If your CPU load is > 50% or your memory footprint is > 70% of physical memory, an obvious solution is to buy a faster CPU or more memory.
If this is not possible, here are some other things to try.
FreeBSD
First, check that your BPF buffer size is big enough. The Bro installation script should set this correctly for you, but to test this, do:
sysctl debug.bpf_bufsize
sysctl debug.bpf_maxbufsize
They should both be at least 4 MB.
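One way to script the buffer check above, as an added example that is not part of the Bro distribution: the function reads `sysctl` output and flags either value that is missing or below 4 MB. The function name, the reading of "4 MB" as 4194304 bytes, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check the two BPF sysctls named above against a 4 MB floor.
# Assumption: "4 MB" means 4 * 1024 * 1024 bytes (sysctl reports bytes).
BPF_MIN_BYTES=4194304

# check_bpf_sysctls (hypothetical helper) reads sysctl output on stdin,
# in "name: value" or "name=value" form, prints one status line per OID,
# and returns 0 only if both OIDs are present, numeric and large enough.
check_bpf_sysctls() {
    input=$(cat)
    rc=0
    for oid in debug.bpf_bufsize debug.bpf_maxbufsize; do
        # Exact match on the OID name; strip trailing blanks from the value.
        val=$(printf '%s\n' "$input" |
            awk -F'[:=] *' -v k="$oid" \
                '$1 == k { sub(/[ \t]+$/, "", $2); print $2; exit }')
        case "$val" in
            ''|*[!0-9]*)
                # OID absent (e.g. unknown on this kernel) or garbled value.
                echo "MISSING $oid (not reported or not numeric)"
                rc=1
                ;;
            *)
                if [ "$val" -ge "$BPF_MIN_BYTES" ]; then
                    echo "OK      $oid = $val"
                else
                    echo "LOW     $oid = $val (need >= $BPF_MIN_BYTES)"
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# On the Bro host:
#   sysctl debug.bpf_bufsize debug.bpf_maxbufsize | check_bpf_sysctls

# Constructed sample (not real output): one value at 4 MB, one at 512 KB.
SAMPLE='debug.bpf_bufsize: 4194304
debug.bpf_maxbufsize: 524288'
printf '%s\n' "$SAMPLE" | check_bpf_sysctls || echo "BPF buffers are below 4 MB"
```

A non-zero exit status makes the function usable as a pre-flight check in a startup script before Bro begins capturing.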
Next, if your Bro host is capturing packets on 2 interfaces and you are running FreeBSD, we provide a patched kernel that bonds both interfaces into a single interface at the BPF level. This reduces CPU load considerably. This patched kernel also increases the default per-process memory limits.
This kernel source is available for download at http://www.bro-ids.org/download/FreeBSD.4.10.bro.tgz.
To install this kernel and the BPF bonding utilities, type:
tar xfz fbsd.4.10.bond.tgz
cd FreeBSD-4-10-RELEASE/sys/i386/conf
/usr/sbin/config BRO
cd ../../compile/BRO
make depend
make
make install
cd ../../../local/sbin/bpfbond/
make
make install
For more instructions on rebuilding the kernel, see: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html.
Linux
XXX section not done.
There are a number of patches needed to make Bro work well with Linux on sites with a heavy traffic load.
These include:
Luca Deri's patch to fix libpcap issues. (see: http://luca.ntop.org/Ring.pdf)