
Messages - Q-Feeds

#1
Can someone with these problems share the output of this command?

/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
#3
Hmm, that's not the way it's intended. We'll create a GitHub issue for it.
#4
Quote from: wirehire on May 29, 2026, 06:31:21 PM
There are still a lot of Vodafone numbers on the list. Can you share why?

Well, can you specify 'a lot' for us? Obviously we're unable to whitelist everything residing from Vodafone, and it's also hard to identify the specific ones since Vodafone does not communicate about it.
#5
With the help of your feedback we can indeed improve our services and minimize false positives. Best way to report them though is via our TIP (tip.qfeeds.com). This way we process them on average within 30~40 minutes max.
#6
We found a solution (for the majority) and it will be done within the next couple of hours. The IP you listed has been removed from the list already. Thank you for letting us know!
#7
Thank you for reporting! This was an issue on our end and we solved it. You might need to re-apply the settings in the plugin (no need to rotate the API key).

For those interested: community licenses don't have an expiry date, but the plugin checks against a license check which returned 'null' as an expiry date. This caused the issue. The expiry date now shows the date 9999-12-31.
#8
Quote from: Patrick M. Hausen on April 30, 2026, 01:49:17 PM
BTW ... 🙂



Haha, oops... let's just say it's our Dutch accent ;)
#9
The widget's 'Updated at' timestamp has a bug in it... it skips exactly one update cadence. So if you're licensed for 24 hours it will show 48. If you're licensed (plus) for 4 hours you will see 8 hours and for premium it will show 40 minutes instead of 20....

We actually solved it today but it will only be shipped with the next update: https://github.com/opnsense/plugins/issues/5415

#10
Quote from: Seimus on May 08, 2026, 12:52:39 PM
That would be actually cool.

As well, I had more time to play a bit with the new updated TiP, it's fantastic. As mentioned above the visibility is superb.
For a T-shooting nerd like me, what you provide in TiP is just a dream.

I would love to have all of this directly in OPN GUI (or selfhost it via docker :D), but I understand it's most likely not possible.

Great job guys! Keep it up, looking forward to what you have next on the table.

Regards,
S.

Thank you so much for your kind words!! Very happy you like it! Well at this point in time we're not sure what we can do in the OPNsense GUI but we're exploring options ;-)
#11
Quote from: dinguz on May 08, 2026, 09:02:34 PM
Clicking on my account name on the top-right gives me these menu options: Dashboard, Orders, Subscriptions, Downloads, Address, Payment methods, Account details, Log out

In none of these I'm able to enter a license code for the trial. The Orders, Subscriptions and Download page only point to a generic 'Browse products' link.

Quote from: Q-Feeds on May 01, 2026, 09:08:05 AM
Promo for existing users

If you've already used your premium trial, you can test the new functionality for 7 days with this code:

1-WEEK-THREAT-LOOKUP
You can activate this code by clicking on your account name on the top-right and then go to licenses -> activate licenses.



Aah yes you're logged in on our website. But the code works for https://tip.qfeeds.com/ ;-)
#12
Quote from: Seimus on May 03, 2026, 01:24:50 AM
Quote:
What filtering options would you actually use?
Anything missing in the IOC view?

Not sure if this is feasible but what about sorting based on country of origin? E.g. the country from where the IoC originates.


Quote:
Ideas for improving the OPNsense plugin?

Well, OPNsense has inbuilt RRD and other graph possible tooling, would it be possible under the condition it's not resource heavy, to create graphs based on the events/IPs/ports/protocols?

Something similar for example as in
Lobby > Reporting > Health
Or
Firewall > Log Files > Overview?

This would still be local to the OPNsense, but would give the users more visual representation.

Regards,
S.



We will take it into consideration! We're indeed also in conversation with Deciso's developers to see if we can improve reporting f.e. mapped on MITRE (that's what we were thinking about).
#13
Very interesting results which seem to be all over the place. I think it also depends on if you're hosting services f.e. As Cedrik mentioned it's not just about the # blocked. Increasing that number as a blocklist provider is quite easy. I think we make the difference on what we block and how we give insights on why.
#14
We've been able to reproduce unfortunately.
Solution might be rebooting (not sure)

True solution is to empty the folder "/var/db/qfeeds-tables/"
by running these commands:


cd /var/db/qfeeds-tables/
rm *

Bug reported to the developers as well: https://github.com/opnsense/plugins/issues/5428
#15
Phase 1 is live: IOC browser, context, risk scoring & MITRE mapping

A little while ago we shared a preview of what we were building for the Q-Feeds Threat Intelligence Portal. Phase 1 is now live.

This release is focused on giving more visibility into the data behind the feeds instead of just consuming blocklists.

You can now:

  • Browse the full IOC database
  • View IOC history, enrichment data, and relationships
  • See risk scoring to understand relevance/priority
  • Explore MITRE ATT&CK mappings for additional context
  • Investigate indicators that are not included in feeds (e.g. lower confidence)

The idea is to make it easier to validate and investigate instead of blindly blocking.

Please note that this update also introduces a brand new risk-scoring system. But be aware that this risk-scoring system is not used (yet) for our current feeds.

Promo for existing users

If you've already used your premium trial, you can test the new functionality for 7 days with this code:

1-WEEK-THREAT-LOOKUP
You can activate this code by clicking on your account name on the top-right and then go to licenses -> activate licenses.

What's next (subject to change)

Phase 2 (in progress): more granular feed filtering/generation (e.g. only C2, exclude TOR, MITRE-based filtering)
Phase 3: updated OPNsense plugin to support these improvements while keeping it simple

Would be great to get feedback from the community:

What filtering options would you actually use?
Anything missing in the IOC view?
Ideas for improving the OPNsense plugin?

Happy to answer any questions as well.