Hi
Just extracted from squid access.log
1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
This is the alert that is generated from it:
Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden file or directory from same source ip."
Portion of the log(s):
About the upgrade, I'm doing it right now.
On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
>
> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <[email protected]> wrote:
> > Hi,
> >
> > I'm trying to customize the behavior of the rule 35051
> > (squid_rules.xml) in order to not have it fired if someone tries to access
> > facebook website.
> > This rule keeps annoying me, because Facebook "like" button is
> > EVERYWHERE and my proxy server blocks it.
> > I wrote this piece of rule on my local_rules.xml but with no success.
> >
> > <rule id="100060" level="0">
> > <if_sid>35051</if_sid>
> > <match>.facebook.com/</match>
> > <description>Squid cache report</description>
> > </rule>
> >
> > Does anybody have the same problem? Am I doing something wrong?
> > I appreciate any help.
> >
> > Regards.
> >
>
> Can you provide a log sample?
>
> > ps: I'm using Ossec Server v2.5.1
>
> Upgrade.
>
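
Added example, not part of the original thread: a quick check of the posted `<match>` string against the posted Squid lines, showing that a blocked CONNECT request is logged as `host:443` with no trailing slash. It assumes `<match>` behaves as a plain substring test; the function names are hypothetical, and the sample lines are the excerpt above with the wrapped lines rejoined.

```python
"""Check candidate OSSEC <match> strings against Squid access.log lines."""

# Constructed sample: three of the lines posted in the thread, rejoined.
SAMPLE_LOG = """\
1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
"""

# Squid native log format: ten whitespace-separated fields.
FIELDS = ("time", "elapsed", "client", "result", "size",
          "method", "url", "user", "hier", "mime")

def parse_line(line):
    """Return a dict for one native-format line, or None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["action"], _, rec["status"] = rec["result"].partition("/")
    return rec

def denied(log_text):
    """Yield (raw_line, record) for every TCP_DENIED/403 entry."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "TCP_DENIED" and rec["status"] == "403":
            yield line, rec

def coverage(pattern, log_text):
    """Return (hits, total): denied lines containing pattern as a substring."""
    rows = list(denied(log_text))
    return sum(1 for line, _ in rows if pattern in line), len(rows)

def url_forms(log_text):
    """Group the logged request targets by HTTP method."""
    forms = {}
    for _, rec in denied(log_text):
        forms.setdefault(rec["method"], set()).add(rec["url"])
    return forms

if __name__ == "__main__":
    # The first pattern is the one from the posted rule; the others are
    # alternatives that do occur in the CONNECT lines.
    for pat in (".facebook.com/", ".facebook.com:443", ".facebook.com"):
        hits, total = coverage(pat, SAMPLE_LOG)
        print(f"{pat!r}: matches {hits} of {total} denied lines")
    print(url_forms(SAMPLE_LOG))
```

This only tests the string against the raw log lines; it does not model how OSSEC evaluates a child rule of the composite rule 35051.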