OSSEC HIDS 0.6
Copyright (c) 2004-2006 Daniel B. Cid

How the active response works internally:

- Read active-response.txt for details on configuration

1 - The analysis server receives an event that matches the
    active response policy.

2 - The analysis server verifies that all required fields are provided
    with the event. This means that the analysis server was able to decode
    the event and extract the necessary information. One example is
    whether it was able to extract the source IP address from the event,
    since that is what gets sent to the firewall to be blocked. If a
    required field is missing, no action is taken for that event.

3 - If the active response policy specifies that the action must be
    executed locally on the AS (analysis server), a message is sent to
    execd directly.

4 - If the active response policy specifies that the action must be
    executed remotely, a message is sent to the "Active response
    forwarder" (remoted), which forwards it to the specified agent.
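The four steps above, as an added example that simulates the analysis server's dispatch decision. This is illustrative code written for this page, not OSSEC's own implementation: the Event/Policy structures, the "expects" list of required fields, the location values ("local" for the analysis server, otherwise an agent id or "all") and the sample events are all assumptions, and the real daemons use their own message formats. One check a practitioner would want is shown in step 2: a field that will be handed to a firewall script as an address must actually parse as an IP address, not merely be present.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# All names and sample data below are assumptions constructed for this example.


@dataclass
class Event:
    """An event that the analysis server has already decoded."""
    rule_id: int
    level: int
    agent_id: str                                         # agent that produced the event
    fields: Dict[str, str] = field(default_factory=dict)  # decoded fields, e.g. "srcip"


@dataclass
class Policy:
    """One active-response policy entry (assumed shape, not OSSEC's config format)."""
    command: str                          # script that execd will run
    expects: List[str]                    # decoded fields the command requires
    location: str                         # "local" = run on the AS; else an agent id or "all"
    level: int = 0                        # minimum alert level that triggers the policy
    rules_id: Optional[List[int]] = None  # restrict to these rule ids (None = any rule)


@dataclass
class Dispatch:
    """Where the analysis server sends the action and what it sends."""
    target: str               # "execd" (step 3) or "remoted" (step 4)
    message: Dict[str, str]


def policy_matches(policy: Policy, event: Event) -> bool:
    """Step 1: does this event fall under the policy?"""
    if event.level < policy.level:
        return False
    if policy.rules_id is not None and event.rule_id not in policy.rules_id:
        return False
    return True


def missing_field(policy: Policy, event: Event) -> Optional[str]:
    """Step 2: return the first required field that was not decoded, else None.

    A value destined for a firewall as "srcip" must parse as an IP address;
    an arbitrary decoded string must never reach the blocking script.
    """
    for name in policy.expects:
        value = event.fields.get(name)
        if not value:
            return name
        if name == "srcip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                return name
    return None


def dispatch(policy: Policy, event: Event) -> Optional[Dispatch]:
    """Steps 1-4: decide whether and where the action is sent."""
    if not policy_matches(policy, event):
        return None
    if missing_field(policy, event) is not None:
        return None                                   # required info not extracted: do nothing
    message = {"command": policy.command}
    message.update({name: event.fields[name] for name in policy.expects})
    if policy.location == "local":
        return Dispatch("execd", message)             # step 3: run on the analysis server
    message["agent_id"] = policy.location             # step 4: forwarded by remoted to the agent(s)
    return Dispatch("remoted", message)


# Constructed sample policies and events (assumed values, for illustration only).
BLOCK_LOCAL = Policy(command="firewall-drop.sh", expects=["srcip"], location="local", level=6)
BLOCK_ON_AGENT = Policy(command="firewall-drop.sh", expects=["srcip"], location="003", level=6)

BRUTE_FORCE = Event(rule_id=5712, level=10, agent_id="003",
                    fields={"srcip": "203.0.113.5", "user": "root"})
NO_SRCIP = Event(rule_id=5712, level=10, agent_id="003", fields={"user": "root"})
BAD_SRCIP = Event(rule_id=5712, level=10, agent_id="003",
                  fields={"srcip": "203.0.113.5; rm -rf /"})
LOW_LEVEL = Event(rule_id=1002, level=2, agent_id="003", fields={"srcip": "203.0.113.5"})

if __name__ == "__main__":
    for label, policy, event in [("local", BLOCK_LOCAL, BRUTE_FORCE),
                                 ("remote", BLOCK_ON_AGENT, BRUTE_FORCE),
                                 ("no srcip", BLOCK_LOCAL, NO_SRCIP),
                                 ("bad srcip", BLOCK_LOCAL, BAD_SRCIP),
                                 ("low level", BLOCK_LOCAL, LOW_LEVEL)]:
        print(f"{label:10s} -> {dispatch(policy, event)}")
```

The event with a field that merely looks like an address plus a shell command is rejected at step 2 exactly like the event with no address at all: from the analysis server's point of view both are events whose required information could not be extracted, so nothing is sent to execd or remoted.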