differences between p and sp/dp port numbers inside the alert log

Hello.
I need to understand why the field port (p) is used when 'PortScan'
alert is logged instead of using the field source port (sp). For
example, in the connection summaries, I've got 51 udp connections with
flag S0, from one host to another host using 51 different destination
ports and the same originator port=43210.
In the alerts log, the same host appears to have scanned 50 ports but
instead of identifying the same originator port number, p=29638/udp is
recorded.
All my 'PortScan' alert records have no coincidence between the
originator port written in the connection summaries and the port
logged in the alerts.

Thanks in advance,

Veronica Estrada

> I need to understand why the field port (p) is used when 'PortScan'
> alert is logged instead of using the field source port (sp).

The main reconnaissance information gathered by a scan is whether
the destination has a listener on the given port. So the source port
isn't relevant to the semantics of the scan. (Bro will however try
to determine when it's observing TCP backscatter, in which case the
apparent source becomes relevant. That's not the case here.)

> In the alerts log, the same host appears to have scanned 50 ports but
> instead of identifying the same originator port number, p=29638/udp is
> recorded.

In the notice, what's included is the port of the most recent activity
(the activity that triggered generation of the notice). Often for
routine scanning this readily identifies the attacker's intent. In
your case, however, it doesn't. (Indeed, I imagine what you're seeing
isn't a scan at all.)

    Vern
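To make the semantics Vern describes concrete, here is an added Python illustration (not Bro code and not part of the thread): a minimal scan detector that records the notice port `p` as the destination port of the connection that crossed the threshold, plus a helper that correlates a notice back to its triggering connection by that port rather than by the originator's source port. The connection summaries, the host addresses and the threshold of 5 distinct ports are constructed assumptions for the example.

```python
# Added illustration of the p-vs-sp distinction discussed in the thread.
# The notice's 'p' is the responder port of the most recent activity (the
# connection that triggered the notice), not the originator's source port.
from collections import defaultdict

# Constructed connection summaries: (orig_h, orig_p, resp_h, resp_p, proto, state).
# One originator, one fixed source port, many distinct destination ports, all S0.
CONN_LOG = [
    ("10.0.0.5", 43210, "10.0.0.9", port, "udp", "S0")
    for port in (53, 67, 69, 111, 123, 137)
]

SCAN_THRESHOLD = 5  # distinct destination ports before a notice fires (assumption)


def detect_port_scans(conn_log, threshold=SCAN_THRESHOLD):
    """Return one notice per (orig, resp) pair once its distinct destination
    port count reaches `threshold`. 'p' is taken from the triggering connection."""
    seen_ports = defaultdict(set)
    notices = []
    for orig_h, orig_p, resp_h, resp_p, proto, state in conn_log:
        if state != "S0":  # only unanswered attempts count toward a scan
            continue
        key = (orig_h, resp_h)
        seen_ports[key].add(resp_p)
        if len(seen_ports[key]) == threshold:  # fire exactly once per pair
            notices.append({
                "src": orig_h,
                "dst": resp_h,
                "p": f"{resp_p}/{proto}",   # port of the most recent activity
                "sp": orig_p,               # originator port, kept for comparison only
                "num_ports": len(seen_ports[key]),
            })
    return notices


def find_triggering_conn(notice, conn_log):
    """Locate the connection that produced a notice: match on the responder
    port recorded in 'p', since matching on the originator port would fail."""
    port_str, proto = notice["p"].split("/")
    for entry in conn_log:
        orig_h, _, resp_h, resp_p, entry_proto, _ = entry
        if (orig_h, resp_h, resp_p, entry_proto) == (notice["src"], notice["dst"], int(port_str), proto):
            return entry
    return None
```

Running `detect_port_scans(CONN_LOG)` yields a single notice whose `p` is `123/udp` while every summarised connection carries originator port 43210, which is exactly the mismatch the question describes.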