From 76b94c7073c2df08c61d5b2a1d9fb04ad802c2da Mon Sep 17 00:00:00 2001 From: Mats Klepsland Date: Thu, 15 Nov 2018 23:42:45 +0100 Subject: [PATCH] userguide: add documentation for ja3s.hash keyword --- doc/userguide/rules/ja3-keywords.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst index d5707261b5..0c3e43c034 100644 --- a/doc/userguide/rules/ja3-keywords.rst +++ b/doc/userguide/rules/ja3-keywords.rst @@ -42,3 +42,18 @@ Example:: ``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue to use the previous name, but it's recommended that rules be converted to use the new name. + +ja3s.hash +--------- + +Match on JA3S hash (md5). + +Example:: + + alert tls any any -> any any (msg:"match JA3S hash"; \ + ja3s.hash; content:"b26c652e0a402a24b5ca2a660e84f9d5"; \ + sid:100003;) + +``ja3s.hash`` is a 'sticky buffer'. + +``ja3s.hash`` can be used as ``fast_pattern``.