Nebula 0.2.3

Nebula is a fully automated intrusion signature generator.
  1 Screenshot
Nebula is a fully automated intrusion signature generator. It can help securing a network by automatically calculating filter rules from attack traces. In a common setup nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in snort format.

The code was written to be fast. A signature isn't of much value if the generation process takes hours or days. With nebula, you should get a first revision within a few seconds. As more attacks of a kind are submitted, signatures get better and nebula will publish updated revisions.

The signature below was generated by nebula for FTP downloads during multi-stage attacks.

alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1";
content: "cmd /"; offset: 0; depth: 5;
content: " echo open "; distance: 1; within: 17;
content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70;
content: ">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &"; distance: 2; within: 107;
sid: 2000001; rev: 1;)

Nebula successfully generated signatures for input from honeytrap and argos. Feeding it with input from other sources shouldn't be very difficult, though. The code archive contains a command line client which submits data from files to a nebula server. Its code can also be taken as a reference implementation for the client side part of nebula's submission protocol.

Compiling nebula

Installing nebula is easy. Just follow the instructions on this page. First download the latest release from sourceforge:


Now unpack the archive and change into the extracted directory:

tar xjf nebula-0.2.2.tar.bz2 && cd nebula-0.2.2

Run the configure script to create a setup for your platform. If you want to install nebula in a specific location, use the --prefix switch as in the example below:

./configure --prefix=/opt/nebula

To finally build and install nebula type:

make && sudo make install

This installs the commands nebula and nebulaclient in /opt/nebula/bin/ (or the location you chose when invoking configure). Now check your setup by running nebula:

$ /opt/nebula/bin/nebula

Nebula 0.2.2 Copyright (C) 2007-2008 Tillmann Werner

Warning - No submission secret given.

[*] Ready.

If you see the output above, the installation was successful. To eliminate the warning, use the command line swith -s to define a secret used for submissions. Nebula can be stopped at any time by hitting Ctrl+C.

last updated on:
December 11th, 2008, 1:27 GMT
license type:
GPL (GNU General Public License) 
developed by:
Tillmann Werner
ROOT \ Security
Download Button

In a hurry? Add it to your Download Basket!

user rating 10



Rate it!
What's New in This Release:
  • An entropy threshold bug was corrected.
  • Realtime signal thread control is enabled only if it is available.
  • BSD compatibility changes were made.
  • The default host and port in nebulaclient was fixed.
read full changelog

Add your review! 1 USER REVIEW SO FAR