I am running an IDS on the outside of my firewall (I know, not ideal) and an IDS on the inside of my LAN running the same detection algorithms and definitions. My website auto-redirects all HTTP requests to HTTPS. My IDS frequently detects nmap scans, OpenVAS scanning activity, GNU Bash Environment Variable Code Injection attempts, etc., on the inside of my LAN that are not seen or blocked by my IPS on the outside of my network. I assume this is because these attacks come in encrypted using my own SSL, and since my IPS on the outside does not host my SSL certs it cannot see these attacks. The traffic is decrypted on my LAN by a load balancer that hosts the SSL certs prior to passing the traffic to IIS servers, and this is where the IDS detects the attacks.
My only conclusion based on the lack of detection of these attacks is that the packets are entering our network encrypted with our own SSL certs and are therefore "invisible" to the IPS.
Is it possible, or maybe even common, for these exploit attempts to use a target's own SSL certificates to avoid detection?
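The placement effect the question describes, as an added illustration that is not part of the original post: the same signature set is run once on the bytes an IPS in front of TLS termination sees and once on the bytes an IDS behind the load balancer sees. The request, the signatures and the toy HMAC-counter stream cipher (standing in for TLS record encryption) are all constructed for this example.

```python
"""Added example (not from the post): signature inspection before and after
TLS termination. Constructed sample traffic; the cipher is a toy stand-in."""
import hashlib
import hmac
import os
import re

# Constructed signatures for two of the alert types the poster mentions.
SIGNATURES = {
    "shellshock-env-injection": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
    "nmap-http-probe": re.compile(rb"Nmap Scripting Engine", re.I),
}


def inspect(payload: bytes) -> list[str]:
    """Pattern matching the way a network IDS applies it to visible bytes."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for TLS record encryption: HMAC-SHA256 in counter mode.
    XOR-based, so the same call with the same key and nonce decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


# Constructed HTTPS request carrying the Shellshock marker in a header.
REQUEST = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: () { :;}; echo probe\r\n\r\n")


def simulate(request: bytes = REQUEST) -> dict[str, list[str]]:
    """Return what each sensor position would alert on for one request."""
    key, nonce = os.urandom(32), os.urandom(8)
    on_wire = keystream_xor(key, nonce, request)   # seen by the outside IPS
    at_iis = keystream_xor(key, nonce, on_wire)    # seen after the LB decrypts
    return {"outside_ips": inspect(on_wire), "inside_ids": inspect(at_iis)}


if __name__ == "__main__":
    print(simulate())
```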