An experiment was conducted in which known incidents were replayed. Existing PCAP capture traces from client sites, containing known attack and incident patterns, were loaded into an analysis system for evaluation. The OSSIM and BASE front-ends to Snort had been deployed for this exercise.
SQL scripts were altered to introduce a random lag into the responses, and tcpdump was used to replay the PCAP trace as if it were occurring live. The analyst had to decide whether each incident was worth escalating or should be noted and bypassed. The results of this process are reported below as a display of type I errors (false positives: events the analyst escalated that the ground truth of the trace did not classify as attacks).
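As an added illustration of the scoring step described above (this is not code from the original experiment or from OSSIM, BASE or Snort), the following Python harness schedules replayed incidents with a random lag and then scores the analyst's escalate/bypass decisions against the known ground truth of the trace. It goes slightly beyond the text by reporting type II errors (missed attacks) alongside the type I errors. The incident list, the `Incident` record, the decision dictionary and the lag bounds are all constructed assumptions for the example; a real run would take the ground-truth labels from the annotated PCAP and the decisions from the analyst's console log.

```python
"""Replay scheduling and type I / type II scoring for an analyst exercise.

Added example; it assumes ground-truth labels and analyst decisions are
available as plain records. All incident data below is constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Incident:
    incident_id: str   # hypothetical identifier for the replayed event
    is_attack: bool    # ground truth taken from the annotated trace


def schedule_with_lag(incidents: Iterable[Incident], seed: int,
                      min_lag: float, max_lag: float) -> List[Tuple[float, Incident]]:
    """Return (offset_seconds, incident) pairs with a random lag inserted
    before each incident, so the replay presents events one at a time
    instead of dumping the whole trace onto the console at once.
    A fixed seed makes a run reproducible for later comparison."""
    if min_lag < 0 or max_lag < min_lag:
        raise ValueError("lag bounds must satisfy 0 <= min_lag <= max_lag")
    rng = random.Random(seed)
    offset = 0.0
    schedule = []
    for inc in incidents:
        offset += rng.uniform(min_lag, max_lag)
        schedule.append((round(offset, 3), inc))
    return schedule


def score_decisions(incidents: Iterable[Incident],
                    decisions: Dict[str, bool]) -> Dict[str, float]:
    """Compare analyst decisions (True = escalated, False = noted/bypassed)
    with ground truth.

    Type I error  : a non-attack that was escalated (false positive).
    Type II error : a real attack that was bypassed (false negative).
    Rates are relative to the size of the respective ground-truth class.
    Every incident must have a recorded decision; a missing one is a
    data-collection fault, not a bypass, so it raises."""
    tp = fp = tn = fn = 0
    for inc in incidents:
        if inc.incident_id not in decisions:
            raise ValueError(f"no decision recorded for {inc.incident_id}")
        escalated = decisions[inc.incident_id]
        if inc.is_attack and escalated:
            tp += 1
        elif inc.is_attack and not escalated:
            fn += 1
        elif not inc.is_attack and escalated:
            fp += 1
        else:
            tn += 1
    benign = fp + tn
    attacks = tp + fn
    return {
        "true_positive": tp, "false_positive": fp,
        "true_negative": tn, "false_negative": fn,
        "type_i_rate": fp / benign if benign else 0.0,
        "type_ii_rate": fn / attacks if attacks else 0.0,
    }


# Constructed sample: six replayed events with known ground truth.
SAMPLE_INCIDENTS = [
    Incident("inc-01", True),
    Incident("inc-02", False),
    Incident("inc-03", True),
    Incident("inc-04", False),
    Incident("inc-05", False),
    Incident("inc-06", True),
]

# Constructed analyst decisions for the sample above.
SAMPLE_DECISIONS = {
    "inc-01": True,   # correct escalation
    "inc-02": True,   # type I error
    "inc-03": False,  # type II error
    "inc-04": False,  # correct bypass
    "inc-05": True,   # type I error
    "inc-06": True,   # correct escalation
}


def run_sample() -> Dict[str, float]:
    """Schedule the sample with 5 to 30 second lags and score the decisions."""
    for offset, inc in schedule_with_lag(SAMPLE_INCIDENTS, seed=7,
                                         min_lag=5.0, max_lag=30.0):
        print(f"t+{offset:8.3f}s  present {inc.incident_id}")
    return score_decisions(SAMPLE_INCIDENTS, SAMPLE_DECISIONS)


if __name__ == "__main__":
    print(run_sample())
```

The type I rate is computed against the number of benign events, so it can be compared across traces with different attack densities; in a live exercise the schedule offsets would drive the replay timer rather than being printed.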