The more I think about it, the more "call duration" makes sense as it is
now. If you want to force a shorter dialog lifetime, there is no need
to duplicate this logic into check_fraud() -- you can already achieve it
by setting custom $DLG_timeout values.
Ideally, we should be able to one or
As for me, it is not solve the problem, if we will still talking about 'per call' criteria.For example. I set 10 "total calls" with 600 seconds of the "call duration". Your idea will give us 100 minute of successful calls. Not such many for minutes, but may be a lot in money. But, if it is
I agree - it seems like a "good in theory, bad in practice" kind of
feature. So let's see how we can make it better: would it make more
sense to add a forced dialog lifetime equal to the critical threshold of
the "call duration" setting upon calling check_fraud() (which, by the
way, will also
Hmm.And what is the purpose of control "per call"?As i understand it triggers AFTER calls finishing. What can we do in such situation?Just send email to, for example, support, that "potential fraud" call has been finished?-- Best regards, DenisС уважением,Путято Денис19:32, 9 июня 2018 г.,
The "call duration" is a "per call" statistic, while "sequential",
"concurrent", "cpm" and "total" are "interval-based" statistics --
indeed, once they trigger, subsequent calls have a good chance of also
being rejected (e.g. unlike "total" and "sequential", which are only
reset when a new
Liviu, I expect that ones the module detects fraud, it should return -2 on subsequent calls. As it does to "total calls" and "subsequent calls" respectively.In my example, the second call was successful (return 1) , although, as i expected, it should be fail (return -2) Thank you -- С уважением,
Hi Denis,
If these are your tests:
1. 101 06.06.2018 15:34:54
2. 0 06.06.2018 15:38:21
Then the 1st one should return -2 ("call duration" critical threshold
hit, since 101 sec > 60 sec), and the second one should return 1
(success, no
Hello! Liviu, can i be sure, that you will analyze my question? Thank you. -- С уважением, Денис.Best regards, Denis 06.06.2018, 16:28, "Denis via Users" :And a final i made some tests and found that subsequent calls falls to this case"case 1: if ($avp(3000)=="1") xlog("L_INFO",
And a final i made some tests and found that subsequent calls falls to this case"case 1: if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");" -- С уважением, Денис.Best regards, Denis 06.06.2018,
Sorry, wrong button pushed))) Continue where,$avp(user) - caller number$rU - callee number$avp(profile) - profile id in the fraud module table in the acc table first call 101 06.06.2018 15:34:54 where, - caller number - caller nuber101 - duration of the
Liviu, thank you very much! And, sorry, but i want to worry you more about the module. First of all, now, i am usingopensips 2.2.6 (x86_64/linux)flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAITADAPTIVE_WAIT_LOOPS=1024,
Hello, Liviu! It is me, again:))) One more, call_duration measured in seconds or in minutes? Thank you. -- С уважением, Денис.Best regards, Denis 27.04.2018, 09:25, "Denis via Users" :Hello, Liviu!OK, i understand..But, to speak the truth, it would be more reasonable to control exactly
Hello, Liviu!OK, i understand..But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.Because, now, "sequential calls" and "total calls", actually, perform the same control task.My experience tell me, that many fraud cases deal with calling to the same
Yes, exactly. Apologies for my incomplete example scenario!
Best regards,
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 26.04.2018 07:57, Denis via Users wrote:
Liviu, it seems, i confused.
You gave an example
"the "sequential calls" holds the size of the last batch of
Liviu, it seems, i confused.You gave an example"the "sequential calls" holds the size of the last batch of calls sent to the same number. For example, if a user were to dial 44 and 45prefixes in a round-robin manner, his "sequential calls" value would never exceed 1" So, it seems, that if we have
Denis, they all match the same prefix. "810" is the same number match,
over and over again, so the sequential calls is not reset. Please fix
your number matching if you want it to work differently.
Best regards,
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 25.04.2018
Hello Liviu! Sorry, for long answer. I do not quite understand 07:08 was the first call to 810 prefix from 00:00 where counters, how you mentioned, has been reset. So, after 15 calls i can see, that Opensips drop any calls with appropriate reason ("fraud detected") The only counter that has such
Hi Denis,
It is difficult for me to assess your intervals, and triggering reasons.
For example, your sheet starts at 07:08 AM, but the counter accumulation
is reset way back, at 00:00.
Please provide some actual fraud event logs, with a log such as below,
so we can blame the sequential
Hello Liviu! "Yes, the "sequential calls" holds the size of the last batch of callssent to the same number. For example, if a user were to dial 44 and 45prefixes in a round-robin manner, his "sequential calls" value wouldnever exceed 1." Here you can find acc from one of the client (from the
Hi Denis!
Good catch! For the first time, I documented a parameter, but forgot to
export it for the script writer as well! :)
It is now fixed. Thank you!
Cheers,
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 19.04.2018 17:28, Denis via Users wrote:
Hello, Liviu!
I
Hello, Liviu! I had installed latest Opensips 2.2 (Opensips 2.2.6) In a log file, during start of Opensips, i can seeERROR:core:set_mod_param_regex: parameter not found in module Where is mistake? Thank you. -- С уважением, Денис.Best regards, Denis 13.04.2018, 09:49, "Denis via Users"
Use $Ts [1] to get the current UNIX timestamp in seconds.
[1]: http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 12.04.2018 14:08, Denis via Users wrote:
Liviu, is there any way to find out current time from
Liviu, is there any way to find out current time from Opensips during call processing (some functions, variables etc which i can use in opensips.cfg)? Thank you -- С уважением, Денис.Best regards, Denis 12.04.2018, 13:50, "Liviu Chircu" :Hi Denis,The fraud detection module
Hello, Liviu! "So you want to check the time of the last fraud detection attempt for a user?" Yes, but not for store this time to anywhere.I want to detect the time of the first fraud call, and if this time, for example, between 19:00 and 09:00, make some actions. Can i do it with Opensips? Thank
Hi Denis,
Yes, the "sequential calls" holds the size of the last batch of calls
sent to the same number. For example, if a user were to dial 44 and 45
prefixes in a round-robin manner, his "sequential calls" value would
never exceed 1.
So you want to check the time of the last fraud
Hello, Liviu! Thank you very much! I will try your fix. And, What does "Sequential calls" mean? These are calls to one number? So, if we have situation dealing with reset counters, i want to make one thing.I want to check the time when fraud has been detected and if this time, say, after 19:00
Hi Denis,
I have fixed the sequential calls to also reset on interval / day
change, as well as adding a new param on the 2.3 and 2.2 branches, named
"use_local_time" [1], so as not to break the default behavior.
The default behavior will change in 2.4+, so it will use the local time,
as
Ok, it seems the UTC theory was right. Quoting from "man gmtime_r":
"The gmtime() function converts the calendar time timep to broken-down
time representation, expressed in Coordinated Universal Time (UTC)".
This is an ugly behavior IMO (to reset counters at 21:00), and we should
consider
I will take care of the seq calls + "UTC time" investigation. Just let
me know if you find anything else that refutes the theory in the
meantime. For example, if fraud alerts are also skipped during daylight
hours.
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On
Ok, i will check it. And what about "sequential call"? Should i make TT? P.S. I will ask you about one thing yet.Can i detect current 'time' using Opensips script? And compare it someway? Thank you. -- С уважением, Денис.Best regards, Denis 04.04.2018, 15:13, "Liviu Chircu"
Did OpenSIPS crash or restart between 0:25 - 3:20? I double checked, and
"total_calls" cannot be reset in another way.
Another possibility is that the code sees GMT time. Since Москва is on
GMT+3, this may well explain the situation: first calls were placed
around 21:25 GMT, then the "total
Hmmm it is interesting hypothesis. About time.I tried to check it directly. Now we have 04/04/2018 I made a test call and time answer was "Ср апр 4 14:45:37 MSK 2018" from unix shell command 'date', where апр - aprilСр - Wednesday4 - 4 april14:45:37 - timeMSK 2018 - timezone and a year. So in
Hi Denis,
Some interesting data! Here's some analysis:
1) First we have this detection suite:
4/2/18 0:12 270675427b234658 X.X.X.X 11 8102463894929
Fraud_detectead 0
This is due to the "cpm" throttling (> 5 cpm within the last 2 minutes)
hitting. Once he makes a pause until
Liviu, and another interesting case.Here, https://yadi.sk/i/-vRrJXtz3U5m2Z, you can find cdr of the fraud case.In the table:time - time of the callcallid - sip callidsrc_domain - source ipsrc_user - caller (from one number)dst_user - calleesip_reason and duration - column from acc table. Several
"Do you agree?" without a doubt:))) As you can see in my table, i should set a big value of the counter to allow users ('good users':))) to make a call to 810 destination. Is there any chance to fix this quickly? thank you. -- С уважением, Денис.Best regards, Denis 03.04.2018, 18:28, "Liviu
Hmmm... indeed, the "sequential calls" only reset if you dial a
different number.
If the other stats reset at midnight/interval change, I don't see why
this specific one should be different. To me, it looks like a bug. Do
you agree?
Liviu Chircu
OpenSIPS Developer
Hello Liviu! I am sorry, i totally missed one important thing - serial forking)))I.e. i had 52 records in accounting, but several of them leads to one call.As a result i had exactly 29 calls before fraud module became block subsequent calls. About counters reset i understood. Thank you. The last
Hello! Is there any idea about the problem? Thank you. -- С уважением, Денис.Best regards, Denis 16.03.2018, 15:22, "Denis via Users" :Hello! I am sorry that it was early, but anyway. Server:: OpenSIPS (2.2.5 (x86_64/linux)) Fraud_module has been activated. Profile
Hello! I am sorry that it was early, but anyway. Server:: OpenSIPS (2.2.5 (x86_64/linux)) Fraud_module has been activated. Profile data 17.02.18 20:55 Opensips received first fraud call.And before Opensips detected fraud there were 52 yet calls to 810 prefix. First question is why it didn`t
39 matches
Mail list logo