Is the Attack count more than 1 in the attack detail?
If yes, it must be the suppressed alert.
NSP has a function to suppress similar attacks (the same attack from the same IP to the same IP) to avoid
a huge amount of alert logging when encountering an outbreak, DoS, etc.
The first attack will be logged with the right port number, and the following attacks
will be suppressed and logged after 2 minutes with minimal information.
So you can find the first attack and check the right port.
Thanks for the reply, shinogi. As I did search for this one, will there be any relation with unsupported protocol traffic?
Those alerts may also be related to the L2 protocol (e.g. ARP Spoofing, MAC Flip Flop).