Snort mailing list archives

nimda rule interpretation


From: John Rodley <john.rodley () inc-networks com>
Date: Wed, 5 Dec 2001 12:27:30 -0500

I'm a new snort user managing a small corporate network.  I need
confirmation that my interpretation of this snort alert is correct.
 
syslog entry:
12-05-2001 09:00:25 Auth.Alert a.a.a.a    snort[588]: [1:1294:2] NETBIOS
nimda .nws [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP}
a.b.c.d:4003 -> w.x.y.z:139
 
snort log entry:
[**] NETBIOS nimda .nws [**]
12/05-08:28:37.632972 a.b.c.d:4003 -> w.x.y.z:139
TCP TTL:128 TOS:0x0 ID:48598 IpLen:20 DgmLen:636 DF
***AP*** Seq: 0xDF858CCB  Ack: 0x48C607FC  Win: 0x40A7  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
netbios.rule being triggered
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws";
content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:2;)

My interpretation of this is that a.b.c.d transmitted the string "NWS" over
a connection from source port 4003 to destination port 139 on w.x.y.z.
Would that be correct?
 
Suspecting this is a false positive since both machines scan clean.  
 
John Rodley
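To check the interpretation above, here is an added Python example (not from the original thread) that decodes the rule's content pattern and applies the rule's three tests to constructed payloads; smb_path is an assumption that only approximates how Windows encodes Unicode file names in SMB requests.

```python
# Added example, not from the original post: decode the Snort content pattern
# of sid:1294 and see which payload bytes would trigger it. All payloads below
# are constructed for illustration.
import re

def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string like '|00|N|00|W|00|S' into raw bytes.
    Text outside |...| is literal; text inside |...| is space-separated hex."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", pattern):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def flags_match(spec: str, flags: str) -> bool:
    """Minimal Snort 'flags:' check: 'A+' means ACK set, other bits allowed;
    a bare 'A' would require exactly ACK. Flags are letters such as 'AP'."""
    required = set(spec.rstrip("+"))
    have = set(flags)
    if spec.endswith("+"):
        return required <= have
    return required == have

def rule_1294_fires(tcp_flags: str, dst_port: int, payload: bytes) -> bool:
    """The three tests sid:1294 applies: destination port 139, ACK set
    (flags:A+), and the content bytes anywhere in the payload. Snort content
    matches are case-sensitive because the rule has no 'nocase'."""
    needle = decode_snort_content("|00|N|00|W|00|S")
    return dst_port == 139 and flags_match("A+", tcp_flags) and needle in payload

def smb_path(name: str) -> bytes:
    """Assumed SMB-style file name field: Windows sends Unicode names as
    UTF-16LE, so 'x.NWS' becomes b'x\\x00.\\x00N\\x00W\\x00S\\x00' plus a terminator.
    The null that precedes 'N' belongs to the character before it."""
    return name.encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    # The log line shows ***AP*** to port 139, i.e. ACK and PSH set.
    for name in ["readme.NWS", "OWNWSHARE.TXT", "readme.nws"]:
        print(name, rule_1294_fires("AP", 139, smb_path(name)))
```

Any UTF-16LE name containing uppercase "NWS" after another character satisfies the content test, while the same name in lowercase or plain ASCII does not.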
 
 
