GEN:SID 1:495
Message ATTACK-RESPONSES command error
Summary This event is generated by an unsuccessful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
Impact Serious. An attacker may have the ability to execute commands remotely
Detailed Information This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "Bad command or filename". For example, it is generated by the Windows operating system if the executable file to be run from the command line is not found.

Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has tried to execute a command. Note that the source address of this event is actually
the victim and not that of the attacker.
Affected Systems  
Attack Scenarios An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then tries to run other commands on the machine.
Ease of Attack Simple. This post-attack behavior can accompany different attacks.
Corrective Action Investigate the web server for signs of compromise.

Look for other IDS events involving the same IP addresses.
Additional References