Well,
I've just tried capturing packets which is sent to my honeypot host. I was using tshark to capture the packets , and i was simulating wuftpd 2.6.0 service on my honeyd host and I run the wuftpd 2.6.0 remote exploit on the attacker's host.
This is the packet captured (http://silenceisdefeat.com/~l41n/ta/log.txt) when I was launching the exploit :

If being compared to the captured packet of wuftpd 2.6.0 exploit which I found on http://www.inguardians.com/research/docs/sigs.pdf , it looks similar (but I still want to know your opinion bout it) :

And what I got in my honeycomb.log was still:

I still can't find any problem why i couldn't generate any signatures here..
Please give me your opinion about this approach
Thanks a lot..

Hmm, no comments on your approach except with known exploits I'd strongly suggest using known signatures for checking. I mean that's way easier, isn't it? And maybe it would be an idea to research about other other automagical rule generation efforts? For instance Honeytrap with the Nebula plugin might be interesting once you get the source to work.

hmmm..
seems like I hardly found honeytrap+nebula integration documentations on the net..

Nebula is at Sourceforge and Honeytrap at SVN at carnivore.it. Basically you just build Honeytrap --with-plugin-nebula (or like that), configure the plugin in honeytrap.conf and build Nebula.

successfully installed both honeytrap and nebulla . succesfully loaded nebulla plugin from the honeytrap , but still got no snort signatures generated ..
Have you tried them out ?

well , now I am able to generate snort signature from honeytrap and nebula
Thanks a lot , unSpawn !

It's good to hear you finally were able to.
Could you post details like configuration and such?
It will help those that find this thread later on.

sure thing!

Installation steps :

1.
//installing nebula
# tar -jxvf nebula-0.2.3.tar.bz2
# cd nebula-0.2.3/
# ./configure --prefix=/opt/nebula
# make && make install

2.
//installing honeytrap

# svn co https://svn.carnivore.it/honeytrap/trunk/ honeytrap-svn
# cd honeytrap-svn
# autoreconf -i
# ./configure --prefix=/opt/honeytrap --with-stream-mon=nfq --with-submit-nebula
# make && make install
# iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE


=integrating nebula plugin to honeytrap.conf :

/* submitNebula settings */
plugin-submitNebula = {
host = “localhost”
port = “4712″
secret = “secretpassword”
}

=running both nebula and honeytrap :

# nebula -a /tmp/snort.rules -c 10 -t 2 -s secretpassword 1>/tmp/nebula.log

# honeytrap -C /opt/honeytrap/etc/honeytrap/honeytrap.conf

-c = is a percentage (0 to 100) of similarity that should be met by the data to be put in a cluster. The similarity gives you control on how strict you want to be when clustering data.
-t = tells nebula when it should start creating a signature. The idea here is that you don't want signatures that are based on a small amount of source data. Higher amounts of source data produce better signatures.

Then , start testing by executing some exploits againsts the honeytrap host , then you should see some signatures are being generated

More refrences :

http://glasblog.1durch0.de/?p=139

Thanks for posting. Two questions if I may. Why did you choose nfq in --with-stream-mon= over pcap? And can you say anything wrt the "quality" of the sigs? Does it come close to your original objective?

you should set the value of -t and -c higher to get better signs , I was using the lower value , just only to make sure if the plugin works or not (and to get some quick signs) . since i'm not familiar with snort signs yet , i can't say if it's close to the objective or not
well , in fact you can use either both pcap or nfq , since i only got netfilter_queue installed on my host I decided to use it as a test.
thanx