ACK Scans

[Triple Crown <triplecrown () optonline net>]

I'm researching some snort archived files from last year and have keyed on
some detects triggered by this snort rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap 
TCP";flags:A;ack:0;
reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)

I've tried to reproduce the scan with nmap of sending a lone ACK flag 
with an acknowlegement  number of 0 without any success.

A google search lead me to this:
http://archives.neohapsis.com/archives/snort/2000-08/0163.html

Apparently there was a bug in an older version of nmap that would 
produce this type of
scan. The date on the posts from the above URL suggest that the bug 
existed a few
years back.

Does anyone know if it is possible to reproduce this scan with nmap 
without the older
version ? All of my testing with -PT or -sA resulted in what appears to 
be random
ACK numbers

On a side note -
It may just be my ignorance of using the -PT  flag properly but I found 
you can't do 
a -PT80 as suggested in the man pages to scan port 80, but by adding 
-p80 it
works properly.

Any help is appreciated.....




---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).