Q-feeds (Community Version): Impressions after several days

Started by Richard090969, March 25, 2026, 01:32:53 PM


Hello,
I have been using the Community Edition of Q-Feeds for quite some time now, but my initial enthusiasm has gradually given way to a certain sense of disappointment.

At the beginning of my testing, Q-Feeds was reliably blocking almost everything. This gave me the impression that, in the long run, it might even be possible to replace CrowdSec entirely with Q-Feeds.

However, after more than seven days, the picture looks quite different. Q-Feeds is now contributing very little, while my static Spamhaus blocklists in combination with CrowdSec are doing most of the work. Q-Feeds is only filtering the small remainder that gets through.

At this point, whether Q-Feeds is active or not in the Community Edition makes no noticeable difference in practice. It is worth mentioning that Q-Feeds is placed at the very top of my rule order.

cu Richard

---Original German (translated)---
Hello,

I have now been using the Community Version of Q-Feeds for a longer period. My initial enthusiasm has, however, since given way to a certain disillusionment.

At the beginning of my test, Q-Feeds blocked almost everything reliably. This gave me the impression that it might eventually be possible to replace CrowdSec completely with Q-Feeds.

After more than seven days, however, a different picture emerges: hardly anything comes from Q-Feeds any more, while my static Spamhaus blocklists in combination with CrowdSec take over the bulk of the work. Q-Feeds then filters the remaining rest.

Whether Q-Feeds in the Community Version is active for me or not currently makes no really noticeable difference in practice. It is important to mention that Q-Feeds is in first place in my rule order.

Best regards, Richard



I installed Q-Feeds Community two weeks ago.

I created a rule to log all blocked traffic that otherwise won't be logged, since the Default Deny rule has had its logging disabled.

Attached is a screenshot of the rules and the count of evaluations/blocked connections by each. 24 hours prior, the numbers were similar, with the exception that FireHOL CIArmy had blocked 1 connection.

Doing the sums based on the evaluation counts for Q-Feeds and Nothing Else Blocked gives:

Q-Feeds: 0.0632%
Nothing Else: 1.7778%

From these numbers, we can deduce Bitwire-IT blocked 98.159% of all blocked incoming connections.

Last night, after updating OPNsense to 26.1.7_3, which incidentally also updated Q-Feed Connector to version 1.5_3, I took this screenshot, then disabled three of the listed rules.

I took a screenshot of these rules a short while ago, and you can see Q-Feeds blocked quite a few today. There was just one (persistent) miscreant that attempted to telnet to my IP address, doing so from 02:13 this morning until 04:16 this afternoon (14 hours).

It remains to be seen what Q-Feeds will block for me over the coming months.

I'm not sure "total amount of blocks" is a good metric without "quality of individual blocks".

I find most blocklists that are available too intrusive and overly strict. In my opinion Qfeeds does a good job here with quality instead of quantity.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on May 06, 2026, 04:55:02 PM: "I'm not sure 'total amount of blocks' is a good metric without 'quality of individual blocks'."

I'm using the number of evaluations for each of the rules to calculate the percentages.

Around 8:30 AM this morning, I moved the Q-Feeds rule to the top of the list. I've recorded the numbers from around 7:50 PM tonight (see attached image).

Today's connections didn't appear to encounter any extraordinary behaviour, unlike yesterday. These are the numbers as of tonight:

                 Evaluations    Packets    % Blocked
Q-Feeds:               54536      13426      86.627%
Bitwire-IT:             7293       6593      12.089%
Nothing Else:            700        700       1.283%

I haven't been tabulating the information, just doing some quick calculations at given points in time.

It would be good if the counters didn't reset overnight; at least I could then get data for a longer period, just to make quick calculations on the fly.

I'll look at integrating the Q-Feeds domains at some point, just to see if it picks up anything.
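The per-rule percentages in the post above are worked out by hand from the evaluation and packet counters that pf keeps for each rule. As an added example (not code from the thread, OPNsense or Q-Feeds), the script below parses the counter lines that `pfctl -vsr` prints under each rule, computes each block rule's share of evaluations or blocked packets, and diffs two snapshots so that a counter reset (the overnight reset mentioned above) does not produce negative numbers. The rule labels, interface name `igc0`, alias names and counter values are constructed for the example and simply mirror the table in the post.

```python
import re

# Constructed sample modelled on the `pfctl -vsr` layout: a rule line followed by
# its counters line. Labels, aliases, pid and numbers are made up for this example.
SAMPLE_SNAPSHOT = """\
block drop in log quick on igc0 inet from <qfeeds> to any label "Q-Feeds"
  [ Evaluations: 54536     Packets: 13426     Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]
block drop in log quick on igc0 inet from <bitwire> to any label "Bitwire-IT"
  [ Evaluations: 7293      Packets: 6593      Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]
block drop in log quick on igc0 inet from any to any label "Nothing Else"
  [ Evaluations: 700       Packets: 700       Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]
"""

# Only block rules carry the counters we care about here; the label is the
# human-readable name the firewall GUI attaches to the rule.
RULE_RE = re.compile(r'^block\b.*\blabel "(?P<label>[^"]+)"')
COUNTER_RE = re.compile(r'^\s*\[ Evaluations: (?P<evals>\d+)\s+Packets: (?P<pkts>\d+)')


def parse_counters(text):
    """Return {label: (evaluations, packets)} for every block rule in pfctl -vsr output."""
    counters = {}
    label = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            label = m.group("label")
            continue
        m = COUNTER_RE.match(line)
        if m and label is not None:
            counters[label] = (int(m.group("evals")), int(m.group("pkts")))
            label = None  # consume the label so a later counters line is not misattributed
    return counters


def deltas(previous, current):
    """Per-rule increase between two snapshots.

    If a counter is lower than in the previous snapshot the ruleset was reloaded
    (or the box rebooted) in between, so the counter restarted at zero and the
    current value is the whole increase since the reset.
    """
    out = {}
    for label, (ev, pk) in current.items():
        prev_ev, prev_pk = previous.get(label, (0, 0))
        d_ev = ev - prev_ev if ev >= prev_ev else ev
        d_pk = pk - prev_pk if pk >= prev_pk else pk
        out[label] = (d_ev, d_pk)
    return out


def shares(counters, field="packets"):
    """Percentage of the total that each rule accounts for, by 'evaluations' or 'packets'."""
    idx = 0 if field == "evaluations" else 1
    total = sum(v[idx] for v in counters.values())
    if total == 0:
        return {label: 0.0 for label in counters}
    return {label: round(100.0 * v[idx] / total, 3) for label, v in counters.items()}


if __name__ == "__main__":
    now = parse_counters(SAMPLE_SNAPSHOT)
    for label, pct in shares(now, "packets").items():
        print(f"{label:14s} {pct:8.3f}% of blocked packets")
```

Run it against real output with `pfctl -vsr | python3 tabulate.py` after swapping `SAMPLE_SNAPSHOT` for `sys.stdin.read()`, and persist each `parse_counters` result (a cron job writing JSON is enough) so `deltas` can be fed yesterday's and today's snapshot. The Packets counter is the better "what actually got blocked" measure; Evaluations also counts packets the rule inspected but did not match.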

Very interesting results, which seem to be all over the place. I think it also depends on whether you're hosting services, e.g. As Cedrik mentioned, it's not just about the number blocked. Increasing that number as a blocklist provider is quite easy. I think we make the difference on what we block and how we give insights on why.

Your Threat Intelligence Partner  qfeeds.com

With Q-feeds, you have a more curated list of IoCs; blocking more doesn't necessarily mean better.
The worth of the Q-feeds feed is the quality, the curation and the insight.

With the latest changes on their TIP you can track down why an IP is blocked, along with a lot of other information.
Additionally, there is the ease of reporting false positives: you simply open a ticket and they review it.

I found very few false positives; lately only one that affected me, and within 30 min it was removed and reflected on OPNsense at the next poll.

This workflow combined with their tooling and the fact all is local is a major plus.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
N355 - i226-V | AQC113C | 16G | 500G - PROD

PRXMX
N5105 - i226-V | 2x8G | 512G - NODE #1
N100 - i226-V | 16G | 1T - NODE #2