From: Mats Klepsland Date: Tue, 13 Nov 2018 23:38:56 +0000 (+0100) Subject: userguide: add documentation for tls.certs keyword X-Git-Tag: suricata-5.0.0-rc1~499 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03d986dd55930cd59b71c29c4eb98a1a84c3c708;p=thirdparty%2Fsuricata.git userguide: add documentation for tls.certs keyword --- diff --git a/doc/userguide/rules/tls-keywords.rst b/doc/userguide/rules/tls-keywords.rst index 949379ec2c..fa31fbe2d4 100644 --- a/doc/userguide/rules/tls-keywords.rst +++ b/doc/userguide/rules/tls-keywords.rst @@ -136,6 +136,20 @@ Usage:: tls_cert_valid; +tls.certs +--------- + +Do a "raw" match on each of the certificates in the TLS certificate chain. + +Example:: + + alert tls any any -> any any (msg:"match bytes in TLS cert"; tls.certs; \ + content:"|06 09 2a 86|"; sid:200070;) + +``tls.certs`` is a 'sticky buffer'. + +``tls.certs`` can be used as ``fast_pattern``. + tls.version -----------
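Review bot: The description in the new tls.certs section says only 'Do a "raw" match' without stating what the buffer actually holds, and the example content:"|06 09 2a 86|" is given with no explanation of what those bytes are meant to hit. Suggest stating the encoding of the data being inspected (for example, the certificate bytes as sent on the wire) and adding one sentence on what the example pattern matches, so a rule writer can adapt it rather than copy it. It would also help to say whether several content matches following tls.certs must all hit inside the same certificate or may be satisfied across different certificates in the chain, since "each of the certificates" leaves that open. Minor style point: "raw" is in double quotes while 'sticky buffer' is in single quotes; use one convention in the section.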