From: Shivani Bhardwaj Date: Mon, 1 Apr 2024 11:40:51 +0000 (+0530) Subject: doc: add description about tls.subjectaltname X-Git-Tag: suricata-8.0.0-beta1~1296 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=719fda396790b2910878555a05300786a7c2eee7;p=thirdparty%2Fsuricata.git doc: add description about tls.subjectaltname Feature 5234 --- diff --git a/doc/userguide/rules/multi-buffer-matching.rst b/doc/userguide/rules/multi-buffer-matching.rst index f599659394..c7ed0ea3d6 100644 --- a/doc/userguide/rules/multi-buffer-matching.rst +++ b/doc/userguide/rules/multi-buffer-matching.rst @@ -90,3 +90,4 @@ following keywords: * ``quic.cyu.string`` * ``tls.certs`` * ``tls.cert_subject`` +* ``tls.subjectaltname`` diff --git a/doc/userguide/rules/tls-keywords.rst b/doc/userguide/rules/tls-keywords.rst index a6d1bd6dbe..dbca6a3d5e 100644 --- a/doc/userguide/rules/tls-keywords.rst +++ b/doc/userguide/rules/tls-keywords.rst @@ -121,6 +121,21 @@ Examples:: to use the previous name, but it's recommended that rules be converted to use the new name. +tls.subjectaltname +------------------ + +Match TLS/SSL Subject Alternative Name field. + +Examples:: + + tls.subjectaltname; content:"|73 75 72 69 63 61 74 61 2e 69 6f|"; + +``tls.subjectaltname`` is a 'sticky buffer'. + +``tls.subjectaltname`` can be used as ``fast_pattern``. + +``tls.subjectaltname`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. + tls_cert_notbefore ------------------
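Review bot: In the doc/userguide/rules/tls-keywords.rst hunk, the example under "Examples::" gives the pattern as hex bytes, content:"|73 75 72 69 63 61 74 61 2e 69 6f|", which is only the printable ASCII string suricata.io. Hex notation for plain text makes the example harder to read and can suggest that this buffer needs byte-level matching. I would write it as tls.subjectaltname; content:"suricata.io"; or add a sentence saying what the bytes decode to. The one-line description "Match TLS/SSL Subject Alternative Name field." also leaves out that a certificate can carry several Subject Alternative Name entries, which is why the closing line about multiple buffer matching matters to a rule writer. A sentence in the description explaining how multiple entries are presented to the keyword would connect the two.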