Suricata misses detecting alerts when receiving high-traffic packets

Hello,
I encountered some issues: Suricata misses detecting alerts with 1 Gbps traffic, while it can detect all alerts at lower traffic (100 Mbps).
Maybe I made a misconfiguration in suricata.yaml. How can I improve this?

Testing Environment:

  • Test Machine: CPU 64 cores, Memory 100GB
  • Suricata Version: v7.0.5
  • OS Version: Ubuntu 22.04

Here’s what I observed:

  • Suricata’s CPU usage looks normal, no signs of overload.
  • In the stats.log, I found that there are no packet drops, and the decoder appears to be functioning normally, whether the traffic is 1 Gbps or 100 Mbps.
  • My test data and suricata rules are mainly focused on TCP.

stats.log for 100 Mbps:

capture.kernel_packets                        | Total                     | 424
capture.afpacket.polls                        | Total                     | 306871
capture.afpacket.poll_timeout                 | Total                     | 306837
capture.afpacket.poll_data                    | Total                     | 34
decoder.pkts                                  | Total                     | 423
decoder.bytes                                 | Total                     | 145560
decoder.ipv4                                  | Total                     | 373
decoder.ipv6                                  | Total                     | 11
decoder.ethernet                              | Total                     | 423
decoder.arp                                   | Total                     | 11
decoder.unknown_ethertype                     | Total                     | 28
decoder.tcp                                   | Total                     | 347
tcp.syn                                       | Total                     | 13
tcp.synack                                    | Total                     | 11
decoder.udp                                   | Total                     | 37
decoder.avg_pkt_size                          | Total                     | 344
decoder.max_pkt_size                          | Total                     | 1514
flow.total                                    | Total                     | 31
flow.active                                   | Total                     | 1
flow.tcp                                      | Total                     | 18
flow.udp                                      | Total                     | 13
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 21
flow.wrk.flows_evicted_needs_work             | Total                     | 8
flow.wrk.flows_evicted_pkt_inject             | Total                     | 13
flow.wrk.flows_injected                       | Total                     | 8
tcp.sessions                                  | Total                     | 11
tcp.ssn_from_pool                             | Total                     | 11
tcp.ack_unseen_data                           | Total                     | 6
tcp.segment_from_cache                        | Total                     | 32
tcp.segment_from_pool                         | Total                     | 34
tcp.overlap                                   | Total                     | 4
detect.alert                                  | Total                     | 3
app_layer.flow.http                           | Total                     | 4
app_layer.tx.http                             | Total                     | 4
app_layer.flow.tls                            | Total                     | 7
app_layer.flow.dns_udp                        | Total                     | 2
app_layer.tx.dns_udp                          | Total                     | 4
app_layer.flow.failed_udp                     | Total                     | 11
flow.end.state.new                            | Total                     | 17
flow.end.state.established                    | Total                     | 7
flow.end.state.closed                         | Total                     | 6
flow.end.tcp_state.established                | Total                     | 1
flow.end.tcp_state.close_wait                 | Total                     | 4
flow.end.tcp_state.closed                     | Total                     | 6
flow.mgr.full_hash_pass                       | Total                     | 49
flow.mgr.rows_per_sec                         | Total                     | 26214
flow.spare                                    | Total                     | 20022
flow.mgr.rows_maxlen                          | Total                     | 1
flow.mgr.flows_checked                        | Total                     | 65
flow.mgr.flows_notimeout                      | Total                     | 35
flow.mgr.flows_timeout                        | Total                     | 30
flow.mgr.flows_evicted                        | Total                     | 30
flow.mgr.flows_evicted_needs_work             | Total                     | 8
flow.recycler.recycled                        | Total                     | 22
flow.recycler.queue_max                       | Total                     | 4
tcp.memuse                                    | Total                     | 38797312
tcp.reassembly_memuse                         | Total                     | 7340032
flow.memuse                                   | Total                     | 23318816

stats.log for 1 Gbps:

capture.kernel_packets                        | Total                     | 422
capture.afpacket.polls                        | Total                     | 307732
capture.afpacket.poll_timeout                 | Total                     | 307702
capture.afpacket.poll_data                    | Total                     | 30
decoder.pkts                                  | Total                     | 422
decoder.bytes                                 | Total                     | 145456
decoder.ipv4                                  | Total                     | 373
decoder.ipv6                                  | Total                     | 10
decoder.ethernet                              | Total                     | 422
decoder.arp                                   | Total                     | 11
decoder.unknown_ethertype                     | Total                     | 28
decoder.tcp                                   | Total                     | 347
tcp.syn                                       | Total                     | 13
tcp.synack                                    | Total                     | 11
decoder.udp                                   | Total                     | 36
decoder.avg_pkt_size                          | Total                     | 344
decoder.max_pkt_size                          | Total                     | 1514
flow.total                                    | Total                     | 33
flow.active                                   | Total                     | 1
flow.tcp                                      | Total                     | 21
flow.udp                                      | Total                     | 12
flow.tcp_reuse                                | Total                     | 3
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 21
flow.wrk.flows_evicted_needs_work             | Total                     | 11
flow.wrk.flows_evicted_pkt_inject             | Total                     | 18
flow.wrk.flows_evicted                        | Total                     | 3
flow.wrk.flows_injected                       | Total                     | 11
tcp.sessions                                  | Total                     | 11
tcp.ssn_from_pool                             | Total                     | 11
tcp.ack_unseen_data                           | Total                     | 19
tcp.segment_from_cache                        | Total                     | 15
tcp.segment_from_pool                         | Total                     | 25
tcp.overlap                                   | Total                     | 2
detect.alert                                  | Total                     | 2
app_layer.flow.http                           | Total                     | 2
app_layer.tx.http                             | Total                     | 2
app_layer.flow.tls                            | Total                     | 3
app_layer.flow.failed_tcp                     | Total                     | 2
app_layer.flow.dns_udp                        | Total                     | 1
app_layer.tx.dns_udp                          | Total                     | 2
app_layer.flow.failed_udp                     | Total                     | 11
flow.end.state.new                            | Total                     | 22
flow.end.state.established                    | Total                     | 7
flow.end.state.closed                         | Total                     | 3
flow.end.tcp_state.syn_sent                   | Total                     | 3
flow.end.tcp_state.established                | Total                     | 1
flow.end.tcp_state.time_wait                  | Total                     | 1
flow.end.tcp_state.close_wait                 | Total                     | 4
flow.end.tcp_state.closed                     | Total                     | 2
flow.mgr.full_hash_pass                       | Total                     | 49
flow.mgr.rows_per_sec                         | Total                     | 26214
flow.spare                                    | Total                     | 20018
flow.mgr.rows_maxlen                          | Total                     | 1
flow.mgr.flows_checked                        | Total                     | 60
flow.mgr.flows_notimeout                      | Total                     | 31
flow.mgr.flows_timeout                        | Total                     | 29
flow.mgr.flows_evicted                        | Total                     | 29
flow.mgr.flows_evicted_needs_work             | Total                     | 11
flow.recycler.recycled                        | Total                     | 18
flow.recycler.queue_max                       | Total                     | 2
tcp.memuse                                    | Total                     | 38797312
tcp.reassembly_memuse                         | Total                     | 7340032
flow.memuse                                   | Total                     | 23318816

af_packet.yaml:

%YAML 1.1
---
af-packet:
  - interface: default
    threads: 8
    cluster-id: 10
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 65535
  - interface: ens7f0
    threads: auto
    cluster-id: 13
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 65535
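
Added example, not part of the original post and not Suricata project code: a small Python script that parses two `stats.log` dumps and lists every counter that differs between the runs, using a subset of the values quoted above as input. The function names and the `STREAM_HINTS` list are assumptions of this example: a starting set of stream and app-layer counters to read first when alerts go missing while capture and decoder totals match.

```python
import re

# Excerpts of the two stats.log dumps quoted in the post (subset of counters).
LOW_100M = """\
capture.kernel_packets                        | Total                     | 424
decoder.tcp                                   | Total                     | 347
tcp.ack_unseen_data                           | Total                     | 6
detect.alert                                  | Total                     | 3
app_layer.flow.http                           | Total                     | 4
app_layer.flow.tls                            | Total                     | 7
"""
HIGH_1G = """\
capture.kernel_packets                        | Total                     | 422
decoder.tcp                                   | Total                     | 347
flow.tcp_reuse                                | Total                     | 3
tcp.ack_unseen_data                           | Total                     | 19
detect.alert                                  | Total                     | 2
app_layer.flow.http                           | Total                     | 2
app_layer.flow.tls                            | Total                     | 3
app_layer.flow.failed_tcp                     | Total                     | 2
flow.end.tcp_state.syn_sent                   | Total                     | 3
"""

# "counter | thread name | value"; header, date and separator lines do not match.
ROW = re.compile(r"^\s*([\w.]+)\s*\|\s*[^|]+?\s*\|\s*(\d+)\s*$")

# Assumption of this example: counters to read first when alerts are missing
# although capture and decoder totals look the same in both runs.
STREAM_HINTS = ("tcp.ack_unseen_data", "app_layer.flow.failed_tcp",
                "flow.end.tcp_state.syn_sent", "flow.tcp_reuse")

def parse_stats(text):
    """Return {counter: value}; if a counter repeats, the last value wins."""
    return {m.group(1): int(m.group(2)) for m in map(ROW.match, text.splitlines()) if m}

def diff_stats(base, other):
    """Return {counter: (base, other)} where values differ; absent counts as 0."""
    keys = sorted(base.keys() | other.keys())
    return {k: (base.get(k, 0), other.get(k, 0)) for k in keys
            if base.get(k, 0) != other.get(k, 0)}

def stream_hints(base, other):
    """Counters from STREAM_HINTS that are higher in `other` than in `base`."""
    return [k for k in STREAM_HINTS if other.get(k, 0) > base.get(k, 0)]

if __name__ == "__main__":
    low, high = parse_stats(LOW_100M), parse_stats(HIGH_1G)
    for name, (a, b) in diff_stats(low, high).items():
        flag = "  <-- stream hint" if name in stream_hints(low, high) else ""
        print(f"{name:<34}{a:>6}{b:>6}{flag}")
```

To compare full logs, pass the contents of the two `stats.log` files to `parse_stats` instead of the embedded excerpts.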