Known issues as of 5.0
A known broken PCRE version based on libpcre 8.35 contains a stack corruption bug. This leads to risk of crashes with certain rules + certain traffic. https://redmine.openinfosecfoundation.org/issues/1693
To address this we have disabled PCRE JIT on that pcre version.
Recommended solution is to install your own libpcre version for those distros that have only version 8.35
Example(extra info) - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819050
Using NFQ on a bridge is known to be problematic. As far as we know this is a kernel/netfilter issue that we can't fix in user space.
If you need to run Suricata as a bridge you can use AF_PACKET or NETMAP instead.
We track issues in our Redmine installation at https://redmine.openinfosecfoundation.org/projects/suricata/issues