Bug #591

closed

Rule protocol 'ssl' unrecognized

Added by Digital Ninja over 11 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

From: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
"Protocol This keyword in a signature tells Suricata which protocol it concerns. You can choose between four settings. tcp (for tcp-traffic), udp, icm and ip. ip stands for 'all' or 'any'. Suricata adds a few protocols : http, ftp, ssl and tls (so-called application layer protocols or layer 7 protocols)."

Create signature:
alert ssl any any -> any any (msg:"SSL proto test"; flow:established; sid:23456;)

Test:
$ sudo suricata -T -l /tmp -S test.rules -c /etc/suricata/suricata.yaml -r https.cap

5/10/2012 -- 10:11:04 - <Info> - This is Suricata version 1.3.2 RELEASE
...
5/10/2012 -- 10:11:04 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(123)] - protocol "ssl" cannot be used in a signature
