AWS Network Firewall - Suricata rules not working as expected

I have configured Suricata IPS rules (from emerging threats) and during testing observed that rules are not working as expected. For example, the below generic rule is working as expected - drop tcp $DB_NET any -> $TEST_NET 80 (msg:"Test Block"; sid:102344; rev:1;)

However the below rules taken from emerging threats are not working - drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established; http.user_agent; content:"easyhttp client"; bsize:15; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04; sid:102340; rev:1;)

drop tcp $DB_NET any -> $TEST_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

I am not able to identify the root cause of this behavior and need your support to understand and fix the issue (if any).