To conclude this discussion... For the last few days I was running tcpdump on all interfaces of my Linux box... And at the same time I was running unhide-tcp in a loop every second... (it detected more hidden ports than OSSEC)
The result was more than 100 "hidden" TCP ports detected over the weekend, but when I was analyzing the tcpdump data (which was a slow process even with Wireshark) I did not find any traffic at all coming from/going to these ports (at least not within a ±5 minute time sync, but I guess that is good enough)... So, I have to conclude that this indeed is the problem described above (or a feature of the Linux kernel)... Thanks all for the info and help!
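
Added example, not part of the original post: one way to automate the cross-check described above, listing "hidden" port detections that have no TCP packet on that port within ±5 minutes in the capture. It assumes the capture was exported as text with `tcpdump -tt -n`; the detection list, the capture lines, and the function names are constructed for illustration.

```python
import re

# One address as printed by `tcpdump -n`: dotted IPv4 or colon-separated IPv6.
ADDR = r"(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
# "<epoch> IP <src>.<sport> > <dst>.<dport>: Flags [" -> TCP segments only.
PKT = re.compile(rf"^(\d+(?:\.\d+)?) IP6? {ADDR}\.(\d+) > {ADDR}\.(\d+): Flags \[")

def parse_packets(lines):
    """Return [(epoch_seconds, {src_port, dst_port})] for each TCP line."""
    packets = []
    for line in lines:
        m = PKT.match(line)
        if m:  # ICMP, UDP, ARP lines do not match and are skipped
            packets.append((float(m.group(1)), {int(m.group(2)), int(m.group(3))}))
    return packets

def unexplained(detections, packets, window=300):
    """Detections (epoch, port) with no TCP packet on that port within +/- window s."""
    return [(ts, port) for ts, port in detections
            if not any(port in ports and abs(t - ts) <= window
                       for t, ports in packets)]

# Constructed sample capture (documentation address ranges).
CAPTURE = [
    "1700000000.100000 IP 192.0.2.10.51514 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0",
    "1700000100.200000 IP6 2001:db8::1.40000 > 2001:db8::2.8080: Flags [.], ack 1, win 502, length 0",
    "1700000200.000000 IP 192.0.2.10 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64",
    "1700000300.000000 IP 192.0.2.10.5353 > 224.0.0.251.5353: UDP, length 45",
]
# Constructed (epoch, port) pairs, as a once-per-second detection loop might log them.
DETECTIONS = [(1700000050, 443), (1700000900, 8080),
              (1700000250, 5353), (1700000400, 40000)]

if __name__ == "__main__":
    for ts, port in unexplained(DETECTIONS, parse_packets(CAPTURE)):
        print(f"port {port} reported hidden at {ts}: no TCP traffic within 5 minutes")
```

Detections that remain in the output had no matching traffic in the capture, which is the outcome the post reports for every detected port.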
