Sorry, wrong button pushed)))
 
Continue
 
where,
$avp(user) - caller number
$rU - callee number
$avp(profile) - profile id
 
in the fraud module table
 
in the acc table
 
first call
11111111     22222222    101    06.06.2018 15:34:54
 
where,
11111111 - caller number
22222222 - caller number
101 - duration of the call
06.06.2018 15:34:54 - date/time of the call
 
second call
11111111   22222222   0    06.06.2018 15:38:21
the same parameters, call success, but without answer.
 
Before the second call
/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats 11111111   22222222 1
calls per minute:: 1
total calls:: 1
concurrent calls:: 0
sequential calls:: 1
 
After the second call
/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats 11111111   22222222 1
calls per minute:: 1
total calls:: 2
concurrent calls:: 0
sequential calls:: 2
 
So, additionally, in opensips.cfg I have such logic
 
event_route[E_FRD_CRITICAL] {
fetch_event_params("param = $avp(frparam);value = $avp(frvalue);threshold = $avp(frthr);user = $avp(fruser);called_number = $avp(frcalled);rule_id = $avp(frruleid)");
exec("echo -e 'Обнаружен фродовый трафик с номера $avp(fruser)\n Параметр фрода: $avp(frparam)\n Величина параметра фрода: $avp(frvalue)\n Порог параметра фрода: $avp(frthr)\n Номер вызывамого абонента: $avp(frcalled)' | mail -a 'Content-Type: text/plain; charset=UTF-8' -s 'Fraud detect!' fr...@ptl.ru fr...@ptl.ru");
}
 
Between two calls I have received email about the first call with param: call_duration
 
So, why could I make the second call?
 
Thank you
 
-- 
Best regards, Denis
 
 
 
 
 
06.06.2018, 15:51, "Denis" <denis7...@mail.ru>:
Liviu, thank you very much!
 
And, sorry, but I want to worry you more about the module.
 
First of all, now, I am using
opensips 2.2.6 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
git revision: 5d229f5
main.c compiled on 13:56:51 Apr 20 2018 with gcc 5.4.0
 
Recently I found such a problem. Module detected fraud calls, dealing with call_duration (my previous question about seconds and minutes dealing with problem), but I cannot see calls drop. All in order,
 
In opensips.cfg I have such logic:
"
check_fraud("$avp(user)","$rU","$avp(profile)");
   switch($rc) {
    case 2:
    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 2");
    break;
    case 1:
    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");
    break;
    case -1:
    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case -1");
    break;
    case -2:
    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD DETECTED");
    $avp(501)=$ft+$ci;
    $avp(501)=$(avp(501){s.md5});
    acc_db_request("Fraud_detectead", "acc");
    send_reply("403", "Forbidden");
    exit;
    break;
    case -3:
    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD failure");
    $avp(501)=$ft+$ci;
    $avp(501)=$(avp(501){s.md5});
    acc_db_request("Fraud_detection_failure", "acc");
    send_reply("403", "Forbidden");
    exit;
    break;
  }
 
where,
 
 
in
"
 
-- 
Best regards, Denis
 
 
 
 
 
06.06.2018, 14:29, "Liviu Chircu" <li...@opensips.org>:

Hi, Denis!

According to the table data I wrote in the tutorial [1], it's definitely seconds. It's a pity that the docs do not reflect this as well -- I'll get them fixed!

Best regards,

[1]: http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 06.06.2018 14:20, Denis via Users wrote:
Hello, Liviu!
 
It is me, again:)))
 
One more, call_duration measured in seconds or in minutes?
 
Thank you.
 
-- 
Best regards, Denis
 
 
 
 
 
27.04.2018, 09:25, "Denis via Users" <users@lists.opensips.org>:
Hello, Liviu!

OK, I understand.
But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.
Because, now, "sequential calls" and "total calls", actually, perform the same control task.
My experience tells me, that many fraud cases deal with calling to the same number in some time period.
 
Anyway, thank you!
 
 
-- 
Best regards, Denis
 
 
 
 
 
26.04.2018, 08:22, "Liviu Chircu" <li...@opensips.org>:

Yes, exactly. Apologies for my incomplete example scenario!

Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 26.04.2018 07:57, Denis via Users wrote:

 Liviu, it seems, I am confused.
 You gave an example
 "the "sequential calls" holds the size of the last batch of calls sent
 to the same number. For example, if a user were to dial 44 and 45
 prefixes in a round-robin manner, his "sequential calls" value would
 never exceed 1"
 So, it seems, that if we have TWO PREFIX field in fraud detection
 table with one profile, with 44 and 55 content, and ONE user were to
 dial 44 (for example 44667788 or 44223344 etc) and 45 (4567788 or
 44223344 etc)
 prefixes in a round-robin manner, his "sequential calls" value would
 never exceed 1.
 In my case I have only ONE prefix - 810 - and, although, user were
 dial different numbers but with common prefix (810) "sequential calls"
 increased by one every call. And when counter reached predetermined
 value calls have started blocking.
 Am I right?
 Thank you.
 --
 Best regards, Denis
 _______________________________________________
 Users mailing list
 Users@lists.opensips.org
 http://lists.opensips.org/cgi-bin/mailman/listinfo/users
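
The "sequential calls" behaviour confirmed in the 26.04.2018 exchange above, as an added Python model. It is not OpenSIPS code and not written by anyone in this thread. It shows why round-robin dialing across the 44 and 45 prefixes keeps the counter at 1 while different numbers under a single 810 prefix increase it on every call, next to the per-number counting suggested in the 27.04.2018 message. The function names, longest-prefix matching, the ">=" threshold test and all phone numbers are assumptions.

```python
# Added model of the "sequential calls" counter as described in this thread.
# Not OpenSIPS source code; longest-prefix matching, the ">=" threshold test
# and every phone number below are assumptions constructed for illustration.

def match_prefix(number, prefixes):
    """Longest configured prefix that `number` starts with, or None."""
    hits = [p for p in prefixes if number.startswith(p)]
    return max(hits, key=len) if hits else None

def sequential_by_prefix(calls, prefixes):
    """Counter after each call when a batch is keyed on the matched prefix."""
    last, seq, out = None, 0, []
    for number in calls:
        key = match_prefix(number, prefixes)
        if key is not None:  # calls matching no rule leave the counter alone
            seq = seq + 1 if key == last else 1
            last = key
        out.append(seq)
    return out

def sequential_by_number(calls):
    """Variant asked for in the thread: batch keyed on the exact callee."""
    last, seq, out = None, 0, []
    for number in calls:
        seq = seq + 1 if number == last else 1
        last = number
        out.append(seq)
    return out

def first_blocked(counts, threshold):
    """Index of the first call whose counter reaches the threshold, or None."""
    return next((i for i, c in enumerate(counts) if c >= threshold), None)

# Constructed call sequences for one user.
ROUND_ROBIN = ["44667788", "45667788", "44223344", "45223344"]
ONE_PREFIX = ["8101111111", "8102222222", "8103333333", "8104444444"]

if __name__ == "__main__":
    print(sequential_by_prefix(ROUND_ROBIN, ["44", "45"]))
    print(sequential_by_prefix(ONE_PREFIX, ["810"]))
    print(sequential_by_number(ONE_PREFIX))
    print(first_blocked(sequential_by_prefix(ONE_PREFIX, ["810"]), 3))
```

With prefix-keyed batches and a single rule, the counter tracks "total calls" call for call, which is the overlap pointed out in the 27.04.2018 message.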