Assuming I'm understanding the attack technique correctly, if the initial exploit is delivered inside an HTTPS connection, that delivery takes place well after the HTTPS negotiation and both sides have started encryption; pretty sure there is going to be no way to detect that stage via IPS unless HTTPS Inspection is enabled.
However when the vulnerable server is tricked into retrieving the Java class to be injected via JNDI using a ldap://126.96.36.199/ URL that will be in the clear, and perhaps can be detected by the IPS signature if it is configured to do so. Gets more murky if ldaps://188.8.131.52/ is used in the exploit, but I don't think that will work since JNDI will probably not trust the certificate of the attacker's system and the ldaps connection will fail to deliver the injected content.
New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com