nebula logo


Latest Release

Version 0.2.3: This release of the nebula intrusion signature generator introduces several bugfixes and improvements.


Nebula source packages are available from the sourceforge download repositories.

Powered by Sourceforge Logo

nebula – An Intrusion Signature Generator

Nebula is a network intrusion signature generator. It can help securing a network by automatically deriving and installing filter rules from attack traces. In a common setup, nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in Snort format.
The code was written to be fast. A signature is not of much value if the generation process takes hours or days. With nebula, you should get a first revision within a few seconds. As more attacks of a kind are submitted, signatures get better and nebula publishes updated revisions.
The example signature below was generated by nebula for FTP downloads as part of multi-stage attacks.
alert tcp any any -> $HOME_NET 8555 (msg: "nebula rule 2000001 rev. 1"; \
content: "cmd /"; offset: 0; depth: 5; \
content: " echo open "; distance: 1; within: 17; \
content: ">> ii &echo user 1 1 >> ii &echo get "; distance: 13; within: 70; \
content: ">> ii &echo bye >> ii &ftp -n -v -s\:ii &del ii &"; distance: 2; within: 107; \
sid: 2000001; rev: 1;)
Nebula successfully generated signatures for input from honeytrap and argos. Feeding it with input from other sources is not very difficult, though. The code archive contains a command line client which submits data from files to a nebula server. It makes use of the nebula library and can be taken as a reference implementation for extensions to other sensors.