Snort mailing list archives

unusual alert destination


From: "Rob Burris" <robeb () keepthevibe com>
Date: Mon, 24 Feb 2003 22:06:38 -0700

I saw this in my logs today:

EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack [Classification: access to a potentially vulnerable 
web application]

The alert destination is my gateway IP on my home network. All incoming HTTP traffic is forwarded to my webserver on a 
different box. I DO have Apache running on my gateway, but it is only accessible from inside my network. Any idea why 
snort would log the destination as my gateway IP and not my webserver? I'm running Red Hat 7.3 w/ Snort 1.9.0.

- Rob B.
