doc: add documentation for ja3_hash keyword

8 years ago · 38cc6f595f
parent 6c7aacce9e
commit 38cc6f595f
2 changed files with 22 additions and 0 deletions
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@ -13,6 +13,7 @@ Suricata Rules
   file-keywords
   dns-keywords
   tls-keywords
+   ja3-keywords
   modbus-keyword
   dnp3-keywords
   enip-keyword
--- a/doc/userguide/rules/ja3-keywords.rst
+++ b/doc/userguide/rules/ja3-keywords.rst
@ -0,0 +1,21 @@
+JA3 Keywords
+============
+
+Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 is used to fingerprint TLS clients.
+
+JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
+
+ja3_hash
+--------
+
+Match on JA3 hash (md5).
+
+Example::
+
+  alert tls any any -> any any (msg:"match JA3 hash"; \
+      ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
+      sid:100001;)
+
+``ja3_hash`` is a 'Sticky buffer'.
+
+``ja3_hash`` can be used as ``fast_pattern``.