From 30bb18016edd480f4caff26e3013ee21504b3df0 Mon Sep 17 00:00:00 2001 From: Matej Kovacic <3339198+MatejKovacic@users.noreply.github.com> Date: Fri, 1 Aug 2025 21:13:21 +0000 Subject: [PATCH] Update heuristics.md --- doc/heuristics.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/heuristics.md b/doc/heuristics.md index 0015b51..ce98943 100644 --- a/doc/heuristics.md +++ b/doc/heuristics.md @@ -50,4 +50,6 @@ It could also indicate an IMSI catcher which is connected to the mobile network ### Incomplete SIB -This analyser tests whether the SIB1 message contains a complete SIB chain (SIB3, SIB5, etc.). A legitimate SIB1 message should contain timing information for at least 2 additional SIBs (SIB3, 4, and 5 being the most common) but a fake base station will often not bother to send additional SIBs beyond 1 and 2. On its own this might just be a misconfigured base station (though we have only seen it in the wild under suspicious circumstances) but combined with other heuristics such as **IMSI Requested** detection it should be considered as a strong indicator of malicious activity. +This analyser tests whether the SIB1 message contains a complete SIB chain (SIB3, SIB5, etc.). A legitimate SIB1 message should contain timing information for at least 2 additional SIBs (SIB3, 4, and 5 being the most common) but a fake base station will often not bother to send additional SIBs beyond 1 and 2 (i. e. some IMSI catchers send just SIB1 and *one additional* SIB). + +On its own this might just be a misconfigured base station (though we have only seen it in the wild under suspicious circumstances) but combined with other heuristics such as **IMSI Requested** detection it should be considered as a strong indicator of malicious activity.
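Review bot: The abbreviation in the added parenthetical, "(i. e. some IMSI catchers send just SIB1 and *one additional* SIB)", has a stray space; it should read "i.e." (ideally followed by a comma) to match the rest of doc/heuristics.md. The parenthetical also restates the preceding "beyond 1 and 2" clause; consider tightening it to "(some IMSI catchers send only SIB1 and one additional SIB)" so the sentence does not say the same thing twice. The paragraph split itself is fine, but the commit subject "Update heuristics.md" does not say what changed; a subject such as "doc: clarify Incomplete SIB heuristic" would make the history easier to search.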