I did some general research into this about a year ago and discovered that the Cert used to encrypt tor changes about every half hour. So if you can detect repeated changes in the cert with a particular IP it might be a good IoC.