Snort mailing list archives

P2P traffic?


From: gary douglas <GM-Douglas () wiu edu>
Date: Thu, 21 Jul 2005 15:31:27 -0500

I have just started using Snort and am new to it. I have seen a huge number of alerts of three types in particular. I think these are related and that is why I am posting them together. The alerts are:

(http_inspect) BARE BYTE UNICODE ENCODING
(portscan) TCP Portsweep
(portscan) Open Port

I have searched the internet and have not found any reference to these alerts in combination. When I look at one of the Bare Byte Unicode packets, I find the following:

http://emule-project.net

These alerts are coming from computers within the subnet I am monitoring and going to numerous different destination addresses all over the internet. I work at a University, so we do not block P2P on our ResNet (Resident Hall Network). I know that one of the users who is coming up at the top is using P2P.

My question is, are these three alerts typical of P2P programs? Should I ignore them?

That brings up my second set of questions. I understand these are preprocessors in Snort. I have gone into threshold.conf and added the following lines:

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 4

I uncommented the line in snort.conf, but I still get counts on these alerts. I have even added the suppress lines to snort.conf and still receive alert counts. How do I stop these alerts from being watched for? Am I on the right track with this?

Thank you for the help.
Gary Douglas
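The three suppress lines in the post are syntactically valid Snort 2.x threshold.conf entries (gen_id 122 is the sfportscan preprocessor, gen_id 119 is http_inspect, and the sig_id values match the three messages quoted). An added example, not part of the post or of the Snort project, that applies such entries offline to fast-format alert lines so you can separate "the gid:sid pair does not match" from "Snort never loaded the file": it parses suppress entries (including the optional `track by_src|by_dst, ip CIDR` form), parses the `[gid:sid:rev]`, protocol and endpoints out of each alert line, and reports which alerts the entries would remove. The alert lines, addresses and the 10.10.0.0/16 network are constructed sample data.

```python
"""Apply Snort 2.x threshold.conf 'suppress' entries to fast-format alert lines.

Added example (not from the mailing list post or the Snort project).  The
alert lines and addresses below are constructed sample data.
"""
import ipaddress
import re

# Snort "-A fast" line: <timestamp> [**] [gid:sid:rev] <msg> [**] ... {PROTO} src -> dst
_ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


def parse_suppress_rules(conf_text):
    """Parse 'suppress gen_id N, sig_id M[, track by_src|by_dst, ip CIDR]' lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("suppress"):
            continue                                  # threshold/event_filter lines are out of scope
        fields = {}
        for part in line[len("suppress"):].split(","):
            key, _, value = part.strip().partition(" ")
            fields[key] = value.strip()
        rule = {"gid": int(fields["gen_id"]), "sid": int(fields["sig_id"])}
        if "track" in fields:                         # optional per-address form
            rule["track"] = fields["track"]
            rule["net"] = ipaddress.ip_network(fields["ip"], strict=False)
        rules.append(rule)
    return rules


def parse_alert(line):
    """Return gid/sid/msg/src/dst for one fast-format alert line, or None."""
    m = _ALERT_RE.search(line)
    if not m:
        return None

    def host(addr):                                   # strip ':port' (IPv4 endpoints only)
        return addr.rsplit(":", 1)[0] if ":" in addr else addr

    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "src": host(m["src"]), "dst": host(m["dst"])}


def is_suppressed(alert, rules):
    for r in rules:
        if (r["gid"], r["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if "track" not in r:
            return True                               # unconditional suppress for this gid:sid
        addr = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if ipaddress.ip_address(addr) in r["net"]:
            return True
    return False


def apply_suppress(log_text, conf_text):
    """Return (kept, suppressed) lists of parsed alerts."""
    rules = parse_suppress_rules(conf_text)
    kept, suppressed = [], []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            (suppressed if is_suppressed(alert, rules) else kept).append(alert)
    return kept, suppressed


# The poster's first two entries, plus a hypothetical address-scoped third one.
THRESHOLD_CONF = """\
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 3
suppress gen_id 119, sig_id 4, track by_src, ip 10.10.0.0/16
"""

# Constructed alert lines in Snort's fast format (not real captures).
SAMPLE_ALERTS = """\
07/21-15:31:27.000001 [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 10.10.4.21 -> 203.0.113.7
07/21-15:31:28.000002 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.10.4.21 -> 198.51.100.9
07/21-15:31:29.000003 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.10.4.21:3412 -> 198.51.100.9:4662
07/21-15:31:30.000004 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.77:51000 -> 10.10.4.21:80
"""

if __name__ == "__main__":
    kept, suppressed = apply_suppress(SAMPLE_ALERTS, THRESHOLD_CONF)
    for a in suppressed:
        print("suppressed  [%d:%d] %s  %s -> %s" % (a["gid"], a["sid"], a["msg"], a["src"], a["dst"]))
    for a in kept:
        print("kept        [%d:%d] %s  %s -> %s" % (a["gid"], a["sid"], a["msg"], a["src"], a["dst"]))
```

Run it against your own alert file and threshold.conf: if the script marks the alerts as suppressed but Snort still emits them, the entries match and the problem is on the loading side (the `include threshold.conf` line in snort.conf and a restart so the file is actually read), not in the gid/sid values. The script only models the `suppress` keyword; `threshold`/`event_filter` entries are ignored.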
