Don't understand this one.
I installed IPCOP on our LAN last Thursday. To test it out I ran an NMAP portscan on it to see what it would do/say. Can't say as it DID anything, but it did record the ping of one of the ports in the IDS Log.

Yet, strangely, it's recording an NMAP attempt every 20 minutes SINCE then! Entries like:

Date: 05/16 14:22:35 Name: ICMP PING NMAP
Priority: 2 Type: Attempted Information Leak
IP info: 192.168.1.4:n/a -> 192.168.1.101:n/a
References: none found SID: 469

I looked in /var/log/snort/alert on IPCOP, and the messages are in there. I did a

# ps aux | grep nmap

on the original PC (192.168.1.4) and there's no entry.

Why does IPCOP think it's STILL being portscanned by that machine? What can I do to investigate it further?

Thanks for any help.

Liam
news@celticbear.com