userguide: add JA3S fields to the TLS logger documentation

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 5182e05661641ea02964fbf2ae9dd0d0c07e8f20..5b85a9104f35396069bd79f89c0924060ec1b9e4 100644 (file)
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -492,6 +492,7 @@ If extended logging is enabled the following fields are also included:
 * "not_before": The NotBefore field from the TLS certificate
 * "not_after": The NotAfter field from the TLS certificate
 * "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string
+* "ja3s": The JA3S fingerprint consisting of both a JA3 hash and a JA3 string
 
 JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
 

diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index 7f101b32d2f2177c4eea2e87364fafaf4c3bd7d7..6354c26b54cc867d26ca6e5ad790edcbcde3b949 100644 (file)
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -209,7 +209,7 @@ YAML::
             extended: yes     # enable this for extended logging information
             # custom allows to control which tls fields that are included
             # in eve-log
-            #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
+            #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
 
 The default is to log certificate subject and issuer. If ``extended`` is
 enabled, then the log gets more verbose.