Suricata in IDS mode shows traffic that should be blocked

I’m brand new to Suricata. Installed on a Debian server and version 6.0. I set it up in IDS mode just spanning the return traffic from my ISPs behind my firewall. I am seeing messages in the fast log that would indicate flows originate from the internet to my internal clients.

For instance:

11/09/2023-08:29:12.701677 [] [1:2034674:3] ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228) [] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} EXTERNAL IP:443 → INTERNAL IP:63087

This traffic would be blocked by my firewall and I am not seeing the traffic if I look for External IP as a source. Is it possible this traffic is coming from a server where my internal client started a connection (which would be allowed on the firewall) and then the server on the internet is doing something nefarious once that connected is established? I didn’t think that would be possible but I’m not sure why I’m seeing these possible vulnerabilities in Suricata.

Thanks in advance for any help!