From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Fri, 16 Nov 2018 17:50:58 +0000 (+0100)
Subject: userguide: add documentation for ja3s.string keyword
X-Git-Tag: suricata-5.0.0-rc1~462
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b59e82a6426a76d8cd35a6936bc50634a1c13df8;p=thirdparty%2Fsuricata.git

userguide: add documentation for ja3s.string keyword
---

diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst
index 0c3e43c034..c77b9f3906 100644
--- a/doc/userguide/rules/ja3-keywords.rst
+++ b/doc/userguide/rules/ja3-keywords.rst
@@ -57,3 +57,17 @@ Example::
 ``ja3s.hash`` is a 'sticky buffer'.
 
 ``ja3s.hash`` can be used as ``fast_pattern``.
+
+ja3s.string
+-----------
+
+Match on JA3S string.
+
+Example::
+
+  alert tls any any -> any any (msg:"match on JA3S string"; \
+      ja3s.string; content:"771,23-35"; sid:100004;)
+
+``ja3s.string`` is a 'sticky buffer'.
+
+``ja3s.string`` can be used as ``fast_pattern``.