Rules modified with modify.conf still appear in alerts


So through modify.conf I adjusted a bunch of log4j related rules on Suricata 6.0.3:

2034647 "any any -> [$HOME_NET,$HTTP_SERVERS] any" "any any -> [$LOG4J] any"

To ensure that only log4j-affected machines appear in the alerts (the number of false positives is massive), I created the variable $LOG4J in suricata.yaml:

LOG4J: "[,]"

Then I ran suricata-update and restarted Suricata.
No errors when restarting Suricata or with suricata-update (the number of modified rules increased accordingly).

However, the alerts are still popping up with IP This IP is not vulnerable to Log4J but is part of the $HOME_NET variable (HTTP_SERVERS = $HOME_NET in my settings).

Any ideas are more than welcome!

It's an escaping issue as the first match is a regular expression. Please try:

2034647 "any any -> \\[\\$HOME_NET,\\$HTTP_SERVERS\\] any" "any any -> [$LOG4J] any"
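To see why the first quoted string needs the double escaping, here is an added Python example (not from this thread and not suricata-update's own code) that mimics how I assume suricata-update applies a modify.conf line: split the line with shlex, compile the first quoted string as a regex, and substitute the second. The rule text is constructed and only its header matters; build_modify_line is a helper of my own that generates a correctly escaped line for any header.

```python
import re
import shlex

# Constructed rule header in the shape of the ET rule modified in the thread.
RULE = ('alert http any any -> [$HOME_NET,$HTTP_SERVERS] any '
        '(msg:"constructed log4j example"; sid:2034647; rev:1;)')

# The two modify.conf lines from the thread: unescaped (broken) and escaped (working).
UNESCAPED = r'2034647 "any any -> [$HOME_NET,$HTTP_SERVERS] any" "any any -> [$LOG4J] any"'
ESCAPED = r'2034647 "any any -> \\[\\$HOME_NET,\\$HTTP_SERVERS\\] any" "any any -> [$LOG4J] any"'


def parse_modify(line):
    """First escaping layer: shlex strips one backslash inside double quotes,
    so '\\\\[' in modify.conf reaches the regex engine as '\\['."""
    sid, pattern, repl = shlex.split(line)
    return sid, pattern, repl


def apply_modify(line, rule):
    """Second layer: the pattern is a regex. Unescaped, '[$HOME_NET,$HTTP_SERVERS]'
    is a character class matching ONE character, so it never matches the literal
    header and the rule is left untouched. Returns (matched, resulting_rule)."""
    _sid, pattern, repl = parse_modify(line)
    new_rule, count = re.subn(pattern, repl, rule)
    return count > 0, new_rule


def build_modify_line(sid, literal_from, to):
    """Hypothetical helper: escape the literal header for the regex layer, then
    double every backslash for the shlex layer, producing a modify.conf line."""
    regex_pattern = re.escape(literal_from)
    shell_pattern = regex_pattern.replace('\\', '\\\\')
    return f'{sid} "{shell_pattern}" "{to}"'


if __name__ == '__main__':
    for label, line in (('unescaped', UNESCAPED), ('escaped', ESCAPED)):
        matched, result = apply_modify(line, RULE)
        print(f'{label:9} matched={matched} -> {result.split(" (")[0]}')
    print(build_modify_line(2034647, 'any any -> [$HOME_NET,$HTTP_SERVERS] any',
                            'any any -> [$LOG4J] any'))
```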

Thanks @ish! And me thinking all the time that only the first part needs to be escaped. Time for some regex lessons!