<div><div dir="auto">You can have mirror sessions as you want, including between AWS accounts. To get the best performance, however, placing them in the same placement group will help substantially. </div></div><div dir="auto"><br></div><div dir="auto">I’d first check if this helps in the problem you’re having though. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 24 Aug 2019 at 01:46, Shell_Xu <<a href="mailto:xuh881026@gmail.com">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">HI:<div>    Thank you for your help!<br><div>    'What I recommend is the creation of a Placement Group of type Cluster and deploy the EC2 instances inside that Placement Group. '</div><div>    Does this mean that servers I monitor need to be deployed in the Placement Group? </div><div>    e.g:</div><div>        Sruicata、Web Server、DB Server、Redis Cluster...</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> 于2019年8月24日周六 上午1:38写道:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>It can be fixed, yes, but it requires deployment of the EC2 instances (or re-deployment). What I recommend is the creation of a Placement Group of type Cluster and deploy the EC2 instances inside that Placement Group. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 5:48 PM Shell_Xu <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><div>I am not sure if I use Placement Groups. If not used, can this problem still be solved?<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> 于2019年8月23日周五 下午11:06写道:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">Are you using EC2 Placement Groups? Ideally you would use Cluster as much as possible exactly to prevent underlying hardware performance issues. </div></div><div dir="auto"><br></div><div dir="auto">It is also the recommended configuration for HPC applications, and Suricata would greatly benefit from that. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 23 Aug 2019 at 15:54, 徐慧 <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>hi, again:</div><div>    Yes, I am using Elastic Network Adapter (ENA)<br>    Since the EC2 instance is a shared underlying hardware, many network interface hardware settings are not available.<br>    I don't know how to optimize Suricata on EC2, can you help me?<br><br>     $ modinfo ena<br></div><br>    filename:       /lib/modules/4.15.0-1044-aws/kernel/drivers/net/ethernet/amazon/ena/ena.ko<br>    version:        2.0.3K<br>    license:        GPL<br>    description:    Elastic Network Adapter (ENA)<br>    author:         Amazon.com, Inc. or its affiliates<br>    srcversion:     1980993534E135DFC7933C4<br>    alias:          pci:v00001D0Fd0000EC21sv*sd*bc*sc*i*<br>    alias:          pci:v00001D0Fd0000EC20sv*sd*bc*sc*i*<br>    alias:          pci:v00001D0Fd00001EC2sv*sd*bc*sc*i*<br>    alias:          pci:v00001D0Fd00000EC2sv*sd*bc*sc*i*<br>    depends:<br>    retpoline:      Y<br>    intree:         Y<br>    name:           ena<br>    vermagic:       4.15.0-1044-aws SMP mod_unload<br>    signat:         PKCS#7<br>    signer:<br>    sig_key:<br>    sig_hashalgo:   md4<br>    parm:           debug:Debug level (0=none,...,16=all) (int)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> 于2019年8月23日周五 下午6:51写道:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>Based on the instance type and interface name, you're most likely using enhanced networking, but, to be on the safe side, can you confirm?</div><div><br></div><div>$ modinfo ena<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 3:07 AM 徐慧 <<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>hi, team:<br>     Since AWS traffic mirroring uses a VxLAN tunnel, I have to use the 5.0dev version. i deployed Sruicata on AWS, but recently noticed that 'capture. Kernel_drops' appears in stats.log when traffic reaches 2Gbit/s. I tried rsync a large file, 'capture. Kernel_drops' appears in stats.log. default loading ET rules.<br>     I hope anyone can help me, any advice is good! Guys, I need your help very much. <br>    <br>    # Client rsync files<br>    $ rsync -trovpgP xxx.tgz /usr/local/data/xxx.tgz<br>    sending incremental file list<br>    xxx.tgz<br>    3,361,243,136  51%  114.14MB/s    0:00:27<br><br>    # Suricata Server:<br>    $ suricata --af-packet -c /etc/suricata/suricata.yaml<br>    [24073] 23/8/2019 -- 01:51:19 - (tm-threads.c:2145) <Notice> (TmThreadWaitOnThreadInit) -- all 14 packet processing threads, 4 management threads initialized, engine started.<br>    [24073] 23/8/2019 -- 01:53:58 - (suricata.c:2851) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.<br>    [24073] 23/8/2019 -- 01:54:01 - (util-device.c:317) <Notice> (LiveDeviceListClean) -- Stats for 'ens5':  pkts: 11270384, drop: 2046365 (18.16%), invalid chksum: 0<br><br>    According to the official documentation, I made some optimizations.<br>    <a href="https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss" target="_blank">https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss</a><br>    But I can't set RSS queues to 1<br>    ethtool -L ens5 combined 1<br>    Cannot set device channel parameters: Operation not supported<br><br>    Amazon EC2 C5<br>    EC2 Hardware:<br>    RAM: 32G<br>    CPU(single): 16 Core (Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz)<br>    NIC: <br>        ethtool -l ens5<br>        Channel parameters for ens5:<br>        Pre-set maximums:<br>        RX:        8<br>        TX:      8<br>        Other:   0<br>        Combined:        0<br>        Current hardware settings:<br>        RX:      8<br>        TX:      8<br>        Other:   0<br>        Combined:        0<br><br>        ethtool -i ens5<br>        driver: ena<br>        version: 2.0.3K<br>        firmware-version:<br>        expansion-rom-version:<br>        bus-info: 0000:00:05.0<br>        supports-statistics: yes<br>        supports-test: no<br>        supports-eeprom-access: no<br>        supports-register-dump: no<br>        supports-priv-flags: no<br><br>    Suricata Version: 5.0.0-dev (3a912446a 2019-07-22)<br>    Suricata Config:<br>        af-packet:<br>        - interface: ens5<br>            threads: 14<br>            cluster-id: 99<br>            cluster-type: cluster_flow<br>            defrag: yes    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.<br>            use-mmap: yes<br>            mmap-locked: yes<br>            tpacket-v3: yes<br>            ring-size: 400000<br>            block-size: 393216<br>            #block-timeout: 10<br>            #use-emergency-flush: yes<br>            # buffer-size: 32768<br>            # disable-promisc: no<br>            #checksum-checks: kernel<br>            #bpf-filter: port 80 or udp<br>            #copy-mode: ips<br>            #copy-iface: eth1<br><br>        - interface: default<br>            threads: auto<br>            use-mmap: yes<br>            tpacket-v3: yes<br><br>        max-pending-packets: 1024<br>        runmode: workers<br>        default-packet-size: 1522<br><br>        defrag:<br>            memcap: 4gb<br>            hash-size: 65536<br>            trackers: 65535 # number of defragmented flows to follow<br>            max-frags: 65535 # number of fragments to keep (higher than trackers)<br>            prealloc: yes<br>            timeout: 60<br><br>        flow:<br>            memcap: 4gb<br>            hash-size: 1048576<br>            prealloc: 1048576<br>            emergency-recovery: 30<br><br>        stream:<br>        memcap: 4gb<br>        checksum-validation: no<br>        inline: no<br>        bypass: yes<br>        reassembly:<br>            memcap: 8gb<br>            depth: 1mb<br>            toserver-chunk-size: 2560<br>            toclient-chunk-size: 2560<br>            randomize-chunk-size: yes<br><br><br>        detect:<br>            profile: custom<br>            custom-values:<br>                toclient-groups: 200<br>                toserver-groups: 200<br>            sgh-mpm-context: auto<br>            inspection-recursion-limit: 3000<br><br>        mpm-algo: hs<br>        spm-algo: hs<br><br>        threading:<br>        set-cpu-affinity: yes<br>        cpu-affinity:<br>            - management-cpu-set:<br>                cpu: [ "0-1" ]<br>                mode: "balanced"<br>                prio:<br>                default: "medium"<br>            - worker-cpu-set:<br>                cpu: [ "2-15" ]<br>                mode: "exclusive"<br>                prio:<br>                default: "high"<br></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div></div>