Hi,
Following is my drop.conf
#drop rules containing a specific message pattern
metadata: signature_severity Major
metadata: tag Dshield
metadata: tag TA_Abused_Online_Service
metadata: tag Exploit
metadata: tag CISA_KEV
metadata: tag CINS
metadata: tag COMPROMISED
msg:“
- 
<200d>:skull_and_crossbones: Connection to an IP flagged at Log4Shell Exploit Attempt”
following is the result when I run suricata-update
11/9/2025 – 19:23:50 - – Using data-directory /var/lib/suricata.
11/9/2025 – 19:23:50 - – Using Suricata configuration /etc/suricata/suricata.yaml
11/9/2025 – 19:23:50 - – Using /usr/share/suricata/rules for Suricata provided rules.
11/9/2025 – 19:23:50 - – Found Suricata version 7.0.10 at /usr/bin/suricata.
11/9/2025 – 19:23:50 - – Loading /etc/suricata/drop.conf.
metadata: signature_severity Major
metadata: tag Dshield
metadata: tag TA_Abused_Online_Service
metadata: tag Exploit
metadata: tag CISA_KEV
metadata: tag CINS
metadata: tag COMPROMISED
msg:“ - <200d>:skull_and_crossbones: Connection to an IP flagged at Log4Shell Exploit Attempt”
11/9/2025 – 19:23:50 - – Failed to parse: “msg:“ - <200d>:skull_and_crossbones: Connection to an IP flagged at Log4Shell Exploit Attempt””
it failed to phrase only msg:“ - <200d>:skull_and_crossbones: Connection to an IP flagged at Log4Shell Exploit Attempt”
and I tired reference as well
following is the rule
alert ip any any → 159.89.154.102 any (msg:“🐾 - 🏴<200d>☠️ Connection to an IP flagged at Log4Shell Exploit Attempt”; reference: url, ; reference: url,https://www.lunasec.io/docs/blog/log4j-zero-day/; reference: url, ; metadata:created_at 2021_12_17, updated_at 2021_12_17; sid:3312323; rev:1; classtype:trojan-activity;)
I cannot do by SID because there are lot of SIDs related to this rule