I'm seeing an occasional attack 'missed' by active response for up to a couple of hours, then a trigger of firewall-drop.sh on the client. The rules that match src_ip are being triggered, and I'm getting the alert emails.
The active response shows up in the ossec-hids-responses.log on the client, but much too late. Does the server log the active-response actions that it tries to carry out on clients? I'm trying to figure out if this is a network issue or if it's ossec-hids.
Thanks, Ken A. Pacific.Net
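One way to measure the delay the post describes from the client side alone, as an added example that is not part of the original post or of OSSEC itself: the stock firewall-drop.sh writes each action to active-responses.log as `<date> <script> <add|delete> <user> <srcip> <alert-id> <rule-id>`, and the integer part of the alert id is the server's epoch time when the alert fired. Subtracting that from the timestamp the client wrote gives the end-to-end delay per entry. The log lines below are constructed, and the exact date format (`date` output in UTC) and field order are assumptions; adjust the regex if your log differs.

```python
import re
from datetime import datetime, timezone

# Assumed layout of one active-responses.log line written by firewall-drop.sh:
# "<ctime date> <script path> <add|delete> <user> <srcip> <alert-id> <rule-id>"
AR_LINE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} UTC \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)

# Constructed sample entries (not real log data). The second one fired two hours
# after its alert; the third is a block removal and is not a delay of interest.
SAMPLE_LINES = [
    "Sat Jun 11 15:35:43 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh "
    "add - 192.168.1.1 1307806542.123 5716",
    "Sat Jun 11 17:36:40 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh "
    "add - 10.9.8.7 1307806600.45 5712",
    "Sat Jun 11 17:46:40 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh "
    "delete - 192.168.1.1 1307806542.123 5716",
]


def parse_response_line(line):
    """Return a dict with the parsed fields and the alert-to-action delay in
    seconds, or None if the line does not match the assumed layout."""
    m = AR_LINE.match(line.strip())
    if not m:
        return None
    # Client-side clock: when the script actually ran.
    ran = datetime.strptime(m.group("when"), "%a %b %d %H:%M:%S UTC %Y")
    ran_epoch = int(ran.replace(tzinfo=timezone.utc).timestamp())
    # Server-side clock: the alert id is "<epoch>.<sequence>" on the manager.
    alert_epoch = int(m.group("alert_id").split(".")[0])
    return {
        "srcip": m.group("srcip"),
        "action": m.group("action"),
        "alert_id": m.group("alert_id"),
        "rule_id": m.group("rule_id"),
        "alert_epoch": alert_epoch,
        "ran_epoch": ran_epoch,
        "delay_s": ran_epoch - alert_epoch,
    }


def find_late_responses(lines, threshold_s=60):
    """Return the 'add' actions whose delay exceeds threshold_s seconds."""
    late = []
    for line in lines:
        rec = parse_response_line(line)
        if rec and rec["action"] == "add" and rec["delay_s"] > threshold_s:
            late.append(rec)
    return late


if __name__ == "__main__":
    for rec in find_late_responses(SAMPLE_LINES):
        print(f"{rec['srcip']}: rule {rec['rule_id']}, alert {rec['alert_id']}, "
              f"blocked {rec['delay_s']} s after the alert")
```

The delay mixes two clocks (the manager's, via the alert id, and the client's, via the date prefix), so a consistently large value on every entry points at clock skew rather than delivery lag; a delay that is small for most entries and hours for a few is the pattern the post describes. The alert id in each line is also the key for lining the entry up against the corresponding `** Alert <id>:` record in the manager's alerts.log.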
