diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 032ba02..6dc9f62 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -344,7 +344,7 @@ jobs:
 else
 mv installer-$platform/installer "$dest"/installer
 fi
- cp -r rayhunter-daemon rootshell/rootshell dist/* installer/install.ps1 "$dest"/
+ cp -r rayhunter-check-* rayhunter-daemon rootshell/rootshell dist/* installer/install.ps1 "$dest"/
 zip -r "$dest.zip" "$dest"
 sha256sum "$dest.zip" > "$dest.zip.sha256"
diff --git a/doc/SUMMARY.md b/doc/SUMMARY.md
index a8b4264..d9195c2 100644
--- a/doc/SUMMARY.md
+++ b/doc/SUMMARY.md
@@ -10,6 +10,7 @@
 - [Uninstalling](./uninstalling.md)
 - [Using Rayhunter](./using-rayhunter.md)
 - [Rayhunter's heuristics](./heuristics.md)
+ - [Re-analyzing recordings](./reanalyzing.md)
 - [How we analyze a capture](./analyzing-a-capture.md)
 - [Supported devices](./supported-devices.md)
 - [Orbic RC400L](./orbic.md)
diff --git a/doc/reanalyzing.md b/doc/reanalyzing.md
new file mode 100644
index 0000000..320c288
--- /dev/null
+++ b/doc/reanalyzing.md
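Review bot: The new `rayhunter-check-*` glob in the `cp -r` line is the only thing deciding which binaries land in the release zip that is then checksummed two lines later, and it accepts anything in the workspace with that prefix, so a stale or unexpected `rayhunter-check-*` entry (presumably these are download-artifact directories, but that is outside the hunk) would be shipped silently. With bash's default globbing an unmatched pattern is passed literally and `cp` fails, which is the right outcome, but that relies on shell settings this step does not pin. Consider enumerating the expected artifact names explicitly instead of the glob, or guarding it first with `for f in rayhunter-check-*; do [ -e "$f" ] || { echo "missing rayhunter-check artifacts"; exit 1; }; done` and a comment such as `# rayhunter-check-* are the per-platform CLI artifacts downloaded above; keep this list in sync with the build matrix`. The enclosing `run:` step starts outside the hunk.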
@@ -0,0 +1,26 @@
+# Re-analyzing recordings
+
+Every once in a while, Rayhunter refines its heuristics to detect more kinds of
+suspicious behavior, and to reduce noise from incorrect alerts.
+
+This means that your old green recordings may actually contain data that is now
+deemed suspicious, and also old red recordings may become green.
+
+You can re-analyze any old recording inside of Rayhunter by clicking on "N
+warnings" to expand details, then clicking the "re-analyze" button.
+
+## Analyzing recordings on Desktop
+
+If you have a PCAP or QMDL file but no rayhunter, you can analyze it on desktop
+using the `rayhunter-check` CLI tool. That tool contains the same heuristics as
+Rayhunter and will also work on traffic data captured with other tools, such as
+QCSuper.
+
+You need Rust installed and the rayhunter repository checked out:
+
+```sh
+cargo run -p rayhunter-check -- --path ~/Downloads/myfile.qmdl
+cargo run -p rayhunter-check -- --path ~/Downloads/myfile.pcap
+```
+
+Since, 0.7.0, `rayhunter-check` is included in the release zipfile.