Understanding tls.sni rules

Apologies for what I have little doubt is a Suricata-newbie issue, but I'm trying to understand how I can control https traffic to specific domains. So to test, I have a single rule:
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"drop google"; tls.sni; dotprefix; content:".google.com"; nocase; endswith; sid:1; rev:1;)

…which should allow everything through, except a TLS handshake to *.google.com, correct? Except this doesn’t seem to work and all traffic is allowed through, including curls to www.google.com. In fact if I try dropping all tls (i.e. with a drop tls rule without tls.sni keyword) it doesn’t block either.

I'm running Suricata 5.0.6 on CentOS 8, running in inline IPS mode. I have confidence that traffic is directed correctly to the engine, because I can successfully control traffic through Suricata at the TCP or UDP level.

Any help, gratefully received.
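To make the matching semantics of the rule above concrete, here is an added example (not Suricata code and not from the original poster) that emulates how tls.sni with dotprefix, nocase and endswith decides on a server name; the SNI values are constructed samples.

```python
"""Emulate Suricata's `tls.sni; dotprefix; content:".google.com"; nocase; endswith;`
matching. Added illustration only; it is not Suricata's implementation."""

from typing import List, Tuple

# Constructed sample SNI values, as a client would send them in a ClientHello.
SAMPLE_SNIS: List[str] = [
    "www.google.com",
    "google.com",
    "mail.GOOGLE.com",
    "notgoogle.com",
    "www.google.com.evil.example",
    "example.com",
]


def dotprefix_endswith(sni: str, pattern: str, nocase: bool = True) -> bool:
    """Return True if `sni` matches `dotprefix; content:<pattern>; endswith;`.

    dotprefix prepends a literal '.' to the buffer, so a pattern such as
    ".google.com" matches both the bare domain and any subdomain while
    still rejecting look-alikes such as "notgoogle.com".
    """
    buf = "." + sni
    if nocase:
        buf, pattern = buf.lower(), pattern.lower()
    return buf.endswith(pattern)


def evaluate_rule(snis: List[str], pattern: str = ".google.com") -> List[Tuple[str, str]]:
    """Apply the question's drop rule to each SNI and return (sni, verdict)."""
    return [(s, "drop" if dotprefix_endswith(s, pattern) else "pass") for s in snis]


if __name__ == "__main__":
    for sni, verdict in evaluate_rule(SAMPLE_SNIS):
        print(f"{sni:32} -> {verdict}")
```

A ClientHello that carries no SNI extension produces no tls.sni buffer for this rule to inspect, so a rule keyed on tls.sni alone cannot be relied on to block every TLS session to a host.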

Ok, I appear to have solved this. If anyone's interested, I changed my Suricata config to use nfq mode: accept as opposed to repeat.

When set to repeat it didn't look like Suricata was doing any parsing beyond the TCP level. The reason for this is opaque to me, I have to admit, but if anyone stumbles across a similar issue, then I suppose this may help.