Remove blocked IP from wazuh


Athan Espinoza

Apr 29, 2023, 4:00:39 PM
to Wazuh mailing list
Hello, good day.
Sometimes it happens to me that Wazuh blocks the IPs of agents which, upon review, are false positives carrying out valid and non-malicious queries, but they remain blocked and have connectivity problems for a fairly long time.

How could I revoke this temporary IP block through the API console, or is there another way to do it more quickly?

Best regards!

Adebayo Kalejaiye

Apr 30, 2023, 4:10:27 AM
to Wazuh mailing list
Hello Athan,

If you are certain that the IPs are legitimate after your reviews, you can whitelist the IPs via the ossec.conf of the Wazuh-manager in the active-response block:

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>8.8.8.8</white_list>
    <white_list>8.8.4.4</white_list>
  </global>

Then restart the Wazuh-manager.

I hope this helps.

Best Regards,
Adebayo

Adebayo Kalejaiye

Apr 30, 2023, 4:34:54 AM
to Wazuh mailing list
Hello Athan,

Another approach is to add the IPs to a CDB list for Wazuh to ignore, if you know the rule that triggers the temporary block, and for Wazuh to ignore the rule if the IP is in the CDB list. For example:

Create your list as follows, listing the IPs:

192.168.1.10:
192.168.1.11:


Do not forget to store your lists in /var/ossec/etc/lists and define it in the ruleset section within the ossec.conf file:

<ossec_config>
  <ruleset>
    <list>etc/lists/your_list</list>
  </ruleset>
</ossec_config>

Then, modify the rule in /var/ossec/etc/rules/local_rules.xml. For example, if the rule that triggers the temporary block is rule ID 5706:

    <rule id="100002" level="0">
      <if_sid>5706</if_sid>
      <list field="srcip" lookup="address_match_key">etc/lists/your_list</list>
      <description>Rule to ignore known hosts</description>
      <group>pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,</group>
    </rule>

Please see the documentation on using CDB lists below:
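Added example (not from this thread or from Wazuh's own code): a small Python check that emulates how the two mitigations in the replies above are evaluated for a given source IP, so you can verify an entry before restarting the manager. The matching semantics are an approximation of Wazuh's behaviour as I understand it (address_match_key matches IP or CIDR keys; white_list entries starting with "^" are hostname patterns), and the CIDR entry 10.20.0.0/16 in the sample list is constructed.

```python
import ipaddress
import re

# Constructed samples mirroring the thread: ossec.conf <white_list> entries and the body
# of etc/lists/your_list ("key:value" per line; the value may be empty, as in the thread).
WHITE_LIST = ["127.0.0.1", "^localhost.localdomain$", "8.8.8.8", "8.8.4.4"]
CDB_LIST_TEXT = "192.168.1.10:\n192.168.1.11:\n10.20.0.0/16:branch-office\n"

def parse_cdb_list(text):
    """Parse 'key:value' lines into a dict; blank lines skipped, malformed lines rejected."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key:value', got {line!r}")
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries

def address_match_key(ip, entries):
    """Emulate lookup="address_match_key": ip equals a key or lies inside a CIDR key."""
    addr = ipaddress.ip_address(ip)
    for key in entries:
        try:
            if addr in ipaddress.ip_network(key, strict=False):
                return True
        except ValueError:  # key is not an address/network; this lookup type skips it
            continue
    return False

def whitelisted(ip, hostname=None):
    """Emulate <white_list>: IP/netmask entries match srcip, '^...$' entries match hostname."""
    addr = ipaddress.ip_address(ip)
    for entry in WHITE_LIST:
        if entry.startswith("^"):
            if hostname is not None and re.search(entry, hostname):
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def would_block(srcip, hostname=None, cdb_text=CDB_LIST_TEXT):
    """Would a rule-5706 alert for srcip still trigger the block with both mitigations in place?"""
    if address_match_key(srcip, parse_cdb_list(cdb_text)):
        return False  # child rule 100002 fires at level 0, so no active response is triggered
    if whitelisted(srcip, hostname):
        return False  # the source is exempt from active-response blocking
    return True
```

Run would_block() against the agent IPs you intend to exempt; a True result means neither the CDB list nor the white_list covers that address as written.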