Is it ethical to use web server logs to build an assessment tool? I think so, as long as you aren't tearing the tool apart to pull its sigs. Sure, people are going to stick honeypot sigs into it to see if you are using their data, but anything sitting in a publicly accessible log file is fair game IMO.
Maybe my perspective is skewed, anyone else have a take on this?
I believe it's ethical to use the web server logs and try to determine which precise (as for CVE) vulnerability is being tested, and, with this in hand, implement similar vulnerability tests. However, taking the tool and testing "on purpose" against a server to determine its vulnerability database would be akin to taking the tool, analysing the raw packet dump of the tool while testing a remote server, and making new tests that generate those same packets. That's reverse engineering, if you ask me.
Regards
Javi
