Snort mailing list archives

one tap two interface no tcp session data logged


From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Mon, 30 Aug 2004 18:23:05 -0400

Question: A tap was bought and connected to a box with three (3) NICs [one for mgmt and two for snorting]
and a snort process is running on each NIC.
No TCP session data was logged, i.e. no IIS Code Red attempts.
Tried giving each NIC its own sensor name and that did not work.
Finally, created a bridge with the two (2) NICs. Now one sees everything.
I Ass-U-Me that one snort process saw incoming traffic and
the other process saw outgoing traffic, so there never was an
established connection for the IIS rules to fire on? If one does not
want to bridge the traffic, what kind of rule should
I write to catch an incoming stream with IP proto=tcp
and root.exe? Of course, I think that the
http preprocessor normalizes the data, i.e.
r^H^H^H^H^H^H^Ho^H^Ho^Ht.exe to root.exe, so I would want to
bridge the traffic to make sure I get all of the alerts? Is that correct?

Thank you,
Raymond
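The failure mode described in the post, as an added example that is not part of the original message or of Snort itself: a half-duplex tap delivers each direction of a conversation to a different monitor port, so a sniffer that sees only one leg never observes a complete three-way handshake. A toy stream tracker that gates content matching on an established connection (the same idea as a Snort rule with `flow:to_server,established;`) is run first on each tap leg separately and then on the merged view. The interface names, addresses, packets and the percent-decoding step standing in for HTTP normalization are all constructed assumptions for illustration.

```python
"""Why one process per tap leg misses session-based alerts (constructed example)."""
from collections import namedtuple
from urllib.parse import unquote

Packet = namedtuple("Packet", "iface src dst flags payload")

# Assumed layout: the tap copies client->server to eth1 and server->client to eth2.
TAP_A, TAP_B = "eth1", "eth2"
CLIENT, SERVER = "10.0.0.5:4321", "192.0.2.10:80"

# Constructed capture of one HTTP request whose URI is percent-encoded.
CAPTURE = [
    Packet(TAP_A, CLIENT, SERVER, "S", b""),
    Packet(TAP_B, SERVER, CLIENT, "SA", b""),
    Packet(TAP_A, CLIENT, SERVER, "A", b""),
    Packet(TAP_A, CLIENT, SERVER, "PA", b"GET /scripts/root%2Eexe HTTP/1.0\r\n\r\n"),
    Packet(TAP_B, SERVER, CLIENT, "PA", b"HTTP/1.0 404 Not Found\r\n\r\n"),
]


def normalize_uri(payload):
    """Simplified stand-in for an HTTP preprocessor: percent-decode the request line."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    return unquote(line).encode("latin-1")


def inspect(packets, needle=b"root.exe"):
    """Return alerts for `needle` seen in client->server payload of established flows.

    A flow counts as established only after this tracker has itself seen
    SYN, SYN/ACK and ACK, which is what a stream-aware rule relies on.
    """
    flows = {}   # flow key -> {"stage": 0..3, "client": initiator address}
    alerts = []
    for p in packets:
        key = frozenset((p.src, p.dst))
        f = flows.setdefault(key, {"stage": 0, "client": None})
        if p.flags == "S":
            f["stage"], f["client"] = 1, p.src
        elif p.flags == "SA" and f["stage"] == 1:
            f["stage"] = 2
        elif p.flags == "A" and f["stage"] == 2:
            f["stage"] = 3
        elif p.payload:
            established = f["stage"] == 3
            to_server = p.src == f["client"]
            if established and to_server and needle in normalize_uri(p.payload):
                alerts.append((p.iface, p.src, p.dst))
    return alerts


def per_interface(packets):
    """One tracker per tap leg: each sees only half of the handshake."""
    return {iface: inspect([p for p in packets if p.iface == iface])
            for iface in (TAP_A, TAP_B)}


def bridged(packets):
    """One tracker over both legs, as a bridge or bonded interface provides."""
    return inspect(packets)


if __name__ == "__main__":
    print("per interface:", per_interface(CAPTURE))   # no alerts on either leg
    print("bridged:      ", bridged(CAPTURE))         # one alert on the request
```

Run on the constructed capture, the per-interface trackers report nothing, because neither leg ever reaches the established stage, while the merged view raises the alert. A rule without the established gate would fire on the single leg, but it would also fire on unacknowledged or spoofed segments, so merging both tap legs into one sensor is the approach that keeps stream-based rules meaningful.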
