[OpenSIPS-Users] Opensips 2.5 and fraud module

Liviu Chircu liviu at opensips.org
Tue Apr 24 05:39:36 EDT 2018 

Hi Denis,

It is difficult for me to assess your intervals, and triggering reasons. 
For example, your sheet starts at 07:08 AM, but the counter accumulation 
is reset way back, at 00:00.

Please provide some actual fraud event logs, with a log such as below, 
so we can blame the sequential calls for sure:

event_route [E_FRD_CRITICAL]
{
fetch_event_params("$var(param);$var(val);$var(thr);$var(user);$var(number);$var(ruleid)");
     xlog("E_FRD_CRITICAL: 
$var(param);$var(val);$var(thr);$var(user);$var(number);$var(ruleid)\n");
}

Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 24.04.2018 12:06, Denis via Users wrote:
> Hello Liviu!
> "Yes, the "sequential calls" holds the size of the last batch of calls
> sent to the same number. For example, if a user were to dial 44 and 45
> prefixes in a round-robin manner, his "sequential calls" value would
> never exceed 1."
> Here you can find acc from one of the client (from the beginning of 
> the 24.04)
> https://yadi.sk/i/Zkj70CCM3UiEyw
> and fraud module params looks like
>                    prefix: 810
>                start_hour: 00:00
>                  end_hour: 23:59
>             daysoftheweek: Mon-Sun
>               cpm_warning: 10
>              cpm_critical: 11
>     call_duration_warning: 1499
>    call_duration_critical: 1500
>       total_calls_warning: 99
>      total_calls_critical: 100
>  concurrent_calls_warning: 25
> concurrent_calls_critical: 30
>  sequential_calls_warning: 14
> sequential_calls_critical: 15
> Something wronge))))
> As you can see the client dial different numbers but module detects 
> fraud anyway.
> -- 
> С уважением, Денис.
> Best regards, Denis
> 19.04.2018, 18:14, "Liviu Chircu" <liviu at opensips.org>:
>>
>> Hi Denis!
>>
>> Good catch! For the first time, I documented a parameter, but forgot 
>> to export it for the script writer as well! :)
>>
>> It is now fixed. Thank you!
>>
>> Cheers,
>>
>> Liviu Chircu
>> OpenSIPS Developer
>> http://www.opensips-solutions.com <http://www.opensips-solutions.com/>
>> On 19.04.2018 17:28, Denis via Users wrote:
>>> Hello, Liviu!
>>> I had installed latest Opensips 2.2 (Opensips 2.2.6)
>>> In a log file, during start of Opensips, i can see
>>> ERROR:core:set_mod_param_regex: parameter <use_local_time> not found 
>>> in module <fraud_detection>
>>> Where is mistake?
>>> Thank you.
>>> -- 
>>> С уважением, Денис.
>>> Best regards, Denis
>>> 13.04.2018, 09:49, "Denis via Users" <users at lists.opensips.org> 
>>> <mailto:users at lists.opensips.org>:
>>>> Ok, thank you
>>>> -- 
>>>> С уважением, Денис.
>>>> Best regards, Denis
>>>> 12.04.2018, 14:23, "Liviu Chircu" <liviu at opensips.org 
>>>> <mailto:liviu at opensips.org>>:
>>>>>
>>>>> Use $Ts [1] to get the current UNIX timestamp in seconds.
>>>>>
>>>>> [1]: http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91
>>>>>
>>>>> Liviu Chircu
>>>>> OpenSIPS Developer
>>>>> http://www.opensips-solutions.com <http://www.opensips-solutions.com/>
>>>>> On 12.04.2018 14:08, Denis via Users wrote:
>>>>>> Liviu, is there any way to find out current time from Opensips 
>>>>>> during call processing (some functions, variables etc which i can 
>>>>>> use in opensips.cfg)?
>>>>>> Thank you
>>>>>> -- 
>>>>>> С уважением, Денис.
>>>>>> Best regards, Denis
>>>>>> 12.04.2018, 13:50, "Liviu Chircu" <liviu at opensips.org> 
>>>>>> <mailto:liviu at opensips.org>:
>>>>>>>
>>>>>>> Hi Denis,
>>>>>>>
>>>>>>> The fraud detection module has no such mechanism, currently. We 
>>>>>>> could invent some variables such as $frd_last_warn, 
>>>>>>> $frd_last_crit, $frd_first_warn, $frd_first_crit. They would 
>>>>>>> output a UNIX timestamp. If there were no warnings during the 
>>>>>>> current interval, the timestamp value would be 0. Can't think of 
>>>>>>> anything better now - you can polish this idea and open up a 
>>>>>>> pull request if you want.
>>>>>>>
>>>>>>> How many users do you have? The "cachedb_local" offers a fast 
>>>>>>> and configurable hash implementation. Why wouldn't it be a good 
>>>>>>> solution in order to store/fetch the above-mentioned timestamps 
>>>>>>> for each of your users?
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Liviu Chircu
>>>>>>> OpenSIPS Developer
>>>>>>> http://www.opensips-solutions.com 
>>>>>>> <http://www.opensips-solutions.com/>
>>>>>>> On 10.04.2018 13:11, Denis via Users wrote:
>>>>>>>> Hello, Liviu!
>>>>>>>> "So you want to check the time of the last fraud detection 
>>>>>>>> attempt for a user?"
>>>>>>>> Yes, but not for store this time to anywhere.
>>>>>>>> I want to detect the time of the first fraud call, and if this 
>>>>>>>> time, for example, between 19:00 and 09:00, make some actions.
>>>>>>>> Can i do it with Opensips?
>>>>>>>> Thank you.
>>>>>>>> -- 
>>>>>>>> С уважением, Денис.
>>>>>>>> Best regards, Denis
>>>>>>>> 10.04.2018, 12:28, "Liviu Chircu" <liviu at opensips.org> 
>>>>>>>> <mailto:liviu at opensips.org>:
>>>>>>>>>
>>>>>>>>> Hi Denis,
>>>>>>>>>
>>>>>>>>> Yes, the "sequential calls" holds the size of the last batch 
>>>>>>>>> of calls
>>>>>>>>> sent to the same number. For example, if a user were to dial 
>>>>>>>>> 44 and 45
>>>>>>>>> prefixes in a round-robin manner, his "sequential calls" value 
>>>>>>>>> would
>>>>>>>>> never exceed 1.
>>>>>>>>>
>>>>>>>>> So you want to check the time of the last fraud detection 
>>>>>>>>> attempt for a
>>>>>>>>> user? You can use "cachedb_local", for example, and hold the 
>>>>>>>>> last fraud
>>>>>>>>> detection timestamp for each user. Also, note that 
>>>>>>>>> check_fraud() [1] has
>>>>>>>>> some useful return codes (-1 and -2), in case you don't want 
>>>>>>>>> to use the
>>>>>>>>> E_FRD_ events.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> [1]:
>>>>>>>>> http://www.opensips.org/html/docs/modules/2.4.x/fraud_detection.html#func_check_fraud
>>>>>>>>>
>>>>>>>>> Liviu Chircu
>>>>>>>>> OpenSIPS Developer
>>>>>>>>> http://www.opensips-solutions.com 
>>>>>>>>> <http://www.opensips-solutions.com/>
>>>>>>>>>
>>>>>>>>> On 09.04.2018 09:12, Denis via Users wrote:
>>>>>>>>>
>>>>>>>>>      Hello, Liviu!
>>>>>>>>>      Thank you very much!
>>>>>>>>>      I will try your fix.
>>>>>>>>>      And, What does "Sequential calls" mean? These are calls
>>>>>>>>>     to one number?
>>>>>>>>>      So, if we have situation dealing with reset counters, i
>>>>>>>>>     want to make
>>>>>>>>>      one thing.
>>>>>>>>>      I want to check the time when fraud has been detected and
>>>>>>>>>     if this
>>>>>>>>>      time, say, after 19:00 make some actions. How can i check
>>>>>>>>>     time of the
>>>>>>>>>      call processing?
>>>>>>>>>      Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>> ,
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>> ,
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>> ,
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> ,
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20180424/14932457/attachment-0001.html>

More information about the Users mailing list