Forum Discussion
Festus_50639
Jan 10, 2011 | Nimbostratus
ASM_REQUEST_BLOCKING and email notification
I am trying to send an email notification directly from the ASM when the blocking response page is presented.
There is a post similar to this which I now cannot find, but it seemed geared ...
samstep
Jan 19, 2011 | Cirrocumulus
First of all, the ASM SMTP Options in 10.2 are for something else: the new scheduled reports feature (Application Security/Reporting/Charts/Chart Scheduler).
To configure e-mail sending you need to enable the postfix service as described in SOL7365
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7365.html
To answer your questions:
1. You do need an OID; just use a custom one, as per SOL3727, for example: .1.3.6.1.4.1.3375.2.4.0.555
Here is what should be in your user_alert.conf:

    alert ASM_BLOCK "ASM_REQUEST_BLOCKING" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.555";
        email toaddress="youremailhere@yourcompany.com"
        fromaddress="ASM@mybigipdevice.com"
        body="ASM Block"
    }

2. You can get the SupportID from [ASM::violation_data] (see documentation here: http://devcentral.f5.com/wiki/default.aspx/iRules/ASM__violation_data.html)
So, your iRule should look like this:

    when ASM_REQUEST_BLOCKING {
        log local0. "SupportID: [lindex [ASM::violation_data] 1]"
    }

3. I tried it and it worked for me, and you get the SupportId in both /var/log/ltm and the SNMP trap (and the email notification).
4. I think getting the BIG-IP box to send an e-mail on each ASM block can be considered overkill (and possibly a performance hog). If your site gets attacked by a bunch of PCs running trojans (most frequent attacks these days), your BIG-IP will be very busy sending thousands of e-mails whilst trying to block the attacks, load balance requests, do SSL decryption, decompression and all the other good stuff BIG-IP does ...
You can always send logs to a remote syslog server which will send an e-mail alert (for example, the free Kiwi syslog will do that).
By all means, you can put in a feature request via F5 support to make this configurable in the WebGUI.
--
Sam
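
Added example, not part of the post above and not F5 code: a sketch of the remote-syslog approach from point 4, collapsing the iRule's "SupportID:" log lines into one e-mail digest per five-minute window instead of one e-mail per blocked request. The log line layout, hostname, rule name, SupportID values and the assumed year are constructed for illustration; the addresses are the placeholders from the post.

```python
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample: lines shaped like the iRule's output once forwarded to a
# remote syslog host. Hostname, rule name and SupportID values are made up.
SAMPLE = [
    "Jan 19 10:15:02 bigip1 info tmm[4821]: Rule asm_block_log <ASM_REQUEST_BLOCKING>: SupportID: 1000000000000000001",
    "Jan 19 10:15:03 bigip1 info tmm[4821]: Rule asm_block_log <ASM_REQUEST_BLOCKING>: SupportID: 1000000000000000002",
    "Jan 19 10:15:03 bigip1 notice mcpd[2210]: unrelated message",
    "Jan 19 10:18:40 bigip1 info tmm[4821]: Rule asm_block_log <ASM_REQUEST_BLOCKING>: SupportID: 1000000000000000003",
    "Jan 19 10:21:10 bigip1 info tmm[4821]: Rule asm_block_log <ASM_REQUEST_BLOCKING>: SupportID: 1000000000000000004",
]
BLOCK = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*<ASM_REQUEST_BLOCKING>: SupportID: (\S+)")

def bucket_blocks(lines, window=300, year=2011):
    """Group ASM block lines into fixed windows: {window_start: [support_ids]}."""
    buckets = {}
    for line in lines:
        m = BLOCK.match(line)
        if not m:
            continue  # anything that is not the iRule's block message
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        offset = (ts.hour * 3600 + ts.minute * 60 + ts.second) % window
        buckets.setdefault(ts - timedelta(seconds=offset), []).append(m.group(2))
    return buckets

def build_digests(lines, to_addr, from_addr, window=300, max_ids=20):
    """Build one message per window instead of one per blocked request."""
    messages = []
    for start, ids in sorted(bucket_blocks(lines, window).items()):
        msg = EmailMessage()
        msg["To"], msg["From"] = to_addr, from_addr
        msg["Subject"] = f"ASM Block: {len(ids)} request(s) since {start:%b %d %H:%M}"
        body = "\n".join(ids[:max_ids])  # cap the list so a flood stays readable
        if len(ids) > max_ids:
            body += f"\n... and {len(ids) - max_ids} more"
        msg.set_content("Support IDs:\n" + body)
        messages.append(msg)
    return messages

if __name__ == "__main__":
    for m in build_digests(SAMPLE, "youremailhere@yourcompany.com", "ASM@mybigipdevice.com"):
        print(m["Subject"])
```

The messages are only built here; handing them to `smtplib` on the syslog host keeps the mail load off the BIG-IP.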