<div><div dir="auto">You can have as many mirror sessions as you want, including between AWS accounts. To get the best performance, however, placing them in the same placement group will help substantially. </div></div><div dir="auto"><br></div><div dir="auto">I’d first check if this helps in the problem you’re having though. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 24 Aug 2019 at 01:46, Shell_Xu &lt;<a href="mailto:xuh881026@gmail.com">xuh881026@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi:<div> Thank you for your help!<br><div> 'What I recommend is the creation of a Placement Group of type Cluster and deploy the EC2 instances inside that Placement Group. '</div><div> Does this mean that the servers I monitor need to be deployed in the Placement Group? </div><div> e.g.:</div><div> Suricata, Web Server, DB Server, Redis Cluster...</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 24 Aug 2019 at 01:38, Tiago Faria &lt;<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>&gt; wrote:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>It can be fixed, yes, but it requires deployment of the EC2 instances (or re-deployment). What I recommend is the creation of a Placement Group of type Cluster and deploy the EC2 instances inside that Placement Group. 
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 5:48 PM Shell_Xu &lt;<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><div>I am not sure if I use Placement Groups. If they are not used, can this problem still be solved?<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 23 Aug 2019 at 23:06, Tiago Faria &lt;<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">Are you using EC2 Placement Groups? Ideally you would use Cluster as much as possible exactly to prevent underlying hardware performance issues. </div></div><div dir="auto"><br></div><div dir="auto">It is also the recommended configuration for HPC applications, and Suricata would greatly benefit from that. </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 23 Aug 2019 at 15:54, 徐慧 &lt;<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Hi, again:</div><div> Yes, I am using the Elastic Network Adapter (ENA).<br> Since the EC2 instance runs on shared underlying hardware, many network interface hardware settings are not available.<br> I don't know how to optimize Suricata on EC2; can you help me?</div><pre>
$ modinfo ena
filename: /lib/modules/4.15.0-1044-aws/kernel/drivers/net/ethernet/amazon/ena/ena.ko
version: 2.0.3K
license: GPL
description: Elastic Network Adapter (ENA)
author: Amazon.com, Inc. or its affiliates
srcversion: 1980993534E135DFC7933C4
alias: pci:v00001D0Fd0000EC21sv*sd*bc*sc*i*
alias: pci:v00001D0Fd0000EC20sv*sd*bc*sc*i*
alias: pci:v00001D0Fd00001EC2sv*sd*bc*sc*i*
alias: pci:v00001D0Fd00000EC2sv*sd*bc*sc*i*
depends:
retpoline: Y
intree: Y
name: ena
vermagic: 4.15.0-1044-aws SMP mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
parm: debug:Debug level (0=none,...,16=all) (int)
</pre></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 23 Aug 2019 at 18:51, Tiago Faria &lt;<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>&gt; wrote:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>Based on the instance type and interface name, you're most likely using enhanced networking, but, to be on the safe side, can you confirm?</div><div><br></div><div>$ modinfo ena<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 23, 2019 at 3:07 AM 徐慧 &lt;<a href="mailto:xuh881026@gmail.com" target="_blank">xuh881026@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi, team:<br> Since AWS traffic mirroring uses a VXLAN tunnel, I have to use the 5.0dev version. I deployed Suricata on AWS, but recently noticed that 'capture.kernel_drops' appears in stats.log when traffic reaches 2Gbit/s. When I tried rsyncing a large file, 'capture.kernel_drops' appeared in stats.log. The default ET rules are loaded.<br> I hope anyone can help me; any advice is good! Guys, I need your help very much. 
<br><pre>
# Client rsync files
$ rsync -trovpgP xxx.tgz /usr/local/data/xxx.tgz
sending incremental file list
xxx.tgz
3,361,243,136 51% 114.14MB/s 0:00:27

# Suricata Server:
$ suricata --af-packet -c /etc/suricata/suricata.yaml
[24073] 23/8/2019 -- 01:51:19 - (tm-threads.c:2145) &lt;Notice&gt; (TmThreadWaitOnThreadInit) -- all 14 packet processing threads, 4 management threads initialized, engine started.
[24073] 23/8/2019 -- 01:53:58 - (suricata.c:2851) &lt;Notice&gt; (SuricataMainLoop) -- Signal Received. Stopping engine.
[24073] 23/8/2019 -- 01:54:01 - (util-device.c:317) &lt;Notice&gt; (LiveDeviceListClean) -- Stats for 'ens5': pkts: 11270384, drop: 2046365 (18.16%), invalid chksum: 0
</pre>
According to the official documentation, I made some optimizations.<br>
<a href="https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss" target="_blank">https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#rss</a><br>
But I can't set RSS queues to 1:<pre>
ethtool -L ens5 combined 1
Cannot set device channel parameters: Operation not supported
</pre>
Amazon EC2 C5<br>
EC2 Hardware:<br>
RAM: 32G<br>
CPU(single): 16 Core (Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz)<br>
NIC:<pre>
ethtool -l ens5
Channel parameters for ens5:
Pre-set maximums:
RX: 8
TX: 8
Other: 0
Combined: 0
Current hardware settings:
RX: 8
TX: 8
Other: 0
Combined: 0

ethtool -i ens5
driver: ena
version: 2.0.3K
firmware-version:
expansion-rom-version:
bus-info: 0000:00:05.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
</pre>
Suricata Version: 5.0.0-dev (3a912446a 2019-07-22)<br>
Suricata Config:<pre>
af-packet:
  - interface: ens5
    threads: 14
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 400000
    block-size: 393216
    #block-timeout: 10
    #use-emergency-flush: yes
    # buffer-size: 32768
    # disable-promisc: no
    #checksum-checks: kernel
    #bpf-filter: port 80 or udp
    #copy-mode: ips
    #copy-iface: eth1

  - interface: default
    threads: auto
    use-mmap: yes
    tpacket-v3: yes

max-pending-packets: 1024
runmode: workers
default-packet-size: 1522

defrag:
  memcap: 4gb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 4gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30

stream:
  memcap: 4gb
  checksum-validation: no
  inline: no
  bypass: yes
  reassembly:
    memcap: 8gb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000

mpm-algo: hs
spm-algo: hs

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "0-1" ]
        mode: "balanced"
        prio:
          default: "medium"
    - worker-cpu-set:
        cpu: [ "2-15" ]
        mode: "exclusive"
        prio:
          default: "high"
</pre></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div></div>
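<div dir="auto">The thread above diagnoses the drop problem by reading the shutdown notice by eye. The script below is an added example for this page, not code from the thread, from the Suricata project, or from AWS: it parses the "Stats for 'ens5'" notice quoted in the thread and the capture.kernel_packets / capture.kernel_drops rows of Suricata's stats.log, computes the drop ratio, and flags it against a threshold so a sensor can be monitored for lost visibility instead of waiting for an engine restart. The stats.log sample is constructed, the 1% alert threshold is an assumption made for this example rather than a Suricata default, and the iface name passed to parse_stats_log is only a label.</div>

```python
"""Triage kernel packet drops reported by a Suricata AF_PACKET capture.

Added example for the mailing-list thread; not Suricata code. It reads two
things Suricata emits: the shutdown notice
"Stats for '<iface>': pkts: N, drop: M (x%), invalid chksum: C" and the
capture.kernel_packets / capture.kernel_drops rows of stats.log.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Shutdown notice printed by LiveDeviceListClean (format copied from the thread).
DEVICE_STATS_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)': pkts: (?P<pkts>\d+), "
    r"drop: (?P<drops>\d+) \([\d.]+%\), invalid chksum: (?P<chksum>\d+)"
)
# One stats.log row: "<counter> | <thread name or Total> | <value>".
COUNTER_RE = re.compile(r"^\s*(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")
PKTS, DROPS = "capture.kernel_packets", "capture.kernel_drops"


@dataclass
class DropReport:
    iface: str
    packets: int
    drops: int

    @property
    def drop_ratio(self) -> float:
        return self.drops / self.packets if self.packets else 0.0


def parse_device_stats(line: str) -> Optional[DropReport]:
    """Parse the per-device shutdown notice; None if the line is something else."""
    m = DEVICE_STATS_RE.search(line)
    if not m:
        return None
    return DropReport(m["iface"], int(m["pkts"]), int(m["drops"]))


def parse_stats_log(text: str, iface: str = "af-packet") -> DropReport:
    """Build a DropReport from stats.log.

    Counters are cumulative and a new block is appended every stats interval,
    so only the block after the last "Date:" header is read. Within it a
    "Total" row is used when present; otherwise per-thread rows are summed
    (never both, which would double count).
    """
    last_block = re.split(r"^Date:.*$", text, flags=re.M)[-1]
    totals: Dict[str, Optional[int]] = {PKTS: None, DROPS: None}
    per_thread: Dict[str, int] = {PKTS: 0, DROPS: 0}
    for line in last_block.splitlines():
        m = COUNTER_RE.match(line)
        if not m or m["name"] not in totals:
            continue
        if m["tm"].strip() == "Total":
            totals[m["name"]] = int(m["value"])
        else:
            per_thread[m["name"]] += int(m["value"])

    def pick(key: str) -> int:
        total = totals[key]
        return total if total is not None else per_thread[key]

    return DropReport(iface, pick(PKTS), pick(DROPS))


def triage(report: DropReport, warn_ratio: float = 0.01) -> str:
    """One-line verdict. The 1% threshold is an assumption for this example, not a Suricata default."""
    pct = 100 * report.drop_ratio
    if report.drop_ratio >= warn_ratio:
        return (f"ALERT {report.iface}: {report.drops}/{report.packets} packets dropped "
                f"({pct:.2f}%); the kernel ring is overflowing, so flows and alerts are being missed")
    return f"OK {report.iface}: {pct:.2f}% dropped"


# Constructed sample stats.log: two intervals; only the second (last) block counts.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 8/23/2019 -- 01:52:00 (uptime: 0d, 00h 00m 41s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 900000
capture.kernel_drops                          | Total                     | 1000
------------------------------------------------------------------------------------
Date: 8/23/2019 -- 01:53:00 (uptime: 0d, 00h 01m 41s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | W#01-ens5                 | 800000
capture.kernel_drops                          | W#01-ens5                 | 150000
capture.kernel_packets                        | W#02-ens5                 | 700000
capture.kernel_drops                          | W#02-ens5                 | 50000
capture.kernel_packets                        | Total                     | 1500000
capture.kernel_drops                          | Total                     | 200000
"""

if __name__ == "__main__":
    # The notice line quoted in the thread: 18.16% of packets never reached Suricata.
    notice = ("[24073] 23/8/2019 -- 01:54:01 - (util-device.c:317) <Notice> (LiveDeviceListClean) -- "
              "Stats for 'ens5': pkts: 11270384, drop: 2046365 (18.16%), invalid chksum: 0")
    print(triage(parse_device_stats(notice)))
    print(triage(parse_stats_log(SAMPLE_STATS_LOG, "ens5")))
```

<div dir="auto">Run against the sensor's stats.log on a timer (or feed the output into whatever alerting the sensor already reports into), so a drop ratio climbing with traffic volume, as in the 2Gbit/s rsync case above, is noticed while the capture is still running rather than at the next engine stop.</div>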