Messages - Q-Feeds

#1
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
December 11, 2025, 11:15:19 PM
Hi Mokaz and Dirtyfreebooter,

Glad everything works as expected! And thanks a lot for your feedback, really appreciated. Please find our answers below.

1.
Your guess is correct, the Community edition only provides open-source intelligence. Our threat lookup (Plus and Premium licenses) feature gives more insight into where items come from. We're not planning to make this available for the Community edition.

2.
As Cedrik already mentioned. :)

3.
We went with this approach because several users asked for a specific category during our beta testing. I guess everyone has their own preferences. :) Our personal view is that it's clearer to keep a distinction between Security and Services, otherwise the Services menu becomes cluttered with too many different functions. That said, I do agree that adding other security related services (including Zenarmor) to the menu would help keep things clean and consistent. I'll add it to our next meeting agenda to have a look at it.

Thanks again!

Kind regards,

David
#2
Good news, we expect to launch support for DNSCrypt-proxy in the next release (Plugin v1.4).

#3
Quote from: vpx on December 09, 2025, 09:45:27 AM
Hi Stefan,

Thanks, it has been fixed. 👍🏻

Perfect! Thanks for letting us know!
#4
Hi vpx,

Thank you so much for letting us know, we had no clue since we're not using Outlook Classic. That said, we've added an explicit width to the header in the email now, hoping it's solved for Outlook Classic. Please let us know, much appreciated.

Kind regards,

Stefan
#5
No not all in particular.
#6
Quote from: _tribal_ on December 05, 2025, 08:34:21 PM
Unfortunately, I had to give up on this plugin. In my case, too many resources that were critical to me were blacklisted by Q-Feeds. Otherwise, it worked quite stably. Good luck with developing the service.

That's unfortunate to hear! Sorry it didn't work out for you. We'd really appreciate it if you could share which false positives you ran into, it helps us improve the service for everyone.
#7
Quote from: Kets_One on December 01, 2025, 08:25:00 PM
Thanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.

Strangely nslookup of 94.16.122.152 resolves s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesn't explain the source IP.

Update:
Just now a new request was made from 192.168.90.100:123 to a different destination IP: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again I am unable to locate the source IP / host on my LAN. Maybe some Wireshark is in order...


94.16.122.152 is identified as a TOR node, that's why it's on our list :)
#8
Hi VPX,

Thank you for this idea! We will investigate the possibility in the upcoming weeks. I noticed that it already has DNSBL functionality, so that could be an easy implementation. We will get back to you!
#9
Quote from: Shayoo on November 29, 2025, 12:34:54 PM
Hi,

Thank you for the clarification, that makes sense now.
I appreciate the quick and detailed response.

More than welcome!
#10
Hi Shayoo,

Thanks for your kind words.

This is expected behavior, the blocklist won't appear within the Unbound blocklist list. Yet you will see an increase of the number of 'Size of blocklist' in the reporting feature of Unbound on this URL: https://*****:***/ui/unbound/overview

You can also search for "qf_malware_domains" in the details tab to see if you have any hits.

#11
Quote from: wirehire on November 06, 2025, 12:59:59 PM
You right, nothing upload are very good, from this sign. But the plugin matched the list and the blocklist take from the blocklist the IP. So when the plugin can see that dangerous IP take to connect and block it, it can also see and write to the plugin log, which port.

For zero days often, the check in wave specific ports. So when you see that many IPs scan for a specific port in a wave, you can take it different.

Where the question to the qfeed maintainer. Can your plugin, without upload to your instances, see which port the attacker probed to be connect?

In the next release we've added the ports to the Events page. We also added an option to use Threat Lookup quickly by pressing a button next to the IP addresses which then redirects to the threat lookup function in the TIP.
#12
Q-Feeds (Threat intelligence) / Re: automatic upgrade api
November 20, 2025, 11:37:22 AM
Quote from: RamSense on November 20, 2025, 11:11:49 AM
Thank you for your prompt response and explanation.
The table amount has increased indeed. All is up and running.
Thanks again

Glad to hear that it's working! You did bring up an idea though that we provide more license information in the OPNsense plugin/widget. That way it's easier to recognize if your license is loaded correctly. Thank you!
#13
Q-Feeds (Threat intelligence) / Re: automatic upgrade api
November 20, 2025, 09:42:27 AM
Quote from: RamSense on November 20, 2025, 07:28:16 AM
I just ordered a plus upgrade. I was already using the free API key.
I noticed that after paying for the upgrade, and received confirmation, it stays free.
Then I read that I have to go into the tip-qfeeds account and edit my free API key to change it to plus.

I think it will be very convenient for the user to have this API altered to this paid version automatically, instead of now manually.
Why would a user want its API to stay free when he/she just ordered an upgrade?

P.S. Is there a way to check if my qfeeds plugin is getting the plus feed instead of the free? And should I alter my URL in Adguard Home for this plus package? Or is there another URL only for plus to use in Adguard Home?

Hi RamSense,

To start off with: thank you so much for your support!

The reason that we don't assign the license automatically is because a lot of our users have multiple API keys. That said, it's not up to us to decide which API key should be upgraded. In order to keep the process the same for everyone we've chosen for the current system even if there's just one active API key.

To see if the plus license is activated successfully you can have a look at the number of IOCs which are loaded. For IPs you should see somewhere around 880K IOCs and domains around 1000K.

There's no need to change the URL if you use the right API key of course.

#14
Quote from: Seimus on November 19, 2025, 08:43:30 PM
Small BUG report,

- When you expand the Advanced Options menu, you can't anymore shrink it
- In table view mode, the HASH can not be shown (eye icon doesn't work)

And a small Q,
Quote: Additional assets (other emails, passwords, hashes, IPs, domains, etc.) can be added here and require administrator approval before they can be used in searches

By admin this is meant by Q-feeds?

Regards,
S.

Thanks, will fix them ASAP! And yes, by Admin we mean Q-Feeds, but I understand we might improve that wording as well ;-)
#15
We've got some exciting news to share! 🎉

After a brief but successful beta phase, our brand-new Dark Web Monitoring feature is now live in the TIP. This feature is available for all Plus and Premium subscribers. This feature checks (on-demand or scheduled) for leaked credentials in leaked dark web databases. There's also a check added if hashes are 'crackable'.

Together with our built-in vulnerability scanner, we're now offering a powerful and well-rounded EASM (External Attack Surface Management) toolkit. These tools are giving you deeper visibility, stronger protection, and more control over your external attack surface.