OK, with positive security there are no rules and it is based on usage patterns; anomalies would be flagged?
How do you determine this behavioural model? It is counter-intuitive to acquire a scanning tool to write the policies. How do you write positive security using the rules you mentioned manually? Can you show examples in the downloads?

Ivan Ristic <ivan.ristic@gmail.com> wrote:
On 5/21/06, kiran k wrote:
> Are there any tools which discover a web application from an input URL?
> I am looking for a tool which crawls recursively and finds the forms, form
> fields, server scripts, cookies and hidden fields. Based on this information
> I would like to develop policies. If I have this data in XML it would be
> even better.
> Any quick starting point would be greatly appreciated, if no tools exist.
> How about any commercial libraries?

Your best bet might be the commercial tools (web application
vulnerability scanners). But, IMHO, none of the tools I have seen are
smart enough to work in a general case. For example, if the web site
uses JavaScript or Flash for navigation the tool is not going to help
you much.

Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

mod-security-users mailing list
