I had a case yesterday where firewall-drop was called on the first IP in a list of IPs that ossec reported under rule 40111 (multiple auth failures) - these were NOT from the same IP, yet the active response fired anyway! There was only a single auth failure from the IP that was blocked. This is a default, local install of ossec .9-3 on an FC3 machine.

Thanks,
Ken A.
