Well, I do this sort of thing for a living (since 2003).
There are various ways you can analyze these. It helps if you've seen the good aspects of the traffic (ie, if you've seen regular yet non-malicious MSN chat traffic before, use it as a reference). The trap that most people fall for is that the source and destination may both be trusted IPs. Well, a trusted host can become infected and pass malware to other hosts that it normally chats with. You should be able to find a signature that will sniff for certain malware that affects MSN chat. It basically depends on what the signature is designed to alert against. Compare the captured traffic against the signature/rule itself. In most cases, the sigs rely on regex, but this isn't always the case. There will sometimes be blatant false positives and negatives. Study up on signature anatomy (there should be some explanation at snort.org that explains the makeup of a Snort rule). Try to create your own rules based on packets you manually capture. Alter an existing rule to see if you can refine it for your environment.
A lot of sigs are designed to alert on the existence of the traffic itself (your MSN signature, for example). Since you know that your organization has a business need for MSN chat, you can probably disable that particular signature. I'm not sure on the latest and greatest features of Snort, so check to see if there's a way to filter out trusted hosts for specific signatures (that way, if you see malicious traffic coming from an untrusted IP, it will most likely be observed and not filtered). Check to see if there are sigs based on known malware that uses MSN chat as a conduit/vector.
There will be some that you won't be able to immediately validate. This is where I use google to search for answers. I also have a lab where I can study traffic. I will sometimes crank up an IRC client (for example), then visit an IRC server...the whole time, I'm logging traffic via tcpdump. When I'm done, I go back and peruse the logs and study them. That'll help with understanding how IRC protocol and how IRC traffic is logged (so that I know what I'm looking at when analyzing an incident). The same can be done for web traffic or any other protocol. Half the battle is learning how servers interact with their clients, as well as how the Snort rules are designed to alert. Sometimes you're going to find rules that just flat-out need to be disabled, if only because you know that your organization doesn't normally utilize a particular service. Sometimes you're going to see things you've never seen before (to this day, I still see things that challenge me)...these are the types of traffic that will force you to grow your experience. Leverage the Snort forums and other security forums. Sometimes, this forum won't be the proper place to get the highly technical details. What has been a good resource is
http://taosecurity.blogspot.com/ (Richard Bejtlich's blog). Some of his blog entries are way above my head, while others are level with me...I take what I can understand.
I also bought quite a bit of books over the last 8-10 years. Basic networking books, as well as literature on apache and database administration. In addition to the basic books, I got OJT on monitoring (and administering) security devices such as enterprise-grade firewalls, IPSs, IDSs, proxies, and whatever else you can think of.