Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Why is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when everything has already been applied?

A query for anyone knowledgeable rather than specifically for Q-Feeds:
In some of the Events lines I was a little surprised to see an RFC1918 address as the destination rather than the usual external IP. While Opnsense blocks these anyway, it implies an internal address has leaked. Would BIND DNS answer such a query from the outside when the only useful answer is the external IP? Is my BIND in a knot? Is there some other interpretation? My Q-Feeds rules are standard, blocking malware sources on WAN only, malware destinations from internal LANs only.

For clarification, I now use Unbound for all internal DNS queries including redirection to the server while BIND on the server is the source for my domain address (external query).
Deciso DEC697

Quote from: passeri on October 12, 2025, 03:32:25 AM
Having worked through my process mentioned earlier, I have Q-Feeds working on my edge Opnsense on 25.7.5, and blocking stuff, apparently usefully. Now to questions around purchasing.

I notice on the Q-Feeds dashboard that I have access to Premium IPs, Domains, and URLs. The first of those, IPs, is available in the Plus (99€) package but URLs and Domains require the full Premium package, 249€. That is, after a Plus purchase and expiry of the testing phase, blocking will be worse than it is now. Is it possible to distinguish what proportion of current blocks are based on which list (/ tier)?

The tier for Plus includes support and allows 1-49 users, more people than the average family. Have you considered a tier without support for 1-5 users, a common home setup and licensing tier?

Hi Passeri,

Thanks for your feedback!

As of now the widget on the TIP is broken. The number of IOCs shown does not represent the actual number of IOCs delivered, and it shows premium to anyone; this is a known issue. So if you haven't bought a license you're most likely on the community edition.

At the moment that is not possible, but I think it's great feedback to split them up; we'll take it into consideration. That said, premium doesn't automatically mean more blocks, but it does contain fresher and, in most cases, more severe IOCs. Think about APT groups and those kinds of threats.

At what price point do you think such a package should be? And then only including Premium IP, no threat lookup and support?

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 12, 2025, 09:57:05 AM
Hi Passeri,

Thanks for your feedback!

As of now the widget on the TIP is broken. The number of IOCs shown does not represent the actual number of IOCs delivered, and it shows premium to anyone; this is a known issue. So if you haven't bought a license you're most likely on the community edition.

At the moment that is not possible, but I think it's great feedback to split them up; we'll take it into consideration. That said, premium doesn't automatically mean more blocks, but it does contain fresher and, in most cases, more severe IOCs. Think about APT groups and those kinds of threats.

At what price point do you think such a package should be? And then only including Premium IP, no threat lookup and support?
I assumed threat lookup would be included. Without it, 15€, with it 40€, no support, limit of 5 users but how would that be counted, I realise. That means (with threat lookup) your own benefit amounts only to the support load avoided. I fear my idea is sinking fast. :-)
Deciso DEC697

Quote from: passeri on October 12, 2025, 10:31:56 AM
I assumed threat lookup would be included. Without it, 15€, with it 40€, no support, limit of 5 users but how would that be counted, I realise. That means (with threat lookup) your own benefit amounts only to the support load avoided. I fear my idea is sinking fast. :-)

I get it, but I'm afraid we keep it this way. We do have our costs for the paid feeds as well, which are defined per user package. The benefit is that you can invite a lot of people on your guest network within the Plus package :-)

Btw, we've repaired the widgets, so the number showing in the TIP should correspond with the widget on your OPNsense instance.

Your Threat Intelligence Partner  qfeeds.com

Quote from: passeri on October 12, 2025, 03:48:28 AM
In some of the Events lines I was a little surprised to see an RFC1918 address as the destination rather than the usual external IP.

Check your rule set. NAT rules are applied before filter rules! So an inbound NAT port forward, maybe?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
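The NAT-before-filter ordering mentioned above, as an added illustration that is not from the thread or from OPNsense's code: a two-stage model where an inbound port forward rewrites the destination first, so a block on a listed source is logged with the internal (RFC1918) address rather than the public one. The public IP, the forward target and the listed source are constructed placeholder values.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample values (not from the thread): a documentation-range
# public IP, one port forward, and one entry in a "malware sources" alias.
PUBLIC_IP = "203.0.113.10"
MALICIOUS_SOURCES = {"198.51.100.77"}
# (interface, public destination, destination port) -> internal host
PORT_FORWARDS = {("wan", PUBLIC_IP, 443): "192.168.1.20"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "wan"


def apply_nat(pkt: Packet) -> Packet:
    """Stage 1: an inbound port forward rewrites the destination address."""
    target = PORT_FORWARDS.get((pkt.iface, pkt.dst, pkt.dport))
    return replace(pkt, dst=target) if target else pkt


def filter_packet(pkt: Packet) -> dict:
    """Stage 2: 'block malware sources on WAN', evaluated on the post-NAT packet."""
    blocked = pkt.iface == "wan" and pkt.src in MALICIOUS_SOURCES
    # The logged event carries whatever destination the packet has *now*.
    return {"action": "block" if blocked else "pass",
            "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}


def process(pkt: Packet) -> dict:
    """NAT first, then filter: the order that explains the surprising event line."""
    return filter_packet(apply_nat(pkt))


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    for port in (443, 22):  # 443 is forwarded, 22 is not
        ev = process(Packet(src="198.51.100.77", dst=PUBLIC_IP, dport=port))
        print(f"port {port}: {ev['action']} src={ev['src']} dst={ev['dst']} "
              f"rfc1918_dst={is_rfc1918(ev['dst'])}")
```

Comparing the two event lines shows the tell-tale pattern: only traffic hitting a forwarded port is logged with the private destination.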

I'm very interested in any new capabilities that can enhance security, but looking to understand this a little better for home network use and value before I try it out.

The paid version gives proprietary, professional feeds which is great... For the free version it utilizes strictly open source feeds, correct? If so, which open source feeds are being utilized (I couldn't find it in the Q-Feeds knowledge center)? What is the added value in using a Q-Feeds plugin to manage this rather than adding these firewall and dns block lists yourself, separately without a plugin?

Quote from: irrenarzt on October 12, 2025, 03:24:59 PM
I'm very interested in any new capabilities that can enhance security, but looking to understand this a little better for home network use and value before I try it out.

The paid version gives proprietary, professional feeds which is great... For the free version it utilizes strictly open source feeds, correct? If so, which open source feeds are being utilized (I couldn't find it in the Q-Feeds knowledge center)? What is the added value in using a Q-Feeds plugin to manage this rather than adding these firewall and dns block lists yourself, separately without a plugin?

That would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

We also look at how frequently a specific IOC, for example, appears across our sources. If it's found everywhere, we usually don't include it. Not because it's harmless, but because it's already covered by all the other solutions, like your browser or antivirus. So adding it again wouldn't add any real value. These and many other correlations help shape the curated feed we deliver.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PM
but because it's already covered by all the other solutions, like your browser or antivirus

Haha, not sure about others, but Linux user here (servers, desktops, and I would put it on my dog if he supported it) ;). Also, antivirus programs today are more like spyware...

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on October 12, 2025, 05:30:25 PM
Quote from: Q-Feeds on October 12, 2025, 05:00:50 PM
but because it's already covered by all the other solutions, like your browser or antivirus

Haha, not sure about others, but Linux user here (servers, desktops, and I would put it on my dog if he supported it) ;). Also, antivirus programs today are more like spyware...

Regards,
S.

True, Linux is generally more secure and less targeted than Windows but it's definitely not immune.
There are plenty of active threats targeting Linux servers today, especially in the context of botnets and cryptominers. For example:
  • Mirai and variants: brute-forcing SSH or exploiting weak IoT setups.
  • Kinsing / P2PInfect: abusing Docker and Redis misconfigurations to deploy cryptominers.
  • Kaiji and Tsunami: malware families designed specifically for Linux to perform DDoS attacks.
  • QNAPCrypt / RansomEXX: ransomware that encrypts data on Linux systems.

Q-Feeds helps block the command-and-control servers, download URLs, and malicious IPs tied to these campaigns before they can interact with your systems. So even for hardened Linux setups, there's a value in filtering known bad traffic at the network layer.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 12, 2025, 11:14:56 PM
So even for hardened Linux setups, there's a value in filtering known bad traffic at the network layer.

Not arguing about that; it's one of the reasons why many of us are running FWs like OPNsense at home, or DNS blackholes like PiHole & Adguard ~ granularity and control.

That's why Q-Feeds is an interesting addition. Proactive prevention is better than reactive action.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Patrick M. Hausen on October 12, 2025, 02:00:57 PM
Quote from: passeri on October 12, 2025, 03:48:28 AM
In some of the Events lines I was a little surprised to see an RFC1918 address as the destination rather than the usual external IP.

Check your rule set. NAT rules are applied before filter rules! So an inbound NAT port forward, maybe?

I checked all NAT rules carefully and they seem good, allowing only certain ports specifically on the public IP. In general terms all my rules are whitelist over default deny. I will do a second tracing later today.

This is not a Q-Feeds thing so I will raise anything else about it elsewhere. The "problem" (given all such attacks are blocked anyway) could simply arise from an internal address leaking in some other e-mailed document at some point over the last 25 years during which that address has existed.
Deciso DEC697

This earlier query from me has no response from Q-Feeds yet.
Quote from: passeri on October 12, 2025, 03:48:28 AM
Why is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when changes have already been applied?
Deciso DEC697

Having logged in to Q-Feeds web page I purchased a one year licence. At the top of the checkout page it invited me to login if I had purchased anything before. I had not, and had already logged in, so I proceeded, to find that I have now been sent a new account login.

Firstly you need a warning that being logged in does not mean the payment page thinks you are logged in. Secondly, please mention that getting a community key for testing represents a "purchase".

I will e-mail about trying to get the new account merged into the old.
Deciso DEC697

Quote from: passeri on October 13, 2025, 12:58:44 AM
This earlier query from me has no response from Q-Feeds yet.
Quote from: passeri on October 12, 2025, 03:48:28 AM
Why is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when changes have already been applied?

In all modern pages the Apply button does not disappear after an apply; that's intentional design.
Hardware:
DEC740

If I open Rules, for example, no Apply button appears. If I create or modify a rule, then I can Save or Cancel. Afterwards, "Apply changes" appears.

Having Apply when there has been no change is not currently uniform practice and brings no advantage I can observe, whereas it can add confusion in that it implies that something changed, which might or might not be true.
Deciso DEC697