Full Name: Christopher Byrd
LinkedIn Profile: http://www.linkedin.com/in/cbyrd01
Twitter: http://twitter.com/cbyrd01
I've updated the signature to (hopefully) avoid HTTP response splitting detection avoidance:
alert tcp $EXTERNAL_NET $(RTSP_PORTS:-554) -> $HOME_NET any (msg: "Apple Quicktime RTSP flow classification"; flow: established,to_client; flowbits:isnotset,is_proto_rtsp; content: "rtsp/"; nocase; depth: 5; flowbits:noalert; flowbits:set,is_proto_rtsp; classtype:not-suspicious; sid: 1071101; rev: 2;)
alert tcp $EXTERNAL_NET $(RTSP_PORTS:-554) -> $HOME_NET any (msg: "Apple Quicktime RTSP Content-Type overflow attempt"; flow: established,to_client; flowbits:isset,is_proto_rtsp; content: "Content-Type: "; nocase; content:!"|0A|"; within: 50; reference: url,www.kb.cert.org/vuls/id/659761; reference: url,www.milw0rm.com/exploits/4657; classtype: attempted-user;sid: 1071102; rev: 1;)
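An added example, not part of the original comment and not Snort's own code: a Python emulation of how the two rules above cooperate, run over constructed server-to-client payloads. The `Flow` class, the function names and the sample segments are assumptions for illustration; the emulation also assumes sid 1071101 is evaluated before sid 1071102 on each segment, and that a 50-byte window cut short by the end of the segment counts as containing no line feed.

```python
WINDOW = 50                  # within: 50
HEADER = b"content-type: "   # content: "Content-Type: "; nocase


class Flow:
    """Per-connection state; holds the is_proto_rtsp flowbit (hypothetical helper)."""
    def __init__(self):
        self.is_proto_rtsp = False


def classify(flow, payload):
    """sid 1071101: set the flowbit when the segment starts with 'rtsp/' (nocase, depth 5)."""
    if not flow.is_proto_rtsp and payload[:5].lower() == b"rtsp/":
        flow.is_proto_rtsp = True   # flowbits:noalert, so nothing is reported here


def overflow_attempt(flow, payload):
    """sid 1071102: flowbit set, header present, no 0x0A in the 50 bytes after it."""
    if not flow.is_proto_rtsp:
        return False
    lowered = payload.lower()
    pos = lowered.find(HEADER)
    while pos != -1:                       # try every occurrence of the header
        start = pos + len(HEADER)
        if b"\n" not in payload[start:start + WINDOW]:
            return True
        pos = lowered.find(HEADER, pos + 1)
    return False


def inspect(segments):
    """Return the indexes of the segments on which sid 1071102 would alert."""
    flow, alerts = Flow(), []
    for i, seg in enumerate(segments):
        classify(flow, seg)
        if overflow_attempt(flow, seg):
            alerts.append(i)
    return alerts


# Constructed sample payloads (not captured traffic).
BENIGN = [b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"]
LONG_VALUE = [b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: " + b"A" * 200 + b"\r\n\r\n"]
SPLIT = [b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n", b"Content-Type: " + b"A" * 200 + b"\r\n"]
NOT_RTSP = [b"HTTP/1.1 200 OK\r\nContent-Type: " + b"A" * 200 + b"\r\n\r\n"]

if __name__ == "__main__":
    for name in ("BENIGN", "LONG_VALUE", "SPLIT", "NOT_RTSP"):
        print(name, inspect(globals()[name]))
```

The `SPLIT` case shows why the first rule exists: the flowbit set on the status line lets the second rule fire on a later segment that no longer begins with `RTSP/`.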