Snort is generally used to monitor and analyze incoming
network traffic, to detect potential probes and attacks of various
sorts. Whilst the main powerhouse of Snort is the detection engine,
not all attacks can be identified there, so it also has an array of
preprocessors that either inspect packets directly or modify
traffic before passing it to the detection engine.
Obviously, this kind of analysis takes some system resources,
and Snort can cause delays in your network traffic if it is not
performing well. Inevitably, tuning Snort forces you to balance
the risk of intrusion against the need to maintain a smoothly
functioning network, but by monitoring Snort's performance and
tuning it carefully to your own systems and requirements, you can
do your best to maximize both.