lib: add IMSI requested heuristic

lib/src/analysis/imsi_requested.rs

@@ -0,0 +1,59 @@
+use std::borrow::Cow;
+
+use super::analyzer::{Analyzer, Event, EventType, Severity};
+use super::information_element::{InformationElement, LteInformationElement};
+
+const PACKET_THRESHHOLD: usize = 150;
+
+pub struct ImsiRequestedAnalyzer {
+    packet_num: usize,
+}
+
+impl ImsiRequestedAnalyzer {
+    pub fn new() -> Self {
+        Self { packet_num: 0 }
+    }
+}
+
+impl Analyzer for ImsiRequestedAnalyzer {
+    fn get_name(&self) -> Cow<str> {
+        Cow::from("IMSI Requested")
+    }
+
+    fn get_description(&self) -> Cow<str> {
+        Cow::from("Tests whether the ME sends an IMSI Identity Request NAS message")
+    }
+
+    fn analyze_information_element(&mut self, ie: &InformationElement) -> Option<Event> {
+        self.packet_num += 1;
+        let InformationElement::LTE(LteInformationElement::NAS(payload)) = ie else {
+            return None;
+        };
+
+        // NAS identity request
+        if payload == &[0x07, 0x55, 0x01] {
+            if self.packet_num < PACKET_THRESHHOLD {
+                return Some(Event {
+                    event_type: EventType::QualitativeWarning {
+                        severity: Severity::Low
+                    },
+                    message: format!(
+                        "NAS identity request detected, however it was within \
+                        the first {} packets of this analysis. If you just \
+                        turned your device on, this is likely a \
+                        false-positive.",
+                        PACKET_THRESHHOLD
+                    )
+                })
+            } else {
+                return Some(Event {
+                    event_type: EventType::QualitativeWarning {
+                        severity: Severity::High
+                    },
+                    message: format!("NAS identity request detected"),
+                })
+            }
+        }
+        None
+    }
+}