Hi Andrew,

It is just the time to send a message via unix-socket (or via the network if it is supposed to run on the agent) plus the time to execute the script. However, note that the response will only kick in after 6 or more attempts by default, and some of these scripts are very fast, running in parallel...

On my logs, I get:

" Sun Mar 23 19:47:06 ADT 2008 /var/ossec/active-response/bin/host-deny.sh add - 220.225.201.5 1206312426.14761 5706
Sun Mar 23 19:47:06 ADT 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 220.225.201.5 1206312426.14761 5706 "

And on the alert.log:

** Alert 1206312426.14473: - syslog,sshd,recon,
2008 Mar 23 19:47:06 enigma->/var/log/authlog

So it is all under the same second...

Hope it helps.

-- Daniel B. Cid dcid ( at ) ossec.net

On Mon, Mar 17, 2008 at 1:15 PM, Andrew Storms <[EMAIL PROTECTED]> wrote:
>
> AKA, how long it takes for active-response to kick in.
>
> I'm curious, anybody got any ideas on how to speed up the response time
> inside the active-response mechanism. It's not uncommon for a ssh bot to hit
> a system with 20 or more brute force attempts before active-response kicks
> in.
>
>
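Daniel measures the alert-to-response delay above by comparing timestamps by eye. The following script, added here as an example and not part of the thread or of OSSEC itself, does that comparison for you: it parses active-responses.log lines in the format quoted in the thread and the header lines of alerts.log, pairs each response with the alert whose id shares the same epoch second (and rule id, where a "Rule:" line is present), and reports the latency in seconds. The sample log lines are constructed for the example (the second alert, its IP and the rule/level text are made up); the field layout is assumed to match the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of active-responses.log lines. The first two copy the
# thread's format; the third is made up to show a non-zero delay.
ACTIVE_RESPONSES_LOG = """\
Sun Mar 23 19:47:06 ADT 2008 /var/ossec/active-response/bin/host-deny.sh add - 220.225.201.5 1206312426.14761 5706
Sun Mar 23 19:47:06 ADT 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 220.225.201.5 1206312426.14761 5706
Sun Mar 23 19:52:11 ADT 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.77 1206312729.20110 5712
"""

# Constructed sample of alerts.log headers (the "Rule:" lines are assumed and
# are optional for the matching below).
ALERTS_LOG = """\
** Alert 1206312426.14473: - syslog,sshd,recon,
2008 Mar 23 19:47:06 enigma->/var/log/authlog
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'

** Alert 1206312729.19800: - syslog,sshd,authentication_failures,
2008 Mar 23 19:52:09 enigma->/var/log/authlog
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
"""

# <weekday> <Mon DD HH:MM:SS> <TZ> <YYYY> <script> <action> <user> <srcip> <alert_id> <rule>
AR_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \w+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>\S+) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule>\d+)$"
)

# "** Alert <id>: ..." followed by "<YYYY Mon DD HH:MM:SS> <location>" and an
# optional "Rule: <id>" line.
ALERT_RE = re.compile(
    r"^\*\* Alert (?P<alert_id>\d+\.\d+): .*\n"
    r"(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<location>\S+)"
    r"(?:\nRule: (?P<rule>\d+))?",
    re.M,
)

TS_FMT = "%Y %b %d %H:%M:%S"


def parse_active_responses(text):
    """Return one dict per recognised active-response line."""
    entries = []
    for line in text.splitlines():
        m = AR_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(f"{d['year']} {d['ts']}", TS_FMT)
        # The integer part of an OSSEC alert id is the alert's epoch second.
        d["epoch"] = int(d["alert_id"].split(".")[0])
        d["script"] = d["script"].rsplit("/", 1)[-1]
        entries.append(d)
    return entries


def parse_alerts(text):
    """Index alert headers by epoch second; several alerts may share one."""
    by_epoch = defaultdict(list)
    for m in ALERT_RE.finditer(text):
        d = m.groupdict()
        d["time"] = datetime.strptime(d["ts"], TS_FMT)
        d["epoch"] = int(d["alert_id"].split(".")[0])
        by_epoch[d["epoch"]].append(d)
    return by_epoch


def response_latencies(ar_text, alerts_text):
    """Pair each response with its triggering alert and compute the delay."""
    alerts = parse_alerts(alerts_text)
    results = []
    for ar in parse_active_responses(ar_text):
        candidates = alerts.get(ar["epoch"], [])
        # Prefer an alert whose rule id matches; fall back to same-second match.
        same_rule = [a for a in candidates if a.get("rule") == ar["rule"]]
        alert = (same_rule or candidates or [None])[0]
        latency = (ar["time"] - alert["time"]).total_seconds() if alert else None
        results.append({"script": ar["script"], "srcip": ar["srcip"],
                        "rule": ar["rule"], "latency_s": latency})
    return results


if __name__ == "__main__":
    for r in response_latencies(ACTIVE_RESPONSES_LOG, ALERTS_LOG):
        print(f"{r['script']:<18} {r['srcip']:<16} rule {r['rule']} "
              f"latency {r['latency_s']}s")
```

Both timestamps are read as local time, so the comparison is independent of the timezone abbreviation in the active-response line. Run it against real logs by reading the two files instead of the embedded strings; any response whose latency stays well above the script's own execution time points at the frequency/timeframe threshold of the triggering rule rather than at the active-response machinery, which is the point Daniel makes above.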
