5149 The DoS attack has subsided and normal processing is being resumed

Logged when a DoS attack subsides and the Windows Filtering Platform (WFP) resumes normal processing. Paired with the detection event 5148, it marks the end of the DoS.

Overview

The subcategory is Audit Other Object Access Events. It is generated when WFP exits the DoS defensive mode and returns to normal packet processing.

How it is triggered

  • When the traffic detected as a DoS subsides and the defensive mode is lifted.

Security review points

  • Correlate it with the matching 5148 detection event to determine how long the DoS lasted, and check the availability impact during that period.
  • If the DoS recurs, consider permanent countermeasures (rate limiting, upstream blocking) for the source and the targeted service.

Notes for log review

  • Read it together with the 5148 detection event to evaluate the interval and frequency of attacks.
  • Treat it as a record of an availability incident.
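
The pairing described under "Security review points" and "Notes for log review" can be sketched as follows. This is an added example, not part of the original page: it assumes the 5148/5149 events have already been exported as (timestamp, event ID, host) records, and the sample records, host names and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample records (not real log data): timestamp, event ID, host.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", 5148, "web01"),
    ("2024-05-01T10:07:35", 5149, "web01"),
    ("2024-05-01T11:30:00", 5149, "web02"),   # end without a recorded start
    ("2024-05-01T12:15:00", 5148, "web01"),
    ("2024-05-01T12:16:00", 5148, "web01"),   # repeated start, same episode
    ("2024-05-01T12:45:00", 5149, "web01"),
    ("2024-05-01T13:00:00", 5148, "web02"),   # no 5149 yet: still defensive
]

def pair_dos_episodes(events):
    """Pair each 5148 (DoS detected) with the next 5149 (DoS subsided) per host.

    Returns (episodes, orphan_ends, open_starts):
      episodes    - list of dicts: host, start, end, seconds
      orphan_ends - 5149 events with no preceding 5148 on that host
      open_starts - host -> start time of an episode with no 5149 yet
    """
    episodes, orphan_ends, open_starts = [], [], {}
    parsed = sorted((datetime.fromisoformat(ts), eid, host) for ts, eid, host in events)
    for when, event_id, host in parsed:
        if event_id == 5148:
            # Keep the earliest start if 5148 repeats before the 5149.
            open_starts.setdefault(host, when)
        elif event_id == 5149:
            start = open_starts.pop(host, None)
            if start is None:
                orphan_ends.append((host, when))
            else:
                episodes.append({"host": host, "start": start, "end": when,
                                 "seconds": (when - start).total_seconds()})
    return episodes, orphan_ends, open_starts

def recurrence_gaps(episodes):
    """Seconds from the end of one episode to the start of the next, per host."""
    gaps, last_end = [], {}
    for ep in episodes:
        if ep["host"] in last_end:
            gaps.append((ep["host"], (ep["start"] - last_end[ep["host"]]).total_seconds()))
        last_end[ep["host"]] = ep["end"]
    return gaps

if __name__ == "__main__":
    episodes, orphans, ongoing = pair_dos_episodes(SAMPLE_EVENTS)
    for ep in episodes:
        print(f'{ep["host"]}: {ep["start"]} -> {ep["end"]} ({ep["seconds"]:.0f}s)')
    print("orphan 5149:", orphans, "| still open:", ongoing)
    print("gaps between episodes:", recurrence_gaps(episodes))
```

An orphan 5149 or a 5148 left open usually means the export window cut an episode in half or events were lost, so widen the time range before drawing conclusions about duration.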

Key fields

Field | Meaning
Target info | The target of the subsided DoS
