Neat project.

On HN a lot of people are against TLS interception. How is a defender supposed to detect this traffic? TLS aside, snort or yara rules can be implemented.

For personal devices of course TLS should not be interceptable. But I've personally gone 180 and support TLS decryption for enterprise networks.

Tools like JA3 https://github.com/salesforce/ja3 can fingerprint TLS traffic to provide one way to perform some type of evaluation. Defenders can detect on a lot of other things like an application's behavior.
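To show what a JA3 fingerprint actually is, here is a minimal reimplementation added as an example (not code from the JA3 project or from the comment above): it parses a TLS ClientHello record, drops GREASE values as JA3 does, and builds the `version,ciphers,extensions,groups,formats` string plus its MD5. The ClientHello bytes are constructed inline for the demo, not taken from a capture.

```python
import hashlib
import struct

def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are excluded by JA3."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    pos = 9                                   # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", record, pos)[0]; pos += 2
    pos += 32                                 # client random
    pos += 1 + record[pos]                    # session id
    cs_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
    ciphers = [c for c in struct.unpack_from(f"!{cs_len // 2}H", record, pos) if not is_grease(c)]
    pos += cs_len
    pos += 1 + record[pos]                    # compression methods
    ext_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
    end = pos + ext_len
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos); pos += 4
        body = record[pos:pos + elen]; pos += elen
        if is_grease(etype):
            continue
        exts.append(etype)
        if etype == 10:                       # supported_groups: u16 list length + u16 entries
            n = struct.unpack_from("!H", body, 0)[0] // 2
            groups = [g for g in struct.unpack_from(f"!{n}H", body, 2) if not is_grease(g)]
        elif etype == 11:                     # ec_point_formats: u8 list length + u8 entries
            formats = list(body[1:1 + body[0]])
    ja3 = ",".join([str(version), "-".join(map(str, ciphers)), "-".join(map(str, exts)),
                    "-".join(map(str, groups)), "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.2 ClientHello with GREASE entries (sample data, not a capture)."""
    ciphers = [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f]
    exts = struct.pack("!HH", 0x2a2a, 0)                                       # GREASE extension
    exts += struct.pack("!HHH", 0x000a, 6, 4) + struct.pack("!HH", 0x001d, 0x0017)  # x25519, secp256r1
    exts += struct.pack("!HHB", 0x000b, 2, 1) + b"\x00"                        # uncompressed point format
    exts += struct.pack("!HH", 0x0017, 0)                                       # extended_master_secret
    body = struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
    body += struct.pack("!H", len(ciphers) * 2) + struct.pack(f"!{len(ciphers)}H", *ciphers)
    body += b"\x01\x00" + struct.pack("!H", len(exts)) + exts                  # null compression + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The resulting string for the sample is `771,4865-4866-49195-49199,10-11-23,29-23,0`; the same client will produce the same string regardless of destination, which is why it can be matched in a rule without decrypting anything.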