Chris Kruegel wrote on the focus-ids list about a project called Alert Verification by William Robertson. According to the project description:
"The verification component of the system is currently implemented as a set of NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data are queued for verification. A separate thread processes queued unverified alerts by running an associated NASL script against the target host to test for the presence or absence of the vulnerability corresponding to the detected attack. If the NASL script determines that the vulnerability does exist on the target host, the alert is marked as having been verified. If the NASL script determines that the vulnerability does not exist, the alert is marked as unverified. Finally, if no NASL script corresponding to the detected attack is found, the alert is marked as unverifiable. The alert is then released back to the Snort engine."
I wonder how fast this works? This is interesting because it is the first free implementation (known to me) of this sort of technique. It's a patch against Snort 2.0.2, so I hope to try it.
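To make the three-way outcome in the quoted description concrete, here is an added Python sketch of that pipeline. It is not the project's code or a Snort patch: the NASL scripts are replaced by Python functions, the live probe is replaced by a constructed host inventory, and the rule sids and CVE ids are placeholders, not real advisories. What it shows is the part a practitioner cares about: the mapping rule -> CVE -> script, the queue and separate worker thread, and the fact that an alert is held until its script returns, so verification latency is whatever the probe costs.

```python
"""Alert verification pipeline, added illustration (not the project's code).
Placeholders: sids 1001/1002, CVE-0000-000x ids, and the HOSTS inventory."""
import queue
import threading
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    PENDING = "pending"            # queued, not yet examined
    VERIFIED = "verified"          # script confirmed the target is vulnerable
    UNVERIFIED = "unverified"      # script found the target not vulnerable
    UNVERIFIABLE = "unverifiable"  # no script is mapped to the rule that fired


@dataclass
class Alert:
    sid: int          # Snort rule id that fired (placeholder values below)
    target: str       # destination host of the suspect packet
    packet: bytes     # the suspect packet, carried along with the alert
    status: Status = Status.PENDING


# Constructed inventory standing in for the live probe a NASL script would make.
HOSTS: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"http": "Apache/1.3.26"},
    "10.0.0.6": {"http": "Apache/2.0.48"},
    "10.0.0.7": {"ftp": "vsFTPd 1.2.1"},
}


def probe(host: str, service: str) -> Optional[str]:
    """Return the banner the host presents for a service, or None if absent."""
    return HOSTS.get(host, {}).get(service)


# Stand-in for a NASL script: True when the target looks vulnerable.
# The "Apache 1.3.x is affected" rule is illustrative, not a real advisory.
def check_old_apache(host: str) -> bool:
    banner = probe(host, "http")
    return banner is not None and banner.startswith("Apache/1.3.")


# CVE id -> verification script (placeholder CVE ids).
VERIFIERS: Dict[str, Callable[[str], bool]] = {
    "CVE-0000-0001": check_old_apache,
}

# Snort rule sid -> CVE id (placeholder sids and ids).
RULE_TO_CVE: Dict[int, str] = {
    1001: "CVE-0000-0001",   # has a verifier
    1002: "CVE-0000-0002",   # mapped to a CVE, but no script exists for it
}


def verify(alert: Alert) -> Status:
    """Apply the three-way outcome the description gives the verification thread."""
    cve = RULE_TO_CVE.get(alert.sid)
    script = VERIFIERS.get(cve) if cve else None
    if script is None:
        return Status.UNVERIFIABLE
    return Status.VERIFIED if script(alert.target) else Status.UNVERIFIED


def run_pipeline(alerts: List[Alert]) -> List[Alert]:
    """Queue alerts as the engine would, verify them on a separate thread,
    and return them in the order they were released back."""
    pending: "queue.Queue[Optional[Alert]]" = queue.Queue()
    released: List[Alert] = []

    def worker() -> None:
        while True:
            alert = pending.get()
            if alert is None:            # sentinel: nothing more to verify
                break
            alert.status = verify(alert)  # alert is held until the probe returns
            released.append(alert)        # "released back to the Snort engine"

    t = threading.Thread(target=worker)
    t.start()
    for a in alerts:
        pending.put(a)
    pending.put(None)
    t.join()
    return released


if __name__ == "__main__":
    sample = [
        Alert(1001, "10.0.0.5", b"GET / HTTP/1.0"),   # vulnerable banner
        Alert(1001, "10.0.0.6", b"GET / HTTP/1.0"),   # patched banner
        Alert(1002, "10.0.0.7", b"USER anonymous"),   # CVE known, no script
        Alert(9999, "10.0.0.7", b"QUIT"),             # rule not mapped at all
    ]
    for a in run_pipeline(sample):
        print(a.sid, a.target, a.status.value)
```

Two caveats follow directly from the design. The verifier is an active probe against the target, so it is visible on the wire and, depending on the script, not always harmless; and an alert whose script cannot reach the host will land in "unverified" here, which is the same bucket as "not vulnerable", so a deployment would want to distinguish probe failure from a clean result.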
Visiting the RSG's site reminded me of the great papers they write. Giovanni Vigna is a publishing machine!