Asterisk pattern matching

tlum · September 25, 2014, 11:32pm

I’ve been using rules in extensions_custom.conf to black list phone spammers… this works quite well. The below is a truncated example of how I do this. This works based on the most to least specificity order of precedence… basically a call falls through the basic North American number plan format unless it matches a more specific rule. This works fine, that’s not really the issue, just the content of the question.

exten => _X./_NXXNXXXXXX,1,NoOp()
exten => _X./_1NXXNXXXXXX,1,NoOp()
exten => _X.,1,Hangup(21)

exten => _X./_2012052427,1,Hangup(21)
exten => _X./_2012412388,1,Hangup(21)
exten => _X./_2012433364,1,Hangup(21)

So, now someone has started hammering with a CID for directory assistance; i.e. 6105556769, 6095556769, etc.

I’ve tried

exten => _X./_XXX555XXXX,1,Hangup(21)

but I don’t ever get a match. I’m guessing it’s because either I can’t match in the middle, or that isn’t how it should be done. So far I haven’t found enough details on match patterns to figure out middle of the string stuff like this. Does anyone know how I’d be able to match patterns in the middle like this? -TIA-

P.S. Nust noticed that maybe I should try

exten => _X./_NXX555XXXX,1,Hangup(21)

and see what happens.

dicko · September 26, 2014, 12:12am

The number should be matched without a wild card _ needed, try:-

exten => _X./NXX555XXXX,1,Hangup(21)

But surely you need to discover who is hammering and deny them at your point of ingress.

tlum · September 26, 2014, 5:33am

Thanks, I’ll try that.

Wish I knew who was doing it; I’d send the FBI after them. But tracing inbound SIP calls with forged CID is next to imposable unless you’re law enforcement.

david55 · September 26, 2014, 9:39am

The _ is needed for N and X to match.

Candidate pattern matches are not processed in the order in which they are coded, but purely in an order based on the number in the pattern. The order is based on a left to right match, but with wildcards sorting after simple digits and wildcards with more allowed digit values sorting after ones with lower ones. As such, your X makes its less specific than the accept rule for _NX… You will need to replace the relevant Xs by Ns, and possibly include variant patterns to cover the digits not covered by X.

The IP address of the attacker is available, even if you can’t trace the ISP, although a really sophisticated attack will be distributed, using a botnet.

tlum · September 27, 2014, 11:15am

So, what you’re saying in a middle is not possible, basically?

What I need to match is:

and there is no way to do that with a single statement?.. I’d potentially need to list all 1000 of them?

Also, the calls are being delivered by the provider, this is not a direct attack on the PBX IP, only the provider IP has access to the PBX. The problem is, the CID is forged so who know where the origin is. The provider would need to track it upstream. I lack the subpoena power to do this.

david55 · September 27, 2014, 11:44am

Not millions. I imagine that:

_NXX555.

and

_1XX555.

would cover it. The _0XX555. case is already covered by your general rules.

david55 · September 27, 2014, 11:48am

More generally, you can always use ExecIf with substrings and/or Unix type regular expression matches.