You can learn all these things by reading the manual.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433
Shout when you see a TCP packet from what I have defined as external networks to what I have defined as SQL servers on port 1433.
When you shout, say "Attack Detected".
Only shout if the SQL server in this connection is the TCP "server" and this TCP connection has been established (for example, ignore random packets that are not part of a connection).
Only shout if you find a binary 0x02 character in the first byte of the message.
Only shout if you also find the string "sa" (or "SA" or "Sa" or "sA") in the two bytes after the 39th byte of the packet.
detection_filter:track by_src, count 5, seconds 2;)
Only shout if you see 5 packets within 2 seconds that meet these criteria.
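The checks described above, modelled in Python over constructed packets so each condition can be seen working. This is an added example, not part of the original answer and not Snort code: the sliding window follows the wording above and simplifies Snort's own rate tracking, and the addresses, the `login` helper and the payload layout are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed value standing in for the $SQL_SERVERS variable (assumption).
SQL_SERVERS = ip_network("192.0.2.0/28")
COUNT, SECONDS = 5, 2           # detection_filter: count 5, seconds 2
SA_OFFSET, SA_LEN = 39, 2       # "sa" in the two bytes after byte 39

def matches(pkt):
    """Header, flow and content checks for a single packet (a dict)."""
    p = pkt["payload"]
    return (ip_address(pkt["dst"]) in SQL_SERVERS
            and ip_address(pkt["src"]) not in SQL_SERVERS  # stand-in for $EXTERNAL_NET
            and pkt["dport"] == 1433
            and pkt["established"] and pkt["to_server"]
            and len(p) >= SA_OFFSET + SA_LEN                # too short: cannot match
            and p[0] == 0x02
            and p[SA_OFFSET:SA_OFFSET + SA_LEN].lower() == b"sa")

def detect(packets):
    """Return (timestamp, src) for each packet that completes 5 matches in 2 s."""
    recent = defaultdict(deque)     # src -> timestamps of matching packets
    alerts = []
    for pkt in sorted(packets, key=lambda k: k["ts"]):
        if not matches(pkt):
            continue
        window = recent[pkt["src"]]
        window.append(pkt["ts"])
        while pkt["ts"] - window[0] > SECONDS:
            window.popleft()
        if len(window) >= COUNT:
            alerts.append((pkt["ts"], pkt["src"]))
    return alerts

def login(ts, src, user=b"sa", first=0x02, established=True):
    """Build a constructed sample packet; the payload layout is illustrative only."""
    payload = bytes([first]) + b"\x00" * 38 + user + b"\x00" * 8
    return {"ts": ts, "src": src, "dst": "192.0.2.10", "dport": 1433,
            "established": established, "to_server": True, "payload": payload}

# Constructed traffic: a fast guesser, a slow one, and a different user name.
SAMPLE = ([login(0.25 * i, "198.51.100.7", b"Sa") for i in range(6)]
          + [login(1.0 * i, "203.0.113.9") for i in range(6)]
          + [login(0.1 * i, "198.51.100.8", b"bo") for i in range(6)])

if __name__ == "__main__":
    for ts, src in detect(SAMPLE):
        print(f"{ts:.2f}s Attack Detected from {src}")
```

Only the fast source alerts: the slow one never has five matches inside any two-second span, and the third never matches the "sa" content check.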