Active response times are based on the OSSEC_SHUN_TIME variable; this is a value for how long to block an attacker, in seconds. The default is 600. In addition, you can disable expiration completely with: OSSEC_SHUN_ENABLE_TIMEOUT
Now, if for some reason you kill OSSEC off instead of shutting it down correctly, then you could run into a condition where the block sticks around for as long as 24 hours. So don't ever do that.
There will also be a graded "repeat offender" active response, where IPs that come back will be blocked for progressively longer periods based on a multiplier. That's not active in the version you're running.
To your latter question, there are 2 basic types of active response: those that handle network events (firewall, tcpwrappers, etc.) and one that handles user events. They are both handled identically; the field you're looking at is the userid field. If that were a user event, the active response could be used to perform an action against the user, like disable the account, or maybe turn on very verbose logging, or even restart/reconfigure a daemon based on some specific log event. We're looking at using that kind of capability for self-healing, or policy-based security controls.