Try to write rules that target the vulnerability, instead of a specific exploit.
For example, look for a the vulnerable command with an argument that is too large, instead of shellcode that binds a shell.
By writing rules for the vulnerability, the rule is less vulnerable to evasion when an attacker changes the exploit slightly.