May 14th, 2004, 12:23 PM
#2
Setting up an interface to be IP-less and to transmit no packets is tautological.
An interface which is "up" but isn't configured with IP or another protocol (say IPX, or AppleTalk DDP) should not ever transmit any packets unless an application explicitly sends them out of it. And snort won't (nor should anything else).
As far as optimising throughput is concerned, my best guesses would be:
1. Recompile snort with absolutely every processor-specific optimisation turned on. Link it statically.
2. Optimise your snort rules as much as possible.
3. Disable swap (get enough memory first).
4. Ensure that logging is not blocking snort, i.e. make sure there are no IO bottlenecks on the logging (hopefully you won't see so many intrusions that it matters).
But it's really anybody's guess.
I wouldn't bother setting realtime scheduling, you will only see a small change, and you could end up starving other tasks of CPU they need in order to work - unless it's a multiprocessor system, in which case you could have it on just one CPU.
On the other hand, if it's a multi-CPU system it might be worth running several copies of snort with different rulesets, to share the load between CPUs (if snort cannot do multithreading natively, which I don't know the answer to).
Slarty
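
An added example, not part of the original post: a check that a capture interface is up and has no IPv4 or IPv6 address configured, which is the state the reply above describes. It assumes Linux iproute2 `ip -o` output; the function name `check_sniff_iface`, the interface name `eth1` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Input is text captured from
# `ip -o link show dev IFACE` and `ip -o addr show dev IFACE`.

# Constructed sample output, abbreviated; addresses are documentation values.
SAMPLE_LINK_UP='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
SAMPLE_LINK_DOWN='3: eth1: <BROADCAST,MULTICAST> mtu 1500 state DOWN'
SAMPLE_ADDR='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
3: eth1    inet6 fe80::200:5eff:fe00:5301/64 scope link'

# check_sniff_iface IFACE LINK_TEXT ADDR_TEXT
# Returns 0: up with no IP address, 1: an address is configured, 2: not up.
check_sniff_iface() {
    iface=$1
    link_text=$2
    addr_text=$3
    # Pull the flag list out of "<...>" and test for UP as a whole flag,
    # so LOWER_UP alone does not count.
    flags=$(printf '%s\n' "$link_text" |
        sed -n 's/^[0-9]*: *[^:]*: *<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,UP,*) ;;
        *) echo "$iface: DOWN (not capturing)"; return 2 ;;
    esac
    # In -o format field 3 is the family and field 4 the address/prefix.
    addrs=$(printf '%s\n' "$addr_text" |
        awk '$3 == "inet" || $3 == "inet6" { print $4 }' | tr '\n' ' ')
    addrs=${addrs% }
    if [ -n "$addrs" ]; then
        echo "$iface: HAS ADDRESS $addrs"
        return 1
    fi
    echo "$iface: OK (up, no IPv4/IPv6 address)"
    return 0
}

# Demo on the constructed samples. On a live sensor, pass
# "$(ip -o link show dev eth1)" and "$(ip -o addr show dev eth1)" instead.
check_sniff_iface eth1 "$SAMPLE_LINK_UP" "" || true
check_sniff_iface eth1 "$SAMPLE_LINK_UP" "$SAMPLE_ADDR" || true
check_sniff_iface eth1 "$SAMPLE_LINK_DOWN" "" || true
```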