Snort mailing list archives

No ports listed for SHELLCODE x86 NOOP


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Tue, 14 Sep 2004 08:58:50 -0400

Hello All -

My snort sensor is running snort-2.2.0 on Solaris 9. I'm seeing a problem with some of my "SHELLCODE x86 NOOP" events 
not having port numbers listed:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
Frag Offset: 0x0000   Frag Size: 0x0538

The port number does not show up in the ACID database either.  Funny thing is that many of these events do have port 
numbers:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
***A**** Seq: 0x4B6D415B  Ack: 0x7C5136E  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

Bug?  Or is there something I don't understand?  I may just shut this rule off, since I don't have any x86 based 
machines. However, we like to run with all rules enabled, to understand what attacks are being launched, and then use 
custom scripts to post-process that data.

Thanks in advance! :)
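Since the post mentions post-processing alert data with custom scripts, here is an added example (not from the original post and not Snort's own code) that parses both record shapes. The first record carries the MF flag and a Frag Offset line, meaning Snort logged an IP fragment, and Snort's full alert format prints fragment alerts as "src -> dst" without transport ports, so a parser must treat ports as optional. The sample input is the two records quoted above; the `Alert` fields and `flow_key` grouping are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# The two alert records quoted in the post, embedded here as sample input.
SAMPLE_ALERTS = """\
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
Frag Offset: 0x0000   Frag Size: 0x0538

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
***A**** Seq: 0x4B6D415B  Ack: 0x7C5136E  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Ports are optional: a fragment alert prints "src -> dst" with no ports at all.
ADDR_RE = re.compile(r"^\S+ ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
@dataclass
class Alert:
    sid: int
    src: str
    src_port: Optional[int]   # None when the record carries no ports
    dst: str
    dst_port: Optional[int]
    proto: str
    ip_id: int
    fragment: bool            # MF on the IP line, or a "Frag Offset:" line follows
def parse_alerts(text: str) -> List[Alert]:
    # Snort 2.x full-format records are separated by a blank line.
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        hdr, addr = HEADER_RE.match(lines[0]), ADDR_RE.match(lines[2])
        if not hdr or not addr:
            raise ValueError(f"unrecognised alert block: {lines[0]!r}")
        src, sport, dst, dport = addr.groups()
        ip_fields = lines[3].split()   # e.g. ["TCP", "TTL:115", ..., "DgmLen:1356", "MF"]
        kv = dict(f.split(":", 1) for f in ip_fields[1:] if ":" in f)
        frag = "MF" in ip_fields or any(ln.startswith("Frag Offset:") for ln in lines[4:])
        alerts.append(Alert(int(hdr.group(2)), src, int(sport) if sport else None,
                            dst, int(dport) if dport else None, ip_fields[0], int(kv["ID"]), frag))
    return alerts
def flow_key(a: Alert) -> str:
    # Grouping key for post-processing; a port-less fragment falls back to the IP pair.
    if a.src_port is None or a.dst_port is None:
        return f"{a.proto} {a.src} -> {a.dst} [fragment, ports unknown]"
    return f"{a.proto} {a.src}:{a.src_port} -> {a.dst}:{a.dst_port}"
```

Both records carry IP ID 31983, which the parser exposes so a script can relate a fragment alert to a later alert from the same datagram instead of dropping it for lack of ports.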
