The way NethServer sends traffic to snort (or suricata).
In my instructions above:
I’m testing suricata on NethServer 7 in production: it behaves really well.
Details: I’m using an Atom C2518 CPU that is slow enough to cut bandwidth with snort. With a similar ruleset (16541 rules) suricata doesn’t cut bandwidth and reaches 70% cpu at max.
I’ll try to fine tune suricata.