An ACK scan does not provide information about whether a target machine's ports are open or closed, but rather whether or not access to those ports is being blocked by a firewall. If there is no response or an ICMP "destination unreachable" packet is received as a response, then the port is blocked by a firewall. If the scanned port replies with a RST packet, then ACK packet reached its intended host. So the target port is not being filtered by a firewall. Note, however, that port itself may be open or closed.
Describe a rule (or a set of rules) that could be used by Snort to detect an ACK scan. Cleary express your assumption and explain your rules. Do you think Bro can do a better job detecting an ACK scan? Explain your answer