IBM Support

IBM QRadar Network Security IQNS (XGS) - Tuning parameter for large number of compressed HTTP sessions

Question & Answer


Question

What tuning parameter can be used if there is a large number of compressed HTTP sessions?

Answer

If you have a large number of compressed HTTP sessions, PAM can incur higher than normal latency because of the data explosion problem: PAM must inflate each compressed response before it can parse it, so the volume of data it analyzes is several times the volume that crosses the wire. A 100 Mb/s adapter can look like a 600 Mb/s port to the analysis engine, and a 1500 byte packet can turn into 7500 bytes of inflated content, which increases processing cost. A gzip compression ratio of 5-to-1 is not uncommon for JavaScript and HTML. Each such packet incurs both decompression and parser analysis overhead. To minimize the impact of inflation overhead, we advise customers to add the pam.inflate.filter tuning parameter for outbound content that is compressed by the organization's own web servers. In most cases (except where a web server has been compromised), this outbound content can be considered safe.

The pam.inflate.filter tuning parameter minimizes the performance penalty caused by decompressing HTTP response traffic. Its value is a flow-based traffic rule that is matched against the bi-directional network flow; HTTP responses in flows that match the rule are not decompressed. This tuning parameter is especially useful in a network configuration where all outbound web traffic is compressed by a web proxy accelerator. HTTP headers are never compressed, so the parameter does not affect header processing. Several statistics (pam.inflate.bytes.in and pam.inflate.bytes.out, described below) can help determine whether HTTP decompression is occurring in your network.

To stop analysis of all compressed HTTP content, set the tuning parameter pam.inflate.parse to 0. Compressed HTTP content can contribute to high latency and also increases the effective data rate of the traffic. This parameter is most likely to be used for testing purposes, for example to confirm that decompression is the source of the latency, and we suggest removing it after testing is completed, because while it is set PAM does not inspect any compressed response content.

Example:

Key: pam.inflate.parse
Value: 0

The statistic pam.inflate.bytes.in increases each time a compressed file is seen, but the statistic pam.inflate.bytes.out (the inflated output) does not increase for filtered flows if filtering is functioning correctly; if pam.inflate.bytes.out keeps growing in step with pam.inflate.bytes.in, the filter is not matching the traffic you expected. Multiple IP addresses and ports can be listed in a traffic rule, separated by commas (,), as shown in rule 1. Rule 1 prevents PAM from decompressing outbound HTTP responses from the 172.16.16.0/24 and 10.16.7.0/24 networks. Rule 2 is not recommended because it matches every TCP port 80 flow, including internal users browsing external and possibly unsafe websites, so compressed attacks in those responses would go undetected.

Rule #                    Name                Type    Value
Rule 1 (Recommended)      pam.inflate.filter  String  ip addr 172.16.16.1/24,10.16.7.1/24 tcp port 80
Rule 2 (Not recommended)  pam.inflate.filter  String  tcp port 80

Note: When adding multiple instances of the same tuning parameter, distinguish them by appending .1, .2, .3, and so on to the tuning parameter name.

Example: Key: pam.inflate.filter.1, pam.inflate.filter.2, pam.inflate.filter.3, and so on.
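The rule syntax and the rule 1 versus rule 2 comparison above, as an added example (this is not PAM code and not from the original technote): a small Python matcher that parses a pam.inflate.filter value and reports which sample flows it would exempt from decompression. The grammar it accepts (an optional `ip addr` clause and an optional `tcp port` clause, each a comma-separated list) is inferred only from the two rules in the table; matching the address list against either endpoint of the flow is an assumption drawn from the page's "bi-directional" wording, to be confirmed against the PAM documentation; the Flow class, the rule keys and the sample addresses are constructed for illustration.

```python
"""Offline matcher for pam.inflate.filter flow rules (added example).

The rule grammar implemented here is inferred from the two rules on the
technote only: 'ip addr <cidr>[,<cidr>...]' and 'tcp port <port>[,<port>...]',
either clause optional. That is an assumption about PAM's syntax, as is the
decision to match the address list against EITHER endpoint of the flow (the
technote describes the rule as matching the bi-directional flow).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP connection as PAM would see it (constructed sample data)."""
    client_ip: str
    server_ip: str
    server_port: int


def parse_inflate_filter(rule: str):
    """Split a rule into a list of networks and a set of TCP ports.

    An empty list / empty set means 'no constraint on that field', so the
    technote's rule 2 ('tcp port 80') carries no address constraint at all.
    """
    tokens = rule.split()
    nets, ports, i = [], set(), 0
    while i < len(tokens):
        if tokens[i:i + 2] == ["ip", "addr"]:
            # strict=False: '172.16.16.1/24' as written in the table has host
            # bits set; treat it as 172.16.16.0/24, which is what the prose means.
            nets = [ipaddress.ip_network(n, strict=False)
                    for n in tokens[i + 2].split(",")]
            i += 3
        elif tokens[i:i + 2] == ["tcp", "port"]:
            ports = {int(p) for p in tokens[i + 2].split(",")}
            i += 3
        else:
            raise ValueError(f"unrecognized rule token: {tokens[i]!r}")
    return nets, ports


def flow_matches(rule: str, flow: Flow) -> bool:
    """True if the flow would be exempted from inflation by this rule."""
    nets, ports = parse_inflate_filter(rule)
    endpoints = (ipaddress.ip_address(flow.client_ip),
                 ipaddress.ip_address(flow.server_ip))
    # Assumption: address list is checked against either side of the flow.
    addr_ok = not nets or any(ip in net for ip in endpoints for net in nets)
    port_ok = not ports or flow.server_port in ports
    return addr_ok and port_ok


def exempt_flows(rules: dict, flows) -> dict:
    """Map each Flow to the key of the first rule that exempts it, else None.

    `rules` is keyed like the numbered tuning parameter names
    (pam.inflate.filter.1, pam.inflate.filter.2, ...).
    """
    return {flow: next((key for key, rule in rules.items()
                        if flow_matches(rule, flow)), None)
            for flow in flows}


# Constructed sample flows: 172.16.16.0/24 and 10.16.7.0/24 are the
# organization's web-server subnets from the technote; 10.0.0.5 is an
# internal user; 203.0.113.0/24 and 198.51.100.0/24 are external hosts.
VISITOR_TO_OWN_SERVER = Flow("203.0.113.10", "172.16.16.20", 80)
USER_TO_EXTERNAL_SITE = Flow("10.0.0.5", "198.51.100.7", 80)
VISITOR_TO_OWN_TLS = Flow("203.0.113.10", "172.16.16.20", 443)
SERVER_SUBNET_CLIENT = Flow("10.16.7.3", "198.51.100.7", 80)

RULE_1 = "ip addr 172.16.16.1/24,10.16.7.1/24 tcp port 80"  # recommended
RULE_2 = "tcp port 80"                                      # not recommended

if __name__ == "__main__":
    samples = (VISITOR_TO_OWN_SERVER, USER_TO_EXTERNAL_SITE,
               VISITOR_TO_OWN_TLS, SERVER_SUBNET_CLIENT)
    for name, rule in (("rule 1", RULE_1), ("rule 2", RULE_2)):
        print(name, {f: flow_matches(rule, f) for f in samples})
```

Running the block shows why rule 2 is not recommended: it exempts the internal user's flow to the external site, so a compressed response from that site is never inflated or inspected, while rule 1 leaves that flow to be decompressed. It also shows the caveat of the either-endpoint assumption: a client sitting in 10.16.7.0/24 and browsing an external site is exempted by rule 1 as well, so the address list should contain only the subnets that hold your web servers, and the effect should be verified by watching pam.inflate.bytes.out after the parameter is applied.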

For more information on available PAM parameters, see Technote 1498057: X-Force Protocol Analysis Module (PAM) signature information.

Applies to:
IBM QRadar Network Security (Firmware), version 5.4, component Tuning Parameters
IBM Security Network Protection (Firmware), versions 5.3.1, 5.3.2, 5.3.3, component Tuning Parameters

Historical Number

1436497

Document Information

Modified date:
23 January 2021

UID

swg21677865