There is a known bug that when the IPS logs get too big, it slows snort down and your throughput suffers. For some reason, snort also was ignoring the 1mb log size limit in the config. A workaround has been to clear the logs manually or weekly via a cron job which works but you loose your log if you don't manually save it. After testing, snort is recognizing kb limits though. When it hits the limit it saves it in /tmp/snort and starts a new log. I'm currently using 80K with no speed loss and that should be about 5-7 days. So in your GUI go to services>intrusion prevention>snort config and the bottom lines should be:
...snip...
output alert_fast: <your alert file depending on mode>.fast 80K
# output log_tcpdump: tcpdump.log
include classification.config
include reference.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules
# include $SO_RULE_PATH/so1.rules
# include $SO_RULE_PATH/so2-misc.rules
include threshold.conf
--------------------------------
Another recommendation as shown above is to comment out include $PREPROC_RULE_PATH/sensitive-data.rules. It generated a lot of false positives and spams the log. It's mainly for data leak detection in businesses such as SS#'s, email address, credit cards, etc. They are alerts and not drops anyway. Your choice.
Running the latest OpenWrt stable release