We're seeing a ton of false positives for sig 3010 TCP High Port Sweep. We've reviewed the flows in question and they are valid sessions, not attacks. Upon reviewing the details of the event, we see that, according to NetRanger, the source port for the packets is 0 (zero). It appears that NetRanger is unable to match the packet to the outbound session that it's related to. We were thinking there might be a bug that's corrupting the source port during packet capture? Is there a configuration error that can explain this condition?
Thanks for any assistance.