rayhunter icon indicating copy to clipboard operation
rayhunter copied to clipboard
verified publisher icon EFForg

[Feature Request]: Adjustable tresholds, yellow line, periodical restart and showing warnings net to the line

Open MatejKovacic opened this issue 7 months ago • 9 comments

What problem does this feature solve or what does it enhance?

A friend of mine is capturing packets with Rayhunter on TP-Link v4 in one Asian country. However, many times he starts the device, he gets red line. I is a false alarm (the "first 150 packets" problem) and he needs to go to Rayhunter's WebUI, press "stop recording" and then "start recording" again, so red line disappears.

Proposed Solution

I propose to have adjustable thresholds for showing red line and to add yellow line.

In WebUI there should be a configuration with a list of all hevristics/detections. And for each of them there should be an option to select what kind of line should be shown. Example:

  • IMSI requested: (red / yellow / no alarm)
  • 2G downgrade: (red / yellow / no alarm)
  • Null cipher: (red / yellow / no alarm)
  • silent SMS received: (red / yellow / no alarm)

In that case user will be able to select to show red line only if there are events with higher probability that IMSI catcher was detected. Yellow line would be triggered by suspicious events but with lower probability that IMSI catcher was detected. This should help to filter out false alarms.

Another proposal is also to delay starting the Rayhunter when device is turned on. This also should be configurable in options. In that case we will avoid false alarm known as the "first 150 packets" problem.

Third proposal is to reload/restart Rayhunter periodically, let's say each hour. Why? If you get the alarm (red line) in the morning, and are running device the whole day, the red line would stay for the whole day. This is a little bit misleading. So Rayhunter should be restarted so red line would stay for let's say just one hour an then it will dissapear.

Fourth proposal is to show number of events next to the line. So if red line dissapears (as described in previous proposal), user will still see number of red and yellow warnings. However in WebUI there should be an option to reset those warnings completely.

So if you are using the device for the whole week and will get an alarm at the morning of the second day, you will:

  • get red line for one hour at the morning of the second day
  • after that, line would be green, but you will see that there was one red alarm
  • when you will log into the Rayhunter after let's say one week, you will be able to reset this "red counter"

Alternatives Considered

No response

MatejKovacic avatar May 22 '25 08:05 MatejKovacic

I was thinking of adding a shortcut on the input button to stop/start the recording. The user would double-click the power button, to stop or start. This would partially solve some of your problems as one could look at the red line and acknowledge+reset the warning very easily. It can be done on TP-Link M7350 v3 in a simple way because ubus listen command prints all button clicks without interfering with regular device usage. Later versions are more complicated.

untitaker avatar May 26 '25 15:05 untitaker

@cooperq @wgreenberg any thoughts on this one?

untitaker avatar May 29 '25 19:05 untitaker

started a basic POC for my proposal https://github.com/EFForg/rayhunter/pull/350

untitaker avatar May 31 '25 14:05 untitaker

I can work on a config page on the UI as soon as we have an API end point I can call to make changes! That would also resolve concerns with #350.

alliraine avatar Jun 01 '25 18:06 alliraine

Today I installed 0.3.2 and there is "severity" label in WebUI when you expand the warnings. This looks good, however I would propose to show severity in the basic line (before you expand it).

I tried to illustrate what I mean:

Image

MatejKovacic avatar Jun 02 '25 21:06 MatejKovacic

Also, this is my attempt of visualisation how number of warnings (and their severity) could be shown on a screen.

Image

On monochrome displays it could be H: 2 M: 4 L:1 (high, medium, low).

Maybe is not a good idea, but someone who is a designer can think of something better.

MatejKovacic avatar Jun 02 '25 21:06 MatejKovacic

I am still thinking...

Right now you can see the severity of warnings in web UI. Is there a table of which warning translates to what severity level? Because on my recordings I can see only low severity.

Now the idea. What if user could set their own profile for severity levels?

In that case you could have some preset profiles (like USA, Europe, etc.) and also profiles like "Monitoring on a fixed location" and "Wardriving"

For instance, if you are driving around on a locations where mobile signal is weak (i. e. through tunnels), you can expect there will be a lot of 2G downgrade warnings. So in that case you can set priority of this warning to low.

But if you are monitoring a fixed location with a good signal, 2G downgrade could mean high severity warning.

I would propose to tie severity level to the color of the line. High severity: red line, medium severity: orange line, low severity: yellow line, no warning: green line. (Or do we have only high and low severity?)

And then - maybe there should be another option to define which severities (i. e. which lines) to show. Only red line, or also orange and yellow? So user could decide to see only high severity warnings on the screen, but on web UI s/he could see all warnings.

MatejKovacic avatar Jun 03 '25 21:06 MatejKovacic

Today I installed 0.3.2 and there is "severity" label in WebUI when you expand the warnings. This looks good, however I would propose to show severity in the basic line (before you expand it).

I tried to illustrate what I mean:

Image

This is a good suggestion, I think we should implement it for the UI.

oopsbagel avatar Jun 04 '25 05:06 oopsbagel

I spun that request out into its own issue because it's a small lift

alliraine avatar Jun 04 '25 17:06 alliraine