Hello, Liviu! OK, thank you.
Additionally i will ask you to analyze one case. In attachment you can find a log of calls, which were made by one user some time ago (with the number 1234567). It`s a fraud. Also i attached a piece of opensips.cfg related to a fraud detection (see script.txt). When critical event triggered Opensips sends email to some address (see script.txt). As you can see in the call log, fraud began at 01:40 2016-10-01. Value of the field "sip_reason" "fraud_detected" means that fraud_module detects the fraud and a call was discarded by script logging (see script.txt) First email about that i received at 01:41 with fraud param " calls per minute". Next email i received only at 11:08 with fraud param "total calls". Between these two time stamps i have no emails about fraud, and as you can see from the call log, there were many successful calls in this period with "big" duration. Fraud_detection table had such content: profileid = 1 prefix = 810 start_hour = 00:00 end_hour = 23:59 daysoftheweek = Mon-Sun cpm_critical = 6 call_duration_critical = 3600 tatal_calls_critical = 30 concurant_calls_critical = 30 sequential_calls_critical = 5000 The questions is: - Why module didn`t detect fraud based on "call duration"? Thank you. mailto:[email protected] Upon looking through the source code, it seems that calls_per_min / total_calls / concurrent_calls are also reset to 0 every time a new rule is matched, or if the day has changed since we last matched the current rule. I will make sure this info ^ is more easily accessible: either in a new tutorial section or the module doc. Regards, Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On 10.11.2016 16:29, Denis wrote: Re: [OpenSIPS-Users] Fraud_detection module Hello, Liviu! Thank you for your answer. About 2) "Calls per minute" - ok, but what about other parameters? For example, "total calls"? Suppose we have 09:00 - 17:00, Mon-Fri, and "total calls" = 30. If in Mon user makes 25 calls, on Tue since 09:00 counts of "total calls" begin from 0 or 25? mailto:[email protected] Hi, Deniz! Answers below. Regards, Liviu Chircu OpenSIPS Developer http://www.opensips-solutions.com On 10.11.2016 15:18, Denis wrote: Re: Fraud_detection modul Hello! Opensips 2.2.1 A couple of questions about fraud_detection: 1) In documentation says "consecutive calls to the same destination ". Same destination = same number, or prefix? Same prefix, taken from the fraud detection rule 2) At the beginning of the next period, a counts of events begin 0? The module uses a gliding window of 60 seconds, in order to keep track of "calls per minute". When changing time intervals, hence putting new thresholds in place, the "calls per minute" will not reset. In other words, when switching intervals, the new "calls per minute" thresholds will initially work with calls placed during the last minute when the old thresholds were in place. 3) is there any method to reset counts of events for certain user? Currently there is no way of doing this. 4) what is the value used to calculate duration in fraud_module, minutes or seconds? It should be "seconds", I will fix the misleading example in the tutorial. ______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
fraud.xls
Description: MS-Excel spreadsheet
if (dp_translate("19996","$avp(500)/$avp(500)","$avp(999)")) {
$avp(user)=$avp(500);
$avp(profile)=$avp(999);
} else {
acc_db_request("No_number_mark_for_fraud", "acc");
send_reply("403", "Forbidden");
exit;
}
$avp(profile)=$(avp(profile){s.int});
check_fraud("$avp(user)","$rU","$avp(profile)");
switch($rc) {
case 2:
break;
case 1:
break;
case -1:
break;
case -2:
acc_db_request("Fraud_detectead", "acc");
send_reply("403", "Forbidden");
exit;
break;
case -3:
acc_db_request("Fraud_detection_failure", "acc");
send_reply("403", "Forbidden");
exit;
break;
}
event_route[E_FRD_CRITICAL] {
fetch_event_params("param = $avp(frparam);value = $avp(frvalue);threshold =
$avp(frthr);user = $avp(fruser);called_number = $avp(frcalled);rule_id =
$avp(frruleid)");
exec("echo -e 'Fraud detected from number $avp(fruser)\n Fraud param:
$avp(frparam)\n Fraud param. value: $avp(frvalue)\n Fraud trigger:
$avp(frthr)\n Called number: $avp(frcalled)' | mail -a 'Content-Type:
text/plain; charset=UTF-8' -s 'Fraud detect!' [email protected]");
}_______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
