Figured out why the alerts were being triggered for each packet of the exe download. Snort uses stream5 by default out of the box and reassembles all the packets for you when you issue a content match rule.
Thus what was happening was that every time a raw packet came in, it would be reassembled with the earlier packets in the stream and matched against the properties in the rule. Hence this would be repeated every time a packet comes in.
Setting stream5_global: show_rebuilt_packets in snort.conf would show packets as they are rebuilt. You could also try running Snort with snort -A cmg .. to see where the logs are coming from, i.e. see the assembled packets at each stage.
However, it's still not clear how Snort can be easily integrated with a data carving tool to extract files from packet captures, and whether it can be done inline.
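The behaviour described in the post, as an added example that is not part of the original post and is not Snort's code: a simplified model in which every arriving segment is joined to the earlier bytes of its flow and the rule content is matched again, so one download raises an alert per packet unless alerts are limited to one per flow. The `FlowMatcher` class, the `once_per_flow` switch, the content string, and the sample payload and addresses are all constructed for illustration.

```python
from collections import defaultdict

CONTENT = b"This program cannot be run in DOS mode"  # assumed rule content

# Constructed sample: HTTP response carrying the start of a PE file.
PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
           b"MZ" + b"\x00" * 76 + CONTENT + b"\x00" * 2000)

def make_segments(payload, mss, isn=1000):
    """Split the payload into (seq, data) pairs, like TCP segments."""
    return [(isn + i, payload[i:i + mss]) for i in range(0, len(payload), mss)]

class FlowMatcher:
    """Hypothetical model: rebuild the stream on every packet, then match."""
    def __init__(self, content, once_per_flow=False):
        self.content = content
        self.once_per_flow = once_per_flow
        self.segments = defaultdict(dict)   # flow -> {seq: data}
        self.alerted = set()                # flows that already alerted
        self.alerts = []                    # (flow, seq of triggering packet)

    def _rebuild(self, flow):
        """Join contiguous bytes starting from the lowest sequence seen."""
        segs = self.segments[flow]
        seq, out = min(segs), bytearray()
        while seq in segs:
            out += segs[seq]
            seq += len(segs[seq])
        return bytes(out)

    def on_packet(self, flow, seq, data):
        self.segments[flow][seq] = data
        if self.once_per_flow and flow in self.alerted:
            return                          # suppress repeats for this flow
        if self.content in self._rebuild(flow):
            self.alerted.add(flow)
            self.alerts.append((flow, seq))

def run_demo(mss=150):
    flow = ("10.0.0.5", 80, "10.0.0.9", 49152)   # constructed 4-tuple
    segs = make_segments(PAYLOAD, mss)
    per_packet = FlowMatcher(CONTENT)
    once = FlowMatcher(CONTENT, once_per_flow=True)
    for seq, data in segs:
        per_packet.on_packet(flow, seq, data)
        once.on_packet(flow, seq, data)
    return len(segs), per_packet.alerts, once.alerts

if __name__ == "__main__":
    n, repeated, single = run_demo()
    print(f"{n} segments: {len(repeated)} alerts per-packet, {len(single)} once-per-flow")
```

With a 150-byte segment size the content string straddles the first two segments, so no single packet matches on its own; the match only appears after the second segment is joined to the first, and then recurs for every later packet.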