GEN:SID 1:625
Message SCAN XMAS
Impact System recon.  Different operating-systems will respond in different
ways depending on their particular stack implementation.  This allows
attackers to determine things such as open/closed ports, ACLs, and the
like.
Detailed Information The ACK, FIN, PSH, RST, SYN, and URG control bits were set in a TCP
packet.  
Affected Systems  
Attack Scenarios As part of a recon mission that may be an indicator to upcoming
attacks, an attacker may attempt to determine what ports are listening
on a given machine by sending a TCP packet with all of its control
bits "lit up", hence the name XMAS scan -- its "lit up like a
christmas tree."
__
Ease of Attack:
Trivial.  Many of the popular portscanners/vulnerability testers, most
notably nmap, allow anyone to inititiate an XMAS scan.
Ease of Attack  
Corrective Action Determine what information an attacker may have gleaned from this
attack.  Would your ports show as open or closed?  Consider
implementing a stateful firewall on the victim machine, or at ingress
points on your network.
Additional References http://rr.sans.org/firewall/egress.php
Rule References arachnids: 144