Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Quote from: Seimus on October 10, 2025, 11:31:51 PM
Updated,

I like the new changes.

1. The update was seamless, I had no issues at all. After the update the section moved from Services to a new main section called Security.
2. The new Events TAB is working for me; it loaded over 50K records, e.g. 4 days. Is this hard-coded?
3. The events also show the interfaces (NICE!), but only LAN-based ones. The ingress block on WAN doesn't show the WAN interfaces in Events.
4. The widget is now much better.

Regards,
S.

NOTE: The Events TAB takes time to load, as it's parsing the log (collected events from the firewall log for QFeed aliases), so the larger it is the longer it will take relative to the CPU performance.

Great to hear! I'm glad you're happy with it.
Yes, the 50K is hardcoded because, as you mentioned, it takes some time and resources to parse the logs for now. We'll add the WAN comment to the list, thank you!

Your Threat Intelligence Partner  qfeeds.com

Just updated the plugin. Looks like it's working fine. Will keep an eye on it.
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

Quote from: tessus on October 11, 2025, 12:18:02 AM
I am not able to change my email address on the TIP web site.

I have noticed that the notifications are sent to the email I registered with. However, I usually like to add a modifier so that it is easier to filter. e.g. user+qfeeds@example.com

I've added the ability to change your email address now. You do have to confirm your mail after changing it.

Quote from: tessus on October 11, 2025, 12:31:52 AM
However, when I check my settings, it is blank and my default is 10,000,000. (Note: Leave this blank for the default. On your system the default size is: 10000000)

I'd rather not set a value there, but go with my default which is already 5 times the value the QFeeds plugin requires.

That's interesting, I was not able to reproduce this. Anyone else experiencing this?


October 11, 2025, 10:14:43 AM #153 Last Edit: October 11, 2025, 11:01:44 AM by Q-Feeds
Public beta.

We're feeling confident now that the plugin is stable enough for a 'public beta'. For anyone who wants to try Q-Feeds here are the installation instructions:

Log in via ssh as root (or using sudo), and run the following command:

pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-0.1_1.pkg
And for those who missed it, this is also the update command.

The manual can be found here: https://qfeeds.com/opnsense/ at the bottom of the page.

For those who want to check the source code, we've published that as well: GitHub

We're still very keen to receive your feedback in order to improve the product! Thank you in advance!

Kind regards,

David


Hello,

Installed it a few hours ago.
I first thought there was an error as I didn't see it in Services, and then noticed there was a new entry: "Security"

It loaded 475628 entries in __qfeeds_malware_ip alias.
I created 2 floating rules:
one on the wan interface
one on Lan and vlans interfaces
After 2 hours I have 58 events, all on the WAN interface.
These events have source IPs mainly from the USA, which are geo-filtered. I guess that is because the Q-Feeds rule is matched before the GeoIP rule.

What I don't understand is the count of IPs in the alias that don't match anything on the TIP dashboard.
On my TIP dashboard I have:

October 11, 2025, 11:51:01 AM #155 Last Edit: October 11, 2025, 11:58:31 AM by Q-Feeds
Quote from: caplam on October 11, 2025, 11:47:44 AM
Hello,

Installed it a few hours ago.
I first thought there was an error as I didn't see it in Services, and then noticed there was a new entry: "Security"

It loaded 475628 entries in __qfeeds_malware_ip alias.
I created 2 floating rules:
one on the wan interface
one on Lan and vlans interfaces
After 2 hours I have 58 events, all on the WAN interface.
These events have source IPs mainly from the USA, which are geo-filtered. I guess that is because the Q-Feeds rule is matched before the GeoIP rule.

What I don't understand is the count of IPs in the alias that don't match anything on the TIP dashboard.
On my TIP dashboard I have:


Yes that's a known issue, we will sort this out soon.


October 11, 2025, 12:44:14 PM #156 Last Edit: October 11, 2025, 12:48:40 PM by Seimus
Quote from: Q-Feeds on October 11, 2025, 09:48:36 AM
Yes the 50K is hardcoded because as you mentioned it takes some time and resources to parse the logs as for now.

Makes sense, but keep in mind that even those 50K can peg the CPU during load for some users, because not everybody is running official DEC HW or an N100.
I would suggest creating similar filtering as in the official logs. Basically we can filter from last day, week, month, all. This is also very good for Tshoots, or if I want to check back in history.

Would it be possible in the Events tab to also parse the Source and Destination port for each of those states, as well as the action taken (allow, drop, reject)? (if it does not cause extra load on the CPU)


-----

I would also like to propose another request; most likely you have it on your roadmap, but anyway.
We need more granular TI, PoC that are shown in TIP and polled into OPNsense. Currently all is under 3 categories, but I believe it would be more beneficial to have subcategories.

For example, we were doing some testing and found out that Q-Feeds blocks public VPN exit nodes such as Mullvad. Most likely this was because some user of it was doing something that got it flagged into the TI. However, this is to be expected as it's a public VPN exit node and it's shared; sadly it affects normal users as well, not only the malicious ones. So having a subcategory like VPNs would allow us to exclude it from blocking on the FW.

This as well goes hand in hand with whitelisting which would provide even more granular control within each category/subcategory.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
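As an added illustration of the event handling discussed above (the firewall-log parse behind the Events tab, the 50K cap, and the requested day/week/month filter with ports and action), here is a small parser in Python. It is example code, not the plugin's own; the log lines are constructed, and it assumes the rule label in the log carries a "qfeeds_" prefix, which is an assumption rather than how the plugin identifies its rules.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample lines (not real plugin output), loosely modelled on OPNsense's
# pf filterlog CSV with the syslog prefix reduced to an ISO timestamp. Assumed order:
# rulenr,subrulenr,anchor,label,interface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto,protoname,length,src,dst,srcport,dstport
SAMPLE_LOG = """\
2025-10-04T09:15:00 70,,,qfeeds_malware_ip_wan,igc0,match,block,in,4,0x0,,57,0,0,DF,17,udp,48,198.51.100.11,203.0.113.10,5353,5353
2025-10-11T08:01:12 70,,,qfeeds_malware_ip_wan,igc0,match,block,in,4,0x0,,57,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,51234,443
2025-10-11T08:02:40 71,,,qfeeds_malware_ip_lan,igc1,match,reject,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.9,49152,80
2025-10-11T08:03:05 5,,,default_pass,igc1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,1.1.1.1,49153,53
"""
NOW = datetime(2025, 10, 11, 12, 0, 0)  # constructed reference time for the sample
PERIODS = {"day": timedelta(days=1), "week": timedelta(weeks=1),
           "month": timedelta(days=30), "all": None}

def parse_line(line):
    """Split one log line into the fields an Events view would display."""
    stamp, _, record = line.partition(" ")
    fields = next(csv.reader([record]))
    if len(fields) < 22:  # truncated or non-TCP/UDP record: skip rather than crash
        return None
    return {"time": datetime.fromisoformat(stamp), "label": fields[3],
            "interface": fields[4], "action": fields[6], "proto": fields[16],
            "src": fields[18], "dst": fields[19],
            "sport": int(fields[20]), "dport": int(fields[21])}

def collect_events(log_text, label_prefix="qfeeds_", period="all",
                   now=None, max_events=50000):
    """Return hits on Q-Feeds rules, newest first, bounded by period and a cap."""
    now = now or datetime.now()
    cutoff = None if PERIODS[period] is None else now - PERIODS[period]
    events = []
    # The log is chronological, so walk it backwards: the cap then drops the oldest hits.
    for line in reversed(log_text.splitlines()):
        ev = parse_line(line)
        if ev is None or not ev["label"].startswith(label_prefix):
            continue
        if cutoff is not None and ev["time"] < cutoff:
            break  # older than the window; everything before it is older still
        events.append(ev)
        if len(events) >= max_events:
            break
    return events

def summarize(events):
    """Count hits per (interface, action) so WAN ingress blocks stay visible."""
    return Counter((ev["interface"], ev["action"]) for ev in events)
```

Walking the log backwards and stopping at the period cutoff is what keeps the cost bounded on a large log; on a real box the period should be the main lever, with the record cap as a safety net.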

October 11, 2025, 12:53:41 PM #157 Last Edit: October 11, 2025, 01:14:10 PM by Taunt9930
Finally got around to installing this, and bought a plus license. Nothing much to add beyond the feedback already given - very impressed!

Agree with Seimus' comments on VPN endpoints above.

I don't think I've seen a comment for these:

-The manual/setup instructions don't explicitly tell you to enable logging for the rules you set up - that might not be obvious for less experienced users.

-Also, when talking about Source/Destination and Block/Reject, it says "For your LAN (source) rule you could use Reject" - per the rule examples, is that not Rule 1 / Destination (rather than Source)?

How long before we might be able to utilise the Domains and URLs feeds in OPNsense?

Quote from: Q-Feeds on October 10, 2025, 11:16:15 PM
Quote from: Lurick on October 10, 2025, 09:44:48 PM
Quote from: Q-Feeds on October 10, 2025, 09:01:48 PM
!! Update !!

I have some great news!! We've finally been able to tackle the rate-limit issue. And we've made some major improvements to the plugin.

We've changed the logic of how the old rate limit works. Now we're introducing a data delay. The community license now has a 7-day data delay, the Plus license a 4-hour delay, and the Premium license is still the latest set. That said, you can (try to) pull the data as many times (within boundaries) as you want in a day; you will receive the dataset of 7 days / 4 hours / 20 minutes ago respectively. The update mechanism in the plugin automatically handles the right update time.

.....



Events page is empty and doesn't seem to load even though logging is enabled on the alias rules. I also noticed Events is on the menu but not in the tabs, overall though I look forward to testing this version going forward for the changes.

Well, it could take up to 30 seconds to load the actual events. The missing tab is interesting; I can't seem to reproduce that. Anyone else experiencing that?

Hmmm, interesting, here is a screenshot of what I see:

Looks like the plugin didn't load for you properly, did you try to clear cache in the browser?

Regards,
S.

Quote from: Seimus on October 11, 2025, 01:17:38 PM
Looks like the plugin didn't load for you properly, did you try to clear cache in the browser?

Regards,
S.

Yup, I even opened OPNsense in another browser, since I use Firefox, to be 1000% sure (Edge and Chrome in my case), and it always loads the same.

Are you using a custom theme? If yes disable it.

Regards,
S.

Nope, just the Cicada theme from OPNsense.
I did however try the stock OPNsense theme too, but with the same results, even after clearing cache and cookies in the browsers.
I also triple checked and no addons or anything are enabled either on the browsers.

Well, Cicada is a custom theme. But if you tried the stock one and got the same results, there is something wrong.

Check the system logs when you click on the Events TAB to see if they show something going wrong.

Regards,
S.

I wonder, I just installed the new package on top without removing the old package; could that have caused issues?
What's the best way to uninstall so I can reinstall?

Command:
pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-0.1_1.pkg