Here are details of what this signature does:
Can you post a sample alert for this signature here? Feel free to modify any sensitive information (like IP addresses).
We need to get captures to figure out what's going on here. Is it only between the above 2 IPs that you see this alert?
You can enable "produce verbose alert" also in addition to the captures and that way you should be able to figure out which is the offending packet in the stream.
Thanks and Regards,