Not currently. The best way would be to do an active response script to just clear an IP address.
The issue is that the manager only sends to the agent the active response script and the IP (or user name), not the action. So it is always treated as a block. But a removal script would be a good idea :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Aug 2, 2011 at 6:17 PM, jplee3 <[email protected]> wrote:
> Hi all,
>
> Is there a way to issue an Active Response "Undo" through
> agent_control?
>
> Like if I wanted to unblock an IP that I blocked using: "./
> agent_control -b 192.168.1.50 -f route-null0 -u 010"
>
>
> Thanks!
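
One possible shape for the removal script suggested in the reply above, added here as an example and not taken from the thread or from OSSEC's own scripts. The script name is hypothetical; it assumes the argument order of the stock active response scripts (action, user, IP) and Linux `route` syntax for the null route.

```shell
#!/bin/sh
# Added example (not OSSEC's own code): hypothetical "route-null-undo.sh".
# Assumption: arguments arrive as in the stock scripts: $1 action, $2 user, $3 IP.
# The action is ignored on purpose, since a manually triggered response
# always arrives as a block; this script only ever removes the route.

# Strict dotted-quad check: the value ends up in a command run as root.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the removal command. Assumption: Linux net-tools syntax, the inverse
# of a "route add <ip> reject" null route.
unblock_cmd() {
    valid_ipv4 "$1" || return 1
    echo "route del $1 reject"
}

main() {
    ip=$3
    cmd=$(unblock_cmd "$ip") || { echo "refusing invalid IP: $ip" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"          # show what would run
    else
        $cmd                 # remove the null route
    fi
}

# Only act when called with the three positional arguments.
if [ $# -ge 3 ]; then main "$@"; fi
```

Setting `DRY_RUN=1` prints the command instead of executing it, which is useful when checking the script on an agent before registering it as an active response.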
