From a6668f37d099e7e02378afa0192ecfc5ed694ddc Mon Sep 17 00:00:00 2001
From: Laurence Jones
Date: Wed, 14 Dec 2022 12:05:32 +0000
Subject: [PATCH] Nextcloud whitelist (#609)
* start nextcloud whitelsit
* update
* Update filter and parser assert
* Nextcloud latest flags as 403
* Add whitelist to nextcloud collection
* Add link to upstream issue
---
 .tests/nextcloud-whitelist/config.yaml | 15 +++
 .../nextcloud-whitelist.log | 1 +
 .tests/nextcloud-whitelist/parser.assert | 124 ++++++++++++++++++
 .tests/nextcloud-whitelist/scenario.assert | 0
 collections/crowdsecurity/nextcloud.yaml | 1 +
 .../crowdsecurity/nextcloud-whitelist.md | 5 +
 .../crowdsecurity/nextcloud-whitelist.yaml | 7 +
 7 files changed, 153 insertions(+)
 create mode 100644 .tests/nextcloud-whitelist/config.yaml
 create mode 100644 .tests/nextcloud-whitelist/nextcloud-whitelist.log
 create mode 100644 .tests/nextcloud-whitelist/parser.assert
 create mode 100644 .tests/nextcloud-whitelist/scenario.assert
 create mode 100644 parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md
 create mode 100644 parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
diff --git a/.tests/nextcloud-whitelist/config.yaml b/.tests/nextcloud-whitelist/config.yaml
new file mode 100644
index 0000000000..5333dbbc1f
--- /dev/null
+++ b/.tests/nextcloud-whitelist/config.yaml
@@ -0,0 +1,15 @@
+parsers:
+- crowdsecurity/nginx-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/http-logs
+- ./parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: nextcloud-whitelist.log
+log_type: nginx
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/nextcloud-whitelist/nextcloud-whitelist.log b/.tests/nextcloud-whitelist/nextcloud-whitelist.log
new file mode 100644
index 0000000000..0450ff20d4
--- /dev/null
+++ b/.tests/nextcloud-whitelist/nextcloud-whitelist.log
@@ -0,0 +1 @@
+1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] "GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0" 404 20 "https://myapp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
\ No newline at end of file
diff --git a/.tests/nextcloud-whitelist/parser.assert b/.tests/nextcloud-whitelist/parser.assert
new file mode 100644
index 0000000000..11fb2fb08d
--- /dev/null
+++ b/.tests/nextcloud-whitelist/parser.assert
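Review bot: The fixture at the added line is only the positive case — the exact request the whitelist is meant to drop — so the generated asserts can show that this one event disappears (the trailing `len(results["success"][""]) == 0` appears to be the only evidence of the whitelist firing) but not that the rule is no broader than intended. Add a negative control line to the same log, e.g. the same request without `?photo` or with status `200`, and regenerate `parser.assert` so it asserts that event survives with `len(results["success"][""]) == 1`. Without it a later widening of the expression would still pass this test unnoticed.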
@@ -0,0 +1,124 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "nginx"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+len(results["s01-parse"]["crowdsecurity/nginx-logs"]) == 1
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["verb"] == "GET"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["program"] == "nginx"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["http_version"] == "2.0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["remote_user"] == "-"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Parsed["status"] == "404"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_verb"] == "GET"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_status"] == "404"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["service"] == "http"
+results["s01-parse"]["crowdsecurity/nginx-logs"][0].Evt.Meta["datasource_type"] == "file"
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00"
+len(results["s02-enrich"]["crowdsecurity/http-logs"]) == 1
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Success == true
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_ext"] == ".vcf"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_name"] == "14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["http_args"] == "photo"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["file_frag"] == "14FF37C0-C83C-4CB5-9091-269A9337D362"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_args_len"] == "5"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/http-logs"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00"
+len(results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"]) == 1
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Success == true
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["body_bytes_sent"] == "20"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_args"] == "photo"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["message"] == "1.2.3.4 - - [07/Oct/2022:00:01:18 +0200] \"GET /remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo HTTP/2.0\" 404 20 \"https://myapp.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\""
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["static_ressource"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["time_local"] == "07/Oct/2022:00:01:18 +0200"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_dir"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_name"] == "14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["impact_completion"] == "false"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["remote_user"] == "-"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["request"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["program"] == "nginx"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_ext"] == ".vcf"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["file_frag"] == "14FF37C0-C83C-4CB5-9091-269A9337D362"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_referer"] == "https://myapp.com/"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Parsed["http_version"] == "2.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["service"] == "http"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["timestamp"] == "2022-10-07T00:01:18+02:00"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_user_agent"] == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_verb"] == "GET"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["log_type"] == "http_access-log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["datasource_path"] == "nextcloud-whitelist.log"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_args_len"] == "5"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_path"] == "/remote.php/dav/addressbooks/users/crowdsec/bvf-panilor/14FF37C0-C83C-4CB5-9091-269A9337D362.vcf?photo"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Meta["http_status"] == "404"
+results["s02-enrich"]["crowdsecurity/nextcloud-whitelist"][0].Evt.Enriched["MarshaledTime"] == "2022-10-07T00:01:18+02:00"
+len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/nextcloud-whitelist/scenario.assert b/.tests/nextcloud-whitelist/scenario.assert
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/collections/crowdsecurity/nextcloud.yaml b/collections/crowdsecurity/nextcloud.yaml
index 05f014d7d6..b3e77f474f 100644
--- a/collections/crowdsecurity/nextcloud.yaml
+++ b/collections/crowdsecurity/nextcloud.yaml
@@ -1,6 +1,7 @@
 ---
 parsers:
   - crowdsecurity/nextcloud-logs
+  - crowdsecurity/nextcloud-whitelist
 scenarios:
   - crowdsecurity/nextcloud-bf
 description: "Nextcloud support : parser and brute-force detection"
diff --git a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md
new file mode 100644
index 0000000000..b49c1e85b0
--- /dev/null
+++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md
@@ -0,0 +1,5 @@
+## Nextcloud whitelist
+
+### Contacts app
+Contacts has an issue with excessive 404 response codes when a user image is missing
+[Upstream issue](https://github.com/nextcloud/contacts/issues/3021)
\ No newline at end of file
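Review bot: The collection now pulls `crowdsecurity/nextcloud-whitelist`, whose filter requires `evt.Meta.service == 'http'` and whose expression reads `file_ext` and `http_args` — fields the test config obtains from `crowdsecurity/nginx-logs` plus `crowdsecurity/http-logs`, neither of which this collection lists (it only carries `crowdsecurity/nextcloud-logs`, which handles the Nextcloud application log rather than the web-server access log). On a host that has not also installed a web-server collection the whitelist is present but can never match, and nothing reports that. Either state the prerequisite next to the new entry, e.g. `  - crowdsecurity/nextcloud-whitelist  # only effective with a web-server collection (nginx/apache/...) that provides crowdsecurity/http-logs`, or add the dependency explicitly if the hub allows this collection to list `crowdsecurity/http-logs` directly.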
diff --git a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
new file mode 100644
index 0000000000..e07a8819b5
--- /dev/null
+++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
@@ -0,0 +1,7 @@
+name: crowdsecurity/nextcloud-whitelist
+description: "Whitelist events from nextcloud"
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+whitelist:
+  reason: "Nextcloud Whitelist"
+  expression:
+    - evt.Meta.http_status in ["404", "403"] && evt.Meta.http_verb == "GET" && evt.Parsed.file_ext == ".vcf" && Lower(evt.Parsed.http_args) contains "photo"
\ No newline at end of file
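Review bot: The expression on the last added line keys only on `.vcf`, a 403/404 and a query string containing `photo`, never on the path, so any GET for a `.vcf` URL that returns 403/404 is removed from detection as long as `photo` appears somewhere in the query — an attacker enumerating other users' address-book entries under `/remote.php/dav/addressbooks/` (where a 403/404 is exactly the signal the http probing scenarios count) can append `?photo` to stay invisible, and because the filter matches every `http_access-log` event the same hole applies to any other application serving `.vcf` files behind this reverse proxy. The test asserts show `crowdsecurity/http-logs` populates `file_dir`, so the rule can be pinned to the CardDAV route the upstream issue is about, e.g. `- evt.Meta.http_status in ["404", "403"] && evt.Meta.http_verb == "GET" && evt.Parsed.file_ext == ".vcf" && evt.Parsed.file_dir contains "/remote.php/dav/addressbooks/" && evt.Parsed.http_args == "photo"` (`contains` rather than a prefix match keeps sub-path installs working; an exact `http_args` replaces `Lower(...) contains`). Even narrowed, this still blinds the probing scenarios to `.vcf?photo` enumeration inside the addressbook tree, which is the unavoidable cost of the whitelist and is worth stating in the file. A short comment above `expression:` recording why 403 is included (newer Nextcloud returns 403 rather than 404, per the commit message) and the upstream issue link would let the next maintainer judge when the whitelist can be retired.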