Mirror/rayhunter
1
0
Fork 0
mirror of https://github.com/EFForg/rayhunter.git synced 2026-04-26 15:39:59 -07:00
Code Issues Packages Projects Releases Wiki Activity

append packet num in harness & fix packet count

Browse Source
This commit is contained in:
Brad Warren
2025-09-02 09:29:02 -07:00
committed by Cooper Quintin
parent 87d6d1691a
commit e2bc3a0a67
8 changed files with 35 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
lib/src/analysis/analyzer.rs
View File

@@ -353,6 +353,8 @@ impl Harness {
}
pub fn analyze_pcap_packet(&mut self, packet: EnhancedPacketBlock) -> AnalysisRow {
self.packet_num += 1;
let epoch = DateTime::parse_from_rfc3339("1980-01-06T00:00:00-00:00").unwrap();
let mut row = AnalysisRow {
packet_timestamp: Some(epoch + packet.timestamp),
@@ -389,6 +391,8 @@ impl Harness {
pub fn analyze_qmdl_messages(&mut self, container: MessagesContainer) -> Vec<AnalysisRow> {
let mut rows = Vec::new();
for maybe_qmdl_message in container.into_messages() {
self.packet_num += 1;
rows.push(AnalysisRow {
packet_timestamp: None,
skipped_message_reason: None,
@@ -431,11 +435,16 @@ impl Harness {
}
pub fn analyze_information_element(&mut self, ie: &InformationElement) -> Vec<Option<Event>> {
self.packet_num += 1;
let packet_str = format!(" (packet {})", self.packet_num);
self.analyzers
.iter_mut()
.map(|analyzer| analyzer.analyze_information_element(ie, self.packet_num))
.map(|analyzer| {
let mut maybe_event = analyzer.analyze_information_element(ie, self.packet_num);
if let Some(ref mut event) = maybe_event {
event.message.push_str(&packet_str);
}
maybe_event
})
.collect()
}

4
lib/src/analysis/connection_redirect_downgrade.rs
View File

@@ -28,7 +28,7 @@ impl Analyzer for ConnectionRedirect2GDowngradeAnalyzer {
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
_packet_num: usize,
) -> Option<Event> {
if let InformationElement::LTE(lte_ie) = ie
&& let LteInformationElement::DlDcch(msg_cont) = &**lte_ie
@@ -41,7 +41,7 @@ impl Analyzer for ConnectionRedirect2GDowngradeAnalyzer {
match carrier_info {
RedirectedCarrierInfo::Geran(_carrier_freqs_geran) => Some(Event {
event_type: EventType::High,
message: format!("Detected 2G downgrade (packet {})", packet_num),
message: "Detected 2G downgrade".to_owned(),
}),
_ => Some(Event {
event_type: EventType::Informational,

27
lib/src/analysis/imsi_requested.rs
View File

@@ -58,10 +58,7 @@ impl ImsiRequestedAnalyzer {
(State::AuthAccept, State::IdentityRequest) => {
self.flag = Some(Event {
event_type: EventType::High,
message: format!(
"Identity requested after auth request (frame {})",
packet_num
),
message: "Identity requested after auth request".to_string(),
});
}
@@ -69,10 +66,7 @@ impl ImsiRequestedAnalyzer {
(State::Disconnect, State::IdentityRequest) => {
self.flag = Some(Event {
event_type: EventType::High,
message: format!(
"Identity requested without Attach Request (frame {})",
packet_num
),
message: "Identity requested without Attach Request".to_string(),
});
}
@@ -80,10 +74,7 @@ impl ImsiRequestedAnalyzer {
(State::IdentityRequest, State::Disconnect) => {
self.flag = Some(Event {
event_type: EventType::High,
message: format!(
"Disconnected after Identity Request without Auth Accept (frame {})",
packet_num
),
message: "Disconnected after Identity Request without Auth Accept".to_string(),
});
}
@@ -91,11 +82,7 @@ impl ImsiRequestedAnalyzer {
(_, State::IdentityRequest) => {
self.flag = Some(Event {
event_type: EventType::Informational,
message: format!(
"Identity Request happened but its not suspicious yet. (frame {})",
packet_num
)
.to_string(),
message: "Identity Request happened but its not suspicious yet.".to_string(),
});
self.timeout_counter = 0;
}
@@ -187,11 +174,7 @@ impl Analyzer for ImsiRequestedAnalyzer {
if self.timeout_counter >= TIMEOUT_THRESHHOLD {
self.flag = Some(Event {
event_type: EventType::Informational {},
message: format!(
"Identity request happened without auth request followup (frame {})",
packet_num
)
.to_string(),
message: "Identity request happened without auth request followup".to_string(),
});
self.timeout_counter = 0;
}

7
lib/src/analysis/incomplete_sib.rs
View File

@@ -23,7 +23,7 @@ impl Analyzer for IncompleteSibAnalyzer {
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
_packet_num: usize,
) -> Option<Event> {
if let InformationElement::LTE(lte_ie) = ie
&& let LteInformationElement::BcchDlSch(sch_msg) = &**lte_ie
@@ -33,10 +33,7 @@ impl Analyzer for IncompleteSibAnalyzer {
{
return Some(Event {
event_type: EventType::Medium,
message: format!(
"SIB1 scheduling info list was malformed (packet {})",
packet_num
),
message: "SIB1 scheduling info list was malformed".to_string(),
});
}
None

7
lib/src/analysis/nas_null_cipher.rs
View File

@@ -27,7 +27,7 @@ impl Analyzer for NasNullCipherAnalyzer {
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
_packet_num: usize,
) -> Option<Event> {
let payload = match ie {
InformationElement::LTE(inner) => match &**inner {
@@ -42,10 +42,7 @@ impl Analyzer for NasNullCipherAnalyzer {
{
return Some(Event {
event_type: EventType::High,
message: format!(
"NAS Security mode command requested null cipher(packet {})",
packet_num
),
message: "NAS Security mode command requested null cipher".to_string(),
});
}
None

4
lib/src/analysis/null_cipher.rs
View File

@@ -134,7 +134,7 @@ impl Analyzer for NullCipherAnalyzer {
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
_packet_num: usize,
) -> Option<Event> {
let dcch_msg = match ie {
InformationElement::LTE(lte_ie) => match &**lte_ie {
@@ -158,7 +158,7 @@ impl Analyzer for NullCipherAnalyzer {
if null_cipher_detected {
return Some(Event {
event_type: EventType::High,
message: format!("Cell suggested use of null cipher (packet {})", packet_num),
message: "Cell suggested use of null cipher".to_string(),
});
}
None

16
lib/src/analysis/priority_2g_downgrade.rs
View File

@@ -49,7 +49,7 @@ impl Analyzer for LteSib6And7DowngradeAnalyzer {
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
_packet_num: usize,
) -> Option<super::analyzer::Event> {
let sibs = &self.unpack_system_information(ie)?.0;
for sib in sibs {
@@ -63,10 +63,9 @@ impl Analyzer for LteSib6And7DowngradeAnalyzer {
{
return Some(Event {
event_type: EventType::High,
message: format!(
"LTE cell advertised a 3G cell for priority 0 reselection (packet {})",
packet_num
),
message:
"LTE cell advertised a 3G cell for priority 0 reselection"
.to_string(),
});
}
}
@@ -79,10 +78,9 @@ impl Analyzer for LteSib6And7DowngradeAnalyzer {
{
return Some(Event {
event_type: EventType::High,
message: format!(
"LTE cell advertised a 3G cell for priority 0 reselection (packet {})",
packet_num
),
message:
"LTE cell advertised a 3G cell for priority 0 reselection"
.to_string(),
});
}
}

6
lib/src/analysis/test_analyzer.rs
View File

@@ -26,7 +26,7 @@ impl Analyzer for TestAnalyzer {
fn analyze_information_element(
&mut self,
ie: &InformationElement,
packet_num: usize,
_packet_num: usize,
) -> Option<Event> {
if let InformationElement::LTE(lte_ie) = ie
&& let LteInformationElement::BcchDlSch(sch_msg) = &**lte_ie
@@ -53,8 +53,8 @@ impl Analyzer for TestAnalyzer {
return Some(Event {
event_type: EventType::Low,
message: format!(
"SIB1 received (packet {}) CID: {}, PLMN: {}-{}",
packet_num, cid, mcc_string, mnc_string
"SIB1 received CID: {}, PLMN: {}-{}",
cid, mcc_string, mnc_string
),
});
}