Hi!
So through modify.conf I adjusted a bunch of log4j related rules on Suricata 6.0.3:
2034647 "any any -> [$HOME_NET,$HTTP_SERVERS] any" "any any -> [$LOG4J] any"
To ensure that only log4j affected machines appear on the alerts, the number of false positives is massive, I created the variable $LOG4J in suricata.yaml:
LOG4J: "[10.0.0.1, 10.0.0.2]"
Then I ran suricata-update and restarted Suricata.
No errors when restarting Suricata or with suricata-update (the number of modified rules increased accordingly).
However the alerts are still popping up with IP 10.0.0.3. This IP is not vulnerable for Log4J but is part of the $HOME_NET variable (HTTP_SERVERS = $HOME_NET in my settings).
Any ideas are more than welcome!