GEN:SID 1:1228
Message SCAN nmap XMAS
Summary A nmap XMAS scan was detected.
Impact System reconnaissance that may include open/closed/firewalled ports,
ACLs.
Detailed Information Nmap sets the URG PSH and FIN bits as part of it's XMAS scan.
Typically, a closed port will respond with an ACK RST, whereas an open
port may not respond at all.  However, this varies from machine to
machine, and also depends on what (if any) filtering policies are in
place between the hosts in question.
Affected Systems All systems
Attack Scenarios As part of information gathering that may occur before a more
dedicated attack, an attacker may choose to use nmap's XMAS scan to
determine open/closed ports.

__
Ease of Attack:
Trivial.  Nmap is freely available to anyone who wishes to use it.
The only requirement is root/elevated privledges (the XMAS scan
requires this) and a lack of proper filtering between the two
machines.
Ease of Attack  
Corrective Action Determine what ports may have responded as being open, and what clues
that may give an attacker relating to potential attacks.
Additionally, investigate the use of proper ingress/egress filtering.
Additional References SANS:
http://rr.sans.org/firewall/egress.php
Rule References arachnids: 30