Greetings Daniel: You were on target, and thank you for pointing out the log file:

aug 17 16:58:08 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 61.136.58.249 1187360911.3960043 5720
aug 17 17:02:01 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 61.136.58.249 1187360911.3960043 5720

I guess I was not seeing it in time. May I ask how quickly the firewall drop occurs on the agent itself in relation to the email sent from the ossec server? Thank you.
