<div dir="ltr">Rollover can help with packet losses by sending packets to a new socket when the current one is full. As per the documentation, this can help with packet loss on single intensive flows, even though there are cons to using this (and it might even result in you missing alerts since Suricata might not be able to analyze all the traffic).<div><br></div><div>You don't _have to_ do the placement group, especially if you're not planning on doing 10/15Gbps+.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Aug 24, 2019 at 11:38 AM Shell_Xu <<a href="mailto:xuh881026@gmail.com">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">New problem, I tried to add 'rollover:yes' to the configuration file, I found that the packet loss rate has dropped. The 5.0dev version does not have this configuration by default. Is 'rollover:yes' obsolete?<div>In the test, I found that the packet loss rate dropped significantly, but it was not stable. Why is this? What is the role of this configuration?<br></div><div>This result only adds configuration parameters, I did not add EC2 to the Placement Group.<br></div><div><br></div><div>The verification results are as follows<br><div>[image.png attachment: screenshot of the test results, not included]<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> wrote on Sat, Aug 24, 2019 at 3:49 PM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">You can have mirror sessions as you want, including between AWS accounts. To get the best performance, however, placing them in the same placement group will help substantially. 
</div></div><div dir="auto"><br></div><div dir="auto">I’d first check if this helps in the problem you’re having though. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 24 Aug 2019 at 01:46, Shell_Xu <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi:<div>    Thank you for your help!<br><div>    'What I recommend is the creation of a Placement Group of type Cluster and deploy the EC2 instances inside that Placement Group. '</div><div>    Does this mean that the servers I monitor need to be deployed in the Placement Group? </div><div>    e.g.:</div><div>        Suricata, Web Server, DB Server, Redis Cluster...</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> wrote on Sat, Aug 24, 2019 at 1:38 AM:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>It can be fixed, yes, but it requires deployment of the EC2 instances (or re-deployment). What I recommend is the creation of a Placement Group of type Cluster and deploy the EC2 instances inside that Placement Group. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 5:48 PM Shell_Xu <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><div>I am not sure if I use Placement Groups. 
If not used, can this problem still be solved?<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> wrote on Fri, Aug 23, 2019 at 11:06 PM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">Are you using EC2 Placement Groups? Ideally you would use Cluster as much as possible exactly to prevent underlying hardware performance issues. </div></div><div dir="auto"><br></div><div dir="auto">It is also the recommended configuration for HPC applications, and Suricata would greatly benefit from that. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 23 Aug 2019 at 15:54, 徐慧 <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Hi again:</div><div>    Yes, I am using Elastic Network Adapter (ENA)<br>    Since the EC2 instance runs on shared underlying hardware, many network interface hardware settings are not available.<br>    I don't know how to optimize Suricata on EC2, can you help me?<br><br>     $ modinfo ena<br></div><br>    filename:       /lib/modules/4.15.0-1044-aws/kernel/drivers/net/ethernet/amazon/ena/ena.ko<br>    version:        2.0.3K<br>    license:        GPL<br>    description:    Elastic Network Adapter (ENA)<br>    author:         Amazon.com, Inc. 
or its affiliates<br>    srcversion:     1980993534E135DFC7933C4<br>    alias:          pci:v00001D0Fd0000EC21sv*sd*bc*sc*i*<br>    alias:          pci:v00001D0Fd0000EC20sv*sd*bc*sc*i*<br>    alias:          pci:v00001D0Fd00001EC2sv*sd*bc*sc*i*<br>    alias:          pci:v00001D0Fd00000EC2sv*sd*bc*sc*i*<br>    depends:<br>    retpoline:      Y<br>    intree:         Y<br>    name:           ena<br>    vermagic:       4.15.0-1044-aws SMP mod_unload<br>    signat:         PKCS#7<br>    signer:<br>    sig_key:<br>    sig_hashalgo:   md4<br>    parm:           debug:Debug level (0=none,...,16=all) (int)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> wrote on Fri, Aug 23, 2019 at 6:51 PM:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>Based on the instance type and interface name, you're most likely using enhanced networking, but, to be on the safe side, can you confirm?</div><div><br></div><div>$ modinfo ena<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 3:07 AM 徐慧 <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi team:<br>     Since AWS traffic mirroring uses a VxLAN tunnel, I have to use the 5.0dev version. I deployed Suricata on AWS, but recently noticed that 'capture.kernel_drops' appears in stats.log when traffic reaches 2Gbit/s. I tried rsyncing a large file, and 'capture.kernel_drops' appears in stats.log. The default ET rules are loaded.<br>     I hope anyone can help me, any advice is good! Guys, I need your help very much. 
<br>    <br>    # Client rsync files<br>    $ rsync -trovpgP xxx.tgz /usr/local/data/xxx.tgz<br>    sending incremental file list<br>    xxx.tgz<br>    3,361,243,136  51%  114.14MB/s    0:00:27<br><br>    # Suricata Server:<br>    $ suricata --af-packet -c /etc/suricata/suricata.yaml<br>    [24073] 23/8/2019 -- 01:51:19 - (tm-threads.c:2145) <Notice> (TmThreadWaitOnThreadInit) -- all 14 packet processing threads, 4 management threads initialized, engine started.<br>    [24073] 23/8/2019 -- 01:53:58 - (suricata.c:2851) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.<br>    [24073] 23/8/2019 -- 01:54:01 - (util-device.c:317) <Notice> (LiveDeviceListClean) -- Stats for 'ens5':  pkts: 11270384, drop: 2046365 (18.16%), invalid chksum: 0<br><br>    According to the official documentation, I made some optimizations.<br>    <a href="https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss" target="_blank">https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss</a><br>    But I can't set RSS queues to 1<br>    ethtool -L ens5 combined 1<br>    Cannot set device channel parameters: Operation not supported<br><br>    Amazon EC2 C5<br>    EC2 Hardware:<br>    RAM: 32G<br>    CPU(single): 16 Core (Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz)<br>    NIC: <br>        ethtool -l ens5<br>        Channel parameters for ens5:<br>        Pre-set maximums:<br>        RX:        8<br>        TX:      8<br>        Other:   0<br>        Combined:        0<br>        Current hardware settings:<br>        RX:      8<br>        TX:      8<br>        Other:   0<br>        Combined:        0<br><br>        ethtool -i ens5<br>        driver: ena<br>        version: 2.0.3K<br>        firmware-version:<br>        expansion-rom-version:<br>        bus-info: 0000:00:05.0<br>        supports-statistics: yes<br>        supports-test: no<br>        supports-eeprom-access: no<br>        supports-register-dump: no<br>        
supports-priv-flags: no<br><br>    Suricata Version: 5.0.0-dev (3a912446a 2019-07-22)<br>    Suricata Config:<br>        af-packet:<br>        - interface: ens5<br>            threads: 14<br>            cluster-id: 99<br>            cluster-type: cluster_flow<br>            defrag: yes    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.<br>            use-mmap: yes<br>            mmap-locked: yes<br>            tpacket-v3: yes<br>            ring-size: 400000<br>            block-size: 393216<br>            #block-timeout: 10<br>            #use-emergency-flush: yes<br>            # buffer-size: 32768<br>            # disable-promisc: no<br>            #checksum-checks: kernel<br>            #bpf-filter: port 80 or udp<br>            #copy-mode: ips<br>            #copy-iface: eth1<br><br>        - interface: default<br>            threads: auto<br>            use-mmap: yes<br>            tpacket-v3: yes<br><br>        max-pending-packets: 1024<br>        runmode: workers<br>        default-packet-size: 1522<br><br>        defrag:<br>            memcap: 4gb<br>            hash-size: 65536<br>            trackers: 65535 # number of defragmented flows to follow<br>            max-frags: 65535 # number of fragments to keep (higher than trackers)<br>            prealloc: yes<br>            timeout: 60<br><br>        flow:<br>            memcap: 4gb<br>            hash-size: 1048576<br>            prealloc: 1048576<br>            emergency-recovery: 30<br><br>        stream:<br>        memcap: 4gb<br>        checksum-validation: no<br>        inline: no<br>        bypass: yes<br>        reassembly:<br>            memcap: 8gb<br>            depth: 1mb<br>            toserver-chunk-size: 2560<br>            toclient-chunk-size: 2560<br>            randomize-chunk-size: yes<br><br><br>        detect:<br>            profile: custom<br>            custom-values:<br>                toclient-groups: 200<br>                toserver-groups: 
200<br>            sgh-mpm-context: auto<br>            inspection-recursion-limit: 3000<br><br>        mpm-algo: hs<br>        spm-algo: hs<br><br>        threading:<br>        set-cpu-affinity: yes<br>        cpu-affinity:<br>            - management-cpu-set:<br>                cpu: [ "0-1" ]<br>                mode: "balanced"<br>                prio:<br>                default: "medium"<br>            - worker-cpu-set:<br>                cpu: [ "2-15" ]<br>                mode: "exclusive"<br>                prio:<br>                default: "high"<br></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
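Added example, not code from this thread or from the Suricata project: a small Python monitor that computes the kernel drop rate the thread is chasing, from the "Stats for 'ens5'" shutdown notice quoted above and from the capture.kernel_* counters in stats.log, so the effect of a change such as rollover can be checked against a threshold instead of read off a screenshot. The stats.log column layout and the 1% alert threshold are assumptions; the sample lines are constructed from the counters posted in the thread.

```python
# Added example (not thread code): compute Suricata's AF_PACKET kernel drop rate.
import re
from typing import Dict, Optional

# Matches the shutdown notice quoted in the thread.
NOTICE_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)':\s+pkts: (?P<pkts>\d+), "
    r"drop: (?P<drop>\d+) \((?P<pct>[\d.]+)%\)"
)
# stats.log rows: "<counter> | Total | <value>" (assumed layout).
COUNTER_RE = re.compile(
    r"^(?P<name>capture\.kernel_(?:packets|drops))\s*\|\s*Total\s*\|\s*(?P<val>\d+)"
)

# Constructed samples using the counters posted in the thread.
SAMPLE_NOTICE = ("[24073] 23/8/2019 -- 01:54:01 - (util-device.c:317) <Notice> "
                 "(LiveDeviceListClean) -- Stats for 'ens5':  pkts: 11270384, "
                 "drop: 2046365 (18.16%), invalid chksum: 0")
SAMPLE_STATS_LOG = """\
capture.kernel_packets                   | Total                     | 11270384
capture.kernel_drops                     | Total                     | 2046365
"""

def drop_rate(pkts: int, drops: int) -> float:
    """Percentage of packets the kernel dropped before Suricata read them."""
    return 100.0 * drops / pkts if pkts else 0.0

def parse_notice(line: str) -> Optional[Dict[str, object]]:
    """Extract interface, packet and drop counts from the shutdown notice."""
    m = NOTICE_RE.search(line)
    if not m:
        return None
    pkts, drops = int(m["pkts"]), int(m["drop"])
    return {"iface": m["iface"], "pkts": pkts, "drops": drops,
            "reported_pct": float(m["pct"]), "rate": drop_rate(pkts, drops)}

def parse_stats_log(text: str) -> Dict[str, int]:
    """Collect the capture.kernel_packets / capture.kernel_drops totals."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"]] = int(m["val"])
    return counters

def drops_over_threshold(counters: Dict[str, int], max_pct: float = 1.0) -> bool:
    """True when kernel drops exceed max_pct of packets (1% default is assumed)."""
    return drop_rate(counters.get("capture.kernel_packets", 0),
                     counters.get("capture.kernel_drops", 0)) > max_pct
```

Run it against the stats.log written by the configuration above before and after adding rollover to compare the two rates on the same traffic.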