Yes, you are true.
But the problem is that ultrasurf uses a very laaarge and change every day the list of ip’s (that none knows).
The only thing that now I can do is blocking all the 443 connexions except the ones that I accept (gmail, hotmail,…). It would be better a good blocking program to do it.
Any other idea?
I don’t think that what you are trying to do with L7 filters is possible:
As near as I can tell by looking at a couple of the L7 filters is they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.
SSH is an encrypted protocol so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.
And your idea of checking for valid SSL certificates won’t work either as your are basically trying a “man in the middle” attack which SSH should be resistant to.
I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.