Snort mailing list archives

Problem accessing telnet data


From: Henrique Santos <hsantos () dsi uminho pt>
Date: Wed, 09 Jan 2013 23:12:19 +0000

I have a simple alert rule to detect telnet packets with the word 
"Login". However, it seems the packet data is truncated and only the 
first 2 bytes are available for detection. The packets I want to search 
for start with "\r\nLogin..."; using content:"|0d 0a|" it works, using 
content:"Login" it does not work.
The rule is:
alert tcp any any -> any 23 (msg:"INFO login"; content:"Login"; sid:999;)
I am using a simple configuration file, but I have also tried with the 
original Snort configuration... same result.
Snort is Version 2.8.5.2 (Build 121)

-- 
Henrique M. D. Santos
Universidade do Minho
Centro Algoritmi/Dpt. Sistemas de Informação
4800-058 Guimarães
Portugal

