What you found is a known bug in version 3.1 and earlier sensors.
The sensor did not track which port was the server and which port was the client.
So if your analysis is correct that this is a normal HTTP connection, then the HTTP client randomly chose the 12345 port which a Netbus server usually runs on. The HTTP client then sent a request to the webserver that contained "netbus" in the request.
The signature looks for the regular expression: [Nn][Ee][Tt][Bb][Uu][Ss] from a server running on ports 12345,12346 or 20034
So you may want to verify that it is a legitimate web request containing "netbus" in the request or some variant like "netbusiness" which would make the alarm a false positive alarm.
In version 4.0 of the sensor we have addresses these false postives where clent ports are being confused with server ports. The 4.0 sensor is able to track the direction of the connection in order to determine which of the 2 ports is the server port and which is the client port. So in 4.0 you would not have this false positive.
Here is the signature definition on a 4.0 sensor in case you are interested:
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :