Anti-fraud: Difference between revisions
No edit summary |
|||
(16 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
Anti-fraud rules are in main menu Alerts / Anti fraud. We are continuously adding more rules to combat fraud / attacks and as of now you can use following rules. Each fraud alert also implements custom script which can be used to automatically run firewall rule or any action you like besides the standard email alert. Each alert is also archived in Sent alerts. | Anti-fraud rules are in main menu Alerts / Anti fraud. We are continuously adding more rules to combat fraud / attacks and as of now you can use following rules. Each fraud alert also implements custom script which can be used to automatically run firewall rule or any action you like besides the standard email alert. Each alert is also archived in Sent alerts. | ||
= List of fraud alerts = | = List of fraud / watchdog alerts = | ||
* Realtime concurrent calls | * Realtime concurrent calls | ||
Line 9: | Line 9: | ||
* change register country | * change register country | ||
* country/continent destination | * country/continent destination | ||
* [[Billing#Watchdog]] | |||
Some fraud rules have common configuration | = Some fraud rules have common configuration = | ||
Line 18: | Line 19: | ||
* Numbers include/exclude - by default there is no tel. number filter and you can exclude some source number / prefixes. For example you want to have one general rule to be alerted if any IP will have more than 10 concurrent calls expect for some customer with some numbers. | * Numbers include/exclude - by default there is no tel. number filter and you can exclude some source number / prefixes. For example you want to have one general rule to be alerted if any IP will have more than 10 concurrent calls expect for some customer with some numbers. | ||
* external script - path to the script on the server which will be executed. | * external script - path to the script on the server which will be executed. | ||
* international prefixes configuration | * international prefixes configuration | ||
** international prefixes - to distinguish between local and international calls you have to add here list of prefixes. Default are +, 00 | ** international prefixes - to distinguish between local and international calls you have to add here list of prefixes. Default are +, 00 | ||
Line 24: | Line 25: | ||
** local numbers are in - select the country to which local calls belongs. This will allow to classify calls with international prefix as a local number. | ** local numbers are in - select the country to which local calls belongs. This will allow to classify calls with international prefix as a local number. | ||
Alert is triggered when sniffer detects >= N number of registration attempts from some IP during set interval. | |||
= SIP REGISTER flood / attack = | |||
Alert is triggered when sniffer detects >= N number of registration attempts from some IP during set interval. | |||
= Realtime concurrent calls = | = Realtime concurrent calls = | ||
Line 33: | Line 36: | ||
* Concurrent calls limit - You can choose to trigger alert only if international calls is over the limit or only local calls or both calls. | * Concurrent calls limit - You can choose to trigger alert only if international calls is over the limit or only local calls or both calls. | ||
* Time period rules - you can limit that the alert will work differently during work hours and after hours. Time periods are defined in Main menu -> | * Time period rules - you can limit that the alert will work differently during work hours and after hours. Time periods are defined in Main menu -> Groups -> Time periods | ||
= change cdr country = | = change cdr country = | ||
Line 50: | Line 53: | ||
= SIP PACKETS flood attack = | = SIP PACKETS flood attack = | ||
Alert is triggered when sniffer detects >= N number of packets from some IP during set interval. | Alert is triggered when sniffer detects >= N number of packets from some IP during set interval. | ||
= Examples of custom scripts = | |||
== Getting passed arguments == | |||
'''Example of a simple script for getting info that is passed with any alert to your custom script''' | |||
#!/bin/bash | |||
echo $@ >> /tmp/passed_info.txt | |||
You can then use php function '''json_decode($argv[4])''' on 4th argument to get data result | |||
== Alert type RTP == | |||
'''Example of a script for storing audio to different dir when RTP alert is triggered''' | |||
#!/usr/bin/php | |||
<?php | |||
#var_dump($argv); | |||
$directory='/home/alerts/audio'; #where to store audio from alerts that triggered? | |||
$date=trim(`date '+%Y-%m-%d'`); #It will be stored to subdir date in this format YYYY-MM-DD | |||
$guiDir='/var/www/voipmonitor'; #where is GUI installed | |||
$destdir=$directory.'/'.$date; | |||
`mkdir -p $destdir`; | |||
$alert= json_decode($argv[4]); | |||
foreach ($alert->cdr as $cdr) { | |||
$params = '{\"task\":\"getVoiceRecording\", \"user\": \"admin\", \"password\": \"admin\", \"params\": {\"cdrId\": "'.$cdr.'"}}'; | |||
$command = "php $guiDir/php/api.php > $destdir/file_id_$cdr.pcap"; | |||
exec( "echo $params | $command", $arr, $val); | |||
} | |||
?> | |||
'''Example of a script for blocking the IP on remote host using ssh, when single IP had more CDRs matching the alert's filter (group by caller IP) then set by limit''' | |||
#!/usr/bin/php | |||
<?php | |||
## Settings | |||
$Limit = 19; | |||
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist"; | |||
$verbose = 1; #1 set: script will do nothing just print results, 0 set: script will do the command and print nothing to stdout | |||
$alertsData=(json_decode($argv[4])); | |||
#prepare string of CDRsIDs for query command | |||
$cdrIds=$alertsData->cdr; | |||
$out=''; | |||
foreach ($cdrIds as $id) $out .= "$id,"; | |||
$out = substr($out,0,-1); | |||
$query="select INET_NTOA(sipcallerip),count(*) as incidents from voipmonitor.cdr where id in (".$out.") group by INET_NTOA(sipcallerip) order by incidents desc\G"; | |||
$command="mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e '$query'"; | |||
## END of settings | |||
#call query and get results | |||
exec($command, $arr); | |||
#parse results | |||
$resultip=array(); | |||
foreach ($arr as $nth => $line) { | |||
if (strpos($line,'INET') === FALSE) continue; | |||
$pos=strpos($line,":"); | |||
$resultip[]=substr($line,$pos+2); | |||
$resultcnt[]=substr($arr[$nth+1],strpos($arr[$nth+1],":")+2); | |||
} | |||
#print ips and counts if exists and exceeded limit | |||
if (!count($resultip)) exit; | |||
foreach ($resultip as $n => $ip) { | |||
if ($resultcnt[$n] > $Limit) { | |||
if ($verbose) echo ("$ip : $resultcnt[$n], results in\n$blockCommand $ip\n\n"); | |||
else exec ($blockCommand." $ip",$ar,$rc); | |||
} | |||
} | |||
?> | |||
== Alert type Realtime concurent calls== | |||
'''Example of a script for blocking IP address when trgiggered by concurrent calls alert''' | |||
Note: you need in alert's setting use type By 'caller IP' to pass IP of attacker as an argument: | |||
#!/usr/bin/php | |||
<?php | |||
#echo "DECODE PARENT INFO\n"; | |||
#print_r(json_decode($argv[2])); | |||
#echo "DECODE RULES INFO\n"; | |||
$triggedRules = json_decode($argv[4]); | |||
#number of tresspass of address | |||
$IPtriggers=array(); | |||
foreach ( $triggedRules as $rule ) { //for each triggererd rule | |||
$keyIP = $rule->alert_info->ip; //get 'source ip which triggered rule' will used as key. | |||
$when = $rule->at; //get 'when this rule triggered?' | |||
# $type = $rule->alert_info->local_international; //get type enum 'was "local" or "international" or "local & international" limits exceeded?' | |||
# if (!isset ( $rule->alert_info->timeperiod_name )) { //get name of time-period rule which was triggered, if name isn't set its main parent rule. | |||
# $name = "Parent rule"; | |||
# } else { | |||
# $name = $rule->alert_info->timeperiod_name; | |||
# } | |||
# print "\n\nName: $name\nat : $when\nType: $type"; | |||
if ( !isset ( $IPtriggers[$keyIP] )) { | |||
$IPtriggers[$keyIP] = 1; | |||
} else { | |||
$IPtriggers[$keyIP] += 1; | |||
} | |||
} | |||
#echo "\n\nShow how many rules theese Adressess triggered?\n"; | |||
#print_r ($IPtriggers); | |||
#echo "Block all adresses that trigged any rule.\n"; | |||
foreach ( $IPtriggers as $IPKey => $nmGuilt ) { | |||
# echo "Blocking address: $IPKey\n"; | |||
passthru ('iptables -A INPUT -s '.$IPKey.' -j DROP', $ret); | |||
if ( $ret <> 0 ) { | |||
echo ("Problem setting firewall!\n"); | |||
exit (1); | |||
} | |||
} | |||
?> |
Latest revision as of 14:05, 30 November 2021
Anti-fraud rules are in main menu Alerts / Anti fraud. We are continuously adding more rules to combat fraud / attacks and as of now you can use following rules. Each fraud alert also implements custom script which can be used to automatically run firewall rule or any action you like besides the standard email alert. Each alert is also archived in Sent alerts.
List of fraud / watchdog alerts
- Realtime concurrent calls
- SIP REGISTER flood / attack
- SIP PACKETS flood / attack
- change cdr country
- change register country
- country/continent destination
- Billing#Watchdog
Some fraud rules have common configuration
- Enable hyperlinks - in the email alert the title will be html hyperlink which transfer you to rule definition
- IP include/exclude - you can exclude some list of IP addresses or IP networks (ex.: 10.0.0.0/8) or you can use IP groups and select it.
- suppress repeating alerts - to prevent spamming you from repeating alerts you can limit that the rule will sent alert only once per X hours.
- Numbers include/exclude - by default there is no tel. number filter and you can exclude some source number / prefixes. For example you want to have one general rule to be alerted if any IP will have more than 10 concurrent calls expect for some customer with some numbers.
- external script - path to the script on the server which will be executed.
- international prefixes configuration
- international prefixes - to distinguish between local and international calls you have to add here list of prefixes. Default are +, 00
- min international length - if destination number is less then this value it will be not treated as international but local.
- local numbers are in - select the country to which local calls belongs. This will allow to classify calls with international prefix as a local number.
SIP REGISTER flood / attack
Alert is triggered when sniffer detects >= N number of registration attempts from some IP during set interval.
Realtime concurrent calls
This anti-fraud rule (and the purpose is not only for fraud) works in realtime and it is not based on CDR. It tracks each source IP and count number of concurrent call. The advantage of tracking concurrent calls in realtime and not based on CDR is obvious and it helps to compete attacks which creates many channels at the same time with long duration. You can set this parameters:
- Concurrent calls limit - You can choose to trigger alert only if international calls is over the limit or only local calls or both calls.
- Time period rules - you can limit that the alert will work differently during work hours and after hours. Time periods are defined in Main menu -> Groups -> Time periods
change cdr country
Alert is triggered when the last CDR changes IP source which is in different country or continent since last call. You can set this parameters:
- Exclude country form alert: you can whitelist certain countries which will not trigger the alert.
change register country
Alert is triggered when the last SIP REGISTRATION for some username changes country or continent since last successful registration.
- Exclude country form alert - you can whitelist certain countries which will not trigger the alert.
country/continent destination
Alert is triggered when someone is calling to specific country or continent. This alert is based on first SIP INVITE and not from CDR thus it works in realtime.
SIP PACKETS flood attack
Alert is triggered when sniffer detects >= N number of packets from some IP during set interval.
Examples of custom scripts
Getting passed arguments
Example of a simple script for getting info that is passed with any alert to your custom script
#!/bin/bash echo $@ >> /tmp/passed_info.txt
You can then use php function json_decode($argv[4]) on 4th argument to get data result
Alert type RTP
Example of a script for storing audio to different dir when RTP alert is triggered
#!/usr/bin/php <?php #var_dump($argv); $directory='/home/alerts/audio'; #where to store audio from alerts that triggered? $date=trim(`date '+%Y-%m-%d'`); #It will be stored to subdir date in this format YYYY-MM-DD $guiDir='/var/www/voipmonitor'; #where is GUI installed $destdir=$directory.'/'.$date; `mkdir -p $destdir`; $alert= json_decode($argv[4]); foreach ($alert->cdr as $cdr) { $params = '{\"task\":\"getVoiceRecording\", \"user\": \"admin\", \"password\": \"admin\", \"params\": {\"cdrId\": "'.$cdr.'"}}'; $command = "php $guiDir/php/api.php > $destdir/file_id_$cdr.pcap"; exec( "echo $params | $command", $arr, $val); } ?>
Example of a script for blocking the IP on remote host using ssh, when single IP had more CDRs matching the alert's filter (group by caller IP) then set by limit
#!/usr/bin/php <?php ## Settings $Limit = 19; $blockCommand = "ssh root@pbx -p2112 ipset add blacklist"; $verbose = 1; #1 set: script will do nothing just print results, 0 set: script will do the command and print nothing to stdout $alertsData=(json_decode($argv[4])); #prepare string of CDRsIDs for query command $cdrIds=$alertsData->cdr; $out=; foreach ($cdrIds as $id) $out .= "$id,"; $out = substr($out,0,-1); $query="select INET_NTOA(sipcallerip),count(*) as incidents from voipmonitor.cdr where id in (".$out.") group by INET_NTOA(sipcallerip) order by incidents desc\G"; $command="mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e '$query'"; ## END of settings #call query and get results exec($command, $arr); #parse results $resultip=array(); foreach ($arr as $nth => $line) { if (strpos($line,'INET') === FALSE) continue; $pos=strpos($line,":"); $resultip[]=substr($line,$pos+2); $resultcnt[]=substr($arr[$nth+1],strpos($arr[$nth+1],":")+2); } #print ips and counts if exists and exceeded limit if (!count($resultip)) exit; foreach ($resultip as $n => $ip) { if ($resultcnt[$n] > $Limit) { if ($verbose) echo ("$ip : $resultcnt[$n], results in\n$blockCommand $ip\n\n"); else exec ($blockCommand." $ip",$ar,$rc); } } ?>
Alert type Realtime concurent calls
Example of a script for blocking IP address when trgiggered by concurrent calls alert
Note: you need in alert's setting use type By 'caller IP' to pass IP of attacker as an argument:
#!/usr/bin/php <?php #echo "DECODE PARENT INFO\n"; #print_r(json_decode($argv[2])); #echo "DECODE RULES INFO\n"; $triggedRules = json_decode($argv[4]); #number of tresspass of address $IPtriggers=array(); foreach ( $triggedRules as $rule ) { //for each triggererd rule $keyIP = $rule->alert_info->ip; //get 'source ip which triggered rule' will used as key. $when = $rule->at; //get 'when this rule triggered?' # $type = $rule->alert_info->local_international; //get type enum 'was "local" or "international" or "local & international" limits exceeded?' # if (!isset ( $rule->alert_info->timeperiod_name )) { //get name of time-period rule which was triggered, if name isn't set its main parent rule. # $name = "Parent rule"; # } else { # $name = $rule->alert_info->timeperiod_name; # } # print "\n\nName: $name\nat : $when\nType: $type"; if ( !isset ( $IPtriggers[$keyIP] )) { $IPtriggers[$keyIP] = 1; } else { $IPtriggers[$keyIP] += 1; } } #echo "\n\nShow how many rules theese Adressess triggered?\n"; #print_r ($IPtriggers); #echo "Block all adresses that trigged any rule.\n"; foreach ( $IPtriggers as $IPKey => $nmGuilt ) { # echo "Blocking address: $IPKey\n"; passthru ('iptables -A INPUT -s '.$IPKey.' -j DROP', $ret); if ( $ret <> 0 ) { echo ("Problem setting firewall!\n"); exit (1); } } ?>