Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Quote from: mrpink on October 02, 2025, 12:00:27 PM
Hi Stefan,

I'm also interested in testing out Q-Feeds.
I have a homelab with some public services and till now I'm using crowdsec and some public IP blocklists.

Thanks Rene

Thank you Rene. I've sent the instructions to you via PM. Please let us know your thoughts.

Your Threat Intelligence Partner  qfeeds.com

Is there a way in the q-feeds dashboard to whitelist an IP address, e.g. if it's an accidental false positive that would impact production?

Right now, you could create a manual alias and firewall rule, matching before the q-feeds block rule, that allows an IP address explicitly.

But I couldn't on first glance find anything in tip.qfeeds.com to overrule a decision for an IP address manually.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on October 02, 2025, 01:09:02 PM
Is there a way in the q-feeds dashboard to whitelist an IP address, e.g. if it's an accidental false positive that would impact production?

Right now, you could create a manual alias and firewall rule, matching before the q-feeds block rule, that allows an IP address explicitly.

But I couldn't on first glance find anything in tip.qfeeds.com to overrule a decision for an IP address manually.

Indeed, at the moment this can only be done via a separate alias and firewall rule that matches before the Q-Feeds block rule. Of course, we do everything we can to prevent false positives. If you do encounter one, you can report it via support in the TIP.

And thank you for your input – this is a very good feature request, and we'll definitely add it to the roadmap!

Your Threat Intelligence Partner  qfeeds.com
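
The workaround discussed above (an allow alias and rule evaluated before the Q-Feeds block rule) only helps if you know which of your own addresses are listed. The following is an added example, not part of the original posts and not Q-Feeds or OPNsense code: it audits production addresses against a downloaded blocklist to find the ones that need such a pass rule. The one-entry-per-line feed format, the sample data and the function names are assumptions.

```python
import ipaddress

# Constructed sample of a downloaded blocklist. One address or CIDR per line
# is an assumed format, not the documented Q-Feeds one.
SAMPLE_FEED = """\
# constructed sample
198.51.100.0/24
203.0.113.7
2001:db8:bad::/48
not-an-ip
"""

# Constructed production addresses that must stay reachable.
PRODUCTION = ["203.0.113.7", "198.51.100.25", "192.0.2.10", "2001:db8:bad:1::5"]


def parse_feed(text):
    """Return the networks in the feed, skipping comments, blanks and junk."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore it rather than abort the audit
    return networks


def override_candidates(feed_text, production):
    """Map each production address to the feed entries that would block it."""
    networks = parse_feed(feed_text)
    hits = {}
    for item in production:
        addr = ipaddress.ip_address(item)
        matches = [str(n) for n in networks
                   if n.version == addr.version and addr in n]
        if matches:
            hits[item] = matches
    return hits


if __name__ == "__main__":
    for ip, entries in override_candidates(SAMPLE_FEED, PRODUCTION).items():
        print(f"{ip} needs a pass rule before the block rule (listed via {entries})")
```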

A few observations after a few hours:
- Are the alerts only visible in the firewall log screen (when logs are enabled for the Q-feeds block rule) or should they also be visible in the TIP Dashboard under logs? So far I have seen a few block actions by the Q-feeds plugin, but none of them show up in the TIP dashboard.
- Maybe a counter of sorts in Opnsense would be nice to have direct insight in the number of blocked IPs/URLs. This avoids having to open up the TIP Dashboard too often.
- Is there also a possibility to send alerts to an email address or via SNMP. For example in case blocked addresses are higher than a set threshold?
- Are threat IPs/URLs downloaded to Opnsense or is each threat checked 'live' against the database at Q-Feeds? I expect the former. In that case, how often is the plugin searching for new threat lists?
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

October 02, 2025, 02:18:29 PM #19 Last Edit: October 02, 2025, 02:23:06 PM by Q-Feeds
Quote from: Kets_One on October 02, 2025, 01:27:43 PM
A few observations after a few hours:
- Are the alerts only visible in the firewall log screen (when logs are enabled for the Q-feeds block rule) or should they also be visible in the TIP Dashboard under logs? So far I have seen a few block actions by the Q-feeds plugin, but none of them show up in the TIP dashboard.
- Maybe a counter of sorts in Opnsense would be nice to have direct insight in the number of blocked IPs/URLs. This avoids having to open up the TIP Dashboard too often.
- Is there also a possibility to send alerts to an email address or via SNMP. For example in case blocked addresses are higher than a set threshold?
- Are threat IPs/URLs downloaded to Opnsense or is each threat checked 'live' against the database at Q-Feeds? I expect the former. In that case, how often is the plugin searching for new threat lists?

Thank you for sharing your findings, much appreciated.
Hereby our answers:

- The logs can only be found in the OPNsense firewall logging when you enable logging for the Q-Feeds block rule. No information is uploaded from OPNsense to the TIP, so you won't see these block actions appear there.
What you can do with a paid subscription is look up IP addresses in the TIP to get more detailed information (context) why a specific IP is included in our database.

- The widget already gives you insights into the number of blocked IPs/URLs directly within OPNsense. Currently, there is no alert functionality (such as email or SNMP notifications). That said, this is excellent input — we'll take it with us for future development.

- The threat IPs/URLs are indeed downloaded locally to OPNsense (not checked live against our database).
  • Q-Feeds community (Free): updated every 7 days
  • Q-Feeds Plus (starting at €99 per year per firewall/IP): updated every 4 hours
  • Q-Feeds Premium (starting at €249 per year per firewall/IP): updated every 20 minutes

More information about our premium packages can be found here: http://qfeeds.com/opnsense

Your Threat Intelligence Partner  qfeeds.com

installed and activated. No issues so far

Hi Stefan,

I am interested in testing the Q-Feeds plugin.

Thanks,

Will

Quote from: Mo'Kai on October 02, 2025, 05:41:10 PM
installed and activated. No issues so far

Thank you for confirming!

Your Threat Intelligence Partner  qfeeds.com

Quote from: willj8823 on October 02, 2025, 06:12:32 PM
Hi Stefan,

I am interested in testing the Q-Feeds plugin.

Thanks,

Will

Thank you, I've sent you the instructions.

Your Threat Intelligence Partner  qfeeds.com

October 02, 2025, 08:01:35 PM #24 Last Edit: October 02, 2025, 08:03:19 PM by Q-Feeds
Widget Not Functioning After Plugin Installation | Quick Fix

We've received feedback that the widget is not functioning well after installing the plugin.
After some investigation, we found that this happens because the configd service needs to be restarted.

You can fix this by either:
  • Performing a full reboot, or
  • Running the following command from command line:

service configd restart

Your Threat Intelligence Partner  qfeeds.com

Does this work with ipv6 threats?

I am an ipv6 mostly network and when I tried crowdsec I could see it would only add a single /128 ipv6 address to their block list so I gave up on Crowdsec. Typically the threats I was seeing were rolling thru a /64 and never same address, so minimum block size for ipv6 should be the /64. A /64 is equivalent to an ipv4 single address with NAT.

I am interested in trying it out and sharing my experience.

Quote from: IsaacFL on October 02, 2025, 09:28:48 PM
Does this work with ipv6 threats?

I am an ipv6 mostly network and when I tried crowdsec I could see it would only add a single /128 ipv6 address to their block list so I gave up on Crowdsec. Typically the threats I was seeing were rolling thru a /64 and never same address, so minimum block size for ipv6 should be the /64. A /64 is equivalent to an ipv4 single address with NAT.

Yes, we do support IPv6. However, the lifecycle of malicious IPv6 addresses tends to be relatively short. Because of this, the number of IPv6 IoCs we provide is more limited compared to IPv4. Let me know if you would like to test the Q-Feeds plugin/product.

Your Threat Intelligence Partner  qfeeds.com
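
The /128 versus /64 question raised in this exchange can be tested on your own firewall logs. The following is an added example, not part of the original posts and not CrowdSec or Q-Feeds code: it collapses observed IPv6 sources into their /64 once several distinct addresses from that prefix have been seen, and keeps single hits as /128. The `min_distinct` threshold, the sample addresses and the function name are assumptions; `min_distinct=1` gives the "always block the /64" policy described above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses taken from blocked-connection log lines.
SAMPLE_SOURCES = [
    "2001:db8:aa:1::10", "2001:db8:aa:1:dead:beef:0:1", "2001:db8:aa:1::ffff",
    "2001:db8:bb:2::1",
    "192.0.2.44", "192.0.2.44",
]


def aggregate_sources(sources, v6_prefix=64, min_distinct=3):
    """Return block entries as strings.

    IPv4 sources stay host entries (/32). IPv6 sources are grouped by their
    enclosing prefix; a group is widened to the whole prefix once
    min_distinct different addresses were seen in it (assumed threshold),
    otherwise each address is kept as a /128.
    """
    v4 = set()
    v6_groups = defaultdict(set)
    for item in sources:
        addr = ipaddress.ip_address(item)
        if addr.version == 4:
            v4.add(ipaddress.ip_network(f"{addr}/32"))
        else:
            prefix = ipaddress.ip_network(f"{addr}/{v6_prefix}", strict=False)
            v6_groups[prefix].add(addr)

    v6 = set()
    for prefix, members in v6_groups.items():
        if len(members) >= min_distinct:
            v6.add(prefix)  # rotating source: block the whole prefix
        else:
            v6.update(ipaddress.ip_network(f"{m}/128") for m in members)

    # IPv4 and IPv6 networks cannot be compared, so sort each family alone.
    return [str(n) for n in sorted(v4)] + [str(n) for n in sorted(v6)]


if __name__ == "__main__":
    for entry in aggregate_sources(SAMPLE_SOURCES):
        print(entry)
```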

Quote from: gtwop on October 02, 2025, 09:53:12 PM
I am interested in trying it out and sharing my experience.

Thank you, the information is in your PM.

Your Threat Intelligence Partner  qfeeds.com

I would also be interested, when you need more testers.
Best regards,
   Marcus