--- /dev/null
+OSSEC HIDS 0.6
+Copyright (c) 2004-2006 Daniel B. Cid <daniel.cid@gmail.com>
+ <dcid@ossec.net>
+
+
+How the active response works internally:
+
+- Read active-response.txt for details on configuration
+
+
+1 - The analysis server receives an event that matches the
+ active response policy.
+
+2 - The analysis server verifies that all required fields
+ are provided with the event. It means that the analysis
+ server was able to decode the event and extract the
+ necessary information. One example is if it was able
+ to extract the IP address from the event to send to
+ the firewall to be blocked.
+
+3 - If the active response policy specify that the action
+ must be executed locally on the AS, a message is sent
+ to the execd directly.
+
+4 - If the active response policy specify that the action
+ must be executed remotely, a message is sent to the
+ "Active response forwarder" (remoted) to forward the
+ event to the specified agent.
+
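Review bot: Step 2 says the analysis server verifies that all required fields are provided, but it does not say what happens when they are not (for example, when no IP address could be extracted). Please state whether the response is skipped, logged, or sent anyway, and whether the extracted value is validated before it is passed on to be blocked at the firewall. In steps 3 and 4, "policy specify" should read "policy specifies", and "AS" in step 3 should be spelled out as "analysis server" or defined on first use. The walkthrough also stops once the message reaches execd or remoted; a final step describing what happens on the specified agent after the event is forwarded would complete it.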