There is a known bug that when the IPS logs get too big, it slows snort down and your throughput suffers. For some reason, snort also was ignoring the 1mb log size limit in the config. A workaround has been to clear the logs manually or weekly via a cron job, which works, but you lose your log if you don't manually save it. After testing, snort is recognizing kb limits though. When it hits the limit it saves it in /tmp/snort and starts a new log. I'm currently using 80K with no speed loss and that should be about 5-7 days. So in your GUI go to services>intrusion prevention>snort config and the bottom lines should be:
# include $SO_RULE_PATH/so1.rules
# include $SO_RULE_PATH/so2-misc.rules
Another recommendation, as shown above, is to comment out include $PREPROC_RULE_PATH/sensitive-data.rules. It generated a lot of false positives and spams the log. It's mainly for data leak detection in businesses such as SS#'s, email addresses, credit cards, etc. They are alerts and not drops anyway. Your choice.
/etc/snort/reference.config sets variables only - no harm if it is referred to multiple times.
root@Shield:/etc/snort# cat reference.config
# The following defines URLs for the references found in the rules
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb http://osvdb.org/show/osvdb/
# Note, this one needs a suffix as well.... lets add that in a bit.
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: msb http://technet.microsoft.com/en-us/security/bulletin/
Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode
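
Added example (not from the original posts, and not Shield or Snort project code): the first post says rotated logs land in /tmp/snort, so this sketch moves them into a compressed archive and deletes each source file only after the copy verifies. Assumptions: every regular file in the source directory is a finished, rotated log, the destination directory is on persistent storage, and the file names and destination path shown are constructed placeholders.

```shell
#!/bin/sh
# Archive rotated Snort logs so they survive a cleanup of /tmp/snort.
# Assumption: every regular file in SRC is a completed, rotated log.
# Assumption: DEST is a directory on persistent storage (hypothetical path).

archive_rotated() {
    src=$1
    dest=$2
    count=0
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue          # skip directories and an unmatched glob
        [ -s "$f" ] || continue          # skip empty files
        out="$dest/$(basename "$f").gz"
        # Never overwrite an earlier archive that has the same name.
        n=1
        while [ -e "$out" ]; do
            out="$dest/$(basename "$f").$n.gz"
            n=$((n + 1))
        done
        tmp="$out.part"
        # Compress to a temporary name, then confirm the archive decompresses
        # to exactly the source bytes before publishing it and removing the log.
        if gzip -c "$f" > "$tmp" && gzip -dc < "$tmp" | cmp -s - "$f"; then
            mv "$tmp" "$out" && rm -f "$f" && count=$((count + 1))
        else
            rm -f "$tmp"
            echo "archive failed, source kept: $f" >&2
        fi
    done
    echo "$count"                        # number of logs archived
}

# Run from cron with two arguments, for example (DEST is a placeholder):
#   archive_rotated.sh /tmp/snort /mnt/usb/snort-archive
if [ $# -eq 2 ]; then
    archive_rotated "$1" "$2"
fi
```

A log that fails verification stays in place and is reported on stderr, so a full or failing destination never costs you the original.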