At first, I want to thank everybody who helped me with this problem!
If anybody should have a similar problem, here what we did:
- set
cluster-type:tocluster_flow - set
runmode:toworkers - activate and configure the
cpu-affinitysettings
In the end what really did the trick I think, was settingmmap-locked:andtpacket-v3:toyes. But in order to use themmap-lockedoption you have to edit the/etc/security/limits.conffile and add something like this to the End of the file, otherwise suricata will fail because it can’t lock enough memory:
suricata hard memlock unlimited
suricata soft memlock unlimited
Additional if you start suricata as Service you have to add LimitMEMLOCK=infinity to the suricata.service file.
You can read more about it here: Bug #2918: Unable to mmap, error Resource temporarily unavailable - err seems OS specific - Suricata - Open Information Security Foundation