Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

October 07, 2025, 12:18:46 PM #90 Last Edit: October 07, 2025, 12:29:42 PM by Q-Feeds
Quote from: Kets_One on October 07, 2025, 11:54:03 AM
Hi David/Stefan,

Please find a few additional comments/questions on the plugin below.
1. How is the update process of the IoC list handled? Does it handle its own updates? How does the plugin know how often it can request updates?
Or are updates managed through the regular cron job for update of aliases under the System->Settings->cron? If so, how does the run frequency of that job relate to the update frequency enforced by the License?
2. I tried to lookup a few IoC IP-addresses via Threat Lookup and some lookups were successful, but for others I got an error or were not found.

Hi Kets_one,

The update process is indeed handled by the plugin. So when you save the api-token in the GUI it will first contact an API endpoint on our end which provides information about which feeds are available and at which times the feeds should be updated according to the license. If you hit the save button multiple times you might get a rate limit error (which we will improve) due to the fact that the plugin then tries to force refresh the feed while it shouldn't.

For the lookup function I'll try to reproduce it, I can see your lookup history in the server logs and will address it soon.

Kind regards,

David

Your Threat Intelligence Partner  qfeeds.com

October 07, 2025, 03:20:54 PM #91 Last Edit: October 07, 2025, 03:43:21 PM by Q-Feeds
The enthusiasm and amount of feedback positively overwhelmed us, thank you so much!
To give an overview of what we did with your feedback this far:

Done this far:
  • Improved the documentation
    • Realigned text and screenshots
    • Improved text
    • Added and updated screenshots for more clarity
  • Added False Positive reporting functionality to the TIP
    • Including tracking and notifications
  • Added possibility to add descriptions with API-token
  • Fixed a lot of bugs:
    • TIP reports page
    • TIP Company details page
    • TIP Account details page
    • Multiple textual improvements
    • Improved color scheme dark/light mode
    • TIP Account details page
    • + some more

Still on the feedback list:
  • Plugin
    • Better error handling rate limit notification
    • Better error handling expired license notice
    • Ability to set refresh rate
    • Ability to set number of IOC limit
    • Add support DNS/URL natively
    • Whitelist functionality
    • Improve reporting on hits
    • Auto deploy floating rules
    • Give the plugin a separate 'security' category in the menu instead of 'services'
    • Integrate TIP functionality with plugin (not likely to happen)
  • Widget:
    • Improve overall look and feel
    • Add stats like top talkers, next update etc.
  • TIP
    • Consider limited amount of lookups for Community version
  • + many many more ;)

We can't promise timelines for all items, but we'll do our best to address as many as possible as soon as we can. This list mainly reflects the feedback we've received so far. It's not a complete overview, there's still a lot more great stuff coming up.

The call for testers is still open and if you have anything to add, let us know!

Your Threat Intelligence Partner  qfeeds.com

I'm open for testing this, I have 3 diff firewalls with varying levels and types of traffic.

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM
The enthusiasm and amount of feedback positively overwhelmed us, thank you so much!
To give an overview of what we did with your feedback this far:
[...]

My initial impression of the app so far is positive; I'll highlight the few things. I really like the simplicity of the install, it kind of reminds me of Maltrail. It's lightweight, which is good for those who are not running something like an R620 or equivalent for home use. So far no stability issues on a net that is around 500mb down. Overall for home use I feel it's better than CrowdSec and Suricata/Snort. I have used most of them: Snort, Suricata, CrowdSec, Maltrail and Zenarmor. If you want me to compare them, Qfeeds is by far the lightest and simplest compared to those. I do have a few questions, not sure if they've been said. Will there be ASN lookup or any way to look up and get info on the particular address? Second, for the updates, is that a hard limit of 7 days? I feel that should be 3-4 days, just my opinion. I do realize the OPNsense logging dictates what the addon can do.

October 07, 2025, 04:43:25 PM #94 Last Edit: October 07, 2025, 05:06:38 PM by Patrick M. Hausen
Quote from: Q-Feeds on October 07, 2025, 12:12:53 PM
Well the easiest method is to use the live view with a template. Downside is that it's live; and doesn't show history.
[...]
There are also a lot of possibilities to use external reporting, logging tools but that's another topic.

I do understand this is not very convenient and will add it to the list to further improve. For now it's a bit bound to how OPNsense handles the logging.

I understand now. Since your service only updates that block list alias, there is of course no mechanism to report back. I did not use firewall rule logging until now.

The "Overview" looks good, showing IP addresses, ports, etc.

I'll check if the blocked packets end up in netflow even if there is never a flow established, really. If yes, I can create an ElastiFlow dashboard.

Thanks!
Patrick

Update: no netflow for blocked connections. Makes sense 😉
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: danderson on October 07, 2025, 03:53:46 PM
I'm open for testing this, I have 3 diff firewalls with varying levels and types of traffic.

Thanks, and that sounds like a very nice test case, I've sent you a PM!

Stefan.

Your Threat Intelligence Partner  qfeeds.com

Quote from: dan786 on October 07, 2025, 04:15:26 PM
My initial impression of the app so far is positive; I'll highlight the few things. I really like the simplicity of the install, it kind of reminds me of Maltrail. It's lightweight, which is good for those who are not running something like an R620 or equivalent for home use. So far no stability issues on a net that is around 500mb down. Overall for home use I feel it's better than CrowdSec and Suricata/Snort. I have used most of them: Snort, Suricata, CrowdSec, Maltrail and Zenarmor. If you want me to compare them, Qfeeds is by far the lightest and simplest compared to those. I do have a few questions, not sure if they've been said. Will there be ASN lookup or any way to look up and get info on the particular address? Second, for the updates, is that a hard limit of 7 days? I feel that should be 3-4 days, just my opinion. I do realize the OPNsense logging dictates what the addon can do.

Thank you so much for your kind words and nice review!
ASN lookup and other IOC context are available in the TIP through Threat Lookup (for Plus and Premium licenses only).
I totally understand it would be great to have less strict refresh rates and features. Unfortunately, we can't offer that for free at the moment. Maybe once we have a bit more resources, we can loosen things up a little.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Patrick M. Hausen on October 07, 2025, 04:43:25 PM
I understand now. Since your service only updates that block list alias, there is of course no mechanism to report back. I did not use firewall rule logging until now.

The "Overview" looks good, showing IP addresses, ports, etc.

I'll check if the blocked packets end up in netflow even if there is never a flow established, really. If yes, I can create an ElastiFlow dashboard.

Thanks!
Patrick

Exactly! We've decided to collect only the data that's strictly necessary for the service to work. We believe that it's not up to us to see which connections you (willingly or not) make.  Combined with our European (Dutch) roots, we hope this approach could make a real difference for some decision-makers. The downside, however, is that we can't offer those fancy all-in-one portals :) . On the other hand, as you've proven, there are plenty of possibilities to handle the logging locally.

Thanks,

Stefan

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM
  • Improved the documentation
    • Realigned text and screenshots
    • Improved text
    • Added and updated screenshots for more clarity

The docs look much better now, but you made a bit of a mistake.

Quote
• Interface
o Select the interfaces on which you would like to block the connections. In this example we chose to use both LAN for outbound and for incoming WAN. While you could select multiple interfaces for either the inbound or outbound rule.

Both of your rules in the pictures are for INBOUND for LAN as well as WAN (as it should be); please correct this text to reflect that. This could reinforce the idea that the rule for LAN should be OUT instead of IN.

I think it should be worded like this:

Quote
o Select the interfaces on which you would like to block the connections. While you could select multiple interfaces, in this example we chose to use both LAN (towards Q-feeds destination) & WAN (from Q-feeds source) for INBOUND blocking.

-------------

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM
  • Added False Positive reporting functionality to the TIP
    • Including tracking and notifications

This looks really nice in TIP! Is this available as well for the Community license?

-------------

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM
Added possibility to add descriptions with API-token

This doesn't work for me: I changed the description, I got a success pop-up, but it's not updated.

-------------

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM
  • Fixed a lot of bugs:
    • TIP reports page
    • TIP Company details page
    • TIP Account details page
    • Multiple textual improvements
    • Improved color scheme dark/light mode
    • TIP Account details page
    • + some more

TIP reports page
The System summary report doesn't work; I get an error "Error generating report: Network response was not ok and no error message was provided."

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Hi David,

A quick question.
In the qfeeds alias I see that there are currently 725256 malware IPs loaded.
Shouldn't there be more, since I (temporarily) have a premium license?
Where are the "Malware domains" and "Phishing URLs" stored?
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

Quote from: Seimus on October 07, 2025, 06:20:09 PM
The docs look much better now, but you made a bit of a mistake.

Quote
• Interface
o Select the interfaces on which you would like to block the connections. In this example we chose to use both LAN for outbound and for incoming WAN. While you could select multiple interfaces for either the inbound or outbound rule.

Both of your rules in the pictures are for INBOUND for LAN as well as WAN (as it should be); please correct this text to reflect that. This could reinforce the idea that the rule for LAN should be OUT instead of IN.
[...]

Thanks! Fixed the documentation again; we borrowed your text to make sure there are no mistakes anymore.

Yes, the false positive reporter will always be available for community users as well! And the descriptions should work now.
The system report item is repaired by removing it; this was some old functionality which no longer applies to the current setup of the TIP. Thanks for spotting it!

Your Threat Intelligence Partner  qfeeds.com

October 07, 2025, 10:17:05 PM #101 Last Edit: October 07, 2025, 10:53:44 PM by Q-Feeds
Quote from: Kets_One on October 07, 2025, 08:59:54 PM
In the Q-Feeds alias I see that there are currently 725,256 malware IPs loaded.
Shouldn't there be more since I (temporarily) have a premium license?
Also, where are the "Malware Domains" and "Phishing URLs" stored?

At the time of writing, that number indeed matches what the premium list contains. The total count alone doesn't say much — we can easily add more items if needed. Whether that actually makes it more valuable is doubtful though.

As one of many examples, the Premium feed includes more APT-related IOCs. There may not be many of them, but their impact is significantly higher compared to the OSINT lists, which mainly contain more brute-force and nmap-style IOCs. This is just one of the examples where the premium list really differs.

In the current version of the plugin, nothing is done yet with the Malware Domains and Phishing URLs. This is on the shortlist for an upcoming release.
If you happen to run Pi-hole or AdGuard, I can help you set those up there already.

Edit: translated to English.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Q-Feeds on October 07, 2025, 10:17:05 PM
If you happen to run Pi-Hole or Adguard, I can help you get started loading them in there.

Please do so publicly if possible. I am also interested in loading the data into AdGuard Home.

Thanks!
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

October 07, 2025, 11:10:46 PM #103 Last Edit: October 07, 2025, 11:19:50 PM by Q-Feeds
Quote from: Patrick M. Hausen on October 07, 2025, 10:54:15 PM
Quote from: Q-Feeds on October 07, 2025, 10:17:05 PM
If you happen to run Pi-hole or AdGuard, I can help you set those up there already.

Please do so publicly if possible. I am also interested in loading the data into AdGuard Home.

Thanks!
Patrick

(Translated the quote to English, my mistake, I responded in Dutch previously...)

In both AdGuard and Pi-hole you can add a list this way:

Domains:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=XXXXXXX

URLs:
https://api.qfeeds.com/api.php?feed_type=phishing_urls&api_token=XXXXXXX

Obviously replace "XXXXX" with your own token.

For even more creative constructions we have this page which describes the current functionality of our API endpoints: https://api.qfeeds.com/openapi/

I do want to emphasize that we're planning to implement it in the OPNsense plugin. But for those who can't wait, this is a workaround for now :) Please also note that these platforms are not officially supported.

Your Threat Intelligence Partner  qfeeds.com
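A small fetcher for the domain and URL feeds described in the post above, written here as an added example (not Q-Feeds' or the plugin's own code). It builds the two feed URLs quoted in the post, keeps the token out of log lines, re-downloads only when the cached copy is older than the refresh interval your license allows, and backs off on an HTTP 429 rate-limit response instead of retrying immediately. Assumptions: the feed body is plain text with one entry per line, and a 429 may carry a Retry-After header.

```python
import os
import time
import urllib.error
import urllib.request

API_BASE = "https://api.qfeeds.com/api.php"        # endpoint quoted in the thread
FEED_TYPES = ("malware_domains", "phishing_urls")   # feed_type values quoted in the thread

def build_feed_url(feed_type, api_token):
    """Compose the feed URL in the form given in the thread (token as a query parameter)."""
    if feed_type not in FEED_TYPES:
        raise ValueError(f"unsupported feed_type: {feed_type!r}")
    return f"{API_BASE}?feed_type={feed_type}&api_token={api_token}"

def redact(url):
    """Mask the api_token so the URL can be logged without leaking the credential."""
    head, sep, _tail = url.partition("api_token=")
    return head + sep + "***" if sep else url

def is_stale(cache_path, min_interval_s, now=None):
    """True when the local copy is missing or older than min_interval_s.
    Set the interval to what your license allows so resolver refreshes never exceed it."""
    now = time.time() if now is None else now
    try:
        return now - os.path.getmtime(cache_path) >= min_interval_s
    except FileNotFoundError:
        return True

def parse_feed(body):
    """Assumed plain-text feed: one entry per line, blanks and '#' comments ignored."""
    return [ln.strip() for ln in body.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def fetch_feed(url, fetcher=None, sleeper=time.sleep, max_tries=3):
    """Download the feed once, backing off on HTTP 429 instead of hammering the API.
    fetcher/sleeper are injectable so the retry logic can be exercised offline."""
    fetcher = fetcher or (lambda u: urllib.request.urlopen(u, timeout=30).read().decode())
    for attempt in range(max_tries):
        try:
            return parse_feed(fetcher(url))
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == max_tries - 1:
                raise
            # Honour Retry-After if the API sends one (assumed); otherwise wait a minute.
            wait = int((err.headers or {}).get("Retry-After", 60))
            print(f"429 from {redact(url)}, retrying in {wait}s")
            sleeper(wait)
```

Wire `is_stale` in front of `fetch_feed` in whatever cron job feeds Pi-hole or AdGuard, so a resolver that refreshes its lists hourly does not turn into a second source of rate-limit errors.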

429 Rate Limit Exceeded.

Why?

Thanks,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)