<div>Liviu, it seems, i confused.</div><div>You gave an example</div><div>"the "sequential calls" holds the size of the last batch of calls sent to the same number. For example, if a user were to dial 44 and 45<br />prefixes in a round-robin manner, his "sequential calls" value would never exceed 1"</div><div> </div><div>So, it seems, that if we have TWO PREFIX field in fraud detection table with one profile, with 44 and 55 content, and ONE user were to dial 44 (for example 44667788 or 44223344 etc) and 45 (4567788 or 44223344 etc)<br />prefixes in a round-robin manner, his "sequential calls" value would never exceed 1.</div><div>In my case i have only ONE prefix - 810 - and, although, user were dial different numbers but with common prefix (810) "sequential calls" increased by one every call. And when counter reached predetermined value calls have started blocking.</div><div> </div><div>Am i right?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>25.04.2018, 17:56, "Liviu Chircu" <liviu@opensips.org>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Denis, they all match the same prefix. "810" is the same number match, over and over again, so the sequential calls is not reset. Please fix your number matching if you want it to work differently.</p><p>Best regards,</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 25.04.2018 17:41, Denis via Users wrote:</div><blockquote type="cite" cite="mid:719141524667280@web7j.yandex.ru"><div>Hello Liviu!</div><div> </div><div>Sorry, for long answer.</div><div> </div><div>I do not quite understand</div><div> </div><div>07:08 was the first call to 810 prefix from 00:00 where counters, how you mentioned, has been reset.</div><div> </div><div>So, after 15 calls i can see, that Opensips drop any calls with appropriate reason ("fraud detected")</div><div> </div><div>The only counter that has such value is "sequential_calls_critical". Another counters are long away from this value.</div><div> </div><div>Anyway you doubt that "sequential_calls_critical" is the reason of call`s block?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>24.04.2018, 12:41, "Liviu Chircu" <a href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi Denis,</p><p>It is difficult for me to assess your intervals, and triggering reasons. For example, your sheet starts at 07:08 AM, but the counter accumulation is reset way back, at 00:00.</p><p>Please provide some actual fraud event logs, with a log such as below, so we can blame the sequential calls for sure:</p><p>event_route [E_FRD_CRITICAL]<br />{<br /> fetch_event_params("$var(param);$var(val);$var(thr);$var(user);$var(number);$var(ruleid)");<br /> xlog("E_FRD_CRITICAL: $var(param);$var(val);$var(thr);$var(user);$var(number);$var(ruleid)\n");<br />}</p><p>Best regards,</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 24.04.2018 12:06, Denis via Users wrote:</div><blockquote type="cite" cite="mid:10679041524560806@web50g.yandex.ru"><div>Hello Liviu!</div><div> </div><div>"Yes, the "sequential calls" holds the size of the last batch of calls<br />sent to the same number. For example, if a user were to dial 44 and 45<br />prefixes in a round-robin manner, his "sequential calls" value would<br />never exceed 1."</div><div> </div><div>Here you can find acc from one of the client (from the beginning of the 24.04)</div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;"><a href="https://yadi.sk/i/Zkj70CCM3UiEyw">https://yadi.sk/i/Zkj70CCM3UiEyw</a></span></div><div> </div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">and fraud module params looks like </span></div><div><div> prefix: 810</div><div> start_hour: 00:00</div><div> end_hour: 23:59</div><div> daysoftheweek: Mon-Sun</div><div> cpm_warning: 10</div><div> cpm_critical: 11</div><div> call_duration_warning: 1499</div><div> call_duration_critical: 1500</div><div> total_calls_warning: 99</div><div> total_calls_critical: 100</div><div> concurrent_calls_warning: 25</div><div>concurrent_calls_critical: 30</div><div> sequential_calls_warning: 14</div><div>sequential_calls_critical: 15</div><div> </div><div>Something wronge))))</div><div>As you can see the client dial different numbers but module detects fraud anyway.</div></div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>19.04.2018, 18:14, "Liviu Chircu" <a href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi Denis!</p><p>Good catch! For the first time, I documented a parameter, but forgot to export it for the script writer as well! :)</p><p>It is now fixed. Thank you!</p><p>Cheers,</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 19.04.2018 17:28, Denis via Users wrote:</div><blockquote type="cite" cite="mid:1389971524148132@web59g.yandex.ru"><div>Hello, Liviu!</div><div> </div><div>I had installed latest Opensips 2.2 (Opensips 2.2.6)</div><div> </div><div>In a log file, during start of Opensips, i can see</div><div>ERROR:core:set_mod_param_regex: parameter <use_local_time> not found in module <fraud_detection></div><div> </div><div>Where is mistake?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>13.04.2018, 09:49, "Denis via Users" <a href="mailto:users@lists.opensips.org"><users@lists.opensips.org></a>:</div><blockquote type="cite"><div>Ok, thank you</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>12.04.2018, 14:23, "Liviu Chircu" <<a href="mailto:liviu@opensips.org">liviu@opensips.org</a>>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Use $Ts [1] to get the current UNIX timestamp in seconds.</p><p>[1]: <a href="http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91">http://www.opensips.org/Documentation/Script-CoreVar-2-4#toc91</a></p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 12.04.2018 14:08, Denis via Users wrote:</div><blockquote type="cite" cite="mid:943251523531284@web48j.yandex.ru"><div>Liviu, is there any way to find out current time from Opensips during call processing (some functions, variables etc which i can use in opensips.cfg)?</div><div> </div><div>Thank you</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>12.04.2018, 13:50, "Liviu Chircu" <a href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi Denis,</p><p>The fraud detection module has no such mechanism, currently. We could invent some variables such as $frd_last_warn, $frd_last_crit, $frd_first_warn, $frd_first_crit. They would output a UNIX timestamp. If there were no warnings during the current interval, the timestamp value would be 0. Can't think of anything better now - you can polish this idea and open up a pull request if you want.</p><p>How many users do you have? The "cachedb_local" offers a fast and configurable hash implementation. Why wouldn't it be a good solution in order to store/fetch the above-mentioned timestamps for each of your users?</p><p>Best regards,</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 10.04.2018 13:11, Denis via Users wrote:</div><blockquote type="cite" cite="mid:324741523355075@web30o.yandex.ru"><div>Hello, Liviu!</div><div> </div><div>"So you want to check the time of the last fraud detection attempt for a user?"</div><div> </div><div>Yes, but not for store this time to anywhere.</div><div>I want to detect the time of the first fraud call, and if this time, for example, between 19:00 and 09:00, make some actions.</div><div> </div><div>Can i do it with Opensips?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>10.04.2018, 12:28, "Liviu Chircu" <a href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div><blockquote type="cite"><p>Hi Denis,<br /><br />Yes, the "sequential calls" holds the size of the last batch of calls<br />sent to the same number. For example, if a user were to dial 44 and 45<br />prefixes in a round-robin manner, his "sequential calls" value would<br />never exceed 1.<br /><br />So you want to check the time of the last fraud detection attempt for a<br />user? You can use "cachedb_local", for example, and hold the last fraud<br />detection timestamp for each user. Also, note that check_fraud() [1] has<br />some useful return codes (-1 and -2), in case you don't want to use the<br />E_FRD_ events.<br /><br />Cheers,<br /><br />[1]:<br /><a href="http://www.opensips.org/html/docs/modules/2.4.x/fraud_detection.html#func_check_fraud">http://www.opensips.org/html/docs/modules/2.4.x/fraud_detection.html#func_check_fraud</a><br /><br />Liviu Chircu<br />OpenSIPS Developer<br /><a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a><br /><br />On 09.04.2018 09:12, Denis via Users wrote:</p><blockquote> Hello, Liviu!<br /> Thank you very much!<br /> I will try your fix.<br /> And, What does "Sequential calls" mean? These are calls to one number?<br /> So, if we have situation dealing with reset counters, i want to make<br /> one thing.<br /> I want to check the time when fraud has been detected and if this<br /> time, say, after 19:00 make some actions. How can i check time of the<br /> call processing?<br /> Thank you.</blockquote><p><br /><br />_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote>