Is the attack local to the computer?? Maybe, there isn't a port due to to false positivs...?
Which attack is that?
Port destination/source normally for TCP & UDP packet.
while ICMP there no port no so nomally ICMP alerts will show port 0.
There could be a number of factors, however, based on the information that you provided I submit the following answer:
There are multiple source and destination ports
This is likely to be the case when scanning from one IP Address to another. The Scanner (or source IP) will have random source port numbers, as that is standard TCP communication.
The Target (or destination IP) will have multiple ports that a scanner is scanning (such as UDP 53 for DNS, TCP 25 for SMTP, TCP 80 for HTTP, etc.)
Because there are no real patterns in the source and destination ports, the NSM will simply use port 0 to indicate that there are numerous ports.
Let me know if this helps.