We are having the same issue, except with the TCP SYN Host Sweep (3030) alert. The signature explanation page suggests to filter out internal addresses as the source, but we have not for a reason: this is a good way to detect a worm within the networ...