Suricata in IDS mode shows traffic that should be blocked

I’m brand new to Suricata. Installed on a Debian server, version 6.0. I set it up in IDS mode, just spanning the return traffic from my ISP’s behind my firewall. I am seeing messages in the fast log that would indicate flows originate from the internet to my internal clients.

For instance:

11/09/2023-08:29:12.701677 [**] [1:2034674:3] ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} EXTERNAL IP:443 -> INTERNAL IP:63087

This traffic would be blocked by my firewall, and I am not seeing the traffic if I look for the External IP as a source. Is it possible this traffic is coming from a server where my internal client started a connection (which would be allowed on the firewall) and then the server on the internet is doing something nefarious once that connection is established? I didn’t think that would be possible, but I’m not sure why I’m seeing these possible vulnerabilities in Suricata.

Thanks in advance for any help!

Without more detail it’s hard to tell; you could also look into the EVE JSON log, where you would see more details about that flow (for example, event type flow). But it could be something malicious in a response, yes.
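To make the suggestion above concrete, here is an added example (not code from the original thread or from the Suricata project) that correlates an EVE JSON alert record with its flow record over flow_id. In a flow event, src_ip/dest_ip are those of the first packet seen, i.e. the host that initiated the flow, whereas in an alert event they are those of the packet that matched the rule. Comparing the two tells you whether the alert fired on a response to an internally initiated flow. The EVE lines, the flow_id and the 192.0.2.0/24 "internal" prefix are constructed placeholders; replace the prefix list with your own ranges and feed the script your eve.json.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# Placeholder "internal" prefix for this example (TEST-NET-1); replace with
# the networks behind your firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed EVE JSON sample, not real captured data. The flow record has the
# internal host as src_ip (it sent the first packet). The alert record has the
# external server as src_ip because the server's response matched the rule,
# which is exactly the picture the fast.log line in the question shows.
EVE_SAMPLE = """
{"timestamp":"2023-11-09T08:29:10.001000+0000","flow_id":1234567890123456,"event_type":"flow","src_ip":"192.0.2.10","src_port":63087,"dest_ip":"203.0.113.5","dest_port":443,"proto":"UDP","flow":{"pkts_toserver":3,"pkts_toclient":5,"bytes_toserver":400,"bytes_toclient":2100,"start":"2023-11-09T08:29:10.001000+0000","state":"established","reason":"timeout"}}
{"timestamp":"2023-11-09T08:29:12.701677+0000","flow_id":1234567890123456,"event_type":"alert","src_ip":"203.0.113.5","src_port":443,"dest_ip":"192.0.2.10","dest_port":63087,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2034674,"rev":3,"signature":"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1}}
"""


def parse_eve(text: str) -> List[dict]:
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated final line is normal while the log is being written.
            continue
    return events


def index_flows(events: Iterable[dict]) -> Dict[int, dict]:
    """Map flow_id -> flow event; the flow event's src_ip is the initiator."""
    return {
        e["flow_id"]: e
        for e in events
        if e.get("event_type") == "flow" and "flow_id" in e
    }


def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    """True if ip falls inside one of the configured internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_alert(alert: dict, flows: Dict[int, dict], nets=INTERNAL_NETS) -> dict:
    """Describe who started the flow an alert belongs to and which way the
    matching packet travelled. Without a flow record the direction stays
    'unknown' rather than being guessed from the alert's src/dest."""
    result = {
        "signature_id": alert["alert"]["signature_id"],
        "alert_src": f'{alert["src_ip"]}:{alert["src_port"]}',
        "alert_dst": f'{alert["dest_ip"]}:{alert["dest_port"]}',
        "initiator": None,
        "direction": "unknown",
        "initiated_internally": None,
    }
    flow = flows.get(alert.get("flow_id"))
    if flow is None:
        return result
    initiator = flow["src_ip"]
    result["initiator"] = initiator
    # Packet from the initiator -> to_server; packet from the responder -> to_client.
    result["direction"] = "to_server" if alert["src_ip"] == initiator else "to_client"
    result["initiated_internally"] = is_internal(initiator, nets)
    return result


if __name__ == "__main__":
    events = parse_eve(EVE_SAMPLE)
    flows = index_flows(events)
    for ev in events:
        if ev.get("event_type") == "alert":
            print(json.dumps(classify_alert(ev, flows), indent=2))
```

Run against a real eve.json by replacing EVE_SAMPLE with the file contents; because flow records are written when a flow ends, they usually appear after the alerts for that flow, which is why the script indexes all flow events first instead of reading the file in a single pass. An alert reported as to_client with initiated_internally true is the case discussed in the thread: the firewall allowed the flow because an inside host opened it, and the rule matched on the outside server's reply.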