Lately I have deployed a testing box on a 30Mbps link using Bro-IDS; apparently it is a small monster when running with the default settings. Today I started to turn on the signature matching engine. Guess what!!!!! The small monster starts to become the Hulk. Let's see how it goes -
  PID USERNAME  THR PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
  546 bro         1 -58    0   166M   164M bpf    80:40 81.42% bro
It seems that it is not a good idea to turn the signature matching engine on, since it consumes too much processing power. I would indeed rather have a Snort instance running for signature matching and Bro running as a protocol analyzer. Anyway, it's up to you.
F34R teh Hulk!!!!!