doc: tls keywords

doc/sphinx/convert.py

@@ -50,7 +50,11 @@ def main():
 
             if line.startswith("<pre>"):
                 inpre = True
-                line = "\n::\n\n"
+                line = line.replace("<pre>", "\n::\n\n  ")
+                if line.find("</pre>") > -1:
+                    print("Removing </pre> from end of line.")
+                    line = line.replace("</pre>", "")
+                    inpre = False
 
             if line.startswith("</pre>"):
                 inpre = False

doc/sphinx/rules.rst

@@ -16,3 +16,4 @@ Rules
    rule-lua-scripting
    adding-your-own-rules
    live-rule-swap
+   tls-keywords

doc/sphinx/tls-keywords.rst

@@ -0,0 +1,70 @@
+TLS-keywords
+============
+
+Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.
+
+tls.version
+-----------
+
+Match on negotiated TLS/SSL version.
+
+Example values: "1.0", "1.1", "1.2"
+
+Support added in Suricata version 1.3.
+
+tls.subject
+-----------
+
+Match TLS/SSL certificate Subject field.
+
+example:
+
+
+::
+
+  tls.subject:"CN=*.googleusercontent.com"
+
+Support added in Suricata version 1.3.
+
+Case sensitve, can't use 'nocase'.
+
+tls.issuerdn
+------------
+
+match TLS/SSL certificate IssuerDN field
+
+example:
+
+
+::
+
+  tls.issuerdn:!"CN=Google-Internet-Authority"
+
+Support added in Suricata version 1.3.
+
+Case sensitve, can't use 'nocase'.
+
+tls.fingerprint
+---------------
+
+match TLS/SSL certificate SHA1 fingerprint
+
+example:
+
+
+::
+
+  tls.fingerprint:!"f3:40:21:48:70:2c:31:bc:b5:aa:22:ad:63:d6:bc:2e:b3:46:e2:5a"
+
+Support added in Suricata version 1.4.
+
+Case sensitive, can't use 'nocase'.
+
+The tls.fingerprint buffer is lower case so you must use lower case letters for this to match.
+
+tls.store
+---------
+
+store TLS/SSL certificate on disk
+
+Support added in Suricata version 1.4.