From: Mats Klepsland Date: Thu, 15 Nov 2018 22:42:45 +0000 (+0100) Subject: userguide: add documentation for ja3s.hash keyword X-Git-Tag: suricata-5.0.0-rc1~464 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76b94c7073c2df08c61d5b2a1d9fb04ad802c2da;p=thirdparty%2Fsuricata.git userguide: add documentation for ja3s.hash keyword --- diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst index d5707261b5..0c3e43c034 100644 --- a/doc/userguide/rules/ja3-keywords.rst +++ b/doc/userguide/rules/ja3-keywords.rst @@ -42,3 +42,18 @@ Example:: ``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue to use the previous name, but it's recommended that rules be converted to use the new name. + +ja3s.hash +--------- + +Match on JA3S hash (md5). + +Example:: + + alert tls any any -> any any (msg:"match JA3S hash"; \ + ja3s.hash; content:"b26c652e0a402a24b5ca2a660e84f9d5"; \ + sid:100003;) + +``ja3s.hash`` is a 'sticky buffer'. + +``ja3s.hash`` can be used as ``fast_pattern``.
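Review bot: The new ``ja3s.hash`` section describes the keyword only as "Match on JA3S hash (md5)", which does not tell a rule writer what JA3S fingerprints or how it differs from the ``ja3`` keywords documented earlier in this file. Suggest one added sentence saying that JA3S is the fingerprint computed from the TLS server's Server Hello, where JA3 is computed from the Client Hello, and that the ``content`` value is the 32-character hex MD5 string in the form shown in the example. The two closing lines mention 'sticky buffer' and ``fast_pattern`` without a cross-reference; if the userguide has sections for those terms, linking them here would save the reader a search.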