I think by writing the question i figured out the answer . The TLS SNI is seen once and the Client Hello in TLS handshake comes before the Server Hello and the Certificate part. So there is no way to alert on something that has already happened in the flow . Suricata engine has already seen that packet before the Certificate part where the Issuer is seen.