table->updating_name],db_rule->region_id);
@@ -1994,7 +1994,7 @@ int add_expr_rule(struct Maat_table_desc* table,struct db_str_rule_t* db_rule,st
 if(sub_key_array[i]==NULL)
 {
 MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module ,
- "Table %s region cfg %d invalid keywords format.",table->table_name[table->updating_name],db_rule->region_id);
+ "Table %s region cfg %d invalid offset keyword format.",table->table_name[table->updating_name],db_rule->region_id);
 return -1;
 }
 sub_key_array[i]++;//jump over ':'
diff --git a/test/maat_json.json b/test/maat_json.json
index da4b3a2..997741a 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
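Review bot: The `sscanf(sub_key_array[i],"%d-%d:",...)` call directly above the changed condition in the `@@ -1984` hunk still has its return value ignored, so an offset keyword that does not parse as two integers is validated against whatever `key_left_offset[i]` and `key_right_offset[i]` already held (their initialisation is outside the hunk). Since the keyword string comes from rule configuration, fold the parse result into the check, e.g. `if(sscanf(sub_key_array[i],"%d-%d:",&key_left_offset[i],&key_right_offset[i])!=2 || !( /* existing range test */ ))`. The condition line is garbled on this page, so the new comparison is inferred from its visible tail `key_left_offset[i]<=key_right_offset[i]`. Nothing visible caps the offsets from above either, so an upper bound may be worth adding before they reach the matcher; add_expr_rule continues outside the hunk.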
@@ -735,7 +735,35 @@
 ]
 }
 ]
- }
+ },
+ {
+ "service": 0,
+ "do_blacklist": 0,
+ "groups": [
+ {
+ "regions": [
+ {
+ "table_name": "APP_PAYLOAD",
+ "table_content": {
+ "format": "hexbin",
+ "match_method": "sub",
+ "district": "Payload",
+ "keywords": "1-1:03&9-10:2d&14-16:2d34&19-21:2d&24-25:2d",
+ "expr_type": "offset"
+ },
+ "table_type": "expr_plus"
+ }
+ ],
+ "group_name": "Untitled"
+ }
+ ],
+ "user_region": "APP_ID=100001;BEHAV_ID=100002",
+ "is_valid": "yes",
+ "do_log": 0,
+ "effective_rage": 0,
+ "action": 0,
+ "compile_id": 148
+ }
 ],
 "plugin_table": [
 {
diff --git a/test/table_info.conf b/test/table_info.conf
index c16e6d7..68a98eb 100644
--- a/test/table_info.conf
+++ b/test/table_info.conf
@@ -31,4 +31,5 @@
 12 TEST_FOREIGN_KEY plugin {"valid":4,"foreign":[6,8],"tag":3} --
 13 COMPILE_ALIAS compile escape --
 14 TEST_PLUGIN_EXDATA_TABLE plugin {"key":2,"valid":4,"tag":5,"estimate_size":1024} --
-15 IR_INTERCEPT_IP plugin {"valid":14,"tag":18}
\ No newline at end of file
+15 IR_INTERCEPT_IP plugin {"valid":14,"tag":18}
+16 APP_PAYLOAD expr_plus UTF8 UTF8 yes 0 quickoff
\ No newline at end of file
diff --git a/test/test_maatframe.cpp b/test/test_maatframe.cpp
index c1c5048..c013e6a 100644
--- a/test/test_maatframe.cpp
+++ b/test/test_maatframe.cpp
@@ -250,7 +250,64 @@ TEST(StringScan, Regex)
 EXPECT_EQ(result[0].config_id, 146);
 Maat_clean_status(&mid);
 }
+TEST(StringScan, ExprPlus)
+{
+ int ret=0;
+ int table_id=0;
+ struct Maat_rule_t result[4];
+ int found_pos[4];
+ const char* region_name="HTTP URL";
+ const char* scan_data="http://www.cyberessays.com/search_results.php?action=search&query=abckkk,1234567";
+ table_id=Maat_table_register(g_feather, "HTTP_REGION");
+ ASSERT_GT(table_id, 0);
+ scan_status_t mid=NULL;
+ ret=Maat_full_scan_string(g_feather, table_id, CHARSET_GBK, scan_data, strlen(scan_data),
+ result, found_pos, 4,
+ &mid, 0);
+ EXPECT_EQ(ret, -1);//Should return error for district not setting.
+ ret=Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_DISTRICT, region_name, strlen(region_name));
+ ASSERT_EQ(ret, 0);
+ ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, scan_data, strlen(scan_data),
+ result, found_pos, 4,
+ &mid, 0);
+ EXPECT_EQ(ret, 1);
+ EXPECT_EQ(result[0].config_id, 128);
+ return;
+}
+
+TEST(StringScan, ExprPlusWithOffset)
+{
+ int ret=0, table_id=0;
+ struct Maat_rule_t result[4];
+ scan_status_t mid=NULL;
+ const char* region_name="Payload";
+ unsigned char udp_payload[] = { /* Stun packet */
+ 0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42,
+ 0x4f, 0xc2, 0xc2, 0x70, 0xb3, 0xa8, 0x4e, 0x22,
+ 0xf5, 0x22, 0x87, 0x4c, 0x40, 0x00, 0x00, 0x46,
+ 0x03, 0x02, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01,
+ 0x3a, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a,
+ 0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9,
+ 0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b,
+ 0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2,
+ 0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f,
+ 0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64,
+ 0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a,
+ 0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a };
+ memset(&result, 0, sizeof(result));
+ table_id=Maat_table_register(g_feather, "APP_PAYLOAD");
+ ASSERT_GT(table_id, 0);
+ ret=Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_DISTRICT, region_name, strlen(region_name));
+ EXPECT_EQ(ret, 0);
+
+ ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, (char*)udp_payload, sizeof(udp_payload),
+ result, NULL, 4,
+ &mid, 0);
+ EXPECT_EQ(ret, 1);
+ EXPECT_EQ(result[0].config_id, 148);
+ return;
+}
 TEST(IPScan, IPv4)
 {
 int table_id=0,ret=0;
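Review bot: Neither new test releases its scan state: ExprPlus and ExprPlusWithOffset both end with `return;` and never make the `Maat_clean_status(&mid);` call that the Regex test in the leading context does, so the `mid` populated by Maat_set_scan_status appears to be leaked into later tests. Add `Maat_clean_status(&mid);` before each `return;`. In ExprPlusWithOffset the district setup is checked with `EXPECT_EQ(ret, 0);`, so the scan still runs after a failed setup; `ASSERT_EQ(ret, 0);`, as ExprPlus uses, would stop there. Coverage is also positive-only: the offset validation this commit changes in add_expr_rule is not exercised by a rejected rule (left offset greater than right, or a keyword without the `N-M:` prefix), nor by a payload shorter than the largest configured offset (24-25).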