Linking to my discussion on the same topic here too:
I am not certain if enabling IPS made things much worse, compared with IDS only, but it may have tipped it over the edge… from being very close to the limits already. Already before, the memory was at the very edge, with high swap usage and low RAM margins. I did have quite a few other processes running, like my custom installation of fail2ban and geo, bogon and abuse block, and enabling IPS just tipped it over. Disabling my custom tools made it better but not good, while also keeping IPS on.
Basically, I have had pretty much the same experience on crashes or stalls.
I would like to see some compromise where this Suricata integration is optimized for the available RAM, contrary to disabling it altogether, or enabling it with very intermittent stability/instability.