The most common weakness of Intrusion Detection and Prevention System is encrypted traffic inspection. The encrypted SSL/TLS traffic requires signed certificate for decryption. Some malicious activities may use self-signed certificate for the SSL/TLS connection.
Solution
How we can do that? If you are running Suricata as IPS, you can do it very easy with the reference of this blog. The rule will detect self-signed certificate without concerning of port number.
Make sure you have configure the Suricata properly according to the blog.
You can also use this rule for other purpose too.
Quick Reference
self-signed-cert.lua
The suricata rule is :
alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; flow:established; luajit:self-signed-cert.lua; tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)HOWTO : LuaJIT on Suricata
That's all! See you.