Hah, that really was all it was looking for? I was curious how you came along with that. The longer you do stuff like this, the more you realize most signatures are complete garbage. Before mimikatz was integrated into Metasploit, I got it around SEP by simply importing math.h, calculating a few square roots, and recompiling it. SEP must have been doing an MD5 check or something else extremely rudimentary. I didn't expect that to work at all.
There is nothing unique about "timestamp" parameters in exploits. That was just how the signature was written for that specific exploit. It would have been much better for them to look for a request to that page that contained back ticks (``) since those are likely never used by the application but are required for command injection.
The best starting point for analyzing something like this is to perform a packet capture and observe what is actually getting sent across the wire. Once you have that information, you can start thinking about how someone would go about writing a signature for it.
A good signature should focus on unique characteristics of the malicious traffic in order to accurately identify an exploit attempt without generating false positives. In the exploit you were working with before, there was very little unique information included in the request, and a static timestamp immediately jumped out at me as signature material.
If you've never written IDS signatures before, spend some time with it to get an idea of how real signatures are actually put together. The official Snort manual is an excellent resource for doing this with Snort, and of course that's all free to use and play around with.
If you have access to the inline security control, you may be able to review the signature and see exactly what its doing. If you don't, see if there is a Snort signature for it, which you can at least use as a starting point. Another vendor's signature will likely be fairly similar.
The day you stop learning is the day you start becoming obsolete.