hi, I don't know the exact format of your events, but the overall logic could be the following:
type=single
ptype=regexp
pattern=INVITE FROM=(\d+) TO=(\d+) CALLID=(\d+)
context=!CALL_FROM_$1_TO_$2 && !CALL_TO_$2
desc=Invite from $1 to $2 ID $3, with no previous calls to $2
action=create CALL_ID_$3; alias CALL_ID_$3 CALL_TO_$2; \
       alias CALL_ID_$3 CALL_FROM_$1_TO_$2

type=single
ptype=regexp
pattern=INVITE FROM=(\d+) TO=(\d+) CALLID=(\d+)
context=!CALL_FROM_$1_TO_$2 && CALL_TO_$2
desc=Invite from $1 to $2 ID $3, with a previous call to $2
action=write - %s

type=single
ptype=regexp
pattern=BYE CALLID=(\d+)
desc=bye for call ID $1
action=delete CALL_ID_$1

The first rule matches cases where no calls between source S and destination D are active, and there are also no calls to D from other sources. The first rule creates the contexts CALL_FROM_S_TO_D and CALL_TO_D, and connects them to context CALL_ID_id as aliases. The second rule matches the case where the CALL_TO_D context exists (this indicates an already existing call to D), but CALL_FROM_S_TO_D is not there (so S is a second caller to D). In this case SEC reports this as a suspicious call. The third rule reacts to the BYE message, and deletes three contexts which are related to a given call.

I hope this example will provide you with some ideas on how to correlate the messages. As for the SIP module, that's best implemented as a ruleset (like the ones found in http://simple-evcorr.sourceforge.net/rulesets/; unfortunately, though, so far no-one has contributed good correlation rules for a scenario similar to yours).

with kind regards,
risto

2012/1/23 sylver_b <sylve...@yahoo.com>:
>
> Hi Everyone,
>
> We now have all our SIP traffic written into a log file so sockets are no
> longer required.
>
> 1 particular rule that we want to enforce is, if more than 1 SIP message of
> type: INVITE with different FROM but same TO number (or request URI) is
> found without the corresponding BYE (with the matching call-ID), then
> subsequent calls should be seen as fraudulent and blocked.
> We know how to
> disconnect a call in real time if the callID is provided. What would be the
> best way to implement such a rule with SEC?
>
> a SIP module would be an amazing addition to SEC .. thank you
>
> ________________________________
> From: Risto Vaarandi <risto.vaara...@seb.ee>
> To: simple-evcorr-users@lists.sourceforge.net
> Sent: Friday 30 December 2011 10:29
> Subject: Re: [Simple-evcorr-users] Re : SEC & unix sockets
>
> On 12/29/2011 11:57 PM, sylver_b wrote:
>> Hi Everyone,
>>
>> that's very good feedback and socat sounds good .. we'll see how far it
>> gets us.
>>
>> thank you
>>
>
> ...and also, here are a couple of posts from the mailing list which
> illustrate how to integrate Perl code snippets into SEC rulesets:
>
> http://sourceforge.net/mailarchive/message.php?msg_id=27258102
> http://sourceforge.net/mailarchive/message.php?msg_id=27081155
>
> regards,
> risto
>
>> ------------------------------------------------------------------------
>> *From:* Risto Vaarandi <risto.vaara...@gmail.com>
>> *To:* rou...@ieee.org
>> *Cc:* simple-evcorr-users@lists.sourceforge.net
>> *Sent:* Wednesday 28 December 2011 21:53
>> *Subject:* Re: [Simple-evcorr-users] SEC & unix sockets
>>
>> 2011/12/28 John P. Rouillard <rou...@cs.umb.edu>:
>> >
>> > In message <4efb49c8.30...@seb.ee>,
>> > Risto Vaarandi writes:
>> >>On 12/28/2011 05:05 PM, sylver_b wrote:
>> >>> Basically, we are running a voip peering service but have to face fraud
>> >>> on a daily basis. We tried to imagine all sorts of ways to detect/stop
>> >>> fraudsters (ie: account age vs total active calls, account age vs
>> >>> purchase frequency, etc..). SEC comes in handy as adding rules should be
>> >>> a lot easier. However, we can only find active calls by connecting to a
>> >>> unix socket - this is an output sample:
>> >>> [...]
>> >>> How could we continuously listen to unix sockets with SEC as calls come
>> >>> in and achieve the following:
>> >>
>> >>I think the best way of getting data from a UNIX socket would be a small
>> >>Perl program which would read the socket and print received events as
>> >>lines to standard output. If SEC starts this program at its startup with
>> >>the 'spawn' action, it will be able to receive events from the socket.
>> >>Another approach would be to let the program write into a file, and
>> >>configure the file as input source with the --input option.
>> >
>> > Also you could use netcat (nc) or socat with appropriate arguments to
>> > connect to the socket and transfer the data to stdout rather than
>> > writing a perl script.
>> >
>> > I would not suggest using telnet to do this, it can sort of work but
>> > you will occasionally get odd behavior which is less likely with
>> > socat/netcat.
>> >
>> > So a spawn command that runs:
>> >
>> > nc ip_addr port
>> >
>> > will take the data from a tcp socket at ip_addr:port and send it to
>> > stdout (and into SEC).
>> >
>>
>> That's indeed a much better way than having a small perl script :)
>> risto
>>
>>
>> ------------------------------------------------------------------------------
>> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
>> infrastructure or vast IT resources to deliver seamless, secure access to
>> virtual desktops. With this all-in-one solution, easily deploy virtual
>> desktops for less than the cost of PCs and save 60% on VDI infrastructure
>> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
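A runnable model of the three rules at the top of Risto's message, added here as an illustration and not code from Risto or from SEC itself: it replays constructed INVITE/BYE lines in the format the patterns assume and mimics SEC's context aliasing, so a BYE for a known call ID clears all three names at once. The dict-of-sets context model, the sample numbers and the helper names are my own assumptions.

```python
import re

# Constructed sample events in the format the three rules' patterns assume.
SAMPLE_LOG = [
    "INVITE FROM=1001 TO=5550100 CALLID=71",
    "INVITE FROM=1001 TO=5550100 CALLID=72",  # same caller again: neither INVITE rule matches
    "INVITE FROM=2002 TO=5550100 CALLID=73",  # second caller while 71 is up: rule 2 reports it
    "BYE CALLID=71",                          # rule 3 clears CALL_ID_71 and both of its aliases
    "INVITE FROM=3003 TO=5550100 CALLID=74",  # destination free again: rule 1 accepts it
]

INVITE_RE = re.compile(r"INVITE FROM=(\d+) TO=(\d+) CALLID=(\d+)")
BYE_RE = re.compile(r"BYE CALLID=(\d+)")


# Contexts are modelled as a dict from name to the set of all names of that
# context, so an alias shares the set and a delete under any name clears them all.
def alias(ctx, name, new_name):
    ctx[new_name] = ctx[name]
    ctx[name].add(new_name)


def delete(ctx, name):
    for n in ctx.pop(name, set()):
        ctx.pop(n, None)


def correlate(lines):
    """Replay the events through the three rules; return (rule 2 reports,
    sorted context names still active at the end)."""
    ctx, reported = {}, []
    for line in lines:
        m = INVITE_RE.search(line)
        if m:
            src, dst, cid = m.groups()
            from_to, to, call = f"CALL_FROM_{src}_TO_{dst}", f"CALL_TO_{dst}", f"CALL_ID_{cid}"
            if from_to not in ctx and to not in ctx:   # rule 1: first call to this destination
                ctx.setdefault(call, {call})
                alias(ctx, call, to)
                alias(ctx, call, from_to)
            elif from_to not in ctx and to in ctx:     # rule 2: second caller, report only
                reported.append(f"Invite from {src} to {dst} ID {cid}, with a previous call to {dst}")
            continue
        m = BYE_RE.search(line)
        if m:                                          # rule 3: no-op for an unknown call ID
            delete(ctx, f"CALL_ID_{m.group(1)}")
    return reported, sorted(ctx)
```

Each reported string is what `action=write - %s` would print in SEC; here it is returned so the outcome can be checked, and the trace also shows that a call reported by rule 2 gets no context of its own, so its later BYE changes nothing.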