Hi Andrew,
Sorry for the late response. A rule's function is basically to let you know what is happening in your environment, but this rule will not block a normal visitor's IP just because it was triggered. Have you checked if the Active Response module is active? If you have something similar to the following lines, that is probably what is causing the IPs to get blocked:
Example 1:
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
</command>
This is a command to run the firewall-drop.sh script to block the srcip.
Example 2:
<active-response>
  <command>makelists</command>
  <location>server</location>
  <rules_id>31533</rules_id>
</active-response>
This active-response will run the makelists command to update the CDB lists. CDB lists are used to create a white/black list of users, file hashes, IPs or domain names.
Lastly, if you just want to remove the rule, you can copy the entire file to which this rule belongs (the path should be /var/ossec/ruleset/rules/0270-web_appsec_rules.xml) to the /var/ossec/etc/rules/ directory, change the file's name (very important!) and delete this rule from that file. You can copy the file by running this command:
cp /var/ossec/ruleset/rules/0270-web_appsec_rules.xml /var/ossec/etc/rules/new_name.xml
Then, with any editor (nano, vim...) feel free to delete the rule 31533. The last step would be to go to the ossec.conf file and add the line:
<rule_exclude>0270-web_appsec_rules.xml</rule_exclude>
Hope I was helpful. Do not hesitate to contact us if you have any doubt.
Yana.
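As an added example (not part of the thread above, and not Wazuh's own tooling), here is a small Python 3 helper that does the "delete rule 31533 from the copied file" step programmatically instead of by hand, so the rest of the file stays byte-for-byte intact. The rule file content below is a constructed sample shaped like a Wazuh rule file, not the real 0270-web_appsec_rules.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Wazuh rule-file layout (not the real file).
SAMPLE_RULES = """<group name="web,appsec,attack,">
  <rule id="31530" level="6">
    <if_sid>31100</if_sid>
    <description>Example web attack rule (constructed)</description>
  </rule>
  <rule id="31533" level="6">
    <if_sid>31100</if_sid>
    <description>Example rule to be removed (constructed)</description>
  </rule>
</group>
"""


def rule_ids(xml_text: str) -> list:
    """List the ids of all <rule> elements, in file order."""
    root = ET.fromstring(f"<ruleset>{xml_text}</ruleset>")
    return [r.get("id") for g in root.findall("group") for r in g.findall("rule")]


def remove_rule(xml_text: str, rule_id: str) -> str:
    """Return xml_text with every <rule id=rule_id> element removed.

    Wazuh rule files may hold several top-level <group> elements, which is not
    a single well-formed XML document, so the text is wrapped in a synthetic
    <ruleset> root before parsing and unwrapped again on output.
    """
    root = ET.fromstring(f"<ruleset>{xml_text}</ruleset>")
    removed = 0
    for group in root.findall("group"):
        for rule in list(group.findall("rule")):
            if rule.get("id") == rule_id:
                group.remove(rule)
                removed += 1
    if removed == 0:
        raise ValueError(f"rule id {rule_id} not found")
    return "".join(ET.tostring(g, encoding="unicode") for g in root)


if __name__ == "__main__":
    # Hypothetical paths: the copy made with cp in the thread above.
    src = "/var/ossec/etc/rules/new_name.xml"
    with open(src) as fh:
        patched = remove_rule(fh.read(), "31533")
    with open(src, "w") as fh:
        fh.write(patched)
```

After writing the patched copy, the `<rule_exclude>` entry for the original file still has to be added to ossec.conf as described above, and the manager restarted for the change to take effect.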