rename to diagnostic and add docs

daemon/web/src/lib/components/ConfigForm.svelte

@@ -339,11 +339,11 @@
                             <input
                                 id="imsi_attach_analyzer"
                                 type="checkbox"
-                                bind:checked={config.analyzers.imsi_attach_analyzer}
+                                bind:checked={config.analyzers.diagnostic_analyzer}
                                 class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
                             />
-                            <label for="imsi_attach_analyzer" class="ml-2 block text-sm text-gray-700">
-                                IMSI Attach Analyzer
+                            <label for="diagnostic_analyzer" class="ml-2 block text-sm text-gray-700">
+                                Diagnostic Analyzer
                             </label>
                         </div>
                     </div>

daemon/web/src/lib/utils.svelte.ts

@@ -10,7 +10,7 @@ export interface AnalyzerConfig {
     nas_null_cipher: boolean;
     incomplete_sib: boolean;
     test_analyzer: boolean;
-    imsi_attach_analyzer: boolean;
+    diagnostic_analyzer: boolean;
 }
 
 export enum enabled_notifications {

doc/heuristics.md

@@ -73,6 +73,9 @@ This analyzer tests whether the SIB1 message contains a complete SIB chain (SIB3
 
 On its own this might just be a misconfigured base station (though we have only seen it in the wild under suspicious circumstances) but combined with other heuristics such as **IMSI Requested** detection it should be considered as a strong indicator of malicious activity.
 
+### Diagnostic Information 
+This analyzer displays some diagnostic information about when your device connects and disconnects from certain towers. It is helpful for analysis of suspicious PCAPs. The informational warnings in here can safely be ignored until there is a low, medium, or high severity warning. 
+
 ### Test Analyzer
 
 This analyzer is great for testing if your Rayhunter installation works. It will alert every time a new tower is seen (specifically every time a tower broadcasts a SIB1 message.) It is designed to be very noisy so we do not recommend leaving it on but if this alerts it means your Rayhunter device is working! 

lib/src/analysis/analyzer.rs

@@ -4,7 +4,7 @@ use pcap_file_tokio::pcapng::blocks::enhanced_packet::EnhancedPacketBlock;
 use serde::{Deserialize, Serialize};
 use std::borrow::Cow;
 
-use crate::analysis::imsi_attach::ImsiAttachAnalyzer;
+use crate::analysis::diagnostic::DiagnosticAnalyzer;
 use crate::gsmtap::{GsmtapHeader, GsmtapMessage, GsmtapType};
 use crate::util::RuntimeMetadata;
 use crate::{diag::MessagesContainer, gsmtap_parser};
@@ -20,7 +20,7 @@ use super::{
 #[derive(Debug, Clone, Deserialize, Serialize)]
 #[serde(default)]
 pub struct AnalyzerConfig {
-    pub imsi_attach: bool,
+    pub diagnostic_analyzer: bool,
     pub connection_redirect_2g_downgrade: bool,
     pub lte_sib6_and_7_downgrade: bool,
     pub null_cipher: bool,
@@ -34,13 +34,13 @@ impl Default for AnalyzerConfig {
     fn default() -> Self {
         AnalyzerConfig {
             imsi_requested: true,
+            diagnostic_analyzer: true,
             connection_redirect_2g_downgrade: true,
             lte_sib6_and_7_downgrade: true,
             null_cipher: true,
             nas_null_cipher: true,
             incomplete_sib: true,
             test_analyzer: false,
-            imsi_attach: true,
         }
     }
 }
@@ -349,8 +349,8 @@ impl Harness {
             harness.add_analyzer(Box::new(TestAnalyzer {}))
         }
 
-        if analyzer_config.imsi_attach {
-            harness.add_analyzer(Box::new(ImsiAttachAnalyzer {}));
+        if analyzer_config.diagnostic_analyzer {
+            harness.add_analyzer(Box::new(DiagnosticAnalyzer{}));
         }
 
         harness

lib/src/analysis/diagnostic.rs

@@ -10,11 +10,11 @@ use pycrate_rs::nas::generated::emm::emm_service_reject::EMMCauseEMMCause as Ser
 use pycrate_rs::nas::generated::emm::emm_tracking_area_update_reject::EMMCauseEMMCause as TAURejectEMMCause;
 use std::borrow::Cow;
 
-pub struct ImsiAttachAnalyzer;
+pub struct DiagnosticAnalyzer;
 
-impl ImsiAttachAnalyzer {
+impl DiagnosticAnalyzer {
     pub fn new() -> Self {
-        ImsiAttachAnalyzer
+        DiagnosticAnalyzer
     }
 
     fn is_imsi_exposing_nas(&self, nas_msg: &NASMessage) -> bool {
@@ -80,13 +80,13 @@ impl ImsiAttachAnalyzer {
     }
 }
 
-impl Analyzer for ImsiAttachAnalyzer {
+impl Analyzer for DiagnosticAnalyzer {
     fn get_name(&self) -> Cow<'_, str> {
-        "Diagnostic detector for IMSI Exposure".into()
+        "Diagnostic detector for messages which might lead to IMSI exposure".into()
     }
 
     fn get_description(&self) -> Cow<'_, str> {
-        "Catches any messages that may expose IMSI. Can be quite noisy. \
+        "Catches any messages that may lead to IMSI Exposure. Can be quite noisy. \
         Useful as a diagnostic for finding out why an IMSI was sent or what \
         the reason for a reject message was. Not a useful indicator on its own \
         but a helpful diagnostic for understanding why another indicator was \

lib/src/analysis/mod.rs

@@ -1,6 +1,6 @@
 pub mod analyzer;
 pub mod connection_redirect_downgrade;
-pub mod imsi_attach;
+pub mod diagnostic;
 pub mod imsi_requested;
 pub mod incomplete_sib;
 pub mod information_element;