Mirror/rayhunter
1
0
Fork 0
mirror of https://github.com/EFForg/rayhunter.git synced 2026-04-30 09:29:58 -07:00
Code Issues Packages Projects Releases Wiki Activity

add docs

Browse Source
This commit is contained in:
Cooper Quintin
2025-08-20 12:19:42 -07:00
committed by Cooper Quintin
parent ffdad4aed8
commit 493fdfa227
3 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
doc/heuristics.md
View File

@@ -53,3 +53,7 @@ It could also indicate an IMSI catcher which is connected to the mobile network
This analyser tests whether the SIB1 message contains a complete SIB chain (SIB3, SIB5, etc.). A legitimate SIB1 message should contain timing information for at least 2 additional SIBs (SIB3, 4, and 5 being the most common) but a fake base station will often not bother to send additional SIBs beyond 1 and 2 (i. e. some IMSI catchers send just SIB1 and *one additional* SIB).
On its own this might just be a misconfigured base station (though we have only seen it in the wild under suspicious circumstances) but combined with other heuristics such as **IMSI Requested** detection it should be considered as a strong indicator of malicious activity.
### Test Analyzer
This analyzer is great for testing if your Rayhunter installation works. It will alert every time a new tower is seen (specifically every time a tower broadcasts a SIB1 message.) It is designed to be very noisey so we do not reccomend leaving it on but if this alerts it means your Rayhunter device is working!