Snort 2.9.1 improves protocol handling
The Snort network intrusion detection system has been updated with HTTP and DCE/RPC protocol aware flushing and improved SIP, POP and IMAP3 preprocessors. Updates to the HTTP and DCE/RPC preprocessors now allow Snort to reassemble requests and responses, even when spread over many packets, and to intelligently flush the results. Snort performs realtime analysis on IP network traffic to detect attempts to probe or attack the network by using a user-defined ruleset which characterises those attacks.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump