<div>Hello!</div><div> </div><div>Liviu, can I be sure that you will analyze my question?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>06.06.2018, 16:28, "Denis via Users" <users@lists.opensips.org>:</div><blockquote type="cite"><div>And a final</div><div> </div><div>I made some tests and found that subsequent calls fall into this case</div><div>"<div>case 1:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");</div>"</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>06.06.2018, 16:12, "Денис Путято via Users" <<a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>>:</div><blockquote type="cite"><div>Sorry, wrong button pushed)))</div><div> </div><div>Continue</div><div> </div><div>where,</div><div>$avp(user) - caller number</div><div>$rU - callee number</div><div>$avp(profile) - profile id</div><div> </div><div>in the fraud module table</div><div> </div><div>in the acc table</div><div> </div><div>first call</div><div><span><span>11111111</span></span> <span><span>22222222</span></span> 101 06.06.2018 15:34:54</div><div> </div><div>where,</div><div><span><span>11111111</span></span> - caller number</div><div><span><span>22222222</span></span> - caller number</div><div>101 - duration of the call</div><div>06.06.2018 15:34:54 - date/time of the call</div><div> </div><div>second call</div><div><span><span>11111111</span></span> <span><span>22222222</span></span> 0 06.06.2018 15:38:21</div><div>the same parameters, call success, but without 
answer.</div><div> </div><div>Before the second call</div><div><div>/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats <span><span>11111111</span></span> <span><span>22222222 1</span></span></div><div>calls per minute:: 1</div><div>total calls:: 1</div><div>concurrent calls:: 0</div><div>sequential calls:: 1</div><div> </div><div>After the second call</div><div>/usr/local/opensips2.2/sbin/opensipsctl fifo show_fraud_stats <span><span>11111111</span></span> <span><span>22222222 1</span></span></div><div>calls per minute:: 1</div><div>total calls:: 2</div><div>concurrent calls:: 0</div><div>sequential calls:: 2</div><div> </div><div>So, additionally, in opensips.cfg i have such logic</div><div> </div><div>event_route[E_FRD_CRITICAL] {</div><div>fetch_event_params("param = $avp(frparam);value = $avp(frvalue);threshold = $avp(frthr);user = $avp(fruser);called_number = $avp(frcalled);rule_id = $avp(frruleid)");</div><div>exec("echo -e 'Обнаружен фродовый трафик с номера $avp(fruser)\n Параметр фрода: $avp(frparam)\n Величина параметра фрода: $avp(frvalue)\n Порог параметра фрода: $avp(frthr)\n Номер вызывамого абонента: $avp(frcalled)' | mail -a 'Content-Type: text/plain; charset=UTF-8' -s 'Fraud detect!' 
<a href="mailto:fraud@ptl.ru">fraud@ptl.ru</a> <a href="mailto:fraud@ptl.ru">fraud@ptl.ru</a>");</div><div>}</div></div><div> </div><div>Between two calls I have received email about the first call with param: <span>call_duration</span></div><div> </div><div>So, why could I make the second call?</div><div> </div><div>Thank you</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>06.06.2018, 15:51, "Denis" <<a href="mailto:denis7979@mail.ru">denis7979@mail.ru</a>>:</div><blockquote type="cite"><div>Liviu, thank you very much!</div><div> </div><div>And, sorry, but I want to worry you more about the module.</div><div> </div><div>First of all, now, I am using</div><div><div>opensips 2.2.6 (x86_64/linux)</div><div>flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, QM_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT</div><div>ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535</div><div>poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.</div><div>git revision: 5d229f5</div><div>main.c compiled on 13:56:51 Apr 20 2018 with gcc 5.4.0</div></div><div> </div><div>Recently I found such a problem. Module detected fraud calls, dealing with call_duration (my previous question about seconds and minutes dealing with problem), but I cannot see calls drop. 
All in order,</div><div> </div><div>In opensips.cfg i have such logic:</div><div>"<div>check_fraud("$avp(user)","$rU","$avp(profile)");</div><div> switch($rc) {</div><div> case 2:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 2");</div><div> break;</div><div> case 1:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case 1");</div><div> break;</div><div> case -1:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD: case -1");</div><div> break;</div><div> case -2:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD DETECTED");</div><div> $avp(501)=$ft+$ci;</div><div> $avp(501)=$(avp(501){s.md5});</div><div> acc_db_request("Fraud_detectead", "acc");</div><div> send_reply("403", "Forbidden");</div><div> exit;</div><div> break;</div><div> case -3:</div><div> if ($avp(3000)=="1") xlog("L_INFO", "Route4:$rm was received (IPS=$si, IPD=$rd, CALLID=$ci, FROMTAG=$ft, TOTAG=$tt, AUTH=$au) and FRAUD failure");</div><div> $avp(501)=$ft+$ci;</div><div> $avp(501)=$(avp(501){s.md5});</div><div> acc_db_request("Fraud_detection_failure", "acc");</div><div> send_reply("403", "Forbidden");</div><div> exit;</div><div> break;</div><div> }</div><div> </div><div>where,</div><div> </div><div> </div><div>in</div>"</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>06.06.2018, 14:29, "Liviu Chircu" <<a href="mailto:liviu@opensips.org">liviu@opensips.org</a>>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi, Denis!</p><p>According to the table data I wrote in the tutorial [1], it's definitely 
seconds. It's a pity that the docs do not reflect this as well -- I'll get them fixed!</p><p>Best regards,</p><p>[1]: <a href="http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1">http://www.opensips.org/Documentation/Tutorials-FraudDetection-2-1</a></p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 06.06.2018 14:20, Denis via Users wrote:</div><blockquote type="cite" cite="mid:4051661528284039@web14g.yandex.ru"><div>Hello, Liviu!</div><div> </div><div>It is me, again:)))</div><div> </div><div>One more, call_duration measured in seconds or in minutes?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>27.04.2018, 09:25, "Denis via Users" <a href="mailto:users@lists.opensips.org"><users@lists.opensips.org></a>:</div><blockquote type="cite"><div>Hello, Liviu!</div><div><br />OK, i understand.<br />.</div><div>But, to speak the truth, it would be more reasonable to control exactly numbers, but not prefix.</div><div>Because, now, "sequential calls" and "total calls", actually, perform the same control task.</div><div>My experience tell me, that many fraud cases deal with calling to the same number in a some time period.</div><div> </div><div>Anyway, thank you!</div><div> </div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>26.04.2018, 08:22, "Liviu Chircu" <<a href="mailto:liviu@opensips.org">liviu@opensips.org</a>>:</div><blockquote type="cite"><p>Yes, exactly. Apologies for my incomplete example scenario!<br /><br />Best regards,<br /><br />Liviu Chircu<br />OpenSIPS Developer<br /><a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a><br /><br />On 26.04.2018 07:57, Denis via Users wrote:</p><blockquote> Liviu, it seems, i confused.<br /> You gave an example<br /> "the "sequential calls" holds the size of the last batch of calls sent<br /> to the same number. 
For example, if a user were to dial 44 and 45<br /> prefixes in a round-robin manner, his "sequential calls" value would<br /> never exceed 1"<br /> So, it seems, that if we have TWO PREFIX field in fraud detection<br /> table with one profile, with 44 and 55 content, and ONE user were to<br /> dial 44 (for example <span><span><span><span><span><span>44667788</span></span></span></span></span></span> or <span><span><span><span><span><span>44223344</span></span></span></span></span></span> etc) and 45 (<span><span><span><span><span><span>4567788</span></span></span></span></span></span> or<br /> <span><span><span><span><span><span>44223344</span></span></span></span></span></span> etc)<br /> prefixes in a round-robin manner, his "sequential calls" value would<br /> never exceed 1.<br /> In my case i have only ONE prefix - 810 - and, although, user were<br /> dial different numbers but with common prefix (810) "sequential calls"<br /> increased by one every call. And when counter reached predetermined<br /> value calls have started blocking.<br /> Am i right?<br /> Thank you.<br /> --<br /> С уважением, Денис.<br /> Best regards, Denis<br /> _______________________________________________<br /> Users mailing list<br /> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></blockquote><p><br /><br />_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a 
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote></blockquote></div></blockquote></blockquote></blockquote></blockquote>
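<div>A small model of the "sequential calls" behaviour discussed in the April messages of this thread (round-robin over prefixes 44 and 45 versus a single 810 prefix), added here as an illustration; it is not OpenSIPS code and not from any participant. The class and function names, the longest-prefix matching, the handling of unmatched numbers and the "counter reached the threshold" comparison are assumptions.</div>

```python
from typing import Dict, List, Optional, Tuple


class SequentialCallModel:
    """Toy model of a per-user "sequential calls" counter keyed by rule prefix."""

    def __init__(self, prefixes: List[str], critical: int):
        # Longest prefix first so the most specific rule wins (assumption).
        self.prefixes = sorted(prefixes, key=len, reverse=True)
        self.critical = critical              # hypothetical critical threshold
        self.last_prefix: Dict[str, str] = {}
        self.sequential: Dict[str, int] = {}

    def match(self, number: str) -> Optional[str]:
        """Return the rule prefix that the dialled number falls under, if any."""
        for prefix in self.prefixes:
            if number.startswith(prefix):
                return prefix
        return None

    def on_call(self, user: str, number: str) -> Tuple[Optional[str], int, bool]:
        """Account one call; return (matched prefix, sequential count, critical?)."""
        prefix = self.match(number)
        if prefix is None:
            # No rule matched: counters are left untouched (assumption).
            return None, self.sequential.get(user, 0), False
        if self.last_prefix.get(user) == prefix:
            # Same rule as the previous call: the current batch grows.
            self.sequential[user] += 1
        else:
            # A different rule was hit: a new batch of size 1 starts.
            self.last_prefix[user] = prefix
            self.sequential[user] = 1
        seq = self.sequential[user]
        return prefix, seq, seq >= self.critical


def replay(model: SequentialCallModel, user: str, numbers: List[str]):
    """Feed a list of dialled numbers and collect (sequential, critical) per call."""
    return [model.on_call(user, n)[1:] for n in numbers]


# Constructed sample dial lists; the prefixes are the ones quoted in the thread.
ROUND_ROBIN = ["44667788", "45667788", "44223344", "45112233"]
SINGLE_PREFIX = ["8101111111", "8102222222", "8103333333", "8104444444"]

if __name__ == "__main__":
    print(replay(SequentialCallModel(["44", "45"], 3), "11111111", ROUND_ROBIN))
    print(replay(SequentialCallModel(["810"], 3), "11111111", SINGLE_PREFIX))
```

<div>With two rules the alternating caller never gets past 1, while under one shared 810 rule every call to a different number still extends the same batch, which is why per-number control is not what this counter gives.</div>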