Mirror/rayhunter
1
0
Fork 0
mirror of https://github.com/EFForg/rayhunter.git synced 2026-04-26 15:39:59 -07:00
Code Issues Packages Projects Releases Wiki Activity

track packet num in analysis harness

Browse Source
This commit is contained in:
Brad Warren
2025-08-27 12:21:39 -07:00
committed by Cooper Quintin
parent 7475cd5cd9
commit 87d6d1691a
8 changed files with 75 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
lib/src/analysis/imsi_requested.rs
View File

@@ -23,7 +23,6 @@ pub enum State {
}
pub struct ImsiRequestedAnalyzer {
packet_num: usize,
state: State,
timeout_counter: usize,
flag: Option<Event>,
@@ -38,20 +37,19 @@ impl Default for ImsiRequestedAnalyzer {
impl ImsiRequestedAnalyzer {
pub fn new() -> Self {
Self {
packet_num: 0,
state: State::Unattached,
timeout_counter: 0,
flag: None,
}
}
fn transition(&mut self, next_state: State) {
fn transition(&mut self, next_state: State, packet_num: usize) {
match (&self.state, &next_state) {
// Reset timeout on successful auth
(_, State::AuthAccept) => {
debug!(
"reset timeout counter at {} due to auth accept (frame {})",
self.timeout_counter, self.packet_num
self.timeout_counter, packet_num
);
self.timeout_counter = 0;
}
@@ -62,7 +60,7 @@ impl ImsiRequestedAnalyzer {
event_type: EventType::High,
message: format!(
"Identity requested after auth request (frame {})",
self.packet_num
packet_num
),
});
}
@@ -73,7 +71,7 @@ impl ImsiRequestedAnalyzer {
event_type: EventType::High,
message: format!(
"Identity requested without Attach Request (frame {})",
self.packet_num
packet_num
),
});
}
@@ -84,7 +82,7 @@ impl ImsiRequestedAnalyzer {
event_type: EventType::High,
message: format!(
"Disconnected after Identity Request without Auth Accept (frame {})",
self.packet_num
packet_num
),
});
}
@@ -95,7 +93,7 @@ impl ImsiRequestedAnalyzer {
event_type: EventType::Informational,
message: format!(
"Identity Request happened but its not suspicious yet. (frame {})",
self.packet_num
packet_num
)
.to_string(),
});
@@ -106,7 +104,7 @@ impl ImsiRequestedAnalyzer {
_ => {
debug!(
"Transition from {:?} to {:?} at {}",
self.state, next_state, self.packet_num
self.state, next_state, packet_num
);
}
}
@@ -129,29 +127,31 @@ impl Analyzer for ImsiRequestedAnalyzer {
3
}
fn analyze_information_element(&mut self, ie: &InformationElement) -> Option<Event> {
self.packet_num += 1;
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
) -> Option<Event> {
if let InformationElement::LTE(inner) = ie {
match &**inner {
LteInformationElement::NAS(payload) => match payload {
NASMessage::EMMMessage(EMMMessage::EMMExtServiceRequest(_))
| NASMessage::EMMMessage(EMMMessage::EMMAttachRequest(_)) => {
self.transition(State::AttachRequest);
self.transition(State::AttachRequest, packet_num);
}
NASMessage::EMMMessage(EMMMessage::EMMIdentityRequest(_)) => {
self.transition(State::IdentityRequest);
self.transition(State::IdentityRequest, packet_num);
}
NASMessage::EMMMessage(EMMMessage::EMMAttachComplete(_))
| NASMessage::EMMMessage(EMMMessage::EMMAuthenticationResponse(_)) => {
self.transition(State::AuthAccept);
self.transition(State::AuthAccept, packet_num);
}
NASMessage::EMMMessage(EMMMessage::EMMServiceReject(_))
| NASMessage::EMMMessage(EMMMessage::EMMAttachReject(_))
| NASMessage::EMMMessage(EMMMessage::EMMDetachRequestMO(_))
| NASMessage::EMMMessage(EMMMessage::EMMDetachRequestMT(_))
| NASMessage::EMMMessage(EMMMessage::EMMTrackingAreaUpdateReject(_)) => {
self.transition(State::Disconnect);
self.transition(State::Disconnect, packet_num);
}
_ => {}
},
@@ -161,7 +161,7 @@ impl Analyzer for ImsiRequestedAnalyzer {
| UL_CCCH_MessageType::C1(
UL_CCCH_MessageType_c1::RrcConnectionReestablishmentRequest(_),
) => {
self.transition(State::AttachRequest);
self.transition(State::AttachRequest, packet_num);
}
_ => {}
},
@@ -171,7 +171,7 @@ impl Analyzer for ImsiRequestedAnalyzer {
_,
)) = rrc_payload.message
{
self.transition(State::Disconnect)
self.transition(State::Disconnect, packet_num)
}
}
_ => {}
@@ -182,14 +182,14 @@ impl Analyzer for ImsiRequestedAnalyzer {
self.timeout_counter += 1;
debug!(
"timeout: counter {}, packet: {}",
self.timeout_counter, self.packet_num
self.timeout_counter, packet_num
);
if self.timeout_counter >= TIMEOUT_THRESHHOLD {
self.flag = Some(Event {
event_type: EventType::Informational {},
message: format!(
"Identity request happened without auth request followup (frame {})",
self.packet_num
packet_num
)
.to_string(),
});