Question
An ACK scan does not provide information about whether a target machine's ports are open or closed, but rather whether access to those ports is being blocked by a firewall. If there is no response, or an ICMP "destination unreachable" packet is received in response, then the port is blocked by a firewall. If the scanned port replies with a RST packet, then the ACK packet reached its intended host, so the port is not being filtered by a firewall. Note, though, that the port itself may be open or closed.
Describe a rule or a set of rules that might be used by Snort to detect an ACK scan. Clearly state your assumptions and explain your rules. Do you think Bro can do a better job of detecting an ACK scan? Describe your answer in detail.
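The detection idea behind the scan described above, as an added example that is not part of the original question: a bare ACK that belongs to no observed handshake is counted per source, and a source that hits many distinct ports inside a short window is flagged. The packet tuple layout, the sample traffic, the 10-second window and the threshold of 5 are all assumptions made for this sketch.

```python
from collections import defaultdict

WINDOW_S = 10   # assumed sliding window in seconds
THRESHOLD = 5   # assumed number of distinct (host, port) targets that triggers an alert

# Constructed sample traffic: (time_s, src, dst, sport, dport, tcp_flags)
PACKETS = [
    (1.0, "10.0.0.5", "10.0.0.80", 50000, 443, "S"),    # normal handshake
    (1.1, "10.0.0.80", "10.0.0.5", 443, 50000, "SA"),
    (1.2, "10.0.0.5", "10.0.0.80", 50000, 443, "A"),
    (1.3, "10.0.0.5", "10.0.0.80", 50000, 443, "A"),    # in-flow ACK, ignored
    (3.0, "203.0.113.9", "10.0.0.80", 40000, 25, "A"),  # stray ACKs, below threshold
    (4.0, "203.0.113.9", "10.0.0.80", 40001, 80, "A"),
] + [
    (5.0 + i / 10, "198.51.100.7", "10.0.0.80", 61000, port, "A")  # bare ACK sweep
    for i, port in enumerate([22, 23, 80, 443, 3389, 8080])
]

def detect_ack_scans(packets, window=WINDOW_S, threshold=THRESHOLD):
    """Map each suspected scanner to the sorted list of ports it probed."""
    handshakes = set()          # flows on which a SYN was seen, either direction
    probes = defaultdict(list)  # src -> [(time, dst, dport)] of unsolicited ACKs
    alerts = defaultdict(set)
    for t, src, dst, sport, dport, flags in sorted(packets):
        flow = frozenset([(src, sport), (dst, dport)])
        if "S" in flags:
            handshakes.add(flow)
            continue
        if flags != "A" or flow in handshakes:
            continue            # not a bare ACK, or ACK belongs to a known flow
        # Keep only this source's probes that fall inside the sliding window.
        probes[src] = [p for p in probes[src] if t - p[0] <= window]
        probes[src].append((t, dst, dport))
        targets = {(d, p) for _, d, p in probes[src]}
        if len(targets) >= threshold:
            alerts[src].update(p for _, p in targets)
    return {src: sorted(ports) for src, ports in alerts.items()}

if __name__ == "__main__":
    for src, ports in detect_ack_scans(PACKETS).items():
        print(f"possible ACK scan from {src}: ports {ports}")
```

Because the check depends on remembered handshakes, a capture that starts mid-connection will count legitimate ACKs as unsolicited until the threshold and window are tuned for the monitored network.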