[OpenSIPS-Users] Fraud Detection Module Inquiry

Jonathan Mabrito mabritoj at gmail.com
Wed Jan 9 12:11:11 EST 2019 

One more inquiry on this module. Is it possible to have the module ignore
prefixes being set in the fraud rules? For our scenarios, the FROM
Address/user is the same for most of our calls. On our PBX's we do not
really give out DID's to each of our users, so when a user makes an
outbound call, the FROM address is always going to be same and set to the
main number of our system. Within the fraud detection module, I have a
prefix of 99 defined (how we denote an outbound call) and starting getting
tons of false positive notifications, as the pair being matched would be
<800number, 99numberDialed>. This quickly filled up the sequential calls
threshold as every call being made had the same FROM Address and matched
against the 99 prefix.

The way we operate, I created 30 minute intervals Sun-Sat with the same
threshold values (48 rows of rules). I am hoping I can omit the prefix
matching and just match the dialed number to the appropriate 30 minute time
interval? so the pair being matched would be <800 number, full number
dialed> ? I tried setting a blank prefix and say "No rule matched" syslog
message.





On Mon, Jan 7, 2019 at 5:48 PM Jonathan Mabrito <mabritoj at gmail.com> wrote:

> Hi All,
>
> I am running OpenSIPS 2.3 and I have a inquiry on the Fraud Detection
> module. I had a critical alert get triggered on the call duration threshold
> today. No warning came in, just straight to the critical....and way over
> the critical duration threshold.
>
> Looking in the logs, it looks like the critical notification was triggered
> when the call disconnected/hung up. Guessing the module accounts the start
> and end time of the call and uses that duration? Does it not keep track of
> the call from a duration perspective as its happening?
>
> Luckily this was just one occurrence but it got me thinking, if fraud was
> being performed on the system, then the duration notification wont be
> triggered until the call is hung up...at least the way I have it
> configured. Is there a way to have it keep auditing ongoing calls?
> --
> -Jonathan
>
-- 
-Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20190109/c155c722/attachment.html>

More information about the Users mailing list