<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><tt>Hi Denis,</tt></p>
<p><tt>It is difficult for me to assess your intervals, and triggering
reasons. For example, your sheet starts at 07:08 AM, but the
counter accumulation is reset way back, at 00:00.</tt></p>
<p><tt>Please provide some actual fraud event logs, with a log such
as below, so we can blame the sequential calls for sure:<br>
</tt></p>
<p><tt>event_route [E_FRD_CRITICAL]<br>
{<br>
fetch_event_params("$var(param);$var(val);$var(thr);$var(user);$var(number);$var(ruleid)");<br>
xlog("E_FRD_CRITICAL:
$var(param);$var(val);$var(thr);$var(user);$var(number);$var(ruleid)\n");<br>
}<br>
</tt></p>
<p><tt>Best regards,</tt><br>
</p>
<pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 24.04.2018 12:06, Denis via Users
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:10679041524560806@web50g.yandex.ru">
<div>Hello Liviu!</div>
<div> </div>
<div>"Yes, the "sequential calls" holds the size of the last batch
of calls<br>
sent to the same number. For example, if a user were to dial 44
and 45<br>
prefixes in a round-robin manner, his "sequential calls" value
would<br>
never exceed 1."</div>
<div> </div>
<div>Here you can find acc from one of the client (from the
beginning of the 24.04)</div>
<div><span
style="background-color:#ffffff;color:#000000;display:inline
!important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;"><a
href="https://yadi.sk/i/Zkj70CCM3UiEyw"
moz-do-not-send="true">https://yadi.sk/i/Zkj70CCM3UiEyw</a></span></div>
<div> </div>
<div><span
style="background-color:#ffffff;color:#000000;display:inline
!important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">and
fraud module params looks like </span></div>
<div>
<div> prefix: 810</div>
<div> start_hour: 00:00</div>
<div> end_hour: 23:59</div>
<div> daysoftheweek: Mon-Sun</div>
<div> cpm_warning: 10</div>
<div> cpm_critical: 11</div>
<div> call_duration_warning: 1499</div>
<div> call_duration_critical: 1500</div>
<div> total_calls_warning: 99</div>
<div> total_calls_critical: 100</div>
<div> concurrent_calls_warning: 25</div>
<div>concurrent_calls_critical: 30</div>
<div> sequential_calls_warning: 14</div>
<div>sequential_calls_critical: 15</div>
<div> </div>
<div>Something wronge))))</div>
<div>As you can see the client dial different numbers but module
detects fraud anyway.</div>
</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>19.04.2018, 18:14, "Liviu Chircu" <a class="moz-txt-link-rfc2396E" href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF">
<p>Hi Denis!</p>
<p>Good catch! For the first time, I documented a parameter,
but forgot to export it for the script writer as well! :)</p>
<p>It is now fixed. Thank you!</p>
<p>Cheers,</p>
<pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
<div>On 19.04.2018 17:28, Denis via Users wrote:</div>
<blockquote type="cite"
cite="mid:1389971524148132@web59g.yandex.ru">
<div>Hello, Liviu!</div>
<div> </div>
<div>I had installed latest Opensips 2.2 (Opensips 2.2.6)</div>
<div> </div>
<div>In a log file, during start of Opensips, i can see</div>
<div>ERROR:core:set_mod_param_regex: parameter
<use_local_time> not found in module
<fraud_detection></div>
<div> </div>
<div>Where is mistake?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>13.04.2018, 09:49, "Denis via Users" <a
href="mailto:users@lists.opensips.org"
moz-do-not-send="true"><users@lists.opensips.org></a>:</div>
<blockquote type="cite">
<div>Ok, thank you</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>12.04.2018, 14:23, "Liviu Chircu" <<a
href="mailto:liviu@opensips.org"
moz-do-not-send="true">liviu@opensips.org</a>>:</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF">
<p>Use $Ts [1] to get the current UNIX timestamp in
seconds.</p>
<p>[1]: <a
href="http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91"
moz-do-not-send="true">http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91</a></p>
<pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
<div>On 12.04.2018 14:08, Denis via Users wrote:</div>
<blockquote type="cite"
cite="mid:943251523531284@web48j.yandex.ru">
<div>Liviu, is there any way to find out current
time from Opensips during call processing (some
functions, variables etc which i can use in
opensips.cfg)?</div>
<div> </div>
<div>Thank you</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>12.04.2018, 13:50, "Liviu Chircu" <a
href="mailto:liviu@opensips.org"
moz-do-not-send="true"><liviu@opensips.org></a>:</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF">
<p>Hi Denis,</p>
<p>The fraud detection module has no such
mechanism, currently. We could invent some
variables such as $frd_last_warn,
$frd_last_crit, $frd_first_warn,
$frd_first_crit. They would output a UNIX
timestamp. If there were no warnings during
the current interval, the timestamp value
would be 0. Can't think of anything better now
- you can polish this idea and open up a pull
request if you want.</p>
<p>How many users do you have? The
"cachedb_local" offers a fast and configurable
hash implementation. Why wouldn't it be a good
solution in order to store/fetch the
above-mentioned timestamps for each of your
users?</p>
<p>Best regards,</p>
<pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
<div>On 10.04.2018 13:11, Denis via Users wrote:</div>
<blockquote type="cite"
cite="mid:324741523355075@web30o.yandex.ru">
<div>Hello, Liviu!</div>
<div> </div>
<div>"So you want to check the time of the
last fraud detection attempt for a user?"</div>
<div> </div>
<div>Yes, but not for store this time to
anywhere.</div>
<div>I want to detect the time of the first
fraud call, and if this time, for example,
between 19:00 and 09:00, make some actions.</div>
<div> </div>
<div>Can i do it with Opensips?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>10.04.2018, 12:28, "Liviu Chircu" <a
href="mailto:liviu@opensips.org"
moz-do-not-send="true"><liviu@opensips.org></a>:</div>
<blockquote type="cite">
<p>Hi Denis,<br>
<br>
Yes, the "sequential calls" holds the size
of the last batch of calls<br>
sent to the same number. For example, if a
user were to dial 44 and 45<br>
prefixes in a round-robin manner, his
"sequential calls" value would<br>
never exceed 1.<br>
<br>
So you want to check the time of the last
fraud detection attempt for a<br>
user? You can use "cachedb_local", for
example, and hold the last fraud<br>
detection timestamp for each user. Also,
note that check_fraud() [1] has<br>
some useful return codes (-1 and -2), in
case you don't want to use the<br>
E_FRD_ events.<br>
<br>
Cheers,<br>
<br>
[1]:<br>
<a
href="http://www.opensips.org/html/docs/modules/2.4.x/fraud_detection.html#func_check_fraud"
moz-do-not-send="true">http://www.opensips.org/html/docs/modules/2.4.x/fraud_detection.html#func_check_fraud</a><br>
<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
<a
href="http://www.opensips-solutions.com/"
moz-do-not-send="true">http://www.opensips-solutions.com</a><br>
<br>
On 09.04.2018 09:12, Denis via Users
wrote:</p>
<blockquote> Hello, Liviu!<br>
Thank you very much!<br>
I will try your fix.<br>
And, What does "Sequential calls" mean?
These are calls to one number?<br>
So, if we have situation dealing with
reset counters, i want to make<br>
one thing.<br>
I want to check the time when fraud has
been detected and if this<br>
time, say, after 19:00 make some actions.
How can i check time of the<br>
call processing?<br>
Thank you.</blockquote>
<p><br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
</div>
,
<p>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
</div>
,
<p>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
,
<p>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
</div>
,
<p>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>