If your CPU load is > 50% or your memory footprint is > 70% of physical memory, an obvious solution is to buy a faster CPU or more memory.
If this is not possible, here are some other things to try.
FreeBSD
First, check that your BPF buffer size is big enough. The Bro installation script should set this correctly for you, but to test this, do:
sysctl debug.bpf_bufsize
sysctl debug.bpf_maxbufsize
They should both be at least 4 MB.
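A scripted form of this check, as an added example that is not part of the original Bro documentation. The function name `check_bpf_bufsizes`, the variable `MIN_BYTES` and the sample values are constructed for illustration, and the script assumes sysctl prints `name: value` with the value in bytes.

```shell
#!/bin/sh
# Added example: confirm both BPF sysctls are at least 4 MB.
MIN_BYTES=$((4 * 1024 * 1024))   # 4 MB, the minimum stated above

# Reads sysctl-style "name: value" lines on stdin.
# Prints one line per problem and returns 0 only when both sysctls
# are present, numeric, and >= MIN_BYTES.
check_bpf_bufsizes() {
    awk -v min="$MIN_BYTES" '
        BEGIN { need["debug.bpf_bufsize"] = 1; need["debug.bpf_maxbufsize"] = 1 }
        {
            name = $1; sub(/:$/, "", name)
            if (!(name in need)) next
            seen[name] = 1
            if ($2 !~ /^[0-9]+$/) {
                printf "%s: non-numeric value \"%s\"\n", name, $2; bad = 1
            } else if ($2 + 0 < min + 0) {
                printf "%s: %s bytes, below %s\n", name, $2, min; bad = 1
            }
        }
        END {
            # A sysctl that never appeared (wrong OS, typo) is also a failure.
            for (n in need) if (!(n in seen)) { printf "%s: not reported\n", n; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_UNTUNED='debug.bpf_bufsize: 4096
debug.bpf_maxbufsize: 524288'
SAMPLE_TUNED='debug.bpf_bufsize: 4194304
debug.bpf_maxbufsize: 8388608'

printf '%s\n' "$SAMPLE_TUNED" | check_bpf_bufsizes && echo "tuned sample: ok"
printf '%s\n' "$SAMPLE_UNTUNED" | check_bpf_bufsizes || echo "untuned sample: too small"

# On the Bro host itself, feed it the live values:
#   { sysctl debug.bpf_bufsize; sysctl debug.bpf_maxbufsize; } | check_bpf_bufsizes
```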
Next, if your Bro host is capturing packets on 2 interfaces and you are running FreeBSD, we provide a patched kernel that bonds both interfaces into a single interface at the BPF level. This reduces CPU load considerably. This patched kernel also increases the default per-process memory limits.
This kernel source is available for download at http://www.bro-ids.org/download/FreeBSD.4.10.bro.tgz.
To install this kernel and the BPF bonding utilities, type:
tar xfz fbsd.4.10.bond.tgz
cd FreeBSD-4-10-RELEASE/sys/i386/conf
/usr/sbin/config BRO
cd ../../compile/BRO
make depend
make
make install
cd FreeBSD-4-10-RELEASE/local/sbin/bpfbond/
make
make install
For more instructions on rebuilding the kernel, see: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html.
Linux
XXX section not done.
There are a number of patches needed to make Bro work well with Linux on sites with a heavy traffic load.
These include:
Luca Deri's patch to fix libpcap issues. (see: http://luca.ntop.org/Ring.pdf)