# Jellyseerr false positive bans

upper ocean
#

My suspicion is crowdsecurity/http-probing is only triggering because the IP is banned and the application is constantly trying those URLs even though it is getting a 403 response code.

You can test this community-offered whitelist:

# /etc/crowdsec/config/parsers/s02-enrich/jellyseerr-whitelist.yaml
name: overseerr-jellyseerr-whitelist
description: "Whitelist events from Overseerr and Jellyseerr"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Overseerr/Jellyseerr whitelist"
  expression:
   - evt.Meta.http_status in ['200', '499'] && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '\\/api\\/v1\\/(movie|tv|request)\\/(\\d+)' # When browsing Movies, Series or Requests

Taken from this issue https://github.com/crowdsecurity/hub/issues/1123#issuecomment-2395532547

upper ocean
#

In evt.Meta.http_status in ['200', '499'], add '304' so the end result is evt.Meta.http_status in ['200', '499', '304'].

#

Up to you; internally in CrowdSec it makes little difference in the processing pipeline. It might make your life easier if you want a single file to manage moving forward: you can simply add the expression into the same file, as each expression is an OR.

#

The filter is to optimise which events shall be evaluated against the expressions, so for this we only care about http logs. This filter will run against all events (to prevent unnecessary evaluation of expressions, because we know they will fail anyway if they are not http logs); your one below, since it doesn't have a filter, will run against all events no matter which one.
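As an added illustration (not CrowdSec's own code, nor code from this thread), a small Python evaluator that mirrors the semantics discussed above: the filter gates events before any expression runs, the expressions are ORed, and '304' has been added to the status list. The events are constructed samples shaped like CrowdSec's evt.Meta / evt.Parsed fields, not real log output.

```python
import re

# Regex mirroring the `matches` clause of the whitelist expression (partial match, like CrowdSec's expr).
PATH_RE = re.compile(r"/api/v1/(movie|tv|request)/(\d+)")

def event_filter(evt):
    """Mirrors the YAML 'filter': only http access/error log events reach the expressions."""
    meta = evt["Meta"]
    return meta.get("service") == "http" and meta.get("log_type") in ("http_access-log", "http_error-log")

def browse_expr(evt, statuses=("200", "499", "304")):
    """The single whitelist expression, with '304' added as suggested in the thread."""
    meta, parsed = evt["Meta"], evt.get("Parsed", {})
    return (meta.get("http_status") in statuses
            and parsed.get("static_ressource") == "false"
            and meta.get("http_verb") == "GET"
            and PATH_RE.search(meta.get("http_path", "")) is not None)

def is_whitelisted(evt, expressions=(browse_expr,)):
    """Whitelist decision: the filter gates the event, then any matching expression (OR) whitelists it."""
    if not event_filter(evt):
        return False
    return any(expr(evt) for expr in expressions)

def make_event(path, status="200", verb="GET", log_type="http_access-log", service="http", static="false"):
    """Build a constructed sample event (not parsed from a real log line)."""
    return {"Meta": {"service": service, "log_type": log_type, "http_status": status,
                     "http_verb": verb, "http_path": path},
            "Parsed": {"static_ressource": static}}

# Constructed sample events covering the cases the thread talks about.
SAMPLE_EVENTS = {
    "movie_200": make_event("/api/v1/movie/550"),                     # normal browsing
    "tv_304": make_event("/api/v1/tv/1399", status="304"),             # only whitelisted once '304' is listed
    "request_403": make_event("/api/v1/request/12", status="403"),     # a banned client's retries stay visible
    "settings_200": make_event("/api/v1/settings/main"),               # not one of the browse paths
    "ssh_event": make_event("/api/v1/movie/550", log_type="ssh", service="ssh"),  # rejected by the filter
}

def evaluate_all(events=SAMPLE_EVENTS):
    """Return the whitelist decision for every sample event."""
    return {name: is_whitelisted(evt) for name, evt in events.items()}

if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:12s} whitelisted={decision}")
```

Passing the original status list to browse_expr shows the tv_304 event would not have been whitelisted before the '304' change.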