AR - List blocked IP addresses

Skip to first unread message

Nov 29, 2022, 10:14:51 AM11/29/22
to Wazuh mailing list

Is there a way (API or CLI) to list the currently blocked IP addresses by the active response?

Natassia M Stelmaszek

Nov 29, 2022, 11:51:09 AM11/29/22
to Wazuh mailing list
On a Redhat/CentOS/Rocky system you can use sudo iptables --list -n on the agent machine.


Matias Pereyra

Nov 30, 2022, 10:26:17 PM11/30/22
to Wazuh mailing list

There is more information about this topic in the documentation section: Detect and react to a Shellshock attack. There you have an example of an active response used for IP blocking.

As Natassia said, the command iptables --list -n can show you in the agent what is the current list of IP addresses in its firewall drop list.

But you can't see this information from your manager for every agent. One workaround could be configuring a remote command and executing it. See Command monitoring for more details.


Julio Cesar

Dec 1, 2022, 5:53:58 AM12/1/22
to Matias Pereyra, Wazuh mailing list
Hello Matias,

Thank you!

Thanks to Natassia too!

Any plans to implement this on the Wazuh's API?


You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit
To unsubscribe from this group and all its topics, send an email to
To view this discussion on the web visit

Matias Pereyra

Dec 2, 2022, 10:25:04 AM12/2/22
to Wazuh mailing list
Hi again!

Feel free to open an issue in the Wazuh repository to request this feature: New issue.
The team will analyze this as soon as possible.

Reply all
Reply to author
0 new messages