Snort's HTTP decode preprocessor doesn't change the original packet but it does reduce the request to the proper format so that it can pass it through the detection engine. It merely does it to simplify the detection of malicious attempts.
A good book for all this is Snort 2.1 Intrusion Detection by Brian Caswell et al, (ISBN 1-931836-74-4). Try it, you'll love it.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides