From d3cbedaa8e405a72fc8317d0b4d4aed9c96a63c3 Mon Sep 17 00:00:00 2001
From: mbedworth
Date: Sun, 28 Dec 2025 04:23:52 -0500
Subject: [PATCH] security/wazuh-agent: Fix active response duplicate key causing false aborts (#5104)

When multiple IPs trigger the same rule simultaneously, they were sharing the same check_keys value (only rule ID), causing the manager to abort all but the first execution.

Changed the key to include both rule_id and srcip to make it unique per source IP, allowing multiple simultaneous blocks while still preventing duplicate blocks of the same IP.

Fixes #4738
---
 security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
index f2b349a25..a13439c2e 100755
--- a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
@@ -121,7 +121,8 @@ def main(params):
 },
 "command": "check_keys",
 "parameters":{
- "keys": [event['parameters']['alert']['rule']['id']]
+ unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
+ "keys": [unique_key]
 }
 }))
 sys.stdout.flush()
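Review bot: The added line `unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)` is an assignment statement placed inside the `"parameters":{` dict literal, which Python cannot parse, so the script will fail with a SyntaxError on every invocation instead of fixing the duplicate-key abort. Move the assignment to a statement of its own before the call whose `}))` closes at the end of the hunk, or build the key inline with `"keys": ["%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)]`. `srcip` is presumably bound earlier in `main` from the alert data; it is worth confirming it is in scope at this point and has already been validated as an IP address, since it now becomes part of the manager-side deduplication key. The enclosing function `main` starts and ends outside the hunk.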