Forum Discussion

Festus_50639's avatar
Festus_50639
Icon for Nimbostratus rankNimbostratus
Jan 10, 2011

ASM_REQUEST_BLOCKING and email notification

I am trying to send an email notification directly from the ASM when the blocking response page is presented.

 

 

There is a post similar to this which I now cannot find, but it seemed geared more towards sending an snmp trap rather than sending an email notification.

 

 

Background and setup info -

 

 

-Big-IP version: 10.2.0 HF2

 

 

-ASM SMTP Options configured

 

 

-Using ASM Security policy with "Trigger ASM iRule Event" checked.

 

 

-ASM iRule assigned as a Virtual Server resource

 

 

-ASM iRule name: ASM_iRule_app1

 

 

-ASM iRule content:

 

 

when ASM_REQUEST_BLOCKING {

 

 

log local0. "ASM_BLOCK_app1 - Request for Support ID: ts.request.id has been blocked"

 

}

 

 

-/config/user_alert.conf entry information:

 

 

alert ASM_BLOCK_app1 "ASM_BLOCK_APP1" {

 

emailtoaddress="user1@domain.com,pager2@site.com"

 

fromaddress="ASM_ALERTS"

 

body="The ASM Blocking response page was just presented for an app1page request"

 

}

 

 

Questions -

 

 

1. Is an "snmptrap OID=" line required in the user_alert.conf file for each alert created? Based on the Solutions articles I've found, that appears to be the case. ( I would like to send an email alert without creating an snmptrap message.)

 

 

2. How can I add the SupportID to both the /var/log/ltm entry and the email that is sent by the alert daemon? (My thought is that I can add " . ts.request.id" to the end of the "body" line in the user_alert.conf entry.)

 

 

3. Has anyone successfully implemented something similar?

 

 

4. Does anyone know if this has been requested as a feature in a future release so that email notifications can be configured from the web UI when the blocking response page is presented?

 

 

 

 

 

  • First of all ASM SMTP Options in 10.2 are for something else - for new scheduled reports feature. (Application Security/Reporting/Charts/Chart Scheduler)

    To configure e-mail sending you need to enable the postfix service as described in SOL7365

    http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7365.html

    To answer your questions:

    1) you do need OID, just use a custom one, as per SOL3727, for example: .1.3.6.1.4.1.3375.2.4.0.555

    here is what should be in your user_alert.conf

    
    
    alert ASM_BLOCK "ASM_REQUEST_BLOCKING" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.555";
    email toaddress="youremailhere@yourcompany.com"
     fromaddress="ASM@mybigipdevice.com"
     body="ASM Block"
    }
    
    

    2. You can get the SupportID from [ASM::violation_data] (see documentation here: http://devcentral.f5.com/wiki/default.aspx/iRules/ASM__violation_data.html)

    So, your iRule should look like this:

    
    when ASM_REQUEST_BLOCKING {
    
    log local0. "SupportID: [lindex [ASM::violation_data] 1]"
    
    }
    

    3. I tried it and it worked for me and you get SupportId in both/var/log/ltm and the SNMP trap (and the email notification)

    4. I think getting the BIG-IP box to send an e-mail on each ASM block can be considered an overkill (and possibly a performance hog). If your site gets attacked by a bunch of PCs running trojans (most frequent attacks these days) your BIG-IP will be very busy sending thousands of e-mails whilst trying to block the attacks, load balance request, do SSL decryption, decompression and all the other good stuff BIG-IP does ...

    you can always send logs to a remote syslog server which will send e-mail alert (for example free Kiwi syslog will do that).

    By all means you can put a feature request via F5 support to make this configurable in WebGUI

    --

    Sam