Suricata

any thoughts what we should use nowadays?

Could we make it based on some other values so it will be calculated?

Think it makes sense to base it on number of threads somehow.

I looked into that but couldn't find a proper way. One idea is to change the value to be per-thread but would brake too much.
Is there a value you think that would be safe to just use as a new default value?

The value is currently already per thread.

The challenge here is that we also need to be cautious as to for the situations where Suricata is run on very small devices. In those cases we would also want to offer good experience right out if the box.

I have been going back and forth (internally :) ) quite a few times on this. It seems it might be better to offer some sort of quick "perf guide" where a user can just adjust a few basic settings without needing to dive into advanced tuning.

Well if someone is running suricata on a small device like raspi I would expect some knowledge/time to tune it. I would expect the default to match a "normal" system. I would suggest 32k or 64k as that shouldn't really have a huge impact right?

Well it is a good point what is a "normal" system and "normal" traffic? :)
I would say going to 4/8 x times the current default should be ok though. Think it would still keep it all under .5G ram