From 719fda396790b2910878555a05300786a7c2eee7 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj <shivani@oisf.net>
Date: Mon, 1 Apr 2024 17:10:51 +0530
Subject: [PATCH] doc: add description about tls.subjectaltname

Feature 5234
---
 doc/userguide/rules/multi-buffer-matching.rst |  1 +
 doc/userguide/rules/tls-keywords.rst          | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/doc/userguide/rules/multi-buffer-matching.rst b/doc/userguide/rules/multi-buffer-matching.rst
index f599659394..c7ed0ea3d6 100644
--- a/doc/userguide/rules/multi-buffer-matching.rst
+++ b/doc/userguide/rules/multi-buffer-matching.rst
@@ -90,3 +90,4 @@ following keywords:
 * ``quic.cyu.string``
 * ``tls.certs``
 * ``tls.cert_subject``
+* ``tls.subjectaltname``
diff --git a/doc/userguide/rules/tls-keywords.rst b/doc/userguide/rules/tls-keywords.rst
index a6d1bd6dbe..dbca6a3d5e 100644
--- a/doc/userguide/rules/tls-keywords.rst
+++ b/doc/userguide/rules/tls-keywords.rst
@@ -121,6 +121,21 @@ Examples::
 to use the previous name, but it's recommended that rules be converted to use
 the new name.
 
+tls.subjectaltname
+------------------
+
+Match TLS/SSL Subject Alternative Name field.
+
+Examples::
+
+  tls.subjectaltname; content:"|73 75 72 69 63 61 74 61 2e 69 6f|";
+
+``tls.subjectaltname`` is a 'sticky buffer'.
+
+``tls.subjectaltname`` can be used as ``fast_pattern``.
+
+``tls.subjectaltname`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+
 tls_cert_notbefore
 ------------------
 
-- 
2.47.2