From 03d986dd55930cd59b71c29c4eb98a1a84c3c708 Mon Sep 17 00:00:00 2001
From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Wed, 14 Nov 2018 00:38:56 +0100
Subject: [PATCH] userguide: add documentation for tls.certs keyword

---
 doc/userguide/rules/tls-keywords.rst | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/doc/userguide/rules/tls-keywords.rst b/doc/userguide/rules/tls-keywords.rst
index 949379ec2c..fa31fbe2d4 100644
--- a/doc/userguide/rules/tls-keywords.rst
+++ b/doc/userguide/rules/tls-keywords.rst
@@ -136,6 +136,20 @@ Usage::
 
   tls_cert_valid;
 
+tls.certs
+---------
+
+Do a "raw" match on each of the certificates in the TLS certificate chain.
+
+Example::
+
+  alert tls any any -> any any (msg:"match bytes in TLS cert"; tls.certs; \
+    content:"|06 09 2a 86|"; sid:200070;)
+
+``tls.certs`` is a 'sticky buffer'.
+
+``tls.certs`` can be used as ``fast_pattern``.
+
 tls.version
 -----------
 
-- 
2.47.2