Messages - Q-Feeds

#1
Q-Feeds (Threat intelligence) / Re: automatic upgrade api
November 20, 2025, 11:37:22 AM
Quote from: RamSense on November 20, 2025, 11:11:49 AM
Thank you for your prompt response and explanation.
The table amount has increased indeed. All is up and running.
Thanks again

Glad to hear that it's working! You did bring up an idea though that we provide more license information in the OPNsense plugin/widget. That way it's easier to recognize if your license is loaded correctly. Thank you!
#2
Q-Feeds (Threat intelligence) / Re: automatic upgrade api
November 20, 2025, 09:42:27 AM
Quote from: RamSense on November 20, 2025, 07:28:16 AM
I just ordered a plus upgrade. I was already using the free API key.
I noticed that after paying for the upgrade, and receiving confirmation, it stays free.
Then I read that I have to go into the tip-qfeeds account and edit my free API key to change it to plus.

I think it will be very convenient for the user to have this API altered to the paid version automatically, instead of manually as it is now.
Why would a user want their API key to stay free when they just ordered an upgrade?

P.S. Is there a way to check if my qfeeds plugin is getting the plus feed instead of the free one? And should I alter my URL in AdGuard Home for this plus package? Or is there another URL only for plus to use in AdGuard Home?

Hi RamSense,

To start off with: thank you so much for your support!

The reason that we don't assign the license automatically is that a lot of our users have multiple API keys. It's not up to us to decide which API key should be upgraded. In order to keep the process the same for everyone we've chosen the current system, even if there's just one active API key.

To see if the plus license is activated successfully you can have a look at the number of IOCs that are loaded. For IPs you should see somewhere around 880K IOCs and for domains around 1000K.

There's no need to change the URL if you use the right API key of course.

#3
Quote from: Seimus on November 19, 2025, 08:43:30 PM
Small BUG report,

- When you expand the Advanced Options menu, you can't shrink it anymore
- In table view mode, the HASH can not be shown (eye icon doesn't work)

And a small Q,
Quote
Additional assets (other emails, passwords, hashes, IPs, domains, etc.) can be added here and require administrator approval before they can be used in searches

By admin, is Q-Feeds meant?

Regards,
S.

Thanks, will fix them ASAP! And yes, by Admin we mean Q-Feeds, but I understand we might improve that wording as well ;-)
#4
We've got some exciting news to share! 🎉

After a brief but successful beta phase, our brand-new Dark Web Monitoring feature is now live in the TIP. This feature is available for all Plus and Premium subscribers. This feature checks (on-demand or scheduled) for leaked credentials in leaked dark web databases. There's also a check added if hashes are 'crackable'.

Together with our built-in vulnerability scanner, we're now offering a powerful and well-rounded EASM (External Attack Surface Management) toolkit. These tools are giving you deeper visibility, stronger protection, and more control over your external attack surface.
#5
Q-Feeds (Threat intelligence) / Re: Bigcommerce problem
November 14, 2025, 08:54:00 AM
We've reviewed the Bigcommerce IPs and for now removed them from our list. Thank you for pointing it out and sorry for the inconvenience! You can force a pull of the new list by hitting Apply in the plugin.
#6
Quote from: passeri on November 12, 2025, 11:07:03 AM
Coincidentally I have this evening (my time) received an alert from haveibeenpwned about an aggregated list from Synthient last April, in which list an email and password appear. Given that list gathers previous material the alert probably repeats previous rather than being new. In any case, without knowing the breach source there is really nothing to do if passwords are strong and never reused. Criminals are not going to expend centuries trying to brute-force long random strings and state actors would not be interested in me.

This is still in the vein of saying of course my e-mail is known, and in some cases they can see the lock (hashed password) but breaking it is another matter, so why jump on hearing someone else knows my email and a singular lock? If it were something critical then I will hear from the organisation and can act as a precaution, though all critical assets have 2FA anyway.

While other people may have a different view, I am not seeing credential monitoring as worth the investment unless it can tell me precisely on which site the breach occurred.

Edit to add: I am my own e-mail provider, and have for many years kept anything important out of e-mail unless the message itself has strong encryption.

Makes sense! That said, bad actors don't always publish where the data got stolen or leaked. The use of aliases as Newsense mentioned is indeed really helpful for this kind of thing.
Still, I get your point. Without knowing the exact source, it's hard to take meaningful action.
#7
Thanks for your feedback, we'll take it with us in our planning. And of course safety first!
We're not sure yet on pricing, we're just asking. First we need to determine the value, then we can make an estimate of our costs etc.
#8
Since we have our own sub forum now we are closing this topic. Feel free to open a new topic for feature request, questions, comments etc etc. We will be around to do our best to answer everything!
#9
On our roadmap, one of the next major upgrades to our Threat Intelligence Portal would be to add a service where you can monitor for leaked credentials. The way the service would work is that a user submits their email addresses and we monitor e.g. the dark web for any leaks. This goes beyond the haveibeenpwned service since we will also include info stealer logs and the actual password hash + maybe partly show the password so you can easily verify the validity.

  • Would you be interested in such service?
  • Are you already using a service like this?
  • What would be your desired features regarding this?
  • Would you be willing to pay for it? And if so, how much? (realistically)
#10
Quote from: tmcarter on November 10, 2025, 04:16:19 PM
Hi... I am interested in testing out Q-Feeds, if that window of opportunity is still open.


Quote from: meyergru on November 10, 2025, 05:40:40 PM
Me too - I already registered for a free account on TIP.

We're well past the beta phase now, but you're more than welcome to start using it! On our OPNsense landing page you can find all the information you need, including the implementation manual: https://qfeeds.com/opnsense/
#11
Quote from: IsaacFL on November 10, 2025, 06:17:17 PM
I've been testing this out and had a question about the malware IP list.

Why doesn't it use CIDR notation? The list contains over 500,000 individual IP addresses, and I can see entire /24 ranges represented as separate entries — even including the broadcast addresses. That seems inefficient for the firewall, especially since the premise of Q-Feeds is supposed to involve preprocessing and aggregation.

This approach also makes it practically impossible to scale into IPv6, where the smallest subnet is a /64. It feels like a dead-end implementation.


You're absolutely right, there's definitely room for improvement when it comes to optimizing CIDR usage. The main challenge is that in many cases only specific IPs within a larger block are confirmed malicious. Aggregating them into CIDRs would mean potentially blocking legitimate traffic, especially in shared or cloud environments where a /24 can contain hundreds of unrelated tenants.

IPs in threat feeds are also quite dynamic: servers get cleaned up, new ones appear, and attackers constantly shift infrastructure. Keeping indicators at single-IP granularity allows us to stay accurate and flexible when rotating data. We already perform preprocessing and deduplication before publishing feeds, so even though the list looks large, it's already optimized for relevance and quality.

For IPv6 it's a different story. Blocking based on IPv6 addresses is significantly harder because malicious actors rotate them extremely fast, often making static blocking useless. That's why future IPv6 detection strategies will likely focus more on ASN or behavioral patterns instead of individual addresses.

That said, there's no performance impact for firewalls; we haven't seen any cases where the number of IOCs caused issues. OPNsense even raised the default table size to 20M entries, so handling large datasets like this isn't a problem.
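The trade-off in this reply (lossless deduplication of single-IP indicators versus summarising them into /24 blocks) measured on a constructed sample feed, as an added example that is not from the original post or from Q-Feeds; the feed addresses, the `collateral` and `prefix_summarize` helpers are assumptions made for the illustration, and `prefix_summarize` takes the prefix length so the same measurement applies to an IPv6 /64.

```python
import ipaddress

# Constructed sample feed (documentation ranges, not real indicators):
# a cluster of confirmed hosts in one /24, one straggler in the same /24,
# and a few scattered hosts elsewhere.
SAMPLE_FEED = [
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
    "203.0.113.250",
    "198.51.100.7",
    "192.0.2.40", "192.0.2.41", "192.0.2.42", "192.0.2.43",
]


def exact_collapse(ips):
    """Lossless aggregation: only merges addresses that form complete, aligned
    blocks (e.g. .40-.43 -> /30). The result covers exactly the listed hosts,
    so deduplicating this way never blocks an address that is not in the feed."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return list(ipaddress.collapse_addresses(nets))


def prefix_summarize(ips, prefixlen=24):
    """Lossy aggregation: round every indicator up to its enclosing /prefixlen.
    Use prefixlen=64 for IPv6 to model the 'smallest subnet is a /64' case."""
    supernets = {ipaddress.ip_network(ip).supernet(new_prefix=prefixlen)
                 for ip in ips}
    return sorted(supernets)


def collateral(ips, nets):
    """Number of addresses inside `nets` that are NOT confirmed indicators,
    i.e. the unrelated tenants an aggregated block rule would also drop."""
    listed = {ipaddress.ip_address(ip) for ip in ips}
    covered = sum(n.num_addresses for n in nets)
    return covered - len(listed)


def compare(ips):
    """Summarise both strategies: rule count and over-blocked addresses."""
    exact = exact_collapse(ips)
    lossy = prefix_summarize(ips)
    return {
        "exact_rules": len(exact), "exact_collateral": collateral(ips, exact),
        "lossy_rules": len(lossy), "lossy_collateral": collateral(ips, lossy),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_FEED))
```

For the sample feed, exact collapsing yields 5 rules with 0 over-blocked addresses, while /24 summarisation yields 3 rules that also drop 758 addresses the feed never flagged.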
#12
Q-Feeds (Threat intelligence) / Introduction Q-Feeds
November 11, 2025, 08:30:06 AM
👋 Welcome to the Q-Feeds Sub-Forum

Hi everyone, and welcome to the official Q-Feeds section here on the OPNsense forum!
Q-Feeds provides Threat Intelligence Feeds focused on malicious IPs and domains, helping you strengthen your network security with real-time data against malware, phishing, and other online threats.

We're proud to share that there's now a Q-Feeds plugin available for both the OPNsense Business and Community Editions. This integration makes it easy to automatically import and use our intelligence feeds directly within your firewall configuration.

Everything you need to get started — including installation steps and an implementation manual — can be found here:

https://qfeeds.com/opnsense/

https://docs.opnsense.org/manual/qfeeds.html

Feel free to use this sub-forum to:
  • Ask questions about the Q-Feeds plugin for OPNsense
  • Share feedback or feature suggestions
  • Discuss use cases or integrations

We'll be around to help and respond to your posts.


The Q-Feeds Team
https://qfeeds.com
#13
Quote from: passeri on November 09, 2025, 02:55:28 AM
Misunderstanding something. The internal router stopped it. The edge router can never see what is not passed to it in the first place.

I have no further such contacts. I have organised to track their app source if one turns up again.

Aah sure, that makes sense, it's outbound traffic of course.

Quote from: passeri on November 09, 2025, 11:48:11 AM
To wrap up the curiosity item I raised, one of those addresses is bam.nr-data.net which is a gathering point for browser activity tracking, while the other is bigcommerce.com related to shopfront checkouts and again probably about activity data collection given purchases were not affected. Calls originated from Apple Safari, not Mullvad, although it is not excluded that that is coincidence.

While they are more about privacy than security, nothing has broken with them being blocked.

Makes sense as well. Platforms like Bigcommerce, Shopify, etc. are often used to host malicious scripts or files. This IP of theirs is also used as an open HTTP proxy; that's probably the reason it's in the list. Well, since it didn't break anything we'll keep it in the list for now.

#14
Quote from: vk2him on November 09, 2025, 11:11:40 AM
Quote from: Q-Feeds on November 08, 2025, 02:21:03 PM
Sorry, didn't check that thoroughly. Seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk full, or power loss events lately? I think it's best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues

No crashes, disk full or power loss - all running fine. I restarted the host that OPNSense is running on and it's now working. Strange that it was working during the day, then overnight the log somehow was corrupted. I'll keep an eye on it.

How frequently is the widget "Blocked" number updated?

Probably fixed because the log rotated with the reboot. Indeed curious how and why this happened, but glad it's fixed now. The cron job for the widget runs every 15 minutes.
#15
Quote from: passeri on November 08, 2025, 10:37:01 AM
Quote from: Q-Feeds on November 08, 2025, 09:48:45 AM
interesting to see that you experience outbound connections to it
That "interesting" could be carrying a lot of freight. The attempted connections were for a short period then ceased. The machine which sourced them has Sophos Premium running on it and no open ports. The router which trapped them is internal, not at the edge, looking only at outgoing traffic, Community key for Q-feeds. The Plus key is on the edge so it saw nothing of this.

I tried the threat lookups again. They worked in Safari, not in Mullvad (Firefox), "network error". Everything is latest versions.

Plus has everything Community has + more. So I have no clue why your edge router didn't catch that activity!? Or am I misunderstanding something?