GEN:SID 1:494
Message ATTACK-RESPONSES command completed
Summary This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
Impact Serious. An attacker may have the ability to execute commands remotely
Detailed Information This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com).

Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.
Affected Systems  
Attack Scenarios An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.
Ease of Attack Simple. This post-attack behavior can accompany different attacks.
Corrective Action Investigate the web server for signs of compromise.

Look for other IDS events involving the same IP addresses.
Additional References Microsoft Technet:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
Rule References bugtraq: 1806