Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

October 14, 2025, 04:35:07 PM #225 Last Edit: October 14, 2025, 10:29:57 PM by Q-Feeds
Quote from: Patrick M. Hausen on October 14, 2025, 03:52:00 PM
Quote from: Maurice on October 14, 2025, 03:29:35 PMSecurity: Q-Feeds Connect: Events

Where exactly is that, please? OPNsense or TIP? Could not find it.

That's in the OPNsense plugin; we've released an update ;)  https://forum.opnsense.org/index.php?topic=49123.msg249660#msg249660

pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-1.1.pkg

Your Threat Intelligence Partner  qfeeds.com

!!   Another Update   !!

Today we launch another version including DNS (Unbound) support. For this to work you can set the setting in the Q-Feeds Plugin. It's also important that Unbound is enabled with Blocklists enabled as well. There's no need to select a list within the Unbound plugin but you can always select extra lists.

pkg add -f https://pkg.opnsense.org/distfiles/os-q-feeds-connector-1.1.pkg
We are also included in the business edition release of tomorrow. As the first launch you can find us with the 'community' plugins.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 14, 2025, 08:58:12 PMThere's no need to select a list within the Unbound plugin but you can always select extra lists.

The last part doesn't work for me. Registering the domain feed in the Q-Feeds plugin prevents the DNSBLs selected in Services: Unbound DNS: Blocklist: Type of DNSBL from getting added to /var/unbound/data/dnsbl.json. Q-Feeds seems to override the Unbound DNSBLs, not augment them.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Q-Feeds on October 14, 2025, 03:48:15 PM
QuoteThis could be improved - show both or show the identifier if the interface doesn't have a description.

Thanks for catching this!

This is now fixed in 1.1. The events list displays interface identifiers for interfaces without a description.

All events showing up twice is not fixed yet.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

All,
    I'm receiving the following error after updating to 1.1: Rate limit exceeded for company: xxxxx's Company on feed malware_ip
    I went to the tip.qfeeds.com site as I had disabled the rate limiting when I first installed for 5 minutes, looks like this option has been removed.
    Currently running on an HA pair, hopefully this isn't causing issues. I didn't use separate API keys for each node, should I configure a 2nd API key for the 2nd node?

Zz00mm

Quote from: Maurice on October 15, 2025, 04:38:47 AMThe last part doesn't work for me. Registering the domain feed in the Q-Feeds plugin prevents the DNSBLs selected in Services: Unbound DNS: Blocklist: Type of DNSBL from getting added to /var/unbound/data/dnsbl.json. Q-Feeds seems to override the Unbound DNSBLs, not augment them.

Thx for spotting this, will get working on it! We were able to reproduce it.

Your Threat Intelligence Partner  qfeeds.com

Quote from: zz00mm on October 15, 2025, 04:59:43 AMAll,
    I'm receiving the following error after updating to 1.1: Rate limit exceeded for company: xxxxx's Company on feed malware_ip
    I went to the tip.qfeeds.com site as I had disabled the rate limiting when I first installed for 5 minutes, looks like this option has been removed.
    Currently running on an HA pair, hopefully this isn't causing issues. I didn't use separate API keys for each node, should I configure a 2nd API key for the 2nd node?

Zz00mm

Hi zz00mm,

The best way is indeed to have a separate API key for the 2nd node. We did make some changes just now to the rate limits; it seemed that some accounts were too restrictive after our last change. If you send me your TIP username in a DM we can have a look at the logs.

Stefan

Your Threat Intelligence Partner  qfeeds.com

Quote from: Maurice on October 15, 2025, 04:52:53 AMThis is now fixed in 1.1. The events list displays interface identifiers for interfaces without a description.

All events showing up twice is not fixed yet.

Yes that's fixed indeed! We're investigating the double events although we're not able to reproduce yet.

Your Threat Intelligence Partner  qfeeds.com

Quick IP blocklist update

  • Filtering inbound on WAN
  • Free block lists: FireHOL (all levels), Spamhaus DROP and DROP6, "Herr Bischoff"
  • Sample: 1000 blocked connection attempts

Q-Feeds first:

  • Caught by Q-Feeds: 70%
  • Caught by the free lists: 30%

Free lists first:

  • Caught by the free lists: 93%
  • Caught by Q-Feeds: 7%

So the free lists block a lot more than Q-Feeds does. Which is not a measure of quality as has already been argued.

I will keep both in place.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
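Patrick's two orderings can be combined to separate the overlap from each list's unique contribution, since first-match attribution assigns a shared hit to whichever list is evaluated first. This is an added worked example, not code from the thread or the plugin; the percentages are the ones quoted above, applied to the stated sample of 1000 blocked attempts.

```python
def blocklist_partition(q_first_pct, free_first_pct, sample=1000):
    """Split blocked connections into Q-Feeds-only, free-lists-only and
    caught-by-both, given first-match attribution measured in both orders.

    q_first_pct   : share attributed to Q-Feeds when its rule is evaluated first
    free_first_pct: share attributed to the free lists when they are evaluated first
    """
    # When the free lists go first, anything left for Q-Feeds is on no free list.
    q_only = 100 - free_first_pct
    # When Q-Feeds goes first, anything left for the free lists is not in Q-Feeds.
    free_only = 100 - q_first_pct
    # Everything else was on both and simply went to whichever rule came first.
    both = 100 - q_only - free_only
    return {
        "q_only_pct": q_only,
        "free_only_pct": free_only,
        "both_pct": both,
        "q_only_hits": sample * q_only // 100,
        "free_only_hits": sample * free_only // 100,
        "both_hits": sample * both // 100,
    }

if __name__ == "__main__":
    # Figures quoted in the thread: Q-Feeds first 70/30, free lists first 93/7.
    print(blocklist_partition(q_first_pct=70, free_first_pct=93))
```

With the thread's numbers, 63% of the sample was on both sources, 30% only on the free lists and 7% only in Q-Feeds, which is the part the free lists would have missed.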

Quote from: Q-Feeds on October 15, 2025, 08:51:22 AMWe're investigating the double events although we're not able to reproduce yet.

Let me know if you need more details. The affected firewall rule is:

Interface: WAN (not floating)
Action: Block
Quick: Enabled
Direction: in
TCP/IP Version: IPv4+IPv6
Source: __qfeeds_malware_ip
Log: Enabled
Category: Q-Feeds

A typical match in Firewall: Log Files: Plain View looks like this:
66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,241,2711,0,none,6,tcp,44,202.93.142.22,10.0.0.194,62182,443,0,S,486549660,,1025,,mss
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on October 15, 2025, 11:43:35 AM
Quote from: Q-Feeds on October 15, 2025, 08:51:22 AMWe're investigating the double events although we're not able to reproduce yet.

Let me know if you need more details. The affected firewall rule is:

Interface: WAN (not floating)
Action: Block
Quick: Enabled
Direction: in
TCP/IP Version: IPv4+IPv6
Source: __qfeeds_malware_ip
Log: Enabled
Category: Q-Feeds

A typical match in Firewall: Log Files: Plain View looks like this:
66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,241,2711,0,none,6,tcp,44,202.93.142.22,10.0.0.194,62182,443,0,S,486549660,,1025,,mss

Does this command also output duplicates?
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs

I see a lot of "duplicate" hits as well but that's the nature of networking and retries, in my case it happens sometimes with 8 hits after each other. But they don't seem to be displayed 'twice' if you understand what I mean.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Patrick M. Hausen on October 15, 2025, 11:20:54 AMQuick IP blocklist update

  • Filtering inbound on WAN
  • Free block lists: FireHOL (all levels), Spamhaus DROP and DROP6, "Herr Bischoff"
  • Sample: 1000 blocked connection attempts

Q-Feeds first:

  • Caught by Q-Feeds: 70%
  • Caught by the free lists: 30%

Free lists first:

  • Caught by the free lists: 93%
  • Caught by Q-Feeds: 7%

So the free lists block a lot more than Q-Feeds does. Which is not a measure of quality as has already been argued.

I will keep both in place.

Nice Patrick! Thank you for these insights!

Your Threat Intelligence Partner  qfeeds.com

Yes, qfeedsctl.py logs also outputs duplicates. Not sometimes, but always. And always exactly two times the same entry, never more.

I'm pretty sure this happens when the Q-Feeds plugin parses the firewall logs; the raw logs in /var/log/filter/ don't contain duplicates.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
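A quick way to check Maurice's observation (every entry exactly twice, none in the raw filter log) is to parse the comma-separated filterlog lines in the layout of the sample quoted above and count identical records. This is an added example, not code from the plugin or from qfeedsctl.py; the field names follow the IPv4/TCP column order visible in the sample line, and the log lines below are constructed with documentation addresses.

```python
import csv
from collections import Counter
from io import StringIO

# Column names for the IPv4/TCP layout of an OPNsense filterlog line,
# matching the 29 fields of the sample line quoted in the thread.
FIELDS = ["rulenr", "subrulenr", "anchor", "label", "interface", "reason",
          "action", "dir", "ipversion", "tos", "ecn", "ttl", "id", "offset",
          "flags", "protonum", "protoname", "length", "src", "dst",
          "srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
          "window", "urg", "options"]

def parse_filterlog(text):
    """Parse bare filterlog CSV lines (as shown in Plain View) into dicts."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if rec:
            rows.append(dict(zip(FIELDS, rec)))
    return rows

def duplicate_counts(rows):
    """Return {record-as-tuple: count} for records that appear more than once."""
    counts = Counter(tuple(sorted(r.items())) for r in rows)
    return {k: n for k, n in counts.items() if n > 1}

def exactly_doubled(rows):
    """True when every distinct record appears exactly twice (the reported symptom)."""
    counts = Counter(tuple(sorted(r.items())) for r in rows)
    return bool(counts) and all(n == 2 for n in counts.values())

# Constructed sample: three distinct block events in the quoted format.
RAW_LOG = """\
66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,241,2711,0,none,6,tcp,44,198.51.100.7,10.0.0.194,62182,443,0,S,486549660,,1025,,mss
66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,52,8103,0,none,6,tcp,40,203.0.113.9,10.0.0.194,41022,22,0,S,11223344,,64240,,
66,,,22be69e209c065d36d4e0f11865de1dd,vtnet0,match,block,in,4,0x0,,118,4410,0,none,6,tcp,44,192.0.2.33,10.0.0.194,50555,3389,0,S,99887766,,8192,,mss
"""
# What the plugin's events view was reported to show: each line repeated once.
PLUGIN_OUTPUT = "".join(line + "\n" + line + "\n" for line in RAW_LOG.splitlines())

if __name__ == "__main__":
    print("raw duplicates:", len(duplicate_counts(parse_filterlog(RAW_LOG))))
    print("plugin doubled:", exactly_doubled(parse_filterlog(PLUGIN_OUTPUT)))
```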

Quote from: Maurice on October 15, 2025, 06:18:50 PMYes, qfeedsctl.py logs also outputs duplicates. Not sometimes, but always. And always exactly two times the same entry, never more.

I'm pretty sure this happens when the Q-Feeds plugin parses the firewall logs; the raw logs in /var/log/filter/ don't contain duplicates.

Thanks a lot! We've found it, and apparently I was looking at the same behavior all the time, but in my case it was x6 because of multiple interfaces in my rule. That said, we will make sure it's solved in the next release. FYI: https://github.com/opnsense/plugins/commit/9432d3e4d906c0b039fc400ab691342c9a1a7f70

Quote from: Maurice on October 15, 2025, 04:38:47 AM
Quote from: Q-Feeds on October 14, 2025, 08:58:12 PMThere's no need to select a list within the Unbound plugin but you can always select extra lists.

The last part doesn't work for me. Registering the domain feed in the Q-Feeds plugin prevents the DNSBLs selected in Services: Unbound DNS: Blocklist: Type of DNSBL from getting added to /var/unbound/data/dnsbl.json. Q-Feeds seems to override the Unbound DNSBLs, not augment them.

And thanks a lot for this one as well! Will be solved in the next release as well: https://github.com/opnsense/plugins/pull/4979

Your Threat Intelligence Partner  qfeeds.com

October 16, 2025, 02:26:28 PM #239 Last Edit: October 16, 2025, 05:35:50 PM by Q-Feeds
Here you can find the latest package with the bug fixes for Unbound and the Events page:

pkg add -f https://qfeeds.com/os-q-feeds-connector-1.1_2.pkg
For those new:

Login via ssh as root (or using sudo), and run the command above.
The manual can be found here: https://qfeeds.com/opnsense/ on the bottom of the page.

(The DNS instructions will be added soon)

Your Threat Intelligence Partner  qfeeds.com