IBM Support

Enabling or disabling inspection of X-Forward headers on IBM Security sensors

Question & Answer


Question

How do you enable or disable the inspection of X-Forward headers on IBM Security sensors?

Answer

Inspection of the HTTP header is handled by the Protocol Analysis Module (PAM) on IBM Security sensors. The inspection behavior of PAM can be modified by using the following parameter:

pam.http.report.request.header.<header_type>

This tuning parameter adds the specified HTTP request header field to every attack and audit event. Several limitations must be considered. First, only the headers that PAM has evaluated are displayed in the event. Second, the field's full contents might not be displayed because of space limitations, which depend on: a) the size of the preceding attribute-value pairs; b) the size of the header field itself.

To affect the inspection of X-Forward headers, add the following parameter to the Advanced Tuning Parameters policy for the sensor:

Name: pam.http.report.request.header.X-Forwarded-For
Value: true
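
Once the header is reported in events, the value still has to be interpreted with the limitations above in mind. The following Python is an added example, not IBM code: it takes the reported X-Forwarded-For value as a plain string (how the value is pulled out of an event is not covered on this page), assumes a constructed list of trusted proxy networks, and flags values that cannot be fully parsed, for instance because the field was cut short by the event's space limit.

```python
import ipaddress

# Assumption: networks of proxies you operate (constructed sample value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def parse_xff(value, trusted=TRUSTED_PROXIES):
    """Interpret a reported X-Forwarded-For value.

    Returns (client, chain, suspect):
      chain   - list of (token, ip_or_None) in header order
      client  - rightmost address outside the trusted proxy networks,
                or None if it cannot be determined
      suspect - True if any token is not a valid IP address (client-supplied
                junk, or a value truncated by the event's space limit)
    """
    chain = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            ip = None
        chain.append((token, ip))

    suspect = any(ip is None for _, ip in chain)

    # Walk right to left: entries on the right were appended by proxies
    # closest to the server; entries on the left are client-controlled.
    client = None
    for _, ip in reversed(chain):
        if ip is None:
            break  # cannot reason past an unparseable hop
        if not any(ip in net for net in trusted):
            client = ip
            break
    return client, chain, suspect

if __name__ == "__main__":
    # Constructed sample values, not taken from a real sensor event.
    for sample in ("198.51.100.7, 203.0.113.9, 10.1.2.3",
                   "198.51.100.7, 203.0.113"):
        client, _, suspect = parse_xff(sample)
        print(f"{sample!r}: client={client} suspect={suspect}")
```

A truncated value that happens to end on a valid address cannot be detected this way, so treat the reported field as supporting evidence rather than an authoritative client address.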

Product: IBM QRadar Network Security; Version: 5.4
Product: Proventia Network Intrusion Prevention System; Version: 4.6.1, 4.6.2
Product: IBM Security Network Protection; Version: 5.3.1, 5.3.2, 5.3.3
Component: Protocol Analysis Module (PAM); Platform: Firmware

Document Information

Modified date:
24 January 2021

UID

swg21962594