cscli parsers install crowdsecurity/nextcloud-whitelist
Contacts has an issue with excessive 404 response codes when a user image is missing (upstream issue).
On first load, the Photos app calls a preview endpoint; if it fails to load, it will trigger http-probing.
When opening the Photos app, multiple requests for images are made very quickly. Since they are not marked as images (ending in png, jpg, etc.), this can trigger HTTP crawl non statics.
When loading backups for a file, if those backups have been modified or deleted (by the OS or the user), it can easily trigger http-probing.
The /core/preview endpoint returns 404 if a file has no thumbnail (including files which aren't meant to have one, like XMLs). This can trigger http-probing when using the file search bar.
When previews are missing for files in the trash bin, a 404 error is returned which triggers http probing.
In rare cases, http-probing will be triggered when opening multiple folders quickly: Nextcloud checks for a readme.md file, and if it doesn't exist a 404 error is thrown.
When uploading files via WebDAV, a PROPFIND request is sent to the server, which returns 404 if the file does not exist. Then the file is created. Uploading more than 10 files at a time will trigger http-probing.
When syncing a large number of files via WebDAV, it could trigger http-probing, so the expression also whitelists 200 response codes.
When files shared via federation are reshared, the federated instance can scan each directory with a PROPFIND to find a readme.md file, even if it doesn't exist.
Whilst browsing deleted files in the trashbin, a 404 error is thrown when a file has no preview thumbnail. This can trigger http-probing.
Whilst browsing bookmarks a 404 response could be sent if the bookmarked page had no favicon or image attached.
Whilst browsing a private folder in the Bookmarks app, a 404 response could be sent if the bookmarked page had no publictoken generated.
When sharing a file, a 404 error is thrown when a file has no preview thumbnail. This can trigger http-probing.
When pushing changes to a text session, a 403 error is thrown if the user session has expired.
name: crowdsecurity/nextcloud-whitelist
description: "Whitelist events from nextcloud"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Nextcloud Whitelist"
  expression:
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.file_ext == '.vcf' && evt.Parsed.http_args contains "photo" #Contacts app .vcf missing photo
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_versions/preview' && evt.Parsed.http_args contains 'version' #Backup app missing file version
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains 'x' && evt.Parsed.http_args contains 'y' #Photo app loads all previews as small panes, but can 404
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request contains '/core/preview' && evt.Parsed.http_args contains 'x=' && evt.Parsed.http_args contains 'y=' && evt.Parsed.http_args contains 'fileId=' #File preview often 404s while searching
    - evt.Meta.http_status in ['404', '200'] && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'PROPFIND' && evt.Parsed.file_dir startsWith '/public.php/webdav/' && lower(evt.Parsed.file_name) in ['readme.md', 'lisez%20moi.md'] # Resharing scans for readme to check existence
    - evt.Meta.http_status in ['200', '204', '404', '400'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '/apps/mail/api/avatars/(url|image)/' #When loading mail contacts the avatars may get 404, or if you have a lot of contacts, it may trigger crawl-non-static
    - evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Nextcloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets.
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request matches '/ocs/v2.php/apps/text(/public)?/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Nextcloud Files that don't contain a readme.md 404 error is thrown
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_trashbin/preview' && evt.Parsed.http_args contains 'fileId=' # 404 error thrown when preview is missing for files in trash bin
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '\\/apps\\/files\\/api\\/v1\\/thumbnail\\/(\\d+)/(\\d+)'
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/bookmarks/bookmark' && (evt.Meta.http_path endsWith 'favicon' || evt.Meta.http_path endsWith 'image') #When loading NC bookmarks: some entries might have no favicon or no image
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/bookmarks/folder' && evt.Meta.http_path endsWith 'publictoken' #When loading NC bookmarks: private folders have no publictoken
    - evt.Meta.http_status == '403' && evt.Meta.http_verb in ['GET', 'PUT'] && evt.Meta.http_path matches '\\/apps\\/mail\\/api\\/messages\\/(\\d+)\\/(flags|dkim|itineraries)' #When loading mail messages, some requests are forbidden due to message deletion by another user in shared inboxes
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_sharing/publicpreview' && evt.Parsed.http_args matches 'x=\\d+' && evt.Parsed.http_args matches 'y=\\d+' #Public preview thumbnail in files sharing app can 404 if file cannot be a thumbnail
    - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path matches '\\/apps\\/text\\/session\\/(\\d+)\\/push' #When attempting to push changes to a session that has expired
    - evt.Meta.http_status == '304' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/avatar' #When loading avatars in Nextcloud Talk, the request may return a 304 Not Modified if the avatar has not changed
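To check which access-log lines this whitelist would exempt and which still reach the scenarios, the sketch below re-states four of the expressions above as Python predicates and runs them over constructed log lines. It is an added example, not CrowdSec code: the log regex, the rule names and the mapping of evt.Meta.http_path to the URL path and evt.Parsed.http_args to the query string are assumptions.

```python
import re
from urllib.parse import urlsplit

# Simplified model of a "combined" access-log line (assumption, not CrowdSec's grok).
LOG_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def parse(line):
    """Return the fields the whitelist reads: verb, status, path, args."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    parts = urlsplit(m["uri"])
    return {"verb": m["verb"], "status": m["status"],
            "path": parts.path, "args": parts.query}

# Python re-statements of four expressions from the YAML above (approximation).
RULES = {
    "core-preview": lambda e: e["status"] == "404" and e["verb"] == "GET"
        and "/core/preview" in e["path"]
        and all(k in e["args"] for k in ("x=", "y=", "fileId=")),
    "webdav": lambda e: e["status"] in ("404", "200")
        and e["verb"] in ("PROPFIND", "GET")
        and re.search(r"^/remote.php/(web)?dav/", e["path"]) is not None,
    "trashbin-preview": lambda e: e["status"] == "404" and e["verb"] == "GET"
        and "/apps/files_trashbin/preview" in e["path"] and "fileId=" in e["args"],
    "text-session-push": lambda e: e["status"] == "403" and e["verb"] == "POST"
        and re.search(r"/apps/text/session/(\d+)/push", e["path"]) is not None,
}

def whitelisted_by(line):
    """Name of the first matching rule, or None if the event reaches scenarios."""
    evt = parse(line)
    if evt is None:
        return None
    return next((name for name, rule in RULES.items() if rule(evt)), None)

# Constructed sample lines (documentation IP range, not real traffic).
SAMPLES = [
    '192.0.2.10 - alice [01/Jan/2025:10:00:00 +0000] "PROPFIND /remote.php/dav/files/alice/new.txt HTTP/1.1" 404 250 "-" "client"',
    '192.0.2.10 - alice [01/Jan/2025:10:00:01 +0000] "GET /core/preview?fileId=42&x=250&y=250 HTTP/1.1" 404 0 "-" "browser"',
    '192.0.2.10 - - [01/Jan/2025:10:00:02 +0000] "GET /core/preview?file=/a.xml HTTP/1.1" 404 0 "-" "browser"',
    '192.0.2.10 - alice [01/Jan/2025:10:00:03 +0000] "POST /apps/text/session/7/push HTTP/1.1" 403 0 "-" "browser"',
    '192.0.2.99 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "scanner"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(whitelisted_by(s) or "not whitelisted", "|", s.split('"')[1])
```

On a real install, `cscli explain` shows how the installed parsers and this whitelist treat an actual log line.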