doc: add documentation for tls_cert_serial keyword

doc/userguide/output/eve/eve-json-format.rst

@@ -208,6 +208,7 @@ Fields
 
 If extended logging is enabled the following fields are also included:
 
+* "serial": The serial number of the TLS certificate
 * "fingerprint": The (SHA1) fingerprint of the TLS certificate
 * "sni": The Server Name Indication (SNI) extension sent by the client
 * "version": The SSL/TLS version used
@@ -238,6 +239,7 @@ Example of extended TLS logging:
   "tls": {
       "subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com",
       "issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2",
+      "serial": "0C:00:99:B7:D7:54:C9:F6:77:26:31:7E:BA:EA:7C:1C",
       "fingerprint": "8f:51:12:06:a0:cc:4e:cd:e8:a3:8b:38:f8:87:59:e5:af:95:ca:cd",
       "sni": "calendar.google.com",
       "version": "TLS 1.2",

doc/userguide/output/eve/eve-json-output.rst

@@ -196,7 +196,7 @@ YAML::
             extended: yes     # enable this for extended logging information
             # custom allows to control which tls fields that are included
             # in eve-log
-            #custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain]
+            #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
 
 The default is to log certificate subject and issuer. If ``extended`` is
 enabled, then the log gets more verbose.

doc/userguide/rules/tls-keywords.rst

@@ -31,6 +31,20 @@ Examples::
 
 ``tls_cert_issuer`` can be used as ``fast_pattern``.
 
+tls_cert_serial
+---------------
+
+Match on the serial number in a certificate.
+
+Example::
+
+  alert tls any any -> any any (msg:"match cert serial"; \
+    tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
+
+``tls_cert_serial`` is a 'Sticky buffer'.
+
+``tls_cert_serial`` can be used as ``fast_pattern``.
+
 tls_sni
 -------