SLO-V

SLO-V is an NIDS configuration evaluator developed as part of Amir Teshome Wonjiga's PhD thesis. It contains two main components:

(i)  the traffic injector, which takes both attack and legitimate requests as input, together with the parameters of the attack injection algorithm (e.g. the base rate and the number of rounds control variables);

(ii)  the metrics evaluator, which is composed of several modules, each performing one of the following steps:

(a)  Session reconstruction and categorization using the off-the-shelf tools Tcpdump and Tcpflow together with custom tools. Tcpdump is used to capture the injected traffic, Tcpflow to reconstruct sessions from the Tcpdump output, and custom tools to categorize the Tcpflow output into attack or legitimate sessions. The categorization is possible because the traffic used for injection is known in advance.

(b)  Parsing the output of Snort and mapping packets to sessions, using a combination of off-the-shelf and custom tools. The tool u2spewfoo is used to parse the output of Snort (which is in the Unified2 file format), and a custom tool maps the output of u2spewfoo to sessions.

(c)  Metrics computation, through a module that takes the output of the packet mapping step and the base rate parameter and computes the Intrusion Detection Capability (CID) metric.
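As an added illustration of step (c), and not SLO-V's own code: the CID metric as defined by Gu et al. (2006), C_ID = I(X;Y) / H(X) with X = "session is an attack" and Y = "an alert was mapped to the session", computed from categorized sessions, their mapped alerts and a chosen base rate. The session records are constructed sample data and the function names are my own.

```python
import math

# Constructed sample: one record per session categorized in step (a), with the
# flag "alerted" set when step (b) mapped at least one Snort alert to it.
SESSIONS = [
    {"id": "s1", "attack": True,  "alerted": True},
    {"id": "s2", "attack": True,  "alerted": True},
    {"id": "s3", "attack": True,  "alerted": False},   # missed attack
    {"id": "s4", "attack": False, "alerted": False},
    {"id": "s5", "attack": False, "alerted": True},    # false alarm
    {"id": "s6", "attack": False, "alerted": False},
    {"id": "s7", "attack": False, "alerted": False},
    {"id": "s8", "attack": False, "alerted": False},
]

def rates(sessions):
    """True-positive rate (alpha) and false-positive rate (beta) over labelled sessions."""
    tp = sum(1 for s in sessions if s["attack"] and s["alerted"])
    fn = sum(1 for s in sessions if s["attack"] and not s["alerted"])
    fp = sum(1 for s in sessions if not s["attack"] and s["alerted"])
    tn = sum(1 for s in sessions if not s["attack"] and not s["alerted"])
    alpha = tp / (tp + fn) if tp + fn else 0.0
    beta = fp / (fp + tn) if fp + tn else 0.0
    return alpha, beta

def cid(base_rate, alpha, beta):
    """C_ID = I(X;Y) / H(X): mutual information between intrusion (X) and
    alert (Y), normalised by the entropy of X. The base rate B = P(X=1) is a
    parameter of the evaluation, not measured from the injected mix."""
    b = base_rate
    joint = {  # P(X=x, Y=y) from B, alpha and beta
        (1, 1): b * alpha, (1, 0): b * (1 - alpha),
        (0, 1): (1 - b) * beta, (0, 0): (1 - b) * (1 - beta),
    }
    px = {1: b, 0: 1 - b}
    py = {1: joint[(1, 1)] + joint[(0, 1)], 0: joint[(1, 0)] + joint[(0, 0)]}
    hx = -sum(p * math.log2(p) for p in px.values() if p > 0)
    if hx == 0:  # base rate 0 or 1: X carries no information to capture
        return 0.0
    mi = sum(p * math.log2(p / (px[x] * py[y])) for (x, y), p in joint.items() if p > 0)
    return mi / hx

def evaluate(sessions, base_rate):
    """Tie the steps together: rates from mapped sessions, CID at the given base rate."""
    alpha, beta = rates(sessions)
    return {"alpha": alpha, "beta": beta, "base_rate": base_rate,
            "cid": cid(base_rate, alpha, beta)}

if __name__ == "__main__":
    for b in (0.5, 0.1, 0.01):  # same NIDS output, different assumed base rates
        print(evaluate(SESSIONS, b))
```

Because the base rate enters the joint distribution, the same alpha and beta yield a lower CID as attacks become rarer, which is why SLO-V takes it as an explicit parameter.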