AlienVault R&D Labs Portal. Get the latest news from our research.

ClearCutter Log Sample Analyzer

Clearcutter is a general-purpose tool to assist with log analysis (with some OSSIM-specific features).

General Log Functions:

  • Identify - takes a log sample and attempts to find unique message types present within the sample:
    [TIMESTAMP] : [PROCESS] User [VARIABLE] successfully authenticated from [IPV4ADDRESS]
  • Sequence – Identifies sequences of logs with a common set of variable data
    [TIMESTAMP] : [PROCESS] Connection attempt from 192.168.1.1
    [TIMESTAMP] : [PROCESS] Login request for user conrad from 192.168.1.1
    [TIMESTAMP] : [PROCESS] User conrad successfully authenticated
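How Identify and Sequence can be approached, as an added example written for this page rather than code from Clearcutter itself: known field types (timestamp, process, IPv4 address) are replaced by typed placeholders, lines of equal length that then differ in at most one position are collapsed into a template with that position marked [VARIABLE], and Sequence groups lines that share a value of one variable field. The sample log, the placeholder names and the one-position merge threshold are assumptions made for the example, not the tool's behaviour.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the page): two complete login sequences
# from different hosts plus one stray connection attempt.
SAMPLE_LOG = """\
Jan 12 10:01:02 host sshd[1023]: Connection attempt from 192.168.1.1
Jan 12 10:01:03 host sshd[1023]: Login request for user conrad from 192.168.1.1
Jan 12 10:01:04 host sshd[1023]: User conrad successfully authenticated from 192.168.1.1
Jan 12 10:02:10 host sshd[1041]: Connection attempt from 10.0.0.7
Jan 12 10:02:11 host sshd[1041]: Login request for user alice from 10.0.0.7
Jan 12 10:02:12 host sshd[1041]: User alice successfully authenticated from 10.0.0.7
Jan 12 10:03:00 host sshd[1050]: Connection attempt from 10.0.0.9
"""

# Typed placeholders, most specific first, so a later pattern cannot claim
# text an earlier one should (the timestamp's digits are never taken for an IP).
TOKEN_PATTERNS = [
    ("TIMESTAMP", re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")),
    ("PROCESS", re.compile(r"\b[a-z][\w.-]*\[\d+\]")),
    ("IPV4ADDRESS", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
VARIABLE = "[VARIABLE]"


def tokenize(line):
    """Replace well-known field types with placeholders, then split on whitespace."""
    for name, pattern in TOKEN_PATTERNS:
        line = pattern.sub(f"[{name}]", line)
    return line.split()


def identify(log_text, max_variable_positions=1):
    """Collapse lines into message templates.

    A line joins an existing template of the same length when it differs in
    at most `max_variable_positions` positions that are not already variable;
    those positions become [VARIABLE]. Returns [(template, count), ...] in
    first-seen order.
    """
    templates = []  # [[words, count], ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        words = tokenize(line)
        for entry in templates:
            tmpl = entry[0]
            if len(tmpl) != len(words):
                continue
            diffs = [i for i, (a, b) in enumerate(zip(tmpl, words))
                     if a != b and a != VARIABLE]
            if len(diffs) <= max_variable_positions:
                for i in diffs:
                    tmpl[i] = VARIABLE
                entry[1] += 1
                break
        else:
            templates.append([words, 1])
    return [(" ".join(words), count) for words, count in templates]


def sequence(log_text, field="IPV4ADDRESS"):
    """Group lines sharing a value of one variable field (default: the IPv4
    address); return only groups with more than one line, in log order."""
    pattern = dict(TOKEN_PATTERNS)[field]
    chains = defaultdict(list)
    for line in log_text.splitlines():
        for value in sorted(set(pattern.findall(line))):
            chains[value].append(line)
    return {value: lines for value, lines in chains.items() if len(lines) > 1}


if __name__ == "__main__":
    for template, count in identify(SAMPLE_LOG):
        print(f"{count:3d}  {template}")
    for value, lines in sequence(SAMPLE_LOG).items():
        print(f"\n-- sequence keyed on {value}")
        for line in lines:
            print("   ", line)
```

The merge threshold is the knob to watch: with one variable position allowed, "Connection attempt from" and "Connection refused from" collapse into a single template with the verb marked [VARIABLE], which hides exactly the distinction a detection rule would key on. Set `max_variable_positions=0` to keep such lines apart and accept more templates to review.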

OSSIM Log Functions

  • Validate – Processes an OSSIM device plugin, testing for errors and inconsistencies.

Processing Rule [Z 350-cisco-asa]
Option ‘interface’ refers to non-existant regexp group ‘(?P<iface>’

The Following Regex Labels are Assigned to UserData fields
   userdata1 Denied, Accepted, Duplicate,
   userdata2 {$sourcint}, {$srcint},
   userdata3 {$destint},
   userdata4 {$entry}, {$connection}, {$command}, {$result}, 
   userdata5 {$list},

  • Parse – Processes a log file using an OSSIM device plugin, displaying what is parsed by each SID.
  • Profile – Parses as before, but also produces performance statistics for each SID, relative to the other SIDs and to the log file as a whole.
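The Validate and Parse checks described above, as an added example written for this page rather than Clearcutter's own code: a plugin fragment is read as an INI file, each rule's regexp is compiled and its named groups collected, every `{$name}` reference in the rule's options is checked against those groups (reporting the same "refers to non-existent regexp group" condition shown in the output above) and the labels assigned to each userdataN field are summarised; `parse()` then applies the first matching rule to a log line and substitutes the captured groups. The plugin fragment, the log line and the rule name are constructed for the example and are not a real AlienVault plugin; the assumption that option values reference groups only as plain `{$name}` (real plugins also wrap references in functions, which this example does not implement) is mine.

```python
import re
from collections import defaultdict
from configparser import ConfigParser

# Constructed plugin fragment in the style of an OSSIM agent plugin .cfg: one
# [rule] section whose regexp carries named groups, and options that reference
# those groups as {$name}. It is not a real AlienVault plugin; userdata3 and
# userdata4 deliberately reference groups the regexp does not define.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=9001

[0001 - examplefw - connection denied]
event_type=event
regexp="(?P<date>\w{3}\s+\d+\s+\d+:\d+:\d+) (?P<host>\S+) fw: Deny (?P<proto>\w+) src (?P<srcint>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) dst (?P<dstint>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
date={$date}
device={$host}
src_ip={$src}
dst_ip={$dst}
src_port={$sport}
dst_port={$dport}
userdata1=Denied
userdata2={$srcint}
userdata3={$destint}
userdata4={$iface}
"""

# Constructed log line for the parse step (not from any real device).
SAMPLE_LINE = "Mar  3 14:22:01 fw01 fw: Deny tcp src inside:10.0.0.5/4321 dst outside:203.0.113.9/22"

REF_RE = re.compile(r"\{\$(\w+)\}")  # {$name} references inside option values


def load_plugin(text):
    # interpolation=None so '%' in regexps is left alone; strict=False tolerates
    # duplicate keys, which hand-edited plugin files sometimes contain.
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def rule_regexp(rule):
    """Compile a rule's regexp (quoted in plugin files); raises re.error."""
    return re.compile(rule.get("regexp", "").strip().strip('"'))


def validate(text):
    """Return (findings, userdata_map): one finding per uncompilable regexp or
    option referencing an undefined group, plus the labels each userdataN
    field carries across all rules."""
    cp = load_plugin(text)
    findings, userdata = [], defaultdict(list)
    for section in cp.sections():
        rule = cp[section]
        try:
            groups = set(rule_regexp(rule).groupindex)
        except re.error as exc:
            findings.append(f"Rule [{section}]: regexp does not compile: {exc}")
            continue
        for option, value in rule.items():
            if option == "regexp" or option in cp.defaults():
                continue  # skip the pattern itself and inherited [DEFAULT] keys
            if option.startswith("userdata"):
                userdata[option].append(value)
            for name in REF_RE.findall(value):
                if name not in groups:
                    findings.append(
                        f"Rule [{section}]: option '{option}' refers to "
                        f"non-existent regexp group '(?P<{name}>'")
    return findings, dict(userdata)


def parse(text, line):
    """Return (section, resolved options) for the first rule whose regexp
    matches the line, or None. {$name} becomes the captured group; a
    reference to a missing group resolves to '' (what validate() flags)."""
    cp = load_plugin(text)
    for section in cp.sections():
        rule = cp[section]
        m = rule_regexp(rule).search(line)
        if not m:
            continue
        captured = m.groupdict()
        resolved = {
            opt: REF_RE.sub(lambda ref: captured.get(ref.group(1), ""), val)
            for opt, val in rule.items()
            if opt != "regexp" and opt not in cp.defaults()
        }
        return section, resolved
    return None


if __name__ == "__main__":
    findings, userdata = validate(PLUGIN_CFG)
    for f in findings:
        print(f)
    for field, labels in sorted(userdata.items()):
        print(f"{field:10s} {', '.join(labels)}")
    print(parse(PLUGIN_CFG, SAMPLE_LINE))
```

The userdata summary is worth reading as carefully as the errors: a field that carries both a fixed label ("Denied") in one rule and an interface name in another will make any correlation directive keyed on that field match across unrelated meanings.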

Clearcutter 0.2 can be found at: http://alienvault-labs-garage.googlecode.com/files/clearcutter-0.2.tar.gz

Roadmap

  • Implement a GTK GUI to make browsing through and tweaking Identify results more intuitive