From 5b954212f73dc4e9f838370667d087f91455ae6a Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Sat, 24 Mar 2018 23:15:58 +0100
Subject: [PATCH] detect-tls-ja3-hash: add warning if nocase is used
---
 src/detect-tls-ja3-hash.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index 714137fae7..ab9af80fa7 100644
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@@ -154,7 +154,14 @@ static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
 if (sm->type != DETECT_CONTENT)
 continue;
- DetectContentData *cd = (DetectContentData *)sm->ctx;
+ const DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ if (cd->flags & DETECT_CONTENT_NOCASE) {
+ *sigerror = "ja3_hash should not be used together with "
+ "nocase, since the rule is automatically "
+ "lowercased anyway which makes nocase redundant.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ }
 if (cd->content_len == 32)
 return TRUE;
--
2.47.2
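Review bot: The new nocase branch assigns `*sigerror` even though the rule is not rejected, so when `cd->content_len == 32` the callback returns TRUE with the out-parameter still pointing at the warning text. If callers read `*sigerror` only after a FALSE return this is harmless, but the callers are not visible here, and a rule that is merely redundant could end up reported as invalid. Keeping the text in a local leaves the out-parameter reserved for real rejections: `const char *warn = "ja3_hash should not be used together with nocase, ...";` followed by `SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, warn);`. The cast on the new declaration could also read `(const DetectContentData *)sm->ctx` to match the added qualifier. The enclosing loop and function begin and end outside the hunk, so any later assignment to `*sigerror` on the failure path is not visible.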