Not to sound like a commercial for Cisco, but their IDS stuff does rewrite ACL's based upon signatures.
Bil Herd