“Lizamoon” attacks are a rapidly spreading bit of SQL injection named for the domain that hosted the script dropped onto a variety of web sites. SID 13989 is the rule you want to make sure is enabled when running a Sourcefire/Snort box. It was originally written to deal with SQL injection attacks similar to the Asprox trojan. The rule has the handy benefit of picking up a number of different attacks that are being obfuscated via use of the char() function.”]
Source: https://blog.talosintelligence.com/2011/04/lizamoon-attacks-and-generic-detection.html