You could try having snort listen for something from x.x.x.x to y.y.y.y then write an alert to a log file only used by this rule. Have logwatch or some custom script check that log every second, then re-writes the packet swapping the source and destination in the header with an ip spoofing tool such as hunt.