Hi Russell,
HUNTING (Suricata 5 ruleset) or INFO/POLICY (Suricata 4/Snort ruleset) are not directly tied to malicious activity. Rules in the HUNTING/INFO/POLICY categories are based on traffic that could be of interest depending on the environment Suricata and the rules are deployed in.
With specific regard to the sid (2034098) you mention, we (Emerging Threats/Proofpoint) saw Autodesk being used as part of an infection chain. In an effort to give folks as much insight as possible into traffic going across their networks, we made a HUNTING/INFO rule around this.
In environments where one would not expect to see Autodesk endpoints being used, this would be of interest. In other environments it would probably be too noisy. But it gives a point of investigation for activity that could end up being malicious.
With an unknown number of people that have MiTM/SSL decrypt available, we try to have rules that cover the capabilities of everyone. Meaning, we usually try to have a very specific signature in the case where SSL decrypt is available; for environments that do not have SSL decrypt, we try to provide SSL/TLS sigs and/or DNS signatures. The DNS/SSL/TLS signatures are obviously much more generic but are the best we can do in some cases.
As Jeff mentioned, feel free to hit us up via the feedback portal. Hopefully that helps and I apologize for the delay in response.
JT
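
The tiered coverage described in the reply above, sketched as an added example that is not part of the original post and is not an Emerging Threats rule. The domain `files.example.com`, the URI path, the `LOCAL HUNTING` message prefix and the sids (local range) are all constructed placeholders; the syntax is Suricata 5 sticky-buffer style.

```suricata
# Constructed example rules: placeholder domain, path and local-range sids.

# Tier 1: HTTP is visible (SSL decrypt in place, or cleartext).
# Host, method and URI can all be matched, so the rule is specific and quiet.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL HUNTING HTTP GET for hosted file on files.example.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/placeholder/path/"; startswith; http.host; content:"files.example.com"; bsize:17; classtype:misc-activity; sid:1000001; rev:1;)

# Tier 2: no decrypt, but the TLS ClientHello is visible.
# Only the SNI can be matched: any use of the service fires, benign or not.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL HUNTING TLS SNI files.example.com"; flow:established,to_server; tls.sni; content:"files.example.com"; bsize:17; classtype:misc-activity; sid:1000002; rev:1;)

# Tier 3: DNS only.
# Fires on the lookup itself, before (or without) any connection being made.
alert dns $HOME_NET any -> any any (msg:"LOCAL HUNTING DNS query for files.example.com"; dns.query; content:"files.example.com"; nocase; bsize:17; classtype:misc-activity; sid:1000003; rev:1;)
```

Tiers 2 and 3 match on the hostname alone, which is why rules of this kind are noisy wherever the service is in normal use and useful as an investigation lead where it is not.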