doc: add description for tls.random

diff --git a/doc/userguide/rules/tls-keywords.rst b/doc/userguide/rules/tls-keywords.rst
index 04e9cca0639c9813bad125499573c8fdc2eb937f..963fda5d5b17b1ab4de966f6ac3cca4f357b0730 100644 (file)
--- a/doc/userguide/rules/tls-keywords.rst
+++ b/doc/userguide/rules/tls-keywords.rst
@@ -248,3 +248,38 @@ You can specify several states with ``|`` (OR) to check for any of the specified
 
 Negation support is not available yet, see https://redmine.openinfosecfoundation.org/issues/1231
 
+tls.random
+----------
+
+Matches on the 32 bytes of the TLS random field.
+
+Example::
+
+  alert tls any any -> any any (msg:"TLS random test"; \
+    tls.random; content:"|9b ce 7a 5e 57 5d 77 02 07 c2 9d be 24 01 cc f0 5d cd e1 d2 a5 86 9c 4a 3e ee 38 db 55 1a d9 bc|"; sid: 200074;)
+
+``tls.random`` is a sticky buffer.
+
+tls.random_time
+---------------
+
+Matches on the first 4 bytes of the TLS random field.
+
+Example::
+
+  alert tls any any -> any any (msg:"TLS random_time test"; \
+    tls.random_time; content:"|9b ce 7a 5e|"; sid: 200075;)
+
+``tls.random_time`` is a sticky buffer.
+
+tls.random_bytes
+----------------
+
+Matches on the last 28 bytes of the TLS random field.
+
+Example::
+
+  alert tls any any -> any any (msg:"TLS random_bytes test"; \
+    tls.random_bytes; content:"|57 5d 77 02 07 c2 9d be 24 01 cc f0 5d cd e1 d2 a5 86 9c 4a 3e ee 38 db 55 1a d9 bc|"; sid: 200076;)
+
+``tls.random_bytes`` is a sticky buffer.