Snort mailing list archives

shell code detect


From: Omolayo Salako <OSalako () corp goamerica net>
Date: Thu, 11 Apr 2002 13:34:30 -0400


I am getting this alert on some of my SMTP gateways. I know it is a buffer
overflow attack because of the shellcode signature. I have had my mail admin
check the servers out for signs of buffer overflow attacks; he reported back
no problem. This might be a false positive (I am still investigating). My
question to the list is: if this is a false positive, how do you tweak it
without having to disable the rule altogether? One idea that I have been
toying with is to set flags on most content rules so that the connection
would have to be actually established before Snort starts squeaking. If the
traffic is getting blocked by the firewall, I don't want Snort alerting me on
such traffic. What do you guys think? Attached is the decoded payload of
the shell code attack.




Attachment: shellcode.txt

Attachment: shellcodex86.txt
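The idea the poster floats, gating a content rule on the TCP connection actually being established (what Snort expresses as a `flow:to_server,established` qualifier, or `flags:A+` in older rule sets), can be shown in miniature. The following is an added example, not code from the original post or from Snort: a small flow tracker that watches the three-way handshake on constructed packets, plus the same x86 NOP-sled content match run once as a bare content rule and once gated on the flow state. All addresses, ports and payloads are made up, and the 14-byte `0x90` run used as the sled pattern is an assumption about the rule, not taken from the attachments.

```python
"""Added example: an SMTP shellcode content match with and without a
TCP-established gate. Not from the original post or from Snort."""
from dataclasses import dataclass, field

SMTP_PORT = 25
# x86 NOOP sled pattern; the 14-byte length is an assumption for this example.
NOP_SLED = b"\x90" * 14


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # any subset of "SAFPRU", e.g. "S", "SA", "PA"
    payload: bytes = b""


@dataclass
class FlowTracker:
    """Tracks client->server flows keyed by (client, cport, server, sport)."""
    flows: dict = field(default_factory=dict)

    def update(self, pkt):
        """Feed one packet; return True if it rides an established client->server flow."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "R" in pkt.flags or "F" in pkt.flags:
            # teardown: forget the flow in both directions
            self.flows.pop(fwd, None)
            self.flows.pop(rev, None)
            return False
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.flows[fwd] = "SYN"            # client's SYN
            return False
        if "S" in pkt.flags and "A" in pkt.flags:
            if self.flows.get(rev) == "SYN":   # server's SYN/ACK answering it
                self.flows[rev] = "SYN_ACK"
            return False
        if "A" in pkt.flags and self.flows.get(fwd) == "SYN_ACK":
            self.flows[fwd] = "ESTABLISHED"    # client's final ACK
        return self.flows.get(fwd) == "ESTABLISHED"


def naive_rule(pkt):
    """Content-only rule: alert on any packet to port 25 carrying the sled."""
    return pkt.dport == SMTP_PORT and NOP_SLED in pkt.payload


def established_rule(pkt, tracker):
    """Same content match, but only on established client->server flows."""
    established = tracker.update(pkt)
    return established and naive_rule(pkt)


def run(packets, gated):
    """Return the indices of packets that fire the rule."""
    tracker = FlowTracker()
    alerts = []
    for i, pkt in enumerate(packets):
        fired = established_rule(pkt, tracker) if gated else naive_rule(pkt)
        if fired:
            alerts.append(i)
    return alerts


# Constructed traffic (made up for this example):
#  0-1: a SYN the firewall drops (no SYN/ACK ever comes back), followed by a
#       blind PSH/ACK carrying the sled, the case the poster does not want to hear about
#  2-6: a real handshake, an EHLO, then a command carrying the sled
CONSTRUCTED = [
    Packet("203.0.113.7", 40000, "192.0.2.25", 25, "S"),
    Packet("203.0.113.7", 40000, "192.0.2.25", 25, "PA", b"DATA\r\n" + NOP_SLED + b"\xcc"),
    Packet("198.51.100.9", 50000, "192.0.2.25", 25, "S"),
    Packet("192.0.2.25", 25, "198.51.100.9", 50000, "SA"),
    Packet("198.51.100.9", 50000, "192.0.2.25", 25, "A"),
    Packet("198.51.100.9", 50000, "192.0.2.25", 25, "PA", b"EHLO mail.example\r\n"),
    Packet("198.51.100.9", 50000, "192.0.2.25", 25, "PA", b"MAIL FROM:<" + NOP_SLED + b">\r\n"),
]

if __name__ == "__main__":
    print("content only:", run(CONSTRUCTED, gated=False))   # [1, 6]
    print("established :", run(CONSTRUCTED, gated=True))    # [6]
```

The gate removes the alert for the blocked connection (packet 1) while keeping the one on the completed session (packet 6). It does not address a sled-like byte run inside a legitimately delivered message, which is the other way such a rule can fire; that has to be judged from the decoded payload itself.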

