From a01df4b86b4089c5f227c205d3d4dc755783e654 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Tue, 18 Jun 2019 15:05:51 +0200
Subject: [PATCH] doc: document tcp.mss keyword

---
 doc/userguide/rules/header-keywords.rst | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst
index edffbc4d02..c53f870c9e 100644
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -328,6 +328,24 @@ Example of window in a rule:
 
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED typot trojan traffic"; flow:stateless; flags:S,12; :example-rule-emphasis:`window:55808;` reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;)
 
+tcp.mss
+^^^^^^^
+
+Match on the TCP MSS option value. Will not match if the option is not
+present.
+
+The format of the keyword::
+
+  tcp.mss:<min>-<max>;
+  tcp.mss:[<|>]<number>;
+  tcp.mss:<value>;
+
+Example rule:
+
+.. container:: example-rule
+
+    alert tcp $EXTERNAL_NET any -> $HOME_NET any (flow:stateless; flags:S,12; :example-rule-emphasis:`tcp.mss:<536;` sid:1234; rev:5;)
+
 ICMP keywords
 -------------
 
-- 
2.47.3