<div>Liviu, thank you very much!</div><div> </div><div>And, sorry, but i want to worry you more about the module.</div><div> </div><div>First of all, now, i am using</div><div><div>opensips 2.2.6 (x86_64/linux)</div><div>flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT</div><div>ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535</div><div>poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.</div><div>git revision: 5d229f5</div><div>main.c compiled on 13:56:51 Apr 20 2018 with gcc 5.4.0</div></div><div> </div><div>Recently i found such problem. Module detected fraud calls, dealing with call_duration (my previous question about seconds and minutes dealing with problem), but i cannot see calls drop. But all in order,</div><div> </div><div>In opensips.cfg i have such logic:</div><div>"<div>check_fraud("$avp(user)","$rU","$avp(profile)");</div><div> switch($rc) {</div><div> case 2:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 2");</div><div> break;</div><div> case 1:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");</div><div> break;</div><div> case -1:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case -1");</div><div> break;</div><div> case -2:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD DETECTED");</div><div> $avp(501)=$ft+$ci;</div><div> $avp(501)=$(avp(501){s.md5});</div><div> acc_db_request("Fraud_detectead", "acc");</div><div> send_reply("403", "Forbidden");</div><div> exit;</div><div> break;</div><div> case -3:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD failure");</div><div> $avp(501)=$ft+$ci;</div><div> $avp(501)=$(avp(501){s.md5});</div><div> acc_db_request("Fraud_detection_failure", "acc");</div><div> send_reply("403", "Forbidden");</div><div> exit;</div><div> break;</div><div> }</div><div> </div><div>where,</div><div> </div><div> </div><div>in</div>"</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>06.06.2018, 14:29, "Liviu Chircu" <liviu@opensips.org>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi, Denis!</p><p>According to the table data I wrote in the tutorial [1], it's definitely seconds. It's a pity that the docs do not reflect this as well -- I'll get them fixed!</p><p>Best regards,</p><p>[1]: <a href="http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1">http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1</a></p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 06.06.2018 14:20, Denis via Users wrote:</div><blockquote type="cite" cite="mid:4051661528284039@web14g.yandex.ru"><div>Hello, Liviu!</div><div> </div><div>It is me, again:)))</div><div> </div><div>One more, call_duration measured in seconds or in minutes?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>27.04.2018, 09:25, "Denis via Users" <a href="mailto:users@lists.opensips.org"><users@lists.opensips.org></a>:</div><blockquote type="cite"><div>Hello, Liviu!</div><div><br />OK, i understand.<br />.</div><div>But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.</div><div>Because, now, "sequential calls" and "total calls", actually, perform the same control task.</div><div>My experience tell me, that many fraud cases deal with calling to the same number in a some time period.</div><div> </div><div>Anyway, thank you!</div><div> </div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>26.04.2018, 08:22, "Liviu Chircu" <<a href="mailto:liviu@opensips.org">liviu@opensips.org</a>>:</div><blockquote type="cite"><p>Yes, exactly. Apologies for my incomplete example scenario!<br /><br />Best regards,<br /><br />Liviu Chircu<br />OpenSIPS Developer<br /><a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a><br /><br />On 26.04.2018 07:57, Denis via Users wrote:</p><blockquote> Liviu, it seems, i confused.<br /> You gave an example<br /> "the "sequential calls" holds the size of the last batch of calls sent<br /> to the same number. For example, if a user were to dial 44 and 45<br /> prefixes in a round-robin manner, his "sequential calls" value would<br /> never exceed 1"<br /> So, it seems, that if we have TWO PREFIX field in fraud detection<br /> table with one profile, with 44 and 55 content, and ONE user were to<br /> dial 44 (for example <span><span><span>44667788</span></span></span> or <span><span><span>44223344</span></span></span> etc) and 45 (<span><span><span>4567788</span></span></span> or<br /> <span><span><span>44223344</span></span></span> etc)<br /> prefixes in a round-robin manner, his "sequential calls" value would<br /> never exceed 1.<br /> In my case i have only ONE prefix - 810 - and, although, user were<br /> dial different numbers but with common prefix (810) "sequential calls"<br /> increased by one every call. And when counter reached predetermined<br /> value calls have started blocking.<br /> Am i right?<br /> Thank you.<br /> --<br /> С уважением, Денис.<br /> Best regards, Denis<br /> _______________________________________________<br /> Users mailing list<br /> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></blockquote><p><br /><br />_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote>