From: Victor Julien Date: Tue, 18 Jun 2019 13:05:51 +0000 (+0200) Subject: doc: document tcp.mss keyword X-Git-Tag: suricata-5.0.0-rc1~251 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a01df4b86b4089c5f227c205d3d4dc755783e654;p=thirdparty%2Fsuricata.git doc: document tcp.mss keyword --- diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index edffbc4d02..c53f870c9e 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -328,6 +328,24 @@ Example of window in a rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED typot trojan traffic"; flow:stateless; flags:S,12; :example-rule-emphasis:`window:55808;` reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;) +tcp.mss +^^^^^^^ + +Match on the TCP MSS option value. Will not match if the option is not +present. + +The format of the keyword:: + + tcp.mss:-; + tcp.mss:[<|>]; + tcp.mss:; + +Example rule: + +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (flow:stateless; flags:S,12; :example-rule-emphasis:`tcp.mss:<536;` sid:1234; rev:5;) + ICMP keywords -------------
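Review bot: In the block under "The format of the keyword::", the three forms as they appear here (`tcp.mss:-;`, `tcp.mss:[<|>];`, `tcp.mss:;`) carry no operand placeholders, so a reader cannot tell the range form from the comparison form from the exact-match form. Name the operands in each form (a minimum and maximum for the range, a single value for the other two) and state whether the range bounds are inclusive. The sentence "Will not match if the option is not present" could also note that the MSS option is normally carried only on SYN and SYN-ACK segments, so the keyword is only useful on handshake packets, as the `flags:S,12` in the example rule suggests.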