Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Quote from: Patrick M. Hausen on October 06, 2025, 09:06:01 PM
Same same ... some threat report, i.e. which IP addresses were blocked and why, is definitely called for to make this a product. Check out crowdsec for reference. I only dropped crowdsec because the free block lists are a joke and paid subscription starts at something around 90$ per month which is a no-brainer for a company, but definitely too much for a home lab.

I just jumped in and spent the 100 for the plus license to get this project going. I hope they deliver :-)

Thank you, Patrick!
We really appreciate your support and don't worry, we won't let you down! :)

Your Threat Intelligence Partner qfeeds.com

I'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

Quote from: cookiemonster on October 06, 2025, 10:34:43 PM
I'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

The more, the merrier! :) Details are in your inbox.

Your Threat Intelligence Partner qfeeds.com

Quote from: Q-Feeds on October 06, 2025, 10:41:47 PM
Quote from: cookiemonster on October 06, 2025, 10:34:43 PM
I'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

The more, the merrier! :) Details are in your inbox.

Got them. Thanks!

Quote from: Seimus on October 06, 2025, 08:17:09 PM
This is just a brief, very short initial sum-up; I don't have (yet) access to the other features in TIP.


The Good:
1. easy to install
2. easy to deploy
3. easy to manage
4. Huge list of OSINT based entries (actually this surprised me)

.................

Wow thanks so much for the great list of feedback! Here's our response:

Documentation:
Noted! We agree and will update this soon.

Q-Feeds Plugin:
Auto deployment is listed on the wishlist
Whitelisting as well
Feed choice as well

Widget:
Totally agree as well, will be updated with better stats as well.


Miscs:
False positive reporting is now done with the support feature in the TIP but I agree we could improve this. Noted!

TIP:
Regarding the strange logs: unfortunately we weren't able to reproduce this, but we're very keen to hear if other users had the same experience.


The requested:
1. Noted!
2. That could be a great way to implement whitelisting, thanks! We will discuss this with the developers at Deciso as well.
3. I'm afraid this one is for the long term. The main reason is maintainability, since we support other firewall, SIEM, SOAR, EDR/XDR etc. platforms as well. But as we grow we can do more ;)
4. Noted, again will discuss this with Deciso as well.
5. Agree! We will also implement a function which provides an option to limit the number of IOCs for devices with less memory.

Widget:
1. Yes!


Miscs:
1. Noted, will improve this on short notice!
2. Great feature request, and totally agree as well! You're filling our backlog :)
3. We don't have a public roadmap (yet) but I'm sure that we will implement most of the suggestions in this topic. At the moment for OPNsense and our product we're in a very early beta phase, we'll keep you posted ;)
4. That's already the case.

Thank you very much for your long list! I've added it to our (already long) feedback list and we will keep you posted.

Kind regards,

David

Your Threat Intelligence Partner qfeeds.com

Quote from: Patrick M. Hausen on October 06, 2025, 09:06:01 PM
Same same ... some threat report, i.e. which IP addresses were blocked and why, is definitely called for to make this a product. Check out crowdsec for reference. I only dropped crowdsec because the free block lists are a joke and paid subscription starts at something around 90$ per month which is a no-brainer for a company, but definitely too much for a home lab.

I just jumped in and spent the 100 for the plus license to get this project going. I hope they deliver :-)

First of all thanks for your support!

With the plus license you can use the Threat Lookup function to check your hits. We don't collect the hits on your firewall though, so currently you should copy the IOC from the logs into Threat Lookup to gather more context about why an IP is in our TI. We've added an integration to the wishlist within the plugin, but it won't be on the short list for now.

Kind regards,

David

Your Threat Intelligence Partner qfeeds.com

Quote from: Q-Feeds on October 06, 2025, 11:10:47 PM
Thank you very much for your long list! I've added it to our (already long) feedback list and we will keep you posted.

Kind regards,

David


Same here, thank you for replying to each individual question/point, it feels refreshing. These days getting straight answers from vendors is painful (anyone who has experience with enterprise-based TAC cases knows the feeling).

Quote from: Q-Feeds on October 06, 2025, 11:22:51 PM
With the plus license you can use the Threat Lookup function to check your hits. We don't collect the hits on your firewall though so currently you should copy the IOC from the logs into Threat Lookup to gather more context about why an IP is in our TI. We've added an integration to the wishlist within the plugin but it won't be on the short list for now.

Kind regards,

David

While it is awesome that you don't collect any information about what was hit (I feel this is a strong selling point as well), keep in mind that the Community License doesn't have this feature enabled. And I see a problem here and a possible flood of user tickets, on the forum or the portal.

There is a use case to consider:

If a user with the free Community license starts to see a block for a particular Destination, there is no possibility to check why that is the case, as the IoC lookup is not available to them. This can cause a significant amount of tickets either on your end or on the OPNsense forum end.
Would you maybe consider allowing IoC lookup for the Community license as well, but limited to, say, 5 lookups per day?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Or N/week, given the Community licence works on a weekly update cycle.
Deciso DEC697