Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

October 05, 2025, 11:31:30 AM #45 Last Edit: October 05, 2025, 11:38:28 AM by Q-Feeds
Thanks a lot for spotting that, you're absolutely right! That's a mistake on our side. The "Plus" tier should indeed include Commercial IP data. We've corrected it, and really appreciate you catching that! https://qfeeds.com/opnsense/


OSINT (Open Source Intelligence) data comes from open sources like communities, news etc. Commercial (or paid) data comes from vetted, paid intelligence providers. We notice these feeds usually detect threats faster and with better accuracy and quality. Think about APT groups etc.  Services refers to the services around the TI and extra functionality that come with our Threat Intelligence Platform (TIP), like enrichment, faster updates, and extended IoC lookups.

We'd be happy to have you as a tester! Your setup sounds perfect for evaluating. I'll follow up with the details so you can get started.


Your Threat Intelligence Partner  qfeeds.com

Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!

Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missing.
4. The Feeds list on the plugin shows three lists but the TIP console shows 4 feeds for the free tier and 8 for the top paid tier. It might be good to make this more clear in some way. Maybe even just a tooltip that says if the three shown lists in the plugin encompass all available feeds for the API token.

For the QFeeds site:
1. On the main qfeeds webpage have a more direct link to the TIP console and other products as well, there doesn't appear to be a direct way from qfeeds.com to access the TIP console or other pages
2. Attack surface page on TIP console, might be good to have account manager email or contact methods auto populated for easier communication between end user and the qfeeds teams.
3. Opnsense banner on the TIP dashboard seems to cover some messages that pop-up and the X in dark mode was near invisible with the current banner color. Additionally, every time I navigate to a new page it shows back up after being dismissed.
4. Dark mode version definitely needs improvement. Right now text is very hard to read in a lot of cases.
5. API Keys shows "Allowed IPs" as "any" but no way to change this. I assume limiting where API calls can come from is coming at some point but just wanted to ask mostly if that's the case.
6. Company Information lists other companies for "Parent Company", not sure if this is a good idea to have companies listed here but just wanted to call this out.
7. Is there an android app coming at some point? I see the app page under Settings but it just mentions iPhone so I wasn't sure.
8. Company Information seems a bit difficult to get to since it's buried in "Manage API Keys" from the main Dashboard and that's a different page from User's API Keys page. I definitely feel as though a Company Information/Settings area at the top next to OR within "Settings" menu would be much better.
9. Company Information seems to require a "Role" but that's empty for me and as such I cannot save any changes on that page.
10. I have a link under Manage Company that is supposed to take me to "https://tip.qfeeds.com/views/admin/companies.php" but when I click "Back to Companies" it takes me to the dashboard. I feel as though this definitely should be cleaned up and the "https://tip.qfeeds.com/views/dashboard/index.php?error=Access%20denied" should be displayed as a message as well or something to handle this better for users within a company.

Hi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance

Thank you for the invite!  So far, everything is working great.

There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.

I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.

For others, I also inquired and IPv6 is indeed supported and in the IP lists.  It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.

One thing that was interesting (for me) was adding logging to the rules.  As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN).

Dang is it hostile out there.

October 05, 2025, 08:47:21 PM #49 Last Edit: October 05, 2025, 08:54:16 PM by Q-Feeds
Quote from: Lurick on October 05, 2025, 01:10:44 PM
Feedback so far:
Definitely some areas for improvement but overall honestly I believe this is a great product with a lot of potential!

Plugin feedback:
1. Have a link in the plugin to the TIP console, right now I have to remember to navigate to tip.qfeeds.com
2. Summary of stats/integration with TIP console in the plugin as well to see hit counters and other basic stats
3. Maybe rename the alias from "__qfeeds_malware_ip" to something more generic since it encompasses all the feeds. Maybe "__qfeeds_lists" and same for the description too. I'm not sure if there are supposed to be multiple aliases or the single alias for all feeds but the current name/description makes me think there should be more that I'm missing.

.............



Amazing Lurick! Thank you so much for this valuable feedback, really appreciate the time and detail you've put into it! We absolutely love it. It was quite a list, but we managed to address most of it right away! Here's our response:

For the plugin:
  • There's a link to our website (which links to the TIP) under the help section. Since this is a bit hidden, we totally understand your feedback. We'll improve this in the next iteration.
  • User hits are visible via the widget on the OPNsense dashboard. We're not planning to collect any user data to show in the TIP. The number of IOCs is also visible on the OPNsense dashboard widget. I agree it would be great to have such stats on the plugins main page as well. We'll add this to the roadmap.
  • You're absolutely right! At the moment, the OPNsense plugin only supports IP lists, but we'll be adding Domains and URLs soon. Stay tuned ;)
  • Thanks a lot! This was indeed a bug in the console, it's fixed now!

For the Q-Feeds site:
  • We're currently not planning to include all TIP functionality directly on the website, but we agree it should be more accessible. Thanks for the suggestion, we'll discuss it internally.
  • Loved that feedback, we've added a link to our contact page in the warning right away!
  • That pop-up was super annoying indeed! It's fixed and much easier to read now.
  • We've fixed this in many places already, but please let us know if you spot any more examples :)
  • The limited allowed IPs are tied to paid subscriptions, since part of the license model depends on the number of firewalls (IPs). This is already functional but only editable by resellers or administrators. The field remains visible to end-users so they can distinguish between multiple keys.
  • This was a fun one, thanks for catching it! Just to explain: the portal is designed for distributors, MSPs, and resellers as well. That field is meant for assigning end-users to resellers or resellers to distributors when applicable. Regular end-users and community users shouldn't see it anymore.
  • We've updated the description. It's actually a Progressive Web App (PWA), so it's Android-ready too!
  • Great catch, fixed it!
  • Nice find! This issue was similar to observation 6. Thanks again for reporting it!
  • Cleaned up and organized, everything now lives under 'Settings'.

Your Threat Intelligence Partner  qfeeds.com

Quote from: _tribal_ on October 05, 2025, 05:34:42 PM
Hi Stefan,
I'm also interested in testing Q-Feeds plugin
Thx in advance

Thank you! Send you a PM with the instructions.

Your Threat Intelligence Partner  qfeeds.com

Quote from: dmurphy on October 05, 2025, 08:04:33 PM
Thank you for the invite!  So far, everything is working great.

There's some inconsistency between the install guide and the actual install (i.e. the firewall alias name, etc.) but nothing that wasn't simple enough to understand.

I echo the above - would be great to have a button to auto-create floating in/out rules rather than doing so manually, but the task really is not difficult.

For others, I also inquired and IPv6 is indeed supported and in the IP lists.  It's obviously clear that there's a lot less malicious traffic on V6, but I still love the idea of blocking it where I can.

One thing that was interesting (for me) was adding logging to the rules.  As they are floating rules, they apply before my interface rules, so I'm seeing lots and lots of blocking going on that I really wasn't seeing previously (as I don't have logging turned on for the default "block in all" rule on my WAN).

Dang is it hostile out there.

Luckily you were able to sort it out but we'll update it in the guide anyway :), thanks for pointing it out!
Regarding the 'auto add rules button': On the roadmap :)

While V6 is not necessarily cleaner, cybercriminals are able to rotate IP addresses quicker. That said they're quite short-lived in our lists. And can agree with more, the more blocked the better!

"Dang is it hostile out there." --- dmurphy
Unfortunately it is...

Your Threat Intelligence Partner  qfeeds.com

Installation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.

Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 05, 2025, 09:26:16 PM
Installation was simple and painless. I would like the automatically created alias to be able to be placed into another group alias for easier management.

Also I bought the plus license with the same email address as contact, paid via Apple Pay, but I received neither a confirmation email nor does the license show up in TIP.

Hi Patrick,

Thank you very much for your feedback!
Your suggestion regarding the aliases is a great idea and we'll discuss this internally.

As for the payment, I've sent you a PM to look into it further.

Your Threat Intelligence Partner  qfeeds.com

Looks like the Apple Pay quick checkout did not work as expected.

But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 05, 2025, 09:47:37 PM
Looks like the Apple Pay quick checkout did not work as expected.

But while I am browsing the shop: what's an Opnsense Basic License? And why is the duration 12 months but below it says something about 1 day?

Hi Patrick,

Thanks for checking, it seems the Apple Pay checkout didn't process correctly indeed. We've temporarily disabled Apple Pay while we look into this issue.

Regarding your question: the OPNsense Basic License was the former name of the Community Version. Together with OPNsense/Deciso, we decided to make this version freely available for the community, so the Basic Package is no longer available for purchase.

Thanks again for your feedback and for pointing this out and we would like to invite you to try our check-out flow again :).

Your Threat Intelligence Partner  qfeeds.com

Hi Stefan,
No problems with installation, feedback as follows:
1. In the absence of an auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that may be unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig
Hardware:
Protectli VP4650

Today at 10:19:45 AM #57 Last Edit: Today at 10:23:05 AM by Seimus
Hi,

Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.

Network engineer here, I am mostly doing last end support (or what ever that means in my company).

I am as well for several years running ZA, and this looks to me like a potential contender/replacement. There are two hurdles with ZA currently;
- no Multicore support for Home licenses, which significantly impact network performance
- data collection/privacy

Several questions occurred to me when reading this topic;

Quote
we focus on blocking threats at the firewall level using real-time intel (malware IPs, domains, phishing URLs), so no heavy inspection overhead.

1. Thus this means you are not using netmap, but keeping it simple by locally updating/loading lists of blocking IPs populated into FW rules?
2. Are you at all collecting any data or telemetry from customers or installations of this plugin?
3. What specific OSINTs you use? I hope it's not just some random scrape from internet
4. Which vetted Commercial providers do you use for the Paid sub?
5. This product looks similar to Spamhaus, Greensnow & others, what is the actual benefit from your point compared to these?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: llama6668 on Today at 06:21:13 AM
Hi Stefan,
No problems with installation, feedback as follows:
1. In the absence of an auto firewall configuration, Step 4 should show examples for both Rules 1 & 2.
2. Suggest adding date/time to Firewall: Aliases table: Last updated.
3. Suggest adding to documentation, for those that may be unfamiliar, testing config by using an IP from Firewall: Diagnostics: Aliases > __qfeeds_malware_ip, current list of 668348 IPs.
4. No errors that have not been raised here and clarified.
Regards,
Craig

Hi llama6668,

Thank you very much for your feedback! We've added it to our improvement list!

Your Threat Intelligence Partner  qfeeds.com

Quote from: Seimus on Today at 10:19:45 AM
Hi,

Well well this seems interesting. I am highly interested to test this as well if I am not late to the party.

Network engineer here, I am mostly doing last end support (or what ever that means in my company).

............


Hi Seimus,

Thank you for your interest and the great questions! Good news upfront; you're not too late to the party, I'll send you the instructions in a minute.

Here are the answers:
  • This is exactly what we're doing, we're just using the native packet filter (pf) to block based on the aliases
  • No we don't collect any personal data regarding connections, blocks etc. The only thing we 'collect' or better say monitor are the API requests for pulling the latest Threat Intelligence. All the data we collect is also visible in our TIP. To provide an overview we collect: Date and time of when the API call has been made to pull in the TI, IP addresses (licenses are bound per firewall), and the client header to see which platform is being used (in this case OPNsense of course).
  • We don't just scrape data from the internet. Our threat intelligence is built from over 2,500+ different sources, combining commercial, public, and proprietary intelligence. This includes commercial and paid feeds such as URL, botnet, malware, IP, and intrusion databases, alongside public OSINT from social media, dark web, and phishing data. In addition, we enrich our intelligence as well with proprietary sources from our own honeypots, network activity, logs, and scans.

    What really sets Q-Feeds apart is how we connect the dots between these different pieces of intelligence, creating a more comprehensive and contextual threat picture. To ensure high data quality, we only use verified and trustworthy sources. We validate all data against RFC internet technical standards, false positives and so on. We remove duplicates, and apply relevance filtering to keep the most accurate and actionable intelligence.

    This layered approach ensures our feeds are reliable, validated, and meaningful, not just random data from the web.
  • It's a combination of the leading cybersecurity vendors in the world. We're not able to provide you the details because of agreements we've made with them.
  • I could tell you a great story that we're the absolute best compared with them, but better is to advise you to take it to the test ;-) We believe in the world of cybersecurity every solution is complementary to each other.

Kind regards,

David

Your Threat Intelligence Partner  qfeeds.com
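
Added example, not part of the thread and not code from Q-Feeds or the OPNsense plugin: a consumer-side sanity check for an IP list before it is loaded into a pf alias used by floating block rules, covering the points raised above (IPv4 and IPv6 entries, duplicates, entries that should never be blocked). The `PROTECTED` list, the function name and the sample feed are assumptions made for this example; documentation ranges stand in for public addresses.

```python
import ipaddress

# Ranges that should never appear in a block alias (LAN, loopback, link-local,
# multicast, ...). Explicit list chosen for this example; extend it as needed.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/127", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample feed, one entry per line. Not real indicators.
SAMPLE_FEED = """\
# constructed sample
203.0.113.7
203.0.113.7
198.51.100.0/24
198.51.100.42
10.0.0.5
192.168.1.1
127.0.0.1
0.0.0.0/0
2001:db8::1
2001:DB8:0:0:0:0:0:1
fe80::1
not-an-ip
999.1.1.1
"""

def clean_feed(text):
    """Return (entries safe to load, rejected entries grouped by reason)."""
    accepted, rejected = set(), {"malformed": [], "protected": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected["malformed"].append(entry)
            continue
        # Reject anything touching a protected range, including over-broad
        # prefixes such as 0.0.0.0/0 that would block everything.
        if any(p.version == net.version and net.overlaps(p) for p in PROTECTED):
            rejected["protected"].append(entry)
            continue
        accepted.add(net)                          # set removes duplicates
    out = []
    for version in (4, 6):                         # collapse per address family
        same = [n for n in accepted if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out, rejected
```
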