Snort3/4 & Suricata - HTTPS/Web Application determination based on TLS 'Hello Packet' inspection without decryption

shon

Does anyone know whether Snort or Suricata for pfSense can identify which WebApps via TLS Hello Packet inspection ? The Palo Alto example is pretty straight forward.

Palo Alto:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0

Cisco:
https://secure.cisco.com/secure-firewall/docs/application-control

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/understanding_traffic_decryption.html

Snort:
https://docs.snort.org/rules/options/payload/

Suricata:
https://github.com/OISF/suricata/blob/master/src/detect-tls-cert-validity.c