security/wazuh-agent: Fix active response duplicate key causing false aborts (#5104)

When multiple IPs trigger the same rule simultaneously, they were sharing the same check_keys value (only rule ID), causing the manager to abort all but the first execution. Changed the key to include both rule_id and srcip to make it unique per source IP, allowing multiple simultaneous blocks while still preventing duplicate blocks of the same IP. Fixes #4738
2026-05-22 18:44:07 -07:00 · 2025-12-28 04:23:52 -05:00
parent 809f2ae9d8
commit d3cbedaa8e
1 changed files with 2 additions and 1 deletions
@@ -121,7 +121,8 @@ def main(params):
                },
                "command": "check_keys",
                "parameters":{
-                    "keys": [event['parameters']['alert']['rule']['id']]
+                   unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
+		   "keys": [unique_key] 
                }
            }))
            sys.stdout.flush()