Like this thread, there are various others on the same theme (and new threads keep popping up) implying that Suricata | Pakon induces (severe) performance penalties on the NIC.CZ hardware:
- substantial bandwidth throughput degradation (up to ~60% in some reported cases)
- SQLite DB filling /tmp storage space (reducing amount of available RAM)
The suitability/mating of Suricata | Pakon with NIC.CZ hardware seems questionable since IDS (the likes of Suricata | Snort) requires serious CPU power to compensate for timely packet processing (DPI).
In the upstream forum some other DPI engine with a different approach (analysis in the cloud) is advertised. The caveat might be the cloud-based service (privacy of data) and paid subscription (cost).