Snort mailing list archives

NETBIOS nimda.eml


From: "Paul Lane" <paul_lane () supplyworks com>
Date: Wed, 22 Oct 2003 13:00:32 -0400

This rule is generating lots of alerts on my network:

"alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)"


The source IP is an Exchange 2000 server and the destination IP is a
file server. I've made sure that these boxes are patched and the virus
dat files are current.

Can I modify this rule and cut down on the alerts it's generating?


Thanks,

Paul Lane 
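An added example, not part of the original message, of two ways a Snort administrator can tune sid 1293 so that one known Exchange-to-file-server flow stops alerting while the rule keeps watching every other source; 192.0.2.10 is a placeholder for the Exchange server's address, and the file names (local.rules, threshold.conf) are the conventional Snort 2.x ones:

```snort
# Added tuning example (not part of the original message).
# 192.0.2.10 is a placeholder for the Exchange 2000 server's address.

# Option 1: a local copy of sid 1293 whose source excludes the known sender.
# Comment out the stock sid 1293 in netbios.rules and put this copy in
# local.rules under a local SID (>= 1000000) so rule updates don't overwrite it.
var EXCHANGE_SERVERS [192.0.2.10]

alert tcp !$EXCHANGE_SERVERS any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1000293; rev:1;)

# Option 2: leave the stock rule untouched and suppress only this source
# (threshold.conf, available in later Snort 2.x releases). Snort still
# inspects the traffic; it just stops logging sid 1293 for that address.
suppress gen_id 1, sig_id 1293, track by_src, ip 192.0.2.10
```

The content pattern is ".EML" in the two-byte-per-character (Unicode) form SMB uses for file names, so any legitimate file operation that names a .eml file over port 139 matches it, which is why an Exchange server talking to a file server trips it. Either option only removes the one host from consideration; a suppress entry is the smaller change because the rule itself stays in sync with the vendor ruleset.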