From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Sun, 10 Dec 2017 15:47:07 +0000 (+0100)
Subject: doc: add documentation for ja3_string keyword
X-Git-Tag: suricata-4.1.0-beta1~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a357f52fa5aa9f79d061b5560afe4df0458d81fd;p=thirdparty%2Fsuricata.git

doc: add documentation for ja3_string keyword
---

diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst
index 35676a9263..d210bf64bc 100644
--- a/doc/userguide/rules/ja3-keywords.rst
+++ b/doc/userguide/rules/ja3-keywords.rst
@@ -19,3 +19,18 @@ Example::
 ``ja3_hash`` is a 'Sticky buffer'.
 
 ``ja3_hash`` can be used as ``fast_pattern``.
+
+ja3_string
+----------
+
+Match on JA3 string.
+
+Example::
+
+  alert tls any any -> any any (msg:"match JA3 string"; \
+      ja3_string; content:"19-20-21-22"; \
+      sid:100002;)
+
+``ja3_string`` is a 'Sticky buffer'.
+
+``ja3_string`` can be used as ``fast_pattern``.