Thanks @syoc for your insights.
I made the following adjustments on the mpm side (no hyperscan available):
- mpm-algo: ac-ks
- detect.sgh-mpm-context: full
AND
In the documentation online it is mentioned to increase ring-size all the way up to 100K. My largest packet according to stats.log = 1433. Running 48 threads = 10GB!!!
Would choosing 10K make more sense?
Have been running Suricata for +/- 1 hr now and I am at a dropped packet rate of 1.6%.
Certainly better than the 20-40% I came from. However, based on the amount of traffic max 2GB/s, with a potential increase to 10GB/s this is not so good.
Also, CPU still seems high, although it shows more details and points to MPM?
I haven't tried stream-bypass; maybe I should?
https://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html?highlight=mpm#stream-bypass
Also, before, I added this solution which did not work for me: https://forum.suricata.io/t/suricata-high-capture-kernel-drops-count
@syoc in regards to your question. Do you mean:
This is based after 15.000.0000 packets.
Correction on all of the above: I am dealing with a 64% packet drop.
I removed the ring-size / block-size settings and I am back to "normal".