Will Greenberg
e79dc4a8f0
lib: disable null-cipher heuristic due to false positives
Due to an upstream hampi bug (https://github.com/ystero-dev/hampi/issues/133),
our RRC parser is reporting false-positives for the null cipher
heuristic.
2025-03-25 15:13:36 -07:00
Sashanoraa
d0d01089dd
Fix various clippy warnings
This commit fixes various clippy warnings that do not affect the
function of the code and aren't stylistic in nature.
2025-03-24 13:47:20 -07:00
oopsbagel
0b3c0de481
fix(lib/util): use better names for runtime metadata
- document RuntimeMetadata fields
- rename RayhunterMetadata to RuntimeMetadata
- rename RuntimeMetadata.os to RuntimeMetadata.system_os
- remove unpopulated hardware field
- remove unnecessary duplication of datastructure in analyzer harness
2025-03-19 11:48:54 -07:00
oopsbagel
f2b5aa2743
feat: show rayhunter version/os/arch in pcap, ndjson, qmdl manifest
Create a util mod to provide information about the rayhunter binary and
system.
2025-03-19 11:48:54 -07:00
oopsbagel
09d35ccec7
feat(pcap): add operating system kernel name and release
Display the uname sysname and release as the OS option in the pcap Section
Header Block, falling back on just the std::env::consts::OS name ("linux") in
the case of runtime errors.
Co-authored-by: Nat Budin <natbudin@gmail.com>
2025-03-19 11:48:54 -07:00
oopsbagel
5ae186bc73
feat(pcap): add rayhunter name and version to metadata
Add the compile-time name and version to the pcap's Section Header Block
as the shb_userappl option, the canonical place for storing the name of
the application used to create the pcap.[0]
[0] https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#section-4.1-10
2025-03-19 11:48:54 -07:00
Will Greenberg
5a084f1abb
lib: set uplink flag for NAS
2025-01-30 11:33:14 -08:00
Will Greenberg
34d87d1fd7
this macro isn't public, so docstrings won't work
2025-01-28 11:02:19 -08:00
Will Greenberg
da4952e70f
fix docstring code
2025-01-28 11:02:19 -08:00
Will Greenberg
30323b8329
Keep old 2G downgrade analyzer
2025-01-28 11:02:19 -08:00
Will Greenberg
28b0f409db
fix attribution
2025-01-28 11:02:19 -08:00
Will Greenberg
12640cc878
Rewrite our 2G downgrade analyzer
2025-01-28 11:02:19 -08:00
Will Greenberg
26eda5904f
Better wording on IMSI requested warning
2025-01-28 11:02:19 -08:00
Will Greenberg
6bd36921d8
consider early IMSI request medium sev
2025-01-08 15:23:59 -08:00
Will Greenberg
c83ae30be8
fix language
2025-01-08 15:23:59 -08:00
Will Greenberg
fa612241a5
lib: add IMSI requested heuristic
2025-01-08 15:23:59 -08:00
Will Greenberg
10592bbd9d
lib: add inbound/outbound field to NAS
2025-01-06 16:24:11 -08:00
Will Greenberg
327eaddcd7
rayhunter-check: pcapify qmdl
2025-01-06 16:24:11 -08:00
Cooper Quintin
f4a6c834d2
remove false positive IMSI heuristic until we get a NAS parser
2024-12-09 10:53:58 -08:00
Cooper Quintin
ee75326912
Fix macos install (#67)
* update shell path and some docs
* download ADB if not present
* big O not little o
* bugfix
* bugfix
* silence errors for macos developers
* Update dist/install-common.sh
Co-authored-by: Will Greenberg <willg@eff.org>
---------
Co-authored-by: Will Greenberg <willg@eff.org>
2024-10-22 12:21:27 -07:00
Will Greenberg
6c237e884c
lib: rm duplicate TestAnalyzer
2024-10-10 12:41:25 -07:00
Will Greenberg
16f705f29c
Add the test analyzer entirely via daemon flags
Also consolidate the duplicate AnalysisWriter implementation
2024-10-08 14:58:46 -07:00
Cooper Quintin
ca4f49b15f
Framebuffer update (#60)
* first pass at changing the UI color based on state
* adding flag to qmdl metadata for when heuristic is triggered
* update style for web page to match UI and have color alert on heuristic trigger
* add test analyzer
* rename example_analyzer to test_analyzer
* refactor ui update to not depend on server
* refactor to pass around color instead of display state for framebuffer channel
* add debug feature flag for test analyzer
* remove warning status from qmdl manifest
* don't keep has warning around
2024-10-03 10:41:59 -07:00
Will Greenberg
861aaedd47
rayhunter-check improvements
2024-08-19 16:49:01 -07:00
Will Greenberg
d6fb54afb3
lib: rm unused imports
2024-08-05 09:57:09 -07:00
Will Greenberg
09fdb9d6e1
lib: add analyzer for a null cipher being set
2024-07-18 16:02:12 -07:00
Will Greenberg
b5262cd1b9
lib: use ImsiProvidedAnalyzer by default
2024-07-10 20:28:33 -07:00
Will Greenberg
8f7ac607a7
lib: add analyzer for detecting IMSIs being sent
2024-07-10 20:24:52 -07:00
Cooper Quintin
f261940a26
Merge branch 'main' into documentation
2024-06-06 13:06:49 -07:00
Will Greenberg
bfc688ad21
daemon: switch to writing heuristics output to ND-JSON
ND-JSON (newline-delimited JSON) is just a file with a list of JSON
objects separated by newlines. This way, as the analyzer harness
processes new packets, it can simply append JSON-serialized results
to a file without parsing the entire thing first.
Also simplifies the analysis stuff to all operate in the diag thread.
2024-05-09 14:46:41 -07:00
Will Greenberg
4a5bede4ee
lib: fix overzealous regex
2024-05-08 15:00:24 -07:00
Will Greenberg
3c932f0ce9
daemon: run analysis in realtime
Currently we just show the results of analysis as a <pre> tagged
JSON blob, but eventually we can make some actual UI
2024-05-08 14:58:14 -07:00
Will Greenberg
531c10cf29
Add rayhunter-check, a utility for running QMDL heuristics
2024-03-11 18:21:52 -07:00
Cooper Quintin
63e9c53dd4
server listen publicly
2024-02-29 15:19:25 -08:00
Cooper Quintin
924b7c9302
Merge branch 'main' into documentation
2024-02-29 12:06:30 -08:00
Will Greenberg
fa5f72dd52
lib: ignore WriteZero for flush as well
2024-02-29 09:53:56 -08:00
Cooper Quintin
6be208698b
merge
2024-02-28 16:05:46 -08:00
Will Greenberg
36c09e1dbc
diag_device: rm unused initialization tracker
2024-02-23 10:54:51 -08:00
Will Greenberg
0b6c06c7e6
appease clippy
2024-02-22 19:29:52 -08:00
Will Greenberg
775cbcda1e
Transition to async I/O for most things
Mixing async and sync I/O leads to a multitude of complications, and
generally speaking it's much more convenient to stick to one paradigm
or the other. Since axum (and many other HTTP servers) use async,
and since async is a convenient model for performing operations like
"handle an MPSC message or file read, whichever happens first", let's
commit to an async interface.
2024-02-22 19:28:58 -08:00
Will Greenberg
abd3b98cff
diag_device: remove unnecessarily public function
2024-02-22 19:10:31 -08:00
Will Greenberg
d4ee48827c
lint fixes
2024-02-13 17:03:06 -08:00
Will Greenberg
5d7caba1a6
Minimal version of the LTE downgrade analyzer
This also renames the lte_parser crate to telcom_parser, since it'll
handle any 2G or 3G parsing going forward.
2024-02-13 17:03:06 -08:00
Will Greenberg
d570ad3cb1
lib: add Analyzer trait
This trait will be implemented by all of our heuristics, giving
us a uniform interface for collecting events and displaying them
to the user.
2024-02-13 17:03:06 -08:00
Will Greenberg
7e4511fdde
lib: add lte-parser crate support
This'll let us convert a Gsmtap message into a fully parsed LTE
message.
2024-02-13 17:03:06 -08:00
Will Greenberg
ed9d2b41d7
Renamed library crate to rayhunter, binary to rayhunter-daemon
The produced binary is still called rayhunter though!
2024-01-30 10:18:38 -08:00
Will Greenberg
87f18c0c8b
Rename directories (again)
2024-01-30 09:58:05 -08:00