Re: [OpenSIPS-Users] Opensips 2.5 and fraud module

[Денис Путято via Users]

Sorry, wrong button pushed)))

 

Continue

 

where,

$avp(user) - caller number

$rU - callee number

$avp(profile) - profile id

 

in the fraud module table

 

in the acc table

 

first call

11111111     22222222    101    06.06.2018 15:34:54

 

where,

11111111 - caller number

22222222 - caller nuber

101 - duration of the call

06.06.2018 15:34:54 - date/time of the call

 

second call

11111111   22222222   0    06.06.2018 15:38:21

the same parameters, call success, but without answer.

 

Before the second call

/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats 11111111   22222222 1

calls per minute:: 1

total calls:: 1

concurrent calls:: 0

sequential calls:: 1

 

After the second call

/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats 11111111   22222222 1

calls per minute:: 1

total calls:: 2

concurrent calls:: 0

sequential calls:: 2

 

So, additionally, in opensips.cfg i have such logic

 

event_route[E_FRD_CRITICAL] {

fetch_event_params("param = $avp(frparam);value = $avp(frvalue);threshold = $avp(frthr);user = $avp(fruser);called_number = $avp(frcalled);rule_id = $avp(frruleid)");

exec("echo -e 'Обнаружен фродовый трафик с номера $avp(fruser)\n Параметр фрода: $avp(frparam)\n Величина параметра фрода: $avp(frvalue)\n Порог параметра фрода: $avp(frthr)\n Номер вызывамого абонента: $avp(frcalled)' | mail -a 'Content-Type: text/plain; charset=UTF-8' -s 'Fraud detect!' fr...@ptl.ru fr...@ptl.ru");

}

 

Between two calls I have received email about the first call with param: call_duration

 

So, why could i make the second call?

 

Thank you

 

-- 

С уважением, Денис.

Best regards, Denis

 

 

 

 

 

06.06.2018, 15:51, "Denis" <denis7...@mail.ru>:

Liviu, thank you very much!

 

And, sorry, but i want to worry you more about the module.

 

First of all, now, i am using

opensips 2.2.6 (x86_64/linux)

flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT

ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535

poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.

git revision: 5d229f5

main.c compiled on 13:56:51 Apr 20 2018 with gcc 5.4.0

 

Recently i found such problem. Module detected fraud calls, dealing with call_duration (my previous question about seconds and minutes dealing with problem), but i cannot see calls drop. All in order,

 

In opensips.cfg i have such logic:

"

check_fraud("$avp(user)","$rU","$avp(profile)");

   switch($rc) {

    case 2:

    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 2");

    break;

    case 1:

    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");

    break;

    case -1:

    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case -1");

    break;

    case -2:

    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD DETECTED");

    $avp(501)=$ft+$ci;

    $avp(501)=$(avp(501){s.md5});

    acc_db_request("Fraud_detectead", "acc");

    send_reply("403", "Forbidden");

    exit;

    break;

    case -3:

    if ($avp(3000)=="1")  xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD failure");

    $avp(501)=$ft+$ci;

    $avp(501)=$(avp(501){s.md5});

    acc_db_request("Fraud_detection_failure", "acc");

    send_reply("403", "Forbidden");

    exit;

    break;

  }

 

where,

 

 

in

"

 

-- 

С уважением, Денис.

Best regards, Denis

 

 

 

 

 

06.06.2018, 14:29, "Liviu Chircu" <li...@opensips.org>:

Hi, Denis!

According to the table data I wrote in the tutorial [1], it's definitely seconds. It's a pity that the docs do not reflect this as well -- I'll get them fixed!

Best regards,

[1]: http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 06.06.2018 14:20, Denis via Users wrote:

Hello, Liviu!

 

It is me, again:)))

 

One more, call_duration measured in seconds or in minutes?

 

Thank you.

 

-- 

С уважением, Денис.

Best regards, Denis

 

 

 

 

 

27.04.2018, 09:25, "Denis via Users" <users@lists.opensips.org>:

Hello, Liviu!

OK, i understand.
.

But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.

Because, now, "sequential calls" and "total calls", actually, perform the same control task.

My experience tell me, that many fraud cases deal with calling to the same number in a some time period.

 

Anyway, thank you!

 

 

-- 

С уважением, Денис.

Best regards, Denis

 

 

 

 

 

26.04.2018, 08:22, "Liviu Chircu" <li...@opensips.org>:

Yes, exactly. Apologies for my incomplete example scenario!

Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 26.04.2018 07:57, Denis via Users wrote:

 Liviu, it seems, i confused.
 You gave an example
 "the "sequential calls" holds the size of the last batch of calls sent
 to the same number. For example, if a user were to dial 44 and 45
 prefixes in a round-robin manner, his "sequential calls" value would
 never exceed 1"
 So, it seems, that if we have TWO PREFIX field in fraud detection
 table with one profile, with 44 and 55 content, and ONE user were to
 dial 44 (for example 44667788 or 44223344 etc) and 45 (4567788 or
 44223344 etc)
 prefixes in a round-robin manner, his "sequential calls" value would
 never exceed 1.
 In my case i have only ONE prefix - 810 - and, although, user were
 dial different numbers but with common prefix (810) "sequential calls"
 increased by one every call. And when counter reached predetermined
 value calls have started blocking.
 Am i right?
 Thank you.
 --
 С уважением, Денис.
 Best regards, Denis
 _______________________________________________
 Users mailing list
 Users@lists.opensips.org
 http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

,

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

 

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

,

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users