git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: add documentation for ja3_hash keyword
author Mats Klepsland <mats.klepsland@gmail.com>
Sun, 10 Dec 2017 15:40:58 +0000 (16:40 +0100)
committer Victor Julien <victor@inliniac.net>
Tue, 20 Mar 2018 15:27:22 +0000 (16:27 +0100)
doc/userguide/rules/index.rst
doc/userguide/rules/ja3-keywords.rst [new file with mode: 0644]

index d7543ec2886cbdba0a48be3d506638bb5e67dac5..55f6e8aa1caac9498e6ebf20f5bb3f513565a5df 100644 (file)
@@ -13,6 +13,7 @@ Suricata Rules
    file-keywords
    dns-keywords
    tls-keywords
+   ja3-keywords
    modbus-keyword
    dnp3-keywords
    enip-keyword
diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst
new file mode 100644 (file)
index 0000000..35676a9
--- /dev/null
@@ -0,0 +1,21 @@
+JA3 Keywords
+============
+
+Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 is used to fingerprint TLS clients.
+
+JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
+
+ja3_hash
+--------
+
+Match on JA3 hash (md5).
+
+Example::
+
+  alert tls any any -> any any (msg:"match JA3 hash"; \
+      ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
+      sid:100001;)
+
+``ja3_hash`` is a 'Sticky buffer'.
+
+``ja3_hash`` can be used as ``fast_pattern``.
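Review bot: "Match on JA3 hash (md5)" in the ja3_hash section leaves the buffer format unstated, and since the keyword is only useful through a following ``content:`` match, the page should say that the buffer holds the 32-character lowercase hexadecimal MD5 digest of the JA3 string, exactly in the form the example uses (``content:"e7eca2baf4458d095b7f45da28c16c34";``), so that a rule writer does not supply an uppercase digest or the raw JA3 string and silently never match. The configuration requirement would be clearer as a small YAML literal block (``app-layer.protocols.tls.ja3-fingerprints: yes``) than as a prose sentence quoting the dotted key path, and the final two lines use inconsistent markup: 'Sticky buffer' is in plain quotes while ``fast_pattern`` is an RST literal; use the same literal style for both.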