The purpose of SSL is that the traffic is encrypted between the server and the end user. No amount of packet sniffing is going to assist you to determine that they are using a proxy. There was a solution that used a specific pattern at the Client Hello stage, but that pattern is not unique to Ultrasurf and I suspect you were only using Ultrasurf as a typical example of a proxy service.
Instead, one possible idea I have is to use the destination DNS name / IP address (as this is open and easy to determine from the encrypted traffic as it is outside of the encrypted part) and compare their destination proxy server against a regularly updated blacklist of proxy servers.
You would need to download a daily blacklist from someone like urlblacklist.com and apply that list to your address list on the Mikrotik to block access to those destination IPs. As ROS cannot directly untar a .gz file, you will need another device to download and untar the list.
The only problem with using a blacklist and relying purely on destination IP is when the proxy is hosted on a server shared with other services unrelated to that proxy server.
We use this service with DansGuardian to protect networks used by children and have found it very effective.
Ron Touw - Mikrotik Certified Trainer
LinITX.com - MultiThread Consultants
IRC channel: #routerboard on irc.z.je (IPv4), 6.irc.z.je (IPv6)
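The conversion step of the workflow described in the post, as an added example that is not part of the original post: a Python script for the helper machine that turns an already-extracted blacklist file into a RouterOS import script. The list name, the one-entry-per-line input format and the sample entries are assumptions; entries that overlap private or loopback ranges are dropped so that a faulty list cannot block the local network.

```python
import ipaddress

LIST_NAME = "proxy-blacklist"  # hypothetical address-list name

# Ranges that must never end up in the block list (assumed local policy).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample input: one entry per line, IPs mixed with hostnames.
SAMPLE = """\
# constructed sample
198.51.100.7
proxy.example.net
203.0.113.0/28
198.51.100.7
10.0.0.5
not an entry
"""

def parse_blacklist(text):
    """Return (networks, skipped): unique sorted IPv4 networks and rejected lines."""
    nets, skipped = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            skipped.append(line)   # hostname or junk: not an IP entry
            continue
        # /ip firewall address-list is IPv4 only; also refuse protected ranges.
        if net.version != 4 or any(net.overlaps(p) for p in PROTECTED):
            skipped.append(line)
            continue
        nets.add(net)
    return sorted(nets), skipped

def to_rsc(nets, list_name=LIST_NAME):
    """Build a RouterOS script that replaces the address list with `nets`."""
    out = [f"/ip firewall address-list remove [find list={list_name}]"]
    for net in nets:
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        out.append(f"/ip firewall address-list add list={list_name} address={addr}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    networks, rejected = parse_blacklist(SAMPLE)
    print(to_rsc(networks), end="")
    print(f"# skipped {len(rejected)} entries: {rejected}")
```

Reviewing the skipped entries before each import shows which hostnames the IP-only list does not cover.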