Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

The more I think about it, the more "call duration" makes sense as it is now.  If you want to force a shorter dialog lifetime, there is no need to duplicate this logic into check_fraud() -- you can already achieve it by setting custom $DLG_timeout values. Ideally, we should be able to one or

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

As for me, it is not solve the problem, if we will still talking about 'per call' criteria.For example. I set 10 "total calls" with 600 seconds of the "call duration". Your idea will give us 100 minute of successful calls. Not such many for minutes, but may be a lot in money. But, if it is

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

I agree - it seems like a "good in theory, bad in practice" kind of feature.  So let's see how we can make it better: would it make more sense to add a forced dialog lifetime equal to the critical threshold of the "call duration" setting upon calling check_fraud() (which, by the way, will also

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hmm.And what is the purpose of control "per call"?As i understand it triggers AFTER calls finishing. What can we do in such situation?Just send email to, for example, support, that "potential fraud" call has been finished?-- Best regards, DenisС уважением,Путято Денис19:32, 9 июня 2018 г.,

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

The "call duration" is a "per call" statistic, while "sequential", "concurrent", "cpm" and "total" are "interval-based" statistics -- indeed, once they trigger, subsequent calls have a good chance of also being rejected (e.g. unlike "total" and "sequential", which are only reset when a new

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Liviu, I expect that ones the module detects fraud, it should return -2 on subsequent calls. As it does to "total calls" and "subsequent calls" respectively.In my example, the second call was successful (return 1) , although, as i expected, it should be fail (return -2) Thank you -- С уважением,

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hi Denis, If these are your tests: 1.       101    06.06.2018 15:34:54 2.       0  06.06.2018 15:38:21 Then the 1st one should return -2 ("call duration" critical threshold hit, since 101 sec > 60 sec), and the second one should return 1 (success, no

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello! Liviu, can i be sure, that you will analyze my question? Thank you. -- С уважением, Денис.Best regards, Denis 06.06.2018, 16:28, "Denis via Users" :And a final i made some tests and found that subsequent calls falls to this case"case 1:    if ($avp(3000)=="1")  xlog("L_INFO",

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

And a final i made some tests and found that subsequent calls falls to this case"case 1:    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");" -- С уважением, Денис.Best regards, Denis 06.06.2018,

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Sorry, wrong button pushed))) Continue where,$avp(user) - caller number$rU - callee number$avp(profile) - profile id in the fraud module table in the acc table first call         101    06.06.2018 15:34:54 where, - caller number - caller nuber101 - duration of the

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Liviu, thank you very much! And, sorry, but i want to worry you more about the module. First of all, now, i am usingopensips 2.2.6 (x86_64/linux)flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAITADAPTIVE_WAIT_LOOPS=1024,

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello, Liviu! It is me, again:))) One more, call_duration measured in seconds or in minutes? Thank you. -- С уважением, Денис.Best regards, Denis 27.04.2018, 09:25, "Denis via Users" :Hello, Liviu!OK, i understand..But, to speak the truth, it would be more reasonable to control exactly

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello, Liviu!OK, i understand..But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.Because, now, "sequential calls" and "total calls", actually, perform the same control task.My experience tell me, that many fraud cases deal with calling to the same

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Yes, exactly. Apologies for my incomplete example scenario! Best regards, Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On 26.04.2018 07:57, Denis via Users wrote: Liviu, it seems, i confused. You gave an example "the "sequential calls" holds the size of the last batch of

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Liviu, it seems, i confused.You gave an example"the "sequential calls" holds the size of the last batch of calls sent to the same number. For example, if a user were to dial 44 and 45prefixes in a round-robin manner, his "sequential calls" value would never exceed 1" So, it seems, that if we have

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Denis, they all match the same prefix. "810" is the same number match, over and over again, so the sequential calls is not reset. Please fix your number matching if you want it to work differently. Best regards, Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On 25.04.2018

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello Liviu! Sorry, for long answer. I do not quite understand 07:08 was the first call to 810 prefix from 00:00 where counters, how you mentioned, has been reset. So, after 15 calls i can see, that Opensips drop any calls with appropriate reason ("fraud detected") The only counter that has such

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hi Denis, It is difficult for me to assess your intervals, and triggering reasons. For example, your sheet starts at 07:08 AM, but the counter accumulation is reset way back, at 00:00. Please provide some actual fraud event logs, with a log such as below, so we can blame the sequential

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello Liviu! "Yes, the "sequential calls" holds the size of the last batch of callssent to the same number. For example, if a user were to dial 44 and 45prefixes in a round-robin manner, his "sequential calls" value wouldnever exceed 1." Here you can find acc from one of the client (from the

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hi Denis! Good catch! For the first time, I documented a parameter, but forgot to export it for the script writer as well! :) It is now fixed. Thank you! Cheers, Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On 19.04.2018 17:28, Denis via Users wrote: Hello, Liviu! I

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello, Liviu! I had installed latest Opensips 2.2 (Opensips 2.2.6) In a log file, during start of Opensips, i can seeERROR:core:set_mod_param_regex: parameter not found in module  Where is mistake? Thank you. -- С уважением, Денис.Best regards, Denis 13.04.2018, 09:49, "Denis via Users"

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Use $Ts [1] to get the current UNIX timestamp in seconds. [1]: http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91 Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On 12.04.2018 14:08, Denis via Users wrote: Liviu, is there any way to find out current time from

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Liviu, is there any way to find out current time from Opensips during call processing (some functions, variables etc which i can use in opensips.cfg)? Thank you -- С уважением, Денис.Best regards, Denis 12.04.2018, 13:50, "Liviu Chircu" :Hi Denis,The fraud detection module

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello, Liviu! "So you want to check the time of the last fraud detection attempt for a user?" Yes, but not for store this time to anywhere.I want to detect the time of the first fraud call, and if this time, for example, between 19:00 and 09:00, make some actions. Can i do it with Opensips? Thank

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hi Denis, Yes, the "sequential calls" holds the size of the last batch of calls sent to the same number. For example, if a user were to dial 44 and 45 prefixes in a round-robin manner, his "sequential calls" value would never exceed 1. So you want to check the time of the last fraud

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello, Liviu! Thank you very much! I will try your fix. And, What does "Sequential calls" mean? These are calls to one number? So, if we have situation dealing with reset counters, i want to make one thing.I want to check the time when fraud has been detected and if this time, say, after 19:00

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hi Denis, I have fixed the sequential calls to also reset on interval / day change, as well as adding a new param on the 2.3 and 2.2 branches, named "use_local_time" [1], so as not to break the default behavior. The default behavior will change in 2.4+, so it will use the local time, as

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Ok, it seems the UTC theory was right. Quoting from "man gmtime_r": "The gmtime() function converts the calendar time timep to broken-down time representation, expressed in Coordinated Universal Time (UTC)". This is an ugly behavior IMO (to reset counters at 21:00), and we should consider

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

I will take care of the seq calls + "UTC time" investigation. Just let me know if you find anything else that refutes the theory in the meantime. For example, if fraud alerts are also skipped during daylight hours. Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Ok, i will check it. And what about "sequential call"? Should i make TT? P.S. I will ask you about one thing yet.Can i detect current 'time' using Opensips script? And compare it someway? Thank you. -- С уважением, Денис.Best regards, Denis 04.04.2018, 15:13, "Liviu Chircu"

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Did OpenSIPS crash or restart between 0:25 - 3:20? I double checked, and "total_calls" cannot be reset in another way. Another possibility is that the code sees GMT time. Since Москва is on GMT+3, this may well explain the situation: first calls were placed around 21:25 GMT, then the "total

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hmmm it is interesting hypothesis. About time.I tried to check it directly. Now we have 04/04/2018 I made a test call and time answer was "Ср апр  4 14:45:37 MSK 2018" from unix shell command 'date', where апр - aprilСр - Wednesday4 - 4 april14:45:37 - timeMSK 2018 - timezone and a year. So in

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hi Denis, Some interesting data! Here's some analysis: 1) First we have this detection suite: 4/2/18 0:12 270675427b234658 X.X.X.X 11 8102463894929 Fraud_detectead 0 This is due to the "cpm" throttling (> 5 cpm within the last 2 minutes) hitting. Once he makes a pause until

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Liviu, and another interesting case.Here, https://yadi.sk/i/-vRrJXtz3U5m2Z, you can find cdr of the fraud case.In the table:time - time of the callcallid - sip callidsrc_domain - source ipsrc_user - caller (from one number)dst_user - calleesip_reason and duration - column from acc table. Several

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

"Do you agree?" without a doubt:))) As you can see in my table, i should set a big value of the counter to allow users ('good users':))) to make a call to 810 destination. Is there any chance to fix this quickly? thank you. -- С уважением, Денис.Best regards, Denis 03.04.2018, 18:28, "Liviu

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hmmm... indeed, the "sequential calls" only reset if you dial a different number. If the other stats reset at midnight/interval change, I don't see why this specific one should be different. To me, it looks like a bug. Do you agree? Liviu Chircu OpenSIPS Developer

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello Liviu! I am sorry, i totally missed one important thing - serial forking)))I.e. i had 52 records in accounting, but several of them leads to one call.As a result i had exactly 29 calls before fraud module became block subsequent calls. About counters reset i understood. Thank you. The last

Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

Hello! Is there any idea about the problem? Thank you. -- С уважением, Денис.Best regards, Denis 16.03.2018, 15:22, "Denis via Users" :Hello! I am sorry that it was early, but anyway. Server:: OpenSIPS (2.2.5 (x86_64/linux)) Fraud_module has been activated. Profile

[OpenSIPS-Users] Opensips 2.5 and fraud module

Hello! I am sorry that it was early, but anyway. Server:: OpenSIPS (2.2.5 (x86_64/linux)) Fraud_module has been activated. Profile data  17.02.18 20:55 Opensips received first fraud call.And before Opensips detected fraud there were 52 yet calls to 810 prefix. First question is why it didn`t