I have an answer, but I do not consider myself that proficient in the SNORT rules or the rational behind them ....
I would prefer someone with more knowledge reply.
Maybe I have had too much of the grape, but I could not find how to bump this thread ( even though I tried assigning points to it as we used to be able to,) so I included this in response in hopes it would bring attention to it.
Although henry95's question would be better directed to the SNORT lists, I believe that many here could answer, as it is more a general question ( albeit a little more specific since the packets in question appear to be coming from within. )
Anyone care to take a stab ?