Alert rules still triggering after pass rules

I have the following rules in place in AWS Network Firewall:

pass tls any any -> any any (tls.sni; content: ""; startswith; nocase; endswith; msg: "matching TLS allowlisted FQDNs"; priority: 1; sid: 10; rev: 1;)
alert tls any any -> any any (msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server,established; sid:1000002; rev:1;)

I was under the impression that any traffic to “” would trigger the “pass” rule and therefore skip the “alert” rule. However, I am still seeing logs (alerts) showing “” with the message from the alert rule. Why might this be? Am I missing something here?

Can you post a full example of the EVE JSON output that still triggered the alert?

Seems like a duplicate of ?