Look in the /usr/nr/var/log.* log files on the sensor.In the log should be an entry to show that the ShunHost command was executed for the particular address.Look at the alarms just prior to that address to determine which alarm fired with that ipaddress and ports, and then check the sensor configuration to see if the sensor was configured to block for that signature.
What you might find is that the NetBIOS packets may be firing signatures other than the NetBIOS signatures. It may be a sweep or flood signature that is firing.Or the sensor might still be firing the NetBIOS signatures because the sensor configuration hadn't been updated (check /usr/nr/etc/packetd.conf and see if it matches what you configured in CSPM).
Something else to keep in mind is that the block/shun may look like it should only block a specific port, but in actuallity the shun/block will stop ALL traffic to and form that IP address and not just the port in the alarm.