[OpenSIPS-Users] Fraud Detection Module - Double Counting Calls?

Wed Jan 8 12:56:29 EST 2020

Thanks Liviu,

Still working on switching to 2.4...have it in development and will test
that environment and try reproduce the issue there.

On Wed, Jan 8, 2020 at 11:41 AM Liviu Chircu <liviu at opensips.org> wrote:

> Hi Jonathan,
>
> I recall a recent series of fraud_detection fixes from September which
> include
> a seq_calls fix [1].  The issue fixed was that too many prefixes were
> matching
> and the stat would increase when it should not have.
>
> So I'm not sure if it fixes your problem, but I definitely recommend
> trying out
> the latest 2.4 fraud_detection, just to be sure the bug isn't fixed yet.
> The
> fixes did not make it to 2.3 since it was obsolete even then.
>
> Best regards,
>
> [1]: https://github.com/OpenSIPS/opensips/commit/3ac00a6d
>
> Liviu Chircu
> OpenSIPS Developeropensips-solutions.com
>
> OpenSIPS Summit, Amsterdam, May 2020
>   opensips.org/events/Summit-2020Amsterdam
> OpenSIPS Bootcamp, Miami, March 2020
>   opensips.org/training
>
> On 08.01.2020 18:27, Jonathan Mabrito wrote:
>
> Good Day All,
>
> We implemented the Fraud Detection module for our 2.3.6 setup in the
> spring. Works great, but I noticed something off with it last month that I
> cannot figure out. We started getting alerts about sequential calls that do
> not add up and match the CDR data from the accounting module. I do not want
> to post the CDR data, so hopefully descriptions are fine. Based on our set
> thresholds, I started getting alerts from the fraud triggered warnings (Use
> RabbitMQ to receive the messages and translate those messages into emails):
>
>   E_FRD_WARNING
>
> param::total calls
>
> value::12
>
> threshold::10
>
> user::18662710573
>
> called_number::99011966560690444
>
> rule_id::73
>
>
> The alert in that example said there were 12 sequential calls, but the CDR
> data only shows 6 sequential calls.  I started noticing this been the trend
> for other sequential patterns as well and verified this live by making a
> call and checking the stats with the "show_fraud_stats" command. If I place
> one call, the show command shows 2.
>
>
> I only check for fraud on the outbound side and this is my script snippet
> for outbound calls:
>
>
> #Check Blacklist
> xlog("Checking global blacklist \n");
> if (!check_blacklist("global_blacklist"))
> {
> send_reply("403", "Blacklisted");
> exit;
> }
>
> #Check for Fraud
> xlog("Checking for fraud \n");
> check_fraud("$fU", "$rU", "1");
>
> xlog("Call is an outbound call\n");
> xlog("Before DialPlan Normalization: $ru \n");
>
> if(dp_translate("0", "$rU/$rU")){
> xlog("SIP URI Normalized to $ru \n");
>
> #Find the best route in Dynamic Rule Table for Set 0
> if(!do_routing("0")){
> xlog("No route found for $ru in routing group 0 \n\n");
> send_reply("404", "No route found");
> exit;
> }
>
>
> //Ommited some other stuff
>
>
> t_relay();
> exit;
>
>
> I am not sure if this is just sequential issue or if CPM, etc are affected
> as well. Trying to determine that still.
>
> Any idea on this?
> --
> - Jonathan
>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

-- 
- Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20200108/1c2bdf27/attachment.html>