Anti-fraud: Difference between revisions

From VoIPmonitor.org
Latest revision as of 14:07, 10 November 2025

Anti-Fraud Rules

Anti-fraud rules are accessed via main menu Alerts > Anti Fraud. New rules are added on an ongoing basis to combat fraud and attacks; the rules currently available are listed below. Besides the standard email alert, each rule can run a custom script, for example to add a firewall rule or take any other action you need. Every alert is also archived in Sent Alerts.

List of Fraud/Watchdog Alerts

  • Realtime concurrent calls
  • SIP REGISTER flood / attack
  • SIP PACKETS flood / attack
  • Change CDR country
  • Change REGISTER country
  • Country/Continent destination
  • Watchdog (described on the Billing page)

Common Configuration

Shared across some rules:

  • Enable hyperlinks: the title of the email alert becomes an HTML link that opens the rule definition in the GUI.
  • IP include/exclude: exclude individual IP addresses or networks (e.g., 10.0.0.0/8), or select a predefined IP group.
  • Suppress repeating alerts: to avoid being spammed by the same condition, limit a rule to one alert per X hours.
  • Numbers include/exclude: by default no number filter is applied; you can exclude source numbers or prefixes, for example one general rule that alerts when any IP has more than 10 concurrent calls, with the numbers of specific customers excluded.
  • External script: path to a script on the server that is executed when the alert fires (see the examples below).
  • International prefixes configuration:
      • International prefixes: the list of prefixes that mark a dialed number as international (default: +, 00).
      • Min international length: a destination number shorter than this value is treated as local even if it carries an international prefix.
      • Local numbers are in: the country that local calls belong to, so that a number dialed with an international prefix but pointing to this country is still classified as local.
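The three international-prefix settings above decide which of the two concurrent-call limits (local or international) a destination counts against, so it is worth seeing the classification applied to real-looking numbers. The block below is an added example, not VoIPmonitor code: the setting names are the page's, but the matching order, the assumed minimum length of 9, the assumed local country 420 and the sample numbers are this example's own.

```python
# Added example (not VoIPmonitor code): local/international classification using the
# three "International prefixes configuration" settings named on this page.
# The settings are real; the exact matching order VoIPmonitor uses internally, and the
# sample numbers below, are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class PrefixConfig:
    international_prefixes: tuple = ("+", "00")  # page default
    min_international_length: int = 9            # assumed value for the "Min international length" field
    local_country_code: str = "420"              # assumed "Local numbers are in" = Czech Republic (E.164 code 420)


def normalize(number: str) -> str:
    """Drop separators a PBX may leave in the dialed string; keep digits and a leading '+'."""
    number = number.strip()
    plus = number.startswith("+")
    digits = "".join(ch for ch in number if ch.isdigit())
    return ("+" if plus else "") + digits


def strip_international_prefix(number: str, cfg: PrefixConfig):
    """Return (had_prefix, remainder). Longest prefix is tried first so '00' beats '0'."""
    for prefix in sorted(cfg.international_prefixes, key=len, reverse=True):
        if number.startswith(prefix):
            return True, number[len(prefix):]
    return False, number


def classify(number: str, cfg: PrefixConfig = PrefixConfig()) -> str:
    """Return 'local' or 'international' for one dialed destination."""
    number = normalize(number)
    had_prefix, rest = strip_international_prefix(number, cfg)
    if not had_prefix:
        return "local"            # dialed in national format
    if len(rest) < cfg.min_international_length:
        return "local"            # "Min international length": too short to be a foreign E.164 number
    if rest.startswith(cfg.local_country_code):
        return "local"            # "Local numbers are in": own country dialed with a prefix
    return "international"


def count_by_class(numbers, cfg: PrefixConfig = PrefixConfig()) -> dict:
    """Tally a list of destinations, the split the concurrent-calls limits are applied to."""
    counts = {"local": 0, "international": 0}
    for n in numbers:
        counts[classify(n, cfg)] += 1
    return counts


# Constructed sample destinations (not from the page)
SAMPLE_DESTINATIONS = [
    "601234567",         # national format                                   -> local
    "+420 601 234 567",  # own country with + prefix                         -> local
    "00420601234567",    # own country with 00 prefix                        -> local
    "+4915112345678",    # Germany                                           -> international
    "00112",             # 00-prefixed short code, under the minimum length  -> local
    "+1 555 0100",       # 8 digits after the prefix, also under the minimum -> local
]

if __name__ == "__main__":
    for n in SAMPLE_DESTINATIONS:
        print(f"{n:20} {classify(n)}")
    print(count_by_class(SAMPLE_DESTINATIONS))
```

The last sample shows the caveat: a minimum length set higher than the shortest genuine foreign numbers you route quietly moves those calls into the local bucket, where a higher concurrent-call limit usually applies. Lower the value (for example to 8) and the same number is classified as international.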

SIP REGISTER Flood/Attack

Triggers when the sniffer detects N or more registration attempts from one IP address within the configured interval.

Realtime Concurrent Calls

This rule (useful beyond fraud) works in realtime and is not based on CDRs: it tracks every source IP and counts its concurrent calls. Counting live calls rather than completed CDRs means an attack that opens many long-lasting channels at once is caught while it is in progress, not after the calls end. Parameters:

  • Concurrent calls limit: separate limits for international and local calls; the alert can fire only when the international limit is exceeded, only when the local limit is exceeded, or in either case.
  • Time period rules: the alert can behave differently during work hours and after hours. Time periods are defined in main menu Groups > Time Periods.

Change CDR Country

Triggers when the source IP of the newest CDR lies in a different country or continent than that of the previous call. Parameters:

  • Exclude countries from alert: countries listed here never trigger the alert.

Change REGISTER Country

Triggers when the latest SIP REGISTER for a username arrives from a different country or continent than that username's last successful registration. Parameters:

  • Exclude countries from alert: countries listed here never trigger the alert.

Country/Continent Destination

Triggers when a call is placed to a selected country or continent. The check is made on the first SIP INVITE rather than on the CDR, so the alert fires in realtime, while the call is still being set up.

SIP PACKETS Flood/Attack

Triggers when the sniffer detects N or more SIP packets from one IP address within the configured interval.
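The SIP REGISTER flood and SIP PACKETS flood rules share one condition: N or more events from a single IP inside the interval, optionally held down by the "suppress repeating alerts" setting. The detector below is an added example that models that condition over constructed log lines; it is not VoIPmonitor's implementation, and the page does not say whether the interval is a sliding or a fixed window, so the sliding window here is an assumption.

```python
# Added example (not VoIPmonitor's implementation): a per-IP sliding-window counter that
# models the "N or more events from one IP within the interval" condition shared by the
# SIP REGISTER flood and SIP PACKETS flood rules, plus the "suppress repeating alerts"
# hold-down from the common configuration. Whether VoIPmonitor uses a sliding or a fixed
# window is not stated on the page; sliding is an assumption. The log lines are constructed.
from collections import defaultdict, deque
from datetime import datetime


class FloodDetector:
    def __init__(self, threshold: int, interval_s: float, suppress_s: float = 0.0):
        self.threshold = threshold         # N
        self.interval = interval_s         # "set interval"
        self.suppress = suppress_s         # "suppress repeating alerts": one alert per this many seconds
        self._events = defaultdict(deque)  # ip -> timestamps of events still inside the window
        self._last_alert = {}              # ip -> timestamp of the last alert raised for it

    def observe(self, ip: str, ts: float) -> bool:
        """Record one event; return True if an alert should be raised now."""
        window = self._events[ip]
        window.append(ts)
        while window and ts - window[0] > self.interval:  # expire events older than the interval
            window.popleft()
        if len(window) < self.threshold:
            return False
        last = self._last_alert.get(ip)
        if last is not None and ts - last < self.suppress:
            return False                                    # still inside the hold-down
        self._last_alert[ip] = ts
        return True


def parse_line(line: str):
    """'<ISO time> <METHOD> <ip>' -> (epoch seconds, ip)."""
    when, _method, ip = line.split()
    return datetime.fromisoformat(when).timestamp(), ip


# Constructed sample: 203.0.113.7 bursts twice, 198.51.100.2 registers at a normal rate
SAMPLE_LOG = """\
2024-05-01T10:00:00 REGISTER 203.0.113.7
2024-05-01T10:00:00 REGISTER 198.51.100.2
2024-05-01T10:00:01 REGISTER 203.0.113.7
2024-05-01T10:00:02 REGISTER 203.0.113.7
2024-05-01T10:00:03 REGISTER 203.0.113.7
2024-05-01T10:00:04 REGISTER 203.0.113.7
2024-05-01T10:00:05 REGISTER 203.0.113.7
2024-05-01T10:00:06 REGISTER 203.0.113.7
2024-05-01T10:00:30 REGISTER 198.51.100.2
2024-05-01T10:01:00 REGISTER 198.51.100.2
2024-05-01T10:01:10 REGISTER 203.0.113.7
2024-05-01T10:01:11 REGISTER 203.0.113.7
2024-05-01T10:01:12 REGISTER 203.0.113.7
2024-05-01T10:01:13 REGISTER 203.0.113.7
2024-05-01T10:01:14 REGISTER 203.0.113.7
"""


def run(log: str, threshold=5, interval_s=10, suppress_s=60):
    """Feed log lines in order; return [(ip, time-of-alert)] for every alert raised."""
    det = FloodDetector(threshold, interval_s, suppress_s)
    alerts = []
    for line in log.splitlines():
        ts, ip = parse_line(line)
        if det.observe(ip, ts):
            alerts.append((ip, line.split()[0]))
    return alerts


if __name__ == "__main__":
    for ip, at in run(SAMPLE_LOG):
        print(f"ALERT {ip} at {at}")
```

With N=5, a 10 s interval and a 60 s hold-down the first burst raises one alert at 10:00:04 (the fifth attempt, so the condition is inclusive), the sixth and seventh attempts are suppressed, and the second burst a minute later raises a fresh alert. Set the hold-down to 0 and every attempt past the fifth produces its own alert, which is the spam the "suppress repeating alerts" setting exists to avoid.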

Examples of Custom Scripts

Getting Passed Arguments

Example script to log passed info:

#!/bin/bash
# append everything the alert passed on the command line to a log file; quote "$@" so
# the JSON argument is not word-split or glob-expanded by the shell
echo "$@" >> /tmp/passed_info.txt

The alert data is passed as a JSON document in the 4th argument ($4 in the shell); in PHP, decode it with json_decode($argv[4]).

Alert Type RTP

Example to store audio on RTP alert:

#!/usr/bin/php
<?php
#var_dump($argv);                     # uncomment to see everything the alert passes in
$directory = '/home/alerts/audio';    # where to store audio from alerts that triggered
$date      = date('Y-m-d');           # stored in a subdirectory named YYYY-MM-DD
$guiDir    = '/var/www/voipmonitor';  # where the GUI is installed
$destdir   = $directory.'/'.$date;
if (!is_dir($destdir) && !mkdir($destdir, 0750, true)) {
    fwrite(STDERR, "cannot create $destdir\n");
    exit(1);
}
$alert = json_decode($argv[4]);       # 4th argument carries the alert data as JSON
foreach ($alert->cdr as $cdr) {
    # GUI API request; replace admin/admin with a dedicated, least-privileged GUI user
    $params  = json_encode(array('task' => 'getVoiceRecording', 'user' => 'admin',
                                 'password' => 'admin', 'params' => array('cdrId' => (int)$cdr)));
    $outfile = $destdir.'/file_id_'.(int)$cdr.'.pcap';
    $command = 'echo '.escapeshellarg($params)." | php $guiDir/php/api.php > ".escapeshellarg($outfile);
    exec($command, $arr, $val);
    if ($val !== 0) fwrite(STDERR, "api.php failed for CDR $cdr (exit $val)\n");
}
?>

Example to block IP on remote host if > limit CDRs per caller IP:

#!/usr/bin/php
<?php
## Settings
$Limit = 19;                          # block an IP once it has more than this many matching CDRs
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose = 1;  # 1: dry run, only print what would be done; 0: run the block command and print nothing
$alertsData = json_decode($argv[4]);  # 4th argument carries the alert data as JSON
# prepare the list of CDR ids for the query; cast to int so nothing but numbers reaches SQL
$cdrIds = $alertsData->cdr;
$out = implode(',', array_map('intval', $cdrIds));
if ($out === '') exit;
$query = "select INET_NTOA(sipcallerip),count(*) as incidents from voipmonitor.cdr where id in ($out) group by INET_NTOA(sipcallerip) order by incidents desc\G";
# a password on the command line is visible in the process list; a ~/.my.cnf or --defaults-extra-file is the safer choice
$command = "mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e ".escapeshellarg($query);
## END of settings
# run the query and collect the \G (vertical) output
exec($command, $arr);
# parse results: each record is two lines, "INET_NTOA(sipcallerip): x.x.x.x" followed by "incidents: N"
$resultip  = array();
$resultcnt = array();
foreach ($arr as $nth => $line) {
        if (strpos($line, 'INET') === FALSE) continue;
        $resultip[]  = trim(substr($line, strpos($line, ":") + 1));
        $resultcnt[] = (int)trim(substr($arr[$nth+1], strpos($arr[$nth+1], ":") + 1));
}
# print IPs and counts, and block those over the limit
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
        if ($resultcnt[$n] > $Limit) {
                if ($verbose) echo "$ip : $resultcnt[$n], results in\n$blockCommand $ip\n\n";
                else exec($blockCommand.' '.escapeshellarg($ip), $ar, $rc);
        }
}
?>

Alert Type Realtime Concurrent Calls

Example to block IP on concurrent calls alert:

Note: the alert must be configured with type "By caller IP" so that the attacker's IP is passed to the script as an argument.

#!/usr/bin/php
<?php
#echo "DECODE PARENT INFO\n";
#print_r(json_decode($argv[2]));       # 2nd argument: info about the parent rule
#echo "DECODE RULES INFO\n";
$triggedRules = json_decode($argv[4]); # 4th argument: the rules that fired, one entry per trigger
# number of times each address tripped a rule
$IPtriggers = array();
foreach ($triggedRules as $rule) {                                  // for each triggered rule
        $keyIP = $rule->alert_info->ip;                             // source IP that triggered the rule, used as key
        $when  = $rule->at;                                         // when this rule triggered
#       $type = $rule->alert_info->local_international;             // which limit was exceeded: "local", "international" or "local & international"
#       if (!isset($rule->alert_info->timeperiod_name)) {           // name of the time-period rule that fired; unset means the main parent rule
#               $name = "Parent rule";
#       } else {
#               $name = $rule->alert_info->timeperiod_name;
#       }
#       print "\n\nName: $name\nat : $when\nType: $type";
        # accept only a syntactically valid IP address before it goes anywhere near a shell
        if (filter_var($keyIP, FILTER_VALIDATE_IP) === false) continue;
        if (!isset($IPtriggers[$keyIP])) {
                $IPtriggers[$keyIP] = 1;
        } else {
                $IPtriggers[$keyIP] += 1;
        }
}
#echo "\n\nShow how many rules these addresses triggered\n";
#print_r($IPtriggers);
#echo "Block all addresses that triggered any rule.\n";
foreach ($IPtriggers as $IPKey => $nmGuilt) {
#       echo "Blocking address: $IPKey\n";
        passthru('iptables -A INPUT -s '.escapeshellarg($IPKey).' -j DROP', $ret);
        if ($ret != 0) {
                echo "Problem setting firewall!\n";
                exit(1);
        }
}
?>
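A custom alert script can be written in any language, since VoIPmonitor only hands it positional arguments. The block below is an added example in Python, not one of the page's PHP scripts: it handles the two payload shapes the page shows in the 4th argument (a list of triggered rules with alert_info.ip for a Realtime concurrent calls alert grouped "By caller IP", and a list of CDR ids under "cdr" for CDR-based alerts such as the remote ipset script above), validates every IP and CDR id before it reaches a firewall command or a SQL IN clause, keeps the script's own networks out of the block list, and supports a dry run. The field names come from the page; the never-block networks, the ipset set name, the environment variables and the sample payloads are this example's assumptions and constructed data.

```python
#!/usr/bin/env python3
# Added example in Python, not the page's PHP scripts: a custom alert script that handles the
# JSON VoIPmonitor passes in the 4th argument, for the two payload shapes shown on this page:
# a list of triggered rules with alert_info.ip (Realtime concurrent calls, "By caller IP") and
# a list of CDR ids under "cdr" (CDR-based alerts). Field names come from the page; the trusted
# networks, the ipset set name and the sample payloads are assumptions/constructed data.
import ipaddress
import json
import os
import subprocess
import sys

# Assumed: networks that must never be blocked (own PBX/trunk ranges), the "IP exclude" idea
NEVER_BLOCK = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24"))


def triggers_per_ip(payload: str, never_block=NEVER_BLOCK) -> dict:
    """Count how many triggered rules each caller IP appears in, keeping only valid, blockable IPs."""
    counts = {}
    for rule in json.loads(payload):
        raw = (rule.get("alert_info") or {}).get("ip")
        try:
            ip = ipaddress.ip_address(raw)         # rejects anything that is not a bare IP literal
        except (TypeError, ValueError):
            continue                               # never let an unvalidated string reach the firewall
        if any(ip in net for net in never_block):
            continue
        counts[str(ip)] = counts.get(str(ip), 0) + 1
    return counts


def block_commands(counts: dict, backend: str = "iptables") -> list:
    """One argv list per IP; argv form means no shell and no quoting problems."""
    cmds = []
    for ip in sorted(counts):
        if backend == "ipset":
            cmds.append(["ipset", "add", "blacklist", ip, "-exist"])   # "-exist": idempotent re-add
        else:
            cmds.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds


def cdr_ids_for_sql(payload: str) -> str:
    """Validated, comma-joined CDR ids for an 'id IN (...)' clause; raises on anything non-numeric."""
    ids = json.loads(payload)["cdr"]
    if not all(isinstance(i, int) or (isinstance(i, str) and i.isdigit()) for i in ids):
        raise ValueError("non-numeric CDR id in alert payload")
    return ",".join(str(int(i)) for i in ids)


# Constructed payloads, not captured from a live VoIPmonitor
SAMPLE_RULES = json.dumps([
    {"at": "2024-05-01 10:00:04", "alert_info": {"ip": "203.0.113.7", "local_international": "international"}},
    {"at": "2024-05-01 10:00:09", "alert_info": {"ip": "203.0.113.7", "timeperiod_name": "after hours"}},
    {"at": "2024-05-01 10:00:10", "alert_info": {"ip": "10.1.2.3"}},                  # own network: skipped
    {"at": "2024-05-01 10:00:11", "alert_info": {"ip": "198.51.100.2; rm -rf /"}},   # not an IP: skipped
])
SAMPLE_CDR = json.dumps({"cdr": [1001, 1002, "1003"]})


def main(argv):
    # VoIPmonitor supplies the positional arguments; argv[4] is the alert data (argv[2]: parent rule info)
    counts = triggers_per_ip(argv[4]) if len(argv) > 4 else {}
    for cmd in block_commands(counts, backend=os.environ.get("ALERT_BACKEND", "iptables")):
        if os.environ.get("ALERT_DRY_RUN"):
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter here. The firewall command is built as an argument list and run without a shell, so a malformed or hostile "ip" value cannot become extra shell syntax; the page's PHP scripts interpolate the value into a command string, which is why they need escaping. And the never-block list guards against the most common self-inflicted outage with automatic blocking, the rule firing on your own trunk or PBX address and the script locking it out.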

AI Summary for RAG

Summary: This article details VoIPmonitor's anti-fraud rules for detecting attacks like floods, concurrent calls, and country changes. It covers common configs, specific rule parameters, custom scripts for actions, and examples for RTP and concurrent calls alerts.

Keywords: anti-fraud rules, fraud alerts, watchdog, concurrent calls, SIP REGISTER flood, SIP PACKETS flood, country change, custom scripts, international prefixes, time periods

Key Questions:

  • What anti-fraud rules are available in VoIPmonitor?
  • How do common configurations like IP exclude or suppress alerts work?
  • What triggers a SIP REGISTER flood alert?
  • How does realtime concurrent calls tracking function?
  • What are examples of custom scripts for alerts?
  • How to configure international call detection?