Question & Answer
Question
What tuning parameter can be used if there is a large number of compressed HTTP sessions?
Answer
If you have a large number of compressed HTTP sessions, PAM may incur higher than normal latency because of the data explosion problem. A 100 Mbps adapter can morph into a 600 Mbps port. Thus, a packet that is 1500 bytes can turn into a 7500-byte packet, which increases processing costs. A gzip compression ratio of 5-to-1 is not uncommon for JavaScript and HTML. The packet must incur decompression and parser analysis overhead. To help minimize the impact of inflation overhead, we advise customers to add the pam.inflate.filter tuning parameter for outbound content that is compressed by the organization's Web servers. In most cases (except where a Web server has been compromised), the outbound content can be considered safe.

The pam.inflate.filter tuning parameter minimizes the performance penalty that is caused by decompressing HTTP response traffic. The tuning parameter allows users to enter a flow-based traffic rule that matches bi-directional network flow. This tuning parameter is especially useful for network configurations where all outbound web traffic is compressed by a web proxy accelerator. HTTP headers are never compressed, so this tuning parameter does not affect header processing. There are several statistics that can help determine if HTTP decompression is present in your network.

If you want to stop analysis of all compressed HTTP content, use the tuning parameter pam.inflate.parse with the value set to 0. Compressed HTTP content can contribute to high latency and also increases the effective data rate of the traffic. This parameter would most likely be used for testing purposes, and it is suggested that it be removed after testing is completed.

Example:
Key: pam.inflate.parse
Value: 0

The tuning parameter pam.inflate.bytes.in increases each time that a compressed file is processed, but the statistic pam.inflate.bytes.out will not increase if filtering is functioning correctly. Multiple IP addresses and ports are allowed in any traffic rule, separated by a comma (,) as shown in rule one. This first rule prevents PAM from decompressing outbound HTTP responses from the 172.16.16.0 and 10.16.7.0 networks. The second rule is not recommended because internal users browsing unsafe websites may allow compressed attacks to go undetected.

Rule # | Name | Type | Value |
Rule 1 Recommended | pam.inflate.filter | String | ip addr 172.16.16.1/24,10.16.7.1/24 tcp port 80 |
Rule 2 Not-Recommended | pam.inflate.filter | String | tcp port 80 |

Note: When adding multiples of the same tuning parameter, you will need to distinguish them by adding a .1, .2, .3... at the end of the tuning parameter name.

Example:
Key: pam.inflate.filter.1, pam.inflate.filter.2, pam.inflate.filter.3, and so on.

For more information on available PAM parameters, see Technote 1498057: X-Force Protocol Analysis Module (PAM) signature information.
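
To preview which flows each rule in the table would exempt from decompression, the following added example (not IBM's code and not PAM's rule parser) models the two rule strings in Python. The matching semantics (either endpoint address in a listed network, either endpoint port listed) and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Rule strings copied from the table on this page.
RULE_1 = "ip addr 172.16.16.1/24,10.16.7.1/24 tcp port 80"
RULE_2 = "tcp port 80"

# Constructed sample flows: (client_ip, client_port, server_ip, server_port, label)
FLOWS = [
    ("198.51.100.7", 40000, "172.16.16.20", 80, "inbound to 172.16.16.20"),
    ("198.51.100.9", 40100, "10.16.7.5", 80, "inbound to 10.16.7.5"),
    ("192.168.1.50", 51000, "203.0.113.10", 80, "user to external HTTP"),
    ("192.168.1.50", 51001, "203.0.113.10", 443, "user to external HTTPS"),
]

def parse_rule(rule):
    """Return (networks, ports) for 'ip addr <cidr,...> tcp port <n,...>'."""
    tokens, nets, ports = rule.split(), [], set()
    i = 0
    while i < len(tokens):
        if tokens[i:i + 2] == ["ip", "addr"] and i + 2 < len(tokens):
            # strict=False: the page writes 172.16.16.1/24 with host bits set
            nets = [ipaddress.ip_network(n, strict=False)
                    for n in tokens[i + 2].split(",")]
        elif tokens[i:i + 2] == ["tcp", "port"] and i + 2 < len(tokens):
            ports = {int(p) for p in tokens[i + 2].split(",")}
        else:
            raise ValueError(f"unsupported rule syntax near {tokens[i]!r}")
        i += 3
    return nets, ports

def matches(rule, flow):
    """Assumed semantics: bi-directional, so either endpoint may satisfy each part."""
    nets, ports = parse_rule(rule)
    addrs = [ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[2])]
    ip_ok = not nets or any(a in n for a in addrs for n in nets)
    port_ok = not ports or bool(ports & {flow[1], flow[3]})
    return ip_ok and port_ok

def skipped(rule, flows=FLOWS):
    """Labels of flows whose compressed bodies would bypass decompression."""
    return [f[4] for f in flows if matches(rule, f)]

if __name__ == "__main__":
    for name, rule in (("Rule 1", RULE_1), ("Rule 2", RULE_2)):
        print(f"{name} leaves uninspected: {skipped(rule)}")
```

Under these assumptions, Rule 2 also exempts the internal user's HTTP session to an external site, which is the case the page warns about.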
Applies to: IBM QRadar Network Security 5.4 (Firmware); IBM Security Network Protection 5.3.1, 5.3.2, 5.3.3 (Firmware). Component: Tuning Parameters.
Historical Number
1436497
Document Information
Modified date:
23 January 2021
UID
swg21677865