Hi Just extracted from squid access.log
1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html 1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html 1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html This is the alert that is generated from it: Received From: (proxy) 10.0.0.55->/var/log/squid/access.log Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden file or directory from same source ip." Portion of the log(s): About the upgrade, I'm doing it right now. On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote: > > On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena > <req...@gmail.com<javascript:>> > wrote: > > Hi, > > > > I'm trying to customize the behavior of the rule 35051 > > (squid_rules.xml) in order to not have it fired if someone tries to > access > > facebook website. > > This rule keeps annoying me, because Facebook "like" button is > > EVERYWHERE and my proxy server blocks it. > > I wrote this piece of rule on my local_rules.xml but with no > success. > > > > <rule id="100060" level="0"> > > <if_sid>35051</if_sid> > > <match>.facebook.com/</match> > > <description>Squid cache report</description> > > </rule> > > > > Does anybody have the same problem? I'm I doing something wrong? > > I appreciate any help. > > > > Regards. > > > > Can you provide a log sample? > > > ps: I'm using Ossec Server v2.5.1 > > Upgrade. >