Snort mailing list archives

my flow rule doesn't work


From: Xing Star via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 15 Sep 2022 15:32:52 +0800

I made a rule to detect this pcap, but it does not seem to work at all. What should I do?
Rule:
alert tcp any any -> any any (msg:"TLS"; flow:established,to_server; content:"|16 03 03|"; content:"|14 03 03|"; content:"|16 03 03|"; content:"|17 03 03|"; sid:87654321; rev:2;)
I think it should work properly, but it can match 14 03 03 16 03 03; it can't match 17 03 03.
And if the rule is like this:
alert tcp any any -> any any (msg:"TLS"; flow:established,to_server; content:"|16 03 03|"; content:"|14 03 03|"; content:"|16 03 03|"; content:"|16 03 03|"; sid:87654321; rev:2;)
it can match from the head.
I don't know why. Do I need to modify the config file?
Please help me, thanks very much.

Attachment: rule-testflow.pcap
Description:

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
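The post above pairs four plain content options in one rule. In Snort, a content option with no relative modifier (no distance or within) is searched from the start of the inspection buffer independently of the earlier matches, every content option in the rule must be satisfied inside the same buffer (one packet payload, or one reassembled stream chunk), and two identical contents can be satisfied by the same bytes. The following is an added illustration, not Snort code and not from the poster or the list: a small simulated matcher run over constructed client-to-server TLS 1.2 segments (ClientHello alone, ChangeCipherSpec plus Finished together, Application Data alone) shows how the poster's two rule variants behave per segment and on the reassembled stream, and how the same patterns behave with distance:0 on every content after the first. The segment layout, the record bodies and the helper names are assumptions made for the example; whether Snort actually inspects these records in one buffer depends on its stream reassembly configuration, which the post does not show.

```python
"""Simulated Snort 'content' evaluation over TLS record segments.

Added example, not Snort's own code. Record payloads are constructed;
the helper names and the three-segment layout are assumptions.
"""
from typing import List, Sequence

# TLS record header prefixes: content type followed by version 3.3 (TLS 1.2).
HANDSHAKE = b"\x16\x03\x03"
CHANGE_CIPHER_SPEC = b"\x14\x03\x03"
APPLICATION_DATA = b"\x17\x03\x03"


def tls_record(content_type: bytes, body: bytes) -> bytes:
    """Build one TLS record: type (1) + version (2) + length (2) + body."""
    return content_type + len(body).to_bytes(2, "big") + body


# Constructed client-to-server segments (TCP payloads only), split the way a
# TLS 1.2 handshake commonly lands on the wire. Bodies are filler bytes chosen
# so they never accidentally contain a record header prefix.
SEGMENT_CLIENT_HELLO = tls_record(HANDSHAKE, b"\x01" + b"\x00" * 40)
SEGMENT_CCS_FINISHED = (
    tls_record(CHANGE_CIPHER_SPEC, b"\x01")
    + tls_record(HANDSHAKE, b"\x14" + b"\x00" * 15)
)
SEGMENT_APP_DATA = tls_record(APPLICATION_DATA, b"\xaa" * 32)
SEGMENTS: List[bytes] = [SEGMENT_CLIENT_HELLO, SEGMENT_CCS_FINISHED, SEGMENT_APP_DATA]

# The two content lists from the post, in rule order.
RULE_CONTENTS = [HANDSHAKE, CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA]
RULE_CONTENTS_ALT = [HANDSHAKE, CHANGE_CIPHER_SPEC, HANDSHAKE, HANDSHAKE]


def match_contents(payload: bytes, contents: Sequence[bytes], relative: bool = False) -> bool:
    """Evaluate a list of content patterns against one inspection buffer.

    relative=False mimics plain 'content:' options: each pattern is searched
    from offset 0 regardless of earlier matches, and all must be found, so
    one occurrence can satisfy two identical patterns.
    relative=True mimics 'distance:0' on every pattern after the first: each
    search starts where the previous match ended, so the patterns must occur
    in order and cannot reuse the same bytes.
    """
    cursor = 0
    for pattern in contents:
        start = cursor if relative else 0
        idx = payload.find(pattern, start)
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


def per_segment_results(segments: Sequence[bytes], contents: Sequence[bytes],
                        relative: bool = False) -> List[bool]:
    """Evaluate the rule separately on each segment (no reassembly)."""
    return [match_contents(seg, contents, relative) for seg in segments]


def reassembled_result(segments: Sequence[bytes], contents: Sequence[bytes],
                       relative: bool = False) -> bool:
    """Evaluate the rule once on the concatenated client-to-server stream."""
    return match_contents(b"".join(segments), contents, relative)


if __name__ == "__main__":
    print("per segment, 16/14/16/17:", per_segment_results(SEGMENTS, RULE_CONTENTS))
    print("per segment, 16/14/16/16:", per_segment_results(SEGMENTS, RULE_CONTENTS_ALT))
    print("reassembled, 16/14/16/17:", reassembled_result(SEGMENTS, RULE_CONTENTS))
    print("reassembled, 16/14/16/16 with distance:0:",
          reassembled_result(SEGMENTS, RULE_CONTENTS_ALT, relative=True))
```

Run per segment, the four-type list never matches because no single segment carries all four headers, while the variant ending in a second 16 03 03 matches on the ChangeCipherSpec/Finished segment alone, since the absolute search finds the same Finished header twice. On the reassembled stream the four-type list matches, and with relative matching the repeated 16 03 03 variant fails because there is no second handshake header after Finished. A rule meant to cover a handshake followed by application data therefore depends on those records reaching the detection engine in one buffer, which is a stream reassembly question rather than a content syntax one.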
