<div dir="ltr">Thanks Liviu,<div><br></div><div>Still working on switching to 2.4...have it in development and will test that environment and try to reproduce the issue there. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 8, 2020 at 11:41 AM Liviu Chircu &lt;<a href="mailto:liviu@opensips.org">liviu@opensips.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p><tt>Hi Jonathan,</tt></p>
    <p><tt>I recall a recent series of fraud_detection fixes from
        September which include<br>
        a seq_calls fix [1].  The issue fixed was that too many prefixes
        were matching<br>
        and the stat would increase when it should not have.</tt></p>
    <p><tt>So I'm not sure if it fixes your problem, but I definitely
        recommend trying out<br>
        the latest 2.4 fraud_detection, just to be sure the bug isn't
        fixed yet.  The<br>
        fixes did not make it to 2.3 since it was obsolete even then.<br>
      </tt></p>
    <p><tt>Best regards,</tt></p>
    <p><tt>[1]: </tt><tt><a href="https://github.com/OpenSIPS/opensips/commit/3ac00a6d" target="_blank">https://github.com/OpenSIPS/opensips/commit/3ac00a6d</a></tt></p>
    <pre cols="72">Liviu Chircu
OpenSIPS Developer
<a href="http://opensips-solutions.com" target="_blank">opensips-solutions.com</a>

OpenSIPS Summit, Amsterdam, May 2020
  <a href="http://opensips.org/events/Summit-2020Amsterdam" target="_blank">opensips.org/events/Summit-2020Amsterdam</a>
OpenSIPS Bootcamp, Miami, March 2020
  <a href="http://opensips.org/training" target="_blank">opensips.org/training</a></pre>
    <div>On 08.01.2020 18:27, Jonathan Mabrito
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Good Day All,
        <div><br>
        </div>
        <div>We implemented the Fraud Detection module for our 2.3.6
          setup in the spring. Works great, but I noticed something off
          with it last month that I cannot figure out. We started
          getting alerts about sequential calls that do not add up and
          match the CDR data from the accounting module. I do not want
          to post the CDR data, so hopefully descriptions are fine.
          Based on our set thresholds, I started getting alerts from the
          fraud triggered warnings (Use RabbitMQ to receive the messages
          and translate those messages into emails):</div>
        <div><br>
        </div>
        <div>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"> 
            E_FRD_WARNING</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">param::total
            calls</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">value::12</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">threshold::10</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">user::18662710573</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">called_number::99011966560690444</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">rule_id::73</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">The
            alert in that example said there were 12 sequential calls,
            but the CDR data only shows 6 sequential calls.  I started
            noticing this being the trend for other sequential patterns
            as well and verified this live by making a call and checking
            the stats with the "show_fraud_stats" command. If I place
            one call, the show command shows 2. </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">I
            only check for fraud on the outbound side and this is my
            script snippet for outbound calls:</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">#Check
            Blacklist<br>
            xlog("Checking global blacklist \n");<br>
            if (!check_blacklist("global_blacklist"))<br>
            {<br>
            send_reply("403", "Blacklisted");<br>
            exit;<br>
            }<br>
            <br>
            #Check for Fraud<br>
            xlog("Checking for fraud \n");<br>
            check_fraud("$fU", "$rU", "1");<br>
            <br>
            xlog("Call is an outbound call\n");<br>
            xlog("Before DialPlan Normalization: $ru \n");<br>
            <br>
            if(dp_translate("0", "$rU/$rU")){<br>
            xlog("SIP URI Normalized to $ru \n");<br>
            <br>
            #Find the best route in Dynamic Rule Table for Set 0<br>
            if(!do_routing("0")){<br>
            xlog("No route found for $ru in routing group 0 \n\n");<br>
            send_reply("404", "No route found");<br>
            exit;<br>
            }<br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">//Omitted
            some other stuff</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">t_relay();<br>
            exit;<br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
        </div>
        <div>
          <div>I am not sure if this is just a sequential issue or if CPM,
            etc. are affected as well. Trying to determine that still. </div>
          <div><br>
          </div>
          <div>Any idea on this? </div>
          -- <br>
          <div dir="ltr">- Jonathan</div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
    </blockquote>
  </div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">- Jonathan</div>
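<p>An added example, not part of the original thread or of OpenSIPS: one way to reconcile an E_FRD_WARNING payload in the key::value layout quoted above against CDR rows. The CDR tuple layout, the function names and the sample rows are assumptions constructed for illustration, and it assumes the CDR stores the same caller and callee strings that were passed to check_fraud.</p>

```python
from itertools import groupby

# Constructed sample in the key::value layout of the alert quoted in the thread.
SAMPLE_EVENT = """E_FRD_WARNING
param::total calls
value::12
threshold::10
user::18662710573
called_number::99011966560690444
rule_id::73
"""

# Constructed CDR rows (timestamp, caller, callee): six calls to the alerted
# number, preceded by one call to a different, made-up destination.
SAMPLE_CDRS = [(1578500000 + 60 * i, "18662710573", "99011966560690444")
               for i in range(6)]
SAMPLE_CDRS.append((1578499000, "18662710573", "15550100"))

def parse_event(payload):
    """Split an event payload into (event_name, {key: value})."""
    lines = [ln.strip() for ln in payload.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty event payload")
    name, fields = lines[0], {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("::")
        if not sep:
            raise ValueError(f"malformed field line: {ln!r}")
        fields[key.strip()] = value.strip()
    return name, fields

def longest_run(cdrs, user, called):
    """Longest streak of back-to-back calls by `user` to `called`."""
    own = sorted(c for c in cdrs if c[1] == user)  # time order, this user only
    runs = [len(list(grp)) for dst, grp in groupby(own, key=lambda c: c[2])
            if dst == called]
    return max(runs, default=0)

def reconcile(payload, cdrs):
    """Compare the value reported in the alert with what the CDRs show."""
    name, f = parse_event(payload)
    reported = int(f["value"])
    observed = longest_run(cdrs, f["user"], f["called_number"])
    return {"event": name, "rule_id": f.get("rule_id"),
            "reported": reported, "observed": observed,
            "ratio": reported / observed if observed else None,
            "mismatch": reported != observed}

if __name__ == "__main__":
    print(reconcile(SAMPLE_EVENT, SAMPLE_CDRS))
```

<p>A ratio that stays at exactly 2.0 across alerts points to each call being counted twice rather than to missing CDRs.</p>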