And a final
i made some tests and found that subsequent calls fall to this case
"case 1:
    if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");"
--
Best regards, Denis

06.06.2018, 16:12, "Денис Путято via Users" <users@lists.opensips.org>:

Sorry, wrong button pushed)))
Continue
where,
$avp(user) - caller number
$rU - callee number
$avp(profile) - profile id

in the fraud module table
in the acc table

first call
11111111 22222222 101 06.06.2018 15:34:54
where,
11111111 - caller number
22222222 - caller number
101 - duration of the call
06.06.2018 15:34:54 - date/time of the call

second call
11111111 22222222 0 06.06.2018 15:38:21
the same parameters, call success, but without answer.

Before the second call
/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats 11111111 22222222 1
calls per minute:: 1
total calls:: 1
concurrent calls:: 0
sequential calls:: 1

After the second call
/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats 11111111 22222222 1
calls per minute:: 1
total calls:: 2
concurrent calls:: 0
sequential calls:: 2

So, additionally, in opensips.cfg i have such logic

event_route[E_FRD_CRITICAL] {
    fetch_event_params("param = $avp(frparam);value = $avp(frvalue);threshold = $avp(frthr);user = $avp(fruser);called_number = $avp(frcalled);rule_id = $avp(frruleid)");
    exec("echo -e 'Обнаружен фродовый трафик с номера $avp(fruser)\n Параметр фрода: $avp(frparam)\n Величина параметра фрода: $avp(frvalue)\n Порог параметра фрода: $avp(frthr)\n Номер вызывамого абонента: $avp(frcalled)' | mail -a 'Content-Type: text/plain; charset=UTF-8' -s 'Fraud detect!' fr...@ptl.ru fr...@ptl.ru");
}

Between two calls I have received email about the first call with param: call_duration
So, why could i make the second call?
Thank you
--
Best regards, Denis

06.06.2018, 15:51, "Denis" <denis7...@mail.ru>:

Liviu, thank you very much!
And, sorry, but i want to worry you more about the module.
First of all, now, i am using

opensips 2.2.6 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
git revision: 5d229f5
main.c compiled on 13:56:51 Apr 20 2018 with gcc 5.4.0

Recently i found such problem. Module detected fraud calls, dealing with call_duration (my previous question about seconds and minutes dealing with problem), but i cannot see calls drop. All in order,
In opensips.cfg i have such logic:

"check_fraud("$avp(user)","$rU","$avp(profile)");
switch($rc) {
    case 2:
        if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 2");
        break;
    case 1:
        if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");
        break;
    case -1:
        if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case -1");
        break;
    case -2:
        if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD DETECTED");
        $avp(501)=$ft+$ci;
        $avp(501)=$(avp(501){s.md5});
        acc_db_request("Fraud_detectead", "acc");
        send_reply("403", "Forbidden");
        exit;
        break;
    case -3:
        if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD failure");
        $avp(501)=$ft+$ci;
        $avp(501)=$(avp(501){s.md5});
        acc_db_request("Fraud_detection_failure", "acc");
        send_reply("403", "Forbidden");
        exit;
        break;
}
where,
in
"
--
Best regards, Denis

06.06.2018, 14:29, "Liviu Chircu" <li...@opensips.org>:

Hi, Denis!
According to the table data I wrote in the tutorial [1], it's definitely seconds. It's a pity that the docs do not reflect this as well -- I'll get them fixed!
Best regards,
[1]: http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 06.06.2018 14:20, Denis via Users wrote:

Hello, Liviu!
It is me, again:)))
One more, call_duration measured in seconds or in minutes?
Thank you.
--
Best regards, Denis

27.04.2018, 09:25, "Denis via Users" <users@lists.opensips.org>:

Hello, Liviu!
OK, i understand.
But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.
Because, now, "sequential calls" and "total calls", actually, perform the same control task.
My experience tells me that many fraud cases deal with calling to the same number in some time period.
Anyway, thank you!
--
Best regards, Denis

26.04.2018, 08:22, "Liviu Chircu" <li...@opensips.org>:

Yes, exactly. Apologies for my incomplete example scenario!
Best regards,
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 26.04.2018 07:57, Denis via Users wrote:

Liviu, it seems, I am confused.
You gave an example
"the "sequential calls" holds the size of the last batch of calls sent
to the same number. For example, if a user were to dial 44 and 45
prefixes in a round-robin manner, his "sequential calls" value would
never exceed 1"
So, it seems, that if we have TWO PREFIX field in fraud detection
table with one profile, with 44 and 55 content, and ONE user were to
dial 44 (for example 44667788 or 44223344 etc) and 45 (4567788 or
44223344 etc)
prefixes in a round-robin manner, his "sequential calls" value would
never exceed 1.
In my case i have only ONE prefix - 810 - and, although the user was
dialing different numbers with a common prefix (810), "sequential calls"
increased by one on every call. And when the counter reached the predetermined
value, calls started being blocked.
Am i right?
Thank you.
--
Best regards, Denis
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
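
The "sequential calls" behaviour discussed in this thread, replayed as a small Python model. This is an added example, not OpenSIPS code and not written by anyone in the thread: the class and function names are hypothetical, the 810... numbers are constructed, and counting per dialed number is only the alternative suggested above, not something the module is stated to do.

```python
def longest_prefix(prefixes, number):
    """Longest configured prefix matching the dialed number, or None."""
    matches = [p for p in prefixes if number.startswith(p)]
    return max(matches, key=len) if matches else None

class SequentialCounter:
    """Per user: size of the last batch of calls that mapped to the same key."""
    def __init__(self, key_fn):
        self.key_fn = key_fn          # dialed number -> key that is compared
        self.last_key = {}            # user -> key of the previous call
        self.sequential = {}          # user -> current batch size
        self.total = {}               # (user, key) -> total calls

    def on_call(self, user, number):
        key = self.key_fn(number)
        if key is None:               # no rule matches this number
            return None
        if self.last_key.get(user) == key:
            self.sequential[user] += 1
        else:                         # key changed: a new batch starts
            self.last_key[user] = key
            self.sequential[user] = 1
        self.total[(user, key)] = self.total.get((user, key), 0) + 1
        return self.sequential[user], self.total[(user, key)]

def replay(key_fn, numbers, user="11111111"):
    """Return (sequential, total) after each call in order."""
    counter = SequentialCounter(key_fn)
    return [counter.on_call(user, n) for n in numbers]

def first_blocked(history, critical):
    """1-based index of the first call whose sequential value reaches critical."""
    for i, entry in enumerate(history, start=1):
        if entry and entry[0] >= critical:
            return i
    return None

def by_prefix_44_45(number):          # two prefix rules, as in the quoted example
    return longest_prefix(["44", "45"], number)

def by_prefix_810(number):            # a single prefix rule
    return longest_prefix(["810"], number)

def by_number(number):                # alternative: compare full dialed numbers
    return number

ROUND_ROBIN = ["44667788", "4567788", "44223344", "4567788"]   # from the thread
SAME_PREFIX = ["8101111", "8102222", "8103333", "8104444"]     # constructed

if __name__ == "__main__":
    print(replay(by_prefix_44_45, ROUND_ROBIN))   # sequential stays at 1
    print(replay(by_prefix_810, SAME_PREFIX))     # sequential == total
    print(replay(by_number, SAME_PREFIX))         # never more than 1
```

With a single prefix rule the sequential and total values move together, which is the overlap pointed out in the thread; keyed by full number, only repeated calls to one destination grow the counter.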