Try the Sguil console, and you'll be happier with handling alerts. It presents the data from full content pcaps, Snort alerts, and session data, together with a handy window to do reverse DNS and whois. It will give you the signature that fired the alert, or, if no alert fired (say someone emailed firstname.lastname@example.org with an IP and time range), you can look back in time and see what connections your host had open when. It will even help you decide which alerts are useful and which are useless, but you still have to tune the rules yourself. For handling that, I use Oinkmaster. Sguil scales to billions of rows.
Some folks have worked on integrating Bro (or was it Prelude?), which is another interesting alerting engine. It might be possible to integrate with this project.