Feature #296
closed
Matching SSL/TLS certificate details
Description
I was wondering whether Suricata could have payload keywords to match part of a TLS/SSL certificate such as "subject", "issuer" etc. The idea is to allow things like
content:"GoDaddy.com"; ssl_issuer;
07/01/2011-18:00:00.123456 [**] /O=*.openinfosecfoundation.org/OU=Domain Control Validated/CN=*.openinfosecfoundation.org [**] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 [**] 123.234.56.78:12345 -> 67.19.104.51:443
I think the keywords would make rule-writing easier, and the log may allow us to validate them (retrospectively) and flag up those that don't validate as suspicious.
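As an added example (not code from the Suricata project or from this ticket), a small Python matcher for the log format and the `ssl_subject`/`ssl_issuer` keywords sketched above. The `Rule` class, the second sample log line and the self-signed check (used as a stand-in for "does not validate") are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the log format the request sketches (not real traffic):
# "<timestamp> [**] <subject DN> [**] <issuer DN> [**] <src> -> <dst>"
SAMPLE_LOG = """\
07/01/2011-18:00:00.123456 [**] /O=*.openinfosecfoundation.org/OU=Domain Control Validated/CN=*.openinfosecfoundation.org [**] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 [**] 123.234.56.78:12345 -> 67.19.104.51:443
07/01/2011-18:00:05.000001 [**] /CN=login.example.test [**] /CN=login.example.test [**] 10.0.0.5:40000 -> 192.0.2.10:443
"""
# Split only at a "/" that begins a new "attr=" pair, so a value such as
# "OU=http://certificates.godaddy.com/repository" survives intact.
DN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")

def parse_dn(dn):
    """Parse an OpenSSL one-line DN (/C=US/O=.../CN=...) into a dict."""
    pairs = (p.partition("=") for p in DN_SPLIT.split(dn.strip()) if p)
    return {k: v for k, _, v in pairs}

def parse_log_line(line):
    """Return the four fields of one log line, or None if it is malformed."""
    fields = [f.strip() for f in line.split(" [**] ")]
    if len(fields) != 4:
        return None
    ts, subject, issuer, flow = fields
    src, _, dst = flow.partition(" -> ")
    return {"ts": ts, "subject": subject, "issuer": issuer, "src": src, "dst": dst}

@dataclass
class Rule:
    """Assumed model of: content:"..."; ssl_subject|ssl_issuer; [nocase;]"""
    buffer: str          # "ssl_subject" or "ssl_issuer"
    content: str
    nocase: bool = False

def rule_matches(rule, rec):
    """Substring match against the chosen certificate buffer (case-sensitive unless nocase)."""
    hay = rec["subject"] if rule.buffer == "ssl_subject" else rec["issuer"]
    return (rule.content.lower() in hay.lower()) if rule.nocase else (rule.content in hay)

def scan(log_text, rules):
    """Apply rules to every line; also flag self-signed certs (subject == issuer),
    an assumed stand-in for the retrospective 'does not validate' check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits += [(rec["ts"], r.buffer, r.content) for r in rules if rule_matches(r, rec)]
        if parse_dn(rec["subject"]) == parse_dn(rec["issuer"]):
            hits.append((rec["ts"], "self-signed", "subject == issuer"))
    return hits
```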