userguide: add documentation for ja3s.hash keyword

author Mats Klepsland <mats.klepsland@gmail.com>

Thu, 15 Nov 2018 22:42:45 +0000 (23:42 +0100)

committer Mats Klepsland <mats.klepsland@gmail.com>

Mon, 20 May 2019 12:30:27 +0000 (14:30 +0200)
author Mats Klepsland <mats.klepsland@gmail.com>
Thu, 15 Nov 2018 22:42:45 +0000 (23:42 +0100)
committer Mats Klepsland <mats.klepsland@gmail.com>
Mon, 20 May 2019 12:30:27 +0000 (14:30 +0200)
diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst

index d5707261b59421db62fe256333491c0f8b03cf43..0c3e43c034e41a5b3c7aae9aab472be02455f615 100644 (file)
--- a/doc/userguide/rules/ja3-keywords.rst
+++ b/doc/userguide/rules/ja3-keywords.rst
@@ -42,3 +42,18 @@ Example::
  ``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue
  to use the previous name, but it's recommended that rules be converted to use
  the new name.
+
+ja3s.hash
+---------
+
+Match on JA3S hash (md5).
+
+Example::
+
+  alert tls any any -> any any (msg:"match JA3S hash"; \
+      ja3s.hash; content:"b26c652e0a402a24b5ca2a660e84f9d5"; \
+      sid:100003;)
+
+``ja3s.hash`` is a 'sticky buffer'.
+
+``ja3s.hash`` can be used as ``fast_pattern``.
author	Mats Klepsland <mats.klepsland@gmail.com>
	Thu, 15 Nov 2018 22:42:45 +0000 (23:42 +0100)
committer	Mats Klepsland <mats.klepsland@gmail.com>
	Mon, 20 May 2019 12:30:27 +0000 (14:30 +0200)