Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Hello David,

Many thanks for the replies. I am looking forward to trying it out!

I see huge potential in this, mainly because there is no extra overhead, which means network performance should be on par.
Many of us may have slower internet connections (<1 Gbit/s), but run high-speed LANs for internal services.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on Today at 12:01:31 PM

Even better, in some cases we see a drop in the firewall load since we're blocking all the crap :) I'm glad you're as enthusiastic as we are, looking forward to your feedback! I've sent you a PM with the instructions ;)

Your Threat Intelligence Partner  qfeeds.com

Stefan, you have referred to it being licensed both by IP and by firewall. I am taking it to be the former?

I ask because, as I mentioned earlier, I installed it internally to check operation. I am assuming that all I need to do now is disable that instance then transfer the API key to a new instance on the edge router?
Deciso DEC697

Today at 12:23:41 PM #63 Last Edit: Today at 12:58:23 PM by Q-Feeds
Quote from: passeri on Today at 12:16:59 PM

Hi Passeri,

Licensing is per firewall indeed; we check it based on IP. This is not applicable to the community version, which is an all-you-can-eat recipe with no restrictions besides the refresh rate. That said, for every firewall you need a new API token in order to be able to pull the data.

Kind regards,

David


This sounds really good. I'm not sure I'd be able to offer any useful feedback, but I am very likely to deploy this at home - when is 'general availability' forecast? Thanks.

Quote from: Taunt9930 on Today at 06:14:11 PM

Thanks, Taunt9930! I believe every bit of feedback is valuable, so I'll send you the instructions anyway then you can decide if you're up for it.
We're on track for a public beta in the next OPNsense release, with general availability following shortly after that.


Kind regards,

Stefan


This is just a brief initial sum-up; I don't (yet) have access to the other features in TIP.


The Good:
1. easy to install
2. easy to deploy
3. easy to manage
4. Huge list of OSINT based entries (actually this surprised me)

----------------
----------------

The Bad:

Documentation:
1. Documentation needs rework; even though it is simple enough, it's a bit janky
2. Keep in mind not every user is knowledgeable or feels confident; a showcase of the exact rules with screenshots is necessary

Q-feed plugin:
1. No option for auto-deployment of the necessary rules
2. No possibility of whitelisting
3. There is no possibility to choose which feeds to install, e.g. push to aliases

OPNsense widget:
1. The OPNsense widget in the GUI is a bit janky; it can't be resized properly, and if it's resized in landscape the logo is cut off

Miscs:
1. I do not see a possibility via the OPNsense GUI or TIP to report a possible false positive (except to open a ticket)

TIP:
1. Not sure why, but on a newly created account there are already some logs present in Telemetry Data with a token that is not associated with any of the account's API tokens

----------------
----------------

The requested:

Q-feed plugin:
1. I would welcome an option to auto-deploy the rules, taking two approaches: as a floating rule or as a rule within a Group. Groups on OPNsense work as a policy that can be inherited and pushed onto FW interfaces; this is superb for management and deployment.

2. We really need a whitelisting possibility in the plugin UI itself. Sooner or later a false positive will be a reality; it's extremely annoying to create a specific rule just for this, and it's prone to human error. OPNsense aliases support revert matching; you could take advantage of this, for example if a user wants to whitelist an IP it could be pushed into the Q-Feeds-created alias as !IP, replacing the IP.

3. The TIP interface is overall nice, but it's only available remotely. Would it be possible to have it in OPNsense directly? You are already using API keys for the DB; what about having the possibility to show it in the OPNsense UI, or at least some of the functionality?

4. The current Q-Feeds plugin is under Services. Assuming you will expand its categories and possible functionality, I think it would be better to have a separate main category for it instead of having it under Services.

5. It would be nice if we could turn the feeds (e.g. aliases) on and off as we want. I know this may sound silly, but for example if I decide to disable the IP feed for testing purposes, I can't; it can only be done by disabling or removing the rule. This could also be implemented in the GUI widget to show which feeds are provided by the licence and which ones are active by user choice.

OPNsense widget:
1. The widget for Q-Feeds in OPNsense is a bit plain for my taste. Would it be possible to enhance it and show the top talkers per packet/hit count? Basically, show the top most-matched IPs/domains/etc.

Miscs:
1. Not sure how to properly report a false positive that occurred in the Q-Feeds DB; I assume via a ticket in TIP. However, you could create a simple portal where a user fills in the IP/domain, category and reason, which on your end would flag the IP or URL for review.

2. I would welcome the possibility in TIP to put a description or a name on each API key. In the case of several deployments to various FWs/edge devices, this would help identify which API key is assigned to which device.

3. Can you please share your roadmap, both regarding the product itself and regarding OPNsense?

4. Maybe this is a bit too much to ask, but you provide 1y/2y/3y subscription licences; would it be possible to give some % off depending on the subscription length (1y base price, 2y 5% off, 3y 10% off, for example)?

Regards,
S.
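Seimus's whitelisting suggestion above (pushing an allowlisted address into the feed alias as a !IP exclusion) can be worked out and checked offline before any rule is touched. The following is an added example written for this thread; it is not code from the Q-Feeds plugin or from OPNsense. It assumes the feed and the allowlist are plain lists of IPs/CIDRs, that a leading "!" marks an exclusion entry as the post describes, and uses constructed sample data from the RFC 5737 test ranges. It also handles the case the post does not mention: an allowlisted address that is itself a whole feed entry, which has to be dropped rather than excluded.

```python
import ipaddress

# Constructed sample feed, in the form a threat-intel plugin might push into an alias.
SAMPLE_FEED = [
    "203.0.113.0/24",
    "198.51.100.17",
    "192.0.2.0/25",
    "198.51.100.17",  # duplicate, as feeds sometimes contain
    "# comment lines are ignored",
]

# Constructed operator allowlist: addresses that must never be blocked.
SAMPLE_ALLOWLIST = [
    "203.0.113.5",    # inside a feed network: needs a "!" exclusion entry
    "198.51.100.17",  # identical to a feed entry: that entry is dropped outright
    "192.0.2.200",    # not covered by the feed: nothing to do
]


def parse_entries(entries):
    """Parse IPs/CIDRs (one per list item) into ip_network objects; skip blanks and comments."""
    nets = []
    for raw in entries:
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(s, strict=False))
    return nets


def render(net):
    """Render a single-host network as a bare address and anything else in CIDR form."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_alias(feed, allowlist):
    """Merge a feed with an allowlist into alias lines.

    Feed entries fully covered by an allowlist entry are dropped; allowlist
    entries that fall inside a remaining feed network become "!" exclusions
    (the syntax assumed here, following the forum post). Returns the alias
    lines plus a report of what was dropped or excluded, for human review.
    """
    feed_nets = sorted(set(parse_entries(feed)),
                       key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    allow_nets = parse_entries(allowlist)
    keep, dropped, exclusions = [], [], []
    for net in feed_nets:
        same_family = [a for a in allow_nets if a.version == net.version]
        if any(net.subnet_of(a) for a in same_family):
            dropped.append(render(net))
        else:
            keep.append(net)
    for a in allow_nets:
        if any(a.subnet_of(n) for n in keep if n.version == a.version):
            exclusions.append("!" + render(a))
    lines = [render(n) for n in keep] + exclusions
    return lines, {"dropped": dropped, "excluded": exclusions}


def is_blocked(ip, alias_lines):
    """Evaluate the effective policy: blocked if inside a positive entry and not inside any exclusion."""
    addr = ipaddress.ip_address(ip)
    positives = [ipaddress.ip_network(l, strict=False) for l in alias_lines if not l.startswith("!")]
    negatives = [ipaddress.ip_network(l[1:], strict=False) for l in alias_lines if l.startswith("!")]
    if any(addr in n for n in negatives):
        return False
    return any(addr in n for n in positives)


if __name__ == "__main__":
    lines, report = build_alias(SAMPLE_FEED, SAMPLE_ALLOWLIST)
    print("\n".join(lines))
    print(report)
    for probe in ("203.0.113.5", "203.0.113.6", "198.51.100.17", "192.0.2.50", "192.0.2.200"):
        print(probe, "blocked" if is_blocked(probe, lines) else "allowed")
```

The report is the part worth keeping in front of an operator: every dropped or excluded entry is a place where the feed and local policy disagree, which is exactly what a false-positive review needs to see. Whether the target firewall honours "!" entries in a nested alias should be verified on the box itself before relying on this.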

The reports are not doing anything at all.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on Today at 08:57:17 PM

Seeing the same here, it just quickly refreshes the page.

Additionally, I do not see any hits on the API counter or anything in the logs within TIP.

Regards,
S.

Same here ... some threat report, i.e. which IP addresses were blocked and why, is definitely called for to make this a product. Check out CrowdSec for reference. I only dropped CrowdSec because the free block lists are a joke and the paid subscription starts at something around $90 per month, which is a no-brainer for a company but definitely too much for a home lab.

I just jumped in and spent the 100 for the plus license to get this project going. I hope they deliver :-)