Looking for testers Q-Feeds plugin

Started by Q-Feeds, October 01, 2025, 08:43:40 PM

Quote from: 0zzy on October 25, 2025, 08:05:40 PM
I would be very happy to test it.
Only an IT Consultant with some gained Security Experience ;)

The plugin is now officially included in OPNsense versions 25.7.6 and 25.10, thanks to the great efforts and support of the community!
Instructions can be found here: https://docs.opnsense.org/manual/qfeeds.html

Your Threat Intelligence Partner  qfeeds.com

OK, I installed it, did the registration, added the API thing, and nothing happens; I didn't see anything under Events.
Under Feeds I see two entries:
Malicious IP addresses
Malicious domain names
domains
2025-10-26T00:00:00Z
2025-10-26T00:00:00Z
2025-10-27T00:55:27Z
2025-10-27T00:55:27Z

everything with a checkmark.

So my question is, what exactly should I expect?

Normally I use crowdsec (which is definitely an extreme money-making machine....)
Protectli FW4B
Intel J6412 4 cores
4x Intel I225-V 2,5 Gbit/s
16 GB memory
480 GB m.2 SATA SSD storage
Coreboot

Quote from: 0zzy on October 26, 2025, 05:53:20 PM
So my question is, what exactly should I expect?

That depends on how you implement your block rules. I run it IN WAN & IN LANs, using a policy (group) that has seq 0 and is inherited into every FW interface.

The outcome is that if a session tries to establish from or to the q_feed alias, it's blocked.

Regards.
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

October 26, 2025, 06:17:37 PM #303 Last Edit: October 26, 2025, 06:20:23 PM by 0zzy
@Seimus which block rules do you mean exactly? I have different rules (floating and, because of the micro-segmentation of my VLANs, some special rules depending on my needs).
So it is only interesting for LAN / WLAN / WAN.

But wait, I need to check the docs first; as far as I know it's already in the OPNsense docs....

Ah, now I see what you mean .... I'll let you know if it changed something after I set the rule (I think it's easier to create a floating rule in my case), but thank you; after a day of coding my head bangs too hard and I overlook things ;)
Protectli FW4B
Intel J6412 4 cores
4x Intel I225-V 2,5 Gbit/s
16 GB memory
480 GB m.2 SATA SSD storage
Coreboot

Quote from: 0zzy on October 26, 2025, 06:17:37 PM
which block rules do you mean exactly


The ones you need to manually create to take advantage of Q-feed alias.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

So I installed the plugin and set it up over the weekend, and I am quite happy with it. Probably the best solution so far, due to the native firewall integration using pf and unbound for the filtering.

Not sure what all of the suggested improvements have been so far; I know there have been many, like the automatic rule generation... which would be nice, but I would also suggest making it optional, so that the more advanced users can simply create their own. I say this because, for example, I only use IPv4, so I did not create an IPv6 rule as it is not required. Relatively minor, but it's nice to not have things defined if they are not needed.

Not sure if this has been suggested or not, but the Q-Feeds Events page should also include unbound events, to provide a holistic view of all traffic filtered by Q-Feeds, especially since the unbound details page has a limited log size and gets overwritten very quickly. Also, I know there were suggestions to include the IoC lookup there as well, which would be great. If that cannot be done for some reason, maybe at least a whois lookup link?

Also, it is difficult to verify the unbound integration, as the only things you can really rely on are either looking at the unbound blocklist size before enabling Q-Feeds, or something being filtered in the unbound logs, since there is no blocklist to select within the unbound blocklist drop-down menu. The current configuration basically implies that it is enabled without any real verification. Maybe provide a test URL to verify the unbound integration?

I look forward to the continued improvements to the plugin and ip/dns lists.

Thanks

Installed on my cluster and created some blocking rules on internal and WAN interfaces. All is working, at least from outside.

Some questions:

1. Besides Q_Feeds Community, I use maltrail. I use the same blocking rule for both aliases. Analyzing some IP addresses in both aliases, I found maltrail blocks some IP addresses Q_Feeds did not. I decided to maintain both, because this indicated to me that the Q_feeds Community protection is not complete (as expected from your documents and web site :-) ). Is that OK as a policy, or can there be some "internal conflict"?

2. Is it possible to add some "Export to csv" or "Download" button in Security/Q-Feeds Connect/Events? There are 50k log entries, almost impossible to analyze just on this screen. I know it is possible to export the whole firewall log, but it is too big to be useful.

3. How do I report false positives, if I find any?

4. In the portal log I found the message: "Rate limit exceeded for company: xxxxxxx's Company on feed malware_ip". I have two firewalls, master and slave, in a cluster. The message is for the master IP address. What is the limit? How do I avoid it?

Quote from: wstemb on October 29, 2025, 11:39:12 AM
Installed on my cluster and created some blocking rules on internal and WAN interfaces. All is working, at least from outside.

Some questions:

1. Besides Q_Feeds Community, I use maltrail. I use the same blocking rule for both aliases. Analyzing some IP addresses in both aliases, I found maltrail blocks some IP addresses Q_Feeds did not. I decided to maintain both, because this indicated to me that the Q_feeds Community protection is not complete (as expected from your documents and web site :-) ). Is that OK as a policy, or can there be some "internal conflict"?

2. Is it possible to add some "Export to csv" or "Download" button in Security/Q-Feeds Connect/Events? There are 50k log entries, almost impossible to analyze just on this screen. I know it is possible to export the whole firewall log, but it is too big to be useful.

3. How do I report false positives, if I find any?

4. In the portal log I found the message: "Rate limit exceeded for company: xxxxxxx's Company on feed malware_ip". I have two firewalls, master and slave, in a cluster. The message is for the master IP address. What is the limit? How do I avoid it?

Thanks for raising your questions!
1. There's no single set of feeds that covers everything. Q-Feeds makes decisions based on relevance, accuracy, and severity. The way we curate and manage the data helps us minimize false positives, but as noted, no feed is ever 100% complete. So keeping both Q-Feeds and Maltrail active is fine.
2. We'll ask the Deciso team to review your suggestion regarding an "Export to CSV" or "Download" option. That's a valuable request.
3. You can report false positives directly via the Q-Feeds Threat Intelligence Portal: Q-Feeds TIP.
4. Best practice is to use one license per IP/firewall. In your case, you can simply create another API key via the TIP for the second firewall to avoid rate limit issues.

Your Threat Intelligence Partner  qfeeds.com

Hi, just purchased a Plus License for 1 yr because I have confidence in your product and want to support your great efforts.
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

Quote from: Kets_One on October 30, 2025, 07:58:43 PM
Hi, just purchased a Plus License for 1 yr because I have confidence in your product and want to support your great efforts.

Thank you so much for your support, Kets_One! Very much appreciated! And we will keep our efforts up to make it even greater; thanks to your help, we can!

Best regards,

Stefan

Your Threat Intelligence Partner  qfeeds.com

Hi Q-feeds,

I have two questions:

1. I currently have Crowdsec installed. Should I uninstall Crowdsec to avoid redundancy (for troubleshooting purposes), or do Q-Feeds and Crowdsec complement each other?

2. I'm currently using AdGuard Home and Unbound. What's the best way to integrate Q-Feeds' DNS functionality? Is there a DNSBL that I can configure in AdGuard with a corresponding API token, for example, in the format "https://api.qfeeds.com/feed/domain_blacklist.txt?key=<API_KEY>"?

Thank you in advance for your reply.
Supermicro M11SDV-4C-LN4F AMD EPYC 3151 4x 2.7GHz RAM 8GB DDR4-2666 SSD 250GB

November 01, 2025, 05:17:05 PM #311 Last Edit: November 01, 2025, 06:01:45 PM by Q-Feeds
Quote from: RES217AIII on November 01, 2025, 02:08:19 PM
Hi Q-feeds,

I have two questions:

1. I currently have Crowdsec installed. Should I uninstall Crowdsec to avoid redundancy (for troubleshooting purposes), or do Q-Feeds and Crowdsec complement each other?

2. I'm currently using AdGuard Home and Unbound. What's the best way to integrate Q-Feeds' DNS functionality? Is there a DNSBL that I can configure in AdGuard with a corresponding API token, for example, in the format "https://api.qfeeds.com/feed/domain_blacklist.txt?key=<API_KEY>"?

Thank you in advance for your reply.


Hi RES217AIII,

Thank you for your questions!

1. In theory, all CTI (Cyber Threat Intelligence) feeds are complementary to each other, as there is no feed to rule them all. Feel free to use Q-Feeds and Crowdsec at the same time, and experience (test) the differences yourself.

2. You can use the native Unbound support within the plugin, or you can use it with AdGuard, whatever you prefer. You can use the URLs which are in this manual: https://qfeeds.com/en-sophos-v1-1/.

The manual for the plugin can be found here: https://qfeeds.com/en-opnsense-documentation/

Greetings, Stefan


Your Threat Intelligence Partner  qfeeds.com

November 02, 2025, 09:20:24 AM #312 Last Edit: November 02, 2025, 09:38:27 AM by 0zzy
Hell yeah, it works.
But I didn't use interface rules; instead of them I have a floating rule, to have a clean ruleset on my interfaces.

I see many events on WAN / LAN, but what I miss is a description of the event.

@Q-Feeds what do you mean? Is there a way to get more information out of that?

Which options do I have to play with (if possible) the API of this plugin?
For deeper insights, which logs can I check?
How can I see these events in a SIEM/XDR like Sentinel or Wazuh?

And one thing: I don't know why, but login with username on the Q-Feeds site isn't possible anymore.
Also, I didn't get any email when requesting a new password.... ;(
Protectli FW4B
Intel J6412 4 cores
4x Intel I225-V 2,5 Gbit/s
16 GB memory
480 GB m.2 SATA SSD storage
Coreboot

November 02, 2025, 06:51:05 PM #313 Last Edit: November 02, 2025, 06:53:10 PM by Q-Feeds
Hi Ozzy,

I heard Stefan solved the password issue separately.

For extra event details, you can use the Threat Lookup feature in the TIP (available with Plus or Premium licenses). That functionality isn't built into the plugin (yet), and since we don't collect any telemetry data, we can't display your hits in the TIP. This is a deliberate choice: we prefer not to gather any data from your firewalls.

The plugin doesn't have its own API endpoints yet, but you can check detailed logs under Firewall → Log Files → live view or Normal View to see what's being blocked or allowed.

If you want to connect OPNsense to a SIEM like Sentinel or Wazuh, you can use syslog or the Wazuh agent. For more advanced correlations in your SIEM, we also offer a TAXII server which supplies context along with the IOCs. However, this is a different offering from the OPNsense packages. If you'd like, we can schedule a quick Teams call (just send us a PM) so I can show you how it works and discuss the options in more detail.

Kind regards,

David

Your Threat Intelligence Partner  qfeeds.com
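As an added example (not code from the plugin, from Deciso, or from anyone in this thread), the script below reads pf filterlog records such as those under Firewall → Log Files, keeps only the blocks whose peer address is listed in the feed alias, and counts hits per indicator, which is a quick way to reduce a 50k-entry event list to something reviewable. The filterlog field layout is assumed from filterlog(8), and both the log records and the feed contents are constructed samples.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the comma-separated payload that pf's filterlog
# writes on OPNsense (syslog header already stripped). Field layout assumed from
# filterlog(8): rule number, sub-rule, anchor, rule id, interface, reason, action,
# direction, IP version, then the IP header fields, protocol, length, src, dst, ...
SAMPLE_LOG = """\
86,,,b1c2d3e4f5,igc0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51234,443,0,S,1,,65535,,mss
86,,,b1c2d3e4f5,igc0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51235,443,0,S,1,,65535,,mss
91,,,0a1b2c3d4e,igc1,match,block,out,4,0x0,,64,0,0,DF,17,udp,78,10.0.0.25,198.51.100.7,40000,53,58
12,,,ffeeddccbb,igc0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,192.0.2.200,203.0.113.5,22222,443,0,S,1,,65535,,mss
19,,,ffeeddccbb,igc0,match,block,in,4,0x0,,60,0,0,DF,6,tcp,60,192.0.2.77,203.0.113.5,4444,22,0,S,1,,65535,,mss
"""

# Constructed stand-in for the Q-Feeds IP alias contents (one IP or CIDR per line).
SAMPLE_FEED = "192.0.2.10\n198.51.100.0/24\n"

def load_networks(feed_text):
    """Parse an alias/feed listing into ip_network objects, skipping blanks and comments."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in feed_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def parse_filterlog(line):
    """Pull the fields we need out of one filterlog record (IPv4 or IPv6 layout)."""
    f = line.split(",")
    src, dst = (f[18], f[19]) if f[8] == "4" else (f[15], f[16])
    return {"rid": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "src": src, "dst": dst}

def feed_hits(log_text, nets):
    """Return (record, matching_network) for every block whose src or dst is on the feed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec["action"] != "block":
            continue  # a pass is not feed enforcement, even if the peer is listed
        for addr in (rec["src"], rec["dst"]):
            ip = ipaddress.ip_address(addr)
            net = next((n for n in nets if ip in n), None)
            if net is not None:
                hits.append((rec, net))
                break
    return hits

def hits_per_indicator(hits):
    """Count blocked sessions per feed entry, the first cut at triaging a large event list."""
    return Counter(str(net) for _, net in hits)

if __name__ == "__main__":
    hits = feed_hits(SAMPLE_LOG, load_networks(SAMPLE_FEED))
    for rec, net in hits:
        print(f"{rec['iface']} {rec['dir']:3} {rec['src']} -> {rec['dst']}  matched {net}")
    print(hits_per_indicator(hits))
```

On a real box, feed the script the contents of /var/log/filter/ with the syslog header stripped from each line and the feed file or alias export in place of SAMPLE_FEED.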

Quote from: Q-Feeds on November 02, 2025, 06:51:05 PM
since we don't collect any telemetry data, we can't display your hits in the TIP. This is a deliberate choice, we prefer not to gather any data from your firewalls.

Something appreciated by this user, for one.
Deciso DEC697