Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

The apply button vanishes in non-MVC pages like interfaces and the firewall rules.

But if you check the new Firewall - Automation - Filter or any other new page (dnsmasq, kea, ipsec connections, openvpn, wireguard...) the apply button is always there.
Hardware:
DEC740

Quote from: passeri on October 12, 2025, 03:48:28 AM
Why is it that on each tab under Q-Feeds Connect the APPLY button is highlighted when changes have already been applied?

As Cedrik pointed out, this is in most cases the OPNsense standard. That said, on the 'Feeds' and 'Events' tabs it doesn't make sense to show an apply button since there's nothing to apply anyway.

Your Threat Intelligence Partner  qfeeds.com

Quote from: passeri on October 13, 2025, 03:04:22 AM
Having logged in to Q-Feeds web page I purchased a one year licence. At the top of the checkout page it invited me to login if I had purchased anything before. I had not, and had already logged in, so I proceeded, to find that I have now been sent a new account login.

Firstly you need a warning that being logged in does not mean the payment page thinks you are logged in. Secondly, please mention that getting a community key for testing represents a "purchase".

I will e-mail about trying to get the new account merged into the old.

Hi Passeri,

This is great feedback and sorry for the confusion about the account creation. The website and checkout pages are currently not using the same login system as the TIP, that's why a new account was created. We will look into this!

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 13, 2025, 08:09:44 AM
Hi Passeri,

This is great feedback and sorry for the confusion about the account creation. The website and checkout pages are currently not using the same login system as the TIP, that's why a new account was created. We will look into this!

All is installed and working thank you.
Deciso DEC697

Quote from: Monviech (Cedrik) on October 13, 2025, 06:35:46 AM
The apply button vanishes in non-MVC pages like interfaces and the firewall rules.

But if you check the new Firewall - Automation - Filter or any other new page (dnsmasq, kea, ipsec connections, openvpn, wireguard...) the apply button is always there.
Yes, but my query is why? I am simply curious. What problem is solved by having Apply ever-present and active regardless of relevance? The risks might be mild, over-use with sometimes long delays for superfluous updates, or more severe, neglecting to use it when needed. These are avoidable on the traditional basis that Save appears (or is enabled) when necessary and not otherwise, a useful flag.

If the new paradigm were to make it ever-present then there ought to be a flag on each such page to indicate whether the page is dirty.
Deciso DEC697

Hello,

Can you add me also to your testers list?

Thanks

Quote from: mschaeffler on October 13, 2025, 11:17:55 AM
Hello,

Can you add me also to your testers list?

Thanks

It is already open. Here are instructions: https://forum.opnsense.org/index.php?msg=249660
Deciso DEC697

Hello, excuse me if this is a stupid question but can you please explain why for the LAN firewall rule the direction is IN?

Thanks!

Because a packet from a host on the LAN network is coming IN to the firewall through the LAN interface. IN and OUT are from the interface point of view.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Security: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)

OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on October 13, 2025, 07:13:55 PM
Security: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)

I am seeing the same, no interface and every event twice.

Quote from: Patrick M. Hausen on October 13, 2025, 06:56:43 PM
Because a packet from a host on the LAN network is coming IN to the firewall through the LAN interface. IN and OUT are from the interface point of view.
Thanks Patrick!

Quote from: Q-Feeds on October 12, 2025, 05:00:50 PM
That would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

I used to block via freely available lists and now that I activated your plugin I put that "block based on free lists" rule after the Q-Feeds one.

Result: for 100 blocked connections 72 are caught by Q-Feeds and still 28 by the free lists.

My free lists are:

FireHOL1
FireHOL2
FireHOL3
Spamhaus DROP
Spamhaus DROP6
Herr Bischoff's IP blocklist (https://ipbl.herrbischoff.com/list.txt)

Surprised at least FireHOL and Spamhaus are apparently not included in your feed?

Kind regards,
Patrick

P.S. I can send you a list of addresses if you want to investigate. And of course these numbers vary a bit over time, but roughly 25-30% make it past your feed and are caught by my other block lists.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
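The comparison described in the post above (one feed rule first, the free-list rule after it) can be reproduced offline to see which blocked sources only the later lists cover. This is an added example, not code from the thread or from the Q-Feeds plugin; it assumes both lists are available as plain text with one address or CIDR per line, and the list names and sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed samples (documentation address ranges), not real indicators.
FEED = "# constructed primary feed\n198.51.100.0/24\n203.0.113.7\n"
FREE = ("; constructed, with ';' comments as in Spamhaus DROP text files\n"
        "192.0.2.0/25 ; SBL-PLACEHOLDER\n203.0.113.0/24\n2001:db8:bad::/48\n")
BLOCKED = ["198.51.100.23", "203.0.113.7", "203.0.113.99",
           "192.0.2.5", "2001:db8:bad::1"]

def parse_blocklist(text):
    """Parse one address or CIDR per line; '#' and ';' start comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip malformed lines instead of aborting the comparison
    return nets

def first_match(addr, ordered_lists):
    """Name of the first list containing addr, mirroring firewall rule order."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ordered_lists:
        if any(ip.version == n.version and ip in n for n in nets):
            return name
    return None

def attribute(sources, ordered_lists):
    """Count hits per list and collect sources that got past the first list."""
    hits, passed_first = Counter(), []
    first_name = ordered_lists[0][0]
    for addr in sources:
        name = first_match(addr, ordered_lists)
        hits[name] += 1
        if name not in (None, first_name):
            passed_first.append(addr)
    return hits, passed_first

def demo():
    ordered = [("feed", parse_blocklist(FEED)),
               ("free-lists", parse_blocklist(FREE))]
    return attribute(BLOCKED, ordered)

if __name__ == "__main__":
    hits, passed = demo()
    print(dict(hits))
    print("only covered by later lists:", passed)
```

The `passed_first` list is the set of addresses worth sending to the feed maintainer for investigation.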

Quote from: Maurice on October 13, 2025, 07:13:55 PM
Security: Q-Feeds Connect: Events shows every event twice. Also, the interface column is empty.

(Sorry if this is a known issue, just started testing Q-Feeds and didn't read all 200+ comments.)


Quote from: wbennett on October 13, 2025, 07:40:42 PM
I am seeing the same, no interface and every event twice.

Well it wasn't known, so thank you for reporting!

Your Threat Intelligence Partner  qfeeds.com

Quote from: Patrick M. Hausen on October 13, 2025, 08:22:13 PM
Quote from: Q-Feeds on October 12, 2025, 05:00:50 PM
That would be a list of more than 2,300 sources and it's still growing. It's not purely OSINT, and it also includes our own proprietary sources, such as data from our honeypots. The real value is in the work we've already done, filtering out false positives and prioritizing the data. Simply adding raw OSINT feeds often leads to tons of false positives and unnecessary IOCs clogging your memory.

P.S. I can send you a list of addresses if you want to investigate. And of course these numbers vary a bit over time, but roughly 25-30% make it past your feed and are caught by my other block lists.

It would definitely be interesting to see which IOCs got past our lists. As mentioned, we do quite some processing on all the feeds we have, so maybe we need to make some adjustments. Or maybe they're not interesting enough :) Happy to investigate!

Your Threat Intelligence Partner  qfeeds.com